summaryrefslogtreecommitdiff
path: root/templates/vhosts/perl
AgeCommit message (Collapse)Author
2010-12-12enable HTS everywheremh
2010-12-06add STS header for enforced SSL sitesmh
* http://en.wikipedia.org/wiki/Strict_Transport_Security This will tell browsers to interact with that site only per HTTPS.
2010-10-25improve redirect, so we don't stick on the servernamemh
2010-08-18add missing directive for ssl proxy vhostsmh
2010-08-16impelement itk plus modemh
itk plus mode is an additional mode to deploy itk based hostings which should be a bit more performant. The idea is that we have two apache-instances running: A) prefork based, listening on the external interface B) itk based, listening on the loopback interface A) will serve all static webpages, as well as possibly serve all static content of dynamic websites. All requests to dynamic content will be redirected to B). The idea is that A) doesn't load any modules to server dynamic content at all. B) will serve all the dynamic scripts of a vhost. This will mean that for vhosts (static ones) as well as static content (all none dynamic scripts) we can benefit from the fast prefork model, while we can use itk's security model for all the dynamic scripts. There are two new additional run_modes: - proxy-itk: this just passes all requests to apache instance B). This one is similar to plain itk based mode and should be used for vhosts that shouldn't (yet) changed to the mixed mode. - static-itk: this passes only requests to dynamic scripts to B) while all static content is served by A). Beware that the user with which A) is running should be member of the run group of B) and all static files need to readable by the group. This reduces the security model you have with plain itk, as the prefork apache user will be able to read php (config-) files of any vhost that runs in static-itk mode. If you want to keep the level of security for a certain vhost, you need to run the specific vhost in proxy-itk mode. Note 1: you cannot run vhosts in itk mode and others in proxy or static itk mode. There is a duplicate file resource definition that blocks that possibility. Note 2: This mode works currently only on CentOS based systems, as no work have been done so far to implement an init.d script that's able to run 2 apache instances.
2010-08-11introduce logmode featuremh
We are now able to select how apache should log accesses. These modes are: * default: as you would use it * semianonym: no ips are logged for CustomLog, ErrorLog still logs ips * anonym: no ips are logged for CustomLog, ErrorLog is sent to /dev/null * nologs: all logs are sent to /dev/null
2010-01-04add $mod_security_relevantonly flag, enabled by default, logs only on ↵Jerome Charaoui
suspicious requests, set to 'false' to log all requests (as before)
2009-12-23introduce config::global for global configs in conf.d and config::include ↵Jerome Charaoui
for vhost snippets in include.d
2009-12-23change OS-specific vhost templates into links, add Debian (though not all ↵Jerome Charaoui
are tested on Debian)
2009-06-24unified mod_sec stuff, turn audit engine off as wellmh
2009-06-13introcuded ssl_mode onlymh
2009-05-17whitespace cleanupMarcel Haerry
2009-04-26fixing ServerAdmin stuffmh
ServerAdmin was missing for ssl vhosts ServerAdmin was set if the variable have been set to 'absent'
2009-04-25server_admin variable for ServerAdmin line in vhostsandreas
2009-04-13setting logging style of mod_secmh
according to http://thread.gmane.org/gmane.comp.apache.mod-security.user/5257/focus=5260 it should be that way.
2009-04-01always write the mod_sec logs to its own logfilemh
2009-03-16this isn't needed in the https section :-/mh
2009-03-15audit typ have to be serialmh
2009-03-10correct optionmh
2009-03-09write mod_sec logfiles per vhostmh
2008-12-06fixing ssl_mode decision, still set the directory stuffmh
2008-12-06finished sslmode config, added itk stuff to php vhostmh
2008-12-06- added default charset possiblitymh
- enabled ssl on all 3 vhost modes
2008-12-05ignore absentmh
2008-12-05we need a new linemh
2008-12-05correct decision and made it more logicalmh
2008-12-05correct testmh
2008-12-05fixed option decision, centos static is now link of openbsd, as we can use ↵mh
the same
2008-12-05- add index.shtml to default index if we do includmh
es, as well add +Includes to the directory options if not yet done - removed the security rewrite as it is already in the defaults.inc! - removed the enforcement of mod_security
2008-12-01added run_mode for running vhosts with the itk modulemh
2008-12-01added perl vhost definitionmh