From b5c93a893a07f20f5322a95a64073f167d9dbb9a Mon Sep 17 00:00:00 2001 From: mh Date: Thu, 10 Jun 2010 03:52:26 +0200 Subject: adjust sslciphersuite to new recommendations --- files/include.d/CentOS/ssl_defaults.inc | 3 ++- files/include.d/Debian/ssl_defaults.inc | 1 + files/include.d/OpenBSD/ssl_defaults.inc | 3 ++- files/vhosts.d/Gentoo/0-default_ssl.conf | 3 ++- 4 files changed, 7 insertions(+), 3 deletions(-) (limited to 'files') diff --git a/files/include.d/CentOS/ssl_defaults.inc b/files/include.d/CentOS/ssl_defaults.inc index 5cc663f..04d3077 100644 --- a/files/include.d/CentOS/ssl_defaults.inc +++ b/files/include.d/CentOS/ssl_defaults.inc @@ -16,7 +16,8 @@ SSLProtocol all -SSLv2 # SSL Cipher Suite: # List the ciphers that the client is permitted to negotiate. # See the mod_ssl documentation for a complete list. -SSLCipherSuite HIGH:MEDIUM:!ADH:-SSLv2 +#SSLCipherSuite HIGH:MEDIUM:!ADH:-SSLv2 +SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:@STRENGTH # Server Certificate: diff --git a/files/include.d/Debian/ssl_defaults.inc b/files/include.d/Debian/ssl_defaults.inc index e69de29..3889cff 100644 --- a/files/include.d/Debian/ssl_defaults.inc +++ b/files/include.d/Debian/ssl_defaults.inc @@ -0,0 +1 @@ +SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:@STRENGTH diff --git a/files/include.d/OpenBSD/ssl_defaults.inc b/files/include.d/OpenBSD/ssl_defaults.inc index e7d2c36..91b14e0 100644 --- a/files/include.d/OpenBSD/ssl_defaults.inc +++ b/files/include.d/OpenBSD/ssl_defaults.inc @@ -1,4 +1,5 @@ SSLEngine on -SSLCipherSuite HIGH:MEDIUM:!ADH:-SSLv2 +#SSLCipherSuite HIGH:MEDIUM:!ADH:-SSLv2 +SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:@STRENGTH SSLCertificateFile /etc/ssl/server.crt SSLCertificateKeyFile /etc/ssl/private/server.key diff --git a/files/vhosts.d/Gentoo/0-default_ssl.conf b/files/vhosts.d/Gentoo/0-default_ssl.conf index 7efe879..a123de8 100644 --- a/files/vhosts.d/Gentoo/0-default_ssl.conf +++ b/files/vhosts.d/Gentoo/0-default_ssl.conf @@ -31,7 +31,8 @@ UseCanonicalName On # List the ciphers that the client is permitted to negotiate. # See the mod_ssl documentation for a complete list. #SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL - SSLCipherSuite HIGH:MEDIUM:!ADH:-SSLv2 + #SSLCipherSuite HIGH:MEDIUM:!ADH:-SSLv2 + SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:@STRENGTH SSLCertificateFile /e/certs/server.crt SSLCertificateKeyFile /e/certs/server.key -- cgit v1.2.3 From 1bdb39c6dd8ccaf76d8a4aa2e9486069afd2d476 Mon Sep 17 00:00:00 2001 From: mh Date: Mon, 16 Aug 2010 19:01:24 +0200 Subject: impelement itk plus mode itk plus mode is an additional mode to deploy itk based hostings which should be a bit more performant. The idea is that we have two apache-instances running: A) prefork based, listening on the external interface B) itk based, listening on the loopback interface A) will serve all static webpages, as well as possibly serve all static content of dynamic websites. All requests to dynamic content will be redirected to B). The idea is that A) doesn't load any modules to server dynamic content at all. B) will serve all the dynamic scripts of a vhost. This will mean that for vhosts (static ones) as well as static content (all none dynamic scripts) we can benefit from the fast prefork model, while we can use itk's security model for all the dynamic scripts. There are two new additional run_modes: - proxy-itk: this just passes all requests to apache instance B). This one is similar to plain itk based mode and should be used for vhosts that shouldn't (yet) changed to the mixed mode. - static-itk: this passes only requests to dynamic scripts to B) while all static content is served by A). Beware that the user with which A) is running should be member of the run group of B) and all static files need to readable by the group. This reduces the security model you have with plain itk, as the prefork apache user will be able to read php (config-) files of any vhost that runs in static-itk mode. If you want to keep the level of security for a certain vhost, you need to run the specific vhost in proxy-itk mode. Note 1: you cannot run vhosts in itk mode and others in proxy or static itk mode. There is a duplicate file resource definition that blocks that possibility. Note 2: This mode works currently only on CentOS based systems, as no work have been done so far to implement an init.d script that's able to run 2 apache instances. --- files/service/CentOS/httpd.itk_plus | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 files/service/CentOS/httpd.itk_plus (limited to 'files') diff --git a/files/service/CentOS/httpd.itk_plus b/files/service/CentOS/httpd.itk_plus new file mode 100644 index 0000000..4d74de2 --- /dev/null +++ b/files/service/CentOS/httpd.itk_plus @@ -0,0 +1,24 @@ +# Configuration file for the httpd service. + +# +# The default processing model (MPM) is the process-based +# 'prefork' model. A thread-based model, 'worker', is also +# available, but does not work with some modules (such as PHP). +# The service must be stopped before changing this variable. +# +#HTTPD=/usr/sbin/httpd.worker +HTTPD=/usr/sbin/httpd +HTTPD_LOCAL=/usr/sbin/httpd.itk + +# +# To pass additional options (for instance, -D definitions) to the +# httpd binary at startup, set OPTIONS here. +# +#OPTIONS= + +# +# By default, the httpd process is started in the C locale; to +# change the locale in which the server runs, the HTTPD_LANG +# variable can be set. +# +#HTTPD_LANG=C -- cgit v1.2.3 From b3a17cff5315fbbda901a6f1d406c3500cf65a3a Mon Sep 17 00:00:00 2001 From: mh Date: Mon, 16 Aug 2010 21:51:22 +0200 Subject: fix various missing things for itk_plus mode --- files/itk_plus/conf.d/CentOS/ssl.conf | 75 +++++++++++++++++++++++++++++++++++ 1 file changed, 75 insertions(+) create mode 100644 files/itk_plus/conf.d/CentOS/ssl.conf (limited to 'files') diff --git a/files/itk_plus/conf.d/CentOS/ssl.conf b/files/itk_plus/conf.d/CentOS/ssl.conf new file mode 100644 index 0000000..597df1b --- /dev/null +++ b/files/itk_plus/conf.d/CentOS/ssl.conf @@ -0,0 +1,75 @@ +# +# This is the Apache server configuration file providing SSL support. +# It contains the configuration directives to instruct the server how to +# serve pages over an https connection. For detailing information about these +# directives see +# +# Do NOT simply read the instructions in here without understanding +# what they do. They're here only as hints or reminders. If you are unsure +# consult the online docs. You have been warned. +# + +LoadModule ssl_module modules/mod_ssl.so + +# +# When we also provide SSL we have to listen to the +# the HTTPS port in addition. +# +Listen 443 + +## +## SSL Global Context +## +## All SSL configuration in this context applies both to +## the main server and all SSL-enabled virtual hosts. +## + +# +# Some MIME-types for downloading Certificates and CRLs +# +AddType application/x-x509-ca-cert .crt +AddType application/x-pkcs7-crl .crl + +# Pass Phrase Dialog: +# Configure the pass phrase gathering process. +# The filtering dialog program (`builtin' is a internal +# terminal dialog) has to provide the pass phrase on stdout. +SSLPassPhraseDialog builtin + +# Inter-Process Session Cache: +# Configure the SSL Session Cache: First the mechanism +# to use and second the expiring timeout (in seconds). +#SSLSessionCache dc:UNIX:/var/cache/mod_ssl/distcache +SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000) +SSLSessionCacheTimeout 300 + +# Semaphore: +# Configure the path to the mutual exclusion semaphore the +# SSL engine uses internally for inter-process synchronization. +SSLMutex default + +# Pseudo Random Number Generator (PRNG): +# Configure one or more sources to seed the PRNG of the +# SSL library. The seed data should be of good random quality. +# WARNING! On some platforms /dev/random blocks if not enough entropy +# is available. This means you then cannot use the /dev/random device +# because it would lead to very long connection times (as long as +# it requires to make more entropy available). But usually those +# platforms additionally provide a /dev/urandom device which doesn't +# block. So, if available, use this one instead. Read the mod_ssl User +# Manual for more details. +SSLRandomSeed startup file:/dev/urandom 256 +SSLRandomSeed connect builtin +#SSLRandomSeed startup file:/dev/random 512 +#SSLRandomSeed connect file:/dev/random 512 +#SSLRandomSeed connect file:/dev/urandom 512 + +# +# Use "SSLCryptoDevice" to enable any supported hardware +# accelerators. Use "openssl engine -v" to list supported +# engine names. NOTE: If you enable an accelerator and the +# server does not start, consult the error logs and ensure +# your accelerator is functioning properly. +# +SSLCryptoDevice builtin +#SSLCryptoDevice ubsec -- cgit v1.2.3 From 5f8c23126ae41d9213e964a3c056020fc33479ae Mon Sep 17 00:00:00 2001 From: mh Date: Tue, 17 Aug 2010 23:00:31 +0200 Subject: correct statement --- files/itk_plus/conf.d/CentOS/ssl.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'files') diff --git a/files/itk_plus/conf.d/CentOS/ssl.conf b/files/itk_plus/conf.d/CentOS/ssl.conf index 597df1b..fb0c915 100644 --- a/files/itk_plus/conf.d/CentOS/ssl.conf +++ b/files/itk_plus/conf.d/CentOS/ssl.conf @@ -15,7 +15,7 @@ LoadModule ssl_module modules/mod_ssl.so # When we also provide SSL we have to listen to the # the HTTPS port in addition. # -Listen 443 +NameVirtualHost *:443 ## ## SSL Global Context -- cgit v1.2.3 From 3223bb26521cd7aed97c3d5bd7df73269991639d Mon Sep 17 00:00:00 2001 From: mh Date: Sun, 12 Dec 2010 18:51:48 +0100 Subject: update to latest secure ssl directives --- files/include.d/CentOS/ssl_defaults.inc | 6 ++++-- files/include.d/Debian/ssl_defaults.inc | 4 +++- files/include.d/OpenBSD/ssl_defaults.inc | 2 +- 3 files changed, 8 insertions(+), 4 deletions(-) (limited to 'files') diff --git a/files/include.d/CentOS/ssl_defaults.inc b/files/include.d/CentOS/ssl_defaults.inc index 04d3077..b57cbb9 100644 --- a/files/include.d/CentOS/ssl_defaults.inc +++ b/files/include.d/CentOS/ssl_defaults.inc @@ -11,14 +11,16 @@ SSLEngine on # SSL Protocol support: # List the enable protocol levels with which clients will be able to # connect. Disable SSLv2 access by default: -SSLProtocol all -SSLv2 +#SSLProtocol all -SSLv2 +SSLProtocol -all +SSLv3 +TLSv1 # SSL Cipher Suite: # List the ciphers that the client is permitted to negotiate. # See the mod_ssl documentation for a complete list. #SSLCipherSuite HIGH:MEDIUM:!ADH:-SSLv2 -SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:@STRENGTH +SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH +SSLHonorCipherOrder on # Server Certificate: # Point SSLCertificateFile at a PEM encoded certificate. If diff --git a/files/include.d/Debian/ssl_defaults.inc b/files/include.d/Debian/ssl_defaults.inc index 3889cff..949fe58 100644 --- a/files/include.d/Debian/ssl_defaults.inc +++ b/files/include.d/Debian/ssl_defaults.inc @@ -1 +1,3 @@ -SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:@STRENGTH +SSLProtocol -all +SSLv3 +TLSv1 +SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH +SSLHonorCipherOrder on diff --git a/files/include.d/OpenBSD/ssl_defaults.inc b/files/include.d/OpenBSD/ssl_defaults.inc index 91b14e0..67cf36f 100644 --- a/files/include.d/OpenBSD/ssl_defaults.inc +++ b/files/include.d/OpenBSD/ssl_defaults.inc @@ -1,5 +1,5 @@ SSLEngine on #SSLCipherSuite HIGH:MEDIUM:!ADH:-SSLv2 -SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:@STRENGTH +SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH SSLCertificateFile /etc/ssl/server.crt SSLCertificateKeyFile /etc/ssl/private/server.key -- cgit v1.2.3 From a371c169c45dbd14ad3c465f8b7314b14c4ed8cb Mon Sep 17 00:00:00 2001 From: mh Date: Tue, 22 Feb 2011 22:59:51 +0100 Subject: add STS header in default ssl config --- files/include.d/CentOS/ssl_defaults.inc | 3 +++ files/include.d/Debian/ssl_defaults.inc | 3 +++ 2 files changed, 6 insertions(+) (limited to 'files') diff --git a/files/include.d/CentOS/ssl_defaults.inc b/files/include.d/CentOS/ssl_defaults.inc index b57cbb9..c1ef0be 100644 --- a/files/include.d/CentOS/ssl_defaults.inc +++ b/files/include.d/CentOS/ssl_defaults.inc @@ -142,3 +142,6 @@ SetEnvIf User-Agent ".*MSIE.*" \ # compact non-error SSL logfile on a virtual host basis. CustomLog logs/ssl_request_log \ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" + +# set STS Header +Header add Strict-Transport-Security "max-age=15768000" diff --git a/files/include.d/Debian/ssl_defaults.inc b/files/include.d/Debian/ssl_defaults.inc index 949fe58..d1ec68d 100644 --- a/files/include.d/Debian/ssl_defaults.inc +++ b/files/include.d/Debian/ssl_defaults.inc @@ -1,3 +1,6 @@ SSLProtocol -all +SSLv3 +TLSv1 SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH SSLHonorCipherOrder on + +# set STS Header +Header add Strict-Transport-Security "max-age=15768000" -- cgit v1.2.3 From 5a93a0363e9f967550d4a4267113e2b0714c06c2 Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 18 Mar 2011 10:23:04 +0100 Subject: we don't need these logfiles in the include --- files/include.d/CentOS/ssl_defaults.inc | 12 ------------ files/vhosts.d/CentOS/0-default_ssl.conf | 6 ++++++ 2 files changed, 6 insertions(+), 12 deletions(-) (limited to 'files') diff --git a/files/include.d/CentOS/ssl_defaults.inc b/files/include.d/CentOS/ssl_defaults.inc index c1ef0be..7735ebb 100644 --- a/files/include.d/CentOS/ssl_defaults.inc +++ b/files/include.d/CentOS/ssl_defaults.inc @@ -1,9 +1,3 @@ -# Use separate log files for the SSL virtual host; note that LogLevel -# is not inherited from httpd.conf. -ErrorLog logs/ssl_error_log -TransferLog logs/ssl_access_log -LogLevel warn - # SSL Engine Switch: # Enable/Disable SSL for this virtual host. SSLEngine on @@ -137,11 +131,5 @@ SetEnvIf User-Agent ".*MSIE.*" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 -# Per-Server Logging: -# The home of a custom SSL log file. Use this when you want a -# compact non-error SSL logfile on a virtual host basis. -CustomLog logs/ssl_request_log \ - "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" - # set STS Header Header add Strict-Transport-Security "max-age=15768000" diff --git a/files/vhosts.d/CentOS/0-default_ssl.conf b/files/vhosts.d/CentOS/0-default_ssl.conf index 9f8c4b6..d018bcc 100644 --- a/files/vhosts.d/CentOS/0-default_ssl.conf +++ b/files/vhosts.d/CentOS/0-default_ssl.conf @@ -8,6 +8,12 @@ Include include.d/ssl_defaults.inc DocumentRoot /var/www/html + # Use separate log files for the SSL virtual host; note that LogLevel + # is not inherited from httpd.conf. + ErrorLog logs/ssl_error_log + TransferLog logs/ssl_access_log + LogLevel warn + SSLCertificateFile /etc/pki/tls/certs/localhost.crt SSLCertificateKeyFile /etc/pki/tls/private/localhost.key -- cgit v1.2.3 From 2fa748dcc92e34b13bd4b6f7e452ef89b29490c4 Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 8 Oct 2011 19:22:40 +0200 Subject: introduce a new template style, less duplicated things, more handy options --- files/include.d/silverstripe.inc | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 files/include.d/silverstripe.inc (limited to 'files') diff --git a/files/include.d/silverstripe.inc b/files/include.d/silverstripe.inc new file mode 100644 index 0000000..40c44e4 --- /dev/null +++ b/files/include.d/silverstripe.inc @@ -0,0 +1,17 @@ +# silverstripe .htaccess + + Order deny,allow + Deny from all + #Allow from 127.0.0.1 + + + + RewriteEngine On + #RewriteBase / + + RewriteCond %{REQUEST_URI} !(\.gif$)|(\.jpg$)|(\.png$)|(\.css$)|(\.js$) + + RewriteCond %{REQUEST_URI} ^(.*)$ + RewriteCond %{REQUEST_FILENAME} !-f + RewriteRule .* sapphire/main.php?url=%1&%{QUERY_STRING} [L] + -- cgit v1.2.3 From d9b5ec61e22353faf9b975d14cdec45efc128f2c Mon Sep 17 00:00:00 2001 From: mh Date: Thu, 13 Oct 2011 00:56:24 +0200 Subject: add worker related config files --- files/service/CentOS/httpd.worker | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 files/service/CentOS/httpd.worker (limited to 'files') diff --git a/files/service/CentOS/httpd.worker b/files/service/CentOS/httpd.worker new file mode 100644 index 0000000..290923f --- /dev/null +++ b/files/service/CentOS/httpd.worker @@ -0,0 +1,22 @@ +# Configuration file for the httpd service. + +# +# The default processing model (MPM) is the process-based +# 'prefork' model. A thread-based model, 'worker', is also +# available, but does not work with some modules (such as PHP). +# The service must be stopped before changing this variable. +# +HTTPD=/usr/sbin/httpd.worker + +# +# To pass additional options (for instance, -D definitions) to the +# httpd binary at startup, set OPTIONS here. +# +#OPTIONS= + +# +# By default, the httpd process is started in the C locale; to +# change the locale in which the server runs, the HTTPD_LANG +# variable can be set. +# +#HTTPD_LANG=C -- cgit v1.2.3 From 80c3e890becd31f704f3409094d6da1c137b844e Mon Sep 17 00:00:00 2001 From: mh Date: Thu, 28 Feb 2013 20:32:41 +0100 Subject: add munin plugin to this module --- files/munin/apache_activity | 99 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 99 insertions(+) create mode 100755 files/munin/apache_activity (limited to 'files') diff --git a/files/munin/apache_activity b/files/munin/apache_activity new file mode 100755 index 0000000..65fc072 --- /dev/null +++ b/files/munin/apache_activity @@ -0,0 +1,99 @@ +#!/usr/bin/perl +# +# Parameters supported: +# +# config +# autoconf +# +# Configurable variables +# +# url - Override default status-url +# +# Magic markers: +#%# family=auto +#%# capabilities=autoconf + +my $ret = undef; +if (!eval "require LWP::UserAgent;") { + $ret = "LWP::UserAgent not found"; +} + +my $URL = exists $ENV{'url'} ? $ENV{'url'} : "http://127.0.0.1:%d/server-status?auto"; +my @PORTS = exists $ENV{'ports'} ? split(' ', $ENV{'ports'}) : (80); +my %chars = ( + # '\_' => 'Waiting', + # 'S' => 'Starting up', + 'R' => 'Reading request', + 'W' => 'Sending reply', + 'K' => 'Keepalive', + 'D' => 'DNS lookup', + 'C' => 'Closing', + # 'L' => 'Logging', + # 'G' => 'Gracefully finishing', + # 'I' => 'Idle cleanup', + # '\.' => 'Open slot', + ); + +# "_" Waiting for Connection, "S" Starting up, "R" Reading Request, +# "W" Sending Reply, "K" Keepalive (read), "D" DNS Lookup, +# "C" Closing connection, "L" Logging, "G" Gracefully finishing, +# "I" Idle cleanup of worker, "." Open slot with no current process + +if (exists $ARGV[0] and $ARGV[0] eq "autoconf") { + if ($ret) { + print "no ($ret)\n"; + exit 1; + } + my $ua = LWP::UserAgent->new(timeout => 30); + my @badports; + + foreach my $port (@PORTS) { + my $url = sprintf $URL, $port; + my $response = $ua->request(HTTP::Request->new('GET',$url)); + push @badports, $port unless $response->is_success and $response->content =~ /Scoreboard/im; + } + + if (@badports) { + print "no (no apache server-status on ports @badports)\n"; + exit 1; + } else { + print "yes\n"; + exit 0; + } +} + +if (exists $ARGV[0] and $ARGV[0] eq "config") { + print "graph_title Apache activity\n"; + print "graph_args --base 1000 -l 0\n"; + print "graph_category apache\n"; + print "graph_vlabel processes\n"; + foreach my $port (@PORTS) { + while (my ($char, $val) = each (%chars)) { + $char =~ s/\\\./dot/; + $char =~ s/\\\_/underline/; + print "activity_${port}_${char}.label "; + print $val, "\n"; + print "activity_${port}_${char}.type GAUGE\n"; + } + } + exit 0; +} + +foreach my $port (@PORTS) { + my $ua = LWP::UserAgent->new (timeout => 30); + my $url = sprintf $URL, $port; + my $response = $ua->request (HTTP::Request->new('GET',$url)); + if ($response->content =~ /^Scoreboard\:\s?(.*)$/sm) { + my $string = $1; + chomp $string; + my @act = split (//, $string); + foreach my $char (keys (%chars)) { + my $num = scalar (grep (/$char/, @act)); + $char =~ s/\\\./dot/; + $char =~ s/\\\_/underline/; + print "activity_${port}_${char}.value $num\n"; + } + } +} + + -- cgit v1.2.3