From 7bbb0feacac0565457f5f56f65468429803454fb Mon Sep 17 00:00:00 2001 From: mh Date: Wed, 11 Aug 2010 14:06:53 +0200 Subject: introduce logmode feature We are now able to select how apache should log accesses. These modes are: * default: as you would use it * semianonym: no ips are logged for CustomLog, ErrorLog still logs ips * anonym: no ips are logged for CustomLog, ErrorLog is sent to /dev/null * nologs: all logs are sent to /dev/null --- templates/vhosts/php_spip/php_spip.erb | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) (limited to 'templates/vhosts/php_spip/php_spip.erb') diff --git a/templates/vhosts/php_spip/php_spip.erb b/templates/vhosts/php_spip/php_spip.erb index 4a6c829..99c94e2 100644 --- a/templates/vhosts/php_spip/php_spip.erb +++ b/templates/vhosts/php_spip/php_spip.erb @@ -12,8 +12,20 @@ <%- end -%> DocumentRoot <%= documentroot %>/ + <%- case logmode.to_s + when 'nologs' -%> + ErrorLog /dev/null + CustomLog /dev/null + <%- when 'semianonym' -%> + ErrorLog <%= logdir %>/error_log + CustomLog <%= logdir %>/access_log noip + <%- when 'anonym' -%> + ErrorLog /dev/null + CustomLog <%= logdir %>/access_log noip + <%- else -%> ErrorLog <%= logdir %>/error_log CustomLog <%= logdir %>/access_log combined + <%- end -%> <%- if ssl_mode.to_s == 'force' then -%> Redirect permanent / https://<%= servername %>/ <%- end -%> @@ -92,8 +104,20 @@ <%- end -%> DocumentRoot <%= documentroot %>/ + <%- case logmode.to_s + when 'nologs' -%> + ErrorLog /dev/null + CustomLog /dev/null + <%- when 'semianonym' -%> + ErrorLog <%= logdir %>/error_log + CustomLog <%= logdir %>/access_log noip + <%- when 'anonym' -%> + ErrorLog /dev/null + CustomLog <%= logdir %>/access_log noip + <%- else -%> ErrorLog <%= logdir %>/error_log CustomLog <%= logdir %>/access_log combined + <%- end -%> <%- if run_mode.to_s == 'itk' -%> AssignUserId <%= run_uid+" "+run_gid %> -- cgit v1.2.3 From 1bdb39c6dd8ccaf76d8a4aa2e9486069afd2d476 Mon Sep 17 00:00:00 2001 From: mh Date: Mon, 16 Aug 2010 19:01:24 +0200 Subject: impelement itk plus mode itk plus mode is an additional mode to deploy itk based hostings which should be a bit more performant. The idea is that we have two apache-instances running: A) prefork based, listening on the external interface B) itk based, listening on the loopback interface A) will serve all static webpages, as well as possibly serve all static content of dynamic websites. All requests to dynamic content will be redirected to B). The idea is that A) doesn't load any modules to server dynamic content at all. B) will serve all the dynamic scripts of a vhost. This will mean that for vhosts (static ones) as well as static content (all none dynamic scripts) we can benefit from the fast prefork model, while we can use itk's security model for all the dynamic scripts. There are two new additional run_modes: - proxy-itk: this just passes all requests to apache instance B). This one is similar to plain itk based mode and should be used for vhosts that shouldn't (yet) changed to the mixed mode. - static-itk: this passes only requests to dynamic scripts to B) while all static content is served by A). Beware that the user with which A) is running should be member of the run group of B) and all static files need to readable by the group. This reduces the security model you have with plain itk, as the prefork apache user will be able to read php (config-) files of any vhost that runs in static-itk mode. If you want to keep the level of security for a certain vhost, you need to run the specific vhost in proxy-itk mode. Note 1: you cannot run vhosts in itk mode and others in proxy or static itk mode. There is a duplicate file resource definition that blocks that possibility. Note 2: This mode works currently only on CentOS based systems, as no work have been done so far to implement an init.d script that's able to run 2 apache instances. --- templates/vhosts/php_spip/php_spip.erb | 203 ++++++++++++++++++++++++++++++++- 1 file changed, 198 insertions(+), 5 deletions(-) (limited to 'templates/vhosts/php_spip/php_spip.erb') diff --git a/templates/vhosts/php_spip/php_spip.erb b/templates/vhosts/php_spip/php_spip.erb index 99c94e2..c63cf77 100644 --- a/templates/vhosts/php_spip/php_spip.erb +++ b/templates/vhosts/php_spip/php_spip.erb @@ -1,4 +1,7 @@ # <%= servername %> +<%- if run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> + +<%- end -%> <%- unless ssl_mode.to_s == 'only' then -%> Include include.d/defaults.inc @@ -26,16 +29,20 @@ ErrorLog <%= logdir %>/error_log CustomLog <%= logdir %>/access_log combined <%- end -%> + <%- if ssl_mode.to_s == 'force' then -%> Redirect permanent / https://<%= servername %>/ + <%- end -%> <%- if default_charset.to_s != 'absent' then -%> AddDefaultCharset <%= default_charset %> + <%- end -%> - <%- if run_mode.to_s == 'itk' -%> + <%- if run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%> AssignUserId <%= run_uid+" "+run_gid %> + <%- end -%> <%- if not ssl_mode.to_s == 'force' then -%> /"> @@ -66,6 +73,7 @@ <%- end -%> + <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> <%- if mod_security.to_s == 'true' then -%> SecRuleEngine On @@ -83,6 +91,7 @@ SecAuditLog <%= logdir %>/mod_security_audit.log SecDebugLog <%= logdir %>/mod_security_debug.log + <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> @@ -118,13 +127,16 @@ ErrorLog <%= logdir %>/error_log CustomLog <%= logdir %>/access_log combined <%- end -%> - <%- if run_mode.to_s == 'itk' -%> + + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <%- if run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%> AssignUserId <%= run_uid+" "+run_gid %> - <%- end -%> - <%- if default_charset.to_s != 'absent' then -%> - AddDefaultCharset <%= default_charset %> + <%- end -%> /"> AllowOverride <%= allow_override %> @@ -153,6 +165,7 @@ <%- end -%> + <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> <%- if mod_security.to_s == 'true' then -%> SecRuleEngine On @@ -170,9 +183,189 @@ SecAuditLog <%= logdir %>/mod_security_audit.log SecDebugLog <%= logdir %>/mod_security_debug.log + <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> <%- end -%> <%- end -%> +<%- if run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> + + +<%- unless ssl_mode.to_s == 'only' then -%> + + Include include.d/defaults.inc + + ServerName <%= servername %> + <%- unless serveralias.to_s.empty? then -%> + ServerAlias <%= serveralias %> + <%- end -%> + <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> + ServerAdmin <%= server_admin %> + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + DocumentRoot <%= documentroot %>/ + DirectoryIndex index.htm index.html index.php + <%- end -%> + + <%- case logmode.to_s + when 'nologs' -%> + ErrorLog /dev/null + CustomLog /dev/null + <%- when 'semianonym' -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- when 'anonym' -%> + ErrorLog /dev/null + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- else -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log combined + <%- end -%> + + ProxyPreserveHost On + ProxyRequests off + <%- if run_mode.to_s == 'static-itk' -%> + ProxyPassMatch ^/(.*\.php/?.*)$ http://127.0.0.1/$1 + <%- else -%> + ProxyPass / http://127.0.0.1/ + <%- end -%> + ProxyPassReverse / http://127.0.0.1/ + + <%- if ssl_mode.to_s == 'force' then -%> + Redirect permanent / https://<%= servername %>/ + + <%- end -%> + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <%- if run_mode.to_s == 'static-itk' then -%> + <%- if not ssl_mode.to_s == 'force' then -%> + /"> + AllowOverride <%= allow_override %> + <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> + Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> + + <%- end -%> + <%- unless htpasswd_file.to_s == 'absent' then -%> + AuthType Basic + AuthName "Access fuer <%= servername %>" + AuthUserFile <%= real_htpasswd_path %> + require valid-user + <%- end -%> + + <%- end -%> + <%- end -%> + + + <%- if mod_security.to_s == 'true' then -%> + SecRuleEngine On + <%- if mod_security_relevantonly.to_s == 'true' then -%> + SecAuditEngine RelevantOnly + <%- else -%> + SecAuditEngine On + <%- end -%> + <%- else -%> + SecRuleEngine Off + SecAuditEngine Off + <%- end -%> + SecAuditLogType Concurrent + SecAuditLogStorageDir <%= logdir %>/ + SecAuditLog <%= logdir %>/mod_security_audit.log + SecDebugLog <%= logdir %>/mod_security_debug.log + + + <%- unless additional_options.to_s == 'absent' then -%> + <%= additional_options %> + <%- end -%> + +<%- end -%> + +<%- unless ssl_mode.to_s == 'false' then -%> + + Include include.d/defaults.inc + Include include.d/ssl_defaults.inc + + ServerName <%= servername %> + <%- unless serveralias.to_s.empty? then -%> + ServerAlias <%= serveralias %> + <%- end -%> + <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> + ServerAdmin <%= server_admin %> + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + DocumentRoot <%= documentroot %>/ + DirectoryIndex index.htm index.html index.php + <%- end -%> + + <%- case logmode.to_s + when 'nologs' -%> + ErrorLog /dev/null + CustomLog /dev/null + <%- when 'semianonym' -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- when 'anonym' -%> + ErrorLog /dev/null + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- else -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log combined + <%- end -%> + + ProxyPreserveHost On + ProxyRequests off + <%- if run_mode.to_s == 'static-itk' -%> + ProxyPassMatch ^/(.*\.php/?.*)$ https://127.0.0.1/$1 + <%- else -%> + ProxyPass / https://127.0.0.1/ + <%- end -%> + ProxyPassReverse / https://127.0.0.1/ + + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + /"> + AllowOverride <%= allow_override %> + <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> + Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> + + <%- end -%> + <%- unless htpasswd_file.to_s == 'absent' then -%> + AuthType Basic + AuthName "Access fuer <%= servername %>" + AuthUserFile <%= real_htpasswd_path %> + require valid-user + <%- end -%> + + <%- end -%> + + + <%- if mod_security.to_s == 'true' then -%> + SecRuleEngine On + <%- if mod_security_relevantonly.to_s == 'true' then -%> + SecAuditEngine RelevantOnly + <%- else -%> + SecAuditEngine On + <%- end -%> + <%- else -%> + SecRuleEngine Off + SecAuditEngine Off + <%- end -%> + SecAuditLogType Concurrent + SecAuditLogStorageDir <%= logdir %>/ + SecAuditLog <%= logdir %>/mod_security_audit.log + SecDebugLog <%= logdir %>/mod_security_debug.log + + + <%- unless additional_options.to_s == 'absent' then -%> + <%= additional_options %> + <%- end -%> + +<%- end -%> + +<%- end -%> -- cgit v1.2.3 From ab7b8230d40c31cf995e51c4b43ded2c524122e0 Mon Sep 17 00:00:00 2001 From: mh Date: Wed, 18 Aug 2010 00:09:32 +0200 Subject: add missing directive for ssl proxy vhosts --- templates/vhosts/php_spip/php_spip.erb | 1 + 1 file changed, 1 insertion(+) (limited to 'templates/vhosts/php_spip/php_spip.erb') diff --git a/templates/vhosts/php_spip/php_spip.erb b/templates/vhosts/php_spip/php_spip.erb index c63cf77..6a26c4c 100644 --- a/templates/vhosts/php_spip/php_spip.erb +++ b/templates/vhosts/php_spip/php_spip.erb @@ -317,6 +317,7 @@ ProxyPreserveHost On ProxyRequests off + SSLProxyEngine On <%- if run_mode.to_s == 'static-itk' -%> ProxyPassMatch ^/(.*\.php/?.*)$ https://127.0.0.1/$1 <%- else -%> -- cgit v1.2.3 From a4358a825de159a145b877c7b7d7c795c72cb3b4 Mon Sep 17 00:00:00 2001 From: mh Date: Mon, 25 Oct 2010 22:58:24 +0200 Subject: improve redirect, so we don't stick on the servername --- templates/vhosts/php_spip/php_spip.erb | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'templates/vhosts/php_spip/php_spip.erb') diff --git a/templates/vhosts/php_spip/php_spip.erb b/templates/vhosts/php_spip/php_spip.erb index 6a26c4c..da42d40 100644 --- a/templates/vhosts/php_spip/php_spip.erb +++ b/templates/vhosts/php_spip/php_spip.erb @@ -31,7 +31,9 @@ <%- end -%> <%- if ssl_mode.to_s == 'force' then -%> - Redirect permanent / https://<%= servername %>/ + RewriteEngine On + RewriteCond %{HTTPS} !=on + RewriteRule (.*) https://%{SERVER_NAME}$1 [R=permanent,L] <%- end -%> <%- if default_charset.to_s != 'absent' then -%> @@ -234,7 +236,9 @@ ProxyPassReverse / http://127.0.0.1/ <%- if ssl_mode.to_s == 'force' then -%> - Redirect permanent / https://<%= servername %>/ + RewriteEngine On + RewriteCond %{HTTPS} !=on + RewriteRule (.*) https://%{SERVER_NAME}$1 [R=permanent,L] <%- end -%> <%- if default_charset.to_s != 'absent' then -%> -- cgit v1.2.3 From a87d7b91cc95c8ac7aee327e4cf4d3ce564cdea1 Mon Sep 17 00:00:00 2001 From: mh Date: Mon, 6 Dec 2010 17:40:46 +0100 Subject: add STS header for enforced SSL sites * http://en.wikipedia.org/wiki/Strict_Transport_Security This will tell browsers to interact with that site only per HTTPS. --- templates/vhosts/php_spip/php_spip.erb | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'templates/vhosts/php_spip/php_spip.erb') diff --git a/templates/vhosts/php_spip/php_spip.erb b/templates/vhosts/php_spip/php_spip.erb index da42d40..13c1199 100644 --- a/templates/vhosts/php_spip/php_spip.erb +++ b/templates/vhosts/php_spip/php_spip.erb @@ -139,6 +139,10 @@ AssignUserId <%= run_uid+" "+run_gid %> + <%- end -%> + <%- if ssl_mode.to_s == 'force' then -%> + Header add Strict-Transport-Security "max-age=15768000" + <%- end -%> /"> AllowOverride <%= allow_override %> @@ -332,6 +336,10 @@ <%- if default_charset.to_s != 'absent' then -%> AddDefaultCharset <%= default_charset %> + <%- end -%> + <%- if ssl_mode.to_s == 'force' then -%> + Header add Strict-Transport-Security "max-age=15768000" + <%- end -%> <%- if run_mode.to_s == 'static-itk' -%> /"> -- cgit v1.2.3 From 22fba9762d707383c65c822c2310b17b1eb104c2 Mon Sep 17 00:00:00 2001 From: mh Date: Sun, 12 Dec 2010 18:47:06 +0100 Subject: enable HTS everywhere --- templates/vhosts/php_spip/php_spip.erb | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) (limited to 'templates/vhosts/php_spip/php_spip.erb') diff --git a/templates/vhosts/php_spip/php_spip.erb b/templates/vhosts/php_spip/php_spip.erb index 13c1199..05f8485 100644 --- a/templates/vhosts/php_spip/php_spip.erb +++ b/templates/vhosts/php_spip/php_spip.erb @@ -129,21 +129,19 @@ ErrorLog <%= logdir %>/error_log CustomLog <%= logdir %>/access_log combined <%- end -%> - <%- if default_charset.to_s != 'absent' then -%> - AddDefaultCharset <%= default_charset %> + AddDefaultCharset <%= default_charset %> <%- end -%> <%- if run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%> + AssignUserId <%= run_uid+" "+run_gid %> - <%- end -%> - <%- if ssl_mode.to_s == 'force' then -%> + Header add Strict-Transport-Security "max-age=15768000" - <%- end -%> /"> AllowOverride <%= allow_override %> <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> @@ -332,15 +330,13 @@ ProxyPass / https://127.0.0.1/ <%- end -%> ProxyPassReverse / https://127.0.0.1/ - <%- if default_charset.to_s != 'absent' then -%> - AddDefaultCharset <%= default_charset %> + AddDefaultCharset <%= default_charset %> <%- end -%> - <%- if ssl_mode.to_s == 'force' then -%> + Header add Strict-Transport-Security "max-age=15768000" - <%- end -%> <%- if run_mode.to_s == 'static-itk' -%> /"> AllowOverride <%= allow_override %> -- cgit v1.2.3 From cbbffa1d3de5a19a72dd7bb88fb1bcb14e5384e1 Mon Sep 17 00:00:00 2001 From: mh Date: Tue, 17 May 2011 22:52:47 +0200 Subject: improve mod_security rules * handled now by a partial * possibility to add rules that should be removed * possibility to add custom mod_sec options" * use new infrastructure for existing mod_sec tweaks --- templates/vhosts/php_spip/php_spip.erb | 72 ++-------------------------------- 1 file changed, 4 insertions(+), 68 deletions(-) (limited to 'templates/vhosts/php_spip/php_spip.erb') diff --git a/templates/vhosts/php_spip/php_spip.erb b/templates/vhosts/php_spip/php_spip.erb index 05f8485..ebd9d84 100644 --- a/templates/vhosts/php_spip/php_spip.erb +++ b/templates/vhosts/php_spip/php_spip.erb @@ -76,23 +76,7 @@ <%- end -%> <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> - - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - +<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> @@ -170,23 +154,7 @@ <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> - - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - +<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> @@ -265,23 +233,7 @@ <%- end -%> <%- end -%> - - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - +<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> @@ -353,23 +305,7 @@ <%- end -%> - - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - +<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> -- cgit v1.2.3 From cd1150af3af7411c88835d8fa5e41c40d40146fb Mon Sep 17 00:00:00 2001 From: mh Date: Tue, 17 May 2011 23:16:43 +0200 Subject: switching logs over to partials --- templates/vhosts/php_spip/php_spip.erb | 60 +++------------------------------- 1 file changed, 4 insertions(+), 56 deletions(-) (limited to 'templates/vhosts/php_spip/php_spip.erb') diff --git a/templates/vhosts/php_spip/php_spip.erb b/templates/vhosts/php_spip/php_spip.erb index ebd9d84..48a6774 100644 --- a/templates/vhosts/php_spip/php_spip.erb +++ b/templates/vhosts/php_spip/php_spip.erb @@ -15,20 +15,7 @@ <%- end -%> DocumentRoot <%= documentroot %>/ - <%- case logmode.to_s - when 'nologs' -%> - ErrorLog /dev/null - CustomLog /dev/null - <%- when 'semianonym' -%> - ErrorLog <%= logdir %>/error_log - CustomLog <%= logdir %>/access_log noip - <%- when 'anonym' -%> - ErrorLog /dev/null - CustomLog <%= logdir %>/access_log noip - <%- else -%> - ErrorLog <%= logdir %>/error_log - CustomLog <%= logdir %>/access_log combined - <%- end -%> +<%= scope.function_template('apache/vhosts/partials/logs.erb') %> <%- if ssl_mode.to_s == 'force' then -%> RewriteEngine On @@ -99,20 +86,7 @@ <%- end -%> DocumentRoot <%= documentroot %>/ - <%- case logmode.to_s - when 'nologs' -%> - ErrorLog /dev/null - CustomLog /dev/null - <%- when 'semianonym' -%> - ErrorLog <%= logdir %>/error_log - CustomLog <%= logdir %>/access_log noip - <%- when 'anonym' -%> - ErrorLog /dev/null - CustomLog <%= logdir %>/access_log noip - <%- else -%> - ErrorLog <%= logdir %>/error_log - CustomLog <%= logdir %>/access_log combined - <%- end -%> +<%= scope.function_template('apache/vhosts/partials/logs.erb') %> <%- if default_charset.to_s != 'absent' then -%> AddDefaultCharset <%= default_charset %> @@ -181,20 +155,7 @@ DirectoryIndex index.htm index.html index.php <%- end -%> - <%- case logmode.to_s - when 'nologs' -%> - ErrorLog /dev/null - CustomLog /dev/null - <%- when 'semianonym' -%> - ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log - CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip - <%- when 'anonym' -%> - ErrorLog /dev/null - CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip - <%- else -%> - ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log - CustomLog <%= logdir %>/<%= logfileprefix %>-access_log combined - <%- end -%> +<%= scope.function_template('apache/vhosts/partials/logs.erb') %> ProxyPreserveHost On ProxyRequests off @@ -258,20 +219,7 @@ DirectoryIndex index.htm index.html index.php <%- end -%> - <%- case logmode.to_s - when 'nologs' -%> - ErrorLog /dev/null - CustomLog /dev/null - <%- when 'semianonym' -%> - ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log - CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip - <%- when 'anonym' -%> - ErrorLog /dev/null - CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip - <%- else -%> - ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log - CustomLog <%= logdir %>/<%= logfileprefix %>-access_log combined - <%- end -%> +<%= scope.function_template('apache/vhosts/partials/logs.erb') %> ProxyPreserveHost On ProxyRequests off -- cgit v1.2.3 From 09feb96edeaff10bde462aabb8c4d0c961eadd1a Mon Sep 17 00:00:00 2001 From: mh Date: Tue, 17 May 2011 23:30:11 +0200 Subject: migrate authentication to partials --- templates/vhosts/php_spip/php_spip.erb | 28 ++++------------------------ 1 file changed, 4 insertions(+), 24 deletions(-) (limited to 'templates/vhosts/php_spip/php_spip.erb') diff --git a/templates/vhosts/php_spip/php_spip.erb b/templates/vhosts/php_spip/php_spip.erb index 48a6774..a4ffd19 100644 --- a/templates/vhosts/php_spip/php_spip.erb +++ b/templates/vhosts/php_spip/php_spip.erb @@ -40,12 +40,7 @@ Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> <%- end -%> - <%- unless htpasswd_file.to_s == 'absent' then -%> - AuthType Basic - AuthName "Access fuer <%= servername %>" - AuthUserFile <%= real_htpasswd_path %> - require valid-user - <%- end -%> +<%= scope.function_template('apache/vhosts/partials/authentication.erb') %> php_admin_flag engine on <%- if php_safe_mode.to_s == 'false' -%> php_admin_flag safe_mode Off @@ -106,12 +101,7 @@ Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> <%- end -%> - <%- unless htpasswd_file.to_s == 'absent' then -%> - AuthType Basic - AuthName "Access fuer <%= servername %>" - AuthUserFile <%= real_htpasswd_path %> - require valid-user - <%- end -%> +<%= scope.function_template('apache/vhosts/partials/authentication.erb') %> php_admin_flag engine on <%- if php_safe_mode.to_s == 'false' -%> php_admin_flag safe_mode Off @@ -184,12 +174,7 @@ Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> <%- end -%> - <%- unless htpasswd_file.to_s == 'absent' then -%> - AuthType Basic - AuthName "Access fuer <%= servername %>" - AuthUserFile <%= real_htpasswd_path %> - require valid-user - <%- end -%> +<%= scope.function_template('apache/vhosts/partials/authentication.erb') %> <%- end -%> <%- end -%> @@ -244,12 +229,7 @@ Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> <%- end -%> - <%- unless htpasswd_file.to_s == 'absent' then -%> - AuthType Basic - AuthName "Access fuer <%= servername %>" - AuthUserFile <%= real_htpasswd_path %> - require valid-user - <%- end -%> +<%= scope.function_template('apache/vhosts/partials/authentication.erb') %> <%- end -%> -- cgit v1.2.3 From 29517a83414f478a0e28a9fc57b178e35e9ba112 Mon Sep 17 00:00:00 2001 From: mh Date: Tue, 17 May 2011 23:42:56 +0200 Subject: this is now in the include file --- templates/vhosts/php_spip/php_spip.erb | 4 ---- 1 file changed, 4 deletions(-) (limited to 'templates/vhosts/php_spip/php_spip.erb') diff --git a/templates/vhosts/php_spip/php_spip.erb b/templates/vhosts/php_spip/php_spip.erb index a4ffd19..644c743 100644 --- a/templates/vhosts/php_spip/php_spip.erb +++ b/templates/vhosts/php_spip/php_spip.erb @@ -93,8 +93,6 @@ <%- end -%> - Header add Strict-Transport-Security "max-age=15768000" - /"> AllowOverride <%= allow_override %> <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> @@ -220,8 +218,6 @@ AddDefaultCharset <%= default_charset %> <%- end -%> - Header add Strict-Transport-Security "max-age=15768000" - <%- if run_mode.to_s == 'static-itk' -%> /"> AllowOverride <%= allow_override %> -- cgit v1.2.3 From 58847f6375cffe9c1018a7b51d5062b86796a534 Mon Sep 17 00:00:00 2001 From: mh Date: Wed, 18 May 2011 00:13:25 +0200 Subject: move header to partials --- templates/vhosts/php_spip/php_spip.erb | 68 +++++----------------------------- 1 file changed, 10 insertions(+), 58 deletions(-) (limited to 'templates/vhosts/php_spip/php_spip.erb') diff --git a/templates/vhosts/php_spip/php_spip.erb b/templates/vhosts/php_spip/php_spip.erb index 644c743..b4542bc 100644 --- a/templates/vhosts/php_spip/php_spip.erb +++ b/templates/vhosts/php_spip/php_spip.erb @@ -4,16 +4,7 @@ <%- end -%> <%- unless ssl_mode.to_s == 'only' then -%> - Include include.d/defaults.inc - - ServerName <%= servername %> - <%- unless serveralias.to_s.empty? then -%> - ServerAlias <%= serveralias %> - <%- end -%> - <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> - ServerAdmin <%= server_admin %> - <%- end -%> - DocumentRoot <%= documentroot %>/ +<%= scope.function_template('apache/vhosts/partials/header_default.erb') %> <%= scope.function_template('apache/vhosts/partials/logs.erb') %> @@ -22,10 +13,6 @@ RewriteCond %{HTTPS} !=on RewriteRule (.*) https://%{SERVER_NAME}$1 [R=permanent,L] - <%- end -%> - <%- if default_charset.to_s != 'absent' then -%> - AddDefaultCharset <%= default_charset %> - <%- end -%> <%- if run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%> @@ -69,23 +56,12 @@ <%- unless ssl_mode.to_s == 'false' then -%> - Include include.d/defaults.inc - Include include.d/ssl_defaults.inc - - ServerName <%= servername %> - <%- unless serveralias.to_s.empty? then -%> - ServerAlias <%= serveralias %> - <%- end -%> - <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> - ServerAdmin <%= server_admin %> - <%- end -%> - DocumentRoot <%= documentroot %>/ +<% scope.unsetvar('vhost_part') + scope.setvar('vhost_part',:ssl) -%> + <%= scope.function_template('apache/vhosts/partials/header_default.erb') %> +<% scope.unsetvar('vhost_part') -%> <%= scope.function_template('apache/vhosts/partials/logs.erb') %> - <%- if default_charset.to_s != 'absent' then -%> - - AddDefaultCharset <%= default_charset %> - <%- end -%> <%- if run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%> @@ -129,19 +105,8 @@ <%- unless ssl_mode.to_s == 'only' then -%> - Include include.d/defaults.inc - - ServerName <%= servername %> - <%- unless serveralias.to_s.empty? then -%> - ServerAlias <%= serveralias %> - <%- end -%> - <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> - ServerAdmin <%= server_admin %> - <%- end -%> - <%- if run_mode.to_s == 'static-itk' -%> - DocumentRoot <%= documentroot %>/ +<%= scope.function_template('apache/vhosts/partials/header_default.erb') %> DirectoryIndex index.htm index.html index.php - <%- end -%> <%= scope.function_template('apache/vhosts/partials/logs.erb') %> @@ -159,10 +124,6 @@ RewriteCond %{HTTPS} !=on RewriteRule (.*) https://%{SERVER_NAME}$1 [R=permanent,L] - <%- end -%> - <%- if default_charset.to_s != 'absent' then -%> - AddDefaultCharset <%= default_charset %> - <%- end -%> <%- if run_mode.to_s == 'static-itk' then -%> <%- if not ssl_mode.to_s == 'force' then -%> @@ -187,20 +148,11 @@ <%- unless ssl_mode.to_s == 'false' then -%> - Include include.d/defaults.inc - Include include.d/ssl_defaults.inc - - ServerName <%= servername %> - <%- unless serveralias.to_s.empty? then -%> - ServerAlias <%= serveralias %> - <%- end -%> - <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> - ServerAdmin <%= server_admin %> - <%- end -%> - <%- if run_mode.to_s == 'static-itk' -%> - DocumentRoot <%= documentroot %>/ +<% scope.unsetvar('vhost_part') + scope.setvar('vhost_part',:ssl) -%> + <%= scope.function_template('apache/vhosts/partials/header_default.erb') %> +<% scope.unsetvar('vhost_part') -%> DirectoryIndex index.htm index.html index.php - <%- end -%> <%= scope.function_template('apache/vhosts/partials/logs.erb') %> -- cgit v1.2.3 From 7d5eae278c87136bc26f1d312b599b79f5782ee6 Mon Sep 17 00:00:00 2001 From: mh Date: Wed, 18 May 2011 00:40:27 +0200 Subject: we need to set the var also vor http parts --- templates/vhosts/php_spip/php_spip.erb | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) (limited to 'templates/vhosts/php_spip/php_spip.erb') diff --git a/templates/vhosts/php_spip/php_spip.erb b/templates/vhosts/php_spip/php_spip.erb index b4542bc..9f93c18 100644 --- a/templates/vhosts/php_spip/php_spip.erb +++ b/templates/vhosts/php_spip/php_spip.erb @@ -4,7 +4,10 @@ <%- end -%> <%- unless ssl_mode.to_s == 'only' then -%> -<%= scope.function_template('apache/vhosts/partials/header_default.erb') %> +<% scope.unsetvar('vhost_part') + scope.setvar('vhost_part',:normal) -%> + <%= scope.function_template('apache/vhosts/partials/header_default.erb') %> +<% scope.unsetvar('vhost_part') -%> <%= scope.function_template('apache/vhosts/partials/logs.erb') %> @@ -105,7 +108,10 @@ <%- unless ssl_mode.to_s == 'only' then -%> -<%= scope.function_template('apache/vhosts/partials/header_default.erb') %> +<% scope.unsetvar('vhost_part') + scope.setvar('vhost_part',:normal) -%> + <%= scope.function_template('apache/vhosts/partials/header_default.erb') %> +<% scope.unsetvar('vhost_part') -%> DirectoryIndex index.htm index.html index.php <%= scope.function_template('apache/vhosts/partials/logs.erb') %> @@ -165,10 +171,6 @@ ProxyPass / https://127.0.0.1/ <%- end -%> ProxyPassReverse / https://127.0.0.1/ - <%- if default_charset.to_s != 'absent' then -%> - - AddDefaultCharset <%= default_charset %> - <%- end -%> <%- if run_mode.to_s == 'static-itk' -%> /"> -- cgit v1.2.3 From 2fa748dcc92e34b13bd4b6f7e452ef89b29490c4 Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 8 Oct 2011 19:22:40 +0200 Subject: introduce a new template style, less duplicated things, more handy options --- templates/vhosts/php_spip/php_spip.erb | 194 --------------------------------- 1 file changed, 194 deletions(-) delete mode 100644 templates/vhosts/php_spip/php_spip.erb (limited to 'templates/vhosts/php_spip/php_spip.erb') diff --git a/templates/vhosts/php_spip/php_spip.erb b/templates/vhosts/php_spip/php_spip.erb deleted file mode 100644 index 9f93c18..0000000 --- a/templates/vhosts/php_spip/php_spip.erb +++ /dev/null @@ -1,194 +0,0 @@ -# <%= servername %> -<%- if run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> - -<%- end -%> -<%- unless ssl_mode.to_s == 'only' then -%> - -<% scope.unsetvar('vhost_part') - scope.setvar('vhost_part',:normal) -%> - <%= scope.function_template('apache/vhosts/partials/header_default.erb') %> -<% scope.unsetvar('vhost_part') -%> - -<%= scope.function_template('apache/vhosts/partials/logs.erb') %> - - <%- if ssl_mode.to_s == 'force' then -%> - RewriteEngine On - RewriteCond %{HTTPS} !=on - RewriteRule (.*) https://%{SERVER_NAME}$1 [R=permanent,L] - - <%- end -%> - <%- if run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%> - - AssignUserId <%= run_uid+" "+run_gid %> - - - <%- end -%> - <%- if not ssl_mode.to_s == 'force' then -%> - /"> - AllowOverride <%= allow_override %> - <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> - Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> - - <%- end -%> -<%= scope.function_template('apache/vhosts/partials/authentication.erb') %> - php_admin_flag engine on - <%- if php_safe_mode.to_s == 'false' -%> - php_admin_flag safe_mode Off - <%- end -%> - <%- unless php_default_charset.to_s == 'absent' then -%> - php_admin_value default_charset <%= php_default_charset %> - <%- end -%> - php_admin_value open_basedir <%- if php_use_smarty.to_s == 'true' -%>/usr/share/php/Smarty/:<%- end -%><%- if php_use_pear.to_s == 'true' -%>/usr/share/pear/:<%- end -%><%= documentroot %>:<%= real_php_upload_tmp_dir %>:<%= real_php_session_save_path %> - php_admin_value upload_tmp_dir <%= real_php_upload_tmp_dir %> - php_admin_value session.save_path <%= real_php_session_save_path %> - <%- unless php_safe_mode_exec_bins.to_s == 'absent' then -%> - php_admin_value safe_mode_exec_dir <%= real_php_safe_mode_exec_bin_dir %> - <%- end -%> - - <%- end -%> - - <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> -<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> - <%- end -%> - - <%- unless additional_options.to_s == 'absent' then -%> - <%= additional_options %> - <%- end -%> - -<%- end -%> - -<%- unless ssl_mode.to_s == 'false' then -%> - -<% scope.unsetvar('vhost_part') - scope.setvar('vhost_part',:ssl) -%> - <%= scope.function_template('apache/vhosts/partials/header_default.erb') %> -<% scope.unsetvar('vhost_part') -%> - -<%= scope.function_template('apache/vhosts/partials/logs.erb') %> - <%- if run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%> - - - AssignUserId <%= run_uid+" "+run_gid %> - - <%- end -%> - - /"> - AllowOverride <%= allow_override %> - <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> - Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> - - <%- end -%> -<%= scope.function_template('apache/vhosts/partials/authentication.erb') %> - php_admin_flag engine on - <%- if php_safe_mode.to_s == 'false' -%> - php_admin_flag safe_mode Off - <%- end -%> - <%- unless php_default_charset.to_s == 'absent' then -%> - php_admin_value default_charset <%= php_default_charset %> - <%- end -%> - php_admin_value open_basedir <%- if php_use_smarty.to_s == 'true' -%>/usr/share/php/Smarty/:<%- end -%><%- if php_use_pear.to_s == 'true' -%>/usr/share/pear/:<%- end -%><%= documentroot %>:<%= real_php_upload_tmp_dir %>:<%= real_php_session_save_path %> - php_admin_value upload_tmp_dir <%= real_php_upload_tmp_dir %> - php_admin_value session.save_path <%= real_php_session_save_path %> - <%- unless php_safe_mode_exec_bins.to_s == 'absent' then -%> - php_admin_value safe_mode_exec_dir <%= real_php_safe_mode_exec_bin_dir %> - <%- end -%> - - - <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> -<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> - <%- end -%> - - <%- unless additional_options.to_s == 'absent' then -%> - <%= additional_options %> - <%- end -%> - -<%- end -%> -<%- if run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> - - -<%- unless ssl_mode.to_s == 'only' then -%> - -<% scope.unsetvar('vhost_part') - scope.setvar('vhost_part',:normal) -%> - <%= scope.function_template('apache/vhosts/partials/header_default.erb') %> -<% scope.unsetvar('vhost_part') -%> - DirectoryIndex index.htm index.html index.php - -<%= scope.function_template('apache/vhosts/partials/logs.erb') %> - - ProxyPreserveHost On - ProxyRequests off - <%- if run_mode.to_s == 'static-itk' -%> - ProxyPassMatch ^/(.*\.php/?.*)$ http://127.0.0.1/$1 - <%- else -%> - ProxyPass / http://127.0.0.1/ - <%- end -%> - ProxyPassReverse / http://127.0.0.1/ - - <%- if ssl_mode.to_s == 'force' then -%> - RewriteEngine On - RewriteCond %{HTTPS} !=on - RewriteRule (.*) https://%{SERVER_NAME}$1 [R=permanent,L] - - <%- end -%> - <%- if run_mode.to_s == 'static-itk' then -%> - <%- if not ssl_mode.to_s == 'force' then -%> - /"> - AllowOverride <%= allow_override %> - <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> - Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> - - <%- end -%> -<%= scope.function_template('apache/vhosts/partials/authentication.erb') %> - - <%- end -%> - <%- end -%> - -<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> - - <%- unless additional_options.to_s == 'absent' then -%> - <%= additional_options %> - <%- end -%> - -<%- end -%> - -<%- unless ssl_mode.to_s == 'false' then -%> - -<% scope.unsetvar('vhost_part') - scope.setvar('vhost_part',:ssl) -%> - <%= scope.function_template('apache/vhosts/partials/header_default.erb') %> -<% scope.unsetvar('vhost_part') -%> - DirectoryIndex index.htm index.html index.php - -<%= scope.function_template('apache/vhosts/partials/logs.erb') %> - - ProxyPreserveHost On - ProxyRequests off - SSLProxyEngine On - <%- if run_mode.to_s == 'static-itk' -%> - ProxyPassMatch ^/(.*\.php/?.*)$ https://127.0.0.1/$1 - <%- else -%> - ProxyPass / https://127.0.0.1/ - <%- end -%> - ProxyPassReverse / https://127.0.0.1/ - - <%- if run_mode.to_s == 'static-itk' -%> - /"> - AllowOverride <%= allow_override %> - <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> - Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> - - <%- end -%> -<%= scope.function_template('apache/vhosts/partials/authentication.erb') %> - - <%- end -%> - -<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> - - <%- unless additional_options.to_s == 'absent' then -%> - <%= additional_options %> - <%- end -%> - -<%- end -%> - -<%- end -%> -- cgit v1.2.3