From 7bbb0feacac0565457f5f56f65468429803454fb Mon Sep 17 00:00:00 2001 From: mh Date: Wed, 11 Aug 2010 14:06:53 +0200 Subject: introduce logmode feature We are now able to select how apache should log accesses. These modes are: * default: as you would use it * semianonym: no ips are logged for CustomLog, ErrorLog still logs ips * anonym: no ips are logged for CustomLog, ErrorLog is sent to /dev/null * nologs: all logs are sent to /dev/null --- templates/vhosts/static/static.erb | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) (limited to 'templates/vhosts/static') diff --git a/templates/vhosts/static/static.erb b/templates/vhosts/static/static.erb index 05354d6..3d3e4ed 100644 --- a/templates/vhosts/static/static.erb +++ b/templates/vhosts/static/static.erb @@ -11,8 +11,20 @@ <%- end -%> DocumentRoot <%= documentroot %>/ + <%- case logmode.to_s + when 'nologs' -%> + ErrorLog /dev/null + CustomLog /dev/null + <%- when 'semianonym' -%> + ErrorLog <%= logdir %>/error_log + CustomLog <%= logdir %>/access_log noip + <%- when 'anonym' -%> + ErrorLog /dev/null + CustomLog <%= logdir %>/access_log noip + <%- else -%> ErrorLog <%= logdir %>/error_log CustomLog <%= logdir %>/access_log combined + <%- end -%> <%- if default_charset.to_s != 'absent' then -%> AddDefaultCharset <%= default_charset %> <%- end -%> @@ -73,8 +85,20 @@ <%- end -%> DocumentRoot <%= documentroot %>/ + <%- case logmode.to_s + when 'nologs' -%> + ErrorLog /dev/null + CustomLog /dev/null + <%- when 'semianonym' -%> + ErrorLog <%= logdir %>/error_log + CustomLog <%= logdir %>/access_log noip + <%- when 'anonym' -%> + ErrorLog /dev/null + CustomLog <%= logdir %>/access_log noip + <%- else -%> ErrorLog <%= logdir %>/error_log CustomLog <%= logdir %>/access_log combined + <%- end -%> <%- if default_charset.to_s != 'absent' then -%> AddDefaultCharset <%= default_charset %> <%- end -%> -- cgit v1.2.3 From a4358a825de159a145b877c7b7d7c795c72cb3b4 Mon Sep 17 00:00:00 2001 
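Review bot: In the `nologs` branch of both hunks (-11,8 and -73,8), `CustomLog /dev/null` has no format argument, but Apache's CustomLog needs a target plus a format or nickname, so a vhost rendered with logmode 'nologs' would likely fail the config test; `CustomLog /dev/null combined` keeps the intent. The `noip` nickname used by the `semianonym` and `anonym` branches is not defined in this template; if no `LogFormat ... noip` exists in an included file, Apache will most likely take the word as a literal format string, so that definition should be confirmed. A short comment above the `case`, stating that `semianonym` still records client addresses in the error log and that `anonym` discards error output entirely, would tell operators what each mode costs in diagnostics.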
From: mh Date: Mon, 25 Oct 2010 22:58:24 +0200 Subject: improve redirect, so we don't stick on the servername --- templates/vhosts/static/static.erb | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'templates/vhosts/static') diff --git a/templates/vhosts/static/static.erb b/templates/vhosts/static/static.erb index 3d3e4ed..18168c1 100644 --- a/templates/vhosts/static/static.erb +++ b/templates/vhosts/static/static.erb @@ -29,7 +29,10 @@ AddDefaultCharset <%= default_charset %> <%- end -%> <%- if ssl_mode.to_s == 'force' then -%> - Redirect permanent / https://<%= servername %>/ + RewriteEngine On + RewriteCond %{HTTPS} !=on + RewriteRule (.*) https://%{SERVER_NAME}$1 [R=permanent,L] + <%- end -%> <%- if not ssl_mode.to_s == 'force' then -%> -- cgit v1.2.3 From a87d7b91cc95c8ac7aee327e4cf4d3ce564cdea1 Mon Sep 17 00:00:00 2001 From: mh Date: Mon, 6 Dec 2010 17:40:46 +0100 Subject: add STS header for enforced SSL sites * http://en.wikipedia.org/wiki/Strict_Transport_Security This will tell browsers to interact with that site only per HTTPS. --- templates/vhosts/static/static.erb | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'templates/vhosts/static') diff --git a/templates/vhosts/static/static.erb b/templates/vhosts/static/static.erb index 18168c1..7eac5a9 100644 --- a/templates/vhosts/static/static.erb +++ b/templates/vhosts/static/static.erb @@ -106,6 +106,10 @@ AddDefaultCharset <%= default_charset %> <%- end -%> + <%- if ssl_mode.to_s == 'force' then -%> + Header add Strict-Transport-Security "max-age=15768000" + + <%- end -%> <%- if options.to_s != 'absent' or htpasswd_file.to_s != 'absent' then -%> /"> AllowOverride <%= allow_override %> -- cgit v1.2.3 From 22fba9762d707383c65c822c2310b17b1eb104c2 Mon Sep 17 00:00:00 2001 From: mh Date: Sun, 12 Dec 2010 18:47:06 +0100 Subject: enable HTS everywhere --- templates/vhosts/static/static.erb | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'templates/vhosts/static') 
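Review bot: The redirect target in `RewriteRule (.*) https://%{SERVER_NAME}$1 [R=permanent,L]` now depends on how the server resolves SERVER_NAME, and with `UseCanonicalName Off` that value comes from the request's Host header rather than from `ServerName`. That matches the commit's intent for aliases, but if this vhost is also the default for its address, any Host value a client sends is echoed into a permanent, cacheable redirect. The UseCanonicalName setting is not visible in this hunk (it may live in `include.d/defaults.inc`), so I would add a comment such as `# redirect host follows the request's Host header; only ServerName/ServerAlias should be routed here`, or restrict the rule with a `RewriteCond %{HTTP_HOST}` check if the vhost can act as a catch-all. The enclosing vhost block starts outside the hunk.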
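Review bot: `Header add Strict-Transport-Security "max-age=15768000"` appends rather than replaces, and without the `always` condition it is not attached to error responses the server generates itself; `Header always set Strict-Transport-Security "max-age=15768000"` avoids a duplicate header if an include also sets one and covers those responses too. The directive needs mod_headers, so the vhost fails to load on a host where the module is not enabled unless the line is wrapped in `<IfModule mod_headers.c>`. The enclosing vhost block starts outside the hunk; browsers ignore this header on plain HTTP, so it only takes effect if line 106 sits in the SSL vhost.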
diff --git a/templates/vhosts/static/static.erb b/templates/vhosts/static/static.erb index 7eac5a9..030d588 100644 --- a/templates/vhosts/static/static.erb +++ b/templates/vhosts/static/static.erb @@ -103,13 +103,12 @@ CustomLog <%= logdir %>/access_log combined <%- end -%> <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> <%- end -%> - <%- if ssl_mode.to_s == 'force' then -%> Header add Strict-Transport-Security "max-age=15768000" - <%- end -%> <%- if options.to_s != 'absent' or htpasswd_file.to_s != 'absent' then -%> /"> AllowOverride <%= allow_override %> -- cgit v1.2.3 From cbbffa1d3de5a19a72dd7bb88fb1bcb14e5384e1 Mon Sep 17 00:00:00 2001 From: mh Date: Tue, 17 May 2011 22:52:47 +0200 Subject: improve mod_security rules * handled now by a partial * possibility to add rules that should be removed * possibility to add custom mod_sec options" * use new infrastructure for existing mod_sec tweaks --- templates/vhosts/static/static.erb | 36 ++---------------------------------- 1 file changed, 2 insertions(+), 34 deletions(-) (limited to 'templates/vhosts/static') diff --git a/templates/vhosts/static/static.erb b/templates/vhosts/static/static.erb index 030d588..55ae5ac 100644 --- a/templates/vhosts/static/static.erb +++ b/templates/vhosts/static/static.erb @@ -51,23 +51,7 @@ <%- end -%> - - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - +<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> 
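Review bot: With the `ssl_mode.to_s == 'force'` guard removed, the Strict-Transport-Security header is sent by every vhost that renders this block, including sites that deliberately serve both HTTP and HTTPS. A browser that sees it once refuses plain HTTP for that hostname for the full max-age (15768000 seconds, roughly six months) and hard-fails on certificate errors, so a site with a self-signed or later-expired certificate becomes unreachable for returning visitors. I would keep the header switchable per vhost, or at least note the lock-in next to the directive with `# HSTS pins browsers to HTTPS for max-age seconds; needs a valid certificate for that whole period`. The empty line added after the `default_charset` condition looks unintentional.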
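Review bot: The inline block replaced here wrote `SecAuditLog` and `SecDebugLog` under `<%= logdir %>` regardless of `logmode`, and nothing in this hunk shows that `mod_security.erb` changes that. ModSecurity audit entries record the client address and request details, so a vhost set to `anonym` or `nologs` would still store IPs whenever `mod_security` is true; the partial is the natural place to gate the audit engine on `logmode`. The partial is outside this diff (it is limited to templates/vhosts/static), so this needs checking there, and the same applies to the second hunk at -125,23. An ERB comment above the call, `<%# reads at least mod_security, mod_security_relevantonly and logdir from the calling scope %>`, would make the implicit inputs visible.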
@@ -125,23 +109,7 @@ <%- end %> - - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - +<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> -- cgit v1.2.3 From cd1150af3af7411c88835d8fa5e41c40d40146fb Mon Sep 17 00:00:00 2001 From: mh Date: Tue, 17 May 2011 23:16:43 +0200 Subject: switching logs over to partials --- templates/vhosts/static/static.erb | 33 ++------------------------------- 1 file changed, 2 insertions(+), 31 deletions(-) (limited to 'templates/vhosts/static') diff --git a/templates/vhosts/static/static.erb b/templates/vhosts/static/static.erb index 55ae5ac..05760d6 100644 --- a/templates/vhosts/static/static.erb +++ b/templates/vhosts/static/static.erb @@ -11,23 +11,7 @@ <%- end -%> DocumentRoot <%= documentroot %>/ - <%- case logmode.to_s - when 'nologs' -%> - ErrorLog /dev/null - CustomLog /dev/null - <%- when 'semianonym' -%> - ErrorLog <%= logdir %>/error_log - CustomLog <%= logdir %>/access_log noip - <%- when 'anonym' -%> - ErrorLog /dev/null - CustomLog <%= logdir %>/access_log noip - <%- else -%> - ErrorLog <%= logdir %>/error_log - CustomLog <%= logdir %>/access_log combined - <%- end -%> - <%- if default_charset.to_s != 'absent' then -%> - AddDefaultCharset <%= default_charset %> - <%- end -%> +<%= scope.function_template('apache/vhosts/partials/logs.erb') %> <%- if ssl_mode.to_s == 'force' then -%> RewriteEngine On RewriteCond %{HTTPS} !=on 
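Review bot: The two hunks of this commit are not symmetric: the hunk at -11,23 removes the `default_charset` / `AddDefaultCharset` block together with the log directives, while the hunk at -72,20 keeps that block as context. Unless `logs.erb` emits `AddDefaultCharset`, the HTTP vhost loses its charset declaration; if it does emit it, the SSL vhost now declares it twice. A missing charset leaves browsers to guess the encoding, so I would either restore the three removed lines in the first block or drop them from both blocks in the same commit. The partial is not part of this diff, so which case applies cannot be confirmed from here.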
@@ -72,20 +56,7 @@ <%- end -%> DocumentRoot <%= documentroot %>/ - <%- case logmode.to_s - when 'nologs' -%> - ErrorLog /dev/null - CustomLog /dev/null - <%- when 'semianonym' -%> - ErrorLog <%= logdir %>/error_log - CustomLog <%= logdir %>/access_log noip - <%- when 'anonym' -%> - ErrorLog /dev/null - CustomLog <%= logdir %>/access_log noip - <%- else -%> - ErrorLog <%= logdir %>/error_log - CustomLog <%= logdir %>/access_log combined - <%- end -%> +<%= scope.function_template('apache/vhosts/partials/logs.erb') %> <%- if default_charset.to_s != 'absent' then -%> AddDefaultCharset <%= default_charset %> -- cgit v1.2.3 From 09feb96edeaff10bde462aabb8c4d0c961eadd1a Mon Sep 17 00:00:00 2001 From: mh Date: Tue, 17 May 2011 23:30:11 +0200 Subject: migrate authentication to partials --- templates/vhosts/static/static.erb | 16 ++-------------- 1 file changed, 2 insertions(+), 14 deletions(-) (limited to 'templates/vhosts/static') diff --git a/templates/vhosts/static/static.erb b/templates/vhosts/static/static.erb index 05760d6..db5f102 100644 --- a/templates/vhosts/static/static.erb +++ b/templates/vhosts/static/static.erb @@ -26,12 +26,7 @@ Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> <%- end -%> - <%- unless htpasswd_file.to_s == 'absent' then -%> - AuthType Basic - AuthName "Access fuer <%= servername %>" - AuthUserFile <%= real_htpasswd_path %> - require valid-user - <%- end -%> +<%= scope.function_template('apache/vhosts/partials/authentication.erb') %> <%- end -%> 
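Review bot: The authentication partial is rendered inside the Directory block touched by the hunk at -26,12, which by its position is the plain-HTTP vhost, and the removed lines show that it configures `AuthType Basic`. Basic credentials are only base64-encoded, so when `htpasswd_file` is set and the site is not forced to HTTPS they cross the network in readable form. The surrounding condition starts outside the hunk; judging by other hunks on this page it appears to be `if not ssl_mode.to_s == 'force'`, which would make this case reachable. I would have password-protected sites redirect to HTTPS the way `ssl_mode` 'force' does, or at least state the limitation at the call with `<%# Basic auth: only safe when the vhost is served over TLS %>`.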
@@ -64,21 +59,14 @@ Header add Strict-Transport-Security "max-age=15768000" - <%- if options.to_s != 'absent' or htpasswd_file.to_s != 'absent' then -%> /"> AllowOverride <%= allow_override %> <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> Options <%= options %><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> <%- end -%> - <%- unless htpasswd_file.to_s == 'absent' then -%> - AuthType Basic - AuthName "Access fuer <%= servername %>" - AuthUserFile <%= real_htpasswd_path %> - require valid-user - <%- end -%> +<%= scope.function_template('apache/vhosts/partials/authentication.erb') %> - <%- end %> <%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> -- cgit v1.2.3 From 29517a83414f478a0e28a9fc57b178e35e9ba112 Mon Sep 17 00:00:00 2001 From: mh Date: Tue, 17 May 2011 23:42:56 +0200 Subject: this is now in the include file --- templates/vhosts/static/static.erb | 2 -- 1 file changed, 2 deletions(-) (limited to 'templates/vhosts/static') diff --git a/templates/vhosts/static/static.erb b/templates/vhosts/static/static.erb index db5f102..287f413 100644 --- a/templates/vhosts/static/static.erb +++ b/templates/vhosts/static/static.erb @@ -57,8 +57,6 @@ AddDefaultCharset <%= default_charset %> <%- end -%> - Header add Strict-Transport-Security "max-age=15768000" - /"> AllowOverride <%= allow_override %> <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> -- cgit v1.2.3 From 58847f6375cffe9c1018a7b51d5062b86796a534 Mon Sep 17 00:00:00 2001 From: mh Date: Wed, 18 May 2011 00:13:25 +0200 Subject: move header to partials --- templates/vhosts/static/static.erb | 28 +++++----------------------- 1 file changed, 5 insertions(+), 23 deletions(-) (limited to 'templates/vhosts/static') diff --git a/templates/vhosts/static/static.erb b/templates/vhosts/static/static.erb index 287f413..bbe8527 100644 --- a/templates/vhosts/static/static.erb 
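Review bot: Once the hunk at -64,21 removes the outer `options`/`htpasswd_file` guard, the Directory block in this vhost is always rendered, and its unchanged `Options <%= options %>` line lacks the `unless options.to_s == 'absent'` wrapper that the other vhost block uses. With `options` left at 'absent' and `do_includes` set to 'true' it renders `Options absent +Includes`, which Apache rejects as an illegal option. Changing the start of that line to `Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%>` and keeping the existing `+Includes` condition after it makes both blocks agree. The Directory block begins outside the hunk.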
+++ b/templates/vhosts/static/static.erb @@ -1,15 +1,7 @@ # <%= servername %> <%- unless ssl_mode.to_s == 'only' then -%> - Include include.d/defaults.inc - ServerName <%= servername %> - <%- unless serveralias.to_s.empty? then -%> - ServerAlias <%= serveralias %> - <%- end -%> - <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> - ServerAdmin <%= server_admin %> - <%- end -%> - DocumentRoot <%= documentroot %>/ +<%= scope.function_template('apache/vhosts/partials/header_default.erb') %> <%= scope.function_template('apache/vhosts/partials/logs.erb') %> <%- if ssl_mode.to_s == 'force' then -%> @@ -40,22 +32,12 @@ <%- unless ssl_mode.to_s == 'false' then -%> - Include include.d/defaults.inc - Include include.d/ssl_defaults.inc - ServerName <%= servername %> - <%- unless serveralias.to_s.empty? then -%> - ServerAlias <%= serveralias %> - <%- end -%> - <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> - ServerAdmin <%= server_admin %> - <%- end -%> - DocumentRoot <%= documentroot %>/ +<% scope.unsetvar('vhost_part') + scope.setvar('vhost_part',:ssl) -%> + <%= scope.function_template('apache/vhosts/partials/header_default.erb') %> +<% scope.unsetvar('vhost_part') -%> <%= scope.function_template('apache/vhosts/partials/logs.erb') %> - <%- if default_charset.to_s != 'absent' then -%> - - AddDefaultCharset <%= default_charset %> - <%- end -%> /"> AllowOverride <%= allow_override %> -- cgit v1.2.3 From 7d5eae278c87136bc26f1d312b599b79f5782ee6 Mon Sep 17 00:00:00 2001 From: mh Date: Wed, 18 May 2011 00:40:27 +0200 Subject: we need to set the var also vor http parts --- templates/vhosts/static/static.erb | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'templates/vhosts/static') diff --git a/templates/vhosts/static/static.erb b/templates/vhosts/static/static.erb index bbe8527..e8e278b 100644 --- a/templates/vhosts/static/static.erb +++ b/templates/vhosts/static/static.erb 
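Review bot: The SSL hunk (-40,22) hands `vhost_part` to `header_default.erb` by mutating the Puppet scope, and the explicit `Include include.d/ssl_defaults.inc` line disappears from this template with it. If the partial does not see the value, or compares the symbol `:ssl` against a string, the SSL vhost would render without its SSL defaults and nothing in this file would flag it. The partial is not in this diff, so that comparison has to be checked there. A comment at the call, `<%# header_default.erb is expected to add ssl_defaults.inc when vhost_part is :ssl %>`, would document the contract, assuming that is what the partial does.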
@@ -1,7 +1,10 @@ # <%= servername %> <%- unless ssl_mode.to_s == 'only' then -%> -<%= scope.function_template('apache/vhosts/partials/header_default.erb') %> +<% scope.unsetvar('vhost_part') + scope.setvar('vhost_part',:normal) -%> + <%= scope.function_template('apache/vhosts/partials/header_default.erb') %> +<% scope.unsetvar('vhost_part') -%> <%= scope.function_template('apache/vhosts/partials/logs.erb') %> <%- if ssl_mode.to_s == 'force' then -%> -- cgit v1.2.3 From 9f52ab2655acccd47cf7e3a824b603c5d6846f35 Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 8 Oct 2011 12:31:14 +0200 Subject: migrating a first part over to the new partial style --- templates/vhosts/static/CentOS.erb | 1 - templates/vhosts/static/Debian.erb | 1 - templates/vhosts/static/OpenBSD.erb | 1 - templates/vhosts/static/partial.erb | 8 +++++ templates/vhosts/static/static.erb | 60 ------------------------------------- 5 files changed, 8 insertions(+), 63 deletions(-) delete mode 120000 templates/vhosts/static/CentOS.erb delete mode 120000 templates/vhosts/static/Debian.erb delete mode 120000 templates/vhosts/static/OpenBSD.erb create mode 100644 templates/vhosts/static/partial.erb delete mode 100644 templates/vhosts/static/static.erb (limited to 'templates/vhosts/static') diff --git a/templates/vhosts/static/CentOS.erb b/templates/vhosts/static/CentOS.erb deleted file mode 120000 index f10517f..0000000 --- a/templates/vhosts/static/CentOS.erb +++ /dev/null @@ -1 +0,0 @@ -static.erb \ No newline at end of file diff --git a/templates/vhosts/static/Debian.erb b/templates/vhosts/static/Debian.erb deleted file mode 120000 index f10517f..0000000 --- a/templates/vhosts/static/Debian.erb +++ /dev/null @@ -1 +0,0 @@ -static.erb \ No newline at end of file diff --git a/templates/vhosts/static/OpenBSD.erb b/templates/vhosts/static/OpenBSD.erb deleted file mode 120000 index f10517f..0000000 --- a/templates/vhosts/static/OpenBSD.erb +++ /dev/null @@ -1 +0,0 @@ -static.erb \ No newline at end of file 
diff --git a/templates/vhosts/static/partial.erb b/templates/vhosts/static/partial.erb new file mode 100644 index 0000000..03bd2f8 --- /dev/null +++ b/templates/vhosts/static/partial.erb @@ -0,0 +1,8 @@ + /"> + AllowOverride <%= allow_override %> + <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> + Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> + + <%- end -%> +<%= scope.function_template('apache/vhosts/partials/authentication.erb') %> + \ No newline at end of file diff --git a/templates/vhosts/static/static.erb b/templates/vhosts/static/static.erb deleted file mode 100644 index e8e278b..0000000 --- a/templates/vhosts/static/static.erb +++ /dev/null 
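Review bot: In the new partial.erb, `do_includes` appends `+Includes`, which enables server-side includes together with `#exec`, so any file in the document root that is parsed for SSI can run commands as the web server user. For a static vhost `+IncludesNOEXEC` provides includes without command execution. The existing `options.include?('+Includes')` test already matches that spelling as a substring, so only the appended literal needs to change to ` +IncludesNOEXEC`. If exec is really wanted, a comment next to the condition saying so would make the choice explicit.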
@@ -1,60 +0,0 @@ -# <%= servername %> -<%- unless ssl_mode.to_s == 'only' then -%> - -<% scope.unsetvar('vhost_part') - scope.setvar('vhost_part',:normal) -%> - <%= scope.function_template('apache/vhosts/partials/header_default.erb') %> -<% scope.unsetvar('vhost_part') -%> - -<%= scope.function_template('apache/vhosts/partials/logs.erb') %> - <%- if ssl_mode.to_s == 'force' then -%> - RewriteEngine On - RewriteCond %{HTTPS} !=on - RewriteRule (.*) https://%{SERVER_NAME}$1 [R=permanent,L] - - <%- end -%> - - <%- if not ssl_mode.to_s == 'force' then -%> - /"> - AllowOverride <%= allow_override %> - <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> - Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> - - <%- end -%> -<%= scope.function_template('apache/vhosts/partials/authentication.erb') %> - - <%- end -%> - -<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> - - <%- unless additional_options.to_s == 'absent' then -%> - <%= additional_options %> - <%- end -%> - -<%- end -%> - -<%- unless ssl_mode.to_s == 'false' then -%> - -<% scope.unsetvar('vhost_part') - scope.setvar('vhost_part',:ssl) -%> - <%= scope.function_template('apache/vhosts/partials/header_default.erb') %> -<% scope.unsetvar('vhost_part') -%> - -<%= scope.function_template('apache/vhosts/partials/logs.erb') %> - - /"> - AllowOverride <%= allow_override %> - <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> - Options <%= options %><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> - - <%- end -%> -<%= scope.function_template('apache/vhosts/partials/authentication.erb') %> - - -<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> - - <%- unless additional_options.to_s == 'absent' then -%> - <%= additional_options %> - <%- end -%> - -<%- end -%> 
-- cgit v1.2.3 From 2fa748dcc92e34b13bd4b6f7e452ef89b29490c4 Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 8 Oct 2011 19:22:40 +0200 Subject: introduce a new template style, less duplicated things, more handy options --- templates/vhosts/static/partial.erb | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) (limited to 'templates/vhosts/static') diff --git a/templates/vhosts/static/partial.erb b/templates/vhosts/static/partial.erb index 03bd2f8..78dc925 100644 --- a/templates/vhosts/static/partial.erb +++ b/templates/vhosts/static/partial.erb @@ -1,8 +1,5 @@ /"> - AllowOverride <%= allow_override %> - <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> - Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> +<%= scope.function_template('apache/vhosts/partials/std_override_options.erb') %> - <%- end -%> <%= scope.function_template('apache/vhosts/partials/authentication.erb') %> \ No newline at end of file -- cgit v1.2.3 From 9cbf2fafee3f4623b75d1a6b70458ab097e64924 Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 8 Jun 2012 12:09:39 -0300 Subject: fix dynamic scope variables, function access --- templates/vhosts/static/partial.erb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'templates/vhosts/static') diff --git a/templates/vhosts/static/partial.erb b/templates/vhosts/static/partial.erb index 78dc925..f2cc46b 100644 --- a/templates/vhosts/static/partial.erb +++ b/templates/vhosts/static/partial.erb @@ -1,5 +1,5 @@ /"> -<%= scope.function_template('apache/vhosts/partials/std_override_options.erb') %> +<%= scope.function_template(['apache/vhosts/partials/std_override_options.erb']) %> -<%= scope.function_template('apache/vhosts/partials/authentication.erb') %> - \ No newline at end of file +<%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %> + -- cgit v1.2.3