From 0a935aba20935ff81023874ba0615ac17d7c874e Mon Sep 17 00:00:00 2001 
From: mhoellein Date: Mon, 23 Jan 2023 11:33:52 +0100 Subject: [PATCH] committing changes in /etc after apt run Package changes: -apache2 2.4.54-1+ubuntu18.04.1+deb.sury.org+1 amd64 -apache2-bin 2.4.54-1+ubuntu18.04.1+deb.sury.org+1 amd64 -apache2-data 2.4.54-1+ubuntu18.04.1+deb.sury.org+1 all -apache2-utils 2.4.54-1+ubuntu18.04.1+deb.sury.org+1 amd64 +apache2 2.4.55-1+ubuntu18.04.1+deb.sury.org+2 amd64 +apache2-bin 2.4.55-1+ubuntu18.04.1+deb.sury.org+2 amd64 +apache2-data 2.4.55-1+ubuntu18.04.1+deb.sury.org+2 all +apache2-utils 2.4.55-1+ubuntu18.04.1+deb.sury.org+2 amd64 -chromium-codecs-ffmpeg-extra 108.0.5359.71-0ubuntu0.18.04.5 amd64 +chromium-codecs-ffmpeg-extra 109.0.5414.74-0ubuntu0.18.04.14 amd64 -code-brand 22.05-21 all -collaboraoffice 22.05.9-2 amd64 -collaboraoffice-ure 22.05.9-2 amd64 +code-brand 22.05-23 all +collaboraoffice 22.05.9-3 amd64 +collaboraoffice-ure 22.05.9-3 amd64 -collaboraofficebasis-calc 22.05.9-2 amd64 -collaboraofficebasis-core 22.05.9-2 amd64 -collaboraofficebasis-draw 22.05.9-2 amd64 -collaboraofficebasis-en-us 22.05.9-2 amd64 -collaboraofficebasis-extension-pdf-import 22.05.9-2 amd64 -collaboraofficebasis-graphicfilter 22.05.9-2 amd64 -collaboraofficebasis-images 22.05.9-2 amd64 -collaboraofficebasis-impress 22.05.9-2 amd64 -collaboraofficebasis-math 22.05.9-2 amd64 -collaboraofficebasis-ooofonts 22.05.9-2 amd64 -collaboraofficebasis-ooolinguistic 22.05.9-2 amd64 -collaboraofficebasis-writer 22.05.9-2 amd64 +collaboraofficebasis-calc 22.05.9-3 amd64 +collaboraofficebasis-core 22.05.9-3 amd64 +collaboraofficebasis-draw 22.05.9-3 amd64 +collaboraofficebasis-en-us 22.05.9-3 amd64 +collaboraofficebasis-extension-pdf-import 22.05.9-3 amd64 +collaboraofficebasis-graphicfilter 22.05.9-3 amd64 +collaboraofficebasis-images 22.05.9-3 amd64 +collaboraofficebasis-impress 22.05.9-3 amd64 +collaboraofficebasis-math 22.05.9-3 amd64 +collaboraofficebasis-ooofonts 22.05.9-3 amd64 +collaboraofficebasis-ooolinguistic 22.05.9-3 amd64 
+collaboraofficebasis-writer 22.05.9-3 amd64 -coolwsd 22.05.9.2-1 amd64 +coolwsd 22.05.9.3-1 amd64 -firefox 108.0.1+linuxmint1+tricia amd64 -firefox-locale-de 108.0.1+linuxmint1+tricia amd64 -firefox-locale-en 108.0.1+linuxmint1+tricia amd64 +firefox 109.0+linuxmint1+tricia amd64 +firefox-locale-de 109.0+linuxmint1+tricia amd64 +firefox-locale-en 109.0+linuxmint1+tricia amd64 -git 1:2.17.1-1ubuntu0.13 amd64 -git-man 1:2.17.1-1ubuntu0.13 all -gitweb 1:2.17.1-1ubuntu0.13 all +git 1:2.17.1-1ubuntu0.15 amd64 +git-man 1:2.17.1-1ubuntu0.15 all +gitweb 1:2.17.1-1ubuntu0.15 all -libasn1-8-heimdal 7.5.0+dfsg-1ubuntu0.2 amd64 -libasn1-8-heimdal 7.5.0+dfsg-1ubuntu0.2 i386 +libasn1-8-heimdal 7.5.0+dfsg-1ubuntu0.3 amd64 +libasn1-8-heimdal 7.5.0+dfsg-1ubuntu0.3 i386 -libgssapi3-heimdal 7.5.0+dfsg-1ubuntu0.2 amd64 -libgssapi3-heimdal 7.5.0+dfsg-1ubuntu0.2 i386 +libgssapi3-heimdal 7.5.0+dfsg-1ubuntu0.3 amd64 +libgssapi3-heimdal 7.5.0+dfsg-1ubuntu0.3 i386 -libhcrypto4-heimdal 7.5.0+dfsg-1ubuntu0.2 amd64 -libhcrypto4-heimdal 7.5.0+dfsg-1ubuntu0.2 i386 -libhdb9-heimdal 7.5.0+dfsg-1ubuntu0.2 amd64 +libhcrypto4-heimdal 7.5.0+dfsg-1ubuntu0.3 amd64 +libhcrypto4-heimdal 7.5.0+dfsg-1ubuntu0.3 i386 +libhdb9-heimdal 7.5.0+dfsg-1ubuntu0.3 amd64 -libheimbase1-heimdal 7.5.0+dfsg-1ubuntu0.2 amd64 -libheimbase1-heimdal 7.5.0+dfsg-1ubuntu0.2 i386 -libheimntlm0-heimdal 7.5.0+dfsg-1ubuntu0.2 amd64 -libheimntlm0-heimdal 7.5.0+dfsg-1ubuntu0.2 i386 +libheimbase1-heimdal 7.5.0+dfsg-1ubuntu0.3 amd64 +libheimbase1-heimdal 7.5.0+dfsg-1ubuntu0.3 i386 +libheimntlm0-heimdal 7.5.0+dfsg-1ubuntu0.3 amd64 +libheimntlm0-heimdal 7.5.0+dfsg-1ubuntu0.3 i386 -libhx509-5-heimdal 7.5.0+dfsg-1ubuntu0.2 amd64 -libhx509-5-heimdal 7.5.0+dfsg-1ubuntu0.2 i386 +libhx509-5-heimdal 7.5.0+dfsg-1ubuntu0.3 amd64 +libhx509-5-heimdal 7.5.0+dfsg-1ubuntu0.3 i386 -libkdc2-heimdal 7.5.0+dfsg-1ubuntu0.2 amd64 +libkdc2-heimdal 7.5.0+dfsg-1ubuntu0.3 amd64 -libkrb5-26-heimdal 7.5.0+dfsg-1ubuntu0.2 amd64 -libkrb5-26-heimdal 
7.5.0+dfsg-1ubuntu0.2 i386 +libkrb5-26-heimdal 7.5.0+dfsg-1ubuntu0.3 amd64 +libkrb5-26-heimdal 7.5.0+dfsg-1ubuntu0.3 i386 -libpq5 10.22-0ubuntu0.18.04.1 amd64 +libpq5 10.23-0ubuntu0.18.04.1 amd64 -libroken18-heimdal 7.5.0+dfsg-1ubuntu0.2 amd64 -libroken18-heimdal 7.5.0+dfsg-1ubuntu0.2 i386 +libroken18-heimdal 7.5.0+dfsg-1ubuntu0.3 amd64 +libroken18-heimdal 7.5.0+dfsg-1ubuntu0.3 i386 -libsnmp-base 5.7.3+dfsg-1.8ubuntu3.7 all -libsnmp30 5.7.3+dfsg-1.8ubuntu3.7 amd64 +libsnmp-base 5.7.3+dfsg-1.8ubuntu3.8 all +libsnmp30 5.7.3+dfsg-1.8ubuntu3.8 amd64 -libwind0-heimdal 7.5.0+dfsg-1ubuntu0.2 amd64 -libwind0-heimdal 7.5.0+dfsg-1ubuntu0.2 i386 +libwind0-heimdal 7.5.0+dfsg-1ubuntu0.3 amd64 +libwind0-heimdal 7.5.0+dfsg-1ubuntu0.3 i386 -libxpm4 1:3.5.12-1 amd64 -libxpm4 1:3.5.12-1 i386 +libxpm4 1:3.5.12-1ubuntu0.18.04.2 amd64 +libxpm4 1:3.5.12-1ubuntu0.18.04.2 i386 -linux-libc-dev 4.15.0-201.212 amd64 +linux-libc-dev 4.15.0-202.213 amd64 -python-apt 1.6.5ubuntu0.7 amd64 -python-apt-common 1.6.5ubuntu0.7 all +python-apt 1.6.6 amd64 +python-apt-common 1.6.6 all -python3-apt 1.6.5ubuntu0.7 amd64 +python3-apt 1.6.6 amd64 -snmp 5.7.3+dfsg-1.8ubuntu3.7 amd64 -snmpd 5.7.3+dfsg-1.8ubuntu3.7 amd64 +snmp 5.7.3+dfsg-1.8ubuntu3.8 amd64 +snmpd 5.7.3+dfsg-1.8ubuntu3.8 amd64 -sudo 1.8.21p2-3ubuntu1.4 amd64 +sudo 1.8.21p2-3ubuntu1.5 amd64 -update-notifier-common 3.192.1.12 all +update-notifier-common 3.192.1.15 all -vim 2:8.0.1453-1ubuntu1.9 amd64 -vim-common 2:8.0.1453-1ubuntu1.9 all +vim 2:8.0.1453-1ubuntu1.10 amd64 +vim-common 2:8.0.1453-1ubuntu1.10 all -vim-runtime 2:8.0.1453-1ubuntu1.9 all -vim-tiny 2:8.0.1453-1ubuntu1.9 amd64 +vim-runtime 2:8.0.1453-1ubuntu1.10 all +vim-tiny 2:8.0.1453-1ubuntu1.10 amd64 -w3m 0.5.3-36build1 amd64 +w3m 0.5.3-36ubuntu0.1 amd64 -xxd 2:8.0.1453-1ubuntu1.9 amd64 +xxd 2:8.0.1453-1ubuntu1.10 amd64 --- .etckeeper | 2 + apache2/conf-available/charset.conf | 2 - .../conf-available/localized-error-pages.conf | 2 - .../other-vhosts-access-log.conf | 2 - 
apache2/conf-available/security.conf | 27 +- apache2/conf-available/serve-cgi-bin.conf | 2 - apache2/mods-available/actions.conf | 2 - apache2/mods-available/alias.conf | 39 +- apache2/mods-available/autoindex.conf | 165 +++--- apache2/mods-available/cache_disk.conf | 40 +- apache2/mods-available/cgid.conf | 4 +- apache2/mods-available/dav_fs.conf | 2 - apache2/mods-available/deflate.conf | 16 +- apache2/mods-available/dir.conf | 6 +- apache2/mods-available/http2.conf | 62 ++- apache2/mods-available/info.conf | 24 +- apache2/mods-available/ldap.conf | 2 - apache2/mods-available/mime.conf | 476 +++++++++--------- apache2/mods-available/mime_magic.conf | 6 +- apache2/mods-available/mpm_event.conf | 18 +- apache2/mods-available/mpm_worker.conf | 18 +- apache2/mods-available/negotiation.conf | 34 +- apache2/mods-available/proxy_balancer.conf | 24 +- apache2/mods-available/proxy_ftp.conf | 10 +- apache2/mods-available/proxy_html.conf | 47 +- apache2/mods-available/reqtimeout.conf | 42 +- apache2/mods-available/setenvif.conf | 56 +-- apache2/mods-available/ssl.conf | 144 +++--- apache2/mods-available/status.conf | 40 +- apache2/mods-available/userdir.conf | 18 +- apache2/ports.conf | 2 - apache2/sites-available/default-ssl.conf | 238 +++++---- init.d/apache2 | 2 - letsencrypt/csr/3903_csr-certbot.pem | 16 + letsencrypt/keys/3904_key-certbot.pem | 28 ++ logrotate.d/apache2 | 36 +- 36 files changed, 784 insertions(+), 870 deletions(-) create mode 100644 letsencrypt/csr/3903_csr-certbot.pem create mode 100644 letsencrypt/keys/3904_key-certbot.pem diff --git a/.etckeeper b/.etckeeper index 4f794e9d..48135554 100755 --- a/.etckeeper +++ b/.etckeeper 
@@ -8311,6 +8311,7 @@ maybe chmod 0644 'letsencrypt/csr/3899_csr-certbot.pem' maybe chmod 0644 'letsencrypt/csr/3900_csr-certbot.pem' maybe chmod 0644 'letsencrypt/csr/3901_csr-certbot.pem' maybe chmod 0644 'letsencrypt/csr/3902_csr-certbot.pem' +maybe chmod 0644 'letsencrypt/csr/3903_csr-certbot.pem' maybe chmod 0700 'letsencrypt/keys' maybe chmod 0600 'letsencrypt/keys/0000_key-certbot.pem' maybe chmod 0600 'letsencrypt/keys/0001_key-certbot.pem' @@ -12216,6 +12217,7 @@ maybe chmod 0600 'letsencrypt/keys/3900_key-certbot.pem' maybe chmod 0600 'letsencrypt/keys/3901_key-certbot.pem' maybe chmod 0600 'letsencrypt/keys/3902_key-certbot.pem' maybe chmod 0600 'letsencrypt/keys/3903_key-certbot.pem' +maybe chmod 0600 'letsencrypt/keys/3904_key-certbot.pem' maybe chmod 0755 'letsencrypt/live' maybe chmod 0755 'letsencrypt/live/ccu.hoellein.online' maybe chmod 0644 'letsencrypt/live/ccu.hoellein.online/README' diff --git a/apache2/conf-available/charset.conf b/apache2/conf-available/charset.conf index 8b0f4159..40d7198b 100644 --- a/apache2/conf-available/charset.conf +++ b/apache2/conf-available/charset.conf @@ -4,5 +4,3 @@ # in meta http-equiv or xml encoding tags. #AddDefaultCharset UTF-8 - -# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/apache2/conf-available/localized-error-pages.conf b/apache2/conf-available/localized-error-pages.conf index f188d806..a3a198a0 100644 --- a/apache2/conf-available/localized-error-pages.conf +++ b/apache2/conf-available/localized-error-pages.conf @@ -77,5 +77,3 @@ # # # - -# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/apache2/conf-available/other-vhosts-access-log.conf b/apache2/conf-available/other-vhosts-access-log.conf index 5e9f5e9e..9f7aecd0 100644 --- a/apache2/conf-available/other-vhosts-access-log.conf +++ b/apache2/conf-available/other-vhosts-access-log.conf 
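Review bot: The added line `maybe chmod 0600 'letsencrypt/keys/3904_key-certbot.pem'` shows that a certbot private key is now tracked in this repository, and the diffstat lists the key file itself as a 28-line addition. The 0600 mode is only re-applied to the working copy; the key material stored in the git objects is readable by anyone who can read or clone the repository. Consider excluding the directory with a `letsencrypt/keys/` entry in `/etc/.gitignore` and dropping it from the index with `git rm -r --cached letsencrypt/keys`, and treat keys that are already committed as exposed if anyone other than root can reach the repository. The key file's own hunk is outside the part of the patch shown here.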
@@ -1,4 +1,2 @@ # Define an access log for VirtualHosts that don't define their own logfile CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log vhost_combined - -# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/apache2/conf-available/security.conf b/apache2/conf-available/security.conf index f9f69d49..cad7dc1c 100644 --- a/apache2/conf-available/security.conf +++ b/apache2/conf-available/security.conf @@ -1,16 +1,3 @@ -# -# Disable access to the entire file system except for the directories that -# are explicitly allowed later. -# -# This currently breaks the configurations that come with some web application -# Debian packages. -# -# -# AllowOverride None -# Require all denied -# - - # Changing the following options will not really affect the security of the # server, but might make attacks slightly more difficult in some cases. @@ -49,11 +36,12 @@ TraceEnable Off # Forbid access to version control directories # # If you use version control systems in your document root, you should -# probably deny access to their directories. For example, for subversion: +# probably deny access to their directories. +# +# Examples: # -# -# Require all denied -# +#RedirectMatch 404 /\.git +#RedirectMatch 404 /\.svn # # Setting this header will prevent MSIE from interpreting files as something @@ -67,7 +55,4 @@ TraceEnable Off # site as frames. This defends against clickjacking attacks. # Requires mod_headers to be enabled. # -#Header set X-Frame-Options: "sameorigin" - - -# vim: syntax=apache ts=4 sw=4 sts=4 sr noet +#Header set Content-Security-Policy "frame-ancestors 'self';" diff --git a/apache2/conf-available/serve-cgi-bin.conf b/apache2/conf-available/serve-cgi-bin.conf index b02782da..ae660b16 100644 --- a/apache2/conf-available/serve-cgi-bin.conf +++ b/apache2/conf-available/serve-cgi-bin.conf @@ -16,5 +16,3 @@ - -# vim: syntax=apache ts=4 sw=4 sts=4 sr noet 
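Review bot: Both new examples in the version-control section, `#RedirectMatch 404 /\.git` and `#RedirectMatch 404 /\.svn`, are commented out, so this file still does not block requests for repository metadata under a document root. If any served directory is a checkout, they need to be enabled, and RedirectMatch requires mod_alias to be loaded. The patterns are unanchored and therefore also match paths such as `/.gitignore` or `/.github/`; if only the repository directory should be hidden, `RedirectMatch 404 /\.git(/|$)` is the narrower form.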
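Review bot: The anti-framing header is still disabled after this change, because the last security.conf hunk only swaps the commented X-Frame-Options example for `#Header set Content-Security-Policy "frame-ancestors 'self';"`. When enabling it, note that `Header set` would replace a Content-Security-Policy that an application behind this server already sends, so `Header setifempty Content-Security-Policy "frame-ancestors 'self';"` is the safer form on hosts that serve applications with their own policy. Keeping `Header set X-Frame-Options "sameorigin"` alongside it covers clients that do not implement frame-ancestors.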
diff --git a/apache2/mods-available/actions.conf b/apache2/mods-available/actions.conf index c3f5d293..22e6f9ff 100644 --- a/apache2/mods-available/actions.conf +++ b/apache2/mods-available/actions.conf @@ -7,5 +7,3 @@ # Format: Action media/type /cgi-script/location # Format: Action handler-name /cgi-script/location # - -# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/apache2/mods-available/alias.conf b/apache2/mods-available/alias.conf index 3583d3bd..ed12b2bb 100644 --- a/apache2/mods-available/alias.conf +++ b/apache2/mods-available/alias.conf 
@@ -1,24 +1,19 @@ - - # Aliases: Add here as many aliases as you need (with no limit). The format is - # Alias fakename realname - # - # Note that if you include a trailing / on fakename then the server will - # require it to be present in the URL. So "/icons" isn't aliased in this - # example, only "/icons/". If the fakename is slash-terminated, then the - # realname must also be slash terminated, and if the fakename omits the - # trailing slash, the realname must also omit it. - # - # We include the /icons/ alias for FancyIndexed directory listings. If - # you do not use FancyIndexing, you may comment this out. +# Aliases: Add here as many aliases as you need (with no limit). The format is +# Alias fakename realname +# +# Note that if you include a trailing / on fakename then the server will +# require it to be present in the URL. So "/icons" isn't aliased in this +# example, only "/icons/". If the fakename is slash-terminated, then the +# realname must also be slash terminated, and if the fakename omits the +# trailing slash, the realname must also omit it. +# +# We include the /icons/ alias for FancyIndexed directory listings. If +# you do not use FancyIndexing, you may comment this out. - Alias /icons/ "/usr/share/apache2/icons/" +Alias /icons/ "/usr/share/apache2/icons/" - - Options FollowSymlinks - AllowOverride None - Require all granted - - - - -# vim: syntax=apache ts=4 sw=4 sts=4 sr noet + + Options FollowSymlinks + AllowOverride None + Require all granted + diff --git a/apache2/mods-available/autoindex.conf b/apache2/mods-available/autoindex.conf index f6cf45f4..e53c3913 100644 --- a/apache2/mods-available/autoindex.conf +++ b/apache2/mods-available/autoindex.conf 
@@ -1,96 +1,91 @@ - - # Directives controlling the display of server-generated directory listings. +# Directives controlling the display of server-generated directory listings. - # - # IndexOptions: Controls the appearance of server-generated directory - # listings. - # Remove/replace the "Charset=UTF-8" if you don't use UTF-8 for your filenames. - IndexOptions FancyIndexing VersionSort HTMLTable NameWidth=* DescriptionWidth=* Charset=UTF-8 +# +# IndexOptions: Controls the appearance of server-generated directory +# listings. +# Remove/replace the "Charset=UTF-8" if you don't use UTF-8 for your filenames. +IndexOptions FancyIndexing VersionSort HTMLTable NameWidth=* DescriptionWidth=* Charset=UTF-8 - # - # AddIcon* directives tell the server which icon to show for different - # files or filename extensions. These are only displayed for - # FancyIndexed directories. - AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip x-bzip2 +# +# AddIcon* directives tell the server which icon to show for different +# files or filename extensions. These are only displayed for +# FancyIndexed directories. 
+AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip x-bzip2 - AddIconByType (TXT,/icons/text.gif) text/* - AddIconByType (IMG,/icons/image2.gif) image/* - AddIconByType (SND,/icons/sound2.gif) audio/* - AddIconByType (VID,/icons/movie.gif) video/* +AddIconByType (TXT,/icons/text.gif) text/* +AddIconByType (IMG,/icons/image2.gif) image/* +AddIconByType (SND,/icons/sound2.gif) audio/* +AddIconByType (VID,/icons/movie.gif) video/* - AddIcon /icons/binary.gif .bin .exe - AddIcon /icons/binhex.gif .hqx - AddIcon /icons/tar.gif .tar - AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv - AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip - AddIcon /icons/a.gif .ps .ai .eps - AddIcon /icons/layout.gif .html .shtml .htm .pdf - AddIcon /icons/text.gif .txt - AddIcon /icons/c.gif .c - AddIcon /icons/p.gif .pl .py - AddIcon /icons/f.gif .for - AddIcon /icons/dvi.gif .dvi - AddIcon /icons/uuencoded.gif .uu - AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl - AddIcon /icons/tex.gif .tex - # It's a suffix rule, so simply matching "core" matches "score" as well ! - AddIcon /icons/bomb.gif /core - AddIcon (SND,/icons/sound2.gif) .ogg - AddIcon (VID,/icons/movie.gif) .ogm +AddIcon /icons/binary.gif .bin .exe +AddIcon /icons/binhex.gif .hqx +AddIcon /icons/tar.gif .tar +AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv +AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip +AddIcon /icons/a.gif .ps .ai .eps +AddIcon /icons/layout.gif .html .shtml .htm .pdf +AddIcon /icons/text.gif .txt +AddIcon /icons/c.gif .c +AddIcon /icons/p.gif .pl .py +AddIcon /icons/f.gif .for +AddIcon /icons/dvi.gif .dvi +AddIcon /icons/uuencoded.gif .uu +AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl +AddIcon /icons/tex.gif .tex +# It's a suffix rule, so simply matching "core" matches "score" as well ! +AddIcon /icons/bomb.gif /core +AddIcon (SND,/icons/sound2.gif) .ogg +AddIcon (VID,/icons/movie.gif) .ogm - AddIcon /icons/back.gif .. 
- AddIcon /icons/hand.right.gif README - AddIcon /icons/folder.gif ^^DIRECTORY^^ - AddIcon /icons/blank.gif ^^BLANKICON^^ +AddIcon /icons/back.gif .. +AddIcon /icons/hand.right.gif README +AddIcon /icons/folder.gif ^^DIRECTORY^^ +AddIcon /icons/blank.gif ^^BLANKICON^^ - # Default icons for OpenDocument format - AddIcon /icons/odf6odt-20x22.png .odt - AddIcon /icons/odf6ods-20x22.png .ods - AddIcon /icons/odf6odp-20x22.png .odp - AddIcon /icons/odf6odg-20x22.png .odg - AddIcon /icons/odf6odc-20x22.png .odc - AddIcon /icons/odf6odf-20x22.png .odf - AddIcon /icons/odf6odb-20x22.png .odb - AddIcon /icons/odf6odi-20x22.png .odi - AddIcon /icons/odf6odm-20x22.png .odm +# Default icons for OpenDocument format +AddIcon /icons/odf6odt-20x22.png .odt +AddIcon /icons/odf6ods-20x22.png .ods +AddIcon /icons/odf6odp-20x22.png .odp +AddIcon /icons/odf6odg-20x22.png .odg +AddIcon /icons/odf6odc-20x22.png .odc +AddIcon /icons/odf6odf-20x22.png .odf +AddIcon /icons/odf6odb-20x22.png .odb +AddIcon /icons/odf6odi-20x22.png .odi +AddIcon /icons/odf6odm-20x22.png .odm - AddIcon /icons/odf6ott-20x22.png .ott - AddIcon /icons/odf6ots-20x22.png .ots - AddIcon /icons/odf6otp-20x22.png .otp - AddIcon /icons/odf6otg-20x22.png .otg - AddIcon /icons/odf6otc-20x22.png .otc - AddIcon /icons/odf6otf-20x22.png .otf - AddIcon /icons/odf6oti-20x22.png .oti - AddIcon /icons/odf6oth-20x22.png .oth +AddIcon /icons/odf6ott-20x22.png .ott +AddIcon /icons/odf6ots-20x22.png .ots +AddIcon /icons/odf6otp-20x22.png .otp +AddIcon /icons/odf6otg-20x22.png .otg +AddIcon /icons/odf6otc-20x22.png .otc +AddIcon /icons/odf6otf-20x22.png .otf +AddIcon /icons/odf6oti-20x22.png .oti +AddIcon /icons/odf6oth-20x22.png .oth - # - # DefaultIcon is which icon to show for files which do not have an icon - # explicitly set. - DefaultIcon /icons/unknown.gif +# +# DefaultIcon is which icon to show for files which do not have an icon +# explicitly set. 
+DefaultIcon /icons/unknown.gif - # - # AddDescription allows you to place a short description after a file in - # server-generated indexes. These are only displayed for FancyIndexed - # directories. - # Format: AddDescription "description" filename - #AddDescription "GZIP compressed document" .gz - #AddDescription "tar archive" .tar - #AddDescription "GZIP compressed tar archive" .tgz +# +# AddDescription allows you to place a short description after a file in +# server-generated indexes. These are only displayed for FancyIndexed +# directories. +# Format: AddDescription "description" filename +#AddDescription "GZIP compressed document" .gz +#AddDescription "tar archive" .tar +#AddDescription "GZIP compressed tar archive" .tgz - # - # ReadmeName is the name of the README file the server will look for by - # default, and append to directory listings. - # - # HeaderName is the name of a file which should be prepended to - # directory indexes - ReadmeName README.html - HeaderName HEADER.html +# +# ReadmeName is the name of the README file the server will look for by +# default, and append to directory listings. +# +# HeaderName is the name of a file which should be prepended to +# directory indexes +ReadmeName README.html +HeaderName HEADER.html - # - # IndexIgnore is a set of filenames which directory indexing should ignore - # and not include in the listing. Shell-style wildcarding is permitted. - IndexIgnore .??* *~ *# RCS CVS *,v *,t - - - -# vim: syntax=apache ts=4 sw=4 sts=4 sr noet +# +# IndexIgnore is a set of filenames which directory indexing should ignore +# and not include in the listing. Shell-style wildcarding is permitted. +IndexIgnore .??* *~ *# RCS CVS *,v *,t diff --git a/apache2/mods-available/cache_disk.conf b/apache2/mods-available/cache_disk.conf index a69beaeb..8625539b 100644 --- a/apache2/mods-available/cache_disk.conf +++ b/apache2/mods-available/cache_disk.conf 
@@ -1,27 +1,21 @@ - +# cache cleaning is done by htcacheclean, which can be configured in +# /etc/default/apache2 +# +# For further information, see the comments in that file, +# /usr/share/doc/apache2/README.Debian, and the htcacheclean(8) +# man page. - # cache cleaning is done by htcacheclean, which can be configured in - # /etc/default/apache2 - # - # For further information, see the comments in that file, - # /usr/share/doc/apache2/README.Debian, and the htcacheclean(8) - # man page. +# This path must be the same as the one in /etc/default/apache2 +CacheRoot /var/cache/apache2/mod_cache_disk - # This path must be the same as the one in /etc/default/apache2 - CacheRoot /var/cache/apache2/mod_cache_disk +# This will also cache local documents. It usually makes more sense to +# put this into the configuration for just one virtual host. +#CacheEnable disk / - # This will also cache local documents. It usually makes more sense to - # put this into the configuration for just one virtual host. - #CacheEnable disk / - - # The result of CacheDirLevels * CacheDirLength must not be higher than - # 20. Moreover, pay attention on file system limits. Some file systems - # do not support more than a certain number of inodes and - # subdirectories (e.g. 32000 for ext3) - CacheDirLevels 2 - CacheDirLength 1 - - - -# vim: syntax=apache ts=4 sw=4 sts=4 sr noet +# The result of CacheDirLevels * CacheDirLength must not be higher than +# 20. Moreover, pay attention on file system limits. Some file systems +# do not support more than a certain number of inodes and +# subdirectories (e.g. 32000 for ext3) +CacheDirLevels 2 +CacheDirLength 1 diff --git a/apache2/mods-available/cgid.conf b/apache2/mods-available/cgid.conf index 762f00b7..2f22b70d 100644 --- a/apache2/mods-available/cgid.conf +++ b/apache2/mods-available/cgid.conf 
@@ -1,4 +1,2 @@ # Socket for cgid communication -ScriptSock ${APACHE_RUN_DIR}/cgisock - -# vim: syntax=apache ts=4 sw=4 sts=4 sr noet +ScriptSock ${APACHE_RUN_DIR}/socks/cgisock diff --git a/apache2/mods-available/dav_fs.conf b/apache2/mods-available/dav_fs.conf index 8499551a..c7130c24 100644 --- a/apache2/mods-available/dav_fs.conf +++ b/apache2/mods-available/dav_fs.conf @@ -1,3 +1 @@ DAVLockDB ${APACHE_LOCK_DIR}/DAVLock - -# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/apache2/mods-available/deflate.conf b/apache2/mods-available/deflate.conf index e891e03c..440a68b0 100644 --- a/apache2/mods-available/deflate.conf +++ b/apache2/mods-available/deflate.conf @@ -1,11 +1,7 @@ - - - AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript - AddOutputFilterByType DEFLATE application/x-javascript application/javascript application/ecmascript - AddOutputFilterByType DEFLATE application/rss+xml - AddOutputFilterByType DEFLATE application/wasm - AddOutputFilterByType DEFLATE application/xml - + + AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript + AddOutputFilterByType DEFLATE application/x-javascript application/javascript application/ecmascript + AddOutputFilterByType DEFLATE application/rss+xml + AddOutputFilterByType DEFLATE application/wasm + AddOutputFilterByType DEFLATE application/xml - -# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/apache2/mods-available/dir.conf b/apache2/mods-available/dir.conf index 21a0e8be..c0a462b3 100644 --- a/apache2/mods-available/dir.conf +++ b/apache2/mods-available/dir.conf @@ -1,5 +1 @@ - - DirectoryIndex index.html index.cgi index.pl index.php index.xhtml index.htm - - -# vim: syntax=apache ts=4 sw=4 sts=4 sr noet +DirectoryIndex index.html index.cgi index.pl index.php index.xhtml index.htm diff --git a/apache2/mods-available/http2.conf b/apache2/mods-available/http2.conf index f45db4d4..612baa51 100644 --- a/apache2/mods-available/http2.conf 
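Review bot: `ScriptSock ${APACHE_RUN_DIR}/socks/cgisock` now points into a `socks` subdirectory, and nothing in the visible part of this patch creates that directory or sets its ownership. If it is missing when apache starts (the run directory is usually recreated at boot), mod_cgid cannot bind its socket and CGI requests fail; if it is writable by other local users, the socket path can be tampered with. A comment above the directive such as `# ${APACHE_RUN_DIR}/socks is expected to exist and be writable only by the server user` would record the requirement; how the updated package creates the directory should be verified on this host.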
+++ b/apache2/mods-available/http2.conf @@ -1,34 +1,30 @@ +Protocols h2 h2c http/1.1 -# mod_http2 doesn't work with mpm_prefork - - Protocols h2 h2c http/1.1 - - # # HTTP/2 push configuration - # - # H2Push on - # - # # Default Priority Rule - # - # H2PushPriority * After 16 - # - # # More complex ruleset: - # - # H2PushPriority * after - # H2PushPriority text/css before - # H2PushPriority image/jpeg after 32 - # H2PushPriority image/png after 32 - # H2PushPriority application/javascript interleaved - # - # # Configure some stylesheet and script to be pushed by the webserver - # - # - # Header add Link "; rel=preload; as=style" - # Header add Link "; rel=preload; as=script" - # - # Since mod_http2 doesn't support the mod_logio module (which provide the %O format), - # you may want to change your LogFormat directive as follow: - # - # LogFormat "%v:%p %h %l %u %t \"%r\" %>s %B \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined - # LogFormat "%h %l %u %t \"%r\" %>s %B \"%{Referer}i\" \"%{User-Agent}i\"" combined - # LogFormat "%h %l %u %t \"%r\" %>s %B" common - +# # HTTP/2 push configuration +# +# H2Push on +# +# # Default Priority Rule +# +# H2PushPriority * After 16 +# +# # More complex ruleset: +# +# H2PushPriority * after +# H2PushPriority text/css before +# H2PushPriority image/jpeg after 32 +# H2PushPriority image/png after 32 +# H2PushPriority application/javascript interleaved +# +# # Configure some stylesheet and script to be pushed by the webserver +# +# +# Header add Link "; rel=preload; as=style" +# Header add Link "; rel=preload; as=script" +# +# Since mod_http2 doesn't support the mod_logio module (which provide the %O format), +# you may want to change your LogFormat directive as follow: +# +# LogFormat "%v:%p %h %l %u %t \"%r\" %>s %B \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined +# LogFormat "%h %l %u %t \"%r\" %>s %B \"%{Referer}i\" \"%{User-Agent}i\"" combined +# LogFormat "%h %l %u %t \"%r\" %>s %B" common 
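Review bot: `Protocols h2 h2c http/1.1` leaves `h2c` (HTTP/2 over cleartext, negotiated via Upgrade) enabled for every vhost that inherits this file; where no client needs cleartext HTTP/2, `Protocols h2 http/1.1` is the narrower setting, and h2c upgrades are a known source of trouble when a front-end proxy forwards them unchecked. The removal of the comment `# mod_http2 doesn't work with mpm_prefork` suggests the conditional wrapper around the directive was dropped as well, although the wrapper lines are not visible on this page, so it is worth confirming that the loaded MPM is event or worker.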
diff --git a/apache2/mods-available/info.conf b/apache2/mods-available/info.conf index 78a0649e..cf79351e 100644 --- a/apache2/mods-available/info.conf +++ b/apache2/mods-available/info.conf @@ -1,15 +1,9 @@ - - - # Allow remote server configuration reports, with the URL of - # http://servername/server-info (requires that mod_info.c be loaded). - # Uncomment and change the "192.0.2.0/24" to allow access from other hosts. - # - - SetHandler server-info - Require local - #Require ip 192.0.2.0/24 - - - - -# vim: syntax=apache ts=4 sw=4 sts=4 sr noet +# Allow remote server configuration reports, with the URL of +# http://servername/server-info (requires that mod_info.c be loaded). +# Uncomment and change the "192.0.2.0/24" to allow access from other hosts. +# + + SetHandler server-info + Require local + #Require ip 192.0.2.0/24 + diff --git a/apache2/mods-available/ldap.conf b/apache2/mods-available/ldap.conf index 697b70b8..470d5c85 100644 --- a/apache2/mods-available/ldap.conf +++ b/apache2/mods-available/ldap.conf @@ -2,5 +2,3 @@ SetHandler ldap-status Require local - -# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/apache2/mods-available/mime.conf b/apache2/mods-available/mime.conf index 38f8eb51..1f593b9b 100644 --- a/apache2/mods-available/mime.conf +++ b/apache2/mods-available/mime.conf 
@@ -1,252 +1,246 @@ - +# +# TypesConfig points to the file containing the list of mappings from +# filename extension to MIME-type. +# +TypesConfig /etc/mime.types - # - # TypesConfig points to the file containing the list of mappings from - # filename extension to MIME-type. - # - TypesConfig /etc/mime.types +# +# AddType allows you to add to or override the MIME configuration +# file mime.types for specific file types. +# +#AddType application/x-gzip .tgz +# +# AddEncoding allows you to have certain browsers uncompress +# information on the fly. Note: Not all browsers support this. +# Despite the name similarity, the following Add* directives have +# nothing to do with the FancyIndexing customization directives above. +# +#AddEncoding x-compress .Z +#AddEncoding x-gzip .gz .tgz +#AddEncoding x-bzip2 .bz2 +# +# If the AddEncoding directives above are commented-out, then you +# probably should define those extensions to indicate media types: +# +AddType application/x-compress .Z +AddType application/x-gzip .gz .tgz +AddType application/x-bzip2 .bz2 - # - # AddType allows you to add to or override the MIME configuration - # file mime.types for specific file types. - # - #AddType application/x-gzip .tgz - # - # AddEncoding allows you to have certain browsers uncompress - # information on the fly. Note: Not all browsers support this. - # Despite the name similarity, the following Add* directives have - # nothing to do with the FancyIndexing customization directives above. - # - #AddEncoding x-compress .Z - #AddEncoding x-gzip .gz .tgz - #AddEncoding x-bzip2 .bz2 - # - # If the AddEncoding directives above are commented-out, then you - # probably should define those extensions to indicate media types: - # - AddType application/x-compress .Z - AddType application/x-gzip .gz .tgz - AddType application/x-bzip2 .bz2 +# +# DefaultLanguage and AddLanguage allows you to specify the language of +# a document. 
You can then use content negotiation to give a browser a +# file in a language the user can understand. +# +# Specify a default language. This means that all data +# going out without a specific language tag (see below) will +# be marked with this one. You probably do NOT want to set +# this unless you are sure it is correct for all cases. +# +# * It is generally better to not mark a page as +# * being a certain language than marking it with the wrong +# * language! +# +# DefaultLanguage nl +# +# Note 1: The suffix does not have to be the same as the language +# keyword --- those with documents in Polish (whose net-standard +# language code is pl) may wish to use "AddLanguage pl .po" to +# avoid the ambiguity with the common suffix for perl scripts. +# +# Note 2: The example entries below illustrate that in some cases +# the two character 'Language' abbreviation is not identical to +# the two character 'Country' code for its country, +# E.g. 'Danmark/dk' versus 'Danish/da'. +# +# Note 3: In the case of 'ltz' we violate the RFC by using a three char +# specifier. There is 'work in progress' to fix this and get +# the reference data for rfc1766 cleaned up. 
+# +# Catalan (ca) - Croatian (hr) - Czech (cs) - Danish (da) - Dutch (nl) +# English (en) - Esperanto (eo) - Estonian (et) - French (fr) - German (de) +# Greek-Modern (el) - Hebrew (he) - Italian (it) - Japanese (ja) +# Korean (ko) - Luxembourgeois* (ltz) - Norwegian Nynorsk (nn) +# Norwegian (no) - Polish (pl) - Portugese (pt) +# Brazilian Portuguese (pt-BR) - Russian (ru) - Swedish (sv) +# Simplified Chinese (zh-CN) - Spanish (es) - Traditional Chinese (zh-TW) +# +AddLanguage am .amh +AddLanguage ar .ara +AddLanguage be .be +AddLanguage bg .bg +AddLanguage bn .bn +AddLanguage br .br +AddLanguage bs .bs +AddLanguage ca .ca +AddLanguage cs .cz .cs +AddLanguage cy .cy +AddLanguage da .da +AddLanguage da .dk +AddLanguage de .de +AddLanguage dz .dz +AddLanguage el .el +AddLanguage en .en +AddLanguage eo .eo +# es is ecmascript in /etc/mime.types +RemoveType es +AddLanguage es .es +AddLanguage et .et +AddLanguage eu .eu +AddLanguage fa .fa +AddLanguage fi .fi +AddLanguage fr .fr +AddLanguage ga .ga +AddLanguage gl .glg +AddLanguage gu .gu +AddLanguage he .he +AddLanguage hi .hi +AddLanguage hr .hr +AddLanguage hu .hu +AddLanguage hy .hy +AddLanguage id .id +AddLanguage is .is +AddLanguage it .it +AddLanguage ja .ja +AddLanguage ka .ka +AddLanguage kk .kk +AddLanguage km .km +AddLanguage kn .kn +AddLanguage ko .ko +AddLanguage ku .ku +AddLanguage lo .lo +AddLanguage lt .lt +AddLanguage ltz .ltz +AddLanguage lv .lv +AddLanguage mg .mg +AddLanguage mk .mk +AddLanguage ml .ml +AddLanguage mr .mr +AddLanguage ms .msa +AddLanguage nb .nob +AddLanguage ne .ne +AddLanguage nl .nl +AddLanguage nn .nn +AddLanguage no .no +AddLanguage pa .pa +AddLanguage pl .po +AddLanguage pt-BR .pt-br +AddLanguage pt .pt +AddLanguage ro .ro +AddLanguage ru .ru +AddLanguage sa .sa +AddLanguage se .se +AddLanguage si .si +AddLanguage sk .sk +AddLanguage sl .sl +AddLanguage sq .sq +AddLanguage sr .sr +AddLanguage sv .sv +AddLanguage ta .ta +AddLanguage te .te +AddLanguage th .th +AddLanguage tl 
.tl +RemoveType tr +# tr is troff in /etc/mime.types +AddLanguage tr .tr +AddLanguage uk .uk +AddLanguage ur .ur +AddLanguage vi .vi +AddLanguage wo .wo +AddLanguage xh .xh +AddLanguage zh-CN .zh-cn +AddLanguage zh-TW .zh-tw - # - # DefaultLanguage and AddLanguage allows you to specify the language of - # a document. You can then use content negotiation to give a browser a - # file in a language the user can understand. - # - # Specify a default language. This means that all data - # going out without a specific language tag (see below) will - # be marked with this one. You probably do NOT want to set - # this unless you are sure it is correct for all cases. - # - # * It is generally better to not mark a page as - # * being a certain language than marking it with the wrong - # * language! - # - # DefaultLanguage nl - # - # Note 1: The suffix does not have to be the same as the language - # keyword --- those with documents in Polish (whose net-standard - # language code is pl) may wish to use "AddLanguage pl .po" to - # avoid the ambiguity with the common suffix for perl scripts. - # - # Note 2: The example entries below illustrate that in some cases - # the two character 'Language' abbreviation is not identical to - # the two character 'Country' code for its country, - # E.g. 'Danmark/dk' versus 'Danish/da'. - # - # Note 3: In the case of 'ltz' we violate the RFC by using a three char - # specifier. There is 'work in progress' to fix this and get - # the reference data for rfc1766 cleaned up. 
- # - # Catalan (ca) - Croatian (hr) - Czech (cs) - Danish (da) - Dutch (nl) - # English (en) - Esperanto (eo) - Estonian (et) - French (fr) - German (de) - # Greek-Modern (el) - Hebrew (he) - Italian (it) - Japanese (ja) - # Korean (ko) - Luxembourgeois* (ltz) - Norwegian Nynorsk (nn) - # Norwegian (no) - Polish (pl) - Portugese (pt) - # Brazilian Portuguese (pt-BR) - Russian (ru) - Swedish (sv) - # Simplified Chinese (zh-CN) - Spanish (es) - Traditional Chinese (zh-TW) - # - AddLanguage am .amh - AddLanguage ar .ara - AddLanguage be .be - AddLanguage bg .bg - AddLanguage bn .bn - AddLanguage br .br - AddLanguage bs .bs - AddLanguage ca .ca - AddLanguage cs .cz .cs - AddLanguage cy .cy - AddLanguage da .da - AddLanguage da .dk - AddLanguage de .de - AddLanguage dz .dz - AddLanguage el .el - AddLanguage en .en - AddLanguage eo .eo - # es is ecmascript in /etc/mime.types - RemoveType es - AddLanguage es .es - AddLanguage et .et - AddLanguage eu .eu - AddLanguage fa .fa - AddLanguage fi .fi - AddLanguage fr .fr - AddLanguage ga .ga - AddLanguage gl .glg - AddLanguage gu .gu - AddLanguage he .he - AddLanguage hi .hi - AddLanguage hr .hr - AddLanguage hu .hu - AddLanguage hy .hy - AddLanguage id .id - AddLanguage is .is - AddLanguage it .it - AddLanguage ja .ja - AddLanguage ka .ka - AddLanguage kk .kk - AddLanguage km .km - AddLanguage kn .kn - AddLanguage ko .ko - AddLanguage ku .ku - AddLanguage lo .lo - AddLanguage lt .lt - AddLanguage ltz .ltz - AddLanguage lv .lv - AddLanguage mg .mg - AddLanguage mk .mk - AddLanguage ml .ml - AddLanguage mr .mr - AddLanguage ms .msa - AddLanguage nb .nob - AddLanguage ne .ne - AddLanguage nl .nl - AddLanguage nn .nn - AddLanguage no .no - AddLanguage pa .pa - AddLanguage pl .po - AddLanguage pt-BR .pt-br - AddLanguage pt .pt - AddLanguage ro .ro - AddLanguage ru .ru - AddLanguage sa .sa - AddLanguage se .se - AddLanguage si .si - AddLanguage sk .sk - AddLanguage sl .sl - AddLanguage sq .sq - AddLanguage sr .sr - AddLanguage sv 
.sv - AddLanguage ta .ta - AddLanguage te .te - AddLanguage th .th - AddLanguage tl .tl - RemoveType tr - # tr is troff in /etc/mime.types - AddLanguage tr .tr - AddLanguage uk .uk - AddLanguage ur .ur - AddLanguage vi .vi - AddLanguage wo .wo - AddLanguage xh .xh - AddLanguage zh-CN .zh-cn - AddLanguage zh-TW .zh-tw +# +# Commonly used filename extensions to character sets. You probably +# want to avoid clashes with the language extensions, unless you +# are good at carefully testing your setup after each change. +# See http://www.iana.org/assignments/character-sets for the +# official list of charset names and their respective RFCs. +# +AddCharset us-ascii .ascii .us-ascii +AddCharset ISO-8859-1 .iso8859-1 .latin1 +AddCharset ISO-8859-2 .iso8859-2 .latin2 .cen +AddCharset ISO-8859-3 .iso8859-3 .latin3 +AddCharset ISO-8859-4 .iso8859-4 .latin4 +AddCharset ISO-8859-5 .iso8859-5 .cyr .iso-ru +AddCharset ISO-8859-6 .iso8859-6 .arb .arabic +AddCharset ISO-8859-7 .iso8859-7 .grk .greek +AddCharset ISO-8859-8 .iso8859-8 .heb .hebrew +AddCharset ISO-8859-9 .iso8859-9 .latin5 .trk +AddCharset ISO-8859-10 .iso8859-10 .latin6 +AddCharset ISO-8859-13 .iso8859-13 +AddCharset ISO-8859-14 .iso8859-14 .latin8 +AddCharset ISO-8859-15 .iso8859-15 .latin9 +AddCharset ISO-8859-16 .iso8859-16 .latin10 +AddCharset ISO-2022-JP .iso2022-jp .jis +AddCharset ISO-2022-KR .iso2022-kr .kis +AddCharset ISO-2022-CN .iso2022-cn .cis +AddCharset Big5 .Big5 .big5 .b5 +AddCharset cn-Big5 .cn-big5 +# For russian, more than one charset is used (depends on client, mostly): +AddCharset WINDOWS-1251 .cp-1251 .win-1251 +AddCharset CP866 .cp866 +AddCharset KOI8 .koi8 +AddCharset KOI8-E .koi8-e +AddCharset KOI8-r .koi8-r .koi8-ru +AddCharset KOI8-U .koi8-u +AddCharset KOI8-ru .koi8-uk .ua +AddCharset ISO-10646-UCS-2 .ucs2 +AddCharset ISO-10646-UCS-4 .ucs4 +AddCharset UTF-7 .utf7 +AddCharset UTF-8 .utf8 +AddCharset UTF-16 .utf16 +AddCharset UTF-16BE .utf16be +AddCharset UTF-16LE .utf16le +AddCharset UTF-32 
.utf32 +AddCharset UTF-32BE .utf32be +AddCharset UTF-32LE .utf32le +AddCharset euc-cn .euc-cn +AddCharset euc-gb .euc-gb +AddCharset euc-jp .euc-jp +AddCharset euc-kr .euc-kr +#Not sure how euc-tw got in - IANA doesn't list it??? +AddCharset EUC-TW .euc-tw +AddCharset gb2312 .gb2312 .gb +AddCharset iso-10646-ucs-2 .ucs-2 .iso-10646-ucs-2 +AddCharset iso-10646-ucs-4 .ucs-4 .iso-10646-ucs-4 +AddCharset shift_jis .shift_jis .sjis +AddCharset BRF .brf - # - # Commonly used filename extensions to character sets. You probably - # want to avoid clashes with the language extensions, unless you - # are good at carefully testing your setup after each change. - # See http://www.iana.org/assignments/character-sets for the - # official list of charset names and their respective RFCs. - # - AddCharset us-ascii .ascii .us-ascii - AddCharset ISO-8859-1 .iso8859-1 .latin1 - AddCharset ISO-8859-2 .iso8859-2 .latin2 .cen - AddCharset ISO-8859-3 .iso8859-3 .latin3 - AddCharset ISO-8859-4 .iso8859-4 .latin4 - AddCharset ISO-8859-5 .iso8859-5 .cyr .iso-ru - AddCharset ISO-8859-6 .iso8859-6 .arb .arabic - AddCharset ISO-8859-7 .iso8859-7 .grk .greek - AddCharset ISO-8859-8 .iso8859-8 .heb .hebrew - AddCharset ISO-8859-9 .iso8859-9 .latin5 .trk - AddCharset ISO-8859-10 .iso8859-10 .latin6 - AddCharset ISO-8859-13 .iso8859-13 - AddCharset ISO-8859-14 .iso8859-14 .latin8 - AddCharset ISO-8859-15 .iso8859-15 .latin9 - AddCharset ISO-8859-16 .iso8859-16 .latin10 - AddCharset ISO-2022-JP .iso2022-jp .jis - AddCharset ISO-2022-KR .iso2022-kr .kis - AddCharset ISO-2022-CN .iso2022-cn .cis - AddCharset Big5 .Big5 .big5 .b5 - AddCharset cn-Big5 .cn-big5 - # For russian, more than one charset is used (depends on client, mostly): - AddCharset WINDOWS-1251 .cp-1251 .win-1251 - AddCharset CP866 .cp866 - AddCharset KOI8 .koi8 - AddCharset KOI8-E .koi8-e - AddCharset KOI8-r .koi8-r .koi8-ru - AddCharset KOI8-U .koi8-u - AddCharset KOI8-ru .koi8-uk .ua - AddCharset ISO-10646-UCS-2 .ucs2 - AddCharset 
ISO-10646-UCS-4 .ucs4 - AddCharset UTF-7 .utf7 - AddCharset UTF-8 .utf8 - AddCharset UTF-16 .utf16 - AddCharset UTF-16BE .utf16be - AddCharset UTF-16LE .utf16le - AddCharset UTF-32 .utf32 - AddCharset UTF-32BE .utf32be - AddCharset UTF-32LE .utf32le - AddCharset euc-cn .euc-cn - AddCharset euc-gb .euc-gb - AddCharset euc-jp .euc-jp - AddCharset euc-kr .euc-kr - #Not sure how euc-tw got in - IANA doesn't list it??? - AddCharset EUC-TW .euc-tw - AddCharset gb2312 .gb2312 .gb - AddCharset iso-10646-ucs-2 .ucs-2 .iso-10646-ucs-2 - AddCharset iso-10646-ucs-4 .ucs-4 .iso-10646-ucs-4 - AddCharset shift_jis .shift_jis .sjis - AddCharset BRF .brf +# +# AddHandler allows you to map certain file extensions to "handlers": +# actions unrelated to filetype. These can be either built into the server +# or added with the Action directive (see below) +# +# To use CGI scripts outside of ScriptAliased directories: +# (You will also need to add "ExecCGI" to the "Options" directive.) +# +#AddHandler cgi-script .cgi - # - # AddHandler allows you to map certain file extensions to "handlers": - # actions unrelated to filetype. These can be either built into the server - # or added with the Action directive (see below) - # - # To use CGI scripts outside of ScriptAliased directories: - # (You will also need to add "ExecCGI" to the "Options" directive.) - # - #AddHandler cgi-script .cgi +# +# For files that include their own HTTP headers: +# +#AddHandler send-as-is asis - # - # For files that include their own HTTP headers: - # - #AddHandler send-as-is asis +# +# For server-parsed imagemap files: +# +#AddHandler imap-file map - # - # For server-parsed imagemap files: - # - #AddHandler imap-file map +# +# For type maps (negotiated resources): +# (This is enabled by default to allow the Apache "It Worked" page +# to be distributed in multiple languages.) 
+# +AddHandler type-map var - # - # For type maps (negotiated resources): - # (This is enabled by default to allow the Apache "It Worked" page - # to be distributed in multiple languages.) - # - AddHandler type-map var - - # - # Filters allow you to process content before it is sent to the client. - # - # To parse .shtml files for server-side includes (SSI): - # (You will also need to add "Includes" to the "Options" directive.) - # - AddType text/html .shtml +# +# Filters allow you to process content before it is sent to the client. +# +# To parse .shtml files for server-side includes (SSI): +# (You will also need to add "Includes" to the "Options" directive.) +# +AddType text/html .shtml AddOutputFilter INCLUDES .shtml - - - -# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/apache2/mods-available/mime_magic.conf b/apache2/mods-available/mime_magic.conf index 12ed9300..0658c3d1 100644 --- a/apache2/mods-available/mime_magic.conf +++ b/apache2/mods-available/mime_magic.conf @@ -1,5 +1 @@ - - MIMEMagicFile /etc/apache2/magic - - -# vim: syntax=apache ts=4 sw=4 sts=4 sr noet +MIMEMagicFile /etc/apache2/magic diff --git a/apache2/mods-available/mpm_event.conf b/apache2/mods-available/mpm_event.conf index 2003d070..b1f712f3 100644 --- a/apache2/mods-available/mpm_event.conf +++ b/apache2/mods-available/mpm_event.conf @@ -5,14 +5,10 @@ # ThreadsPerChild: constant number of worker threads in each server process # MaxRequestWorkers: maximum number of worker threads # MaxConnectionsPerChild: maximum number of requests a server process serves - - StartServers 2 - MinSpareThreads 25 - MaxSpareThreads 75 - ThreadLimit 64 - ThreadsPerChild 25 - MaxRequestWorkers 150 - MaxConnectionsPerChild 0 - - -# vim: syntax=apache ts=4 sw=4 sts=4 sr noet +StartServers 2 +MinSpareThreads 25 +MaxSpareThreads 75 +ThreadLimit 64 +ThreadsPerChild 25 +MaxRequestWorkers 150 +MaxConnectionsPerChild 0 
diff --git a/apache2/mods-available/mpm_worker.conf b/apache2/mods-available/mpm_worker.conf index de5831e1..109cf640 100644 --- a/apache2/mods-available/mpm_worker.conf +++ b/apache2/mods-available/mpm_worker.conf @@ -9,14 +9,10 @@ # MaxRequestWorkers: maximum number of threads # MaxConnectionsPerChild: maximum number of requests a server process serves - - StartServers 2 - MinSpareThreads 25 - MaxSpareThreads 75 - ThreadLimit 64 - ThreadsPerChild 25 - MaxRequestWorkers 150 - MaxConnectionsPerChild 0 - - -# vim: syntax=apache ts=4 sw=4 sts=4 sr noet +StartServers 2 +MinSpareThreads 25 +MaxSpareThreads 75 +ThreadLimit 64 +ThreadsPerChild 25 +MaxRequestWorkers 150 +MaxConnectionsPerChild 0 diff --git a/apache2/mods-available/negotiation.conf b/apache2/mods-available/negotiation.conf index 409b3bfe..3e6c7135 100644 --- a/apache2/mods-available/negotiation.conf +++ b/apache2/mods-available/negotiation.conf 
@@ -1,20 +1,14 @@ - - - # LanguagePriority allows you to give precedence to some languages - # in case of a tie during content negotiation. - # - # Just list the languages in decreasing order of preference. We have - # more or less alphabetized them here. You probably want to change this. - # - LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt pt-BR ru sv tr zh-CN zh-TW - - # - # ForceLanguagePriority allows you to serve a result page rather than - # MULTIPLE CHOICES (Prefer) [in case of a tie] or NOT ACCEPTABLE (Fallback) - # [in case no accepted languages matched the available variants] - # - ForceLanguagePriority Prefer Fallback - - - -# vim: syntax=apache ts=4 sw=4 sts=4 sr noet +# LanguagePriority allows you to give precedence to some languages +# in case of a tie during content negotiation. +# +# Just list the languages in decreasing order of preference. We have +# more or less alphabetized them here. You probably want to change this. +# +LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt pt-BR ru sv tr zh-CN zh-TW + +# +# ForceLanguagePriority allows you to serve a result page rather than +# MULTIPLE CHOICES (Prefer) [in case of a tie] or NOT ACCEPTABLE (Fallback) +# [in case no accepted languages matched the available variants] +# +ForceLanguagePriority Prefer Fallback diff --git a/apache2/mods-available/proxy_balancer.conf b/apache2/mods-available/proxy_balancer.conf index 16199f6d..6b62ec29 100644 --- a/apache2/mods-available/proxy_balancer.conf +++ b/apache2/mods-available/proxy_balancer.conf 
@@ -1,15 +1,9 @@ - - - # Balancer manager enables dynamic update of balancer members - # (needs mod_status). Uncomment to enable. - # - # - # - # SetHandler balancer-manager - # Require local - # - # - - - -# vim: syntax=apache ts=4 sw=4 sts=4 sr noet +# Balancer manager enables dynamic update of balancer members +# (needs mod_status). Uncomment to enable. +# +# +# +# SetHandler balancer-manager +# Require local +# +# diff --git a/apache2/mods-available/proxy_ftp.conf b/apache2/mods-available/proxy_ftp.conf index 29fec567..103a4bbe 100644 --- a/apache2/mods-available/proxy_ftp.conf +++ b/apache2/mods-available/proxy_ftp.conf @@ -1,8 +1,2 @@ - - - # Define the character set for proxied FTP listings. Default is ISO-8859-1 - ProxyFtpDirCharset UTF-8 - - - -# vim: syntax=apache ts=4 sw=4 sts=4 sr noet +# Define the character set for proxied FTP listings. Default is ISO-8859-1 +ProxyFtpDirCharset UTF-8 diff --git a/apache2/mods-available/proxy_html.conf b/apache2/mods-available/proxy_html.conf index 14692add..a6b40dfc 100644 --- a/apache2/mods-available/proxy_html.conf +++ b/apache2/mods-available/proxy_html.conf 
@@ -13,42 +13,43 @@ # # Here's the declaration for W3C HTML 4.01 and XHTML 1.0 -ProxyHTMLLinks a href -ProxyHTMLLinks area href -ProxyHTMLLinks link href -ProxyHTMLLinks img src longdesc usemap -ProxyHTMLLinks object classid codebase data usemap -ProxyHTMLLinks q cite -ProxyHTMLLinks blockquote cite -ProxyHTMLLinks ins cite -ProxyHTMLLinks del cite -ProxyHTMLLinks form action -ProxyHTMLLinks input src usemap -ProxyHTMLLinks head profile -ProxyHTMLLinks base href -ProxyHTMLLinks script src for +ProxyHTMLLinks a href +ProxyHTMLLinks area href +ProxyHTMLLinks link href +ProxyHTMLLinks img src longdesc usemap +ProxyHTMLLinks object classid codebase data usemap +ProxyHTMLLinks q cite +ProxyHTMLLinks blockquote cite +ProxyHTMLLinks ins cite +ProxyHTMLLinks del cite +ProxyHTMLLinks form action +ProxyHTMLLinks input src usemap +ProxyHTMLLinks head profile +ProxyHTMLLinks base href +ProxyHTMLLinks script src for # To support scripting events (with ProxyHTMLExtended On), # you'll need to declare them too. -ProxyHTMLEvents onclick ondblclick onmousedown onmouseup \ - onmouseover onmousemove onmouseout onkeypress \ - onkeydown onkeyup onfocus onblur onload \ - onunload onsubmit onreset onselect onchange +ProxyHTMLEvents \ + onclick ondblclick \ + onmousedown onmouseup onmouseover onmousemove onmouseout \ + onkeypress onkeydown onkeyup onfocus onblur \ + onload onunload onsubmit onreset onselect onchange # If you need to support legacy (pre-1998, aka "transitional") HTML or XHTML, # you'll need to uncomment the following deprecated link attributes. 
# Note that these are enabled in earlier mod_proxy_html versions # -# ProxyHTMLLinks frame src longdesc -# ProxyHTMLLinks iframe src longdesc -# ProxyHTMLLinks body background -# ProxyHTMLLinks applet codebase +# ProxyHTMLLinks frame src longdesc +# ProxyHTMLLinks iframe src longdesc +# ProxyHTMLLinks body background +# ProxyHTMLLinks applet codebase # # If you're dealing with proprietary HTML variants, # declare your own URL attributes here as required. # -# ProxyHTMLLinks myelement myattr otherattr +# ProxyHTMLLinks myelement myattr otherattr # ########### # EXAMPLE # diff --git a/apache2/mods-available/reqtimeout.conf b/apache2/mods-available/reqtimeout.conf index 534cd88e..8b5f5510 100644 --- a/apache2/mods-available/reqtimeout.conf +++ b/apache2/mods-available/reqtimeout.conf 
@@ -1,27 +1,21 @@ - +# mod_reqtimeout limits the time waiting on the client to prevent an +# attacker from causing a denial of service by opening many connections +# but not sending requests. This file tries to give a sensible default +# configuration, but it may be necessary to tune the timeout values to +# the actual situation. Note that it is also possible to configure +# mod_reqtimeout per virtual host. - # mod_reqtimeout limits the time waiting on the client to prevent an - # attacker from causing a denial of service by opening many connections - # but not sending requests. This file tries to give a sensible default - # configuration, but it may be necessary to tune the timeout values to - # the actual situation. Note that it is also possible to configure - # mod_reqtimeout per virtual host. +# Wait max 20 seconds for the first byte of the request line+headers +# From then, require a minimum data rate of 500 bytes/s, but don't +# wait longer than 40 seconds in total. +# Note: Lower timeouts may make sense on non-ssl virtual hosts but can +# cause problem with ssl enabled virtual hosts: This timeout includes +# the time a browser may need to fetch the CRL for the certificate. If +# the CRL server is not reachable, it may take more than 10 seconds +# until the browser gives up. +RequestReadTimeout header=20-40,minrate=500 - # Wait max 20 seconds for the first byte of the request line+headers - # From then, require a minimum data rate of 500 bytes/s, but don't - # wait longer than 40 seconds in total. - # Note: Lower timeouts may make sense on non-ssl virtual hosts but can - # cause problem with ssl enabled virtual hosts: This timeout includes - # the time a browser may need to fetch the CRL for the certificate. If - # the CRL server is not reachable, it may take more than 10 seconds - # until the browser gives up. 
- RequestReadTimeout header=20-40,minrate=500 - - # Wait max 10 seconds for the first byte of the request body (if any) - # From then, require a minimum data rate of 500 bytes/s - RequestReadTimeout body=10,minrate=500 - - - -# vim: syntax=apache ts=4 sw=4 sts=4 sr noet +# Wait max 10 seconds for the first byte of the request body (if any) +# From then, require a minimum data rate of 500 bytes/s +RequestReadTimeout body=10,minrate=500 diff --git a/apache2/mods-available/setenvif.conf b/apache2/mods-available/setenvif.conf index f7c88240..8bba04c3 100644 --- a/apache2/mods-available/setenvif.conf +++ b/apache2/mods-available/setenvif.conf 
@@ -1,32 +1,26 @@ - +# +# The following directives modify normal HTTP response behavior to +# handle known problems with browser implementations. +# +BrowserMatch "Mozilla/2" nokeepalive +BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0 +BrowserMatch "RealPlayer 4\.0" force-response-1.0 +BrowserMatch "Java/1\.0" force-response-1.0 +BrowserMatch "JDK/1\.0" force-response-1.0 - # - # The following directives modify normal HTTP response behavior to - # handle known problems with browser implementations. - # - BrowserMatch "Mozilla/2" nokeepalive - BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0 - BrowserMatch "RealPlayer 4\.0" force-response-1.0 - BrowserMatch "Java/1\.0" force-response-1.0 - BrowserMatch "JDK/1\.0" force-response-1.0 - - # - # The following directive disables redirects on non-GET requests for - # a directory that does not include the trailing slash. This fixes a - # problem with Microsoft WebFolders which does not appropriately handle - # redirects for folders with DAV methods. - # Same deal with Apple's DAV filesystem and Gnome VFS support for DAV. - # - BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully - BrowserMatch "MS FrontPage" redirect-carefully - BrowserMatch "^WebDrive" redirect-carefully - BrowserMatch "^WebDAVFS/1\.[012]" redirect-carefully - BrowserMatch "^gnome-vfs/1\.0" redirect-carefully - BrowserMatch "^gvfs/1" redirect-carefully - BrowserMatch "^XML Spy" redirect-carefully - BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully - BrowserMatch " Konqueror/4" redirect-carefully - - - -# vim: syntax=apache ts=4 sw=4 sts=4 sr noet +# +# The following directive disables redirects on non-GET requests for +# a directory that does not include the trailing slash. This fixes a +# problem with Microsoft WebFolders which does not appropriately handle +# redirects for folders with DAV methods. 
+# Same deal with Apple's DAV filesystem and Gnome VFS support for DAV. +# +BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully +BrowserMatch "MS FrontPage" redirect-carefully +BrowserMatch "^WebDrive" redirect-carefully +BrowserMatch "^WebDAVFS/1\.[012]" redirect-carefully +BrowserMatch "^gnome-vfs/1\.0" redirect-carefully +BrowserMatch "^gvfs/1" redirect-carefully +BrowserMatch "^XML Spy" redirect-carefully +BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully +BrowserMatch " Konqueror/4" redirect-carefully diff --git a/apache2/mods-available/ssl.conf b/apache2/mods-available/ssl.conf index 1dc4eea6..83ca99e0 100644 --- a/apache2/mods-available/ssl.conf +++ b/apache2/mods-available/ssl.conf 
@@ -1,85 +1,83 @@ - +# Pseudo Random Number Generator (PRNG): +# Configure one or more sources to seed the PRNG of the SSL library. +# The seed data should be of good random quality. +# WARNING! On some platforms /dev/random blocks if not enough entropy +# is available. This means you then cannot use the /dev/random device +# because it would lead to very long connection times (as long as +# it requires to make more entropy available). But usually those +# platforms additionally provide a /dev/urandom device which doesn't +# block. So, if available, use this one instead. Read the mod_ssl User +# Manual for more details. +# +SSLRandomSeed startup builtin +SSLRandomSeed startup file:/dev/urandom 512 +SSLRandomSeed connect builtin +SSLRandomSeed connect file:/dev/urandom 512 - # Pseudo Random Number Generator (PRNG): - # Configure one or more sources to seed the PRNG of the SSL library. - # The seed data should be of good random quality. - # WARNING! On some platforms /dev/random blocks if not enough entropy - # is available. This means you then cannot use the /dev/random device - # because it would lead to very long connection times (as long as - # it requires to make more entropy available). But usually those - # platforms additionally provide a /dev/urandom device which doesn't - # block. So, if available, use this one instead. Read the mod_ssl User - # Manual for more details. - # - SSLRandomSeed startup builtin - SSLRandomSeed startup file:/dev/urandom 512 - SSLRandomSeed connect builtin - SSLRandomSeed connect file:/dev/urandom 512 +## +## SSL Global Context +## +## All SSL configuration in this context applies both to +## the main server and all SSL-enabled virtual hosts. +## - ## - ## SSL Global Context - ## - ## All SSL configuration in this context applies both to - ## the main server and all SSL-enabled virtual hosts. 
- ## +# +# Some MIME-types for downloading Certificates and CRLs +# +AddType application/x-x509-ca-cert .crt +AddType application/x-pkcs7-crl .crl - # - # Some MIME-types for downloading Certificates and CRLs - # - AddType application/x-x509-ca-cert .crt - AddType application/x-pkcs7-crl .crl +# Pass Phrase Dialog: +# Configure the pass phrase gathering process. +# The filtering dialog program (`builtin' is a internal +# terminal dialog) has to provide the pass phrase on stdout. +SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase - # Pass Phrase Dialog: - # Configure the pass phrase gathering process. - # The filtering dialog program (`builtin' is a internal - # terminal dialog) has to provide the pass phrase on stdout. - SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase +# Inter-Process Session Cache: +# Configure the SSL Session Cache: First the mechanism +# to use and second the expiring timeout (in seconds). +# (The mechanism dbm has known memory leaks and should not be used). +#SSLSessionCache dbm:${APACHE_RUN_DIR}/ssl_scache +SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000) +SSLSessionCacheTimeout 300 - # Inter-Process Session Cache: - # Configure the SSL Session Cache: First the mechanism - # to use and second the expiring timeout (in seconds). - # (The mechanism dbm has known memory leaks and should not be used). - #SSLSessionCache dbm:${APACHE_RUN_DIR}/ssl_scache - SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000) - SSLSessionCacheTimeout 300 +# Semaphore: +# Configure the path to the mutual exclusion semaphore the +# SSL engine uses internally for inter-process synchronization. +# (Disabled by default, the global Mutex directive consolidates by default +# this) +#Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache - # Semaphore: - # Configure the path to the mutual exclusion semaphore the - # SSL engine uses internally for inter-process synchronization. 
- # (Disabled by default, the global Mutex directive consolidates by default - # this) - #Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache +# SSL Cipher Suite: +# List the ciphers that the client is permitted to negotiate. See the +# ciphers(1) man page from the openssl package for list of all available +# options. +# Enable only secure ciphers: +SSLCipherSuite HIGH:!aNULL - # SSL Cipher Suite: - # List the ciphers that the client is permitted to negotiate. See the - # ciphers(1) man page from the openssl package for list of all available - # options. - # Enable only secure ciphers: - SSLCipherSuite HIGH:!aNULL +# SSL server cipher order preference: +# Use server priorities for cipher algorithm choice. +# Clients may prefer lower grade encryption. You should enable this +# option if you want to enforce stronger encryption, and can afford +# the CPU cost, and did not override SSLCipherSuite in a way that puts +# insecure ciphers first. +# Default: Off +#SSLHonorCipherOrder on - # SSL server cipher order preference: - # Use server priorities for cipher algorithm choice. - # Clients may prefer lower grade encryption. You should enable this - # option if you want to enforce stronger encryption, and can afford - # the CPU cost, and did not override SSLCipherSuite in a way that puts - # insecure ciphers first. - # Default: Off - #SSLHonorCipherOrder on +# The protocols to enable. +# Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2 +# SSL v2 is no longer supported +SSLProtocol all -SSLv3 - # The protocols to enable. - # Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2 - # SSL v2 is no longer supported - SSLProtocol all -SSLv3 +# Allow insecure renegotiation with clients which do not yet support the +# secure renegotiation protocol. Default: Off +#SSLInsecureRenegotiation on - # Allow insecure renegotiation with clients which do not yet support the - # secure renegotiation protocol. 
Default: Off - #SSLInsecureRenegotiation on +# Whether to forbid non-SNI clients to access name based virtual hosts. +# Default: Off +#SSLStrictSNIVHostCheck On - # Whether to forbid non-SNI clients to access name based virtual hosts. - # Default: Off - #SSLStrictSNIVHostCheck On - - - -# vim: syntax=apache ts=4 sw=4 sts=4 sr noet +# Warning: Session Tickets require regular reloading of the server! +# Make sure you do this (e.g. via logrotate) before changing this setting! +SSLSessionTickets off diff --git a/apache2/mods-available/status.conf b/apache2/mods-available/status.conf index 5f53ba7a..cd7dd588 100644 --- a/apache2/mods-available/status.conf +++ b/apache2/mods-available/status.conf @@ -1,29 +1,23 @@ - - # Allow server status reports generated by mod_status, - # with the URL of http://servername/server-status - # Uncomment and change the "192.0.2.0/24" to allow access from other hosts. +# Allow server status reports generated by mod_status, +# with the URL of http://servername/server-status +# Uncomment and change the "192.0.2.0/24" to allow access from other hosts. - - SetHandler server-status - Require local - #Require ip 192.0.2.0/24 - + + SetHandler server-status + Require local + #Require ip 192.0.2.0/24 + - # Keep track of extended status information for each request - ExtendedStatus On +# Keep track of extended status information for each request +ExtendedStatus On - # Determine if mod_status displays the first 63 characters of a request or - # the last 63, assuming the request itself is greater than 63 chars. - # Default: Off - #SeeRequestTail On - - - - # Show Proxy LoadBalancer status in mod_status - ProxyStatus On - +# Determine if mod_status displays the first 63 characters of a request or +# the last 63, assuming the request itself is greater than 63 chars. +# Default: Off +#SeeRequestTail On + + # Show Proxy LoadBalancer status in mod_status + ProxyStatus On - -# vim: syntax=apache ts=4 sw=4 sts=4 sr noet 
diff --git a/apache2/mods-available/userdir.conf b/apache2/mods-available/userdir.conf index 2c334ecf..16cf53cd 100644 --- a/apache2/mods-available/userdir.conf +++ b/apache2/mods-available/userdir.conf @@ -1,12 +1,8 @@ - - UserDir public_html - UserDir disabled root +UserDir public_html +UserDir disabled root - - AllowOverride FileInfo AuthConfig Limit Indexes - Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec - Require method GET POST OPTIONS - - - -# vim: syntax=apache ts=4 sw=4 sts=4 sr noet + + AllowOverride FileInfo AuthConfig Limit Indexes + Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec + Require method GET POST OPTIONS + diff --git a/apache2/ports.conf b/apache2/ports.conf index 5daec58c..f41641b1 100644 --- a/apache2/ports.conf +++ b/apache2/ports.conf @@ -11,5 +11,3 @@ Listen 80 Listen 443 - -# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/apache2/sites-available/default-ssl.conf b/apache2/sites-available/default-ssl.conf index ab40cc94..9de96fa2 100644 --- a/apache2/sites-available/default-ssl.conf +++ b/apache2/sites-available/default-ssl.conf 
@@ -1,134 +1,130 @@ - - - ServerAdmin webmaster@localhost + + ServerAdmin webmaster@localhost - DocumentRoot /var/www/html + DocumentRoot /var/www/html - # Available loglevels: trace8, ..., trace1, debug, info, notice, warn, - # error, crit, alert, emerg. - # It is also possible to configure the loglevel for particular - # modules, e.g. - #LogLevel info ssl:warn + # Available loglevels: trace8, ..., trace1, debug, info, notice, warn, + # error, crit, alert, emerg. + # It is also possible to configure the loglevel for particular + # modules, e.g. + #LogLevel info ssl:warn - ErrorLog ${APACHE_LOG_DIR}/error.log - CustomLog ${APACHE_LOG_DIR}/access.log combined + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined - # For most configuration files from conf-available/, which are - # enabled or disabled at a global level, it is possible to - # include a line for only one particular virtual host. For example the - # following line enables the CGI configuration for this host only - # after it has been globally disabled with "a2disconf". - #Include conf-available/serve-cgi-bin.conf + # For most configuration files from conf-available/, which are + # enabled or disabled at a global level, it is possible to + # include a line for only one particular virtual host. For example the + # following line enables the CGI configuration for this host only + # after it has been globally disabled with "a2disconf". + #Include conf-available/serve-cgi-bin.conf - # SSL Engine Switch: - # Enable/Disable SSL for this virtual host. - SSLEngine on + # SSL Engine Switch: + # Enable/Disable SSL for this virtual host. + SSLEngine on - # A self-signed (snakeoil) certificate can be created by installing - # the ssl-cert package. See - # /usr/share/doc/apache2/README.Debian.gz for more info. - # If both key and certificate are stored in the same file, only the - # SSLCertificateFile directive is needed. 
- SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem - SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key + # A self-signed (snakeoil) certificate can be created by installing + # the ssl-cert package. See + # /usr/share/doc/apache2/README.Debian.gz for more info. + # If both key and certificate are stored in the same file, only the + # SSLCertificateFile directive is needed. + SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem + SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key - # Server Certificate Chain: - # Point SSLCertificateChainFile at a file containing the - # concatenation of PEM encoded CA certificates which form the - # certificate chain for the server certificate. Alternatively - # the referenced file can be the same as SSLCertificateFile - # when the CA certificates are directly appended to the server - # certificate for convinience. - #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt + # Server Certificate Chain: + # Point SSLCertificateChainFile at a file containing the + # concatenation of PEM encoded CA certificates which form the + # certificate chain for the server certificate. Alternatively + # the referenced file can be the same as SSLCertificateFile + # when the CA certificates are directly appended to the server + # certificate for convinience. + #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt - # Certificate Authority (CA): - # Set the CA certificate verification path where to find CA - # certificates for client authentication or alternatively one - # huge file containing all of them (file must be PEM encoded) - # Note: Inside SSLCACertificatePath you need hash symlinks - # to point to the certificate files. Use the provided - # Makefile to update the hash symlinks after changes. 
- #SSLCACertificatePath /etc/ssl/certs/ - #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt + # Certificate Authority (CA): + # Set the CA certificate verification path where to find CA + # certificates for client authentication or alternatively one + # huge file containing all of them (file must be PEM encoded) + # Note: Inside SSLCACertificatePath you need hash symlinks + # to point to the certificate files. Use the provided + # Makefile to update the hash symlinks after changes. + #SSLCACertificatePath /etc/ssl/certs/ + #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt - # Certificate Revocation Lists (CRL): - # Set the CA revocation path where to find CA CRLs for client - # authentication or alternatively one huge file containing all - # of them (file must be PEM encoded) - # Note: Inside SSLCARevocationPath you need hash symlinks - # to point to the certificate files. Use the provided - # Makefile to update the hash symlinks after changes. - #SSLCARevocationPath /etc/apache2/ssl.crl/ - #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl + # Certificate Revocation Lists (CRL): + # Set the CA revocation path where to find CA CRLs for client + # authentication or alternatively one huge file containing all + # of them (file must be PEM encoded) + # Note: Inside SSLCARevocationPath you need hash symlinks + # to point to the certificate files. Use the provided + # Makefile to update the hash symlinks after changes. + #SSLCARevocationPath /etc/apache2/ssl.crl/ + #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl - # Client Authentication (Type): - # Client certificate verification type and depth. Types are - # none, optional, require and optional_no_ca. Depth is a - # number which specifies how deeply to verify the certificate - # issuer chain before deciding the certificate is not valid. - #SSLVerifyClient require - #SSLVerifyDepth 10 + # Client Authentication (Type): + # Client certificate verification type and depth. 
Types are + # none, optional, require and optional_no_ca. Depth is a + # number which specifies how deeply to verify the certificate + # issuer chain before deciding the certificate is not valid. + #SSLVerifyClient require + #SSLVerifyDepth 10 - # SSL Engine Options: - # Set various options for the SSL engine. - # o FakeBasicAuth: - # Translate the client X.509 into a Basic Authorisation. This means that - # the standard Auth/DBMAuth methods can be used for access control. The - # user name is the `one line' version of the client's X.509 certificate. - # Note that no password is obtained from the user. Every entry in the user - # file needs this password: `xxj31ZMTZzkVA'. - # o ExportCertData: - # This exports two additional environment variables: SSL_CLIENT_CERT and - # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the - # server (always existing) and the client (only existing when client - # authentication is used). This can be used to import the certificates - # into CGI scripts. - # o StdEnvVars: - # This exports the standard SSL/TLS related `SSL_*' environment variables. - # Per default this exportation is switched off for performance reasons, - # because the extraction step is an expensive operation and is usually - # useless for serving static content. So one usually enables the - # exportation for CGI and SSI requests only. - # o OptRenegotiate: - # This enables optimized SSL connection renegotiation handling when SSL - # directives are used in per-directory context. - #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire - - SSLOptions +StdEnvVars - - - SSLOptions +StdEnvVars - + # SSL Engine Options: + # Set various options for the SSL engine. + # o FakeBasicAuth: + # Translate the client X.509 into a Basic Authorisation. This means that + # the standard Auth/DBMAuth methods can be used for access control. The + # user name is the `one line' version of the client's X.509 certificate. 
+ # Note that no password is obtained from the user. Every entry in the user + # file needs this password: `xxj31ZMTZzkVA'. + # o ExportCertData: + # This exports two additional environment variables: SSL_CLIENT_CERT and + # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the + # server (always existing) and the client (only existing when client + # authentication is used). This can be used to import the certificates + # into CGI scripts. + # o StdEnvVars: + # This exports the standard SSL/TLS related `SSL_*' environment variables. + # Per default this exportation is switched off for performance reasons, + # because the extraction step is an expensive operation and is usually + # useless for serving static content. So one usually enables the + # exportation for CGI and SSI requests only. + # o OptRenegotiate: + # This enables optimized SSL connection renegotiation handling when SSL + # directives are used in per-directory context. + #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire + + SSLOptions +StdEnvVars + + + SSLOptions +StdEnvVars + - # SSL Protocol Adjustments: - # The safe and default but still SSL/TLS standard compliant shutdown - # approach is that mod_ssl sends the close notify alert but doesn't wait for - # the close notify alert from client. When you need a different shutdown - # approach you can use one of the following variables: - # o ssl-unclean-shutdown: - # This forces an unclean shutdown when the connection is closed, i.e. no - # SSL close notify alert is send or allowed to received. This violates - # the SSL/TLS standard but is needed for some brain-dead browsers. Use - # this when you receive I/O errors because of the standard approach where - # mod_ssl sends the close notify alert. - # o ssl-accurate-shutdown: - # This forces an accurate shutdown when the connection is closed, i.e. a - # SSL close notify alert is send and mod_ssl waits for the close notify - # alert of the client. 
This is 100% SSL/TLS standard compliant, but in - # practice often causes hanging connections with brain-dead browsers. Use - # this only for browsers where you know that their SSL implementation - # works correctly. - # Notice: Most problems of broken clients are also related to the HTTP - # keep-alive facility, so you usually additionally want to disable - # keep-alive for those clients, too. Use variable "nokeepalive" for this. - # Similarly, one has to force some clients to use HTTP/1.0 to workaround - # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and - # "force-response-1.0" for this. - # BrowserMatch "MSIE [2-6]" \ - # nokeepalive ssl-unclean-shutdown \ - # downgrade-1.0 force-response-1.0 + # SSL Protocol Adjustments: + # The safe and default but still SSL/TLS standard compliant shutdown + # approach is that mod_ssl sends the close notify alert but doesn't wait for + # the close notify alert from client. When you need a different shutdown + # approach you can use one of the following variables: + # o ssl-unclean-shutdown: + # This forces an unclean shutdown when the connection is closed, i.e. no + # SSL close notify alert is send or allowed to received. This violates + # the SSL/TLS standard but is needed for some brain-dead browsers. Use + # this when you receive I/O errors because of the standard approach where + # mod_ssl sends the close notify alert. + # o ssl-accurate-shutdown: + # This forces an accurate shutdown when the connection is closed, i.e. a + # SSL close notify alert is send and mod_ssl waits for the close notify + # alert of the client. This is 100% SSL/TLS standard compliant, but in + # practice often causes hanging connections with brain-dead browsers. Use + # this only for browsers where you know that their SSL implementation + # works correctly. 
+ # Notice: Most problems of broken clients are also related to the HTTP + # keep-alive facility, so you usually additionally want to disable + # keep-alive for those clients, too. Use variable "nokeepalive" for this. + # Similarly, one has to force some clients to use HTTP/1.0 to workaround + # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and + # "force-response-1.0" for this. + # BrowserMatch "MSIE [2-6]" \ + # nokeepalive ssl-unclean-shutdown \ + # downgrade-1.0 force-response-1.0 - - - -# vim: syntax=apache ts=4 sw=4 sts=4 sr noet + diff --git a/init.d/apache2 b/init.d/apache2 index 1f51d9e7..c2959d45 100755 --- a/init.d/apache2 +++ b/init.d/apache2 @@ -351,5 +351,3 @@ case "$1" in esac exit 0 - -# vim: syntax=sh ts=4 sw=4 sts=4 sr noet diff --git a/letsencrypt/csr/3903_csr-certbot.pem b/letsencrypt/csr/3903_csr-certbot.pem new file mode 100644 index 00000000..82f7e119 --- /dev/null +++ b/letsencrypt/csr/3903_csr-certbot.pem @@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICdTCCAV0CAQIwADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMK+ +UB5vd8SokepD1EWeWPf1NzepcV6Z1VnoijjxRq+ZXe8mbpZmhW7mby/t1/oEJ154 +XtXHyzBbC2b2K8VJn907y5rZS+y9lU66CADXV8jsFfKBrbM33DHAFgVHDZ8E/77U +88OBQiBQ2l0T3hUT0x7lIvPuJPzWTlbEgE5T0owYCGZcq9Lrw3Llsz0R6LAXOoVd +kNIj+igXc3HwrrEuHX9r/L3DTDCRobCicbbkDDfWKtl9c2fSqKc5Iyy2V0efsYqN +UKQNGeUwDiv1+FeIut6OSun0YGtm82dBb4DnzILInsRvE4O4dv7FyrJECWQyDNT7 +qfdRde6MH/wyxlBUQ7ECAwEAAaAwMC4GCSqGSIb3DQEJDjEhMB8wHQYDVR0RBBYw +FIISdHYuaG9lbGxlaW4ub25saW5lMA0GCSqGSIb3DQEBCwUAA4IBAQCktdRelYkk +zN+Z9X8W/ZmUOKA4sN5TOpHsTcGuY6g0Xe2eB+5gFH3P+6U2VPhjhTmq57adkdKI +se1J0dpYCMav77U56/dxJBKZFglJr1+Tw0TooCcbTZTBU1DsGtfaWpsJyoU1piTr +PAz8y286fUtteLykiSBMytXOiFn+YlGnuDpaLOCBb6gy4aBzjZ1XF4C14lEsm1nX +CLnVhDo63Ee9YXq/PsEG4s3oRGDup3Wbmq5FCeL8SQYovyS/2LGI9SHPRHBa++rH +gzIkFKfwVTMS6qVNv+u1e8ZYhKoGVdnuI4qMcb9B34yf4bvlptXizDAoVWkYGTyv +Oy/r8kh2vhFQ +-----END CERTIFICATE REQUEST----- 
diff --git a/letsencrypt/keys/3904_key-certbot.pem b/letsencrypt/keys/3904_key-certbot.pem new file mode 100644 index 00000000..243de663 --- /dev/null +++ b/letsencrypt/keys/3904_key-certbot.pem @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDCvlAeb3fEqJHq +Q9RFnlj39Tc3qXFemdVZ6Io48UavmV3vJm6WZoVu5m8v7df6BCdeeF7Vx8swWwtm +9ivFSZ/dO8ua2UvsvZVOuggA11fI7BXyga2zN9wxwBYFRw2fBP++1PPDgUIgUNpd +E94VE9Me5SLz7iT81k5WxIBOU9KMGAhmXKvS68Ny5bM9EeiwFzqFXZDSI/ooF3Nx +8K6xLh1/a/y9w0wwkaGwonG25Aw31irZfXNn0qinOSMstldHn7GKjVCkDRnlMA4r +9fhXiLrejkrp9GBrZvNnQW+A58yCyJ7EbxODuHb+xcqyRAlkMgzU+6n3UXXujB/8 +MsZQVEOxAgMBAAECggEAII5IPo5L62hy3ELynaDXJryrunZtKW92J02krdhIBNsS +xQQbwLDq5ZtIQy7zyCwhmL1uvTZlVXQi99d3gcfJHeb9Jqnk83LOHxcid2GIn2I4 +WQ4sx6Uy/m4qQD+cm1TunCxlg+177IMXvi+wFL33sVaE/Vp2fH4nIoI/INkKfbjL +7yuXeiHyEa+j0K5tplI2JU6FhSeT8BaPtZXnvWN5PBIqG7KRdpieviVMVt4Zf1yo +RHmQBoUkwO+XUh32yWLCIpZSbBZOQ7ThOzmLtxaEhqdZrmIaIdV/O6uHAJOiJgsx +gDZeXzM4Ox0bjKMqAz6k+anIrO251dEavM6EmNi3AQKBgQDxDbXAj79cwRaVssvH +GMrXu6dioNZhEOtVn+jhGrpiOvNYnFDrFM2gUvi84yXPGcBtV0YNJsjntBjf/UeO +kIthJl6fYEnZ1rsKjDtxOU9UZfj9v54tLdh+ruBZRCWAJqGalgEuhzK1fFEb2o/H +DGeaCRjuwVPdOimoFYY8o+91qQKBgQDO0YNXLIWP0+I9l059E1RRyeIK9sS9dMQA +YCcVMr5ZO8sGsUX02VtjEL2OaMMvEEuVqozoctPXbRbo863CGCc0geS8/CbUJq84 +hcYkZ4q5QOGPlAzpZ5/QwXlrMcMTZpbPkxgIj1GFuyhafyEtWbz7/tpbuFFerHcE +hVkKe5MSyQKBgQDQAHuQALooqHj7jb/nOg52X3fNVGoIchgP15+U9oJUFvg6ww/T ++iyBJnd6Tism7Nqtvvw0hv4fabl5Nk3TyAhtOTW3Itg2/+J/9IeqaMB6XE+hbgJo +i8HfdrkibfpJ/Yu/H6c/ZewszGwUs+ES6jJPqX/5LZtXL0QYxRIDK5aKmQKBgQCu +O20FhJlkaKEhOBXEYwNW/9exWuC1puf0VQy33A7mB+xrT+7abj6B/7lhfrpoLLcw +eATLUulKhDmXuKn6aPSmVIOJ/ncLpSdaW8BoLN5+YL1lgtk5zLWjXUrX1o08C+Ij +Lw1BMNQB8ID3dEBT/1SpirMUL/xE4NBHe7tejGqDmQKBgQC/Kk+Na9U6/4LqdJA0 +L/r7ZMwM39kWSiem2XAAbMHn0LYWtqeqG0/EDqsE53pXxIc2nSuewngH378u6E// +AI9UN/oHxv8uZqoeySxCQ0Ey8EbQtMBAGbmw4Fwi89svRlhgxUUiAubLDRmqGt+r +0iD6dGENIA5cVRlnM9DRi1zoLw== +-----END PRIVATE KEY----- 
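Review bot: The new file `letsencrypt/keys/3904_key-certbot.pem` puts a complete, unencrypted PKCS#8 private key into the repository, so everyone who can read this history, or any clone or push target of it, holds the key. It appears to be the key behind the CSR added in the same commit (`letsencrypt/csr/3903_csr-certbot.pem`), which would make it the TLS key for a certificate requested from this host. Treat it as compromised: revoke any certificate issued for it and re-issue with a freshly generated key. Deleting the file in a later commit does not help, because the blob stays reachable in history. To keep this from recurring, exclude key material from the automatic /etc commits, for example with a `letsencrypt/keys/` entry in the repository's `.gitignore`, and check whether other private-key paths under /etc are already tracked.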
diff --git a/logrotate.d/apache2 b/logrotate.d/apache2
index 6da4ef86..f8df0222 100644
--- a/logrotate.d/apache2
+++ b/logrotate.d/apache2
@@ -1,20 +1,20 @@
 /var/log/apache2/*.log {
- daily
- missingok
- rotate 14
- compress
- delaycompress
- notifempty
- create 640 root adm
- sharedscripts
- prerotate
- if [ -d /etc/logrotate.d/httpd-prerotate ]; then
- run-parts /etc/logrotate.d/httpd-prerotate
- fi
- endscript
- postrotate
- if pgrep -f ^/usr/sbin/apache2 > /dev/null; then
- invoke-rc.d apache2 reload 2>&1 | logger -t apache2.logrotate
- fi
- endscript
+ daily
+ missingok
+ rotate 14
+ compress
+ delaycompress
+ notifempty
+ create 640 root adm
+ sharedscripts
+ prerotate
+ if [ -d /etc/logrotate.d/httpd-prerotate ]; then
+ run-parts /etc/logrotate.d/httpd-prerotate
+ fi
+ endscript
+ postrotate
+ if pgrep -f ^/usr/sbin/apache2 > /dev/null; then
+ invoke-rc.d apache2 reload 2>&1 | logger -t apache2.logrotate
+ fi
+ endscript
 }
--
2.43.0