Bug#267477: ssl default config for apache2

To: 267477@bugs.debian.org
Subject: Bug#267477: ssl default config for apache2
From: Stefan Fritsch <sf@sfritsch.de>
Date: Wed, 26 Oct 2005 19:40:16 +0200
Message-id: <[🔎] 200510261940.24546.sf@sfritsch.de>
Reply-to: Stefan Fritsch <sf@sfritsch.de>, 267477@bugs.debian.org

Hi,

I have created yet another default SSL configuration for this bug. 
With this one it is possible to enable the default SSL site just with 
"a2enmod ssl" (plus creation of a certificate). It does this by 
including a default.common file twice into the 
sites-available/default file, once inside a *:80 and once inside a 
*:443 virtualhost and using <IfModule mod_ssl.c> in the appropriate 
places.


Notes:
- Since ports.conf is not a conffile, upgraders need to change this by 
hand.

- Since the virtualhost in sites-available/default is now *:80, a hint 
is added to ports.conf that the virtualhost directives have to be 
changed as well when changing ports.

- A reasonable SSL default configuration should only allow save 
ciphers, therefore I have changed mods-available/ssl.conf. People 
needing cipher upgrades via SGC will know how to change it back.


Cheers,
Stefan

diff -urN apache2-2.0.55-orig/debian/apache2-common.postinst apache2-2.0.55/debian/apache2-common.postinst
--- apache2-2.0.55-orig/debian/apache2-common.postinst	2005-10-26 17:21:55.000000000 +0200
+++ apache2-2.0.55/debian/apache2-common.postinst	2005-10-26 17:54:12.000000000 +0200
@@ -17,14 +17,14 @@
 	NO_PORT_80=`$NETSTAT -lnt | awk '{print $4}' | grep ':80$'` || true
 	if [ -n "$NO_AF_INET" -o -n "$NO_PORT_80" ]; then
 		echo "NO_START=1" >> /etc/default/apache2
-		echo "Listen 80" >> /etc/apache2/ports.conf
+		cp /usr/share/apache2/ports.conf.template /etc/apache2/ports.conf
 		if [ -n "$NO_AF_INET" ]; then
 			echo "netstat is unable to query the state of your listening TCP ports.  This could be because you don't have TCP support in your kernel (unlikely), or because you do not have the /proc filesystem mounted.  To be on the safe side, we're assuming that port 80 is in use."
 		fi
 		echo "Setting Apache2 not to start, as something else appears to be using Port 80. To allow apache2 to start, set NO_START to 0 in /etc/default/apache2. Apache2 has been set to listen on port 80 by default, so please edit /etc/apache2/ports.conf as desired. Note that the Port directive no longer works."
 	else
 		echo "NO_START=0" >> /etc/default/apache2
-		echo "Listen 80" >> /etc/apache2/ports.conf
+		cp /usr/share/apache2/ports.conf.template /etc/apache2/ports.conf
 		echo "Setting Apache2 to Listen on port 80. If this is not desired, please edit /etc/apache2/ports.conf as desired. Note that the Port directive no longer works."
 	fi
 fi
diff -urN apache2-2.0.55-orig/debian/config-mods/ssl.conf apache2-2.0.55/debian/config-mods/ssl.conf
--- apache2-2.0.55-orig/debian/config-mods/ssl.conf	2005-10-26 17:21:55.000000000 +0200
+++ apache2-2.0.55/debian/config-mods/ssl.conf	2005-10-26 19:31:37.000000000 +0200
@@ -41,7 +41,17 @@
 #   Configure the path to the mutual exclusion semaphore the
 #   SSL engine uses internally for inter-process synchronization. 
 SSLMutex  file:/var/run/apache2/ssl_mutex
-SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
+
+#   Use this instead if you want to allow cipher upgrades via SGC facility.
+#   In this case you also have to use something like 
+#        SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
+#   see http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html.en#upgradeenc
+#SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
+SSLCipherSuite HIGH:MEDIUM
+
+# use this to disable SSLv2 
+#SSLProtocol all -SSLv2
+SSLProtocol all
 
 #   SSL Protocol Adjustments:
 #   The safe and default but still SSL/TLS standard compliant shutdown
diff -urN apache2-2.0.55-orig/debian/default-site apache2-2.0.55/debian/default-site
--- apache2-2.0.55-orig/debian/default-site	2005-10-26 17:21:55.000000000 +0200
+++ apache2-2.0.55/debian/default-site	2005-10-26 19:31:44.000000000 +0200
@@ -1,46 +1,25 @@
-NameVirtualHost *
-<VirtualHost *>
-	ServerAdmin webmaster@localhost
-	
-	DocumentRoot /var/www
-	<Directory />
-		Options FollowSymLinks
-		AllowOverride None
-	</Directory>
-	<Directory /var/www/>
-		Options Indexes FollowSymLinks MultiViews
-		AllowOverride None
-		Order allow,deny
-		allow from all
-		# Uncomment this directive is you want to see apache2's
-		# default start page (in /apache2-default) when you go to /
-                #RedirectMatch ^/$ /apache2-default/
-	</Directory>
-
-	ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
-	<Directory "/usr/lib/cgi-bin">
-		AllowOverride None
-		Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
-		Order allow,deny
-		Allow from all
-	</Directory>
-
-	ErrorLog /var/log/apache2/error.log
-
-	# Possible values include: debug, info, notice, warn, error, crit,
-	# alert, emerg.
-	LogLevel warn
-
-	CustomLog /var/log/apache2/access.log combined
-	ServerSignature On
-
-    Alias /doc/ "/usr/share/doc/"
-    <Directory "/usr/share/doc/">
-        Options Indexes MultiViews FollowSymLinks
-        AllowOverride None
-        Order deny,allow
-        Deny from all
-        Allow from 127.0.0.0/255.0.0.0 ::1/128
-    </Directory>
+NameVirtualHost *:80
+<VirtualHost *:80>
+
+	Include /etc/apache2/sites-available/default.common
 
 </VirtualHost>
+
+
+<IfModule mod_ssl.c>
+    <VirtualHost *:443>
+	SSLEngine on
+	SSLCertificateFile /etc/apache2/ssl/apache.pem
+	# If the key is not combined with the certificate, use this directive to
+	# point at the key file.
+	#SSLCertificateKeyFile /etc/apache2/ssl/server_key_name_httpsd.key
+
+	# Use if you want to allow cipher upgrades via SGC
+	# (see ssl.conf)
+	#SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
+
+        Include /etc/apache2/sites-available/default.common 
+
+    </VirtualHost>
+</IfModule>
+
diff -urN apache2-2.0.55-orig/debian/default-site.common apache2-2.0.55/debian/default-site.common
--- apache2-2.0.55-orig/debian/default-site.common	1970-01-01 01:00:00.000000000 +0100
+++ apache2-2.0.55/debian/default-site.common	2005-10-26 17:48:02.000000000 +0200
@@ -0,0 +1,42 @@
+ServerAdmin webmaster@localhost
+
+DocumentRoot /var/www
+<Directory />
+	Options FollowSymLinks
+	AllowOverride None
+</Directory>
+<Directory /var/www/>
+	Options Indexes FollowSymLinks MultiViews
+	AllowOverride None
+	Order allow,deny
+	allow from all
+	# Uncomment this directive is you want to see apache2's
+	# default start page (in /apache2-default) when you go to /
+        #RedirectMatch ^/$ /apache2-default/
+</Directory>
+
+ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
+<Directory "/usr/lib/cgi-bin">
+	AllowOverride None
+	Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
+	Order allow,deny
+	Allow from all
+</Directory>
+
+ErrorLog /var/log/apache2/error.log
+
+# Possible values include: debug, info, notice, warn, error, crit,
+# alert, emerg.
+LogLevel warn
+
+CustomLog /var/log/apache2/access.log combined
+ServerSignature On
+
+Alias /doc/ "/usr/share/doc/"
+<Directory "/usr/share/doc/">
+Options Indexes MultiViews FollowSymLinks
+AllowOverride None
+Order deny,allow
+Deny from all
+Allow from 127.0.0.0/255.0.0.0 ::1/128
+</Directory>
diff -urN apache2-2.0.55-orig/debian/ports.conf.template apache2-2.0.55/debian/ports.conf.template
--- apache2-2.0.55-orig/debian/ports.conf.template	1970-01-01 01:00:00.000000000 +0100
+++ apache2-2.0.55/debian/ports.conf.template	2005-10-26 17:58:43.000000000 +0200
@@ -0,0 +1,8 @@
+# If you change the default ports you will also have to change the VirtualHost
+# directives in /etc/apache2/sites-available/default
+
+Listen 80
+
+<IfModule mod_ssl.c>
+	Listen 443
+</IfModule>
diff -urN apache2-2.0.55-orig/debian/README.Debian apache2-2.0.55/debian/README.Debian
--- apache2-2.0.55-orig/debian/README.Debian	2005-10-26 17:21:55.000000000 +0200
+++ apache2-2.0.55/debian/README.Debian	2005-10-26 19:34:09.000000000 +0200
@@ -8,6 +8,9 @@
 
 -       See /etc/apache2/README for more information on the config layout.
 
+-	See /usr/share/doc/apache2/README.ssl for information on how to
+	enable SSL.
+
 -       We don't ship INSTALL or README.platforms, since they don't go into 
         any useful details post build.
 
diff -urN apache2-2.0.55-orig/debian/README.etc apache2-2.0.55/debian/README.etc
--- apache2-2.0.55-orig/debian/README.etc	2005-10-26 17:21:55.000000000 +0200
+++ apache2-2.0.55/debian/README.etc	2005-10-26 19:33:12.000000000 +0200
@@ -61,7 +61,9 @@
 	Like mods-available/, except it contains configuration
 	directives for different virtual hosts that might be used with
 	apache2.  Note that the hostname doesn't have to correspond
-	exactly with the filename.  'default' is the default host.
+	exactly with the filename.  'default' is the default host
+	includes default.common for port 80 and port 443 (if mod_ssl
+	is enabled).
 
 sites-enabled/
 
diff -urN apache2-2.0.55-orig/debian/README.ssl apache2-2.0.55/debian/README.ssl
--- apache2-2.0.55-orig/debian/README.ssl	1970-01-01 01:00:00.000000000 +0100
+++ apache2-2.0.55/debian/README.ssl	2005-10-26 19:16:15.000000000 +0200
@@ -0,0 +1,28 @@
+To enable ssl:
+
+0. Have apache working without SSL ;-)
+
+1. a) Adjust SSLCertificateFile and SSLCertificateKeyFile in your
+      /etc/apache2/sites-enabled/default to point to your
+      certificate and key file.
+
+   or
+   
+   b) Create a self-signed certificate:
+
+	/usr/sbin/apache2-ssl-certificate
+
+2. Enable mod_ssl:
+
+	a2enmod ssl
+
+3. If you have upgraded from a previous version, you may have to add the
+   "Listen 443" directive to your /etc/apache2/ports.conf by hand. You
+   can do this by copying the default file:
+
+	cp /usr/share/apache2/ports.conf.template /etc/apache2/ports.conf
+
+4. Restart apache:
+
+	/etc/init.d/apache2 restart
+
diff -urN apache2-2.0.55-orig/debian/rules apache2-2.0.55/debian/rules
--- apache2-2.0.55-orig/debian/rules	2005-10-26 17:21:55.000000000 +0200
+++ apache2-2.0.55/debian/rules	2005-10-26 17:58:08.000000000 +0200
@@ -233,6 +233,7 @@
 	rm -r debian/apache2-common/var/www/apache2-default/manual
 	cp debian/robots.txt debian/apache2-common/var/www/apache2-default/
 	cp -R debian/config-sites/* debian/apache2-common/usr/share/apache2/config
+	cp debian/ports.conf.template debian/apache2-common/usr/share/apache2
 	cp -R debian/config-mods/*.load debian/apache2-common/etc/apache2/mods-available
 	cp -R debian/config-mods/*.conf debian/apache2-common/etc/apache2/mods-available
 	cp -R debian/config/* debian/apache2-common/etc/apache2/
@@ -252,6 +253,7 @@
 		do install -m755 $$i debian/apache2-common/usr/sbin; \
 	done
 	cp debian/default-site debian/apache2-common/etc/apache2/sites-available/default
+	cp debian/default-site.common debian/apache2-common/etc/apache2/sites-available/default.common
 	cp debian/apache2-doc.conf debian/apache2-doc/etc/apache2/conf.d/apache2-doc
 	cp debian/ssleay.cnf debian/apache2-common/usr/share/apache2/ssleay.cnf
 	$(INSTALL) debian/ssl-certificate debian/apache2-common/usr/sbin/apache2-ssl-certificate 
@@ -277,6 +279,7 @@
 	cp debian/logrotate debian/apache2-common/etc/logrotate.d/apache2
 	cp debian/README.etc debian/apache2-common/etc/apache2/README
 	cp debian/README.etc debian/apache2-common/usr/share/doc/apache2/README.etc
+	cp debian/README.ssl debian/apache2-common/usr/share/doc/apache2/README.ssl
 	touch $@
 
 binary-indep: build install

Attachment: pgpPYCWa7shfv.pgp
Description: PGP signature

Reply to:

Prev by Date: Bug#334336: marked as done (apache: FTBFS with openssl 0.9.8: EVP_F_EVP_DECRYPTFINAL undeclared)
Next by Date: Bug#322348: /etc/init.d/apache script wasn't removed by postrm
Previous by thread: Bug#334336: marked as done (apache: FTBFS with openssl 0.9.8: EVP_F_EVP_DECRYPTFINAL undeclared)
Next by thread: Bug#337325: mod_proxy: encodes URLs in error messages wrongly
Index(es):
- Date
- Thread