author | root <root@vps-18a7a2b7.vps.ovh.ca> | 2024-02-09 23:25:31 -0500 |
---|---|---|
committer | root <root@vps-18a7a2b7.vps.ovh.ca> | 2024-02-09 23:25:31 -0500 |
commit | 327ff766b9048a66db2ff6e3ab590c3a02287e38 (patch) | |
tree | cf51c9e8af592ad3088bfff37d91d6d2641e06d3 | |
parent | 4527ea41480571aa9bc4534a0972cb27e0fa74a7 (diff) |
fixup! enable-default-ssl.bash
-rw-r--r-- | src/rpc.bash | 1 | ||||
-rw-r--r-- | wordpress/default-ssl.conf.ctpl | 136 |
2 files changed, 137 insertions, 0 deletions
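--- a/src/rpc.bash
+++ b/src/rpc.bash
@@ -1,5 +1,6 @@
 #!/bin/false
 
+command -v recursive_dependencies >/dev/null ||
 source dependencies.bash
 
 # Input: $BASH_RPC_REMOTE_DEST - hostname passed to ssh (uses ssh host aliases)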
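Review bot: The new guard `command -v recursive_dependencies >/dev/null ||` is satisfied by any executable named recursive_dependencies on PATH, not only by the shell function that dependencies.bash presumably defines, so an unrelated or planted binary in a writable PATH entry would silently suppress the source. If the intent is "skip the re-source when the function is already loaded", `declare -F recursive_dependencies >/dev/null || source dependencies.bash` tests for the function specifically. Note also that `source dependencies.bash` with a bare filename makes bash search PATH for the file, which the guard does not change; the surrounding file continues beyond this hunk.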
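--- /dev/null
+++ b/wordpress/default-ssl.conf.ctpl
@@ -0,0 +1,136 @@
+<MDomain {SITE_NAME}>
+MDContactEmail webmaster@{SITE_NAME}
+MDCertificateAgreement accepted
+MDRequireHttps temporary
+</MDomain>
+<VirtualHost *:443>
+ServerName {SITE_NAME}
+ServerAdmin webmaster@{SITE_NAME}
+
+DocumentRoot /var/www/html
+
+# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
+# error, crit, alert, emerg.
+# It is also possible to configure the loglevel for particular
+# modules, e.g.
+#LogLevel info ssl:warn
+
+ErrorLog $\{APACHE_LOG_DIR\}/error.log
+CustomLog $\{APACHE_LOG_DIR\}/access.log combined
+
+# For most configuration files from conf-available/, which are
+# enabled or disabled at a global level, it is possible to
+# include a line for only one particular virtual host. For example the
+# following line enables the CGI configuration for this host only
+# after it has been globally disabled with "a2disconf".
+#Include conf-available/serve-cgi-bin.conf
+
+# SSL Engine Switch:
+# Enable/Disable SSL for this virtual host.
+SSLEngine on
+
+# A self-signed (snakeoil) certificate can be created by installing
+# the ssl-cert package. See
+# /usr/share/doc/apache2/README.Debian.gz for more info.
+# If both key and certificate are stored in the same file, only the
+# SSLCertificateFile directive is needed.
+#SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
+#SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
+
+# Server Certificate Chain:
+# Point SSLCertificateChainFile at a file containing the
+# concatenation of PEM encoded CA certificates which form the
+# certificate chain for the server certificate. Alternatively
+# the referenced file can be the same as SSLCertificateFile
+# when the CA certificates are directly appended to the server
+# certificate for convinience.
+#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
+
+# Certificate Authority (CA):
+# Set the CA certificate verification path where to find CA
+# certificates for client authentication or alternatively one
+# huge file containing all of them (file must be PEM encoded)
+# Note: Inside SSLCACertificatePath you need hash symlinks
+# to point to the certificate files. Use the provided
+# Makefile to update the hash symlinks after changes.
+#SSLCACertificatePath /etc/ssl/certs/
+#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
+
+# Certificate Revocation Lists (CRL):
+# Set the CA revocation path where to find CA CRLs for client
+# authentication or alternatively one huge file containing all
+# of them (file must be PEM encoded)
+# Note: Inside SSLCARevocationPath you need hash symlinks
+# to point to the certificate files. Use the provided
+# Makefile to update the hash symlinks after changes.
+#SSLCARevocationPath /etc/apache2/ssl.crl/
+#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
+
+# Client Authentication (Type):
+# Client certificate verification type and depth. Types are
+# none, optional, require and optional_no_ca. Depth is a
+# number which specifies how deeply to verify the certificate
+# issuer chain before deciding the certificate is not valid.
+#SSLVerifyClient require
+#SSLVerifyDepth 10
+
+# SSL Engine Options:
+# Set various options for the SSL engine.
+# o FakeBasicAuth:
+# Translate the client X.509 into a Basic Authorisation. This means that
+# the standard Auth/DBMAuth methods can be used for access control. The
+# user name is the `one line' version of the client's X.509 certificate.
+# Note that no password is obtained from the user. Every entry in the user
+# file needs this password: `xxj31ZMTZzkVA'.
+# o ExportCertData:
+# This exports two additional environment variables: SSL_CLIENT_CERT and
+# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
+# server (always existing) and the client (only existing when client
+# authentication is used). This can be used to import the certificates
+# into CGI scripts.
+# o StdEnvVars:
+# This exports the standard SSL/TLS related `SSL_*' environment variables.
+# Per default this exportation is switched off for performance reasons,
+# because the extraction step is an expensive operation and is usually
+# useless for serving static content. So one usually enables the
+# exportation for CGI and SSI requests only.
+# o OptRenegotiate:
+# This enables optimized SSL connection renegotiation handling when SSL
+# directives are used in per-directory context.
+#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+<FilesMatch "\\.(?:cgi|shtml|phtml|php)$">
+SSLOptions +StdEnvVars
+</FilesMatch>
+<Directory /usr/lib/cgi-bin>
+SSLOptions +StdEnvVars
+</Directory>
+
+# SSL Protocol Adjustments:
+# The safe and default but still SSL/TLS standard compliant shutdown
+# approach is that mod_ssl sends the close notify alert but doesn't wait for
+# the close notify alert from client. When you need a different shutdown
+# approach you can use one of the following variables:
+# o ssl-unclean-shutdown:
+# This forces an unclean shutdown when the connection is closed, i.e. no
+# SSL close notify alert is send or allowed to received. This violates
+# the SSL/TLS standard but is needed for some brain-dead browsers. Use
+# this when you receive I/O errors because of the standard approach where
+# mod_ssl sends the close notify alert.
+# o ssl-accurate-shutdown:
+# This forces an accurate shutdown when the connection is closed, i.e. a
+# SSL close notify alert is send and mod_ssl waits for the close notify
+# alert of the client. This is 100% SSL/TLS standard compliant, but in
+# practice often causes hanging connections with brain-dead browsers. Use
+# this only for browsers where you know that their SSL implementation
+# works correctly.
+# Notice: Most problems of broken clients are also related to the HTTP
+# keep-alive facility, so you usually additionally want to disable
+# keep-alive for those clients, too. Use variable "nokeepalive" for this.
+# Similarly, one has to force some clients to use HTTP/1.0 to workaround
+# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
+# "force-response-1.0" for this.
+# BrowserMatch "MSIE [2-6]" \\
+# nokeepalive ssl-unclean-shutdown \\
+# downgrade-1.0 force-response-1.0
+
+</VirtualHost>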
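Review bot: `MDRequireHttps temporary` in the MDomain block makes mod_md answer plain-HTTP requests with a 302 and, as far as I recall mod_md's behaviour, sets no Strict-Transport-Security header, so a client can still be steered back to HTTP on a later visit; once the ACME certificate is confirmed to issue for {SITE_NAME}, this should become `MDRequireHttps permanent`, which redirects with 301 and adds HSTS. The vhost sets no SSLProtocol or SSLCipherSuite, so it inherits whatever the global mod_ssl configuration permits — if TLS 1.0/1.1 are meant to be off for this site, state that here rather than relying on a default that lives outside this template. The `$\{APACHE_LOG_DIR\}` and `\\.` escapes suggest the .ctpl renderer strips backslashes; it is worth confirming that the rendered FilesMatch pattern comes out as `\.(?:cgi|shtml|phtml|php)$`, since a surviving double backslash would silently stop StdEnvVars from applying to PHP. Most of the file is the Debian default-ssl boilerplate, and a one-line header such as `# Generated from wordpress/default-ssl.conf.ctpl; {SITE_NAME} is substituted at install time` would tell the next reader which lines are template-driven.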