X-Git-Url: https://git.cyclocoop.org/?p=lhc%2Fateliers.git;a=blobdiff_plain;f=vm_hosted;h=34c28f59e9bc38848729635f63f77ed817e065d6;hp=e70708ad366a5b42fe25bb6c11fd1c3171748316;hb=08bfdef225ec9d8d83a6658d64d462404be011a3;hpb=4ad3d3b9cd8f94b54ffbc9cf6cff1327a2af5012 diff --git a/vm_hosted b/vm_hosted index e70708a..34c28f5 100755 --- a/vm_hosted +++ b/vm_hosted @@ -55,6 +55,181 @@ rule__chrooted_configure () { # NOTE: est-ce bien utile à un moment ? . /etc/profile } +rule_apache2_configure () { + local -; set +f + rule apt_get_install \ + apache2-mpm-itk \ + libapache2-mod-php5 + # VOIR: http://serverfault.com/questions/383526/how-do-i-select-which-apache-mpm-to-use/383634#383634 + # VOIR: http://jkroon.blogs.uls.co.za/it/security/using-php-fpm-and-mod_proxy_fcgi-to-optimize-and-secure-lamp-servers + # NOTE: apache2-mpm-itk semble le plus sécurisé, + # car on est certain que tout est exécuté avec les uid/gid + # assignés au VirtualHost/Directory/Location + # néamoins il se peut qu'une combinaison du genre : + # apache2-mpm-{worker,event} + mod_proxy_fcgi + apache2-suexec-custom + php-fpm + # soit plus performante (threads et pas forks), + # cependant l'usage de suexec impose des forks il semble.. + # et mod_proxy_fcgi n'apparaît que dans apache 2.4 ; + # donc pour l'instant : apache2-mpm-itk + rule www_configure + cat /dev/stdin "$tool"/etc/apache2/apache2.conf <<-EOF | + ServerName "$vm_fqdn" + EOF + sudo install -m 660 -o root -g root /dev/stdin \ + /etc/apache2/apache2.conf + sudo install -m 660 -o root -g root \ + "$tool"/etc/apache2/envvars \ + /etc/apache2/envvars + sudo install -m 660 -o root -g root \ + "$tool"/etc/apache2/httpd.conf \ + /etc/apache2/httpd.conf + #sudo install -m 660 -o root -g root /dev/stdin \ + # /etc/apache2/suexec/www-data <<-EOF + # /home + # pub/www/cgi + # EOF + sudo install -m 660 -o root -g root \ + "$tool"/etc/apache2/ports.conf \ + /etc/apache2/ports.conf + sudo a2enmod actions + sudo a2enmod headers + sudo a2enmod rewrite + sudo a2enmod ssl + sudo a2enmod userdir + local conf + sudo a2dissite "*" + sudo ln -fns \ + /etc/apache2 \ + /home/www/etc/apache2 + for conf in "$tool"/etc/apache2/site.d/*/VirtualHost.conf + do conf=${conf#"$tool"/etc/apache2/site.d/} + local port site + IFS=. read -r port site <<-EOF + ${conf%\/VirtualHost\.conf} + EOF + assert 'test "${site:+set}"' + assert 'test "${port:+set}"' + local site_user="$user.$port.$site" + local site_dir="$user.$port.$site" + case $port in + (443) + local hint="run vm_remote apache2_key_send before" + assert "sudo test -f /etc/apache2/site.d/\"$site_dir\"/x509/key.pem" hint + sudo install -d -m 770 -o "$user" -g "$user" \ + /etc/apache2 \ + /etc/apache2/site.d/"$site_dir" \ + /etc/apache2/site.d/"$site_dir"/x509 \ + /etc/apache2/site.d/"$site_dir"/x509/ca \ + /etc/apache2/site.d/"$site_dir"/x509/empty \ + /etc/apache2/site.d/"$site_dir"/x509/rvk \ + /etc/apache2/site.d/"$site_dir"/x509/usr + sudo install -m 664 -o www -g www \ + "$tool"/var/pub/x509/"$site"/crt.self-signed.pem \ + /etc/apache2/site.d/"$site_dir"/x509/crt.self-signed.pem + #sudo install -m 664 -o "$user" -g "$user" \ + # "$tool"/var/pub/x509/"$site"/rvk.pem \ + # /etc/apache2/site.d/"$site_dir"/x509/rvk.pem + sudo install -m 664 -o www -g www \ + "$tool"/var/pub/x509/"$site"/ca/crt.self-signed.pem \ + /etc/apache2/site.d/"$site_dir"/x509/ca/crt.pem + sudo install -m 664 -o www -g www \ + "$tool"/var/pub/x509/"$site"/crt.pem \ + /etc/apache2/site.d/"$site_dir"/x509/crt.pem + ;; + esac + case $port in + (80) + cat <<-EOF + + AssignUserID $site_user $site_user + CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/access/%Y-%m-%d.log 86400 60" Combined + #CustomLog "/dev/null" Combined + DocumentRoot /home/www/pub/$site_dir + ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/error/%Y-%m-%d.log 86400 60" + #ErrorLog "/dev/null" + ServerName $site + LogLevel Warn + $(cat "$tool"/etc/apache2/site.d/"$site_dir"/VirtualHost.conf) + + EOF + ;; + (443) + cat <<-EOF + + + AssignUserID $site_user $site_user + BrowserMatch "MSIE [2-6]" ssl-unclean-shutdown nokeepalive downgrade-1.0 force-response-1.0 + BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown + CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/access/%Y-%m-%d.log 86400 60" Combined + #CustomLog "/dev/null" Combined + DocumentRoot /home/www/pub/$site_dir + ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/error/%Y-%m-%d.log 86400 60" + #ErrorLog "/dev/null" + LogLevel Warn + ServerName $site + SSLCACertificateFile /etc/apache2/site.d/$site_dir/x509/crt.self-signed.pem + SSLCACertificatePath /etc/apache2/site.d/$site_dir/x509/usr/ + #SSLCARevocationFile /etc/apache2/site.d/$site_dir/x509/rvk.pem + SSLCADNRequestFile /etc/apache2/site.d/$site_dir/x509/crt.self-signed.pem + SSLCADNRequestPath /etc/apache2/site.d/$site_dir/x509/empty/ + # NOTE: ne publie pas les certificats d’utilisateur-ice-s acceptés + SSLCARevocationPath /etc/apache2/site.d/$site_dir/x509/rvk/ + SSLCertificateChainFile /etc/apache2/site.d/$site_dir/x509/ca/crt.pem + SSLCertificateFile /etc/apache2/site.d/$site_dir/x509/crt.pem + SSLCertificateKeyFile /etc/apache2/site.d/$site_dir/x509/key.pem + SSLCipherSuite AES+RSA+SHA256 + SSLEngine On + SSLInsecureRenegotiation Off + SSLOptions +StrictRequire +OptRenegotiate +StdEnvVars + SSLProtocol -All +TLSv1 + #SSLRenegBufferSize 262144 + SSLSessionCacheTimeout 1200 + SSLStrictSNIVHostCheck On + SSLUserName SSL_CLIENT_S_DN_CN + SSLVerifyClient None + SSLVerifyDepth 1 + $(cat "$tool"/etc/apache2/site.d/"$site_dir"/VirtualHost.conf) + + + EOF + ;; + esac | + sudo install -m 660 -o root -g root /dev/stdin \ + /etc/apache2/site.d/"$site_dir"/VirtualHost.conf + sudo ln -fns \ + ../site.d/"$site_dir"/VirtualHost.conf \ + /etc/apache2/sites-available/"$site_dir" + sudo install -d -m 770 -o "$user" -g "$user" \ + /home/www/log/"$site_dir" \ + /home/www/log/"$site_dir"/apache2 + sudo ln -fns \ + /etc/apache2/site.d/"$site_dir" \ + /home/www/etc/apache2/"$site_dir" + test -e /home/www/pub/"$site_dir" || + sudo install -d -m 770 -o "$user" -g "$user" \ + /home/www/pub/"$site_dir" + getent passwd "$site_user" >/dev/null || + sudo adduser \ + --disabled-password \ + --group \ + --no-create-home \ + --home /home/www/pub/"$site_dir" \ + --shell /bin/false \ + --system \ + "$site_user" + sudo setfacl -m u:"$site_user":--x \ + /home/www/ \ + /home/www/pub/ \ + /home/www/pub/"$site_dir"/ + sudo setfacl -m d:u:"$site_user":rwx \ + "$home"/pub/www/"$site_dir"/ + test ! -r "$tool"/etc/apache2/site.d/"$site_dir"/configure.sh || + . "$tool"/etc/apache2/site.d/"$site_dir"/configure.sh + test -e /etc/apache2/sites-enabled/"$site_dir" || + sudo a2ensite "$site_dir" + done + sudo service apache2 restart + } rule_apt_configure () { sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list <<-EOF deb http://ftp.fr.debian.org/debian $vm_lsb_name main contrib non-free @@ -292,6 +467,13 @@ rule_initramfs_configure () { # NOTE: clefs générées par Debian sudo update-initramfs -u } +rule_time_configure () { + sudo install -m 644 -o root -g root /dev/stdin /etc/timezone <<-EOF + Europe/Paris + EOF + sudo dpkg-reconfigure tzdata + rule apt_get_install ntp + } rule_locale_configure () { sudo install -m 644 -o root -g root /dev/stdin /etc/locale.gen <<-EOF fr_FR.UTF-8 UTF-8 @@ -621,7 +803,6 @@ rule_user_configure () { /etc/skel/etc \ /etc/skel/etc/ssh sudo install -d -m 770 -o root -g adm \ - /etc/skel/etc/apache2 \ /etc/skel/var \ /etc/skel/var/log \ /etc/skel/var/cache \ @@ -685,11 +866,13 @@ rule_configure () { rule git_configure rule etckeeper_configure rule locale_configure + rule time_configure rule network_configure rule filesystem_configure rule login_configure rule ssh_configure rule mail_configure + rule apache2_configure rule user_root_configure rule boot_configure rule user_configure