From 08bfdef225ec9d8d83a6658d64d462404be011a3 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Tue, 26 Feb 2013 16:46:08 +0100 Subject: [PATCH] Ajout : vm_hosted : rule_apache2_configure . --- etc/apache2/apache2.conf | 37 ++++ etc/apache2/envvars | 32 ++++ etc/apache2/httpd.conf | 0 etc/apache2/ports.conf | 7 + .../VirtualHost.conf | 1 + .../VirtualHost.conf | 49 +++++ vm_hosted | 177 +++++++++++++++++- vm_remote | 40 +++- 8 files changed, 338 insertions(+), 5 deletions(-) create mode 100644 etc/apache2/apache2.conf create mode 100644 etc/apache2/envvars create mode 100644 etc/apache2/httpd.conf create mode 100644 etc/apache2/ports.conf create mode 120000 etc/apache2/site.d/hc.443.www.heureux-cyclage.org/VirtualHost.conf create mode 100644 etc/apache2/site.d/hc.80.www.heureux-cyclage.org/VirtualHost.conf diff --git a/etc/apache2/apache2.conf b/etc/apache2/apache2.conf new file mode 100644 index 0000000..12fba30 --- /dev/null +++ b/etc/apache2/apache2.conf 
@@ -0,0 +1,37 @@ +AccessFileName .htaccess +AddDefaultCharset UTF-8 +DefaultType None +ErrorDocument 404 default +ErrorLog ${APACHE_LOG_DIR}/error.log + + # NOTE: The following lines prevent .htaccess and .htpasswd files + # from being viewed by Web clients. + Order allow,deny + Deny from all + Satisfy all + +Group ${APACHE_RUN_GROUP} +HostnameLookups Off +KeepAlive On +KeepAliveTimeout 15 +LockFile ${APACHE_LOCK_DIR}/accept.lock + # XXX: the accept serialization lock file MUST BE STORED ON A LOCAL DISK. +LogFormat "%{User-agent}i" agent +LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined +LogFormat "%h %l %u %t \"%r\" %>s %O" common +LogFormat "%{Referer}i -> %U" referer +LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined +LogLevel warn + # NOTE: possible values include: debug, info, notice, warn, error, crit, alert, emerg. +MaxKeepAliveRequests 100 +PidFile ${APACHE_PID_FILE} +#ServerRoot "/var/www" +Timeout 300 +User ${APACHE_RUN_USER} + +Include mods-enabled/*.load +Include mods-enabled/*.conf +Include httpd.conf +Include ports.conf +Include conf.d/ +Include sites-enabled/*.conf diff --git a/etc/apache2/envvars b/etc/apache2/envvars new file mode 100644 index 0000000..e5549dd --- /dev/null +++ b/etc/apache2/envvars 
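Review bot: No baseline `<Directory />` container appears anywhere in this file, so any path not covered by a vhost's own `<Directory>` block falls back to Apache 2.2's built-in defaults (`Options All`, `AllowOverride All`, access allowed), which is the wrong default for a host that also enables `UserDir` and `FollowSymlinks` in its vhosts; a default-deny root block (below) makes every exposure explicit. The `<Files>` container around `Order allow,deny` / `Deny from all` / `Satisfy all` is not visible in this rendering, so I could not confirm it still matches `^\.ht`. Next to `HostnameLookups Off` I would also add `TraceEnable Off`, plus `ServerTokens Prod` and `ServerSignature Off` unless `conf.d/security` (included further down) already sets them. `Timeout 300` is generous for a forking MPM, since one slow client can pin a child for five minutes; something nearer 60 is the usual choice.
```apache
# … unchanged: AccessFileName … ErrorLog …
<Directory />
    Options None
    AllowOverride None
    Order Deny,Allow
    Deny from all
</Directory>
```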
@@ -0,0 +1,32 @@ +# envvars - default environment variables for apache2ctl + +unset HOME + # NOTE: this won't be correct after changing uid. + +# NOTE: for supporting multiple apache2 instances. +if [ "${APACHE_CONFDIR##/etc/apache2-}" != "${APACHE_CONFDIR}" ] ; then + SUFFIX="-${APACHE_CONFDIR##/etc/apache2-}" +else + SUFFIX= +fi + +# NOTE: since there is no sane way to get the parsed apache2 config in scripts, some +# settings are defined via environment variables and then used in apache2ctl, +# /etc/init.d/apache2, /etc/logrotate.d/apache2, etc. +export APACHE_RUN_USER=www-data +export APACHE_RUN_GROUP=www-data +export APACHE_PID_FILE=/var/run/apache2$SUFFIX.pid +export APACHE_RUN_DIR=/var/run/apache2$SUFFIX +export APACHE_LOCK_DIR=/var/lock/apache2$SUFFIX +export APACHE_LOG_DIR=/var/log/apache2$SUFFIX + # XXX: only /var/log/apache2 is handled by /etc/logrotate.d/apache2. + +#export LANG=C +. /etc/default/locale + # NOTE: the locale used by some modules like mod_dav. + +export LANG + +#export APACHE_LYNX='www-browser -dump' + # NOTE: the command to get the status for 'apache2ctl status'. + # Some packages providing 'www-browser' need '--dump' instead of '-dump'. diff --git a/etc/apache2/httpd.conf b/etc/apache2/httpd.conf new file mode 100644 index 0000000..e69de29 diff --git a/etc/apache2/ports.conf b/etc/apache2/ports.conf new file mode 100644 index 0000000..270cb77 --- /dev/null +++ b/etc/apache2/ports.conf @@ -0,0 +1,7 @@ +NameVirtualHost *:80 +Listen *:80 + + + Listen *:443 + NameVirtualHost *:443 + diff --git a/etc/apache2/site.d/hc.443.www.heureux-cyclage.org/VirtualHost.conf b/etc/apache2/site.d/hc.443.www.heureux-cyclage.org/VirtualHost.conf new file mode 120000 index 0000000..7aac55f --- /dev/null +++ b/etc/apache2/site.d/hc.443.www.heureux-cyclage.org/VirtualHost.conf @@ -0,0 +1 @@ +../hc.80.www.heureux-cyclage.org/VirtualHost.conf \ No newline at end of file 
diff --git a/etc/apache2/site.d/hc.80.www.heureux-cyclage.org/VirtualHost.conf b/etc/apache2/site.d/hc.80.www.heureux-cyclage.org/VirtualHost.conf new file mode 100644 index 0000000..c027e7d --- /dev/null +++ b/etc/apache2/site.d/hc.80.www.heureux-cyclage.org/VirtualHost.conf @@ -0,0 +1,49 @@ + + Allow From All + AllowOverride None + Options Indexes FollowSymlinks + Order Allow,Deny + + + AddHandler cgi-script .cgi + Allow From All + AllowOverride None + Options +ExecCGI + Order Allow,Deny + + + + AllowOverride All + ErrorDocument 404 default + + Allow From All + Order Allow,Deny + + + Deny From All + Order Deny,Allow + + Options MultiViews Indexes FollowSymLinks IncludesNoExec + + + AddHandler cgi-script .cgi + Options +ExecCGI + + + Allow From all + AllowOverride None + Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch + Order Allow,Deny + + RewriteCond %{ENV:REDIRECT_PHPRC} (.+) + RewriteRule .* - [E=PHPRC:%1] + # NOTE: permet de faire un SetEnv PHPRC dans les .htaccess + # SEE: http://stackoverflow.com/questions/3050444/when-setting-environment-variables-in-apache-rewriterule-directives-what-causes + UserDir pub/www + UserDir disabled root + UserDir disabled + UserDir enabled julm lchevalier + +ServerAdmin contact+www@heureux-cyclage.org +ServerAlias heureux-cyclage.org +ServerAlias ateliers diff --git a/vm_hosted b/vm_hosted index 9af76a9..34c28f5 100755 --- a/vm_hosted +++ b/vm_hosted 
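Review bot: `Options Indexes FollowSymlinks` together with `Allow From All` publishes directory listings and follows any symlink under that tree no matter who created it, so a writable upload directory or a user-created link can expose anything readable by the vhost uid; the container tags are stripped in this rendering so I cannot tell which `<Directory>` it applies to, but I would change it to `Options SymLinksIfOwnerMatch` and drop `Indexes` unless listings are wanted (the user-dir block further down already uses `+SymLinksIfOwnerMatch`). The `RewriteCond %{ENV:REDIRECT_PHPRC} (.+)` / `RewriteRule .* - [E=PHPRC:%1]` pair deliberately lets any `.htaccess` author under `AllowOverride All` point mod_php at an arbitrary php.ini, which voids every php.ini-level restriction (`open_basedir`, `disable_functions`) for that vhost; under mpm-itk that is bounded by the vhost uid, and the French comment should say so, e.g. `# NOTE: any .htaccess under AllowOverride All can replace php.ini entirely; acceptable only because mpm-itk confines this vhost to its own uid.` `RewriteEngine On` is not visible in this hunk; if it is not set elsewhere in the vhost the two rewrite lines are inert. `AddHandler cgi-script .cgi` plus `+ExecCGI` in the `UserDir` block runs user-supplied CGIs as the vhost's `AssignUserID`, not as the home-directory owner, which is worth a one-line note so nobody assumes per-user isolation there.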
@@ -55,6 +55,181 @@ rule__chrooted_configure () { # NOTE: est-ce bien utile à un moment ? . /etc/profile } +rule_apache2_configure () { + local -; set +f + rule apt_get_install \ + apache2-mpm-itk \ + libapache2-mod-php5 + # VOIR: http://serverfault.com/questions/383526/how-do-i-select-which-apache-mpm-to-use/383634#383634 + # VOIR: http://jkroon.blogs.uls.co.za/it/security/using-php-fpm-and-mod_proxy_fcgi-to-optimize-and-secure-lamp-servers + # NOTE: apache2-mpm-itk semble le plus sécurisé, + # car on est certain que tout est exécuté avec les uid/gid + # assignés au VirtualHost/Directory/Location + # néamoins il se peut qu'une combinaison du genre : + # apache2-mpm-{worker,event} + mod_proxy_fcgi + apache2-suexec-custom + php-fpm + # soit plus performante (threads et pas forks), + # cependant l'usage de suexec impose des forks il semble.. + # et mod_proxy_fcgi n'apparaît que dans apache 2.4 ; + # donc pour l'instant : apache2-mpm-itk + rule www_configure + cat /dev/stdin "$tool"/etc/apache2/apache2.conf <<-EOF | + ServerName "$vm_fqdn" + EOF + sudo install -m 660 -o root -g root /dev/stdin \ + /etc/apache2/apache2.conf + sudo install -m 660 -o root -g root \ + "$tool"/etc/apache2/envvars \ + /etc/apache2/envvars + sudo install -m 660 -o root -g root \ + "$tool"/etc/apache2/httpd.conf \ + /etc/apache2/httpd.conf + #sudo install -m 660 -o root -g root /dev/stdin \ + # /etc/apache2/suexec/www-data <<-EOF + # /home + # pub/www/cgi + # EOF + sudo install -m 660 -o root -g root \ + "$tool"/etc/apache2/ports.conf \ + /etc/apache2/ports.conf + sudo a2enmod actions + sudo a2enmod headers + sudo a2enmod rewrite + sudo a2enmod ssl + sudo a2enmod userdir + local conf + sudo a2dissite "*" + sudo ln -fns \ + /etc/apache2 \ + /home/www/etc/apache2 + for conf in "$tool"/etc/apache2/site.d/*/VirtualHost.conf + do conf=${conf#"$tool"/etc/apache2/site.d/} + local port site + IFS=. 
read -r port site <<-EOF + ${conf%\/VirtualHost\.conf} + EOF + assert 'test "${site:+set}"' + assert 'test "${port:+set}"' + local site_user="$user.$port.$site" + local site_dir="$user.$port.$site" + case $port in + (443) + local hint="run vm_remote apache2_key_send before" + assert "sudo test -f /etc/apache2/site.d/\"$site_dir\"/x509/key.pem" hint + sudo install -d -m 770 -o "$user" -g "$user" \ + /etc/apache2 \ + /etc/apache2/site.d/"$site_dir" \ + /etc/apache2/site.d/"$site_dir"/x509 \ + /etc/apache2/site.d/"$site_dir"/x509/ca \ + /etc/apache2/site.d/"$site_dir"/x509/empty \ + /etc/apache2/site.d/"$site_dir"/x509/rvk \ + /etc/apache2/site.d/"$site_dir"/x509/usr + sudo install -m 664 -o www -g www \ + "$tool"/var/pub/x509/"$site"/crt.self-signed.pem \ + /etc/apache2/site.d/"$site_dir"/x509/crt.self-signed.pem + #sudo install -m 664 -o "$user" -g "$user" \ + # "$tool"/var/pub/x509/"$site"/rvk.pem \ + # /etc/apache2/site.d/"$site_dir"/x509/rvk.pem + sudo install -m 664 -o www -g www \ + "$tool"/var/pub/x509/"$site"/ca/crt.self-signed.pem \ + /etc/apache2/site.d/"$site_dir"/x509/ca/crt.pem + sudo install -m 664 -o www -g www \ + "$tool"/var/pub/x509/"$site"/crt.pem \ + /etc/apache2/site.d/"$site_dir"/x509/crt.pem + ;; + esac + case $port in + (80) + cat <<-EOF + + AssignUserID $site_user $site_user + CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/access/%Y-%m-%d.log 86400 60" Combined + #CustomLog "/dev/null" Combined + DocumentRoot /home/www/pub/$site_dir + ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/error/%Y-%m-%d.log 86400 60" + #ErrorLog "/dev/null" + ServerName $site + LogLevel Warn + $(cat "$tool"/etc/apache2/site.d/"$site_dir"/VirtualHost.conf) + + EOF + ;; + (443) + cat <<-EOF + + + AssignUserID $site_user $site_user + BrowserMatch "MSIE [2-6]" ssl-unclean-shutdown nokeepalive downgrade-1.0 force-response-1.0 + BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown + CustomLog "|/usr/sbin/rotatelogs 
/home/www/log/$site_dir/apache2/access/%Y-%m-%d.log 86400 60" Combined + #CustomLog "/dev/null" Combined + DocumentRoot /home/www/pub/$site_dir + ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/error/%Y-%m-%d.log 86400 60" + #ErrorLog "/dev/null" + LogLevel Warn + ServerName $site + SSLCACertificateFile /etc/apache2/site.d/$site_dir/x509/crt.self-signed.pem + SSLCACertificatePath /etc/apache2/site.d/$site_dir/x509/usr/ + #SSLCARevocationFile /etc/apache2/site.d/$site_dir/x509/rvk.pem + SSLCADNRequestFile /etc/apache2/site.d/$site_dir/x509/crt.self-signed.pem + SSLCADNRequestPath /etc/apache2/site.d/$site_dir/x509/empty/ + # NOTE: ne publie pas les certificats d’utilisateur-ice-s acceptés + SSLCARevocationPath /etc/apache2/site.d/$site_dir/x509/rvk/ + SSLCertificateChainFile /etc/apache2/site.d/$site_dir/x509/ca/crt.pem + SSLCertificateFile /etc/apache2/site.d/$site_dir/x509/crt.pem + SSLCertificateKeyFile /etc/apache2/site.d/$site_dir/x509/key.pem + SSLCipherSuite AES+RSA+SHA256 + SSLEngine On + SSLInsecureRenegotiation Off + SSLOptions +StrictRequire +OptRenegotiate +StdEnvVars + SSLProtocol -All +TLSv1 + #SSLRenegBufferSize 262144 + SSLSessionCacheTimeout 1200 + SSLStrictSNIVHostCheck On + SSLUserName SSL_CLIENT_S_DN_CN + SSLVerifyClient None + SSLVerifyDepth 1 + $(cat "$tool"/etc/apache2/site.d/"$site_dir"/VirtualHost.conf) + + + EOF + ;; + esac | + sudo install -m 660 -o root -g root /dev/stdin \ + /etc/apache2/site.d/"$site_dir"/VirtualHost.conf + sudo ln -fns \ + ../site.d/"$site_dir"/VirtualHost.conf \ + /etc/apache2/sites-available/"$site_dir" + sudo install -d -m 770 -o "$user" -g "$user" \ + /home/www/log/"$site_dir" \ + /home/www/log/"$site_dir"/apache2 + sudo ln -fns \ + /etc/apache2/site.d/"$site_dir" \ + /home/www/etc/apache2/"$site_dir" + test -e /home/www/pub/"$site_dir" || + sudo install -d -m 770 -o "$user" -g "$user" \ + /home/www/pub/"$site_dir" + getent passwd "$site_user" >/dev/null || + sudo adduser \ + --disabled-password \ + 
--group \ + --no-create-home \ + --home /home/www/pub/"$site_dir" \ + --shell /bin/false \ + --system \ + "$site_user" + sudo setfacl -m u:"$site_user":--x \ + /home/www/ \ + /home/www/pub/ \ + /home/www/pub/"$site_dir"/ + sudo setfacl -m d:u:"$site_user":rwx \ + "$home"/pub/www/"$site_dir"/ + test ! -r "$tool"/etc/apache2/site.d/"$site_dir"/configure.sh || + . "$tool"/etc/apache2/site.d/"$site_dir"/configure.sh + test -e /etc/apache2/sites-enabled/"$site_dir" || + sudo a2ensite "$site_dir" + done + sudo service apache2 restart + } rule_apt_configure () { sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list <<-EOF deb http://ftp.fr.debian.org/debian $vm_lsb_name main contrib non-free @@ -628,7 +803,6 @@ rule_user_configure () { /etc/skel/etc \ /etc/skel/etc/ssh sudo install -d -m 770 -o root -g adm \ - /etc/skel/etc/apache2 \ /etc/skel/var \ /etc/skel/var/log \ /etc/skel/var/cache \ @@ -698,6 +872,7 @@ rule_configure () { rule login_configure rule ssh_configure rule mail_configure + rule apache2_configure rule user_root_configure rule boot_configure rule user_configure diff --git a/vm_remote b/vm_remote index cf899d7..68735c3 100755 --- a/vm_remote +++ b/vm_remote @@ -61,14 +61,14 @@ rule__ssh_known_hosts_update () { rule__x509_service_key_send_deciphered () { # SYNTAX: $service $remote_destination ${ssh_options-} local service="$1"; shift local remote_destination="$1"; shift - gpg --decrypt "var/sec/x509/service/$service/key.pass.gpg" | + gpg --decrypt "var/sec/x509/$vm_domainname/$service/key.pass.gpg" | openssl rsa -passin 'stdin' \ - -in "var/sec/x509/service/$service/key.pem" \ + -in "var/sec/x509/$vm_domainname/$service/key.pem" \ -out '/dev/stdout' | rule ssh "$@" ' \ install -m 400 -o root -g root \ /dev/stdin \ - "'"$remote_destination"'" \ + '"$remote_destination"' \ ' } 
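Review bot: The 443 branch of rule_apache2_configure runs `sudo install -d -m 770 -o "$user" -g "$user" /etc/apache2 ...`, which hands ownership of the whole Apache configuration tree to the unprivileged admin user; apache2 parses that tree as root (and mpm-itk keeps root to switch uid per vhost), so anyone who can write as `$user` can edit apache2.conf or a vhost file and obtain root — drop `/etc/apache2` from that list and leave it root:root (the `install -d` in vm_remote's apache2_key_send does the same thing). The TLS settings look self-defeating: `SSLCipherSuite AES+RSA+SHA256` selects only SHA-256 HMAC suites, which exist only in TLS 1.2, while `SSLProtocol -All +TLSv1` leaves just TLS 1.0, so as far as I can tell no cipher can be negotiated at all; `SSLProtocol All -SSLv2 -SSLv3` with an ECDHE-first suite list and `SSLHonorCipherOrder On` would be coherent, and `SSLUserName SSL_CLIENT_S_DN_CN` does nothing while `SSLVerifyClient None` stands. `IFS=. read -r port site` splits the new directory name `hc.80.www.heureux-cyclage.org` into `port=hc`, whereas vm_remote splits the same name into four fields (`user port service site`); with `port=hc` neither `case` arm matches and no VirtualHost.conf is written, so one of the two parsers is wrong. Finally `setfacl -m d:u:"$site_user":rwx "$home"/pub/www/"$site_dir"/` makes the served tree writable by the very uid that runs its PHP and CGI, so a code-execution bug in the site can persist a web shell in its own DocumentRoot; if uploads need this, scope the ACL to an upload subdirectory and say so in a comment.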
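Review bot: Dropping the inner double quotes around `$remote_destination` in the remote `install` command means the remote shell now word-splits, globs and tilde-expands the path — presumably the intent, since apache2_key_send passes `~user/...` — but nothing in the function records that, and a destination with a space or glob character would now silently land elsewhere. I would add above the `rule ssh` call: `# NOTE: destination is deliberately unquoted on the remote side so ~user expands there; callers must not pass paths containing spaces or glob characters.` The `var/sec/x509/$vm_domainname/$service` relocation is consistent with the apache2 caller, but `$vm_domainname` being empty would make the path `var/sec/x509//$service/...`, so an `assert 'test "${vm_domainname:+set}"'` at the top would fail early instead of feeding gpg a wrong file.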
@@ -98,6 +98,38 @@ rule_luks_key_backup () { # SYNTAX: ${gpg_options:---recipient $USER@} DESCRIPTI -o var/sec/luks/${vm_lvm_lv}_${part}.luks.gpg done } + +rule_apache2_key_send () { + local -; set +f + for conf in "$tool"/etc/apache2/site.d/*/VirtualHost.conf + do conf=${conf#"$tool"/etc/apache2/site.d/} + local user port service site + IFS=. read -r user port service site <<-EOF + ${conf%\/VirtualHost\.conf} + EOF + assert 'test "${user:+set}"' + assert 'test "${service:+set}"' + assert 'test "${site:+set}"' + assert 'test "${port:+set}"' + local site_dir="$user.$port.$service.$site" + case $port in + (443) + rule ssh -l root ' \ + sudo install -d -m 770 -o '"$user"' -g '"$user"' \ + /etc/apache2 \ + /etc/apache2/site.d/'"$site_dir"' \ + /etc/apache2/site.d/'"$site_dir"'/x509; \ + sudo install -m 644 -o '"$user"' -g '"$user"' /dev/stdin \ + /etc/apache2/site.d/'"$site_dir"'/x509/.gitignore <<-EOF + key.pem + EOF + ' + rule _x509_service_key_send_deciphered $service \ + ~"$user"/etc/apache2/"$site_dir"/x509/key.pem -l root "$@" + ;; + esac + done + } rule_dovecot_key_send () { rule ssh -l root ' \ sudo install -d -m 770 -o root -g root \ @@ -110,7 +142,7 @@ rule_dovecot_key_send () { EOF ' rule _x509_service_key_send_deciphered imap \ - /etc/dovecot/$vm_domainname/imap/x509/key.pem -l root "$@" + /etc/dovecot/$vm_domainname/$service/x509/key.pem -l root "$@" } rule_postfix_key_send () { rule ssh -l root ' \ -- 2.20.1
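Review bot: rule_apache2_key_send writes the key to `~"$user"/etc/apache2/"$site_dir"/x509/key.pem`, but with `"$user"` quoted the local shell does no tilde expansion, so the literal `~hc/etc/apache2/...` is shipped for the remote shell to expand into the admin user's home, while vm_hosted asserts on `/etc/apache2/site.d/$site_dir/x509/key.pem`; those only coincide if `~$user/etc/apache2/$site_dir` is a link to the site.d directory, which the hosted side creates under `/home/www`, not under `~hc`, as far as I can tell. The same hunk runs `sudo install -d -m 770 -o $user -g $user /etc/apache2`, giving an unprivileged user ownership of the directory apache2 reads as root; remove `/etc/apache2` from that list. Installing key.pem `-m 400 -o root -g root` into an `x509` directory that is `770 $user:$user` still lets `$user` delete and replace the key via directory write permission, so keep at least the `x509` directory root-owned. `conf` is also not declared `local` here although every other loop variable is, unlike the sibling loop in vm_hosted; `local conf` before the `for` keeps the two consistent.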
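Review bot: In rule_dovecot_key_send the destination is changed to `/etc/dovecot/$vm_domainname/$service/x509/key.pem`, but `$service` is never set in this function (the call passes the literal `imap` as a positional argument, and `local service` in rule_apache2_key_send is not visible here), so the key lands in `/etc/dovecot/$vm_domainname//x509/key.pem` where dovecot will not find it. Either restore `imap` in the path or declare `local service=imap` and use it in both places, e.g. `rule _x509_service_key_send_deciphered "$service" /etc/dovecot/$vm_domainname/$service/x509/key.pem -l root "$@"`. The function starts outside this hunk.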