diff options
author | V3n3RiX <venerix@redcorelinux.org> | 2017-10-09 18:53:29 +0100 |
---|---|---|
committer | V3n3RiX <venerix@redcorelinux.org> | 2017-10-09 18:53:29 +0100 |
commit | 4f2d7949f03e1c198bc888f2d05f421d35c57e21 (patch) | |
tree | ba5f07bf3f9d22d82e54a462313f5d244036c768 /www-servers/apache/files |
reinit the tree, so we can have metadata
Diffstat (limited to 'www-servers/apache/files')
-rw-r--r-- | www-servers/apache/files/41_mod_http2.conf | 9 | ||||
-rw-r--r-- | www-servers/apache/files/apache-asf-httpoxy.patch | 20 | ||||
-rw-r--r-- | www-servers/apache/files/apache.conf | 2 | ||||
-rw-r--r-- | www-servers/apache/files/apache2.2-hardened.service | 27 | ||||
-rw-r--r-- | www-servers/apache/files/apache2.2.service | 19 |
5 files changed, 77 insertions, 0 deletions
diff --git a/www-servers/apache/files/41_mod_http2.conf b/www-servers/apache/files/41_mod_http2.conf new file mode 100644 index 000000000000..e4c9454e0127 --- /dev/null +++ b/www-servers/apache/files/41_mod_http2.conf @@ -0,0 +1,9 @@ +<IfDefine SSL> + <IfModule http2_module> + # enable debugging for this module + #LogLevel http2:info + + #Enable HTTP/2 support + Protocols h2 h2c http/1.1 + </IfModule> +</IfDefine> diff --git a/www-servers/apache/files/apache-asf-httpoxy.patch b/www-servers/apache/files/apache-asf-httpoxy.patch new file mode 100644 index 000000000000..68e3d869a77e --- /dev/null +++ b/www-servers/apache/files/apache-asf-httpoxy.patch @@ -0,0 +1,20 @@ +https://bugs.gentoo.org/589226 +https://www.apache.org/security/asf-httpoxy-response.txt + +--- server/util_script.c (revision 1752426) ++++ server/util_script.c (working copy) +@@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r + else if (!strcasecmp(hdrs[i].key, "Content-length")) { + apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val); + } ++ /* HTTP_PROXY collides with a popular envvar used to configure ++ * proxies, don't let clients set/override it. But, if you must... ++ */ ++#ifndef SECURITY_HOLE_PASS_PROXY ++ else if (!strcasecmp(hdrs[i].key, "Proxy")) { ++ ; ++ } ++#endif + /* + * You really don't want to disable this check, since it leaves you + * wide open to CGIs stealing passwords and people viewing them diff --git a/www-servers/apache/files/apache.conf b/www-servers/apache/files/apache.conf new file mode 100644 index 000000000000..56e23aefaf8e --- /dev/null +++ b/www-servers/apache/files/apache.conf @@ -0,0 +1,2 @@ +d /run/apache2 710 root apache +d /run/apache_ssl_mutex diff --git a/www-servers/apache/files/apache2.2-hardened.service b/www-servers/apache/files/apache2.2-hardened.service new file mode 100644 index 000000000000..7a512a733e72 --- /dev/null +++ b/www-servers/apache/files/apache2.2-hardened.service @@ -0,0 +1,27 @@ +[Unit] +Description=The Apache HTTP Server +After=network.target remote-fs.target nss-lookup.target + +[Service] +EnvironmentFile=/etc/conf.d/apache2 +ExecStart=/usr/sbin/apache2 $APACHE2_OPTS -DFOREGROUND +ExecReload=/usr/sbin/apache2 $APACHE2_OPTS -k graceful +ExecStop=/usr/sbin/apache2 $APACHE2_OPTS -k graceful-stop +# We want systemd to give httpd some time to finish gracefully, but still want +# it to kill httpd after TimeoutStopSec if something went wrong during the +# graceful stop. Normally, Systemd sends SIGTERM signal right after the +# ExecStop, which would kill httpd. We are sending useless SIGCONT here to give +# httpd time to finish. +KillSignal=SIGCONT +PrivateTmp=true +#Hardening +PrivateTmp=true +CapabilityBoundingSet=CAP_CHOWN CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE CAP_KILL CAP_NET_BIND_SERVICE CAP_IPC_LOCK +SecureBits=noroot-locked +ProtectSystem=full +NoNewPrivileges=true +PrivateDevices=true +MemoryDenyWriteExecute=true + +[Install] +WantedBy=multi-user.target diff --git a/www-servers/apache/files/apache2.2.service b/www-servers/apache/files/apache2.2.service new file mode 100644 index 000000000000..76f783a423b9 --- /dev/null +++ b/www-servers/apache/files/apache2.2.service @@ -0,0 +1,19 @@ +[Unit] +Description=The Apache HTTP Server +After=network.target remote-fs.target nss-lookup.target + +[Service] +EnvironmentFile=/etc/conf.d/apache2 +ExecStart=/usr/sbin/apache2 $APACHE2_OPTS -DFOREGROUND +ExecReload=/usr/sbin/apache2 $APACHE2_OPTS -k graceful +ExecStop=/usr/sbin/apache2 $APACHE2_OPTS -k graceful-stop +# We want systemd to give httpd some time to finish gracefully, but still want +# it to kill httpd after TimeoutStopSec if something went wrong during the +# graceful stop. Normally, Systemd sends SIGTERM signal right after the +# ExecStop, which would kill httpd. We are sending useless SIGCONT here to give +# httpd time to finish. +KillSignal=SIGCONT +PrivateTmp=true + +[Install] +WantedBy=multi-user.target |