authorV3n3RiX <venerix@redcorelinux.org>2017-10-09 18:53:29 +0100
committerV3n3RiX <venerix@redcorelinux.org>2017-10-09 18:53:29 +0100
commit4f2d7949f03e1c198bc888f2d05f421d35c57e21 (patch)
treeba5f07bf3f9d22d82e54a462313f5d244036c768 /www-servers/apache/files
reinit the tree, so we can have metadata
Diffstat (limited to 'www-servers/apache/files')
-rw-r--r--www-servers/apache/files/41_mod_http2.conf9
-rw-r--r--www-servers/apache/files/apache-asf-httpoxy.patch20
-rw-r--r--www-servers/apache/files/apache.conf2
-rw-r--r--www-servers/apache/files/apache2.2-hardened.service27
-rw-r--r--www-servers/apache/files/apache2.2.service19
5 files changed, 77 insertions, 0 deletions
diff --git a/www-servers/apache/files/41_mod_http2.conf b/www-servers/apache/files/41_mod_http2.conf
new file mode 100644
index 000000000000..e4c9454e0127
--- /dev/null
+++ b/www-servers/apache/files/41_mod_http2.conf
@@ -0,0 +1,9 @@
+<IfDefine SSL>
+ <IfModule http2_module>
+ # enable debugging for this module
+ #LogLevel http2:info
+
+ #Enable HTTP/2 support
+ Protocols h2 h2c http/1.1
+ </IfModule>
+</IfDefine>
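Review bot: `Protocols h2 h2c http/1.1` advertises cleartext HTTP/2 (h2c) even though the whole block is gated on `<IfDefine SSL>`, so the directive and its guard disagree on what is intended. If HTTP/2 is only wanted over TLS, `Protocols h2 http/1.1` keeps the offer TLS-only; if h2c is deliberately wanted, it should not live behind the SSL define. Either way the `#Enable HTTP/2 support` comment should state which of the two is meant, e.g. `# Offer HTTP/2 over TLS (h2) and cleartext upgrade (h2c) alongside HTTP/1.1`.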
diff --git a/www-servers/apache/files/apache-asf-httpoxy.patch b/www-servers/apache/files/apache-asf-httpoxy.patch
new file mode 100644
index 000000000000..68e3d869a77e
--- /dev/null
+++ b/www-servers/apache/files/apache-asf-httpoxy.patch
@@ -0,0 +1,20 @@
+https://bugs.gentoo.org/589226
+https://www.apache.org/security/asf-httpoxy-response.txt
+
+--- server/util_script.c (revision 1752426)
++++ server/util_script.c (working copy)
+@@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r
+ else if (!strcasecmp(hdrs[i].key, "Content-length")) {
+ apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
+ }
++ /* HTTP_PROXY collides with a popular envvar used to configure
++ * proxies, don't let clients set/override it. But, if you must...
++ */
++#ifndef SECURITY_HOLE_PASS_PROXY
++ else if (!strcasecmp(hdrs[i].key, "Proxy")) {
++ ;
++ }
++#endif
+ /*
+ * You really don't want to disable this check, since it leaves you
+ * wide open to CGIs stealing passwords and people viewing them
diff --git a/www-servers/apache/files/apache.conf b/www-servers/apache/files/apache.conf
new file mode 100644
index 000000000000..56e23aefaf8e
--- /dev/null
+++ b/www-servers/apache/files/apache.conf
@@ -0,0 +1,2 @@
+d /run/apache2 710 root apache
+d /run/apache_ssl_mutex
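Review bot: The second entry `d /run/apache_ssl_mutex` gives no mode, owner or group, so systemd-tmpfiles applies its defaults (0755 root root), unlike the explicit `710 root apache` on the line above. That is fine if the SSL mutex is created by the root parent process before privileges are dropped, but if a process running as the `apache` user must create or open it, the directory has to be writable by that user; confirm against the `Mutex` directive in the installed configuration. If the worker user needs it, make the entry explicit and consistent with the first line, e.g. `d /run/apache_ssl_mutex 0710 root apache`.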
diff --git a/www-servers/apache/files/apache2.2-hardened.service b/www-servers/apache/files/apache2.2-hardened.service
new file mode 100644
index 000000000000..7a512a733e72
--- /dev/null
+++ b/www-servers/apache/files/apache2.2-hardened.service
@@ -0,0 +1,27 @@
+[Unit]
+Description=The Apache HTTP Server
+After=network.target remote-fs.target nss-lookup.target
+
+[Service]
+EnvironmentFile=/etc/conf.d/apache2
+ExecStart=/usr/sbin/apache2 $APACHE2_OPTS -DFOREGROUND
+ExecReload=/usr/sbin/apache2 $APACHE2_OPTS -k graceful
+ExecStop=/usr/sbin/apache2 $APACHE2_OPTS -k graceful-stop
+# We want systemd to give httpd some time to finish gracefully, but still want
+# it to kill httpd after TimeoutStopSec if something went wrong during the
+# graceful stop. Normally, Systemd sends SIGTERM signal right after the
+# ExecStop, which would kill httpd. We are sending useless SIGCONT here to give
+# httpd time to finish.
+KillSignal=SIGCONT
+PrivateTmp=true
+#Hardening
+PrivateTmp=true
+CapabilityBoundingSet=CAP_CHOWN CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE CAP_KILL CAP_NET_BIND_SERVICE CAP_IPC_LOCK
+SecureBits=noroot-locked
+ProtectSystem=full
+NoNewPrivileges=true
+PrivateDevices=true
+MemoryDenyWriteExecute=true
+
+[Install]
+WantedBy=multi-user.target
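Review bot: `PrivateTmp=true` appears twice, once at the end of the generic settings and again directly under `#Hardening`; drop the first occurrence so the hardening block is the single place where sandboxing is declared. `MemoryDenyWriteExecute=true` rejects any mapping that is both writable and executable, which breaks loadable modules or libraries that rely on a JIT, so a comment such as `# MemoryDenyWriteExecute breaks modules needing W+X mappings (JIT); use apache2.2.service if one is loaded` would save the next operator a confusing crash. The comment before `KillSignal=SIGCONT` relies on `TimeoutStopSec` to eventually kill httpd, but the unit never sets it, so the system-wide default applies; setting it explicitly next to KillSignal (value to be chosen, e.g. `TimeoutStopSec=60`) makes the described behaviour self-contained. The same missing `TimeoutStopSec` applies to the identical comment in apache2.2.service.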
diff --git a/www-servers/apache/files/apache2.2.service b/www-servers/apache/files/apache2.2.service
new file mode 100644
index 000000000000..76f783a423b9
--- /dev/null
+++ b/www-servers/apache/files/apache2.2.service
@@ -0,0 +1,19 @@
+[Unit]
+Description=The Apache HTTP Server
+After=network.target remote-fs.target nss-lookup.target
+
+[Service]
+EnvironmentFile=/etc/conf.d/apache2
+ExecStart=/usr/sbin/apache2 $APACHE2_OPTS -DFOREGROUND
+ExecReload=/usr/sbin/apache2 $APACHE2_OPTS -k graceful
+ExecStop=/usr/sbin/apache2 $APACHE2_OPTS -k graceful-stop
+# We want systemd to give httpd some time to finish gracefully, but still want
+# it to kill httpd after TimeoutStopSec if something went wrong during the
+# graceful stop. Normally, Systemd sends SIGTERM signal right after the
+# ExecStop, which would kill httpd. We are sending useless SIGCONT here to give
+# httpd time to finish.
+KillSignal=SIGCONT
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target