VR: consistent SSL setup, vhost is not an example, but a template

2025-11-03 04:12:31 +01:00 · 2016-05-18 16:38:39 +02:00 · 2016-05-18 16:38:39 +02:00 · e32cd1303a
commit e32cd1303a
parent f379df4bc2
7 changed files with 13 additions and 7 deletions
--- a/2
+++ b/2
@ -224,7 +224,7 @@ Within the patches/systemvm/debian/config/etc/apache2 directory
            ports.conf 
            sites-available/default 
            sites-available/default-ssl 
-            vhostexample.conf 
+            vhost.template

 Within the patches/systemvm/debian/config/etc/ssh/ directory
    licensed under the BSD (2-clause) http://www.opensource.org/licenses/BSD-2-Clause  (as follows)
--- a/pom.xml
+++ b/pom.xml
@ -895,7 +895,7 @@
              <exclude>systemvm/patches/debian/config/etc/apache2/ports.conf</exclude>
              <exclude>systemvm/patches/debian/config/etc/apache2/sites-available/default</exclude>
              <exclude>systemvm/patches/debian/config/etc/apache2/sites-available/default-ssl</exclude>
-              <exclude>systemvm/patches/debian/config/etc/apache2/vhostexample.conf</exclude>
+              <exclude>systemvm/patches/debian/config/etc/apache2/vhost.template</exclude>
              <exclude>systemvm/patches/debian/config/etc/dnsmasq.conf.tmpl</exclude>
              <exclude>systemvm/patches/debian/config/etc/vpcdnsmasq.conf</exclude>
              <exclude>systemvm/patches/debian/config/etc/ssh/sshd_config</exclude>
--- a/systemvm/patches/debian/config/etc/apache2/vhostexample.conf
+++ b/systemvm/patches/debian/config/etc/apache2/vhostexample.conf
@ -87,6 +87,8 @@
 	#   Enable/Disable SSL for this virtual host.
 	SSLEngine on
 	SSLProtocol all -SSLv2 -SSLv3
+	SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
+	SSLHonorCipherOrder on

 	#   A self-signed (snakeoil) certificate can be created by installing
 	#   the ssl-cert package. See
--- a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsApp.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsApp.py
@ -41,12 +41,11 @@ class CsApache(CsApp):
            CsHelper.service("apache2", "restart")

    def setup(self):
-        CsHelper.copy_if_needed("/etc/apache2/vhostexample.conf",
+        CsHelper.copy_if_needed("/etc/apache2/vhost.template",
                                "/etc/apache2/sites-enabled/vhost-%s.conf" % self.ip)

        file = CsFile("/etc/apache2/sites-enabled/vhost-%s.conf" % (self.ip))
        file.search("<VirtualHost.*:80>", "\t<VirtualHost %s:80>" % (self.ip))
-        file.search("<VirtualHost.*:80>", "\t<VirtualHost %s:80>" % (self.ip))
        file.search("<VirtualHost.*:443>", "\t<VirtualHost %s:443>" % (self.ip))
        file.search("Listen .*:80", "Listen %s:80" % (self.ip))
        file.search("Listen .*:443", "Listen %s:443" % (self.ip))
@ -60,6 +59,11 @@ class CsApache(CsApp):
            "-A INPUT -i %s -d %s/32 -p tcp -m tcp -m state --state NEW --dport 80 -j ACCEPT" % (self.dev, self.ip)
        ])

+        self.fw.append([
+            "", "front",
+            "-A INPUT -i %s -d %s/32 -p tcp -m tcp -m state --state NEW --dport 443 -j ACCEPT" % (self.dev, self.ip)
+        ])
+

 class CsPasswdSvc():
    """
--- a/tools/whisker/LICENSE
+++ b/tools/whisker/LICENSE
@ -2774,7 +2774,7 @@ Within the patches/systemvm/debian/config/etc/apache2 directory
            ports.conf 
            sites-available/default 
            sites-available/default-ssl 
-            vhostexample.conf 
+            vhost.template

 Within the patches/systemvm/debian/config/etc/ssh/ directory
    licensed under the BSD (2-clause) http://www.opensource.org/licenses/BSD-2-Clause  (as follows)
--- a/tools/whisker/descriptor-for-packaging.xml
+++ b/tools/whisker/descriptor-for-packaging.xml
@ -2460,7 +2460,7 @@ Copyright (c) 2012 The Apache Software Foundation
            <by-organisation id='apache.org.2'>
                <resource name='httpd.conf' />
                <resource name='ports.conf' />
-                <resource name='vhostexample.conf' />
+                <resource name='vhost.template' />
                <resource name='sites-available/default' />
                <resource name='sites-available/default-ssl' />
            </by-organisation>
--- a/tools/whisker/descriptor.xml
+++ b/tools/whisker/descriptor.xml
@ -2444,7 +2444,7 @@ Copyright (c) 2012 The Apache Software Foundation
            <by-organisation id='apache.org.2'>
                <resource name='httpd.conf' />
                <resource name='ports.conf' />
-                <resource name='vhostexample.conf' />
+                <resource name='vhost.template' />
                <resource name='sites-available/default' />
                <resource name='sites-available/default-ssl' />
            </by-organisation>