-rw-r--r-- | 2.4/conf/vhosts.d/00_default_ssl_vhost.conf | 18 | ||||
-rw-r--r-- | 2.4/init/apache2.confd | 4 | ||||
-rwxr-xr-x | 2.4/init/apache2.initd | 26 | ||||
-rw-r--r-- | 2.4/patches/04_no_which.patch | 54 | ||||
-rw-r--r-- | 2.4/scripts/apache2-logrotate | 8 | ||||
-rw-r--r-- | 2.4/scripts/apache2ctl | 2 | ||||
-rwxr-xr-x | rolltarball.sh | 112 |
7 files changed, 123 insertions, 101 deletions
diff --git a/2.4/conf/vhosts.d/00_default_ssl_vhost.conf b/2.4/conf/vhosts.d/00_default_ssl_vhost.conf
index 6abc21d..d068f61 100644
--- a/2.4/conf/vhosts.d/00_default_ssl_vhost.conf
+++ b/2.4/conf/vhosts.d/00_default_ssl_vhost.conf
@@ -21,22 +21,22 @@ Listen 443 # Enable/Disable SSL for this virtual host. SSLEngine on + # TLS defaults are set according to the Mozilla intermediate + # configuration: https://ssl-config.mozilla.org/ + ## SSLProtocol: - # Don't use SSLv2 anymore as it's considered to be broken security-wise. - # Also disable SSLv3 as most modern browsers are capable of TLS. - SSLProtocol ALL -SSLv2 -SSLv3 + # Disable old protocol versions that have known flaws or are deprecated. + SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 ## SSL Cipher Suite: # List the ciphers that the client is permitted to negotiate. # See the mod_ssl documentation for a complete list. - # This list of ciphers is recommended by mozilla and was stripped off - # its RC4 ciphers. (bug #506924) - SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!RC4:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK + SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 ## SSLHonorCipherOrder: - # Prefer the server's cipher preference order as the client may have a - # weak default order. - SSLHonorCipherOrder On + # Don't enforce cipher order since all ciphers are strong and + # clients may have preferences on e.g. hardware capabilities. + SSLHonorCipherOrder Off ## Server Certificate: # Point SSLCertificateFile at a PEM encoded certificate. 
If the certificate diff --git a/2.4/init/apache2.confd b/2.4/init/apache2.confd index 4635201..e6bb6c2 100644 --- a/2.4/init/apache2.confd +++ b/2.4/init/apache2.confd @@ -41,7 +41,9 @@ APACHE2_OPTS="-D DEFAULT_VHOST -D LANGUAGE -D INFO" # via them will result in Apache failing to start # YOU HAVE BEEN WARNED. -# PID file +# PID file. +# You need to set "PidFile" in httpd.conf as well if you change this from the +# default (which is /var/run/apache2.pid) #PIDFILE=/var/run/apache2.pid # timeout for startup/shutdown checks diff --git a/2.4/init/apache2.initd b/2.4/init/apache2.initd index e834b44..2956fcc 100755 --- a/2.4/init/apache2.initd +++ b/2.4/init/apache2.initd @@ -36,16 +36,11 @@ depend() { use dns entropy logger mysql netmount postgresql after sshd if ! echo ${rc_need} | grep -Fq "net." ; then - local x warn_addr - for x in $(virtualhosts | grep '^\(\[\|\*:\|\)[[:digit:]]' | sed 's@\(:[[:digit:]]\{1,5\}\)\([[:space:]].*\|$\)@\1@' | sort -u) ; do - case "${x}" in - \*:80|\*.443) ;; - *) warn_addr="${warn_addr} ${x}" ;; - esac - done + local warn_addr + warn_addr="$(virtualhosts 2>/dev/null | sed -nre 's/^([^ *]+:[0-9]+)[[:space:]].*/\1/p' | tr '\n' ' ')" if [ -n "${warn_addr}" ] ; then need net - ewarn "You are binding an interface in you virtual hosts." + ewarn "You are binding an interface in your virtual hosts." ewarn "You must add rc_need=\"net.FOO\" to your ${RC_PREFIX%/}/etc/conf.d/apache2" ewarn "where FOO is the interface(s) providing the following address(es):" ewarn "${warn_addr}" @@ -72,12 +67,12 @@ checkconfig() { OUTPUT=$( ${APACHE2} ${APACHE2_OPTS} -t 2>&1 ) ret=$? - if [ $ret -ne 0 ]; then + if [ ${ret} -ne 0 ]; then eerror "${SVCNAME} has detected an error in your setup:" printf "%s\n" "${OUTPUT}" fi - return $ret + return ${ret} } start() { 
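Review bot: The new comment attributes the TLS settings to the Mozilla intermediate configuration, but that profile's Apache output also sets `SSLSessionTickets off` (so forward secrecy does not hinge on ticket-key rotation) and enables OCSP stapling, neither of which is in this hunk; if they are not set elsewhere in the vhost, either add them or narrow the comment to the SSLProtocol and SSLCipherSuite lines. The cipher list is a snapshot of a moving recommendation, so record the generator version or date next to it, e.g. `# Snapshot of the intermediate profile, <DATE>; re-check when updating`. On httpd linked against OpenSSL 1.1.1 or later this `SSLCipherSuite` line governs TLS 1.2 and below only; TLS 1.3 suites follow the library default unless a separate `SSLCipherSuite TLSv1.3 ...` directive is added.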
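Review bot: The rewritten `warn_addr` pipeline in depend() drops the `sort -u` the old loop fed from, so an address bound by several vhosts is now repeated in the ewarn output; restore it with `... | sort -u | tr '\n' ' '`. The added `2>/dev/null` on `virtualhosts` also hides a failing `httpd -S` (a broken config), in which case `warn_addr` is empty and the `need net` dependency is silently skipped rather than reported. The new regex accepts any first token without a `*`, so if `virtualhosts` prints an IPv6 wildcard as `[::]:443` it would presumably be flagged as an interface binding — worth confirming against real output. depend() continues outside the hunk.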
@@ -92,15 +87,16 @@ start() { ebegin "Starting ${SVCNAME}" # Use start stop daemon to apply system limits #347301 - start-stop-daemon --start -- ${APACHE2} ${APACHE2_OPTS} -k start + start-stop-daemon --start --pidfile "${PIDFILE}" -- \ + ${APACHE2} ${APACHE2_OPTS} -k start local i=0 retval=1 - while [ $i -lt ${TIMEOUT} ] ; do + while [ ${i} -lt ${TIMEOUT} ] ; do if [ -e "${PIDFILE}" ] ; then retval=0 break fi - sleep 1 && i=$(expr $i + 1) + sleep 1 && i=$(expr ${i} + 1) done eend ${retval} @@ -122,8 +118,8 @@ stop() { local i=0 retval=0 while ( test -f "${PIDFILE}" || pgrep -P ${PID} apache2 >/dev/null ) \ - && [ $i -lt ${TIMEOUT} ]; do - sleep 1 && i=$(expr $i + 1) + && [ ${i} -lt ${TIMEOUT} ]; do + sleep 1 && i=$(expr ${i} + 1) done [ -e "${PIDFILE}" ] && retval=1 diff --git a/2.4/patches/04_no_which.patch b/2.4/patches/04_no_which.patch new file mode 100644 index 0000000..65764df --- /dev/null +++ b/2.4/patches/04_no_which.patch 
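Review bot: `i=$(expr ${i} + 1)` in start(), and the same line in the stop() hunk below it, was touched only to brace the variable; `expr` forks an external process every second of the wait loop and is superseded by shell arithmetic, `i=$((i + 1))`, which is POSIX sh and fine under OpenRC's runscript. The companion tests `[ ${i} -lt ${TIMEOUT} ]` could be `[ "${i}" -lt "${TIMEOUT}" ]` so that an empty TIMEOUT fails with a clear integer-expected message rather than a confusing test(1) syntax error. start() and stop() both continue outside their hunks.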
@@ -0,0 +1,54 @@ +https://bugs.gentoo.org/844868 +https://bz.apache.org/bugzilla/show_bug.cgi?id=66130 +--- a/build/aix/buildaix.ksh ++++ b/build/aix/buildaix.ksh +@@ -26,14 +26,14 @@ export CFLAGS='-O2 -qlanglvl=extc99' + lslpp -L bos.adt.insttools >/dev/null + [[ $? -ne 0 ]] && echo "must have bos.adt.insttools installed" && exit -1 + +-apr_config=`which apr-1-config` +-apu_config=`which apu-1-config` ++apr_config=`command -v apr-1-config 2>/dev/null` ++apu_config=`command -v apu-1-config 2>/dev/null` + + if [[ -z ${apr_config} && -z ${apu_config} ]] + then + export PATH=/opt/bin:${PATH} +- apr_config=`which apr-1-config` +- apu_config=`which apu-1-config` ++ apr_config=`command -v apr-1-config 2>/dev/null` ++ apu_config=`command -v apu-1-config 2>/dev/null` + fi + + while test $# -gt 0 +--- a/build/pkg/buildpkg.sh ++++ b/build/pkg/buildpkg.sh +@@ -24,8 +24,8 @@ PREFIX=/usr/local/apache2 + TEMPDIR=/var/tmp/$USER/httpd-root + rm -rf $TEMPDIR + +-apr_config=`which apr-1-config` +-apu_config=`which apu-1-config` ++apr_config=`command -v apr-1-config 2>/dev/null` ++apu_config=`command -v apu-1-config 2>/dev/null` + + while test $# -gt 0 + do +--- a/configure.in ++++ b/configure.in +@@ -216,13 +216,13 @@ AC_ARG_WITH(pcre, + APACHE_HELP_STRING(--with-pcre=PATH,Use external PCRE library)) + if test "x$with_pcre" = "x" || test "$with_pcre" = "yes"; then + with_pcre="$PATH" +-else if which $with_pcre 2>/dev/null; then :; else ++else if command -v $with_pcre 2>/dev/null; then :; else + with_pcre="$with_pcre/bin:$with_pcre" + fi + fi + + AC_CHECK_TARGET_TOOLS(PCRE_CONFIG, [pcre2-config pcre-config], +- [`which $with_pcre 2>/dev/null`], $with_pcre) ++ [`command -v $with_pcre 2>/dev/null`], $with_pcre) + + if test "x$PCRE_CONFIG" != "x"; then + if $PCRE_CONFIG --version >/dev/null 2>&1; then :; else diff --git a/2.4/scripts/apache2-logrotate b/2.4/scripts/apache2-logrotate index 9dd431c..5d9f8dc 100644 --- a/2.4/scripts/apache2-logrotate +++ b/2.4/scripts/apache2-logrotate 
@@ -1,11 +1,15 @@ # Apache2 logrotate snipet for Gentoo Linux -# Contributes by Chuck Short +# Originally contributed by Chuck Short # /var/log/apache2/*log { missingok notifempty sharedscripts postrotate - /etc/init.d/apache2 reload > /dev/null 2>&1 || true + if test -d /run/systemd/system ; then + systemctl reload apache2.service > /dev/null 2>&1 || true + else + /etc/init.d/apache2 reload > /dev/null 2>&1 || true + fi endscript } diff --git a/2.4/scripts/apache2ctl b/2.4/scripts/apache2ctl index 872044b..890ded5 100644 --- a/2.4/scripts/apache2ctl +++ b/2.4/scripts/apache2ctl @@ -89,7 +89,7 @@ configdump() { } -if ! is_systemd; then +if ! is_systemd ; then # If systemd IS NOT detected, run the legacy apache2ctl code # If first parameter is a verb defined in $RC_VERBS, pass the command to init script. diff --git a/rolltarball.sh b/rolltarball.sh index 1962c00..e2ef6d7 100755 --- a/rolltarball.sh +++ b/rolltarball.sh @@ -22,14 +22,13 @@ # Please increase version number before each commit which includes changes to # this script. -MYVERSION='2.0' +MYVERSION='2.2' # ********** Begin functions ********** usage() { - if [ -n "$1" ] - then + if [[ -n "$1" ]] ; then eerror $1 else cat <<-USAGE_HEADER @@ -91,8 +90,7 @@ eerror() { die() { - if [ "$#" -gt 0 ] - then + if [[ "$#" -gt 0 ]] ; then eerror ${*} fi exit 1 @@ -100,16 +98,14 @@ die() { einfo() { - if [ "${VERBOSE}" -ge "1" ] - then + if [[ "${VERBOSE}" -ge "1" ]] ; then echo -e " ${GOOD}*${NORMAL} ${*}" fi } ebegin() { - if [ "${VERBOSE}" -ge "1" ] - then + if [[ "${VERBOSE}" -ge "1" ]] ; then echo -e " ${GOOD}*${NORMAL} ${*}..." fi } 
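Review bot: Both branches of the new postrotate block discard the reload's status and output with `> /dev/null 2>&1 || true`, so a failed graceful reload after rotation is invisible — httpd keeps writing to the rotated inode, the fresh log file stays empty, and log-based monitoring goes quiet until someone notices. The `|| true` is presumably there so rotation does not fail while httpd is stopped; that case can be told apart on the systemd side with `systemctl try-reload-or-restart apache2.service`, which is a no-op for an inactive unit but still reports a real reload failure, and on the OpenRC side with `/etc/init.d/apache2 status >/dev/null 2>&1 && /etc/init.d/apache2 reload`. Keeping stderr (dropping `2>&1`) lets logrotate mail or log the error.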
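Review bot: `eerror $1` in usage() and `eerror ${*}` in die() stay unquoted while the tests around them were converted to `[[ ]]`; a message containing `*` or `?` is glob-expanded against the current directory and internal whitespace is collapsed. Quote them as `eerror "$1"` and `eerror "${*}"`. Both functions continue outside their hunks.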
@@ -117,22 +113,18 @@ ebegin() { eend() { - if [ "$#" -eq 0 ] || ([ -n "$1" ] && [ "$1" -eq 0 ]) - then - if [ "${VERBOSE}" -ge "1" ] - then + if [[ "$#" -eq 0 ]] || { [[ -n "$1" ]] && [[ "$1" -eq 0 ]] ; } ; then + if [[ "${VERBOSE}" -ge "1" ]] ; then echo -e "${ENDCOL} ${BRACKET}[ ${GOOD}ok${BRACKET} ]${NORMAL}" fi else retval=$1 - if [ "$#" -ge 2 ] - then + if [[ "$#" -ge 2 ]] ; then shift eerror "${*}" fi - if [ "${VERBOSE}" -ge "1" ] - then + if [[ "${VERBOSE}" -ge "1" ]] ; then echo -e "${ENDCOL} ${BRACKET}[ ${BAD}!!${BRACKET} ]${NORMAL}" fi return ${retval} @@ -142,16 +134,14 @@ eend() { ewarn() { - if [ "${VERBOSE}" -ge "2" ] - then + if [[ "${VERBOSE}" -ge "2" ]] ; then echo -e " ${WARN}*${NORMAL} ${*}" fi } edebug() { - if [ "${VERBOSE}" -ge "4" ] - then + if [[ "${VERBOSE}" -ge "4" ]] ; then echo -e " ${HILITE}*${NORMAL} ${*}" fi } @@ -202,22 +192,19 @@ UPLOAD_MIRROR=0 VERBOSE=1 # load configuration -if [ -e ~/.apache-rolltarball ] -then +if [[ -e ~/.apache-rolltarball ]] ; then . ~/.apache-rolltarball edebug "Loaded configuration from ~/.apache-rolltarball" fi -if [ "${COLOR}" -eq "0" ] -then +if [[ "${COLOR}" -eq "0" ]] ; then nocolor; else color; fi # Process command line -until [ -z "$1" ] -do +until [[ -z "$1" ]] ; do case "$1" in --*) # long options @@ -233,7 +220,7 @@ do no-copy) COPYTO=;; datestamp) DATESTAMP=${VALUE};; devspace) UPLOAD_DEV=1;; - no-devspace) UPLOAD_DEV=0;; + no-devspace) UPLOAD_DEV=0;; digest) DIGEST=1;; no-digest) DIGEST=0;; ebuild) MOD_EBUILD=1;; @@ -255,8 +242,7 @@ do # short options OPTLIST=${1/-/} shift - while [ -n "${OPTLIST}" ] - do + while [[ -n "${OPTLIST}" ]] ; do OPT=${OPTLIST:0:1} OPTLIST=${OPTLIST#?} case "${OPT}" in @@ -287,8 +273,7 @@ do done ;; *) - if [ -n "${EBUILD}" ] - then + if [[ -n "${EBUILD}" ]] ; then usage "Only one ebuild can be specified" else EBUILD=$1 
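Review bot: `retval=$1` in eend() is still an assignment to a global, so every failing eend() call clobbers any `retval` the caller holds; the rewrite to `[[ ]]` was the moment to add `local retval` at the top of the function. eend()'s closing lines are outside the hunk.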
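Review bot: The guard on `. ~/.apache-rolltarball` was only converted from `[` to `[[`; `-e` still accepts a directory, a symlink to anything, or a file the user does not own, and sourcing executes whatever it contains. Tighten it to `if [[ -f ~/.apache-rolltarball && -O ~/.apache-rolltarball ]] ; then` so only a regular file owned by the invoking user is loaded. Since that file is sourced before the `-eq` tests that follow, a non-numeric `COLOR` (or `VERBOSE`) set there makes `[[ "${COLOR}" -eq "0" ]]` abort with a bash error; `[[ "${COLOR}" == 0 ]]` fails closed instead.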
@@ -298,33 +283,27 @@ do esac done -if [ -z "${EBUILD}" ] -then +if [[ -z "${EBUILD}" ]] ; then usage "You must specify an ebuild" fi -if [ "${EBUILD##*.}" != "ebuild" ] -then +if [[ "${EBUILD##*.}" != "ebuild" ]] ; then usage "You must specify an ebuild" fi -if [ ! -f ${EBUILD} ] -then +if [[ ! -f ${EBUILD} ]] ; then die "Ebuild ${EBUILD} does not exist or is not a file" fi -if [ "${VERBOSE}" -lt "0" ] -then +if [[ "${VERBOSE}" -lt "0" ]] ; then VERBOSE=0 fi -if [ "${VERBOSE}" -gt "4" ] -then +if [[ "${VERBOSE}" -gt "4" ]] ; then VERBOSE=4 fi -if [ "${VERBOSE}" -ge "3" ] -then +if [[ "${VERBOSE}" -ge "3" ]] ; then edebug "Program output enabled" exec 9>&1 else @@ -332,14 +311,12 @@ else exec 9>/dev/null fi -if [ "${ASK}" -eq "1" ] -then +if [[ "${ASK}" -eq "1" ]] ; then PRETEND=1 fi -if [ -z "${G_USER}" ] -then - G_USER="$(git log -1 | grep ^Author | sed 's&.*<\([[:alnum:]\._-]\+\)@.*>&\1&')" +if [[ -z "${G_USER}" ]] ; then + G_USER="$(git log --pretty=fuller -1 | sed -n '/^Commit:/s&.*<\([[:alnum:]\._-]\+\)@.*>&\1&p')" einfo "Detected Gentoo Developer: ${G_USER}" fi @@ -363,8 +340,7 @@ git pull >&9 eend $? "git update failed!" || die new_mtime=$(stat --format=%Y $0) -if [ "${my_mtime}" -ne "${new_mtime}" ] -then +if [[ "${my_mtime}" -ne "${new_mtime}" ]] ; then einfo "A new version of $0 is available" einfo "Please restart $0" die @@ -406,8 +382,7 @@ edebug " TB_DIR: ${TB_DIR}" # simply returns true or false based on whether we are in pretend mod or not pretend() { - if [ "${PRETEND}" -eq 1 ] - then + if [[ "${PRETEND}" -eq 1 ]] ; then true return $? else @@ -440,10 +415,8 @@ build_tarball() { rm -rf ${TB_DIR} || ewarn "Couldn't clean up, manually remove ${TB_DIR}/" } - if [ -n "${COPYTO}" ] - then - if [ -d ${COPYTO} -a -w ${COPYTO} ] - then + if [[ -n "${COPYTO}" ]] ; then + if [[ -d ${COPYTO} ]] && [[ -w ${COPYTO} ]] ; then pretend && einfo " Copy ${TB} to ${COPYTO}" pretend || { ebegin "Copying ${TB} to ${COPYTO}" 
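Review bot: If the sed in the G_USER hunk matches nothing — a committer line without `<…@…>`, a local part with characters outside `[[:alnum:]._-]`, or a `git log` that fails — `G_USER` is silently empty, `einfo` prints `Detected Gentoo Developer: ` with nothing after it, and the later `ssh ${G_USER}@dev.gentoo.org` upload targets `@dev.gentoo.org`. Add `[[ -n "${G_USER}" ]] || die "Could not detect a Gentoo developer name from git log; set G_USER explicitly"` right after the substitution so the failure is reported before any network step.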
@@ -457,13 +430,12 @@ build_tarball() { edebug "Copy not enabled" fi - if [ "${UPLOAD_DEV}" -eq 1 ] - then + if [[ "${UPLOAD_DEV}" -eq 1 ]] ; then pretend && einfo " Upload ${TB} to" - pretend && einfo " http://dev.gentoo.org/~${G_USER}/dist/apache/" + pretend && einfo " https://dev.gentoo.org/~${G_USER}/dist/apache/" pretend || { einfo "Uploading ${TB} to" - ebegin " http://dev.gentoo.org/~${G_USER}/dist/apache/" + ebegin " https://dev.gentoo.org/~${G_USER}/dist/apache/" edebug "Making directories on dev.gentoo.org: ~/public_html/dist/apache" ssh ${G_USER}@dev.gentoo.org 'mkdir -pm 0755 ~/public_html/dist/apache/' >&9 || eend $? "Failed to make directories" || die @@ -477,8 +449,7 @@ build_tarball() { edebug "Upload to devspace not enabled" fi - if [ "${UPLOAD_MIRROR}" -eq 1 ] - then + if [[ "${UPLOAD_MIRROR}" -eq 1 ]] ; then pretend && einfo " Upload ${TB} to mirror://gentoo/" pretend || { ebegin "Uploading ${TB} to mirror://gentoo/" @@ -494,10 +465,8 @@ build_tarball() { edebug "Upload to mirrors not enabled" fi - if [ "${MOD_EBUILD}" -eq 1 ] - then - if [ -r ${EBUILD} ] - then + if [[ "${MOD_EBUILD}" -eq 1 ]] ; then + if [[ -r ${EBUILD} ]] ; then pretend && einfo " Update GENTOO_PATCHSTAMP, GENTOO_DEVELOPER and GENTOO_PATCHNAME" pretend || { ebegin "Updating GENTOO_PATCHSTAMP, GENTOO_DEVELOPER and GENTOO_PATCHNAME" @@ -517,8 +486,7 @@ build_tarball() { edebug "Modify ebuild not enabled" fi - if [ "${DIGEST}" -eq 1 ] - then + if [[ "${DIGEST}" -eq 1 ]] ; then pretend && einfo " Regenerate digests" pretend || { ebegin "Regenerating digests" @@ -530,13 +498,11 @@ build_tarball() { fi pretend && einfo "No actions actually taken" - if [ "${ASK}" -eq 1 ] - then + if [[ "${ASK}" -eq 1 ]] ; then einfo "Would you like to perform the above actions?" echo -n "Type 'Yes' or 'No'> " read ask_in - if [ "${ask_in}" == "Yes" -o "${ask_in}" == "yes" ] - then + if [[ "${ask_in}" == [Yy]es ]] ; then ASK=0 PRETEND=0 build_tarball |
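Review bot: `ssh ${G_USER}@dev.gentoo.org 'mkdir -pm 0755 ...'` in the devspace hunk leaves the destination unquoted although `G_USER` is derived from `git log` output earlier in the script; an empty or odd value changes the shape of ssh's argument vector instead of failing on one clear error. Quote it as `ssh "${G_USER}@dev.gentoo.org" ...`, and treat any following upload command that reuses the same destination string the same way. build_tarball() continues outside the hunk.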