smeserver/smeserver-apache
6
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: smeserver:11_0_0-10_el8_sme
Branches Tags
smeserver:master
smeserver:11_0_0-14_el8_sme smeserver:11_0_0-13_el8_sme smeserver:11_0_0-12_el8_sme smeserver:11_0_0-11_el8_sme smeserver:11_0_0-10_el8_sme smeserver:11_0_0-9_el8_sme smeserver:11_0_0-8_el8_sme smeserver:11_0_0-7_el8_sme smeserver:11_0_0-5_el8_sme smeserver:11_0_0-4_el8_sme smeserver:11_0_0-3_el8_sme smeserver:11_0_0-2_el8_sme smeserver:11_0_0-1_el8_sme smeserver:2.6.0-25 smeserver:2.6.0 smeserver:SME10.2
...
compare: smeserver:11_0_0-13_el8_sme
Branches Tags
smeserver:master
smeserver:11_0_0-14_el8_sme smeserver:11_0_0-13_el8_sme smeserver:11_0_0-12_el8_sme smeserver:11_0_0-11_el8_sme smeserver:11_0_0-10_el8_sme smeserver:11_0_0-9_el8_sme smeserver:11_0_0-8_el8_sme smeserver:11_0_0-7_el8_sme smeserver:11_0_0-5_el8_sme smeserver:11_0_0-4_el8_sme smeserver:11_0_0-3_el8_sme smeserver:11_0_0-2_el8_sme smeserver:11_0_0-1_el8_sme smeserver:2.6.0-25 smeserver:2.6.0 smeserver:SME10.2

3 Commits
11_0_0-10_ ... 11_0_0-13_

Author SHA1 Message Date
Jean-Philippe Pialasse
57202723f1 * Sat Jan 18 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-13.sme 
- use esmith::ssl to set ciphers and protocol [SME: 12821]
  improve cipher order to get strongers first
  drop SSLv2
 2025-01-18 15:29:38 -05:00
Jean-Philippe Pialasse
1bfad8c651 * Thu Jan 02 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-12.sme 
- fix OCSP Stapling support [SME: 12819]
- fix .well-known/security.txt [SME: 12818]
- add X-Permitted-Cross-Domain-Policies header [SME: 12857]
- add  Cross-Origin headers [SME: 12856]
- add Permissions-Policy header [SME: 12855]
 2025-01-02 00:13:14 -05:00
Jean-Philippe Pialasse
aecee0e087 * Fri Dec 27 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-11.sme 
- add X-Content-Type-Options nosniff [SME: 12835]
- add Strict Transport Security support HSTS [SME: 12815]
- add X-Frame-Options SAMEORIGIN Header to prevent clickjacking [SME: 12816]
- add referrer-Policy same-origin [SME: 12817]
- add OCSP Stapling support [SME: 12819]
- add CSP Content-Security-Policy support [SME: 9567]
- add .well-known and .well-known/security.txt [SME: 12818]
 2024-12-31 11:09:42 -05:00
11 changed files with 36 additions and 16 deletions
Expand all files Collapse all files

1
root/etc/e-smith/db/configuration/defaults/httpd-e-smith/SSLv2
View File

@@ -1 +0,0 @@
disabled

5
root/etc/e-smith/db/configuration/migrate/apache Normal file
View File

@@ -0,0 +1,5 @@
{
# delete old httpd-e-smith apache properties
$DB->get('httpd-e-smith')->delete_prop($_) for ( qw(SSLv2 ) );
}

9
root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL10SSLCipherSuite
View File

@@ -1,5 +1,6 @@
{
# When updating CipherSuite both e-smith-apache and smeserver-qpsmtpd templates should be updated.
$OUT = "SSLCipherSuite ";
$OUT .= $modSSL{CipherSuite} || 'ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:HIGH@STRENGTH:!SSLv2:!ADH:!aNULL:!MD5:!RC4';
{
use esmith::ssl;
# When updating CipherSuite both e-smith-apache and smeserver-qpsmtpd templates should be updated.
$OUT = "SSLCipherSuite ";
$OUT .= $modSSL{CipherSuite} || $smeCiphers;
}

8
root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL30SSLProtocol
View File

@@ -1,9 +1,5 @@
{
use esmith::ssl;
# Specify which SSL Protocols to accept for this context
$OUT .= "SSLProtocol all";
$OUT .= " -SSLv2" unless (${'httpd-e-smith'}{'SSLv2'} || 'disabled') eq 'enabled';
$OUT .= " -SSLv3" unless (${'httpd-e-smith'}{'SSLv3'} || 'disabled') eq 'enabled';
$OUT .= " -TLSv1" unless (${'httpd-e-smith'}{'TLSv1'} || 'disabled') eq 'enabled';
$OUT .= " -TLSv1.1" unless (${'httpd-e-smith'}{'TLSv1.1'} || 'disabled') eq 'enabled';
$OUT .= " -TLSv1.2" unless (${'httpd-e-smith'}{'TLSv1.2'} || 'enabled') eq 'enabled';
$OUT .= "SSLProtocol ". SSLprotoApache() ;
}

2
root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL36SSLStapling
View File

@@ -1,2 +1,2 @@
SSLUseStapling On
SSLStaplingCache dbm:/run/httpd/ssl_stapling(32768)
SSLStaplingCache dbm:/run/httpd/ssl_stapling

1
root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/38Cross-Domain Normal file
View File

@@ -0,0 +1 @@
header setifempty X-Permitted-Cross-Domain-Policies "none"

5
root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/38Cross-Origin Normal file
View File

@@ -0,0 +1,5 @@
Header setifempty Cross-Origin-Embedder-Policy "unsafe-none; report-to='default'"
Header setifempty Cross-Origin-Embedder-Policy-Report-Only "unsafe-none; report-to='default'"
Header setifempty Cross-Origin-Opener-Policy "unsafe-none"
Header setifempty Cross-Origin-Opener-Policy-Report-Only "unsafe-none; report-to='default'"
Header setifempty Cross-Origin-Resource-Policy "same-site"

1
root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/38Permissions-Policy Normal file
View File

@@ -0,0 +1 @@
Header setifempty Permissions-Policy "accelerometer=(), autoplay=(), camera=(), cross-origin-isolated=(), display-capture=(self), encrypted-media=(), fullscreen=*, geolocation=(self), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), payment=*, picture-in-picture=*, publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=*, usb=(), xr-spatial-tracking=(), gamepad=(), serial=()"

2
root/etc/e-smith/templates/var/www/html/.well-known/security.txt/20encryption
View File

@@ -4,5 +4,5 @@ Encryption: {
# Encryption: https://example.com/pgp-key.txt
# Encryption: dns:5d2d37ab76d47d36._openpgpkey.example.com?type=OPENPGPKEY
# Encryption: openpgp4fpr:5f2de5521c63a801ab59ccb603d49de44b29100f
${'httpd-e-smith'}{'SecurityEncryption'}||'none'}
${'httpd-e-smith'}{'SecurityEncryption'}||'openpgp4fpr:'}

2
root/usr/lib/systemd/system/httpd-e-smith.service
View File

@@ -8,7 +8,7 @@ Documentation=man:apachectl(8)
Type=notify
ExecStartPre=/sbin/e-smith/service-status httpd-e-smith
ExecStartPre=/sbin/e-smith/expand-template /etc/httpd/conf/httpd.conf
ExecStartPre=-/sbin/e-smith/expand-template /var/www/html/.well-known/acme-challenge/security.txt
ExecStartPre=-/sbin/e-smith/expand-template /var/www/html/.well-known/security.txt
ExecStartPre=/sbin/e-smith/systemd/httpd-e-smith-prepare
ExecStart=/usr/sbin/httpd -f /etc/httpd/conf/httpd.conf -DFOREGROUND
ExecReload=/usr/sbin/httpd -f /etc/httpd/conf/httpd.conf -k graceful

16
smeserver-apache.spec
View File

@@ -4,7 +4,7 @@ Summary: smeserver server and gateway - apache module
%define name smeserver-apache
Name: %{name}
%define version 11.0.0
%define release 10
%define release 13
Version: %{version}
Release: %{release}%{?dist}
License: GPL
@@ -74,7 +74,19 @@ if [ $1 -gt 1 ] ; then
fi
%changelog
* Fri Dec 27 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-10.sme
* Sat Jan 18 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-13.sme
- use esmith::ssl to set ciphers and protocol [SME: 12821]
improve cipher order to get strongers first
drop SSLv2
* Thu Jan 02 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-12.sme
- fix OCSP Stapling support [SME: 12819]
- fix .well-known/security.txt [SME: 12818]
- add X-Permitted-Cross-Domain-Policies header [SME: 12857]
- add Cross-Origin headers [SME: 12856]
- add Permissions-Policy header [SME: 12855]
* Fri Dec 27 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-11.sme
- add X-Content-Type-Options nosniff [SME: 12835]
- add Strict Transport Security support HSTS [SME: 12815]
- add X-Frame-Options SAMEORIGIN Header to prevent clickjacking [SME: 12816]