* Sat Jan 18 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-13.sme

- use esmith::ssl to set ciphers and protocol [SME: 12821]
  improve cipher order to get strongers first
  drop SSLv2

.gitignore

@@ -2,3 +2,4 @@
 *.log
 *spec-20*
 *.tar.xz
+*.bak

README.md

@@ -6,7 +6,14 @@ SMEServer Koozali developed git repo for smeserver-apache smeserver
 <br />https://wiki.koozali.org/
 
 ## Bugzilla
-Show list of outstanding bugs: [here](https://bugs.koozali.org/buglist.cgi?component=smeserver-apache&product=SME%20Server%2010.X&query_format=advanced&limit=0&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&bug_status=CONFIRMED)\
+Show list of outstanding bugs:
+[All](https://bugs.koozali.org/buglist.cgi?action=wrap&bug_status=UNCONFIRMED&bug_status=CONFIRMED&bug_status=NEEDINFO&bug_status=IN_PROGRESS&bug_status=RESOLVED&bug_status=VERIFIED&cf_package=smeserver-apache&classification=SME+Server&list_id=105756&order=changeddate+DESC%2Ccomponent%2Cpriority%2Cbug_severity&query_format=advanced)  
+[Confirmed](https://bugs.koozali.org/buglist.cgi?action=wrap&bug_status=CONFIRMED&cf_package=smeserver-apache&classification=SME+Server&order=changeddate+DESC%2Ccomponent%2Cpriority%2Cbug_severity&query_format=advanced)  
+[Unconfirmed](https://bugs.koozali.org/buglist.cgi?action=wrap&bug_status=UNCONFIRMED&cf_package=smeserver-apache&classification=SME+Server&order=changeddate+DESC%2Ccomponent%2Cpriority%2Cbug_severity&query_format=advanced)  
+[Need info](https://bugs.koozali.org/buglist.cgi?action=wrap&bug_status=NEEDINFO&cf_package=smeserver-apache&classification=SME+Server&order=changeddate+DESC%2Ccomponent%2Cpriority%2Cbug_severity&query_format=advanced)  
+[In progress](https://bugs.koozali.org/buglist.cgi?action=wrap&bug_status=IN_PROGRESS&cf_package=smeserver-apache&classification=SME+Server&order=changeddate+DESC%2Ccomponent%2Cpriority%2Cbug_severity&query_format=advanced)  
+[Resolved](https://bugs.koozali.org/buglist.cgi?action=wrap&bug_status=RESOLVED&cf_package=smeserver-apache&classification=SME+Server&order=changeddate+DESC%2Ccomponent%2Cpriority%2Cbug_severity&query_format=advanced)  
+[Verified](https://bugs.koozali.org/buglist.cgi?action=wrap&bug_status=VERIFIED&cf_package=smeserver-apache&classification=SME+Server&order=changeddate+DESC%2Ccomponent%2Cpriority%2Cbug_severity&query_format=advanced)
 And a list of outstanding Legacy bugs: (e-smith-apache) [here](https://bugs.koozali.org/buglist.cgi?component=e-smith-apache&product=SME%20Server%2010.X&query_format=advanced&limit=0&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&bug_status=CONFIRMED)
 
 ## Description

additional/e-smith-apache.spec

@@ -1,321 +0,0 @@
-Summary: e-smith server and gateway - apache module
-%define name e-smith-apache
-Name: %{name}
-%define version 1.1.2
-%define release 01
-Version: %{version}
-Release: %{release}
-License: GPL
-Vendor: Mitel Networks Corporation
-Group: Networking/Daemons
-Source: %{name}-%{version}.tar.gz
-Packager: e-smith developers <bugs@e-smith.com>
-BuildRoot: /var/tmp/%{name}-%{version}-%{release}-buildroot
-BuildArchitectures: noarch
-Requires: e-smith-base >= 4.15.1
-Requires: e-smith-daemontools >= 1.7.1-01
-Conflicts: e-smith-ibays < 1.0.2
-AutoReqProv: no
-BuildRequires: e-smith-devtools >= 1.11.0-12
-
-%description
-e-smith server and gateway software - apache module.
-
-%changelog
-* Wed Nov 17 2004 Mark Knox <markk@e-smith.com>
-- [1.1.2-01]
-- Picking up new directory. MN00056429.
-
-* Wed Nov 17 2004 Mark Knox <markk@e-smith.com>
-- [1.1.1-03]
-- Added empty ValidFrom defaults fragment [markk MN00056429]
-
-* Tue Nov  9 2004 Charlie Brady <charlieb@e-smith.com>
-- [1.1.1-02]
-- Modify config and run script for compatibility with apache 2. Most of these
-  changes were contributed by Shad Lords. [charlieb MN00051144]
-
-* Mon Oct  4 2004 Charlie Brady <charlieb@e-smith.com>
-- [1.1.1-01]
-- New development stream for apache 2 - 1.1.1
-
-* Fri Sep  3 2004 Charlie Brady <charlieb@e-smith.com>
-- [1.1.0-23]
-- Clean BuildRequires. [charlieb MN00043055]
-
-* Tue Jul 13 2004 Michael Soulier <msoulier@e-smith.com>
-- [1.1.0-22]
-- Updated modPerl templates to remove use of esmith::config.
-  [msoulier MN00039579]
-
-* Tue Jun 22 2004 Michael Soulier <msoulier@e-smith.com>
-- [1.1.0-21]
-- Added RewriteCond statements to previous RewriteRules to exclude localhost,
-  so ssh port-forwarding is not broken. [msoulier MN00020885]
-
-* Fri Jun 18 2004 Tony Clayton <apc@e-smith.com>
-- [1.1.0-20]
-- Fix LoadModule fragment from last patch [tonyc 11348]
-
-* Mon Jun 14 2004 Tony Clayton <apc@e-smith.com>
-- [1.1.0-19]
-- Add modPerl service and httpd.conf templates [tonyc 11348]
-
-* Mon May 10 2004 Michael Soulier <msoulier@e-smith.com>
-- [1.1.0-18]
-- Adding rewrite rules to prevent plaintext access to the server manager.
-  [msoulier MN00020885]
-
-* Thu May  6 2004 Michael Soulier <msoulier@e-smith.com>
-- [1.1.0-17]
-- Added httpd-admin's remoteaccess list to permissible networks for
-  server-resources. [msoulier MN00024949]
-
-* Mon Feb 23 2004 Michael Soulier <msoulier@e-smith.com>
-- [1.1.0-16]
-- Backing-out last change. [msoulier dpar-21489]
-
-* Mon Feb 23 2004 Michael Soulier <msoulier@e-smith.com>
-- [1.1.0-15]
-- Added restart-httpd-graceful to domain-* events. [msoulier dpar-21489]
-
-* Wed Feb 18 2004 Michael Soulier <msoulier@e-smith.com>
-- [1.1.0-14]
-- Updating requires to e-smith-daemontools. [msoulier 7629]
-
-* Wed Feb 18 2004 Michael Soulier <msoulier@e-smith.com>
-- [1.1.0-13]
-- Updating restart-httpd-graceful to use new daemontools sigusr1 option.
-  [msoulier 7629]
-
-* Wed Jan 21 2004 Michael Soulier <msoulier@e-smith.com>
-- [1.1.0-12]
-- Staggering the symlinks a little farther. [msoulier 9955]
-
-* Wed Jan 21 2004 Michael Soulier <msoulier@e-smith.com>
-- [1.1.0-11]
-- Adding symlinks to the service-domain-create event for httpd restart.
-  [msoulier 9955]
-
-* Tue Dec  9 2003 Michael Soulier <msoulier@e-smith.com>
-- [1.1.0-10]
-- Fixed another error in the specfile, resulting in incorrect file
-  permissions. [msoulier 7629]
-- Updated action scripts for supervise. [msoulier 7629]
-
-* Tue Dec  9 2003 Michael Soulier <msoulier@e-smith.com>
-- [1.1.0-09]
-- Fixed an error in the specfile. [msoulier 7629]
-
-* Tue Dec  9 2003 Michael Soulier <msoulier@e-smith.com>
-- [1.1.0-08]
-- Updated createlinks for daemontools. [msoulier 7629]
-
-* Tue Dec  9 2003 Michael Soulier <msoulier@e-smith.com>
-- [1.1.0-07]
-- Putting httpd-e-smith under supervision. [msoulier 7629]
-
-* Thu Sep 18 2003 Michael Soulier <msoulier@e-smith.com>
-- [1.1.0-06]
-- Added a null-string return value to the end of 00Setup, ensure no output
-  from that fragment. [msoulier 9803]
-
-* Wed Sep  3 2003 Charlie Brady <charlieb@e-smith.com>
-- [1.1.0-05]
-- Use implementation class, not virtual class in  VirtualHosts/00Setup fragment.
-  [charlieb 9803]
-
-* Wed Sep  3 2003 Michael Soulier <msoulier@e-smith.com>
-- [1.1.0-04]
-- Added a 75AddType05.exe fragment to specify a proper mime-type for .exe
-  files. [msoulier 9866]
-
-* Fri Aug 29 2003 Charlie Brady <charlieb@e-smith.com>
-- [1.1.0-03]
-- Allow TemplatePath property in domain record to specify an alternate template
-  subdir for virtual host content specification (e.g. to proxypass a domain).
-  [charlieb 8409]
-
-* Fri Aug 29 2003 Charlie Brady <charlieb@e-smith.com>
-- [1.1.0-02]
-- Changed the VirtualHosts subtemplate to pass the domain object instead of db handle,
-  and modified VirtualHosts/00Setup fragment to convert it to the right class.
-  Fix scoping problem with the blessed object. [charlieb 9803]
-
-* Fri Aug 29 2003 Michael Soulier <msoulier@e-smith.com>
-- [1.1.0-01]
-- rolling to dev stream - 1.1.0
-
-* Fri Aug 29 2003 Michael Soulier <msoulier@e-smith.com>
-- [1.0.0-04]
-- Added a 00Setup fragment to VirtualHosts to process the %domainsdb hash back
-  into an esmith::DomainsDB object. [msoulier 9803]
-
-* Mon Aug 25 2003 Michael Soulier <msoulier@e-smith.com>
-- [1.0.0-03]
-- Added a reference to the domains db in the extra data for processing the
-  VirtualHosts fragments. [msoulier 9803]
-
-* Fri Aug  1 2003 Michael Soulier <msoulier@e-smith.com>
-- [1.0.0-02]
-- Fixed a precedence error that broke virtual hosts in apache.
-  [msoulier 9640]
-
-* Wed Jul  9 2003 Charlie Brady <charlieb@e-smith.com>
-- [1.0.0-01]
-- Setting to release version number  - 1.0.0
-
-* Wed Jul  9 2003 Michael Soulier <msoulier@e-smith.com>
-- [0.2.0-04]
-- Fixed breakage in admin web server when a local network with a 32-bit subnet
-  mask is used. [msoulier 9259]
-
-* Thu Jul  3 2003 Charlie Brady <charlieb@e-smith.com>
-- [0.2.0-03]
-- Fix log noise problem in expansion of httpd.conf template. [charlieb 9269]
-
-* Wed Jul  2 2003 Charlie Brady <charlieb@e-smith.com>
-- [0.2.0-02]
-- List primary domain as first (default) virtual domain in apache config.
-  Include $SystemName.domain.name in ServerAlias directive. [charlieb 9241]
-
-* Thu Jun 26 2003 Charlie Brady <charlieb@e-smith.com>
-- [0.2.0-01]
-- Changing version to stable stream number - 0.2.0
-
-* Thu Jun 12 2003 Gordon Rowell <gordonr@e-smith.com>
-- [0.1.2-01]
-- Add order to migrate fragments [gordonr 9015]
-
-* Wed Jun 11 2003 Gordon Rowell <gordonr@e-smith.com>
-- [0.1.1-02]
-- Fixed Conflicts header - should be <, not <= [gordonr 8903]
-
-* Fri Jun  6 2003 Gordon Rowell <gordonr@e-smith.com>
-- [0.1.1-01]
-- Shuffled some httpd.conf fragments to e-smith-ibays [gordonr 8903]
-
-* Wed May 28 2003 Michael Soulier <msoulier@e-smith.com>
-- [0.1.0-19]
-- Moving httpd-e-smith init script to e-smith-apache. [msoulier 8852]
-
-* Tue Apr 29 2003 Gordon Rowell <gordonr@e-smith.com>
-- [0.1.0-18]
-- Do an explicit die if the httpd-e-smith record is missing from the
-  config db, rather than an implicit die due to an invalid object
-  reference [gordonr 8609]
-
-* Wed Apr  9 2003 Gordon Rowell <gordonr@e-smith.com>
-- [0.1.0-17]
-- Relocated conf-httpd from e-smith-base [gordonr 8150]
-
-* Fri Apr  4 2003 Mark Knox <markk@e-smith.com>
-- [0.1.0-16]
-- Moved restart-httpd-* actions from base [markk 5509]
-
-* Fri Apr  4 2003 Mark Knox <markk@e-smith.com>
-- [0.1.0-15]
-- Moved db config fragments here from e-smith-base [markk 5509]
-
-* Tue Apr  1 2003 Gordon Rowell <gordonr@e-smith.com>
-- [0.1.0-14]
-- Make /server-resources/ browsable from LAN [gordonr 6620]
-
-* Tue Apr  1 2003 Gordon Rowell <gordonr@e-smith.com>
-- [0.1.0-13]
-- Delete Apache ReadmeName directive [gordonr 6313]
-
-* Tue Apr  1 2003 Gordon Rowell <gordonr@e-smith.com>
-- [0.1.0-12]
-- Fixed broken conf-httpd-e-smith links in post-{install,upgrade} [gordonr 7960]
-
-* Tue Mar 18 2003 Lijie Deng <lijied@e-smith.com>
-- [0.1.0-11]
-- Deleted ./etc/httpd/conf/httpd.conf/template-begin 
-  deleted ./etc/httpd/conf/srm.conf/template-begin
-  deleted ./etc/httpd/conf/access.conf/template-begin [lijied 3295]
-
-* Mon Mar 17 2003 Lijie Deng <lijied@e-smith.com>
-- [0.1.0-10]
-- Delete empty template-end file  [lijied 3295]
-  
-* Wed Mar 12 2003 Charlie Brady <charlieb@e-smith.com>
-- [0.1.0-09]
-- Remove more references to primary and wwwpublic in favour
-  of the "Primary" i-bay. There is still some special case code,
-  which might go later if it turns out not to be needed.
-  [charlieb 5652]
-
-* Tue Mar 11 2003 Mark Knox <markk@e-smith.com>
-- [0.1.0-08]
-- Fixed a missing quote in 27ManagerProxyPass [markk 7635]
-
-* Tue Mar 11 2003 Gordon Rowell <gordonr@e-smith.com>
-- [0.1.0-07]
-- Pass externalSSLAccess and localAccess to VirtualDomains fragments so they don't
-  need to recalculate these values [gordonr 7635]
-- Use early return from 27ManagerProxyPass and new DB interface [gordonr 7635]
-
-* Mon Mar 10 2003 Charlie Brady <charlieb@e-smith.com>
-- [0.1.0-06]
-- Remove special case handling for /home/e-smith/files/primary in Apache
-  configuration. Migrate code and db entries for wwwpublic to Public.
-  [charlieb 5652]
-
-* Fri Mar  7 2003 Charlie Brady <charlieb@e-smith.com>
-- [0.1.0-05]
-- Replace deprecated CONFREF with MORE_DATA in processTemplate call in
-  VirtualHosts fragment of httpd.conf templates. Fixes template
-  expansion breakage (I'm not sure what broke it, but this fixes it.)
-  [charlieb]
-- Add default config db fragments to set type and status. Remove redundant
-  conf-httpd-e-smith script. [charlieb 1507]
-
-* Fri Jan 24 2003 Gordon Rowell <gordonr@e-smith.com>
-- [0.1.0-04]
-- Move SSL initialisation to global context [gordonr 1432]
-
-* Fri Jan 24 2003 Gordon Rowell <gordonr@e-smith.com>
-- [0.1.0-03]
-- Use default SSL certificate of $SystemName.$DomainName [gordonr 4874]
-
-* Wed Jan  8 2003 Mark Knox <markk@e-smith.com>
-- [0.1.0-02]
-- Added conf-httpd-e-smith action linked to the same events as conf-startup
-  in e-smith-base [markk 6428]
-
-* Mon Jan 06 2003 Mark Knox <m_knox@mitel.com>
-- [0.1.0-01]
-- Initial release, split out from e-smith-base [markk 6428]
-
-%prep
-%setup
-
-%pre
-
-%post
-
-%build
-perl createlinks
-mkdir -p root/service
-ln -s /var/service/httpd-e-smith root/service/httpd-e-smith
-mkdir -p root/var/service/httpd-e-smith/supervise
-touch root/var/service/httpd-e-smith/down
-
-%install
-rm -rf $RPM_BUILD_ROOT
-(cd root   ; find . -depth -print | cpio -dump $RPM_BUILD_ROOT)
-
-/sbin/e-smith/genfilelist $RPM_BUILD_ROOT \
-    --dir /var/service/httpd-e-smith 'attr(01755,root,root)' \
-    --file /var/service/httpd-e-smith/down 'attr(0644,root,root)' \
-    --file /var/service/httpd-e-smith/run 'attr(0755,root,root)' \
-    > e-smith-%{version}-filelist
-
-echo "%doc COPYING"          >> e-smith-%{version}-filelist
-
-%clean 
-rm -rf $RPM_BUILD_ROOT
-
-%files -f e-smith-%{version}-filelist
-%defattr(-,root,root)

contriborbase

@@ -1 +0,0 @@
-sme10

createlinks

@@ -6,6 +6,7 @@ use esmith::Build::CreateLinks qw(:all);
 #--------------------------------------------------
 my $event = "smeserver-apache-update";
 templates2events("/etc/httpd/conf/httpd.conf", $event);
+templates2events("/var/www/html/.well-known/security.txt", $event);
 safe_symlink("restart", "root/etc/e-smith/events/$event/services2adjust/httpd-e-smith");
 event_link("systemd-reload", $event, "89");
 event_link("systemd-default", $event, "88");
@@ -16,6 +17,7 @@ templates2events("/etc/logrotate.d/httpd", $event);
 #--------------------------------------------------
 my $event = "console-save";
 
+templates2events("/var/www/html/.well-known/security.txt", $event);
 templates2events("/etc/httpd/conf/httpd.conf", $event);
 safe_symlink("restart", "root/etc/e-smith/events/$event/services2adjust/httpd-e-smith");
 
@@ -143,6 +145,7 @@ safe_symlink("reload", "root/etc/e-smith/events/$event/services2adjust/httpd-e-s
 
 $event = "remoteaccess-update";
 
+templates2events("/var/www/html/.well-known/security.txt", $event);
 templates2events("/etc/httpd/conf/httpd.conf", $event);
 safe_symlink("reload", "root/etc/e-smith/events/$event/services2adjust/httpd-e-smith");
 
@@ -152,6 +155,7 @@ safe_symlink("reload", "root/etc/e-smith/events/$event/services2adjust/httpd-e-s
 
 $event = "email-update";
 
+templates2events("/var/www/html/.well-known/security.txt", $event);
 templates2events("/etc/httpd/conf/httpd.conf", $event);
 safe_symlink("reload", "root/etc/e-smith/events/$event/services2adjust/httpd-e-smith");
 
@@ -161,6 +165,7 @@ safe_symlink("reload", "root/etc/e-smith/events/$event/services2adjust/httpd-e-s
 
 $event = "logrotate";
 
+templates2events("/var/www/html/.well-known/security.txt", $event);
 safe_symlink("reload", "root/etc/e-smith/events/$event/services2adjust/httpd-e-smith");
 
 #--------------------------------------------------
@@ -168,6 +173,7 @@ safe_symlink("reload", "root/etc/e-smith/events/$event/services2adjust/httpd-e-s
 #--------------------------------------------------
 
 $event = "ssl-update";
+templates2events("/var/www/html/.well-known/security.txt", $event);
 templates2events("/etc/httpd/conf/httpd.conf", $event);
 safe_symlink("reload", "root/etc/e-smith/events/$event/services2adjust/httpd-e-smith");
 
@@ -176,6 +182,7 @@ safe_symlink("reload", "root/etc/e-smith/events/$event/services2adjust/httpd-e-s
 #--------------------------------------------------
 
 $event = "post-install";
+templates2events("/var/www/html/.well-known/security.txt", $event);
 templates2events("/etc/logrotate.d/httpd", $event);
 
 #--------------------------------------------------
@@ -183,5 +190,6 @@ templates2events("/etc/logrotate.d/httpd", $event);
 #--------------------------------------------------
 
 $event = "post-upgrade";
+templates2events("/var/www/html/.well-known/security.txt", $event);
 templates2events("/etc/logrotate.d/httpd", $event);
 

root/etc/e-smith/db/configuration/defaults/httpd-e-smith/SSLv2

@@ -1 +0,0 @@
-disabled

root/etc/e-smith/db/configuration/migrate/apache

@@ -0,0 +1,5 @@
+{
+ # delete old httpd-e-smith apache properties
+ $DB->get('httpd-e-smith')->delete_prop($_) for ( qw(SSLv2 ) ); 
+
+}

root/etc/e-smith/templates.metadata/var/www/html/.well-known/security.txt

@@ -0,0 +1,3 @@
+UID="root"
+GID="apache"
+PERMS=0640

root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL10SSLCipherSuite

@@ -1,5 +1,6 @@
-{
-    # When updating CipherSuite both e-smith-apache and smeserver-qpsmtpd templates should be updated.
-    $OUT  = "SSLCipherSuite ";
-    $OUT .= $modSSL{CipherSuite} || 'ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:HIGH@STRENGTH:!SSLv2:!ADH:!aNULL:!MD5:!RC4';
+{
+    use esmith::ssl;
+    # When updating CipherSuite both e-smith-apache and smeserver-qpsmtpd templates should be updated.
+    $OUT  = "SSLCipherSuite ";
+    $OUT .= $modSSL{CipherSuite} || $smeCiphers;
 }

root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL30SSLProtocol

@@ -1,9 +1,5 @@
 {
+    use esmith::ssl;
     # Specify which SSL Protocols to accept for this context
-    $OUT .= "SSLProtocol all";
-    $OUT .= " -SSLv2" unless (${'httpd-e-smith'}{'SSLv2'} || 'disabled') eq 'enabled';
-    $OUT .= " -SSLv3" unless (${'httpd-e-smith'}{'SSLv3'} || 'disabled') eq 'enabled';
-    $OUT .= " -TLSv1" unless (${'httpd-e-smith'}{'TLSv1'} || 'disabled') eq 'enabled';
-    $OUT .= " -TLSv1.1" unless (${'httpd-e-smith'}{'TLSv1.1'} || 'disabled') eq 'enabled';
-    $OUT .= " -TLSv1.2" unless (${'httpd-e-smith'}{'TLSv1.2'} || 'enabled') eq 'enabled';
+    $OUT .= "SSLProtocol ". SSLprotoApache() ;
 }

root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL36SSLStapling

@@ -0,0 +1,2 @@
+SSLUseStapling On
+SSLStaplingCache dbm:/run/httpd/ssl_stapling

root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/38Cross-Domain

@@ -0,0 +1 @@
+header setifempty X-Permitted-Cross-Domain-Policies "none"

root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/38Cross-Origin

@@ -0,0 +1,5 @@
+Header setifempty Cross-Origin-Embedder-Policy	"unsafe-none; report-to='default'"
+Header setifempty Cross-Origin-Embedder-Policy-Report-Only	"unsafe-none; report-to='default'"
+Header setifempty Cross-Origin-Opener-Policy	"unsafe-none"
+Header setifempty Cross-Origin-Opener-Policy-Report-Only	"unsafe-none; report-to='default'"
+Header setifempty Cross-Origin-Resource-Policy	"same-site"

root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/38Permissions-Policy

@@ -0,0 +1 @@
+Header setifempty Permissions-Policy	"accelerometer=(), autoplay=(), camera=(), cross-origin-isolated=(), display-capture=(self), encrypted-media=(), fullscreen=*, geolocation=(self), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), payment=*, picture-in-picture=*, publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=*, usb=(), xr-spatial-tracking=(), gamepad=(), serial=()"

root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/38nosniff

@@ -0,0 +1 @@
+Header setifempty X-Content-Type-Options nosniff

root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/38referer

@@ -0,0 +1 @@
+Header setifempty Referrer-Policy "same-origin"

root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/38xframe

@@ -0,0 +1,3 @@
+# prevent clickjacking attacks
+Header unset X-Frame-Options
+Header set X-Frame-Options SAMEORIGIN

root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/79well-known

@@ -0,0 +1,18 @@
+# Alias for letsencrypt, security.txt and mailconfig ...
+Alias /.well-known/ /var/www/html/.well-known/
+# do not proxy request to acme-challenge and security.txt
+ProxyPass /.well-known/security.txt !
+ProxyPass /.well-known/acme-challenge !
+
+<Directory "/var/www/html/.well-known">
+  Options None
+  AllowOverride None
+  Require all granted
+  AddDefaultCharset off
+  Satisfy any
+</Directory>
+<Directory /var/www/html/.well-known/acme-challenge/>
+  Header set Content-Type "application/jose+json"
+  Require all granted
+  Satisfy any
+</Directory>

root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/28security.txt

@@ -0,0 +1,12 @@
+{
+    # vim: ft=perl:
+
+    $haveSSL = (exists ${modSSL}{status} and ${modSSL}{status} eq "enabled") ?  'yes' : 'no';
+    $plainTextAccess = ${'httpd-admin'}{PermitPlainTextAccess} || 'no';
+
+    $OUT = '';
+        if (($port eq $httpPort) && ($haveSSL eq 'yes') && ($plainTextAccess ne 'yes'))
+        {
+            $OUT .= "    RewriteRule ^/.well-known/security.txt\$    https://%{HTTP_HOST}/.well-known/security.txt [L,R]\n";
+        }
+}

root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/29HSTS

@@ -0,0 +1,26 @@
+{
+    use esmith::DomainsDB;
+    my $domains = esmith::DomainsDB->open_ro;
+
+    # return if not SSL
+    return "    # skipping SSL certificate\n" unless $port eq "$httpsPort";
+
+    # return unless we have a real certificate (however, here  we assume that one will not set manually a self signed one...)
+    # by the way accessing with an ip will fail.
+    my $ssl_file_crt = $domains->get_prop($virtualHost, "DomainSSLCertificateFile") || $modSSL{'crt'}  || "disabled";
+    return "    # HSTS  incompatible with self signed certificate\n" unless ($ssl_file_crt ne "disabled" && -e $ssl_file_crt);
+
+    # return unless enabled for domain
+    return "    # HSTS disabled\n" unless ( ($domains->get_prop($virtualHost, "HSTS") || "enabled") eq 'enabled');
+
+    # if setting preload you need max-age>= 1years in second and includeSubDomains enabled.
+    my $preload = (($domains->get_prop($virtualHost, "HSTSpreload") || "disabled") eq 'enabled')? "; preload" : "";
+
+    my $includeSubDomains = (${'httpd-e-smith'}{HSTSsubdomain} eq 'enabled')? "; includeSubDomains" : "";
+    $includeSubDomains = "; includeSubDomains" if ($preload eq "; preload");
+
+    # default to 1 years in second to access to preload; suggested 2 years.
+    my $age = ($domains->get_prop($virtualHost, "HSTSage") )? $domains->get_prop($virtualHost, "HSTSage") : "31536000";
+
+    $OUT = '    Header always set Strict-Transport-Security "max-age='.$age.' '.$includeSubDomains.' '.$preload.'"' ;
+}

root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/30csp

@@ -0,0 +1,11 @@
+{
+    use esmith::AccountsDB;
+    my $accounts = esmith::AccountsDB->open_ro;
+    my $CSP = $accounts->get_prop($virtualHostContent, "CSP") || "default-src 'self' https://www.$virtualHost https://$virtualHost;  style-src 'self' https://*.$virtualHost; script-src 'self' https://*.$virtualHost; worker-src 'self' https://*.$virtualHost; frame-ancestors 'self' https://*.$virtualHost; base-uri 'self' https://*.$virtualHost; form-action 'self' https://*.$virtualHost ";
+    return  "    # CSP disabled for this host\n" if ($CSP eq "disabled");
+    if ($CSP ne '')
+    {
+    $OUT .= "    # Content-Security-Policy; only if not set by content\n";
+    $OUT .= "    Header setifempty Content-Security-Policy \"$CSP\"\n";
+    }
+}

root/etc/e-smith/templates/var/www/html/.well-known/security.txt/10contact

@@ -0,0 +1,9 @@
+# Our security address
+Contact: { 
+# some examples
+# Contact: mailto:security@example.com
+# Contact: mailto:security%2Buri%2Bencoded@example.com
+# Contact: tel:+1-201-555-0123
+# Contact: https://example.com/security-contact.html
+${'httpd-e-smith'}{'SecurityContact'}||"mailto:admin\@$DomainName"}
+

root/etc/e-smith/templates/var/www/html/.well-known/security.txt/20encryption

@@ -0,0 +1,8 @@
+# Our openPGP key
+Encryption: { 
+# some example
+# Encryption: https://example.com/pgp-key.txt
+# Encryption: dns:5d2d37ab76d47d36._openpgpkey.example.com?type=OPENPGPKEY
+# Encryption: openpgp4fpr:5f2de5521c63a801ab59ccb603d49de44b29100f
+${'httpd-e-smith'}{'SecurityEncryption'}||'openpgp4fpr:'}
+

root/etc/e-smith/templates/var/www/html/.well-known/security.txt/30expires

@@ -0,0 +1,15 @@
+# Expiration date of this policy
+Expires: {
+ use strict;
+ use warnings;
+ use esmith::ConfigDB;
+ use DateTime;
+ my $db = esmith::ConfigDB->open or die "Could not open config db";
+ # Obtain the TimeZone configuration database value
+ my $timezone = $db->get("TimeZone")->value||"US/eastern";
+ my $dt   = DateTime->now(time_zone    => $timezone);
+ $dt->set_year($dt->year()+1);
+ $dt->set_time_zone('UTC');
+ $OUT =  $dt."z" ;
+}
+

root/etc/e-smith/templates/var/www/html/.well-known/security.txt/40language

@@ -0,0 +1,8 @@
+# Prefered Languages
+Preferred-Languages: { substr( ($sysconfig{Language}||"en"),0,2) }
+{
+# see https://securitytxt.org/ for more fields
+# Acknowledgments : https://
+# Policy : https://
+# Hiring : https://
+}

root/usr/lib/systemd/system/httpd-e-smith.service

@@ -8,6 +8,7 @@ Documentation=man:apachectl(8)
 Type=notify
 ExecStartPre=/sbin/e-smith/service-status httpd-e-smith
 ExecStartPre=/sbin/e-smith/expand-template /etc/httpd/conf/httpd.conf
+ExecStartPre=-/sbin/e-smith/expand-template /var/www/html/.well-known/security.txt
 ExecStartPre=/sbin/e-smith/systemd/httpd-e-smith-prepare
 ExecStart=/usr/sbin/httpd -f /etc/httpd/conf/httpd.conf -DFOREGROUND
 ExecReload=/usr/sbin/httpd -f /etc/httpd/conf/httpd.conf -k graceful

smeserver-apache.spec

@@ -4,7 +4,7 @@ Summary: smeserver server and gateway - apache module
 %define name smeserver-apache
 Name: %{name}
 %define version 11.0.0
-%define release 7
+%define release 13
 Version: %{version}
 Release: %{release}%{?dist}
 License: GPL
@@ -18,6 +18,7 @@ Requires: smeserver-lib >= 1.15.1-19
 Requires: smeserver-daemontools >= 1.7.1-01
 Requires: mod_ssl
 Requires: mod_authnz_external
+Requires: perl-DateTime
 Obsoletes: distcache <= 1.4.5
 Obsoletes: mod_auth_external
 Obsoletes: e-smith-proxypass
@@ -51,6 +52,9 @@ rm -rf $RPM_BUILD_ROOT
     --dir /var/service/httpd-e-smith 'attr(01755,root,root)' \
     --file /var/service/httpd-e-smith/down 'attr(0644,root,root)' \
     --file /var/service/httpd-e-smith/run 'attr(0755,root,root)' \
+    --ignoredir /var/www/html/ --ignoredir /var/www/ \
+    --dir /var/www/html/.well-known 'attr(0701,root,root)' \
+    --dir /var/www/html/.well-known/acme-challenge 'attr(0755,root,root)' \
     > e-smith-%{version}-filelist
 
 echo "%doc COPYING"          >> e-smith-%{version}-filelist
@@ -70,6 +74,27 @@ if [ $1 -gt 1 ] ; then
 fi
 
 %changelog
+* Sat Jan 18 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-13.sme
+- use esmith::ssl to set ciphers and protocol [SME: 12821]
+  improve cipher order to get strongers first
+  drop SSLv2
+
+* Thu Jan 02 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-12.sme
+- fix OCSP Stapling support [SME: 12819]
+- fix .well-known/security.txt [SME: 12818]
+- add X-Permitted-Cross-Domain-Policies header [SME: 12857]
+- add  Cross-Origin headers [SME: 12856] 
+- add Permissions-Policy header [SME: 12855]
+
+* Fri Dec 27 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-11.sme
+- add X-Content-Type-Options nosniff [SME: 12835]
+- add Strict Transport Security support HSTS [SME: 12815]
+- add X-Frame-Options SAMEORIGIN Header to prevent clickjacking [SME: 12816]
+- add referrer-Policy same-origin [SME: 12817]
+- add OCSP Stapling support [SME: 12819]
+- add CSP Content-Security-Policy support [SME: 9567] 
+- add .well-known and .well-known/security.txt [SME: 12818]
+
 * Thu Apr 04 2024 Brian Read <brianr@koozali.org> 11.0.0-7.sme
 - Update createlinks to create smeserver-package-update event[SME: 12579]