* Thu Feb 20 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-14.sme

- load mod dav and dav_fs by default [SME: 2269]
- regroup multiple mod fragments in less fragments

createlinks

@@ -6,7 +6,7 @@ use esmith::Build::CreateLinks qw(:all);
 #--------------------------------------------------
 my $event = "smeserver-apache-update";
 templates2events("/etc/httpd/conf/httpd.conf", $event);
-templates2events("/var/www/html/.well-known/acme-challenge/security.txt", $event);
+templates2events("/var/www/html/.well-known/security.txt", $event);
 safe_symlink("restart", "root/etc/e-smith/events/$event/services2adjust/httpd-e-smith");
 event_link("systemd-reload", $event, "89");
 event_link("systemd-default", $event, "88");
@@ -17,7 +17,7 @@ templates2events("/etc/logrotate.d/httpd", $event);
 #--------------------------------------------------
 my $event = "console-save";
 
-templates2events("/var/www/html/.well-known/acme-challenge/security.txt", $event);
+templates2events("/var/www/html/.well-known/security.txt", $event);
 templates2events("/etc/httpd/conf/httpd.conf", $event);
 safe_symlink("restart", "root/etc/e-smith/events/$event/services2adjust/httpd-e-smith");
 
@@ -145,7 +145,7 @@ safe_symlink("reload", "root/etc/e-smith/events/$event/services2adjust/httpd-e-s
 
 $event = "remoteaccess-update";
 
-templates2events("/var/www/html/.well-known/acme-challenge/security.txt", $event);
+templates2events("/var/www/html/.well-known/security.txt", $event);
 templates2events("/etc/httpd/conf/httpd.conf", $event);
 safe_symlink("reload", "root/etc/e-smith/events/$event/services2adjust/httpd-e-smith");
 
@@ -155,7 +155,7 @@ safe_symlink("reload", "root/etc/e-smith/events/$event/services2adjust/httpd-e-s
 
 $event = "email-update";
 
-templates2events("/var/www/html/.well-known/acme-challenge/security.txt", $event);
+templates2events("/var/www/html/.well-known/security.txt", $event);
 templates2events("/etc/httpd/conf/httpd.conf", $event);
 safe_symlink("reload", "root/etc/e-smith/events/$event/services2adjust/httpd-e-smith");
 
@@ -165,7 +165,7 @@ safe_symlink("reload", "root/etc/e-smith/events/$event/services2adjust/httpd-e-s
 
 $event = "logrotate";
 
-templates2events("/var/www/html/.well-known/acme-challenge/security.txt", $event);
+templates2events("/var/www/html/.well-known/security.txt", $event);
 safe_symlink("reload", "root/etc/e-smith/events/$event/services2adjust/httpd-e-smith");
 
 #--------------------------------------------------
@@ -173,7 +173,7 @@ safe_symlink("reload", "root/etc/e-smith/events/$event/services2adjust/httpd-e-s
 #--------------------------------------------------
 
 $event = "ssl-update";
-templates2events("/var/www/html/.well-known/acme-challenge/security.txt", $event);
+templates2events("/var/www/html/.well-known/security.txt", $event);
 templates2events("/etc/httpd/conf/httpd.conf", $event);
 safe_symlink("reload", "root/etc/e-smith/events/$event/services2adjust/httpd-e-smith");
 
@@ -182,7 +182,7 @@ safe_symlink("reload", "root/etc/e-smith/events/$event/services2adjust/httpd-e-s
 #--------------------------------------------------
 
 $event = "post-install";
-templates2events("/var/www/html/.well-known/acme-challenge/security.txt", $event);
+templates2events("/var/www/html/.well-known/security.txt", $event);
 templates2events("/etc/logrotate.d/httpd", $event);
 
 #--------------------------------------------------
@@ -190,6 +190,6 @@ templates2events("/etc/logrotate.d/httpd", $event);
 #--------------------------------------------------
 
 $event = "post-upgrade";
-templates2events("/var/www/html/.well-known/acme-challenge/security.txt", $event);
+templates2events("/var/www/html/.well-known/security.txt", $event);
 templates2events("/etc/logrotate.d/httpd", $event);
 

root/etc/e-smith/db/configuration/defaults/httpd-e-smith/SSLv2

@@ -1 +0,0 @@
-disabled

root/etc/e-smith/db/configuration/migrate/apache

@@ -0,0 +1,5 @@
+{
+ # delete old httpd-e-smith apache properties
+ $DB->get('httpd-e-smith')->delete_prop($_) for ( qw(SSLv2 ) ); 
+
+}

root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/20LoadModule15

@@ -1,3 +0,0 @@
-# notify for systemd
-LoadModule systemd_module modules/mod_systemd.so
-

root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/20LoadModule50

@@ -4,10 +4,12 @@
 		proxy_http
 		alias
 		rewrite
+		access_compat
                 authn_core
                 authz_core
 		authz_host
 		authz_user
+		authnz_external
                 authn_file
                 authn_anon
                 auth_digest
@@ -15,9 +17,12 @@
                 authz_groupfile
 		authnz_ldap
 		ldap
+		dav
+		dav_fs
 		proxy_wstunnel
                 mpm_prefork
                 socache_dbm
+		systemd
                 unixd
 	    ));
 }

root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/20LoadModule60

@@ -1,7 +0,0 @@
-{
-
-    $OUT .= load_modules(qw(
-               access_compat
-    ));
-}
-

root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/20LoadModule80

@@ -1,4 +0,0 @@
-
-# Extra Modules
-LoadModule authnz_external_module modules/mod_authnz_external.so
-

root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL10SSLCipherSuite

@@ -1,5 +1,6 @@
-{
-    # When updating CipherSuite both e-smith-apache and smeserver-qpsmtpd templates should be updated.
-    $OUT  = "SSLCipherSuite ";
-    $OUT .= $modSSL{CipherSuite} || 'ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:HIGH@STRENGTH:!SSLv2:!ADH:!aNULL:!MD5:!RC4';
+{
+    use esmith::ssl;
+    # When updating CipherSuite both e-smith-apache and smeserver-qpsmtpd templates should be updated.
+    $OUT  = "SSLCipherSuite ";
+    $OUT .= $modSSL{CipherSuite} || $smeCiphers;
 }

root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL30SSLProtocol

@@ -1,9 +1,5 @@
 {
+    use esmith::ssl;
     # Specify which SSL Protocols to accept for this context
-    $OUT .= "SSLProtocol all";
-    $OUT .= " -SSLv2" unless (${'httpd-e-smith'}{'SSLv2'} || 'disabled') eq 'enabled';
-    $OUT .= " -SSLv3" unless (${'httpd-e-smith'}{'SSLv3'} || 'disabled') eq 'enabled';
-    $OUT .= " -TLSv1" unless (${'httpd-e-smith'}{'TLSv1'} || 'disabled') eq 'enabled';
-    $OUT .= " -TLSv1.1" unless (${'httpd-e-smith'}{'TLSv1.1'} || 'disabled') eq 'enabled';
-    $OUT .= " -TLSv1.2" unless (${'httpd-e-smith'}{'TLSv1.2'} || 'enabled') eq 'enabled';
+    $OUT .= "SSLProtocol ". SSLprotoApache() ;
 }

root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL36SSLStapling

@@ -1,2 +1,2 @@
 SSLUseStapling On
-SSLStaplingCache dbm:/run/httpd/ssl_stapling(32768)
+SSLStaplingCache dbm:/run/httpd/ssl_stapling

root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/38Cross-Domain

@@ -0,0 +1 @@
+header setifempty X-Permitted-Cross-Domain-Policies "none"

root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/38Cross-Origin

@@ -0,0 +1,5 @@
+Header setifempty Cross-Origin-Embedder-Policy	"unsafe-none; report-to='default'"
+Header setifempty Cross-Origin-Embedder-Policy-Report-Only	"unsafe-none; report-to='default'"
+Header setifempty Cross-Origin-Opener-Policy	"unsafe-none"
+Header setifempty Cross-Origin-Opener-Policy-Report-Only	"unsafe-none; report-to='default'"
+Header setifempty Cross-Origin-Resource-Policy	"same-site"

root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/38Permissions-Policy

@@ -0,0 +1 @@
+Header setifempty Permissions-Policy	"accelerometer=(), autoplay=(), camera=(), cross-origin-isolated=(), display-capture=(self), encrypted-media=(), fullscreen=*, geolocation=(self), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), payment=*, picture-in-picture=*, publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=*, usb=(), xr-spatial-tracking=(), gamepad=(), serial=()"

root/etc/e-smith/templates/var/www/html/.well-known/security.txt/10contact

@@ -5,5 +5,5 @@ Contact: {
 # Contact: mailto:security%2Buri%2Bencoded@example.com
 # Contact: tel:+1-201-555-0123
 # Contact: https://example.com/security-contact.html
-${'httpd-e-smith'}{'SecurityContact'}||"mailto:admin@$DomainName"}
+${'httpd-e-smith'}{'SecurityContact'}||"mailto:admin\@$DomainName"}
 

root/etc/e-smith/templates/var/www/html/.well-known/security.txt/20encryption

@@ -4,5 +4,5 @@ Encryption: {
 # Encryption: https://example.com/pgp-key.txt
 # Encryption: dns:5d2d37ab76d47d36._openpgpkey.example.com?type=OPENPGPKEY
 # Encryption: openpgp4fpr:5f2de5521c63a801ab59ccb603d49de44b29100f
-${'httpd-e-smith'}{'SecurityEncryption'}||'none'}
+${'httpd-e-smith'}{'SecurityEncryption'}||'openpgp4fpr:'}
 

root/usr/lib/systemd/system/httpd-e-smith.service

@@ -8,7 +8,7 @@ Documentation=man:apachectl(8)
 Type=notify
 ExecStartPre=/sbin/e-smith/service-status httpd-e-smith
 ExecStartPre=/sbin/e-smith/expand-template /etc/httpd/conf/httpd.conf
-ExecStartPre=-/sbin/e-smith/expand-template /var/www/html/.well-known/acme-challenge/security.txt
+ExecStartPre=-/sbin/e-smith/expand-template /var/www/html/.well-known/security.txt
 ExecStartPre=/sbin/e-smith/systemd/httpd-e-smith-prepare
 ExecStart=/usr/sbin/httpd -f /etc/httpd/conf/httpd.conf -DFOREGROUND
 ExecReload=/usr/sbin/httpd -f /etc/httpd/conf/httpd.conf -k graceful

smeserver-apache.spec

@@ -4,7 +4,7 @@ Summary: smeserver server and gateway - apache module
 %define name smeserver-apache
 Name: %{name}
 %define version 11.0.0
-%define release 8
+%define release 14
 Version: %{version}
 Release: %{release}%{?dist}
 License: GPL
@@ -74,7 +74,23 @@ if [ $1 -gt 1 ] ; then
 fi
 
 %changelog
-* Fri Dec 27 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-8.sme
+* Thu Feb 20 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-14.sme
+- load mod dav and dav_fs by default [SME: 2269]
+- regroup multiple mod fragments in less fragments
+
+* Sat Jan 18 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-13.sme
+- use esmith::ssl to set ciphers and protocol [SME: 12821]
+  improve cipher order to get strongers first
+  drop SSLv2
+
+* Thu Jan 02 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-12.sme
+- fix OCSP Stapling support [SME: 12819]
+- fix .well-known/security.txt [SME: 12818]
+- add X-Permitted-Cross-Domain-Policies header [SME: 12857]
+- add  Cross-Origin headers [SME: 12856] 
+- add Permissions-Policy header [SME: 12855]
+
+* Fri Dec 27 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-11.sme
 - add X-Content-Type-Options nosniff [SME: 12835]
 - add Strict Transport Security support HSTS [SME: 12815]
 - add X-Frame-Options SAMEORIGIN Header to prevent clickjacking [SME: 12816]