From: Dragan Dosen Date: Wed, 2 Apr 2008 17:19:21 +0000 (+0200) Subject: Initial commit X-Git-Tag: v2.2+2~15 X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?a=commitdiff_plain;h=eb37ec66b33ffb28c3a28fae57326403db609a25;p=apache2-cn.git Initial commit --- eb37ec66b33ffb28c3a28fae57326403db609a25 diff --git a/carnet-generate-ssl b/carnet-generate-ssl new file mode 100755 index 0000000..661d731 --- /dev/null +++ b/carnet-generate-ssl 
@@ -0,0 +1,112 @@ +#!/bin/sh +set -e + +TMPFILE=`tempfile -d /var/tmp -p apache2-cn` +TMPFILE2=`tempfile -d /var/tmp -p apache2-cn` + +trap "rm -f $TMPFILE $TMPFILE2" 1 2 15; + +CONFDIR="$1" +FQDN="$2" +WEBMASTER="$3" +DOMAIN="$4" + +sslcrt=/etc/ssl/certs +sslkey=/etc/ssl/private +A2CNDIR=$(dirname $0) + +if [ -z "$4" ]; then + echo "Usage: $0 " + echo + echo " confdir is ignored" + echo " fqdn is the fully qualified name of the web server" + echo " email address that will appear in the certificate" + echo " org is the organization name" + exit 2 +fi + +# XXX validate the arguments + +export RANDFILE=/dev/urandom +cd /etc/ssl + +if [ ! -f ${sslkey}/ca.key ]; then +# CA +openssl genrsa -out $sslkey/ca.key 1024 +cat < $TMPFILE +[ req ] +default_bits = 1024 +default_keyfile = ca.pem +distinguished_name = req_distinguished_name +attributes = req_attributes +prompt = no + +[ req_distinguished_name ] +C = HR +O = $DOMAIN +CN = $FQDN CA +emailAddress = $WEBMASTER + +[ req_attributes ] + +EOF +openssl req -config $TMPFILE -new -key ${sslkey}/ca.key -out ${sslkey}/ca.csr +cat >$TMPFILE < "$TMPFILE2" +sed "s/HOST/$FQDN/g; s/DOMAIN/$DOMAIN/g; s/WEBMASTER/$WEBMASTER/g" \ + < $A2CNDIR/templates/openssl.cnf > "$TMPFILE" +openssl req -config "$TMPFILE" -new -nodes \ + -key ${sslkey}/apache2.key -out ${sslkey}/apache2.csr +openssl x509 -extfile "$TMPFILE" -days 3650 \ + -CAserial "$TMPFILE2" -CA ${sslcrt}/ca.pem -CAkey ${sslkey}/ca.key \ + -in ${sslkey}/apache2.csr -req -out ${sslcrt}/apache2.pem +# verify +openssl x509 -noout -modulus -in ${sslcrt}/apache2.pem | read mod1 +openssl rsa -noout -modulus -in ${sslkey}/apache2.key | read mod2 +if [ "$mod1" != "$mod2" ]; then + echo "Moduli for server keys don't match." 
+ exit 1 +fi + +KEYS="${KEYS} + - ${sslcrt}/apache2.pem" +KEYS="${KEYS} + - ${sslkey}/apache2.key" + +cd ${sslcrt} +ln -sf apache2.pem $(openssl x509 -hash -noout -in apache2.pem) + +rm -f $TMPFILE $TMPFILE2 + +echo "Successfully generated server key pairs:" +echo "$KEYS" +echo diff --git a/carnet.conf b/carnet.conf new file mode 100644 index 0000000..c938b6b --- /dev/null +++ b/carnet.conf @@ -0,0 +1,17 @@ + + AddDefaultCharset off + + AddHandler cgi-script .cgi .pl + + + + LanguagePriority hr ba en ca cs da de el eo es et fr he it ja ko ltz nl nn no pl pt pt-BR ru sv zh-CN zh-TW + + + + DirectoryIndex index.html index.htm index.cgi index.pl index.php index.xhtml + + + + SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown + diff --git a/debian/README.CARNet b/debian/README.CARNet new file mode 100644 index 0000000..66042c8 --- /dev/null +++ b/debian/README.CARNet @@ -0,0 +1,34 @@ +apache2-cn +---------- + +Ovaj paket donosi CARNetovu dodatnu konfiguraciju za apache2 paket +iz Debian sarge distribucije. + +Paket dodaje VirtualHost zapise za slijedece webove: + + http://stroj.domena.hr/ + http://www.domena.hr/ + https://www.domena.hr/ + +Zadnji web koristi certifikat potpisan sa lokalno generiranim CA +parom kljuceva. Za sve navedene web stranice DocumentRoot je +postavljen tako da se sadrzaj sprema i cita iz + + /var/www/www.domena.hr + +U slucaju da korisnik ne zeli WWW VirtualHost, DocumentRoot bit +ce postavljen u: + + /var/www/stroj.domena.hr + +Apache2 moduli koji su automatski ukljuceni: + + * PHP4 + * SSL + * rewrite + * userdir + * suexec + * CGI + + + -- Dragan Dosen Thu, 7 Feb 2008 16:11:17 +0100 diff --git a/debian/changelog b/debian/changelog new file mode 100644 index 0000000..1cac587 --- /dev/null +++ b/debian/changelog 
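Review bot: The key/certificate consistency check at the end of the hunk can never fail in a `#!/bin/sh` script: in `openssl x509 -noout -modulus -in ${sslcrt}/apache2.pem | read mod1` the `read` runs in a pipeline subshell, so `mod1` and `mod2` are both empty in the parent shell and `"$mod1" != "$mod2"` compares two empty strings. Capture the output instead: `mod1=$(openssl x509 -noout -modulus -in ${sslcrt}/apache2.pem)` and `mod2=$(openssl rsa -noout -modulus -in ${sslkey}/apache2.key)`. Both the CA key and the server key are 1024-bit (`genrsa ... 1024`, `default_bits = 1024`) and the server certificate is issued for 3650 days; 2048 bits is the floor a practitioner would want even for a locally-signed CA. The `trap ... 1 2 15` omits EXIT, so an error exit under `set -e` leaves the two temp files in /var/tmp; the heredoc bodies appear to have been stripped in this rendering, so their contents could not be reviewed.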
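Review bot: `AddHandler cgi-script .cgi .pl` sits in a conf.d file, so it applies server-wide: any `.cgi` or `.pl` file in any directory that has `Options ExecCGI` is executed as CGI, not only scripts under a ScriptAlias — and postinst enables userdir, so this would include `~user/public_html` if ExecCGI is ever turned on there. If that is intended, say so next to the directive, e.g. `# Server-wide CGI by extension: any .cgi/.pl under a directory with Options ExecCGI is executed.`; otherwise scope the handler to a `<Directory>` for the intended script location. The `<IfModule>` wrappers appear to have been stripped in this rendering, so the guards around these directives could not be checked.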
@@ -0,0 +1,19 @@
+apache2-cn (2.2-3) stable; urgency=low
+
+ * TODO....
+
+ -- Dragan Dosen Wed, 2 Apr 2008 12:37:00 +0200
+
+apache2-cn (2.2-2) stable; urgency=low
+
+ * Ispravak kod pozivanja starog mktemp-a
+
+ -- Ivan Rako Thu, 27 Dec 2007 14:42:58 +0100
+
+apache2-cn (2.2-1) carnet-etch; urgency=low
+
+ * Prvo izdanje.
+ - konfiguracija iz pretpostavljenih postavki za etch.
+
+ -- Zoran Dzelajlija Fri, 28 Sep 2007 09:24:26 +0200
+
diff --git a/debian/changelog.CARNet b/debian/changelog.CARNet
new file mode 120000
index 0000000..194579e
--- /dev/null
+++ b/debian/changelog.CARNet
@@ -0,0 +1 @@
+changelog.Debian
\ No newline at end of file
diff --git a/debian/compat b/debian/compat
new file mode 100644
index 0000000..b8626c4
--- /dev/null
+++ b/debian/compat
@@ -0,0 +1 @@
+4
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..dd48595
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,17 @@
+Source: apache2-cn
+Section: web
+Priority: optional
+Maintainer: Dragan Dosen
+Build-Depends: debhelper (>= 4.0.0)
+Standards-Version: 3.6.1
+
+Package: apache2-cn
+Architecture: all
+Pre-Depends: findutils
+Depends: apache2-mpm-prefork (>= 2.2), apache2 (>= 2.2), apache2 (<< 2.3), php5-cn | php4-cn, carnet-tools-cn (>= 2.0), ${perl:Depends}, ssl-cert, procps, mail-transport-agent
+Suggests: apache2-doc, ca-certificates, monit-cn
+Conflicts: apache-cn (<< 2:1.3.33-6), apache-ssl, squirrelmail-cn (<< 2:1.4.2-6)
+Description: Apache web server with mod_ssl enabled
+ This dummy package provided by CARNet configures a simple https enabled
+ web service with PHP5.
+
diff --git a/debian/dirs b/debian/dirs
new file mode 100644
index 0000000..1450a12
--- /dev/null
+++ b/debian/dirs
@@ -0,0 +1 @@
+usr/share/apache2-cn
diff --git a/debian/docs b/debian/docs
new file mode 100644
index 0000000..b5a8299
--- /dev/null
+++ b/debian/docs
@@ -0,0 +1,2 @@
+debian/changelog.CARNet
+debian/README.CARNet
diff --git a/debian/install b/debian/install
new file mode 100644
index 0000000..ba81a00
--- /dev/null
+++ b/debian/install
@@ -0,0 +1,3 @@
+templates usr/share/apache2-cn
+carnet.conf usr/share/apache2-cn
+carnet-generate-ssl usr/share/apache2-cn
diff --git a/debian/postinst b/debian/postinst
new file mode 100755
index 0000000..e9923d7
--- /dev/null
+++ b/debian/postinst
@@ -0,0 +1,678 @@ +#!/bin/sh + +set -e + +[ "$DEBIAN_SCRIPT_DEBUG" ] && set -vx + +# Source debconf library. +. /usr/share/debconf/confmodule + +case "$1" in + configure) + # continue below + ;; + + abort-upgrade|abort-remove|abort-deconfigure) + exit 0 + ;; + + *) + echo "postinst called with unknown argument \`$1'" >&2 + exit 0 + ;; +esac + + +# Include CARNet functions. +. /usr/share/carnet-tools/functions.sh + +PKG="apache2-cn" +VERSION="2.2-1" +CONFDIR="/etc/apache2" +CONFDIROLD="/etc/apache" +CONF="$CONFDIR/apache2.conf" +CONFOLD="$CONFDIROLD/httpd.conf" +A2MODEDIR="$CONFDIR/mods-enabled" +PORTCONF="$CONFDIR/ports.conf" +A2CNDIR=/usr/share/apache2-cn +TMPLDIR=$A2CNDIR/templates +CERTDIR=/etc/ssl/certs +A2PHPINI="/etc/php4/apache2/php.ini" + +HOST=$(hostname) +FQDN=$(hostname --fqdn) +WEBMASTER="webmaster@$FQDN" +DOMAIN=$(hostname -d) +BACKUPDIR="/var/backups/apache2-cn" + +backup_done=0 +need_restart=0 +apache2_sslcert=0 +apache2_sslcf= +apache2_sslckf= +apache2_sslccf= +has_vhosts=0 +temp_files= +has_listen_ssl=0 +listen_ssl_mask= + + +# cleanup() +# +# Cleanup all temp files. +# +cleanup () { + + if [ -n "$temp_files" ]; then + for item in $temp_files; do + if [ -e "$item" ]; then + rm -f $item + fi + done + fi +} + +# tag_conf() +# +# Add CARNet package info lines to config's header. +# +tag_conf () { + + local conf_file + conf_file="$1" + + if [ -e "$conf_file" ]; then + + cat >> $conf_file < 0 - tagged +# 1 - not tagged or file does not exists +# 2 - file exists, but it is not tagged +# +chk_conf_tag () { + + local conf_file + conf_file="$1" + RET=1 + + if [ -f "$conf_file" ]; then + if egrep -q "^## Begin - Generated by CARNet package apache2-cn$" "$conf_file"; then + RET=0 + else + RET=2 + fi + fi +} + +# conf_log_fix () +# +# Check CustomLog, ErrorLog and TransferLog paths - /var/log/apache/ is replaced +# with /var/log/apache2/. 
+# +conf_log_fix () { + + local conf_file out + conf_file="$1" + + if [ -f "$conf_file" ]; then + + if egrep -iq '^[[:space:]]*(Error|Custom|Transfer)Log[[:space:]]*\/var\/log\/apache\/' "$conf_file"; then + + out=$(mktemp ${conf_file}.XXXXXX) + temp_files="${temp_files} ${out}" + + sed 's/\(^[[:space:]]*\(Error\|Custom\|Transfer\)Log[[:space:]]*\)\/var\/log\/apache\//\1\/var\/log\/apache2\//I' \ + $conf_file > $out + mv $out $conf_file + fi + fi +} + +# generate_ssl() +# +# Generate Apache2 web server SSL certificate. +# +generate_ssl () { + + generate_ssl_output=$($A2CNDIR/carnet-generate-ssl ignore "$FQDN" "$WEBMASTER" "$DOMAIN" 2> /dev/null) + cp_echo "$generate_ssl_output" + need_restart=1 +} + +# listen_ssl() +# +# Check if port 443 is configured in ports.conf file. +# +listen_ssl() { + + if ! egrep -iq "^[[:space:]]*Listen[[:space:]]*.*443$" "$PORTCONF"; then + + cp_echo "CN: Enabling SSL port (443) for Apache2 web server." + + out=$(mktemp ${PORTCONF}.XXXXXX) + cp $PORTCONF $out + echo "Listen 443" >> $out + cp_mv $out $PORTCONF + + need_restart=1 + temp_files="${temp_files} ${out}" + fi +} + +# install_conf() +# +# Install specified Apache2 configuration file. +# +install_conf() { + + conftmpl="$A2CNDIR/$1.conf" + conf="$CONFDIR/conf.d/$2.conf" + + if [ ! -e "$conf" ]; then + + cp_echo "CN: Enabling CARNet specific configuration." + cp "$conftmpl" "$conf" + + need_restart=1 + else + cp_echo "CN: $conf already exists, left untouched." 1>&2 + fi +} + +# install_vhost() +# +# Install specified VirtualHost for Apache2 web server. 
+# +# Invocation: +# +# install_vhost [-nvh] [-d] [-s docroot_symlink_dest] template site site-enabled-symlink +# +# -nvh - add NameVirtualHost +# -d - mkdir DocumentRoot +# -r - set DocumentRoot +# -n - set ServerName +# -s X - symlink DocumentRoot to X (all in /var/www) +# +# site - name of file in sites-available, host part of ServerName unless -r or -n is used +# site-enabled-symlink - name of symlink in sites-enabled +# +install_vhost() { + + add_namevirthost= + mkdir_docroot= + symlink_docroot= + docroot= + vhostname= + + while echo "x$1" | grep -q '^x-'; do + case "$1" in + -nvh) + add_namevirthost=1 + shift + ;; + -d) + mkdir_docroot=1 + shift + ;; + -s) + shift + symlink_docroot="$1" + shift + ;; + -r) + shift + docroot="$1" + if ! echo "$docroot" | grep -q /; then + docroot="/var/www/$docroot" + fi + shift + ;; + -n) + shift + vhostname="$1" + shift + ;; + esac + done + + vhosttmpl="$1.template" + vhost="$2" + venabled="$3" + [ -z "$vhostname" ] && vhostname=$(echo "$vhost"| awk -F. '{print $1}') + force_vhost= + + vhostdir=$CONFDIR/sites-available + venabledir=$CONFDIR/sites-enabled + + if [ ! -e "$TMPLDIR/${vhosttmpl}" ]; then + echo "E: vhost template ${vhosttmpl} not found in $TMPLDIR!" 1>&2 + exit 2 + fi + + [ -z "$docroot" ] && docroot="/var/www/$vhostname.$DOMAIN" + + # if we were broken mid-installation, force + if [ ! -e "$docroot" -a \( -n "$mkdir_docroot" -o -n "$symlink_docroot" \) ]; then + force_vhost=1 + fi + + # add vhost if either of these is true + # - adding is forced OR + # - it doesn't exist + # + if [ -n "$force_vhost" -o \( ! -e "$vhostdir/$vhost" -a ! -e "$venabledir/$venabled" \) ]; then + + cp_echo "CN: Adding $vhost VirtualHost." + out=$(mktemp $vhostdir/$vhost.XXXXXX) + temp_files="${temp_files} ${out}" + + # CARNet header. 
+ tag_conf "$out" + + if [ "$add_namevirthost" ]; then + nvh=$(awk -F'[ >]' '/^> $out + fi + + sed "s/HOST/$vhostname/g; s/DOMAIN/$DOMAIN/g; + s#DOCROOT#$docroot#g; s/IPADDR/$MYIP/g" < $TMPLDIR/$vhosttmpl >> $out + cp_mv $out $vhostdir/$vhost + chmod 644 $vhostdir/$vhost + ln -fs ../sites-available/$vhost $venabledir/$venabled + + if [ -n "$mkdir_docroot" -a ! -d "$docroot" ]; then + mkdir "$docroot" + echo '

Radi!

' > "$docroot/index.html" + elif [ -n "$symlink_docroot" ]; then + ln -fs "$symlink_docroot" "$docroot" + fi + + need_restart=1 + fi +} + + +# Set trap for deleting all temp files. +# +trap cleanup 0 1 2 15 + + +# Make sure that monit conf for Apache is disabled. +if [ -f "/etc/monit.d/apache1.conf" ]; then + mv /etc/monit.d/apache1.conf /etc/monit.d/apache1.conf.disabled + pkill -9 -f /usr/sbin/monit || true +fi + + +# First of all - stop Apache web server, make sure Apache is NOT running. +# +if [ -x /usr/sbin/invoke-rc.d ]; then + [ -x /usr/sbin/apache ] && invoke-rc.d apache stop || true + pkill -9 -f /usr/sbin/apache || true +else + [ -x /etc/init.d/apache ] && /etc/init.d/apache stop || true +fi + + +# Backup all configuration located in /etc/apache2/conf.d/ and +# /etc/apache2/sites-available/ directories. +# +if [ -e "$CONF" ]; then + cp_echo "CN: Doing backup for $CONF" + cp_backup_conffile -d $BACKUPDIR -p $CONF + backup_done=1 +fi +if [ -d "$CONFDIR/conf.d" ] && [ -n "$(ls ${CONFDIR}/conf.d/)" ]; then + cp_echo "CN: Doing backup for all files in /etc/apache2/conf.d/" + for file in /etc/apache2/conf.d/*; do + if [ -z "$(echo $file | egrep '^/.*~')" ]; then + cp_backup_conffile -d $BACKUPDIR -p $file + fi + done + backup_done=1 +fi +if [ -d "$CONFDIR/sites-available" ] && [ -n "$(ls ${CONFDIR}/sites-available/)" ]; then + cp_echo "CN: Doing backup for all files in /etc/apache2/sites-available/" + for file in /etc/apache2/sites-available/*; do + if [ -z "$(echo $file | egrep '^/.*~')" ]; then + cp_backup_conffile -d $BACKUPDIR -p $file + fi + done + backup_done=1 +fi +if [ $backup_done -eq 1 ]; then + cp_echo "CN: Backup is located in directory: $BACKUPDIR/" +fi + + +# Enable Apache2 web server modules (cgi, rewrite, userdir, suexec, php4, ssl). +# +if [ -e "$CONF" ]; then + + if [ ! -e "$A2MODEDIR/cgi.load" ]; then + cp_echo "CN: Enabling CGI module for Apache2 web server." + a2enmod cgi >/dev/null || true + need_restart=1 + fi + + if [ ! 
-e "$A2MODEDIR/rewrite.load" ]; then + cp_echo "CN: Enabling rewrite module for Apache2 web server." + a2enmod rewrite >/dev/null || true + need_restart=1 + fi + + if [ ! -e "$A2MODEDIR/userdir.load" ] || [ ! -e "$A2MODEDIR/userdir.conf" ]; then + cp_echo "CN: Enabling userdir module for Apache2 web server." + a2enmod userdir >/dev/null || true + need_restart=1 + fi + + if [ ! -e "$A2MODEDIR/suexec.load" ]; then + cp_echo "CN: Enabling SUEXEC module for Apache2 web server." + a2enmod suexec >/dev/null || true + need_restart=1 + fi + + if [ ! -e "$A2MODEDIR/php4.load" ] || [ ! -e "$A2MODEDIR/php4.conf" ]; then + cp_echo "CN: Enabling PHP4 module for Apache2 web server." + a2enmod php4 >/dev/null || true + need_restart=1 + fi + + if [ ! -e "$A2MODEDIR/ssl.load" ] || [ ! -e "$A2MODEDIR/ssl.conf" ]; then + cp_echo "CN: Enabling SSL module for Apache2 web server." + a2enmod ssl >/dev/null || true + need_restart=1 + fi +fi + + +# Install CARNet specific configuration file. +# +install_conf carnet 000-carnet + +# Enable SSL port (443). +# +listen_ssl + +# Disable default site configuration. +# +if [ -e "$CONF" ]; then + if [ -e "$CONFDIR/sites-enabled/000-default" ]; then + cp_echo "CN: Disabling 000-default site configuration." + a2dissite 000-default >/dev/null || true + + need_restart=1 + fi +fi + + +# Apache2 SSL certificate. 
+# +has_listen_ssl=0 + +if [ -d "$CONFDIR/conf.d" ] && [ -n "$(ls $CONFDIR/conf.d)" ]; then + listen_ssl_mask=$CONFDIR/conf.d/* +fi +if [ -d "$CONFDIR/sites-enabled" ] && [ -n "$(ls $CONFDIR/sites-enabled)" ]; then + listen_ssl_mask=$listen_ssl_mask" "$CONFDIR/sites-enabled/* +fi + +for file in $CONF $listen_ssl_mask; do + if [ -f "$file" ]; then + if egrep -iq '^[[:space:]]*' $file; then + has_listen_ssl=1 + apache2_sslcert=1 + break + fi + fi +done + +if [ $apache2_sslcert -eq 0 ]; then + + db_get apache2-cn/sslcf || true + apache2_sslcf="$RET" + + if [ -n "$apache2_sslcf" ]; then + + db_get apache2-cn/sslckf || true + apache2_sslckf="$RET" + + db_get apache2-cn/sslccf || true + apache2_sslccf="$RET" + + need_restart=1 + else + + # Generate new SSL certificate files. + generate_ssl + + apache2_sslcf= + apache2_sslckf= + apache2_sslccf= + fi +fi + + +# Add VirtualHosts. +# +db_get apache2-cn/wwwhost || true +if [ "$RET" = "true" ]; then + + # Add WWW VirtualHost. + if [ -f "$CONFDIR/sites-available/$FQDN" ]; then + cp_backup_conffile -d $BACKUPDIR -p $CONFDIR/sites-available/$FQDN + fi + if [ -f "$CONFDIR/sites-available/www.$DOMAIN" ]; then + cp_backup_conffile -d $BACKUPDIR -p $CONFDIR/sites-available/www.$DOMAIN + fi + + chk_conf_tag "$CONFDIR/sites-available/$FQDN" + if [ ! -f "$CONFDIR/sites-available/$FQDN" ] || [ $RET -eq 0 -a -f "$CONFOLD" ]; then + install_vhost -nvh -d -r www.$DOMAIN default $FQDN 000-$FQDN + need_restart=1 + fi + + chk_conf_tag "$CONFDIR/sites-available/www.$DOMAIN" + if [ ! -f "$CONFDIR/sites-available/www.$DOMAIN" ] || [ $RET -eq 0 -a -f "$CONFOLD" ]; then + install_vhost default www.$DOMAIN www.$DOMAIN + need_restart=1 + fi +else + + # No WWW VirtualHost. + if [ -f "$CONFDIR/sites-available/$FQDN" ]; then + cp_backup_conffile -d $BACKUPDIR -p $CONFDIR/sites-available/$FQDN + fi + + chk_conf_tag "$CONFDIR/sites-available/$FQDN" + if [ ! 
-f "$CONFDIR/sites-available/$FQDN" ] || [ $RET -eq 0 -a -f "$CONFOLD" ]; then + install_vhost -nvh -d -r $FQDN default $FQDN 000-$FQDN + need_restart=1 + fi +fi + + +# Add VirtualHost for SSL? +# +if [ $apache2_sslcert -eq 0 ]; then + + if [ -f "$CONFDIR/sites-available/ssl" ]; then + cp_backup_conffile -d $BACKUPDIR -p $CONFDIR/sites-available/ssl + fi + + # No active SSL VirtualHosts found - add new one. + chk_conf_tag "$CONFDIR/sites-available/ssl" + if [ ! -f "$CONFDIR/sites-available/ssl" ] || [ $RET -eq 0 -a -f "$CONFOLD" ]; then + install_vhost -r $FQDN -n $HOST ssl ssl 001-ssl + need_restart=1 + fi +fi + + +# Check SSL certificates location for VirtualHosts. +# +if [ $apache2_sslcert -eq 0 ]; then + + chk_conf_tag "${CONFDIR}/sites-available/ssl" + if [ $RET -eq 0 ] && [ -n "$apache2_sslcf" ]; then + + SSLTMP=$(mktemp ${CONFDIR}/ssltmp.XXXXXX) + temp_files="${temp_files} ${SSLTMP}" + cp ${CONFDIR}/sites-available/ssl $SSLTMP + + # SSLCertificateFile + cp_check_and_sed "^[[:space:]]*SSLCertificateFile \/etc\/ssl\/certs\/apache2\.pem" \ + "s#SSLCertificateFile /etc/ssl/certs/apache2.pem#SSLCertificateFile $apache2_sslcf #g" \ + $SSLTMP || true + + # SSLCertificateKeyFile + cp_check_and_sed "^[[:space:]]*SSLCertificateKeyFile \/etc\/ssl\/private\/apache2\.key" \ + "s#SSLCertificateKeyFile /etc/ssl/private/apache2.key#SSLCertificateKeyFile $apache2_sslckf #g" \ + $SSLTMP || true + + # SSLCertificateChainFile + if [ -n "$apache2_sslccf" ]; then + cp_check_and_sed "^# SSLCertificateChainFile \/etc\/ssl\/certs/sureserverEDU\.pem" \ + "s#\# SSLCertificateChainFile /etc/ssl/certs/sureserverEDU.pem#SSLCertificateChainFile $apache2_sslccf #g" \ + $SSLTMP || true + fi + + cp_mv $SSLTMP ${CONFDIR}/sites-available/ssl + + need_restart=1 + + # Just to be sure. + if [ -e "$SSLTMP" ]; then + rm -f $SSLTMP + fi + fi +fi + + +# Check for CustomLog, ErrorLog and TransferLog in Apache2 configuration. 
+# +cp_echo "CN: Checking Apache2 CustomLog, ErrorLog and TransferLog directives." +if [ -d "$CONFDIR/conf.d" ] && [ -n "$(ls $CONFDIR/conf.d)" ]; then + log_mask=$CONFDIR/conf.d/* +fi +if [ -d "$CONFDIR/sites-available" ] && [ -n "$(ls $CONFDIR/sites-available)" ]; then + log_mask=$log_mask" "$CONFDIR/sites-available/* +fi +for file in $CONF $log_mask; do + chk_conf_tag "$file" + if [ $RET -eq 0 ]; then + conf_log_fix "$file" + fi +done + + +# Start Apache2 web server on boot? +# This will enable Apache2 in /etc/default/apache2 file. +# +if egrep -q "^[[:space:]]*NO_START=1" /etc/default/apache2; then + cp_check_and_sed NO_START=1 s/NO_START=1/NO_START=0/ /etc/default/apache2 || true + need_restart=1 +fi + + +db_stop || true + + +# Remove old AOSI configuration for Apache: aosi-www.conf, aosi.conf. +# +if [ -e "$CONFDIR/conf.d/aosi-www.conf" ] || [ -e "$CONFDIR/conf.d/aosi.conf" ]; then + cp_echo "CN: Removing old AOSI configuration files for Apache2." + need_restart=1 +fi +[ -e "$CONFDIR/conf.d/aosi-www.conf" ] && rm -f $CONFDIR/conf.d/aosi-www.conf +[ -e "$CONFDIR/conf.d/aosi.conf" ] && rm -f $CONFDIR/conf.d/aosi.conf + + +# Stop Apache web server and disable Apache automatic start on boot. +# +if [ -x "/etc/init.d/apache" ]; then + + # Stop Apache. + if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then + invoke-rc.d apache stop || true + else + /etc/init.d/apache stop || true + fi + + # Disable automatic start on boot. + if [ -x "`which update-rc.d 2>/dev/null`" ]; then + update-rc.d -f apache remove > /dev/null 2>&1 || true + update-rc.d apache stop 90 6 . > /dev/null 2>&1 || true + fi +fi + +# Also check for Apache-SSL web server. +# +if [ -x "/etc/init.d/apache-ssl" ]; then + + # Stop Apache-SSL. + if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then + invoke-rc.d apache-ssl stop || true + else + /etc/init.d/apache-ssl stop || true + fi + + # Disable automatic start on boot. 
+ if [ -x "`which update-rc.d 2>/dev/null`" ]; then + update-rc.d -f apache-ssl remove > /dev/null 2>&1 || true + update-rc.d apache-ssl stop 90 6 . > /dev/null 2>&1 || true + fi +fi + + +# Restart Apache2 web server if needed. +# +if [ $need_restart -eq 1 ]; then + + # Check Apache2 web server configuration. + if apache2ctl configtest 2>/dev/null; then + + # Restart Apache2 web server. + if [ -x "/etc/init.d/apache2" ]; then + if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then + invoke-rc.d apache2 force-reload || true + else + /etc/init.d/apache2 force-reload || true + fi + fi + else + + # Something is broken. + cp_echo "CN: Your Apache2 configuration seem to be broken." + cp_echo "CN: Please, check the service after the installation finishes!" + fi +fi + + +# Mail root +# +cp_mail "$PKG" + + +# (re)generate monit.d files if monit-cn is installed. +# +if [ -x "/usr/sbin/update-monit.d" ]; then + update-monit.d || true +fi + + +exit 0 diff --git a/debian/postrm b/debian/postrm new file mode 100755 index 0000000..6681ea5 --- /dev/null +++ b/debian/postrm 
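Review bot: `pkill -9 -f /usr/sbin/apache` matches the pattern as an unanchored regex against the full command line of every process, so it also matches `/usr/sbin/apache2 -k start`: the Apache 2 server this package is configuring gets SIGKILLed early in postinst, and if `need_restart` stays 0 (a no-op re-run) it is never started again; the same `-f` matching in `pkill -9 -f /usr/sbin/monit` hits any unrelated process with that string in its arguments. Match the process name instead and prefer TERM first, e.g. `pkill -x apache || true` (the apache 1.3 binary is named `apache`, so `-x` does not touch `apache2`). `generate_ssl` runs `carnet-generate-ssl ... 2> /dev/null` inside `$(...)`, so when OpenSSL fails the postinst aborts under `set -e` with no diagnostic at all — send stderr to the log rather than discarding it. `$MYIP` is not assigned anywhere in this script; unless `functions.sh` exports it, `s/IPADDR/$MYIP/g` in install_vhost substitutes an empty string, which deserves at least a comment saying where the value is expected to come from.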
@@ -0,0 +1,87 @@ +#!/bin/sh + +set -e + +# Debconf +. /usr/share/debconf/confmodule + +# Include CARNet functions. +. /usr/share/carnet-tools/functions.sh + + +HOST=$(hostname -f) +DOMAIN=$(hostname -d) +sitefiles="000-$HOST www.$DOMAIN 001-ssl" +sitesdir=/etc/apache2/sites-available + + +case "$1" in + purge) + # Get CARNet config files in /etc/apache2/sites-available directory. + if [ -d "${sitesdir}" ] && [ -n "$(ls ${sitesdir}/)" ]; then + + sitefiles="" + for file in ${sitesdir}/*; do + if [ -f "$file" ]; then + if egrep -q "^## Begin - Generated by CARNet package apache2-cn$" $file; then + site=`echo "$file" | sed 's/^\/.*\///'` + sitefiles="$sitefiles $site" + fi + fi + done + fi + + # Remove our vhosts. + for site in $sitefiles; do + + if [ -e "$sitesdir/$site" ]; then + + cp_echo "CN: Removing $site site configuration file." + rm -f $sitesdir/$site + fi + done + + # Remove default DocumentRoot if there's only a one line index.html there + docroots="/var/www/$HOST.$DOMAIN /var/www/www.$DOMAIN" + + if [ -d "/var/www" ]; then + + for docroot in $docroots; do + + if [ -d $docroot ]; then + if [ "x$(echo ${docroot}/*)" = "x${docroot}/index.html" ]; then + if [ "$(wc -l ${docroot}/index.html | awk '{print $1}')" -eq 1 ]; then + + cp_echo "CN: Removing document root directory ${docroot}." + rm -f $docroot/index.html + rmdir $docroot || true + fi + fi + fi + done + fi + + # Remove CARNet specific configuration. + if [ -d "$CONFDIR/conf.d" ] && [ -n "$(ls ${CONFDIR}/conf.d/)" ]; then + cp_echo "CN: Disabling CARNet specific configuration." + for file in /etc/apache2/conf.d/*; do + if egrep -q "^## Begin - Generated by CARNet package apache2-cn$" $file; then + rm -f $file + fi + done + fi + + # Debconf purge + db_purge + + # Mail root + cp_mail "apache2-cn" + ;; + *) + ;; +esac + + +db_stop + +exit 0 diff --git a/debian/prerm b/debian/prerm new file mode 100755 index 0000000..ce3ced3 --- /dev/null +++ b/debian/prerm 
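Review bot: `$CONFDIR` is never assigned in postrm, so `[ -d "$CONFDIR/conf.d" ]` tests `/conf.d` and the block that removes the CARNet-tagged files from /etc/apache2/conf.d never runs on purge; add `CONFDIR=/etc/apache2` next to `sitesdir`. `HOST=$(hostname -f)` is already the FQDN, so `docroots="/var/www/$HOST.$DOMAIN ..."` names `/var/www/<fqdn>.<domain>`, a directory postinst never creates (it uses `/var/www/$FQDN` or `/var/www/www.$DOMAIN`), so the single-line `index.html` cleanup for the host vhost never fires; likewise the fallback `sitefiles="000-$HOST ..."` is the sites-enabled symlink name, while this loop deletes from sites-available. The tag-grep guard before each `rm -f` is the right safeguard against deleting admin-owned files — keep it.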
@@ -0,0 +1,78 @@ +#!/bin/sh + +set -e + +# Include CARNet functions. +. /usr/share/carnet-tools/functions.sh + + +HOST=$(hostname -f) +DOMAIN=$(hostname -d) +sites="000-$HOST 001-ssl www.$DOMAIN" +sitesendir=/etc/apache2/sites-enabled + + +case "$1" in + remove|deconfigure) + + # Get CARNet config files in /etc/apache2/sites-enabled directory. + if [ -d "${sitesendir}" ] && [ -n "$(ls ${sitesendir}/)" ]; then + + sites="" + for file in ${sitesendir}/*; do + if [ -f "$file" ]; then + if egrep -q "^## Begin - Generated by CARNet package apache2-cn$" $file; then + site=`echo "$file" | sed 's/^\/.*\///'` + sites="$sites $site" + fi + fi + done + fi + + # Deconfigure our web sites, do nothing else + for site in $sites; do + + if [ -e "$sitesendir/$site" ]; then + + cp_echo "CN: Disabling $site site configuration." + a2dissite $site >/dev/null || true + fi + done + + cp_echo "CN: Enabling default site configuration for Apache2 web server." + a2ensite default >/dev/null || true + + # Restart Apache2 web server. + if apache2ctl configtest 2>/dev/null; then + + # Restart Apache2 web server. + if [ -x "/etc/init.d/apache2" ]; then + if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then + invoke-rc.d apache2 force-reload || true + else + /etc/init.d/apache2 force-reload || true + fi + fi + else + + # Something is broken. + cp_echo "CN: Your Apache2 configuration seem to be broken." + cp_echo "CN: Please, check the service configuration!" + fi + + # Mail root + cp_mail "apache2-cn" + + echo + ;; + upgrade) + ;; + failed-upgrade) + ;; + *) + echo "prerm called with unknown argument \`$1'" >&2 + exit 0 + ;; +esac + +exit 0 diff --git a/debian/rules b/debian/rules new file mode 100755 index 0000000..eadc17c --- /dev/null +++ b/debian/rules 
@@ -0,0 +1,88 @@ +#!/usr/bin/make -f +# -*- makefile -*- +# Sample debian/rules that uses debhelper. +# This file was originally written by Joey Hess and Craig Small. +# As a special exception, when this file is copied by dh-make into a +# dh-make output file, you may use that output file without restriction. +# This special exception was added by Craig Small in version 0.37 of dh-make. + +# Uncomment this to turn on verbose mode. +#export DH_VERBOSE=1 + +configure: configure-stamp +configure-stamp: + dh_testdir + # Add here commands to configure the package. + + touch configure-stamp + + +build: build-stamp + +build-stamp: configure-stamp + dh_testdir + + # Add here commands to compile the package. + # $(MAKE) + + touch build-stamp + +clean: + dh_testdir + dh_testroot + rm -f build-stamp configure-stamp + + # Add here commands to clean up after the build process. + # -$(MAKE) clean + + dh_clean + +install: build + dh_testdir + dh_testroot + dh_clean -k + dh_installdirs + + # Add here commands to install the package into debian/apache2-cn + # $(MAKE) install DESTDIR=$(CURDIR)/debian/apache2-cn + + +# Build architecture-independent files here. +binary-indep: build install +# We have nothing to do by default. + +# Build architecture-dependent files here. +binary-arch: build install + dh_testdir + dh_testroot +# dh_installchangelogs -k +# dh_installdocs -X1.3 -n doc/* + dh_installchangelogs + dh_installdocs + dh_installexamples + dh_install -X.svn +# dh_installmenu +# dh_installdebconf +# dh_installlogrotate +# dh_installemacsen +# dh_installpam +# dh_installmime +# dh_installinit +# dh_installcron +# dh_installinfo + dh_installman + dh_link +# dh_strip + dh_compress + dh_fixperms + dh_perl usr/share/apache2-cn +# dh_python +# dh_makeshlibs + dh_installdeb + dh_shlibdeps + dh_gencontrol + dh_md5sums + dh_builddeb + +binary: binary-indep binary-arch +.PHONY: build clean binary-indep binary-arch binary install configure 
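Review bot: debian/control declares the package `Architecture: all`, but every dh_* step is under `binary-arch` while `binary-indep` is empty; an arch-independent build (`dpkg-buildpackage -A`, which runs only `binary-indep`) therefore produces no .deb, and an arch-only `-B` build wrongly builds it. Move the dh_* calls to `binary-indep` and leave `binary-arch` with the comment `# We have nothing to do by default.`.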
diff --git a/templates/default.template b/templates/default.template new file mode 100644 index 0000000..cf1bd53 --- /dev/null +++ b/templates/default.template @@ -0,0 +1,18 @@ + + ServerAdmin webmaster@HOST.DOMAIN + + ServerName HOST.DOMAIN + DocumentRoot DOCROOT + LogLevel warn + ErrorLog /var/log/apache2/HOST.DOMAIN-error.log + CustomLog /var/log/apache2/HOST.DOMAIN-access.log combined + + # + # # AllowOverride All + # AllowOverride None + # Options OPTIONS + # Order allow,deny + # Allow from all + # + + diff --git a/templates/openssl.cnf b/templates/openssl.cnf new file mode 100644 index 0000000..1b49eb2 --- /dev/null +++ b/templates/openssl.cnf @@ -0,0 +1,25 @@ +# +# custom openssl configuration file +# based on csr.sh from http://wiki.cacert.org/wiki/VhostTaskForce +# + +[ req ] +default_bits = 1024 +default_keyfile = /var/lib/misc/HOST_privatekey.pem +distinguished_name = req_distinguished_name +prompt = no +default_days = 3650 +string_mask = nombstr +req_extensions = v3_req + +[ req_distinguished_name ] +countryName = HR +#stateOrProvinceName = +#localityName = +organizationName = DOMAIN +#organizationalUnitName = +commonName = HOST +emailAddress = WEBMASTER + +[ v3_req ] +subjectAltName=DNS:HOST,DNS:www.DOMAIN,DNS:mail.DOMAIN,DNS:ldap.DOMAIN,DNS:webmail.DOMAIN diff --git a/templates/ssl.template b/templates/ssl.template new file mode 100644 index 0000000..a060692 --- /dev/null +++ b/templates/ssl.template 
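Review bot: `subjectAltName=DNS:HOST,DNS:www.DOMAIN,DNS:mail.DOMAIN,DNS:ldap.DOMAIN,DNS:webmail.DOMAIN` makes the web server's key valid for the mail, LDAP and webmail names whether or not this host serves them, so a compromise of /etc/ssl/private/apache2.key lets an attacker impersonate those services as well; limit the SAN to the names this host actually answers for, e.g. `subjectAltName=DNS:HOST,DNS:www.DOMAIN`. Note also that carnet-generate-ssl signs with `openssl x509 -req -extfile` and no `-extensions`, which takes extensions from the default section or from an `extensions` key in it, not from `req_extensions`; since this file defines only `req_extensions`, the SAN may not appear in the issued certificate at all — verify with `openssl x509 -noout -text -in /etc/ssl/certs/apache2.pem` and, if so, add `extensions = v3_req` to the default section. `default_bits = 1024` is below the 2048-bit floor a practitioner would expect today.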
@@ -0,0 +1,29 @@ + + +# Since SSL has no NameVirtualHosts, and we don't support machines with +# multiple IP addresses yet, make this a simple default config. + + + ServerAdmin webmaster@HOST.DOMAIN + ServerName HOST.DOMAIN + DocumentRoot DOCROOT + LogLevel warn + ErrorLog /var/log/apache2/ssl-HOST.DOMAIN-error.log + CustomLog /var/log/apache2/ssl-HOST.DOMAIN-access.log combined + + SSLEngine on + SSLCertificateFile /etc/ssl/certs/apache2.pem + SSLCertificateKeyFile /etc/ssl/private/apache2.key + # SSLCertificateChainFile /etc/ssl/certs/sureserverEDU.pem + + # + # # AllowOverride All + # AllowOverride None + # Options OPTIONS + # Order allow,deny + # Allow from all + # + + + +
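Review bot: The SSL vhost sets only `SSLEngine on` and the certificate paths, so protocol and cipher policy is inherited from mods-available/ssl.conf, which this commit neither ships nor pins; whatever defaults the installed mod_ssl has apply. Pin it in the template so the policy travels with the package: `SSLProtocol all -SSLv2 -SSLv3`, `SSLHonorCipherOrder on`, and an explicit `SSLCipherSuite`. The `<Directory DOCROOT>` block is entirely commented out, so access control for DOCROOT falls through to the server-wide defaults; a one-line comment stating that this is intentional would help the next maintainer.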