From 74f4d4ac8639cea7a0e02e66fe8aa491405ef46d Mon Sep 17 00:00:00 2001 
From: Frank Brehm
Date: Thu, 3 Apr 2014 14:29:58 +0200
Subject: [PATCH] Current state
---
apache2/httpd.conf | 167 --------
apache2/magic | 382 -------------------
apache2/modules.d/.keep_www-servers_apache-2 | 0
apache2/modules.d/00_default_settings.conf | 134 -------
apache2/modules.d/00_error_documents.conf | 58 ---
apache2/modules.d/00_languages.conf | 133 -------
apache2/modules.d/00_mod_autoindex.conf | 83 ----
apache2/modules.d/00_mod_info.conf | 12 -
apache2/modules.d/00_mod_log_config.conf | 35 --
apache2/modules.d/00_mod_mime.conf | 55 ---
apache2/modules.d/00_mod_status.conf | 17 -
apache2/modules.d/00_mod_userdir.conf | 34 --
apache2/modules.d/00_mpm.conf | 99 -----
apache2/modules.d/10_mod_mem_cache.conf | 10 -
apache2/modules.d/40_mod_ssl.conf | 63 ---
apache2/modules.d/45_mod_dav.conf | 19 -
apache2/modules.d/46_mod_ldap.conf | 20 -
apache2/vhosts.d/.keep_www-servers_apache-2 | 0
apache2/vhosts.d/00_default_ssl_vhost.conf | 179 ---------
apache2/vhosts.d/00_default_vhost.conf | 48 ---
apache2/vhosts.d/default_vhost.include | 73 ----
ca-certificates.conf | 4 +-
config-archive/etc/ssh/sshd_config | 29 +-
config-archive/etc/ssh/sshd_config.1 | 205 ++++++++++
config-archive/etc/ssh/sshd_config.dist | 7 +-
drirc | 50 ++-
hosts.allow | 17 +
init.d/apache2 | 182 ---------
init.d/samba | 7 +-
logrotate.d/apache2 | 11 -
logrotate.d/consolekit | 8 +
pam.d/mate-screensaver | 4 +-
portage/package.keywords/common | 3 +
portage/package.use | 2 +-
runlevels/default/xdm | 1 +
ssh/ssh_host_ed25519_key | 7 +
ssh/ssh_host_ed25519_key.pub | 1 +
ssh/sshd_config | 7 +-
ssl/certs/4597689c.0 | 1 -
ssl/certs/656b3e35.0 | 1 -
ssl/certs/9818ca0b.0 | 1 -
ssl/certs/b097d71d.0 | 1 -
zonecheck/afnic.profile | 129 -------
zonecheck/de.profile | 134 -------
zonecheck/default.profile | 174 ---------
zonecheck/reverse.profile | 108 ------
zonecheck/rootservers | 31 --
zonecheck/zc.conf | 122 ------
48 files changed, 329 insertions(+), 2539 deletions(-)
delete mode 100644 
apache2/httpd.conf
delete mode 100644 apache2/magic
delete mode 100644 apache2/modules.d/.keep_www-servers_apache-2
delete mode 100644 apache2/modules.d/00_default_settings.conf
delete mode 100644 apache2/modules.d/00_error_documents.conf
delete mode 100644 apache2/modules.d/00_languages.conf
delete mode 100644 apache2/modules.d/00_mod_autoindex.conf
delete mode 100644 apache2/modules.d/00_mod_info.conf
delete mode 100644 apache2/modules.d/00_mod_log_config.conf
delete mode 100644 apache2/modules.d/00_mod_mime.conf
delete mode 100644 apache2/modules.d/00_mod_status.conf
delete mode 100644 apache2/modules.d/00_mod_userdir.conf
delete mode 100644 apache2/modules.d/00_mpm.conf
delete mode 100644 apache2/modules.d/10_mod_mem_cache.conf
delete mode 100644 apache2/modules.d/40_mod_ssl.conf
delete mode 100644 apache2/modules.d/45_mod_dav.conf
delete mode 100644 apache2/modules.d/46_mod_ldap.conf
delete mode 100644 apache2/vhosts.d/.keep_www-servers_apache-2
delete mode 100644 apache2/vhosts.d/00_default_ssl_vhost.conf
delete mode 100644 apache2/vhosts.d/00_default_vhost.conf
delete mode 100644 apache2/vhosts.d/default_vhost.include
create mode 100644 config-archive/etc/ssh/sshd_config.1
create mode 100644 hosts.allow
delete mode 100755 init.d/apache2
delete mode 100644 logrotate.d/apache2
create mode 100644 logrotate.d/consolekit
create mode 120000 runlevels/default/xdm
create mode 100644 ssh/ssh_host_ed25519_key
create mode 100644 ssh/ssh_host_ed25519_key.pub
delete mode 120000 ssl/certs/4597689c.0
delete mode 120000 ssl/certs/656b3e35.0
delete mode 120000 ssl/certs/9818ca0b.0
delete mode 120000 ssl/certs/b097d71d.0
delete mode 100644 zonecheck/afnic.profile
delete mode 100644 zonecheck/de.profile
delete mode 100644 zonecheck/default.profile
delete mode 100644 zonecheck/reverse.profile
delete mode 100644 zonecheck/rootservers
delete mode 100644 zonecheck/zc.conf
diff --git a/apache2/httpd.conf b/apache2/httpd.conf
deleted file mode 100644
index 46b57fc..0000000
--- a/apache2/httpd.conf
+++ /dev/null
@@ -1,167 +0,0 @@
-# This is a modification of the default Apache 2.2 configuration file
-# for Gentoo Linux.
-#
-# Support:
-# http://www.gentoo.org/main/en/lists.xml [mailing lists]
-# http://forums.gentoo.org/ [web forums]
-# irc://irc.freenode.net#gentoo-apache [irc chat]
-#
-# Bug Reports:
-# http://bugs.gentoo.org [gentoo related bugs]
-# http://httpd.apache.org/bug_report.html [apache httpd related bugs]
-#
-#
-# This is the main Apache HTTP server configuration file. It contains the
-# configuration directives that give the server its instructions.
-# See for detailed information.
-# In particular, see
-#
-# for a discussion of each configuration directive.
-#
-# Do NOT simply read the instructions in here without understanding
-# what they do. They're here only as hints or reminders. If you are unsure
-# consult the online docs. You have been warned.
-#
-# Configuration and logfile names: If the filenames you specify for many
-# of the server's control files begin with "/" (or "drive:/" for Win32), the
-# server will use that explicit path. If the filenames do *not* begin
-# with "/", the value of ServerRoot is prepended -- so "var/log/apache2/foo_log"
-# with ServerRoot set to "/usr" will be interpreted by the
-# server as "/usr/var/log/apache2/foo.log".
-
-# ServerRoot: The top of the directory tree under which the server's
-# configuration, error, and log files are kept.
-#
-# Do not add a slash at the end of the directory path. If you point
-# ServerRoot at a non-local disk, be sure to point the LockFile directive
-# at a local disk. If you wish to share the same ServerRoot for multiple
-# httpd daemons, you will need to change at least LockFile and PidFile.
-ServerRoot "/usr/lib64/apache2"
-
-# Dynamic Shared Object (DSO) Support
-#
-# To be able to use the functionality of a module which was built as a DSO you
-# have to place corresponding `LoadModule' lines at this location so the
-# directives contained in it are actually available _before_ they are used.
-# Statically compiled modules (those listed by `httpd -l') do not need
-# to be loaded here.
-#
-# Example:
-# LoadModule foo_module modules/mod_foo.so
-#
-# GENTOO: Automatically defined based on APACHE2_MODULES USE_EXPAND variable.
-# Do not change manually, it will be overwritten on upgrade.
-#
-# The following modules are considered as the default configuration.
-# If you wish to disable one of them, you may have to alter other
-# configuration directives.
-#
-# Change these at your own risk!
-
-LoadModule actions_module modules/mod_actions.so
-LoadModule alias_module modules/mod_alias.so
-LoadModule auth_basic_module modules/mod_auth_basic.so
-LoadModule authn_alias_module modules/mod_authn_alias.so
-LoadModule authn_anon_module modules/mod_authn_anon.so
-LoadModule authn_dbm_module modules/mod_authn_dbm.so
-LoadModule authn_default_module modules/mod_authn_default.so
-LoadModule authn_file_module modules/mod_authn_file.so
-
-LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
-
-LoadModule authz_dbm_module modules/mod_authz_dbm.so
-LoadModule authz_default_module modules/mod_authz_default.so
-LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
-LoadModule authz_host_module modules/mod_authz_host.so
-LoadModule authz_owner_module modules/mod_authz_owner.so
-LoadModule authz_user_module modules/mod_authz_user.so
-LoadModule autoindex_module modules/mod_autoindex.so
-
-LoadModule cache_module modules/mod_cache.so
-
-LoadModule cgi_module modules/mod_cgi.so
-LoadModule cgid_module modules/mod_cgid.so
-
-LoadModule dav_module modules/mod_dav.so
-
-
-LoadModule dav_fs_module modules/mod_dav_fs.so
-
-
-LoadModule dav_lock_module 
modules/mod_dav_lock.so
-
-LoadModule deflate_module modules/mod_deflate.so
-LoadModule dir_module modules/mod_dir.so
-
-LoadModule disk_cache_module modules/mod_disk_cache.so
-
-LoadModule env_module modules/mod_env.so
-LoadModule expires_module modules/mod_expires.so
-LoadModule ext_filter_module modules/mod_ext_filter.so
-
-LoadModule file_cache_module modules/mod_file_cache.so
-
-LoadModule filter_module modules/mod_filter.so
-LoadModule headers_module modules/mod_headers.so
-LoadModule include_module modules/mod_include.so
-
-LoadModule info_module modules/mod_info.so
-
-
-LoadModule ldap_module modules/mod_ldap.so
-
-LoadModule log_config_module modules/mod_log_config.so
-LoadModule logio_module modules/mod_logio.so
-
-LoadModule mem_cache_module modules/mod_mem_cache.so
-
-LoadModule mime_module modules/mod_mime.so
-LoadModule mime_magic_module modules/mod_mime_magic.so
-LoadModule negotiation_module modules/mod_negotiation.so
-LoadModule rewrite_module modules/mod_rewrite.so
-LoadModule setenvif_module modules/mod_setenvif.so
-LoadModule speling_module modules/mod_speling.so
-
-LoadModule ssl_module modules/mod_ssl.so
-
-
-LoadModule status_module modules/mod_status.so
-
-
-LoadModule suexec_module modules/mod_suexec.so
-
-LoadModule unique_id_module modules/mod_unique_id.so
-
-LoadModule userdir_module modules/mod_userdir.so
-
-LoadModule usertrack_module modules/mod_usertrack.so
-LoadModule vhost_alias_module modules/mod_vhost_alias.so
-
-# If you wish httpd to run as a different user or group, you must run
-# httpd as root initially and it will switch.
-#
-# User/Group: The name (or #number) of the user/group to run httpd as.
-# It is usually good practice to create a dedicated user and group for
-# running httpd, as with most system services.
-User apache
-Group apache
-
-# Supplemental configuration
-#
-# Most of the configuration files in the /etc/apache2/modules.d/ directory can
-# be turned on using APACHE2_OPTS in /etc/conf.d/apache2 to add extra features
-# or to modify the default configuration of the server.
-#
-# To know which flag to add to APACHE2_OPTS, look at the first line of the
-# the file, which will usually be an where OPTION is the
-# flag to use.
-Include /etc/apache2/modules.d/*.conf
-
-# Virtual-host support
-#
-# Gentoo has made using virtual-hosts easy. In /etc/apache2/vhosts.d/ we
-# include a default vhost (enabled by adding -D DEFAULT_VHOST to
-# APACHE2_OPTS in /etc/conf.d/apache2).
-Include /etc/apache2/vhosts.d/*.conf
-
-# vim: ts=4 filetype=apache
diff --git a/apache2/magic b/apache2/magic
deleted file mode 100644
index 0de7336..0000000
--- a/apache2/magic
+++ /dev/null
@@ -1,382 +0,0 @@ -# Magic data for mod_mime_magic Apache module (originally for file(1) command) -# The module is described in /manual/mod/mod_mime_magic.html -# -# The format is 4-5 columns: -# Column #1: byte number to begin checking from, ">" indicates continuation -# Column #2: type of data to match -# Column #3: contents of data to match -# Column #4: MIME type of result -# Column #5: MIME encoding of result (optional) - -#------------------------------------------------------------------------------ -# Localstuff: file(1) magic for locally observed files -# Add any locally observed files here. - -#------------------------------------------------------------------------------ -# end local stuff -#------------------------------------------------------------------------------ - -#------------------------------------------------------------------------------ -# Java - -0 short 0xcafe ->2 short 0xbabe application/java - -#------------------------------------------------------------------------------ -# audio: file(1) magic for sound formats -# -# from Jan Nicolai Langfeldt , -# - -# Sun/NeXT audio data -0 string .snd ->12 belong 1 audio/basic ->12 belong 2 audio/basic ->12 belong 3 audio/basic ->12 belong 4 audio/basic ->12 belong 5 audio/basic ->12 belong 6 audio/basic ->12 belong 7 audio/basic - ->12 belong 23 audio/x-adpcm - -# DEC systems (e.g. DECstation 5000) use a variant of the Sun/NeXT format -# that uses little-endian encoding and has a different magic number -# (0x0064732E in little-endian encoding). 
-0 lelong 0x0064732E ->12 lelong 1 audio/x-dec-basic ->12 lelong 2 audio/x-dec-basic ->12 lelong 3 audio/x-dec-basic ->12 lelong 4 audio/x-dec-basic ->12 lelong 5 audio/x-dec-basic ->12 lelong 6 audio/x-dec-basic ->12 lelong 7 audio/x-dec-basic -# compressed (G.721 ADPCM) ->12 lelong 23 audio/x-dec-adpcm - -# Bytes 0-3 of AIFF, AIFF-C, & 8SVX audio files are "FORM" -# AIFF audio data -8 string AIFF audio/x-aiff -# AIFF-C audio data -8 string AIFC audio/x-aiff -# IFF/8SVX audio data -8 string 8SVX audio/x-aiff - -# Creative Labs AUDIO stuff -# Standard MIDI data -0 string MThd audio/unknown -#>9 byte >0 (format %d) -#>11 byte >1 using %d channels -# Creative Music (CMF) data -0 string CTMF audio/unknown -# SoundBlaster instrument data -0 string SBI audio/unknown -# Creative Labs voice data -0 string Creative\ Voice\ File audio/unknown -## is this next line right? it came this way... -#>19 byte 0x1A -#>23 byte >0 - version %d -#>22 byte >0 \b.%d - -# [GRR 950115: is this also Creative Labs? Guessing that first line -# should be string instead of unknown-endian long...] -#0 long 0x4e54524b MultiTrack sound data -#0 string NTRK MultiTrack sound data -#>4 long x - version %ld - -# Microsoft WAVE format (*.wav) -# [GRR 950115: probably all of the shorts and longs should be leshort/lelong] -# Microsoft RIFF -0 string RIFF audio/unknown -# - WAVE format ->8 string WAVE audio/x-wav -# MPEG audio. -0 beshort&0xfff0 0xfff0 audio/mpeg -# C64 SID Music files, from Linus Walleij -0 string PSID audio/prs.sid - -#------------------------------------------------------------------------------ -# c-lang: file(1) magic for C programs or various scripts -# - -# XPM icons (Greg Roelofs, newt@uchicago.edu) -# ideally should go into "images", but entries below would tag XPM as C source -0 string /*\ XPM image/x-xbm 7bit - -# this first will upset you if you're a PL/1 shop... (are there any left?) 
-# in which case rm it; ascmagic will catch real C programs -# C or REXX program text -0 string /* text/plain -# C++ program text -0 string // text/plain - -#------------------------------------------------------------------------------ -# compress: file(1) magic for pure-compression formats (no archives) -# -# compress, gzip, pack, compact, huf, squeeze, crunch, freeze, yabba, whap, etc. -# -# Formats for various forms of compressed data -# Formats for "compress" proper have been moved into "compress.c", -# because it tries to uncompress it to figure out what's inside. - -# standard unix compress -0 string \037\235 application/octet-stream x-compress - -# gzip (GNU zip, not to be confused with [Info-ZIP/PKWARE] zip archiver) -0 string \037\213 application/octet-stream x-gzip - -# According to gzip.h, this is the correct byte order for packed data. -0 string \037\036 application/octet-stream -# -# This magic number is byte-order-independent. -# -0 short 017437 application/octet-stream - -# XXX - why *two* entries for "compacted data", one of which is -# byte-order independent, and one of which is byte-order dependent? -# -# compacted data -0 short 0x1fff application/octet-stream -0 string \377\037 application/octet-stream -# huf output -0 short 0145405 application/octet-stream - -# Squeeze and Crunch... -# These numbers were gleaned from the Unix versions of the programs to -# handle these formats. Note that I can only uncrunch, not crunch, and -# I didn't have a crunched file handy, so the crunch number is untested. -# Keith Waclena -#0 leshort 0x76FF squeezed data (CP/M, DOS) -#0 leshort 0x76FE crunched data (CP/M, DOS) - -# Freeze -#0 string \037\237 Frozen file 2.1 -#0 string \037\236 Frozen file 1.0 (or gzip 0.5) - -# lzh? 
-#0 string \037\240 LZH compressed data - -#------------------------------------------------------------------------------ -# frame: file(1) magic for FrameMaker files -# -# This stuff came on a FrameMaker demo tape, most of which is -# copyright, but this file is "published" as witness the following: -# -0 string \ -# and Anna Shergold -# -0 string \ -0 string \14 byte 12 (OS/2 1.x format) -#>14 byte 64 (OS/2 2.x format) -#>14 byte 40 (Windows 3.x format) -#0 string IC icon -#0 string PI pointer -#0 string CI color icon -#0 string CP color pointer -#0 string BA bitmap array - - -#------------------------------------------------------------------------------ -# lisp: file(1) magic for lisp programs -# -# various lisp types, from Daniel Quinlan (quinlan@yggdrasil.com) -0 string ;; text/plain 8bit -# Emacs 18 - this is always correct, but not very magical. -0 string \012( application/x-elc -# Emacs 19 -0 string ;ELC\023\000\000\000 application/x-elc - -#------------------------------------------------------------------------------ -# mail.news: file(1) magic for mail and news -# -# There are tests to ascmagic.c to cope with mail and news. -0 string Relay-Version: message/rfc822 7bit -0 string #!\ rnews message/rfc822 7bit -0 string N#!\ rnews message/rfc822 7bit -0 string Forward\ to message/rfc822 7bit -0 string Pipe\ to message/rfc822 7bit -0 string Return-Path: message/rfc822 7bit -0 string Path: message/news 8bit -0 string Xref: message/news 8bit -0 string 
From: message/rfc822 7bit -0 string Article message/news 8bit -#------------------------------------------------------------------------------ -# msword: file(1) magic for MS Word files -# -# Contributor claims: -# Reversed-engineered MS Word magic numbers -# - -0 string \376\067\0\043 application/msword -0 string \333\245-\0\0\0 application/msword - -# disable this one because it applies also to other -# Office/OLE documents for which msword is not correct. See PR#2608. -#0 string \320\317\021\340\241\261 application/msword - - - -#------------------------------------------------------------------------------ -# printer: file(1) magic for printer-formatted files -# - -# PostScript -0 string %! application/postscript -0 string \004%! application/postscript - -# Acrobat -# (due to clamen@cs.cmu.edu) -0 string %PDF- application/pdf - -#------------------------------------------------------------------------------ -# sc: file(1) magic for "sc" spreadsheet -# -38 string Spreadsheet application/x-sc - -#------------------------------------------------------------------------------ -# tex: file(1) magic for TeX files -# -# XXX - needs byte-endian stuff (big-endian and little-endian DVI?) -# -# From - -# Although we may know the offset of certain text fields in TeX DVI -# and font files, we can't use them reliably because they are not -# zero terminated. [but we do anyway, christos] -0 string \367\002 application/x-dvi -#0 string \367\203 TeX generic font data -#0 string \367\131 TeX packed font data -#0 string \367\312 TeX virtual font data -#0 string This\ is\ TeX, TeX transcript text -#0 string This\ is\ METAFONT, METAFONT transcript text - -# There is no way to detect TeX Font Metric (*.tfm) files without -# breaking them apart and reading the data. The following patterns -# match most *.tfm files generated by METAFONT or afm2tfm. 
-#2 string \000\021 TeX font metric data -#2 string \000\022 TeX font metric data -#>34 string >\0 (%s) - -# Texinfo and GNU Info, from Daniel Quinlan (quinlan@yggdrasil.com) -#0 string \\input\ texinfo Texinfo source text -#0 string This\ is\ Info\ file GNU Info text - -# correct TeX magic for Linux (and maybe more) -# from Peter Tobias (tobias@server.et-inf.fho-emden.de) -# -0 leshort 0x02f7 application/x-dvi - -# RTF - Rich Text Format -0 string {\\rtf application/rtf - -#------------------------------------------------------------------------------ -# animation: file(1) magic for animation/movie formats -# -# animation formats, originally from vax@ccwf.cc.utexas.edu (VaX#n8) -# MPEG file -0 string \000\000\001\263 video/mpeg -# -# The contributor claims: -# I couldn't find a real magic number for these, however, this -# -appears- to work. Note that it might catch other files, too, -# so BE CAREFUL! -# -# Note that title and author appear in the two 20-byte chunks -# at decimal offsets 2 and 22, respectively, but they are XOR'ed with -# 255 (hex FF)! DL format SUCKS BIG ROCKS. -# -# DL file version 1 , medium format (160x100, 4 images/screen) -0 byte 1 video/unknown -0 byte 2 video/unknown -# Quicktime video, from Linus Walleij -# from Apple quicktime file format documentation. -4 string moov video/quicktime -4 string mdat video/quicktime - diff --git a/apache2/modules.d/.keep_www-servers_apache-2 b/apache2/modules.d/.keep_www-servers_apache-2 deleted file mode 100644 index e69de29..0000000 diff --git a/apache2/modules.d/00_default_settings.conf b/apache2/modules.d/00_default_settings.conf deleted file mode 100644 index 0fa43b2..0000000 --- a/apache2/modules.d/00_default_settings.conf +++ /dev/null 
@@ -1,134 +0,0 @@
-# This configuration file reflects default settings for Apache HTTP Server.
-# You may change these, but chances are that you may not need to.
-
-# Timeout: The number of seconds before receives and sends time out.
-Timeout 300
-
-# KeepAlive: Whether or not to allow persistent connections (more than
-# one request per connection). Set to "Off" to deactivate.
-KeepAlive On
-
-# MaxKeepAliveRequests: The maximum number of requests to allow
-# during a persistent connection. Set to 0 to allow an unlimited amount.
-# We recommend you leave this number high, for maximum performance.
-MaxKeepAliveRequests 100
-
-# KeepAliveTimeout: Number of seconds to wait for the next request from the
-# same client on the same connection.
-KeepAliveTimeout 15
-
-# UseCanonicalName: Determines how Apache constructs self-referencing
-# URLs and the SERVER_NAME and SERVER_PORT variables.
-# When set "Off", Apache will use the Hostname and Port supplied
-# by the client. When set "On", Apache will use the value of the
-# ServerName directive.
-UseCanonicalName Off
-
-# AccessFileName: The name of the file to look for in each directory
-# for additional configuration directives. See also the AllowOverride
-# directive.
-AccessFileName .htaccess
-
-# ServerTokens
-# This directive configures what you return as the Server HTTP response
-# Header. The default is 'Full' which sends information about the OS-Type
-# and compiled in modules.
-# Set to one of: Full | OS | Minor | Minimal | Major | Prod
-# where Full conveys the most information, and Prod the least.
-ServerTokens Prod
-
-# TraceEnable
-# This directive overrides the behavior of TRACE for both the core server and
-# mod_proxy. The default TraceEnable on permits TRACE requests per RFC 2616,
-# which disallows any request body to accompany the request. TraceEnable off
-# causes the core server and mod_proxy to return a 405 (Method not allowed)
-# error to the client.
-# For security reasons this is turned off by default. (bug #240680)
-TraceEnable off
-
-# Optionally add a line containing the server version and virtual host
-# name to server-generated pages (internal error documents, FTP directory
-# listings, mod_status and mod_info output etc., but not CGI generated
-# documents or custom error documents).
-# Set to "EMail" to also include a mailto: link to the ServerAdmin.
-# Set to one of: On | Off | EMail
-ServerSignature On
-
-# HostnameLookups: Log the names of clients or just their IP addresses
-# e.g., www.apache.org (on) or 204.62.129.132 (off).
-# The default is off because it'd be overall better for the net if people
-# had to knowingly turn this feature on, since enabling it means that
-# each client request will result in AT LEAST one lookup request to the
-# nameserver.
-HostnameLookups Off
-
-# EnableMMAP and EnableSendfile: On systems that support it,
-# memory-mapping or the sendfile syscall is used to deliver
-# files. This usually improves server performance, but must
-# be turned off when serving from networked-mounted
-# filesystems or if support for these functions is otherwise
-# broken on your system.
-EnableMMAP On
-EnableSendfile On
-
-# FileEtag: Configures the file attributes that are used to create
-# the ETag (entity tag) response header field when the document is
-# based on a static file. (The ETag value is used in cache management
-# to save network bandwidth.)
-FileEtag INode MTime Size
-
-# ContentDigest: This directive enables the generation of Content-MD5
-# headers as defined in RFC1864 respectively RFC2616.
-# The Content-MD5 header provides an end-to-end message integrity
-# check (MIC) of the entity-body. A proxy or client may check this
-# header for detecting accidental modification of the entity-body
-# in transit.
-# Note that this can cause performance problems on your server since
-# the message digest is computed on every request (the values are
-# not cached).
-# Content-MD5 is only sent for documents served by the core, and not
-# by any module. For example, SSI documents, output from CGI scripts,
-# and byte range responses do not have this header.
-ContentDigest Off
-
-# ErrorLog: The location of the error log file.
-# If you do not specify an ErrorLog directive within a
-# container, error messages relating to that virtual host will be
-# logged here. If you *do* define an error logfile for a
-# container, that host's errors will be logged there and not here.
-ErrorLog /var/log/apache2/error_log
-
-# LogLevel: Control the number of messages logged to the error_log.
-# Possible values include: debug, info, notice, warn, error, crit,
-# alert, emerg.
-LogLevel warn
-
-# We configure the "default" to be a very restrictive set of features.
-
- Options FollowSymLinks
- AllowOverride None
- Order deny,allow
- Deny from all
-
-
-# DirectoryIndex: sets the file that Apache will serve if a directory
-# is requested.
-#
-# The index.html.var file (a type-map) is used to deliver content-
-# negotiated documents. The MultiViews Options can be used for the
-# same purpose, but it is much slower.
-#
-# To add files to that list use AddDirectoryIndex in a custom config
-# file. Do not change this entry unless you know what you are doing.
-
- DirectoryIndex index.html index.html.var
-
-
-# The following lines prevent .htaccess and .htpasswd files from being
-# viewed by Web clients.
-
- Order allow,deny
- Deny from all
-
-
-# vim: ts=4 filetype=apache
diff --git a/apache2/modules.d/00_error_documents.conf b/apache2/modules.d/00_error_documents.conf
deleted file mode 100644
index 815668f..0000000
--- a/apache2/modules.d/00_error_documents.conf
+++ /dev/null
@@ -1,58 +0,0 @@
-# The configuration below implements multi-language error documents through
-# content-negotiation.
-
-# Customizable error responses come in three flavors:
-# 1) plain text 2) local redirects 3) external redirects
-# Some examples:
-#ErrorDocument 500 "The server made a boo boo."
-#ErrorDocument 404 /missing.html
-#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
-#ErrorDocument 402 http://www.example.com/subscription_info.html
-
-# Required modules: mod_alias, mod_include, mod_negotiation
-# We use Alias to redirect any /error/HTTP_.html.var response to
-# our collection of by-error message multi-language collections. We use
-# includes to substitute the appropriate text.
-# You can modify the messages' appearance without changing any of the
-# default HTTP_.html.var files by adding the line:
-# Alias /error/include/ "/your/include/path/"
-# which allows you to create your own set of files by starting with the
-# /var/www/localhost/error/include/ files and copying them to /your/include/path/,
-# even on a per-VirtualHost basis. The default include files will display
-# your Apache version number and your ServerAdmin email address regardless
-# of the setting of ServerSignature.
-
-Alias /error/ "/usr/share/apache2/error/"
-
-
- AllowOverride None
- Options IncludesNoExec
- AddOutputFilter Includes html
- AddHandler type-map var
- Order allow,deny
- Allow from all
- LanguagePriority en cs de es fr it ja ko nl pl pt-br ro sv tr
- ForceLanguagePriority Prefer Fallback
-
-
-ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var
-ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var
-ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var
-ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var
-ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var
-ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var
-ErrorDocument 410 /error/HTTP_GONE.html.var
-ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var
-ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var
-ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var
-ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var
-ErrorDocument 415 /error/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var
-ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var
-ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var
-ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var
-ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var
-ErrorDocument 506 /error/HTTP_VARIANT_ALSO_VARIES.html.var
-
-
-# vim: ts=4 filetype=apache
diff --git a/apache2/modules.d/00_languages.conf b/apache2/modules.d/00_languages.conf
deleted file mode 100644
index c429bf9..0000000
--- a/apache2/modules.d/00_languages.conf
+++ /dev/null
@@ -1,133 +0,0 @@ -# Settings for hosting different languages. - -# DefaultLanguage and AddLanguage allows you to specify the language of -# a document. You can then use content negotiation to give a browser a -# file in a language the user can understand. -# -# Specify a default language. This means that all data -# going out without a specific language tag (see below) will -# be marked with this one. You probably do NOT want to set -# this unless you are sure it is correct for all cases. -# -# It is generally better to not mark a page as -# being a certain language than marking it with the wrong -# language! -# -# DefaultLanguage nl -# -# Note 1: The suffix does not have to be the same as the language -# keyword --- those with documents in Polish (whose net-standard -# language code is pl) may wish to use "AddLanguage pl .po" to -# avoid the ambiguity with the common suffix for perl scripts. -# -# Note 2: The example entries below illustrate that in some cases -# the two character 'Language' abbreviation is not identical to -# the two character 'Country' code for its country, -# E.g. 'Danmark/dk' versus 'Danish/da'. -# -# Note 3: In the case of 'ltz' we violate the RFC by using a three char -# specifier. There is 'work in progress' to fix this and get -# the reference data for rfc1766 cleaned up. 
-# -# Catalan (ca) - Croatian (hr) - Czech (cs) - Danish (da) - Dutch (nl) -# English (en) - Esperanto (eo) - Estonian (et) - French (fr) - German (de) -# Greek-Modern (el) - Hebrew (he) - Italian (it) - Japanese (ja) -# Korean (ko) - Luxembourgeois* (ltz) - Norwegian Nynorsk (nn) -# Norwegian (no) - Polish (pl) - Portugese (pt) -# Brazilian Portuguese (pt-BR) - Russian (ru) - Swedish (sv) -# Simplified Chinese (zh-CN) - Spanish (es) - Traditional Chinese (zh-TW) -AddLanguage ca .ca -AddLanguage cs .cz .cs -AddLanguage da .dk -AddLanguage de .de -AddLanguage el .el -AddLanguage en .en -AddLanguage eo .eo -AddLanguage es .es -AddLanguage et .et -AddLanguage fr .fr -AddLanguage he .he -AddLanguage hr .hr -AddLanguage it .it -AddLanguage ja .ja -AddLanguage ko .ko -AddLanguage ltz .ltz -AddLanguage nl .nl -AddLanguage nn .nn -AddLanguage no .no -AddLanguage pl .po -AddLanguage pt .pt -AddLanguage pt-BR .pt-br -AddLanguage ru .ru -AddLanguage sv .sv -AddLanguage zh-CN .zh-cn -AddLanguage zh-TW .zh-tw - -# LanguagePriority allows you to give precedence to some languages -# in case of a tie during content negotiation. -# -# Just list the languages in decreasing order of preference. We have -# more or less alphabetized them here. You probably want to change this. -LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt pt-BR ru sv zh-CN zh-TW - -# ForceLanguagePriority allows you to serve a result page rather than -# MULTIPLE CHOICES (Prefer) [in case of a tie] or NOT ACCEPTABLE (Fallback) -# [in case no accepted languages matched the available variants] -ForceLanguagePriority Prefer Fallback - -# Commonly used filename extensions to character sets. You probably -# want to avoid clashes with the language extensions, unless you -# are good at carefully testing your setup after each change. -# See http://www.iana.org/assignments/character-sets for the -# official list of charset names and their respective RFCs. 
-AddCharset us-ascii.ascii .us-ascii -AddCharset ISO-8859-1 .iso8859-1 .latin1 -AddCharset ISO-8859-2 .iso8859-2 .latin2 .cen -AddCharset ISO-8859-3 .iso8859-3 .latin3 -AddCharset ISO-8859-4 .iso8859-4 .latin4 -AddCharset ISO-8859-5 .iso8859-5 .cyr .iso-ru -AddCharset ISO-8859-6 .iso8859-6 .arb .arabic -AddCharset ISO-8859-7 .iso8859-7 .grk .greek -AddCharset ISO-8859-8 .iso8859-8 .heb .hebrew -AddCharset ISO-8859-9 .iso8859-9 .latin5 .trk -AddCharset ISO-8859-10 .iso8859-10 .latin6 -AddCharset ISO-8859-13 .iso8859-13 -AddCharset ISO-8859-14 .iso8859-14 .latin8 -AddCharset ISO-8859-15 .iso8859-15 .latin9 -AddCharset ISO-8859-16 .iso8859-16 .latin10 -AddCharset ISO-2022-JP .iso2022-jp .jis -AddCharset ISO-2022-KR .iso2022-kr .kis -AddCharset ISO-2022-CN .iso2022-cn .cis -AddCharset Big5.Big5 .big5 .b5 -AddCharset cn-Big5 .cn-big5 -# For russian, more than one charset is used (depends on client, mostly): -AddCharset WINDOWS-1251 .cp-1251 .win-1251 -AddCharset CP866 .cp866 -AddCharset KOI8 .koi8 -AddCharset KOI8-E .koi8-e -AddCharset KOI8-r .koi8-r .koi8-ru -AddCharset KOI8-U .koi8-u -AddCharset KOI8-ru .koi8-uk .ua -AddCharset ISO-10646-UCS-2 .ucs2 -AddCharset ISO-10646-UCS-4 .ucs4 -AddCharset UTF-7 .utf7 -AddCharset UTF-8 .utf8 -AddCharset UTF-16 .utf16 -AddCharset UTF-16BE .utf16be -AddCharset UTF-16LE .utf16le -AddCharset UTF-32 .utf32 -AddCharset UTF-32BE .utf32be -AddCharset UTF-32LE .utf32le -AddCharset euc-cn .euc-cn -AddCharset euc-gb .euc-gb -AddCharset euc-jp .euc-jp -AddCharset euc-kr .euc-kr -# Not sure how euc-tw got in - IANA doesn't list it??? -AddCharset EUC-TW .euc-tw -AddCharset gb2312 .gb2312 .gb -AddCharset iso-10646-ucs-2 .ucs-2 .iso-10646-ucs-2 -AddCharset iso-10646-ucs-4 .ucs-4 .iso-10646-ucs-4 -AddCharset shift_jis .shift_jis .sjis - - -# vim: ts=4 filetype=apache diff --git a/apache2/modules.d/00_mod_autoindex.conf b/apache2/modules.d/00_mod_autoindex.conf deleted file mode 100644 index ca2a168..0000000 
--- a/apache2/modules.d/00_mod_autoindex.conf +++ /dev/null 
@@ -1,83 +0,0 @@ - - -# We include the /icons/ alias for FancyIndexed directory listings. If -# you do not use FancyIndexing, you may comment this out. -Alias /icons/ "/usr/share/apache2/icons/" - - - Options Indexes MultiViews - AllowOverride None - Order allow,deny - Allow from all - - - -# Directives controlling the display of server-generated directory listings. -# -# To see the listing of a directory, the Options directive for the -# directory must include "Indexes", and the directory must not contain -# a file matching those listed in the DirectoryIndex directive. - -# IndexOptions: Controls the appearance of server-generated directory -# listings. -IndexOptions FancyIndexing VersionSort - -# AddIcon* directives tell the server which icon to show for different -# files or filename extensions. These are only displayed for -# FancyIndexed directories. -AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip - -AddIconByType (TXT,/icons/text.gif) text/* -AddIconByType (IMG,/icons/image2.gif) image/* -AddIconByType (SND,/icons/sound2.gif) audio/* -AddIconByType (VID,/icons/movie.gif) video/* - -AddIcon /icons/binary.gif .bin .exe -AddIcon /icons/binhex.gif .hqx -AddIcon /icons/tar.gif .tar -AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv -AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip -AddIcon /icons/a.gif .ps .ai .eps -AddIcon /icons/layout.gif .html .shtml .htm .pdf -AddIcon /icons/text.gif .txt -AddIcon /icons/c.gif .c -AddIcon /icons/p.gif .pl .py -AddIcon /icons/f.gif .for -AddIcon /icons/dvi.gif .dvi -AddIcon /icons/uuencoded.gif .uu -AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl -AddIcon /icons/tex.gif .tex -AddIcon /icons/bomb.gif core - -AddIcon /icons/back.gif .. -AddIcon /icons/hand.right.gif README -AddIcon /icons/folder.gif ^^DIRECTORY^^ -AddIcon /icons/blank.gif ^^BLANKICON^^ - -# DefaultIcon is which icon to show for files which do not have an icon -# explicitly set. 
-DefaultIcon /icons/unknown.gif
-
-# AddDescription allows you to place a short description after a file in
-# server-generated indexes. These are only displayed for FancyIndexed
-# directories.
-# Format: AddDescription "description" filename
-
-#AddDescription "GZIP compressed document" .gz
-#AddDescription "tar archive" .tar
-#AddDescription "GZIP compressed tar archive" .tgz
-
-# ReadmeName is the name of the README file the server will look for by
-# default, and append to directory listings.
-
-# HeaderName is the name of a file which should be prepended to
-# directory indexes.
-ReadmeName README.html
-HeaderName HEADER.html
-
-# IndexIgnore is a set of filenames which directory indexing should ignore
-# and not include in the listing. Shell-style wildcarding is permitted.
-IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
-
-
-# vim: ts=4 filetype=apache
diff --git a/apache2/modules.d/00_mod_info.conf b/apache2/modules.d/00_mod_info.conf
deleted file mode 100644
index 809c223..0000000
--- a/apache2/modules.d/00_mod_info.conf
+++ /dev/null
@@ -1,12 +0,0 @@
-
-# Allow remote server configuration reports, with the URL of
-# http://servername/server-info
-
- SetHandler server-info
- Order deny,allow
- Deny from all
- Allow from 127.0.0.1
-
-
-
-# vim: ts=4 filetype=apache
diff --git a/apache2/modules.d/00_mod_log_config.conf b/apache2/modules.d/00_mod_log_config.conf
deleted file mode 100644
index ce0238e..0000000
--- a/apache2/modules.d/00_mod_log_config.conf
+++ /dev/null
@@ -1,35 +0,0 @@
-
-# The following directives define some format nicknames for use with
-# a CustomLog directive (see below).
-LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
-LogFormat "%h %l %u %t \"%r\" %>s %b" common
-
-LogFormat "%{Referer}i -> %U" referer
-LogFormat "%{User-Agent}i" agent
-LogFormat "%v %h %l %u %t \"%r\" %>s %b %T" script
-LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" VLOG=%{VLOG}e" vhost
-
-
-# You need to enable mod_logio.c to use %I and %O
-LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
-LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" vhostio
-
-
-# The location and format of the access logfile (Common Logfile Format).
-# If you do not define any access logfiles within a
-# container, they will be logged here. Contrariwise, if you *do*
-# define per- access logfiles, transactions will be
-# logged therein and *not* in this file.
-CustomLog /var/log/apache2/access_log common
-
-# If you would like to have agent and referer logfiles,
-# uncomment the following directives.
-#CustomLog /var/log/apache2/referer_log referer
-#CustomLog /var/log/apache2/agent_logs agent
-
-# If you prefer a logfile with access, agent, and referer information
-# (Combined Logfile Format) you can use the following directive.
-#CustomLog /var/log/apache2/access_log combined
-
-
-# vim: ts=4 filetype=apache
diff --git a/apache2/modules.d/00_mod_mime.conf b/apache2/modules.d/00_mod_mime.conf
deleted file mode 100644
index 51f23d5..0000000
--- a/apache2/modules.d/00_mod_mime.conf
+++ /dev/null
@@ -1,55 +0,0 @@ -# DefaultType: the default MIME type the server will use for a document -# if it cannot otherwise determine one, such as from filename extensions. -# If your server contains mostly text or HTML documents, "text/plain" is -# a good value. If most of your content is binary, such as applications -# or images, you may want to use "application/octet-stream" instead to -# keep browsers from trying to display binary files as though they are -# text. -DefaultType text/plain - - -# TypesConfig points to the file containing the list of mappings from -# filename extension to MIME-type. -TypesConfig /etc/mime.types - -# AddType allows you to add to or override the MIME configuration -# file specified in TypesConfig for specific file types. -#AddType application/x-gzip .tgz - -# AddEncoding allows you to have certain browsers uncompress -# information on the fly. Note: Not all browsers support this. -#AddEncoding x-compress .Z -#AddEncoding x-gzip .gz .tgz - -# If the AddEncoding directives above are commented-out, then you -# probably should define those extensions to indicate media types: -AddType application/x-compress .Z -AddType application/x-gzip .gz .tgz - -# AddHandler allows you to map certain file extensions to "handlers": -# actions unrelated to filetype. These can be either built into the server -# or added with the Action directive (see below) - -# To use CGI scripts outside of ScriptAliased directories: -# (You will also need to add "ExecCGI" to the "Options" directive.) -#AddHandler cgi-script .cgi - -# For type maps (negotiated resources): -#AddHandler type-map var - -# Filters allow you to process content before it is sent to the client. -# -# To parse .shtml files for server-side includes (SSI): -# (You will also need to add "Includes" to the "Options" directive.) 
-#AddType text/html .shtml
-#AddOutputFilter INCLUDES .shtml
-
-
-
-# The mod_mime_magic module allows the server to use various hints from the
-# contents of the file itself to determine its type. The MIMEMagicFile
-# directive tells the module where the hint definitions are located.
-MIMEMagicFile /etc/apache2/magic
-
-
-# vim: ts=4 filetype=apache
diff --git a/apache2/modules.d/00_mod_status.conf b/apache2/modules.d/00_mod_status.conf
deleted file mode 100644
index edd46a4..0000000
--- a/apache2/modules.d/00_mod_status.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-
-# Allow server status reports generated by mod_status,
-# with the URL of http://servername/server-status
-
- SetHandler server-status
- Order deny,allow
- Deny from all
- Allow from 127.0.0.1
-
-
-# ExtendedStatus controls whether Apache will generate "full" status
-# information (ExtendedStatus On) or just basic information (ExtendedStatus
-# Off) when the "server-status" handler is called.
-ExtendedStatus On
-
-
-# vim: ts=4 filetype=apache
diff --git a/apache2/modules.d/00_mod_userdir.conf b/apache2/modules.d/00_mod_userdir.conf
deleted file mode 100644
index da7d0fb..0000000
--- a/apache2/modules.d/00_mod_userdir.conf
+++ /dev/null
@@ -1,34 +0,0 @@ -# Settings for user home directories - -# UserDir: The name of the directory that is appended onto a user's home -# directory if a ~user request is received. Note that you must also set -# the default access control for these directories, as in the example below. -UserDir public_html - -# Control access to UserDir directories. The following is an example -# for a site where these directories are restricted to read-only. - - AllowOverride FileInfo AuthConfig Limit Indexes - Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec - - Order allow,deny - Allow from all - - - Order deny,allow - Deny from all - - - -# Suexec isn't really required to run cgi-scripts, but it's a really good -# idea if you have multiple users serving websites... - - - Options ExecCGI - SetHandler cgi-script - - - - - -# vim: ts=4 filetype=apache diff --git a/apache2/modules.d/00_mpm.conf b/apache2/modules.d/00_mpm.conf deleted file mode 100644 index 20effa9..0000000 --- a/apache2/modules.d/00_mpm.conf +++ /dev/null 
@@ -1,99 +0,0 @@ -# Server-Pool Management (MPM specific) - -# PidFile: The file in which the server should record its process -# identification number when it starts. -# -# DO NOT CHANGE UNLESS YOU KNOW WHAT YOU ARE DOING -PidFile /var/run/apache2.pid - -# The accept serialization lock file MUST BE STORED ON A LOCAL DISK. -#LockFile /var/run/apache2.lock - -# Only one of the below sections will be relevant on your -# installed httpd. Use "/usr/sbin/apache2 -l" to find out the -# active mpm. - -# common MPM configuration -# These configuration directives apply to all MPMs -# -# StartServers: Number of child server processes created at startup -# MaxClients: Maximum number of child processes to serve requests -# MaxRequestsPerChild: Limit on the number of requests that an individual child -# server will handle during its life - - -# prefork MPM -# This is the default MPM if USE=-threads -# -# MinSpareServers: Minimum number of idle child server processes -# MaxSpareServers: Maximum number of idle child server processes - - StartServers 5 - MinSpareServers 5 - MaxSpareServers 10 - MaxClients 150 - MaxRequestsPerChild 10000 - - -# worker MPM -# This is the default MPM if USE=threads -# -# MinSpareThreads: Minimum number of idle threads available to handle request spikes -# MaxSpareThreads: Maximum number of idle threads -# ThreadsPerChild: Number of threads created by each child process - - StartServers 2 - MinSpareThreads 25 - MaxSpareThreads 75 - ThreadsPerChild 25 - MaxClients 150 - MaxRequestsPerChild 10000 - - -# event MPM -# -# MinSpareThreads: Minimum number of idle threads available to handle request spikes -# MaxSpareThreads: Maximum number of idle threads -# ThreadsPerChild: Number of threads created by each child process - - StartServers 2 - MinSpareThreads 25 - MaxSpareThreads 75 - ThreadsPerChild 25 - MaxClients 150 - MaxRequestsPerChild 10000 - - -# peruser MPM -# -# MinSpareProcessors: Minimum number of idle child server processes -# MinProcessors: 
Minimum number of processors per virtual host -# MaxProcessors: Maximum number of processors per virtual host -# ExpireTimeout: Maximum idle time before a child is killed, 0 to disable -# Multiplexer: Specify a Multiplexer child configuration. -# Processor: Specify a user and group for a specific child process - - MinSpareProcessors 2 - MinProcessors 2 - MaxProcessors 10 - MaxClients 150 - MaxRequestsPerChild 1000 - ExpireTimeout 1800 - - Multiplexer nobody nobody - Processor apache apache - - -# itk MPM -# -# MinSpareServers: Minimum number of idle child server processes -# MaxSpareServers: Maximum number of idle child server processes - - StartServers 5 - MinSpareServers 5 - MaxSpareServers 10 - MaxClients 150 - MaxRequestsPerChild 10000 - - -# vim: ts=4 filetype=apache diff --git a/apache2/modules.d/10_mod_mem_cache.conf b/apache2/modules.d/10_mod_mem_cache.conf deleted file mode 100644 index 520d9fd..0000000 --- a/apache2/modules.d/10_mod_mem_cache.conf +++ /dev/null @@ -1,10 +0,0 @@ - -# 128MB cache for objects < 2MB -CacheEnable mem / -MCacheSize 131072 -MCacheMaxObjectCount 1000 -MCacheMinObjectSize 1 -MCacheMaxObjectSize 2097152 - - -# vim: ts=4 filetype=apache diff --git a/apache2/modules.d/40_mod_ssl.conf b/apache2/modules.d/40_mod_ssl.conf deleted file mode 100644 index 3d0a043..0000000 --- a/apache2/modules.d/40_mod_ssl.conf +++ /dev/null 
@@ -1,63 +0,0 @@ -# Note: The following must must be present to support -# starting without SSL on platforms with no /dev/random equivalent -# but a statically compiled-in mod_ssl. - -SSLRandomSeed startup builtin -SSLRandomSeed connect builtin - - - -# This is the Apache server configuration file providing SSL support. -# It contains the configuration directives to instruct the server how to -# serve pages over an https connection. For detailing information about these -# directives see - -# Do NOT simply read the instructions in here without understanding -# what they do. They're here only as hints or reminders. If you are unsure -# consult the online docs. You have been warned. - -## Pseudo Random Number Generator (PRNG): -# Configure one or more sources to seed the PRNG of the SSL library. -# The seed data should be of good random quality. -# WARNING! On some platforms /dev/random blocks if not enough entropy -# is available. This means you then cannot use the /dev/random device -# because it would lead to very long connection times (as long as -# it requires to make more entropy available). But usually those -# platforms additionally provide a /dev/urandom device which doesn't -# block. So, if available, use this one instead. Read the mod_ssl User -# Manual for more details. -#SSLRandomSeed startup file:/dev/random 512 -#SSLRandomSeed startup file:/dev/urandom 512 -#SSLRandomSeed connect file:/dev/random 512 -#SSLRandomSeed connect file:/dev/urandom 512 - -## SSL Global Context: -# All SSL configuration in this context applies both to the main server and -# all SSL-enabled virtual hosts. - -# Some MIME-types for downloading Certificates and CRLs - - AddType application/x-x509-ca-cert .crt - AddType application/x-pkcs7-crl .crl - - -## Pass Phrase Dialog: -# Configure the pass phrase gathering process. The filtering dialog program -# (`builtin' is a internal terminal dialog) has to provide the pass phrase on -# stdout. 
-SSLPassPhraseDialog builtin
-
-## Inter-Process Session Cache:
-# Configure the SSL Session Cache: First the mechanism to use and second the
-# expiring timeout (in seconds).
-#SSLSessionCache dbm:/var/run/ssl_scache
-SSLSessionCache shmcb:/var/run/ssl_scache(512000)
-SSLSessionCacheTimeout 300
-
-## Semaphore:
-# Configure the path to the mutual exclusion semaphore the SSL engine uses
-# internally for inter-process synchronization.
-SSLMutex file:/var/run/ssl_mutex
-
-
-# vim: ts=4 filetype=apache
diff --git a/apache2/modules.d/45_mod_dav.conf b/apache2/modules.d/45_mod_dav.conf
deleted file mode 100644
index 36f6b9c..0000000
--- a/apache2/modules.d/45_mod_dav.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-
-DavLockDB "/var/lib/dav/lockdb"
-
-# The following directives disable redirects on non-GET requests for
-# a directory that does not include the trailing slash. This fixes a
-# problem with several clients that do not appropriately handle
-# redirects for folders with DAV methods.
-
-BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
-BrowserMatch "MS FrontPage" redirect-carefully
-BrowserMatch "^WebDrive" redirect-carefully
-BrowserMatch "^WebDAVFS/1.[012345678]" redirect-carefully
-BrowserMatch "^gnome-vfs/1.0" redirect-carefully
-BrowserMatch "^XML Spy" redirect-carefully
-BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully
-
-
-
-# vim: ts=4 filetype=apache
diff --git a/apache2/modules.d/46_mod_ldap.conf b/apache2/modules.d/46_mod_ldap.conf
deleted file mode 100644
index c2893f8..0000000
--- a/apache2/modules.d/46_mod_ldap.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# Examples below are taken from the online documentation
-# Refer to:
-# http://localhost/manual/mod/mod_ldap.html
-# http://localhost/manual/mod/mod_auth_ldap.html
-
-LDAPSharedCacheSize 200000
-LDAPCacheEntries 1024
-LDAPCacheTTL 600
-LDAPOpCacheEntries 1024
-LDAPOpCacheTTL 600
-
-
- SetHandler ldap-status
- Order deny,allow
- Deny from all
- Allow from 127.0.0.1
-
-
-
-# vim: ts=4 filetype=apache
diff --git a/apache2/vhosts.d/.keep_www-servers_apache-2 b/apache2/vhosts.d/.keep_www-servers_apache-2
deleted file mode 100644
index e69de29..0000000
diff --git a/apache2/vhosts.d/00_default_ssl_vhost.conf b/apache2/vhosts.d/00_default_ssl_vhost.conf
deleted file mode 100644
index 98bfc2f..0000000
--- a/apache2/vhosts.d/00_default_ssl_vhost.conf
+++ /dev/null
@@ -1,179 +0,0 @@ - - - -# see bug #178966 why this is in here - -# When we also provide SSL we have to listen to the HTTPS port -# Note: Configurations that use IPv6 but not IPv4-mapped addresses need two -# Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443" -Listen 443 - - - ServerName localhost - Include /etc/apache2/vhosts.d/default_vhost.include - ErrorLog /var/log/apache2/ssl_error_log - - - TransferLog /var/log/apache2/ssl_access_log - - - ## SSL Engine Switch: - # Enable/Disable SSL for this virtual host. - SSLEngine on - - ## SSL Cipher Suite: - # List the ciphers that the client is permitted to negotiate. - # See the mod_ssl documentation for a complete list. - SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL - - ## Server Certificate: - # Point SSLCertificateFile at a PEM encoded certificate. If the certificate - # is encrypted, then you will be prompted for a pass phrase. Note that a - # kill -HUP will prompt again. Keep in mind that if you have both an RSA - # and a DSA certificate you can configure both in parallel (to also allow - # the use of DSA ciphers, etc.) - SSLCertificateFile /etc/ssl/apache2/server.crt - - ## Server Private Key: - # If the key is not combined with the certificate, use this directive to - # point at the key file. Keep in mind that if you've both a RSA and a DSA - # private key you can configure both in parallel (to also allow the use of - # DSA ciphers, etc.) - SSLCertificateKeyFile /etc/ssl/apache2/server.key - - ## Server Certificate Chain: - # Point SSLCertificateChainFile at a file containing the concatenation of - # PEM encoded CA certificates which form the certificate chain for the - # server certificate. Alternatively the referenced file can be the same as - # SSLCertificateFile when the CA certificates are directly appended to the - # server certificate for convinience. 
- #SSLCertificateChainFile /etc/ssl/apache2/ca.crt - - ## Certificate Authority (CA): - # Set the CA certificate verification path where to find CA certificates - # for client authentication or alternatively one huge file containing all - # of them (file must be PEM encoded). - # Note: Inside SSLCACertificatePath you need hash symlinks to point to the - # certificate files. Use the provided Makefile to update the hash symlinks - # after changes. - #SSLCACertificatePath /etc/ssl/apache2/ssl.crt - #SSLCACertificateFile /etc/ssl/apache2/ca-bundle.crt - - ## Certificate Revocation Lists (CRL): - # Set the CA revocation path where to find CA CRLs for client authentication - # or alternatively one huge file containing all of them (file must be PEM - # encoded). - # Note: Inside SSLCARevocationPath you need hash symlinks to point to the - # certificate files. Use the provided Makefile to update the hash symlinks - # after changes. - #SSLCARevocationPath /etc/ssl/apache2/ssl.crl - #SSLCARevocationFile /etc/ssl/apache2/ca-bundle.crl - - ## Client Authentication (Type): - # Client certificate verification type and depth. Types are none, optional, - # require and optional_no_ca. Depth is a number which specifies how deeply - # to verify the certificate issuer chain before deciding the certificate is - # not valid. - #SSLVerifyClient require - #SSLVerifyDepth 10 - - ## Access Control: - # With SSLRequire you can do per-directory access control based on arbitrary - # complex boolean expressions containing server variable checks and other - # lookup directives. The syntax is a mixture between C and Perl. See the - # mod_ssl documentation for more details. - # - # #SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ - # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." 
\ - # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ - # and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ - # and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ - # or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ - # - - ## SSL Engine Options: - # Set various options for the SSL engine. - - ## FakeBasicAuth: - # Translate the client X.509 into a Basic Authorisation. This means that the - # standard Auth/DBMAuth methods can be used for access control. The user - # name is the `one line' version of the client's X.509 certificate. - # Note that no password is obtained from the user. Every entry in the user - # file needs this password: `xxj31ZMTZzkVA'. - - ## ExportCertData: - # This exports two additional environment variables: SSL_CLIENT_CERT and - # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the server - # (always existing) and the client (only existing when client - # authentication is used). This can be used to import the certificates into - # CGI scripts. - - ## StdEnvVars: - # This exports the standard SSL/TLS related `SSL_*' environment variables. - # Per default this exportation is switched off for performance reasons, - # because the extraction step is an expensive operation and is usually - # useless for serving static content. So one usually enables the exportation - # for CGI and SSI requests only. - - ## StrictRequire: - # This denies access when "SSLRequireSSL" or "SSLRequire" applied even under - # a "Satisfy any" situation, i.e. when it applies access is denied and no - # other module can change it. - - ## OptRenegotiate: - # This enables optimized SSL connection renegotiation handling when SSL - # directives are used in per-directory context. 
- #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire - - SSLOptions +StdEnvVars - - - - SSLOptions +StdEnvVars - - - ## SSL Protocol Adjustments: - # The safe and default but still SSL/TLS standard compliant shutdown - # approach is that mod_ssl sends the close notify alert but doesn't wait - # for the close notify alert from client. When you need a different - # shutdown approach you can use one of the following variables: - - ## ssl-unclean-shutdown: - # This forces an unclean shutdown when the connection is closed, i.e. no - # SSL close notify alert is send or allowed to received. This violates the - # SSL/TLS standard but is needed for some brain-dead browsers. Use this when - # you receive I/O errors because of the standard approach where mod_ssl - # sends the close notify alert. - - ## ssl-accurate-shutdown: - # This forces an accurate shutdown when the connection is closed, i.e. a - # SSL close notify alert is send and mod_ssl waits for the close notify - # alert of the client. This is 100% SSL/TLS standard compliant, but in - # practice often causes hanging connections with brain-dead browsers. Use - # this only for browsers where you know that their SSL implementation works - # correctly. - # Notice: Most problems of broken clients are also related to the HTTP - # keep-alive facility, so you usually additionally want to disable - # keep-alive for those clients, too. Use variable "nokeepalive" for this. - # Similarly, one has to force some clients to use HTTP/1.0 to workaround - # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and - # "force-response-1.0" for this. - - BrowserMatch ".*MSIE.*" \ - nokeepalive ssl-unclean-shutdown \ - downgrade-1.0 force-response-1.0 - - - ## Per-Server Logging: - # The home of a custom SSL log file. Use this when you want a compact - # non-error SSL logfile on a virtual host basis. 
- - CustomLog /var/log/apache2/ssl_request_log \ - "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" - - - - - - -# vim: ts=4 filetype=apache diff --git a/apache2/vhosts.d/00_default_vhost.conf b/apache2/vhosts.d/00_default_vhost.conf deleted file mode 100644 index 9fa425a..0000000 --- a/apache2/vhosts.d/00_default_vhost.conf +++ /dev/null @@ -1,48 +0,0 @@ -# Virtual Hosts -# -# If you want to maintain multiple domains/hostnames on your -# machine you can setup VirtualHost containers for them. Most configurations -# use only name-based virtual hosts so the server doesn't need to worry about -# IP addresses. This is indicated by the asterisks in the directives below. -# -# Please see the documentation at -# -# for further details before you try to setup virtual hosts. -# -# You may use the command line option '-S' to verify your virtual host -# configuration. - - -# see bug #178966 why this is in here - -# Listen: Allows you to bind Apache to specific IP addresses and/or -# ports, instead of the default. See also the -# directive. -# -# Change this to Listen on specific IP addresses as shown below to -# prevent Apache from glomming onto all bound IP addresses. -# -#Listen 12.34.56.78:80 -Listen 80 - -# Use name-based virtual hosting. -NameVirtualHost *:80 - -# When virtual hosts are enabled, the main host defined in the default -# httpd.conf configuration will go away. We redefine it here so that it is -# still available. -# -# If you disable this vhost by removing -D DEFAULT_VHOST from -# /etc/conf.d/apache2, the first defined virtual host elsewhere will be -# the default. - - ServerName localhost - Include /etc/apache2/vhosts.d/default_vhost.include - - - ServerEnvironment apache apache - - - - -# vim: ts=4 filetype=apache diff --git a/apache2/vhosts.d/default_vhost.include b/apache2/vhosts.d/default_vhost.include deleted file mode 100644 index 6d45888..0000000 --- a/apache2/vhosts.d/default_vhost.include +++ /dev/null 
@@ -1,73 +0,0 @@ -# ServerAdmin: Your address, where problems with the server should be -# e-mailed. This address appears on some server-generated pages, such -# as error documents. e.g. admin@your-domain.com -ServerAdmin root@localhost - -# DocumentRoot: The directory out of which you will serve your -# documents. By default, all requests are taken from this directory, but -# symbolic links and aliases may be used to point to other locations. -# -# If you change this to something that isn't under /var/www then suexec -# will no longer work. -DocumentRoot "/var/www/localhost/htdocs" - -# This should be changed to whatever you set DocumentRoot to. - - # Possible values for the Options directive are "None", "All", - # or any combination of: - # Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews - # - # Note that "MultiViews" must be named *explicitly* --- "Options All" - # doesn't give it to you. - # - # The Options directive is both complicated and important. Please see - # http://httpd.apache.org/docs/2.2/mod/core.html#options - # for more information. - Options Indexes FollowSymLinks - - # AllowOverride controls what directives may be placed in .htaccess files. - # It can be "All", "None", or any combination of the keywords: - # Options FileInfo AuthConfig Limit - AllowOverride All - - # Controls who can get stuff from this server. - Order allow,deny - Allow from all - - - - # Redirect: Allows you to tell clients about documents that used to - # exist in your server's namespace, but do not anymore. The client - # will make a new request for the document at its new location. - # Example: - # Redirect permanent /foo http://www.example.com/bar - - # Alias: Maps web paths into filesystem paths and is used to - # access content that does not live under the DocumentRoot. - # Example: - # Alias /webpath /full/filesystem/path - # - # If you include a trailing / on /webpath then the server will - # require it to be present in the URL. 
You will also likely - # need to provide a section to allow access to - # the filesystem path. - - # ScriptAlias: This controls which directories contain server scripts. - # ScriptAliases are essentially the same as Aliases, except that - # documents in the target directory are treated as applications and - # run by the server when requested rather than as documents sent to the - # client. The same rules about trailing "/" apply to ScriptAlias - # directives as to Alias. - ScriptAlias /cgi-bin/ "/var/www/localhost/cgi-bin/" - - -# "/var/www/localhost/cgi-bin" should be changed to whatever your ScriptAliased -# CGI directory exists, if you have that configured. - - AllowOverride None - Options None - Order allow,deny - Allow from all - - -# vim: ts=4 filetype=apache diff --git a/ca-certificates.conf b/ca-certificates.conf index 30d2538..c903618 100644 --- a/ca-certificates.conf +++ b/ca-certificates.conf @@ -1,5 +1,5 @@ -# Automatically generated by app-misc/ca-certificates-20130906 -# Mo 17. Mär 21:20:18 UTC 2014 +# Automatically generated by app-misc/ca-certificates-20130906-r1 +# Di 1. Apr 21:03:01 UTC 2014 # Do not edit. cacert.org/cacert.org_class3.crt cacert.org/cacert.org_root.crt diff --git a/config-archive/etc/ssh/sshd_config b/config-archive/etc/ssh/sshd_config index c2dcc3b..7854461 100644 --- a/config-archive/etc/ssh/sshd_config +++ b/config-archive/etc/ssh/sshd_config @@ -27,8 +27,8 @@ # "key type names" for X.509 certificates with RSA key # Note first defined is used in signature operations! -#X509KeyAlgorithm x509v3-sign-rsa,rsa-md5 #X509KeyAlgorithm x509v3-sign-rsa,rsa-sha1 +#X509KeyAlgorithm x509v3-sign-rsa,rsa-md5 # "key type names" for X.509 certificates with DSA key # Note first defined is used in signature operations! @@ -95,6 +95,9 @@ #KeyRegenerationInterval 1h #ServerKeyBits 1024 +# Ciphers and keying +#RekeyLimit default none + # Logging # obsoletes QuietMode and FascistLogging #SyslogFacility AUTH 
@@ -115,6 +118,11 @@ # but this is overridden so installations will only check .ssh/authorized_keys #AuthorizedKeysFile .ssh/authorized_keys +#AuthorizedPrincipalsFile none + +#AuthorizedKeysCommand none +#AuthorizedKeysCommandUser nobody + # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts #RhostsRSAAuthentication no # similar for protocol version 2 @@ -164,23 +172,21 @@ PrintMotd no PrintLastLog no TCPKeepAlive yes #UseLogin no -#UsePrivilegeSeparation yes +UsePrivilegeSeparation sandbox # Default for new installations. #PermitUserEnvironment no #Compression delayed #ClientAliveInterval 0 #ClientAliveCountMax 3 #UseDNS yes #PidFile /var/run/sshd.pid -#MaxStartups 10 +#MaxStartups 10:30:100 #PermitTunnel no #ChrootDirectory none +#VersionAddendum none # no default banner path #Banner none -# Allow client to pass locale environment variables -AcceptEnv LANG LC_* - # override default of no subsystems Subsystem sftp /usr/lib64/misc/sftp-server @@ -188,18 +194,21 @@ Subsystem sftp /usr/lib64/misc/sftp-server # tcp receive buffer polling. disable in non autotuning kernels #TcpRcvBufPoll yes -# allow the use of the none cipher -#NoneEnabled no - -# disable hpn performance boosts. +# disable hpn performance boosts #HPNDisabled no # buffer size for hpn to non-hpn connections #HPNBufferSize 2048 +# allow the use of the none cipher +#NoneEnabled no + # Example of overriding settings on a per-user basis #Match User anoncvs # X11Forwarding no # AllowTcpForwarding no # ForceCommand cvs server + +# Allow client to pass locale environment variables #367017 +AcceptEnv LANG LC_* diff --git a/config-archive/etc/ssh/sshd_config.1 b/config-archive/etc/ssh/sshd_config.1 new file mode 100644 index 0000000..c2dcc3b --- /dev/null +++ b/config-archive/etc/ssh/sshd_config.1 
@@ -0,0 +1,205 @@ +# $OpenBSD$ + +# This is the sshd server system-wide configuration file. See +# sshd_config(5) for more information. + +# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin + +# The strategy used for options in the default sshd_config shipped with +# OpenSSH is to specify options with their default value where +# possible, but leave them commented. Uncommented options override the +# default value. + +#Port 22 +#AddressFamily any +#ListenAddress 0.0.0.0 +#ListenAddress :: + +# The default requires explicit activation of protocol 1 +#Protocol 2 + +# HostKey for protocol version 1 +#HostKey /etc/ssh/ssh_host_key +# HostKeys for protocol version 2 +#HostKey /etc/ssh/ssh_host_rsa_key +#HostKey /etc/ssh/ssh_host_dsa_key +#HostKey /etc/ssh/ssh_host_ecdsa_key + +# "key type names" for X.509 certificates with RSA key +# Note first defined is used in signature operations! +#X509KeyAlgorithm x509v3-sign-rsa,rsa-md5 +#X509KeyAlgorithm x509v3-sign-rsa,rsa-sha1 + +# "key type names" for X.509 certificates with DSA key +# Note first defined is used in signature operations! +#X509KeyAlgorithm x509v3-sign-dss,dss-asn1 +#X509KeyAlgorithm x509v3-sign-dss,dss-raw + +# The intended use for the X509 client certificate. Without this option +# no chain verification will be done. Currently accepted uses are case +# insensitive: +# - "sslclient", "SSL client", "SSL_client" or "client" +# - "any", "Any Purpose", "Any_Purpose" or "AnyPurpose" +# - "skip" or ""(empty): don`t check purpose. +#AllowedCertPurpose sslclient + +# Specifies whether self-issued(self-signed) X.509 certificate can be +# allowed only by entry in AutorizedKeysFile that contain matching +# public key or certificate blob. 
+#KeyAllowSelfIssued no + +# Specifies whether CRL must present in store for all certificates in +# certificate chain with atribute "cRLDistributionPoints" +#MandatoryCRL no + +# A file with multiple certificates of certificate signers +# in PEM format concatenated together. +#CACertificateFile /etc/ssh/ca/ca-bundle.crt + +# A directory with certificates of certificate signers. +# The certificates should have name of the form: [HASH].[NUMBER] +# or have symbolic links to them of this form. +#CACertificatePath /etc/ssh/ca/crt + +# A file with multiple CRL of certificate signers +# in PEM format concatenated together. +#CARevocationFile /etc/ssh/ca/ca-bundle.crl + +# A directory with CRL of certificate signers. +# The CRL should have name of the form: [HASH].r[NUMBER] +# or have symbolic links to them of this form. +#CARevocationPath /etc/ssh/ca/crl + +# LDAP protocol version. +# Example: +# CAldapVersion 2 + +# Note because of OpenSSH options parser limitation +# use %3D instead of = ! +# LDAP initialization may require URL to be escaped, i.e. +# use %2C instead of ,(comma). Escaped URL don't depend from +# LDAP initialization method. +# Example: +# CAldapURL ldap://localhost:389/dc%3Dexample%2Cdc%3Dcom + +# SSH can use "Online Certificate Status Protocol"(OCSP) +# to validate certificate. Set VAType to +# - none : do not use OCSP to validate certificates; +# - ocspcert: validate only certificates that specify `OCSP +# Service Locator' URL; +# - ocspspec: use specified in the configuration 'OCSP Responder' +# to validate all certificates. 
+#VAType none + +# Lifetime and size of ephemeral version 1 server key +#KeyRegenerationInterval 1h +#ServerKeyBits 1024 + +# Logging +# obsoletes QuietMode and FascistLogging +#SyslogFacility AUTH +#LogLevel INFO + +# Authentication: + +#LoginGraceTime 2m +#PermitRootLogin yes +#StrictModes yes +#MaxAuthTries 6 +#MaxSessions 10 + +#RSAAuthentication yes +#PubkeyAuthentication yes + +# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 +# but this is overridden so installations will only check .ssh/authorized_keys +#AuthorizedKeysFile .ssh/authorized_keys + +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts +#RhostsRSAAuthentication no +# similar for protocol version 2 +#HostbasedAuthentication no +# Change to yes if you don't trust ~/.ssh/known_hosts for +# RhostsRSAAuthentication and HostbasedAuthentication +#IgnoreUserKnownHosts no +# Don't read the user's ~/.rhosts and ~/.shosts files +#IgnoreRhosts yes + +# To disable tunneled clear text passwords, change to no here! +PasswordAuthentication no +#PermitEmptyPasswords no + +# Change to no to disable s/key passwords +#ChallengeResponseAuthentication yes + +# Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes +#KerberosGetAFSToken no + +# GSSAPI options +#GSSAPIAuthentication no +#GSSAPICleanupCredentials yes +#GSSAPIStrictAcceptorCheck yes + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. 
+UsePAM yes + +#AllowAgentForwarding yes +#AllowTcpForwarding yes +#GatewayPorts no +#X11Forwarding no +#X11DisplayOffset 10 +#X11UseLocalhost yes +PrintMotd no +PrintLastLog no +TCPKeepAlive yes +#UseLogin no +#UsePrivilegeSeparation yes +#PermitUserEnvironment no +#Compression delayed +#ClientAliveInterval 0 +#ClientAliveCountMax 3 +#UseDNS yes +#PidFile /var/run/sshd.pid +#MaxStartups 10 +#PermitTunnel no +#ChrootDirectory none + +# no default banner path +#Banner none + +# Allow client to pass locale environment variables +AcceptEnv LANG LC_* + +# override default of no subsystems +Subsystem sftp /usr/lib64/misc/sftp-server + +# the following are HPN related configuration options +# tcp receive buffer polling. disable in non autotuning kernels +#TcpRcvBufPoll yes + +# allow the use of the none cipher +#NoneEnabled no + +# disable hpn performance boosts. +#HPNDisabled no + +# buffer size for hpn to non-hpn connections +#HPNBufferSize 2048 + + +# Example of overriding settings on a per-user basis +#Match User anoncvs +# X11Forwarding no +# AllowTcpForwarding no +# ForceCommand cvs server diff --git a/config-archive/etc/ssh/sshd_config.dist b/config-archive/etc/ssh/sshd_config.dist index e818623..c76351a 100644 --- a/config-archive/etc/ssh/sshd_config.dist +++ b/config-archive/etc/ssh/sshd_config.dist @@ -24,6 +24,7 @@ #HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_dsa_key #HostKey /etc/ssh/ssh_host_ecdsa_key +#HostKey /etc/ssh/ssh_host_ed25519_key # "key type names" for X.509 certificates with RSA key # Note first defined is used in signature operations! 
@@ -151,8 +152,8 @@ PasswordAuthentication no #GSSAPICleanupCredentials yes #GSSAPIStrictAcceptorCheck yes -# Set this to 'yes' to enable PAM authentication, account processing, -# and session processing. If this is enabled, PAM authentication will +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication and # PasswordAuthentication. Depending on your PAM configuration, # PAM authentication via ChallengeResponseAuthentication may bypass @@ -168,6 +169,7 @@ UsePAM yes #X11Forwarding no #X11DisplayOffset 10 #X11UseLocalhost yes +#PermitTTY yes PrintMotd no PrintLastLog no #TCPKeepAlive yes @@ -208,6 +210,7 @@ Subsystem sftp /usr/lib64/misc/sftp-server #Match User anoncvs # X11Forwarding no # AllowTcpForwarding no +# PermitTTY no # ForceCommand cvs server # Allow client to pass locale environment variables #367017 diff --git a/drirc b/drirc index a13941f..ebc04cd 100644 --- a/drirc +++ b/drirc @@ -1,29 +1,77 @@ + + - + + + + + + + + + + + + + + diff --git a/hosts.allow b/hosts.allow new file mode 100644 index 0000000..c473eb9 --- /dev/null +++ b/hosts.allow @@ -0,0 +1,17 @@ +# For more information, please see the hosts.allow(5) manpage + +# Rule format: +# daemon : client list +# The value for 'daemon' is determined by the name of the binary. +# OpenSSH runs as 'sshd' so you would use 'sshd' for 'daemon'. +# Client list can be a list of ip's or hostnames. + +# Allow only sshd connections from ips matching 192.168.0.* +#sshd: 192.168.0. + +# Only allow sendmail connections from the localhost +#sendmail: localhost + +# Allow everyone from foobar.edu to access everything except for +# the terminalserver +#ALL: .foobar.edu EXCEPT terminalserver.foobar.edu diff --git a/init.d/apache2 b/init.d/apache2 deleted file mode 100755 index c3ce4e7..0000000 --- a/init.d/apache2 +++ /dev/null 
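Review bot: Every rule in the new hosts.allow is commented out, so as committed the file changes nothing; if the intent was to limit which hosts may reach sshd, one of the examples has to be made active, e.g. `sshd: 192.168.0.` with the real management range, and tcp-wrappers only denies the rest when hosts.deny carries a matching catch-all, which this commit does not add. Whether the restriction takes effect at all also depends on sshd having been built with wrapper support, so the result should be checked against the running daemon rather than assumed from the file. A one-line header comment stating whether the file is a placeholder or an active policy would save the next reader the same question.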
@@ -1,182 +0,0 @@ -#!/sbin/runscript -# Copyright 1999-2011 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -extra_commands="configtest modules virtualhosts" -extra_started_commands="configdump fullstatus graceful gracefulstop reload" - -description_configdump="Dumps the configuration of the runing apache server. Requires server-info to be enabled and www-client/lynx." -description_configtest="Run syntax tests for configuration files." -description_fullstatus="Gives the full status of the server. Requires lynx and server-status to be enabled." -description_graceful="A graceful restart advises the children to exit after the current request and reloads the configuration." -description_gracefulstop="A graceful stop advises the children to exit after the current request and stops the server." -description_modules="Dump a list of loaded Static and Shared Modules." -description_reload="Kills all children and reloads the configuration." -description_virtualhosts="Show the settings as parsed from the config file (currently only shows the virtualhost settings)." -description_stop="Kills all children and stops the server." - -depend() { - need net - use mysql dns logger netmount postgresql - after sshd -} - -configtest() { - ebegin "Checking ${SVCNAME} configuration" - checkconfig - eend $? -} - -checkconfd() { - if [ ! -f /etc/init.d/sysfs ]; then - eerror "This init script works only with openrc (baselayout-2)." - eerror "If you still need baselayout-1.x, please, use" - eerror "apache2.initd-baselayout-1 from /usr/share/doc/apache2-*/" - fi - - PIDFILE="${PIDFILE:-/var/run/apache2.pid}" - TIMEOUT=${TIMEOUT:-15} - - SERVERROOT="${SERVERROOT:-/usr/lib64/apache2}" - if [ ! -d ${SERVERROOT} ]; then - eerror "SERVERROOT does not exist: ${SERVERROOT}" - return 1 - fi - - CONFIGFILE="${CONFIGFILE:-/etc/apache2/httpd.conf}" - [ "${CONFIGFILE#/}" = "${CONFIGFILE}" ] && CONFIGFILE="${SERVERROOT}/${CONFIGFILE}" - if [ ! 
-r "${CONFIGFILE}" ]; then - eerror "Unable to read configuration file: ${CONFIGFILE}" - return 1 - fi - - APACHE2_OPTS="${APACHE2_OPTS} -d ${SERVERROOT}" - APACHE2_OPTS="${APACHE2_OPTS} -f ${CONFIGFILE}" - [ -n "${STARTUPERRORLOG}" ] && APACHE2_OPTS="${APACHE2_OPTS} -E ${STARTUPERRORLOG}" - - APACHE2="/usr/sbin/apache2" -} - -checkconfig() { - checkconfd || return 1 - - ${APACHE2} ${APACHE2_OPTS} -t 1>/dev/null 2>&1 - ret=$? - if [ $ret -ne 0 ]; then - eerror "${SVCNAME} has detected an error in your setup:" - ${APACHE2} ${APACHE2_OPTS} -t - fi - - return $ret -} - -start() { - checkconfig || return 1 - - ebegin "Starting ${SVCNAME}" - # Use start stop daemon to apply system limits #347301 - start-stop-daemon --start -- ${APACHE2} ${APACHE2_OPTS} -k start - - i=0 - while [ ! -e "${PIDFILE}" ] && [ $i -lt ${TIMEOUT} ]; do - sleep 1 && i=$(expr $i + 1) - done - - eend $(test $i -lt ${TIMEOUT}) -} - -stop() { - if [ "${RC_CMD}" = "restart" ]; then - checkconfig || return 1 - else - checkconfd || return 1 - fi - - PID=$(cat "${PIDFILE}" 2>/dev/null) - if [ -z "${PID}" ]; then - einfo "${SVCNAME} not running (no pid file)" - return 0 - fi - - ebegin "Stopping ${SVCNAME}" - ${APACHE2} ${APACHE2_OPTS} -k stop - - i=0 - while ( test -f "${PIDFILE}" && pgrep -P ${PID} apache2 >/dev/null ) \ - && [ $i -lt ${TIMEOUT} ]; do - sleep 1 && i=$(expr $i + 1) - done - - eend $(test $i -lt ${TIMEOUT}) -} - -reload() { - RELOAD_TYPE="${RELOAD_TYPE:-graceful}" - - checkconfig || return 1 - - if [ "${RELOAD_TYPE}" = "restart" ]; then - ebegin "Restarting ${SVCNAME}" - ${APACHE2} ${APACHE2_OPTS} -k restart - eend $? - elif [ "${RELOAD_TYPE}" = "graceful" ]; then - ebegin "Gracefully restarting ${SVCNAME}" - ${APACHE2} ${APACHE2_OPTS} -k graceful - eend $? - else - eerror "${RELOAD_TYPE} is not a valid RELOAD_TYPE. 
Please edit /etc/conf.d/${SVCNAME}" - fi -} - -graceful() { - checkconfig || return 1 - ebegin "Gracefully restarting ${SVCNAME}" - ${APACHE2} ${APACHE2_OPTS} -k graceful - eend $? -} - -gracefulstop() { - checkconfig || return 1 - ebegin "Gracefully stopping ${SVCNAME}" - ${APACHE2} ${APACHE2_OPTS} -k graceful-stop - eend $? -} - -modules() { - checkconfig || return 1 - ${APACHE2} ${APACHE2_OPTS} -M 2>&1 -} - -fullstatus() { - LYNX="${LYNX:-lynx -dump}" - STATUSURL="${STATUSURL:-http://localhost/server-status}" - - if ! type -p $(set -- ${LYNX}; echo $1) 2>&1 >/dev/null; then - eerror "lynx not found! you need to emerge www-client/lynx" - else - ${LYNX} ${STATUSURL} - fi -} - -virtualhosts() { - checkconfig || return 1 - ${APACHE2} ${APACHE2_OPTS} -S -} - -configdump() { - LYNX="${LYNX:-lynx -dump}" - INFOURL="${INFOURL:-http://localhost/server-info}" - - checkconfd || return 1 - - if ! type -p $(set -- ${LYNX}; echo $1) 2>&1 >/dev/null; then - eerror "lynx not found! you need to emerge www-client/lynx" - else - echo "${APACHE2} started with '${APACHE2_OPTS}'" - for i in config server list; do - ${LYNX} "${INFOURL}/?${i}" | sed '/Apache Server Information/d;/^[[:space:]]\+[_]\+$/Q' - done - fi -} - -# vim: ts=4 filetype=gentoo-init-d diff --git a/init.d/samba b/init.d/samba index 779ec09..96bb94e 100755 --- a/init.d/samba +++ b/init.d/samba @@ -1,9 +1,10 @@ #!/sbin/runscript -# Copyright 1999-2011 Gentoo Foundation +# Copyright 1999-2014 Gentoo Foundation # Distributed under the terms of the GNU General Public License, v2 or later -# $Header: /var/cvsroot/gentoo-x86/net-fs/samba/files/3.6/samba.initd,v 1.3 2011/09/14 22:52:33 polynomial-c Exp $ +# $Header: /var/cvsroot/gentoo-x86/net-fs/samba/files/3.6/samba.initd,v 1.4 2014/03/14 09:30:41 polynomial-c Exp $ extra_started_commands="reload" +piddir="/var/run/samba" depend() { after slapd 
@@ -34,7 +35,7 @@ signal_do() { } mkdir_sambadirs() { - [ -d /var/run/samba ] || mkdir -p /var/run/samba + [ -d "${piddir}" ] || mkdir -p ${piddir} } start() { diff --git a/logrotate.d/apache2 b/logrotate.d/apache2 deleted file mode 100644 index 9dd431c..0000000 --- a/logrotate.d/apache2 +++ /dev/null @@ -1,11 +0,0 @@ -# Apache2 logrotate snipet for Gentoo Linux -# Contributes by Chuck Short -# -/var/log/apache2/*log { - missingok - notifempty - sharedscripts - postrotate - /etc/init.d/apache2 reload > /dev/null 2>&1 || true - endscript -} diff --git a/logrotate.d/consolekit b/logrotate.d/consolekit new file mode 100644 index 0000000..6e63e41 --- /dev/null +++ b/logrotate.d/consolekit @@ -0,0 +1,8 @@ +/var/log/ConsoleKit/history { + monthly + rotate 6 + delaycompress + compress + notifempty + missingok +} diff --git a/pam.d/mate-screensaver b/pam.d/mate-screensaver index 4bd6427..47e65a2 100644 --- a/pam.d/mate-screensaver +++ b/pam.d/mate-screensaver @@ -2,14 +2,14 @@ # Fedora Core auth include system-auth -auth optional pam_mate_keyring.so +auth optional pam_gnome_keyring.so account include system-auth password include system-auth session include system-auth # SuSE/Novell #auth include common-auth -#auth optional pam_mate_keyring.so +#auth optional pam_gnome_keyring.so #account include common-account #password include common-password #session include common-session diff --git a/portage/package.keywords/common b/portage/package.keywords/common index 75099e5..6d2b129 100644 --- a/portage/package.keywords/common +++ b/portage/package.keywords/common @@ -10,6 +10,7 @@ ~app-emulation/emul-linux-x86-qtlibs-20120520 ~app-emulation/emul-linux-x86-soundlibs-20120520 ~app-emulation/emul-linux-x86-xlibs-20120520 +~app-emulation/vagrant-1.4.3 app-emulation/virtualbox app-emulation/virtualbox-additions app-emulation/virtualbox-extpack-oracle 
@@ -58,6 +59,7 @@ dev-python/fbrehm-libs ~dev-python/iniparse-0.4 ~dev-python/jinja-2.7.1 ~dev-python/netaddr-0.7.10_p20130801 +~dev-python/netaddr-0.7.11 ~dev-python/netifaces-0.6 dev-python/pb-base dev-python/pb-logging @@ -71,6 +73,7 @@ dev-python/pb-logging ~dev-ruby/dnsruby-1.53 ~dev-ruby/zonecheck-3.0.4 +~dev-ruby/zonecheck-3.0.5 ~dev-util/kbuild-0.1.9998_pre20120806 ~dev-util/kbuild-0.1.9998_pre20131130 diff --git a/portage/package.use b/portage/package.use index 0b8981b..346392a 100644 --- a/portage/package.use +++ b/portage/package.use @@ -205,7 +205,7 @@ media-libs/libpng apng media-libs/libquicktime lame media-libs/libvorbis aotuv media-libs/libwmf -expat -media-libs/mesa g3dvl gles gles1 gles2 llvm shared-dricore xa xvmc +media-libs/mesa g3dvl gbm gles gles1 gles2 llvm shared-dricore xa xvmc media-libs/netpbm rle media-libs/openjpeg tools media-libs/phonon gstreamer diff --git a/runlevels/default/xdm b/runlevels/default/xdm new file mode 120000 index 0000000..af5b119 --- /dev/null +++ b/runlevels/default/xdm @@ -0,0 +1 @@ +/etc/init.d/xdm \ No newline at end of file diff --git a/ssh/ssh_host_ed25519_key b/ssh/ssh_host_ed25519_key new file mode 100644 index 0000000..8697261 --- /dev/null +++ b/ssh/ssh_host_ed25519_key @@ -0,0 +1,7 @@ +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW +QyNTUxOQAAACC/csXoOEX1zs2ulPcnyc5GS3sa9rSwJnPUX0oVbbfvoQAAAJCD3jXAg941 +wAAAAAtzc2gtZWQyNTUxOQAAACC/csXoOEX1zs2ulPcnyc5GS3sa9rSwJnPUX0oVbbfvoQ +AAAEBP27g1NZ/yz7oKLaIY7Neu+9/YCzVqXS6Qv80OSimsk79yxeg4RfXOza6U9yfJzkZL +exr2tLAmc9RfShVtt++hAAAAC3Jvb3RAc2FtYXJhAQI= +-----END OPENSSH PRIVATE KEY----- diff --git a/ssh/ssh_host_ed25519_key.pub b/ssh/ssh_host_ed25519_key.pub new file mode 100644 index 0000000..9f5a3b0 --- /dev/null +++ b/ssh/ssh_host_ed25519_key.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL9yxeg4RfXOza6U9yfJzkZLexr2tLAmc9RfShVtt++h root@samara 
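Review bot: The hunk for ssh/ssh_host_ed25519_key commits a private host key in clear text; once this tree has been pushed or shared, the key has to be treated as disclosed, so it should be dropped from the repository and from history and the host key regenerated rather than just deleted in a follow-up commit. The public key hunk that follows is harmless, but an ignore rule such as `ssh/ssh_host_*_key` would prevent a repeat the next time /etc is snapshotted. Note also that git records only the executable bit, so a checkout restores this file without the restrictive mode a host key normally has.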
diff --git a/ssh/sshd_config b/ssh/sshd_config index 7854461..47e985c 100644 --- a/ssh/sshd_config +++ b/ssh/sshd_config @@ -24,6 +24,7 @@ #HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_dsa_key #HostKey /etc/ssh/ssh_host_ecdsa_key +#HostKey /etc/ssh/ssh_host_ed25519_key # "key type names" for X.509 certificates with RSA key # Note first defined is used in signature operations! @@ -151,8 +152,8 @@ PasswordAuthentication no #GSSAPICleanupCredentials yes #GSSAPIStrictAcceptorCheck yes -# Set this to 'yes' to enable PAM authentication, account processing, -# and session processing. If this is enabled, PAM authentication will +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication and # PasswordAuthentication. Depending on your PAM configuration, # PAM authentication via ChallengeResponseAuthentication may bypass @@ -168,6 +169,7 @@ UsePAM yes #X11Forwarding no #X11DisplayOffset 10 #X11UseLocalhost yes +#PermitTTY yes PrintMotd no PrintLastLog no TCPKeepAlive yes @@ -208,6 +210,7 @@ Subsystem sftp /usr/lib64/misc/sftp-server #Match User anoncvs # X11Forwarding no # AllowTcpForwarding no +# PermitTTY no # ForceCommand cvs server # Allow client to pass locale environment variables #367017 diff --git a/ssl/certs/4597689c.0 b/ssl/certs/4597689c.0 deleted file mode 120000 index 9dbdcda..0000000 --- a/ssl/certs/4597689c.0 +++ /dev/null @@ -1 +0,0 @@ -Equifax_Secure_eBusiness_CA_2.pem \ No newline at end of file diff --git a/ssl/certs/656b3e35.0 b/ssl/certs/656b3e35.0 deleted file mode 120000 index e375f5a..0000000 --- a/ssl/certs/656b3e35.0 +++ /dev/null @@ -1 +0,0 @@ -ca.pem \ No newline at end of file diff --git a/ssl/certs/9818ca0b.0 b/ssl/certs/9818ca0b.0 deleted file mode 120000 index 7571d9b..0000000 --- a/ssl/certs/9818ca0b.0 +++ /dev/null 
@@ -1 +0,0 @@ -TC_TrustCenter_Universal_CA_III.pem \ No newline at end of file diff --git a/ssl/certs/b097d71d.0 b/ssl/certs/b097d71d.0 deleted file mode 120000 index ddcc2c5..0000000 --- a/ssl/certs/b097d71d.0 +++ /dev/null @@ -1 +0,0 @@ -spi-ca-2003.pem \ No newline at end of file diff --git a/zonecheck/afnic.profile b/zonecheck/afnic.profile deleted file mode 100644 index 7dc1a9c..0000000 --- a/zonecheck/afnic.profile +++ /dev/null @@ -1,129 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/zonecheck/de.profile b/zonecheck/de.profile deleted file mode 100644 index 7e8a5a5..0000000 --- a/zonecheck/de.profile +++ /dev/null @@ -1,134 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/zonecheck/default.profile b/zonecheck/default.profile deleted file mode 100644 index 6902e1f..0000000 --- a/zonecheck/default.profile +++ /dev/null @@ -1,174 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/zonecheck/reverse.profile b/zonecheck/reverse.profile deleted file mode 100644 index 2b5dc0d..0000000 --- a/zonecheck/reverse.profile +++ /dev/null 
@@ -1,108 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/zonecheck/rootservers b/zonecheck/rootservers deleted file mode 100644 index 239cd20..0000000 --- a/zonecheck/rootservers +++ /dev/null @@ -1,31 +0,0 @@ -# $Id: rootservers,v 1.8 2010/06/18 13:28:09 bortzmeyer Exp $ -# -# This file is in YAML format -# ( for more information about YAML see: http://yaml.org/ ) -# -# Tips: -# - don't use tabulation -# - don't forget the final dot of the name servers -# -# -# This list can be generated by the following shell-script (sh): -# -# for ns in `dig +short . ns | tr 'A-Z' 'a-z' | sort` ; do -# ips=`(dig +short $ns a; dig +short $ns aaaa) | tr '\n' ',' | sed 's/,$//'` -# echo "$ns: [ $ips ]" -# done -# TODO: bad syntax? - -a.root-servers.net.: [ 198.41.0.4 , 2001:503:ba3e::2:30 ] -b.root-servers.net.: [ 192.228.79.201 ] -c.root-servers.net.: [ 192.33.4.12 ] -d.root-servers.net.: [ 128.8.10.90 ] -e.root-servers.net.: [ 192.203.230.10 ] -f.root-servers.net.: [ 192.5.5.241 , 2001:500:2f::f ] -g.root-servers.net.: [ 192.112.36.4 ] -h.root-servers.net.: [ 128.63.2.53 , 2001:500:1::803f:235 ] -i.root-servers.net.: [ 192.36.148.17, 2001:7FE:0:0:0:0:0:53 ] -j.root-servers.net.: [ 192.58.128.30 , 2001:503:c27::2:30 ] -k.root-servers.net.: [ 193.0.14.129 , 2001:7fd::1 ] -l.root-servers.net.: [ 199.7.83.42 , 2001:500:3::42 ] -m.root-servers.net.: [ 202.12.27.33 , 2001:dc3::35 ] diff --git a/zonecheck/zc.conf b/zonecheck/zc.conf deleted file mode 100644 index d7fc6b9..0000000 --- a/zonecheck/zc.conf +++ /dev/null @@ -1,122 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -- 2.39.5