authorroot <root@jones.dk>2016-04-28 03:31:37 +0200
committerroot <root@jones.dk>2016-04-28 03:34:54 +0200
commite0d512ede02b405252595a998d4ab027bc62c56d (patch)
treebdddcbb3fb0150fe0344939e153291e2bd1c323a /apache2/mods-available
parent565a8369df3586cc780c5ade5a9fe9b34f972bcd (diff)
Add some module hacks.
Diffstat (limited to 'apache2/mods-available')
-rw-r--r--apache2/mods-available/deflate.conf15
-rw-r--r--apache2/mods-available/deflate.conf.diff10
-rw-r--r--apache2/mods-available/gnutls.conf25
-rw-r--r--apache2/mods-available/gnutls.conf.diff24
-rw-r--r--apache2/mods-available/userdir.conf3
-rw-r--r--apache2/mods-available/userdir.conf.diff21
6 files changed, 98 insertions, 0 deletions
diff --git a/apache2/mods-available/deflate.conf b/apache2/mods-available/deflate.conf
new file mode 100644
index 0000000..d48cef3
--- /dev/null
+++ b/apache2/mods-available/deflate.conf
@@ -0,0 +1,15 @@
+<IfModule mod_deflate.c>
+ <IfModule mod_filter.c>
+ # these are known to be safe with MSIE 6
+ AddOutputFilterByType DEFLATE text/html text/plain text/xml
+
+ # everything else may cause problems with MSIE 6
+ AddOutputFilterByType DEFLATE text/css
+ AddOutputFilterByType DEFLATE application/x-javascript application/javascript application/ecmascript
+ AddOutputFilterByType DEFLATE application/json
+ AddOutputFilterByType DEFLATE application/rss+xml
+ AddOutputFilterByType DEFLATE application/xml
+ </IfModule>
+</IfModule>
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
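Review bot: The added `AddOutputFilterByType DEFLATE application/json` line turns on compression for API responses server-wide, and nothing in this file scopes it or documents the TLS caveat. On HTTPS vhosts, a compressed body that carries a secret (session or CSRF token) next to request-influenced data leaks information through its length, the BREACH class of compression side channel. Whether any JSON endpoint served here has that shape is not visible from this file, so at minimum add a comment above the line such as `# JSON is compressed too; endpoints returning secrets should opt out (SetEnv no-gzip 1 in that vhost/Location)`. The existing heading `# everything else may cause problems with MSIE 6` now also covers the JSON line, which is worth a word if that grouping is intentional.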
diff --git a/apache2/mods-available/deflate.conf.diff b/apache2/mods-available/deflate.conf.diff
new file mode 100644
index 0000000..4032dd7
--- /dev/null
+++ b/apache2/mods-available/deflate.conf.diff
@@ -0,0 +1,10 @@
+--- deflate.conf.orig 2014-08-16 21:38:26.000000000 +0200
++++ deflate.conf 2016-04-28 03:30:27.000000000 +0200
+@@ -6,6 +6,7 @@
+ # everything else may cause problems with MSIE 6
+ AddOutputFilterByType DEFLATE text/css
+ AddOutputFilterByType DEFLATE application/x-javascript application/javascript application/ecmascript
++ AddOutputFilterByType DEFLATE application/json
+ AddOutputFilterByType DEFLATE application/rss+xml
+ AddOutputFilterByType DEFLATE application/xml
+ </IfModule>
diff --git a/apache2/mods-available/gnutls.conf b/apache2/mods-available/gnutls.conf
new file mode 100644
index 0000000..f5cf5f8
--- /dev/null
+++ b/apache2/mods-available/gnutls.conf
@@ -0,0 +1,25 @@
+<IfModule mod_gnutls.c>
+
+ # The default method is to use a DBM backed cache. It's not super fast, but
+ # it's portable and doesn't require another server to be running like
+ # memcached
+ GnuTLSCache dbm /var/cache/apache2/gnutls_cache
+
+ # Enable caching (used for ticket expiration even when GnuTLSCache is unused)
+ GnuTLSCacheTimeout 600
+
+ # mod_gnutls can optionaly use a memcached server to store SSL sessions.
+ # This is useful in a cluster environment, where you want all your servers to
+ # share a single SSL session cache
+ #GnuTLSCache memcache "127.0.0.1 server2.example.com server3.example.com"
+
+ # based on <https://blog.joelj.org/ecdsa-certificates-with-apache-2-4-lets-encrypt/>
+ # * only strong EC crypto suites supporting Perfect Forward Secrecy
+ # * supported by all SNI-capable browsers
+ # Options:
+ # * drop %SAFE_RENEGOTIATION for Safari 5.1.9 / OS X 10.6.8 support
+ # * add 3DES-CBS after AES-128-CBC for Android 2.3.7 support on non-SNI hosts
+ # * add CHACHA20-POLY1305 after ECDHE-ECDSA with libgnutls >= 3.4.0
+ GnuTLSPriorities NONE:+ECDHE-ECDSA:+AES-256-GCM:+AES-128-GCM:+AES-256-CBC:+AES-128-CBC:+AEAD:+SHA384:+SHA256:+SHA1:+CTYPE-X509:+VERS-TLS-ALL:-VERS-SSL3.0:+COMP-NULL:+CURVE-SECP384R1:+SIGN-ECDSA-SHA512:+SIGN-ECDSA-SHA384:+SIGN-ECDSA-SHA256:+SIGN-ECDSA-SHA224:%SERVER_PRECEDENCE:%SAFE_RENEGOTIATION
+
+</IfModule>
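Review bot: The comment above GnuTLSPriorities promises "only strong EC crypto suites", but the string keeps `+VERS-TLS-ALL:-VERS-SSL3.0` (so TLS 1.0 and 1.1 remain enabled) and `+SHA1` alongside the two CBC ciphers, which is a legacy-compatibility set rather than a strong-only one. If the old clients named in the Options list are not required, `+VERS-TLS1.2` in place of `+VERS-TLS-ALL:-VERS-SSL3.0` and dropping `+AES-256-CBC:+AES-128-CBC:+SHA1` would match the comment; otherwise reword it to `# * EC suites with forward secrecy; TLS 1.0/1.1 and CBC+SHA1 kept for legacy clients`. The Options bullets describe downgrades (removing %SAFE_RENEGOTIATION, adding 3DES) and should be labelled as such so they are not applied casually, and "3DES-CBS" is presumably a typo for 3DES-CBC. The same text is stored a second time in gnutls.conf.diff.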
diff --git a/apache2/mods-available/gnutls.conf.diff b/apache2/mods-available/gnutls.conf.diff
new file mode 100644
index 0000000..c8561b4
--- /dev/null
+++ b/apache2/mods-available/gnutls.conf.diff
@@ -0,0 +1,24 @@
+--- gnutls.conf.orig 2011-07-19 19:02:55.000000000 +0200
++++ gnutls.conf 2016-04-28 03:27:13.000000000 +0200
+@@ -5,9 +5,21 @@
+ # memcached
+ GnuTLSCache dbm /var/cache/apache2/gnutls_cache
+
++ # Enable caching (used for ticket expiration even when GnuTLSCache is unused)
++ GnuTLSCacheTimeout 600
++
+ # mod_gnutls can optionaly use a memcached server to store SSL sessions.
+ # This is useful in a cluster environment, where you want all your servers to
+ # share a single SSL session cache
+ #GnuTLSCache memcache "127.0.0.1 server2.example.com server3.example.com"
+
++ # based on <https://blog.joelj.org/ecdsa-certificates-with-apache-2-4-lets-encrypt/>
++ # * only strong EC crypto suites supporting Perfect Forward Secrecy
++ # * supported by all SNI-capable browsers
++ # Options:
++ # * drop %SAFE_RENEGOTIATION for Safari 5.1.9 / OS X 10.6.8 support
++ # * add 3DES-CBS after AES-128-CBC for Android 2.3.7 support on non-SNI hosts
++ # * add CHACHA20-POLY1305 after ECDHE-ECDSA with libgnutls >= 3.4.0
++ GnuTLSPriorities NONE:+ECDHE-ECDSA:+AES-256-GCM:+AES-128-GCM:+AES-256-CBC:+AES-128-CBC:+AEAD:+SHA384:+SHA256:+SHA1:+CTYPE-X509:+VERS-TLS-ALL:-VERS-SSL3.0:+COMP-NULL:+CURVE-SECP384R1:+SIGN-ECDSA-SHA512:+SIGN-ECDSA-SHA384:+SIGN-ECDSA-SHA256:+SIGN-ECDSA-SHA224:%SERVER_PRECEDENCE:%SAFE_RENEGOTIATION
++
+ </IfModule>
diff --git a/apache2/mods-available/userdir.conf b/apache2/mods-available/userdir.conf
new file mode 100644
index 0000000..8cce3c0
--- /dev/null
+++ b/apache2/mods-available/userdir.conf
@@ -0,0 +1,3 @@
+# enable per-vhost instead...
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
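Review bot: The replacement comment `# enable per-vhost instead...` does not record which restrictions a vhost has to re-create once the global block is gone. The stock block it replaces (visible as the removed lines in userdir.conf.diff) carried `UserDir disabled root` plus the `AllowOverride`/`Options`/`<LimitExcept>` limits on `/home/*/public_html`, and none of that applies any more unless each vhost repeats it. Consider extending the comment to `# enable per-vhost instead; repeat "UserDir disabled root" and the <Directory /home/*/public_html> limits there`. Whether the vhost files already do this is not visible in this commit.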
diff --git a/apache2/mods-available/userdir.conf.diff b/apache2/mods-available/userdir.conf.diff
new file mode 100644
index 0000000..294e8fc
--- /dev/null
+++ b/apache2/mods-available/userdir.conf.diff
@@ -0,0 +1,21 @@
+--- userdir.conf.orig 2014-08-16 21:38:26.000000000 +0200
++++ userdir.conf 2014-11-04 19:18:06.000000000 +0100
+@@ -1,17 +1,3 @@
+-<IfModule mod_userdir.c>
+- UserDir public_html
+- UserDir disabled root
+-
+- <Directory /home/*/public_html>
+- AllowOverride FileInfo AuthConfig Limit Indexes
+- Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
+- <Limit GET POST OPTIONS>
+- Require all granted
+- </Limit>
+- <LimitExcept GET POST OPTIONS>
+- Require all denied
+- </LimitExcept>
+- </Directory>
+-</IfModule>
++# enable per-vhost instead...
+
+ # vim: syntax=apache ts=4 sw=4 sts=4 sr noet