From adea6485ea86d8e48ec53dfa9c91e10ab79cb57a Mon Sep 17 00:00:00 2001
From: Niels Abspoel
Date: Sun, 21 May 2017 23:31:24 +0200
Subject: [PATCH] update suse config file with latest changes
---
 apache/files/Suse/apache-2.4.config.jinja | 77 +++++++++++++++--------
 apache/map.jinja | 4 +-
 2 files changed, 53 insertions(+), 28 deletions(-)
diff --git a/apache/files/Suse/apache-2.4.config.jinja b/apache/files/Suse/apache-2.4.config.jinja
index 9f72a0a..4b2c40d 100644
--- a/apache/files/Suse/apache-2.4.config.jinja
+++ b/apache/files/Suse/apache-2.4.config.jinja
@@ -24,32 +24,32 @@
 # |
 # |-- uid.conf . . . . . . . . . . . . . . UserID/GroupID to run under
 # |-- server-tuning.conf . . . . . . . . . sizing of the server (how many processes to start, ...)
-# |-- sysconfig.d/loadmodule.conf . . . . . [*] load these modules
+# |-- loadmodule.conf . . . . . . . . . . . [*] load these modules
 # |-- listen.conf . . . . . . . . . . . . . IP adresses / ports to listen on
 # |-- mod_log_config.conf . . . . . . . . . define logging formats
-# |-- global.conf . . . . . . . . . . . . . server-wide general settings
+# |-- global.conf . . . . . . . . . . . . . [*] server-wide general settings
 # |-- mod_status.conf . . . . . . . . . . . restrict access to mod_status (server monitoring)
 # |-- mod_info.conf . . . . . . . . . . . . restrict access to mod_info
+# |-- mod_reqtimeout.conf . . . . . . . . . set timeout and minimum data rate for receiving requests
+# |-- mod_cgid-timeout.conf . . . . . . . . set CGIDScriptTimeout if mod_cgid is loaded/active
 # |-- mod_usertrack.conf . . . . . . . . . defaults for cookie-based user tracking
 # |-- mod_autoindex-defaults.conf . . . . . defaults for displaying of server-generated directory listings
 # |-- mod_mime-defaults.conf . . . . . . . defaults for mod_mime configuration
 # |-- errors.conf . . . . . . . . . . . . . customize error responses
 # |-- ssl-global.conf . . . . . . . . . . . SSL conf that applies to default server _and all_ virtual hosts
+# |-- protocols.conf . . . . . . . . . . . Protocol settings that applies to default server _and all_ virtual hosts
 # |
 # |-- default-server.conf . . . . . . . . . set up the default server that replies to non-virtual-host requests
 # | |--mod_userdir.conf . . . . . . . . enable UserDir (if mod_userdir is loaded)
 # | `--conf.d/apache2-manual?conf . . . add the docs ('?' = if installed)
 # |
-# |-- sysconfig.d/include.conf . . . . . . [*] your include files
-# | (for each file to be included here, put its name
-# | into APACHE_INCLUDE_* in /etc/sysconfig/apache2)
-# |
 # `-- vhosts.d/ . . . . . . . . . . . . . . for each virtual host, place one file here
 # `-- *.conf . . . . . . . . . . . . . (*.conf is automatically included)
 #
 #
-# Files marked [*] are created from sysconfig upon server restart: instead of
-# these files, you edit /etc/sysconfig/apache2
+# Files marked [*] are NOT read when server is started via systemd service. When server
+# is started via service, defaults from /etc/sysconfig/apache2 are taken into account.
+#
@@ -77,15 +77,14 @@
 # |-- mod_usertrack.conf
 # |-- server-tuning.conf
 # |-- ssl-global.conf
+# |-- protocols.conf
 # |-- ssl.crl/ . . . . . . . . . . . . . . PEM-encoded X.509 Certificate Revocation Lists (CRL)
 # |-- ssl.crt/ . . . . . . . . . . . . . . PEM-encoded X.509 Certificates
 # |-- ssl.csr/ . . . . . . . . . . . . . . PEM-encoded X.509 Certificate Signing Requests
 # |-- ssl.key/ . . . . . . . . . . . . . . PEM-encoded RSA Private Keys
 # |-- ssl.prm/ . . . . . . . . . . . . . . public DSA Parameter Files
-# |-- sysconfig.d/ . . . . . . . . . . . . files that are created from /etc/sysconfig/apache2
-# | |-- global.conf
-# | |-- include.conf
-# | `-- loadmodule.conf
+# |-- global.conf
+# |-- loadmodule.conf
 # |-- uid.conf
 # `-- vhosts.d/ . . . . . . . . . . . . . . put your virtual host configuration (*.conf) here
 # |-- vhost-ssl.template
@@ -112,8 +111,10 @@ Include /etc/apache2/server-tuning.conf
 # container, that host's errors will be logged there and not here.
 ErrorLog /var/log/apache2/error_log
-# generated from APACHE_MODULES in /etc/sysconfig/apache2
-Include /etc/apache2/sysconfig.d/loadmodule.conf
+# generated from default value of APACHE_MODULES in /etc/sysconfig/apache2
+
+ Include /etc/apache2/loadmodule.conf
+
 # IP addresses / ports to listen on
 Include /etc/apache2/listen.conf
@@ -121,13 +122,29 @@ Include /etc/apache2/listen.conf
 # predefined logging formats
 Include /etc/apache2/mod_log_config.conf
-# global settings managed by salt
-Include /etc/apache2/global.conf
+# generated from default values of global settings in /etc/sysconfig/apache2
+
+ Include /etc/apache2/global.conf
+
 # optional mod_status, mod_info
 Include /etc/apache2/mod_status.conf
 Include /etc/apache2/mod_info.conf
+# mod_reqtimeout protects the server from the so-called "slowloris"
+# attack: The server is not swamped with requests in fast succession,
+# but with slowly transmitted request headers and body, thereby filling up
+# the request slots until the server runs out of them.
+# mod_reqtimeout is lightweight and should deliver good results
+# with the configured default values. You shouldn't notice it at all.
+Include /etc/apache2/mod_reqtimeout.conf
+
+# Fix for CVE-2014-0231 introduces new configuration parameter
+# CGIDScriptTimeout. This directive and its effect prevent request
+# workers to be eaten until starvation if cgi programs do not send
+# output back to the server within the timout set by CGIDScriptTimeout.
+Include /etc/apache2/mod_cgid-timeout.conf
+
 # optional cookie-based user tracking
 # read the documentation before using it!!
 Include /etc/apache2/mod_usertrack.conf
@@ -146,18 +163,34 @@ Include /etc/apache2/errors.conf
 # any virtual host
 Include /etc/apache2/ssl-global.conf
+# global (server-wide) protocol configuration, that is not specific
+# to any virtual host
+Include /etc/apache2/protocols.conf
+
 # forbid access to the entire filesystem by default
 Options None
 AllowOverride None
- Require all denied
+
+ Require all denied
+
+
+ Order deny,allow
+ Deny from all
+
 # use .htaccess files for overriding,
 AccessFileName .htaccess
 # and never show them
- Require all denied
+
+ Require all denied
+
+
+ Order allow,deny
+ Deny from all
+
 # List of resources to look for when the client requests a directory
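Review bot: The new `Include /etc/apache2/mod_reqtimeout.conf` and `Include /etc/apache2/mod_cgid-timeout.conf` lines in this hunk (and `Include /etc/apache2/protocols.conf` in the next one) are unconditional, and Apache 2.4 treats an `Include` that matches no file as a fatal configuration error, so httpd will refuse to start on a SUSE target whose apache2 package does not ship those files and where the formula does not manage them. If the formula does not deploy the three files itself, `IncludeOptional /etc/apache2/mod_reqtimeout.conf` (and the same form for the other two) keeps the request-timeout and CGI-timeout hardening where the files exist without turning an older host into an outage; if it does deploy them, a comment saying so next to the includes would settle the question for the next reader. Separately, replacing `# global settings managed by salt` with the sysconfig wording removes the only hint in this section that the file is a Salt-rendered template; if global.conf is still rendered by the formula, keep a line such as `# global.conf is managed by salt; /etc/sysconfig/apache2 is not consulted here`.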
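Review bot: The two compatibility fallbacks added under the `Require all denied` blocks use different orderings, `Order deny,allow` for the filesystem root and `Order allow,deny` for the .htaccess files; with only `Deny from all` present both evaluate to deny, but the inconsistency reads as an oversight, and `Order deny,allow` followed by `Deny from all` in both places makes the intent uniform. The lone `+` lines surrounding these directives look like container directives whose angle-bracket markup this page has lost, so the condition guarding each fallback cannot be checked here; it is worth confirming in the file that the `Order`/`Deny` pair is only evaluated when mod_access_compat is loaded, because on 2.4 without that module those directives are unknown commands and the server will not start.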
@@ -177,14 +210,6 @@ DirectoryIndex index.html index.html.var
 Include /etc/apache2/default-server.conf
-# Another way to include your own files
-#
-# The file below is generated from /etc/sysconfig/apache2,
-# include arbitrary files as named in APACHE_CONF_INCLUDE_FILES and
-# APACHE_CONF_INCLUDE_DIRS
-Include /etc/apache2/sysconfig.d/include.conf
-
-
 ### Virtual server configuration ############################################
 #
 # VirtualHost: If you want to maintain multiple domains/hostnames on your
diff --git a/apache/map.jinja b/apache/map.jinja
index 70d4b43..404c832 100644
--- a/apache/map.jinja
+++ b/apache/map.jinja
@@ -74,8 +74,8 @@
 'Suse': {
 'server': 'apache2',
 'service': 'apache2',
- 'user': 'apache',
- 'group': 'apache',
+ 'user': 'wwwrun',
+ 'group': 'www',
 'configfile': '/etc/apache2/httpd.conf',
 'mod_wsgi': 'apache2-mod_wsgi',