From 61137eeaa6a78fb2351334b3a8a83c0b3644fd0c Mon Sep 17 00:00:00 2001
From: Robert Utnehmer <rutnehmer@inoxio.de>
Date: Wed, 02 Mar 2016 05:39:50 -0500
Subject: [PATCH] Fix #3787 Remove wrong fastcgi_param SCRIPT_FILENAME for Mailman in nginx_apps.vhost.master
---
server/conf/vhost.conf.master | 72 +++++++++++++++++++++++++++++++----
1 files changed, 63 insertions(+), 9 deletions(-)
diff --git a/server/conf/vhost.conf.master b/server/conf/vhost.conf.master
index a65f1d2..230f089 100644
--- a/server/conf/vhost.conf.master
+++ b/server/conf/vhost.conf.master
@@ -1,3 +1,4 @@
+<tmpl_hook name='apache2_vhost:header'>
<Directory {tmpl_var name='web_basedir'}/{tmpl_var name='domain'}>
AllowOverride None
@@ -9,8 +10,9 @@
</tmpl_if>
</Directory>
-<tmpl_loop name="vhosts">
+<tmpl_loop name='vhosts'>
<VirtualHost {tmpl_var name='ip_address'}:{tmpl_var name='port'}>
+<tmpl_hook name='apache2_vhost:vhost_header'>
<tmpl_if name='php' op='==' value='suphp'>
DocumentRoot <tmpl_var name='web_document_root'>
</tmpl_else>
@@ -51,12 +53,23 @@
<IfModule mod_ssl.c>
<tmpl_if name='ssl_enabled'>
- SSLEngine on
+ SSLEngine on
+ SSLProtocol All -SSLv2 -SSLv3
+ SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
+ SSLHonorCipherOrder on
+ <IfModule mod_headers.c>
+ Header always add Strict-Transport-Security "max-age=15768000"
+ </IfModule>
SSLCertificateFile <tmpl_var name='document_root'>/ssl/<tmpl_var name='ssl_domain'>.crt
SSLCertificateKeyFile <tmpl_var name='document_root'>/ssl/<tmpl_var name='ssl_domain'>.key
<tmpl_if name='has_bundle_cert'>
<tmpl_if name='apache_version' op='<' value='2.4.8' format='version'>
SSLCertificateChainFile <tmpl_var name='document_root'>/ssl/<tmpl_var name='ssl_domain'>.bundle
+ </tmpl_if>
+ <tmpl_if name='apache_version' op='>=' value='2.4' format='version'>
+ SSLUseStapling on
+ SSLStaplingResponderTimeout 5
+ SSLStaplingReturnResponderErrors off
</tmpl_if>
</tmpl_if>
</tmpl_if>
@@ -203,6 +216,9 @@
<tmpl_if name='php' op='==' value='mod'>
# mod_php enabled
AddType application/x-httpd-php .php .php3 .php4 .php5
+ SetEnv TMP <tmpl_var name='document_root'>/tmp
+ SetEnv TMPDIR <tmpl_var name='document_root'>/tmp
+ SetEnv TEMP <tmpl_var name='document_root'>/tmp
php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -fwebmaster@<tmpl_var name='domain'>"
php_admin_value upload_tmp_dir <tmpl_var name='document_root'>/tmp
php_admin_value session.save_path <tmpl_var name='document_root'>/tmp
@@ -231,9 +247,16 @@
# php as cgi enabled
ScriptAlias /php5-cgi <tmpl_var name='cgi_starter_path'><tmpl_var name='cgi_starter_script'>
Action php5-cgi /php5-cgi
- <FilesMatch "\.php[345]?$">
- SetHandler php5-cgi
- </FilesMatch>
+ <Directory {tmpl_var name='web_document_root_www'}>
+ <FilesMatch "\.php[345]?$">
+ SetHandler php5-cgi
+ </FilesMatch>
+ </Directory>
+ <Directory {tmpl_var name='web_document_root'}>
+ <FilesMatch "\.php[345]?$">
+ SetHandler php5-cgi
+ </FilesMatch>
+ </Directory>
<Directory {tmpl_var name='cgi_starter_path'}>
<tmpl_if name='apache_version' op='>' value='2.2' format='version'>
Require all granted
@@ -263,7 +286,7 @@
ProcessLifeTime 3600
# MaxProcessCount 1000
DefaultMinClassProcessCount 0
- DefaultMaxClassProcessCount 100
+ DefaultMaxClassProcessCount 10
IPCConnectTimeout 3
IPCCommTimeout 600
BusyTimeout 3600
@@ -328,6 +351,9 @@
Alias /php5-fcgi {tmpl_var name='document_root'}/cgi-bin/php5-fcgi-{tmpl_var name='ip_address'}-{tmpl_var name='port'}-{tmpl_var name='domain'}
<tmpl_if name='use_tcp'>
FastCgiExternalServer {tmpl_var name='document_root'}/cgi-bin/php5-fcgi-{tmpl_var name='ip_address'}-{tmpl_var name='port'}-{tmpl_var name='domain'} -idle-timeout 300 -host 127.0.0.1:<tmpl_var name='fpm_port'> -pass-header Authorization
+ <IfModule mod_proxy_fcgi.c>
+ ProxyPassMatch ^/(.*\.php[345]?(/.*)?)$ fcgi://127.0.0.1:<tmpl_var name='fpm_port'><tmpl_var name='web_document_root'>/$1
+ </IfModule>
</tmpl_if>
<tmpl_if name='use_socket'>
FastCgiExternalServer {tmpl_var name='document_root'}/cgi-bin/php5-fcgi-{tmpl_var name='ip_address'}-{tmpl_var name='port'}-{tmpl_var name='domain'} -idle-timeout 300 -socket <tmpl_var name='fpm_socket'> -pass-header Authorization
@@ -369,25 +395,41 @@
<tmpl_if name="rewrite_enabled">
RewriteEngine on
+<tmpl_if name='apache_version' op='>' value='2.2' format='version'>
+ RewriteEngine on
+ RewriteCond %{REQUEST_URI} ^/\.well-known/acme-challenge/
+ RewriteRule ^ - [END]
+</tmpl_if>
<tmpl_if name='seo_redirect_enabled'>
RewriteCond %{HTTP_HOST} <tmpl_var name='seo_redirect_operator'>^<tmpl_var name='seo_redirect_origin_domain'>$ [NC]
- RewriteRule ^(.*)$ http<tmpl_if name='ssl_enabled'>s</tmpl_if>://<tmpl_var name='seo_redirect_target_domain'>$1 [R=301,L]
+ <tmpl_if name='apache_version' op='<' value='2.4' format='version'>RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/</tmpl_if>
+ RewriteRule ^(.*)$ http<tmpl_if name='ssl_enabled'>s</tmpl_if>://<tmpl_var name='seo_redirect_target_domain'>$1 [R=301,NE,L]
</tmpl_if>
<tmpl_loop name="alias_seo_redirects">
RewriteCond %{HTTP_HOST} <tmpl_var name='alias_seo_redirect_operator'>^<tmpl_var name='alias_seo_redirect_origin_domain'>$ [NC]
- RewriteRule ^(.*)$ http<tmpl_if name='ssl_enabled'>s</tmpl_if>://<tmpl_var name='alias_seo_redirect_target_domain'>$1 [R=301,L]
+ <tmpl_if name='apache_version' op='<' value='2.4' format='version'>RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/</tmpl_if>
+ RewriteRule ^(.*)$ http<tmpl_if name='ssl_enabled'>s</tmpl_if>://<tmpl_var name='alias_seo_redirect_target_domain'>$1 [R=301,NE,L]
</tmpl_loop>
<tmpl_loop name="redirects">
RewriteCond %{HTTP_HOST} <tmpl_var name='rewrite_domain'>$ [NC]
+ <tmpl_if name='apache_version' op='<' value='2.4' format='version'>RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/</tmpl_if>
<tmpl_if name="rewrite_is_url" op="==" value="n">
RewriteCond %{REQUEST_URI} !^/webdav/
RewriteCond %{REQUEST_URI} !^/php5-fcgi/
RewriteCond %{REQUEST_URI} !^<tmpl_var name='rewrite_target'>
</tmpl_if>
- RewriteRule ^/(.*)$ <tmpl_var name='rewrite_target'><tmpl_if name="rewrite_add_path" op="==" value="y">$1</tmpl_if> <tmpl_if name='rewrite_type' value=''><tmpl_if name="rewrite_is_url" op="==" value="n">[PT]</tmpl_if></tmpl_else><tmpl_var name='rewrite_type'></tmpl_if>
+ RewriteRule ^/(.*)$ <tmpl_var name='rewrite_target'><tmpl_if name="rewrite_add_path" op="==" value="y">$1</tmpl_if> <tmpl_var name='rewrite_type'>
</tmpl_loop>
+<tmpl_if name='ssl_enabled'>
+<tmpl_else>
+<tmpl_if name='rewrite_to_https' op='==' value='y'>
+ RewriteCond %{HTTPS} off
+ <tmpl_if name='apache_version' op='<' value='2.4' format='version'>RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/</tmpl_if>
+ RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
+</tmpl_if>
+</tmpl_if>
</tmpl_if>
# add support for apache mpm_itk
@@ -414,5 +456,17 @@
</IfModule>
<tmpl_var name='apache_directives'>
+<tmpl_hook name='apache2_vhost:vhost_footer'>
</VirtualHost>
+
+<tmpl_if name='apache_version' op='>=' value='2.4' format='version'>
+<tmpl_if name='ssl_enabled'>
+<IfModule mod_ssl.c>
+ SSLStaplingCache shmcb:/var/run/ocsp(128000)
+</IfModule>
+</tmpl_if>
+</tmpl_if>
+
</tmpl_loop>
+
+<tmpl_hook name='apache2_vhost:footer'>
--
Gitblit v1.9.1