# HG changeset patch
# User Matthias Förste
# Date 1485788039 -3600
# Node ID 85a89053a2798b13dc7691615531ad33474c7445
# Parent a14d0bfd2e21b7efa0a5c32eaa730e95641e7e49
[moved to git]
diff -r a14d0bfd2e21 -r 85a89053a279 .hgignore
--- a/.hgignore Tue Jul 15 15:39:57 2014 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,8 +0,0 @@
-syntax regexp:
-
-^TODO$
-^ius-dav-htpasswd\.conf$
-^_build|blib
-^Build$
-^MYMETA\.(json|yml)$
-^libius-dav-htpasswd-perl-deps_.+_all\.deb$
diff -r a14d0bfd2e21 -r 85a89053a279 .hgtags
--- a/.hgtags Tue Jul 15 15:39:57 2014 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,1 +0,0 @@
-460f4d75e40385570f12cc950dc4ed013c4b0793 0.2
diff -r a14d0bfd2e21 -r 85a89053a279 Build.PL
--- a/Build.PL Tue Jul 15 15:39:57 2014 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,72 +0,0 @@
-#!/usr/bin/perl
-
-use Module::Build;
-
-my $builder = Module::Build->subclass(
- class => 'My::Module::Build',
- code => <<'___CODE',
- use strict;
- use warnings;
- use File::Temp;
- sub ACTION_equivs {
- my $self = shift;
- my %provides = (
- 'POSIX' => 'perl-base',
- 'File::Path' => 'perl-modules',
- );
- my %deps = ( ( map { (my $d = $_ ) =~ s/::/-/g;
- defined $provides{$_} ? $provides{$_} : 'lib' . lc $d . '-perl'
- => $self->requires->{$_} == 0 ? '' : ' (>= ' . $self->requires->{$_} . ')'
- } keys %{$self->requires} ),
- );
- my $c = new File::Temp or die "Can't tempfile";
- print $c "Package: libius-dav-htpasswd-perl-deps\n";
- print $c 'Depends: ', join ', ', map { "$_$deps{$_}" } keys %deps;
- system('equivs-build', $c->filename);
- }
- sub ACTION_install {
- my $self = shift;
- my $h = ($self->install_path('cgi-bin') =~ m|^(.*)/cgi-bin$|)[0] ;
- my $u = my $g = ($h =~ m|/([^/]+)$|)[0];
- system(qw(chown -R), "$u:$g", $h) == 0
- or die "Can't 'chown -R $u:$g $h': $!";
- { no warnings 'qw';
- system(qw(chmod -R go=,-st), $h) == 0
- or die "Can't 'chmod -R go=,-st $h";
- }
- $self->SUPER::ACTION_install;
- }
- sub get_metadata {
- my ($self, @args) = @_;
- my $data = $self->SUPER::get_metadata(@args);
- # workaround double utf encoded characters in MYMETA.{yml,json} ('ö'
- # instead of 'ö' for example): the author name is taken from the pod in
- # lib/Ius/Dav/Htpasswd.pm and the pod parser used by Module::Build is
- # assuming latin1 despite the '=encoding' command
- use Encode;
- map { $_ = decode('utf8', $_); } @{$data->{author}} if defined $data->{author};
- return $data;
- }
-___CODE
-);
-
-my $build = $builder->new(
- module_name => 'Ius::Dav::Htpasswd',
- license => 'gpl',
- create_license => 1,
- requires => {
- 'Apache::Htpasswd' => 0,
- 'AppConfig' => 0,
- 'File::Path' => 0,
- 'POSIX' => 0,
- 'String::MkPasswd' => 0
- },
- script_files => [ glob 'bin/*' ],
- cgi_files =>
- { map { /\.(bak|orig)$/ ?
() : ( $_ => $_ ) } glob 'cgi-bin/*' }
-);
-$build->add_build_element('cgi');
-$build->install_path(
- 'cgi-bin' => $build->original_prefix( $build->installdirs )
- . '/lib/ius-dav-htpasswd/cgi-bin' );
-$build->create_build_script;
diff -r a14d0bfd2e21 -r 85a89053a279 MANIFEST.SKIP
--- a/MANIFEST.SKIP Tue Jul 15 15:39:57 2014 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,21 +0,0 @@
-#!include_default
-# Avoid configuration metadata file
-^MYMETA\.
-
-# Avoid Module::Build generated and utility files.
-\bBuild$
-\bBuild.bat$
-\b_build
-\bBuild.COM$
-\bBUILD.COM$
-\bbuild.com$
-^MANIFEST\.SKIP
-
-# Avoid archives of this distribution
-\bIus-Dav-Htpasswd-[\d\.\_]+
-
-^\.hg(ignore|tags)$
-^libius-dav-htpasswd-perl-deps_.+_all\.deb$
-^TODO$
-^ius-dav-htpasswd\.conf$
-\.(bak|orig)$
diff -r a14d0bfd2e21 -r 85a89053a279 README
--- a/README Tue Jul 15 15:39:57 2014 +0200
+++ b/README Mon Jan 30 15:53:59 2017 +0100
@@ -1,40 +1,1 @@
-Installation (on debian):
-
- * install dependencies
- # perl ./Build.PL && ./Build equivs
- # dpkg -i libius-dav-htpasswd-perl-deps_*_all.deb
- # aptitude install
- # aptitude install apache2-mpm-itk sudo
-
- * preinst
- # mkdir -p $PREFIX/lib/ius-dav-htpasswd
- # useradd -d $PREFIX/lib/ius-dav-htpasswd -r -U -s /bin/true ius-dav-htpasswd
- # passwd -l ius-dav-htpasswd
-
- * installation
-
- # perl ./Build.PL && ./Build test && ./Build install
-
- * configuration
-
- # visudo
-
- [...]
-
- ius-dav-htpasswd debian-lenny = (root) NOPASSWD: $PREFIX/bin/ius-dav-htuseradd, $PREFIX/bin/ius-dav-htuserdel
-
- [...]
-
- # a2enmod dav_fs
- # $EDITOR /etc/apache2/sites-available/ius-dav # see ssl-dav-vhost-apache-example.conf
- # $EDITOR /etc/apache2/sites-available/ius-dav-htpasswd # see ssl-admin-vhost-apache-example.conf
- # htpasswd [-c] $PREFIX/etc/ius-dav-htpasswd/htpasswd.admin ius-dav-htpasswd-admin
- # htpasswd -c $PREFIX/etc/ius-dav-htpasswd/htpasswd.dav ius-dav-htpasswd-master # when using a master user
-
- # ln -s $PREFIX/bin/ius-dav-htuserexpiry /etc/cron.daily/
-
- # $EDITOR /path/to/ius-dav-htpasswd.conf
-
- * nach dist-upgrade:
-
- # ./Build install uninst=1
+Ist jetzt im git.
diff -r a14d0bfd2e21 -r 85a89053a279 bin/ius-dav-htuseradd
--- a/bin/ius-dav-htuseradd Tue Jul 15 15:39:57 2014 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,50 +0,0 @@
-#!/usr/bin/perl
-
-# Copyright (C) 2011 Matthias Förste
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
-#
-# Matthias Förste
-
-use strict;
-use warnings;
-
-use Ius::Dav::Htpasswd qw(mkpasswd readconfig useradd usage);
-
-use Getopt::Long;
-use Pod::Usage;
-
-my ( $user, $expiry, $pass );
-
-GetOptions(
- 'u|user=s' => \$user,
- 'e|expiry=i' => \$expiry,
- 'h|help' => sub { usage( -exit => 0, -verbose => 1 ) },
- 'm|man' => sub {
- usage(
- -exit => 0,
-
- # "system('perldoc -V &>/dev/null')" appears shorter, but may not
- # do what you expect ( it still returns 0 on debian squeeze with
- # dash as system shell even if cannot find the command in $PATH)
- -noperldoc => system('perldoc -V >/dev/null 2>&1'),
- -verbose => 2
- );
- },
- )
- and defined $user
- or usage;
-
-$pass = useradd readconfig, $user, mkpasswd, $expiry;
-print "$pass\n";
diff -r a14d0bfd2e21 -r 85a89053a279 bin/ius-dav-htuserdel
--- a/bin/ius-dav-htuserdel Tue Jul 15 15:39:57 2014 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,42 +0,0 @@
-#!/usr/bin/perl
-
-# Copyright (C) 2011 Matthias Förste
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
-#
-# Matthias Förste
-
-use strict;
-use warnings;
-
-use Getopt::Long;
-use Ius::Dav::Htpasswd qw(readconfig userdel usage);
-
-my $user;
-
-GetOptions(
- 'u|user=s' => \$user,
- "h|help" => sub { usage( -verbose => 0, -exitval => 0 ) },
- "m|man" => sub {
- usage(
- -verbose => 2,
- -exitval => 0,
- -noperldoc => ( `perldoc -V 2>/dev/null`, $? != 0 )[-1]
- );
- },
- )
- and defined $user
- or usage();
-
-exit userdel readconfig, $user;
diff -r a14d0bfd2e21 -r 85a89053a279 bin/ius-dav-htuserexpiry
--- a/bin/ius-dav-htuserexpiry Tue Jul 15 15:39:57 2014 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,43 +0,0 @@
-#!/usr/bin/perl
-
-# Copyright (C) 2011 Matthias Förste
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
-#
-# Matthias Förste
-
-use strict;
-use warnings;
-
-use Ius::Dav::Htpasswd qw(readconfig userexpiry usage);
-
-use Getopt::Long;
-use Pod::Usage;
-
-GetOptions(
- 'h|help' => sub { usage( -exit => 0, -verbose => 1 ) },
- 'm|man' => sub {
- usage(
- -exit => 0,
-
- # "system('perldoc -V &>/dev/null')" appears shorter, but may not
- # do what you expect ( it still returns 0 on debian squeeze with
- # dash as system shell even if cannot find the command in $PATH)
- -noperldoc => system('perldoc -V >/dev/null 2>&1'),
- -verbose => 2
- );
- },
-) or usage;
-
-exit userexpiry readconfig;
diff -r a14d0bfd2e21 -r 85a89053a279 cgi-bin/ius-dav-htuseradd.cgi
--- a/cgi-bin/ius-dav-htuseradd.cgi Tue Jul 15 15:39:57 2014 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,106 +0,0 @@ -#!/usr/bin/perl - -# Copyright (C) 2011 Matthias Förste -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . -# -# Matthias Förste - -use warnings; - -# Using CGI::Fast will result in an Internal Server Error because we are -# restarting apache when everything else works -# use CGI::Fast; -use CGI; -use Ius::Dav::Htpasswd qw(mkpasswd readconfig useradd); - -my $css = <header( -charset => 'UTF-8' ); -print $q->start_html( - -title => $title, - -style => { -code => $css }, - -onload => q{document.forms['passwd'].elements['user'].focus();} - ), - $q->h3( { -id => 'header' }, $title ), - $q->hr; - -my $p; -$p->{$_} = $q->param($_) for qw(user expiry add del); - -print $q->start_form( -id => 'passwd' ), - $q->table( - $q->Tr( $q->td('Nutzername'), $q->td( $q->textfield('user') ) ), - $q->Tr( - $q->td('Gültigkeitsdauer in Tagen (default: 1)'), - $q->td( $q->textfield('expiry') ) - ), - $q->Tr( - $q->td( $q->submit( { -name => 'add', -value => 'Anlegen' } ) ), - $q->td( $q->submit( { -name => 'del', -value => 'Löschen' } ) ) - ) - ), - $q->end_form; - -my $doit = 0; - -my $conf = readconfig or die "Can't readconfig"; - -if ( defined $p->{add} and $p->{add} ne '' ) { - - print $q->hr; - my @cmd = ( qw(sudo ius-dav-htuseradd -u), $p->{user} ); - push @cmd, '-e', $p->{expiry} - if defined $p->{expiry} and $p->{expiry} ne ''; - - if ( my $pass = qx(@cmd) ) { - - my $url = 
"$conf->{dav_base_remote}/$p->{user}"; - - chomp $pass; - - print $q->table( - $q->Tr( - $q->td('Url:'), $q->td( $q->a( { -href => $url }, $url ) ) - ), - $q->Tr( $q->td('Passwort:'), $q->td($pass) ) - ); - - } - else { - print $q->p('Something went wrong'); - } - -} -elsif ( defined $p->{del} and $p->{del} ne '' ) { - - my @cmd = ( qw(sudo ius-dav-htuserdel -u), $p->{user} ); - print $q->hr, $q->p('Something went wrong') if system @cmd; - -} - -print $q->hr, $q->end_html; diff -r a14d0bfd2e21 -r 85a89053a279 ius-dav-htpasswd.conf.ex --- a/ius-dav-htpasswd.conf.ex Tue Jul 15 15:39:57 2014 +0200 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,33 +0,0 @@ -# expire user after this many days per default -expiry = 1 - -# don't accept arguments less than expiry_min to the --expiry option -expiry_min = 1 - -# don't accept arguments greater than expiry_max to the --expiry option -expiry_max = 56 - - -# user directories will be placed below dav_base_local -dav_base_local = /srv/ius-dav - -# the username will be prefixed with dav_base_remote when displaying the uri -# for the directory of a newly created user (you can omit the trailing slash) -dav_base_remote = https://hostname/ - -# where to place/look for the htpasswd; note that we may want a different -# htpasswd file in the same directory to limit access to the admin cgi script -htpasswd = /usr/local/etc/ius-dav-htpasswd/htpasswd.dav - -# where to place/look for configuration snippets -conf_d = /usr/local/etc/ius-dav-htpasswd/apache.d - - -# webserver user -www_user = www-data - -# webserver group -www_group = www-data - -# master user with access to all directories (optional) -master_user = davius diff -r a14d0bfd2e21 -r 85a89053a279 lib/Ius/Dav/Htpasswd.pm --- a/lib/Ius/Dav/Htpasswd.pm Tue Jul 15 15:39:57 2014 +0200 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,329 +0,0 @@ - -# Copyright (C) 2011 Matthias Förste -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . -# -# Matthias Förste - -=encoding utf8 -=cut - -package Ius::Dav::Htpasswd; - -use strict; -use warnings; - -use Apache::Htpasswd qw(); -use AppConfig qw(); -use File::Path qw(rmtree); -use POSIX qw(); -use String::MkPasswd qw(); - -BEGIN { - - our ( $VERSION, @ISA, @EXPORT_OK ); - use Exporter; - - # set the version for version checking - $VERSION = 0.2; - - @ISA = qw(Exporter); - @EXPORT_OK = qw(readconfig mkpasswd useradd userdel userexpiry usage); -} - -sub usage { - - use Pod::Usage; - use Pod::Find qw(pod_where); - - pod2usage( -input => pod_where( { -inc => 1 }, __PACKAGE__ ), @_ ); - -} - -sub readconfig { - - my $conf = new AppConfig( - qw( - expiry=i - expiry_min=i - expiry_max=i - dav_base_local=s - dav_base_remote=s - htpasswd=s - conf_d=s - www_user=s - www_group=s - master_user=s) - ) or die 'Failed to read config!'; - $conf->file($_) - for grep -e, map "$_/ius-dav-htpasswd.conf", - qw(/etc/ius-dav-htpasswd /usr/local/etc/ius-dav-htpasswd ~/.ius-dav-htpasswd .); - return { $conf->varlist('.') }; - -} - -sub validate { - - my ( $conf, $user, $expiry ) = @_; - - return unless $user =~ /^[[:alnum:]_]+$/; - - if ( defined $expiry ) { - return unless $expiry =~ /^[0-9]+$/; - return - unless $expiry >= $conf->{expiry_min} - and $expiry <= $conf->{expiry_max}; - } - - return 1; - -} - -sub 
useradd { - - my ( $conf, $user, $pass, $expiry ) = @_; - - for ( - qw(expiry expiry_min expiry_max dav_base_local htpasswd conf_d www_user www_group) - ) - { - die "Can't determine '$_' - please check configuration" - unless defined $conf->{$_}; - } - - $expiry = $conf->{expiry} unless defined $expiry and $expiry ne ''; - die 'Invalid input' unless validate $conf, $user, $expiry; - - my $user_dir = "$conf->{dav_base_local}/$user"; - mkdir "$user_dir" or die "Can't mkdir '$user_dir': $!"; - - my ( $www_user, $www_group ) = @{$conf}{qw(www_user www_group)}; - my $www_uid = getpwnam $www_user or die "Can't getpwnam '$www_user'"; - my $www_gid = getgrnam $www_group or die "Can't getgrnam '$www_group'"; - chown $www_uid, $www_gid, "$user_dir" - or die "Can't chown, '$www_uid', '$www_gid', '$user_dir': $!"; - - my $htpasswd_file = $conf->{htpasswd}; - unless ( -e $htpasswd_file ) { - open H, '>>', $htpasswd_file or die "Can't create '$htpasswd_file': $!"; - close H; - } - - my $htpasswd = new Apache::Htpasswd $htpasswd_file; - $htpasswd->htpasswd( $user, $pass ) - or die $htpasswd->error; - $htpasswd->writeInfo( $user, time + 24 * 60 * 60 * $expiry ) - or die $htpasswd->error; - - my $master_user = $conf->{master_user}; - my $conf_file = "$conf->{conf_d}/$user.conf"; - (my $loc = $conf->{dav_base_remote}) =~ s|^[^:]+://[^/]+||; - $loc .= "/$user"; - open C, '>', $conf_file or die "Can't open '$conf_file': $!"; - print C < - Dav On - Order Allow,Deny - Allow From All - AuthType Basic - AuthName "$user" - AuthUserFile "$htpasswd_file" - Require user $master_user $user - # don't allow script execution - Options Indexes - AllowOverride None - - - Order Allow,Deny - Allow From All - -# vi:ft=apache -EOC - close C; - - 0 == system qw(apache2ctl graceful) - or die "Can't 'apache2ctl graceful'!"; - - return $pass; - -} - -sub mkpasswd { return String::MkPasswd::mkpasswd -minspecial => 0; } - -sub userdel { - - my ( $conf, $user ) = @_; - - my $rc = 0; - - for (qw(dav_base_local 
htpasswd conf_d)) { - die "Can't determine '$_' - please check configuration" - unless defined $conf->{$_}; - } - - # avoid 'Found = in conditional, should be ==' warnings - no warnings qw(syntax); - my $user_dir = "$conf->{dav_base_local}/$user"; - my $err; - rmtree( $user_dir, error => $err ) - or $rc = -1 - and warn "Error(s) occurred during rmtree '$user_dir': ", - defined $err ? @{$err} : ''; - - my $htpasswd_file = $conf->{htpasswd}; - my $htpasswd = new Apache::Htpasswd $htpasswd_file; - $htpasswd->htDelete($user) - or $rc = -1 and warn "Can't htdelete '$user': ", $htpasswd->error; - - my $conf_file = "$conf->{conf_d}/$user.conf"; - unlink $conf_file - or $rc = -1 and warn "Can't unlink '$conf_file': $!"; - - 0 == system qw(apache2ctl graceful) - or $rc = -1 and warn "Can't 'apache2ctl graceful'!"; - - return $rc; - -} - -sub userexpiry { - - my ($conf) = @_; - - my $rc = 0; - - for (qw(htpasswd)) { - die "Can't determine '$_' - please check configuration" - unless defined $conf->{$_}; - } - - my $htpasswd_file = $conf->{htpasswd}; - my $htpasswd = new Apache::Htpasswd $htpasswd_file; - # empty @users does not indicate failure - my @users = $htpasswd->fetchUsers; - my $now = time; - - for my $u (@users) { - if ( my $e = $htpasswd->fetchInfo($u) ) { - userdel( $conf, $u ) - and warn "Error(s) occured during 'userdel $conf, $u'\n" - if $now >= $e; - } - else { - warn "Can't get expiry for '$u': ", $htpasswd->error, "\n"; - } - } - - return $rc; - -} - -1; - -__END__ - -=pod - -=head1 NAME - -ius-dav-useradd - -ius-dav-useradd.cgi - -ius-dav-userdel - -ius-dav-userexpiry - -Ius::Dav::Htpasswd - Add dav users to htpasswd and remove them after -expiration. - -=head1 SYNOPSIS - -ius-dav-useradd - -u|--user user - [-e|--expiry expiry] - -ius-dav-userdel - -u|--user user - -ius-dav-userexpiry - -common options - [-m|--man] - [-h|--help] - -=head1 DESCRIPTION - -=head2 ius-dav-useradd - -Make a directory for the user. 
Chown that directory to the webserver user and -group. Add the user to an htpasswd file. Add expiry information to that -htpasswd file. Place a config snippet for the users directory inside a -directory (which is included from the apache config). Reload apache. - -=head2 ius-dav-useradd.cgi - -This is a CGI Wrapper around ius-dav-useradd. - -=head2 ius-dav-userdel - -Removes the directory of the user. Removes the user from the htpasswd file. -Removes the config snippet for the users directory. Reload apache. - -=head2 ius-dav-userexpiry - -Check the htpasswd file and run deletion for any expired users found. - -=head1 OPTIONS - -=over - -=item B<-u|--user> I - -The name of the user to add or remove. - -=item B<-e|--expiry> I - -The time in days after which an added user will expire. Defaults to 1. - -=back - -=head1 FILES - -F - -F - -F<~/.ius-dav-htpasswd/ius-dav-htpasswd.conf> - -F<./ius-dav-htpasswd.conf> - -F - -F - -F - -=head1 REQUIRES - -Several perl modules (should be installed automatically). Some kind of cron -daemon to run the user expiry is recommended. - -=head1 AUTHOR - -Matthias Förste - -=cut - -# vim:sts=4 sw=4 aw ai sm: diff -r a14d0bfd2e21 -r 85a89053a279 ssl-admin-vhost-apache-example.conf --- a/ssl-admin-vhost-apache-example.conf Tue Jul 15 15:39:57 2014 +0200 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,63 +0,0 @@ -# replace $PREFIX (usually with /usr or /usr/local) - -# note that you will need a wildcard certificate if you want namebased virtual -# hosts + ssl - - - DocumentRoot "$PREFIX/lib/ius-dav-htpasswd/cgi-bin" - AssignUserId "ius-dav-htpasswd" "ius-dav-htpasswd" - - ServerAdmin webmaster@localhost - ServerName ius-dav-htpasswd.domain.tld - - ErrorLog /var/log/apache2/error.log - LogLevel warn - CustomLog /var/log/apache2/ius-dav-htpasswd.domain.tld/ssl_access.log combined - - SSLEngine on - SSLCertificateFile /etc/ssl/certs/wildcard-certificate.pem - SSLCertificateKeyFile /etc/ssl/private/key-for-wildcard-certificate.pem - - # SSL Protocol Adjustments: - # The safe and default but still SSL/TLS standard compliant shutdown - # approach is that mod_ssl sends the close notify alert but doesn't wait for - # the close notify alert from client. When you need a different shutdown - # approach you can use one of the following variables: - # o ssl-unclean-shutdown: - # This forces an unclean shutdown when the connection is closed, i.e. no - # SSL close notify alert is send or allowed to received. This violates - # the SSL/TLS standard but is needed for some brain-dead browsers. Use - # this when you receive I/O errors because of the standard approach where - # mod_ssl sends the close notify alert. - # o ssl-accurate-shutdown: - # This forces an accurate shutdown when the connection is closed, i.e. a - # SSL close notify alert is send and mod_ssl waits for the close notify - # alert of the client. This is 100% SSL/TLS standard compliant, but in - # practice often causes hanging connections with brain-dead browsers. Use - # this only for browsers where you know that their SSL implementation - # works correctly. - # Notice: Most problems of broken clients are also related to the HTTP - # keep-alive facility, so you usually additionally want to disable - # keep-alive for those clients, too. Use variable "nokeepalive" for this. 
- # Similarly, one has to force some clients to use HTTP/1.0 to workaround - # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and - # "force-response-1.0" for this. - BrowserMatch ".*MSIE.*" \ - nokeepalive ssl-unclean-shutdown \ - downgrade-1.0 force-response-1.0 - - # local cgi scripts - - Order Deny,Allow - Deny from all - Allow from 127.0.0.0/8 - AuthType "Basic" - AuthName "ius-dav-htpasswd" - AuthUserFile "/path/to/ius-dav-admin-htpasswd" - Require valid-user - Options +ExecCGI - SetHandler cgi-script - - - - diff -r a14d0bfd2e21 -r 85a89053a279 ssl-dav-vhost-apache-example.conf --- a/ssl-dav-vhost-apache-example.conf Tue Jul 15 15:39:57 2014 +0200 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,58 +0,0 @@ -# replace $PREFIX (usually with /usr or /usr/local) - -# note that you will need a wildcard certificate if you want namebased virtual -# hosts + ssl - - - DocumentRoot "/path/to/dav-base-directory" - AssignUserId "ius-dav" "ius-dav" - - ServerAdmin webmaster@localhost - ServerName ius-dav.domain.tld - - ErrorLog /var/log/apache2/error.log - LogLevel warn - CustomLog /var/log/apache2/ius-dav.domain.tld/ssl_access.log combined - - SSLEngine on - SSLCertificateFile /etc/ssl/certs/wildcard-certificate.pem - SSLCertificateKeyFile /etc/ssl/private/key-for-wildcard-certificate.pem - - # SSL Protocol Adjustments: - # The safe and default but still SSL/TLS standard compliant shutdown - # approach is that mod_ssl sends the close notify alert but doesn't wait for - # the close notify alert from client. When you need a different shutdown - # approach you can use one of the following variables: - # o ssl-unclean-shutdown: - # This forces an unclean shutdown when the connection is closed, i.e. no - # SSL close notify alert is send or allowed to received. This violates - # the SSL/TLS standard but is needed for some brain-dead browsers. Use - # this when you receive I/O errors because of the standard approach where - # mod_ssl sends the close notify alert. - # o ssl-accurate-shutdown: - # This forces an accurate shutdown when the connection is closed, i.e. a - # SSL close notify alert is send and mod_ssl waits for the close notify - # alert of the client. This is 100% SSL/TLS standard compliant, but in - # practice often causes hanging connections with brain-dead browsers. Use - # this only for browsers where you know that their SSL implementation - # works correctly. - # Notice: Most problems of broken clients are also related to the HTTP - # keep-alive facility, so you usually additionally want to disable - # keep-alive for those clients, too. Use variable "nokeepalive" for this. 
- # Similarly, one has to force some clients to use HTTP/1.0 to workaround - # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and - # "force-response-1.0" for this. - BrowserMatch ".*MSIE.*" \ - nokeepalive ssl-unclean-shutdown \ - downgrade-1.0 force-response-1.0 - - # no access to the webdav base directory is required - - Order Deny,Allow - Deny from all - - # /usr/local/etc/ius-dav-htpasswd or /etc/ius-dav-htpasswd for example - Include "/path/to/ius-dav-htpasswd-conf-dir/apache.d/*.conf" - - -