authorJan Dittberner <jan@dittberner.info>2016-05-20 00:28:30 +0200
committerJan Dittberner <jan@dittberner.info>2016-05-20 00:28:30 +0200
commit719bba6cc7191283c0f7435d4c0bd6afb8f5268b (patch)
treed7173de528e575da6d2e4db7a08f3e9f4d17264d /docs/configdiff
parent11ee94230dc06a2920af771cfe9aa3fe21cc2ebd (diff)
Document the git.cacert.org container
This commit adds documentation for the git container. The information has been gathered from https://wiki.cacert.org/SystemAdministration/Systems/Git?action=recall&rev=4 and the actual system.
Diffstat (limited to 'docs/configdiff')
-rw-r--r--docs/configdiff/git/git-apache-config.diff121
-rw-r--r--docs/configdiff/git/git-daemon-run.diff8
-rw-r--r--docs/configdiff/git/gitweb.conf.diff40
3 files changed, 169 insertions, 0 deletions
diff --git a/docs/configdiff/git/git-apache-config.diff b/docs/configdiff/git/git-apache-config.diff
new file mode 100644
index 0000000..ad2c182
--- /dev/null
+++ b/docs/configdiff/git/git-apache-config.diff
@@ -0,0 +1,121 @@
+diff -urwN -X diffignore-apache2 orig/etc/apache2/conf-available/security.conf git/etc/apache2/conf-available/security.conf
+--- orig/etc/apache2/conf-available/security.conf 2015-11-28 13:59:22.000000000 +0100
++++ git/etc/apache2/conf-available/security.conf 2016-05-20 00:15:49.874994024 +0200
+@@ -10,6 +10,17 @@
+ # Order Deny,Allow
+ # Deny from all
+ #</Directory>
++<Directory />
++ Options FollowSymLinks
++ AllowOverride None
++</Directory>
++
++<Directory /var/www/>
++ Options Indexes FollowSymLinks MultiViews
++ AllowOverride None
++ Order allow,deny
++ allow from all
++</Directory>
+
+
+ # Changing the following options will not really affect the security of the
+diff -urwN -X diffignore-apache2 orig/etc/apache2/mods-available/ssl.conf git/etc/apache2/mods-available/ssl.conf
+--- orig/etc/apache2/mods-available/ssl.conf 2015-10-24 10:37:19.000000000 +0200
++++ git/etc/apache2/mods-available/ssl.conf 2016-01-02 16:13:42.695785273 +0100
+@@ -56,7 +56,8 @@
+ # ciphers(1) man page from the openssl package for list of all available
+ # options.
+ # Enable only secure ciphers:
+- SSLCipherSuite HIGH:!aNULL
++ #SSLCipherSuite HIGH:+CAMELLIA256:!eNull:!aNULL:!ADH:!MD5:!AES+SHA1:!RC4:!DES:!3DES:!SEED:!EXP:!AES128:!CAMELLIA128
++ SSLCipherSuite HIGH:+CAMELLIA256:!eNull:!aNULL:!ADH:!MD5:!AES+SHA1:!RC4:!DES:!3DES:!SEED:!EXP
+
+ # SSL server cipher order preference:
+ # Use server priorities for cipher algorithm choice.
+@@ -65,7 +66,7 @@
+ # the CPU cost, and did not override SSLCipherSuite in a way that puts
+ # insecure ciphers first.
+ # Default: Off
+- #SSLHonorCipherOrder on
++ SSLHonorCipherOrder on
+
+ # The protocols to enable.
+ # Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
+diff -urwN -X diffignore-apache2 orig/etc/apache2/sites-available/000-default.conf git/etc/apache2/sites-available/000-default.conf
+--- orig/etc/apache2/sites-available/000-default.conf 2015-10-24 10:37:19.000000000 +0200
++++ git/etc/apache2/sites-available/000-default.conf 2016-05-20 00:21:02.697250540 +0200
+@@ -11,11 +11,19 @@
+ ServerAdmin webmaster@localhost
+ DocumentRoot /var/www/html
+
++ RewriteEngine on
++ RewriteCond %{HTTP_HOST} !^git\.cacert\.org [NC]
++ RewriteCond %{HTTP_HOST} !^$
++ RewriteRule ^/?(.*) http://git.cacert.org/$1 [L,R,NE]
++
++ Redirect / https://git.cacert.org/gitweb
++
+ # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
+ # error, crit, alert, emerg.
+ # It is also possible to configure the loglevel for particular
+ # modules, e.g.
+ #LogLevel info ssl:warn
++ LogLevel warn
+
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+diff -urwN -X diffignore-apache2 orig/etc/apache2/sites-available/default-ssl.conf git/etc/apache2/sites-available/default-ssl.conf
+--- orig/etc/apache2/sites-available/default-ssl.conf 2016-05-20 00:05:51.022493172 +0200
++++ git/etc/apache2/sites-available/default-ssl.conf 2016-05-20 00:14:50.350565644 +0200
+@@ -2,13 +2,27 @@
+ <VirtualHost _default_:443>
+ ServerAdmin webmaster@localhost
+
++ Redirect /index.html /gitweb/
++
+ DocumentRoot /var/www/html
+
++ <Directory />
++ Options FollowSymLinks
++ AllowOverride None
++ </Directory>
++ <Directory /var/www/>
++ Options Indexes FollowSymLinks MultiViews
++ AllowOverride None
++ Order allow,deny
++ allow from all
++ </Directory>
++
+ # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
+ # error, crit, alert, emerg.
+ # It is also possible to configure the loglevel for particular
+ # modules, e.g.
+ #LogLevel info ssl:warn
++ LogLevel warn
+
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+@@ -29,8 +43,8 @@
+ # /usr/share/doc/apache2/README.Debian.gz for more info.
+ # If both key and certificate are stored in the same file, only the
+ # SSLCertificateFile directive is needed.
+- SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
+- SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
++ SSLCertificateFile /etc/ssl/public/git.c.o.chain.crt
++ SSLCertificateKeyFile /etc/ssl/private/git.c.o.key
+
+ # Server Certificate Chain:
+ # Point SSLCertificateChainFile at a file containing the
+@@ -130,6 +144,12 @@
+ # MSIE 7 and newer should be able to use keepalive
+ BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
+
++ # HSTS
++ Header always set Strict-Transport-Security "max-age=31536000"
++ Header always set Content-Security-Policy "default-src 'none'; script-src 'self' 'sha256-dacEZQWGxky95ybZadcNI26RDghVLeVdbdRC/Q3spJQ='; img-src 'self'; style-src 'self';"
++ Header always set X-Frame-Options "DENY"
++ Header always set X-XSS-Protection "1; mode=block"
++ Header always set X-Content-Type-Options "nosniff"
+ </VirtualHost>
+ </IfModule>
+
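Review bot: The `<Directory /var/www/>` block added to security.conf uses Apache 2.2 access control (`Order allow,deny` / `allow from all`) while the `conf-available/` layout and the `LogLevel` comments in the vhost hunks indicate Apache 2.4, where those directives only work through mod_access_compat and are merged with whatever `Require` rules apache2.conf (not shown here) presumably already sets for `/` and `/var/www/`. Replacing them with `Require all granted`, and giving the new `<Directory />` block an explicit `Require all denied` so the root is never opened by a later merge, keeps a single access model; the same two blocks are repeated verbatim in default-ssl.conf, so one copy could be dropped. Separately, in 000-default.conf the `RewriteRule` for non-canonical hosts appears to send clients to `http://git.cacert.org/$1` and only the subsequent `Redirect` upgrades them to https, so the first hop stays in plaintext; `RewriteRule ^/?(.*) https://git.cacert.org/$1 [L,R,NE]` removes that extra unencrypted round trip.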
diff --git a/docs/configdiff/git/git-daemon-run.diff b/docs/configdiff/git/git-daemon-run.diff
new file mode 100644
index 0000000..abcca5a
--- /dev/null
+++ b/docs/configdiff/git/git-daemon-run.diff
@@ -0,0 +1,8 @@
+--- orig/etc/sv/git-daemon/run 2016-03-19 14:22:50.000000000 +0100
++++ git/etc/sv/git-daemon/run 2014-02-06 01:46:55.424870926 +0100
+@@ -3,4 +3,4 @@
+ echo 'git-daemon starting.'
+ exec chpst -ugitdaemon \
+ "$(git --exec-path)"/git-daemon --verbose --reuseaddr \
+- --base-path=/var/lib /var/lib/git
++ --base-path=/var/cache/git /var/cache/git
diff --git a/docs/configdiff/git/gitweb.conf.diff b/docs/configdiff/git/gitweb.conf.diff
new file mode 100644
index 0000000..0e8e957
--- /dev/null
+++ b/docs/configdiff/git/gitweb.conf.diff
@@ -0,0 +1,40 @@
+--- orig/etc/gitweb.conf 2016-03-19 14:22:50.000000000 +0100
++++ git/etc/gitweb.conf 2014-02-17 02:25:18.281157394 +0100
+@@ -1,5 +1,8 @@
+ # path to git projects (<project>.git)
+-$projectroot = "/var/lib/git";
++$projectroot = "/var/cache/git";
++
++# only show repos that are also served via git-daemon
++$export_ok = "git-daemon-export-ok";
+
+ # directory to use for temp files
+ $git_temp = "/tmp";
+@@ -13,6 +16,9 @@
+ # file with project list; by default, simply scan the projectroot dir.
+ #$projects_list = $projectroot;
+
++# Enable categories
++$projects_list_group_categories = 1;
++
+ # stylesheet to use
+ #@stylesheets = ("static/gitweb.css");
+
+@@ -28,3 +34,17 @@
+ # git-diff-tree(1) options to use for generated patches
+ #@diff_opts = ("-M");
+ @diff_opts = ();
++
++# auto generate fetch URLs
++@git_base_url_list = (
++ "git://git.cacert.org",
++ "ssh://git.cacert.org/var/cache/git");
++
++# Prevent XSS attacks
++$prevent_xss = 1;
++
++# enable gravatar support
++$feature{'avatar'}{'default'} = ['gravatar'];
++
++# enable syntax highlighting
++$feature{'highlight'}{'default'} = [1];
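Review bot: `$feature{'avatar'}{'default'} = ['gravatar'];` makes gitweb embed avatar images from a third-party host, which the `Content-Security-Policy` added to default-ssl.conf in this same commit (`img-src 'self'`) would block in enforcing browsers if gitweb is served through that vhost, so either the policy needs that image origin or the feature is inert; gitweb's gravatar URLs also carry an MD5 of each committer's e-mail address, which is a disclosure to that third party worth recording next to the setting. A comment such as `# enable gravatar support (avatar host must be allowed by img-src in the Apache CSP; sends md5(committer e-mail) to gravatar)` would document the dependency. The `$export_ok` and `$prevent_xss = 1;` settings are consistent with the git-daemon `--base-path` change in git-daemon-run.diff and need no change.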