

Ignore whitespace Rev 3190 → Rev 3191

/alcasar.sh
849,7 → 849,6
# Configuring & securing Lighttpd
rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
[ -e /etc/lighttpd/lighttpd.conf.default ] || cp /etc/lighttpd/lighttpd.conf /etc/lighttpd/lighttpd.conf.default
$SED "s?^server\.use-ipv6.*?server\.use-ipv6 = \"disable\"?g" /etc/lighttpd/lighttpd.conf
$SED "s?^#server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf
$SED "s?^server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf
$SED "s?^#server\.tag.*?server\.tag = \"\"?g" /etc/lighttpd/lighttpd.conf
861,7 → 860,7
$SED "s?^#[ ]*\"mod_alias\",.*?\"mod_alias\",?g" /etc/lighttpd/modules.conf
$SED "s?^#[ ]*\"mod_redirect\",.*?\"mod_redirect\",?g" /etc/lighttpd/modules.conf
$SED "/^[ ]*\"mod_redirect\",/a\"mod_openssl\"," /etc/lighttpd/modules.conf
$SED "s?^#include \"conf.d/fastcgi.conf\".*?include \"conf.d/fastcgi.conf\"?g" /etc/lighttpd/modules.conf
$SED "s?^#include conf_dir + \"/conf.d/fastcgi.conf\".*?include conf_dir + \"/conf.d/fastcgi.conf\"?g" /etc/lighttpd/modules.conf
 
[ -e /etc/lighttpd/conf.d/fastcgi.conf.default ] || cp /etc/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf.default
cp $DIR_CONF/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf
920,29 → 919,8
#############################################################
time_server()
{
# Set the Internet time server
[ -e /etc/ntp/step-tickers.default ] || cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
cat <<EOF > /etc/ntp/step-tickers
0.fr.pool.ntp.org # adapt to your country
1.fr.pool.ntp.org
2.fr.pool.ntp.org
EOF
[ -e /etc/ntp.conf.default ] || cp /etc/ntp.conf /etc/ntp.conf.default
cat <<EOF > /etc/ntp.conf
server 0.fr.pool.ntp.org # adapt to your country
server 1.fr.pool.ntp.org
server 2.fr.pool.ntp.org
server 127.127.1.0 # local clock si NTP internet indisponible ...
fudge 127.127.1.0 stratum 10
restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
restrict 127.0.0.1
driftfile /var/lib/ntp/drift
logfile /var/log/ntp.log
disable monitor
EOF
chown -R ntp:ntp /var/lib/ntp
# Synchronize now
ntpd -4 -q -g &
ntpdate pool.ntp.org &
} # End of time_server()
 
#####################################################################
1818,7 → 1796,7
{
# adapt fail2ban to Mageia (fedora like) & ALCASAR behaviour
[ -e /etc/fail2ban/jail.conf.default ] || cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.default
$SED "s?^before =.*?before = paths-fedora.conf?g" /etc/fail2ban/jail.conf
$SED "s?^before =.*?before = paths-mageia.conf?g" /etc/fail2ban/jail.conf
 
# add 5 jails and their filters
## sshd : Ban after 3 failed attempts (ie. brute-force). This "jail" uses the default "sshd" f2b filter.
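Review bot: The `before = paths-mageia.conf` line in the 1818→1796 hunk (assuming the paths-mageia line is the new side and paths-fedora the old one) makes jail.conf depend on /etc/fail2ban/paths-mageia.conf, and nothing in the script checks that the file exists; fail2ban resolves `before` relative to its config directory, so on a package that ships only the fedora paths file the jails would presumably fail to load and the brute-force protection described two lines later would be silently absent. A guard right after the sed would surface that: `[ -e /etc/fail2ban/paths-mageia.conf ] || echo "WARNING: /etc/fail2ban/paths-mageia.conf not found, fail2ban jails will not load" >&2`. In the 849→849 hunk exactly one of the seven printed lines is dropped; if it is one of the two `server.bind` rewrites, only the commented or only the uncommented form of the shipped lighttpd.conf is pinned to $PRIVATE_IP, so a post-check such as `grep -q "^server.bind = \"$PRIVATE_IP\"" /etc/lighttpd/lighttpd.conf || echo "WARNING: lighttpd not bound to $PRIVATE_IP" >&2` would catch the web server staying on all interfaces. Both hunks sit inside functions whose opening and closing lines are outside the view.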
/conf/lighttpd/vhosts.d/alcasar-with-ssl.conf
14,9 → 14,7
$SERVER["socket"] == "alcasar.localdomain:443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/pki/tls/private/alcasar.pem"
ssl.ca-file = "/etc/pki/tls/certs/server-chain.pem"
ssl.honor-cipher-order = "enable"
ssl.cipher-list = "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
ssl.verifyclient.ca-file = "/etc/pki/tls/certs/server-chain.pem"
var.server_name = "alcasar.localdomain"
server.name = server_name
server.document-root = "/var/www/html"
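Review bot: Whichever of these TLS lines survive on the new side (this section and /conf/lighttpd/vhosts.d/alcasar-without-ssl.conf carry the identical hunk), `ssl.cipher-list` still admits the `ECDH+3DES`, `DH+3DES` and `RSA+3DES` groups and the non-forward-secret `RSA+AESGCM:RSA+AES` suites, and nothing in view sets a minimum protocol version; dropping the 3DES and RSA-key-exchange groups and, if this lighttpd build supports it, adding `ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2")` would tighten the portal's HTTPS endpoint. `ssl.verifyclient.ca-file` is set while no `ssl.verifyclient.activate` appears, so it is unclear whether client-certificate verification is intended; if it is not, a comment explaining why the CA file is listed would help the next reader, and if it is, the activate directive is missing from the hunk. The enclosing `$SERVER["socket"]` block closes outside the hunk.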
/conf/lighttpd/vhosts.d/alcasar-without-ssl.conf
14,9 → 14,7
$SERVER["socket"] == "alcasar.localdomain:443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/pki/tls/private/alcasar.pem"
ssl.ca-file = "/etc/pki/tls/certs/server-chain.pem"
ssl.honor-cipher-order = "enable"
ssl.cipher-list = "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
ssl.verifyclient.ca-file = "/etc/pki/tls/certs/server-chain.pem"
var.server_name = "alcasar.localdomain"
server.name = server_name
server.document-root = "/var/www/html"