Rewrite Apache configuration files

- Don't hijack the entire SSL site for sake of Plinth.

- Serve both HTTP and HTTPS sites with default configuration.

- plinth-ssl configuration only make SSL compulsory.

- Document modules required for configuration to work properly.

- Don't disable default site during FreedomBox setup run.  This is no
  longer required.

data/etc/apache2/sites-available/plinth-ssl.conf

@@ -1,46 +1,12 @@
-<VirtualHost *:443>
-
-    ## Enable SSL
-    SSLEngine on
-    SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
-    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
-
-    ## Use HTTP Strict Transport Security to force client to use secure
-    ## connections only
-    Header always set Strict-Transport-Security "max-age=31536000"
-
-    ## Shared options.
-    DocumentRoot /usr/share/plinth
-
-    ## Use this rule to hang plinth off of plinth.(servername)
-    # ServerName plinth
-    # ServerAlias plinth.*
-    # ProxyPass        /  http://localhost:8000/
-    # ProxyPassReverse /  http://localhost:8000/
-    # <Proxy *>
-    #     Order Deny,Allow
-    #     Deny from All
-    #     Allow from 10.0.0.0/8
-    #     Allow from 172.16.0.0/12
-    #     Allow from 192.168.0.0/16
-    # </Proxy>
-
-    ## Use this rule to hang plinth off a subdir.
-    ## Make sure to provide plinth with a default directory: /plinth
-    <Location /plinth>
-        ProxyPass        http://localhost:8000/plinth
-        RequestHeader    set X-Forwarded-Proto 'https' env=HTTPS
-
-        Order Deny,Allow
-        Deny from All
-        Allow from 127.0.0.0/8     # IPv4 local addresses
-        Allow from 169.254.0.0/16  # IPv4 link local addresses
-        Allow from 10.0.0.0/8      # IPv4 class A private addresses
-        Allow from 172.16.0.0/12   # IPv4 class B private addresses
-        Allow from 192.168.0.0/16  # IPv4 class C private addresses
-        Allow from ::1             # IPv6 local address
-        Allow from fe80::/10       # IPv6 link local addresses
-        Allow from fc00::/7        # IPv6 private addresses
-    </Location>
-
-</VirtualHost>
+##
+## When enabled allows only SSL traffic onto Plinth
+##
+## Requires the following Apache modules to be enabled:
+##   mod_rewrite
+##   mod_ssl
+##
+<Location /plinth>
+    RewriteEngine on
+    ReWriteCond %{HTTPS} !=on
+    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
+</Location>

data/etc/apache2/sites-available/plinth.conf

@@ -1,16 +1,26 @@
-<VirtualHost *:80>
+##
+## On all sites, provide Plinth on a default path: /plinth
+##
+## Requires the following Apache modules to be enabled:
+##   mod_headers
+##   mod_proxy
+##   mod_proxy_http
+##
+<Location /plinth>
+    ProxyPass        http://localhost:8000/plinth
+    ## Send the scheme from user's request to enable Plinth to redirect
+    ## URLs, set cookies, set absolute URLs (if any) properly.
+    RequestHeader    set X-Forwarded-Proto 'https' env=HTTPS
 
-    ## Force SSL
-    RewriteEngine on
-    ReWriteCond %{SERVER_PORT} !^443$
-    ReWriteCond %{REQUEST_URI} ^/plinth
-    RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]
-
-    ## Shared options.
-    DocumentRoot /dev/null
-
-    ## Use this rule to hang plinth off of plinth.(servername)
-    # ServerName plinth
-    # ServerAlias plinth.*
-
-</VirtualHost>
+    ## Allow traffic only from private networks
+    Order Deny,Allow
+    Deny from All
+    Allow from 127.0.0.0/8     # IPv4 local addresses
+    Allow from 169.254.0.0/16  # IPv4 link local addresses
+    Allow from 10.0.0.0/8      # IPv4 class A private addresses
+    Allow from 172.16.0.0/12   # IPv4 class B private addresses
+    Allow from 192.168.0.0/16  # IPv4 class C private addresses
+    Allow from ::1             # IPv6 local address
+    Allow from fe80::/10       # IPv6 link local addresses
+    Allow from fc00::/7        # IPv6 private addresses
+</Location>

data/usr/lib/freedombox/setup.d/86_plinth

@@ -26,7 +26,6 @@ a2enmod proxy
 a2enmod proxy_http
 a2enmod rewrite
 a2enmod ssl
-a2dissite default
 a2ensite plinth.conf
 a2ensite plinth-ssl.conf