From f8f7dd22b5e6800c2a7ebb24e55453f5aa85a1b8 Mon Sep 17 00:00:00 2001 From: Sunil Mohan Adapa Date: Thu, 7 Jul 2022 16:26:31 -0700 Subject: [PATCH] apache: Merge old configuration files into a better location - It is simpler to keep all the configuration in a single file. Any overrides are expected to be done by writing additional configuration files with higher priority. - /etc/apache2/sites-available/ is typically reserved for virtual host configurations. Redirections and proxying for all virtual hosts rather belong in /etc/apache2/conf-available/. - This loses the option of disabling plinth-ssl.conf when needed. In the initial days of enabling TLS, there was a need felt to keep the option of easily disabling redirection to TLS in case there is a need for it. However, TLS certificate setup is mature and the limitations are well understood. There is no longer a need for it. It still may be possible to avoid the redirection with an additional configuration. Tests: - In a fresh container, setup succeeds. Redirecting to https:// for /plinth works. FreedomBox web interface is available. - Without the patch applied, created a container. Run setup and access Plinth interface. Apply the patches. Apache setup is run. a2query -s plinth and a2query -s plinth-ssl show that sites are not enabled. Redirecting to https:// for /plinth works. FreedomBox web interface is available. Signed-off-by: Sunil Mohan Adapa Reviewed-by: James Valleroy --- actions/apache | 5 ++-- .../freedombox-tls.conf} | 7 +++--- .../apache2/conf-available/freedombox.conf | 23 +++++++++++++++++++ data/etc/apache2/sites-available/plinth.conf | 22 ------------------ debian/freedombox.maintscript | 2 ++ plinth/modules/apache/__init__.py | 2 +- setup.py | 2 ++ 7 files changed, 34 insertions(+), 29 deletions(-) rename data/etc/apache2/{sites-available/plinth-ssl.conf => conf-available/freedombox-tls.conf} (63%) delete mode 100644 data/etc/apache2/sites-available/plinth.conf
diff --git a/actions/apache b/actions/apache
index 2fbfb2403..e2554fc34 100755
--- a/actions/apache
+++ b/actions/apache
@@ -162,6 +162,7 @@ def subcommand_setup(arguments):
 # setup freedombox site
 webserver.enable('freedombox', kind='config')
+ webserver.enable('freedombox-tls', kind='config')
 # enable serving Debian javascript libraries
 webserver.enable('javascript-common', kind='config')
@@ -170,8 +171,8 @@ def subcommand_setup(arguments):
 webserver.enable('000-default', kind='site')
 webserver.disable('default-tls', kind='site')
 webserver.enable('default-ssl', kind='site')
- webserver.enable('plinth', kind='site')
- webserver.enable('plinth-ssl', kind='site')
+ webserver.disable('plinth', kind='site')
+ webserver.disable('plinth-ssl', kind='site')
 # TODO: Check that the (name, kind) is a managed by FreedomBox before
diff --git a/data/etc/apache2/sites-available/plinth-ssl.conf b/data/etc/apache2/conf-available/freedombox-tls.conf
similarity index 63%
rename from data/etc/apache2/sites-available/plinth-ssl.conf
rename to data/etc/apache2/conf-available/freedombox-tls.conf
index 202e1bf1b..8c1441c9c 100644
--- a/data/etc/apache2/sites-available/plinth-ssl.conf
+++ b/data/etc/apache2/conf-available/freedombox-tls.conf
@@ -1,8 +1,7 @@
 ##
-## When enabled allows only SSL traffic onto Plinth. This is done by
-## redirecting non-secure traffic to secure traffic. The redirect is
-## permanent as recommended in:
-## http://tools.ietf.org/html/rfc6797#section-7
+## Allow only TLS traffic onto FreedomBox service. This is done by redirecting
+## non-secure traffic to secure traffic. The redirect is permanent as
+## recommended in: http://tools.ietf.org/html/rfc6797#section-7
 ##
 ## Requires the following Apache modules to be enabled:
 ## mod_rewrite
diff --git a/data/etc/apache2/conf-available/freedombox.conf b/data/etc/apache2/conf-available/freedombox.conf
index 9a484e8e2..72bb34ea1 100644
--- a/data/etc/apache2/conf-available/freedombox.conf
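Review bot: `webserver.disable('plinth', kind='site')` and the following line assume the old site conffiles still exist when setup runs, yet the maintscript and setup.py hunks in this same patch remove `/etc/apache2/sites-available/plinth.conf` and `plinth-ssl.conf`, and on a package upgrade those removals likely happen before this setup step. If `webserver.disable` wraps a2dissite, it may then fail on a site that no longer exists, and until it runs the symlinks the old setup created in `sites-enabled` would dangle, which can make Apache's config check fail should it be reloaded in between; both points are inferred, since the helper's behaviour is not visible here. Worth confirming that `webserver.disable` tolerates a missing site, or dropping the stale `sites-enabled` links in the maintscript as well. subcommand_setup starts before and continues past both hunks.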
+++ b/data/etc/apache2/conf-available/freedombox.conf
@@ -85,6 +85,29 @@ RedirectMatch "^/freedombox" "/plinth"
 Header set X-Content-Type-Options 'nosniff'
+##
+## On all sites, provide FreedomBox on a default path: /plinth
+##
+## Requires the following Apache modules to be enabled:
+## mod_headers
+## mod_proxy
+## mod_proxy_http
+##
+
+ ProxyPass http://127.0.0.1:8000/plinth
+ ## Send the scheme from user's request to enable Plinth to redirect
+ ## URLs, set cookies, set absolute URLs (if any) properly.
+ RequestHeader set X-Forwarded-Proto 'https' env=HTTPS
+
+ ## Ignore any X-FORWARDED-FOR headers sent by the client and their
+ ## proxies. Apache will still set this header with the remote
+ ## address of the client. Apache is the first and only trusted entry
+ ## point for FreedomBox. Any code that does not deal with this
+ ## header properly will remain safe. For example:
+ ## https://github.com/jazzband/django-axes/issues/286
+ RequestHeader unset X-Forwarded-For
+
+
 ##
 ## Serve FreedomBox icon as /favicon.ico for apps that don't present their own
 ## icon using .
diff --git a/data/etc/apache2/sites-available/plinth.conf b/data/etc/apache2/sites-available/plinth.conf
deleted file mode 100644
index 41d4dbc3a..000000000
--- a/data/etc/apache2/sites-available/plinth.conf
+++ /dev/null
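Review bot: `RequestHeader set X-Forwarded-Proto 'https' env=HTTPS` only rewrites the header on TLS requests, so for a plain-HTTP request that reaches this ProxyPass a client-supplied X-Forwarded-Proto is passed to the backend untouched, unlike X-Forwarded-For which the block unsets unconditionally a few lines later. Today the redirect in freedombox-tls.conf should keep such requests away from the proxy, but the commit message itself anticipates that the redirect may be disabled by an override, so the backend's view of the scheme should not depend on it. Suggest placing `RequestHeader unset X-Forwarded-Proto` immediately before the set so the header is always Apache's own, and extending the nearby comment to say the scheme is set only under HTTPS. The two bare `+` lines around the ProxyPass block presumably held the opening and closing container directive, which this rendering has stripped.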
@@ -1,22 +0,0 @@
-##
-## On all sites, provide Plinth on a default path: /plinth
-##
-## Requires the following Apache modules to be enabled:
-## mod_headers
-## mod_proxy
-## mod_proxy_http
-##
-
- ProxyPass http://127.0.0.1:8000/plinth
- ## Send the scheme from user's request to enable Plinth to redirect
- ## URLs, set cookies, set absolute URLs (if any) properly.
- RequestHeader set X-Forwarded-Proto 'https' env=HTTPS
-
- ## Ignore any X-FORWARDED-FOR headers sent by the client and their
- ## proxies. Apache will still set this header with the remote
- ## address of the client. Apache is the first and only trusted entry
- ## point for FreedomBox. Any code that does not deal with this
- ## header properly will remain safe. For example:
- ## https://github.com/jazzband/django-axes/issues/286
- RequestHeader unset X-Forwarded-For
-
diff --git a/debian/freedombox.maintscript b/debian/freedombox.maintscript
index f299b3cf9..286037ad7 100644
--- a/debian/freedombox.maintscript
+++ b/debian/freedombox.maintscript
@@ -17,3 +17,5 @@ rm_conffile /etc/plinth/modules-enabled/diaspora 21.16~
 rm_conffile /etc/plinth/modules-enabled/monkeysphere 21.16~
 rm_conffile /etc/plinth/modules-enabled/tahoe 21.16~
 rm_conffile /etc/plinth/modules-enabled/mldonkey 22.4~
+rm_conffile /etc/apache2/sites-available/plinth.conf 22.16~
+rm_conffile /etc/apache2/sites-available/plinth-ssl.conf 22.16~
diff --git a/plinth/modules/apache/__init__.py b/plinth/modules/apache/__init__.py
index 4a6b3a4d3..937577c38 100644
--- a/plinth/modules/apache/__init__.py
+++ b/plinth/modules/apache/__init__.py
@@ -23,7 +23,7 @@ class ApacheApp(app_module.App):
 app_id = 'apache'
- _version = 9
+ _version = 10
 def __init__(self):
 """Create components for the app."""
diff --git a/setup.py b/setup.py
index 093a046b1..0cbc71e0a 100755
--- a/setup.py
+++ b/setup.py
@@ -53,6 +53,8 @@ DISABLED_APPS_TO_REMOVE = [
 REMOVED_FILES = [
 '/etc/apt/preferences.d/50freedombox3.pref',
+ '/etc/apache2/sites-available/plinth.conf',
+ '/etc/apache2/sites-available/plinth-ssl.conf',
 ]
 LOCALE_PATHS = ['plinth/locale']