apache: Merge old configuration files into a better location

- It is simpler to keep all the configuration in a single file. Any overrides
are expected to be done by writing additional configuration files with higher
priority.

- /etc/apache2/site-available/ is typically reserved for virtual host
configurations. Redirections and proxying for all virtual hosts rather belongs
in /etc/apache2/conf-available/.

- This looses the option of disabling plinth-ssl.conf when needed. In the
initial days of enabling TLS, there was a need felt to keep the option of easily
disabling redirection to TLS in case there is a need for it. However, TLS
certificate setup is mature and the limitations are well understood. There is no
longer a need for it. It still may be possible to avoid the redirection with an
additional configuration.

Tests:

- In a fresh container, setup succeeds. Redirecting to https:// for /plinth
works. FreedomBox web interface is available.

- Without the patch applied created a container. Run setup and access Plinth
interface. Apply the patches. Apache setup is run. a2query -s plinth and a2query
-s plinth-ssl show that sites are not enabled. Redirecting to https:// for
/plinth works. FreedomBox web interface is available.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>

actions/apache

@@ -162,6 +162,7 @@ def subcommand_setup(arguments):
 
         # setup freedombox site
         webserver.enable('freedombox', kind='config')
+        webserver.enable('freedombox-tls', kind='config')
 
         # enable serving Debian javascript libraries
         webserver.enable('javascript-common', kind='config')
@@ -170,8 +171,8 @@ def subcommand_setup(arguments):
         webserver.enable('000-default', kind='site')
         webserver.disable('default-tls', kind='site')
         webserver.enable('default-ssl', kind='site')
-        webserver.enable('plinth', kind='site')
+        webserver.disable('plinth', kind='site')
-        webserver.enable('plinth-ssl', kind='site')
+        webserver.disable('plinth-ssl', kind='site')
 
 
 # TODO: Check that the (name, kind) is a managed by FreedomBox before

data/etc/apache2/conf-available/freedombox-tls.conf

@@ -1,8 +1,7 @@
 ##
-## When enabled allows only SSL traffic onto Plinth.  This is done by
+## Allow only TLS traffic onto FreedomBox service. This is done by redirecting
-## redirecting non-secure traffic to secure traffic.  The redirect is
+## non-secure traffic to secure traffic. The redirect is permanent as
-## permanent as recommended in:
+## recommended in: http://tools.ietf.org/html/rfc6797#section-7
-## http://tools.ietf.org/html/rfc6797#section-7
 ##
 ## Requires the following Apache modules to be enabled:
 ##   mod_rewrite

data/etc/apache2/conf-available/freedombox.conf

@@ -85,6 +85,29 @@ RedirectMatch "^/freedombox" "/plinth"
     Header set X-Content-Type-Options 'nosniff'
 </Location>
 
+##
+## On all sites, provide FreedomBox on a default path: /plinth
+##
+## Requires the following Apache modules to be enabled:
+##   mod_headers
+##   mod_proxy
+##   mod_proxy_http
+##
+<Location /plinth>
+    ProxyPass        http://127.0.0.1:8000/plinth
+    ## Send the scheme from user's request to enable Plinth to redirect
+    ## URLs, set cookies, set absolute URLs (if any) properly.
+    RequestHeader    set X-Forwarded-Proto 'https' env=HTTPS
+
+    ## Ignore any X-FORWARDED-FOR headers sent by the client and their
+    ## proxies. Apache will still set this header with the remote
+    ## address of the client. Apache is the first and only trusted entry
+    ## point for FreedomBox. Any code that does not deal with this
+    ## header properly will remain safe. For example:
+    ## https://github.com/jazzband/django-axes/issues/286
+    RequestHeader    unset X-Forwarded-For
+</Location>
+
 ##
 ## Serve FreedomBox icon as /favicon.ico for apps that don't present their own
 ## icon using <link rel=''>.

data/etc/apache2/sites-available/plinth.conf

@@ -1,22 +0,0 @@
-##
-## On all sites, provide Plinth on a default path: /plinth
-##
-## Requires the following Apache modules to be enabled:
-##   mod_headers
-##   mod_proxy
-##   mod_proxy_http
-##
-<Location /plinth>
-    ProxyPass        http://127.0.0.1:8000/plinth
-    ## Send the scheme from user's request to enable Plinth to redirect
-    ## URLs, set cookies, set absolute URLs (if any) properly.
-    RequestHeader    set X-Forwarded-Proto 'https' env=HTTPS
-
-    ## Ignore any X-FORWARDED-FOR headers sent by the client and their
-    ## proxies. Apache will still set this header with the remote
-    ## address of the client. Apache is the first and only trusted entry
-    ## point for FreedomBox. Any code that does not deal with this
-    ## header properly will remain safe. For example:
-    ## https://github.com/jazzband/django-axes/issues/286
-    RequestHeader    unset X-Forwarded-For
-</Location>

debian/freedombox.maintscript

@@ -17,3 +17,5 @@ rm_conffile /etc/plinth/modules-enabled/diaspora 21.16~
 rm_conffile /etc/plinth/modules-enabled/monkeysphere 21.16~
 rm_conffile /etc/plinth/modules-enabled/tahoe 21.16~
 rm_conffile /etc/plinth/modules-enabled/mldonkey 22.4~
+rm_conffile /etc/apache2/sites-available/plinth.conf 22.16~
+rm_conffile /etc/apache2/sites-available/plinth-ssl.conf 22.16~

plinth/modules/apache/__init__.py

@@ -23,7 +23,7 @@ class ApacheApp(app_module.App):
 
     app_id = 'apache'
 
-    _version = 9
+    _version = 10
 
     def __init__(self):
         """Create components for the app."""

setup.py

@@ -53,6 +53,8 @@ DISABLED_APPS_TO_REMOVE = [
 
 REMOVED_FILES = [
     '/etc/apt/preferences.d/50freedombox3.pref',
+    '/etc/apache2/sites-available/plinth.conf',
+    '/etc/apache2/sites-available/plinth-ssl.conf',
 ]
 
 LOCALE_PATHS = ['plinth/locale']