Closes: #2109.
We moved from Nginx to Apache on ftp.freedombox.org. This changed the datetime
format in the index pages we were relying on to find the difference with the
local image. Update this datetime format.
Tests:
- Run ./container update with an old image already in the .container directory.
New image will be downloaded and verified.
- Run ./container update immediately after downloading the latest image. No new
download is done.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- TLS configuration as recommended by Mozilla's SSL Configuration Generator with
'Intermediate' configuration. See:
https://wiki.mozilla.org/Security/Server_Side_TLS
- Disable ciphers that are weak or without forward secrecy.
- Allow clients to choose ciphers, as they know best whether they have support
for hardware-accelerated AES.
- TLS session tickets (RFC 5077) require restarting the web server at an
appropriate frequency. See:
https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslsessiontickets
- Send OCSP responses to the client and reduce their round trips.
- No need to increment apache app version number as it has already been
incremented in this release cycle for enabling HTTP/2 module.
Tests:
- FreedomBox interface is reachable with the changes.
- ssllabs.com gives an A+ rating on a server with these changes.
- All ciphers are shown as secure.
- Forward Secrecy rating is ROBUST.
- OCSP stapling shows as enabled.
- Client support seems to match the expected after dropping <= TLS1.1.
- Session resumption with tickets shows as disabled.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Enabling the module automatically sets 'Protocols h2 h2c http/1.1' in shipped
module configuration.
- HTTP/2 is given higher priority over HTTP/1.1 for supported clients.
- Clients not supporting HTTP/2 continue to work with HTTP/1.1.
- Clients work by using the ALPN extension in TLS to figure out that the server
supports HTTP/2 and use it.
- HTTP/2 improves performance.
- Recommended by Mozilla's SSL configurator: https://ssl-config.mozilla.org/.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- We have switched to mod_ssl long time ago and are no longer using mod_gnutls.
- It is additional effort to configure and test mod_gnutls.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
As of Lintian 2.105.0, remove-on-upgrade and other flags in DEBIAN/conffiles are
properly handled. False errors are no longer thrown. Drop the workaround
introduced for this purpose.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
As of lintian 2.105.0, the tag systemd-service-file-outside-lib has been
removed. Drop the override to avoid a lintian error.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Since Git 2.28, it is possible to change initial default branch name using
the configuration option init.defaultBranch.
Closes #2101.
Signed-off-by: Veiko Aasa <veiko17@disroot.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
This test is at the end so that it leaves scheduled backups disabled
while other tests are running.
Helps #2058.
Tests:
- Ran functional tests for backups. All tests passed.
- Confirmed that scheduled backups are disabled after backup tests are
complete.
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
[sunil: Use the bullseye/ directory for more URL stability]
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Full list of default extensions in MediaWiki
https://www.mediawiki.org/wiki/Bundled_extensions_and_skins
This initial set of extensions are chosen from:
- extensions that I've used myself over the past 3 years
- testing done in #1267
Extensions that are advanced features for administrators, meant for spam
control, advanced tags or suitable only to a specific kind of user are
not included.
Fixes #1382
More extensions can be enabled in the future if they're generally useful.
Signed-off-by: Joseph Nuthalapati <njoseph@riseup.net>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
When flags are updated and the MediaWiki interface is loaded, somehow the
immediately loaded page does not always reflect the changes. So, wait for the
change to be reflected.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
We already did a version bump (8 to 9) to run the maintenance script
`update.php` for Debian testing. However, this had no effect on Debian
stable installations (essentially idempotent since no version change
happened then).
Bumping version to 10 to ensure that update.php script runs for
FreedomBoxes on Debian Bullseye.
Signed-off-by: Joseph Nuthalapati <njoseph@riseup.net>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Fixes #1747
MediaWiki on Debian seems to store all uploaded files under images/
folder. The administrator can enable additional file types. In the
default configuration, only image files are permitted.
Manually tested that backup/restore works irrespective of file type.
Signed-off-by: Joseph Nuthalapati <njoseph@riseup.net>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
- As recommended by Mozilla SSL Configuration Generator for 'intermediate'
compatibility configuration: https://ssl-config.mozilla.org/
- As recommended by IETF RFC 7525:
https://datatracker.ietf.org/doc/html/rfc7525#section-3.1.1
- As recommended by NIST: Guidelines for the Selection, Configuration, and Use
of Transport Layer Security (TLS) Implementations:
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf
- The following are now the client version requirements for FreedomBox web
interface: Firefox: 27, Android: 4.4.2, Chrome: 31, Edge: 12, IE: 11 (Win7),
Java: 8u31, OpenSSL: 1.0.1, Opera: 20, Safari: 9
Signed-off-by: Joseph Nuthalapati <njoseph@riseup.net>
[sunil: Drop SSLv2, it is not valid anymore as per Apache manual]
[sunil: More detailed commit message and comments]
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
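A pre-deploy check for the policy laid out in the TLS hardening commit, the HTTP/2 commit and the protocol-version commit above, as an added example in the project's language rather than FreedomBox's own configuration or code. It lints an Apache mod_ssl fragment for the points those commits list (TLS 1.2+ only, forward-secret AEAD suites, client cipher preference, session tickets off, OCSP stapling on, h2 offered via ALPN). The directive names are real mod_ssl and mod_http2 directives; the hardened and legacy fragments are constructed for illustration and the defaults assumed for missing directives are the documented mod_ssl and httpd defaults.

```python
"""Lint an Apache mod_ssl fragment against the TLS policy described in the
commits above (TLS 1.2+, forward-secret AEAD suites only, client cipher
preference, session tickets off, OCSP stapling on, HTTP/2 via ALPN).

Added example, not FreedomBox code or configuration. Directive names are real
mod_ssl / mod_http2 directives; both fragments below are constructed.
"""
import re

# Constructed: the shape of configuration the commits describe (Mozilla
# "intermediate" profile for Apache 2.4 with OpenSSL 1.1.1).
HARDENED = """\
SSLEngine on
Protocols h2 http/1.1
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLSessionTickets off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
"""

# Constructed: a legacy fragment of the kind such a change replaces.
LEGACY = """\
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:!aNULL:!MD5:AES128-SHA:DES-CBC3-SHA
SSLHonorCipherOrder on
# SSLSessionTickets and SSLUseStapling left at their defaults (on / off)
"""

ALL_PROTOCOLS = {'SSLv3', 'TLSv1', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3'}  # what 'all' expands to
LEGACY_PROTOCOLS = {'SSLv2', 'SSLv3', 'TLSv1', 'TLSv1.1'}
FS_PREFIXES = ('ECDHE-', 'DHE-', 'TLS_')  # ephemeral key exchange (TLS_* are 1.3 suites)
WEAK_MARKERS = ('RC4', 'DES', 'MD5', 'NULL', 'EXPORT')
CONCRETE_SUITE = re.compile(r'[A-Za-z0-9]+[-_][A-Za-z0-9_-]+')  # rejects HIGH, !aNULL, ...


def parse_directives(text):
    """Yield (directive_lowercase, [args]) for each non-comment line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        name, _, rest = line.partition(' ')
        yield name.lower(), [arg.strip('"') for arg in rest.split()]


def enabled_protocols(args):
    """Apply SSLProtocol's all / +X / -X / X tokens in order."""
    enabled = set()
    for token in args:
        if token.lower() == 'all':
            enabled |= ALL_PROTOCOLS
        elif token.startswith('-'):
            enabled.discard(token[1:])
        else:
            enabled.add(token.lstrip('+'))
    return enabled


def check_suite(suite):
    """Return a finding for one SSLCipherSuite entry, or None if acceptable."""
    upper = suite.upper()
    if not CONCRETE_SUITE.fullmatch(suite):
        return f'SSLCipherSuite: opaque keyword {suite}; list concrete suites so the result does not depend on the OpenSSL version'
    if not upper.startswith(FS_PREFIXES):
        return f'SSLCipherSuite: {suite} has no forward secrecy'
    if any(marker in upper for marker in WEAK_MARKERS):
        return f'SSLCipherSuite: {suite} uses a weak primitive'
    if not any(aead in upper for aead in ('GCM', 'CHACHA20', 'CCM')):
        return f'SSLCipherSuite: {suite} is not an AEAD suite'
    return None


def lint_ssl_config(text):
    """Return a list of policy findings; an empty list means the fragment complies."""
    findings = []
    seen = {}
    for name, args in parse_directives(text):
        seen[name] = args
        if name == 'sslciphersuite':
            # Apache 2.4.36+ also accepts 'SSLCipherSuite TLSv1.3 <list>'; the list is the last arg.
            for suite in args[-1].split(':'):
                finding = check_suite(suite)
                if finding:
                    findings.append(finding)

    if 'sslprotocol' not in seen:
        findings.append("SSLProtocol missing; the default 'all -SSLv3' keeps TLS 1.0 and 1.1")
    else:
        bad = enabled_protocols(seen['sslprotocol']) & LEGACY_PROTOCOLS
        if bad:
            findings.append('SSLProtocol enables legacy versions: ' + ', '.join(sorted(bad)))
    if 'sslciphersuite' not in seen:
        findings.append('SSLCipherSuite missing; the OpenSSL default list is used')
    if seen.get('sslhonorcipherorder', ['off'])[0].lower() == 'on':
        findings.append('SSLHonorCipherOrder on: server overrides the client, which knows whether it has AES hardware')
    if seen.get('sslsessiontickets', ['on'])[0].lower() != 'off':
        findings.append('SSLSessionTickets not off: the ticket key only rotates on restart, which undermines forward secrecy')
    if seen.get('sslusestapling', ['off'])[0].lower() != 'on':
        findings.append('SSLUseStapling not on: clients must contact the OCSP responder themselves')
    elif 'sslstaplingcache' not in seen:
        findings.append('SSLUseStapling on requires SSLStaplingCache')
    if 'h2' not in seen.get('protocols', ['http/1.1']):
        findings.append('Protocols does not list h2; HTTP/2 will not be offered via ALPN')
    return findings


if __name__ == '__main__':
    for label, fragment in (('hardened', HARDENED), ('legacy', LEGACY)):
        print(f'{label}: {len(lint_ssl_config(fragment))} finding(s)')
        for finding in lint_ssl_config(fragment):
            print('  -', finding)
```

Two defaults matter here and are easy to forget when reading a fragment by eye: SSLSessionTickets defaults to on, so a config that never mentions it silently keeps tickets, and SSLProtocol defaults to 'all -SSLv3', which still admits TLS 1.0 and 1.1. The linter treats an absent directive as its documented default for exactly that reason; the ssllabs.com checks listed in the commit remain the end-to-end confirmation.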
Signed-off-by: Fioddor Superconcentrado <fioddor@gmail.com>
[sunil: Limit the overrides to just the flag not understood by lintian]
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
- Use php-fpm instead of using mod-php.
- Create the database and set up permissions manually. Tables and initial data
are created during the initial setup process done by WordPress. Database
upgrades are handled by WordPress. Minor versions are upgraded automatically and
major versions need user intervention.
- Backup/restore functionality including database.
- Install recommended extensions for performance.
- Set up and run cron jobs to ensure that scheduled publications are
completed (among other things). Service has systemd security features. Timer is
set to run every 10 minutes.
- Functional tests for adding/removing posts and backup/restore.
- Increase file upload size limit to 128MiB.
- A private mode (default) for keeping the setup process secure. Should be
disabled after first setup is completed. This uses a new approach using
file-based flag for different Apache configurations.
TODO:
- Find a nice way to allow WordPress to upload plugins/themes. Currently this
operation fails and users are expected to manually scp the files to the
/var/lib/wordpress/wp-content/{plugins,themes} directory.
Tests:
- Functional tests.
- Schedule publishing of a post. Notice that post got published.
- Test uploading a file larger than 2MiB.
- Test enabling permalinks. This leads to nicer looking URLs.
- Test adding images to posts/pages.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>