- TLS configuration as recommended by Mozilla's SSL Configuration Generator with
'Intermediate' configuration. See:
https://wiki.mozilla.org/Security/Server_Side_TLS
- Disable ciphers that are weak or without forward secrecy.
- Allow the client to choose ciphers, as it will know best whether it has
support for hardware-accelerated AES.
- TLS session tickets (RFC 5077) require restarting web server with an
appropriate frequency. See:
https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslsessiontickets
- Send OCSP responses to the client and reduce their round trips.
- No need to increment apache app version number as it has already been
incremented in this release cycle for enabling HTTP/2 module.
Tests:
- FreedomBox interface is reachable with the changes.
- ssllabs.com gives an A+ rating on a server with these changes.
- All ciphers are shown as secure.
- Forward Secrecy rating is ROBUST.
- OCSP stapling shows as enabled.
- Client support seems to match the expected after dropping <= TLS1.1.
- Session resumption with tickets shows as disabled.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Enabling the module automatically sets 'Protocols h2 h2c http/1.1' in shipped
module configuration.
- HTTP/2 is given higher priority over HTTP/1.1 for supported clients.
- Clients not supporting HTTP/2 continue to work with HTTP/1.1.
- Clients work by using the ALPN extension in TLS to figure out that the server
supports HTTP/2 and use it.
- HTTP/2 improves performance.
- Recommended by Mozilla's SSL configurator: https://ssl-config.mozilla.org/.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
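The TLS commit (Mozilla intermediate profile, no weak or non-forward-secret ciphers, client cipher preference, session tickets off, OCSP stapling on) and the HTTP/2 commit (h2 preferred over http/1.1) together describe a concrete set of Apache directives. The script below is an added example for this page, not FreedomBox or Plinth code: it parses an Apache mod_ssl/mod_http2 fragment, expands the SSLCipherSuite string through the local OpenSSL to find suites whose key exchange is not ephemeral (EC)DH, and reports any directive that departs from the settings the commits describe. The two config fragments are constructed for the example; the cipher list is the Mozilla intermediate profile as I know it and should be checked against https://ssl-config.mozilla.org/ before use.

```python
"""Audit an Apache mod_ssl / mod_http2 fragment against the settings the
TLS and HTTP/2 commits describe. Added example, not FreedomBox code; it
needs only the Python standard library (ssl)."""
import ssl

ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}

# Mozilla "intermediate" cipher list for OpenSSL 1.1.1 as I know it
# (assumption: confirm against https://ssl-config.mozilla.org/).
MOZILLA_INTERMEDIATE = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-CHACHA20-POLY1305"
)

# Constructed fragments: a legacy-style setup, then the commit's settings.
WEAK_CONFIG = """
SSLEngine on
SSLProtocol all -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:AES256-GCM-SHA384
SSLHonorCipherOrder on
Protocols http/1.1
"""

HARDENED_CONFIG = f"""
SSLEngine on
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite {MOZILLA_INTERMEDIATE}
SSLHonorCipherOrder off
SSLSessionTickets off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
Protocols h2 http/1.1
"""

# mod_ssl defaults for directives that are absent, and the values wanted.
DEFAULTS = {"SSLHonorCipherOrder": "off", "SSLSessionTickets": "on",
            "SSLUseStapling": "off"}
EXPECTED = {"SSLHonorCipherOrder": "off", "SSLSessionTickets": "off",
            "SSLUseStapling": "on"}


def parse_directives(text):
    """Map lower-cased directive name -> list of argument strings.
    Apache lets the last occurrence win, so callers take [-1]."""
    directives = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        args = parts[1].strip().strip('"') if len(parts) > 1 else ""
        directives.setdefault(parts[0].lower(), []).append(args)
    return directives


def enabled_protocols(sslprotocol_args):
    """Apply 'all', '+X' and '-X' tokens the way SSLProtocol does."""
    enabled = set()
    for token in sslprotocol_args.split():
        if token.lower() == "all":
            enabled |= ALL_PROTOCOLS
        elif token.startswith("-"):
            enabled.discard(token[1:])
        else:
            enabled.add(token.lstrip("+"))
    return enabled


def non_forward_secret(cipher_string):
    """Expand an OpenSSL cipher string and return the suites whose key
    exchange is not ephemeral (EC)DH. TLS 1.3 suites always are."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return sorted(c["name"] for c in ctx.get_ciphers()
                  if c["protocol"] != "TLSv1.3"
                  and c["kea"] not in ("kx-ecdhe", "kx-dhe"))


def audit(config_text):
    """Return findings as strings; [] means the fragment matches."""
    d = parse_directives(config_text)
    findings = []
    legacy = sorted(enabled_protocols(d.get("sslprotocol", ["all -SSLv3"])[-1])
                    & LEGACY_PROTOCOLS)
    if legacy:
        findings.append(f"SSLProtocol still enables {legacy}")
    for suite in d.get("sslciphersuite", []):
        if suite.startswith("TLSv1.3 "):  # 2.4.36+ per-protocol form
            continue
        weak = non_forward_secret(suite)
        if weak:
            findings.append(f"SSLCipherSuite lacks forward secrecy: {weak}")
    for name, want in EXPECTED.items():
        got = d.get(name.lower(), [DEFAULTS[name]])[-1].lower()
        if got != want:
            findings.append(f"{name} is {got}, expected {want}")
    if d.get("sslusestapling", ["off"])[-1].lower() == "on" \
            and "sslstaplingcache" not in d:
        findings.append("SSLUseStapling on needs an SSLStaplingCache")
    protocols = d.get("protocols", ["http/1.1"])[-1].split()
    if "h2" not in protocols:
        findings.append("Protocols does not offer h2")
    elif "http/1.1" in protocols and \
            protocols.index("h2") > protocols.index("http/1.1"):
        findings.append("h2 listed after http/1.1; server order wins")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or "OK")
```

The cipher check relies on the OpenSSL linked into Python, so it reports what that library would actually negotiate rather than what the cipher string looks like; a name the local OpenSSL does not know is silently dropped, which is the same thing Apache's mod_ssl would do.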
When FreedomBox package is installed on a fresh Debian machine where a
snakeoil certificate doesn't exist, generate a new one.
Fixes #1923
Fixes #1999
Signed-off-by: Joseph Nuthalapati <njoseph@riseup.net>
[Veiko: Made added code comment more precise]
Signed-off-by: Veiko Aasa <veiko17@disroot.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
Prevent leaking private info through Tor onion service or Pagekite.
Tests:
- When starting plinth, apache setup is run. Status module is
disabled, and apache2 is restarted.
- sunil: After upgrade, status page is not available.
- sunil: mod_status is available in stable (2.4.38-3+deb10u3) and
testing/unstable (2.4.46-1).
Closes: #1935.
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Tested-by: Sunil Mohan Adapa <sunil@medhas.org>
Enable by default so that app installation (also during backup restore) does not
cause apache to restart and show error pages.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Trying to enable cgi module results in cgid being enabled. Checking for cgi
being enabled always results in failure.
Your MPM seems to be threaded. Selecting cgid instead of cgi.
Module cgid already enabled
No module matches cgi (disabled by site administrator)
This is the reason why installing ikiwiki was causing an Apache restart even
though the modules required by ikiwiki are already enabled.
Closes: #1448.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
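The a2enmod output quoted in the commit is the whole problem: under a threaded MPM, asking for "cgi" enables "cgid", so a later check for "cgi" always fails and triggers a needless restart. The following is an added example, not Plinth's own code, of how to decide which modules still need enabling while treating "cgi" as satisfied by "cgid" whenever the running MPM is threaded. The enabled-module list is a constructed sample in the format I understand `a2query -m` to print (one "module (enabled by ...)" line per module); the ikiwiki module list is an assumption for illustration.

```python
"""Work out which Apache modules an app still needs enabled, mapping
'cgi' to 'cgid' under a threaded MPM the way a2enmod does. Added
example, not Plinth code."""

# Constructed sample of `a2query -m` output (assumed format).
A2QUERY_OUTPUT = """\
cgid (enabled by site administrator)
mpm_event (enabled by maintainer script)
rewrite (enabled by site administrator)
ssl (enabled by site administrator)
"""

# MPMs for which a2enmod substitutes cgid for cgi.
THREADED_MPMS = {"mpm_event", "mpm_worker"}


def parse_enabled_modules(a2query_text):
    """Return the set of module names from `a2query -m` style output."""
    modules = set()
    for line in a2query_text.splitlines():
        line = line.strip()
        if line and "(enabled" in line:
            modules.add(line.split()[0])
    return modules


def is_threaded(enabled):
    """True when the enabled MPM is one that a2enmod treats as threaded."""
    return bool(enabled & THREADED_MPMS)


def canonical_name(module, threaded):
    """The module a2enmod will actually enable for the requested name."""
    if module == "cgi" and threaded:
        return "cgid"
    return module


def modules_to_enable(required, enabled):
    """Modules still missing after mapping names; [] means no restart."""
    threaded = is_threaded(enabled)
    wanted = {canonical_name(m, threaded) for m in required}
    return sorted(wanted - enabled)


def needs_restart(required, enabled):
    return bool(modules_to_enable(required, enabled))


if __name__ == "__main__":
    enabled = parse_enabled_modules(A2QUERY_OUTPUT)
    ikiwiki_modules = ["cgi", "rewrite"]  # assumed for illustration
    print("missing:", modules_to_enable(ikiwiki_modules, enabled))
    print("restart needed:", needs_restart(ikiwiki_modules, enabled))
```

The naive check (is "cgi" in the enabled set?) would answer no here and restart Apache; the mapped check sees that "cgid" already covers it. Under mpm_prefork the mapping is skipped and "cgi" is looked up as-is.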
To avoid Apache restart during installation (although sso is an essential app,
so this is not an issue).
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
To avoid restart during installation (although, since letsencrypt is an
essential app, this is not an issue).
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Also try to automatically work for future versions of PHP.
Fixes #1413
Fixes #1258
Signed-off-by: Joseph Nuthalapati <njoseph@thoughtworks.com>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Introduce a BackupApp class to store all information about application being
backed up. This cleans up apps lists vs. manifest lists spread out in the
code.
- Introduce ServiceHandler to abstract dealing with services and web
configuration.
- Add enable and disable actions in apache action.
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Don't explicitly enable module php7.0. Rely on the package libapache2-mod-php
installing the current version of the module and enabling it. This ensures that
when the PHP version changes, the code is not broken.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>