From 4b6622264b59de3edb433a1f886faa2069a11960 Mon Sep 17 00:00:00 2001
From: Thierry Parmentelat <thierry.parmentelat@inria.fr>
Date: Mon, 10 Feb 2014 14:38:55 +0100
Subject: [PATCH] more thoroughly disable default services; plus, various
 comments around

---
 apache/unfold-ssl.conf |  7 +++----
 debian/unfold.postinst | 15 ++++++++++++---
 2 files changed, 15 insertions(+), 7 deletions(-)

diff --git a/apache/unfold-ssl.conf b/apache/unfold-ssl.conf
index f75cc940..337ce787 100644
--- a/apache/unfold-ssl.conf
+++ b/apache/unfold-ssl.conf
@@ -1,4 +1,5 @@
 # see also unfold.conf
+# see also unfold-initi-ssl.sh
 #
 # NOTE on packaging
 # 
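Review bot: The added cross-reference on the second line misspells the script name as `unfold-initi-ssl.sh`. The same file refers to `unfold-init-ssl.sh` further down, and debian/unfold.postinst calls it by that name. The line should read `# see also unfold-init-ssl.sh` so that a search for the script name finds this file.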
@@ -10,12 +11,10 @@
 # unfold-init-ssl.sh
 # service apache2 restart
 #
-# This port (not necessarily well picked) is configured 
-# with client-certificate required
+# This port is configured with client-certificate *required*
 # corresponding trusted roots (e.g. ple.gid and plc.gid) should be 
 # configured in /etc/unfold/trusted_roots
-# check Jordan's email and pointer to trac, although we do not want 
-# this to be optional on that port
+# 
 
 <VirtualHost *:443>
 	WSGIDaemonProcess unfold-ssl processes=2 threads=25
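Review bot: The rewritten comment states that a client certificate is *required* on this port but does not say where that is enforced. The `<VirtualHost *:443>` block continues past the end of this hunk, so the claim cannot be checked from here. Name the enforcing directive in the comment, for example `# enforced by SSLVerifyClient require in the VirtualHost below`, if that is how it is done. The added `# ` line carries a trailing space and can be a bare `#`.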
diff --git a/debian/unfold.postinst b/debian/unfold.postinst
index c5cd80da..bdc052ca 100644
--- a/debian/unfold.postinst
+++ b/debian/unfold.postinst
@@ -9,11 +9,20 @@ chmod -R 700 /var/unfold
 # upgrading end
 /usr/share/unfold/manage.py syncdb
 /usr/share/unfold/manage.py migrate
-# enable required stuff
+# be ready, enable ssl
 a2enmod ssl
-# name seems to depend on the debian distro
-a2dissite default || a2dissite 000-default || :
+# disable defaults; jessie seems to come with 000-default instead of just default
+# not quite sure about ssl, disable every possible combination
+for site in default default-ssl; do 
+    for prefix in "" "000-"; do
+	s=${prefix}${site}
+	a2dissite $s || :
+    done
+done
 a2ensite unfold.conf
 # create a server-side cert/key and passes on gids to rehash them
+# because we do not enable ssl by default it is maybe not quite right to call this
+# at install-time anymore, although it should not hurt either
 unfold-init-ssl.sh
+# restart in any case
 service apache2 restart
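Review bot: `a2dissite $s || :` in the new loop discards every failure, not only the expected "site does not exist" case, so the install can finish with a default vhost still enabled and nothing reporting it. Quote the expansion while keeping the best-effort behaviour, `a2dissite "$s" || :`, and consider a check after the loop that warns on stderr if any of the four names is still enabled (presumably under /etc/apache2/sites-enabled). The final `service apache2 restart` bypasses policy-rc.d; Debian maintainer scripts normally use `invoke-rc.d apache2 restart`. The script starts above this hunk, so whether `set -e` is in force is not visible here.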
-- 
2.47.0