From 4b6622264b59de3edb433a1f886faa2069a11960 Mon Sep 17 00:00:00 2001
From: Thierry Parmentelat
Date: Mon, 10 Feb 2014 14:38:55 +0100
Subject: [PATCH] more thoroughly disable default services; plus, various comments around
---
 apache/unfold-ssl.conf | 7 +++----
 debian/unfold.postinst | 15 ++++++++++++---
 2 files changed, 15 insertions(+), 7 deletions(-)
diff --git a/apache/unfold-ssl.conf b/apache/unfold-ssl.conf
index f75cc940..337ce787 100644
--- a/apache/unfold-ssl.conf
+++ b/apache/unfold-ssl.conf
@@ -1,4 +1,5 @@
 # see also unfold.conf
+# see also unfold-initi-ssl.sh
 #
 # NOTE on packaging
 #
@@ -10,12 +11,10 @@
 # unfold-init-ssl.sh
 # service apache2 restart
 #
-# This port (not necessarily well picked) is configured
-# with client-certificate required
+# This port is configured with client-certificate *required*
 # corresponding trusted roots (e.g. ple.gid and plc.gid) should be
 # configured in /etc/unfold/trusted_roots
-# check Jordan's email and pointer to trac, although we do not want
-# this to be optional on that port
+#
 WSGIDaemonProcess unfold-ssl processes=2 threads=25
diff --git a/debian/unfold.postinst b/debian/unfold.postinst
index c5cd80da..bdc052ca 100644
--- a/debian/unfold.postinst
+++ b/debian/unfold.postinst
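Review bot: The cross-reference added in the first hunk of apache/unfold-ssl.conf misspells the script name: `# see also unfold-initi-ssl.sh` should read `# see also unfold-init-ssl.sh`. That is the spelling used in the packaging note a few lines further down this file and in debian/unfold.postinst. As written, searching for the name given in the comment finds nothing, and per the postinst comment this is the script that creates the server-side cert/key and rehashes the gids.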
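Review bot: In the second hunk of apache/unfold-ssl.conf the comment now says client certificates are *required* on this port, but the directive that enforces this is outside the hunk, so the claim cannot be checked from the comment alone. The removed lines recorded that an optional mode had been considered and rejected, and that rationale is now gone. Assuming the file sets this with mod_ssl's SSLVerifyClient, tie the comment to the setting so a later edit does not relax it unnoticed, for example `# enforced by SSLVerifyClient require further down; do not relax to optional`.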
@@ -9,11 +9,20 @@ chmod -R 700 /var/unfold
 # upgrading end
 /usr/share/unfold/manage.py syncdb
 /usr/share/unfold/manage.py migrate
-# enable required stuff
+# be ready, enable ssl
 a2enmod ssl
-# name seems to depend on the debian distro
-a2dissite default || a2dissite 000-default || :
+# disable defaults; jessie seems to come with 000-default instead of just default
+# not quite sure about ssl, disable every possible combination
+for site in default default-ssl; do
+ for prefix in "" "000-"; do
+ s=${prefix}${site}
+ a2dissite $s || :
+ done
+done
 a2ensite unfold.conf
 # create a server-side cert/key and passes on gids to rehash them
+# because we do not enable ssl by default it is maybe not quite right to call this
+# at install-time anymore, although it should not hurt either
 unfold-init-ssl.sh
+# restart in any case
 service apache2 restart
-- 
2.43.0
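Review bot: In the new loop, `a2dissite $s || :` discards every failure, not only the expected "site does not exist" case. A default or default-ssl vhost that could not be disabled therefore stays enabled next to unfold.conf, and the install still reports success. Test for the enabled site first and let a real failure surface: `[ -e "/etc/apache2/sites-enabled/$s" ] || [ -e "/etc/apache2/sites-enabled/$s.conf" ] || continue` followed by `a2dissite "$s"`. Whether the script runs under `set -e` is not visible, because it starts above this hunk; if it does not, append `|| exit 1` to the `a2dissite` call. The same applies to the unchecked `unfold-init-ssl.sh` and `service apache2 restart` calls at the end of the hunk.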