From ebb14a4931cb65b505add2e56c9f1c9e5c90ec4d Mon Sep 17 00:00:00 2001
From: Ian Kelling <iank@fsf.org>
Date: Tue, 5 Nov 2019 23:17:33 -0500
Subject: [PATCH] misc small updates

* Add option for symlinks
* Update ssl opttions from upstream
* Less verbose output
---
 web-conf | 26 +++++++++++++++++---------
 1 file changed, 17 insertions(+), 9 deletions(-)

diff --git a/web-conf b/web-conf
index 074fddd..fddb537 100755
--- a/web-conf
+++ b/web-conf
@@ -40,6 +40,7 @@ EXTRA_SETTINGS_FILE can be - for stdin
 -i                Insecure, no ssl.
 -p PORT           Main port to listen on, default 443. 80 implies -i.
 -r DIR            DocumentRoot
+-s                Allow symlinks from the doucmentroot
 -h|--help         Print help and exit
 
 Note: Uses GNU getopt options parsing style
@@ -49,10 +50,11 @@ EOF
 
 ##### begin command line parsing ########
 
+symlinkarg=-
 ssl=true
 extra_settings=
 port=443
-temp=$(getopt -l help e:if:p:r:h "$@") || usage 1
+temp=$(getopt -l help e:if:p:r:sh "$@") || usage 1
 eval set -- "$temp"
 while true; do
     case $1 in
@@ -61,6 +63,7 @@ while true; do
         -i) ssl=false; shift ;;
         -p) port="$2"; shift 2 ;;
         -r) root="$2"; shift 2 ;;
+        -s) symlinkarg=+; shift ;;
         --) shift; break ;;
         -h|--help) usage ;;
         *) echo "$0: Internal error!" ; exit 1 ;;
@@ -116,7 +119,7 @@ fi
 if $ssl; then
     f=$cert_dir/fullchain.pem
     threedays=259200 # in seconds
-    if [[ ! -e $f ]] || openssl x509 -checkend $threedays -noout -in $f; then
+    if [[ ! -e $f ]] || ! openssl x509 -checkend $threedays -noout -in $f >/dev/null; then
         # cerbot needs an existing virtualhost.
         $0 -p 80 $t $h
         # when generating an example config, add all relevant security options:
@@ -146,7 +149,6 @@ if [[ $t == apache2 ]]; then
         case $(readlink -f "$f") in
             $vhost_file|$redir_file) continue ;;
         esac
-        echo "$f"
         for p in $(sed -rn "s,^\s*listen\s+(\S+).*,\1,Ip" "$f"); do
             case $p in
                 80) listen_80=true ;;&
@@ -162,7 +164,7 @@ ServerName $h
 ServerAlias www.$h
 DocumentRoot $root
 <Directory $root>
-  Options -Indexes -FollowSymlinks
+  Options -Indexes ${symlinkarg}FollowSymlinks
 </Directory>
 EOF
 
@@ -173,14 +175,14 @@ EOF
     # go faster!
     if [[ -e /etc/apache2/mods-available/http2.load ]]; then
         # https://httpd.apache.org/docs/2.4/mod/mod_http2.html
-        a2enmod http2
+        a2enmod -q http2
         cat >>$vhost_file <<EOF
 Protocols h2 http/1.1
 EOF
     fi
 
     if [[ $proxy ]]; then
-        a2enmod proxy proxy_http
+        a2enmod -q proxy proxy_http
         # fyi: trailing slash is important
         # reference: https://httpd.apache.org/docs/2.4/howto/reverse_proxy.html
         # retry=0: https://stackoverflow.com/questions/683052/why-am-i-getting-an-apache-proxy-503-error
@@ -192,7 +194,7 @@ EOF
 
 
     if $ssl; then
-        a2enmod headers
+        a2enmod -q headers
         https_arg=" https"
         common_ssl_conf=/etc/apache2/common-ssl.conf
         cat >>$vhost_file <<EOF
@@ -243,13 +245,19 @@ SSLProtocol             all -SSLv2 -SSLv3
 SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
 SSLHonorCipherOrder     on
 SSLCompression          off
-SSLSessionTickets       off
 
 SSLOptions +StrictRequire
 
 # Add vhost name to log entries:
 LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
 LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
+
+#CustomLog /var/log/apache2/access.log vhost_combined
+#LogLevel warn
+#ErrorLog /var/log/apache2/error.log
+
+# Always ensure Cookies have "Secure" set (JAH 2012/1)
+#Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"
 EOF
 
         upstream=https://raw.githubusercontent.com/certbot/certbot/master/certbot-apache/certbot_apache/options-ssl-apache.conf
@@ -283,7 +291,7 @@ EOF
     fi
 
 
-    a2enmod ssl rewrite # rewrite needed for httpredir
+    a2enmod -q ssl rewrite # rewrite needed for httpredir
     service apache2 restart
 
     # I rarely look at how much traffic I get, so let's keep that info
-- 
2.30.2