Merge branch 'master' of git://anonscm.debian.org/pkg-apache/apache2

18 files changed, 112 insertions, 21 deletions

diff --git a/debian/config-dir/apache2.conf b/debian/config-dir/apache2.conf.in
index baf6d8aa..72220aab 100644
--- a/debian/config-dir/apache2.conf
+++ b/debian/config-dir/apache2.conf.in
@@ -71,7 +71,13 @@
 #
 # The accept serialization lock file MUST BE STORED ON A LOCAL DISK.
 #
-Mutex file:${APACHE_LOCK_DIR} default
+___MUTEX___Mutex file:${APACHE_LOCK_DIR} default
+
+#
+# The directory where shm and other runtime files will be stored.
+#
+
+DefaultRuntimeDir ${APACHE_RUN_DIR}
 
 #
 # PidFile: The file in which the server should record its process
diff --git a/debian/config-dir/conf-available/security.conf b/debian/config-dir/conf-available/security.conf
index 599333b1..f9f69d49 100644
--- a/debian/config-dir/conf-available/security.conf
+++ b/debian/config-dir/conf-available/security.conf
@@ -7,8 +7,7 @@
 #
 #<Directory />
 #   AllowOverride None
-#   Order Deny,Allow
-#   Deny from all
+#   Require all denied
 #</Directory>
 
 
diff --git a/debian/config-dir/envvars b/debian/config-dir/envvars
index 91328ac7..708d1706 100644
--- a/debian/config-dir/envvars
+++ b/debian/config-dir/envvars
@@ -16,7 +16,7 @@ fi
 export APACHE_RUN_USER=www-data
 export APACHE_RUN_GROUP=www-data
 # temporary state file location. This might be changed to /run in Wheezy+1
-export APACHE_PID_FILE=/var/run/apache2/apache2$SUFFIX.pid
+export APACHE_PID_FILE=/var/run/apache2$SUFFIX/apache2.pid
 export APACHE_RUN_DIR=/var/run/apache2$SUFFIX
 export APACHE_LOCK_DIR=/var/lock/apache2$SUFFIX
 # Only /var/log/apache2 is handled by /etc/logrotate.d/apache2.
diff --git a/debian/config-dir/mods-available/authnz_fcgi.load b/debian/config-dir/mods-available/authnz_fcgi.load
new file mode 100644
index 00000000..69d757c5
--- /dev/null
+++ b/debian/config-dir/mods-available/authnz_fcgi.load
@@ -0,0 +1 @@
+LoadModule authnz_fcgi_module /usr/lib/apache2/modules/mod_authnz_fcgi.so
diff --git a/debian/config-dir/mods-available/cern_meta.load b/debian/config-dir/mods-available/cern_meta.load
new file mode 100644
index 00000000..bcc7546a
--- /dev/null
+++ b/debian/config-dir/mods-available/cern_meta.load
@@ -0,0 +1 @@
+LoadModule cern_meta_module /usr/lib/apache2/modules/mod_cern_meta.so
diff --git a/debian/config-dir/mods-available/http2.load b/debian/config-dir/mods-available/http2.load
new file mode 100644
index 00000000..e5c769fe
--- /dev/null
+++ b/debian/config-dir/mods-available/http2.load
@@ -0,0 +1 @@
+LoadModule http2_module /usr/lib/apache2/modules/mod_http2.so
diff --git a/debian/config-dir/mods-available/ident.load b/debian/config-dir/mods-available/ident.load
new file mode 100644
index 00000000..f7c4c3ce
--- /dev/null
+++ b/debian/config-dir/mods-available/ident.load
@@ -0,0 +1 @@
+LoadModule ident_module /usr/lib/apache2/modules/mod_ident.so
diff --git a/debian/config-dir/mods-available/imagemap.load b/debian/config-dir/mods-available/imagemap.load
new file mode 100644
index 00000000..0fd55f8a
--- /dev/null
+++ b/debian/config-dir/mods-available/imagemap.load
@@ -0,0 +1 @@
+LoadModule imagemap_module /usr/lib/apache2/modules/mod_imagemap.so
diff --git a/debian/config-dir/mods-available/mpm_event.load b/debian/config-dir/mods-available/mpm_event.load
index 141d7a17..00d970ba 100644
--- a/debian/config-dir/mods-available/mpm_event.load
+++ b/debian/config-dir/mods-available/mpm_event.load
@@ -1,2 +1,2 @@
-# Conflicts: mpm_worker mpm_prefork mpm_itk
+# Conflicts: mpm_worker mpm_prefork
 LoadModule mpm_event_module /usr/lib/apache2/modules/mod_mpm_event.so
diff --git a/debian/config-dir/mods-available/mpm_prefork.load b/debian/config-dir/mods-available/mpm_prefork.load
index 3142c448..05da7a3b 100644
--- a/debian/config-dir/mods-available/mpm_prefork.load
+++ b/debian/config-dir/mods-available/mpm_prefork.load
@@ -1,2 +1,2 @@
-# Conflicts: mpm_event mpm_worker mpm_itk
+# Conflicts: mpm_event mpm_worker
 LoadModule mpm_prefork_module /usr/lib/apache2/modules/mod_mpm_prefork.so
diff --git a/debian/config-dir/mods-available/mpm_worker.load b/debian/config-dir/mods-available/mpm_worker.load
index 6357ab97..f9d0c4d2 100644
--- a/debian/config-dir/mods-available/mpm_worker.load
+++ b/debian/config-dir/mods-available/mpm_worker.load
@@ -1,2 +1,2 @@
-# Conflicts: mpm_event mpm_prefork mpm_itk
+# Conflicts: mpm_event mpm_prefork
 LoadModule mpm_worker_module /usr/lib/apache2/modules/mod_mpm_worker.so
diff --git a/debian/config-dir/mods-available/proxy_hcheck.load b/debian/config-dir/mods-available/proxy_hcheck.load
new file mode 100644
index 00000000..b70f421c
--- /dev/null
+++ b/debian/config-dir/mods-available/proxy_hcheck.load
@@ -0,0 +1,2 @@
+# Depends: proxy
+LoadModule proxy_hcheck_module /usr/lib/apache2/modules/mod_proxy_hcheck.so
diff --git a/debian/config-dir/mods-available/proxy_html.conf b/debian/config-dir/mods-available/proxy_html.conf
new file mode 100644
index 00000000..14692add
--- /dev/null
+++ b/debian/config-dir/mods-available/proxy_html.conf
@@ -0,0 +1,75 @@
+# Configuration example.
+#
+# For detailed information about these directives see
+# <URL:http://httpd.apache.org/docs/2.4/mod/mod_proxy_html.html>
+# and for mod_xml2enc see
+# <URL:http://httpd.apache.org/docs/2.4/mod/mod_xml2enc.html>
+#
+
+# All knowledge of HTML links has been removed from the mod_proxy_html
+# code itself, and is instead read from httpd.conf (or included file)
+# at server startup.  So you MUST declare it.  This will normally be
+# at top level, but can also be used in a <Location>.
+#
+# Here's the declaration for W3C HTML 4.01 and XHTML 1.0
+
+ProxyHTMLLinks	a		href
+ProxyHTMLLinks	area		href
+ProxyHTMLLinks	link		href
+ProxyHTMLLinks	img		src longdesc usemap
+ProxyHTMLLinks	object		classid codebase data usemap
+ProxyHTMLLinks	q		cite
+ProxyHTMLLinks	blockquote	cite
+ProxyHTMLLinks	ins		cite
+ProxyHTMLLinks	del		cite
+ProxyHTMLLinks	form		action
+ProxyHTMLLinks	input		src usemap
+ProxyHTMLLinks	head		profile
+ProxyHTMLLinks	base		href
+ProxyHTMLLinks	script		src for
+
+# To support scripting events (with ProxyHTMLExtended On),
+# you'll need to declare them too.
+
+ProxyHTMLEvents	onclick ondblclick onmousedown onmouseup \
+		onmouseover onmousemove onmouseout onkeypress \
+		onkeydown onkeyup onfocus onblur onload \
+		onunload onsubmit onreset onselect onchange
+
+# If you need to support legacy (pre-1998, aka "transitional") HTML or XHTML,
+# you'll need to uncomment the following deprecated link attributes.
+# Note that these are enabled in earlier mod_proxy_html versions
+#
+# ProxyHTMLLinks	frame		src longdesc
+# ProxyHTMLLinks	iframe		src longdesc
+# ProxyHTMLLinks	body		background
+# ProxyHTMLLinks	applet		codebase
+#
+# If you're dealing with proprietary HTML variants,
+# declare your own URL attributes here as required.
+#
+# ProxyHTMLLinks	myelement	myattr otherattr
+#
+###########
+# EXAMPLE #
+###########
+#
+# To define the URL /my-gateway/ as a gateway to an appserver with address
+# http://some.app.intranet/ on a private network, after loading the
+# modules and including this configuration file:
+#
+# ProxyRequests Off  <-- this is an important security setting
+# ProxyPass /my-gateway/ http://some.app.intranet/
+# <Location /my-gateway/>
+#	ProxyPassReverse /
+#	ProxyHTMLEnable On
+#	ProxyHTMLURLMap http://some.app.intranet/ /my-gateway/
+#	ProxyHTMLURLMap / /my-gateway/
+# </Location>
+#
+# Many (though not all) real-life setups are more complex.
+#
+# See the documentation at
+# http://apache.webthing.com/mod_proxy_html/
+# and the tutorial at
+# http://www.apachetutor.org/admin/reverseproxies
diff --git a/debian/config-dir/mods-available/proxy_html.load b/debian/config-dir/mods-available/proxy_html.load
index d8b248e9..50f1a2cd 100644
--- a/debian/config-dir/mods-available/proxy_html.load
+++ b/debian/config-dir/mods-available/proxy_html.load
@@ -1,2 +1,2 @@
-# Depends: proxy
+# Depends: proxy xml2enc
 LoadModule proxy_html_module /usr/lib/apache2/modules/mod_proxy_html.so
diff --git a/debian/config-dir/mods-available/proxy_http2.load b/debian/config-dir/mods-available/proxy_http2.load
new file mode 100644
index 00000000..b251d0c5
--- /dev/null
+++ b/debian/config-dir/mods-available/proxy_http2.load
@@ -0,0 +1,2 @@
+# Depends: proxy http2
+LoadModule proxy_http2_module /usr/lib/apache2/modules/mod_proxy_http2.so
diff --git a/debian/config-dir/mods-available/ssl.conf b/debian/config-dir/mods-available/ssl.conf
index 2df23389..1dc4eea6 100644
--- a/debian/config-dir/mods-available/ssl.conf
+++ b/debian/config-dir/mods-available/ssl.conf
@@ -33,7 +33,7 @@
 	#   Configure the pass phrase gathering process.
 	#   The filtering dialog program (`builtin' is a internal
 	#   terminal dialog) has to provide the pass phrase on stdout.
-	SSLPassPhraseDialog  builtin
+	SSLPassPhraseDialog  exec:/usr/share/apache2/ask-for-passphrase
 
 	#   Inter-Process Session Cache:
 	#   Configure the SSL Session Cache: First the mechanism 
@@ -58,10 +58,19 @@
 	#   Enable only secure ciphers:
 	SSLCipherSuite HIGH:!aNULL
 
+	# SSL server cipher order preference:
+	# Use server priorities for cipher algorithm choice.
+	# Clients may prefer lower grade encryption.  You should enable this
+	# option if you want to enforce stronger encryption, and can afford
+	# the CPU cost, and did not override SSLCipherSuite in a way that puts
+	# insecure ciphers first.
+	# Default: Off
+	#SSLHonorCipherOrder on
+
 	#   The protocols to enable.
 	#   Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
 	#   SSL v2  is no longer supported
-	SSLProtocol all
+	SSLProtocol all -SSLv3
 
 	#   Allow insecure renegotiation with clients which do not yet support the
 	#   secure renegotiation protocol. Default: Off
diff --git a/debian/config-dir/mods-available/userdir.conf b/debian/config-dir/mods-available/userdir.conf
index a6c0da6c..2c334ecf 100644
--- a/debian/config-dir/mods-available/userdir.conf
+++ b/debian/config-dir/mods-available/userdir.conf
@@ -5,12 +5,7 @@
 	<Directory /home/*/public_html>
 		AllowOverride FileInfo AuthConfig Limit Indexes
 		Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
-		<Limit GET POST OPTIONS>
-			Require all granted
-		</Limit>
-		<LimitExcept GET POST OPTIONS>
-			Require all denied
-		</LimitExcept>
+		Require method GET POST OPTIONS
 	</Directory>
 </IfModule>
 
diff --git a/debian/config-dir/sites-available/default-ssl.conf b/debian/config-dir/sites-available/default-ssl.conf
index 432b9650..7e37a9c3 100644
--- a/debian/config-dir/sites-available/default-ssl.conf
+++ b/debian/config-dir/sites-available/default-ssl.conf
@@ -124,11 +124,9 @@
 		#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
 		#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
 		#   "force-response-1.0" for this.
-		BrowserMatch "MSIE [2-6]" \
-				nokeepalive ssl-unclean-shutdown \
-				downgrade-1.0 force-response-1.0
-		# MSIE 7 and newer should be able to use keepalive
-		BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
+		# BrowserMatch "MSIE [2-6]" \
+		#		nokeepalive ssl-unclean-shutdown \
+		#		downgrade-1.0 force-response-1.0
 
 	</VirtualHost>
 </IfModule>