authorSven Gothel <[email protected]>2018-12-10 07:23:17 +0100
committerSven Gothel <[email protected]>2018-12-10 07:23:17 +0100
commit9ee48c847f79ddea826b57392f17fdc386f7c49f (patch)
tree3de7738830f338b139d1b048772dc3c173a581fd
parent13b9b309d2ce446ece844319a605c53069fb6571 (diff)
apache2 2.4.* configuration update
-rw-r--r--server/setup/05-service-settings/etc/apache2/apache2.conf235
-rw-r--r--server/setup/05-service-settings/etc/apache2/sites-available/jogamp.org247
-rw-r--r--server/setup/05-service-settings/etc/apache2/sites-available/jogamp.org-ssl256
-rw-r--r--server/setup/05-service-settings/etc/apache2/sites-available/jogamp_org-ssl.conf (renamed from server/setup/05-service-settings/etc/apache2/sites-available/001-jogamp.org-ssl)61
-rw-r--r--server/setup/05-service-settings/etc/apache2/sites-available/jogamp_org.conf (renamed from server/setup/05-service-settings/etc/apache2/sites-available/000-jogamp.org)27
5 files changed, 153 insertions, 673 deletions
diff --git a/server/setup/05-service-settings/etc/apache2/apache2.conf b/server/setup/05-service-settings/etc/apache2/apache2.conf
index d1991c9..42afd0b 100644
--- a/server/setup/05-service-settings/etc/apache2/apache2.conf
+++ b/server/setup/05-service-settings/etc/apache2/apache2.conf
@@ -1,8 +1,8 @@
# This is the main Apache server configuration file. It contains the
# configuration directives that give the server its instructions.
-# See http://httpd.apache.org/docs/2.2/ for detailed information about
-# the directives and /usr/share/doc/apache2-common/README.Debian.gz about
-# Debian specific hints.
+# See http://httpd.apache.org/docs/2.4/ for detailed information about
+# the directives and /usr/share/doc/apache2/README.Debian about Debian specific
+# hints.
#
#
# Summary of how the Apache 2 configuration works in Debian:
@@ -22,45 +22,30 @@
# |-- mods-enabled
# | |-- *.load
# | `-- *.conf
-# |-- conf.d
-# | `-- *
+# |-- conf-enabled
+# | `-- *.conf
# `-- sites-enabled
-# `-- *
+# `-- *.conf
#
#
# * apache2.conf is the main configuration file (this file). It puts the pieces
# together by including all remaining configuration files when starting up the
# web server.
#
-# In order to avoid conflicts with backup files, the Include directive is
-# adapted to ignore files that:
-# - do not begin with a letter or number
-# - contain a character that is neither letter nor number nor _-:.
-# - contain .dpkg
-#
-# Yet we strongly suggest that all configuration files either end with a
-# .conf or .load suffix in the file name. The next Debian release will
-# ignore files not ending with .conf (or .load for mods-enabled).
-#
# * ports.conf is always included from the main configuration file. It is
-# supposed to determine listening ports for incoming connections, and which
-# of these ports are used for name based virtual hosts.
+# supposed to determine listening ports for incoming connections which can be
+# customized anytime.
#
-# * Configuration files in the mods-enabled/ and sites-enabled/ directories
-# contain particular configuration snippets which manage modules or virtual
-# host configurations, respectively.
+# * Configuration files in the mods-enabled/, conf-enabled/ and sites-enabled/
+# directories contain particular configuration snippets which manage modules,
+# global configuration fragments, or virtual host configurations,
+# respectively.
#
# They are activated by symlinking available configuration files from their
# respective *-available/ counterparts. These should be managed by using our
-# helpers a2enmod/a2dismod, a2ensite/a2dissite. See
+# helpers a2enmod/a2dismod, a2ensite/a2dissite and a2enconf/a2disconf. See
# their respective man pages for detailed information.
#
-# * Configuration files in the conf.d directory are either provided by other
-# packages or may be added by the local administrator. Local additions
-# should start with local- or end with .local.conf to avoid name clashes. All
-# files in conf.d are considered (excluding the exceptions noted above) by
-# the Apache 2 web server.
-#
# * The binary is called apache2. Due to the use of environment variables, in
# the default configuration, apache2 needs to be started/stopped with
# /etc/init.d/apache2 or apache2ctl. Calling /usr/bin/apache2 directly will not
@@ -75,8 +60,8 @@
# configuration, error, and log files are kept.
#
# NOTE! If you intend to place this on an NFS (or otherwise network)
-# mounted filesystem then please read the LockFile documentation (available
-# at <URL:http://httpd.apache.org/docs/2.2/mod/mpm_common.html#lockfile>);
+# mounted filesystem then please read the Mutex documentation (available
+# at <URL:http://httpd.apache.org/docs/2.4/mod/core.html#mutex>);
# you will save yourself a lot of trouble.
#
# Do NOT add a slash at the end of the directory path.
@@ -86,7 +71,13 @@
#
# The accept serialization lock file MUST BE STORED ON A LOCAL DISK.
#
-LockFile ${APACHE_LOCK_DIR}/accept.lock
+Mutex file:${APACHE_LOCK_DIR} default
+
+#
+# The directory where shm and other runtime files will be stored.
+#
+
+DefaultRuntimeDir ${APACHE_RUN_DIR}
#
# PidFile: The file in which the server should record its process
@@ -117,114 +108,15 @@ MaxKeepAliveRequests 100
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
#
-# default: 5
+#KeepAliveTimeout 5
KeepAliveTimeout 10
-##
-## Server-Pool Size Regulation (MPM specific)
-##
-
-# prefork MPM
-# StartServers: number of server processes to start
-# MinSpareServers: minimum number of server processes which are kept spare
-# MaxSpareServers: maximum number of server processes which are kept spare
-# MaxClients: maximum number of server processes allowed to start
-# MaxRequestsPerChild: maximum number of requests a server process serves
-<IfModule mpm_prefork_module>
- # defaults:
- # StartServers 5
- # MinSpareServers 5
- # MaxSpareServers 10
- # MaxClients 150
- # MaxRequestsPerChild 0
-
- StartServers 8
- MinSpareServers 5
- MaxSpareServers 20
- MaxClients 256
- MaxRequestsPerChild 0
-</IfModule>
-
-# worker MPM
-# StartServers: initial number of server processes to start
-# MinSpareThreads: minimum number of worker threads which are kept spare
-# MaxSpareThreads: maximum number of worker threads which are kept spare
-# ThreadLimit: ThreadsPerChild can be changed to this maximum value during a
-# graceful restart. ThreadLimit can only be changed by stopping
-# and starting Apache.
-# ThreadsPerChild: constant number of worker threads in each server process
-# MaxClients: maximum number of simultaneous client connections
-# MaxRequestsPerChild: maximum number of requests a server process serves
-<IfModule mpm_worker_module>
- StartServers 2
- MinSpareThreads 25
- MaxSpareThreads 75
- ThreadLimit 64
- ThreadsPerChild 25
- MaxClients 150
- MaxRequestsPerChild 0
-</IfModule>
-
-# event MPM
-# StartServers: initial number of server processes to start
-# MinSpareThreads: minimum number of worker threads which are kept spare
-# MaxSpareThreads: maximum number of worker threads which are kept spare
-# ThreadsPerChild: constant number of worker threads in each server process
-# MaxClients: maximum number of simultaneous client connections
-# MaxRequestsPerChild: maximum number of requests a server process serves
-<IfModule mpm_event_module>
- StartServers 2
- MinSpareThreads 25
- MaxSpareThreads 75
- ThreadLimit 64
- ThreadsPerChild 25
- MaxClients 150
- MaxRequestsPerChild 0
-</IfModule>
-
# These need to be set in /etc/apache2/envvars
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
#
-# AccessFileName: The name of the file to look for in each directory
-# for additional configuration directives. See also the AllowOverride
-# directive.
-#
-
-AccessFileName .htaccess
-
-#
-# The following lines prevent .htaccess and .htpasswd files from being
-# viewed by Web clients.
-#
-<Files ~ "^\.ht">
- Order allow,deny
- Deny from all
- Satisfy all
-</Files>
-
-#
-# DefaultType is the default MIME type the server will use for a document
-# if it cannot otherwise determine one, such as from filename extensions.
-# If your server contains mostly text or HTML documents, "text/plain" is
-# a good value. If most of your content is binary, such as applications
-# or images, you may want to use "application/octet-stream" instead to
-# keep browsers from trying to display binary files as though they are
-# text.
-#
-# It is also possible to omit any default MIME type and let the
-# client's browser guess an appropriate action instead. Typically the
-# browser will decide based on the file's extension then. In cases
-# where no good assumption can be made, letting the default MIME type
-# unset is suggested instead of forcing the browser to accept
-# incorrect metadata.
-#
-DefaultType None
-
-
-#
# HostnameLookups: Log the names of clients or just their IP addresses
# e.g., www.apache.org (on) or 204.62.129.132 (off).
# The default is off because it'd be overall better for the net if people
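Review bot: The prefork tuning removed in this hunk (StartServers 8, MaxSpareServers 20, MaxClients 256) has no counterpart on the new side, and none of the five files in this commit is a mods-available/mpm_*.conf, which is where Apache 2.4 on Debian keeps these limits (MaxClients is spelled MaxRequestWorkers there). Unless that file was adjusted outside this commit, the server presumably falls back to the packaged defaults, i.e. a lower connection ceiling than the 2.2 configuration had. Either track the mpm_prefork.conf alongside this file or record the dependency in the comment above `User ${APACHE_RUN_USER}`, e.g. `# MPM limits now live in mods-available/mpm_prefork.conf (MaxRequestWorkers replaces MaxClients)`.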
@@ -243,23 +135,80 @@ HostnameLookups Off
ErrorLog ${APACHE_LOG_DIR}/error.log
#
-# LogLevel: Control the number of messages logged to the error_log.
-# Possible values include: debug, info, notice, warn, error, crit,
-# alert, emerg.
+# LogLevel: Control the severity of messages logged to the error_log.
+# Available values: trace8, ..., trace1, debug, info, notice, warn,
+# error, crit, alert, emerg.
+# It is also possible to configure the log level for particular modules, e.g.
+# "LogLevel info ssl:warn"
#
LogLevel warn
# Include module configuration:
-Include mods-enabled/*.load
-Include mods-enabled/*.conf
+IncludeOptional mods-enabled/*.load
+IncludeOptional mods-enabled/*.conf
-# Include list of ports to listen on and which to use for name based vhosts
+# Include list of ports to listen on
Include ports.conf
+
+# Sets the default security model of the Apache2 HTTPD server. It does
+# not allow access to the root filesystem outside of /usr/share and /var/www.
+# The former is used by web applications packaged in Debian,
+# the latter may be used for local directories served by the web server. If
+# your system is serving content from a sub-directory in /srv you must allow
+# access here, or in any related virtual host.
+<Directory />
+ Options FollowSymLinks
+ AllowOverride None
+ Require all denied
+</Directory>
+
+<Directory /usr/share>
+ AllowOverride None
+ Require all granted
+</Directory>
+
+<Directory /var/www/>
+ Options Indexes FollowSymLinks
+ AllowOverride None
+ Require all granted
+</Directory>
+
+#<Directory /srv/>
+# Options Indexes FollowSymLinks
+# AllowOverride None
+# Require all granted
+#</Directory>
+
+
+
+
+# AccessFileName: The name of the file to look for in each directory
+# for additional configuration directives. See also the AllowOverride
+# directive.
+#
+AccessFileName .htaccess
+
+#
+# The following lines prevent .htaccess and .htpasswd files from being
+# viewed by Web clients.
+#
+<FilesMatch "^\.ht">
+ Require all denied
+</FilesMatch>
+
+
#
# The following directives define some format nicknames for use with
-# a CustomLog directive (see below).
-# If you are behind a reverse proxy, you might want to change %h into %{X-Forwarded-For}i
+# a CustomLog directive.
+#
+# These deviate from the Common Log Format definitions in that they use %O
+# (the actual bytes sent including headers) instead of %b (the size of the
+# requested file), because the latter makes it impossible to detect partial
+# requests.
+#
+# Note that the use of %{X-Forwarded-For}i instead of %h is not recommended.
+# Use mod_remoteip instead.
#
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
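Review bot: `<Directory />` now carries `Require all denied` and only /usr/share and /var/www are granted, while the site's DocumentRoot, gitweb and bugzilla directories (per the deleted jogamp.org and jogamp.org-ssl files) live under /srv/www/jogamp.org with 2.2-style `Order allow,deny` / `Allow from all` blocks. Those directives are only honoured when mod_access_compat is loaded; the rewritten jogamp_org.conf hunk is not in view here, so it should be confirmed that each `<Directory "/srv/www/jogamp.org...">` block now states `Require all granted` (or the narrower rule intended), otherwise requests to the site are answered with 403. Leaving the `<Directory /srv/>` stanza commented out is the right call as long as the vhosts grant access explicitly; a global grant on /srv would be broader than the old configuration, which only opened the specific document roots.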
@@ -268,10 +217,12 @@ LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
# Include of directories ignores editors' and dpkg's backup files,
-# see the comments above for details.
+# see README.Debian for details.
# Include generic snippets of statements
-Include conf.d/
+IncludeOptional conf-enabled/*.conf
# Include the virtual host configurations:
-Include sites-enabled/
+IncludeOptional sites-enabled/*.conf
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
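Review bot: `IncludeOptional conf-enabled/*.conf` replaces `Include conf.d/`, and IncludeOptional succeeds silently when the glob matches nothing, so a conf.d snippet that was not migrated to conf-available/ and enabled with a2enconf would vanish without a start-up error. No conf-available file is among the five files in this commit, so it is worth checking which snippets the old conf.d/ held (on Debian 2.2 the security snippet with ServerTokens/ServerSignature is the usual one) and tracking their 2.4 counterparts. A one-line pointer next to the include would help the next reader: `# conf.d/ snippets must be migrated to conf-available/*.conf and enabled via a2enconf`.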
diff --git a/server/setup/05-service-settings/etc/apache2/sites-available/jogamp.org b/server/setup/05-service-settings/etc/apache2/sites-available/jogamp.org
deleted file mode 100644
index f9101fa..0000000
--- a/server/setup/05-service-settings/etc/apache2/sites-available/jogamp.org
+++ /dev/null
@@ -1,247 +0,0 @@
-#
-# Almost any Apache directive may go into a VirtualHost container.
-# The first VirtualHost section is used for requests without a known
-# server name.
-#
-<VirtualHost *:80>
- ServerAdmin [email protected]
- ServerName jogamp.org
- ServerAlias www.jogamp.org
- ServerPath /jogamp.org/
- RewriteEngine On
-
- ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
- CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
-
- DocumentRoot /srv/www/jogamp.org
-
- # don't loose time with IP address lookups
- HostnameLookups Off
-
- # needed for named virtual hosts
- UseCanonicalName Off
-
- # configures the footer on server-generated documents
- ServerSignature On
-
- <Directory "/srv/www/jogamp.org">
- Options Indexes FollowSymLinks
- AllowOverride All
- Order allow,deny
- Allow from all
- </Directory>
-
- RewriteCond %{HTTP_HOST} ^www.jogamp\.org$ [NC]
- RewriteRule ^/(.*)$ http://jogamp.org/$1 [R=301,L,NE]
-
- #RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
- #RewriteRule ^/(.*)$ http://jogamp.org/%1/$1 [R=301,L,NE]
-
- RewriteCond %{REQUEST_URI} ^/wiki/index.php$
- RewriteCond %{QUERY_STRING} ^title=Special:UserLogin
- RewriteCond %{REQUEST_METHOD} ^GET$
- RewriteRule ^(.*)$ https://%{SERVER_NAME}/$1 [R=301,L,NE]
-
- #
- # Due to security concerns, session hijacking .. etc .. the whole
- # bugzilla stream will go over https
- #
- RewriteCond %{REQUEST_URI} ^/bugzilla
- RewriteRule ^/bugzilla/(.*)$ https://%{SERVER_NAME}/bugzilla/$1 [R=301,L,NE]
-
- SetEnv GIT_PROJECT_ROOT /srv/scm
- SetEnv GIT_HTTP_EXPORT_ALL
- ScriptAlias /srv/scm/ /usr/lib/git-core/git-http-backend/
- <Directory "/srv/www/jogamp.org/git">
- DirectoryIndex gitweb.cgi
- Allow from all
- AllowOverride all
- Order allow,deny
- Options ExecCGI
- <Files gitweb.cgi>
- SetHandler cgi-script
- </Files>
- SetEnv GITWEB_CONFIG /srv/scm/gitweb.conf
- </Directory>
-
- Alias /icons/ "/srv/www/jogamp.org/icons/"
-
- <Directory "/srv/www/jogamp.org/icons">
- Options Indexes MultiViews
- AllowOverride None
- Order allow,deny
- Allow from all
- </Directory>
-
- #
- # Due to security concerns, session hijacking .. etc .. the whole
- # hudson and bugzilla stream will go over https
- #
- RewriteCond %{REQUEST_URI} ^/chuck
- RewriteRule ^/chuck/(.*)$ https://%{SERVER_NAME}/chuck/$1 [R=301,L,NE]
-
- #RewriteCond %{REQUEST_URI} ^/chuck
- #RewriteRule ^/chuck/login(.*)$ https://%{SERVER_NAME}/chuck/login$1 [R=301,L,NE]
- #
- #RewriteCond %{REQUEST_URI} ^/chuck
- #RewriteCond %{HTTP_COOKIE} JSESSIONID=(.*) [NC,OR]
- #RewriteCond %{HTTP_COOKIE} ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE [NC]
- #RewriteRule ^/chuck/(.*)$ https://%{SERVER_NAME}/chuck/$1 [R=301,L,NE]
- #
- # Cookies:
- # wikidb_mw_LoggedOut /
- # wikidb_mw__session /
- # wikidb_mw_Token /
- # wikidb_mw_UserID /
- # wikidb_mw_UserName /
- #
- # Bugzilla_login /bugzilla
- # Bugzilla_logincookie /bugzilla
- # DEFAULTFORMAT /bugzilla
- #
- # ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE /chuck
- # JSESSIONID /chuck
- #
-
- #
- # http://wiki.hudson-ci.org/display/HUDSON/Running+Hudson+behind+Apache
- #
- #ProxyRequests Off
- #ProxyPreserveHost On
-
- # Local reverse proxy authorization override
- # Most unix distribution deny proxy by default (ie /etc/apache2/mods-enabled/proxy.conf in Ubuntu)
- #<Proxy http://localhost:8089/chuck*>
- # Order deny,allow
- # Allow from all
- #</Proxy>
- #ProxyPass /chuck http://localhost:8080/chuck
- #ProxyPassReverse /chuck http://localhost:8080/chuck
-</VirtualHost>
-
-<VirtualHost *:80>
- ServerName blog.jogamp.org
- ServerPath /jogamp.org/
- ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
- CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
- RewriteEngine On
- RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
- RewriteRule ^/(.*)$ http://jogamp.org/%1/$1 [R=301,L,NE]
-</VirtualHost>
-
-<VirtualHost *:80>
- ServerName bugzilla.jogamp.org
- ServerPath /jogamp.org/
- ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
- CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
- RewriteEngine On
- RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
- RewriteRule ^/(.*)$ https://jogamp.org/%1/$1 [R=301,L,NE]
-</VirtualHost>
-
-<VirtualHost *:80>
- ServerName wiki.jogamp.org
- ServerPath /jogamp.org/
- ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
- CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
- RewriteEngine On
- RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
- RewriteRule ^/(.*)$ http://jogamp.org/%1/$1 [R=301,L,NE]
-</VirtualHost>
-
-<VirtualHost *:80>
- ServerName scm.jogamp.org
- ServerPath /jogamp.org/
- ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
- CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
- RewriteEngine On
- RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
- RewriteRule ^/(.*)$ http://jogamp.org/git/$1 [R=301,L,NE]
-</VirtualHost>
-
-<VirtualHost *:80>
- ServerName jogl.jogamp.org
- ServerPath /jogamp.org/
- ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
- CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
- RewriteEngine On
- RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
- RewriteRule ^/(.*)$ http://jogamp.org/%1/www/$1 [R=301,L,NE]
-</VirtualHost>
-
-<VirtualHost *:80>
- ServerName jocl.jogamp.org
- ServerPath /jogamp.org/
- ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
- CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
- RewriteEngine On
- RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
- RewriteRule ^/(.*)$ http://jogamp.org/%1/www/$1 [R=301,L,NE]
-</VirtualHost>
-
-<VirtualHost *:80>
- ServerName joal.jogamp.org
- ServerPath /jogamp.org/
- ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
- CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
- RewriteEngine On
- RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
- RewriteRule ^/(.*)$ http://jogamp.org/%1/www/$1 [R=301,L,NE]
-</VirtualHost>
-
-<VirtualHost *:80>
- ServerName demos.jogamp.org
- ServerPath /jogamp.org/
- ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
- CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
- RewriteEngine On
- RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
- RewriteRule ^/(.*)$ http://jogamp.org/%1/$1 [R=301,L,NE]
-</VirtualHost>
-
-<VirtualHost *:80>
- ServerName chuck.jogamp.org
- ServerPath /jogamp.org/
- ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
- CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
- RewriteEngine On
- RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
- RewriteRule ^/(.*)$ https://jogamp.org/%1/$1 [R=301,L,NE]
-</VirtualHost>
-
-<VirtualHost *:80>
- ServerName jogamp.com
- ServerAlias *.jogamp.com
- ServerPath /jogamp.org/
- ErrorLog ${APACHE_LOG_DIR}/jogamp.com-error_log
- CustomLog ${APACHE_LOG_DIR}/jogamp.com-access_log combined
-
- RewriteEngine On
- RewriteCond %{HTTP_HOST} ^www.jogamp\.com$ [NC]
- RewriteRule ^/(.*)$ http://jogamp.org/$1 [R=301,L,NE]
-
- RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.com$ [NC]
- RewriteRule ^/(.*)$ http://jogamp.org/%1/$1 [R=301,L,NE]
-
- RewriteCond %{HTTP_HOST} ^jogamp\.com$ [NC]
- RewriteRule ^/(.*)$ http://jogamp.org/$1 [R=301,L,NE]
-</VirtualHost>
-
-#
-# Directives to allow use of AWStats as a CGI
-#
-#Alias /awstatsclasses "/usr/local/awstats/wwwroot/classes/"
-#Alias /awstatscss "/usr/local/awstats/wwwroot/css/"
-#Alias /awstatsicons "/usr/local/awstats/wwwroot/icon/"
-#ScriptAlias /awstats/ "/usr/local/awstats/wwwroot/cgi-bin/"
-
-#
-# This is to permit URL access to scripts/files in AWStats directory.
-#
-<Directory "/usr/local/awstats/wwwroot">
- Options None
- AllowOverride None
- Order allow,deny
- Allow from all
-</Directory>
-
diff --git a/server/setup/05-service-settings/etc/apache2/sites-available/jogamp.org-ssl b/server/setup/05-service-settings/etc/apache2/sites-available/jogamp.org-ssl
deleted file mode 100644
index 062d2d5..0000000
--- a/server/setup/05-service-settings/etc/apache2/sites-available/jogamp.org-ssl
+++ /dev/null
@@ -1,256 +0,0 @@
-<IfModule mod_ssl.c>
-<VirtualHost *:443>
-
- # General setup for the virtual host, inherited from global configuration
- ServerName jogamp.org
- ServerPath /jogamp.org/
- RewriteEngine On
- DocumentRoot /srv/www/jogamp.org
-
- # Use separate log files for the SSL virtual host; note that LogLevel
- # is not inherited from httpd.conf.
- ErrorLog ${APACHE_LOG_DIR}/jogamp.org-ssl-error.log
- TransferLog ${APACHE_LOG_DIR}/jogamp.org-ssl-access.log
- LogLevel warn
-
- # SSL Engine Switch:
- # Enable/Disable SSL for this virtual host.
- SSLEngine on
-
- # SSL Protocol support:
- # List the enable protocol levels with which clients will be able to
- # connect. Disable SSLv2 access by default:
- SSLProtocol all -SSLv2
-
- # SSL Cipher Suite:
- # List the ciphers that the client is permitted to negotiate.
- # See the mod_ssl documentation for a complete list.
- SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
-
- # A self-signed (snakeoil) certificate can be created by installing
- # the ssl-cert package. See
- # /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
- # If both key and certificate are stored in the same file, only the
- # SSLCertificateFile directive is needed.
- # SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
- # SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
-
- SSLCertificateFile /etc/ssl/local/jogamp2013-hostcert.pem
- SSLCertificateKeyFile /etc/ssl/local/jogamp2013-hostkey.apache.pem
-
- # Server Certificate Chain:
- # Point SSLCertificateChainFile at a file containing the
- # concatenation of PEM encoded CA certificates which form the
- # certificate chain for the server certificate. Alternatively
- # the referenced file can be the same as SSLCertificateFile
- # when the CA certificates are directly appended to the server
- # certificate for convinience.
- #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
-
- SSLCertificateChainFile /etc/ssl/local/thawte-SSL123_CA_Bundle.pem
-
- # Certificate Authority (CA):
- # Set the CA certificate verification path where to find CA
- # certificates for client authentication or alternatively one
- # huge file containing all of them (file must be PEM encoded)
- # Note: Inside SSLCACertificatePath you need hash symlinks
- # to point to the certificate files. Use the provided
- # Makefile to update the hash symlinks after changes.
- #SSLCACertificatePath /etc/ssl/certs/
- #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
-
- # Certificate Revocation Lists (CRL):
- # Set the CA revocation path where to find CA CRLs for client
- # authentication or alternatively one huge file containing all
- # of them (file must be PEM encoded)
- # Note: Inside SSLCARevocationPath you need hash symlinks
- # to point to the certificate files. Use the provided
- # Makefile to update the hash symlinks after changes.
- #SSLCARevocationPath /etc/apache2/ssl.crl/
- #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
-
- # Client Authentication (Type):
- # Client certificate verification type and depth. Types are
- # none, optional, require and optional_no_ca. Depth is a
- # number which specifies how deeply to verify the certificate
- # issuer chain before deciding the certificate is not valid.
- #SSLVerifyClient require
- #SSLVerifyDepth 10
-
- # Access Control:
- # With SSLRequire you can do per-directory access control based
- # on arbitrary complex boolean expressions containing server
- # variable checks and other lookup directives. The syntax is a
- # mixture between C and Perl. See the mod_ssl documentation
- # for more details.
- #<Location />
- #SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
- # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
- # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
- # and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
- # and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
- # or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
- #</Location>
-
- # SSL Engine Options:
- # Set various options for the SSL engine.
- # o FakeBasicAuth:
- # Translate the client X.509 into a Basic Authorisation. This means that
- # the standard Auth/DBMAuth methods can be used for access control. The
- # user name is the `one line' version of the client's X.509 certificate.
- # Note that no password is obtained from the user. Every entry in the user
- # file needs this password: `xxj31ZMTZzkVA'.
- # o ExportCertData:
- # This exports two additional environment variables: SSL_CLIENT_CERT and
- # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
- # server (always existing) and the client (only existing when client
- # authentication is used). This can be used to import the certificates
- # into CGI scripts.
- # o StdEnvVars:
- # This exports the standard SSL/TLS related `SSL_*' environment variables.
- # Per default this exportation is switched off for performance reasons,
- # because the extraction step is an expensive operation and is usually
- # useless for serving static content. So one usually enables the
- # exportation for CGI and SSI requests only.
- # o StrictRequire:
- # This denies access when "SSLRequireSSL" or "SSLRequire" applied even
- # under a "Satisfy any" situation, i.e. when it applies access is denied
- # and no other module can change it.
- # o OptRenegotiate:
- # This enables optimized SSL connection renegotiation handling when SSL
- # directives are used in per-directory context.
- #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
- <Files ~ "\.(cgi|shtml|phtml|php3?)$">
- SSLOptions +StdEnvVars
- </Files>
-
- # SSL Protocol Adjustments:
- # The safe and default but still SSL/TLS standard compliant shutdown
- # approach is that mod_ssl sends the close notify alert but doesn't wait for
- # the close notify alert from client. When you need a different shutdown
- # approach you can use one of the following variables:
- # o ssl-unclean-shutdown:
- # This forces an unclean shutdown when the connection is closed, i.e. no
- # SSL close notify alert is send or allowed to received. This violates
- # the SSL/TLS standard but is needed for some brain-dead browsers. Use
- # this when you receive I/O errors because of the standard approach where
- # mod_ssl sends the close notify alert.
- # o ssl-accurate-shutdown:
- # This forces an accurate shutdown when the connection is closed, i.e. a
- # SSL close notify alert is send and mod_ssl waits for the close notify
- # alert of the client. This is 100% SSL/TLS standard compliant, but in
- # practice often causes hanging connections with brain-dead browsers. Use
- # this only for browsers where you know that their SSL implementation
- # works correctly.
- # Notice: Most problems of broken clients are also related to the HTTP
- # keep-alive facility, so you usually additionally want to disable
- # keep-alive for those clients, too. Use variable "nokeepalive" for this.
- # Similarly, one has to force some clients to use HTTP/1.0 to workaround
- # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
- # "force-response-1.0" for this.
- BrowserMatch "MSIE [2-6]" \
- nokeepalive ssl-unclean-shutdown \
- downgrade-1.0 force-response-1.0
- # MSIE 7 and newer should be able to use keepalive
- BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
-
- # Per-Server Logging:
- # The home of a custom SSL log file. Use this when you want a
- # compact non-error SSL logfile on a virtual host basis.
- CustomLog /var/log/apache2/jogamp.org-ssl-request.log \
- "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
-
- ErrorLog ${APACHE_LOG_DIR}/jogamp.org-ssl-error.log
- CustomLog ${APACHE_LOG_DIR}/jogamp.org-ssl-access.log combined
-
- # configures the footer on server-generated documents
- ServerSignature On
-
- <Directory "/srv/www/jogamp.org">
- Options Indexes FollowSymLinks
- AllowOverride All
- Order allow,deny
- Allow from all
- </Directory>
-
-# ScriptAlias /cgi-bin/ "/srv/www/jogamp.org/bugzilla"
- <Directory /srv/www/jogamp.org/bugzilla>
- AddHandler cgi-script .cgi
- Options +Indexes +ExecCGI -MultiViews +FollowSymLinks
- DirectoryIndex index.cgi
- AllowOverride Limit FileInfo Indexes
- </Directory>
-
- SetEnv GIT_PROJECT_ROOT /srv/scm
- SetEnv GIT_HTTP_EXPORT_ALL
- ScriptAlias /srv/scm/ /usr/lib/git-core/git-http-backend/
- <Directory "/srv/www/jogamp.org/git">
- DirectoryIndex gitweb.cgi
- Allow from all
- AllowOverride all
- Order allow,deny
- Options ExecCGI
- <Files gitweb.cgi>
- SetHandler cgi-script
- </Files>
- SetEnv GITWEB_CONFIG /srv/scm/gitweb.conf
- </Directory>
-
- Alias /icons/ "/srv/www/jogamp.org/icons/"
-
- <Directory "/srv/www/jogamp.org/icons">
- Options Indexes MultiViews
- AllowOverride None
- Order allow,deny
- Allow from all
- </Directory>
-
- #
- # http://wiki.hudson-ci.org/display/HUDSON/Running+Hudson+behind+Apache
- #
- ProxyRequests Off
- ProxyPreserveHost On
-
- # Local reverse proxy authorization override
- # Most unix distribution deny proxy by default (ie /etc/apache2/mods-enabled/proxy.conf in Ubuntu)
- <Proxy http://127.0.0.1:8080/chuck*>
- Order deny,allow
- Allow from all
- </Proxy>
-
- ProxyPass /chuck http://127.0.0.1:8080/chuck
- ProxyPassReverse /chuck http://127.0.0.1:8080/chuck
- ProxyPassReverse /chuck http://jogamp.org/chuck
-
-# ProxyPass /chuck/ http://127.0.0.1:8080/chuck/
-# <Location /chuck/>
-# ProxyPassReverse /
-# Order deny,allow
-# Allow from all
-# </Location>
- Header edit Location ^http://jogamp.org/chuck/ https://jogamp.org/chuck/
-
-</VirtualHost>
-
-<VirtualHost *:443>
- ServerName jogamp.com
- ServerAlias *.jogamp.com
- ServerPath /jogamp.org/
- SSLEngine on
- ErrorLog ${APACHE_LOG_DIR}/jogamp.com-ssl-error.log
- CustomLog ${APACHE_LOG_DIR}/jogamp.com-ssl-access.log combined
-
- SSLCertificateFile /etc/ssl/local/jogamp2013-hostcert.pem
- SSLCertificateKeyFile /etc/ssl/local/jogamp2013-hostkey.apache.pem
-
- RewriteEngine On
- RewriteCond %{HTTP_HOST} ^www.jogamp\.com$ [NC]
- RewriteRule ^/(.*)$ https://jogamp.org/$1 [R=301,L,NE]
-
- RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.com$ [NC]
- RewriteRule ^/(.*)$ https://jogamp.org/%1/$1 [R=301,L,NE]
-
- RewriteCond %{HTTP_HOST} ^jogamp\.com$ [NC]
- RewriteRule ^/(.*)$ https://jogamp.org/$1 [R=301,L,NE]
-</VirtualHost>
-
diff --git a/server/setup/05-service-settings/etc/apache2/sites-available/001-jogamp.org-ssl b/server/setup/05-service-settings/etc/apache2/sites-available/jogamp_org-ssl.conf
index 062d2d5..5bdcbf9 100644
--- a/server/setup/05-service-settings/etc/apache2/sites-available/001-jogamp.org-ssl
+++ b/server/setup/05-service-settings/etc/apache2/sites-available/jogamp_org-ssl.conf
@@ -25,7 +25,20 @@
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
- SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
+ # LOW: SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
+ # Enable only secure ciphers:
+ #SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
+
+ #SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
+ #SSLCipherSuite DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
+ SSLCipherSuite DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA::HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
+ SSLHonorCipherOrder on
+
+ SetEnv no-gzip
+
+ # Add content to the 1st file of SSLCertificateFile
+ # /etc/ssl/local/DH-1024.pem
+ # See https://httpd.apache.org/docs/current/ssl/ssl_faq.html#javadh
# A self-signed (snakeoil) certificate can be created by installing
# the ssl-cert package. See
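Review bot: The active list at line 856 carries an empty element (`DHE-DSS-CAMELLIA128-SHA::HIGH`) and ends with `HIGH`, which admits plain-RSA key exchange (e.g. `AES256-SHA`) behind the DHE entries, so a client that omits the DHE suites still negotiates a non-forward-secret cipher; `SSLHonorCipherOrder on` only sets preference, it does not exclude them. The list also has no ECDHE suites, so every forward-secret handshake falls back to DHE, whose strength is fixed by the parameter file the comment at line 862 names as `DH-1024.pem`; 1024-bit DH is below current guidance, so regenerating it at 2048 bits and updating that comment would be worthwhile. I would prefix the ECDHE GCM suites already present in the commented line 854, replace the trailing `HIGH` with `!kRSA` (or drop it), and add a line recording why the DHE-first order was chosen. `SSLProtocol` is not in this hunk, so I cannot tell whether SSLv3/TLS 1.0 are disabled elsewhere in the file.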
@@ -35,8 +48,8 @@
# SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
# SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
- SSLCertificateFile /etc/ssl/local/jogamp2013-hostcert.pem
- SSLCertificateKeyFile /etc/ssl/local/jogamp2013-hostkey.apache.pem
+ SSLCertificateFile /etc/ssl/local/jogamp2016b-hostcert.pem
+ SSLCertificateKeyFile /etc/ssl/local/jogamp2016b-hostkey.apache.pem
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
@@ -47,7 +60,9 @@
# certificate for convinience.
#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
- SSLCertificateChainFile /etc/ssl/local/thawte-SSL123_CA_Bundle.pem
+ #SSLCertificateChainFile /etc/ssl/local/thawte-SSL123_CA_Bundle.pem
+ #SSLCertificateChainFile /etc/ssl/local/thawte-ca-cert3-20151105.pem
+ SSLCertificateChainFile /etc/ssl/local/thawte-ca-cert4-20171102.pem
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
@@ -169,16 +184,20 @@
<Directory "/srv/www/jogamp.org">
Options Indexes FollowSymLinks
AllowOverride All
- Order allow,deny
- Allow from all
+ #Order allow,deny
+ #Allow from all
+ Require all granted
</Directory>
# ScriptAlias /cgi-bin/ "/srv/www/jogamp.org/bugzilla"
+
+ #PerlSwitches -w -T
+ #PerlConfigRequire /srv/www/jogamp.org/bugzilla/mod_perl.pl
<Directory /srv/www/jogamp.org/bugzilla>
AddHandler cgi-script .cgi
Options +Indexes +ExecCGI -MultiViews +FollowSymLinks
- DirectoryIndex index.cgi
- AllowOverride Limit FileInfo Indexes
+ DirectoryIndex index.cgi index.html
+ AllowOverride Limit FileInfo AuthConfig Indexes Options
</Directory>
SetEnv GIT_PROJECT_ROOT /srv/scm
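Review bot: The bugzilla `<Directory>` at line 898 widens `AllowOverride` to include `AuthConfig Options` with no comment saying why; in 2.4 a `Require` directive in .htaccess needs AuthConfig, so this is presumably what lets Bugzilla's own .htaccess files protect `localconfig` and its `data/` tree — please confirm and record it: `# AuthConfig: Bugzilla's .htaccess files rely on Require/deny to shield localconfig and data/ (2.4 needs AuthConfig for Require)`. That block also keeps `Options +Indexes` and sets no `Require` of its own, so it inherits `Require all granted` from line 892 and depends entirely on those .htaccess files; if any went missing after an upgrade the tree could become listable, which is worth a second comment. The commented `#Order allow,deny` / `#Allow from all` pairs are dead 2.2 directives that recur in the hunks at lines 907, 920, 931, 968, 979, 992 and 1017; dropping them, or keeping a single `# 2.2 equivalent: Order allow,deny / Allow from all` on the first occurrence, would make both files easier to read.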
@@ -186,9 +205,10 @@
ScriptAlias /srv/scm/ /usr/lib/git-core/git-http-backend/
<Directory "/srv/www/jogamp.org/git">
DirectoryIndex gitweb.cgi
- Allow from all
AllowOverride all
- Order allow,deny
+ #Order allow,deny
+ #Allow from all
+ Require all granted
Options ExecCGI
<Files gitweb.cgi>
SetHandler cgi-script
@@ -201,8 +221,9 @@
<Directory "/srv/www/jogamp.org/icons">
Options Indexes MultiViews
AllowOverride None
- Order allow,deny
- Allow from all
+ #Order allow,deny
+ #Allow from all
+ Require all granted
</Directory>
#
@@ -214,8 +235,10 @@
# Local reverse proxy authorization override
# Most unix distribution deny proxy by default (ie /etc/apache2/mods-enabled/proxy.conf in Ubuntu)
<Proxy http://127.0.0.1:8080/chuck*>
- Order deny,allow
- Allow from all
+ #Order deny,allow
+ #Allow from all
+ #Require all denied
+ Require all granted
</Proxy>
ProxyPass /chuck http://127.0.0.1:8080/chuck
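Review bot: The `<Proxy>` block at line 934 keeps a commented `#Require all denied` directly above the active `Require all granted`; under 2.4's implicit RequireAny, un-commenting it would not deny anything because the granted rule still satisfies the section, so the line only misleads. The commented alternative at lines 944-952 says the opposite (`Require all denied`), and the commented block in the jogamp_org.conf hunk at lines 1003-1016 contains both `Require all denied` and `Require all granted`, so the three no longer document one intent; I would delete the stale lines or reduce each to a single `# alternative: <Location /chuck/> with Require all granted` note. The enclosing `<VirtualHost>` starts before and ends after this hunk.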
@@ -225,8 +248,9 @@
# ProxyPass /chuck/ http://127.0.0.1:8080/chuck/
# <Location /chuck/>
# ProxyPassReverse /
-# Order deny,allow
-# Allow from all
+# #Order deny,allow
+# #Allow from all
+# Require all denied
# </Location>
Header edit Location ^http://jogamp.org/chuck/ https://jogamp.org/chuck/
@@ -240,8 +264,9 @@
ErrorLog ${APACHE_LOG_DIR}/jogamp.com-ssl-error.log
CustomLog ${APACHE_LOG_DIR}/jogamp.com-ssl-access.log combined
- SSLCertificateFile /etc/ssl/local/jogamp2013-hostcert.pem
- SSLCertificateKeyFile /etc/ssl/local/jogamp2013-hostkey.apache.pem
+ SSLCertificateFile /etc/ssl/local/jogamp2016a-hostcert.pem
+ SSLCertificateKeyFile /etc/ssl/local/jogamp2016a-hostkey.apache.pem
+ SSLCertificateChainFile /etc/ssl/local/thawte-ca-cert3-20151105.pem
RewriteEngine On
RewriteCond %{HTTP_HOST} ^www.jogamp\.com$ [NC]
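Review bot: The jogamp.com vhost now pairs a 2016a leaf with `thawte-ca-cert3-20151105.pem`, while the jogamp.org vhost at lines 871 and 881 pairs its 2016b leaf with `thawte-ca-cert4-20171102.pem`; if both leaves were issued by the same intermediate, one of the two chains is wrong and clients that do not fetch intermediates on their own will fail validation, so please verify each chain against its leaf's issuer. `SSLCertificateChainFile` is deprecated since 2.4.8 in favour of appending the intermediates to `SSLCertificateFile`, which would also remove this duplication. mod_ssl settings do not flow between sibling vhosts, so if `SSLCipherSuite` and `SSLHonorCipherOrder` from line 856 live only inside the jogamp.org vhost, this vhost runs with mod_ssl defaults — I cannot tell from the hunk whether they are also set at server scope, and a one-line comment here stating where they live would settle it. The enclosing `<VirtualHost>` for jogamp.com starts before and ends after this hunk.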
diff --git a/server/setup/05-service-settings/etc/apache2/sites-available/000-jogamp.org b/server/setup/05-service-settings/etc/apache2/sites-available/jogamp_org.conf
index 4de7279..f40a8eb 100644
--- a/server/setup/05-service-settings/etc/apache2/sites-available/000-jogamp.org
+++ b/server/setup/05-service-settings/etc/apache2/sites-available/jogamp_org.conf
@@ -27,8 +27,9 @@
<Directory "/srv/www/jogamp.org">
Options Indexes FollowSymLinks
AllowOverride All
- Order allow,deny
- Allow from all
+ #Order allow,deny
+ #Allow from all
+ Require all granted
</Directory>
RewriteCond %{HTTP_HOST} ^www.jogamp\.org$ [NC]
@@ -54,9 +55,10 @@
ScriptAlias /srv/scm/ /usr/lib/git-core/git-http-backend/
<Directory "/srv/www/jogamp.org/git">
DirectoryIndex gitweb.cgi
- Allow from all
AllowOverride all
- Order allow,deny
+ #Order allow,deny
+ #Allow from all
+ Require all granted
Options ExecCGI
<Files gitweb.cgi>
SetHandler cgi-script
@@ -69,8 +71,9 @@
<Directory "/srv/www/jogamp.org/icons">
Options Indexes MultiViews
AllowOverride None
- Order allow,deny
- Allow from all
+ #Order allow,deny
+ #Allow from all
+ Require all granted
</Directory>
#
@@ -112,8 +115,11 @@
# Local reverse proxy authorization override
# Most unix distribution deny proxy by default (ie /etc/apache2/mods-enabled/proxy.conf in Ubuntu)
#<Proxy http://localhost:8089/chuck*>
- # Order deny,allow
- # Allow from all
+ # #Order deny,allow
+ # #Allow from all
+ # Require all denied
+ # #Require all denied
+ # Require all granted
#</Proxy>
#ProxyPass /chuck http://localhost:8080/chuck
#ProxyPassReverse /chuck http://localhost:8080/chuck
@@ -241,7 +247,8 @@
<Directory "/usr/local/awstats/wwwroot">
Options None
AllowOverride None
- Order allow,deny
- Allow from all
+ #Order allow,deny
+ #Allow from all
+ Require all granted
</Directory>