Diffstat (limited to 'server')
-rw-r--r--server/setup/05-service-settings/README.txt39
-rw-r--r--server/setup/05-service-settings/etc/apache2/apache2.conf277
-rw-r--r--server/setup/05-service-settings/etc/apache2/apache2.diff1528
-rw-r--r--server/setup/05-service-settings/etc/apache2/mods-enabled.lst44
-rw-r--r--server/setup/05-service-settings/etc/apache2/ports.conf25
-rw-r--r--server/setup/05-service-settings/etc/apache2/sites-available/jogamp.org247
-rw-r--r--server/setup/05-service-settings/etc/apache2/sites-available/jogamp.org-ssl256
-rw-r--r--server/setup/05-service-settings/etc/xinetd.d/git15
-rw-r--r--server/setup/05-service-settings/srv/scm/gitweb.conf20
9 files changed, 2451 insertions, 0 deletions
diff --git a/server/setup/05-service-settings/README.txt b/server/setup/05-service-settings/README.txt
index 2cf28cc..9703292 100644
--- a/server/setup/05-service-settings/README.txt
+++ b/server/setup/05-service-settings/README.txt
@@ -32,6 +32,12 @@ Debian 7.00 (Wheezy)
- MySQL
- old server: backup DB
- run backup-mysql.sh on old server, result is e.g. backup-mysqldb-20130605162509.sql
+ - !!! strip all system-DB's (schema's) from the backup,
+ i.e. all which are not created for applications, e.g.:
+ - mysql
+ - users
+ - test
+ - t_*
- new server: import DB
- get backup backup-mysqldb-20130605162509.sql
@@ -41,6 +47,11 @@ Debian 7.00 (Wheezy)
- backup-2: backup-mysql.sh
- mysqlcheck --user=root --password --all-databases
+ - if things go wrong: re-install mysql
+ dpkg -P mysql-server mysql-server-5.5 mysql-server-core-5.5
+ rm -rf /var/lib/mysql/*
+ apt-get install mysql-server mysql-server-5.5 mysql-server-core-5.5
+
- Services
- mv /data/backup/srv/* /srv/
@@ -106,3 +117,31 @@ Debian 7.00 (Wheezy)
/etc/init.d/sendmail start
+10 GIT
+ xinetd for git
+ apt-get install xinetd
+ cp /etc/xinetd.d/git
+ /etc/init.d/xinetd restart
+
+ gitweb
+ We use deployed gitweb now, and simply deploy gitweb.conf
+ - ln -s /usr/share/gitweb DocumentRoot/git
+ - cp srv/scm/gitweb.conf
+
+11 apache2
+ - php
+ apt-get install php5-pgsql php5-ldap php5-imap php5-odbc php5-dev php5-common php5 php5-mysql php5-gd php5-xmlrpc \
+ php5-xsl php5-cli php5-intl php5-pspell php5-snmp php5-sasl
+
+ - misc for perl/bugzilla
+ - Perl: redo init (find closest mirror ..)
+ - perl -MCPAN -e shell
+ - o conf init
+ - Packages
+ - apt-get install libgd-gd2-perl libgd-graph-perl libgd-tools libgdal-perl libgdal-dev libgdata-dev libgd2-xpm-dev
+
+ - Sync config files in /etc/apache2/ with: etc/apache2/apache2.diff
+ - see also etc/apache2/mods-enabled.lst, etc ..
+
+ /etc/init.d/apache2 start
+
diff --git a/server/setup/05-service-settings/etc/apache2/apache2.conf b/server/setup/05-service-settings/etc/apache2/apache2.conf
new file mode 100644
index 0000000..d1991c9
--- /dev/null
+++ b/server/setup/05-service-settings/etc/apache2/apache2.conf
@@ -0,0 +1,277 @@
+# This is the main Apache server configuration file. It contains the
+# configuration directives that give the server its instructions.
+# See http://httpd.apache.org/docs/2.2/ for detailed information about
+# the directives and /usr/share/doc/apache2-common/README.Debian.gz about
+# Debian specific hints.
+#
+#
+# Summary of how the Apache 2 configuration works in Debian:
+# The Apache 2 web server configuration in Debian is quite different to
+# upstream's suggested way to configure the web server. This is because Debian's
+# default Apache2 installation attempts to make adding and removing modules,
+# virtual hosts, and extra configuration directives as flexible as possible, in
+# order to make automating the changes and administering the server as easy as
+# possible.
+
+# It is split into several files forming the configuration hierarchy outlined
+# below, all located in the /etc/apache2/ directory:
+#
+# /etc/apache2/
+# |-- apache2.conf
+# | `-- ports.conf
+# |-- mods-enabled
+# | |-- *.load
+# | `-- *.conf
+# |-- conf.d
+# | `-- *
+# `-- sites-enabled
+# `-- *
+#
+#
+# * apache2.conf is the main configuration file (this file). It puts the pieces
+# together by including all remaining configuration files when starting up the
+# web server.
+#
+# In order to avoid conflicts with backup files, the Include directive is
+# adapted to ignore files that:
+# - do not begin with a letter or number
+# - contain a character that is neither letter nor number nor _-:.
+# - contain .dpkg
+#
+# Yet we strongly suggest that all configuration files either end with a
+# .conf or .load suffix in the file name. The next Debian release will
+# ignore files not ending with .conf (or .load for mods-enabled).
+#
+# * ports.conf is always included from the main configuration file. It is
+# supposed to determine listening ports for incoming connections, and which
+# of these ports are used for name based virtual hosts.
+#
+# * Configuration files in the mods-enabled/ and sites-enabled/ directories
+# contain particular configuration snippets which manage modules or virtual
+# host configurations, respectively.
+#
+# They are activated by symlinking available configuration files from their
+# respective *-available/ counterparts. These should be managed by using our
+# helpers a2enmod/a2dismod, a2ensite/a2dissite. See
+# their respective man pages for detailed information.
+#
+# * Configuration files in the conf.d directory are either provided by other
+# packages or may be added by the local administrator. Local additions
+# should start with local- or end with .local.conf to avoid name clashes. All
+# files in conf.d are considered (excluding the exceptions noted above) by
+# the Apache 2 web server.
+#
+# * The binary is called apache2. Due to the use of environment variables, in
+# the default configuration, apache2 needs to be started/stopped with
+# /etc/init.d/apache2 or apache2ctl. Calling /usr/bin/apache2 directly will not
+# work with the default configuration.
+
+
+# Global configuration
+#
+
+#
+# ServerRoot: The top of the directory tree under which the server's
+# configuration, error, and log files are kept.
+#
+# NOTE! If you intend to place this on an NFS (or otherwise network)
+# mounted filesystem then please read the LockFile documentation (available
+# at <URL:http://httpd.apache.org/docs/2.2/mod/mpm_common.html#lockfile>);
+# you will save yourself a lot of trouble.
+#
+# Do NOT add a slash at the end of the directory path.
+#
+#ServerRoot "/etc/apache2"
+
+#
+# The accept serialization lock file MUST BE STORED ON A LOCAL DISK.
+#
+LockFile ${APACHE_LOCK_DIR}/accept.lock
+
+#
+# PidFile: The file in which the server should record its process
+# identification number when it starts.
+# This needs to be set in /etc/apache2/envvars
+#
+PidFile ${APACHE_PID_FILE}
+
+#
+# Timeout: The number of seconds before receives and sends time out.
+#
+Timeout 300
+
+#
+# KeepAlive: Whether or not to allow persistent connections (more than
+# one request per connection). Set to "Off" to deactivate.
+#
+KeepAlive On
+
+#
+# MaxKeepAliveRequests: The maximum number of requests to allow
+# during a persistent connection. Set to 0 to allow an unlimited amount.
+# We recommend you leave this number high, for maximum performance.
+#
+MaxKeepAliveRequests 100
+
+#
+# KeepAliveTimeout: Number of seconds to wait for the next request from the
+# same client on the same connection.
+#
+# default: 5
+KeepAliveTimeout 10
+
+
+##
+## Server-Pool Size Regulation (MPM specific)
+##
+
+# prefork MPM
+# StartServers: number of server processes to start
+# MinSpareServers: minimum number of server processes which are kept spare
+# MaxSpareServers: maximum number of server processes which are kept spare
+# MaxClients: maximum number of server processes allowed to start
+# MaxRequestsPerChild: maximum number of requests a server process serves
+<IfModule mpm_prefork_module>
+ # defaults:
+ # StartServers 5
+ # MinSpareServers 5
+ # MaxSpareServers 10
+ # MaxClients 150
+ # MaxRequestsPerChild 0
+
+ StartServers 8
+ MinSpareServers 5
+ MaxSpareServers 20
+ MaxClients 256
+ MaxRequestsPerChild 0
+</IfModule>
+
+# worker MPM
+# StartServers: initial number of server processes to start
+# MinSpareThreads: minimum number of worker threads which are kept spare
+# MaxSpareThreads: maximum number of worker threads which are kept spare
+# ThreadLimit: ThreadsPerChild can be changed to this maximum value during a
+# graceful restart. ThreadLimit can only be changed by stopping
+# and starting Apache.
+# ThreadsPerChild: constant number of worker threads in each server process
+# MaxClients: maximum number of simultaneous client connections
+# MaxRequestsPerChild: maximum number of requests a server process serves
+<IfModule mpm_worker_module>
+ StartServers 2
+ MinSpareThreads 25
+ MaxSpareThreads 75
+ ThreadLimit 64
+ ThreadsPerChild 25
+ MaxClients 150
+ MaxRequestsPerChild 0
+</IfModule>
+
+# event MPM
+# StartServers: initial number of server processes to start
+# MinSpareThreads: minimum number of worker threads which are kept spare
+# MaxSpareThreads: maximum number of worker threads which are kept spare
+# ThreadsPerChild: constant number of worker threads in each server process
+# MaxClients: maximum number of simultaneous client connections
+# MaxRequestsPerChild: maximum number of requests a server process serves
+<IfModule mpm_event_module>
+ StartServers 2
+ MinSpareThreads 25
+ MaxSpareThreads 75
+ ThreadLimit 64
+ ThreadsPerChild 25
+ MaxClients 150
+ MaxRequestsPerChild 0
+</IfModule>
+
+# These need to be set in /etc/apache2/envvars
+User ${APACHE_RUN_USER}
+Group ${APACHE_RUN_GROUP}
+
+#
+# AccessFileName: The name of the file to look for in each directory
+# for additional configuration directives. See also the AllowOverride
+# directive.
+#
+
+AccessFileName .htaccess
+
+#
+# The following lines prevent .htaccess and .htpasswd files from being
+# viewed by Web clients.
+#
+<Files ~ "^\.ht">
+ Order allow,deny
+ Deny from all
+ Satisfy all
+</Files>
+
+#
+# DefaultType is the default MIME type the server will use for a document
+# if it cannot otherwise determine one, such as from filename extensions.
+# If your server contains mostly text or HTML documents, "text/plain" is
+# a good value. If most of your content is binary, such as applications
+# or images, you may want to use "application/octet-stream" instead to
+# keep browsers from trying to display binary files as though they are
+# text.
+#
+# It is also possible to omit any default MIME type and let the
+# client's browser guess an appropriate action instead. Typically the
+# browser will decide based on the file's extension then. In cases
+# where no good assumption can be made, letting the default MIME type
+# unset is suggested instead of forcing the browser to accept
+# incorrect metadata.
+#
+DefaultType None
+
+
+#
+# HostnameLookups: Log the names of clients or just their IP addresses
+# e.g., www.apache.org (on) or 204.62.129.132 (off).
+# The default is off because it'd be overall better for the net if people
+# had to knowingly turn this feature on, since enabling it means that
+# each client request will result in AT LEAST one lookup request to the
+# nameserver.
+#
+HostnameLookups Off
+
+# ErrorLog: The location of the error log file.
+# If you do not specify an ErrorLog directive within a <VirtualHost>
+# container, error messages relating to that virtual host will be
+# logged here. If you *do* define an error logfile for a <VirtualHost>
+# container, that host's errors will be logged there and not here.
+#
+ErrorLog ${APACHE_LOG_DIR}/error.log
+
+#
+# LogLevel: Control the number of messages logged to the error_log.
+# Possible values include: debug, info, notice, warn, error, crit,
+# alert, emerg.
+#
+LogLevel warn
+
+# Include module configuration:
+Include mods-enabled/*.load
+Include mods-enabled/*.conf
+
+# Include list of ports to listen on and which to use for name based vhosts
+Include ports.conf
+
+#
+# The following directives define some format nicknames for use with
+# a CustomLog directive (see below).
+# If you are behind a reverse proxy, you might want to change %h into %{X-Forwarded-For}i
+#
+LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
+LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
+LogFormat "%h %l %u %t \"%r\" %>s %O" common
+LogFormat "%{Referer}i -> %U" referer
+LogFormat "%{User-agent}i" agent
+
+# Include of directories ignores editors' and dpkg's backup files,
+# see the comments above for details.
+
+# Include generic snippets of statements
+Include conf.d/
+
+# Include the virtual host configurations:
+Include sites-enabled/
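Review bot: The global `Timeout 300` and the raised `KeepAliveTimeout 10` sit on top of a prefork pool capped at `MaxClients 256`, so each idle or slowly-sending connection holds a whole server process and the pool can be exhausted by connections that never complete a request. Nothing in this file bounds how long a client may take to deliver its headers or body. If mod_reqtimeout is not already enabled (mods-enabled.lst is not visible in this hunk), consider enabling it with something like `RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500` and lowering `Timeout` to about 60. The README in this commit installs php5, so it is presumably worth confirming that 256 prefork children with PHP loaded fit in RAM; a short comment next to the tuned values explaining why they were raised would help whoever next sizes this host.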
diff --git a/server/setup/05-service-settings/etc/apache2/apache2.diff b/server/setup/05-service-settings/etc/apache2/apache2.diff
new file mode 100644
index 0000000..f4aa836
--- /dev/null
+++ b/server/setup/05-service-settings/etc/apache2/apache2.diff
@@ -0,0 +1,1528 @@
+diff -Nur apache2.orig/apache2.conf apache2/apache2.conf
+--- apache2.orig/apache2.conf 2013-03-04 22:00:37.000000000 +0100
++++ apache2/apache2.conf 2013-06-06 07:21:33.251843000 +0200
+@@ -117,7 +117,9 @@
+ # KeepAliveTimeout: Number of seconds to wait for the next request from the
+ # same client on the same connection.
+ #
+-KeepAliveTimeout 5
++# default: 5
++KeepAliveTimeout 10
++
+
+ ##
+ ## Server-Pool Size Regulation (MPM specific)
+@@ -130,10 +132,17 @@
+ # MaxClients: maximum number of server processes allowed to start
+ # MaxRequestsPerChild: maximum number of requests a server process serves
+ <IfModule mpm_prefork_module>
+- StartServers 5
++ # defaults:
++ # StartServers 5
++ # MinSpareServers 5
++ # MaxSpareServers 10
++ # MaxClients 150
++ # MaxRequestsPerChild 0
++
++ StartServers 8
+ MinSpareServers 5
+- MaxSpareServers 10
+- MaxClients 150
++ MaxSpareServers 20
++ MaxClients 256
+ MaxRequestsPerChild 0
+ </IfModule>
+
+diff -Nur apache2.orig/mods-enabled/cgid.conf apache2/mods-enabled/cgid.conf
+--- apache2.orig/mods-enabled/cgid.conf 1970-01-01 01:00:00.000000000 +0100
++++ apache2/mods-enabled/cgid.conf 2013-03-03 12:14:45.000000000 +0100
+@@ -0,0 +1,2 @@
++# Socket for cgid communication
++ScriptSock ${APACHE_RUN_DIR}/cgisock
+diff -Nur apache2.orig/mods-enabled/cgid.load apache2/mods-enabled/cgid.load
+--- apache2.orig/mods-enabled/cgid.load 1970-01-01 01:00:00.000000000 +0100
++++ apache2/mods-enabled/cgid.load 2012-10-21 20:41:12.000000000 +0200
+@@ -0,0 +1 @@
++LoadModule cgid_module /usr/lib/apache2/modules/mod_cgid.so
+diff -Nur apache2.orig/mods-enabled/headers.load apache2/mods-enabled/headers.load
+--- apache2.orig/mods-enabled/headers.load 1970-01-01 01:00:00.000000000 +0100
++++ apache2/mods-enabled/headers.load 2012-10-21 20:41:12.000000000 +0200
+@@ -0,0 +1 @@
++LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so
+diff -Nur apache2.orig/mods-enabled/proxy_ajp.load apache2/mods-enabled/proxy_ajp.load
+--- apache2.orig/mods-enabled/proxy_ajp.load 1970-01-01 01:00:00.000000000 +0100
++++ apache2/mods-enabled/proxy_ajp.load 2012-10-21 20:41:12.000000000 +0200
+@@ -0,0 +1,2 @@
++# Depends: proxy
++LoadModule proxy_ajp_module /usr/lib/apache2/modules/mod_proxy_ajp.so
+diff -Nur apache2.orig/mods-enabled/proxy_balancer.conf apache2/mods-enabled/proxy_balancer.conf
+--- apache2.orig/mods-enabled/proxy_balancer.conf 1970-01-01 01:00:00.000000000 +0100
++++ apache2/mods-enabled/proxy_balancer.conf 2013-03-03 12:14:45.000000000 +0100
+@@ -0,0 +1,16 @@
++<IfModule mod_proxy_balancer.c>
++
++# Balancer manager enables dynamic update of balancer members
++# (needs mod_status). Uncomment to enable.
++#
++#<IfModule mod_status.c>
++#<Location /balancer-manager>
++# SetHandler balancer-manager
++# Order deny,allow
++# Deny from all
++# Allow from 127.0.0.1 ::1
++# Satisfy all
++#</Location>
++#</IfModule>
++
++</IfModule>
+diff -Nur apache2.orig/mods-enabled/proxy_balancer.load apache2/mods-enabled/proxy_balancer.load
+--- apache2.orig/mods-enabled/proxy_balancer.load 1970-01-01 01:00:00.000000000 +0100
++++ apache2/mods-enabled/proxy_balancer.load 2013-03-03 12:14:45.000000000 +0100
+@@ -0,0 +1,2 @@
++# Depends: proxy
++LoadModule proxy_balancer_module /usr/lib/apache2/modules/mod_proxy_balancer.so
+diff -Nur apache2.orig/mods-enabled/proxy.conf apache2/mods-enabled/proxy.conf
+--- apache2.orig/mods-enabled/proxy.conf 1970-01-01 01:00:00.000000000 +0100
++++ apache2/mods-enabled/proxy.conf 2013-03-03 12:14:45.000000000 +0100
+@@ -0,0 +1,26 @@
++<IfModule mod_proxy.c>
++
++# If you want to use apache2 as a forward proxy, uncomment the
++# 'ProxyRequests On' line and the <Proxy *> block below.
++# WARNING: Be careful to restrict access inside the <Proxy *> block.
++# Open proxy servers are dangerous both to your network and to the
++# Internet at large.
++#
++# If you only want to use apache2 as a reverse proxy/gateway in
++# front of some web application server, you DON'T need
++# 'ProxyRequests On'.
++
++#ProxyRequests On
++#<Proxy *>
++# AddDefaultCharset off
++# Order deny,allow
++# Deny from all
++# #Allow from .example.com
++#</Proxy>
++
++# Enable/disable the handling of HTTP/1.1 "Via:" headers.
++# ("Full" adds the server version; "Block" removes all outgoing Via: headers)
++# Set to one of: Off | On | Full | Block
++#ProxyVia Off
++
++</IfModule>
+diff -Nur apache2.orig/mods-enabled/proxy_connect.load apache2/mods-enabled/proxy_connect.load
+--- apache2.orig/mods-enabled/proxy_connect.load 1970-01-01 01:00:00.000000000 +0100
++++ apache2/mods-enabled/proxy_connect.load 2012-10-21 20:41:12.000000000 +0200
+@@ -0,0 +1,2 @@
++# Depends: proxy
++LoadModule proxy_connect_module /usr/lib/apache2/modules/mod_proxy_connect.so
+diff -Nur apache2.orig/mods-enabled/proxy_ftp.conf apache2/mods-enabled/proxy_ftp.conf
+--- apache2.orig/mods-enabled/proxy_ftp.conf 1970-01-01 01:00:00.000000000 +0100
++++ apache2/mods-enabled/proxy_ftp.conf 2013-03-03 12:14:45.000000000 +0100
+@@ -0,0 +1,6 @@
++<IfModule mod_proxy_ftp.c>
++
++# Define the character set for proxied FTP listings. Default is ISO-8859-1
++ProxyFtpDirCharset UTF-8
++
++</IfModule>
+diff -Nur apache2.orig/mods-enabled/proxy_ftp.load apache2/mods-enabled/proxy_ftp.load
+--- apache2.orig/mods-enabled/proxy_ftp.load 1970-01-01 01:00:00.000000000 +0100
++++ apache2/mods-enabled/proxy_ftp.load 2012-10-21 20:41:12.000000000 +0200
+@@ -0,0 +1,2 @@
++# Depends: proxy
++LoadModule proxy_ftp_module /usr/lib/apache2/modules/mod_proxy_ftp.so
+diff -Nur apache2.orig/mods-enabled/proxy_http.load apache2/mods-enabled/proxy_http.load
+--- apache2.orig/mods-enabled/proxy_http.load 1970-01-01 01:00:00.000000000 +0100
++++ apache2/mods-enabled/proxy_http.load 2012-10-21 20:41:12.000000000 +0200
+@@ -0,0 +1,2 @@
++# Depends: proxy
++LoadModule proxy_http_module /usr/lib/apache2/modules/mod_proxy_http.so
+diff -Nur apache2.orig/mods-enabled/proxy.load apache2/mods-enabled/proxy.load
+--- apache2.orig/mods-enabled/proxy.load 1970-01-01 01:00:00.000000000 +0100
++++ apache2/mods-enabled/proxy.load 2012-10-21 20:41:12.000000000 +0200
+@@ -0,0 +1 @@
++LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so
+diff -Nur apache2.orig/mods-enabled/proxy_scgi.load apache2/mods-enabled/proxy_scgi.load
+--- apache2.orig/mods-enabled/proxy_scgi.load 1970-01-01 01:00:00.000000000 +0100
++++ apache2/mods-enabled/proxy_scgi.load 2012-10-21 20:41:12.000000000 +0200
+@@ -0,0 +1,2 @@
++# Depends: proxy
++LoadModule proxy_scgi_module /usr/lib/apache2/modules/mod_proxy_scgi.so
+diff -Nur apache2.orig/mods-enabled/rewrite.load apache2/mods-enabled/rewrite.load
+--- apache2.orig/mods-enabled/rewrite.load 1970-01-01 01:00:00.000000000 +0100
++++ apache2/mods-enabled/rewrite.load 2012-10-21 20:41:12.000000000 +0200
+@@ -0,0 +1 @@
++LoadModule rewrite_module /usr/lib/apache2/modules/mod_rewrite.so
+diff -Nur apache2.orig/mods-enabled/ssl.conf apache2/mods-enabled/ssl.conf
+--- apache2.orig/mods-enabled/ssl.conf 1970-01-01 01:00:00.000000000 +0100
++++ apache2/mods-enabled/ssl.conf 2013-03-04 22:00:37.000000000 +0100
+@@ -0,0 +1,82 @@
++<IfModule mod_ssl.c>
++#
++# Pseudo Random Number Generator (PRNG):
++# Configure one or more sources to seed the PRNG of the SSL library.
++# The seed data should be of good random quality.
++# WARNING! On some platforms /dev/random blocks if not enough entropy
++# is available. This means you then cannot use the /dev/random device
++# because it would lead to very long connection times (as long as
++# it requires to make more entropy available). But usually those
++# platforms additionally provide a /dev/urandom device which doesn't
++# block. So, if available, use this one instead. Read the mod_ssl User
++# Manual for more details.
++#
++SSLRandomSeed startup builtin
++SSLRandomSeed startup file:/dev/urandom 512
++SSLRandomSeed connect builtin
++SSLRandomSeed connect file:/dev/urandom 512
++
++##
++## SSL Global Context
++##
++## All SSL configuration in this context applies both to
++## the main server and all SSL-enabled virtual hosts.
++##
++
++#
++# Some MIME-types for downloading Certificates and CRLs
++#
++AddType application/x-x509-ca-cert .crt
++AddType application/x-pkcs7-crl .crl
++
++# Pass Phrase Dialog:
++# Configure the pass phrase gathering process.
++# The filtering dialog program (`builtin' is a internal
++# terminal dialog) has to provide the pass phrase on stdout.
++SSLPassPhraseDialog builtin
++
++# Inter-Process Session Cache:
++# Configure the SSL Session Cache: First the mechanism
++# to use and second the expiring timeout (in seconds).
++# (The mechanism dbm has known memory leaks and should not be used).
++#SSLSessionCache dbm:${APACHE_RUN_DIR}/ssl_scache
++SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
++SSLSessionCacheTimeout 300
++
++# Semaphore:
++# Configure the path to the mutual exclusion semaphore the
++# SSL engine uses internally for inter-process synchronization.
++SSLMutex file:${APACHE_RUN_DIR}/ssl_mutex
++
++# SSL Cipher Suite:
++# List the ciphers that the client is permitted to negotiate. See the
++# ciphers(1) man page from the openssl package for list of all available
++# options.
++# Enable only secure ciphers:
++SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
++
++# Speed-optimized SSL Cipher configuration:
++# If speed is your main concern (on busy HTTPS servers e.g.),
++# you might want to force clients to specific, performance
++# optimized ciphers. In this case, prepend those ciphers
++# to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
++# Caveat: by giving precedence to RC4-SHA and AES128-SHA
++# (as in the example below), most connections will no longer
++# have perfect forward secrecy - if the server's key is
++# compromised, captures of past or future traffic must be
++# considered compromised, too.
++#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
++#SSLHonorCipherOrder on
++
++# enable only secure protocols: SSLv3 and TLSv1, but not SSLv2
++SSLProtocol all -SSLv2
++
++# Allow insecure renegotiation with clients which do not yet support the
++# secure renegotiation protocol. Default: Off
++#SSLInsecureRenegotiation on
++
++# Whether to forbid non-SNI clients to access name based virtual hosts.
++# Default: Off
++#SSLStrictSNIVHostCheck On
++
++</IfModule>
+diff -Nur apache2.orig/mods-enabled/ssl.load apache2/mods-enabled/ssl.load
+--- apache2.orig/mods-enabled/ssl.load 1970-01-01 01:00:00.000000000 +0100
++++ apache2/mods-enabled/ssl.load 2013-03-03 12:14:45.000000000 +0100
+@@ -0,0 +1 @@
++LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
+diff -Nur apache2.orig/ports.conf apache2/ports.conf
+--- apache2.orig/ports.conf 2013-03-03 12:14:45.000000000 +0100
++++ apache2/ports.conf 2013-06-06 07:46:07.326283000 +0200
+@@ -6,9 +6,11 @@
+ # README.Debian.gz
+
+ NameVirtualHost *:80
++# NameVirtualHost *
+ Listen 80
+
+ <IfModule mod_ssl.c>
++ NameVirtualHost *:443
+ # If you add NameVirtualHost *:443 here, you will also have to change
+ # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
+ # to <VirtualHost *:443>
+diff -Nur apache2.orig/sites-available/jausoft.com-ssl apache2/sites-available/jausoft.com-ssl
+--- apache2.orig/sites-available/jausoft.com-ssl 1970-01-01 01:00:00.000000000 +0100
++++ apache2/sites-available/jausoft.com-ssl 2013-06-06 07:36:27.650753118 +0200
+@@ -0,0 +1,204 @@
++<IfModule mod_ssl.c>
++<VirtualHost jausoft.com:443>
++
++ # General setup for the virtual host, inherited from global configuration
++ ServerName jausoft.com
++ ServerPath /jausoft.com/
++ RewriteEngine On
++ DocumentRoot /srv/www/jausoft.com
++
++ # Use separate log files for the SSL virtual host; note that LogLevel
++ # is not inherited from httpd.conf.
++ ErrorLog ${APACHE_LOG_DIR}/jausoft.com-ssl-error.log
++ TransferLog ${APACHE_LOG_DIR}/jausoft.com-ssl-access.log
++ LogLevel warn
++
++ # SSL Engine Switch:
++ # Enable/Disable SSL for this virtual host.
++ SSLEngine on
++
++ # SSL Protocol support:
++ # List the enable protocol levels with which clients will be able to
++ # connect. Disable SSLv2 access by default:
++ SSLProtocol all -SSLv2
++
++ # SSL Cipher Suite:
++ # List the ciphers that the client is permitted to negotiate.
++ # See the mod_ssl documentation for a complete list.
++ SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
++
++ # A self-signed (snakeoil) certificate can be created by installing
++ # the ssl-cert package. See
++ # /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
++ # If both key and certificate are stored in the same file, only the
++ # SSLCertificateFile directive is needed.
++ # SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
++ # SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
++
++ SSLCertificateFile /etc/ssl/local/jausoft2013-hostcert.pem
++ SSLCertificateKeyFile /etc/ssl/local/jausoft2013-hostkey.apache.pem
++
++ # Server Certificate Chain:
++ # Point SSLCertificateChainFile at a file containing the
++ # concatenation of PEM encoded CA certificates which form the
++ # certificate chain for the server certificate. Alternatively
++ # the referenced file can be the same as SSLCertificateFile
++ # when the CA certificates are directly appended to the server
++ # certificate for convinience.
++ #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
++
++ SSLCertificateChainFile /etc/ssl/local/thawte-SSL123_CA_Bundle.pem
++
++ # Certificate Authority (CA):
++ # Set the CA certificate verification path where to find CA
++ # certificates for client authentication or alternatively one
++ # huge file containing all of them (file must be PEM encoded)
++ # Note: Inside SSLCACertificatePath you need hash symlinks
++ # to point to the certificate files. Use the provided
++ # Makefile to update the hash symlinks after changes.
++ #SSLCACertificatePath /etc/ssl/certs/
++ #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
++
++ # Certificate Revocation Lists (CRL):
++ # Set the CA revocation path where to find CA CRLs for client
++ # authentication or alternatively one huge file containing all
++ # of them (file must be PEM encoded)
++ # Note: Inside SSLCARevocationPath you need hash symlinks
++ # to point to the certificate files. Use the provided
++ # Makefile to update the hash symlinks after changes.
++ #SSLCARevocationPath /etc/apache2/ssl.crl/
++ #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
++
++ # Client Authentication (Type):
++ # Client certificate verification type and depth. Types are
++ # none, optional, require and optional_no_ca. Depth is a
++ # number which specifies how deeply to verify the certificate
++ # issuer chain before deciding the certificate is not valid.
++ #SSLVerifyClient require
++ #SSLVerifyDepth 10
++
++ # Access Control:
++ # With SSLRequire you can do per-directory access control based
++ # on arbitrary complex boolean expressions containing server
++ # variable checks and other lookup directives. The syntax is a
++ # mixture between C and Perl. See the mod_ssl documentation
++ # for more details.
++ #<Location />
++ #SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
++ # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
++ # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
++ # and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
++ # and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
++ # or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
++ #</Location>
++
++ # SSL Engine Options:
++ # Set various options for the SSL engine.
++ # o FakeBasicAuth:
++ # Translate the client X.509 into a Basic Authorisation. This means that
++ # the standard Auth/DBMAuth methods can be used for access control. The
++ # user name is the `one line' version of the client's X.509 certificate.
++ # Note that no password is obtained from the user. Every entry in the user
++ # file needs this password: `xxj31ZMTZzkVA'.
++ # o ExportCertData:
++ # This exports two additional environment variables: SSL_CLIENT_CERT and
++ # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
++ # server (always existing) and the client (only existing when client
++ # authentication is used). This can be used to import the certificates
++ # into CGI scripts.
++ # o StdEnvVars:
++ # This exports the standard SSL/TLS related `SSL_*' environment variables.
++ # Per default this exportation is switched off for performance reasons,
++ # because the extraction step is an expensive operation and is usually
++ # useless for serving static content. So one usually enables the
++ # exportation for CGI and SSI requests only.
++ # o StrictRequire:
++ # This denies access when "SSLRequireSSL" or "SSLRequire" applied even
++ # under a "Satisfy any" situation, i.e. when it applies access is denied
++ # and no other module can change it.
++ # o OptRenegotiate:
++ # This enables optimized SSL connection renegotiation handling when SSL
++ # directives are used in per-directory context.
++ #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
++ <Files ~ "\.(cgi|shtml|phtml|php3?)$">
++ SSLOptions +StdEnvVars
++ </Files>
++
++ # SSL Protocol Adjustments:
++ # The safe and default but still SSL/TLS standard compliant shutdown
++ # approach is that mod_ssl sends the close notify alert but doesn't wait for
++ # the close notify alert from client. When you need a different shutdown
++ # approach you can use one of the following variables:
++ # o ssl-unclean-shutdown:
++ # This forces an unclean shutdown when the connection is closed, i.e. no
++ # SSL close notify alert is send or allowed to received. This violates
++ # the SSL/TLS standard but is needed for some brain-dead browsers. Use
++ # this when you receive I/O errors because of the standard approach where
++ # mod_ssl sends the close notify alert.
++ # o ssl-accurate-shutdown:
++ # This forces an accurate shutdown when the connection is closed, i.e. a
++ # SSL close notify alert is send and mod_ssl waits for the close notify
++ # alert of the client. This is 100% SSL/TLS standard compliant, but in
++ # practice often causes hanging connections with brain-dead browsers. Use
++ # this only for browsers where you know that their SSL implementation
++ # works correctly.
++ # Notice: Most problems of broken clients are also related to the HTTP
++ # keep-alive facility, so you usually additionally want to disable
++ # keep-alive for those clients, too. Use variable "nokeepalive" for this.
++ # Similarly, one has to force some clients to use HTTP/1.0 to workaround
++ # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
++ # "force-response-1.0" for this.
++ BrowserMatch "MSIE [2-6]" \
++ nokeepalive ssl-unclean-shutdown \
++ downgrade-1.0 force-response-1.0
++ # MSIE 7 and newer should be able to use keepalive
++ BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
++
++ # Per-Server Logging:
++ # The home of a custom SSL log file. Use this when you want a
++ # compact non-error SSL logfile on a virtual host basis.
++ CustomLog /var/log/apache2/ssl_request_log \
++ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
++
++ ErrorLog ${APACHE_LOG_DIR}/jausoft.com-ssl-error.log
++ CustomLog ${APACHE_LOG_DIR}/jausoft.com-ssl-access.log common
++
++ # configures the footer on server-generated documents
++ ServerSignature On
++
++ <Directory "/srv/www/jausoft.com">
++ Options Indexes FollowSymLinks
++ AllowOverride All
++ Order allow,deny
++ Allow from all
++ </Directory>
++
++
++ SetEnv GIT_PROJECT_ROOT /srv/scm
++ SetEnv GIT_HTTP_EXPORT_ALL
++ ScriptAlias /srv/scm/ /usr/lib/git-core/git-http-backend/
++ <Directory "/srv/www/jausoft.com/git">
++ DirectoryIndex gitweb.cgi
++ Allow from all
++ AllowOverride all
++ Order allow,deny
++ Options ExecCGI
++ <Files gitweb.cgi>
++ SetHandler cgi-script
++ </Files>
++ SetEnv GITWEB_CONFIG /srv/scm/gitweb.conf
++ </Directory>
++
++ Alias /icons/ "/srv/www/jausoft.com/icons/"
++
++ <Directory "/srv/www/jausoft.com/icons">
++ Options Indexes MultiViews
++ AllowOverride None
++ Order allow,deny
++ Allow from all
++ </Directory>
++
++
++</VirtualHost>
++</IfModule>
++
+diff -Nur apache2.orig/sites-available/jogamp.org apache2/sites-available/jogamp.org
+--- apache2.orig/sites-available/jogamp.org 1970-01-01 01:00:00.000000000 +0100
++++ apache2/sites-available/jogamp.org 2013-06-06 07:29:00.470204000 +0200
+@@ -0,0 +1,247 @@
++#
++# Almost any Apache directive may go into a VirtualHost container.
++# The first VirtualHost section is used for requests without a known
++# server name.
++#
++<VirtualHost *:80>
++ ServerAdmin [email protected]
++ ServerName jogamp.org
++ ServerAlias www.jogamp.org
++ ServerPath /jogamp.org/
++ RewriteEngine On
++
++ ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
++ CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
++
++ DocumentRoot /srv/www/jogamp.org
++
++ # don't loose time with IP address lookups
++ HostnameLookups Off
++
++ # needed for named virtual hosts
++ UseCanonicalName Off
++
++ # configures the footer on server-generated documents
++ ServerSignature On
++
++ <Directory "/srv/www/jogamp.org">
++ Options Indexes FollowSymLinks
++ AllowOverride All
++ Order allow,deny
++ Allow from all
++ </Directory>
++
++ RewriteCond %{HTTP_HOST} ^www.jogamp\.org$ [NC]
++ RewriteRule ^/(.*)$ http://jogamp.org/$1 [R=301,L,NE]
++
++ #RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
++ #RewriteRule ^/(.*)$ http://jogamp.org/%1/$1 [R=301,L,NE]
++
++ RewriteCond %{REQUEST_URI} ^/wiki/index.php$
++ RewriteCond %{QUERY_STRING} ^title=Special:UserLogin
++ RewriteCond %{REQUEST_METHOD} ^GET$
++ RewriteRule ^(.*)$ https://%{SERVER_NAME}/$1 [R=301,L,NE]
++
++ #
++ # Due to security concerns, session hijacking .. etc .. the whole
++ # bugzilla stream will go over https
++ #
++ RewriteCond %{REQUEST_URI} ^/bugzilla
++ RewriteRule ^/bugzilla/(.*)$ https://%{SERVER_NAME}/bugzilla/$1 [R=301,L,NE]
++
++ SetEnv GIT_PROJECT_ROOT /srv/scm
++ SetEnv GIT_HTTP_EXPORT_ALL
++ ScriptAlias /srv/scm/ /usr/lib/git-core/git-http-backend/
++ <Directory "/srv/www/jogamp.org/git">
++ DirectoryIndex gitweb.cgi
++ Allow from all
++ AllowOverride all
++ Order allow,deny
++ Options ExecCGI
++ <Files gitweb.cgi>
++ SetHandler cgi-script
++ </Files>
++ SetEnv GITWEB_CONFIG /srv/scm/gitweb.conf
++ </Directory>
++
++ Alias /icons/ "/srv/www/jogamp.org/icons/"
++
++ <Directory "/srv/www/jogamp.org/icons">
++ Options Indexes MultiViews
++ AllowOverride None
++ Order allow,deny
++ Allow from all
++ </Directory>
++
++ #
++ # Due to security concerns, session hijacking .. etc .. the whole
++ # hudson and bugzilla stream will go over https
++ #
++ RewriteCond %{REQUEST_URI} ^/chuck
++ RewriteRule ^/chuck/(.*)$ https://%{SERVER_NAME}/chuck/$1 [R=301,L,NE]
++
++ #RewriteCond %{REQUEST_URI} ^/chuck
++ #RewriteRule ^/chuck/login(.*)$ https://%{SERVER_NAME}/chuck/login$1 [R=301,L,NE]
++ #
++ #RewriteCond %{REQUEST_URI} ^/chuck
++ #RewriteCond %{HTTP_COOKIE} JSESSIONID=(.*) [NC,OR]
++ #RewriteCond %{HTTP_COOKIE} ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE [NC]
++ #RewriteRule ^/chuck/(.*)$ https://%{SERVER_NAME}/chuck/$1 [R=301,L,NE]
++ #
++ # Cookies:
++ # wikidb_mw_LoggedOut /
++ # wikidb_mw__session /
++ # wikidb_mw_Token /
++ # wikidb_mw_UserID /
++ # wikidb_mw_UserName /
++ #
++ # Bugzilla_login /bugzilla
++ # Bugzilla_logincookie /bugzilla
++ # DEFAULTFORMAT /bugzilla
++ #
++ # ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE /chuck
++ # JSESSIONID /chuck
++ #
++
++ #
++ # http://wiki.hudson-ci.org/display/HUDSON/Running+Hudson+behind+Apache
++ #
++ #ProxyRequests Off
++ #ProxyPreserveHost On
++
++ # Local reverse proxy authorization override
++ # Most unix distribution deny proxy by default (ie /etc/apache2/mods-enabled/proxy.conf in Ubuntu)
++ #<Proxy http://localhost:8089/chuck*>
++ # Order deny,allow
++ # Allow from all
++ #</Proxy>
++ #ProxyPass /chuck http://localhost:8080/chuck
++ #ProxyPassReverse /chuck http://localhost:8080/chuck
++</VirtualHost>
++
++<VirtualHost *:80>
++ ServerName blog.jogamp.org
++ ServerPath /jogamp.org/
++ ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
++ CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
++ RewriteEngine On
++ RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
++ RewriteRule ^/(.*)$ http://jogamp.org/%1/$1 [R=301,L,NE]
++</VirtualHost>
++
++<VirtualHost *:80>
++ ServerName bugzilla.jogamp.org
++ ServerPath /jogamp.org/
++ ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
++ CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
++ RewriteEngine On
++ RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
++ RewriteRule ^/(.*)$ https://jogamp.org/%1/$1 [R=301,L,NE]
++</VirtualHost>
++
++<VirtualHost *:80>
++ ServerName wiki.jogamp.org
++ ServerPath /jogamp.org/
++ ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
++ CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
++ RewriteEngine On
++ RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
++ RewriteRule ^/(.*)$ http://jogamp.org/%1/$1 [R=301,L,NE]
++</VirtualHost>
++
++<VirtualHost *:80>
++ ServerName scm.jogamp.org
++ ServerPath /jogamp.org/
++ ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
++ CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
++ RewriteEngine On
++ RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
++ RewriteRule ^/(.*)$ http://jogamp.org/git/$1 [R=301,L,NE]
++</VirtualHost>
++
++<VirtualHost *:80>
++ ServerName jogl.jogamp.org
++ ServerPath /jogamp.org/
++ ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
++ CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
++ RewriteEngine On
++ RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
++ RewriteRule ^/(.*)$ http://jogamp.org/%1/www/$1 [R=301,L,NE]
++</VirtualHost>
++
++<VirtualHost *:80>
++ ServerName jocl.jogamp.org
++ ServerPath /jogamp.org/
++ ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
++ CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
++ RewriteEngine On
++ RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
++ RewriteRule ^/(.*)$ http://jogamp.org/%1/www/$1 [R=301,L,NE]
++</VirtualHost>
++
++<VirtualHost *:80>
++ ServerName joal.jogamp.org
++ ServerPath /jogamp.org/
++ ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
++ CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
++ RewriteEngine On
++ RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
++ RewriteRule ^/(.*)$ http://jogamp.org/%1/www/$1 [R=301,L,NE]
++</VirtualHost>
++
++<VirtualHost *:80>
++ ServerName demos.jogamp.org
++ ServerPath /jogamp.org/
++ ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
++ CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
++ RewriteEngine On
++ RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
++ RewriteRule ^/(.*)$ http://jogamp.org/%1/$1 [R=301,L,NE]
++</VirtualHost>
++
++<VirtualHost *:80>
++ ServerName chuck.jogamp.org
++ ServerPath /jogamp.org/
++ ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
++ CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
++ RewriteEngine On
++ RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
++ RewriteRule ^/(.*)$ https://jogamp.org/%1/$1 [R=301,L,NE]
++</VirtualHost>
++
++<VirtualHost *:80>
++ ServerName jogamp.com
++ ServerAlias *.jogamp.com
++ ServerPath /jogamp.org/
++ ErrorLog ${APACHE_LOG_DIR}/jogamp.com-error_log
++ CustomLog ${APACHE_LOG_DIR}/jogamp.com-access_log combined
++
++ RewriteEngine On
++ RewriteCond %{HTTP_HOST} ^www.jogamp\.com$ [NC]
++ RewriteRule ^/(.*)$ http://jogamp.org/$1 [R=301,L,NE]
++
++ RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.com$ [NC]
++ RewriteRule ^/(.*)$ http://jogamp.org/%1/$1 [R=301,L,NE]
++
++ RewriteCond %{HTTP_HOST} ^jogamp\.com$ [NC]
++ RewriteRule ^/(.*)$ http://jogamp.org/$1 [R=301,L,NE]
++</VirtualHost>
++
++#
++# Directives to allow use of AWStats as a CGI
++#
++#Alias /awstatsclasses "/usr/local/awstats/wwwroot/classes/"
++#Alias /awstatscss "/usr/local/awstats/wwwroot/css/"
++#Alias /awstatsicons "/usr/local/awstats/wwwroot/icon/"
++#ScriptAlias /awstats/ "/usr/local/awstats/wwwroot/cgi-bin/"
++
++#
++# This is to permit URL access to scripts/files in AWStats directory.
++#
++<Directory "/usr/local/awstats/wwwroot">
++ Options None
++ AllowOverride None
++ Order allow,deny
++ Allow from all
++</Directory>
++
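Review bot: In the first `<VirtualHost *:80>` of the embedded `sites-available/jogamp.org` file, only a GET whose query string starts with `title=Special:UserLogin` is sent to https, so once a user is logged in the `wikidb_mw__session` and `wikidb_mw_Token` cookies that this file lists with path `/` can still be sent over plain HTTP, unless MediaWiki itself forces https. If the session-hijacking concern stated for `/bugzilla` and `/chuck` applies to the wiki as well, redirect the whole prefix the same way, e.g. `RewriteRule ^/wiki/(.*)$ https://jogamp.org/wiki/$1 [R=301,L,NE]`. The https redirects in this vhost also build their target from `%{SERVER_NAME}` while `UseCanonicalName Off` is set, so the target host presumably follows the client's Host header on what the header comment calls the default vhost; the literal `https://jogamp.org/` used by the subdomain vhosts avoids that. The identical file is added again as `sites-enabled/000-jogamp.org` below, so the same applies there.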
+diff -Nur apache2.orig/sites-available/jogamp.org-ssl apache2/sites-available/jogamp.org-ssl
+--- apache2.orig/sites-available/jogamp.org-ssl 1970-01-01 01:00:00.000000000 +0100
++++ apache2/sites-available/jogamp.org-ssl 2013-06-06 07:53:58.298005000 +0200
+@@ -0,0 +1,256 @@
++<IfModule mod_ssl.c>
++<VirtualHost *:443>
++
++ # General setup for the virtual host, inherited from global configuration
++ ServerName jogamp.org
++ ServerPath /jogamp.org/
++ RewriteEngine On
++ DocumentRoot /srv/www/jogamp.org
++
++ # Use separate log files for the SSL virtual host; note that LogLevel
++ # is not inherited from httpd.conf.
++ ErrorLog ${APACHE_LOG_DIR}/jogamp.org-ssl-error.log
++ TransferLog ${APACHE_LOG_DIR}/jogamp.org-ssl-access.log
++ LogLevel warn
++
++ # SSL Engine Switch:
++ # Enable/Disable SSL for this virtual host.
++ SSLEngine on
++
++ # SSL Protocol support:
++ # List the enable protocol levels with which clients will be able to
++ # connect. Disable SSLv2 access by default:
++ SSLProtocol all -SSLv2
++
++ # SSL Cipher Suite:
++ # List the ciphers that the client is permitted to negotiate.
++ # See the mod_ssl documentation for a complete list.
++ SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
++
++ # A self-signed (snakeoil) certificate can be created by installing
++ # the ssl-cert package. See
++ # /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
++ # If both key and certificate are stored in the same file, only the
++ # SSLCertificateFile directive is needed.
++ # SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
++ # SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
++
++ SSLCertificateFile /etc/ssl/local/jogamp2013-hostcert.pem
++ SSLCertificateKeyFile /etc/ssl/local/jogamp2013-hostkey.apache.pem
++
++ # Server Certificate Chain:
++ # Point SSLCertificateChainFile at a file containing the
++ # concatenation of PEM encoded CA certificates which form the
++ # certificate chain for the server certificate. Alternatively
++ # the referenced file can be the same as SSLCertificateFile
++ # when the CA certificates are directly appended to the server
++ # certificate for convinience.
++ #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
++
++ SSLCertificateChainFile /etc/ssl/local/thawte-SSL123_CA_Bundle.pem
++
++ # Certificate Authority (CA):
++ # Set the CA certificate verification path where to find CA
++ # certificates for client authentication or alternatively one
++ # huge file containing all of them (file must be PEM encoded)
++ # Note: Inside SSLCACertificatePath you need hash symlinks
++ # to point to the certificate files. Use the provided
++ # Makefile to update the hash symlinks after changes.
++ #SSLCACertificatePath /etc/ssl/certs/
++ #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
++
++ # Certificate Revocation Lists (CRL):
++ # Set the CA revocation path where to find CA CRLs for client
++ # authentication or alternatively one huge file containing all
++ # of them (file must be PEM encoded)
++ # Note: Inside SSLCARevocationPath you need hash symlinks
++ # to point to the certificate files. Use the provided
++ # Makefile to update the hash symlinks after changes.
++ #SSLCARevocationPath /etc/apache2/ssl.crl/
++ #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
++
++ # Client Authentication (Type):
++ # Client certificate verification type and depth. Types are
++ # none, optional, require and optional_no_ca. Depth is a
++ # number which specifies how deeply to verify the certificate
++ # issuer chain before deciding the certificate is not valid.
++ #SSLVerifyClient require
++ #SSLVerifyDepth 10
++
++ # Access Control:
++ # With SSLRequire you can do per-directory access control based
++ # on arbitrary complex boolean expressions containing server
++ # variable checks and other lookup directives. The syntax is a
++ # mixture between C and Perl. See the mod_ssl documentation
++ # for more details.
++ #<Location />
++ #SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
++ # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
++ # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
++ # and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
++ # and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
++ # or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
++ #</Location>
++
++ # SSL Engine Options:
++ # Set various options for the SSL engine.
++ # o FakeBasicAuth:
++ # Translate the client X.509 into a Basic Authorisation. This means that
++ # the standard Auth/DBMAuth methods can be used for access control. The
++ # user name is the `one line' version of the client's X.509 certificate.
++ # Note that no password is obtained from the user. Every entry in the user
++ # file needs this password: `xxj31ZMTZzkVA'.
++ # o ExportCertData:
++ # This exports two additional environment variables: SSL_CLIENT_CERT and
++ # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
++ # server (always existing) and the client (only existing when client
++ # authentication is used). This can be used to import the certificates
++ # into CGI scripts.
++ # o StdEnvVars:
++ # This exports the standard SSL/TLS related `SSL_*' environment variables.
++ # Per default this exportation is switched off for performance reasons,
++ # because the extraction step is an expensive operation and is usually
++ # useless for serving static content. So one usually enables the
++ # exportation for CGI and SSI requests only.
++ # o StrictRequire:
++ # This denies access when "SSLRequireSSL" or "SSLRequire" applied even
++ # under a "Satisfy any" situation, i.e. when it applies access is denied
++ # and no other module can change it.
++ # o OptRenegotiate:
++ # This enables optimized SSL connection renegotiation handling when SSL
++ # directives are used in per-directory context.
++ #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
++ <Files ~ "\.(cgi|shtml|phtml|php3?)$">
++ SSLOptions +StdEnvVars
++ </Files>
++
++ # SSL Protocol Adjustments:
++ # The safe and default but still SSL/TLS standard compliant shutdown
++ # approach is that mod_ssl sends the close notify alert but doesn't wait for
++ # the close notify alert from client. When you need a different shutdown
++ # approach you can use one of the following variables:
++ # o ssl-unclean-shutdown:
++ # This forces an unclean shutdown when the connection is closed, i.e. no
++ # SSL close notify alert is send or allowed to received. This violates
++ # the SSL/TLS standard but is needed for some brain-dead browsers. Use
++ # this when you receive I/O errors because of the standard approach where
++ # mod_ssl sends the close notify alert.
++ # o ssl-accurate-shutdown:
++ # This forces an accurate shutdown when the connection is closed, i.e. a
++ # SSL close notify alert is send and mod_ssl waits for the close notify
++ # alert of the client. This is 100% SSL/TLS standard compliant, but in
++ # practice often causes hanging connections with brain-dead browsers. Use
++ # this only for browsers where you know that their SSL implementation
++ # works correctly.
++ # Notice: Most problems of broken clients are also related to the HTTP
++ # keep-alive facility, so you usually additionally want to disable
++ # keep-alive for those clients, too. Use variable "nokeepalive" for this.
++ # Similarly, one has to force some clients to use HTTP/1.0 to workaround
++ # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
++ # "force-response-1.0" for this.
++ BrowserMatch "MSIE [2-6]" \
++ nokeepalive ssl-unclean-shutdown \
++ downgrade-1.0 force-response-1.0
++ # MSIE 7 and newer should be able to use keepalive
++ BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
++
++ # Per-Server Logging:
++ # The home of a custom SSL log file. Use this when you want a
++ # compact non-error SSL logfile on a virtual host basis.
++ CustomLog /var/log/apache2/jogamp.org-ssl-request.log \
++ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
++
++ ErrorLog ${APACHE_LOG_DIR}/jogamp.org-ssl-error.log
++ CustomLog ${APACHE_LOG_DIR}/jogamp.org-ssl-access.log combined
++
++ # configures the footer on server-generated documents
++ ServerSignature On
++
++ <Directory "/srv/www/jogamp.org">
++ Options Indexes FollowSymLinks
++ AllowOverride All
++ Order allow,deny
++ Allow from all
++ </Directory>
++
++# ScriptAlias /cgi-bin/ "/srv/www/jogamp.org/bugzilla"
++ <Directory /srv/www/jogamp.org/bugzilla>
++ AddHandler cgi-script .cgi
++ Options +Indexes +ExecCGI -MultiViews +FollowSymLinks
++ DirectoryIndex index.cgi
++ AllowOverride Limit FileInfo Indexes
++ </Directory>
++
++ SetEnv GIT_PROJECT_ROOT /srv/scm
++ SetEnv GIT_HTTP_EXPORT_ALL
++ ScriptAlias /srv/scm/ /usr/lib/git-core/git-http-backend/
++ <Directory "/srv/www/jogamp.org/git">
++ DirectoryIndex gitweb.cgi
++ Allow from all
++ AllowOverride all
++ Order allow,deny
++ Options ExecCGI
++ <Files gitweb.cgi>
++ SetHandler cgi-script
++ </Files>
++ SetEnv GITWEB_CONFIG /srv/scm/gitweb.conf
++ </Directory>
++
++ Alias /icons/ "/srv/www/jogamp.org/icons/"
++
++ <Directory "/srv/www/jogamp.org/icons">
++ Options Indexes MultiViews
++ AllowOverride None
++ Order allow,deny
++ Allow from all
++ </Directory>
++
++ #
++ # http://wiki.hudson-ci.org/display/HUDSON/Running+Hudson+behind+Apache
++ #
++ ProxyRequests Off
++ ProxyPreserveHost On
++
++ # Local reverse proxy authorization override
++ # Most unix distribution deny proxy by default (ie /etc/apache2/mods-enabled/proxy.conf in Ubuntu)
++ <Proxy http://127.0.0.1:8080/chuck*>
++ Order deny,allow
++ Allow from all
++ </Proxy>
++
++ ProxyPass /chuck http://127.0.0.1:8080/chuck
++ ProxyPassReverse /chuck http://127.0.0.1:8080/chuck
++ ProxyPassReverse /chuck http://jogamp.org/chuck
++
++# ProxyPass /chuck/ http://127.0.0.1:8080/chuck/
++# <Location /chuck/>
++# ProxyPassReverse /
++# Order deny,allow
++# Allow from all
++# </Location>
++ Header edit Location ^http://jogamp.org/chuck/ https://jogamp.org/chuck/
++
++</VirtualHost>
++
++<VirtualHost *:443>
++ ServerName jogamp.com
++ ServerAlias *.jogamp.com
++ ServerPath /jogamp.org/
++ SSLEngine on
++ ErrorLog ${APACHE_LOG_DIR}/jogamp.com-ssl-error.log
++ CustomLog ${APACHE_LOG_DIR}/jogamp.com-ssl-access.log combined
++
++ SSLCertificateFile /etc/ssl/local/jogamp2013-hostcert.pem
++ SSLCertificateKeyFile /etc/ssl/local/jogamp2013-hostkey.apache.pem
++
++ RewriteEngine On
++ RewriteCond %{HTTP_HOST} ^www.jogamp\.com$ [NC]
++ RewriteRule ^/(.*)$ https://jogamp.org/$1 [R=301,L,NE]
++
++ RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.com$ [NC]
++ RewriteRule ^/(.*)$ https://jogamp.org/%1/$1 [R=301,L,NE]
++
++ RewriteCond %{HTTP_HOST} ^jogamp\.com$ [NC]
++ RewriteRule ^/(.*)$ https://jogamp.org/$1 [R=301,L,NE]
++</VirtualHost>
++
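Review bot: `SSLProtocol all -SSLv2` in the first `<VirtualHost *:443>` still leaves SSLv3 enabled, and `SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW` keeps the LOW (56/64-bit) and RC4 suites negotiable on the host that carries the Bugzilla and `/chuck` logins. I would tighten this to something like `SSLProtocol all -SSLv2 -SSLv3`, `SSLCipherSuite HIGH:!aNULL:!MD5` and `SSLHonorCipherOrder on`, after checking which clients still need to connect. The second `<VirtualHost *:443>` for `jogamp.com` sets neither directive nor `SSLCertificateChainFile`, and it reuses the `jogamp2013-hostcert.pem` certificate, which only validates for `*.jogamp.com` names if they are listed in it; that cannot be confirmed from here. As shown, the embedded file also opens `<IfModule mod_ssl.c>` and ends after the second `</VirtualHost>` without a matching `</IfModule>`, unlike the preceding ssl file in this patch. The same content is added again as `sites-enabled/001-jogamp.org-ssl`.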
+diff -Nur apache2.orig/sites-enabled/000-default apache2/sites-enabled/000-default
+--- apache2.orig/sites-enabled/000-default 2013-03-03 12:14:45.000000000 +0100
++++ apache2/sites-enabled/000-default 1970-01-01 01:00:00.000000000 +0100
+@@ -1,31 +0,0 @@
+-<VirtualHost *:80>
+- ServerAdmin webmaster@localhost
+-
+- DocumentRoot /var/www
+- <Directory />
+- Options FollowSymLinks
+- AllowOverride None
+- </Directory>
+- <Directory /var/www/>
+- Options Indexes FollowSymLinks MultiViews
+- AllowOverride None
+- Order allow,deny
+- allow from all
+- </Directory>
+-
+- ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
+- <Directory "/usr/lib/cgi-bin">
+- AllowOverride None
+- Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
+- Order allow,deny
+- Allow from all
+- </Directory>
+-
+- ErrorLog ${APACHE_LOG_DIR}/error.log
+-
+- # Possible values include: debug, info, notice, warn, error, crit,
+- # alert, emerg.
+- LogLevel warn
+-
+- CustomLog ${APACHE_LOG_DIR}/access.log combined
+-</VirtualHost>
+diff -Nur apache2.orig/sites-enabled/000-jogamp.org apache2/sites-enabled/000-jogamp.org
+--- apache2.orig/sites-enabled/000-jogamp.org 1970-01-01 01:00:00.000000000 +0100
++++ apache2/sites-enabled/000-jogamp.org 2013-06-06 07:29:00.470204000 +0200
+@@ -0,0 +1,247 @@
++#
++# Almost any Apache directive may go into a VirtualHost container.
++# The first VirtualHost section is used for requests without a known
++# server name.
++#
++<VirtualHost *:80>
++ ServerAdmin [email protected]
++ ServerName jogamp.org
++ ServerAlias www.jogamp.org
++ ServerPath /jogamp.org/
++ RewriteEngine On
++
++ ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
++ CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
++
++ DocumentRoot /srv/www/jogamp.org
++
++ # don't loose time with IP address lookups
++ HostnameLookups Off
++
++ # needed for named virtual hosts
++ UseCanonicalName Off
++
++ # configures the footer on server-generated documents
++ ServerSignature On
++
++ <Directory "/srv/www/jogamp.org">
++ Options Indexes FollowSymLinks
++ AllowOverride All
++ Order allow,deny
++ Allow from all
++ </Directory>
++
++ RewriteCond %{HTTP_HOST} ^www.jogamp\.org$ [NC]
++ RewriteRule ^/(.*)$ http://jogamp.org/$1 [R=301,L,NE]
++
++ #RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
++ #RewriteRule ^/(.*)$ http://jogamp.org/%1/$1 [R=301,L,NE]
++
++ RewriteCond %{REQUEST_URI} ^/wiki/index.php$
++ RewriteCond %{QUERY_STRING} ^title=Special:UserLogin
++ RewriteCond %{REQUEST_METHOD} ^GET$
++ RewriteRule ^(.*)$ https://%{SERVER_NAME}/$1 [R=301,L,NE]
++
++ #
++ # Due to security concerns, session hijacking .. etc .. the whole
++ # bugzilla stream will go over https
++ #
++ RewriteCond %{REQUEST_URI} ^/bugzilla
++ RewriteRule ^/bugzilla/(.*)$ https://%{SERVER_NAME}/bugzilla/$1 [R=301,L,NE]
++
++ SetEnv GIT_PROJECT_ROOT /srv/scm
++ SetEnv GIT_HTTP_EXPORT_ALL
++ ScriptAlias /srv/scm/ /usr/lib/git-core/git-http-backend/
++ <Directory "/srv/www/jogamp.org/git">
++ DirectoryIndex gitweb.cgi
++ Allow from all
++ AllowOverride all
++ Order allow,deny
++ Options ExecCGI
++ <Files gitweb.cgi>
++ SetHandler cgi-script
++ </Files>
++ SetEnv GITWEB_CONFIG /srv/scm/gitweb.conf
++ </Directory>
++
++ Alias /icons/ "/srv/www/jogamp.org/icons/"
++
++ <Directory "/srv/www/jogamp.org/icons">
++ Options Indexes MultiViews
++ AllowOverride None
++ Order allow,deny
++ Allow from all
++ </Directory>
++
++ #
++ # Due to security concerns, session hijacking .. etc .. the whole
++ # hudson and bugzilla stream will go over https
++ #
++ RewriteCond %{REQUEST_URI} ^/chuck
++ RewriteRule ^/chuck/(.*)$ https://%{SERVER_NAME}/chuck/$1 [R=301,L,NE]
++
++ #RewriteCond %{REQUEST_URI} ^/chuck
++ #RewriteRule ^/chuck/login(.*)$ https://%{SERVER_NAME}/chuck/login$1 [R=301,L,NE]
++ #
++ #RewriteCond %{REQUEST_URI} ^/chuck
++ #RewriteCond %{HTTP_COOKIE} JSESSIONID=(.*) [NC,OR]
++ #RewriteCond %{HTTP_COOKIE} ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE [NC]
++ #RewriteRule ^/chuck/(.*)$ https://%{SERVER_NAME}/chuck/$1 [R=301,L,NE]
++ #
++ # Cookies:
++ # wikidb_mw_LoggedOut /
++ # wikidb_mw__session /
++ # wikidb_mw_Token /
++ # wikidb_mw_UserID /
++ # wikidb_mw_UserName /
++ #
++ # Bugzilla_login /bugzilla
++ # Bugzilla_logincookie /bugzilla
++ # DEFAULTFORMAT /bugzilla
++ #
++ # ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE /chuck
++ # JSESSIONID /chuck
++ #
++
++ #
++ # http://wiki.hudson-ci.org/display/HUDSON/Running+Hudson+behind+Apache
++ #
++ #ProxyRequests Off
++ #ProxyPreserveHost On
++
++ # Local reverse proxy authorization override
++ # Most unix distribution deny proxy by default (ie /etc/apache2/mods-enabled/proxy.conf in Ubuntu)
++ #<Proxy http://localhost:8089/chuck*>
++ # Order deny,allow
++ # Allow from all
++ #</Proxy>
++ #ProxyPass /chuck http://localhost:8080/chuck
++ #ProxyPassReverse /chuck http://localhost:8080/chuck
++</VirtualHost>
++
++<VirtualHost *:80>
++ ServerName blog.jogamp.org
++ ServerPath /jogamp.org/
++ ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
++ CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
++ RewriteEngine On
++ RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
++ RewriteRule ^/(.*)$ http://jogamp.org/%1/$1 [R=301,L,NE]
++</VirtualHost>
++
++<VirtualHost *:80>
++ ServerName bugzilla.jogamp.org
++ ServerPath /jogamp.org/
++ ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
++ CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
++ RewriteEngine On
++ RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
++ RewriteRule ^/(.*)$ https://jogamp.org/%1/$1 [R=301,L,NE]
++</VirtualHost>
++
++<VirtualHost *:80>
++ ServerName wiki.jogamp.org
++ ServerPath /jogamp.org/
++ ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
++ CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
++ RewriteEngine On
++ RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
++ RewriteRule ^/(.*)$ http://jogamp.org/%1/$1 [R=301,L,NE]
++</VirtualHost>
++
++<VirtualHost *:80>
++ ServerName scm.jogamp.org
++ ServerPath /jogamp.org/
++ ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
++ CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
++ RewriteEngine On
++ RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
++ RewriteRule ^/(.*)$ http://jogamp.org/git/$1 [R=301,L,NE]
++</VirtualHost>
++
++<VirtualHost *:80>
++ ServerName jogl.jogamp.org
++ ServerPath /jogamp.org/
++ ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
++ CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
++ RewriteEngine On
++ RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
++ RewriteRule ^/(.*)$ http://jogamp.org/%1/www/$1 [R=301,L,NE]
++</VirtualHost>
++
++<VirtualHost *:80>
++ ServerName jocl.jogamp.org
++ ServerPath /jogamp.org/
++ ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
++ CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
++ RewriteEngine On
++ RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
++ RewriteRule ^/(.*)$ http://jogamp.org/%1/www/$1 [R=301,L,NE]
++</VirtualHost>
++
++<VirtualHost *:80>
++ ServerName joal.jogamp.org
++ ServerPath /jogamp.org/
++ ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
++ CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
++ RewriteEngine On
++ RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
++ RewriteRule ^/(.*)$ http://jogamp.org/%1/www/$1 [R=301,L,NE]
++</VirtualHost>
++
++<VirtualHost *:80>
++ ServerName demos.jogamp.org
++ ServerPath /jogamp.org/
++ ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
++ CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
++ RewriteEngine On
++ RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
++ RewriteRule ^/(.*)$ http://jogamp.org/%1/$1 [R=301,L,NE]
++</VirtualHost>
++
++<VirtualHost *:80>
++ ServerName chuck.jogamp.org
++ ServerPath /jogamp.org/
++ ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
++ CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
++ RewriteEngine On
++ RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
++ RewriteRule ^/(.*)$ https://jogamp.org/%1/$1 [R=301,L,NE]
++</VirtualHost>
++
++<VirtualHost *:80>
++ ServerName jogamp.com
++ ServerAlias *.jogamp.com
++ ServerPath /jogamp.org/
++ ErrorLog ${APACHE_LOG_DIR}/jogamp.com-error_log
++ CustomLog ${APACHE_LOG_DIR}/jogamp.com-access_log combined
++
++ RewriteEngine On
++ RewriteCond %{HTTP_HOST} ^www.jogamp\.com$ [NC]
++ RewriteRule ^/(.*)$ http://jogamp.org/$1 [R=301,L,NE]
++
++ RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.com$ [NC]
++ RewriteRule ^/(.*)$ http://jogamp.org/%1/$1 [R=301,L,NE]
++
++ RewriteCond %{HTTP_HOST} ^jogamp\.com$ [NC]
++ RewriteRule ^/(.*)$ http://jogamp.org/$1 [R=301,L,NE]
++</VirtualHost>
++
++#
++# Directives to allow use of AWStats as a CGI
++#
++#Alias /awstatsclasses "/usr/local/awstats/wwwroot/classes/"
++#Alias /awstatscss "/usr/local/awstats/wwwroot/css/"
++#Alias /awstatsicons "/usr/local/awstats/wwwroot/icon/"
++#ScriptAlias /awstats/ "/usr/local/awstats/wwwroot/cgi-bin/"
++
++#
++# This is to permit URL access to scripts/files in AWStats directory.
++#
++<Directory "/usr/local/awstats/wwwroot">
++ Options None
++ AllowOverride None
++ Order allow,deny
++ Allow from all
++</Directory>
++
+diff -Nur apache2.orig/sites-enabled/001-jogamp.org-ssl apache2/sites-enabled/001-jogamp.org-ssl
+--- apache2.orig/sites-enabled/001-jogamp.org-ssl 1970-01-01 01:00:00.000000000 +0100
++++ apache2/sites-enabled/001-jogamp.org-ssl 2013-06-06 07:53:58.298005000 +0200
+@@ -0,0 +1,256 @@
++<IfModule mod_ssl.c>
++<VirtualHost *:443>
++
++ # General setup for the virtual host, inherited from global configuration
++ ServerName jogamp.org
++ ServerPath /jogamp.org/
++ RewriteEngine On
++ DocumentRoot /srv/www/jogamp.org
++
++ # Use separate log files for the SSL virtual host; note that LogLevel
++ # is not inherited from httpd.conf.
++ ErrorLog ${APACHE_LOG_DIR}/jogamp.org-ssl-error.log
++ TransferLog ${APACHE_LOG_DIR}/jogamp.org-ssl-access.log
++ LogLevel warn
++
++ # SSL Engine Switch:
++ # Enable/Disable SSL for this virtual host.
++ SSLEngine on
++
++ # SSL Protocol support:
++ # List the enable protocol levels with which clients will be able to
++ # connect. Disable SSLv2 access by default:
++ SSLProtocol all -SSLv2
++
++ # SSL Cipher Suite:
++ # List the ciphers that the client is permitted to negotiate.
++ # See the mod_ssl documentation for a complete list.
++ SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
++
++ # A self-signed (snakeoil) certificate can be created by installing
++ # the ssl-cert package. See
++ # /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
++ # If both key and certificate are stored in the same file, only the
++ # SSLCertificateFile directive is needed.
++ # SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
++ # SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
++
++ SSLCertificateFile /etc/ssl/local/jogamp2013-hostcert.pem
++ SSLCertificateKeyFile /etc/ssl/local/jogamp2013-hostkey.apache.pem
++
++ # Server Certificate Chain:
++ # Point SSLCertificateChainFile at a file containing the
++ # concatenation of PEM encoded CA certificates which form the
++ # certificate chain for the server certificate. Alternatively
++ # the referenced file can be the same as SSLCertificateFile
++ # when the CA certificates are directly appended to the server
++ # certificate for convinience.
++ #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
++
++ SSLCertificateChainFile /etc/ssl/local/thawte-SSL123_CA_Bundle.pem
++
++ # Certificate Authority (CA):
++ # Set the CA certificate verification path where to find CA
++ # certificates for client authentication or alternatively one
++ # huge file containing all of them (file must be PEM encoded)
++ # Note: Inside SSLCACertificatePath you need hash symlinks
++ # to point to the certificate files. Use the provided
++ # Makefile to update the hash symlinks after changes.
++ #SSLCACertificatePath /etc/ssl/certs/
++ #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
++
++ # Certificate Revocation Lists (CRL):
++ # Set the CA revocation path where to find CA CRLs for client
++ # authentication or alternatively one huge file containing all
++ # of them (file must be PEM encoded)
++ # Note: Inside SSLCARevocationPath you need hash symlinks
++ # to point to the certificate files. Use the provided
++ # Makefile to update the hash symlinks after changes.
++ #SSLCARevocationPath /etc/apache2/ssl.crl/
++ #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
++
++ # Client Authentication (Type):
++ # Client certificate verification type and depth. Types are
++ # none, optional, require and optional_no_ca. Depth is a
++ # number which specifies how deeply to verify the certificate
++ # issuer chain before deciding the certificate is not valid.
++ #SSLVerifyClient require
++ #SSLVerifyDepth 10
++
++ # Access Control:
++ # With SSLRequire you can do per-directory access control based
++ # on arbitrary complex boolean expressions containing server
++ # variable checks and other lookup directives. The syntax is a
++ # mixture between C and Perl. See the mod_ssl documentation
++ # for more details.
++ #<Location />
++ #SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
++ # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
++ # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
++ # and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
++ # and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
++ # or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
++ #</Location>
++
++ # SSL Engine Options:
++ # Set various options for the SSL engine.
++ # o FakeBasicAuth:
++ # Translate the client X.509 into a Basic Authorisation. This means that
++ # the standard Auth/DBMAuth methods can be used for access control. The
++ # user name is the `one line' version of the client's X.509 certificate.
++ # Note that no password is obtained from the user. Every entry in the user
++ # file needs this password: `xxj31ZMTZzkVA'.
++ # o ExportCertData:
++ # This exports two additional environment variables: SSL_CLIENT_CERT and
++ # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
++ # server (always existing) and the client (only existing when client
++ # authentication is used). This can be used to import the certificates
++ # into CGI scripts.
++ # o StdEnvVars:
++ # This exports the standard SSL/TLS related `SSL_*' environment variables.
++ # Per default this exportation is switched off for performance reasons,
++ # because the extraction step is an expensive operation and is usually
++ # useless for serving static content. So one usually enables the
++ # exportation for CGI and SSI requests only.
++ # o StrictRequire:
++ # This denies access when "SSLRequireSSL" or "SSLRequire" applied even
++ # under a "Satisfy any" situation, i.e. when it applies access is denied
++ # and no other module can change it.
++ # o OptRenegotiate:
++ # This enables optimized SSL connection renegotiation handling when SSL
++ # directives are used in per-directory context.
++ #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
++ <Files ~ "\.(cgi|shtml|phtml|php3?)$">
++ SSLOptions +StdEnvVars
++ </Files>
++
++ # SSL Protocol Adjustments:
++ # The safe and default but still SSL/TLS standard compliant shutdown
++ # approach is that mod_ssl sends the close notify alert but doesn't wait for
++ # the close notify alert from client. When you need a different shutdown
++ # approach you can use one of the following variables:
++ # o ssl-unclean-shutdown:
++ # This forces an unclean shutdown when the connection is closed, i.e. no
++ # SSL close notify alert is send or allowed to received. This violates
++ # the SSL/TLS standard but is needed for some brain-dead browsers. Use
++ # this when you receive I/O errors because of the standard approach where
++ # mod_ssl sends the close notify alert.
++ # o ssl-accurate-shutdown:
++ # This forces an accurate shutdown when the connection is closed, i.e. a
++ # SSL close notify alert is send and mod_ssl waits for the close notify
++ # alert of the client. This is 100% SSL/TLS standard compliant, but in
++ # practice often causes hanging connections with brain-dead browsers. Use
++ # this only for browsers where you know that their SSL implementation
++ # works correctly.
++ # Notice: Most problems of broken clients are also related to the HTTP
++ # keep-alive facility, so you usually additionally want to disable
++ # keep-alive for those clients, too. Use variable "nokeepalive" for this.
++ # Similarly, one has to force some clients to use HTTP/1.0 to workaround
++ # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
++ # "force-response-1.0" for this.
++ BrowserMatch "MSIE [2-6]" \
++ nokeepalive ssl-unclean-shutdown \
++ downgrade-1.0 force-response-1.0
++ # MSIE 7 and newer should be able to use keepalive
++ BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
++
++ # Per-Server Logging:
++ # The home of a custom SSL log file. Use this when you want a
++ # compact non-error SSL logfile on a virtual host basis.
++ CustomLog /var/log/apache2/jogamp.org-ssl-request.log \
++ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
++
++ ErrorLog ${APACHE_LOG_DIR}/jogamp.org-ssl-error.log
++ CustomLog ${APACHE_LOG_DIR}/jogamp.org-ssl-access.log combined
++
++ # configures the footer on server-generated documents
++ ServerSignature On
++
++ <Directory "/srv/www/jogamp.org">
++ Options Indexes FollowSymLinks
++ AllowOverride All
++ Order allow,deny
++ Allow from all
++ </Directory>
++
++# ScriptAlias /cgi-bin/ "/srv/www/jogamp.org/bugzilla"
++ <Directory /srv/www/jogamp.org/bugzilla>
++ AddHandler cgi-script .cgi
++ Options +Indexes +ExecCGI -MultiViews +FollowSymLinks
++ DirectoryIndex index.cgi
++ AllowOverride Limit FileInfo Indexes
++ </Directory>
++
++ SetEnv GIT_PROJECT_ROOT /srv/scm
++ SetEnv GIT_HTTP_EXPORT_ALL
++ ScriptAlias /srv/scm/ /usr/lib/git-core/git-http-backend/
++ <Directory "/srv/www/jogamp.org/git">
++ DirectoryIndex gitweb.cgi
++ Allow from all
++ AllowOverride all
++ Order allow,deny
++ Options ExecCGI
++ <Files gitweb.cgi>
++ SetHandler cgi-script
++ </Files>
++ SetEnv GITWEB_CONFIG /srv/scm/gitweb.conf
++ </Directory>
++
++ Alias /icons/ "/srv/www/jogamp.org/icons/"
++
++ <Directory "/srv/www/jogamp.org/icons">
++ Options Indexes MultiViews
++ AllowOverride None
++ Order allow,deny
++ Allow from all
++ </Directory>
++
++ #
++ # http://wiki.hudson-ci.org/display/HUDSON/Running+Hudson+behind+Apache
++ #
++ ProxyRequests Off
++ ProxyPreserveHost On
++
++ # Local reverse proxy authorization override
++ # Most unix distribution deny proxy by default (ie /etc/apache2/mods-enabled/proxy.conf in Ubuntu)
++ <Proxy http://127.0.0.1:8080/chuck*>
++ Order deny,allow
++ Allow from all
++ </Proxy>
++
++ ProxyPass /chuck http://127.0.0.1:8080/chuck
++ ProxyPassReverse /chuck http://127.0.0.1:8080/chuck
++ ProxyPassReverse /chuck http://jogamp.org/chuck
++
++# ProxyPass /chuck/ http://127.0.0.1:8080/chuck/
++# <Location /chuck/>
++# ProxyPassReverse /
++# Order deny,allow
++# Allow from all
++# </Location>
++ Header edit Location ^http://jogamp.org/chuck/ https://jogamp.org/chuck/
++
++</VirtualHost>
++
++<VirtualHost *:443>
++ ServerName jogamp.com
++ ServerAlias *.jogamp.com
++ ServerPath /jogamp.org/
++ SSLEngine on
++ ErrorLog ${APACHE_LOG_DIR}/jogamp.com-ssl-error.log
++ CustomLog ${APACHE_LOG_DIR}/jogamp.com-ssl-access.log combined
++
++ SSLCertificateFile /etc/ssl/local/jogamp2013-hostcert.pem
++ SSLCertificateKeyFile /etc/ssl/local/jogamp2013-hostkey.apache.pem
++
++ RewriteEngine On
++ RewriteCond %{HTTP_HOST} ^www.jogamp\.com$ [NC]
++ RewriteRule ^/(.*)$ https://jogamp.org/$1 [R=301,L,NE]
++
++ RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.com$ [NC]
++ RewriteRule ^/(.*)$ https://jogamp.org/%1/$1 [R=301,L,NE]
++
++ RewriteCond %{HTTP_HOST} ^jogamp\.com$ [NC]
++ RewriteRule ^/(.*)$ https://jogamp.org/$1 [R=301,L,NE]
++</VirtualHost>
++
diff --git a/server/setup/05-service-settings/etc/apache2/mods-enabled.lst b/server/setup/05-service-settings/etc/apache2/mods-enabled.lst
new file mode 100644
index 0000000..c2df5c0
--- /dev/null
+++ b/server/setup/05-service-settings/etc/apache2/mods-enabled.lst
@@ -0,0 +1,44 @@
+alias.conf
+alias.load
+auth_basic.load
+authn_file.load
+authz_default.load
+authz_groupfile.load
+authz_host.load
+authz_user.load
+autoindex.conf
+autoindex.load
+cgid.conf
+cgid.load
+cgi.load
+deflate.conf
+deflate.load
+dir.conf
+dir.load
+env.load
+headers.load
+mime.conf
+mime.load
+negotiation.conf
+negotiation.load
+php5.conf
+php5.load
+proxy_ajp.load
+proxy_balancer.conf
+proxy_balancer.load
+proxy.conf
+proxy_connect.load
+proxy_ftp.conf
+proxy_ftp.load
+proxy_http.load
+proxy.load
+proxy_scgi.load
+reqtimeout.conf
+reqtimeout.load
+rewrite.load
+setenvif.conf
+setenvif.load
+ssl.conf
+ssl.load
+status.conf
+status.load
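Review bot: The list enables `proxy_connect`, `proxy_ftp`, `proxy_ajp`, `proxy_scgi` and `proxy_balancer`, but the only proxying configured in the virtual hosts of this commit is `ProxyPass /chuck http://127.0.0.1:8080/chuck`, which needs just `proxy` and `proxy_http`. Each extra proxy module is code loaded into every worker for no visible use, and `proxy_connect` is the one that matters most if a forward-proxy setting is ever switched on by mistake. Unless another site file outside this commit relies on them, I would record the trimmed set here and disable the rest with `a2dismod proxy_connect proxy_ftp proxy_ajp proxy_scgi proxy_balancer`. Both `cgi.load` and `cgid.load` are also listed; normally only the one matching the MPM is needed.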
diff --git a/server/setup/05-service-settings/etc/apache2/ports.conf b/server/setup/05-service-settings/etc/apache2/ports.conf
new file mode 100644
index 0000000..a319afa
--- /dev/null
+++ b/server/setup/05-service-settings/etc/apache2/ports.conf
@@ -0,0 +1,25 @@
+# If you just change the port or add more ports here, you will likely also
+# have to change the VirtualHost statement in
+# /etc/apache2/sites-enabled/000-default
+# This is also true if you have upgraded from before 2.2.9-3 (i.e. from
+# Debian etch). See /usr/share/doc/apache2.2-common/NEWS.Debian.gz and
+# README.Debian.gz
+
+NameVirtualHost *:80
+# NameVirtualHost *
+Listen 80
+
+<IfModule mod_ssl.c>
+ NameVirtualHost *:443
+ # If you add NameVirtualHost *:443 here, you will also have to change
+ # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
+ # to <VirtualHost *:443>
+ # Server Name Indication for SSL named virtual hosts is currently not
+ # supported by MSIE on Windows XP.
+ Listen 443
+</IfModule>
+
+<IfModule mod_gnutls.c>
+ Listen 443
+</IfModule>
+
diff --git a/server/setup/05-service-settings/etc/apache2/sites-available/jogamp.org b/server/setup/05-service-settings/etc/apache2/sites-available/jogamp.org
new file mode 100644
index 0000000..f9101fa
--- /dev/null
+++ b/server/setup/05-service-settings/etc/apache2/sites-available/jogamp.org
@@ -0,0 +1,247 @@
+#
+# Almost any Apache directive may go into a VirtualHost container.
+# The first VirtualHost section is used for requests without a known
+# server name.
+#
+<VirtualHost *:80>
+ ServerAdmin [email protected]
+ ServerName jogamp.org
+ ServerAlias www.jogamp.org
+ ServerPath /jogamp.org/
+ RewriteEngine On
+
+ ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
+ CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
+
+ DocumentRoot /srv/www/jogamp.org
+
+ # don't loose time with IP address lookups
+ HostnameLookups Off
+
+ # needed for named virtual hosts
+ UseCanonicalName Off
+
+ # configures the footer on server-generated documents
+ ServerSignature On
+
+ <Directory "/srv/www/jogamp.org">
+ Options Indexes FollowSymLinks
+ AllowOverride All
+ Order allow,deny
+ Allow from all
+ </Directory>
+
+ RewriteCond %{HTTP_HOST} ^www.jogamp\.org$ [NC]
+ RewriteRule ^/(.*)$ http://jogamp.org/$1 [R=301,L,NE]
+
+ #RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
+ #RewriteRule ^/(.*)$ http://jogamp.org/%1/$1 [R=301,L,NE]
+
+ RewriteCond %{REQUEST_URI} ^/wiki/index.php$
+ RewriteCond %{QUERY_STRING} ^title=Special:UserLogin
+ RewriteCond %{REQUEST_METHOD} ^GET$
+ RewriteRule ^(.*)$ https://%{SERVER_NAME}/$1 [R=301,L,NE]
+
+ #
+ # Due to security concerns, session hijacking .. etc .. the whole
+ # bugzilla stream will go over https
+ #
+ RewriteCond %{REQUEST_URI} ^/bugzilla
+ RewriteRule ^/bugzilla/(.*)$ https://%{SERVER_NAME}/bugzilla/$1 [R=301,L,NE]
+
+ SetEnv GIT_PROJECT_ROOT /srv/scm
+ SetEnv GIT_HTTP_EXPORT_ALL
+ ScriptAlias /srv/scm/ /usr/lib/git-core/git-http-backend/
+ <Directory "/srv/www/jogamp.org/git">
+ DirectoryIndex gitweb.cgi
+ Allow from all
+ AllowOverride all
+ Order allow,deny
+ Options ExecCGI
+ <Files gitweb.cgi>
+ SetHandler cgi-script
+ </Files>
+ SetEnv GITWEB_CONFIG /srv/scm/gitweb.conf
+ </Directory>
+
+ Alias /icons/ "/srv/www/jogamp.org/icons/"
+
+ <Directory "/srv/www/jogamp.org/icons">
+ Options Indexes MultiViews
+ AllowOverride None
+ Order allow,deny
+ Allow from all
+ </Directory>
+
+ #
+ # Due to security concerns, session hijacking .. etc .. the whole
+ # hudson and bugzilla stream will go over https
+ #
+ RewriteCond %{REQUEST_URI} ^/chuck
+ RewriteRule ^/chuck/(.*)$ https://%{SERVER_NAME}/chuck/$1 [R=301,L,NE]
+
+ #RewriteCond %{REQUEST_URI} ^/chuck
+ #RewriteRule ^/chuck/login(.*)$ https://%{SERVER_NAME}/chuck/login$1 [R=301,L,NE]
+ #
+ #RewriteCond %{REQUEST_URI} ^/chuck
+ #RewriteCond %{HTTP_COOKIE} JSESSIONID=(.*) [NC,OR]
+ #RewriteCond %{HTTP_COOKIE} ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE [NC]
+ #RewriteRule ^/chuck/(.*)$ https://%{SERVER_NAME}/chuck/$1 [R=301,L,NE]
+ #
+ # Cookies:
+ # wikidb_mw_LoggedOut /
+ # wikidb_mw__session /
+ # wikidb_mw_Token /
+ # wikidb_mw_UserID /
+ # wikidb_mw_UserName /
+ #
+ # Bugzilla_login /bugzilla
+ # Bugzilla_logincookie /bugzilla
+ # DEFAULTFORMAT /bugzilla
+ #
+ # ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE /chuck
+ # JSESSIONID /chuck
+ #
+
+ #
+ # http://wiki.hudson-ci.org/display/HUDSON/Running+Hudson+behind+Apache
+ #
+ #ProxyRequests Off
+ #ProxyPreserveHost On
+
+ # Local reverse proxy authorization override
+ # Most unix distribution deny proxy by default (ie /etc/apache2/mods-enabled/proxy.conf in Ubuntu)
+ #<Proxy http://localhost:8089/chuck*>
+ # Order deny,allow
+ # Allow from all
+ #</Proxy>
+ #ProxyPass /chuck http://localhost:8080/chuck
+ #ProxyPassReverse /chuck http://localhost:8080/chuck
+</VirtualHost>
+
+<VirtualHost *:80>
+ ServerName blog.jogamp.org
+ ServerPath /jogamp.org/
+ ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
+ CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
+ RewriteEngine On
+ RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
+ RewriteRule ^/(.*)$ http://jogamp.org/%1/$1 [R=301,L,NE]
+</VirtualHost>
+
+<VirtualHost *:80>
+ ServerName bugzilla.jogamp.org
+ ServerPath /jogamp.org/
+ ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
+ CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
+ RewriteEngine On
+ RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
+ RewriteRule ^/(.*)$ https://jogamp.org/%1/$1 [R=301,L,NE]
+</VirtualHost>
+
+<VirtualHost *:80>
+ ServerName wiki.jogamp.org
+ ServerPath /jogamp.org/
+ ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
+ CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
+ RewriteEngine On
+ RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
+ RewriteRule ^/(.*)$ http://jogamp.org/%1/$1 [R=301,L,NE]
+</VirtualHost>
+
+<VirtualHost *:80>
+ ServerName scm.jogamp.org
+ ServerPath /jogamp.org/
+ ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
+ CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
+ RewriteEngine On
+ RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
+ RewriteRule ^/(.*)$ http://jogamp.org/git/$1 [R=301,L,NE]
+</VirtualHost>
+
+<VirtualHost *:80>
+ ServerName jogl.jogamp.org
+ ServerPath /jogamp.org/
+ ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
+ CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
+ RewriteEngine On
+ RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
+ RewriteRule ^/(.*)$ http://jogamp.org/%1/www/$1 [R=301,L,NE]
+</VirtualHost>
+
+<VirtualHost *:80>
+ ServerName jocl.jogamp.org
+ ServerPath /jogamp.org/
+ ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
+ CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
+ RewriteEngine On
+ RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
+ RewriteRule ^/(.*)$ http://jogamp.org/%1/www/$1 [R=301,L,NE]
+</VirtualHost>
+
+<VirtualHost *:80>
+ ServerName joal.jogamp.org
+ ServerPath /jogamp.org/
+ ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
+ CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
+ RewriteEngine On
+ RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
+ RewriteRule ^/(.*)$ http://jogamp.org/%1/www/$1 [R=301,L,NE]
+</VirtualHost>
+
+<VirtualHost *:80>
+ ServerName demos.jogamp.org
+ ServerPath /jogamp.org/
+ ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
+ CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
+ RewriteEngine On
+ RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
+ RewriteRule ^/(.*)$ http://jogamp.org/%1/$1 [R=301,L,NE]
+</VirtualHost>
+
+<VirtualHost *:80>
+ ServerName chuck.jogamp.org
+ ServerPath /jogamp.org/
+ ErrorLog ${APACHE_LOG_DIR}/jogamp.org-error_log
+ CustomLog ${APACHE_LOG_DIR}/jogamp.org-access_log combined
+ RewriteEngine On
+ RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.org$ [NC]
+ RewriteRule ^/(.*)$ https://jogamp.org/%1/$1 [R=301,L,NE]
+</VirtualHost>
+
+<VirtualHost *:80>
+ ServerName jogamp.com
+ ServerAlias *.jogamp.com
+ ServerPath /jogamp.org/
+ ErrorLog ${APACHE_LOG_DIR}/jogamp.com-error_log
+ CustomLog ${APACHE_LOG_DIR}/jogamp.com-access_log combined
+
+ RewriteEngine On
+ RewriteCond %{HTTP_HOST} ^www.jogamp\.com$ [NC]
+ RewriteRule ^/(.*)$ http://jogamp.org/$1 [R=301,L,NE]
+
+ RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.com$ [NC]
+ RewriteRule ^/(.*)$ http://jogamp.org/%1/$1 [R=301,L,NE]
+
+ RewriteCond %{HTTP_HOST} ^jogamp\.com$ [NC]
+ RewriteRule ^/(.*)$ http://jogamp.org/$1 [R=301,L,NE]
+</VirtualHost>
+
+#
+# Directives to allow use of AWStats as a CGI
+#
+#Alias /awstatsclasses "/usr/local/awstats/wwwroot/classes/"
+#Alias /awstatscss "/usr/local/awstats/wwwroot/css/"
+#Alias /awstatsicons "/usr/local/awstats/wwwroot/icon/"
+#ScriptAlias /awstats/ "/usr/local/awstats/wwwroot/cgi-bin/"
+
+#
+# This is to permit URL access to scripts/files in AWStats directory.
+#
+<Directory "/usr/local/awstats/wwwroot">
+ Options None
+ AllowOverride None
+ Order allow,deny
+ Allow from all
+</Directory>
+
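Review bot: In the main `<VirtualHost *:80>` only a GET of `/wiki/index.php?title=Special:UserLogin` is redirected to https, so the login POST and the `wikidb_mw__session` / `wikidb_mw_Token` cookies listed in the comment block (path `/`) can still travel over plain http, unless MediaWiki marks them Secure, which this file cannot show. That leaves the wiki open to the same session-hijacking concern the comments give as the reason for moving Bugzilla and Hudson to https. Treating the wiki like `/bugzilla` and `/chuck` would close the gap: `RewriteRule ^/wiki/(.*)$ https://%{SERVER_NAME}/wiki/$1 [R=301,L,NE]`, with the `wiki.jogamp.org` host redirecting to `https://jogamp.org/%1/$1` as the bugzilla and chuck hosts already do. The pattern `^www.jogamp\.org$` also has an unescaped dot after `www`; `^www\.jogamp\.org$` is what was meant.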
diff --git a/server/setup/05-service-settings/etc/apache2/sites-available/jogamp.org-ssl b/server/setup/05-service-settings/etc/apache2/sites-available/jogamp.org-ssl
new file mode 100644
index 0000000..062d2d5
--- /dev/null
+++ b/server/setup/05-service-settings/etc/apache2/sites-available/jogamp.org-ssl
@@ -0,0 +1,256 @@
+<IfModule mod_ssl.c>
+<VirtualHost *:443>
+
+ # General setup for the virtual host, inherited from global configuration
+ ServerName jogamp.org
+ ServerPath /jogamp.org/
+ RewriteEngine On
+ DocumentRoot /srv/www/jogamp.org
+
+ # Use separate log files for the SSL virtual host; note that LogLevel
+ # is not inherited from httpd.conf.
+ ErrorLog ${APACHE_LOG_DIR}/jogamp.org-ssl-error.log
+ TransferLog ${APACHE_LOG_DIR}/jogamp.org-ssl-access.log
+ LogLevel warn
+
+ # SSL Engine Switch:
+ # Enable/Disable SSL for this virtual host.
+ SSLEngine on
+
+ # SSL Protocol support:
+ # List the enable protocol levels with which clients will be able to
+ # connect. Disable SSLv2 access by default:
+ SSLProtocol all -SSLv2
+
+ # SSL Cipher Suite:
+ # List the ciphers that the client is permitted to negotiate.
+ # See the mod_ssl documentation for a complete list.
+ SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
+
+ # A self-signed (snakeoil) certificate can be created by installing
+ # the ssl-cert package. See
+ # /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
+ # If both key and certificate are stored in the same file, only the
+ # SSLCertificateFile directive is needed.
+ # SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
+ # SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
+
+ SSLCertificateFile /etc/ssl/local/jogamp2013-hostcert.pem
+ SSLCertificateKeyFile /etc/ssl/local/jogamp2013-hostkey.apache.pem
+
+ # Server Certificate Chain:
+ # Point SSLCertificateChainFile at a file containing the
+ # concatenation of PEM encoded CA certificates which form the
+ # certificate chain for the server certificate. Alternatively
+ # the referenced file can be the same as SSLCertificateFile
+ # when the CA certificates are directly appended to the server
+ # certificate for convinience.
+ #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
+
+ SSLCertificateChainFile /etc/ssl/local/thawte-SSL123_CA_Bundle.pem
+
+ # Certificate Authority (CA):
+ # Set the CA certificate verification path where to find CA
+ # certificates for client authentication or alternatively one
+ # huge file containing all of them (file must be PEM encoded)
+ # Note: Inside SSLCACertificatePath you need hash symlinks
+ # to point to the certificate files. Use the provided
+ # Makefile to update the hash symlinks after changes.
+ #SSLCACertificatePath /etc/ssl/certs/
+ #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
+
+ # Certificate Revocation Lists (CRL):
+ # Set the CA revocation path where to find CA CRLs for client
+ # authentication or alternatively one huge file containing all
+ # of them (file must be PEM encoded)
+ # Note: Inside SSLCARevocationPath you need hash symlinks
+ # to point to the certificate files. Use the provided
+ # Makefile to update the hash symlinks after changes.
+ #SSLCARevocationPath /etc/apache2/ssl.crl/
+ #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
+
+ # Client Authentication (Type):
+ # Client certificate verification type and depth. Types are
+ # none, optional, require and optional_no_ca. Depth is a
+ # number which specifies how deeply to verify the certificate
+ # issuer chain before deciding the certificate is not valid.
+ #SSLVerifyClient require
+ #SSLVerifyDepth 10
+
+ # Access Control:
+ # With SSLRequire you can do per-directory access control based
+ # on arbitrary complex boolean expressions containing server
+ # variable checks and other lookup directives. The syntax is a
+ # mixture between C and Perl. See the mod_ssl documentation
+ # for more details.
+ #<Location />
+ #SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
+ # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
+ # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
+ # and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
+ # and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
+ # or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
+ #</Location>
+
+ # SSL Engine Options:
+ # Set various options for the SSL engine.
+ # o FakeBasicAuth:
+ # Translate the client X.509 into a Basic Authorisation. This means that
+ # the standard Auth/DBMAuth methods can be used for access control. The
+ # user name is the `one line' version of the client's X.509 certificate.
+ # Note that no password is obtained from the user. Every entry in the user
+ # file needs this password: `xxj31ZMTZzkVA'.
+ # o ExportCertData:
+ # This exports two additional environment variables: SSL_CLIENT_CERT and
+ # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
+ # server (always existing) and the client (only existing when client
+ # authentication is used). This can be used to import the certificates
+ # into CGI scripts.
+ # o StdEnvVars:
+ # This exports the standard SSL/TLS related `SSL_*' environment variables.
+ # Per default this exportation is switched off for performance reasons,
+ # because the extraction step is an expensive operation and is usually
+ # useless for serving static content. So one usually enables the
+ # exportation for CGI and SSI requests only.
+ # o StrictRequire:
+ # This denies access when "SSLRequireSSL" or "SSLRequire" applied even
+ # under a "Satisfy any" situation, i.e. when it applies access is denied
+ # and no other module can change it.
+ # o OptRenegotiate:
+ # This enables optimized SSL connection renegotiation handling when SSL
+ # directives are used in per-directory context.
+ #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+ <Files ~ "\.(cgi|shtml|phtml|php3?)$">
+ SSLOptions +StdEnvVars
+ </Files>
+
+ # SSL Protocol Adjustments:
+ # The safe and default but still SSL/TLS standard compliant shutdown
+ # approach is that mod_ssl sends the close notify alert but doesn't wait for
+ # the close notify alert from client. When you need a different shutdown
+ # approach you can use one of the following variables:
+ # o ssl-unclean-shutdown:
+ # This forces an unclean shutdown when the connection is closed, i.e. no
+ # SSL close notify alert is send or allowed to received. This violates
+ # the SSL/TLS standard but is needed for some brain-dead browsers. Use
+ # this when you receive I/O errors because of the standard approach where
+ # mod_ssl sends the close notify alert.
+ # o ssl-accurate-shutdown:
+ # This forces an accurate shutdown when the connection is closed, i.e. a
+ # SSL close notify alert is send and mod_ssl waits for the close notify
+ # alert of the client. This is 100% SSL/TLS standard compliant, but in
+ # practice often causes hanging connections with brain-dead browsers. Use
+ # this only for browsers where you know that their SSL implementation
+ # works correctly.
+ # Notice: Most problems of broken clients are also related to the HTTP
+ # keep-alive facility, so you usually additionally want to disable
+ # keep-alive for those clients, too. Use variable "nokeepalive" for this.
+ # Similarly, one has to force some clients to use HTTP/1.0 to workaround
+ # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
+ # "force-response-1.0" for this.
+ BrowserMatch "MSIE [2-6]" \
+ nokeepalive ssl-unclean-shutdown \
+ downgrade-1.0 force-response-1.0
+ # MSIE 7 and newer should be able to use keepalive
+ BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
+
+ # Per-Server Logging:
+ # The home of a custom SSL log file. Use this when you want a
+ # compact non-error SSL logfile on a virtual host basis.
+ CustomLog /var/log/apache2/jogamp.org-ssl-request.log \
+ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+
+ ErrorLog ${APACHE_LOG_DIR}/jogamp.org-ssl-error.log
+ CustomLog ${APACHE_LOG_DIR}/jogamp.org-ssl-access.log combined
+
+ # configures the footer on server-generated documents
+ ServerSignature On
+
+ <Directory "/srv/www/jogamp.org">
+ Options Indexes FollowSymLinks
+ AllowOverride All
+ Order allow,deny
+ Allow from all
+ </Directory>
+
+# ScriptAlias /cgi-bin/ "/srv/www/jogamp.org/bugzilla"
+ <Directory /srv/www/jogamp.org/bugzilla>
+ AddHandler cgi-script .cgi
+ Options +Indexes +ExecCGI -MultiViews +FollowSymLinks
+ DirectoryIndex index.cgi
+ AllowOverride Limit FileInfo Indexes
+ </Directory>
+
+ SetEnv GIT_PROJECT_ROOT /srv/scm
+ SetEnv GIT_HTTP_EXPORT_ALL
+ ScriptAlias /srv/scm/ /usr/lib/git-core/git-http-backend/
+ <Directory "/srv/www/jogamp.org/git">
+ DirectoryIndex gitweb.cgi
+ Allow from all
+ AllowOverride all
+ Order allow,deny
+ Options ExecCGI
+ <Files gitweb.cgi>
+ SetHandler cgi-script
+ </Files>
+ SetEnv GITWEB_CONFIG /srv/scm/gitweb.conf
+ </Directory>
+
+ Alias /icons/ "/srv/www/jogamp.org/icons/"
+
+ <Directory "/srv/www/jogamp.org/icons">
+ Options Indexes MultiViews
+ AllowOverride None
+ Order allow,deny
+ Allow from all
+ </Directory>
+
+ #
+ # http://wiki.hudson-ci.org/display/HUDSON/Running+Hudson+behind+Apache
+ #
+ ProxyRequests Off
+ ProxyPreserveHost On
+
+ # Local reverse proxy authorization override
+ # Most unix distribution deny proxy by default (ie /etc/apache2/mods-enabled/proxy.conf in Ubuntu)
+ <Proxy http://127.0.0.1:8080/chuck*>
+ Order deny,allow
+ Allow from all
+ </Proxy>
+
+ ProxyPass /chuck http://127.0.0.1:8080/chuck
+ ProxyPassReverse /chuck http://127.0.0.1:8080/chuck
+ ProxyPassReverse /chuck http://jogamp.org/chuck
+
+# ProxyPass /chuck/ http://127.0.0.1:8080/chuck/
+# <Location /chuck/>
+# ProxyPassReverse /
+# Order deny,allow
+# Allow from all
+# </Location>
+ Header edit Location ^http://jogamp.org/chuck/ https://jogamp.org/chuck/
+
+</VirtualHost>
+
+<VirtualHost *:443>
+ ServerName jogamp.com
+ ServerAlias *.jogamp.com
+ ServerPath /jogamp.org/
+ SSLEngine on
+ ErrorLog ${APACHE_LOG_DIR}/jogamp.com-ssl-error.log
+ CustomLog ${APACHE_LOG_DIR}/jogamp.com-ssl-access.log combined
+
+ SSLCertificateFile /etc/ssl/local/jogamp2013-hostcert.pem
+ SSLCertificateKeyFile /etc/ssl/local/jogamp2013-hostkey.apache.pem
+
+ RewriteEngine On
+ RewriteCond %{HTTP_HOST} ^www.jogamp\.com$ [NC]
+ RewriteRule ^/(.*)$ https://jogamp.org/$1 [R=301,L,NE]
+
+ RewriteCond %{HTTP_HOST} ^(.*)\.jogamp\.com$ [NC]
+ RewriteRule ^/(.*)$ https://jogamp.org/%1/$1 [R=301,L,NE]
+
+ RewriteCond %{HTTP_HOST} ^jogamp\.com$ [NC]
+ RewriteRule ^/(.*)$ https://jogamp.org/$1 [R=301,L,NE]
+</VirtualHost>
+
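Review bot: `SSLProtocol all -SSLv2` and `SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW` in the jogamp.org virtual host still admit SSLv3, RC4 and the LOW suites, and `!ADH` excludes only anonymous DH, so anonymous ECDH suites may remain available depending on the OpenSSL build, where `!aNULL` would exclude them. This host carries the Bugzilla and Hudson logins that the http site redirects here for protection, so I would tighten it to `SSLProtocol all -SSLv2 -SSLv3`, `SSLCipherSuite HIGH:!aNULL:!MD5:!RC4` and `SSLHonorCipherOrder on`. The second `<VirtualHost *:443>` for jogamp.com sets none of these and no `SSLCertificateChainFile`, so it falls back to the global mod_ssl settings, which are not visible here; repeating the same lines and the chain file there keeps both hosts consistent. The same protocol and cipher lines appear in the apache2.diff copy earlier in this commit.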
diff --git a/server/setup/05-service-settings/etc/xinetd.d/git b/server/setup/05-service-settings/etc/xinetd.d/git
new file mode 100644
index 0000000..fed3461
--- /dev/null
+++ b/server/setup/05-service-settings/etc/xinetd.d/git
@@ -0,0 +1,15 @@
+# default: off
+# description: The rsync server is a good addition to an ftp server, as it \
+# allows crc checksumming etc.
+service git
+{
+ disable = no
+ socket_type = stream
+ port = 9418
+ wait = no
+ user = nobody
+ server = /usr/bin/git
+ server_args = daemon --inetd --syslog --verbose --export-all /srv/scm
+ log_on_failure += USERID
+}
+
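Review bot: `server_args` passes `--export-all`, so git daemon serves every repository it finds under /srv/scm over unauthenticated git:// on port 9418, whether or not that repository was meant to be public. Dropping the flag and creating a `git-daemon-export-ok` file in each repository that should be published makes exposure opt-in: `server_args = daemon --inetd --syslog --verbose /srv/scm`. The header comment is left over from an rsync template and says `default: off` while the service has `disable = no`; I would replace it with `# description: git daemon, anonymous fetch access to /srv/scm`.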
diff --git a/server/setup/05-service-settings/srv/scm/gitweb.conf b/server/setup/05-service-settings/srv/scm/gitweb.conf
new file mode 100644
index 0000000..36056e0
--- /dev/null
+++ b/server/setup/05-service-settings/srv/scm/gitweb.conf
@@ -0,0 +1,20 @@
+
+$git_temp = "/tmp";
+
+# The directories where your projects are. Must not end with a slash.
+$projectroot = "/srv/scm";
+
+# Base URLs for links displayed in the web interface.
+our @git_base_url_list = qw(git://jausoft.com/srv/scm http://jausoft.com/srv/scm);
+
+$feature{'blame'}{'default'} = [1];
+$feature{'blame'}{'override'} = 1;
+
+$feature{'pickaxe'}{'default'} = [1];
+$feature{'pickaxe'}{'override'} = 1;
+
+$feature{'snapshot'}{'default'} = [''];
+#$feature{'snapshot'}{'default'} = ['tbz2'];
+#$feature{'snapshot'}{'default'} = ['tbz2', 'tgz', 'zip', 't7z'];
+#$feature{'snapshot'}{'override'} = 2;
+
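Review bot: `@git_base_url_list` advertises clone URLs on jausoft.com, while every virtual host added in this commit serves jogamp.org; if that is a leftover from another machine, gitweb will show users clone URLs for the wrong server. If both names do not resolve to this host, the line should read `our @git_base_url_list = qw(git://jogamp.org/srv/scm http://jogamp.org/srv/scm);`. Both listed transports are unencrypted and unauthenticated, so it is worth listing the https URL as well now that the ssl site carries the same git-http-backend `ScriptAlias`. A short comment above `$feature{'snapshot'}{'default'} = [''];` saying that snapshots are deliberately disabled would also help the next maintainer.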