wtserver 0.52

distros/debian12/install_gitlab.sh

@@ -105,7 +105,8 @@ server {
 
 server {
 #   listen 80;
-    listen        443 ssl http2;
+    listen        443 ssl;
+    http2 on;
     server_name gitlab.$CFG_HOSTNAME_DOMAIN;
     server_tokens off; # don't show the version number, a security best practice
     root /opt/gitlab/embedded/service/gitlab-rails/public;

distros/debian12/install_mta.sh

@@ -124,7 +124,71 @@ EOF
 		-e "s/^#?disable_plaintext_auth\s*=\s*.*/disable_plaintext_auth = yes/" \
 		-e "s/^auth_mechanisms\s*=\s*.*/auth_mechanisms = plain login/" \
 		/etc/dovecot/conf.d/10-auth.conf
-    
+
+	    # Create a directory to store TLS-related things like "SSL" certificates.
+	    mkdir -p "$STORAGE_ROOT/ssl"
+
+	    # make directory readable
+	    chmod 755 $STORAGE_ROOT/ssl
+
+	    # Generate a new private key.
+	    #
+	    # The key is only as good as the entropy available to openssl so that it
+	    # can generate a random key. "OpenSSL’s built-in RSA key generator ....
+	    # is seeded on first use with (on Linux) 32 bytes read from /dev/urandom,
+	    # the process ID, user ID, and the current time in seconds. [During key
+	    # generation OpenSSL] mixes into the entropy pool the current time in seconds,
+	    # the process ID, and the possibly uninitialized contents of a ... buffer
+	    # ... dozens to hundreds of times."
+	    #
+	    # A perfect storm of issues can cause the generated key to be not very random:
+	    #
+	    #   * improperly seeded /dev/urandom, but see system.sh for how we mitigate this
+	    #   * the user ID of this process is always the same (we're root), so that seed is useless
+	    #   * zero'd memory (plausible on embedded systems, cloud VMs?)
+	    #   * a predictable process ID (likely on an embedded/virtualized system)
+	    #   * a system clock reset to a fixed time on boot
+	    #
+	    # Since we properly seed /dev/urandom in system.sh we should be fine, but I leave
+	    # in the rest of the notes in case that ever changes.
+	    if [ ! -f "$STORAGE_ROOT/ssl/ssl_private_key.pem" ]; then
+		# Set the umask so the key file is never world-readable.
+		(umask 077; hide_output \
+			openssl genrsa -out "$STORAGE_ROOT/ssl/ssl_private_key.pem" 4096)
+	    fi
+
+	    # Generate a self-signed SSL certificate because things like nginx, dovecot,
+	    # etc. won't even start without some certificate in place, and we need nginx
+	    # so we can offer the user a control panel to install a better certificate.
+	    if [ ! -f "$STORAGE_ROOT/ssl/ssl_certificate.pem" ]; then
+		# Generate a certificate signing request.
+		CSR=/tmp/ssl_cert_sign_req-$$.csr
+		hide_output \
+		#openssl req -new -key "$STORAGE_ROOT/ssl/ssl_private_key.pem" -out $CSR \
+		#  -sha256 -subj "/CN=$PRIMARY_HOSTNAME"
+		openssl req -new -key "$STORAGE_ROOT/ssl/ssl_private_key.pem" -out $CSR \
+		  -sha256 -subj "/CN=$CFG_HOSTNAME_DOMAIN"
+
+		# Generate the self-signed certificate.
+		#CERT=$STORAGE_ROOT/ssl/$PRIMARY_HOSTNAME-selfsigned-$(date --rfc-3339=date | sed s/-//g).pem
+		CERT=$STORAGE_ROOT/ssl/$CFG_HOSTNAME_DOMAIN-selfsigned-$(date --rfc-3339=date | sed s/-//g).pem		
+		hide_output \
+		openssl x509 -req -days 365 \
+		  -in $CSR -signkey "$STORAGE_ROOT/ssl/ssl_private_key.pem" -out "$CERT"
+
+		# Delete the certificate signing request because it has no other purpose.
+		rm -f $CSR
+
+		# Symlink the certificate into the system certificate path, so system services
+		# can find it.
+		ln -s "$CERT" "$STORAGE_ROOT/ssl/ssl_certificate.pem"
+	    fi
+
+	    # We no longer generate Diffie-Hellman cipher bits. Following rfc7919 we use
+	    # a predefined finite field group, in this case ffdhe4096 from
+	    # https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem
+	    cp -f $APWD/conf/dh4096.pem $STORAGE_ROOT/ssl/
+
 	    # Enable SSL, specify the location of the SSL certificate and private key files.
 	    # Use Mozilla's "Intermediate" recommendations at https://ssl-config.mozilla.org/#server=dovecot&server-version=2.3.7.2&config=intermediate&openssl-version=1.1.1,
 	    # except that the current version of Dovecot does not have a TLSv1.3 setting, so we only use TLSv1.2.

distros/debian12/install_owncloud.sh

@@ -597,7 +597,8 @@ server {
 }
 
 server {
-    listen 443 ssl http2;
+    listen 443 ssl;
+    http2 on;
     server_name cloud.$CFG_HOSTNAME_DOMAIN;
 
     ssl_protocols TLSv1.2 TLSv1.3;
@@ -605,7 +606,7 @@ server {
     ssl_certificate_key /home/$SUDO_USER/.acme.sh/cloud.$CFG_HOSTNAME_DOMAIN/cloud.$CFG_HOSTNAME_DOMAIN.key;
 
     ssl_session_timeout 1d;
-    ssl_session_cache shared:SSL:10m;
+    #ssl_session_cache shared:SSL:10m;
     ssl_session_tickets off;
 
     # Add headers to serve security related headers

distros/debian12/install_phpmyadmin.sh

@@ -93,7 +93,7 @@ EOF
 
 server {
     listen 80;
-    server_name _;
+    server_name "";
     root /usr/share/phpmyadmin;
 
     index index.php index.html index.htm;

distros/debian12/install_webmail.sh

@@ -416,7 +416,8 @@ server {
 
 server {
     #listen 80 http2;
-    listen 443 ssl http2;
+    listen 443 ssl;
+    http2 on;
     ssl_protocols TLSv1.2 TLSv1.3;
     ssl_certificate        /home/$SUDO_USER/.acme.sh/webmail.$CFG_HOSTNAME_DOMAIN/fullchain.cer;
     ssl_certificate_key    /home/$SUDO_USER/.acme.sh/webmail.$CFG_HOSTNAME_DOMAIN/webmail.$CFG_HOSTNAME_DOMAIN.key;
@@ -424,7 +425,7 @@ server {
     ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256';
     ssl_prefer_server_ciphers on;
     ssl_session_timeout 1d;
-    ssl_session_cache shared:SSL:50m;
+    #ssl_session_cache shared:SSL:50m;
     ssl_session_tickets off;
 
     # OCSP Stapling

distros/debian12/nginx_conf/nginx.conf

@@ -69,7 +69,7 @@ send_timeout 600;
 
 	ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
 	ssl_prefer_server_ciphers on;
-
+        ssl_session_cache shared:SSL:50m;
 	##
 	# Logging Settings
 	##