Config related v19.x/Trixie updates - mostly webserver and security related

conf/apache-ssl

@@ -0,0 +1,52 @@
+#!/bin/bash -e
+
+# try to enable mod, if not available just continue
+a2enmod ssl || true
+
+# tweak mod_evasive defaults
+CONF=/etc/apache2/mods-available/ssl.conf
+if [[ -f "$CONF" ]]; then
+    # tighten ssl protocol support
+    ssl_protocol="# Hardened TKL default\nSSLProtocol -all +TLSv1.2 +TLSv1.3"
+    sed -Ei "\|^SSLProtocol| s|^(.*)|#\1\n$ssl_protocol|" "$CONF"
+
+    cipher_suites=$(cat <<EOF
+# Explict Cipher suites recommended by Mozilla
+# https://ssl-config.mozilla.org/#server=apache&version=2.4.65&config=intermediate&openssl=3.5.1&guideline=5.7
+# (updated by TurnKey "common/conf/turnkey.d/zz-ssl-ciphers" script)
+SSLCipherSuite ZZ_SSL_CIPHERS
+EOF
+    )
+    sed -Ei "\|^SSLCipherSuite| s|^(.*)|#\1\n$cipher_suites|" "$CONF"
+
+    cat >> "$CONF" <<EOF
+
+# Additional default TKL Apache SSL/TLS config
+
+SSLOpenSSLConfCmd Curves X25519:prime256v1:secp384r1
+
+# Explictly disable SSL compression (should default to off anyway...)
+# Note enabling SSL compression makes Apache vulnerable to CRIME attack.
+SSLCompression off
+
+# Default certificate file to use (provided by TurnKey)
+SSLCertificateFile /etc/ssl/private/cert.pem
+# Default TKL cert.pem includes key so this can remain unset
+#SSLCertificateKeyFile /etc/ssl/private/cert.key
+
+# enable HTTP/2, if available
+Protocols h2 http/1.1
+
+# OCSP Stapling
+SSLUseStapling On
+SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
+
+# HTTP Strict Transport Security (mod_headers is required)
+Header always set Strict-Transport-Security "max-age=63072000"
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
+EOF
+else
+    echo "fatal: conf file $CONF not found" >&2
+    exit 1
+fi

conf/tomcat

@@ -1,17 +1,30 @@
-#!/bin/sh -ex
+#!/bin/bash -ex
 
-fatal() { echo "FATAL [$(basename $0)]: $@" 1>&2; exit 1; }
+fatal() { echo "FATAL [$(basename "$0")]: $*" 1>&2; exit 1; }
 
-TOMCAT=tomcat10
+if [[ -e /var/lib/tomcat10 ]]; then
+    TOMCAT=tomcat10
+elif [[ -e /var/lib/tomcat11 ]]; then
+    TOMCAT=tomcat11
+else
+    fatal "Tomcat version could not be determined"
+fi
 
 CATALINA_HOME="/usr/share/$TOMCAT"
 CATALINA_BASE="/var/lib/$TOMCAT"
 CATALINA_TMPDIR="$CATALINA_BASE/temp"
 
-# identify JVM to use
-## We check for openjdk 17
-[ -e /usr/lib/jvm/java-17-openjdk-amd64 ] && JVM=java-17-openjdk-amd64
-[ -z "$JVM" ] && fatal "JVM to use could not be identified"
+# identify JVM to use - Trixie provides openjdk 21 & 25
+if [[ -e /usr/lib/jvm/java-21-openjdk-amd64 ]]; then
+    JVM=java-21-openjdk-amd64
+    JINFO=$(ls /usr/lib/jvm/.*java*21*jinfo)
+elif [[ -e /usr/lib/jvm/java-25-openjdk-amd64 ]]; then
+    JVM=java-25-openjdk-amd64
+    JINFO=$(ls /usr/lib/jvm/.*java*25*jinfo)
+else
+    fatal "JVM to use could not be identified"
+fi
+
 
 # configure java/tomcat environment
 cat >> /etc/environment<<EOF
@@ -22,15 +35,14 @@ JAVA_HOME="/usr/lib/jvm/${JVM}"
 EOF
 
 # this may not be 100% safe
-JINFO=$(ls /usr/lib/jvm/.*java*17*jinfo)
 JINFO=${JINFO%.jinfo}
 JINFO=${JINFO#*.}
 # not sure if this is actually needed
-update-java-alternatives --jre-headless -s $JINFO
+update-java-alternatives --jre-headless -s "$JINFO"
 sed -i "s/^#JAVA_HOME.*/JAVA_HOME=\/usr\/lib\/jvm\/${JVM}/" /etc/default/$TOMCAT
 
 # configure Apache if needed (Jk connector to Tomcat)
-if [ -e /etc/apache2/sites-available/jktomcat.conf ]; then
+if [[ -e /etc/apache2/sites-available/jktomcat.conf ]]; then
     a2dissite 000-default
     a2ensite jktomcat
 
@@ -46,12 +58,12 @@ fi
 # create convenience links to original conf that we overwrite
 conf_files="tomcat-users.xml server.xml"
 for conf in $conf_files; do
-    ln -s /usr/share/$TOMCAT/etc/$conf /etc/$TOMCAT/$conf.orig
+    ln -s "/usr/share/$TOMCAT/etc/$conf" "/etc/$TOMCAT/$conf.orig"
 done
 
 # from https://bugs.launchpad.net/ubuntu/+source/tomcat7/+bug/1232258
 create_link() {
-    ln -s $CATALINA_BASE/$1 $CATALINA_HOME/$1
+    ln -s "$CATALINA_BASE/$1" "$CATALINA_HOME/$1"
 }
 create_link common
 create_link server

conf/turnkey.d/postfix-local

@@ -20,16 +20,16 @@ postconf -e smtpd_banner='$myhostname ESMTP'
 #postconf -e smtpd_tls_cert_file=/etc/ssl/private/cert.pem
 #postconf -e smtpd_tls_key_file=/etc/ssl/private/cert.key
 
-# despite name, accepts more bits (i.e. > 1024 bits)
-postconf -e smtpd_tls_dh1024_param_file=/etc/ssl/private/dhparams.pem
-postconf -e smtpd_tls_mandatory_protocols='!SSLv2, !SSLv3, !TLSv1, !TLSv1.1'
-postconf -e smtpd_tls_protocols='!SSLv2, !SSLv3, !TLSv1, !TLSv1.1'
+postconf -e smtpd_tls_auth_only=yes
+postconf -e tls_preempt_cipherlist=no
+postconf -e smtpd_tls_mandatory_protocols='>=TLSv1.2'
+postconf -e smtpd_tls_protocols='>=TLSv1.2'
+postconf -e smtp_tls_mandatory_ciphers=medium
 postconf -e smtpd_tls_mandatory_ciphers=medium
 
 # ciphers set by common/conf/turnkey.d/zz-ssl-ciphers
 postconf -e tls_medium_cipherlist="ZZ_SSL_CIPHERS"
-postconf -e tls_preempt_cipherlist=no
 
-service postfix start
+postmulti -x postfix start
 systemctl enable postfix@-.service
-service postfix stop
+postmulti -x postfix stop

conf/turnkey.d/zz-ssl-ciphers

@@ -6,57 +6,57 @@
 # It provides a common set of hardened SSL/TLS ciphers fo all webserver apps
 # Base configuration is provided by relevant overlay files
 
-set ${CERTFILE:="/etc/ssl/private/cert.pem"}
-set ${CRTFILE:="/usr/local/share/ca-certificates/cert.crt"}
-set ${KEYFILE:="/etc/ssl/private/cert.key"}
-set ${DHPARAMS:="/etc/ssl/private/dhparams.pem"}
+set "${CERTFILE:="/etc/ssl/private/cert.pem"}"
+set "${CRTFILE:="/usr/local/share/ca-certificates/cert.crt"}"
+set "${KEYFILE:="/etc/ssl/private/cert.key"}"
+set "${DHPARAMS:="/etc/ssl/private/dhparams.pem"}"
 
-# Secure Cipher List recommended by Mozilla https://ssl-config.mozilla.org/
-# See https://github.com/turnkeylinux/tracker/issues/1380 for more info
-# Note separate cipher list no longer required for Tomcat9
-SECURE_CIPHER_LIST="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
+# "Intermediate" Secure Cipher List recommended by Mozilla:
+# https://ssl-config.mozilla.org/
 
-# Compatible Cipher List recommended for older clients - reduced security score (currently not used)
-COMPATIBLE_CIPHER_LIST="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
+SECURE_CIPHER_LIST="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305"
+
+# Tomcat 10 & 11 use slightly different cipher list - requires Java 10+
+TOMCAT_SECURE_CIPHER_LIST="TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305"
 
 fatal() {
-    echo "fatal: $@" 1>&2
+    echo "fatal: $*" 1>&2
     exit 1
 }
 
 # Postfix
 CONF=/etc/postfix/main.cf
-if [ -f "$CONF" ]; then
+if [[ -f "$CONF" ]]; then
     sed -i "/tls_medium_cipherlist/ s|ZZ_SSL_CIPHERS|$SECURE_CIPHER_LIST|" $CONF
 fi
 
 # Apache2
 CONF="/etc/apache2/mods-available/ssl.conf"
-if [ -f "$CONF" ]; then
+if [[ -f "$CONF" ]]; then
     sed -i "s|^\(\s*SSLCipherSuite\s\+\).*$|\1${SECURE_CIPHER_LIST}|g" $CONF
     a2enmod ssl
     a2enconf security
 fi
 
 # Nginx
 CONF="/etc/nginx/snippets/ssl.conf"
-if [ -f "$CONF" ]; then
+if [[ -f "$CONF" ]]; then
     # SSL enabled by default (see overlay)
     sed -i "s|ssl_ciphers '.*|ssl_ciphers '${SECURE_CIPHER_LIST}';|" $CONF
 fi
 
 # Lighttpd
 CONF="/etc/lighttpd/ssl-params.conf"
-if [ -f "$CONF" ]; then
+if [[ -f "$CONF" ]]; then
     sed -i "/CipherString/ s|ZZ_SSL_CIPHERS|$SECURE_CIPHER_LIST|" $CONF
     lighty-enable-mod ssl
 fi
 
 # Tomcat
-# As of v15.x TKL uses Debian Tomcat default ciphers
+# Note uses slightly different cipher list in TKL v19.x
 for CONF in /etc/tomcat*/server.xml; do
-    if [ -f "$CONF" ]; then
-        sed -i "s|ciphers=|ciphers=\"${SECURE_CIPHER_LIST}\"|" $CONF
+    if [[ -f "$CONF" ]]; then
+        sed -i "s|ciphers=|ciphers=\"${TOMCAT_SECURE_CIPHER_LIST}\"|" "$CONF"
     fi
 done
 

overlays/apache/etc/apache2/conf-available/security.conf

@@ -1,16 +1,13 @@
-#
 # Disable access to the entire file system except for the directories that
 # are explicitly allowed later.
 #
-# This currently breaks the configurations that come with some web application
-# Debian packages.
+# This currently breaks some web app configurations
 #
 #<Directory />
 #   AllowOverride None
 #   Require all denied
 #</Directory>
 
-
 # Changing the following options will not really affect the security of the
 # server, but might make attacks slightly more difficult in some cases.
 
@@ -21,9 +18,6 @@
 # and compiled in modules.
 # Set to one of:  Full | OS | Minimal | Minor | Major | Prod
 # where Full conveys the most information, and Prod the least.
-#ServerTokens Minimal
-#ServerTokens OS
-#ServerTokens Full
 ServerTokens Prod
 
 #
@@ -34,7 +28,6 @@ ServerTokens Prod
 # Set to "EMail" to also include a mailto: link to the ServerAdmin.
 # Set to one of:  On | Off | EMail
 ServerSignature Off
-#ServerSignature On
 
 #
 # Allow TRACE method
@@ -44,34 +37,35 @@ ServerSignature Off
 #
 # Set to one of:  On | Off | extended
 TraceEnable Off
-#TraceEnable On
 
 #
 # Forbid access to version control directories
 #
 # If you use version control systems in your document root, you should
-# probably deny access to their directories. For example, for subversion:
+# probably deny access to their directories.
+#
+# Examples:
 #
-<DirectoryMatch "/\.svn">
-   Require all denied
-</DirectoryMatch>
-<DirectoryMatch "/\.git">
-   Require all denied
-</DirectoryMatch>
+#RedirectMatch 404 /\.git
+#RedirectMatch 404 /\.svn
+
+# Forbid acccess to any/all dot files/dirs
+RedirectMatch 404 "/\."
+# Note this will also deny access to .well-known so needs to be disabled if
+# using non-TurnKey Let's Encrypt tool - e.g. certbot
 
 #
 # Setting this header will prevent MSIE from interpreting files as something
 # else than declared by the content type in the HTTP headers.
 # Requires mod_headers to be enabled.
 #
-#Header set X-Content-Type-Options: "nosniff"
+Header set X-Content-Type-Options: "nosniff"
 
 #
 # Setting this header will prevent other sites from embedding pages from this
 # site as frames. This defends against clickjacking attacks.
 # Requires mod_headers to be enabled.
-#
-#Header set X-Frame-Options: "sameorigin"
 
+Header set Content-Security-Policy "frame-ancestors 'self';"
 
 # vim: syntax=apache ts=4 sw=4 sts=4 sr noet