Maximilian Ronniger 7 éve
commit
e7482f4f82

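--- a/apache/domain_validation.conf
+++ b/apache/domain_validation.conf
@@ -0,0 +1,25 @@
+<VirtualHost *:9001>
+  ServerName domain_validation
+
+  ## Vhost docroot
+  DocumentRoot "/var/www/domain_validation/"
+
+  ## Directories, there should at least be a declaration for /var/www/domain_validation/
+
+  <Directory "/var/www/domain_validation/">
+    Options Indexes FollowSymLinks MultiViews
+    AllowOverride None
+    Require all granted
+  </Directory>
+
+  ## Logging
+  ErrorLog "/var/log/apache2/domain_validation_error.log"
+  ServerSignature Off
+  CustomLog "/var/log/apache2/domain_validation_access.log" combined
+
+  ## Block access statements
+  # Block access to SCM directories.
+  <DirectoryMatch .*\.(svn|git|bzr|hg|ht)/.*>
+    Require all denied
+  </DirectoryMatch>
+</VirtualHost>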
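Review bot: `Options Indexes FollowSymLinks MultiViews` in the `<Directory>` block turns on directory listings for the ACME webroot, so anyone who reaches this vhost can enumerate `/.well-known/acme-challenge/` and whatever else is left under `/var/www/domain_validation/`; nothing here needs listings or content negotiation, so `Options None` (or at least `Options -Indexes -MultiViews`) is the safer setting for a directory that only serves challenge tokens. The vhost also listens on `*:9001` although its only intended client is HAProxy's `server localhost localhost:9001`; unless the global `Listen` directive (not part of this commit) is already restricted, binding to `127.0.0.1:9001` keeps the challenge directory from being fetched directly. Note that the `DirectoryMatch` only blocks SCM directories; `.htaccess`/`.htpasswd` files still depend on the distribution's default `<FilesMatch "^\.ht">` rule, which is not visible here.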

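--- a/apache/parked_domains.conf
+++ b/apache/parked_domains.conf
@@ -0,0 +1,25 @@
+<VirtualHost *:9002>
+  ServerName parked_domains
+
+  ## Vhost docroot
+  DocumentRoot /var/www/parked_domains/htdocs
+
+  ## Directories, there should at least be a declaration for /var/www/parked_domains/
+
+  <Directory "/var/www/parked_domains/htdocs/">
+    Options Indexes FollowSymLinks MultiViews
+    AllowOverride None
+    Require all granted
+  </Directory>
+
+  ## Logging
+  ErrorLog "/var/log/apache2/parked_domains_error.log"
+  ServerSignature Off
+  CustomLog "/var/log/apache2/parked_domains_access.log" combined
+
+  ## Block access statements
+  # Block access to SCM directories.
+  <DirectoryMatch .*\.(svn|git|bzr|hg|ht)/.*>
+    Require all denied
+  </DirectoryMatch>
+</VirtualHost>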
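Review bot: As in domain_validation.conf, `Options Indexes FollowSymLinks MultiViews` enables directory listings on a vhost whose only job is to serve parked-domain placeholder pages, so anything dropped into `/var/www/parked_domains/htdocs/` becomes browsable; `Options None` (or `Options -Indexes`) avoids that without changing what the placeholder pages do. The header comment says there should be a declaration for `/var/www/parked_domains/`, but the `<Directory>` block actually covers `/var/www/parked_domains/htdocs/` — point the comment at the real docroot so the two do not drift apart. `*:9002` is only reached through HAProxy's `localhost:9002` backend, so restricting the bind to loopback is worth considering, subject to the global `Listen` directive that this commit does not show.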

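--- a/haproxy/domains-to-backends.map
+++ b/haproxy/domains-to-backends.map
@@ -0,0 +1,50 @@
+# HAProxy map file "domains-to-backends"
+# Managed by hand
+
+# hosted
+itguru.at be_itguru.at
+lists.lotusmail.org be_mail01
+lotusmail.org be_web01
+ananyabhakti.ru be_web01
+meditationband.at be_web01
+ronniger.at be_web01
+
+#mark.cc
+architekturphotos.at be_web01
+foodfotograf.at be_web01
+markl.cc be_web01
+portraitphotograph.at be_web01
+
+# manfred
+canto-violadamore.com be_vhost01
+ciarivari.at be_vhost01
+dimensions.at be_vhost01
+energiatech.net be_vhost01
+health-point.at be_vhost01
+janadallosova.com be_vhost01
+lackierungen.at be_vhost01
+manfredemerson.com be_vhost01
+parkett-design.at be_vhost01
+print-producer.com be_vhost01
+printproducer.at be_vhost01
+printproducer.com be_vhost01
+rechtsanwalt-dr-hans-otto-schmidt.at be_vhost01
+ruthemers.com be_vhost01
+women-in-balance.at be_vhost01
+
+# sahaja yoga
+lists.sahajayoga.at be_mail01
+sahajayoga.at be_web01
+shrimataji.at be_web01
+postgasse.at be_web01
+sahaja.yoga be_web01
+sahajawissen.org be_web01
+sahaja-yoga.at be_web01
+sahajayoga.wien be_web01
+sahajayogafakten.at be_web01
+yogameditation.at be_web01
+
+# yuvashakti
+m2r.at be_web01
+meditatetoregenerate.org be_web01
+yuvashakti.com be_web01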
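Review bot: This map is consulted with `map_dom` in haproxy.cfg, where an entry matches any Host whose domain components end in that entry and, per the pattern-list semantics, the first matching line wins, so `lists.lotusmail.org be_mail01` only routes to the mail host because it sits above `lotusmail.org be_web01`, and likewise `lists.sahajayoga.at` above `sahajayoga.at`. That constraint is invisible to the next person who sorts the file, so state it in the header, e.g. `# Looked up with map_dom: first match wins, keep sub-domain entries (lists.*) above their parent domain.` Domain matching also means a Host such as `sahajayoga.at.example` still matches the `sahajayoga.at` line, which is only harmless if every backend selects its own vhost from the Host header rather than trusting this routing. `itguru.at` points at `be_itguru.at`, a backend that does not exist in the haproxy.cfg added by this commit, so requests for it will fall through to a 503 unless it is defined elsewhere.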

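--- a/haproxy/haproxy.cfg
+++ b/haproxy/haproxy.cfg
@@ -0,0 +1,152 @@
+# This file managed by hand
+global
+  chroot  /var/lib/haproxy
+  daemon  
+  group  haproxy
+  log /dev/log  len 2048 local1 info
+  maxconn  4096
+  pidfile  /var/run/haproxy.pid
+  ssl-default-bind-ciphers  HIGH+ECDHE:DHE+AES:!DSS:@STRENGTH
+  ssl-default-bind-options  ssl-min-ver TLSv1.0
+  ssl-default-server-ciphers  HIGH+ECDHE:DHE+AES:!DSS:@STRENGTH
+  ssl-default-server-options  ssl-min-ver TLSv1.2
+  ssl-dh-param-file  /etc/haproxy/ssl-dh-param-2048.pem
+  stats  socket /var/lib/haproxy/admin.sock mode 660 level admin
+  stats  socket /var/lib/haproxy/user.sock mode 666 level user
+  stats  timeout 30s
+  tune.ssl.default-dh-param  2048
+  user  haproxy
+
+defaults
+  fullconn  409
+  log  global
+  maxconn  4096
+  mode  http
+  option  redispatch
+  option  abortonclose
+  option  dontlognull
+  option  httplog
+  option  http-server-close
+  option  forwardfor except 127.0.0.1
+  option  logasap
+  retries  3
+  timeout  http-request 10s
+  timeout  queue 1m
+  timeout  connect 5s
+  timeout  client 1m
+  timeout  server 1m
+
+frontend ft_http_in
+  bind 0.0.0.0:6000 
+  mode http
+  acl domain_validation path,url_dec -m beg -i /.well-known
+  capture request header X-Forwarded-For len 50
+  capture request header Host len 40
+  capture request header User-Agent len 200
+  log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ {%[ssl_fc_sni]}\ {%sslc|%sslv|%[ssl_fc_is_resumed]|%[ssl_fc_alpn]|%[fc_http_major]}\ \"%[capture.req.method]\ %[capture.req.uri]\ %[capture.req.ver]\"
+  use_backend be_domain_validation if domain_validation
+  use_backend %[req.hdr(host),lower,map_dom(/etc/haproxy/http-domains-to-backends.map,be_redirect_https)]
+
+frontend ft_https_in
+  bind 0.0.0.0:7000 ssl crt /etc/letsencrypt/live/www.sahajayoga.at/bundle.pem crt /etc/ssl/certs/bundles/ alpn h2,http/1.1
+  mode http
+  acl domain_validation path,url_dec -m beg -i /.well-known
+  capture request header X-Forwarded-For len 50
+  capture request header Host len 40
+  capture request header User-Agent len 200
+  http-request set-header X-Forwarded-Port 443
+  http-request set-header X_FORWARDED_PROTO https
+  http-request set-header X-Forwarded-Proto https
+  http-request set-header X-Scheme https
+  http-response add-header Strict-Transport-Security max-age=31536000 if { res.hdr_cnt('Strict-Transport-Security') le 0 }
+  http-response add-header X-Frame-Options SAMEORIGIN if { res.hdr_cnt('X-Frame-Options') le 0 }
+  http-response del-header Server
+  http-response del-header X-Powered-By
+  http-response replace-header Set-Cookie ^((?:(?!\ [Ss]ecure).)*)$ \1;\ Secure
+  log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ {%[ssl_fc_sni]}\ {%sslc|%sslv|%[ssl_fc_is_resumed]|%[ssl_fc_alpn]|%[fc_http_major]}\ \"%[capture.req.method]\ %[capture.req.uri]\ %[capture.req.ver]\"
+  use_backend be_domain_validation if domain_validation
+  use_backend %[req.hdr(host),lower,map_dom(/etc/haproxy/domains-to-backends.map)]
+
+# Backends
+backend be_mail01
+  option httpchk GET / HTTP/1.1\r\nHost:\ localhost\r\nUser-Agent:\ HAProxy
+  server web01 192.168.122.20:80 check inter 5000
+
+backend be_web01
+  option httpchk GET / HTTP/1.1\r\nHost:\ localhost\r\nUser-Agent:\ HAProxy
+  server web01 192.168.122.10:80 check inter 5000
+
+backend be_vhost01
+  option httpchk GET / HTTP/1.1\r\nHost:\ localhost\r\nUser-Agent:\ HAProxy
+  server vhost01 144.76.238.57:80 check inter 10000
+
+# wlan ctl
+backend be_web02_8080
+  option httpchk GET / HTTP/1.1\r\nHost:\ localhost\r\nUser-Agent:\ HAProxy
+  server web02 192.168.122.19:8080 check inter 5000
+
+backend be_web02_8443
+  option httpchk GET / HTTP/1.1\r\nHost:\ localhost\r\nUser-Agent:\ HAProxy
+  server web02 192.168.122.19:8443 check inter 5000 weight 0 ssl verify none
+
+# captive portal  
+backend be_web02_8880
+  acl allowed_url path,url_dec -m beg -i /guest/s/
+  http-request deny if !allowed_url
+  option httpchk GET /guest/s/default/ HTTP/1.1\r\nHost:\ localhost\r\nUser-Agent:\ HAProxy
+  server web02 192.168.122.19:8880 check inter 5000
+#server localhost localhost:9002 check
+#http://192.168.122.19:8880/guest/s/mwandnqf/
+
+backend be_web02_8843
+  option httpchk GET / HTTP/1.1\r\nHost:\ localhost\r\nUser-Agent:\ HAProxy
+  server web02 192.168.122.19:8843 check inter 5000
+
+# Domain Validation for lets encrypt
+backend be_domain_validation
+  server localhost localhost:9001 check
+
+backend be_parked_domains
+  server localhost localhost:9002 check
+
+# Redirects
+backend be_redirect_http
+  redirect scheme http code 301
+
+backend be_redirect_https
+  redirect scheme https code 301 if !{ ssl_fc }
+
+backend be_sahajayoga.at_redirect
+  http-request redirect prefix https://www.sahajayoga.at/ code 301
+
+backend be_sahajayoga.org_redirect_302
+  http-request redirect prefix http://www.sahajayoga.org/ code 302
+  
+# backend be_ringring.net
+#   acl allowed_hosts_eml src 212.126.215.62 84.112.230.10
+#   acl allowed_hosts_user src 80.109.127.112
+#   acl allowed_hosts_kath src 80.109.127.112 85.13.177.171 85.13.149.12 80.108.36.11
+#   acl allowed_hosts_fax src 10.1.32.63 10.1.32.64
+#   acl restricted_services_eml path,url_dec -m beg -i /EML-Speech2Text-Transfer
+#   acl restricted_services_user path,url_dec -m beg -i /user_timer.php
+#   acl restricted_services_kath path,url_dec -m beg -i /kath
+#   acl restricted_services path,url_dec -m beg -i /errors
+#   acl restricted_services path,url_dec -m beg -i /fax
+#   cookie VOIP insert secure
+#   http-request deny if restricted_services_eml !allowed_hosts_eml
+#   http-request deny if restricted_services_user !allowed_hosts_user
+#   http-request deny if restricted_services_kath !allowed_hosts_kath
+#   http-request deny if restricted_services !allowed_hosts_fax
+#   option httpchk GET /home.php HTTP/1.1\r\nHost:\ www.ringring.net\r\nUser-Agent:\ HAProxy
+#   server voipweb01 voipweb01.app01.prod.rz01.riseops.at:80 cookie voipweb01 check inter 5000
+#   server voipweb02 voipweb02.app01.prod.rz01.riseops.at:80 cookie voipweb02 backup check inter 5000
+#   server errorpage rhs-prxa-prod.dmz01.prod.rz01.riseops.at:9002 backup
+
+listen stats
+  bind 0.0.0.0:8000 
+  stats enable
+  stats hide-version
+  stats realm Haproxy\ Statistics
+  stats uri /
+  stats auth stats:quiekovie0zei9gaTiuNe8engiquohCi
+  stats admin if TRUE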
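Review bot: The `listen stats` block at the end binds `0.0.0.0:8000` with plaintext basic auth and `stats admin if TRUE`, so anyone who can reach that port can read the whole topology and enable or disable backend servers after obtaining a single password that is now part of the repository history; bind it to `127.0.0.1:8000` (or serve it through the TLS frontend), replace `stats admin if TRUE` with a source-address ACL such as `stats admin if { src 127.0.0.1 }`, and rotate the `stats auth` credential. The `domain_validation` ACL in both frontends matches the entire `/.well-known` prefix, so `security.txt`, `assetlinks.json` and every other well-known resource of every hosted domain is answered by the static Let's Encrypt directory instead of the real backend — `path,url_dec -m beg -i /.well-known/acme-challenge/` is all certbot's webroot plugin needs. `ssl-default-bind-options ssl-min-ver TLSv1.0` still admits TLS 1.0 and 1.1 on the public side while the server side already insists on 1.2; `ssl-min-ver TLSv1.2` on the bind side is consistent with the cipher list chosen. Finally, `ft_http_in` never sets `X-Forwarded-Proto`, so a plain-HTTP client can send `X-Forwarded-Proto: https` itself and any backend that trusts that header (for secure-cookie or redirect decisions) will treat the request as already encrypted; `http-request set-header X-Forwarded-Proto http` there mirrors what `ft_https_in` does and closes that gap.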

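--- a/haproxy/http-domains-to-backends.map
+++ b/haproxy/http-domains-to-backends.map
@@ -0,0 +1,43 @@
+# HAProxy map file "http-domains-to-backends"
+
+# redirect to sahajayoga.org
+www.sahaja.yoga be_sahajayoga.org_redirect_302
+sahajayoga.international be_sahajayoga.org_redirect_302
+
+# Redirects to main sy.at wegsite
+coolyoga.at be_sahajayoga.at_redirect
+yoga.or.at be_sahajayoga.at_redirect
+sahaja-yoga.or.at be_sahajayoga.at_redirect
+sahajayoga.or.at be_sahajayoga.at_redirect
+sahaja.yoga.or.at be_sahajayoga.at_redirect
+sahajayoga.wien be_sahajayoga.at_redirect
+sahajayoga.co.at be_sahajayoga.at_redirect
+sahaja-yoga.co.at be_sahajayoga.at_redirect
+mysahaj.com be_sahajayoga.at_redirect
+
+# Parked Domains
+sahaj-meditation.de be_parked_domains
+sahaja-meditation.de be_parked_domains
+sahajameditation.de be_parked_domains
+sahajmeditation.de be_parked_domains
+sahajmeditation.at be_parked_domains
+sahajameditation.at be_parked_domains
+sahaja-meditation.at be_parked_domains
+sahaj-meditation.at be_parked_domains
+
+# manfred
+canto-violadamore.com be_vhost01
+ciarivari.at be_vhost01
+dimensions.at be_vhost01
+energiatech.net be_vhost01
+health-point.at be_vhost01
+janadallosova.com be_vhost01
+lackierungen.at be_vhost01
+manfredemerson.com be_vhost01
+parkett-design.at be_vhost01
+print-producer.com be_vhost01
+printproducer.at be_vhost01
+printproducer.com be_vhost01
+rechtsanwalt-dr-hans-otto-schmidt.at be_vhost01
+ruthemers.com be_vhost01
+women-in-balance.at be_vhost01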
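Review bot: `sahajayoga.wien` is routed differently by the two maps: over plain HTTP it goes to `be_sahajayoga.at_redirect`, while domains-to-backends.map sends the same host to `be_web01` over HTTPS, so visitors see different content depending on the scheme they arrive with — pick one behaviour and mirror it in both files. The `# manfred` block deliberately lists `be_vhost01` here instead of falling through to the `be_redirect_https` default of `ft_http_in`, which leaves those fifteen sites on unencrypted HTTP with no upgrade; that is defensible if they have no certificate yet, but a comment such as `# served plain-HTTP on purpose: no certificate for these yet` would stop someone "fixing" it later. Like the HTTPS map, this file is consulted with `map_dom` and first match wins, which is worth stating in the header so the order is not changed casually. Minor: `wegsite` in the second comment should read `website`.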

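--- a/scripts/letsencrypt.sahajayoga.at.sh
+++ b/scripts/letsencrypt.sahajayoga.at.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+certbot --text --agree-tos certonly -a webroot --post-hook "/etc/letsencrypt/post-hook.d/10_update_haproxy" --webroot-path /var/www/domain_validation \
+  -d sahajayoga.at \
+  -d www.sahajayoga.at \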
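Review bot: The file ends with `-d www.sahajayoga.at \`, a line continuation with nothing after it; bash happens to tolerate a backslash-newline at end of file, but it reads as a truncated argument list and the next person who appends a blank line or a comment will silently change what certbot receives — drop the trailing backslash. Separately, certbot names the lineage after the first `-d` unless `--cert-name` is given, so this invocation would write to `/etc/letsencrypt/live/sahajayoga.at/`, whereas the `ft_https_in` bind in haproxy.cfg loads `/etc/letsencrypt/live/www.sahajayoga.at/bundle.pem`; adding `--cert-name www.sahajayoga.at` keeps the two paths in step, unless the `10_update_haproxy` post-hook (not in this commit) already copes with that. The post-hook is also responsible for producing the combined `bundle.pem` that HAProxy expects, so a one-line comment here saying that the hook concatenates fullchain and privkey and reloads HAProxy would help the reader; note certbot runs `--post-hook` after every attempt, so the hook itself must check that a new certificate actually exists.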