14 files changed, 664 insertions, 0 deletions
diff --git a/main/apache2/conf/0001-httpd.conf-ServerRoot.patch b/main/apache2/conf/0001-httpd.conf-ServerRoot.patch
new file mode 100644
index 0000000000..e69dea402d
--- /dev/null
+++ b/main/apache2/conf/0001-httpd.conf-ServerRoot.patch
@@ -0,0 +1,25 @@
+From 6f3ae7182eff18a41f6e6762c3f98c6516d79270 Mon Sep 17 00:00:00 2001
+From: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>
+Date: Mon, 21 Sep 2015 12:16:16 +0300
+Subject: [PATCH 01/14] httpd.conf: ServerRoot
+
+---
+ docs/conf/httpd.conf.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/docs/conf/httpd.conf.in b/docs/conf/httpd.conf.in
+index 6e41891..ddf9470 100644
+--- a/docs/conf/httpd.conf.in
++++ b/docs/conf/httpd.conf.in
+@@ -28,7 +28,7 @@
+ # same ServerRoot for multiple httpd daemons, you will need to change at
+ # least PidFile.
+ #
+-ServerRoot "@@ServerRoot@@"
++ServerRoot /var/www
+ 
+ #
+ # Mutex: Allows you to set the mutex mechanism and mutex file directory
+-- 
+2.5.0
+
diff --git a/main/apache2/conf/0002-httpd.conf-ServerTokens.patch b/main/apache2/conf/0002-httpd.conf-ServerTokens.patch
new file mode 100644
index 0000000000..e4b0529e9b
--- /dev/null
+++ b/main/apache2/conf/0002-httpd.conf-ServerTokens.patch
@@ -0,0 +1,55 @@
+From a581696f06b6ad80530bbee138cb4e870379284b Mon Sep 17 00:00:00 2001
+From: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>
+Date: Fri, 11 Sep 2015 11:10:55 +0300
+Subject: [PATCH 02/14] httpd.conf: ServerTokens
+
+---
+ docs/conf/extra/httpd-default.conf.in | 10 ----------
+ docs/conf/httpd.conf.in               | 10 ++++++++++
+ 2 files changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/docs/conf/extra/httpd-default.conf.in b/docs/conf/extra/httpd-default.conf.in
+index 7196922..a05ebc1 100644
+--- a/docs/conf/extra/httpd-default.conf.in
++++ b/docs/conf/extra/httpd-default.conf.in
+@@ -45,16 +45,6 @@ UseCanonicalName Off
+ AccessFileName .htaccess
+ 
+ #
+-# ServerTokens
+-# This directive configures what you return as the Server HTTP response
+-# Header. The default is 'Full' which sends information about the OS-Type
+-# and compiled in modules.
+-# Set to one of:  Full | OS | Minor | Minimal | Major | Prod
+-# where Full conveys the most information, and Prod the least.
+-#
+-ServerTokens Full
+-
+-#
+ # Optionally add a line containing the server version and virtual host
+ # name to server-generated pages (internal error documents, FTP directory 
+ # listings, mod_status and mod_info output etc., but not CGI generated 
+diff --git a/docs/conf/httpd.conf.in b/docs/conf/httpd.conf.in
+index ddf9470..6a746e0 100644
+--- a/docs/conf/httpd.conf.in
++++ b/docs/conf/httpd.conf.in
+@@ -19,6 +19,16 @@
+ # will be interpreted as '/logs/access_log'.
+ 
+ #
++# ServerTokens
++# This directive configures what you return as the Server HTTP response
++# Header. The default is 'Full' which sends information about the OS-Type
++# and compiled in modules.
++# Set to one of:  Full | OS | Minor | Minimal | Major | Prod
++# where Full conveys the most information, and Prod the least.
++#
++ServerTokens OS
++
++#
+ # ServerRoot: The top of the directory tree under which the server's
+ # configuration, error, and log files are kept.
+ #
+-- 
+2.5.0
+
diff --git a/main/apache2/conf/0003-httpd.conf-ServerSignature.patch b/main/apache2/conf/0003-httpd.conf-ServerSignature.patch
new file mode 100644
index 0000000000..1c921ea5f3
--- /dev/null
+++ b/main/apache2/conf/0003-httpd.conf-ServerSignature.patch
@@ -0,0 +1,55 @@
+From 1155dc5d32cceb5444d9c6ea7a3e560472c2c478 Mon Sep 17 00:00:00 2001
+From: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>
+Date: Fri, 11 Sep 2015 11:46:25 +0300
+Subject: [PATCH 03/14] httpd.conf: ServerSignature
+
+---
+ docs/conf/extra/httpd-default.conf.in | 10 ----------
+ docs/conf/httpd.conf.in               | 10 ++++++++++
+ 2 files changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/docs/conf/extra/httpd-default.conf.in b/docs/conf/extra/httpd-default.conf.in
+index a05ebc1..dcc2fb5 100644
+--- a/docs/conf/extra/httpd-default.conf.in
++++ b/docs/conf/extra/httpd-default.conf.in
+@@ -45,16 +45,6 @@ UseCanonicalName Off
+ AccessFileName .htaccess
+ 
+ #
+-# Optionally add a line containing the server version and virtual host
+-# name to server-generated pages (internal error documents, FTP directory 
+-# listings, mod_status and mod_info output etc., but not CGI generated 
+-# documents or custom error documents).
+-# Set to "EMail" to also include a mailto: link to the ServerAdmin.
+-# Set to one of:  On | Off | EMail
+-#
+-ServerSignature Off
+-
+-#
+ # HostnameLookups: Log the names of clients or just their IP addresses
+ # e.g., www.apache.org (on) or 204.62.129.132 (off).
+ # The default is off because it'd be overall better for the net if people
+diff --git a/docs/conf/httpd.conf.in b/docs/conf/httpd.conf.in
+index 6a746e0..e92fefa 100644
+--- a/docs/conf/httpd.conf.in
++++ b/docs/conf/httpd.conf.in
+@@ -109,6 +109,16 @@ Group daemon
+ ServerAdmin you@example.com
+ 
+ #
++# Optionally add a line containing the server version and virtual host
++# name to server-generated pages (internal error documents, FTP directory
++# listings, mod_status and mod_info output etc., but not CGI generated
++# documents or custom error documents).
++# Set to "EMail" to also include a mailto: link to the ServerAdmin.
++# Set to one of:  On | Off | EMail
++#
++ServerSignature On
++
++#
+ # ServerName gives the name and port that the server uses to identify itself.
+ # This can often be determined automatically, but we recommend you specify
+ # it explicitly to prevent problems during startup.
+-- 
+2.5.0
+
diff --git a/main/apache2/conf/0004-httpd.conf-User-Group.patch b/main/apache2/conf/0004-httpd.conf-User-Group.patch
new file mode 100644
index 0000000000..51decc9487
--- /dev/null
+++ b/main/apache2/conf/0004-httpd.conf-User-Group.patch
@@ -0,0 +1,27 @@
+From c312314571194da82ca1e6124d55a44bcbff755d Mon Sep 17 00:00:00 2001
+From: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>
+Date: Fri, 11 Sep 2015 11:31:31 +0300
+Subject: [PATCH 04/14] httpd.conf: User/Group
+
+---
+ docs/conf/httpd.conf.in | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/docs/conf/httpd.conf.in b/docs/conf/httpd.conf.in
+index e92fefa..a1cf630 100644
+--- a/docs/conf/httpd.conf.in
++++ b/docs/conf/httpd.conf.in
+@@ -84,8 +84,8 @@ Listen @@Port@@
+ # It is usually good practice to create a dedicated user and group for
+ # running httpd, as with most system services.
+ #
+-User daemon
+-Group daemon
++User apache
++Group apache
+ 
+ </IfModule>
+ 
+-- 
+2.5.0
+
diff --git a/main/apache2/conf/0005-httpd.conf-ErrorLog-CustomLog-TransferLog.patch b/main/apache2/conf/0005-httpd.conf-ErrorLog-CustomLog-TransferLog.patch
new file mode 100644
index 0000000000..38cdab43a7
--- /dev/null
+++ b/main/apache2/conf/0005-httpd.conf-ErrorLog-CustomLog-TransferLog.patch
@@ -0,0 +1,66 @@
+From 952a6b229f190aa6b46ecb1a47ec464a092f51b4 Mon Sep 17 00:00:00 2001
+From: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>
+Date: Fri, 11 Sep 2015 11:40:22 +0300
+Subject: [PATCH 05/14] httpd.conf: ErrorLog/CustomLog/TransferLog
+
+---
+ docs/conf/extra/httpd-ssl.conf.in | 6 +++---
+ docs/conf/httpd.conf.in           | 6 +++---
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/docs/conf/extra/httpd-ssl.conf.in b/docs/conf/extra/httpd-ssl.conf.in
+index f093b32..65dae32 100644
+--- a/docs/conf/extra/httpd-ssl.conf.in
++++ b/docs/conf/extra/httpd-ssl.conf.in
+@@ -124,8 +124,8 @@ SSLSessionCacheTimeout  300
+ DocumentRoot "@exp_htdocsdir@"
+ ServerName www.example.com:@@SSLPort@@
+ ServerAdmin you@example.com
+-ErrorLog "@exp_logfiledir@/error_log"
+-TransferLog "@exp_logfiledir@/access_log"
++ErrorLog logs/ssl_error.log
++TransferLog logs/ssl_access.log
+ 
+ #   SSL Engine Switch:
+ #   Enable/Disable SSL for this virtual host.
+@@ -284,7 +284,7 @@ BrowserMatch "MSIE [2-5]" \
+ #   Per-Server Logging:
+ #   The home of a custom SSL log file. Use this when you want a
+ #   compact non-error SSL logfile on a virtual host basis.
+-CustomLog "@exp_logfiledir@/ssl_request_log" \
++CustomLog logs/ssl_request.log \
+           "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+ 
+ </VirtualHost>                                  
+diff --git a/docs/conf/httpd.conf.in b/docs/conf/httpd.conf.in
+index a1cf630..565fb01 100644
+--- a/docs/conf/httpd.conf.in
++++ b/docs/conf/httpd.conf.in
+@@ -201,7 +201,7 @@ DocumentRoot "@exp_htdocsdir@"
+ # logged here.  If you *do* define an error logfile for a <VirtualHost>
+ # container, that host's errors will be logged there and not here.
+ #
+-ErrorLog "@rel_logfiledir@/error_log"
++ErrorLog logs/error.log
+ 
+ #
+ # LogLevel: Control the number of messages logged to the error_log.
+@@ -230,13 +230,13 @@ LogLevel warn
+     # define per-<VirtualHost> access logfiles, transactions will be
+     # logged therein and *not* in this file.
+     #
+-    CustomLog "@rel_logfiledir@/access_log" common
++    #CustomLog logs/access.log common
+ 
+     #
+     # If you prefer a logfile with access, agent, and referer information
+     # (Combined Logfile Format) you can use the following directive.
+     #
+-    #CustomLog "@rel_logfiledir@/access_log" combined
++    CustomLog logs/access.log combined
+ </IfModule>
+ 
+ <IfModule alias_module>
+-- 
+2.5.0
+
diff --git a/main/apache2/conf/0006-httpd-dav.conf-DavLockDB.patch b/main/apache2/conf/0006-httpd-dav.conf-DavLockDB.patch
new file mode 100644
index 0000000000..1e508074d5
--- /dev/null
+++ b/main/apache2/conf/0006-httpd-dav.conf-DavLockDB.patch
@@ -0,0 +1,25 @@
+From eb772e4dde3d849ce46836b3715c1990565781bd Mon Sep 17 00:00:00 2001
+From: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>
+Date: Fri, 11 Sep 2015 12:46:16 +0300
+Subject: [PATCH 06/14] httpd-dav.conf: DavLockDB
+
+---
+ docs/conf/extra/httpd-dav.conf.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/docs/conf/extra/httpd-dav.conf.in b/docs/conf/extra/httpd-dav.conf.in
+index f1d35e0..416110b 100644
+--- a/docs/conf/extra/httpd-dav.conf.in
++++ b/docs/conf/extra/httpd-dav.conf.in
+@@ -12,7 +12,7 @@
+ # on the directory where the DavLockDB is placed and on any directory where
+ # "Dav On" is specified.
+ 
+-DavLockDB "@@ServerRoot@@/var/DavLock"
++DavLockDB /var/lib/dav/lockdb
+ 
+ Alias /uploads "@@ServerRoot@@/uploads"
+ 
+-- 
+2.5.0
+
diff --git a/main/apache2/conf/0007-httpd-ssl.conf-SSLSessionCache.patch b/main/apache2/conf/0007-httpd-ssl.conf-SSLSessionCache.patch
new file mode 100644
index 0000000000..aaf7d027af
--- /dev/null
+++ b/main/apache2/conf/0007-httpd-ssl.conf-SSLSessionCache.patch
@@ -0,0 +1,25 @@
+From df8d7d5c9ec68e47d1edc2fcd566c2422ae7b71a Mon Sep 17 00:00:00 2001
+From: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>
+Date: Fri, 11 Sep 2015 12:53:13 +0300
+Subject: [PATCH 07/14] httpd-ssl.conf: SSLSessionCache
+
+---
+ docs/conf/extra/httpd-ssl.conf.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/docs/conf/extra/httpd-ssl.conf.in b/docs/conf/extra/httpd-ssl.conf.in
+index 65dae32..1680430 100644
+--- a/docs/conf/extra/httpd-ssl.conf.in
++++ b/docs/conf/extra/httpd-ssl.conf.in
+@@ -89,7 +89,7 @@ SSLPassPhraseDialog  builtin
+ #   Configure the SSL Session Cache: First the mechanism 
+ #   to use and second the expiring timeout (in seconds).
+ #SSLSessionCache         "dbm:@exp_runtimedir@/ssl_scache"
+-SSLSessionCache        "shmcb:@exp_runtimedir@/ssl_scache(512000)"
++SSLSessionCache        "shmcb:/var/cache/mod_ssl/scache(512000)"
+ SSLSessionCacheTimeout  300
+ 
+ #   OCSP Stapling (requires OpenSSL 0.9.8h or later)
+-- 
+2.5.0
+
diff --git a/main/apache2/conf/0008-httpd-ssl.conf-SSLRandomSeed.patch b/main/apache2/conf/0008-httpd-ssl.conf-SSLRandomSeed.patch
new file mode 100644
index 0000000000..7088022070
--- /dev/null
+++ b/main/apache2/conf/0008-httpd-ssl.conf-SSLRandomSeed.patch
@@ -0,0 +1,48 @@
+From ca356e7aa8b3b2fb441a831059d41ca53f705026 Mon Sep 17 00:00:00 2001
+From: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>
+Date: Fri, 11 Sep 2015 12:58:01 +0300
+Subject: [PATCH 08/14] httpd-ssl.conf: SSLRandomSeed
+
+---
+ docs/conf/extra/httpd-ssl.conf.in |  3 ++-
+ docs/conf/httpd.conf.in           | 10 +---------
+ 2 files changed, 3 insertions(+), 10 deletions(-)
+
+diff --git a/docs/conf/extra/httpd-ssl.conf.in b/docs/conf/extra/httpd-ssl.conf.in
+index 1680430..da506c8 100644
+--- a/docs/conf/extra/httpd-ssl.conf.in
++++ b/docs/conf/extra/httpd-ssl.conf.in
+@@ -24,7 +24,8 @@
+ # Manual for more details.
+ #
+ #SSLRandomSeed startup file:/dev/random  512
+-#SSLRandomSeed startup file:/dev/urandom 512
++SSLRandomSeed startup file:/dev/urandom 512
++SSLRandomSeed connect builtin
+ #SSLRandomSeed connect file:/dev/random  512
+ #SSLRandomSeed connect file:/dev/urandom 512
+ 
+diff --git a/docs/conf/httpd.conf.in b/docs/conf/httpd.conf.in
+index 565fb01..47fe513 100644
+--- a/docs/conf/httpd.conf.in
++++ b/docs/conf/httpd.conf.in
+@@ -417,15 +417,7 @@ Include @rel_sysconfdir@/extra/proxy-html.conf
+ 
+ # Secure (SSL/TLS) connections
+ #Include @rel_sysconfdir@/extra/httpd-ssl.conf
+-#
+-# Note: The following must must be present to support
+-#       starting without SSL on platforms with no /dev/random equivalent
+-#       but a statically compiled-in mod_ssl.
+-#
+-<IfModule ssl_module>
+-SSLRandomSeed startup builtin
+-SSLRandomSeed connect builtin
+-</IfModule>
++
+ #
+ # uncomment out the below to deal with user agents that deliberately
+ # violate open standards by misusing DNT (DNT *must* be a specific
+-- 
+2.5.0
+
diff --git a/main/apache2/conf/0009-httpd-ssl.conf-SSL-File.patch b/main/apache2/conf/0009-httpd-ssl.conf-SSL-File.patch
new file mode 100644
index 0000000000..efa4971073
--- /dev/null
+++ b/main/apache2/conf/0009-httpd-ssl.conf-SSL-File.patch
@@ -0,0 +1,73 @@
+From 50a5336a5c7f9ceb7d8e74175c7d5a6884283416 Mon Sep 17 00:00:00 2001
+From: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>
+Date: Fri, 11 Sep 2015 13:03:38 +0300
+Subject: [PATCH 09/14] httpd-ssl.conf SSL*File
+
+---
+ docs/conf/extra/httpd-ssl.conf.in | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/docs/conf/extra/httpd-ssl.conf.in b/docs/conf/extra/httpd-ssl.conf.in
+index da506c8..4462fa6 100644
+--- a/docs/conf/extra/httpd-ssl.conf.in
++++ b/docs/conf/extra/httpd-ssl.conf.in
+@@ -142,9 +142,9 @@ SSLEngine on
+ #   Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
+ #   require an ECC certificate which can also be configured in
+ #   parallel.
+-SSLCertificateFile "@exp_sysconfdir@/server.crt"
+-#SSLCertificateFile "@exp_sysconfdir@/server-dsa.crt"
+-#SSLCertificateFile "@exp_sysconfdir@/server-ecc.crt"
++SSLCertificateFile /etc/ssl/apache2/server.pem
++#SSLCertificateFile /etc/ssl/apache2/server-dsa.pem
++#SSLCertificateFile /etc/ssl/apache2/server-ecc.pem
+ 
+ #   Server Private Key:
+ #   If the key is not combined with the certificate, use this
+@@ -152,9 +152,9 @@ SSLCertificateFile "@exp_sysconfdir@/server.crt"
+ #   you've both a RSA and a DSA private key you can configure
+ #   both in parallel (to also allow the use of DSA ciphers, etc.)
+ #   ECC keys, when in use, can also be configured in parallel
+-SSLCertificateKeyFile "@exp_sysconfdir@/server.key"
+-#SSLCertificateKeyFile "@exp_sysconfdir@/server-dsa.key"
+-#SSLCertificateKeyFile "@exp_sysconfdir@/server-ecc.key"
++SSLCertificateKeyFile /etc/ssl/apache2/server.key
++#SSLCertificateKeyFile /etc/ssl/apache2/server-dsa.key
++#SSLCertificateKeyFile /etc/ssl/apache2/server-ecc.key
+ 
+ #   Server Certificate Chain:
+ #   Point SSLCertificateChainFile at a file containing the
+@@ -163,7 +163,7 @@ SSLCertificateKeyFile "@exp_sysconfdir@/server.key"
+ #   the referenced file can be the same as SSLCertificateFile
+ #   when the CA certificates are directly appended to the server
+ #   certificate for convenience.
+-#SSLCertificateChainFile "@exp_sysconfdir@/server-ca.crt"
++#SSLCertificateChainFile /etc/ssl/apache2/server-ca.pem
+ 
+ #   Certificate Authority (CA):
+ #   Set the CA certificate verification path where to find CA
+@@ -172,8 +172,8 @@ SSLCertificateKeyFile "@exp_sysconfdir@/server.key"
+ #   Note: Inside SSLCACertificatePath you need hash symlinks
+ #         to point to the certificate files. Use the provided
+ #         Makefile to update the hash symlinks after changes.
+-#SSLCACertificatePath "@exp_sysconfdir@/ssl.crt"
+-#SSLCACertificateFile "@exp_sysconfdir@/ssl.crt/ca-bundle.crt"
++#SSLCACertificatePath /etc/ssl/apache2/ssl.crt
++#SSLCACertificateFile /etc/ssl/apache2/ssl.crt/ca-bundle.pem
+ 
+ #   Certificate Revocation Lists (CRL):
+ #   Set the CA revocation path where to find CA CRLs for client
+@@ -184,8 +184,8 @@ SSLCertificateKeyFile "@exp_sysconfdir@/server.key"
+ #   Note: Inside SSLCARevocationPath you need hash symlinks
+ #         to point to the certificate files. Use the provided
+ #         Makefile to update the hash symlinks after changes.
+-#SSLCARevocationPath "@exp_sysconfdir@/ssl.crl"
+-#SSLCARevocationFile "@exp_sysconfdir@/ssl.crl/ca-bundle.crl"
++#SSLCARevocationPath /etc/ssl/apache2/ssl.crl
++#SSLCARevocationFile /etc/ssl/apache2/ssl.crl/ca-bundle.crl
+ #SSLCARevocationCheck chain
+ 
+ #   Client Authentication (Type):
+-- 
+2.5.0
+
diff --git a/main/apache2/conf/0010-httpd-ssl.conf-SSL-CipherSuite.patch b/main/apache2/conf/0010-httpd-ssl.conf-SSL-CipherSuite.patch
new file mode 100644
index 0000000000..62fc5172d1
--- /dev/null
+++ b/main/apache2/conf/0010-httpd-ssl.conf-SSL-CipherSuite.patch
@@ -0,0 +1,27 @@
+From 68116c6b50712b4e3733da43292d066e3797cbcc Mon Sep 17 00:00:00 2001
+From: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>
+Date: Fri, 11 Sep 2015 13:32:31 +0300
+Subject: [PATCH 10/14] httpd-ssl.conf: SSL*CipherSuite
+
+---
+ docs/conf/extra/httpd-ssl.conf.in | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/docs/conf/extra/httpd-ssl.conf.in b/docs/conf/extra/httpd-ssl.conf.in
+index 4462fa6..4534852 100644
+--- a/docs/conf/extra/httpd-ssl.conf.in
++++ b/docs/conf/extra/httpd-ssl.conf.in
+@@ -50,8 +50,8 @@ Listen @@SSLPort@@
+ #   ensure these follow appropriate best practices for this deployment.
+ #   httpd 2.2.30, 2.4.13 and later force-disable aNULL, eNULL and EXP ciphers,
+ #   while OpenSSL disabled these by default in 0.9.8zf/1.0.0r/1.0.1m/1.0.2a.
+-SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4
+-SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4
++SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!ADH
++SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!ADH
+ 
+ #  By the end of 2016, only TLSv1.2 ciphers should remain in use.
+ #  Older ciphers should be disallowed as soon as possible, while the
+-- 
+2.5.0
+
diff --git a/main/apache2/conf/0011-httpd.conf-IncludeOptional.patch b/main/apache2/conf/0011-httpd.conf-IncludeOptional.patch
new file mode 100644
index 0000000000..1a8056989d
--- /dev/null
+++ b/main/apache2/conf/0011-httpd.conf-IncludeOptional.patch
@@ -0,0 +1,70 @@
+From 537f190142ce17f01db06d0f9cdd4c8b163eee9c Mon Sep 17 00:00:00 2001
+From: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>
+Date: Fri, 11 Sep 2015 11:27:24 +0300
+Subject: [PATCH 11/14] httpd.conf: IncludeOptional
+
+---
+ docs/conf/httpd.conf.in | 46 +++-------------------------------------------
+ 1 file changed, 3 insertions(+), 43 deletions(-)
+
+diff --git a/docs/conf/httpd.conf.in b/docs/conf/httpd.conf.in
+index 47fe513..545e663 100644
+--- a/docs/conf/httpd.conf.in
++++ b/docs/conf/httpd.conf.in
+@@ -373,50 +373,10 @@ LogLevel warn
+ #EnableMMAP off
+ #EnableSendfile on
+ 
+-# Supplemental configuration
+ #
+-# The configuration files in the @rel_sysconfdir@/extra/ directory can be 
+-# included to add extra features or to modify the default configuration of 
+-# the server, or you may simply copy their contents here and change as 
+-# necessary.
+-
+-# Server-pool management (MPM specific)
+-#Include @rel_sysconfdir@/extra/httpd-mpm.conf
+-
+-# Multi-language error messages
+-#Include @rel_sysconfdir@/extra/httpd-multilang-errordoc.conf
+-
+-# Fancy directory listings
+-#Include @rel_sysconfdir@/extra/httpd-autoindex.conf
+-
+-# Language settings
+-#Include @rel_sysconfdir@/extra/httpd-languages.conf
+-
+-# User home directories
+-#Include @rel_sysconfdir@/extra/httpd-userdir.conf
+-
+-# Real-time info on requests and configuration
+-#Include @rel_sysconfdir@/extra/httpd-info.conf
+-
+-# Virtual hosts
+-#Include @rel_sysconfdir@/extra/httpd-vhosts.conf
+-
+-# Local access to the Apache HTTP Server Manual
+-#Include @rel_sysconfdir@/extra/httpd-manual.conf
+-
+-# Distributed authoring and versioning (WebDAV)
+-#Include @rel_sysconfdir@/extra/httpd-dav.conf
+-
+-# Various default settings
+-#Include @rel_sysconfdir@/extra/httpd-default.conf
+-
+-# Configure mod_proxy_html to understand HTML4/XHTML1
+-<IfModule proxy_html_module>
+-Include @rel_sysconfdir@/extra/proxy-html.conf
+-</IfModule>
+-
+-# Secure (SSL/TLS) connections
+-#Include @rel_sysconfdir@/extra/httpd-ssl.conf
++# Load config files from the config directory "/etc/apache2/conf.d".
++#
++IncludeOptional /etc/apache2/conf.d/*.conf
+ 
+ #
+ # uncomment out the below to deal with user agents that deliberately
+-- 
+2.5.0
+
diff --git a/main/apache2/conf/0012-httpd.conf-MIMEMagicFile.patch b/main/apache2/conf/0012-httpd.conf-MIMEMagicFile.patch
new file mode 100644
index 0000000000..c83694eaf7
--- /dev/null
+++ b/main/apache2/conf/0012-httpd.conf-MIMEMagicFile.patch
@@ -0,0 +1,27 @@
+From 8496740e67572c4f0db4f06b6496bbe8b85e4e7b Mon Sep 17 00:00:00 2001
+From: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>
+Date: Fri, 11 Sep 2015 14:59:32 +0300
+Subject: [PATCH 12/14] httpd.conf: MIMEMagicFile
+
+---
+ docs/conf/httpd.conf.in | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/docs/conf/httpd.conf.in b/docs/conf/httpd.conf.in
+index 545e663..c6092b3 100644
+--- a/docs/conf/httpd.conf.in
++++ b/docs/conf/httpd.conf.in
+@@ -341,7 +341,9 @@ LogLevel warn
+ # contents of the file itself to determine its type.  The MIMEMagicFile
+ # directive tells the module where the hint definitions are located.
+ #
+-#MIMEMagicFile @rel_sysconfdir@/magic
++<IfModule mime_magic_module>
++    MIMEMagicFile @rel_sysconfdir@/magic
++</IfModule>
+ 
+ #
+ # Customizable error responses come in three flavors:
+-- 
+2.5.0
+
diff --git a/main/apache2/conf/0013-httpd-.conf-IfModule.patch b/main/apache2/conf/0013-httpd-.conf-IfModule.patch
new file mode 100644
index 0000000000..4707ae9592
--- /dev/null
+++ b/main/apache2/conf/0013-httpd-.conf-IfModule.patch
@@ -0,0 +1,69 @@
+From 5e2bee3638ad1b2a76b1512cc37382ec719f90df Mon Sep 17 00:00:00 2001
+From: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>
+Date: Fri, 11 Sep 2015 15:05:30 +0300
+Subject: [PATCH 13/14] httpd-*.conf: IfModule
+
+---
+ docs/conf/extra/httpd-autoindex.conf.in | 2 ++
+ docs/conf/extra/httpd-info.conf.in      | 4 ++++
+ docs/conf/extra/httpd-userdir.conf.in   | 2 ++
+ 3 files changed, 8 insertions(+)
+
+diff --git a/docs/conf/extra/httpd-autoindex.conf.in b/docs/conf/extra/httpd-autoindex.conf.in
+index 51b02ed..d8fea34 100644
+--- a/docs/conf/extra/httpd-autoindex.conf.in
++++ b/docs/conf/extra/httpd-autoindex.conf.in
+@@ -1,3 +1,4 @@
++<IfModule autoindex_module>
+ #
+ # Directives controlling the display of server-generated directory listings.
+ #
+@@ -91,3 +92,4 @@ HeaderName HEADER.html
+ #
+ IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
+ 
++</IfModule>
+diff --git a/docs/conf/extra/httpd-info.conf.in b/docs/conf/extra/httpd-info.conf.in
+index 5cfdf69..4876982 100644
+--- a/docs/conf/extra/httpd-info.conf.in
++++ b/docs/conf/extra/httpd-info.conf.in
+@@ -6,6 +6,7 @@
+ #                   mod_info (for the server-info handler),
+ #                   mod_status (for the server-status handler)
+ 
++<IfModule status_module>
+ #
+ # Allow server status reports generated by mod_status,
+ # with the URL of http://servername/server-status
+@@ -23,7 +24,9 @@
+ # Off) when the "server-status" handler is called. The default is Off.
+ #
+ #ExtendedStatus On
++</IfModule>
+ 
++<IfModule info_module>
+ #
+ # Allow remote server configuration reports, with the URL of
+ #  http://servername/server-info (requires that mod_info.c be loaded).
+@@ -34,3 +37,4 @@
+     Require host .example.com
+     Require ip 127
+ </Location>
++</IfModule>
+diff --git a/docs/conf/extra/httpd-userdir.conf.in b/docs/conf/extra/httpd-userdir.conf.in
+index a744322..edd158f 100644
+--- a/docs/conf/extra/httpd-userdir.conf.in
++++ b/docs/conf/extra/httpd-userdir.conf.in
+@@ -1,3 +1,4 @@
++<IfModule userdir_module>
+ # Settings for user home directories
+ #
+ # Required module: mod_authz_core, mod_authz_host, mod_userdir
+@@ -19,3 +20,4 @@ UserDir public_html
+     Require method GET POST OPTIONS
+ </Directory>
+ 
++</IfModule>
+-- 
+2.5.0
+
diff --git a/main/apache2/conf/0014-httpd-.conf-LoadModule.patch b/main/apache2/conf/0014-httpd-.conf-LoadModule.patch
new file mode 100644
index 0000000000..f768a870b4
--- /dev/null
+++ b/main/apache2/conf/0014-httpd-.conf-LoadModule.patch
@@ -0,0 +1,72 @@
+From d820e295733d804e863925c45558ea7d461f1fde Mon Sep 17 00:00:00 2001
+From: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>
+Date: Fri, 11 Sep 2015 15:12:08 +0300
+Subject: [PATCH 14/14] httpd*.conf: LoadModule
+
+---
+ docs/conf/extra/httpd-dav.conf.in  | 3 +++
+ docs/conf/extra/httpd-ssl.conf.in  | 2 ++
+ docs/conf/extra/proxy-html.conf.in | 6 +++---
+ docs/conf/httpd.conf.in            | 2 ++
+ 4 files changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/docs/conf/extra/httpd-dav.conf.in b/docs/conf/extra/httpd-dav.conf.in
+index 416110b..1e225e4 100644
+--- a/docs/conf/extra/httpd-dav.conf.in
++++ b/docs/conf/extra/httpd-dav.conf.in
+@@ -4,6 +4,9 @@
+ # Required modules: mod_alias, mod_auth_digest, mod_authn_core, mod_authn_file,
+ #                   mod_authz_core, mod_authz_user, mod_dav, mod_dav_fs,
+ #                   mod_setenvif
++LoadModule auth_digest_module lib/apache2/mod_auth_digest.so
++LoadModule dav_module lib/apache2/mod_dav.so
++LoadModule dav_fs_module lib/apache2/mod_dav_fs.so
+ 
+ # The following example gives DAV write access to a directory called
+ # "uploads" under the ServerRoot directory.
+diff --git a/docs/conf/extra/httpd-ssl.conf.in b/docs/conf/extra/httpd-ssl.conf.in
+index 4534852..e27070e 100644
+--- a/docs/conf/extra/httpd-ssl.conf.in
++++ b/docs/conf/extra/httpd-ssl.conf.in
+@@ -10,6 +10,8 @@
+ #
+ # Required modules: mod_log_config, mod_setenvif, mod_ssl,
+ #          socache_shmcb_module (for default value of SSLSessionCache)
++LoadModule ssl_module lib/apache2/mod_ssl.so
++LoadModule socache_shmcb_module lib/apache2/mod_socache_shmcb.so
+ 
+ #
+ # Pseudo Random Number Generator (PRNG):
+diff --git a/docs/conf/extra/proxy-html.conf.in b/docs/conf/extra/proxy-html.conf.in
+index 683a091..0648e8e 100644
+--- a/docs/conf/extra/proxy-html.conf.in
++++ b/docs/conf/extra/proxy-html.conf.in
+@@ -10,9 +10,9 @@
+ # mangle pages in encodings other than ASCII or Unicode (utf-8).
+ #
+ # For Unix-family systems:
+-# LoadFile	/usr/lib/libxml2.so
+-# LoadModule	proxy_html_module	modules/mod_proxy_html.so
+-# LoadModule	xml2enc_module		modules/mod_xml2enc.so
++LoadFile	/usr/lib/libxml2.so
++LoadModule	proxy_html_module	modules/mod_proxy_html.so
++LoadModule	xml2enc_module		modules/mod_xml2enc.so
+ #
+ # For Windows (I don't know if there's a standard path for the libraries)
+ # LoadFile	C:/path/zlib.dll
+diff --git a/docs/conf/httpd.conf.in b/docs/conf/httpd.conf.in
+index c6092b3..929ebfc 100644
+--- a/docs/conf/httpd.conf.in
++++ b/docs/conf/httpd.conf.in
+@@ -75,6 +75,8 @@ Listen @@Port@@
+ #
+ @@LoadModule@@
+ 
++LoadModule negotiation_module lib/apache2/mod_negotiation.so
++
+ <IfModule unixd_module>
+ #
+ # If you wish httpd to run as a different user or group, you must run
+-- 
+2.5.0
+