Bug 238888 - www/h2o-devel: Add configtest rc(8) command, update h2o.conf
Status: Closed FIXED
Product: Ports & Packages
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Severity: Affects Only Me
Assignee: Dave Cottlehuber
Reported: 2019-06-30 01:08 UTC by Adam Weinberger
Modified: 2019-07-12 12:41 UTC (History)
dch: maintainer-feedback+

Attachments
Add configtest command (1.56 KB, patch) - 2019-06-30 01:08 UTC, Adam Weinberger
configtest, h2o.in/.conf fixes (1.79 KB, patch) - 2019-06-30 01:23 UTC, Adam Weinberger - dch: maintainer-approval+

Description Adam Weinberger freebsd_committer 2019-06-30 01:08:49 UTC
Created attachment 205427 [details]
Add configtest command

Hello!

The attached patch adds a 'configtest' command to the h2o rc(8) script.

Additionally, it removes from the h2o.conf everything that is already an h2o default.

I haven't tried, but I assume this patch will apply equally well to www/h2o.

It's worth noting that, despite the message in our h2o.conf, the default cipher list will NOT get an A+ rating on ssllabs. I don't know enough about current best practices, but somebody should definitely re-examine that list before we steer users in the wrong direction. Perhaps we should consider using the SSL settings in the main upstream example conf (https://raw.githubusercontent.com/h2o/h2o/master/examples/h2o/h2o.conf).
Comment 1 Adam Weinberger freebsd_committer 2019-06-30 01:23:38 UTC
Created attachment 205428 [details]
configtest, h2o.in/.conf fixes

I've updated the patch to fix a bug in the h2o rc(8) script, where if `pid_file:` is followed by even a single space instead of only tabs, the script will fail to find the pid_file setting altogether.
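The pid_file lookup pitfall described in comment 1, as an added sh example (not the port's own files/h2o.in script). It contrasts a tab-only pattern with a whitespace-tolerant one over two constructed h2o.conf samples, and shows what a configtest command boils down to; the h2o `-t` flag and the `h2o_command` variable are assumptions here.

```shell
#!/bin/sh
# Added example, not the port's own files/h2o.in rc script: locate the
# pid_file setting in an h2o.conf the way an rc(8) script needs to, and show
# why a tab-only pattern misses "pid_file: /path" (one space after the colon).

TAB=$(printf '\t')

# Constructed sample configs written to the path given as $1.
write_conf_space() {            # "pid_file:" followed by a single space
  printf 'listen: 8080\npid_file: /var/run/h2o.pid\nhosts:\n  "default":\n    paths:\n      /:\n        file.dir: /usr/local/www/h2o\n' > "$1"
}
write_conf_tab() {              # "pid_file:" followed by a single tab
  printf 'listen: 8080\npid_file:%s/var/run/h2o.pid\n' "$TAB" > "$1"
}

# Tab-only pattern of the kind the bug describes: it demands at least one tab
# after "pid_file:", so a space-separated value is never found at all.
pid_file_tabs_only() {
  sed -nE "s/^pid_file:${TAB}+//p" "$1"
}

# Whitespace-tolerant version: accept any mix of tabs and spaces, drop
# trailing blanks and a pair of surrounding double quotes (YAML allows them).
pid_file_any_blank() {
  sed -nE -e '/^pid_file:/!d' \
          -e 's/^pid_file:[[:blank:]]*//' \
          -e 's/[[:blank:]]*$//' \
          -e 's/^"(.*)"$/\1/' \
          -e 'p' "$1"
}

# What a configtest rc(8) command boils down to; "-t" is assumed here to be
# h2o's "test the configuration and exit" flag. The demo does not call this.
h2o_configtest() {
  "${h2o_command:-/usr/local/bin/h2o}" -t -c "$1"
}

# Demo: run both patterns over the space-separated sample.
demo() {
  f=$(mktemp) || return 1
  write_conf_space "$f"
  printf 'tabs-only pattern : [%s]\n' "$(pid_file_tabs_only "$f")"   # []
  printf 'blank-tolerant    : [%s]\n' "$(pid_file_any_blank "$f")"   # [/var/run/h2o.pid]
  rm -f "$f"
}
demo
```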
Comment 2 Dave Cottlehuber freebsd_committer 2019-06-30 13:04:15 UTC
+1 LGTM

thanks Adam, this applies to www/h2o and www/h2o-devel cleanly, can you commit both please?

wrt defaults, they definitely were correct in 2017, but it's 2019 now. I haven't found a suitable combination to get an A+ but I don't have HSTS, nor CAA RR DNS in my test environment which might be a limitation.

The h2o upstream list isn't right either, though. If we have a working config I'll happily submit it upstream, and then we could simply link to that.
Comment 3 Dave Cottlehuber freebsd_committer 2019-06-30 13:04:57 UTC
Comment on attachment 205428 [details]
configtest, h2o.in/.conf fixes

SHIP IT
Comment 4 Adam Weinberger freebsd_committer 2019-06-30 14:19:57 UTC
What I use is 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH', and I get an A+ (though I also have HSTS). It prevents Windows XP and initial completely non-upgraded Windows 7 users from connecting, but I think that's a feature.
Comment 5 commit-hook freebsd_committer 2019-06-30 14:42:12 UTC
A commit references this bug:

Author: adamw
Date: Sun Jun 30 14:41:19 UTC 2019
New revision: 505423
URL: https://svnweb.freebsd.org/changeset/ports/505423

Log:
  h2o{,-devel}: Improve rc.d/h2o, freshen h2o.conf

  rc.d/h2o:
   - Add a configtest target
   - Fix a bug that could prevent the script from locating the PIDfile path

  h2o.conf:
   - Remove entries that are defaults

  PR:		238888
  Approved by:	maintainer (dch)
  MFH:		2019Q2

Changes:
  head/www/h2o/Makefile
  head/www/h2o/files/h2o.conf.sample.in
  head/www/h2o/files/h2o.in
  head/www/h2o-devel/Makefile
  head/www/h2o-devel/files/h2o.conf.sample.in
  head/www/h2o-devel/files/h2o.in
Comment 6 commit-hook freebsd_committer 2019-06-30 14:45:16 UTC
A commit references this bug:

Author: adamw
Date: Sun Jun 30 14:44:16 UTC 2019
New revision: 505424
URL: https://svnweb.freebsd.org/changeset/ports/505424

Log:
  MFH r502589:
  www/h2o*: Remove nop CMAKE_VERBOSE

  MFH r505423:
  h2o{,-devel}: Improve rc.d/h2o, freshen h2o.conf

  rc.d/h2o:
   - Add a configtest target
   - Fix a bug that could prevent the script from locating the PIDfile path

  h2o.conf:
   - Remove entries that are defaults

  PR:		238888
  Approved by:	maintainer (dch)

  Approved by:	portmgr (with hat)

Changes:
_U  branches/2019Q2/
  branches/2019Q2/www/h2o/Makefile
  branches/2019Q2/www/h2o/files/h2o.conf.sample.in
  branches/2019Q2/www/h2o/files/h2o.in
  branches/2019Q2/www/h2o-devel/Makefile
  branches/2019Q2/www/h2o-devel/files/h2o.conf.sample.in
  branches/2019Q2/www/h2o-devel/files/h2o.in
Comment 7 Adam Weinberger freebsd_committer 2019-06-30 14:47:58 UTC
Thanks for such a speedy review, Dave! I've committed this patch (and merged it to quarterly for the pidfile fix).

I'll keep this open to see if you'd like any changes for the ciphers (such as comment #4).