From 8da42fd74ad519b85d09d20878a08121d6f938ed Mon Sep 17 00:00:00 2001
From: Dan
Date: Thu, 2 Nov 2023 15:18:46 +0200
Subject: [PATCH 1/4] Add the CSP headers if they are set as an env variable at startup
---
 apache2/bin/start.sh | 5 +++++
 apache2/conf/security.conf | 1 -
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/apache2/bin/start.sh b/apache2/bin/start.sh
index 96748bd..27b1659 100755
--- a/apache2/bin/start.sh
+++ b/apache2/bin/start.sh
@@ -45,5 +45,10 @@ for dir in \
 chmod 1777 "$dir"; done
+# Add the CSP policy header if it has been set in the environment
+if [[ -v HTTPD_CSP ]]; then
+ echo "Header always set Content-Security-Policy \"${HTTPD_CSP}\"" >> /etc/apache2/security.conf
+fi
+
 # Start Apache2
 apache2 -D FOREGROUND
diff --git a/apache2/conf/security.conf b/apache2/conf/security.conf
index 2c8b233..8ce2d56 100644
--- a/apache2/conf/security.conf
+++ b/apache2/conf/security.conf
@@ -74,4 +74,3 @@ RequestHeader unset Proxy early
 SSLRandomSeed startup builtin
 SSLRandomSeed connect builtin
-# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
From 3dd2e1e874ae3e6e8f3004ec3c4d4c6de63106e4 Mon Sep 17 00:00:00 2001
From: Dan
Date: Fri, 3 Nov 2023 17:08:30 +0200
Subject: [PATCH 2/4] Let's use Apache2's built-in features to set the CSP policy header
---
 apache2/Dockerfile | 2 +-
 apache2/bin/start.sh | 7 ++++---
 apache2/conf/security.conf | 11 +++++++++--
 3 files changed, 14 insertions(+), 6 deletions(-)
diff --git a/apache2/Dockerfile b/apache2/Dockerfile
index 3ef1cce..8b15237 100644
--- a/apache2/Dockerfile
+++ b/apache2/Dockerfile
@@ -23,7 +23,7 @@ RUN a2enmod authz_groupfile \
 # Copy the default apache config
 COPY ./conf/apache2.conf /etc/apache2/apache2.conf
-COPY ./conf/security.conf /etc/apache2/security.conf
+COPY ./conf/security.conf /etc/apache2/conf-available/security.conf
 # Copy the startup script
 COPY ./bin/start.sh /usr/local/bin/start.sh
diff --git a/apache2/bin/start.sh b/apache2/bin/start.sh
index 27b1659..df30c7e 100755
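Review bot: The `>> /etc/apache2/security.conf` append runs on every container start, so restarting the same container stacks a second, third, ... `Header always set Content-Security-Policy` line into the config, and the value of `${HTTPD_CSP}` is written between the escaped quotes without any escaping, so a policy containing a double quote would most likely leave an unbalanced quote and stop Apache from parsing the file at startup. Patch 2/4 of this series removes this block in favour of expanding `${HTTPD_CSP}` inside security.conf itself, which avoids both problems; squashing the two would keep the append-on-every-start state from ever landing. The enclosing script continues outside the hunk (the `for dir in` loop before it and the `apache2 -D FOREGROUND` line after it are context only).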
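Review bot: The new COPY destination `/etc/apache2/conf-available/security.conf` only gets loaded if the base image already carries a `conf-enabled/security.conf` symlink to it (the Debian apache2 package installs one), and nothing in the Dockerfile enables it explicitly, so the config would silently stop being included on a base image that ships without that symlink. If that reading of the base image is right, an explicit `RUN a2enconf security` after the COPY lines would make the dependency visible; the same applies to the `sites-available/000-default.conf` COPY added to this file in patch 4/4, where `RUN a2ensite 000-default` plays the same role.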
--- a/apache2/bin/start.sh
+++ b/apache2/bin/start.sh
@@ -45,9 +45,10 @@ for dir in \
 chmod 1777 "$dir"; done
-# Add the CSP policy header if it has been set in the environment
-if [[ -v HTTPD_CSP ]]; then
- echo "Header always set Content-Security-Policy \"${HTTPD_CSP}\"" >> /etc/apache2/security.conf
+# If we do not define the HTTPD_CSP env var, let's set an empty one so
+# Apache stops complaining in the logs
+if [[ ! -v HTTPD_CSP ]]; then
+ export HTTPD_CSP=''
 fi
 # Start Apache2
diff --git a/apache2/conf/security.conf b/apache2/conf/security.conf
index 8ce2d56..febbd60 100644
--- a/apache2/conf/security.conf
+++ b/apache2/conf/security.conf
@@ -71,6 +71,13 @@ TraceEnable Off
 RequestHeader unset Proxy early
-SSLRandomSeed startup builtin
-SSLRandomSeed connect builtin
+#SSLRandomSeed startup builtin
+#SSLRandomSeed connect builtin
+# Set the CSP header if it was defined as an env variable
+PassEnv HTTPD_CSP
+
+ Header always set Content-Security-Policy "${HTTPD_CSP}"
+
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
From 2a7a57e95d56980dc882509e085c8df41c359356 Mon Sep 17 00:00:00 2001
From: Dan
Date: Fri, 3 Nov 2023 17:12:59 +0200
Subject: [PATCH 3/4] We need the SSL module enabled as well
---
 apache2/Dockerfile | 1 +
 apache2/conf/security.conf | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/apache2/Dockerfile b/apache2/Dockerfile
index 8b15237..b3b6558 100644
--- a/apache2/Dockerfile
+++ b/apache2/Dockerfile
@@ -16,6 +16,7 @@ RUN apt autoremove -y && apt clean && apt autoclean && rm -rf /var/lib/apt/lists
 RUN a2enmod authz_groupfile \
 xml2enc \
 headers \
+ ssl \
 proxy \
 proxy_connect \
 proxy_http \
diff --git a/apache2/conf/security.conf b/apache2/conf/security.conf
index febbd60..f4cb23e 100644
--- a/apache2/conf/security.conf
+++ b/apache2/conf/security.conf
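Review bot: Defaulting `HTTPD_CSP` to an empty string silences the undefined-variable warning, but together with the unconditional `Header always set Content-Security-Policy "${HTTPD_CSP}"` that the same patch adds to security.conf it most likely makes Apache emit an empty `Content-Security-Policy:` header on every response when no policy has been configured, which is at best noise and hides the fact that no policy is in force. A guard on the directive itself, `Header always set Content-Security-Policy "${HTTPD_CSP}" "expr=-n osenv('HTTPD_CSP')"`, would send the header only when a non-empty value is present, leaving this block with the single job of keeping the startup log clean; worth saying so in the comment, e.g. `# Only silences the "Config variable not defined" warning; the Header directive itself is gated on a non-empty value`. `[[ -v` also needs bash 4.2 or later, and the script's shebang lies outside the hunk so I cannot confirm the interpreter.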
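Review bot: `PassEnv HTTPD_CSP` is not what makes the `${HTTPD_CSP}` reference on the `Header` line work: that substitution is performed from the server's own process environment when the configuration is parsed, while PassEnv only exports the variable to CGI scripts and SSI pages, so the line appears to be unnecessary and can probably be dropped. The substitution is also purely textual and unescaped, so a policy value containing a double quote would break the directive at parse time; a comment above it such as `# HTTPD_CSP is spliced in verbatim at config-parse time: it must not contain a double quote` would save the next person a confusing startup failure. The `#SSLRandomSeed` commenting-out is reverted again in patch 3/4, and the lines enclosing the indented `Header` directive are rendered here as bare `+` lines, so I am assuming it sits inside a container block.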
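Review bot: Enabling mod_ssl solely so that the two `SSLRandomSeed` directives in security.conf parse loads a TLS module into a server that, as far as these four patches show, has no TLS vhost; if TLS is terminated in front of this container that is an unused module in the listening process, which is the kind of surface a hardened image avoids. Wrapping the two directives in `<IfModule mod_ssl.c>` ... `</IfModule>` in security.conf (the revert hunk in patch 3/4's security.conf is the natural place) would let the config load with or without the module, and `ssl \` could then be added only when a TLS vhost is actually configured. If the image does serve TLS directly, disregard this and keep the line.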
@@ -71,8 +71,8 @@ TraceEnable Off
 RequestHeader unset Proxy early
-#SSLRandomSeed startup builtin
-#SSLRandomSeed connect builtin
+SSLRandomSeed startup builtin
+SSLRandomSeed connect builtin
 # Set the CSP header if it was defined as an env variable
 PassEnv HTTPD_CSP
From aa5cf3d25ef9655ff30253f5ea552feeeeb7b214 Mon Sep 17 00:00:00 2001
From: Dan
Date: Fri, 3 Nov 2023 17:23:26 +0200
Subject: [PATCH 4/4] Making sure the default vhost also logs to stdout
---
 apache2/Dockerfile | 1 +
 apache2/conf/default-vhost.conf | 34 +++++++++++++++++++++++++++++++++
 2 files changed, 35 insertions(+)
 create mode 100644 apache2/conf/default-vhost.conf
diff --git a/apache2/Dockerfile b/apache2/Dockerfile
index b3b6558..743e417 100644
--- a/apache2/Dockerfile
+++ b/apache2/Dockerfile
@@ -25,6 +25,7 @@ RUN a2enmod authz_groupfile \
 # Copy the default apache config
 COPY ./conf/apache2.conf /etc/apache2/apache2.conf
 COPY ./conf/security.conf /etc/apache2/conf-available/security.conf
+COPY ./conf/default-vhost.conf /etc/apache2/sites-available/000-default.conf
 # Copy the startup script
 COPY ./bin/start.sh /usr/local/bin/start.sh
diff --git a/apache2/conf/default-vhost.conf b/apache2/conf/default-vhost.conf
new file mode 100644
index 0000000..5d859cd
--- /dev/null
+++ b/apache2/conf/default-vhost.conf
@@ -0,0 +1,34 @@
+
+ # The ServerName directive sets the request scheme, hostname and port that
+ # the server uses to identify itself. This is used when creating
+ # redirection URLs. In the context of virtual hosts, the ServerName
+ # specifies what hostname must appear in the request's Host: header to
+ # match this virtual host. For the default virtual host (this file) this
+ # value is not decisive as it is used as a last resort host regardless.
+ # However, you must set it for any further virtual host explicitly.
+ #ServerName www.example.com
+
+ ServerAdmin webmaster@localhost
+ DocumentRoot /var/www/html
+
+ # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
+ # error, crit, alert, emerg.
+ # It is also possible to configure the loglevel for particular
+ # modules, e.g.
+ #LogLevel info ssl:warn
+
+ #ErrorLog ${APACHE_LOG_DIR}/error.log
+ #CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+ ErrorLog /proc/self/fd/2
+ CustomLog /proc/self/fd/1 common
+
+ # For most configuration files from conf-available/, which are
+ # enabled or disabled at a global level, it is possible to
+ # include a line for only one particular virtual host. For example the
+ # following line enables the CGI configuration for this host only
+ # after it has been globally disabled with "a2disconf".
+ #Include conf-available/serve-cgi-bin.conf
+
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
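Review bot: `CustomLog /proc/self/fd/1 common` drops the Referer and User-Agent fields that the `combined` format on the commented-out Debian line just above it would record; for a default vhost whose only log sink is the container runtime, those two fields are usually the first thing needed when reconstructing a scan or an injection attempt, so `CustomLog /proc/self/fd/1 combined` is the better default unless log volume is the concern. The file's first and second-to-last lines are rendered here as bare `+` lines, so I am assuming they are the VirtualHost open and close tags lost in this rendering; the ServerName, ServerAdmin and DocumentRoot text appears to be the stock Debian template carried over unchanged.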