mysql: grant users ALL perms on their dbs, remove mysql-fixperms
Users were not given DROP permissions at the database level since that came with the risk of the user dropping their own database, with DROP permissions for individual tables granted by mysql-fixperms. This safeguard unfortunately breaks most software since installation and migration scripts usually assume a database-wide grant has been issued and they can use SQL like "DROP TABLE ... IF EXISTS". Given this reality, grant users ALL permissions to their database. Regular backups are critical, and can mitigate the risk as best as it can be.

fwtool: allow udp/tcp for all user rules
Ideally, we'd have separate tcp and udp support, but ... we need udp now (e.g. for lightweight game servers such as bzflag), and I don't want to invest more time into this code without fully refactoring it, as I've just kludged new things onto it for years.

apache: generalize localProxyRewrite into proxyRewrite
Allow use of any proxy target instead of localhost (which has not had any use at hcoop for several years since we moved member logins/daemon to a server separate from apache), and allow passing rewrite flags. Apache will accept any combination of rewrite flags, despite all combinations not making any sense.

mailman: add MailmanForceSSL env var
Since normal users cannot access the server mailman is on directly, they also can't set up a vhost to redirect http -> https for mailman. Use MailmanForceSSL to control generating a redirect to https for http vhosts. Silently does nothing when used with a vhost with an SSL cert (would just generate a redirect loop).

mailman: support ssl on mailman domains
SSL only worked in mailmanVhost for lists.hcoop.net because the default vhost happens to use the *.hcoop.net certificate. Actually specify certificate so this works generally instead. Continuing the tradition of duplication between vhost and mailmanVhost.

apache: support SetEnvIf
Trivial SetEnvIf implementation. Attribute is a regex as that is the maximal syntax accepted for the argument, and the env arguments are just a list of no_spaces. This may change to something more like rewriteRule flags, with additional syntax for each case supported by apache (ENV, !ENV, ENV=VAL), and stricter syntax checking for the arguments.

apache: allow #":" in rewrite_arg type
We really should be escaping this in the [E=VAR:VAL] construct, but since the results of a user using #":" in the VAR aren't fatal or insecure (just surprising), allow it since otherwise you can't use constructs like "%{HTTP:header}".