ci(nix): Startup/configure apache for renegotiate test under nix

[dougch]

Resolved issues:

Partial for #3841

Description of changes:

This PR adds an Apache configuration and startup for the nix devShell, so the integration test renegotiate_apache will pass.

Call-outs:

Apache modules and configuration are somewhat distribution specific, in our current CI setup.

Instead of trying to patch/alter a distribution's apache configs, I've cat'ed together the minimum setup to get the renegotiate_apache test to pass, with as few configuration files as possible.

Testing:

[nix awslc] dougch:~/gitrepos/s2n-tls$ apache2_start
[nix awslc] dougch:~/gitrepos/s2n-tls$ curl -Sk  https://localhost:7777/
<html>
<head>
    <title>Renegotiation Testing Server</title>
</head>
<body>
<p>Welcome to the s2n renegotiation testing server! See the following endpoints:</p>

<ul>
    <li>
        <a href="/change_cipher_suite">/change_cipher_suite</a> forces a renegotiation by changing the negotiated
        cipher suite to AES-128-SHA.
    </li>
    <li>
        <a href="/mutual_auth">/mutual_auth</a> forces a renegotiation by enforcing mutual authentication.
    </li>
</ul>
</body>
</html>

Adhoc codebuild job of just the renegotiate_apache test.

How is this change tested (unit tests, fuzz tests, etc.)? locally, CI

Is this a refactor change? If so, how have you proved that the intended behavior hasn't changed?

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[goatgoose]

If apache configuration is distribution specific, and can't be run with nix without a lot of assumptions, what is the benefit of running it with nix? Would another option be to just run apache in our ubuntu18 CI before running the renegotiate test with nix? If apache can only be run with nix on ubuntu18 anyway, I don't see much of a difference.

[goatgoose]

If apache configuration is distribution specific, and can't be run with nix without a lot of assumptions, what is the benefit of running it with nix? Would another option be to just run apache in our ubuntu18 CI before running the renegotiate test with nix? If apache can only be run with nix on ubuntu18 anyway, I don't see much of a difference.

We discussed this offline. I was confused - the ubuntu18 configuration was used, but this should work with other environments using nix as well.

[lrstewart]

Why is this necessary? Wouldn't we just want the defaults?

[goatgoose]

Is this configuration needed? How does it interact with the site-specific configuration?

s2n-tls/codebuild/bin/apache2/sites-enabled/renegotiate.conf

Lines 33 to 37 in aacb0ab

	SSLProtocol -ALL +TLSv1.2
	SSLHonorCipherOrder On
	SSLCipherSuite HIGH:!aNULL:!MD5
	SSLCompression Off
	SSLInsecureRenegotiation Off

[dougch]

it should only apply to the *:443/ default site

[lrstewart]

I have no idea what most of these character sets are, but since we now only support english (and spanish?), why include the obviously non-english ones?

[dougch]

Trimmed it down some more.

[lrstewart]

Why does our integ test server need spanish :P

[dougch]

It doesn't - removed.

[lrstewart]

#4592 (comment)

Unless this has to match some default, can we at least remove the commented out lines? This is almost 2k lines of config I don't think we understand or have really thought about. The most exotic type our integ test server needs is probably json...

[dougch]

Trimmed the comments from mime.types

[lrstewart]

I still think we can get the apache config more focused and minimal (especially mime.types), but this is fine.