diff options
author | elijah <elijah@riseup.net> | 2016-06-27 15:49:30 -0700 |
---|---|---|
committer | elijah <elijah@riseup.net> | 2016-06-27 16:15:26 -0700 |
commit | b21a3e9126a1734b2cea975e57b5c9e8206f12fa (patch) | |
tree | 98d974e139f5068cd9189c2419e364846c73b411 | |
parent | 46f1c8ee0a12971b0d1b80eb7300941f9d696aa2 (diff) |
Fix the permissions on the DOMAIN/provider.json file for static sites.
4 files changed, 36 insertions, 7 deletions
diff --git a/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb index 697a7ff3..b34bd189 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb @@ -47,7 +47,7 @@ <% end %> AccessFileName .htaccess - Alias /provider.json /srv/leap/provider.json + Alias /provider.json /srv/static/public/provider.json <Location /provider.json> Header set X-Minimum-Client-Version 0.5 </Location> diff --git a/puppet/modules/site_config/manifests/remove/files.pp b/puppet/modules/site_config/manifests/remove/files.pp index 41d6462e..3de8d695 100644 --- a/puppet/modules/site_config/manifests/remove/files.pp +++ b/puppet/modules/site_config/manifests/remove/files.pp @@ -11,7 +11,18 @@ class site_config::remove::files { + # + # Platform X removals + # + + tidy { + '/srv/leap/provider.json':; + } + + # # Platform 0.8 removals + # + tidy { '/etc/default/leap_mx':; '/etc/logrotate.d/mx':; diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp index 4a722d62..8063d432 100644 --- a/puppet/modules/site_static/manifests/init.pp +++ b/puppet/modules/site_static/manifests/init.pp @@ -13,20 +13,34 @@ class site_static { $bootstrap = $static['bootstrap_files'] $tor = hiera('tor', false) + file { + '/srv/static/': + ensure => 'directory', + owner => 'root', + group => 'root', + mode => '0744'; + '/srv/static/public': + ensure => 'directory', + owner => 'root', + group => 'root', + mode => '0744'; + } + if $bootstrap['enabled'] { $bootstrap_domain = $bootstrap['domain'] $bootstrap_client = $bootstrap['client_version'] - file { '/srv/leap/provider.json': + file { '/srv/static/public/provider.json': content => $bootstrap['provider_json'], owner => 'www-data', group => 'www-data', - mode => '0444'; + mode => '0444', + notify => Service[apache]; } # It is important to always touch provider.json: the client needs to check x-min-client-version header, # but this is only sent when the file has been modified (otherwise 304 is sent by apache). The problem # is that changing min client version won't alter the content of provider.json, so we must touch it. - exec { '/bin/touch /srv/leap/provider.json': - require => File['/srv/leap/provider.json']; + exec { '/bin/touch /srv/static/public/provider.json': + require => File['/srv/static/public/provider.json']; } } diff --git a/puppet/modules/site_static/templates/apache.conf.erb b/puppet/modules/site_static/templates/apache.conf.erb index 6b969d1c..b3e5fc09 100644 --- a/puppet/modules/site_static/templates/apache.conf.erb +++ b/puppet/modules/site_static/templates/apache.conf.erb @@ -23,6 +23,10 @@ bootstrap_client = scope.lookupvar('site_static::bootstrap_client') -%> +<Directory "/srv/static/public/"> + Require all granted +</Directory> + <VirtualHost *:80> ServerName <%= @domain %> ServerAlias www.<%= @domain %> @@ -46,7 +50,7 @@ #RewriteLogLevel 3 Include include.d/ssl_common.inc - + <%- if @tls_only -%> Header always set Strict-Transport-Security: "max-age=15768000;includeSubdomains" <%- end -%> @@ -63,7 +67,7 @@ AccessFileName .htaccess <%- if ([@aliases]+[@domain]).flatten.include?(bootstrap_domain) -%> - Alias /provider.json /srv/leap/provider.json + Alias /provider.json /srv/static/public/provider.json <Location /provider.json> Header set X-Minimum-Client-Version <%= bootstrap_client['min'] %> </Location> |