Merge branch 'develop' (0.5.0)

Conflicts: .gitignore Change-Id: I778f3e1f1f4832f5894bc149ead67e9a4becf304
author: Micah Anderson <micah@leap.se> 2014-04-22 14:13:46 -0400
committer: Micah Anderson <micah@leap.se> 2014-04-22 14:13:46 -0400
commit: 327d5c934e408f90011d7949b89ab01fed88998e (patch)
tree: 77cfefffc8f9ffe160c4413b26dd5ca5cdd6f1e8 /puppet/modules/site_apache
parent: ca11482dd7cd4ea8ffa69407ee2fd5b5e1b7981b (diff)
parent: 4295f334ea4f92d7fb47f7121a42633630c368d1 (diff)
10 files changed, 192 insertions, 51 deletions
diff --git a/puppet/modules/site_apache/files/conf.d/security b/puppet/modules/site_apache/files/conf.d/security
new file mode 100644
index 00000000..a5ae5bdc
--- /dev/null
+++ b/puppet/modules/site_apache/files/conf.d/security
@@ -0,0 +1,55 @@
+#
+# Disable access to the entire file system except for the directories that
+# are explicitly allowed later.
+#
+# This currently breaks the configurations that come with some web application
+# Debian packages. It will be made the default for the release after lenny.
+#
+#<Directory />
+#	AllowOverride None
+#	Order Deny,Allow
+#	Deny from all
+#</Directory>
+
+
+# Changing the following options will not really affect the security of the
+# server, but might make attacks slightly more difficult in some cases.
+
+#
+# ServerTokens
+# This directive configures what you return as the Server HTTP response
+# Header. The default is 'Full' which sends information about the OS-Type
+# and compiled in modules.
+# Set to one of:  Full | OS | Minimal | Minor | Major | Prod
+# where Full conveys the most information, and Prod the least.
+#
+#ServerTokens Minimal
+ServerTokens Prod
+
+#
+# Optionally add a line containing the server version and virtual host
+# name to server-generated pages (internal error documents, FTP directory
+# listings, mod_status and mod_info output etc., but not CGI generated
+# documents or custom error documents).
+# Set to "EMail" to also include a mailto: link to the ServerAdmin.
+# Set to one of:  On | Off | EMail
+#
+#ServerSignature Off
+ServerSignature Off
+
+#
+# Allow TRACE method
+#
+# Set to "extended" to also reflect the request body (only for testing and
+# diagnostic purposes).
+#
+# Set to one of:  On | Off | extended
+#
+#TraceEnable Off
+TraceEnable On
+
+# Setting this header will prevent other sites from embedding pages from this
+# site as frames. This defends against clickjacking attacks.
+# Requires mod_headers to be enabled.
+#
+Header set X-Frame-Options: "DENY"
diff --git a/puppet/modules/site_apache/manifests/common.pp b/puppet/modules/site_apache/manifests/common.pp
new file mode 100644
index 00000000..72f24838
--- /dev/null
+++ b/puppet/modules/site_apache/manifests/common.pp
@@ -0,0 +1,26 @@
+class site_apache::common {
+  # installs x509 cert + key and common config
+  # that both nagios + leap webapp use
+
+  $web_domain       = hiera('domain')
+  $domain_name      = $web_domain['name']
+
+  include x509::variables
+  include site_config::x509::commercial::cert
+  include site_config::x509::commercial::key
+  include site_config::x509::commercial::ca
+
+  Class['Site_config::X509::Commercial::Key'] ~> Service[apache]
+  Class['Site_config::X509::Commercial::Cert'] ~> Service[apache]
+  Class['Site_config::X509::Commercial::Ca'] ~> Service[apache]
+
+  include site_apache::module::rewrite
+
+  class { '::apache': no_default_site => true, ssl => true }
+
+  apache::vhost::file {
+    'common':
+      content => template('site_apache/vhosts.d/common.conf.erb')
+  }
+
+}
diff --git a/puppet/modules/site_apache/manifests/module/alias.pp b/puppet/modules/site_apache/manifests/module/alias.pp
new file mode 100644
index 00000000..c1f5e185
--- /dev/null
+++ b/puppet/modules/site_apache/manifests/module/alias.pp
@@ -0,0 +1,5 @@
+class site_apache::module::alias ( $ensure = present )
+{
+
+  apache::module { 'alias': ensure => $ensure }
+}
diff --git a/puppet/modules/site_apache/manifests/module/expires.pp b/puppet/modules/site_apache/manifests/module/expires.pp
new file mode 100644
index 00000000..f73a5607
--- /dev/null
+++ b/puppet/modules/site_apache/manifests/module/expires.pp
@@ -0,0 +1,4 @@
+class site_apache::module::expires ( $ensure = present )
+{
+  apache::module { 'expires': ensure => $ensure }
+}
diff --git a/puppet/modules/site_apache/manifests/module/headers.pp b/puppet/modules/site_apache/manifests/module/headers.pp
new file mode 100644
index 00000000..f7caa28c
--- /dev/null
+++ b/puppet/modules/site_apache/manifests/module/headers.pp
@@ -0,0 +1,5 @@
+class site_apache::module::headers ( $ensure = present )
+{
+
+  apache::module {'headers': ensure => $ensure }
+}
diff --git a/puppet/modules/site_apache/manifests/module/removeip.pp b/puppet/modules/site_apache/manifests/module/removeip.pp
new file mode 100644
index 00000000..f106167a
--- /dev/null
+++ b/puppet/modules/site_apache/manifests/module/removeip.pp
@@ -0,0 +1,5 @@
+class site_apache::module::removeip ( $ensure = present )
+{
+  package { 'libapache2-mod-removeip': ensure => $ensure }
+  apache::module { 'removeip': ensure => $ensure }
+}
diff --git a/puppet/modules/site_apache/manifests/module/rewrite.pp b/puppet/modules/site_apache/manifests/module/rewrite.pp
new file mode 100644
index 00000000..7ad00a0c
--- /dev/null
+++ b/puppet/modules/site_apache/manifests/module/rewrite.pp
@@ -0,0 +1,5 @@
+class site_apache::module::rewrite ( $ensure = present )
+{
+
+  apache::module { 'rewrite': ensure => $ensure }
+}
diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
index ae894cd4..3360ac59 100644
--- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
+++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
@@ -10,17 +10,26 @@ Listen 0.0.0.0:<%= api_port %>
   ServerName <%= api_domain %>
 
   SSLEngine on
-  SSLProtocol -all +SSLv3 +TLSv1
-  SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH
+  SSLProtocol all -SSLv2
   SSLHonorCipherOrder on
+  SSLCompression off
+  SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK"
 
   SSLCACertificatePath /etc/ssl/certs
-  SSLCertificateChainFile /etc/ssl/certs/leap_api.pem
-  SSLCertificateKeyFile /etc/x509/keys/leap_api.key
-  SSLCertificateFile /etc/x509/certs/leap_api.crt
+  SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::ca_name') %>.crt
+  SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.key
+  SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.crt
 
   RequestHeader set X_FORWARDED_PROTO 'https'
 
+  <IfModule mod_headers.c>
+<% if @webapp['secure'] -%>
+    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
+<% end -%>
+    Header always unset X-Powered-By
+    Header always unset X-Runtime
+  </IfModule>
+
   DocumentRoot /srv/leap/webapp/public
 
   # Check for maintenance file and redirect all requests
diff --git a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb
new file mode 100644
index 00000000..ed430510
--- /dev/null
+++ b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb
@@ -0,0 +1,73 @@
+<VirtualHost *:80>
+  ServerName <%= domain %>
+  ServerAlias www.<%= domain %>
+  RewriteEngine On
+  RewriteRule ^.*$ https://<%= domain -%>%{REQUEST_URI} [R=permanent,L]
+</VirtualHost>
+
+<VirtualHost *:443>
+  ServerName <%= domain_name %>
+  ServerAlias <%= domain %>
+  ServerAlias www.<%= domain %>
+
+  SSLEngine on
+  SSLProtocol all -SSLv2
+  SSLHonorCipherOrder on
+  SSLCompression off
+  SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK"
+
+  SSLCACertificatePath /etc/ssl/certs
+  SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::commercial_ca_name') %>.crt
+  SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.key
+  SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.crt
+
+  RequestHeader set X_FORWARDED_PROTO 'https'
+
+  <IfModule mod_headers.c>
+<% if (defined? @services) and (@services.include? 'webapp') and (@webapp['secure']) -%>
+    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
+<% end -%>
+    Header always unset X-Powered-By
+    Header always unset X-Runtime
+  </IfModule>
+
+<% if (defined? @services) and (@services.include? 'webapp') -%>
+  DocumentRoot /srv/leap/webapp/public
+
+  RewriteEngine On
+  # Check for maintenance file and redirect all requests
+  RewriteCond %{DOCUMENT_ROOT}/system/maintenance.html -f
+  RewriteCond %{SCRIPT_FILENAME} !maintenance.html
+  RewriteCond %{REQUEST_URI} !/images/maintenance.jpg
+  RewriteRule ^.*$ %{DOCUMENT_ROOT}/system/maintenance.html [L]
+
+  # http://www.modrails.com/documentation/Users%20guide%20Apache.html#_passengerallowencodedslashes_lt_on_off_gt
+  AllowEncodedSlashes on
+  PassengerAllowEncodedSlashes on
+  PassengerFriendlyErrorPages off
+  SetEnv TMPDIR /var/tmp
+
+  # Allow rails assets to be cached for a very long time (since the URLs change whenever the content changes)
+  <Location /assets/>
+    Header unset ETag
+    FileETag None
+    ExpiresActive On
+    ExpiresDefault "access plus 1 year"
+  </Location>
+<% end -%>
+
+
+<% if (defined? @services) and (@services.include? 'monitor') -%>
+ <DirectoryMatch (/usr/share/nagios3/htdocs|/usr/lib/cgi-bin/nagios3|/etc/nagios3/stylesheets)>
+ <% if (defined? @services) and (@services.include? 'webapp') -%>
+    PassengerEnabled off
+ <% end -%>
+    AllowOverride all
+    # Nagios won't work with setting this option to "DENY",
+    # as set in conf.d/security (#4169). Therefor we allow
+    # it here, only for nagios.
+    Header set X-Frame-Options: "ALLOW"
+  </DirectoryMatch>
+<% end -%>
+</VirtualHost>
+
diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb
deleted file mode 100644
index 4b051699..00000000
--- a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb
+++ /dev/null
@@ -1,46 +0,0 @@
-<VirtualHost *:80>
-  ServerName <%= domain %>
-  ServerAlias www.<%= domain %>
-  RewriteEngine On
-  RewriteRule ^.*$ https://<%= domain -%>%{REQUEST_URI} [R=permanent,L]
-</VirtualHost>
-
-<VirtualHost *:443>
-  ServerName <%= domain %>
-  ServerAlias www.<%= domain %>
-
-  SSLEngine on
-  SSLProtocol -all +SSLv3 +TLSv1
-  SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH
-  SSLHonorCipherOrder on
-
-  SSLCACertificatePath /etc/ssl/certs
-  SSLCertificateChainFile /etc/ssl/certs/leap_webapp.pem
-  SSLCertificateKeyFile /etc/x509/keys/leap_webapp.key
-  SSLCertificateFile /etc/x509/certs/leap_webapp.crt
-
-  RequestHeader set X_FORWARDED_PROTO 'https'
-
-  DocumentRoot /srv/leap/webapp/public
-
-  RewriteEngine On
-  # Check for maintenance file and redirect all requests
-  RewriteCond %{DOCUMENT_ROOT}/system/maintenance.html -f
-  RewriteCond %{SCRIPT_FILENAME} !maintenance.html
-  RewriteCond %{REQUEST_URI} !/images/maintenance.jpg
-  RewriteRule ^.*$ %{DOCUMENT_ROOT}/system/maintenance.html [L]
-
-  # http://www.modrails.com/documentation/Users%20guide%20Apache.html#_passengerallowencodedslashes_lt_on_off_gt
-  AllowEncodedSlashes on
-  PassengerAllowEncodedSlashes on
-  PassengerFriendlyErrorPages off
-  SetEnv TMPDIR /var/tmp
-
- <% if (defined? @services) and (@services.include? 'monitor') -%>
- <DirectoryMatch (/usr/share/nagios3/htdocs|/usr/lib/cgi-bin/nagios3|/etc/nagios3/stylesheets)>
-    PassengerEnabled off
-    AllowOverride all
-  </DirectoryMatch>
- <% end -%>
-</VirtualHost>
-
author	Micah Anderson <micah@leap.se>	2014-04-22 14:13:46 -0400
committer	Micah Anderson <micah@leap.se>	2014-04-22 14:13:46 -0400
commit	327d5c934e408f90011d7949b89ab01fed88998e (patch)
tree	77cfefffc8f9ffe160c4413b26dd5ca5cdd6f1e8 /puppet/modules/site_apache
parent	ca11482dd7cd4ea8ffa69407ee2fd5b5e1b7981b (diff)
parent	4295f334ea4f92d7fb47f7121a42633630c368d1 (diff)