diff options
author | Micah Anderson <micah@leap.se> | 2015-09-15 11:52:20 -0400 |
---|---|---|
committer | Micah <micah@leap.se> | 2015-09-30 12:46:48 +0200 |
commit | 8b0910f1caf19884b6b46976b72536ee1f570ed5 (patch) | |
tree | 2990e1b3ae4a4c406754444c9d98b98ae658cbb2 /puppet/modules/site_webapp | |
parent | 659587b9a56274d87c8c8deda499ccea85f875b5 (diff) |
Fix server-status availability to tor hidden services (#7456)
Make the server-status information unavailable by putting the vhost on a
port that isn't configured as available to the tor hidden-service.
Change-Id: Idd3bfefb5b7fc26fb0a8cf48cdf6afc68a4192bb
Diffstat (limited to 'puppet/modules/site_webapp')
4 files changed, 56 insertions, 3 deletions
diff --git a/puppet/modules/site_webapp/files/server-status.conf b/puppet/modules/site_webapp/files/server-status.conf new file mode 100644 index 00000000..84cb9ae0 --- /dev/null +++ b/puppet/modules/site_webapp/files/server-status.conf @@ -0,0 +1,28 @@ +# Keep track of extended status information for each request +ExtendedStatus On + +# Determine if mod_status displays the first 63 characters of a request or +# the last 63, assuming the request itself is greater than 63 chars. +# Default: Off +#SeeRequestTail On + +Listen 127.0.0.1:8162 +NameVirtualHost 127.0.0.1:8162 + +<VirtualHost 127.0.0.1:8162> + +<Location /server-status> + SetHandler server-status + Order deny,allow + Deny from all + Allow from 127.0.0.1 +</Location> + +</VirtualHost> + + +<IfModule mod_proxy.c> + # Show Proxy LoadBalancer status in mod_status + ProxyStatus On +</IfModule> + diff --git a/puppet/modules/site_webapp/manifests/apache.pp b/puppet/modules/site_webapp/manifests/apache.pp index 93e172a0..ddd04a91 100644 --- a/puppet/modules/site_webapp/manifests/apache.pp +++ b/puppet/modules/site_webapp/manifests/apache.pp @@ -15,12 +15,13 @@ class site_webapp::apache { include site_apache::module::alias include site_apache::module::expires include site_apache::module::removeip + include site_webapp::common_vhost class { 'passenger': use_munin => false } apache::vhost::file { 'api': - content => template('site_apache/vhosts.d/api.conf.erb') + content => template('site_apache/vhosts.d/api.conf.erb'); } } diff --git a/puppet/modules/site_webapp/manifests/common_vhost.pp b/puppet/modules/site_webapp/manifests/common_vhost.pp new file mode 100644 index 00000000..c57aad57 --- /dev/null +++ b/puppet/modules/site_webapp/manifests/common_vhost.pp @@ -0,0 +1,18 @@ +class site_webapp::common_vhost { + # installs x509 cert + key and common config + # that both nagios + leap webapp use + + include x509::variables + include site_config::x509::commercial::cert + include site_config::x509::commercial::key + include site_config::x509::commercial::ca + + Class['Site_config::X509::Commercial::Key'] ~> Service[apache] + Class['Site_config::X509::Commercial::Cert'] ~> Service[apache] + Class['Site_config::X509::Commercial::Ca'] ~> Service[apache] + + apache::vhost::file { + 'common': + content => template('site_apache/vhosts.d/common.conf.erb') + } +} diff --git a/puppet/modules/site_webapp/manifests/hidden_service.pp b/puppet/modules/site_webapp/manifests/hidden_service.pp index 16b6e2e7..99a756ca 100644 --- a/puppet/modules/site_webapp/manifests/hidden_service.pp +++ b/puppet/modules/site_webapp/manifests/hidden_service.pp @@ -32,12 +32,18 @@ class site_webapp::hidden_service { owner => 'debian-tor', group => 'debian-tor', mode => '0600'; + + '/etc/apache2/mods-enabled/status.conf': + ensure => absent, + notify => Service['apache']; } apache::vhost::file { 'hidden_service': - content => template('site_apache/vhosts.d/hidden_service.conf.erb') + content => template('site_apache/vhosts.d/hidden_service.conf.erb'); + 'server_status': + vhost_source => 'modules/site_webapp/server-status.conf'; } include site_shorewall::tor -}
\ No newline at end of file +} |