summaryrefslogtreecommitdiff
path: root/puppet/modules/site_webapp
diff options
context:
space:
mode:
authorMicah Anderson <micah@leap.se>2015-09-15 11:52:20 -0400
committerMicah <micah@leap.se>2015-09-30 12:46:48 +0200
commit8b0910f1caf19884b6b46976b72536ee1f570ed5 (patch)
tree2990e1b3ae4a4c406754444c9d98b98ae658cbb2 /puppet/modules/site_webapp
parent659587b9a56274d87c8c8deda499ccea85f875b5 (diff)
Fix server-status availability to tor hidden services (#7456)
Make the server-status information unavailable by putting the vhost on a port that isn't configured as available to the tor hidden-service. Change-Id: Idd3bfefb5b7fc26fb0a8cf48cdf6afc68a4192bb
Diffstat (limited to 'puppet/modules/site_webapp')
-rw-r--r--puppet/modules/site_webapp/files/server-status.conf28
-rw-r--r--puppet/modules/site_webapp/manifests/apache.pp3
-rw-r--r--puppet/modules/site_webapp/manifests/common_vhost.pp18
-rw-r--r--puppet/modules/site_webapp/manifests/hidden_service.pp10
4 files changed, 56 insertions, 3 deletions
diff --git a/puppet/modules/site_webapp/files/server-status.conf b/puppet/modules/site_webapp/files/server-status.conf
new file mode 100644
index 00000000..84cb9ae0
--- /dev/null
+++ b/puppet/modules/site_webapp/files/server-status.conf
@@ -0,0 +1,28 @@
+# Keep track of extended status information for each request
+ExtendedStatus On
+
+# Determine if mod_status displays the first 63 characters of a request or
+# the last 63, assuming the request itself is greater than 63 chars.
+# Default: Off
+#SeeRequestTail On
+
+Listen 127.0.0.1:8162
+NameVirtualHost 127.0.0.1:8162
+
+<VirtualHost 127.0.0.1:8162>
+
+<Location /server-status>
+ SetHandler server-status
+ Order deny,allow
+ Deny from all
+ Allow from 127.0.0.1
+</Location>
+
+</VirtualHost>
+
+
+<IfModule mod_proxy.c>
+ # Show Proxy LoadBalancer status in mod_status
+ ProxyStatus On
+</IfModule>
+
diff --git a/puppet/modules/site_webapp/manifests/apache.pp b/puppet/modules/site_webapp/manifests/apache.pp
index 93e172a0..ddd04a91 100644
--- a/puppet/modules/site_webapp/manifests/apache.pp
+++ b/puppet/modules/site_webapp/manifests/apache.pp
@@ -15,12 +15,13 @@ class site_webapp::apache {
include site_apache::module::alias
include site_apache::module::expires
include site_apache::module::removeip
+ include site_webapp::common_vhost
class { 'passenger': use_munin => false }
apache::vhost::file {
'api':
- content => template('site_apache/vhosts.d/api.conf.erb')
+ content => template('site_apache/vhosts.d/api.conf.erb');
}
}
diff --git a/puppet/modules/site_webapp/manifests/common_vhost.pp b/puppet/modules/site_webapp/manifests/common_vhost.pp
new file mode 100644
index 00000000..c57aad57
--- /dev/null
+++ b/puppet/modules/site_webapp/manifests/common_vhost.pp
@@ -0,0 +1,18 @@
+class site_webapp::common_vhost {
+ # installs x509 cert + key and common config
+ # that both nagios + leap webapp use
+
+ include x509::variables
+ include site_config::x509::commercial::cert
+ include site_config::x509::commercial::key
+ include site_config::x509::commercial::ca
+
+ Class['Site_config::X509::Commercial::Key'] ~> Service[apache]
+ Class['Site_config::X509::Commercial::Cert'] ~> Service[apache]
+ Class['Site_config::X509::Commercial::Ca'] ~> Service[apache]
+
+ apache::vhost::file {
+ 'common':
+ content => template('site_apache/vhosts.d/common.conf.erb')
+ }
+}
diff --git a/puppet/modules/site_webapp/manifests/hidden_service.pp b/puppet/modules/site_webapp/manifests/hidden_service.pp
index 16b6e2e7..99a756ca 100644
--- a/puppet/modules/site_webapp/manifests/hidden_service.pp
+++ b/puppet/modules/site_webapp/manifests/hidden_service.pp
@@ -32,12 +32,18 @@ class site_webapp::hidden_service {
owner => 'debian-tor',
group => 'debian-tor',
mode => '0600';
+
+ '/etc/apache2/mods-enabled/status.conf':
+ ensure => absent,
+ notify => Service['apache'];
}
apache::vhost::file {
'hidden_service':
- content => template('site_apache/vhosts.d/hidden_service.conf.erb')
+ content => template('site_apache/vhosts.d/hidden_service.conf.erb');
+ 'server_status':
+ vhost_source => 'modules/site_webapp/server-status.conf';
}
include site_shorewall::tor
-} \ No newline at end of file
+}