add site_webapp class to install the certs/keys/CAs and virtual host configurations

author: Micah Anderson <micah@riseup.net> 2012-11-27 11:49:08 -0500
committer: Micah Anderson <micah@riseup.net> 2012-11-27 12:28:46 -0500
commit: 0876cc7c712f273991cbb1177d7416afd0a1462d (patch)
tree: 7b683253b28dc7c920e709f2734d5de267fc6c8a /puppet/modules
parent: a2e2f558bcfc4b35c7d81f282d73e06f78590113 (diff)
3 files changed, 136 insertions, 0 deletions
diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
new file mode 100644
index 00000000..fc26190c
--- /dev/null
+++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
@@ -0,0 +1,36 @@
+<VirtualHost *:80>
+  ServerName <%= api_domain %>
+  RewriteEngine On
+  RewriteRule ^.*$ https://<%= api_domain -%>%{REQUEST_URI} [R=permanent,L]
+</VirtualHost>
+
+<VirtualHost *:443>
+  ServerName <%= api_domain %>
+
+  SSLEngine on
+  SSLProtocol -all +SSLv3 +TLSv1
+  SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH
+  SSLHonorCipherOrder on
+
+  SSLCACertificatePath /etc/ssl/certs
+  SSLCertificateChainFile /etc/ssl/certs/leap_api.crt
+  SSLCertificateKeyFile /etc/x509/keys/leap_api.key
+  SSLCertificateFile /etc/x509/certs/leap_api.crt
+
+  RequestHeader set X_FORWARDED_PROTO 'https'
+
+  DocumentRoot /srv/leap_webapp/public
+
+  # Check for maintenance file and redirect all requests
+  RewriteEngine On
+  RewriteCond %{DOCUMENT_ROOT}/system/maintenance.html -f
+  RewriteCond %{SCRIPT_FILENAME} !maintenance.html
+  RewriteCond %{REQUEST_URI} !/images/maintenance.jpg
+  RewriteRule ^.*$ %{DOCUMENT_ROOT}/system/maintenance.html [L]
+
+  # http://www.modrails.com/documentation/Users%20guide%20Apache.html#_passengerallowencodedslashes_lt_on_off_gt
+  AllowEncodedSlashes on
+  PassengerAllowEncodedSlashes on
+  PassengerFriendlyErrorPages off
+  SetEnv TMPDIR /var/tmp
+</VirtualHost>
diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb
new file mode 100644
index 00000000..bb035cd2
--- /dev/null
+++ b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb
@@ -0,0 +1,39 @@
+<VirtualHost *:80>
+  ServerName <%= domain %>
+  ServerAlias www.<%= domain %>
+  RewriteEngine On
+  RewriteRule ^.*$ https://<%= domain -%>%{REQUEST_URI} [R=permanent,L]
+</VirtualHost>
+
+<VirtualHost *:443>
+  ServerName <%= domain %>
+  ServerAlias www.<%= domain %>
+
+  SSLEngine on
+  SSLProtocol -all +SSLv3 +TLSv1
+  SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH
+  SSLHonorCipherOrder on
+
+  SSLCACertificatePath /etc/ssl/certs
+  SSLCertificateChainFile /etc/ssl/certs/leap_webapp.crt
+  SSLCertificateKeyFile /etc/x509/keys/leap_webapp.key
+  SSLCertificateFile /etc/x509/certs/leap_webapp.crt
+
+  RequestHeader set X_FORWARDED_PROTO 'https'
+
+  DocumentRoot /srv/leap_webapp/public
+
+  # Check for maintenance file and redirect all requests
+  RewriteEngine On
+  RewriteCond %{DOCUMENT_ROOT}/system/maintenance.html -f
+  RewriteCond %{SCRIPT_FILENAME} !maintenance.html
+  RewriteCond %{REQUEST_URI} !/images/maintenance.jpg
+  RewriteRule ^.*$ %{DOCUMENT_ROOT}/system/maintenance.html [L]
+
+  # http://www.modrails.com/documentation/Users%20guide%20Apache.html#_passengerallowencodedslashes_lt_on_off_gt
+  AllowEncodedSlashes on
+  PassengerAllowEncodedSlashes on
+  PassengerFriendlyErrorPages off
+  SetEnv TMPDIR /var/tmp
+</VirtualHost>
+
diff --git a/puppet/modules/site_webapp/manifests/apache.pp b/puppet/modules/site_webapp/manifests/apache.pp
new file mode 100644
index 00000000..d6470186
--- /dev/null
+++ b/puppet/modules/site_webapp/manifests/apache.pp
@@ -0,0 +1,61 @@
+class site_webapp::apache {
+
+  $api_domain       = hiera('api_domain')
+  $x509             = hiera('x509')
+  $commercial_key   = $x509['commercial_key']
+  $commercial_cert  = $x509['commercial_cert']
+  $commercial_root  = $x509['commercial_ca_cert']
+  $api_key          = $x509['key']
+  $api_cert         = $x509['cert']
+  $api_root         = $x509['ca_cert']
+
+  $apache_no_default_site = true
+  include apache::ssl
+
+  apache::module {
+    'rewrite': ensure => present;
+    'headers': ensure => present;
+  }
+
+  class { 'passenger': use_munin => false }
+
+  apache::vhost::file {
+    'leap_webapp':
+      content => template('site_apache/vhosts.d/leap_webapp.conf.erb')
+  }
+
+  apache::vhost::file {
+    'api':
+      content => template('site_apache/vhosts.d/api.conf.erb')
+  }
+
+  x509::key {
+    'leap_webapp':
+      content => $commercial_key,
+      notify  => Service[apache];
+
+    'leap_api':
+      content => $api_key,
+      notify  => Service[apache];
+  }
+
+  x509::cert {
+    'leap_webapp':
+      content => $commercial_cert,
+      notify  => Service[apache];
+
+    'leap_api':
+      content => $api_cert,
+      notify  => Service[apache];
+  }
+
+  x509::ca {
+    'leap_webapp':
+      content => $commercial_root,
+      notify  => Service[apache];
+
+    'leap_api':
+      content => $api_root,
+      notify  => Service[apache];
+  }
+}
author	Micah Anderson <micah@riseup.net>	2012-11-27 11:49:08 -0500
committer	Micah Anderson <micah@riseup.net>	2012-11-27 12:28:46 -0500
commit	0876cc7c712f273991cbb1177d7416afd0a1462d (patch)
tree	7b683253b28dc7c920e709f2734d5de267fc6c8a /puppet/modules
parent	a2e2f558bcfc4b35c7d81f282d73e06f78590113 (diff)