| -rw-r--r-- | provider_base/services/static.json | 2 | ||||
| -rw-r--r-- | puppet/modules/site_apt/manifests/preferences/passenger.pp | 10 | ||||
| -rw-r--r-- | puppet/modules/site_static/manifests/domain.pp | 14 | ||||
| -rw-r--r-- | puppet/modules/site_static/manifests/init.pp | 19 | ||||
| -rw-r--r-- | puppet/modules/site_static/manifests/location.pp | 8 | ||||
| -rw-r--r-- | puppet/modules/site_static/templates/amber.erb | 15 | ||||
| -rw-r--r-- | puppet/modules/site_static/templates/apache.conf.erb | 60 | ||||
| -rw-r--r-- | puppet/modules/site_static/templates/rack.erb | 22 | 
8 files changed, 107 insertions, 43 deletions
diff --git a/provider_base/services/static.json b/provider_base/services/static.json index 3bbc1240..c8ca5b1a 100644 --- a/provider_base/services/static.json +++ b/provider_base/services/static.json @@ -1,6 +1,6 @@  {    "static": { -    "formats": "=> (self.static.domains||{}).values.collect{|d| (d.locations||{}).values.collect{|l|l['format']}}.flatten.uniq", +    "formats": "=> try{static.domains.values.collect{|d| try{d.locations.values.collect{|l|l.format}} }.flatten.compact.uniq} || []",      // include a copy of provider.json in case any of the configured domains happens to match provider.domain      "bootstrap_files": {        "domain": "= provider.domain", diff --git a/puppet/modules/site_apt/manifests/preferences/passenger.pp b/puppet/modules/site_apt/manifests/preferences/passenger.pp new file mode 100644 index 00000000..af501b6b --- /dev/null +++ b/puppet/modules/site_apt/manifests/preferences/passenger.pp @@ -0,0 +1,10 @@ +class site_apt::preferences::passenger { + +  apt::preferences_snippet { 'passenger': +    package  => 'libapache2-mod-passenger', +    release  => "${::lsbdistcodename}-backports", +    priority => 999, +    require  => [Package['apache'], Class['ruby']]; +  } + +} diff --git a/puppet/modules/site_static/manifests/domain.pp b/puppet/modules/site_static/manifests/domain.pp index 0f54a975..6941b1a3 100644 --- a/puppet/modules/site_static/manifests/domain.pp +++ b/puppet/modules/site_static/manifests/domain.pp @@ -1,10 +1,11 @@  define site_static::domain ( -  $locations,    $ca_cert,    $key,    $cert, -  $tls_only, -  $aliases) { +  $tls_only=true, +  $locations=undef, +  $aliases=undef, +  $apache_config=undef) {    $domain = $name    $base_dir = '/srv/static' 
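Review bot: The new `$apache_config` parameter in the `site_static::domain` signature has no comment saying that `apache.conf.erb` writes its value verbatim into the port-443 vhost (`<%=   @apache_config %>`). Whoever can set it in the provider configuration can therefore add arbitrary Apache directives. A comment above the parameter list would make that trust boundary explicit, for example `# $apache_config: raw Apache directives, inserted unmodified into the TLS vhost; trusted operator input only`. The body of the define continues outside this hunk.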
@@ -15,13 +16,6 @@ define site_static::domain (    x509::key  { $domain: content => $key }    x509::ca   { "${domain}_ca": content => $ca_cert } -  class { '::apache': no_default_site => true, ssl => true } -  include site_apache::module::headers -  include site_apache::module::alias -  include site_apache::module::expires -  include site_apache::module::removeip -  include site_apache::module::rewrite -    apache::vhost::file { $domain:      content => template('site_static/apache.conf.erb')    } diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp index 6b2cc1f3..6e347d35 100644 --- a/puppet/modules/site_static/manifests/init.pp +++ b/puppet/modules/site_static/manifests/init.pp @@ -11,8 +11,8 @@ class site_static {      file { '/srv/leap/provider.json':        content => $bootstrap['provider_json'],        owner   => 'www-data', -      group => 'www-data', -      mode => '0444'; +      group   => 'www-data', +      mode    => '0444';      }      # It is important to always touch provider.json: the client needs to check x-min-client-version header,      # but this is only sent when the file has been modified (otherwise 304 is sent by apache). The problem @@ -22,6 +22,21 @@ class site_static {      }    } +  class { '::apache': no_default_site => true, ssl => true } +  include site_apache::module::headers +  include site_apache::module::alias +  include site_apache::module::expires +  include site_apache::module::removeip +  include site_apache::module::rewrite + +  if (member($formats, 'rack')) { +    include site_apt::preferences::passenger +    class { 'passenger': +      use_munin => false, +      require => Class['site_apt::preferences::passenger'] +    } +  } +    if (member($formats, 'amber')) {      include site_config::ruby::dev      rubygems::gem{'amber-0.3.0': } 
diff --git a/puppet/modules/site_static/manifests/location.pp b/puppet/modules/site_static/manifests/location.pp index 1ba6807e..9c749b00 100644 --- a/puppet/modules/site_static/manifests/location.pp +++ b/puppet/modules/site_static/manifests/location.pp @@ -2,6 +2,14 @@ define site_static::location($path, $format, $source) {    $file_path = "/srv/static/${name}" +  if $format == undef { +    fail("static_site location `${path}` is missing `format` field.") +  } + +  if ! member(['amber','rack'], $format) { +    fail("Could not understand static_site location format `${format}`.") +  } +    if ($format == 'amber') {      exec {"amber_build_${name}":        cwd     => $file_path, diff --git a/puppet/modules/site_static/templates/amber.erb b/puppet/modules/site_static/templates/amber.erb new file mode 100644 index 00000000..17dc2ad6 --- /dev/null +++ b/puppet/modules/site_static/templates/amber.erb @@ -0,0 +1,15 @@ +<%- if @location_path == '' -%> +  <Directory "<%= @directory %>/"> +    AllowOverride FileInfo Indexes Options=All,MultiViews +    Order deny,allow +    Allow from all +  </Directory> +<%- else -%> +  AliasMatch ^/[a-z]{2}/<%=@location_path%>(/.+|/|)$ "<%=@directory%>/$1" +  Alias /<%=@location_path%> "<%=@directory%>/" +  <Directory "<%=@directory%>/"> +    AllowOverride FileInfo Indexes Options=All,MultiViews +    Order deny,allow +    Allow from all +  </Directory> +<%- end -%> diff --git a/puppet/modules/site_static/templates/apache.conf.erb b/puppet/modules/site_static/templates/apache.conf.erb index b694d44c..b23c1bf9 100644 --- a/puppet/modules/site_static/templates/apache.conf.erb +++ b/puppet/modules/site_static/templates/apache.conf.erb 
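Review bot: Both `<Directory>` blocks in `amber.erb` grant `AllowOverride FileInfo Indexes Options=All,MultiViews`, which lets an `.htaccess` file shipped with the site content turn on any option and register handlers. That makes the content source trusted with server configuration. If amber sites only need negotiation and indexes, `AllowOverride FileInfo Indexes Options=MultiViews,Indexes` would narrow what site content can change. Separately, `@location_path` goes into the `AliasMatch` pattern unescaped; `<%= Regexp.escape(@location_path) %>` would keep regex metacharacters in a path from altering the match.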
@@ -2,20 +2,23 @@    ##    ## An apache config for static websites.    ## +    def location_directory(name, location) -    if location['format'] == 'amber' +    if ['amber', 'rack'].include?(location['format'])        File.join(@base_dir, name, 'public')      else        File.join(@base_dir, name)      end    end -  document_root = '/var/www' -  @locations.each do |name, location| -    if location['path'] == '/' -      document_root = location_directory(name, location) + +  @document_root = begin +    root = '/var/www' +    @locations && @locations.each do |name, location| +      root = location_directory(name, location) if location['path'] == '/'      end +    root.gsub(%r{^/|/$}, '')    end -  document_root = document_root.gsub(%r{^/|/$}, '') +    bootstrap_domain = scope.lookupvar('site_static::bootstrap_domain')    bootstrap_client = scope.lookupvar('site_static::bootstrap_client')  -%> @@ -26,8 +29,10 @@  <%- @aliases && @aliases.each do |domain_alias| -%>    ServerAlias <%= domain_alias %>  <%- end -%> +<%- if @tls_only -%>    RewriteEngine On    RewriteRule ^.*$ https://<%= @domain -%>%{REQUEST_URI} [R=permanent,L] +<%- end -%>  </VirtualHost>  <VirtualHost *:443> 
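Review bot: `root.gsub(%r{^/|/$}, '')` uses `^` and `$`, which in Ruby match at every line boundary rather than only at the ends of the string, so a path value containing a newline would not be trimmed the way the code reads. `root.gsub(%r{\A/|/\z}, '')` states the intent exactly; the same pattern is applied to `location['path']` in the `@@ -55,37 +64,28 @@` hunk. Because these values end up in `DocumentRoot` and `Alias` lines, rejecting paths that contain whitespace or control characters before rendering would be a reasonable extra check.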
@@ -46,8 +51,12 @@    SSLCompression off    SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK" +<%- if @tls_only -%>    Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains" +<%- end -%>    Header set X-Frame-Options "deny" +  Header always unset X-Powered-By +  Header always unset X-Runtime    SSLCertificateKeyFile    /etc/x509/keys/<%= @domain %>.key    SSLCertificateFile       /etc/x509/certs/<%= @domain %>.crt 
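Review bot: `Header always unset X-Powered-By` and `Header always unset X-Runtime` only edit Apache's `always` header table, so headers that the application module places in the default (onsuccess) table may still be sent on ordinary 2xx responses. Adding the plain forms as well, `Header unset X-Powered-By` and `Header unset X-Runtime`, covers both tables. It is worth confirming the result with a request against a rack location after deployment.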
@@ -55,37 +64,28 @@    RequestHeader set X_FORWARDED_PROTO 'https' -  DocumentRoot "/<%= document_root %>/" +  DocumentRoot "/<%= @document_root %>/"    AccessFileName .htaccess -<%- @locations.each do |name, location| -%> -  <%- path = location['path'].gsub(%r{^/|/$}, '') -%> -  <%- directory = location_directory(name, location) -%> -  ## -  ## <%= name %> -  ## -  <%- if path == '' -%> -  <Directory "/<%= document_root %>/"> -    AllowOverride FileInfo Indexes Options=All,MultiViews -    Order deny,allow -    Allow from all -  </Directory> -    <%- if ([@aliases]+[@domain]).flatten.include?(bootstrap_domain) -%> +<%- if ([@aliases]+[@domain]).flatten.include?(bootstrap_domain) -%>    Alias /provider.json /srv/leap/provider.json    <Location /provider.json>      Header set X-Minimum-Client-Version <%= bootstrap_client['min'] %>    </Location> -    <%- end -%> -  <%- else -%> -  AliasMatch ^/[a-z]{2}/<%=path%>(/.+|/|)$ "/<%=directory%>/$1" -  Alias /<%=path%> "/<%=directory%>/" -  <Directory "/<%=directory%>/"> -    AllowOverride FileInfo Indexes Options=All,MultiViews -    Order deny,allow -    Allow from all -  </Directory> -  <%- end -%> +<%- end -%> + +<%- if @apache_config -%> +<%=   @apache_config %> +<%- end -%> +<%- @locations && @locations.each do |name, location| -%> +<%-   location_path = location['path'].gsub(%r{^/|/$}, '') -%> +<%-   directory = location_directory(name, location) -%> +<%-   local_vars = {'location_path'=>location_path, 'directory'=>directory, 'location'=>location, 'name'=>name} -%> +  ## +  ## <%= name %> (<%= location['format'] %>) +  ## +<%=   scope.function_templatewlv([File.join(File.dirname(__FILE__), location['format']) + '.erb', local_vars]) %>  <%- end -%>  </VirtualHost> diff --git a/puppet/modules/site_static/templates/rack.erb b/puppet/modules/site_static/templates/rack.erb new file mode 100644 index 00000000..3e22e750 --- /dev/null +++ b/puppet/modules/site_static/templates/rack.erb 
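Review bot: The per-location template file name in the `scope.function_templatewlv` call is built directly from `location['format']`, and nothing in this template checks that value. The allow-list added in `site_static::location` only helps if every entry of `@locations` is also declared through that define, which is not visible here. A guard before the call keeps a missing or unexpected format from becoming a nil `File.join` error or a lookup of some other `.erb` file: `<%- raise Puppet::ParseError, "unsupported format for #{name}" unless %w[amber rack].include?(location['format']) -%>`.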
@@ -0,0 +1,22 @@
+  #PassengerLogLevel 1
+  #RackEnv production
+  #PassengerFriendlyErrorPages on
+<%- if @location_path == '' -%>
+  <Directory "<%=@directory%>">
+    Order deny,allow
+    Allow from all
+    Options -MultiViews
+  </Directory>
+<%- else -%>
+  Alias /<%=@location_path%> "<%=@directory%>"
+  <Location /<%=@location_path%>>
+    RackBaseURI /<%=@location_path%>
+    PassengerBaseURI /<%=@location_path%>
+    PassengerAppRoot "<%=File.dirname(@directory)%>"
+  </Location>
+  <Directory "<%=@directory%>">
+    Order deny,allow
+    Allow from all
+    Options -MultiViews
+  </Directory>
+<%- end -%>
|
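Review bot: The commented-out `#PassengerFriendlyErrorPages on` at the top of `rack.erb` invites someone to uncomment it while debugging, and friendly error pages show backtraces and environment details to any visitor. I would drop that line and state the production setting explicitly with `PassengerFriendlyErrorPages off`. The root-path branch also sets no `PassengerAppRoot`, unlike the sub-path branch, so it appears to rely on Passenger deriving the application root from the document root; a short comment saying so would help the next reader.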
