Diffstat (limited to 'puppet/modules/site_apache')
-rw-r--r--puppet/modules/site_apache/manifests/common.pp41
-rw-r--r--puppet/modules/site_apache/manifests/common/tls.pp6
-rw-r--r--puppet/modules/site_apache/manifests/module/alias.pp5
-rw-r--r--puppet/modules/site_apache/manifests/module/expires.pp4
-rw-r--r--puppet/modules/site_apache/manifests/module/headers.pp5
-rw-r--r--puppet/modules/site_apache/manifests/module/removeip.pp5
-rw-r--r--puppet/modules/site_apache/manifests/module/rewrite.pp5
-rw-r--r--puppet/modules/site_apache/templates/vhosts.d/api.conf.erb17
-rw-r--r--puppet/modules/site_apache/templates/vhosts.d/common.conf.erb26
-rw-r--r--puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb24
10 files changed, 77 insertions, 61 deletions
diff --git a/puppet/modules/site_apache/manifests/common.pp b/puppet/modules/site_apache/manifests/common.pp
index 2b83ffa5..8a11759a 100644
--- a/puppet/modules/site_apache/manifests/common.pp
+++ b/puppet/modules/site_apache/manifests/common.pp
@@ -1,27 +1,30 @@
+# install basic apache modules needed for all services (nagios, webapp)
class site_apache::common {
- # installs x509 cert + key and common config
- # that both nagios + leap webapp use
- $web_domain = hiera('domain')
- $domain_name = $web_domain['name']
+ include apache::module::rewrite
+ include apache::module::env
- include x509::variables
- include site_config::x509::commercial::cert
- include site_config::x509::commercial::key
- include site_config::x509::commercial::ca
-
- Class['Site_config::X509::Commercial::Key'] ~> Service[apache]
- Class['Site_config::X509::Commercial::Cert'] ~> Service[apache]
- Class['Site_config::X509::Commercial::Ca'] ~> Service[apache]
-
- include site_apache::module::rewrite
+ class { '::apache':
+ no_default_site => true,
+ ssl => true,
+ ssl_cipher_suite => 'HIGH:MEDIUM:!aNULL:!MD5'
+ }
- class { '::apache': no_default_site => true, ssl => true }
+ # needed for the mod_ssl config
+ include apache::module::mime
- apache::vhost::file {
- 'common':
- content => template('site_apache/vhosts.d/common.conf.erb')
+ # load mods depending on apache version
+ if ( $::lsbdistcodename == 'jessie' ) {
+ # apache >= 2.4, debian jessie
+ # needed for mod_ssl config
+ include apache::module::socache_shmcb
+ # generally needed
+ include apache::module::mpm_prefork
+ } else {
+ # apache < 2.4, debian wheezy
+ # for "Order" directive, i.e. main apache2.conf
+ include apache::module::authz_host
}
- apache::config::include{ 'ssl_common.inc': }
+ include site_apache::common::tls
}
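Review bot: The `ssl_cipher_suite => 'HIGH:MEDIUM:!aNULL:!MD5'` value passed to `::apache` still admits OpenSSL's MEDIUM class, which in OpenSSL 1.0.x includes RC4 and SEED suites that `!MD5` does not remove. Unless a known legacy client needs them, consider dropping MEDIUM or excluding RC4 explicitly, e.g. `ssl_cipher_suite => 'HIGH:!aNULL:!MD5:!RC4'`, and add a comment naming the clients the string is meant to support. Separately, the `else` branch treats every release other than jessie as apache < 2.4, while the templates in this commit decide by `guess_apache_version`; using one check in both places would keep the manifest and the vhosts from disagreeing on a later release.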
diff --git a/puppet/modules/site_apache/manifests/common/tls.pp b/puppet/modules/site_apache/manifests/common/tls.pp
new file mode 100644
index 00000000..040868bf
--- /dev/null
+++ b/puppet/modules/site_apache/manifests/common/tls.pp
@@ -0,0 +1,6 @@
+class site_apache::common::tls {
+ # class to setup common SSL configurations
+
+ apache::config::include{ 'ssl_common.inc': }
+
+}
diff --git a/puppet/modules/site_apache/manifests/module/alias.pp b/puppet/modules/site_apache/manifests/module/alias.pp
deleted file mode 100644
index c1f5e185..00000000
--- a/puppet/modules/site_apache/manifests/module/alias.pp
+++ /dev/null
@@ -1,5 +0,0 @@
-class site_apache::module::alias ( $ensure = present )
-{
-
- apache::module { 'alias': ensure => $ensure }
-}
diff --git a/puppet/modules/site_apache/manifests/module/expires.pp b/puppet/modules/site_apache/manifests/module/expires.pp
deleted file mode 100644
index f73a5607..00000000
--- a/puppet/modules/site_apache/manifests/module/expires.pp
+++ /dev/null
@@ -1,4 +0,0 @@
-class site_apache::module::expires ( $ensure = present )
-{
- apache::module { 'expires': ensure => $ensure }
-}
diff --git a/puppet/modules/site_apache/manifests/module/headers.pp b/puppet/modules/site_apache/manifests/module/headers.pp
deleted file mode 100644
index f7caa28c..00000000
--- a/puppet/modules/site_apache/manifests/module/headers.pp
+++ /dev/null
@@ -1,5 +0,0 @@
-class site_apache::module::headers ( $ensure = present )
-{
-
- apache::module {'headers': ensure => $ensure }
-}
diff --git a/puppet/modules/site_apache/manifests/module/removeip.pp b/puppet/modules/site_apache/manifests/module/removeip.pp
deleted file mode 100644
index f106167a..00000000
--- a/puppet/modules/site_apache/manifests/module/removeip.pp
+++ /dev/null
@@ -1,5 +0,0 @@
-class site_apache::module::removeip ( $ensure = present )
-{
- package { 'libapache2-mod-removeip': ensure => $ensure }
- apache::module { 'removeip': ensure => $ensure }
-}
diff --git a/puppet/modules/site_apache/manifests/module/rewrite.pp b/puppet/modules/site_apache/manifests/module/rewrite.pp
deleted file mode 100644
index 7ad00a0c..00000000
--- a/puppet/modules/site_apache/manifests/module/rewrite.pp
+++ /dev/null
@@ -1,5 +0,0 @@
-class site_apache::module::rewrite ( $ensure = present )
-{
-
- apache::module { 'rewrite': ensure => $ensure }
-}
diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
index 0396f54b..bfa5d04d 100644
--- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
+++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
@@ -1,18 +1,17 @@
<VirtualHost *:80>
- ServerName <%= api_domain %>
+ ServerName <%= @api_domain %>
RewriteEngine On
- RewriteRule ^.*$ https://<%= api_domain -%>:<%= api_port -%>%{REQUEST_URI} [R=permanent,L]
+ RewriteRule ^.*$ https://<%= @api_domain -%>:<%= @api_port -%>%{REQUEST_URI} [R=permanent,L]
CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log common
</VirtualHost>
-Listen 0.0.0.0:<%= api_port %>
+Listen 0.0.0.0:<%= @api_port %>
-<VirtualHost *:<%= api_port -%>>
- ServerName <%= api_domain %>
+<VirtualHost *:<%= @api_port -%>>
+ ServerName <%= @api_domain %>
CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log common
SSLCACertificatePath /etc/ssl/certs
- SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::ca_name') %>.crt
SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.key
SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.crt
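Review bot: Dropping `SSLCertificateChainFile` leaves this TLS vhost with no explicit source for intermediate certificates, and the same line is removed from the 443 vhost in common.conf.erb. Carrying the chain inside `SSLCertificateFile` is only supported from Apache 2.4.8, while common.pp in this commit still has a branch for apache < 2.4 on wheezy. If the chain is now expected to come from the certificate file or from `SSLCACertificatePath /etc/ssl/certs`, a template comment saying so would help, and it is worth confirming on a wheezy node that clients still receive the full chain. Where the CA and certificate files are deployed after this change is not visible in the diff.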
@@ -27,6 +26,12 @@ Listen 0.0.0.0:<%= api_port %>
</IfModule>
DocumentRoot /srv/leap/webapp/public
+ <% if scope.function_guess_apache_version([]) == '2.4' %>
+ <Directory /srv/leap/webapp/public>
+ AllowOverride None
+ Require all granted
+ </Directory>
+ <% end %>
# Check for maintenance file and redirect all requests
RewriteEngine On
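Review bot: The new `<Directory /srv/leap/webapp/public>` block is emitted only when `guess_apache_version` returns '2.4', so on the older branch the docroot gets no explicit `AllowOverride None` and inherits whatever the global configuration sets (Apache 2.2 defaults to `AllowOverride All`). Consider emitting the `<Directory>` and `AllowOverride None` lines unconditionally and moving the `<% if ... %>`/`<% end %>` pair so that it wraps only `Require all granted`. The same block is repeated in common.conf.erb and twice in hidden_service.conf.erb, so a shared partial would keep the four copies from drifting apart. The vhost body continues outside the hunk.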
diff --git a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb
index ee5cd707..bf60e794 100644
--- a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb
+++ b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb
@@ -1,22 +1,21 @@
<VirtualHost *:80>
- ServerName <%= webapp_domain %>
- ServerAlias <%= domain_name %>
- ServerAlias <%= domain %>
- ServerAlias www.<%= domain %>
+ ServerName <%= @webapp_domain %>
+ ServerAlias <%= @domain_name %>
+ ServerAlias <%= @domain %>
+ ServerAlias www.<%= @domain %>
RewriteEngine On
- RewriteRule ^.*$ https://<%= domain -%>%{REQUEST_URI} [R=permanent,L]
+ RewriteRule ^.*$ https://<%= @webapp_domain -%>%{REQUEST_URI} [R=permanent,L]
CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log common
</VirtualHost>
<VirtualHost *:443>
- ServerName <%= webapp_domain %>
- ServerAlias <%= domain_name %>
- ServerAlias <%= domain %>
- ServerAlias www.<%= domain %>
+ ServerName <%= @webapp_domain %>
+ ServerAlias <%= @domain_name %>
+ ServerAlias <%= @domain %>
+ ServerAlias www.<%= @domain %>
CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log common
SSLCACertificatePath /etc/ssl/certs
- SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::commercial_ca_name') %>.crt
SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.key
SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.crt
@@ -32,6 +31,12 @@
<% if (defined? @services) and (@services.include? 'webapp') -%>
DocumentRoot /srv/leap/webapp/public
+ <% if scope.function_guess_apache_version([]) == '2.4' %>
+ <Directory /srv/leap/webapp/public>
+ AllowOverride None
+ Require all granted
+ </Directory>
+ <% end %>
RewriteEngine On
# Check for maintenance file and redirect all requests
@@ -69,4 +74,3 @@
</DirectoryMatch>
<% end -%>
</VirtualHost>
-
diff --git a/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb
index 0c6f3b8e..232b1577 100644
--- a/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb
+++ b/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb
@@ -1,5 +1,5 @@
<VirtualHost 127.0.0.1:80>
- ServerName <%= tor_domain %>
+ ServerName <%= @tor_domain %>
<IfModule mod_headers.c>
Header always unset X-Powered-By
@@ -8,6 +8,12 @@
<% if (defined? @services) and (@services.include? 'webapp') -%>
DocumentRoot /srv/leap/webapp/public
+ <% if scope.function_guess_apache_version([]) == '2.4' %>
+ <Directory /srv/leap/webapp/public>
+ AllowOverride None
+ Require all granted
+ </Directory>
+ <% end %>
RewriteEngine On
# Check for maintenance file and redirect all requests
@@ -30,4 +36,20 @@
ExpiresDefault "access plus 1 year"
</Location>
<% end -%>
+
+<% if (defined? @services) and (@services.include? 'static') -%>
+ DocumentRoot "/srv/static/root/public"
+ <% if scope.function_guess_apache_version([]) == '2.4' %>
+ <Directory /srv/static/root/public>
+ AllowOverride None
+ Require all granted
+ </Directory>
+ <% end %>
+ AccessFileName .htaccess
+
+ Alias /provider.json /srv/leap/provider.json
+ <Location /provider.json>
+ Header set X-Minimum-Client-Version 0.5
+ </Location>
+<% end -%>
</VirtualHost>
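Review bot: In the new 'static' block, `AccessFileName .htaccess` sits next to a `<Directory /srv/static/root/public>` that sets `AllowOverride None`, so the two directives disagree about whether per-directory override files should be honoured. On 2.4 the `.htaccess` files are ignored, while on the older branch no `<Directory>` block is written and they may be processed, depending on the global `AllowOverride` setting. If overrides are not wanted for the static site, drop the `AccessFileName` line and set `AllowOverride None` for both versions. If they are wanted, say so in a comment and limit the scope, e.g. `AllowOverride FileInfo`.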