From 8b0910f1caf19884b6b46976b72536ee1f570ed5 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Tue, 15 Sep 2015 11:52:20 -0400
Subject: Fix server-status availability to tor hidden services (#7456)
Make the server-status information unavailable by putting the vhost on a port that isn't configured as available to the tor hidden-service.
Change-Id: Idd3bfefb5b7fc26fb0a8cf48cdf6afc68a4192bb
---
 puppet/modules/site_apache/manifests/common.pp | 21 +--------------------
 puppet/modules/site_apache/manifests/common/tls.pp | 6 ++++++
 2 files changed, 7 insertions(+), 20 deletions(-)
 create mode 100644 puppet/modules/site_apache/manifests/common/tls.pp
(limited to 'puppet/modules/site_apache/manifests')
diff --git a/puppet/modules/site_apache/manifests/common.pp b/puppet/modules/site_apache/manifests/common.pp
index 2b83ffa5..64beb231 100644
--- a/puppet/modules/site_apache/manifests/common.pp
+++ b/puppet/modules/site_apache/manifests/common.pp
@@ -1,27 +1,8 @@
 class site_apache::common {
- # installs x509 cert + key and common config
- # that both nagios + leap webapp use
-
- $web_domain = hiera('domain')
- $domain_name = $web_domain['name']
-
- include x509::variables
- include site_config::x509::commercial::cert
- include site_config::x509::commercial::key
- include site_config::x509::commercial::ca
-
- Class['Site_config::X509::Commercial::Key'] ~> Service[apache]
- Class['Site_config::X509::Commercial::Cert'] ~> Service[apache]
- Class['Site_config::X509::Commercial::Ca'] ~> Service[apache]
 include site_apache::module::rewrite
 class { '::apache': no_default_site => true, ssl => true }
- apache::vhost::file {
- 'common':
- content => template('site_apache/vhosts.d/common.conf.erb')
- }
-
- apache::config::include{ 'ssl_common.inc': }
+ include site_apache::common::tls
 }
diff --git a/puppet/modules/site_apache/manifests/common/tls.pp b/puppet/modules/site_apache/manifests/common/tls.pp
new file mode 100644
index 00000000..040868bf
--- /dev/null
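Review bot: The three `Class['Site_config::X509::Commercial::…'] ~> Service[apache]` notifications and the cert/key/ca includes are dropped from `site_apache::common` (hunk `@@ -1,27 +1,8 @@`), and nothing in this path-limited patch declares them again; the new `site_apache::common::tls` only includes `ssl_common.inc`. If they were not moved to a manifest outside `puppet/modules/site_apache/manifests`, a renewed certificate or key would be written to disk without Apache being restarted, and the old one would keep being served. The class also loses its only descriptive comment, so I would add one above `class site_apache::common {` along the lines of `# shared apache base; x509 material and the 'common' vhost are declared in <class that now owns them>`, with the placeholder filled in by the author.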
+++ b/puppet/modules/site_apache/manifests/common/tls.pp
@@ -0,0 +1,6 @@
+class site_apache::common::tls {
+ # class to setup common SSL configurations
+
+ apache::config::include{ 'ssl_common.inc': }
+
+}
-- cgit v1.2.3
From 20dd8f27004a5dac0ad68113f4b8038cb34bc791 Mon Sep 17 00:00:00 2001
From: varac
Date: Thu, 5 Nov 2015 21:13:31 +0100
Subject: [bug] [jessie] Load needed modules for apache 2.4 - Related: #6920
---
 puppet/modules/site_apache/manifests/common.pp | 20 +++++++++++++++++++-
 puppet/modules/site_apache/manifests/module/alias.pp | 5 -----
 .../modules/site_apache/manifests/module/expires.pp | 4 ----
 .../modules/site_apache/manifests/module/headers.pp | 5 -----
 .../modules/site_apache/manifests/module/removeip.pp | 5 -----
 .../modules/site_apache/manifests/module/rewrite.pp | 5 -----
 6 files changed, 19 insertions(+), 25 deletions(-)
 delete mode 100644 puppet/modules/site_apache/manifests/module/alias.pp
 delete mode 100644 puppet/modules/site_apache/manifests/module/expires.pp
 delete mode 100644 puppet/modules/site_apache/manifests/module/headers.pp
 delete mode 100644 puppet/modules/site_apache/manifests/module/removeip.pp
 delete mode 100644 puppet/modules/site_apache/manifests/module/rewrite.pp
(limited to 'puppet/modules/site_apache/manifests')
diff --git a/puppet/modules/site_apache/manifests/common.pp b/puppet/modules/site_apache/manifests/common.pp
index 64beb231..6d63f5e1 100644
--- a/puppet/modules/site_apache/manifests/common.pp
+++ b/puppet/modules/site_apache/manifests/common.pp
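Review bot: The new `site_apache::common::tls` class (tls.pp, `@@ -0,0 +1,6 @@`) does not record the invariant the commit message relies on: server-status stays private only while the vhost that serves it listens on a port the tor hidden service does not publish. Address-based rules would not act as a backstop if hidden-service requests reach Apache from loopback (not verifiable from this patch), so a later change that publishes another port could re-expose the status page without any manifest failing. I would replace `# class to setup common SSL configurations` with a comment placed above the `class` line, e.g. `# shared SSL settings only; keep any vhost serving /server-status off ports published by the tor hidden service (#7456)`.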
@@ -1,8 +1,26 @@
+# install basic apache modules needed for all services (nagios, webapp)
 class site_apache::common {
- include site_apache::module::rewrite
+ include apache::module::rewrite
+ include apache::module::env
 class { '::apache': no_default_site => true, ssl => true }
+ # needed for the mod_ssl config
+ include apache::module::mime
+
+ # load mods depending on apache version
+ if ( versioncmp($::apache_version, '2.4') >= 0 ) {
+ # apache >= 2.4, debian jessie
+ # needed for mod_ssl config
+ include apache::module::socache_shmcb
+ # generally needed
+ include apache::module::mpm_prefork
+ } else {
+ # apache < 2.4, debian wheezy
+ # for "Order" directive, i.e. main apache2.conf
+ include apache::module::authz_host
+ }
+
 include site_apache::common::tls
 }
diff --git a/puppet/modules/site_apache/manifests/module/alias.pp b/puppet/modules/site_apache/manifests/module/alias.pp
deleted file mode 100644
index c1f5e185..00000000
--- a/puppet/modules/site_apache/manifests/module/alias.pp
+++ /dev/null
@@ -1,5 +0,0 @@
-class site_apache::module::alias ( $ensure = present )
-{
-
- apache::module { 'alias': ensure => $ensure }
-}
diff --git a/puppet/modules/site_apache/manifests/module/expires.pp b/puppet/modules/site_apache/manifests/module/expires.pp
deleted file mode 100644
index f73a5607..00000000
--- a/puppet/modules/site_apache/manifests/module/expires.pp
+++ /dev/null
@@ -1,4 +0,0 @@
-class site_apache::module::expires ( $ensure = present )
-{
- apache::module { 'expires': ensure => $ensure }
-}
diff --git a/puppet/modules/site_apache/manifests/module/headers.pp b/puppet/modules/site_apache/manifests/module/headers.pp
deleted file mode 100644
index f7caa28c..00000000
--- a/puppet/modules/site_apache/manifests/module/headers.pp
+++ /dev/null
@@ -1,5 +0,0 @@
-class site_apache::module::headers ( $ensure = present )
-{
-
- apache::module {'headers': ensure => $ensure }
-}
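Review bot: The jessie branch of the new `if` in common.pp (`@@ -1,8 +1,26 @@`) loads no authorization module, while the wheezy branch loads `authz_host` only for the legacy `Order` directive. On Apache 2.4 `Require ip`, `Require host` and `Require local` are also provided by mod_authz_host, and `Order`/`Allow`/`Deny` need mod_access_compat, so any vhost template that restricts access by address depends on modules this class does not guarantee on jessie. The templates are not visible here and the distribution defaults may already cover it, but declaring it explicitly is cheap: move `include apache::module::authz_host` above the `if` so both releases get it. The comment `# generally needed` on `mpm_prefork` should name the actual reason prefork is required.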
diff --git a/puppet/modules/site_apache/manifests/module/removeip.pp b/puppet/modules/site_apache/manifests/module/removeip.pp
deleted file mode 100644
index f106167a..00000000
--- a/puppet/modules/site_apache/manifests/module/removeip.pp
+++ /dev/null
@@ -1,5 +0,0 @@
-class site_apache::module::removeip ( $ensure = present )
-{
- package { 'libapache2-mod-removeip': ensure => $ensure }
- apache::module { 'removeip': ensure => $ensure }
-}
diff --git a/puppet/modules/site_apache/manifests/module/rewrite.pp b/puppet/modules/site_apache/manifests/module/rewrite.pp
deleted file mode 100644
index 7ad00a0c..00000000
--- a/puppet/modules/site_apache/manifests/module/rewrite.pp
+++ /dev/null
@@ -1,5 +0,0 @@
-class site_apache::module::rewrite ( $ensure = present )
-{
-
- apache::module { 'rewrite': ensure => $ensure }
-}
-- cgit v1.2.3
From 5e78892e07d94d3d3da8d97fef9d67a15297070d Mon Sep 17 00:00:00 2001
From: varac
Date: Mon, 16 Nov 2015 13:46:35 +0100
Subject: [bug] use $lsbdistcodename to query apache version
Using $::apache_version won't work because the facts are evaluated before compiling the catalog and with this, before the installation of apache. so on an install from scratch, this fact won't contain anything.
---
 puppet/modules/site_apache/manifests/common.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'puppet/modules/site_apache/manifests')
diff --git a/puppet/modules/site_apache/manifests/common.pp b/puppet/modules/site_apache/manifests/common.pp
index 6d63f5e1..dadf7ea5 100644
--- a/puppet/modules/site_apache/manifests/common.pp
+++ b/puppet/modules/site_apache/manifests/common.pp
@@ -10,7 +10,7 @@ class site_apache::common {
 include apache::module::mime
 # load mods depending on apache version
- if ( versioncmp($::apache_version, '2.4') >= 0 ) {
+ if ( $::lsbdistcodename == 'jessie' ) {
 # apache >= 2.4, debian jessie
 # needed for mod_ssl config
 include apache::module::socache_shmcb
-- cgit v1.2.3
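Review bot: The new condition `if ( $::lsbdistcodename == 'jessie' ) {` in common.pp (`@@ -10,7 +10,7 @@`) sends every host that is not exactly jessie into the `else` branch, which the code documents as apache < 2.4. That covers any later Debian release and any host where the fact is empty (on Facter versions that derive it from lsb_release it is only set when that tool is installed), and such hosts would be configured without `socache_shmcb`, which the comment says the mod_ssl config needs. Testing for the legacy release instead gives newer systems the 2.4 module set by default: `if ( $::lsbdistcodename != 'wheezy' ) {`. The context comment `# load mods depending on apache version` is now stale and could read `# load mods depending on the Debian release (stands in for the apache version)`; the `if` block continues past the end of this hunk.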
From a33a7d634ab33f46814bd154882f3b1c9b3b3978 Mon Sep 17 00:00:00 2001
From: varac
Date: Thu, 25 Feb 2016 15:59:55 +0100
Subject: remove couchdb_pwhash_alg leftover
---
 puppet/modules/site_apache/manifests/common.pp | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
(limited to 'puppet/modules/site_apache/manifests')
diff --git a/puppet/modules/site_apache/manifests/common.pp b/puppet/modules/site_apache/manifests/common.pp
index dadf7ea5..8a11759a 100644
--- a/puppet/modules/site_apache/manifests/common.pp
+++ b/puppet/modules/site_apache/manifests/common.pp
@@ -4,7 +4,11 @@ class site_apache::common {
 include apache::module::rewrite
 include apache::module::env
- class { '::apache': no_default_site => true, ssl => true }
+ class { '::apache':
+ no_default_site => true,
+ ssl => true,
+ ssl_cipher_suite => 'HIGH:MEDIUM:!aNULL:!MD5'
+ }
 # needed for the mod_ssl config
 include apache::module::mime
-- cgit v1.2.3
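Review bot: The added `ssl_cipher_suite => 'HIGH:MEDIUM:!aNULL:!MD5'` still admits RC4 and 3DES suites on the OpenSSL releases of that period, because `MEDIUM` includes the 128-bit RC4 suites and 3DES is classed under `HIGH` or `MEDIUM` depending on the OpenSSL version. Unless a known client population needs them, tighten the string, e.g. `ssl_cipher_suite => 'HIGH:!aNULL:!MD5:!RC4:!3DES',`, and consider reading it from hiera so it can be updated without a code change. The commit subject ("remove couchdb_pwhash_alg leftover") does not mention this TLS change, which makes a security-relevant setting hard to find in history. Whether `ssl_common.inc` sets its own `SSLCipherSuite` that takes precedence is not visible in this patch.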