From 2e5657647ed790eec8bd679c47eb57bd4eaed621 Mon Sep 17 00:00:00 2001 From: elijah Date: Fri, 3 Jun 2016 12:02:09 -0700 Subject: auto run bundler when needed for site_static --- puppet/modules/site_static/manifests/location.pp | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'puppet/modules/site_static') diff --git a/puppet/modules/site_static/manifests/location.pp b/puppet/modules/site_static/manifests/location.pp index d116de2f..ab2b7494 100644 --- a/puppet/modules/site_static/manifests/location.pp +++ b/puppet/modules/site_static/manifests/location.pp @@ -23,6 +23,19 @@ define site_static::location($path, $format, $source) { } } + if ($format == 'rack') { + # Run bundler if there is a Gemfile + exec { 'bundler_update': + cwd => $file_path, + command => '/bin/bash -c "/usr/bin/bundle check --path vendor/bundle || /usr/bin/bundle install --path vendor/bundle --without test development debug"', + unless => '/usr/bin/bundle check --path vendor/bundle', + onlyif => 'test -f Gemfile', + user => 'www-data', + timeout => 600, + require => [Class['bundler::install'], Class['site_config::ruby::dev']]; + } + } + vcsrepo { $file_path: ensure => present, force => true, -- cgit v1.2.3 From b21a3e9126a1734b2cea975e57b5c9e8206f12fa Mon Sep 17 00:00:00 2001 From: elijah Date: Mon, 27 Jun 2016 15:49:30 -0700 Subject: Fix the permissions on the DOMAIN/provider.json file for static sites. --- puppet/modules/site_static/manifests/init.pp | 22 ++++++++++++++++++---- .../modules/site_static/templates/apache.conf.erb | 8 ++++++-- 2 files changed, 24 insertions(+), 6 deletions(-) (limited to 'puppet/modules/site_static') diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp index 4a722d62..8063d432 100644 --- a/puppet/modules/site_static/manifests/init.pp +++ b/puppet/modules/site_static/manifests/init.pp @@ -13,20 +13,34 @@ class site_static { $bootstrap = $static['bootstrap_files'] $tor = hiera('tor', false) + file { + '/srv/static/': + ensure => 'directory', + owner => 'root', + group => 'root', + mode => '0744'; + '/srv/static/public': + ensure => 'directory', + owner => 'root', + group => 'root', + mode => '0744'; + } + if $bootstrap['enabled'] { $bootstrap_domain = $bootstrap['domain'] $bootstrap_client = $bootstrap['client_version'] - file { '/srv/leap/provider.json': + file { '/srv/static/public/provider.json': content => $bootstrap['provider_json'], owner => 'www-data', group => 'www-data', - mode => '0444'; + mode => '0444', + notify => Service[apache]; } # It is important to always touch provider.json: the client needs to check x-min-client-version header, # but this is only sent when the file has been modified (otherwise 304 is sent by apache). The problem # is that changing min client version won't alter the content of provider.json, so we must touch it. - exec { '/bin/touch /srv/leap/provider.json': - require => File['/srv/leap/provider.json']; + exec { '/bin/touch /srv/static/public/provider.json': + require => File['/srv/static/public/provider.json']; } } diff --git a/puppet/modules/site_static/templates/apache.conf.erb b/puppet/modules/site_static/templates/apache.conf.erb index 6b969d1c..b3e5fc09 100644 --- a/puppet/modules/site_static/templates/apache.conf.erb +++ b/puppet/modules/site_static/templates/apache.conf.erb @@ -23,6 +23,10 @@ bootstrap_client = scope.lookupvar('site_static::bootstrap_client') -%> + + Require all granted + + ServerName <%= @domain %> ServerAlias www.<%= @domain %> @@ -46,7 +50,7 @@ #RewriteLogLevel 3 Include include.d/ssl_common.inc - + <%- if @tls_only -%> Header always set Strict-Transport-Security: "max-age=15768000;includeSubdomains" <%- end -%> @@ -63,7 +67,7 @@ AccessFileName .htaccess <%- if ([@aliases]+[@domain]).flatten.include?(bootstrap_domain) -%> - Alias /provider.json /srv/leap/provider.json + Alias /provider.json /srv/static/public/provider.json Header set X-Minimum-Client-Version <%= bootstrap_client['min'] %> -- cgit v1.2.3 From 29d6b7dbbc3b9d8b11f0b215cad894fcfca9989c Mon Sep 17 00:00:00 2001 From: Micah Date: Thu, 23 Jun 2016 12:08:54 -0400 Subject: Make static tor hidden services work (#8212). When tor hidden services were enabled for static sites, only a very basic configuration was setup and it didn't take into account the different location configurations that can be configured for a static site. This commit resolves that by making a site_static::hidden_service class similar to the site_webapp::hidden_service class, and fixes up the apache vhost template to properly create the location blocks for the hidden service vhost. Change-Id: Ice3586f4173bd2d1bd3defca29d21c7403d5a03a --- .../site_static/manifests/hidden_service.pp | 37 ++++++++++++++++++ puppet/modules/site_static/manifests/init.pp | 20 +++++----- .../modules/site_static/templates/apache.conf.erb | 45 +++++++++++++++++++++- 3 files changed, 91 insertions(+), 11 deletions(-) create mode 100644 puppet/modules/site_static/manifests/hidden_service.pp (limited to 'puppet/modules/site_static') diff --git a/puppet/modules/site_static/manifests/hidden_service.pp b/puppet/modules/site_static/manifests/hidden_service.pp new file mode 100644 index 00000000..f1f15f8e --- /dev/null +++ b/puppet/modules/site_static/manifests/hidden_service.pp @@ -0,0 +1,37 @@ +# create hidden service for static sites +class site_static::hidden_service { + + include tor::daemon + tor::daemon::hidden_service { 'static': ports => [ '80 127.0.0.1:80'] } + file { + '/var/lib/tor/webapp/': + ensure => directory, + owner => 'debian-tor', + group => 'debian-tor', + mode => '2700'; + + '/var/lib/tor/static/private_key': + ensure => present, + source => "/srv/leap/files/nodes/${::hostname}/tor.key", + owner => 'debian-tor', + group => 'debian-tor', + mode => '0600', + notify => Service['tor']; + + '/var/lib/tor/static/hostname': + ensure => present, + content => "${::site_static::tor_domain}\n", + owner => 'debian-tor', + group => 'debian-tor', + mode => '0600', + notify => Service['tor']; + } + + # it is necessary to zero out the config of the status module + # because we are configuring our own version that is unavailable + # over the hidden service (see: #7456 and #7776) + apache::module { 'status': ensure => present, conf_content => ' ' } + + include site_shorewall::tor +} + diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp index 8063d432..4912fbab 100644 --- a/puppet/modules/site_static/manifests/init.pp +++ b/puppet/modules/site_static/manifests/init.pp @@ -7,11 +7,14 @@ class site_static { include site_config::x509::key include site_config::x509::ca_bundle - $static = hiera('static') - $domains = $static['domains'] - $formats = $static['formats'] - $bootstrap = $static['bootstrap_files'] - $tor = hiera('tor', false) + $static = hiera('static') + $domains = $static['domains'] + $formats = $static['formats'] + $bootstrap = $static['bootstrap_files'] + + $tor = hiera('tor', false) + $hidden_service = $tor['hidden_service'] + $tor_domain = "${hidden_service['address']}.onion" file { '/srv/static/': @@ -71,15 +74,14 @@ class site_static { } } - create_resources(site_static::domain, $domains) - if $tor { - $hidden_service = $tor['hidden_service'] if $hidden_service['active'] { - include site_webapp::hidden_service + include site_static::hidden_service } } + create_resources(site_static::domain, $domains) + include site_shorewall::defaults include site_shorewall::service::http include site_shorewall::service::https diff --git a/puppet/modules/site_static/templates/apache.conf.erb b/puppet/modules/site_static/templates/apache.conf.erb index b3e5fc09..2013e5ee 100644 --- a/puppet/modules/site_static/templates/apache.conf.erb +++ b/puppet/modules/site_static/templates/apache.conf.erb @@ -27,12 +27,52 @@ Require all granted +<%- if @tor -%> + + ServerName <%= @tor_domain %> + ServerAlias www.<%= @tor_domain %> + + + Header set X-Frame-Options "deny" + Header always unset X-Powered-By + Header always unset X-Runtime + + + DocumentRoot "/<%= @document_root %>/" + AccessFileName .htaccess + +<%- if ([@aliases]+[@domain]).flatten.include?(bootstrap_domain) -%> + Alias /provider.json /srv/leap/provider.json + + Header set X-Minimum-Client-Version <%= bootstrap_client['min'] %> + +<%- end -%> + +<%- if @apache_config -%> +<%= @apache_config.gsub(':percent:','%') %> +<%- end -%> + +<%- @locations && @locations.each do |name, location| -%> +<%- location_path = location['path'].gsub(%r{^/|/$}, '') -%> +<%- directory = location_directory(name, location) -%> +<%- local_vars = {'location_path'=>location_path, 'directory'=>directory, 'location'=>location, 'name'=>name} -%> +<%- template_path = File.join(File.dirname(__FILE__), location['format']) + '.erb' -%> +<%- break unless File.exists?(template_path) -%> + ## + ## <%= name %> (<%= location['format'] %>) + ## +<%= scope.function_templatewlv([template_path, local_vars]) %> +<%- end -%> +<%- end -%> + + ServerName <%= @domain %> ServerAlias www.<%= @domain %> <%- @aliases && @aliases.each do |domain_alias| -%> ServerAlias <%= domain_alias %> <%- end -%> + <%- if @tls_only -%> RewriteEngine On RewriteRule ^.*$ https://<%= @domain -%>%{REQUEST_URI} [R=permanent,L] @@ -50,13 +90,15 @@ #RewriteLogLevel 3 Include include.d/ssl_common.inc - + + <%- if @tls_only -%> Header always set Strict-Transport-Security: "max-age=15768000;includeSubdomains" <%- end -%> Header set X-Frame-Options "deny" Header always unset X-Powered-By Header always unset X-Runtime + SSLCertificateKeyFile /etc/x509/keys/<%= @domain %>.key SSLCertificateFile /etc/x509/certs/<%= @domain %>.crt @@ -88,5 +130,4 @@ ## <%= scope.function_templatewlv([template_path, local_vars]) %> <%- end -%> - -- cgit v1.2.3 From 8e0fdbb46761505b9188c9ea2a6c0df0c55ac458 Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 28 Jun 2016 21:56:31 -0400 Subject: Fix for when tor is not an array. When tor is not configured, then its possible to get this error on deploy: Error: tor is not a hash or array when accessing it with hidden_service at /srv/leap/puppet/modules/site_static/manifests/init.pp:16 on node rewdevstatic1.rewire.org This commit only accesses the array when its enabled. Change-Id: Ia75ac7a51179da980966adba0cc614b9cd642b0c --- puppet/modules/site_static/manifests/init.pp | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'puppet/modules/site_static') diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp index 4912fbab..0acfc223 100644 --- a/puppet/modules/site_static/manifests/init.pp +++ b/puppet/modules/site_static/manifests/init.pp @@ -11,10 +11,7 @@ class site_static { $domains = $static['domains'] $formats = $static['formats'] $bootstrap = $static['bootstrap_files'] - $tor = hiera('tor', false) - $hidden_service = $tor['hidden_service'] - $tor_domain = "${hidden_service['address']}.onion" file { '/srv/static/': @@ -75,6 +72,8 @@ class site_static { } if $tor { + $hidden_service = $tor['hidden_service'] + $tor_domain = "${hidden_service['address']}.onion" if $hidden_service['active'] { include site_static::hidden_service } -- cgit v1.2.3 From cfb91a199c8c205b99c4424df77b0b6ed20e4288 Mon Sep 17 00:00:00 2001 From: elijah Date: Thu, 30 Jun 2016 12:15:39 -0700 Subject: fix static site apache config --- puppet/modules/site_static/templates/amber.erb | 8 +- .../modules/site_static/templates/apache.conf.erb | 122 ++++++++++++--------- puppet/modules/site_static/templates/rack.erb | 6 +- 3 files changed, 79 insertions(+), 57 deletions(-) (limited to 'puppet/modules/site_static') diff --git a/puppet/modules/site_static/templates/amber.erb b/puppet/modules/site_static/templates/amber.erb index 694f1136..b34458c3 100644 --- a/puppet/modules/site_static/templates/amber.erb +++ b/puppet/modules/site_static/templates/amber.erb @@ -4,10 +4,10 @@ <%- end -%> /"> AllowOverride FileInfo Indexes Options=All,MultiViews -<% if scope.function_guess_apache_version([]) == '2.4' %> +<%- if scope.function_guess_apache_version([]) == '2.4' -%> Require all granted -<% else %> +<%- else -%> Order deny,allow Allow from all -<% end %> - +<%- end -%> + \ No newline at end of file diff --git a/puppet/modules/site_static/templates/apache.conf.erb b/puppet/modules/site_static/templates/apache.conf.erb index 2013e5ee..af9a520d 100644 --- a/puppet/modules/site_static/templates/apache.conf.erb +++ b/puppet/modules/site_static/templates/apache.conf.erb @@ -11,6 +11,9 @@ end end + # + # document root + # @document_root = begin root = '/var/www' @locations && @locations.each do |name, location| @@ -19,8 +22,52 @@ root.gsub(%r{^/|/$}, '') end + # + # provider.json + # + # if the domain is a bootstrap domain, we need to expose + # a /provider.json file. + # bootstrap_domain = scope.lookupvar('site_static::bootstrap_domain') bootstrap_client = scope.lookupvar('site_static::bootstrap_client') + if ([@aliases]+[@domain]).flatten.include?(bootstrap_domain) + provider_json = \ +%( + Alias /provider.json /srv/static/public/provider.json + + Header set X-Minimum-Client-Version #{bootstrap_client['min']} + +) + else + provider_json = "" + end + + # + # locations + # + locations = "" + @locations && @locations.each do |name, location| + location_path = location['path'].gsub(%r{^/|/$}, '') + directory = location_directory(name, location) + local_vars = {'location_path'=>location_path, 'directory'=>directory, 'location'=>location, 'name'=>name} + template_path = File.join(File.dirname(__FILE__), location['format']) + '.erb' + break unless File.exists?(template_path) + locations += \ +%( + # + # #{name} (#{location['format']}) + # +#{scope.function_templatewlv([template_path, local_vars])} +) + end + + # + # allow custom apache config + # + custom_apache_config = if @apache_config + @apache_config.gsub(':percent:','%') + end + -%> @@ -28,6 +75,9 @@ <%- if @tor -%> +## +## Tor +## ServerName <%= @tor_domain %> ServerAlias www.<%= @tor_domain %> @@ -41,31 +91,15 @@ DocumentRoot "/<%= @document_root %>/" AccessFileName .htaccess -<%- if ([@aliases]+[@domain]).flatten.include?(bootstrap_domain) -%> - Alias /provider.json /srv/leap/provider.json - - Header set X-Minimum-Client-Version <%= bootstrap_client['min'] %> - -<%- end -%> - -<%- if @apache_config -%> -<%= @apache_config.gsub(':percent:','%') %> -<%- end -%> - -<%- @locations && @locations.each do |name, location| -%> -<%- location_path = location['path'].gsub(%r{^/|/$}, '') -%> -<%- directory = location_directory(name, location) -%> -<%- local_vars = {'location_path'=>location_path, 'directory'=>directory, 'location'=>location, 'name'=>name} -%> -<%- template_path = File.join(File.dirname(__FILE__), location['format']) + '.erb' -%> -<%- break unless File.exists?(template_path) -%> - ## - ## <%= name %> (<%= location['format'] %>) - ## -<%= scope.function_templatewlv([template_path, local_vars]) %> -<%- end -%> -<%- end -%> +<%= provider_json %> +<%= custom_apache_config %> +<%= locations %> +<%- end -%> +## +## HTTP +## ServerName <%= @domain %> ServerAlias www.<%= @domain %> @@ -76,9 +110,16 @@ <%- if @tls_only -%> RewriteEngine On RewriteRule ^.*$ https://<%= @domain -%>%{REQUEST_URI} [R=permanent,L] +<%- else -%> +<%= provider_json %> +<%= custom_apache_config %> +<%= locations %> <%- end -%> +## +## HTTPS +## ServerName <%= @domain %> ServerAlias www.<%= @domain %> @@ -90,14 +131,14 @@ #RewriteLogLevel 3 Include include.d/ssl_common.inc - + <%- if @tls_only -%> - Header always set Strict-Transport-Security: "max-age=15768000;includeSubdomains" + Header always set Strict-Transport-Security: "max-age=15768000;includeSubdomains" <%- end -%> - Header set X-Frame-Options "deny" - Header always unset X-Powered-By - Header always unset X-Runtime + Header set X-Frame-Options "deny" + Header always unset X-Powered-By + Header always unset X-Runtime SSLCertificateKeyFile /etc/x509/keys/<%= @domain %>.key @@ -108,26 +149,7 @@ DocumentRoot "/<%= @document_root %>/" AccessFileName .htaccess -<%- if ([@aliases]+[@domain]).flatten.include?(bootstrap_domain) -%> - Alias /provider.json /srv/static/public/provider.json - - Header set X-Minimum-Client-Version <%= bootstrap_client['min'] %> - -<%- end -%> - -<%- if @apache_config -%> -<%= @apache_config.gsub(':percent:','%') %> -<%- end -%> - -<%- @locations && @locations.each do |name, location| -%> -<%- location_path = location['path'].gsub(%r{^/|/$}, '') -%> -<%- directory = location_directory(name, location) -%> -<%- local_vars = {'location_path'=>location_path, 'directory'=>directory, 'location'=>location, 'name'=>name} -%> -<%- template_path = File.join(File.dirname(__FILE__), location['format']) + '.erb' -%> -<%- break unless File.exists?(template_path) -%> - ## - ## <%= name %> (<%= location['format'] %>) - ## -<%= scope.function_templatewlv([template_path, local_vars]) %> -<%- end -%> +<%= provider_json %> +<%= custom_apache_config %> +<%= locations %> diff --git a/puppet/modules/site_static/templates/rack.erb b/puppet/modules/site_static/templates/rack.erb index 431778bb..1cbf84d2 100644 --- a/puppet/modules/site_static/templates/rack.erb +++ b/puppet/modules/site_static/templates/rack.erb @@ -10,10 +10,10 @@ <%- end -%> "> Options -MultiViews -<% if scope.function_guess_apache_version([]) == '2.4' %> +<%- if scope.function_guess_apache_version([]) == '2.4' -%> Require all granted -<% else %> +<%- else -%> Order deny,allow Allow from all -<% end %> +<%- end -%> -- cgit v1.2.3 From 2aa19e3197e592ecabfa8d8b8ec29735b951ed08 Mon Sep 17 00:00:00 2001 From: elijah Date: Thu, 21 Jul 2016 21:11:31 -0700 Subject: fix site_static's call to passenger --- puppet/modules/site_static/manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/site_static') diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp index 0acfc223..462e6e05 100644 --- a/puppet/modules/site_static/manifests/init.pp +++ b/puppet/modules/site_static/manifests/init.pp @@ -56,7 +56,7 @@ class site_static { if (member($formats, 'rack')) { include site_apt::preferences::passenger class { 'passenger': - use_munin => false, + manage_munin => false, require => Class['site_apt::preferences::passenger'] } } -- cgit v1.2.3 From 90e4bca777f6edfbde29b590313cf938f75c53a7 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 5 Sep 2016 14:18:55 +0200 Subject: [style] lint ::site_static class --- puppet/modules/site_static/manifests/init.pp | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) (limited to 'puppet/modules/site_static') diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp index 462e6e05..824619b4 100644 --- a/puppet/modules/site_static/manifests/init.pp +++ b/puppet/modules/site_static/manifests/init.pp @@ -16,14 +16,14 @@ class site_static { file { '/srv/static/': ensure => 'directory', - owner => 'root', - group => 'root', - mode => '0744'; + owner => 'root', + group => 'root', + mode => '0744'; '/srv/static/public': ensure => 'directory', - owner => 'root', - group => 'root', - mode => '0744'; + owner => 'root', + group => 'root', + mode => '0744'; } if $bootstrap['enabled'] { @@ -57,7 +57,7 @@ class site_static { include site_apt::preferences::passenger class { 'passenger': manage_munin => false, - require => Class['site_apt::preferences::passenger'] + require => Class['site_apt::preferences::passenger'] } } -- cgit v1.2.3 From a063280eab5e8749c74381aabbe641c30887e9f6 Mon Sep 17 00:00:00 2001 From: elijah Date: Fri, 2 Sep 2016 12:35:09 -0700 Subject: [bugfix] static sites: only enable hidden service by default if one domain is configured The problem is that we have a single onion address per server, so if more than one domain is configured we need to make sure they don't both try to use the same onion address. --- puppet/modules/site_static/manifests/domain.pp | 1 + puppet/modules/site_static/manifests/init.pp | 8 ++++++++ puppet/modules/site_static/templates/apache.conf.erb | 2 +- 3 files changed, 10 insertions(+), 1 deletion(-) (limited to 'puppet/modules/site_static') diff --git a/puppet/modules/site_static/manifests/domain.pp b/puppet/modules/site_static/manifests/domain.pp index b26cc9e3..6cf2c653 100644 --- a/puppet/modules/site_static/manifests/domain.pp +++ b/puppet/modules/site_static/manifests/domain.pp @@ -4,6 +4,7 @@ define site_static::domain ( $key, $cert, $tls_only=true, + $use_hidden_service=false, $locations=undef, $aliases=undef, $apache_config=undef) { diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp index 824619b4..dd3f912d 100644 --- a/puppet/modules/site_static/manifests/init.pp +++ b/puppet/modules/site_static/manifests/init.pp @@ -77,6 +77,14 @@ class site_static { if $hidden_service['active'] { include site_static::hidden_service } + # Currently, we only support a single hidden service address per server. + # So if there is more than one domain configured, then we need to make sure + # we don't enable the hidden service for every domain. + if size(keys($domains)) == 1 { + $always_use_hidden_service = true + } else { + $always_use_hidden_service = false + } } create_resources(site_static::domain, $domains) diff --git a/puppet/modules/site_static/templates/apache.conf.erb b/puppet/modules/site_static/templates/apache.conf.erb index af9a520d..dd04ca43 100644 --- a/puppet/modules/site_static/templates/apache.conf.erb +++ b/puppet/modules/site_static/templates/apache.conf.erb @@ -74,7 +74,7 @@ Require all granted -<%- if @tor -%> +<%- if @tor && (@always_use_hidden_service || @use_hidden_service) -%> ## ## Tor ## -- cgit v1.2.3