From 8b0910f1caf19884b6b46976b72536ee1f570ed5 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 15 Sep 2015 11:52:20 -0400 Subject: Fix server-status availability to tor hidden services (#7456) Make the server-status information unavailable by putting the vhost on a port that isn't configured as available to the tor hidden-service. Change-Id: Idd3bfefb5b7fc26fb0a8cf48cdf6afc68a4192bb --- puppet/modules/site_static/manifests/init.pp | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) (limited to 'puppet/modules/site_static') diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp index 1efc510b..f69ffba7 100644 --- a/puppet/modules/site_static/manifests/init.pp +++ b/puppet/modules/site_static/manifests/init.pp @@ -9,6 +9,7 @@ class site_static { $domains = $static['domains'] $formats = $static['formats'] $bootstrap = $static['bootstrap_files'] + $tor = hiera('tor', false) if $bootstrap['enabled'] { $bootstrap_domain = $bootstrap['domain'] @@ -27,14 +28,11 @@ class site_static { } } - class { '::apache': no_default_site => true, ssl => true } include site_apache::module::headers include site_apache::module::alias include site_apache::module::expires include site_apache::module::removeip - include site_apache::module::rewrite - apache::config::include{ 'ssl_common.inc': } - + include site_apache::common include site_config::ruby::dev if (member($formats, 'rack')) { @@ -57,6 +55,13 @@ class site_static { create_resources(site_static::domain, $domains) + if $tor { + $hidden_service = $tor['hidden_service'] + if $hidden_service['active'] { + include site_webapp::hidden_service + } + } + include site_shorewall::defaults include site_shorewall::service::http include site_shorewall::service::https -- cgit v1.2.3 From 33b9876af4af85504107aae20feb57aaab5a17ad Mon Sep 17 00:00:00 2001 
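Review bot: In the second hunk the explicit `class { '::apache': no_default_site => true, ssl => true }` declaration gives way to `include site_apache::common`, and nothing in this diff shows that class still disabling the default site or enabling SSL. Since the commit exists to keep server-status away from the hidden service, a default vhost that quietly returns would matter here. Once checked against that class, a comment such as `# site_apache::common declares ::apache with no_default_site and ssl` above the include would make the dependency visible to the next reader. class site_static begins and ends outside the hunk.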
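Review bot: In the last hunk `$hidden_service = $tor['hidden_service']` is followed directly by `$hidden_service['active']`, with no check that the `hidden_service` key is present in the hiera data. A `tor` hash without that key then either fails catalog compilation or silently skips the include, depending on the Puppet version; `if $hidden_service and $hidden_service['active'] {` makes the intent explicit. The protection described in the commit message (the status vhost on a port the hidden service does not map) is not visible in this file, so a comment like `# site_webapp::hidden_service keeps server-status off the onion-mapped port` would record why a static-site class pulls in a webapp class.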
From: elijah Date: Sun, 11 Oct 2015 20:36:07 -0700 Subject: russian text requires amber 0.3.8 --- puppet/modules/site_static/manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/site_static') diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp index f69ffba7..8df53075 100644 --- a/puppet/modules/site_static/manifests/init.pp +++ b/puppet/modules/site_static/manifests/init.pp @@ -44,7 +44,7 @@ class site_static { } if (member($formats, 'amber')) { - rubygems::gem{'amber-0.3.7': + rubygems::gem{'amber-0.3.8': require => Package['zlib1g-dev'] } -- cgit v1.2.3 From 91c638f7d30243f0c5c079659bd3bd1d32a7cc7c Mon Sep 17 00:00:00 2001 From: Micah Date: Mon, 19 Oct 2015 20:57:07 -0400 Subject: change apache header set for HSTS to be always, otherwise it wont be set for redirects (#7540) Change-Id: Ic77c64c03a99dad951f42633de04c352bed17c1e --- puppet/modules/site_static/templates/apache.conf.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/site_static') diff --git a/puppet/modules/site_static/templates/apache.conf.erb b/puppet/modules/site_static/templates/apache.conf.erb index 4d61cc08..2853c5c7 100644 --- a/puppet/modules/site_static/templates/apache.conf.erb +++ b/puppet/modules/site_static/templates/apache.conf.erb @@ -48,7 +48,7 @@ Include include.d/ssl_common.inc <%- if @tls_only -%> - Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains" + Header always set Strict-Transport-Security: "max-age=15768000;includeSubdomains" <%- end -%> Header set X-Frame-Options "deny" Header always unset X-Powered-By -- cgit v1.2.3 From 1629778659d1e7bf19f14fd42ad675169e88962c Mon Sep 17 00:00:00 2001 
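Review bot: Only the Strict-Transport-Security line moves to the `always` table in the apache.conf.erb hunk; the context line right below it, `Header set X-Frame-Options "deny"`, still uses the default onsuccess table. Redirects and error responses will therefore carry HSTS but not the framing header. For consistency it could become `Header always set X-Frame-Options "deny"`, and a short comment such as `# 'always' so the header is also sent on redirects and error responses` would keep a later edit from reverting the condition.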
From: Micah Date: Tue, 24 Nov 2015 20:17:55 -0500 Subject: fix site_apache module class names that were renamed (#7636) Change-Id: Iea1242b3c27d92cef7b217006211e57631fd7e62 --- puppet/modules/site_static/manifests/init.pp | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'puppet/modules/site_static') diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp index 8df53075..3b95ff13 100644 --- a/puppet/modules/site_static/manifests/init.pp +++ b/puppet/modules/site_static/manifests/init.pp @@ -28,10 +28,10 @@ class site_static { } } - include site_apache::module::headers - include site_apache::module::alias - include site_apache::module::expires - include site_apache::module::removeip + include apache::module::headers + include apache::module::alias + include apache::module::expires + include apache::module::removeip include site_apache::common include site_config::ruby::dev -- cgit v1.2.3 From 8a07c4d039eef1b73d9d03d4be215a43b255bfc4 Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 24 Nov 2015 21:02:20 -0500 Subject: fix missing apache modules (#7638) Change-Id: I77fa50990b5ae60074c54738e8c19929b486d1d0 --- puppet/modules/site_static/manifests/init.pp | 2 ++ 1 file changed, 2 insertions(+) (limited to 'puppet/modules/site_static') diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp index 3b95ff13..e317f580 100644 --- a/puppet/modules/site_static/manifests/init.pp +++ b/puppet/modules/site_static/manifests/init.pp @@ -32,6 +32,8 @@ class site_static { include apache::module::alias include apache::module::expires include apache::module::removeip + include apache::module::dir + include apache::module::negotiation include site_apache::common include site_config::ruby::dev -- cgit v1.2.3 From 150579fb14716892cc3e4d7d9c0f81b30d56f03a Mon Sep 17 00:00:00 2001 
From: varac Date: Mon, 13 Apr 2015 23:16:00 +0200 Subject: restructured site.pp, now only one class gets included in site.pp per service (Bug #6851) Also, moved global Exec{} defaults to site.pp Change-Id: I9ae91b77afde944d2f1312613b9d9030e32239dd --- puppet/modules/site_static/manifests/init.pp | 1 + 1 file changed, 1 insertion(+) (limited to 'puppet/modules/site_static') diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp index e317f580..76ee6e19 100644 --- a/puppet/modules/site_static/manifests/init.pp +++ b/puppet/modules/site_static/manifests/init.pp @@ -1,6 +1,7 @@ class site_static { tag 'leap_service' + include site_config::default include site_config::x509::cert include site_config::x509::key include site_config::x509::ca_bundle -- cgit v1.2.3 From 33cf7e313cf9dfa2e5ac0e8eeb91cacb016ebe62 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 27 Jan 2016 21:03:58 +0100 Subject: [refactor] Optimize static apache vhost templates - Related: #7853 --- puppet/modules/site_static/templates/amber.erb | 10 ++-------- puppet/modules/site_static/templates/rack.erb | 10 ++-------- 2 files changed, 4 insertions(+), 16 deletions(-) (limited to 'puppet/modules/site_static') diff --git a/puppet/modules/site_static/templates/amber.erb b/puppet/modules/site_static/templates/amber.erb index 17dc2ad6..48df555e 100644 --- a/puppet/modules/site_static/templates/amber.erb +++ b/puppet/modules/site_static/templates/amber.erb @@ -1,15 +1,9 @@ -<%- if @location_path == '' -%> - /"> - AllowOverride FileInfo Indexes Options=All,MultiViews - Order deny,allow - Allow from all - -<%- else -%> +<%- if @location_path != '' -%> AliasMatch ^/[a-z]{2}/<%=@location_path%>(/.+|/|)$ "<%=@directory%>/$1" Alias /<%=@location_path%> "<%=@directory%>/" +<%- end -%> /"> AllowOverride FileInfo Indexes Options=All,MultiViews Order deny,allow Allow from all -<%- end -%> 
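Review bot: The access block that the amber.erb hunk now emits for every location keeps `AllowOverride FileInfo Indexes Options=All,MultiViews`, which lets a `.htaccess` file inside the site content switch on any Options flag, including ExecCGI and Includes. That content appears to come from a repository checkout (location.pp subscribes to a Vcsrepo), so whoever can commit there can change how Apache treats the directory. If the amber output only needs content negotiation, `AllowOverride FileInfo Indexes Options=MultiViews` is the tighter setting. The `<%=@location_path%>` value in the AliasMatch line is also placed into a regular expression unescaped; `<%= Regexp.escape(@location_path) %>` would keep a path containing `.` or `+` from widening the match.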
diff --git a/puppet/modules/site_static/templates/rack.erb b/puppet/modules/site_static/templates/rack.erb index aae91f1c..d70d3ddb 100644 --- a/puppet/modules/site_static/templates/rack.erb +++ b/puppet/modules/site_static/templates/rack.erb @@ -1,21 +1,15 @@ #PassengerLogLevel 1 #PassengerAppEnv production #PassengerFriendlyErrorPages on -<%- if @location_path == '' -%> - "> - Order deny,allow - Allow from all - Options -MultiViews - -<%- else -%> +<%- if @location_path != '' -%> Alias /<%=@location_path%> "<%=@directory%>" > PassengerBaseURI /<%=@location_path%> PassengerAppRoot "<%=File.dirname(@directory)%>" +<%- end -%> "> Order deny,allow Allow from all Options -MultiViews -<%- end -%> -- cgit v1.2.3 From 8effa368557761c23f5496d4a26554b9cec6036c Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 27 Jan 2016 21:12:07 +0100 Subject: [bug] [jessie] Fix apache 2.4 auth directives - Resolves: #7853 --- puppet/modules/site_static/templates/amber.erb | 4 ++++ puppet/modules/site_static/templates/rack.erb | 6 +++++- 2 files changed, 9 insertions(+), 1 deletion(-) (limited to 'puppet/modules/site_static') diff --git a/puppet/modules/site_static/templates/amber.erb b/puppet/modules/site_static/templates/amber.erb index 48df555e..694f1136 100644 --- a/puppet/modules/site_static/templates/amber.erb +++ b/puppet/modules/site_static/templates/amber.erb @@ -4,6 +4,10 @@ <%- end -%> /"> AllowOverride FileInfo Indexes Options=All,MultiViews +<% if scope.function_guess_apache_version([]) == '2.4' %> + Require all granted +<% else %> Order deny,allow Allow from all +<% end %> diff --git a/puppet/modules/site_static/templates/rack.erb b/puppet/modules/site_static/templates/rack.erb index d70d3ddb..431778bb 100644 --- a/puppet/modules/site_static/templates/rack.erb +++ b/puppet/modules/site_static/templates/rack.erb 
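Review bot: The test `scope.function_guess_apache_version([]) == '2.4'` in the amber.erb hunk is an exact string match, so any other return value (a later release line, or a full version string) falls through to the 2.2-only `Order deny,allow` / `Allow from all` pair, which Apache 2.4 rejects unless mod_access_compat is loaded. The rack.erb hunk of the same commit repeats the test. Letting Apache choose between the two variants with IfModule blocks, as sketched below, removes the dependency on the guessed value at catalog-compile time. The new tags also use `<% %>` where the rest of the template uses `<%- -%>`, which leaves blank lines in the rendered vhost.

```erb
  # ... unchanged: AllowOverride / Options line of the access block ...
  <IfModule mod_authz_core.c>
    Require all granted
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Allow from all
  </IfModule>
```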
@@ -9,7 +9,11 @@ <%- end -%> "> + Options -MultiViews +<% if scope.function_guess_apache_version([]) == '2.4' %> + Require all granted +<% else %> Order deny,allow Allow from all - Options -MultiViews +<% end %> -- cgit v1.2.3 From 4183a10168c61366448e39cf4db45eebc741a27e Mon Sep 17 00:00:00 2001 From: elijah Date: Sun, 13 Mar 2016 11:57:21 -0700 Subject: static site: don't call site_static::location unless locations are actually defined. --- puppet/modules/site_static/manifests/domain.pp | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'puppet/modules/site_static') diff --git a/puppet/modules/site_static/manifests/domain.pp b/puppet/modules/site_static/manifests/domain.pp index b9177f25..5537d247 100644 --- a/puppet/modules/site_static/manifests/domain.pp +++ b/puppet/modules/site_static/manifests/domain.pp @@ -10,7 +10,9 @@ define site_static::domain ( $domain = $name $base_dir = '/srv/static' - create_resources(site_static::location, $locations) + if is_hash($locations) { + create_resources(site_static::location, $locations) + } x509::cert { $domain: content => $cert, -- cgit v1.2.3 From 22b788920defdd42b4abda144afd8ca69d0a9d37 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 18 Apr 2016 18:19:44 +0200 Subject: [style] lint some custom manifests I used `puppet-lint -f FILE` to fix most issues, while finishing with manual intervention. --- puppet/modules/site_static/manifests/domain.pp | 6 +++--- puppet/modules/site_static/manifests/location.pp | 8 ++++---- 2 files changed, 7 insertions(+), 7 deletions(-) (limited to 'puppet/modules/site_static') diff --git a/puppet/modules/site_static/manifests/domain.pp b/puppet/modules/site_static/manifests/domain.pp index 5537d247..fd217b8f 100644 --- a/puppet/modules/site_static/manifests/domain.pp +++ b/puppet/modules/site_static/manifests/domain.pp 
@@ -16,15 +16,15 @@ define site_static::domain ( x509::cert { $domain: content => $cert, - notify => Service[apache] + notify => Service[apache] } x509::key { $domain: content => $key, - notify => Service[apache] + notify => Service[apache] } x509::ca { "${domain}_ca": content => $ca_cert, - notify => Service[apache] + notify => Service[apache] } apache::vhost::file { $domain: diff --git a/puppet/modules/site_static/manifests/location.pp b/puppet/modules/site_static/manifests/location.pp index ce2af9af..1adcce01 100644 --- a/puppet/modules/site_static/manifests/location.pp +++ b/puppet/modules/site_static/manifests/location.pp @@ -14,10 +14,10 @@ define site_static::location($path, $format, $source) { if ($format == 'amber') { exec {"amber_build_${name}": - cwd => $file_path, - command => 'amber rebuild', - user => 'www-data', - timeout => 600, + cwd => $file_path, + command => 'amber rebuild', + user => 'www-data', + timeout => 600, subscribe => Vcsrepo[$file_path] } } -- cgit v1.2.3 From 8370875d608ebddae09fcd05741bb77e0e31c122 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 18 Apr 2016 18:28:29 +0200 Subject: [style] more manual linting for custom manifests --- puppet/modules/site_static/manifests/domain.pp | 1 + puppet/modules/site_static/manifests/init.pp | 5 +++-- puppet/modules/site_static/manifests/location.pp | 1 + 3 files changed, 5 insertions(+), 2 deletions(-) (limited to 'puppet/modules/site_static') diff --git a/puppet/modules/site_static/manifests/domain.pp b/puppet/modules/site_static/manifests/domain.pp index fd217b8f..8b9378f2 100644 --- a/puppet/modules/site_static/manifests/domain.pp +++ b/puppet/modules/site_static/manifests/domain.pp @@ -1,3 +1,4 @@ +# configure static service for domain define site_static::domain ( $ca_cert, $key, diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp index 76ee6e19..4a722d62 100644 --- a/puppet/modules/site_static/manifests/init.pp 
+++ b/puppet/modules/site_static/manifests/init.pp @@ -1,3 +1,4 @@ +# deploy static service class site_static { tag 'leap_service' @@ -48,8 +49,8 @@ class site_static { if (member($formats, 'amber')) { rubygems::gem{'amber-0.3.8': - require => Package['zlib1g-dev'] - } + require => Package['zlib1g-dev'] + } package { 'zlib1g-dev': ensure => installed diff --git a/puppet/modules/site_static/manifests/location.pp b/puppet/modules/site_static/manifests/location.pp index 1adcce01..d116de2f 100644 --- a/puppet/modules/site_static/manifests/location.pp +++ b/puppet/modules/site_static/manifests/location.pp @@ -1,3 +1,4 @@ +# configure static service for location define site_static::location($path, $format, $source) { $file_path = "/srv/static/${name}" -- cgit v1.2.3 From 3b5ce74f81bb56af0b94a119a85649446a3d6e19 Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 3 May 2016 13:21:17 -0400 Subject: migrate from obsolete SSLCertificateChainFile apache option (#8055) Change-Id: I20a28ae77c98071aefc1933e0ea73e5f3b895acb --- puppet/modules/site_static/manifests/domain.pp | 8 +++----- puppet/modules/site_static/templates/apache.conf.erb | 1 - 2 files changed, 3 insertions(+), 6 deletions(-) (limited to 'puppet/modules/site_static') diff --git a/puppet/modules/site_static/manifests/domain.pp b/puppet/modules/site_static/manifests/domain.pp index 8b9378f2..b26cc9e3 100644 --- a/puppet/modules/site_static/manifests/domain.pp +++ b/puppet/modules/site_static/manifests/domain.pp 
@@ -11,22 +11,20 @@ define site_static::domain ( $domain = $name $base_dir = '/srv/static' + $cafile = "${cert}\n${ca_cert}" + if is_hash($locations) { create_resources(site_static::location, $locations) } x509::cert { $domain: - content => $cert, + content => $cafile, notify => Service[apache] } x509::key { $domain: content => $key, notify => Service[apache] } - x509::ca { "${domain}_ca": - content => $ca_cert, - notify => Service[apache] - } apache::vhost::file { $domain: content => template('site_static/apache.conf.erb') diff --git a/puppet/modules/site_static/templates/apache.conf.erb b/puppet/modules/site_static/templates/apache.conf.erb index 2853c5c7..6b969d1c 100644 --- a/puppet/modules/site_static/templates/apache.conf.erb +++ b/puppet/modules/site_static/templates/apache.conf.erb @@ -56,7 +56,6 @@ SSLCertificateKeyFile /etc/x509/keys/<%= @domain %>.key SSLCertificateFile /etc/x509/certs/<%= @domain %>.crt - SSLCertificateChainFile /etc/ssl/certs/<%= @domain %>_ca.pem RequestHeader set X_FORWARDED_PROTO 'https' -- cgit v1.2.3
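Review bot: In the domain.pp hunk `$cafile` is not a CA file: it holds the server certificate followed by the CA certificate, and the order is what makes the bundle usable. A name like `$cert_chain`, with a comment `# leaf first, then intermediates; Apache reads the chain from SSLCertificateFile`, would make that explicit. Removing `x509::ca { "${domain}_ca": }` also only stops managing the old CA file; nothing visible here sets it absent, so the previously deployed `<%= @domain %>_ca.pem` presumably stays on disk.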
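Review bot: Dropping `SSLCertificateChainFile` unconditionally in the apache.conf.erb hunk assumes every node runs Apache 2.4.8 or later, the release in which SSLCertificateFile began loading intermediate certificates from the server certificate file. The amber.erb and rack.erb templates in this same module still branch on `guess_apache_version` for 2.2. On an older Apache the extra certificate in the .crt file would be ignored, and clients would receive no intermediate chain. If 2.2 hosts are still supported, keep the directive (and the x509::ca resource in domain.pp) behind the same version test; otherwise state the minimum Apache version in a template comment.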