From 24f0cc3c64aab59db436e0827ba24ec08023100a Mon Sep 17 00:00:00 2001 From: elijah Date: Sat, 24 May 2014 01:35:54 -0700 Subject: added support for /provider.json served from static site. --- puppet/modules/site_static/manifests/domain.pp | 3 ++- puppet/modules/site_static/manifests/init.pp | 18 ++++++++++++++++++ puppet/modules/site_static/templates/apache.conf.erb | 14 ++++++++++++++ 3 files changed, 34 insertions(+), 1 deletion(-) (limited to 'puppet/modules/site_static') diff --git a/puppet/modules/site_static/manifests/domain.pp b/puppet/modules/site_static/manifests/domain.pp index 8af2230f..0f54a975 100644 --- a/puppet/modules/site_static/manifests/domain.pp +++ b/puppet/modules/site_static/manifests/domain.pp @@ -3,7 +3,8 @@ define site_static::domain ( $ca_cert, $key, $cert, - $tls_only) { + $tls_only, + $aliases) { $domain = $name $base_dir = '/srv/static' diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp index 4f6d895f..6b2cc1f3 100644 --- a/puppet/modules/site_static/manifests/init.pp +++ b/puppet/modules/site_static/manifests/init.pp 
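Review bot: `$aliases` is added without a default, which makes it a required parameter of `site_static::domain`, so every existing declaration of the define must now pass it or catalog compilation fails; `$aliases = undef` would keep old call sites working, and the template on the new side already guards with `@aliases &&`. The define's body continues outside the hunk.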
@@ -3,6 +3,24 @@ class site_static { $static = hiera('static') $domains = $static['domains'] $formats = $static['formats'] + $bootstrap = $static['bootstrap_files'] + + if $bootstrap['enabled'] { + $bootstrap_domain = $bootstrap['domain'] + $bootstrap_client = $bootstrap['client_version'] + file { '/srv/leap/provider.json': + content => $bootstrap['provider_json'], + owner => 'www-data', + group => 'www-data', + mode => '0444'; + } + # It is important to always touch provider.json: the client needs to check x-min-client-version header, + # but this is only sent when the file has been modified (otherwise 304 is sent by apache). The problem + # is that changing min client version won't alter the content of provider.json, so we must touch it. + exec { '/bin/touch /srv/leap/provider.json': + require => File['/srv/leap/provider.json']; + } + } if (member($formats, 'amber')) { include site_config::ruby::dev diff --git a/puppet/modules/site_static/templates/apache.conf.erb b/puppet/modules/site_static/templates/apache.conf.erb index 2abe1a98..b694d44c 100644 --- a/puppet/modules/site_static/templates/apache.conf.erb +++ b/puppet/modules/site_static/templates/apache.conf.erb @@ -16,11 +16,16 @@ end end document_root = document_root.gsub(%r{^/|/$}, '') + bootstrap_domain = scope.lookupvar('site_static::bootstrap_domain') + bootstrap_client = scope.lookupvar('site_static::bootstrap_client') -%> ServerName <%= @domain %> ServerAlias www.<%= @domain %> +<%- @aliases && @aliases.each do |domain_alias| -%> + ServerAlias <%= domain_alias %> +<%- end -%> RewriteEngine On RewriteRule ^.*$ https://<%= @domain -%>%{REQUEST_URI} [R=permanent,L] @@ -28,6 +33,9 @@ ServerName <%= @domain %> ServerAlias www.<%= @domain %> +<%- @aliases && @aliases.each do |domain_alias| -%> + ServerAlias <%= domain_alias %> +<%- end -%> #RewriteLog "/var/log/apache2/rewrite.log" #RewriteLogLevel 3 
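Review bot: The new `file { '/srv/leap/provider.json': ... }` resource makes the web-server user own the file it serves, which is more than Apache needs — `mode => '0444'` already makes it world-readable, so `owner => 'root'` would keep a compromised Apache worker from being able to rewrite the descriptor that clients bootstrap from. The `if $bootstrap['enabled']` test also assumes `bootstrap_files` exists in hiera; if it is absent `$bootstrap` is undef and, as far as I recall, Puppet 3 raises when indexing an undef value, so a hiera default or an explicit undef check first would be safer — confirm against the Puppet version in use. The `exec { '/bin/touch /srv/leap/provider.json': ... }` runs on every agent run and therefore every run reports a change; the comment explains the motive, and it could also state that consequence so nobody later "fixes" it with `creates` or `refreshonly`.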
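Review bot: `@aliases && @aliases.each do |domain_alias|` raises `NoMethodError` if `$aliases` arrives from hiera as a single string rather than an array, because `String` has no `each` in Ruby 1.9+; `Array(@aliases).each do |domain_alias|` accepts nil, a string or an array and drops the `&&` guard. The same loop is repeated in the next hunk of this file (`@@ -28,6 +33,9`), and the later `([@aliases]+[@domain]).flatten` could become `Array(@aliases) + [@domain]` for the same reason.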
@@ -62,6 +70,12 @@ Order deny,allow Allow from all + <%- if ([@aliases]+[@domain]).flatten.include?(bootstrap_domain) -%> + Alias /provider.json /srv/leap/provider.json + + Header set X-Minimum-Client-Version <%= bootstrap_client['min'] %> + + <%- end -%> <%- else -%> AliasMatch ^/[a-z]{2}/<%=path%>(/.+|/|)$ "/<%=directory%>/$1" Alias /<%=path%> "/<%=directory%>/" -- cgit v1.2.3 From 4e3d168d103fea6476694997275c4df4821535f3 Mon Sep 17 00:00:00 2001 From: elijah Date: Fri, 30 May 2014 14:52:26 -0700 Subject: static site: added rack support, added custom apache config --- puppet/modules/site_static/manifests/domain.pp | 14 ++--- puppet/modules/site_static/manifests/init.pp | 19 ++++++- puppet/modules/site_static/manifests/location.pp | 8 +++ puppet/modules/site_static/templates/amber.erb | 15 ++++++ .../modules/site_static/templates/apache.conf.erb | 60 +++++++++++----------- puppet/modules/site_static/templates/rack.erb | 22 ++++++++ 6 files changed, 96 insertions(+), 42 deletions(-) create mode 100644 puppet/modules/site_static/templates/amber.erb create mode 100644 puppet/modules/site_static/templates/rack.erb (limited to 'puppet/modules/site_static') diff --git a/puppet/modules/site_static/manifests/domain.pp b/puppet/modules/site_static/manifests/domain.pp index 0f54a975..6941b1a3 100644 --- a/puppet/modules/site_static/manifests/domain.pp +++ b/puppet/modules/site_static/manifests/domain.pp @@ -1,10 +1,11 @@ define site_static::domain ( - $locations, $ca_cert, $key, $cert, - $tls_only, - $aliases) { + $tls_only=true, + $locations=undef, + $aliases=undef, + $apache_config=undef) { $domain = $name $base_dir = '/srv/static' 
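Review bot: `Header set X-Minimum-Client-Version <%= bootstrap_client['min'] %>` emits the value unquoted, so if `client_version` has no `min` key the rendered directive has no argument and Apache refuses to load the config; quoting it, `Header set X-Minimum-Client-Version "<%= bootstrap_client['min'] %>"`, keeps the config loadable, and a `<%- if bootstrap_client && bootstrap_client['min'] -%>` guard around the block makes the omission explicit. For readers of the companion comment in init.pp: switching to `Header always set` would not remove the need to touch the file, because Apache drops all but a short whitelist of headers from 304 responses regardless of the `always` condition (as far as I know), so the touch workaround is the right tool here. The container directive enclosing the `Alias` and `Header` lines is not visible in this rendering of the patch.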
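Review bot: The define now has four optional parameters but no documentation of what they accept, and `$apache_config` needs it most: on the new side of this series it is written verbatim into the vhost template, so it must be a string of Apache directives the caller already trusts. I'd add a header comment above `define site_static::domain (` describing each parameter — `$tls_only` defaults to true and gates the port-80 redirect and HSTS, `$locations` is the hash the template iterates, `$aliases` is a list of extra ServerAlias names, `$apache_config` is raw vhost config — noting that these descriptions are inferred from the template hunks, so confirm them. The define's body continues outside the hunk.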
@@ -15,13 +16,6 @@ define site_static::domain ( x509::key { $domain: content => $key } x509::ca { "${domain}_ca": content => $ca_cert } - class { '::apache': no_default_site => true, ssl => true } - include site_apache::module::headers - include site_apache::module::alias - include site_apache::module::expires - include site_apache::module::removeip - include site_apache::module::rewrite - apache::vhost::file { $domain: content => template('site_static/apache.conf.erb') } diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp index 6b2cc1f3..6e347d35 100644 --- a/puppet/modules/site_static/manifests/init.pp +++ b/puppet/modules/site_static/manifests/init.pp @@ -11,8 +11,8 @@ class site_static { file { '/srv/leap/provider.json': content => $bootstrap['provider_json'], owner => 'www-data', - group => 'www-data', - mode => '0444'; + group => 'www-data', + mode => '0444'; } # It is important to always touch provider.json: the client needs to check x-min-client-version header, # but this is only sent when the file has been modified (otherwise 304 is sent by apache). The problem @@ -22,6 +22,21 @@ class site_static { } } + class { '::apache': no_default_site => true, ssl => true } + include site_apache::module::headers + include site_apache::module::alias + include site_apache::module::expires + include site_apache::module::removeip + include site_apache::module::rewrite + + if (member($formats, 'rack')) { + include site_apt::preferences::passenger + class { 'passenger': + use_munin => false, + require => Class['site_apt::preferences::passenger'] + } + } + if (member($formats, 'amber')) { include site_config::ruby::dev rubygems::gem{'amber-0.3.0': } diff --git a/puppet/modules/site_static/manifests/location.pp b/puppet/modules/site_static/manifests/location.pp index 1ba6807e..9c749b00 100644 --- a/puppet/modules/site_static/manifests/location.pp +++ b/puppet/modules/site_static/manifests/location.pp 
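Review bot: The `class { '::apache': no_default_site => true, ssl => true }` declaration and the `site_apache::module::*` includes are moved here from the define without a comment saying why; presumably because a resource-like class declaration may appear only once per catalog, so leaving it in `site_static::domain` would break as soon as a second domain is defined — confirm and record it, e.g. `# apache is declared once here rather than per domain: a resource-like class declaration may appear only once in a catalog`. The new `if (member($formats, 'rack'))` block enables Passenger only when `rack` is listed in `$static['formats']`; if a location declares `format => 'rack'` while that list omits it, the rack template's Passenger directives would be rendered without the module loaded and Apache would refuse the config, so deriving the needed formats from the locations rather than maintaining a separate list may be worth it (inferred from the template hunks in this series).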
@@ -2,6 +2,14 @@ define site_static::location($path, $format, $source) { $file_path = "/srv/static/${name}" + if $format == undef { + fail("static_site location `${path}` is missing `format` field.") + } + + if ! member(['amber','rack'], $format) { + fail("Could not understand static_site location format `${format}`.") + } + if ($format == 'amber') { exec {"amber_build_${name}": cwd => $file_path, diff --git a/puppet/modules/site_static/templates/amber.erb b/puppet/modules/site_static/templates/amber.erb new file mode 100644 index 00000000..17dc2ad6 --- /dev/null +++ b/puppet/modules/site_static/templates/amber.erb @@ -0,0 +1,15 @@ +<%- if @location_path == '' -%> + /"> + AllowOverride FileInfo Indexes Options=All,MultiViews + Order deny,allow + Allow from all + +<%- else -%> + AliasMatch ^/[a-z]{2}/<%=@location_path%>(/.+|/|)$ "<%=@directory%>/$1" + Alias /<%=@location_path%> "<%=@directory%>/" + /"> + AllowOverride FileInfo Indexes Options=All,MultiViews + Order deny,allow + Allow from all + +<%- end -%> diff --git a/puppet/modules/site_static/templates/apache.conf.erb b/puppet/modules/site_static/templates/apache.conf.erb index b694d44c..b23c1bf9 100644 --- a/puppet/modules/site_static/templates/apache.conf.erb +++ b/puppet/modules/site_static/templates/apache.conf.erb 
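Review bot: The allowed-format list `['amber','rack']` in the new `member()` check is the same literal that `location_directory` in apache.conf.erb tests with `['amber', 'rack'].include?(...)`, and the later commit in this series that introduces `$allowed_formats` moves it into a variable without removing the second copy, so adding a format means editing both places plus adding a template. A single source, say a class-level variable in `site_static` that the template reads via `scope.lookupvar`, would keep them in step. Also, the `$format == undef` check is only reachable when a caller passes `undef` explicitly, since `$format` has no default; that is fine but worth a one-line comment so it is not removed as dead code.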
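Review bot: `AliasMatch ^/[a-z]{2}/<%=@location_path%>(/.+|/|)$` interpolates the location path straight into a regular expression, so a path containing `.`, `+` or other metacharacters matches more than the literal path; `<%= Regexp.escape(@location_path) %>` inside the `AliasMatch` keeps it literal (the `Alias` line below needs no escaping). Separately, `AllowOverride FileInfo Indexes Options=All,MultiViews` is carried over from the old template and lets any `.htaccess` in the built site enable every Option, `ExecCGI` and `FollowSymLinks` included; for generated static content a narrower list such as `Options=Indexes,MultiViews` is usually enough — hedged, since I cannot see what the amber build emits. The `Directory` container tags appear to have been lost in this rendering of the patch.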
@@ -2,20 +2,23 @@ ## ## An apache config for static websites. ## + def location_directory(name, location) - if location['format'] == 'amber' + if ['amber', 'rack'].include?(location['format']) File.join(@base_dir, name, 'public') else File.join(@base_dir, name) end end - document_root = '/var/www' - @locations.each do |name, location| - if location['path'] == '/' - document_root = location_directory(name, location) + + @document_root = begin + root = '/var/www' + @locations && @locations.each do |name, location| + root = location_directory(name, location) if location['path'] == '/' end + root.gsub(%r{^/|/$}, '') end - document_root = document_root.gsub(%r{^/|/$}, '') + bootstrap_domain = scope.lookupvar('site_static::bootstrap_domain') bootstrap_client = scope.lookupvar('site_static::bootstrap_client') -%> @@ -26,8 +29,10 @@ <%- @aliases && @aliases.each do |domain_alias| -%> ServerAlias <%= domain_alias %> <%- end -%> +<%- if @tls_only -%> RewriteEngine On RewriteRule ^.*$ https://<%= @domain -%>%{REQUEST_URI} [R=permanent,L] +<%- end -%> 
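Review bot: `root.gsub(%r{^/|/$}, '')` in the new `@document_root` block uses `^` and `$`, which in Ruby anchor to line boundaries rather than to the whole string; the same pattern is applied to `location['path']` in the `@@ -55,37 +64,28` hunk. The paths come from hiera and will not contain newlines, so this is a style point, but `%r{\A/|/\z}` states the intent. `location_directory` also deserves a comment such as `# amber and rack sites are served from their public/ subdirectory; anything else from the site root`, since `'public'` is otherwise a magic string that rack.erb depends on.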
@@ -46,8 +51,12 @@ SSLCompression off SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK" +<%- if @tls_only -%> Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains" +<%- end -%> Header set X-Frame-Options "deny" + Header always unset X-Powered-By + Header always unset X-Runtime SSLCertificateKeyFile /etc/x509/keys/<%= @domain %>.key SSLCertificateFile /etc/x509/certs/<%= @domain %>.crt 
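Review bot: The HSTS line kept inside the new `<%- if @tls_only -%>` guard still uses `Header add Strict-Transport-Security: ...` without `always`, while the two new `Header always unset` lines just below use the `always` form; without it the header is only attached to successful responses, so redirects and error pages on the HTTPS vhost go out without HSTS, and `add` rather than `set` can produce a duplicate header if anything else sets one. `Header always set Strict-Transport-Security "max-age=15768000;includeSubdomains"` covers both, and the trailing colon after the header name is optional and can go.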
@@ -55,37 +64,28 @@ RequestHeader set X_FORWARDED_PROTO 'https' - DocumentRoot "/<%= document_root %>/" + DocumentRoot "/<%= @document_root %>/" AccessFileName .htaccess -<%- @locations.each do |name, location| -%> - <%- path = location['path'].gsub(%r{^/|/$}, '') -%> - <%- directory = location_directory(name, location) -%> - ## - ## <%= name %> - ## - <%- if path == '' -%> - /"> - AllowOverride FileInfo Indexes Options=All,MultiViews - Order deny,allow - Allow from all - - <%- if ([@aliases]+[@domain]).flatten.include?(bootstrap_domain) -%> +<%- if ([@aliases]+[@domain]).flatten.include?(bootstrap_domain) -%> Alias /provider.json /srv/leap/provider.json Header set X-Minimum-Client-Version <%= bootstrap_client['min'] %> - <%- end -%> - <%- else -%> - AliasMatch ^/[a-z]{2}/<%=path%>(/.+|/|)$ "/<%=directory%>/$1" - Alias /<%=path%> "/<%=directory%>/" - /"> - AllowOverride FileInfo Indexes Options=All,MultiViews - Order deny,allow - Allow from all - - <%- end -%> +<%- end -%> + +<%- if @apache_config -%> +<%= @apache_config %> +<%- end -%> +<%- @locations && @locations.each do |name, location| -%> +<%- location_path = location['path'].gsub(%r{^/|/$}, '') -%> +<%- directory = location_directory(name, location) -%> +<%- local_vars = {'location_path'=>location_path, 'directory'=>directory, 'location'=>location, 'name'=>name} -%> + ## + ## <%= name %> (<%= location['format'] %>) + ## +<%= scope.function_templatewlv([File.join(File.dirname(__FILE__), location['format']) + '.erb', local_vars]) %> <%- end -%> diff --git a/puppet/modules/site_static/templates/rack.erb b/puppet/modules/site_static/templates/rack.erb new file mode 100644 index 00000000..3e22e750 --- /dev/null +++ b/puppet/modules/site_static/templates/rack.erb 
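Review bot: `<%= @apache_config %>` pastes the caller's raw fragment into the vhost with nothing in the rendered file marking where it came from; adding `## begin site-specific apache_config` and `## end site-specific apache_config` lines inside the `<%- if @apache_config -%>` block makes an `apache2ctl -t` error or an unexpected directive traceable to hiera rather than to this template. The dispatch `File.join(File.dirname(__FILE__), location['format']) + '.erb'` builds a template path from the hiera-supplied `format`; the `member()` check in location.pp only covers locations actually declared as `site_static::location`, which I cannot verify from this hunk, so if this loop can be reached for a location that skipped that check, an unknown format fails here with an unhelpful missing-file error rather than the intended message. The vhost container closes outside the hunk.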
@@ -0,0 +1,22 @@ + #PassengerLogLevel 1 + #RackEnv production + #PassengerFriendlyErrorPages on +<%- if @location_path == '' -%> + "> + Order deny,allow + Allow from all + Options -MultiViews + +<%- else -%> + Alias /<%=@location_path%> "<%=@directory%>" + > + RackBaseURI /<%=@location_path%> + PassengerBaseURI /<%=@location_path%> + PassengerAppRoot "<%=File.dirname(@directory)%>" + + "> + Order deny,allow + Allow from all + Options -MultiViews + +<%- end -%> -- cgit v1.2.3 From 2b3b9243e7d0301f877b35246a809c50196e038c Mon Sep 17 00:00:00 2001 From: elijah Date: Sun, 1 Jun 2014 22:22:45 -0700 Subject: work around hiera's inability to escape '%' by using ':percent:' --- puppet/modules/site_static/templates/apache.conf.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/site_static') diff --git a/puppet/modules/site_static/templates/apache.conf.erb b/puppet/modules/site_static/templates/apache.conf.erb index b23c1bf9..a16d51f4 100644 --- a/puppet/modules/site_static/templates/apache.conf.erb +++ b/puppet/modules/site_static/templates/apache.conf.erb @@ -75,7 +75,7 @@ <%- end -%> <%- if @apache_config -%> -<%= @apache_config %> +<%= @apache_config.gsub(':percent:','%') %> <%- end -%> <%- @locations && @locations.each do |name, location| -%> -- cgit v1.2.3 From 0c4c0ab6863c4c1cf59d0e999c7ba7bd41d3546c Mon Sep 17 00:00:00 2001 From: elijah Date: Sun, 1 Jun 2014 23:21:12 -0700 Subject: remove superfluous RackBaseURI directive --- puppet/modules/site_static/templates/rack.erb | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'puppet/modules/site_static') diff --git a/puppet/modules/site_static/templates/rack.erb b/puppet/modules/site_static/templates/rack.erb index 3e22e750..aae91f1c 100644 --- a/puppet/modules/site_static/templates/rack.erb +++ b/puppet/modules/site_static/templates/rack.erb 
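Review bot: The three commented-out lines at the top (`#PassengerLogLevel 1`, `#RackEnv production`, `#PassengerFriendlyErrorPages on`) are dead config rather than documentation; if they are meant as knobs, a comment saying so helps, and for `PassengerFriendlyErrorPages` I would set `off` explicitly rather than rely on the Passenger default, since friendly error pages expose backtraces and environment details of the app to visitors (whether the default is on or off depends on the Passenger version and environment, so confirm). `PassengerAppRoot "<%=File.dirname(@directory)%>"` relies on `@directory` ending in `public`, which `location_directory` in apache.conf.erb arranges for rack locations; a comment `# @directory is <app>/public, so the app root is its parent` records that coupling. The `Directory` container tags appear to have been lost in this rendering of the patch.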
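Review bot: The `:percent:` placeholder is only discoverable by reading this one line, yet anyone writing `apache_config` in hiera must know that `%` has to be spelled `:percent:`. A comment above the line, `<%# hiera cannot escape '%', so apache_config spells it ':percent:' %>`, or a sentence in the `$apache_config` parameter documentation of `site_static::domain`, would make it findable. `gsub` with a string pattern matches literally, so there is no escaping concern in the substitution itself.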
@@ -1,5 +1,5 @@ #PassengerLogLevel 1 - #RackEnv production + #PassengerAppEnv production #PassengerFriendlyErrorPages on <%- if @location_path == '' -%> "> @@ -10,7 +10,6 @@ <%- else -%> Alias /<%=@location_path%> "<%=@directory%>" > - RackBaseURI /<%=@location_path%> PassengerBaseURI /<%=@location_path%> PassengerAppRoot "<%=File.dirname(@directory)%>" -- cgit v1.2.3 From 455422ddd5152679eb8df5554e371dbcf2c28f27 Mon Sep 17 00:00:00 2001 From: elijah Date: Mon, 2 Jun 2014 12:02:29 -0700 Subject: static site: better message for wrong location type. --- puppet/modules/site_static/manifests/location.pp | 6 ++++-- puppet/modules/site_static/templates/apache.conf.erb | 4 +++- 2 files changed, 7 insertions(+), 3 deletions(-) (limited to 'puppet/modules/site_static') diff --git a/puppet/modules/site_static/manifests/location.pp b/puppet/modules/site_static/manifests/location.pp index 9c749b00..ce2af9af 100644 --- a/puppet/modules/site_static/manifests/location.pp +++ b/puppet/modules/site_static/manifests/location.pp @@ -1,13 +1,15 @@ define site_static::location($path, $format, $source) { $file_path = "/srv/static/${name}" + $allowed_formats = ['amber','rack'] if $format == undef { fail("static_site location `${path}` is missing `format` field.") } - if ! member(['amber','rack'], $format) { - fail("Could not understand static_site location format `${format}`.") + if ! member($allowed_formats, $format) { + $formats_str = join($allowed_formats, ', ') + fail("Unsupported static_site location format `${format}`. Supported formats include ${formats_str}.") } if ($format == 'amber') { diff --git a/puppet/modules/site_static/templates/apache.conf.erb b/puppet/modules/site_static/templates/apache.conf.erb index a16d51f4..07ac481d 100644 --- a/puppet/modules/site_static/templates/apache.conf.erb +++ b/puppet/modules/site_static/templates/apache.conf.erb 
@@ -82,10 +82,12 @@ <%- location_path = location['path'].gsub(%r{^/|/$}, '') -%> <%- directory = location_directory(name, location) -%> <%- local_vars = {'location_path'=>location_path, 'directory'=>directory, 'location'=>location, 'name'=>name} -%> +<%- template_path = File.join(File.dirname(__FILE__), location['format']) + '.erb' -%> +<%- break unless File.exists?(template_path) -%> ## ## <%= name %> (<%= location['format'] %>) ## -<%= scope.function_templatewlv([File.join(File.dirname(__FILE__), location['format']) + '.erb', local_vars]) %> +<%= scope.function_templatewlv([template_path, local_vars]) %> <%- end -%> -- cgit v1.2.3
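Review bot: `break unless File.exists?(template_path)` exits the whole `@locations.each` loop, so the first location whose format has no template silently drops the configuration of every location after it as well, and produces no message at all — the opposite of the commit's stated aim. Raise instead, `<%- raise "no template for static_site location format #{location['format'].inspect}" unless File.exist?(template_path) -%>` (or `next` if skipping only that location is intended), and note that `File.exist?` is the non-deprecated spelling. The loop header is above the hunk.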