From b21a3e9126a1734b2cea975e57b5c9e8206f12fa Mon Sep 17 00:00:00 2001 From: elijah Date: Mon, 27 Jun 2016 15:49:30 -0700 Subject: Fix the permissions on the DOMAIN/provider.json file for static sites. --- .../templates/vhosts.d/hidden_service.conf.erb | 2 +- .../modules/site_config/manifests/remove/files.pp | 11 +++++++++++ puppet/modules/site_static/manifests/init.pp | 22 ++++++++++++++++++---- .../modules/site_static/templates/apache.conf.erb | 8 ++++++-- 4 files changed, 36 insertions(+), 7 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb index 697a7ff3..b34bd189 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb @@ -47,7 +47,7 @@ <% end %> AccessFileName .htaccess - Alias /provider.json /srv/leap/provider.json + Alias /provider.json /srv/static/public/provider.json Header set X-Minimum-Client-Version 0.5 diff --git a/puppet/modules/site_config/manifests/remove/files.pp b/puppet/modules/site_config/manifests/remove/files.pp index 41d6462e..3de8d695 100644 --- a/puppet/modules/site_config/manifests/remove/files.pp +++ b/puppet/modules/site_config/manifests/remove/files.pp @@ -11,7 +11,18 @@ class site_config::remove::files { + # + # Platform X removals + # + + tidy { + '/srv/leap/provider.json':; + } + + # # Platform 0.8 removals + # + tidy { '/etc/default/leap_mx':; '/etc/logrotate.d/mx':; diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp index 4a722d62..8063d432 100644 --- a/puppet/modules/site_static/manifests/init.pp +++ b/puppet/modules/site_static/manifests/init.pp @@ -13,20 +13,34 @@ class site_static { $bootstrap = $static['bootstrap_files'] $tor = hiera('tor', false) + file { + '/srv/static/': + ensure => 'directory', + owner => 'root', + group => 'root', + mode => '0744'; + '/srv/static/public': + ensure => 'directory', + owner => 'root', + group => 'root', + mode => '0744'; + } + if $bootstrap['enabled'] { $bootstrap_domain = $bootstrap['domain'] $bootstrap_client = $bootstrap['client_version'] - file { '/srv/leap/provider.json': + file { '/srv/static/public/provider.json': content => $bootstrap['provider_json'], owner => 'www-data', group => 'www-data', - mode => '0444'; + mode => '0444', + notify => Service[apache]; } # It is important to always touch provider.json: the client needs to check x-min-client-version header, # but this is only sent when the file has been modified (otherwise 304 is sent by apache). The problem # is that changing min client version won't alter the content of provider.json, so we must touch it. - exec { '/bin/touch /srv/leap/provider.json': - require => File['/srv/leap/provider.json']; + exec { '/bin/touch /srv/static/public/provider.json': + require => File['/srv/static/public/provider.json']; } } diff --git a/puppet/modules/site_static/templates/apache.conf.erb b/puppet/modules/site_static/templates/apache.conf.erb index 6b969d1c..b3e5fc09 100644 --- a/puppet/modules/site_static/templates/apache.conf.erb +++ b/puppet/modules/site_static/templates/apache.conf.erb @@ -23,6 +23,10 @@ bootstrap_client = scope.lookupvar('site_static::bootstrap_client') -%> + + Require all granted + + ServerName <%= @domain %> ServerAlias www.<%= @domain %> @@ -46,7 +50,7 @@ #RewriteLogLevel 3 Include include.d/ssl_common.inc - + <%- if @tls_only -%> Header always set Strict-Transport-Security: "max-age=15768000;includeSubdomains" <%- end -%> @@ -63,7 +67,7 @@ AccessFileName .htaccess <%- if ([@aliases]+[@domain]).flatten.include?(bootstrap_domain) -%> - Alias /provider.json /srv/leap/provider.json + Alias /provider.json /srv/static/public/provider.json Header set X-Minimum-Client-Version <%= bootstrap_client['min'] %> -- cgit v1.2.3