Merge remote-tracking branch 'immerda/master'

Fixed apache_no_default_site variable to be a parameter to the apache class (no_default_site = false) Conflicts: files/include.d/Debian/ssl_defaults.inc manifests/base.pp manifests/config/file.pp manifests/vhost.pp manifests/vhost/php/standard.pp manifests/vhost/template.pp templates/vhosts/php/CentOS.erb templates/vhosts/php/Debian.erb
author: Micah Anderson <micah@riseup.net> 2013-04-12 13:23:29 -0400
committer: Micah Anderson <micah@riseup.net> 2013-04-12 14:37:28 -0400
commit: 115691c87bad3f5863f088e73603133b67c9f828 (patch)
tree: bbfd7b5c0d0c220ef3e52eb25acd4595a46b85d0 /files
parent: 2401aae6c4785c1e6a777756bebe70c38b889727 (diff)
parent: 5ec141dfbf218dd9b2f2611d788db98f74e65073 (diff)
10 files changed, 260 insertions, 18 deletions
diff --git a/files/include.d/CentOS/ssl_defaults.inc b/files/include.d/CentOS/ssl_defaults.inc
index 5cc663f..7735ebb 100644
--- a/files/include.d/CentOS/ssl_defaults.inc
+++ b/files/include.d/CentOS/ssl_defaults.inc
@@ -1,9 +1,3 @@
-# Use separate log files for the SSL virtual host; note that LogLevel
-# is not inherited from httpd.conf.
-ErrorLog logs/ssl_error_log
-TransferLog logs/ssl_access_log
-LogLevel warn
-
 #   SSL Engine Switch:
 #   Enable/Disable SSL for this virtual host.
 SSLEngine on
@@ -11,13 +5,16 @@ SSLEngine on
 #   SSL Protocol support:
 # List the enable protocol levels with which clients will be able to
 # connect.  Disable SSLv2 access by default:
-SSLProtocol all -SSLv2
+#SSLProtocol all -SSLv2
+SSLProtocol -all +SSLv3 +TLSv1
 
 #   SSL Cipher Suite:
 # List the ciphers that the client is permitted to negotiate.
 # See the mod_ssl documentation for a complete list.
-SSLCipherSuite HIGH:MEDIUM:!ADH:-SSLv2
+#SSLCipherSuite HIGH:MEDIUM:!ADH:-SSLv2
+SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH
 
+SSLHonorCipherOrder on
 
 #   Server Certificate:
 # Point SSLCertificateFile at a PEM encoded certificate.  If
@@ -134,8 +131,5 @@ SetEnvIf User-Agent ".*MSIE.*" \
          nokeepalive ssl-unclean-shutdown \
          downgrade-1.0 force-response-1.0
 
-#   Per-Server Logging:
-#   The home of a custom SSL log file. Use this when you want a
-#   compact non-error SSL logfile on a virtual host basis.
-CustomLog logs/ssl_request_log \
-          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+# set STS Header
+Header add Strict-Transport-Security "max-age=15768000"
diff --git a/files/include.d/Debian/ssl_defaults.inc b/files/include.d/Debian/ssl_defaults.inc
index 3a67cd3..7030ec8 100644
--- a/files/include.d/Debian/ssl_defaults.inc
+++ b/files/include.d/Debian/ssl_defaults.inc
@@ -11,13 +11,13 @@ SSLEngine on
 #   SSL Protocol support:
 # List the enable protocol levels with which clients will be able to
 # connect.  Disable SSLv2 access by default:
-SSLProtocol all -SSLv2
+SSLProtocol -all +SSLv3 +TLSv1
 
 #   SSL Cipher Suite:
 # List the ciphers that the client is permitted to negotiate.
 # See the mod_ssl documentation for a complete list.
-SSLCipherSuite HIGH:MEDIUM:!ADH:-SSLv2
-
+SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH
+SSLHonorCipherOrder on
 
 #   Server Certificate:
 # Point SSLCertificateFile at a PEM encoded certificate.  If
@@ -139,3 +139,6 @@ SetEnvIf User-Agent ".*MSIE.*" \
 #   compact non-error SSL logfile on a virtual host basis.
 CustomLog /var/log/apache2/ssl_request_log \
           "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+
+# set STS Header
+Header add Strict-Transport-Security "max-age=15768000"
diff --git a/files/include.d/OpenBSD/ssl_defaults.inc b/files/include.d/OpenBSD/ssl_defaults.inc
index e7d2c36..67cf36f 100644
--- a/files/include.d/OpenBSD/ssl_defaults.inc
+++ b/files/include.d/OpenBSD/ssl_defaults.inc
@@ -1,4 +1,5 @@
 SSLEngine on
-SSLCipherSuite HIGH:MEDIUM:!ADH:-SSLv2
+#SSLCipherSuite HIGH:MEDIUM:!ADH:-SSLv2
+SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH
 SSLCertificateFile    /etc/ssl/server.crt
 SSLCertificateKeyFile /etc/ssl/private/server.key
diff --git a/files/include.d/silverstripe.inc b/files/include.d/silverstripe.inc
new file mode 100644
index 0000000..40c44e4
--- /dev/null
+++ b/files/include.d/silverstripe.inc
@@ -0,0 +1,17 @@
+# silverstripe .htaccess
+<Files *.ss>
+  Order deny,allow
+  Deny from all
+  #Allow from 127.0.0.1
+</Files>
+
+<IfModule mod_rewrite.c>
+  RewriteEngine On
+  #RewriteBase /
+
+  RewriteCond %{REQUEST_URI} !(\.gif$)|(\.jpg$)|(\.png$)|(\.css$)|(\.js$)
+
+  RewriteCond %{REQUEST_URI} ^(.*)$
+  RewriteCond %{REQUEST_FILENAME} !-f
+  RewriteRule .* sapphire/main.php?url=%1&%{QUERY_STRING} [L]
+</IfModule>
diff --git a/files/itk_plus/conf.d/CentOS/ssl.conf b/files/itk_plus/conf.d/CentOS/ssl.conf
new file mode 100644
index 0000000..fb0c915
--- /dev/null
+++ b/files/itk_plus/conf.d/CentOS/ssl.conf
@@ -0,0 +1,75 @@
+#
+# This is the Apache server configuration file providing SSL support.
+# It contains the configuration directives to instruct the server how to
+# serve pages over an https connection. For detailing information about these 
+# directives see <URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html>
+# 
+# Do NOT simply read the instructions in here without understanding
+# what they do.  They're here only as hints or reminders.  If you are unsure
+# consult the online docs. You have been warned.  
+#
+
+LoadModule ssl_module modules/mod_ssl.so
+
+#
+# When we also provide SSL we have to listen to the 
+# the HTTPS port in addition.
+#
+NameVirtualHost *:443
+
+##
+##  SSL Global Context
+##
+##  All SSL configuration in this context applies both to
+##  the main server and all SSL-enabled virtual hosts.
+##
+
+#
+#   Some MIME-types for downloading Certificates and CRLs
+#
+AddType application/x-x509-ca-cert .crt
+AddType application/x-pkcs7-crl    .crl
+
+#   Pass Phrase Dialog:
+#   Configure the pass phrase gathering process.
+#   The filtering dialog program (`builtin' is a internal
+#   terminal dialog) has to provide the pass phrase on stdout.
+SSLPassPhraseDialog  builtin
+
+#   Inter-Process Session Cache:
+#   Configure the SSL Session Cache: First the mechanism 
+#   to use and second the expiring timeout (in seconds).
+#SSLSessionCache        dc:UNIX:/var/cache/mod_ssl/distcache
+SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
+SSLSessionCacheTimeout  300
+
+#   Semaphore:
+#   Configure the path to the mutual exclusion semaphore the
+#   SSL engine uses internally for inter-process synchronization. 
+SSLMutex default
+
+#   Pseudo Random Number Generator (PRNG):
+#   Configure one or more sources to seed the PRNG of the 
+#   SSL library. The seed data should be of good random quality.
+#   WARNING! On some platforms /dev/random blocks if not enough entropy
+#   is available. This means you then cannot use the /dev/random device
+#   because it would lead to very long connection times (as long as
+#   it requires to make more entropy available). But usually those
+#   platforms additionally provide a /dev/urandom device which doesn't
+#   block. So, if available, use this one instead. Read the mod_ssl User
+#   Manual for more details.
+SSLRandomSeed startup file:/dev/urandom  256
+SSLRandomSeed connect builtin
+#SSLRandomSeed startup file:/dev/random  512
+#SSLRandomSeed connect file:/dev/random  512
+#SSLRandomSeed connect file:/dev/urandom 512
+
+#
+# Use "SSLCryptoDevice" to enable any supported hardware
+# accelerators. Use "openssl engine -v" to list supported
+# engine names.  NOTE: If you enable an accelerator and the
+# server does not start, consult the error logs and ensure
+# your accelerator is functioning properly. 
+#
+SSLCryptoDevice builtin
+#SSLCryptoDevice ubsec
diff --git a/files/munin/apache_activity b/files/munin/apache_activity
new file mode 100755
index 0000000..65fc072
--- /dev/null
+++ b/files/munin/apache_activity
@@ -0,0 +1,99 @@
+#!/usr/bin/perl
+#
+# Parameters supported:
+#
+# 	config
+# 	autoconf
+#
+# Configurable variables
+#
+# 	url      - Override default status-url
+#
+# Magic markers:
+#%# family=auto
+#%# capabilities=autoconf
+
+my $ret = undef;
+if (!eval "require LWP::UserAgent;") {
+    $ret = "LWP::UserAgent not found";
+}
+
+my $URL = exists $ENV{'url'} ? $ENV{'url'} : "http://127.0.0.1:%d/server-status?auto";
+my @PORTS = exists $ENV{'ports'} ? split(' ', $ENV{'ports'}) : (80);
+my %chars = (
+	     # '\_' => 'Waiting',
+	     # 'S' => 'Starting up',
+	     'R' => 'Reading request',
+	     'W' => 'Sending reply',
+	     'K' => 'Keepalive',
+	     'D' => 'DNS lookup',
+	     'C' => 'Closing',
+	     # 'L' => 'Logging',
+	     # 'G' => 'Gracefully finishing',
+	     # 'I' => 'Idle cleanup',
+	     # '\.' => 'Open slot',
+	     );
+
+#    "_" Waiting for Connection, "S" Starting up, "R" Reading Request,
+#    "W" Sending Reply, "K" Keepalive (read), "D" DNS Lookup,
+#    "C" Closing connection, "L" Logging, "G" Gracefully finishing,
+#    "I" Idle cleanup of worker, "." Open slot with no current process
+
+if (exists $ARGV[0] and $ARGV[0] eq "autoconf") {
+    if ($ret) {
+	print "no ($ret)\n";
+	exit 1;
+    }
+    my $ua = LWP::UserAgent->new(timeout => 30);
+    my @badports;
+    
+    foreach my $port (@PORTS) {
+	my $url = sprintf $URL, $port;
+	my $response = $ua->request(HTTP::Request->new('GET',$url));
+	push @badports, $port unless $response->is_success and $response->content =~ /Scoreboard/im;
+    }
+    
+    if (@badports) {
+	print "no (no apache server-status on ports @badports)\n";
+	exit 1;
+    } else {
+	print "yes\n";
+	exit 0;
+    }
+}
+
+if (exists $ARGV[0] and $ARGV[0] eq "config") {
+    print "graph_title Apache activity\n";
+    print "graph_args --base 1000 -l 0\n";
+    print "graph_category apache\n";
+    print "graph_vlabel processes\n";
+    foreach my $port (@PORTS) {
+	while (my ($char, $val) = each (%chars)) {
+	    $char =~ s/\\\./dot/;
+            $char =~ s/\\\_/underline/;
+            print "activity_${port}_${char}.label ";
+	    print $val, "\n";
+            print "activity_${port}_${char}.type GAUGE\n";
+        }
+    }    
+    exit 0;
+}
+
+foreach my $port (@PORTS) {
+    my $ua = LWP::UserAgent->new (timeout => 30);
+    my $url = sprintf $URL, $port;
+    my $response = $ua->request (HTTP::Request->new('GET',$url));
+    if ($response->content =~ /^Scoreboard\:\s?(.*)$/sm) {
+	my $string = $1;
+	chomp $string;
+	my @act = split (//, $string);
+	foreach my $char (keys (%chars)) {
+	    my $num = scalar (grep (/$char/, @act));
+	    $char =~ s/\\\./dot/;
+	    $char =~ s/\\\_/underline/;
+	    print "activity_${port}_${char}.value $num\n";
+	}
+    }
+}
+
+
diff --git a/files/service/CentOS/httpd.itk_plus b/files/service/CentOS/httpd.itk_plus
new file mode 100644
index 0000000..4d74de2
--- /dev/null
+++ b/files/service/CentOS/httpd.itk_plus
@@ -0,0 +1,24 @@
+# Configuration file for the httpd service.
+
+#
+# The default processing model (MPM) is the process-based
+# 'prefork' model.  A thread-based model, 'worker', is also
+# available, but does not work with some modules (such as PHP).
+# The service must be stopped before changing this variable.
+#
+#HTTPD=/usr/sbin/httpd.worker
+HTTPD=/usr/sbin/httpd
+HTTPD_LOCAL=/usr/sbin/httpd.itk
+
+#
+# To pass additional options (for instance, -D definitions) to the
+# httpd binary at startup, set OPTIONS here.
+#
+#OPTIONS=
+
+#
+# By default, the httpd process is started in the C locale; to 
+# change the locale in which the server runs, the HTTPD_LANG
+# variable can be set.
+#
+#HTTPD_LANG=C
diff --git a/files/service/CentOS/httpd.worker b/files/service/CentOS/httpd.worker
new file mode 100644
index 0000000..290923f
--- /dev/null
+++ b/files/service/CentOS/httpd.worker
@@ -0,0 +1,22 @@
+# Configuration file for the httpd service.
+
+#
+# The default processing model (MPM) is the process-based
+# 'prefork' model.  A thread-based model, 'worker', is also
+# available, but does not work with some modules (such as PHP).
+# The service must be stopped before changing this variable.
+#
+HTTPD=/usr/sbin/httpd.worker
+
+#
+# To pass additional options (for instance, -D definitions) to the
+# httpd binary at startup, set OPTIONS here.
+#
+#OPTIONS=
+
+#
+# By default, the httpd process is started in the C locale; to 
+# change the locale in which the server runs, the HTTPD_LANG
+# variable can be set.
+#
+#HTTPD_LANG=C
diff --git a/files/vhosts.d/CentOS/0-default_ssl.conf b/files/vhosts.d/CentOS/0-default_ssl.conf
index 9f8c4b6..d018bcc 100644
--- a/files/vhosts.d/CentOS/0-default_ssl.conf
+++ b/files/vhosts.d/CentOS/0-default_ssl.conf
@@ -8,6 +8,12 @@
     Include include.d/ssl_defaults.inc
     DocumentRoot /var/www/html
 
+    # Use separate log files for the SSL virtual host; note that LogLevel
+    # is not inherited from httpd.conf.
+    ErrorLog logs/ssl_error_log
+    TransferLog logs/ssl_access_log
+    LogLevel warn
+
     SSLCertificateFile /etc/pki/tls/certs/localhost.crt
     SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
 </VirtualHost>
diff --git a/files/vhosts.d/Gentoo/0-default_ssl.conf b/files/vhosts.d/Gentoo/0-default_ssl.conf
index 7efe879..a123de8 100644
--- a/files/vhosts.d/Gentoo/0-default_ssl.conf
+++ b/files/vhosts.d/Gentoo/0-default_ssl.conf
@@ -31,7 +31,8 @@ UseCanonicalName On
 	# List the ciphers that the client is permitted to negotiate.
 	# See the mod_ssl documentation for a complete list.
 	#SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
-    SSLCipherSuite HIGH:MEDIUM:!ADH:-SSLv2
+    #SSLCipherSuite HIGH:MEDIUM:!ADH:-SSLv2
+    SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:@STRENGTH
  
     SSLCertificateFile /e/certs/server.crt
     SSLCertificateKeyFile /e/certs/server.key
author	Micah Anderson <micah@riseup.net>	2013-04-12 13:23:29 -0400
committer	Micah Anderson <micah@riseup.net>	2013-04-12 14:37:28 -0400
commit	115691c87bad3f5863f088e73603133b67c9f828 (patch)
tree	bbfd7b5c0d0c220ef3e52eb25acd4595a46b85d0 /files
parent	2401aae6c4785c1e6a777756bebe70c38b889727 (diff)
parent	5ec141dfbf218dd9b2f2611d788db98f74e65073 (diff)