path: root/files
diff options
authorMicah Anderson <>2013-04-17 16:07:55 -0400
committerMicah Anderson <>2013-04-17 16:07:55 -0400
commit6844258b567b5065f5488a12f3f18208ff36ecb0 (patch)
tree57dc2fd942ca81584f85ea7f25ec77a6b845f88e /files
parentdafb060fc57957dbe9e5e90698537e781cebeaf6 (diff)
parent2f6d7891e115f921c157567e2aa5afd6199c310e (diff)
Merge remote-tracking branch 'shared/master' into leap
Conflicts: manifests/debian.pp
Diffstat (limited to 'files')
10 files changed, 260 insertions, 18 deletions
diff --git a/files/include.d/CentOS/ b/files/include.d/CentOS/
index 5cc663f..7735ebb 100644
--- a/files/include.d/CentOS/
+++ b/files/include.d/CentOS/
@@ -1,9 +1,3 @@
-# Use separate log files for the SSL virtual host; note that LogLevel
-# is not inherited from httpd.conf.
-ErrorLog logs/ssl_error_log
-TransferLog logs/ssl_access_log
-LogLevel warn
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
@@ -11,13 +5,16 @@ SSLEngine on
# SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect. Disable SSLv2 access by default:
-SSLProtocol all -SSLv2
+#SSLProtocol all -SSLv2
+SSLProtocol -all +SSLv3 +TLSv1
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
+SSLHonorCipherOrder on
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
@@ -134,8 +131,5 @@ SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
-# Per-Server Logging:
-# The home of a custom SSL log file. Use this when you want a
-# compact non-error SSL logfile on a virtual host basis.
-CustomLog logs/ssl_request_log \
- "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+# set STS Header
+Header add Strict-Transport-Security "max-age=15768000"
diff --git a/files/include.d/Debian/ b/files/include.d/Debian/
index 3a67cd3..7030ec8 100644
--- a/files/include.d/Debian/
+++ b/files/include.d/Debian/
@@ -11,13 +11,13 @@ SSLEngine on
# SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect. Disable SSLv2 access by default:
-SSLProtocol all -SSLv2
+SSLProtocol -all +SSLv3 +TLSv1
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
+SSLHonorCipherOrder on
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
@@ -139,3 +139,6 @@ SetEnvIf User-Agent ".*MSIE.*" \
# compact non-error SSL logfile on a virtual host basis.
CustomLog /var/log/apache2/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+# set STS Header
+Header add Strict-Transport-Security "max-age=15768000"
diff --git a/files/include.d/OpenBSD/ b/files/include.d/OpenBSD/
index e7d2c36..67cf36f 100644
--- a/files/include.d/OpenBSD/
+++ b/files/include.d/OpenBSD/
@@ -1,4 +1,5 @@
SSLEngine on
SSLCertificateFile /etc/ssl/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key
diff --git a/files/include.d/ b/files/include.d/
new file mode 100644
index 0000000..40c44e4
--- /dev/null
+++ b/files/include.d/
@@ -0,0 +1,17 @@
+# silverstripe .htaccess
+<Files *.ss>
+ Order deny,allow
+ Deny from all
+ #Allow from
+<IfModule mod_rewrite.c>
+ RewriteEngine On
+ #RewriteBase /
+ RewriteCond %{REQUEST_URI} !(\.gif$)|(\.jpg$)|(\.png$)|(\.css$)|(\.js$)
+ RewriteCond %{REQUEST_URI} ^(.*)$
+ RewriteCond %{REQUEST_FILENAME} !-f
+ RewriteRule .* sapphire/main.php?url=%1&%{QUERY_STRING} [L]
diff --git a/files/itk_plus/conf.d/CentOS/ssl.conf b/files/itk_plus/conf.d/CentOS/ssl.conf
new file mode 100644
index 0000000..fb0c915
--- /dev/null
+++ b/files/itk_plus/conf.d/CentOS/ssl.conf
@@ -0,0 +1,75 @@
+# This is the Apache server configuration file providing SSL support.
+# It contains the configuration directives to instruct the server how to
+# serve pages over an https connection. For detailing information about these
+# directives see <URL:>
+# Do NOT simply read the instructions in here without understanding
+# what they do. They're here only as hints or reminders. If you are unsure
+# consult the online docs. You have been warned.
+LoadModule ssl_module modules/
+# When we also provide SSL we have to listen to the
+# the HTTPS port in addition.
+NameVirtualHost *:443
+## SSL Global Context
+## All SSL configuration in this context applies both to
+## the main server and all SSL-enabled virtual hosts.
+# Some MIME-types for downloading Certificates and CRLs
+AddType application/x-x509-ca-cert .crt
+AddType application/x-pkcs7-crl .crl
+# Pass Phrase Dialog:
+# Configure the pass phrase gathering process.
+# The filtering dialog program (`builtin' is a internal
+# terminal dialog) has to provide the pass phrase on stdout.
+SSLPassPhraseDialog builtin
+# Inter-Process Session Cache:
+# Configure the SSL Session Cache: First the mechanism
+# to use and second the expiring timeout (in seconds).
+#SSLSessionCache dc:UNIX:/var/cache/mod_ssl/distcache
+SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
+SSLSessionCacheTimeout 300
+# Semaphore:
+# Configure the path to the mutual exclusion semaphore the
+# SSL engine uses internally for inter-process synchronization.
+SSLMutex default
+# Pseudo Random Number Generator (PRNG):
+# Configure one or more sources to seed the PRNG of the
+# SSL library. The seed data should be of good random quality.
+# WARNING! On some platforms /dev/random blocks if not enough entropy
+# is available. This means you then cannot use the /dev/random device
+# because it would lead to very long connection times (as long as
+# it requires to make more entropy available). But usually those
+# platforms additionally provide a /dev/urandom device which doesn't
+# block. So, if available, use this one instead. Read the mod_ssl User
+# Manual for more details.
+SSLRandomSeed startup file:/dev/urandom 256
+SSLRandomSeed connect builtin
+#SSLRandomSeed startup file:/dev/random 512
+#SSLRandomSeed connect file:/dev/random 512
+#SSLRandomSeed connect file:/dev/urandom 512
+# Use "SSLCryptoDevice" to enable any supported hardware
+# accelerators. Use "openssl engine -v" to list supported
+# engine names. NOTE: If you enable an accelerator and the
+# server does not start, consult the error logs and ensure
+# your accelerator is functioning properly.
+SSLCryptoDevice builtin
+#SSLCryptoDevice ubsec
diff --git a/files/munin/apache_activity b/files/munin/apache_activity
new file mode 100755
index 0000000..65fc072
--- /dev/null
+++ b/files/munin/apache_activity
@@ -0,0 +1,99 @@
+# Parameters supported:
+# config
+# autoconf
+# Configurable variables
+# url - Override default status-url
+# Magic markers:
+#%# family=auto
+#%# capabilities=autoconf
+my $ret = undef;
+if (!eval "require LWP::UserAgent;") {
+ $ret = "LWP::UserAgent not found";
+my $URL = exists $ENV{'url'} ? $ENV{'url'} : "";
+my @PORTS = exists $ENV{'ports'} ? split(' ', $ENV{'ports'}) : (80);
+my %chars = (
+ # '\_' => 'Waiting',
+ # 'S' => 'Starting up',
+ 'R' => 'Reading request',
+ 'W' => 'Sending reply',
+ 'K' => 'Keepalive',
+ 'D' => 'DNS lookup',
+ 'C' => 'Closing',
+ # 'L' => 'Logging',
+ # 'G' => 'Gracefully finishing',
+ # 'I' => 'Idle cleanup',
+ # '\.' => 'Open slot',
+ );
+# "_" Waiting for Connection, "S" Starting up, "R" Reading Request,
+# "W" Sending Reply, "K" Keepalive (read), "D" DNS Lookup,
+# "C" Closing connection, "L" Logging, "G" Gracefully finishing,
+# "I" Idle cleanup of worker, "." Open slot with no current process
+if (exists $ARGV[0] and $ARGV[0] eq "autoconf") {
+ if ($ret) {
+ print "no ($ret)\n";
+ exit 1;
+ }
+ my $ua = LWP::UserAgent->new(timeout => 30);
+ my @badports;
+ foreach my $port (@PORTS) {
+ my $url = sprintf $URL, $port;
+ my $response = $ua->request(HTTP::Request->new('GET',$url));
+ push @badports, $port unless $response->is_success and $response->content =~ /Scoreboard/im;
+ }
+ if (@badports) {
+ print "no (no apache server-status on ports @badports)\n";
+ exit 1;
+ } else {
+ print "yes\n";
+ exit 0;
+ }
+if (exists $ARGV[0] and $ARGV[0] eq "config") {
+ print "graph_title Apache activity\n";
+ print "graph_args --base 1000 -l 0\n";
+ print "graph_category apache\n";
+ print "graph_vlabel processes\n";
+ foreach my $port (@PORTS) {
+ while (my ($char, $val) = each (%chars)) {
+ $char =~ s/\\\./dot/;
+ $char =~ s/\\\_/underline/;
+ print "activity_${port}_${char}.label ";
+ print $val, "\n";
+ print "activity_${port}_${char}.type GAUGE\n";
+ }
+ }
+ exit 0;
+foreach my $port (@PORTS) {
+ my $ua = LWP::UserAgent->new (timeout => 30);
+ my $url = sprintf $URL, $port;
+ my $response = $ua->request (HTTP::Request->new('GET',$url));
+ if ($response->content =~ /^Scoreboard\:\s?(.*)$/sm) {
+ my $string = $1;
+ chomp $string;
+ my @act = split (//, $string);
+ foreach my $char (keys (%chars)) {
+ my $num = scalar (grep (/$char/, @act));
+ $char =~ s/\\\./dot/;
+ $char =~ s/\\\_/underline/;
+ print "activity_${port}_${char}.value $num\n";
+ }
+ }
diff --git a/files/service/CentOS/httpd.itk_plus b/files/service/CentOS/httpd.itk_plus
new file mode 100644
index 0000000..4d74de2
--- /dev/null
+++ b/files/service/CentOS/httpd.itk_plus
@@ -0,0 +1,24 @@
+# Configuration file for the httpd service.
+# The default processing model (MPM) is the process-based
+# 'prefork' model. A thread-based model, 'worker', is also
+# available, but does not work with some modules (such as PHP).
+# The service must be stopped before changing this variable.
+# To pass additional options (for instance, -D definitions) to the
+# httpd binary at startup, set OPTIONS here.
+# By default, the httpd process is started in the C locale; to
+# change the locale in which the server runs, the HTTPD_LANG
+# variable can be set.
diff --git a/files/service/CentOS/httpd.worker b/files/service/CentOS/httpd.worker
new file mode 100644
index 0000000..290923f
--- /dev/null
+++ b/files/service/CentOS/httpd.worker
@@ -0,0 +1,22 @@
+# Configuration file for the httpd service.
+# The default processing model (MPM) is the process-based
+# 'prefork' model. A thread-based model, 'worker', is also
+# available, but does not work with some modules (such as PHP).
+# The service must be stopped before changing this variable.
+# To pass additional options (for instance, -D definitions) to the
+# httpd binary at startup, set OPTIONS here.
+# By default, the httpd process is started in the C locale; to
+# change the locale in which the server runs, the HTTPD_LANG
+# variable can be set.
diff --git a/files/vhosts.d/CentOS/0-default_ssl.conf b/files/vhosts.d/CentOS/0-default_ssl.conf
index 9f8c4b6..d018bcc 100644
--- a/files/vhosts.d/CentOS/0-default_ssl.conf
+++ b/files/vhosts.d/CentOS/0-default_ssl.conf
@@ -8,6 +8,12 @@
Include include.d/
DocumentRoot /var/www/html
+ # Use separate log files for the SSL virtual host; note that LogLevel
+ # is not inherited from httpd.conf.
+ ErrorLog logs/ssl_error_log
+ TransferLog logs/ssl_access_log
+ LogLevel warn
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
diff --git a/files/vhosts.d/Gentoo/0-default_ssl.conf b/files/vhosts.d/Gentoo/0-default_ssl.conf
index 7efe879..a123de8 100644
--- a/files/vhosts.d/Gentoo/0-default_ssl.conf
+++ b/files/vhosts.d/Gentoo/0-default_ssl.conf
@@ -31,7 +31,8 @@ UseCanonicalName On
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCertificateFile /e/certs/server.crt
SSLCertificateKeyFile /e/certs/server.key