diff options
| author | mh <mh@immerda.ch> | 2010-08-16 19:01:24 +0200 |
|---|---|---|
| committer | mh <mh@immerda.ch> | 2010-08-16 19:20:22 +0200 |
| commit | 1bdb39c6dd8ccaf76d8a4aa2e9486069afd2d476 (patch) | |
| tree | 9809ed82773911d4306c9315796592b9f45a5550 /manifests/vhost.pp | |
| parent | 888e0d3dde723fff0ba11d8a24a4c2e64d299ea5 (diff) | |
impelement itk plus mode
itk plus mode is an additional mode to deploy itk based hostings
which should be a bit more performant. The idea is that we have
two apache-instances running:
A) prefork based, listening on the external interface
B) itk based, listening on the loopback interface
A) will serve all static webpages, as well as possibly serve all static
content of dynamic websites. All requests to dynamic content will be
redirected to B). The idea is that A) doesn't load any modules to server
dynamic content at all.
B) will serve all the dynamic scripts of a vhost.
This will mean that for vhosts (static ones) as well as static content (all
none dynamic scripts) we can benefit from the fast prefork model, while we
can use itk's security model for all the dynamic scripts.
There are two new additional run_modes:
- proxy-itk: this just passes all requests to apache instance B). This one
is similar to plain itk based mode and should be used for vhosts
that shouldn't (yet) changed to the mixed mode.
- static-itk: this passes only requests to dynamic scripts to B) while all
static content is served by A). Beware that the user with which
A) is running should be member of the run group of B) and all
static files need to readable by the group. This reduces
the security model you have with plain itk, as the prefork
apache user will be able to read php (config-) files of any
vhost that runs in static-itk mode. If you want to keep
the level of security for a certain vhost, you need to run
the specific vhost in proxy-itk mode.
Note 1: you cannot run vhosts in itk mode and others in proxy or static
itk mode. There is a duplicate file resource definition that
blocks that possibility.
Note 2: This mode works currently only on CentOS based systems, as no
work have been done so far to implement an init.d script that's
able to run 2 apache instances.
Diffstat (limited to 'manifests/vhost.pp')
| -rw-r--r-- | manifests/vhost.pp | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/manifests/vhost.pp b/manifests/vhost.pp index cc163eb..cb89359 100644 --- a/manifests/vhost.pp +++ b/manifests/vhost.pp @@ -14,6 +14,25 @@ # - nologs: Send every logging to /dev/null # - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null # - semianonym: Don't log ips for CustomLog, log normal ErrorLog +# +# run_mode: controls in which mode the vhost should be run, there are different setups +# possible: +# - normal: (*default*) run vhost with the current active worker (default: prefork) don't +# setup anything special +# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination +# with 'proxy-itk' & 'static-itk' mode) +# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the +# requests for the itk setup, that listens only on the loobpack device. +# (Incompatibility: cannot be used in combination with the itk setup.) +# - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static +# content and proxies the dynamic calls to the itk setup, that listens only on +# the loobpack device (Incompatibility: cannot be used in combination with +# 'itk' mode) +# +# mod_security: Whether we use mod_security or not (will include mod_security module) +# - false: (*default*) don't activate mod_security +# - true: activate mod_security +# define apache::vhost( $ensure = present, $path = 'absent', @@ -62,6 +81,8 @@ define apache::vhost( vhost_source => $vhost_source, vhost_destination => $vhost_destination, do_includes => $do_includes, + run_mode => $run_mode, + mode_security => $mod_security, htpasswd_file => $htpasswd_file, htpasswd_path => $htpasswd_path, use_mod_macro => $use_mod_macro, |