-rw-r--r-- | README | 91 | ||||
-rw-r--r-- | files/conf.d/Debian/ssl.conf | 1 | ||||
-rw-r--r-- | files/config/Debian/apache2.conf | 127 | ||||
-rw-r--r-- | files/include.d/Debian/ssl_defaults.inc | 138 | ||||
-rw-r--r-- | files/vhosts.d/Debian/0-default.conf | 41 | ||||
-rw-r--r-- | files/vhosts.d/Debian/0-default_ssl.conf | 170 | ||||
-rw-r--r-- | manifests/base.pp | 10 | ||||
-rw-r--r-- | manifests/config/file.pp | 28 | ||||
-rw-r--r-- | manifests/config/global.pp | 2 | ||||
-rw-r--r-- | manifests/config/include.pp | 2 | ||||
-rw-r--r-- | manifests/debian/module.pp | 18 | ||||
-rw-r--r-- | manifests/init.pp | 3 | ||||
-rw-r--r-- | manifests/module.pp | 33 | ||||
-rw-r--r-- | manifests/ssl/base.pp | 5 | ||||
-rw-r--r-- | manifests/ssl/debian.pp | 9 | ||||
-rw-r--r-- | manifests/vhost.pp | 2 |
16 files changed, 557 insertions, 123 deletions
@@ -1,5 +1,21 @@ -puppet module apache -==================== +puppet module for managing an Apache web server +=============================================== + +This module tries to manage apache on different distros in a similar manner. a +few additional directories have to be created as well some configuration files +have to be deployed to fit this schema. + +! Upgrade Notice ! + + currently deployed apache::config::file resources could be broken + so one should change occurences of this resource's argument from: + + source => "modules/site-apache/blah" + + to a full source specification string: + + source => "puppet:///modules/site-apache/blah" + written by immerda project group admin+puppet(at)immerda.ch 
@@ -12,14 +28,73 @@ original idea by David Schmitt License: GPLv3 -################################### +Usage +===== + +Installing Apache +----------------- + +To install Apache, simply include the 'apache' class in your manifests: + + include apache + +If you want to install Apache and also enable SSL support: + + include apache::ssl + +You can install the ITK worker model to enforce stronger, per-user security: + + include apache::itk -This module tries to manage apache on different distros in a -similar manner. a few additional directories have to be -created as well some configuration files have to be deployed -to fit this schema. +You can combine SSL support and the ITK worker model by including both classes. + +If you do not want the 0-default.conf and 0-default_ssl.conf virtualhosts +automatically created, then simply set $apache_no_default_site = true in your +node configuration. + +Configuring Apache +------------------ + +To deploy a global configuration file in the conf.d directory under Apache's +config directory, you can use the following: + +apache::config::global { 'filename': + content => 'Alias /thisApplication /usr/share/thisApplication/htdocs', +} + +To manage users in an htpasswd file: + +apache::htpasswd_user { "joe@$domain": + site => "$domain", + username => 'joe', + password => "$pass", + password_iscrypted = true, +} + +VirtualHost files +----------------- vhosts can be added with the vhosts define: (currently only plain vhosts file are supported) -apache::vhosts::file { '$domain' } +apache::vhosts::file { "$domain" } + +multiple shortcuts can be used to define a vhost with certain capabilities: + +apache::vhosts::php::drupal { "$domain" } + +Munin +----- + +If you are using munin, and have the puppet munin module installed, you can set +the variable $use_munin = true to have graphs setup for you. + +For now, though, this only enables the server-status page in apache. 
+ +Shorewall +--------- + +If you have the shorewall module installed and are using it, you can set the +variable $use_shorewall = true to have a rule automatically defined for you to +let traffic come from the exterior into the web server via port 80, and also +443 if you're using the apache::ssl class. diff --git a/files/conf.d/Debian/ssl.conf b/files/conf.d/Debian/ssl.conf new file mode 100644 index 0000000..bcfe820 --- /dev/null +++ b/files/conf.d/Debian/ssl.conf @@ -0,0 +1 @@ +NameVirtualHost *:443 diff --git a/files/config/Debian/apache2.conf b/files/config/Debian/apache2.conf index 4af3074..1e97b4e 100644 --- a/files/config/Debian/apache2.conf +++ b/files/config/Debian/apache2.conf @@ -24,9 +24,9 @@ # Configuration and logfile names: If the filenames you specify for many # of the server's control files begin with "/" (or "drive:/" for Win32), the # server will use that explicit path. If the filenames do *not* begin -# with "/", the value of ServerRoot is prepended -- so "/var/log/apache2/foo.log" -# with ServerRoot set to "" will be interpreted by the -# server as "//var/log/apache2/foo.log". +# with "/", the value of ServerRoot is prepended -- so "foo.log" +# with ServerRoot set to "/etc/apache2" will be interpreted by the +# server as "/etc/apache2/foo.log". # ### Section 1: Global Environment 
@@ -42,21 +42,17 @@ # # NOTE! If you intend to place this on an NFS (or otherwise network) # mounted filesystem then please read the LockFile documentation (available -# at <URL:http://httpd.apache.org/docs-2.1/mod/mpm_common.html#lockfile>); +# at <URL:http://httpd.apache.org/docs/2.2/mod/mpm_common.html#lockfile>); # you will save yourself a lot of trouble. # # Do NOT add a slash at the end of the directory path. # -ServerRoot "/etc/apache2" +#ServerRoot "/etc/apache2" # # The accept serialization lock file MUST BE STORED ON A LOCAL DISK. # -#<IfModule !mpm_winnt.c> -#<IfModule !mpm_netware.c> -LockFile /var/lock/apache2/accept.lock -#</IfModule> -#</IfModule> +LockFile ${APACHE_LOCK_DIR}/accept.lock # # PidFile: The file in which the server should record its process 
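Review bot: `LockFile ${APACHE_LOCK_DIR}/accept.lock` here (and `ErrorLog ${APACHE_LOG_DIR}/error.log` in the next hunk) only resolves when the process environment defines that variable, which on Debian happens through the envvars file sourced by the init script and apache2ctl; a bare `apache2 -t` run from a Puppet exec or by hand will presumably fail with an undefined-variable error. The module's service resource appears to start apache2 through the init script, so runtime is fine, but any config-check exec this module adds later should go through `apache2ctl configtest`. Commenting out `ServerRoot "/etc/apache2"` while later hunks switch every `Include` to a relative path makes the file depend on the compiled-in default root; a one-line comment next to the commented directive, `# relative Include paths below resolve against the compiled-in ServerRoot`, would make that intent explicit.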
@@ -112,13 +108,34 @@ KeepAliveTimeout 15 # MaxClients: maximum number of simultaneous client connections # MinSpareThreads: minimum number of worker threads which are kept spare # MaxSpareThreads: maximum number of worker threads which are kept spare +# ThreadLimit: ThreadsPerChild can be changed to this maximum value during a +# graceful restart. ThreadLimit can only be changed by stopping +# and starting Apache. # ThreadsPerChild: constant number of worker threads in each server process # MaxRequestsPerChild: maximum number of requests a server process serves <IfModule mpm_worker_module> StartServers 2 + MinSpareThreads 25 + MaxSpareThreads 75 + ThreadLimit 64 + ThreadsPerChild 25 + MaxClients 150 + MaxRequestsPerChild 0 +</IfModule> + +# event MPM +# StartServers: initial number of server processes to start +# MaxClients: maximum number of simultaneous client connections +# MinSpareThreads: minimum number of worker threads which are kept spare +# MaxSpareThreads: maximum number of worker threads which are kept spare +# ThreadsPerChild: constant number of worker threads in each server process +# MaxRequestsPerChild: maximum number of requests a server process serves +<IfModule mpm_event_module> + StartServers 2 MaxClients 150 MinSpareThreads 25 MaxSpareThreads 75 + ThreadLimit 64 ThreadsPerChild 25 MaxRequestsPerChild 0 </IfModule> @@ -142,6 +159,7 @@ AccessFileName .htaccess <Files ~ "^\.ht"> Order allow,deny Deny from all + Satisfy all </Files> # @@ -172,7 +190,7 @@ HostnameLookups Off # logged here. If you *do* define an error logfile for a <VirtualHost> # container, that host's errors will be logged there and not here. # -ErrorLog /var/log/apache2/error.log +ErrorLog ${APACHE_LOG_DIR}/error.log # # LogLevel: Control the number of messages logged to the error_log. 
@@ -182,100 +200,31 @@ ErrorLog /var/log/apache2/error.log LogLevel warn # Include module configuration: -Include /etc/apache2/mods-enabled/*.load -Include /etc/apache2/mods-enabled/*.conf +Include mods-enabled/*.load +Include mods-enabled/*.conf # Include all the user configurations: -Include /etc/apache2/httpd.conf +Include httpd.conf # Include ports listing -Include /etc/apache2/ports.conf +Include ports.conf # # The following directives define some format nicknames for use with # a CustomLog directive (see below). # If you are behind a reverse proxy, you might want to change %h into %{X-Forwarded-For}i # -LogFormat "%v:%p %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined -LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined -LogFormat "%h %l %u %t \"%r\" %>s %b" common +LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined +LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined +LogFormat "%h %l %u %t \"%r\" %>s %O" common LogFormat "%{Referer}i -> %U" referer LogFormat "%{User-agent}i" agent -# -# Define an access log for VirtualHosts that don't define their own logfile -CustomLog /var/log/apache2/other_vhosts_access.log vhost_combined - -# -# Customizable error responses come in three flavors: -# 1) plain text 2) local redirects 3) external redirects -# -# Some examples: -#ErrorDocument 500 "The server made a boo boo." -#ErrorDocument 404 /missing.html -#ErrorDocument 404 "/cgi-bin/missing_handler.pl" -#ErrorDocument 402 http://www.example.com/subscription_info.html -# - -# -# Putting this all together, we can internationalize error responses. -# -# We use Alias to redirect any /error/HTTP_<error>.html.var response to -# our collection of by-error message multi-language collections. We use -# includes to substitute the appropriate text. 
-# -# You can modify the messages' appearance without changing any of the -# default HTTP_<error>.html.var files by adding the line: -# -# Alias /error/include/ "/your/include/path/" -# -# which allows you to create your own set of files by starting with the -# /usr/share/apache2/error/include/ files and copying them to /your/include/path/, -# even on a per-VirtualHost basis. The default include files will display -# your Apache version number and your ServerAdmin email address regardless -# of the setting of ServerSignature. -# -# The internationalized error documents require mod_alias, mod_include -# and mod_negotiation. To activate them, uncomment the following 30 lines. - -# Alias /error/ "/usr/share/apache2/error/" -# -# <Directory "/usr/share/apache2/error"> -# AllowOverride None -# Options IncludesNoExec -# AddOutputFilter Includes html -# AddHandler type-map var -# Order allow,deny -# Allow from all -# LanguagePriority en cs de es fr it nl sv pt-br ro -# ForceLanguagePriority Prefer Fallback -# </Directory> -# -# ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var -# ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var -# ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var -# ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var -# ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var -# ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var -# ErrorDocument 410 /error/HTTP_GONE.html.var -# ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var -# ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var -# ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var -# ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var -# ErrorDocument 415 /error/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var -# ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var -# ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var -# ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var -# ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var -# ErrorDocument 506 
/error/HTTP_VARIANT_ALSO_VARIES.html.var - - - # Include of directories ignores editors' and dpkg's backup files, # see README.Debian for details. # Include generic snippets of statements -Include /etc/apache2/conf.d/ +Include conf.d/ # Include the virtual host configurations: -Include /etc/apache2/sites-enabled/ +Include sites-enabled/ diff --git a/files/include.d/Debian/ssl_defaults.inc b/files/include.d/Debian/ssl_defaults.inc index d1ec68d..7030ec8 100644 --- a/files/include.d/Debian/ssl_defaults.inc +++ b/files/include.d/Debian/ssl_defaults.inc 
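Review bot: The hunk drops `CustomLog /var/log/apache2/other_vhosts_access.log vhost_combined`, the catch-all access log for virtual hosts that define no CustomLog of their own, while keeping the `vhost_combined` format it used; after this change requests to such vhosts are not logged anywhere, which removes the evidence an incident responder looks at first. The other removed lines are commented-out ErrorDocument examples and cost nothing, but the CustomLog was live configuration. Unless every vhost the module deploys is guaranteed to set its own CustomLog, keep the line as `CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log vhost_combined`, matching the `${APACHE_LOG_DIR}` form the ErrorLog now uses earlier in the file.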
@@ -1,6 +1,144 @@ +# Use separate log files for the SSL virtual host; note that LogLevel +# is not inherited from httpd.conf. +ErrorLog /var/log/apache2/ssl_error_log +TransferLog /var/log/apache2/ssl_access_log +LogLevel warn + +# SSL Engine Switch: +# Enable/Disable SSL for this virtual host. +SSLEngine on + +# SSL Protocol support: +# List the enable protocol levels with which clients will be able to +# connect. Disable SSLv2 access by default: SSLProtocol -all +SSLv3 +TLSv1 + +# SSL Cipher Suite: +# List the ciphers that the client is permitted to negotiate. +# See the mod_ssl documentation for a complete list. SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH SSLHonorCipherOrder on +# Server Certificate: +# Point SSLCertificateFile at a PEM encoded certificate. If +# the certificate is encrypted, then you will be prompted for a +# pass phrase. Note that a kill -HUP will prompt again. A new +# certificate can be generated using the genkey(1) command. +#SSLCertificateFile /etc/pki/tls/certs/localhost.crt + +# Server Private Key: +# If the key is not combined with the certificate, use this +# directive to point at the key file. Keep in mind that if +# you've both a RSA and a DSA private key you can configure +# both in parallel (to also allow the use of DSA ciphers, etc.) +#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key + +# Server Certificate Chain: +# Point SSLCertificateChainFile at a file containing the +# concatenation of PEM encoded CA certificates which form the +# certificate chain for the server certificate. Alternatively +# the referenced file can be the same as SSLCertificateFile +# when the CA certificates are directly appended to the server +# certificate for convinience. 
+#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt + +# Certificate Authority (CA): +# Set the CA certificate verification path where to find CA +# certificates for client authentication or alternatively one +# huge file containing all of them (file must be PEM encoded) +#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt + +# Client Authentication (Type): +# Client certificate verification type and depth. Types are +# none, optional, require and optional_no_ca. Depth is a +# number which specifies how deeply to verify the certificate +# issuer chain before deciding the certificate is not valid. +#SSLVerifyClient require +#SSLVerifyDepth 10 + +# Access Control: +# With SSLRequire you can do per-directory access control based +# on arbitrary complex boolean expressions containing server +# variable checks and other lookup directives. The syntax is a +# mixture between C and Perl. See the mod_ssl documentation +# for more details. +#<Location /> +#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ +# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ +# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ +# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ +# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ +# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ +#</Location> + +# SSL Engine Options: +# Set various options for the SSL engine. +# o FakeBasicAuth: +# Translate the client X.509 into a Basic Authorisation. This means that +# the standard Auth/DBMAuth methods can be used for access control. The +# user name is the `one line' version of the client's X.509 certificate. +# Note that no password is obtained from the user. Every entry in the user +# file needs this password: `xxj31ZMTZzkVA'. +# o ExportCertData: +# This exports two additional environment variables: SSL_CLIENT_CERT and +# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the +# server (always existing) and the client (only existing when client +# authentication is used). 
This can be used to import the certificates +# into CGI scripts. +# o StdEnvVars: +# This exports the standard SSL/TLS related `SSL_*' environment variables. +# Per default this exportation is switched off for performance reasons, +# because the extraction step is an expensive operation and is usually +# useless for serving static content. So one usually enables the +# exportation for CGI and SSI requests only. +# o StrictRequire: +# This denies access when "SSLRequireSSL" or "SSLRequire" applied even +# under a "Satisfy any" situation, i.e. when it applies access is denied +# and no other module can change it. +# o OptRenegotiate: +# This enables optimized SSL connection renegotiation handling when SSL +# directives are used in per-directory context. +#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire +<Files ~ "\.(cgi|shtml|phtml|php3?)$"> + SSLOptions +StdEnvVars +</Files> +<Directory "/var/www/cgi-bin"> + SSLOptions +StdEnvVars +</Directory> + +# SSL Protocol Adjustments: +# The safe and default but still SSL/TLS standard compliant shutdown +# approach is that mod_ssl sends the close notify alert but doesn't wait for +# the close notify alert from client. When you need a different shutdown +# approach you can use one of the following variables: +# o ssl-unclean-shutdown: +# This forces an unclean shutdown when the connection is closed, i.e. no +# SSL close notify alert is send or allowed to received. This violates +# the SSL/TLS standard but is needed for some brain-dead browsers. Use +# this when you receive I/O errors because of the standard approach where +# mod_ssl sends the close notify alert. +# o ssl-accurate-shutdown: +# This forces an accurate shutdown when the connection is closed, i.e. a +# SSL close notify alert is send and mod_ssl waits for the close notify +# alert of the client. This is 100% SSL/TLS standard compliant, but in +# practice often causes hanging connections with brain-dead browsers. 
Use +# this only for browsers where you know that their SSL implementation +# works correctly. +# Notice: Most problems of broken clients are also related to the HTTP +# keep-alive facility, so you usually additionally want to disable +# keep-alive for those clients, too. Use variable "nokeepalive" for this. +# Similarly, one has to force some clients to use HTTP/1.0 to workaround +# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and +# "force-response-1.0" for this. +SetEnvIf User-Agent ".*MSIE.*" \ + nokeepalive ssl-unclean-shutdown \ + downgrade-1.0 force-response-1.0 + +# Per-Server Logging: +# The home of a custom SSL log file. Use this when you want a +# compact non-error SSL logfile on a virtual host basis. +CustomLog /var/log/apache2/ssl_request_log \ + "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" + # set STS Header Header add Strict-Transport-Security "max-age=15768000" diff --git a/files/vhosts.d/Debian/0-default.conf b/files/vhosts.d/Debian/0-default.conf new file mode 100644 index 0000000..2cbd90f --- /dev/null +++ b/files/vhosts.d/Debian/0-default.conf 
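Review bot: `SSLProtocol -all +SSLv3 +TLSv1` is an allowlist of exactly two versions, so any newer TLS version the installed mod_ssl supports stays disabled, and SSLv3 stays enabled on a vhost that also sends a Strict-Transport-Security header; the comment above it only says SSLv2 is disabled. The denylist form `SSLProtocol all -SSLv2 -SSLv3` expresses the stated intent and needs no editing when the server gains newer protocol versions. The commented examples also point at `/etc/pki/tls/...` and `/var/www/cgi-bin`, which are the Red Hat locations rather than the Debian ones (`/etc/ssl/...`, `/usr/lib/cgi-bin`) used by the new 0-default_ssl.conf in the same commit, and `SetEnvIf User-Agent ".*MSIE.*"` here versus `BrowserMatch` in that vhost is the same inconsistency in a smaller form.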
@@ -0,0 +1,41 @@ +<VirtualHost *:80> + ServerAdmin webmaster@localhost + + DocumentRoot /var/www/ + <Directory /> + Options FollowSymLinks + AllowOverride None + </Directory> + <Directory /var/www/> + Options Indexes FollowSymLinks MultiViews + AllowOverride None + Order allow,deny + allow from all + </Directory> + + ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ + <Directory "/usr/lib/cgi-bin"> + AllowOverride None + Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch + Order allow,deny + Allow from all + </Directory> + + ErrorLog /var/log/apache2/error.log + + # Possible values include: debug, info, notice, warn, error, crit, + # alert, emerg. + LogLevel warn + + CustomLog /var/log/apache2/access.log combined + + Alias /doc/ "/usr/share/doc/" + <Directory "/usr/share/doc/"> + Options Indexes MultiViews FollowSymLinks + AllowOverride None + Order deny,allow + Deny from all + Allow from 127.0.0.0/255.0.0.0 ::1/128 + </Directory> + +</VirtualHost> diff --git a/files/vhosts.d/Debian/0-default_ssl.conf b/files/vhosts.d/Debian/0-default_ssl.conf new file mode 100644 index 0000000..870215c --- /dev/null +++ b/files/vhosts.d/Debian/0-default_ssl.conf 
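Review bot: The new default vhost enables `Options Indexes` on `/var/www/`, so any directory under the document root without an index file gets an auto-generated listing, and as the alphabetically first vhost this is presumably the one answering for every unmatched name on port 80; if the module's default site is meant as a placeholder, `Options FollowSymLinks MultiViews` (dropping `Indexes`) is the safer default and still matches the rest of the file. The log paths here are hard-coded (`ErrorLog /var/log/apache2/error.log`, `CustomLog /var/log/apache2/access.log combined`) while apache2.conf in the same commit switches to `${APACHE_LOG_DIR}`; using the variable in both vhost files keeps them consistent.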
@@ -0,0 +1,170 @@ +<IfModule mod_ssl.c> +<VirtualHost _default_:443> + ServerAdmin webmaster@localhost + + DocumentRoot /var/www/ + <Directory /> + Options FollowSymLinks + AllowOverride None + </Directory> + <Directory /var/www/> + Options Indexes FollowSymLinks MultiViews + AllowOverride None + Order allow,deny + allow from all + </Directory> + + ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ + <Directory "/usr/lib/cgi-bin"> + AllowOverride None + Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch + Order allow,deny + Allow from all + </Directory> + + ErrorLog /var/log/apache2/error.log + + # Possible values include: debug, info, notice, warn, error, crit, + # alert, emerg. + LogLevel warn + + CustomLog /var/log/apache2/ssl_access.log combined + + Alias /doc/ "/usr/share/doc/" + <Directory "/usr/share/doc/"> + Options Indexes MultiViews FollowSymLinks + AllowOverride None + Order deny,allow + Deny from all + Allow from 127.0.0.0/255.0.0.0 ::1/128 + </Directory> + + # SSL Engine Switch: + # Enable/Disable SSL for this virtual host. + SSLEngine on + + # A self-signed (snakeoil) certificate can be created by installing + # the ssl-cert package. See + # /usr/share/doc/apache2.2-common/README.Debian.gz for more info. + # If both key and certificate are stored in the same file, only the + # SSLCertificateFile directive is needed. + SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem + SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key + + # Server Certificate Chain: + # Point SSLCertificateChainFile at a file containing the + # concatenation of PEM encoded CA certificates which form the + # certificate chain for the server certificate. Alternatively + # the referenced file can be the same as SSLCertificateFile + # when the CA certificates are directly appended to the server + # certificate for convinience. 
+ #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt + + # Certificate Authority (CA): + # Set the CA certificate verification path where to find CA + # certificates for client authentication or alternatively one + # huge file containing all of them (file must be PEM encoded) + # Note: Inside SSLCACertificatePath you need hash symlinks + # to point to the certificate files. Use the provided + # Makefile to update the hash symlinks after changes. + #SSLCACertificatePath /etc/ssl/certs/ + #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt + + # Certificate Revocation Lists (CRL): + # Set the CA revocation path where to find CA CRLs for client + # authentication or alternatively one huge file containing all + # of them (file must be PEM encoded) + # Note: Inside SSLCARevocationPath you need hash symlinks + # to point to the certificate files. Use the provided + # Makefile to update the hash symlinks after changes. + #SSLCARevocationPath /etc/apache2/ssl.crl/ + #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl + + # Client Authentication (Type): + # Client certificate verification type and depth. Types are + # none, optional, require and optional_no_ca. Depth is a + # number which specifies how deeply to verify the certificate + # issuer chain before deciding the certificate is not valid. + #SSLVerifyClient require + #SSLVerifyDepth 10 + + # Access Control: + # With SSLRequire you can do per-directory access control based + # on arbitrary complex boolean expressions containing server + # variable checks and other lookup directives. The syntax is a + # mixture between C and Perl. See the mod_ssl documentation + # for more details. + #<Location /> + #SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ + # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." 
\ + # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ + # and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ + # and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ + # or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ + #</Location> + + # SSL Engine Options: + # Set various options for the SSL engine. + # o FakeBasicAuth: + # Translate the client X.509 into a Basic Authorisation. This means that + # the standard Auth/DBMAuth methods can be used for access control. The + # user name is the `one line' version of the client's X.509 certificate. + # Note that no password is obtained from the user. Every entry in the user + # file needs this password: `xxj31ZMTZzkVA'. + # o ExportCertData: + # This exports two additional environment variables: SSL_CLIENT_CERT and + # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the + # server (always existing) and the client (only existing when client + # authentication is used). This can be used to import the certificates + # into CGI scripts. + # o StdEnvVars: + # This exports the standard SSL/TLS related `SSL_*' environment variables. + # Per default this exportation is switched off for performance reasons, + # because the extraction step is an expensive operation and is usually + # useless for serving static content. So one usually enables the + # exportation for CGI and SSI requests only. + # o StrictRequire: + # This denies access when "SSLRequireSSL" or "SSLRequire" applied even + # under a "Satisfy any" situation, i.e. when it applies access is denied + # and no other module can change it. + # o OptRenegotiate: + # This enables optimized SSL connection renegotiation handling when SSL + # directives are used in per-directory context. 
+ #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire + <FilesMatch "\.(cgi|shtml|phtml|php)$"> + SSLOptions +StdEnvVars + </FilesMatch> + <Directory /usr/lib/cgi-bin> + SSLOptions +StdEnvVars + </Directory> + + # SSL Protocol Adjustments: + # The safe and default but still SSL/TLS standard compliant shutdown + # approach is that mod_ssl sends the close notify alert but doesn't wait for + # the close notify alert from client. When you need a different shutdown + # approach you can use one of the following variables: + # o ssl-unclean-shutdown: + # This forces an unclean shutdown when the connection is closed, i.e. no + # SSL close notify alert is send or allowed to received. This violates + # the SSL/TLS standard but is needed for some brain-dead browsers. Use + # this when you receive I/O errors because of the standard approach where + # mod_ssl sends the close notify alert. + # o ssl-accurate-shutdown: + # This forces an accurate shutdown when the connection is closed, i.e. a + # SSL close notify alert is send and mod_ssl waits for the close notify + # alert of the client. This is 100% SSL/TLS standard compliant, but in + # practice often causes hanging connections with brain-dead browsers. Use + # this only for browsers where you know that their SSL implementation + # works correctly. + # Notice: Most problems of broken clients are also related to the HTTP + # keep-alive facility, so you usually additionally want to disable + # keep-alive for those clients, too. Use variable "nokeepalive" for this. + # Similarly, one has to force some clients to use HTTP/1.0 to workaround + # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and + # "force-response-1.0" for this. + BrowserMatch ".*MSIE.*" \ + nokeepalive ssl-unclean-shutdown \ + downgrade-1.0 force-response-1.0 + +</VirtualHost> +</IfModule> diff --git a/manifests/base.pp b/manifests/base.pp index 64a9d17..35fc42e 100644 --- a/manifests/base.pp +++ b/manifests/base.pp 
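Review bot: The new default SSL vhost sets `SSLEngine on` and the snakeoil certificate but contains no `Include` of the ssl_defaults.inc this commit also deploys, and it sets no `SSLProtocol`, `SSLCipherSuite`, `SSLHonorCipherOrder` or Strict-Transport-Security header of its own, so unless something outside this diff pulls the include in, the protocol and cipher policy in ssl_defaults.inc never applies here and mod_ssl's built-in defaults are used. If the include is meant to be referenced from every SSL vhost, add `Include <INCLUDE_DIR>/ssl_defaults.inc` (path per this module's include_dir) after `SSLEngine on`, or state in a comment that the default vhost is intentionally left at defaults. Note also that the vhost is `_default_:443` while the new conf.d/ssl.conf declares `NameVirtualHost *:443`; a `_default_` vhost does not belong to that name-based set, so Apache 2.2 will presumably warn that `*:443` has no VirtualHosts — confirm with `apache2ctl configtest`.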
@@ -48,13 +48,15 @@ class apache::base {
 require => File['vhosts_dir','config_dir','include_dir','modules_dir','htpasswd_dir','web_dir','default_apache_index']
 }
 
+ apache::config::include{ 'defaults.inc': }
+ apache::config::global{ 'git.conf': }
+ if !$apache::no_default_site {
+ apache::vhost::file { '0-default': }
+ }
+
 service{'apache':
 ensure => running,
 name => 'apache2',
 enable => true,
 }
-
- apache::config::include{ 'defaults.inc': }
- apache::config::global{ 'git.conf': }
- apache::vhost::file { '0-default': }
 }
diff --git a/manifests/config/file.pp b/manifests/config/file.pp
index 76328b5..308da68 100644
--- a/manifests/config/file.pp
+++ b/manifests/config/file.pp
@@ -2,6 +2,7 @@
 # by default we assume it's a global configuration file
 define apache::config::file(
 $ensure = present,
+ $target = false,
 $type = 'global',
 $source = 'absent',
 $content = 'absent',
@@ -50,12 +51,35 @@ define apache::config::file(
 }
 }
 default: {
- File["apache_${name}"]{
- content => $content,
+ case $content {
+ 'absent': {
+ $real_source = $source ? {
+ 'absent' => [
+ "puppet://${server}/modules/site-apache/${confdir}/${fqdn}/${name}",
+ "puppet://${server}/modules/site-apache/${confdir}/${apache_cluster_node}/${name}",
+ "puppet://${server}/modules/site-apache/${confdir}/${operatingsystem}.${lsbdistcodename}/${name}",
+ "puppet://${server}/modules/site-apache/${confdir}/${operatingsystem}/${name}",
+ "puppet://${server}/modules/site-apache/${confdir}/${name}",
+ "puppet://${server}/modules/apache/${confdir}/${operatingsystem}.${lsbdistcodename}/${name}",
+ "puppet://${server}/modules/apache/${confdir}/${operatingsystem}/${name}",
+ "puppet://${server}/modules/apache/${confdir}/${name}"
+ ],
+ default => $source,
+ }
+ File["apache_${name}"]{
+ source => $real_source,
+ }
+ }
+ default: {
+ File["apache_${name}"]{
+ content => $content,
+ }
+ }
 }
 }
 }
 }
+
 case $::operatingsystem {
 openbsd: { info("no package dependency on ${::operatingsystem} for ${name}") }
 default: {
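Review bot: `if !$apache::no_default_site` reads the class parameter added to init.pp in this commit, but ssl/base.pp guards the SSL default vhost with the top-scope variable `$apache_no_default_site`, and the README tells users to set `$apache_no_default_site = true`; with the parameter defaulting to false, a user following the README still gets 0-default deployed while 0-default_ssl is suppressed. Pick one mechanism for both: either `if !$apache::no_default_site {` in ssl/base.pp as well, or have init.pp derive the parameter from the node variable, and make the README match. The class body continues outside the hunk.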
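Review bot: The eight-entry fallback list assigned to `$real_source` encodes a lookup precedence (site-apache before this module, and within each fqdn, cluster node, os.codename, os, then generic) that nothing in the hunk states; a comment above it such as `# source lookup order: site-apache overrides this module; most specific path (fqdn, cluster node, os.codename, os) first` would save the next reader from counting URLs. The new `$target = false` parameter in the first hunk is not consumed by anything visible in this file's hunks; if the File resource is meant to become a symlink when it is set, that wiring is missing, otherwise say what it is for in the define's header comment. The rest of the define, including the File declaration these overrides target, is outside the hunks.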
diff --git a/manifests/config/global.pp b/manifests/config/global.pp index 5bb075b..8b0389b 100644 --- a/manifests/config/global.pp +++ b/manifests/config/global.pp @@ -2,12 +2,14 @@ # wrapper for apache::config::file define apache::config::global( $ensure = present, + $target = false, $source = 'absent', $content = 'absent', $destination = 'absent' ){ apache::config::file { "${name}": ensure => $ensure, + target => $target, type => 'global', source => $source, content => $content, diff --git a/manifests/config/include.pp b/manifests/config/include.pp index b58073f..4d676f0 100644 --- a/manifests/config/include.pp +++ b/manifests/config/include.pp @@ -1,12 +1,14 @@ # deploy apache configuration file (includes for vhosts) define apache::config::include( $ensure = present, + $target = false, $source = 'absent', $content = 'absent', $destination = 'absent' ){ apache::config::file { "${name}": ensure => $ensure, + target => $target, type => 'include', source => $source, content => $content, diff --git a/manifests/debian/module.pp b/manifests/debian/module.pp index 2c0f510..4c100fa 100644 --- a/manifests/debian/module.pp +++ b/manifests/debian/module.pp @@ -13,7 +13,15 @@ define apache::debian::module( } case $ensure { - 'present' : { + 'absent','purged': { + exec { "/usr/sbin/a2dismod ${name}": + onlyif => "/bin/sh -c '[ -L ${modules_dir}-enabled/${name}.load ] \\ + && [ ${modules_dir}-enabled/${name}.load -ef ${modules_dir}-available/${name}.load ]'", + notify => Service['apache'], + require => Package['apache'], + } + } + default : { exec { "/usr/sbin/a2enmod ${name}": unless => "/bin/sh -c '[ -L ${modules_dir}-enabled/${name}.load ] \\ && [ ${modules_dir}-enabled/${name}.load -ef ${modules_dir}-available/${name}.load ]'", 
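Review bot: The `default :` branch now runs `a2enmod` for every ensure value that is not `absent` or `purged`, so a typo such as `ensure => presnt` silently enables the module where the previous `'present'` branch would have matched nothing. Keeping an explicit `'present': {` branch and adding `default: { fail("apache::debian::module ${name}: unsupported ensure value ${ensure}") }` keeps the intent checkable; if additional values such as `installed` are meant to be accepted, list them alongside `'present'`. The enclosing case and define continue past the hunk.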
@@ -24,14 +32,6 @@ define apache::debian::module( }, } } - 'absent': { - exec { "/usr/sbin/a2dismod ${name}": - onlyif => "/bin/sh -c '[ -L ${modules_dir}-enabled/${name}.load ] \\ - && [ ${modules_dir}-enabled/${name}.load -ef ${modules_dir}-available/${name}.load ]'", - notify => Service['apache'], - require => Package['apache'], - } - } } } diff --git a/manifests/init.pp b/manifests/init.pp index 612149d..574c212 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -16,7 +16,8 @@ class apache( $cluster_node = '', $manage_shorewall = false, - $manage_munin = false + $manage_munin = false, + $no_default_site = false ) { case $::operatingsystem { centos: { include apache::centos } diff --git a/manifests/module.pp b/manifests/module.pp new file mode 100644 index 0000000..42639bb --- /dev/null +++ b/manifests/module.pp @@ -0,0 +1,33 @@ +define apache::module ( + $ensure = present, $source = '', + $destination = '', $module = '', $package_name = 'absent' ) +{ + + $real_module = $module ? { + '' => $name, + default => $module, + } + + case $operatingsystem { + 'centos': { + apache::centos::module { "$real_module": + ensure => $ensure, source => $source, + destination => $destination + } + } + 'gentoo': { + apache::gentoo::module { "$real_module": + ensure => $ensure, source => $source, + destination => $destination + } + } + 'debian','ubuntu': { + apache::debian::module { "$real_module": + ensure => $ensure, package_name => $package_name + } + } + default: { + err('Your operating system does not have a module deployment mechanism defined') + } + } +} diff --git a/manifests/ssl/base.pp b/manifests/ssl/base.pp index 4aabb40..ff9baa5 100644 --- a/manifests/ssl/base.pp +++ b/manifests/ssl/base.pp @@ -1,4 +1,7 @@ class apache::ssl::base { - ::apache::config::include{ 'ssl_defaults.inc': } + ::apache::config::include{ 'ssl_defaults.inc': } + + if !$apache_no_default_site { ::apache::vhost::file{ '0-default_ssl': } + } } 
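Review bot: The `default:` branch of `case $operatingsystem` in the new manifests/module.pp calls `err(...)`, which only logs; the catalog still compiles and the module the caller asked for is never deployed, so a node on an unsupported platform runs without it and with no failed resource to alert on. Use `fail('Your operating system does not have a module deployment mechanism defined')` so the run aborts instead. The file also reads the unqualified `$operatingsystem` where file.pp in the same commit uses `$::operatingsystem`; the qualified form avoids picking up a local variable of the same name.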
diff --git a/manifests/ssl/debian.pp b/manifests/ssl/debian.pp index 10b1631..99dfe36 100644 --- a/manifests/ssl/debian.pp +++ b/manifests/ssl/debian.pp @@ -1,9 +1,4 @@ class apache::ssl::debian inherits apache::ssl::base { - line { 'apache_debian_ssl_port': - file => "${apache::debian::config_dir}/ports.conf", - line => "Listen 443", - ensure => present, - require => Package['apache'], - notify => Service['apache'], - } + apache::debian::module { 'ssl': ensure => present } + apache::config::global { 'ssl.conf': } } diff --git a/manifests/vhost.pp b/manifests/vhost.pp index 90af00d..dcb26a2 100644 --- a/manifests/vhost.pp +++ b/manifests/vhost.pp @@ -119,6 +119,4 @@ define apache::vhost( } default: { fail("no such vhost_mode: $vhost_mode defined for $name.") } } - } - |
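Review bot: The removed `line` resource was the only thing in this class that put `Listen 443` into ports.conf, and neither replacement adds it: `apache::debian::module { 'ssl': ensure => present }` only enables the module via a2enmod, and the new files/conf.d/Debian/ssl.conf contains just `NameVirtualHost *:443`. Whether port 443 is still opened now depends on the distribution's stock ports.conf or mods-available/ssl.conf carrying a Listen directive — confirm on the targeted releases, and if it is not guaranteed, add `Listen 443` to files/conf.d/Debian/ssl.conf above the NameVirtualHost line.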