diff options
40 files changed, 2952 insertions, 125 deletions
diff --git a/files/service/CentOS/httpd.itk_plus b/files/service/CentOS/httpd.itk_plus new file mode 100644 index 0000000..4d74de2 --- /dev/null +++ b/files/service/CentOS/httpd.itk_plus @@ -0,0 +1,24 @@ +# Configuration file for the httpd service. + +# +# The default processing model (MPM) is the process-based +# 'prefork' model. A thread-based model, 'worker', is also +# available, but does not work with some modules (such as PHP). +# The service must be stopped before changing this variable. +# +#HTTPD=/usr/sbin/httpd.worker +HTTPD=/usr/sbin/httpd +HTTPD_LOCAL=/usr/sbin/httpd.itk + +# +# To pass additional options (for instance, -D definitions) to the +# httpd binary at startup, set OPTIONS here. +# +#OPTIONS= + +# +# By default, the httpd process is started in the C locale; to +# change the locale in which the server runs, the HTTPD_LANG +# variable can be set. +# +#HTTPD_LANG=C diff --git a/manifests/centos.pp b/manifests/centos.pp index ec29ccb..e8a413d 100644 --- a/manifests/centos.pp +++ b/manifests/centos.pp @@ -38,6 +38,18 @@ class apache::centos inherits apache::package { owner => root, group => 0, mode => 0644; } + line{ + 'pidfile_httpd.conf': + file => '/etc/httpd/conf/httpd.conf', + line => 'PidFile run/httpd.pid'; + 'listen_httpd.conf': + file => '/etc/httpd/conf/httpd.conf', + line => 'Listen 80'; + } + apache::config::global{'00-listen.conf': + ensure => absent, + } + include apache::logrotate::centos apache::config::global{ 'welcome.conf': } diff --git a/manifests/centos/itk.pp b/manifests/centos/itk.pp index 46a5225..9e97fa0 100644 --- a/manifests/centos/itk.pp +++ b/manifests/centos/itk.pp @@ -5,8 +5,6 @@ class apache::centos::itk inherits apache::centos { name => 'httpd-itk', } File['apache_service_config']{ - source => [ "puppet:///modules/site-apache/service/CentOS/${fqdn}/httpd.itk", - "puppet:///modules/site-apache/service/CentOS/httpd.itk", - "puppet:///modules/apache/service/CentOS/httpd.itk" ], + source => "puppet:///modules/apache/service/CentOS/httpd.itk" } } diff --git a/manifests/centos/itk_plus.pp b/manifests/centos/itk_plus.pp new file mode 100644 index 0000000..f73be04 --- /dev/null +++ b/manifests/centos/itk_plus.pp @@ -0,0 +1,15 @@ +# http://hostby.net/home/2008/07/12/centos-5-and-mpm-itk/ +class apache::centos::itk_plus inherits apache::centos::itk { + Line['pidfile_httpd.conf','listen_httpd.conf']{ + ensure => absent, + } + + Apache::Config::Global['00-listen.conf']{ + ensure => present, + content => template("apache/itk_plus/${operatingsystem}/00-listen.conf.erb"), + } + + File['apache_service_config']{ + source => "puppet:///modules/apache/service/CentOS/httpd.itk_plus" + } +} diff --git a/manifests/itk/lock.pp b/manifests/itk/lock.pp new file mode 100644 index 0000000..4ad95fa --- /dev/null +++ b/manifests/itk/lock.pp @@ -0,0 +1,4 @@ +class apache::itk::lock { + # This file resource is used to ensure that only one itk mode is used per host + file{'/var/www/.itk_mode_lock': ensure => absent } +} diff --git a/manifests/itk_plus.pp b/manifests/itk_plus.pp new file mode 100644 index 0000000..64d7c87 --- /dev/null +++ b/manifests/itk_plus.pp @@ -0,0 +1,10 @@ +# manifests/itk.pp +# +# see: http://mpm-itk.sesse.net/ + +class apache::itk_plus inherits apache::itk { + case $operatingsystem { + centos: { include ::apache::centos::itk_plus } + default: { fail("itk plus mode is currently only implemented for CentOS") } + } +} diff --git a/manifests/itk_plus/lock.pp b/manifests/itk_plus/lock.pp new file mode 100644 index 0000000..d540939 --- /dev/null +++ b/manifests/itk_plus/lock.pp @@ -0,0 +1,4 @@ +class apache::itk_plus::lock { + # This file resource is used to ensure that only one itk mode is used per host + file{'/var/www/.itk_mode_lock': ensure => absent } +} diff --git a/manifests/vhost.pp b/manifests/vhost.pp index cc163eb..cb89359 100644 --- a/manifests/vhost.pp +++ b/manifests/vhost.pp @@ -14,6 +14,25 @@ # - nologs: Send every logging to /dev/null # - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null # - semianonym: Don't log ips for CustomLog, log normal ErrorLog +# +# run_mode: controls in which mode the vhost should be run, there are different setups +# possible: +# - normal: (*default*) run vhost with the current active worker (default: prefork) don't +# setup anything special +# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination +# with 'proxy-itk' & 'static-itk' mode) +# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the +# requests for the itk setup, that listens only on the loobpack device. +# (Incompatibility: cannot be used in combination with the itk setup.) +# - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static +# content and proxies the dynamic calls to the itk setup, that listens only on +# the loobpack device (Incompatibility: cannot be used in combination with +# 'itk' mode) +# +# mod_security: Whether we use mod_security or not (will include mod_security module) +# - false: (*default*) don't activate mod_security +# - true: activate mod_security +# define apache::vhost( $ensure = present, $path = 'absent', @@ -62,6 +81,8 @@ define apache::vhost( vhost_source => $vhost_source, vhost_destination => $vhost_destination, do_includes => $do_includes, + run_mode => $run_mode, + mode_security => $mod_security, htpasswd_file => $htpasswd_file, htpasswd_path => $htpasswd_path, use_mod_macro => $use_mod_macro, diff --git a/manifests/vhost/file.pp b/manifests/vhost/file.pp index 32a80db..a471359 100644 --- a/manifests/vhost/file.pp +++ b/manifests/vhost/file.pp @@ -7,16 +7,48 @@ # - absent: standardpath (default) # - else: path to deploy # +# run_mode: controls in which mode the vhost should be run, there are different setups +# possible: +# - normal: (*default*) run vhost with the current active worker (default: prefork) don't +# setup anything special +# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination +# with 'proxy-itk' & 'static-itk' mode) +# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the +# requests for the itk setup, that listens only on the loobpack device. +# (Incompatibility: cannot be used in combination with the itk setup.) +# - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static +# content and proxies the dynamic calls to the itk setup, that listens only on +# the loobpack device (Incompatibility: cannot be used in combination with +# 'itk' mode) +# +# mod_security: Whether we use mod_security or not (will include mod_security module) +# - false: (*default*) don't activate mod_security +# - true: activate mod_security +# define apache::vhost::file( $ensure = present, $vhost_source = 'absent', $vhost_destination = 'absent', $content = 'absent', $do_includes = false, + $run_mode = 'normal', + $mod_security = false, $htpasswd_file = 'absent', $htpasswd_path = 'absent', $use_mod_macro = false ){ + if $mod_security { + case $run_mode { + 'itk': { include mod_security::itk } + 'proxy-itk','static-itk': { include mod_security::itk_plus } + default: { include mod_security } + } + } + + case $run_mode { + 'itk': { include ::apache::itk::lock } + 'proxy-itk','static-itk': { include ::apache::itk_plus::lock } + } $vhosts_dir = $operatingsystem ? { centos => "$apache::centos::config_dir/vhosts.d", gentoo => "$apache::gentoo::config_dir/vhosts.d", diff --git a/manifests/vhost/gitweb.pp b/manifests/vhost/gitweb.pp index 96e06b4..2bc15d0 100644 --- a/manifests/vhost/gitweb.pp +++ b/manifests/vhost/gitweb.pp @@ -3,6 +3,7 @@ # - nologs: Send every logging to /dev/null # - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null # - semianonym: Don't log ips for CustomLog, log normal ErrorLog +# define apache::vhost::gitweb( $ensure = present, $domain = 'absent', @@ -45,6 +46,7 @@ define apache::vhost::gitweb( options => $options, additional_options => $additional_options, default_charset => $default_charset, + run_mode => 'normal', ssl_mode => $ssl_mode, htpasswd_file => $htpasswd_file, htpasswd_path => $htpasswd_path, diff --git a/manifests/vhost/modperl.pp b/manifests/vhost/modperl.pp index ef6b5d7..30083a3 100644 --- a/manifests/vhost/modperl.pp +++ b/manifests/vhost/modperl.pp @@ -1,14 +1,30 @@ -# run_mode: -# - normal: nothing special (*default*) -# - itk: apache is running with the itk module -# and run_uid and run_gid are used as vhost users +# run_mode: controls in which mode the vhost should be run, there are different setups +# possible: +# - normal: (*default*) run vhost with the current active worker (default: prefork) don't +# setup anything special +# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination +# with 'proxy-itk' & 'static-itk' mode) +# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the +# requests for the itk setup, that listens only on the loobpack device. +# (Incompatibility: cannot be used in combination with the itk setup.) +# - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static +# content and proxies the dynamic calls to the itk setup, that listens only on +# the loobpack device (Incompatibility: cannot be used in combination with +# 'itk' mode) +# # run_uid: the uid the vhost should run as with the itk module # run_gid: the gid the vhost should run as with the itk module +# +# mod_security: Whether we use mod_security or not (will include mod_security module) +# - false: don't activate mod_security +# - true: (*default*) activate mod_security +# # logmode: # - default: Do normal logging to CustomLog and ErrorLog # - nologs: Send every logging to /dev/null # - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null # - semianonym: Don't log ips for CustomLog, log normal ErrorLog +# define apache::vhost::modperl( $ensure = present, $domain = 'absent', @@ -53,6 +69,7 @@ define apache::vhost::modperl( } default: { $real_cgi_binpath = $cgi_binpath } } + file{$real_cgi_binpath: ensure => directory, owner => $documentroot_owner, @@ -60,6 +77,11 @@ define apache::vhost::modperl( mode => $documentroot_mode; } + case $run_mode { + 'proxy-itk','static-itk': { include ::mod_perl::itk_plus } + default: { include ::mod_perl } + } + # create webdir ::apache::vhost::webdir{$name: ensure => $ensure, diff --git a/manifests/vhost/passenger.pp b/manifests/vhost/passenger.pp index 4a9b95e..c174079 100644 --- a/manifests/vhost/passenger.pp +++ b/manifests/vhost/passenger.pp @@ -1,10 +1,17 @@ # run_uid: the uid the vhost should run as with the mod_passenger module # run_gid: the gid the vhost should run as with the mod_passenger module +# # logmode: +# # - default: Do normal logging to CustomLog and ErrorLog # - nologs: Send every logging to /dev/null # - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null # - semianonym: Don't log ips for CustomLog, log normal ErrorLog +# +# mod_security: Whether we use mod_security or not (will include mod_security module) +# - false: don't activate mod_security +# - true: (*defaul*) activate mod_security +# define apache::vhost::passenger( $ensure = present, $domain = 'absent', @@ -20,10 +27,6 @@ define apache::vhost::passenger( $documentroot_owner = apache, $documentroot_group = 0, $documentroot_mode = 0640, - # TODO: think of a more generic way to handle user separation - # i.e. rename itk mode into something else - # e.g. default, moderate (use same user for access and run), strict (use different users for access and run) - $run_mode = 'normal', $run_uid = 'absent', $run_gid = 'absent', $allow_override = 'None', @@ -40,6 +43,9 @@ define apache::vhost::passenger( $htpasswd_file = 'absent', $htpasswd_path = 'absent' ){ + + include ::pasenger + if $manage_webdir { # create webdir ::apache::vhost::webdir{$name: @@ -67,7 +73,7 @@ define apache::vhost::passenger( domain => $domain, domainalias => $domainalias, server_admin => $server_admin, - run_mode => 'itk', + run_mode => 'normal', run_uid => $run_uid, run_gid => $run_gid, allow_override => $allow_override, diff --git a/manifests/vhost/php/drupal.pp b/manifests/vhost/php/drupal.pp index 7f48841..e56223a 100644 --- a/manifests/vhost/php/drupal.pp +++ b/manifests/vhost/php/drupal.pp @@ -1,9 +1,24 @@ -# run_mode: -# - normal: nothing special (*default*) -# - itk: apache is running with the itk module -# and run_uid and run_gid are used as vhost users +# run_mode: controls in which mode the vhost should be run, there are different setups +# possible: +# - normal: (*default*) run vhost with the current active worker (default: prefork) don't +# setup anything special +# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination +# with 'proxy-itk' & 'static-itk' mode) +# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the +# requests for the itk setup, that listens only on the loobpack device. +# (Incompatibility: cannot be used in combination with the itk setup.) +# - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static +# content and proxies the dynamic calls to the itk setup, that listens only on +# the loobpack device (Incompatibility: cannot be used in combination with +# 'itk' mode) +# # run_uid: the uid the vhost should run as with the itk module # run_gid: the gid the vhost should run as with the itk module +# +# mod_security: Whether we use mod_security or not (will include mod_security module) +# - false: don't activate mod_security +# - true: (*default*) activate mod_security +# # php_safe_mode_exec_bins: An array of local binaries which should be linked in the # safe_mode_exec_bin for this hosting # *default*: None @@ -15,6 +30,7 @@ # - nologs: Send every logging to /dev/null # - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null # - semianonym: Don't log ips for CustomLog, log normal ErrorLog +# define apache::vhost::php::drupal( $ensure = present, $domain = 'absent', diff --git a/manifests/vhost/php/gallery2.pp b/manifests/vhost/php/gallery2.pp index a846e7b..a43e627 100644 --- a/manifests/vhost/php/gallery2.pp +++ b/manifests/vhost/php/gallery2.pp @@ -1,9 +1,24 @@ -# run_mode: -# - normal: nothing special (*default*) -# - itk: apache is running with the itk module -# and run_uid and run_gid are used as vhost users +# run_mode: controls in which mode the vhost should be run, there are different setups +# possible: +# - normal: (*default*) run vhost with the current active worker (default: prefork) don't +# setup anything special +# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination +# with 'proxy-itk' & 'static-itk' mode) +# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the +# requests for the itk setup, that listens only on the loobpack device. +# (Incompatibility: cannot be used in combination with the itk setup.) +# - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static +# content and proxies the dynamic calls to the itk setup, that listens only on +# the loobpack device (Incompatibility: cannot be used in combination with +# 'itk' mode) +# # run_uid: the uid the vhost should run as with the itk module # run_gid: the gid the vhost should run as with the itk module +# +# mod_security: Whether we use mod_security or not (will include mod_security module) +# - false: (*defaul*) don't activate mod_security +# - true: activate mod_security +# # php_safe_mode_exec_bins: An array of local binaries which should be linked in the # safe_mode_exec_bin for this hosting # *default*: None diff --git a/manifests/vhost/php/joomla.pp b/manifests/vhost/php/joomla.pp index 1af9bf9..96e3ab1 100644 --- a/manifests/vhost/php/joomla.pp +++ b/manifests/vhost/php/joomla.pp @@ -1,9 +1,24 @@ -# run_mode: -# - normal: nothing special (*default*) -# - itk: apache is running with the itk module -# and run_uid and run_gid are used as vhost users +# run_mode: controls in which mode the vhost should be run, there are different setups +# possible: +# - normal: (*default*) run vhost with the current active worker (default: prefork) don't +# setup anything special +# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination +# with 'proxy-itk' & 'static-itk' mode) +# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the +# requests for the itk setup, that listens only on the loobpack device. +# (Incompatibility: cannot be used in combination with the itk setup.) +# - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static +# content and proxies the dynamic calls to the itk setup, that listens only on +# the loobpack device (Incompatibility: cannot be used in combination with +# 'itk' mode) +# # run_uid: the uid the vhost should run as with the itk module # run_gid: the gid the vhost should run as with the itk module +# +# mod_security: Whether we use mod_security or not (will include mod_security module) +# - false: don't activate mod_security +# - true: (*default*) activate mod_security +# # php_safe_mode_exec_bins: An array of local binaries which should be linked in the # safe_mode_exec_bin for this hosting # *default*: None diff --git a/manifests/vhost/php/mediawiki.pp b/manifests/vhost/php/mediawiki.pp index cda1654..108b91f 100644 --- a/manifests/vhost/php/mediawiki.pp +++ b/manifests/vhost/php/mediawiki.pp @@ -1,9 +1,24 @@ -# run_mode: -# - normal: nothing special (*default*) -# - itk: apache is running with the itk module -# and run_uid and run_gid are used as vhost users +# run_mode: controls in which mode the vhost should be run, there are different setups +# possible: +# - normal: (*default*) run vhost with the current active worker (default: prefork) don't +# setup anything special +# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination +# with 'proxy-itk' & 'static-itk' mode) +# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the +# requests for the itk setup, that listens only on the loobpack device. +# (Incompatibility: cannot be used in combination with the itk setup.) +# - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static +# content and proxies the dynamic calls to the itk setup, that listens only on +# the loobpack device (Incompatibility: cannot be used in combination with +# 'itk' mode) +# # run_uid: the uid the vhost should run as with the itk module # run_gid: the gid the vhost should run as with the itk module +# +# mod_security: Whether we use mod_security or not (will include mod_security module) +# - false: don't activate mod_security +# - true: (*default*) activate mod_security +# # php_safe_mode_exec_bins: An array of local binaries which should be linked in the # safe_mode_exec_bin for this hosting # *default*: None diff --git a/manifests/vhost/php/silverstripe.pp b/manifests/vhost/php/silverstripe.pp index 419a340..cf67d16 100644 --- a/manifests/vhost/php/silverstripe.pp +++ b/manifests/vhost/php/silverstripe.pp @@ -1,9 +1,24 @@ -# run_mode: -# - normal: nothing special (*default*) -# - itk: apache is running with the itk module -# and run_uid and run_gid are used as vhost users +# run_mode: controls in which mode the vhost should be run, there are different setups +# possible: +# - normal: (*default*) run vhost with the current active worker (default: prefork) don't +# setup anything special +# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination +# with 'proxy-itk' & 'static-itk' mode) +# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the +# requests for the itk setup, that listens only on the loobpack device. +# (Incompatibility: cannot be used in combination with the itk setup.) +# - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static +# content and proxies the dynamic calls to the itk setup, that listens only on +# the loobpack device (Incompatibility: cannot be used in combination with +# 'itk' mode) +# # run_uid: the uid the vhost should run as with the itk module # run_gid: the gid the vhost should run as with the itk module +# +# mod_security: Whether we use mod_security or not (will include mod_security module) +# - false: don't activate mod_security +# - true: (*default*) activate mod_security +# # php_safe_mode_exec_bins: An array of local binaries which should be linked in the # safe_mode_exec_bin for this hosting # *default*: None diff --git a/manifests/vhost/php/simplemachine.pp b/manifests/vhost/php/simplemachine.pp index f015a2f..0983f17 100644 --- a/manifests/vhost/php/simplemachine.pp +++ b/manifests/vhost/php/simplemachine.pp @@ -1,9 +1,24 @@ -# run_mode: -# - normal: nothing special (*default*) -# - itk: apache is running with the itk module -# and run_uid and run_gid are used as vhost users +# run_mode: controls in which mode the vhost should be run, there are different setups +# possible: +# - normal: (*default*) run vhost with the current active worker (default: prefork) don't +# setup anything special +# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination +# with 'proxy-itk' & 'static-itk' mode) +# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the +# requests for the itk setup, that listens only on the loobpack device. +# (Incompatibility: cannot be used in combination with the itk setup.) +# - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static +# content and proxies the dynamic calls to the itk setup, that listens only on +# the loobpack device (Incompatibility: cannot be used in combination with +# 'itk' mode) +# # run_uid: the uid the vhost should run as with the itk module # run_gid: the gid the vhost should run as with the itk module +# +# mod_security: Whether we use mod_security or not (will include mod_security module) +# - false: don't activate mod_security +# - true: (*default*) activate mod_security +# # php_safe_mode_exec_bins: An array of local binaries which should be linked in the # safe_mode_exec_bin for this hosting # *default*: None diff --git a/manifests/vhost/php/spip.pp b/manifests/vhost/php/spip.pp index 56c3e94..290082f 100644 --- a/manifests/vhost/php/spip.pp +++ b/manifests/vhost/php/spip.pp @@ -1,9 +1,24 @@ -# run_mode: -# - normal: nothing special (*default*) -# - itk: apache is running with the itk module -# and run_uid and run_gid are used as vhost users +# run_mode: controls in which mode the vhost should be run, there are different setups +# possible: +# - normal: (*default*) run vhost with the current active worker (default: prefork) don't +# setup anything special +# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination +# with 'proxy-itk' & 'static-itk' mode) +# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the +# requests for the itk setup, that listens only on the loobpack device. +# (Incompatibility: cannot be used in combination with the itk setup.) +# - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static +# content and proxies the dynamic calls to the itk setup, that listens only on +# the loobpack device (Incompatibility: cannot be used in combination with +# 'itk' mode) +# # run_uid: the uid the vhost should run as with the itk module # run_gid: the gid the vhost should run as with the itk module +# +# mod_security: Whether we use mod_security or not (will include mod_security module) +# - false: don't activate mod_security +# - true: (*default*) activate mod_security +# # php_safe_mode_exec_bins: An array of local binaries which should be linked in the # safe_mode_exec_bin for this hosting # *default*: None diff --git a/manifests/vhost/php/standard.pp b/manifests/vhost/php/standard.pp index aa92a0e..9437046 100644 --- a/manifests/vhost/php/standard.pp +++ b/manifests/vhost/php/standard.pp @@ -1,9 +1,24 @@ -# run_mode: -# - normal: nothing special (*default*) -# - itk: apache is running with the itk module -# and run_uid and run_gid are used as vhost users +# run_mode: controls in which mode the vhost should be run, there are different setups +# possible: +# - normal: (*default*) run vhost with the current active worker (default: prefork) don't +# setup anything special +# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination +# with 'proxy-itk' & 'static-itk' mode) +# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the +# requests for the itk setup, that listens only on the loobpack device. +# (Incompatibility: cannot be used in combination with the itk setup.) +# - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static +# content and proxies the dynamic calls to the itk setup, that listens only on +# the loobpack device (Incompatibility: cannot be used in combination with +# 'itk' mode) +# # run_uid: the uid the vhost should run as with the itk module # run_gid: the gid the vhost should run as with the itk module +# +# mod_security: Whether we use mod_security or not (will include mod_security module) +# - false: don't activate mod_security +# - true: (*default*) activate mod_security +# # php_safe_mode_exec_bins: An array of local binaries which should be linked in the # safe_mode_exec_bin for this hosting # *default*: None @@ -111,6 +126,12 @@ define apache::vhost::php::standard( include php::extensions::smarty } + case $run_mode { + 'proxy-itk','static-itk': { include ::php::itk_plus } + 'itk': { include ::php::itk } + default: { include ::php } + } + if $manage_webdir { # create webdir ::apache::vhost::webdir{$name: diff --git a/manifests/vhost/php/typo3.pp b/manifests/vhost/php/typo3.pp index ab348ac..40c171f 100644 --- a/manifests/vhost/php/typo3.pp +++ b/manifests/vhost/php/typo3.pp @@ -1,9 +1,24 @@ -# run_mode: -# - normal: nothing special (*default*) -# - itk: apache is running with the itk module -# and run_uid and run_gid are used as vhost users +# run_mode: controls in which mode the vhost should be run, there are different setups +# possible: +# - normal: (*default*) run vhost with the current active worker (default: prefork) don't +# setup anything special +# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination +# with 'proxy-itk' & 'static-itk' mode) +# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the +# requests for the itk setup, that listens only on the loobpack device. +# (Incompatibility: cannot be used in combination with the itk setup.) +# - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static +# content and proxies the dynamic calls to the itk setup, that listens only on +# the loobpack device (Incompatibility: cannot be used in combination with +# 'itk' mode) +# # run_uid: the uid the vhost should run as with the itk module # run_gid: the gid the vhost should run as with the itk module +# +# mod_security: Whether we use mod_security or not (will include mod_security module) +# - false: don't activate mod_security +# - true: (*default*) activate mod_security +# # php_safe_mode_exec_bins: An array of local binaries which should be linked in the # safe_mode_exec_bin for this hosting # *default*: None diff --git a/manifests/vhost/php/webapp.pp b/manifests/vhost/php/webapp.pp index 5e54782..9716dfb 100644 --- a/manifests/vhost/php/webapp.pp +++ b/manifests/vhost/php/webapp.pp @@ -1,9 +1,24 @@ -# run_mode: -# - normal: nothing special (*default*) -# - itk: apache is running with the itk module -# and run_uid and run_gid are used as vhost users +# run_mode: controls in which mode the vhost should be run, there are different setups +# possible: +# - normal: (*default*) run vhost with the current active worker (default: prefork) don't +# setup anything special +# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination +# with 'proxy-itk' & 'static-itk' mode) +# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the +# requests for the itk setup, that listens only on the loobpack device. +# (Incompatibility: cannot be used in combination with the itk setup.) +# - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static +# content and proxies the dynamic calls to the itk setup, that listens only on +# the loobpack device (Incompatibility: cannot be used in combination with +# 'itk' mode) +# # run_uid: the uid the vhost should run as with the itk module # run_gid: the gid the vhost should run as with the itk module +# +# mod_security: Whether we use mod_security or not (will include mod_security module) +# - false: don't activate mod_security +# - true: (*default*) activate mod_security +# # php_safe_mode_exec_bins: An array of local binaries which should be linked in the # safe_mode_exec_bin for this hosting # *default*: None diff --git a/manifests/vhost/php/wordpress.pp b/manifests/vhost/php/wordpress.pp index 63e7267..461a2d7 100644 --- a/manifests/vhost/php/wordpress.pp +++ b/manifests/vhost/php/wordpress.pp @@ -1,9 +1,24 @@ -# run_mode: -# - normal: nothing special (*default*) -# - itk: apache is running with the itk module -# and run_uid and run_gid are used as vhost users +# run_mode: controls in which mode the vhost should be run, there are different setups +# possible: +# - normal: (*default*) run vhost with the current active worker (default: prefork) don't +# setup anything special +# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination +# with 'proxy-itk' & 'static-itk' mode) +# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the +# requests for the itk setup, that listens only on the loobpack device. +# (Incompatibility: cannot be used in combination with the itk setup.) +# - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static +# content and proxies the dynamic calls to the itk setup, that listens only on +# the loobpack device (Incompatibility: cannot be used in combination with +# 'itk' mode) +# # run_uid: the uid the vhost should run as with the itk module # run_gid: the gid the vhost should run as with the itk module +# +# mod_security: Whether we use mod_security or not (will include mod_security module) +# - false: don't activate mod_security +# - true: (*default*) activate mod_security +# # php_safe_mode_exec_bins: An array of local binaries which should be linked in the # safe_mode_exec_bin for this hosting # *default*: None diff --git a/manifests/vhost/redirect.pp b/manifests/vhost/redirect.pp index 53b1a07..4bb7b67 100644 --- a/manifests/vhost/redirect.pp +++ b/manifests/vhost/redirect.pp @@ -1,5 +1,6 @@ # Redirect VHost to redirect hosts # Parameters: +# # - ensure: wether this vhost is `present` or `absent` # - domain: the domain to redirect (*name*) # - domainalias: A list of whitespace seperated domains to redirect @@ -10,11 +11,14 @@ # - true: enable ssl for this vhost # - force: enable ssl and redirect non-ssl to ssl # - only: enable ssl only +# # logmode: +# # - default: Do normal logging to CustomLog and ErrorLog # - nologs: Send every logging to /dev/null # - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null # - semianonym: Don't log ips for CustomLog, log normal ErrorLog +# define apache::vhost::redirect( $ensure = present, $domain = 'absent', @@ -39,6 +43,7 @@ define apache::vhost::redirect( }, logmode => $logmode, allow_override => $allow_override, + run_mode => 'normal', mod_security => false, options => $target_url, ssl_mode => $ssl_mode, diff --git a/manifests/vhost/static.pp b/manifests/vhost/static.pp index 640e172..9d78ebd 100644 --- a/manifests/vhost/static.pp +++ b/manifests/vhost/static.pp @@ -1,11 +1,17 @@ # vhost_mode: which option is chosen to deploy the vhost # - template: generate it from a template (default) # - file: deploy a vhost file (apache::vhost::file will be called directly) +# # logmode: # - default: Do normal logging to CustomLog and ErrorLog # - nologs: Send every logging to /dev/null # - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null # - semianonym: Don't log ips for CustomLog, log normal ErrorLog +# +# mod_security: Whether we use mod_security or not (will include mod_security module) +# - false: (*default*) don't activate mod_security +# - true: activate mod_security +# define apache::vhost::static( $ensure = present, $domain = 'absent', diff --git a/manifests/vhost/template.pp b/manifests/vhost/template.pp index d7e9e07..36aa0cd 100644 --- a/manifests/vhost/template.pp +++ b/manifests/vhost/template.pp @@ -25,6 +25,28 @@ # - nologs: Send every logging to /dev/null # - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null # - semianonym: Don't log ips for CustomLog, log normal ErrorLog +# +# run_mode: controls in which mode the vhost should be run, there are different setups +# possible: +# - normal: (*default*) run vhost with the current active worker (default: prefork) don't +# setup anything special +# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination +# with 'proxy-itk' & 'static-itk' mode) +# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the +# requests for the itk setup, that listens only on the loobpack device. +# (Incompatibility: cannot be used in combination with the itk setup.) +# - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static +# content and proxies the dynamic calls to the itk setup, that listens only on +# the loobpack device (Incompatibility: cannot be used in combination with +# 'itk' mode) +# +# run_uid: the uid the vhost should run as with the itk module +# run_gid: the gid the vhost should run as with the itk module +# +# mod_security: Whether we use mod_security or not (will include mod_security module) +# - false: don't activate mod_security +# - true: (*default*) activate mod_security +# define apache::vhost::template( $ensure = present, $path = 'absent', @@ -61,13 +83,6 @@ define apache::vhost::template( $ldap_auth = false, $ldap_user = 'any' ){ - if $mod_security { - case $run_mode { - 'itk': { include mod_security::itk } - default: { include mod_security } - } - } - $real_path = $path ? { 'absent' => $operatingsystem ? { openbsd => "/var/www/htdocs/$name", @@ -101,7 +116,11 @@ define apache::vhost::template( $real_htpasswd_path = $htpasswd_path } case $run_mode { - 'itk': { + 'proxy-itk': { $logfileprefix = 'proxy' } + 'static-itk': { $logfileprefix = 'static' } + } + case $run_mode { + 'itk','proxy-itk','static-itk': { case $run_uid { 'absent': { fail("you have to define run_uid for $name on $fqdn") } } @@ -144,6 +163,8 @@ define apache::vhost::template( apache::vhost::file{$name: ensure => $ensure, do_includes => $do_includes, + run_mode => $run_mode, + mod_security => $mod_security, htpasswd_file => $htpasswd_file, htpasswd_path => $htpasswd_path, use_mod_macro => $use_mod_macro, diff --git a/manifests/vhost/webdav.pp b/manifests/vhost/webdav.pp index 770424c..b4775d5 100644 --- a/manifests/vhost/webdav.pp +++ b/manifests/vhost/webdav.pp @@ -1,15 +1,28 @@ # Webdav vhost: to manage webdav accessible targets -# run_mode: -# - normal: nothing special (*default*) -# - itk: apache is running with the itk module -# and run_uid and run_gid are used as vhost users +# run_mode: controls in which mode the vhost should be run, there are different setups +# possible: +# - normal: (*default*) run vhost with the current active worker (default: prefork) don't +# setup anything special +# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination +# with 'proxy-itk' & 'static-itk' mode) +# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the +# requests for the itk setup, that listens only on the loobpack device. +# (Incompatibility: cannot be used in combination with the itk setup.) +# - static-itk: this mode is not possible and will be rewritten to proxy-itk +# # run_uid: the uid the vhost should run as with the itk module # run_gid: the gid the vhost should run as with the itk module +# +# mod_security: Whether we use mod_security or not (will include mod_security module) +# - false: (*default*) don't activate mod_security +# - true: activate mod_security +# # logmode: # - default: Do normal logging to CustomLog and ErrorLog # - nologs: Send every logging to /dev/null # - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null # - semianonym: Don't log ips for CustomLog, log normal ErrorLog +# define apache::vhost::webdav( $ensure = present, $domain = 'absent', @@ -66,6 +79,14 @@ define apache::vhost::webdav( documentroot_mode => $documentroot_mode, } } + + if $run_mode == 'static-itk' { + notice("static-itk mode is not possible for webdav vhosts, rewriting it to proxy-itk") + $real_run_mode = 'proxy-itk' + } else { + $real_run_mode = $run_mode + } + # create vhost configuration file ::apache::vhost{$name: ensure => $ensure, @@ -80,7 +101,7 @@ define apache::vhost::webdav( domain => $domain, domainalias => $domainalias, server_admin => $server_admin, - run_mode => $run_mode, + run_mode => $real_run_mode, run_uid => $run_uid, run_gid => $run_gid, options => $options, diff --git a/templates/itk_plus/CentOS/00-listen.conf.erb b/templates/itk_plus/CentOS/00-listen.conf.erb new file mode 100644 index 0000000..9f2c626 --- /dev/null +++ b/templates/itk_plus/CentOS/00-listen.conf.erb @@ -0,0 +1,8 @@ +<IfDefine HttpdLocal> +Listen 127.0.0.1:80 +PidFile run/httpdlocal.pid +</IfDefine> +<IfDefine !HttpdLocal> +Listen <%= ipaddress %>:80 +PidFile run/httpd.pid +</IfDefine> diff --git a/templates/vhosts/perl/perl.erb b/templates/vhosts/perl/perl.erb index 5be25fa..5cb30bc 100644 --- a/templates/vhosts/perl/perl.erb +++ b/templates/vhosts/perl/perl.erb @@ -1,4 +1,7 @@ # <%= servername %> +<%- if run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> +<IfDefine HttpdLocal> +<%- end -%> <%- unless ssl_mode.to_s == 'only' then -%> <VirtualHost *:80> Include include.d/defaults.inc @@ -26,16 +29,20 @@ ErrorLog <%= logdir %>/error_log CustomLog <%= logdir %>/access_log combined <%- end -%> + <%- if ssl_mode.to_s == 'force' then -%> Redirect permanent / https://<%= servername %>/ + <%- end -%> <%- if default_charset.to_s != 'absent' then -%> AddDefaultCharset <%= default_charset %> + <%- end -%> - <%- if run_mode.to_s == 'itk' -%> + <%- if run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%> <IfModule mpm_itk_module> AssignUserId <%= run_uid+" "+run_gid %> </IfModule> + <%- end -%> <%- if not ssl_mode.to_s == 'force' then -%> <Directory "<%= documentroot %>/"> @@ -63,6 +70,7 @@ ScriptAlias /cgi-bin/ <%= cgi_binpath %>/ <%- end -%> + <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> <IfModule mod_security2.c> <%- if mod_security.to_s == 'true' then -%> SecRuleEngine On @@ -80,6 +88,7 @@ SecAuditLog <%= logdir %>/mod_security_audit.log SecDebugLog <%= logdir %>/mod_security_debug.log </IfModule> + <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> @@ -115,13 +124,16 @@ ErrorLog <%= logdir %>/error_log CustomLog <%= logdir %>/access_log combined <%- end -%> + <%- if default_charset.to_s != 'absent' then -%> AddDefaultCharset <%= default_charset %> + <%- end -%> - <%- if run_mode.to_s == 'itk' -%> + <%- if run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%> <IfModule mpm_itk_module> AssignUserId <%= run_uid+" "+run_gid %> </IfModule> + <%- end -%> <Directory "<%= documentroot %>/"> AllowOverride <%= allow_override %> @@ -147,6 +159,7 @@ </Directory> <%- end -%> + <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> <IfModule mod_security2.c> <%- if mod_security.to_s == 'true' then -%> SecRuleEngine On @@ -164,9 +177,210 @@ SecAuditLog <%= logdir %>/mod_security_audit.log SecDebugLog <%= logdir %>/mod_security_debug.log </IfModule> + <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> <%- end -%> </VirtualHost> <%- end -%> +<%- if run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> +</IfDefine> +<IfDefine !HttpdLocal> +<%- unless ssl_mode.to_s == 'only' then -%> +<VirtualHost *:80> + + Include include.d/defaults.inc + + ServerName <%= servername %> + <%- unless serveralias.to_s.empty? then -%> + ServerAlias <%= serveralias %> + <%- end -%> + <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> + ServerAdmin <%= server_admin %> + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + DocumentRoot <%= documentroot %>/ + DirectoryIndex index.htm index.html index.pl + <%- end -%> + + <%- case logmode.to_s + when 'nologs' -%> + ErrorLog /dev/null + CustomLog /dev/null + <%- when 'semianonym' -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- when 'anonym' -%> + ErrorLog /dev/null + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- else -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log combined + <%- end -%> + + ProxyPreserveHost On + ProxyRequests off + <%- if run_mode.to_s == 'static-itk' -%> + ProxyPassMatch ^/(.*\.pl/?.*)$ http://127.0.0.1/$1 + <%- else -%> + ProxyPass / http://127.0.0.1/ + <%- end -%> + ProxyPassReverse / http://127.0.0.1/ + + <%- if ssl_mode.to_s == 'force' then -%> + Redirect permanent / https://<%= servername %>/ + + <%- end -%> + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <%- if run_mode.to_s == 'static-itk' then -%> + <%- if not ssl_mode.to_s == 'force' then -%> + <Directory "<%= documentroot %>/"> + AllowOverride <%= allow_override %> + <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> + Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> + + <%- end -%> + <%- unless htpasswd_file.to_s == 'absent' then -%> + AuthType Basic + AuthName "Access fuer <%= servername %>" + AuthUserFile <%= real_htpasswd_path %> + require valid-user + <%- end -%> + </Directory> + + <%- unless htpasswd_file.to_s == 'absent' then -%> + <Directory "<%= cgi_binpath %>/"> + AuthType Basic + AuthName "Access fuer <%= servername %>" + AuthUserFile <%= real_htpasswd_path %> + require valid-user + </Directory> + <%- end -%> + ScriptAlias /cgi-bin/ <%= cgi_binpath %>/ + <%- end -%> + <%- end -%> + + <IfModule mod_security2.c> + <%- if mod_security.to_s == 'true' then -%> + SecRuleEngine On + <%- if mod_security_relevantonly.to_s == 'true' then -%> + SecAuditEngine RelevantOnly + <%- else -%> + SecAuditEngine On + <%- end -%> + <%- else -%> + SecRuleEngine Off + SecAuditEngine Off + <%- end -%> + SecAuditLogType Concurrent + SecAuditLogStorageDir <%= logdir %>/ + SecAuditLog <%= logdir %>/mod_security_audit.log + SecDebugLog <%= logdir %>/mod_security_debug.log + </IfModule> + + <%- unless additional_options.to_s == 'absent' then -%> + <%= additional_options %> + <%- end -%> +</VirtualHost> +<%- end -%> + +<%- unless ssl_mode.to_s == 'false' then -%> +<VirtualHost *:443> + Include include.d/defaults.inc + Include include.d/ssl_defaults.inc + + ServerName <%= servername %> + <%- unless serveralias.to_s.empty? then -%> + ServerAlias <%= serveralias %> + <%- end -%> + <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> + ServerAdmin <%= server_admin %> + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + DocumentRoot <%= documentroot %>/ + DirectoryIndex index.htm index.html index.pl + <%- end -%> + + ProxyPreserveHost On + ProxyRequests off + <%- if run_mode.to_s == 'static-itk' -%> + ProxyPassMatch ^/(.*\.pl/?.*)$ https://127.0.0.1/$1 + <%- else -%> + ProxyPass / https://127.0.0.1/ + <%- end -%> + ProxyPassReverse / https://127.0.0.1/ + + <%- case logmode.to_s + when 'nologs' -%> + ErrorLog /dev/null + CustomLog /dev/null + <%- when 'semianonym' -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- when 'anonym' -%> + ErrorLog /dev/null + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- else -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log combined + <%- end -%> + + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <%- unless run_mode.to_s == 'static-itk' -%> + <Directory "<%= documentroot %>/"> + AllowOverride <%= allow_override %> + <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> + Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> + + <%- end -%> + <%- unless htpasswd_file.to_s == 'absent' then -%> + AuthType Basic + AuthName "Access fuer <%= servername %>" + AuthUserFile <%= real_htpasswd_path %> + require valid-user + <%- end -%> + </Directory> + + <%- if htpasswd_file.to_s == 'absent' then -%> + <Directory "<%= cgi_binpath %>/"> + AuthType Basic + AuthName "Access fuer <%= servername %>" + AuthUserFile <%= real_htpasswd_path %> + require valid-user + </Directory> + <%- end -%> + ScriptAlias /cgi-bin/ <%= cgi_binpath %>/ + <%- end -%> + + <IfModule mod_security2.c> + <%- if mod_security.to_s == 'true' then -%> + SecRuleEngine On + <%- if mod_security_relevantonly.to_s == 'true' then -%> + SecAuditEngine RelevantOnly + <%- else -%> + SecAuditEngine On + <%- end -%> + <%- else -%> + SecRuleEngine Off + SecAuditEngine Off + <%- end -%> + SecAuditLogType Concurrent + SecAuditLogStorageDir <%= logdir %>/ + SecAuditLog <%= logdir %>/mod_security_audit.log + SecDebugLog <%= logdir %>/mod_security_debug.log + </IfModule> + + <%- unless additional_options.to_s == 'absent' then -%> + <%= additional_options %> + <%- end -%> +</VirtualHost> +<%- end -%> +</IfDefine> +<%- end -%> diff --git a/templates/vhosts/php/php.erb b/templates/vhosts/php/php.erb index 99c94e2..4d5d984 100644 --- a/templates/vhosts/php/php.erb +++ b/templates/vhosts/php/php.erb @@ -1,4 +1,7 @@ # <%= servername %> +<%- if run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> +<IfDefine HttpdLocal> +<%- end -%> <%- unless ssl_mode.to_s == 'only' then -%> <VirtualHost *:80> Include include.d/defaults.inc @@ -26,16 +29,20 @@ ErrorLog <%= logdir %>/error_log CustomLog <%= logdir %>/access_log combined <%- end -%> + <%- if ssl_mode.to_s == 'force' then -%> Redirect permanent / https://<%= servername %>/ + <%- end -%> - <%- if default_charset.to_s != 'absent' then -%> - AddDefaultCharset <%= default_charset %> - <%- end -%> - <%- if run_mode.to_s == 'itk' -%> + <%- if run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%> <IfModule mpm_itk_module> AssignUserId <%= run_uid+" "+run_gid %> </IfModule> + + <%- end -%> + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + <%- end -%> <%- if not ssl_mode.to_s == 'force' then -%> <Directory "<%= documentroot %>/"> @@ -66,6 +73,7 @@ </Directory> <%- end -%> + <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> <IfModule mod_security2.c> <%- if mod_security.to_s == 'true' then -%> SecRuleEngine On @@ -83,6 +91,7 @@ SecAuditLog <%= logdir %>/mod_security_audit.log SecDebugLog <%= logdir %>/mod_security_debug.log </IfModule> + <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> @@ -117,14 +126,17 @@ <%- else -%> ErrorLog <%= logdir %>/error_log CustomLog <%= logdir %>/access_log combined + <%- end -%> - <%- if run_mode.to_s == 'itk' -%> + <%- if run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%> <IfModule mpm_itk_module> AssignUserId <%= run_uid+" "+run_gid %> </IfModule> + <%- end -%> <%- if default_charset.to_s != 'absent' then -%> AddDefaultCharset <%= default_charset %> + <%- end -%> <Directory "<%= documentroot %>/"> AllowOverride <%= allow_override %> @@ -153,6 +165,185 @@ <%- end -%> </Directory> + <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> + <IfModule mod_security2.c> + <%- if mod_security.to_s == 'true' then -%> + SecRuleEngine On + <%- if mod_security_relevantonly.to_s == 'true' then -%> + SecAuditEngine RelevantOnly + <%- else -%> + SecAuditEngine On + <%- end -%> + <%- else -%> + SecRuleEngine Off + SecAuditEngine Off + <%- end -%> + SecAuditLogType Concurrent + SecAuditLogStorageDir <%= logdir %>/ + SecAuditLog <%= logdir %>/mod_security_audit.log + SecDebugLog <%= logdir %>/mod_security_debug.log + </IfModule> + <%- end -%> + + <%- unless additional_options.to_s == 'absent' then -%> + <%= additional_options %> + <%- end -%> +</VirtualHost> +<%- end -%> +<%- if run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> +</IfDefine> +<IfDefine !HttpdLocal> +<%- unless ssl_mode.to_s == 'only' then -%> +<VirtualHost *:80> + Include include.d/defaults.inc + + ServerName <%= servername %> + <%- unless serveralias.to_s.empty? then -%> + ServerAlias <%= serveralias %> + <%- end -%> + <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> + ServerAdmin <%= server_admin %> + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + DocumentRoot <%= documentroot %>/ + DirectoryIndex index.htm index.html index.php + <%- end -%> + + <%- case logmode.to_s + when 'nologs' -%> + ErrorLog /dev/null + CustomLog /dev/null + <%- when 'semianonym' -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- when 'anonym' -%> + ErrorLog /dev/null + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- else -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log combined + <%- end -%> + + ProxyPreserveHost On + ProxyRequests off + <%- if run_mode.to_s == 'static-itk' -%> + ProxyPassMatch ^/(.*\.php/?.*)$ http://127.0.0.1/$1 + <%- else -%> + ProxyPass / http://127.0.0.1/ + <%- end -%> + ProxyPassReverse / http://127.0.0.1/ + + <%- if ssl_mode.to_s == 'force' then -%> + Redirect permanent / https://<%= servername %>/ + + <%- end -%> + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <%- if run_mode.to_s == 'static-itk' then -%> + <%- if not ssl_mode.to_s == 'force' then -%> + <Directory "<%= documentroot %>/"> + AllowOverride <%= allow_override %> + <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> + Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> + + <%- end -%> + <%- unless htpasswd_file.to_s == 'absent' then -%> + AuthType Basic + AuthName "Access fuer <%= servername %>" + AuthUserFile <%= real_htpasswd_path %> + require valid-user + <%- end -%> + </Directory> + <%- end -%> + <%- end -%> + + <IfModule mod_security2.c> + <%- if mod_security.to_s == 'true' then -%> + SecRuleEngine On + <%- if mod_security_relevantonly.to_s == 'true' then -%> + SecAuditEngine RelevantOnly + <%- else -%> + SecAuditEngine On + <%- end -%> + <%- else -%> + SecRuleEngine Off + SecAuditEngine Off + <%- end -%> + SecAuditLogType Concurrent + SecAuditLogStorageDir <%= logdir %>/ + SecAuditLog <%= logdir %>/mod_security_audit.log + SecDebugLog <%= logdir %>/mod_security_debug.log + </IfModule> + + <%- unless additional_options.to_s == 'absent' then -%> + <%= additional_options %> + <%- end -%> +</VirtualHost> +<%- end -%> + +<%- unless ssl_mode.to_s == 'false' then -%> +<VirtualHost *:443> + Include include.d/defaults.inc + Include include.d/ssl_defaults.inc + + ServerName <%= servername %> + <%- unless serveralias.to_s.empty? then -%> + ServerAlias <%= serveralias %> + <%- end -%> + <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> + ServerAdmin <%= server_admin %> + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + DocumentRoot <%= documentroot %>/ + DirectoryIndex index.htm index.html index.php + <%- end -%> + + <%- case logmode.to_s + when 'nologs' -%> + ErrorLog /dev/null + CustomLog /dev/null + <%- when 'semianonym' -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- when 'anonym' -%> + ErrorLog /dev/null + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- else -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log combined + <%- end -%> + + ProxyPreserveHost On + ProxyRequests off + <%- if run_mode.to_s == 'static-itk' -%> + ProxyPassMatch ^/(.*\.php/?.*)$ https://127.0.0.1/$1 + <%- else -%> + ProxyPass / https://127.0.0.1/ + <%- end -%> + ProxyPassReverse / https://127.0.0.1/ + + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + <Directory "<%= documentroot %>/"> + AllowOverride <%= allow_override %> + <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> + Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> + + <%- end -%> + <%- unless htpasswd_file.to_s == 'absent' then -%> + AuthType Basic + AuthName "Access fuer <%= servername %>" + AuthUserFile <%= real_htpasswd_path %> + require valid-user + <%- end -%> + </Directory> + <%- end -%> + <IfModule mod_security2.c> <%- if mod_security.to_s == 'true' then -%> SecRuleEngine On @@ -176,3 +367,6 @@ <%- end -%> </VirtualHost> <%- end -%> +</IfDefine> +<%- end -%> + diff --git a/templates/vhosts/php_drupal/php_drupal.erb b/templates/vhosts/php_drupal/php_drupal.erb index 9b6c3ef..db01248 100644 --- a/templates/vhosts/php_drupal/php_drupal.erb +++ b/templates/vhosts/php_drupal/php_drupal.erb @@ -1,4 +1,7 @@ # <%= servername %> +<%- if run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> +<IfDefine HttpdLocal> +<%- end -%> <%- unless ssl_mode.to_s == 'only' then -%> <VirtualHost *:80> Include include.d/defaults.inc @@ -31,11 +34,13 @@ <%- end -%> <%- if default_charset.to_s != 'absent' then -%> AddDefaultCharset <%= default_charset %> + <%- end -%> - <%- if run_mode.to_s == 'itk' -%> + <%- if run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%> <IfModule mpm_itk_module> AssignUserId <%= run_uid+" "+run_gid %> </IfModule> + <%- end -%> <%- if not ssl_mode.to_s == 'force' then -%> <Directory "<%= documentroot %>/"> @@ -88,6 +93,7 @@ </Directory> <%- end -%> + <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> <IfModule mod_security2.c> <%- if mod_security.to_s == 'true' then -%> SecRuleEngine On @@ -105,6 +111,7 @@ SecAuditLog <%= logdir %>/mod_security_audit.log SecDebugLog <%= logdir %>/mod_security_debug.log </IfModule> + <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> @@ -140,13 +147,16 @@ ErrorLog <%= logdir %>/error_log CustomLog <%= logdir %>/access_log combined <%- end -%> - <%- if run_mode.to_s == 'itk' -%> + + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <%- if run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%> <IfModule mpm_itk_module> AssignUserId <%= run_uid+" "+run_gid %> </IfModule> - <%- end -%> - <%- if default_charset.to_s != 'absent' then -%> - AddDefaultCharset <%= default_charset %> + <%- end -%> <Directory "<%= documentroot %>/"> AllowOverride <%= allow_override %> @@ -197,6 +207,119 @@ Options +FollowSymLinks </Directory> + <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> + <IfModule mod_security2.c> + <%- if mod_security.to_s == 'true' then -%> + SecRuleEngine On + <%- if mod_security_relevantonly.to_s == 'true' then -%> + SecAuditEngine RelevantOnly + <%- else -%> + SecAuditEngine On + <%- end -%> + <%- else -%> + SecRuleEngine Off + SecAuditEngine Off + <%- end -%> + SecAuditLogType Concurrent + SecAuditLogStorageDir <%= logdir %>/ + SecAuditLog <%= logdir %>/mod_security_audit.log + SecDebugLog <%= logdir %>/mod_security_debug.log + </IfModule> + <%- end -%> + + <%- unless additional_options.to_s == 'absent' then -%> + <%= additional_options %> + <%- end -%> +</VirtualHost> +<%- end -%> +<%- if run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> +</IfDefine> +<IfDefine !HttpdLocal> +<%- unless ssl_mode.to_s == 'only' then -%> +<VirtualHost *:80> + Include include.d/defaults.inc + + ServerName <%= servername %> + <%- unless serveralias.to_s.empty? then -%> + ServerAlias <%= serveralias %> + <%- end -%> + <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> + ServerAdmin <%= server_admin %> + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + DocumentRoot <%= documentroot %>/ + DirectoryIndex index.htm index.html index.php + <%- end -%> + + <%- case logmode.to_s + when 'nologs' -%> + ErrorLog /dev/null + CustomLog /dev/null + <%- when 'semianonym' -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- when 'anonym' -%> + ErrorLog /dev/null + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- else -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log combined + <%- end -%> + + ProxyPreserveHost On + ProxyRequests off + <%- if run_mode.to_s == 'static-itk' -%> + ProxyPassMatch ^/(.*\.php/?.*)$ http://127.0.0.1/$1 + <%- else -%> + ProxyPass / http://127.0.0.1/ + <%- end -%> + ProxyPassReverse / http://127.0.0.1/ + + <%- if ssl_mode.to_s == 'force' then -%> + Redirect permanent / https://<%= servername %>/ + + <%- end -%> + + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <%- if run_mode.to_s == 'static-itk' then -%> + <%- if not ssl_mode.to_s == 'force' then -%> + <Directory "<%= documentroot %>/"> + AllowOverride <%= allow_override %> + <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> + Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> + + <%- end -%> + <%- unless htpasswd_file.to_s == 'absent' then -%> + AuthType Basic + AuthName "Access fuer <%= servername %>" + AuthUserFile <%= real_htpasswd_path %> + require valid-user + <%- end -%> + + # Protect files and directories from prying eyes. + <FilesMatch "\.(engine|inc|info|install|module|profile|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template)$"> + Order allow,deny + </FilesMatch> + + # Customized error messages. + ErrorDocument 404 /index.php + + RewriteEngine on + RewriteCond %{REQUEST_FILENAME} !-f + RewriteCond %{REQUEST_FILENAME} !-d + RewriteRule ^(.*)$ index.php?q=$1 [L,QSA] + </Directory> + <Directory "<%= documentroot %>/files/"> + SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006 + Options None + Options +FollowSymLinks + </Directory> + <%- end -%> + <%- end -%> + <IfModule mod_security2.c> <%- if mod_security.to_s == 'true' then -%> SecRuleEngine On @@ -220,3 +343,108 @@ <%- end -%> </VirtualHost> <%- end -%> + +<%- unless ssl_mode.to_s == 'false' then -%> +<VirtualHost *:443> + Include include.d/defaults.inc + Include include.d/ssl_defaults.inc + + ServerName <%= servername %> + <%- unless serveralias.to_s.empty? then -%> + ServerAlias <%= serveralias %> + <%- end -%> + <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> + ServerAdmin <%= server_admin %> + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + DocumentRoot <%= documentroot %>/ + DirectoryIndex index.htm index.html index.php + <%- end -%> + + <%- case logmode.to_s + when 'nologs' -%> + ErrorLog /dev/null + CustomLog /dev/null + <%- when 'semianonym' -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- when 'anonym' -%> + ErrorLog /dev/null + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- else -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log combined + <%- end -%> + + ProxyPreserveHost On + ProxyRequests off + <%- if run_mode.to_s == 'static-itk' -%> + ProxyPassMatch ^/(.*\.php/?.*)$ https://127.0.0.1/$1 + <%- else -%> + ProxyPass / https://127.0.0.1/ + <%- end -%> + ProxyPassReverse / https://127.0.0.1/ + + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + <Directory "<%= documentroot %>/"> + AllowOverride <%= allow_override %> + <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> + Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> + + <%- end -%> + <%- unless htpasswd_file.to_s == 'absent' then -%> + AuthType Basic + AuthName "Access fuer <%= servername %>" + AuthUserFile <%= real_htpasswd_path %> + require valid-user + <%- end -%> + + # Protect files and directories from prying eyes. + <FilesMatch "\.(engine|inc|info|install|module|profile|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template)$"> + Order allow,deny + </FilesMatch> + + # Customized error messages. + ErrorDocument 404 /index.php + + RewriteEngine on + RewriteCond %{REQUEST_FILENAME} !-f + RewriteCond %{REQUEST_FILENAME} !-d + RewriteRule ^(.*)$ index.php?q=$1 [L,QSA] + </Directory> + <Directory "<%= documentroot %>/files/"> + SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006 + Options None + Options +FollowSymLinks + </Directory> + <%- end -%> + + <IfModule mod_security2.c> + <%- if mod_security.to_s == 'true' then -%> + SecRuleEngine On + <%- if mod_security_relevantonly.to_s == 'true' then -%> + SecAuditEngine RelevantOnly + <%- else -%> + SecAuditEngine On + <%- end -%> + <%- else -%> + SecRuleEngine Off + SecAuditEngine Off + <%- end -%> + SecAuditLogType Concurrent + SecAuditLogStorageDir <%= logdir %>/ + SecAuditLog <%= logdir %>/mod_security_audit.log + SecDebugLog <%= logdir %>/mod_security_debug.log + </IfModule> + + <%- unless additional_options.to_s == 'absent' then -%> + <%= additional_options %> + <%- end -%> +</VirtualHost> +<%- end -%> +</IfDefine> +<%- end -%> diff --git a/templates/vhosts/php_gallery2/php_gallery.erb b/templates/vhosts/php_gallery2/php_gallery.erb index 8d10d02..fdcc89b 100644 --- a/templates/vhosts/php_gallery2/php_gallery.erb +++ b/templates/vhosts/php_gallery2/php_gallery.erb @@ -1,4 +1,7 @@ # <%= servername %> +<%- if run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> +<IfDefine HttpdLocal> +<%- end -%> <%- unless ssl_mode.to_s == 'only' then -%> <VirtualHost *:80> Include include.d/defaults.inc @@ -26,16 +29,20 @@ ErrorLog <%= logdir %>/error_log CustomLog <%= logdir %>/access_log combined <%- end -%> + <%- if ssl_mode.to_s == 'force' then -%> Redirect permanent / https://<%= servername %>/ + <%- end -%> <%- if default_charset.to_s != 'absent' then -%> AddDefaultCharset <%= default_charset %> + <%- end -%> - <%- if run_mode.to_s == 'itk' -%> + <%- if run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%> <IfModule mpm_itk_module> AssignUserId <%= run_uid+" "+run_gid %> </IfModule> + <%- end -%> <%- if not ssl_mode.to_s == 'force' then -%> <Directory "<%= documentroot %>/"> @@ -74,6 +81,7 @@ </Directory> <%- end -%> + <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> <IfModule mod_security2.c> <%- if mod_security.to_s == 'true' then -%> SecRuleEngine On @@ -91,6 +99,7 @@ SecAuditLog <%= logdir %>/mod_security_audit.log SecDebugLog <%= logdir %>/mod_security_debug.log </IfModule> + <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> @@ -126,13 +135,16 @@ ErrorLog <%= logdir %>/error_log CustomLog <%= logdir %>/access_log combined <%- end -%> - <%- if run_mode.to_s == 'itk' -%> + + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <%- if run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%> <IfModule mpm_itk_module> AssignUserId <%= run_uid+" "+run_gid %> </IfModule> - <%- end -%> - <%- if default_charset.to_s != 'absent' then -%> - AddDefaultCharset <%= default_charset %> + <%- end -%> <Directory "<%= documentroot %>/"> AllowOverride <%= allow_override %> @@ -169,6 +181,7 @@ RewriteRule ^ http://%{HTTP_HOST}%{REQUEST_URI} [NE,R,L] </Directory> + <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> <IfModule mod_security2.c> <%- if mod_security.to_s == 'true' then -%> SecRuleEngine On @@ -182,9 +195,201 @@ SecAuditLog <%= logdir %>/mod_security_audit.log SecDebugLog <%= logdir %>/mod_security_debug.log </IfModule> + <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> <%- end -%> </VirtualHost> <%- end -%> +<%- if run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> +</IfDefine> +<IfDefine !HttpdLocal> +<%- unless ssl_mode.to_s == 'only' then -%> +<VirtualHost *:80> + Include include.d/defaults.inc + + ServerName <%= servername %> + <%- unless serveralias.to_s.empty? then -%> + ServerAlias <%= serveralias %> + <%- end -%> + <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> + ServerAdmin <%= server_admin %> + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + DocumentRoot <%= documentroot %>/ + DirectoryIndex index.htm index.html index.php + <%- end -%> + + <%- case logmode.to_s + when 'nologs' -%> + ErrorLog /dev/null + CustomLog /dev/null + <%- when 'semianonym' -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- when 'anonym' -%> + ErrorLog /dev/null + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- else -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log combined + <%- end -%> + + ProxyPreserveHost On + ProxyRequests off + <%- if run_mode.to_s == 'static-itk' -%> + ProxyPassMatch ^/(.*\.php/?.*)$ http://127.0.0.1/$1 + <%- else -%> + ProxyPass / http://127.0.0.1/ + <%- end -%> + ProxyPassReverse / http://127.0.0.1/ + + <%- if ssl_mode.to_s == 'force' then -%> + Redirect permanent / https://<%= servername %>/ + + <%- end -%> + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <%- if run_mode.to_s == 'static-itk' then -%> + <%- if not ssl_mode.to_s == 'force' then -%> + <Directory "<%= documentroot %>/"> + AllowOverride <%= allow_override %> + <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> + Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> + + <%- end -%> + <%- unless htpasswd_file.to_s == 'absent' then -%> + AuthType Basic + AuthName "Access fuer <%= servername %>" + AuthUserFile <%= real_htpasswd_path %> + require valid-user + <%- end -%> + + # Always rewrite login's + # Source: http://gallery.menalto.com/node/30558 + RewriteEngine On + RewriteCond %{HTTP_COOKIE} ^GALLERYSID= [OR] + RewriteCond %{QUERY_STRING} subView=core\.UserLogin + RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [NE,R,L] + # https -> see below + # Then, unset baseUri in config.php (to keep Gallery from trying to redirect users to either HTTP or HTTPS): + # $gallery->setConfig('baseUri', ''); + </Directory> + <%- end -%> + <%- end -%> + + <IfModule mod_security2.c> + <%- if mod_security.to_s == 'true' then -%> + SecRuleEngine On + <%- if mod_security_relevantonly.to_s == 'true' then -%> + SecAuditEngine RelevantOnly + <%- else -%> + SecAuditEngine On + <%- end -%> + <%- else -%> + SecRuleEngine Off + SecAuditEngine Off + <%- end -%> + SecAuditLogType Concurrent + SecAuditLogStorageDir <%= logdir %>/ + SecAuditLog <%= logdir %>/mod_security_audit.log + SecDebugLog <%= logdir %>/mod_security_debug.log + </IfModule> + + <%- unless additional_options.to_s == 'absent' then -%> + <%= additional_options %> + <%- end -%> +</VirtualHost> +<%- end -%> + +<%- unless ssl_mode.to_s == 'false' then -%> +<VirtualHost *:443> + Include include.d/defaults.inc + Include include.d/ssl_defaults.inc + + ServerName <%= servername %> + <%- unless serveralias.to_s.empty? then -%> + ServerAlias <%= serveralias %> + <%- end -%> + <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> + ServerAdmin <%= server_admin %> + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + DocumentRoot <%= documentroot %>/ + DirectoryIndex index.htm index.html index.php + <%- end -%> + + <%- case logmode.to_s + when 'nologs' -%> + ErrorLog /dev/null + CustomLog /dev/null + <%- when 'semianonym' -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- when 'anonym' -%> + ErrorLog /dev/null + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- else -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log combined + <%- end -%> + + ProxyPreserveHost On + ProxyRequests off + <%- if run_mode.to_s == 'static-itk' -%> + ProxyPassMatch ^/(.*\.php/?.*)$ https://127.0.0.1/$1 + <%- else -%> + ProxyPass / https://127.0.0.1/ + <%- end -%> + ProxyPassReverse / https://127.0.0.1/ + + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + <Directory "<%= documentroot %>/"> + AllowOverride <%= allow_override %> + <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> + Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> + + <%- end -%> + <%- unless htpasswd_file.to_s == 'absent' then -%> + AuthType Basic + AuthName "Access fuer <%= servername %>" + AuthUserFile <%= real_htpasswd_path %> + require valid-user + <%- end -%> + # Always rewrite login's (see above) + RewriteEngine On + RewriteCond %{HTTP_COOKIE} ="" + RewriteCond %{REQUEST_METHOD} =GET + RewriteCond %{QUERY_STRING} !subView=core\.UserLogin + RewriteRule ^ http://%{HTTP_HOST}%{REQUEST_URI} [NE,R,L] + </Directory> + <%- end -%> + + <IfModule mod_security2.c> + <%- if mod_security.to_s == 'true' then -%> + SecRuleEngine On + SecAuditEngine On + <%- else -%> + SecRuleEngine Off + SecAuditEngine Off + <%- end -%> + SecAuditLogType Concurrent + SecAuditLogStorageDir <%= logdir %>/ + SecAuditLog <%= logdir %>/mod_security_audit.log + SecDebugLog <%= logdir %>/mod_security_debug.log + </IfModule> + + <%- unless additional_options.to_s == 'absent' then -%> + <%= additional_options %> + <%- end -%> +</VirtualHost> +<%- end -%> +</IfDefine> +<%- end -%> diff --git a/templates/vhosts/php_joomla/php_joomla.erb b/templates/vhosts/php_joomla/php_joomla.erb index 8803765..9911a15 100644 --- a/templates/vhosts/php_joomla/php_joomla.erb +++ b/templates/vhosts/php_joomla/php_joomla.erb @@ -1,4 +1,7 @@ # <%= servername %> +<%- if run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> +<IfDefine HttpdLocal> +<%- end -%> <%- unless ssl_mode.to_s == 'only' then -%> <VirtualHost *:80> Include include.d/defaults.inc @@ -26,16 +29,20 @@ ErrorLog <%= logdir %>/error_log CustomLog <%= logdir %>/access_log combined <%- end -%> + <%- if ssl_mode.to_s == 'force' then -%> Redirect permanent / https://<%= servername %>/ + <%- end -%> <%- if default_charset.to_s != 'absent' then -%> AddDefaultCharset <%= default_charset %> + <%- end -%> - <%- if run_mode.to_s == 'itk' -%> + <%- if run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%> <IfModule mpm_itk_module> AssignUserId <%= run_uid+" "+run_gid %> </IfModule> + <%- end -%> <%- if not ssl_mode.to_s == 'force' then -%> <Directory "<%= documentroot %>/"> @@ -75,6 +82,7 @@ RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R] </Directory> + <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> <IfModule mod_security2.c> <%- if mod_security.to_s == 'true' then -%> SecRuleEngine On @@ -106,6 +114,7 @@ SecAuditLog <%= logdir %>/mod_security_audit.log SecDebugLog <%= logdir %>/mod_security_debug.log </IfModule> + <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> @@ -141,13 +150,16 @@ ErrorLog <%= logdir %>/error_log CustomLog <%= logdir %>/access_log combined <%- end -%> - <%- if run_mode.to_s == 'itk' -%> + + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <%- if run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%> <IfModule mpm_itk_module> AssignUserId <%= run_uid+" "+run_gid %> </IfModule> - <%- end -%> - <%- if default_charset.to_s != 'absent' then -%> - AddDefaultCharset <%= default_charset %> + <%- end -%> <Directory "<%= documentroot %>/"> Include include.d/joomla.inc @@ -175,6 +187,226 @@ <%- end -%> </Directory> + <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> + <IfModule mod_security2.c> + <%- if mod_security.to_s == 'true' then -%> + SecRuleEngine On + <%- if mod_security_relevantonly.to_s == 'true' then -%> + SecAuditEngine RelevantOnly + <%- else -%> + SecAuditEngine On + <%- end -%> + <%- else -%> + SecRuleEngine Off + SecAuditEngine Off + <%- end -%> + # http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html + # Exceptions for Joomla Root Directory + <LocationMatch '^/'> + SecRuleRemoveById 950013 + </LocationMatch> + + # Exceptions for Joomla Administration Panel + SecRule REQUEST_FILENAME "/administrator/index2.php" \ + "allow,phase:1,nolog,ctl:ruleEngine=Off" + + # Exceptions for Joomla Component Expose + <LocationMatch '^/components/com_expose/expose/manager/amfphp/gateway.php'> + SecRuleRemoveById 960010 + </LocationMatch> + SecAuditLogType Concurrent + SecAuditLogStorageDir <%= logdir %>/ + SecAuditLog <%= logdir %>/mod_security_audit.log + SecDebugLog <%= logdir %>/mod_security_debug.log + </IfModule> + <%- end -%> + + <%- unless additional_options.to_s == 'absent' then -%> + <%= additional_options %> + <%- end -%> +</VirtualHost> +<%- end -%> +<%- if run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> +</IfDefine> +<IfDefine !HttpdLocal> +<%- unless ssl_mode.to_s == 'only' then -%> +<VirtualHost *:80> + Include include.d/defaults.inc + + ServerName <%= servername %> + <%- unless serveralias.to_s.empty? then -%> + ServerAlias <%= serveralias %> + <%- end -%> + <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> + ServerAdmin <%= server_admin %> + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + DocumentRoot <%= documentroot %>/ + DirectoryIndex index.htm index.html index.php + <%- end -%> + + <%- case logmode.to_s + when 'nologs' -%> + ErrorLog /dev/null + CustomLog /dev/null + <%- when 'semianonym' -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- when 'anonym' -%> + ErrorLog /dev/null + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- else -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log combined + <%- end -%> + + ProxyPreserveHost On + ProxyRequests off + <%- if run_mode.to_s == 'static-itk' -%> + ProxyPassMatch ^/(.*\.php/?.*)$ http://127.0.0.1/$1 + <%- else -%> + ProxyPass / http://127.0.0.1/ + <%- end -%> + ProxyPassReverse / http://127.0.0.1/ + + <%- if ssl_mode.to_s == 'force' then -%> + Redirect permanent / https://<%= servername %>/ + + <%- end -%> + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <%- if run_mode.to_s == 'static-itk' then -%> + <%- if not ssl_mode.to_s == 'force' then -%> + <Directory "<%= documentroot %>/"> + Include include.d/joomla.inc + + AllowOverride <%= allow_override %> + <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> + Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> + + <%- end -%> + <%- unless htpasswd_file.to_s == 'absent' then -%> + AuthType Basic + AuthName "Access fuer <%= servername %>" + AuthUserFile <%= real_htpasswd_path %> + require valid-user + <%- end -%> + </Directory> + <Directory "<%= documentroot %>/administrator/"> + RewriteEngine on + + # Rewrite URLs to https that go for the admin area + RewriteCond %{REMOTE_ADDR} !^127\.[0-9]+\.[0-9]+\.[0-9]+$ + RewriteCond %{HTTPS} !=on + RewriteCond %{REQUEST_URI} (.*/administrator/.*) + RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R] + </Directory> + <%- end -%> + <%- end -%> + + <IfModule mod_security2.c> + <%- if mod_security.to_s == 'true' then -%> + SecRuleEngine On + <%- if mod_security_relevantonly.to_s == 'true' then -%> + SecAuditEngine RelevantOnly + <%- else -%> + SecAuditEngine On + <%- end -%> + <%- else -%> + SecRuleEngine Off + SecAuditEngine Off + <%- end -%> + # http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html + # Exceptions for Joomla Root Directory + <LocationMatch '^/'> + SecRuleRemoveById 950013 + </LocationMatch> + + # Exceptions for Joomla Administration Panel + SecRule REQUEST_FILENAME "/administrator/index2.php" \ + "allow,phase:1,nolog,ctl:ruleEngine=Off" + + # Exceptions for Joomla Component Expose + <LocationMatch '^/components/com_expose/expose/manager/amfphp/gateway.php'> + SecRuleRemoveById 960010 + </LocationMatch> + SecAuditLogType Concurrent + SecAuditLogStorageDir <%= logdir %>/ + SecAuditLog <%= logdir %>/mod_security_audit.log + SecDebugLog <%= logdir %>/mod_security_debug.log + </IfModule> + + <%- unless additional_options.to_s == 'absent' then -%> + <%= additional_options %> + <%- end -%> +</VirtualHost> +<%- end -%> + +<%- unless ssl_mode.to_s == 'false' then -%> +<VirtualHost *:443> + Include include.d/defaults.inc + Include include.d/ssl_defaults.inc + + ServerName <%= servername %> + <%- unless serveralias.to_s.empty? then -%> + ServerAlias <%= serveralias %> + <%- end -%> + <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> + ServerAdmin <%= server_admin %> + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + DocumentRoot <%= documentroot %>/ + DirectoryIndex index.htm index.html index.php + <%- end -%> + + <%- case logmode.to_s + when 'nologs' -%> + ErrorLog /dev/null + CustomLog /dev/null + <%- when 'semianonym' -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- when 'anonym' -%> + ErrorLog /dev/null + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- else -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log combined + <%- end -%> + + ProxyPreserveHost On + ProxyRequests off + <%- if run_mode.to_s == 'static-itk' -%> + ProxyPassMatch ^/(.*\.php/?.*)$ https://127.0.0.1/$1 + <%- else -%> + ProxyPass / https://127.0.0.1/ + <%- end -%> + ProxyPassReverse / https://127.0.0.1/ + + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + <Directory "<%= documentroot %>/"> + Include include.d/joomla.inc + + AllowOverride <%= allow_override %> + <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> + Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> + + <%- end -%> + <%- unless htpasswd_file.to_s == 'absent' then -%> + AuthType Basic + AuthName "Access fuer <%= servername %>" + AuthUserFile <%= real_htpasswd_path %> + require valid-user + <%- end -%> + </Directory> + <%- end -%> + <IfModule mod_security2.c> <%- if mod_security.to_s == 'true' then -%> SecRuleEngine On @@ -212,3 +444,5 @@ <%- end -%> </VirtualHost> <%- end -%> +</IfDefine> +<%- end -%> diff --git a/templates/vhosts/php_mediawiki/php_mediawiki.erb b/templates/vhosts/php_mediawiki/php_mediawiki.erb index 45a19c8..ac51dcc 100644 --- a/templates/vhosts/php_mediawiki/php_mediawiki.erb +++ b/templates/vhosts/php_mediawiki/php_mediawiki.erb @@ -1,4 +1,7 @@ # <%= servername %> +<%- if run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> +<IfDefine HttpdLocal> +<%- end -%> <%- unless ssl_mode.to_s == 'only' then -%> <VirtualHost *:80> Include include.d/defaults.inc @@ -26,16 +29,20 @@ ErrorLog <%= logdir %>/error_log CustomLog <%= logdir %>/access_log combined <%- end -%> + <%- if ssl_mode.to_s == 'force' then -%> Redirect permanent / https://<%= servername %>/ + <%- end -%> <%- if default_charset.to_s != 'absent' then -%> AddDefaultCharset <%= default_charset %> + <%- end -%> - <%- if run_mode.to_s == 'itk' -%> + <%- if run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%> <IfModule mpm_itk_module> AssignUserId <%= run_uid+" "+run_gid %> </IfModule> + <%- end -%> <%- if not ssl_mode.to_s == 'force' then -%> <Directory "<%= documentroot %>/"> @@ -61,6 +68,7 @@ </Directory> <%- end -%> + <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> <IfModule mod_security2.c> <%- if mod_security.to_s == 'true' then -%> SecRuleEngine On @@ -74,6 +82,7 @@ SecAuditLog <%= logdir %>/mod_security_audit.log SecDebugLog <%= logdir %>/mod_security_debug.log </IfModule> + <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> @@ -109,13 +118,16 @@ ErrorLog <%= logdir %>/error_log CustomLog <%= logdir %>/access_log combined <%- end -%> + <%- if default_charset.to_s != 'absent' then -%> AddDefaultCharset <%= default_charset %> + <%- end -%> - <%- if run_mode.to_s == 'itk' -%> + <%- if run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%> <IfModule mpm_itk_module> AssignUserId <%= run_uid+" "+run_gid %> </IfModule> + <%- end -%> <Directory "<%= documentroot %>/"> AllowOverride <%= allow_override %> @@ -139,6 +151,7 @@ php_admin_value session.save_path <%= real_php_session_save_path %> </Directory> + <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> <IfModule mod_security2.c> <%- if mod_security.to_s == 'true' then -%> SecRuleEngine On @@ -152,9 +165,181 @@ SecAuditLog <%= logdir %>/mod_security_audit.log SecDebugLog <%= logdir %>/mod_security_debug.log </IfModule> + <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> <%- end -%> </VirtualHost> <%- end -%> +<%- if run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> +</IfDefine> +<IfDefine !HttpdLocal> +<%- unless ssl_mode.to_s == 'only' then -%> +<VirtualHost *:80> + Include include.d/defaults.inc + + ServerName <%= servername %> + <%- unless serveralias.to_s.empty? then -%> + ServerAlias <%= serveralias %> + <%- end -%> + <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> + ServerAdmin <%= server_admin %> + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + DocumentRoot <%= documentroot %>/ + DirectoryIndex index.htm index.html index.php + <%- end -%> + + <%- case logmode.to_s + when 'nologs' -%> + ErrorLog /dev/null + CustomLog /dev/null + <%- when 'semianonym' -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- when 'anonym' -%> + ErrorLog /dev/null + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- else -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log combined + <%- end -%> + + ProxyPreserveHost On + ProxyRequests off + <%- if run_mode.to_s == 'static-itk' -%> + ProxyPassMatch ^/(.*\.php/?.*)$ http://127.0.0.1/$1 + <%- else -%> + ProxyPass / http://127.0.0.1/ + <%- end -%> + ProxyPassReverse / http://127.0.0.1/ + + <%- if ssl_mode.to_s == 'force' then -%> + Redirect permanent / https://<%= servername %>/ + + <%- end -%> + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <%- if run_mode.to_s == 'static-itk' then -%> + <%- if not ssl_mode.to_s == 'force' then -%> + <Directory "<%= documentroot %>/"> + AllowOverride <%= allow_override %> + <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> + Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%><%- unless options.to_s.include?('+FollowSymLinks') -%> +FollowSymLinks<% end -%> + + <%- end -%> + <%- unless htpasswd_file.to_s == 'absent' then -%> + AuthType Basic + AuthName "Access fuer <%= servername %>" + AuthUserFile <%= real_htpasswd_path %> + require valid-user + <%- end -%> + </Directory> + <%- end -%> + <%- end -%> + + <IfModule mod_security2.c> + <%- if mod_security.to_s == 'true' then -%> + SecRuleEngine On + SecAuditEngine On + <%- else -%> + SecRuleEngine Off + SecAuditEngine Off + <%- end -%> + SecAuditLogType Concurrent + SecAuditLogStorageDir <%= logdir %>/ + SecAuditLog <%= logdir %>/mod_security_audit.log + SecDebugLog <%= logdir %>/mod_security_debug.log + </IfModule> + + <%- unless additional_options.to_s == 'absent' then -%> + <%= additional_options %> + <%- end -%> +</VirtualHost> +<%- end -%> + +<%- unless ssl_mode.to_s == 'false' then -%> +<VirtualHost *:443> + Include include.d/defaults.inc + Include include.d/ssl_defaults.inc + + ServerName <%= servername %> + <%- unless serveralias.to_s.empty? then -%> + ServerAlias <%= serveralias %> + <%- end -%> + <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> + ServerAdmin <%= server_admin %> + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + DocumentRoot <%= documentroot %>/ + DirectoryIndex index.htm index.html index.php + <%- end -%> + + <%- case logmode.to_s + when 'nologs' -%> + ErrorLog /dev/null + CustomLog /dev/null + <%- when 'semianonym' -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- when 'anonym' -%> + ErrorLog /dev/null + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- else -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log combined + <%- end -%> + + ProxyPreserveHost On + ProxyRequests off + <%- if run_mode.to_s == 'static-itk' -%> + ProxyPassMatch ^/(.*\.php/?.*)$ https://127.0.0.1/$1 + <%- else -%> + ProxyPass / https://127.0.0.1/ + <%- end -%> + ProxyPassReverse / https://127.0.0.1/ + + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + <Directory "<%= documentroot %>/"> + AllowOverride <%= allow_override %> + <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> + Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> + + <%- end -%> + <%- unless htpasswd_file.to_s == 'absent' then -%> + AuthType Basic + AuthName "Access fuer <%= servername %>" + AuthUserFile <%= real_htpasswd_path %> + require valid-user + <%- end -%> + </Directory> + <%- end -%> + + <IfModule mod_security2.c> + <%- if mod_security.to_s == 'true' then -%> + SecRuleEngine On + SecAuditEngine On + <%- else -%> + SecRuleEngine Off + SecAuditEngine Off + <%- end -%> + SecAuditLogType Concurrent + SecAuditLogStorageDir <%= logdir %>/ + SecAuditLog <%= logdir %>/mod_security_audit.log + SecDebugLog <%= logdir %>/mod_security_debug.log + </IfModule> + + <%- unless additional_options.to_s == 'absent' then -%> + <%= additional_options %> + <%- end -%> +</VirtualHost> +<%- end -%> +</IfDefine> +<%- end -%> diff --git a/templates/vhosts/php_silverstripe/php_silverstripe.erb b/templates/vhosts/php_silverstripe/php_silverstripe.erb index 8b739b7..888c066 100644 --- a/templates/vhosts/php_silverstripe/php_silverstripe.erb +++ b/templates/vhosts/php_silverstripe/php_silverstripe.erb @@ -1,4 +1,7 @@ # <%= servername %> +<%- if run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> +<IfDefine HttpdLocal> +<%- end -%> <%- unless ssl_mode.to_s == 'only' then -%> <VirtualHost *:80> Include include.d/defaults.inc @@ -26,19 +29,24 @@ ErrorLog <%= logdir %>/error_log CustomLog <%= logdir %>/access_log combined <%- end -%> + <%- if ssl_mode.to_s == 'force' then -%> Redirect permanent / https://<%= servername %>/ + <%- end -%> # silverstripe RedirectMatch /admin(.*) https://<%= servername %>/admin$1 RedirectMatch /Security(.*) https://<%= servername %>/Security$1 + <%- if default_charset.to_s != 'absent' then -%> AddDefaultCharset <%= default_charset %> + <%- end -%> - <%- if run_mode.to_s == 'itk' -%> + <%- if run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%> <IfModule mpm_itk_module> AssignUserId <%= run_uid+" "+run_gid %> </IfModule> + <%- end -%> <%- if not ssl_mode.to_s == 'force' then -%> <Directory "<%= documentroot %>/"> @@ -70,6 +78,7 @@ Deny from all #Allow from 127.0.0.1 </Files> + <IfModule mod_rewrite.c> RewriteEngine On #RewriteBase / @@ -83,6 +92,7 @@ </Directory> <%- end -%> + <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> <IfModule mod_security2.c> <%- if mod_security.to_s == 'true' then -%> SecRuleEngine On @@ -102,6 +112,7 @@ # http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html SecRuleRemoveById "960010" </IfModule> + <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> @@ -136,14 +147,18 @@ <%- else -%> ErrorLog <%= logdir %>/error_log CustomLog <%= logdir %>/access_log combined + + <%- end -%> + + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + <%- end -%> - <%- if run_mode.to_s == 'itk' -%> + <%- if run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%> <IfModule mpm_itk_module> AssignUserId <%= run_uid+" "+run_gid %> </IfModule> - <%- end -%> - <%- if default_charset.to_s != 'absent' then -%> - AddDefaultCharset <%= default_charset %> + <%- end -%> <Directory "<%= documentroot %>/"> AllowOverride <%= allow_override %> @@ -188,6 +203,7 @@ </IfModule> </Directory> + <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> <IfModule mod_security2.c> <%- if mod_security.to_s == 'true' then -%> SecRuleEngine On @@ -207,9 +223,231 @@ # http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html SecRuleRemoveById "960010" </IfModule> + <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> <%- end -%> </VirtualHost> <%- end -%> +<%- if run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> +</IfDefine> +<IfDefine !HttpdLocal> +<%- unless ssl_mode.to_s == 'only' then -%> +<VirtualHost *:80> + Include include.d/defaults.inc + + ServerName <%= servername %> + <%- unless serveralias.to_s.empty? then -%> + ServerAlias <%= serveralias %> + <%- end -%> + <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> + ServerAdmin <%= server_admin %> + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + DocumentRoot <%= documentroot %>/ + DirectoryIndex index.htm index.html index.php + <%- end -%> + + <%- case logmode.to_s + when 'nologs' -%> + ErrorLog /dev/null + CustomLog /dev/null + <%- when 'semianonym' -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- when 'anonym' -%> + ErrorLog /dev/null + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- else -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log combined + <%- end -%> + + ProxyPreserveHost On + ProxyRequests off + <%- if run_mode.to_s == 'static-itk' -%> + ProxyPassMatch ^/(.*\.php/?.*)$ http://127.0.0.1/$1 + <%- else -%> + ProxyPass / http://127.0.0.1/ + <%- end -%> + ProxyPassReverse / http://127.0.0.1/ + + <%- if ssl_mode.to_s == 'force' then -%> + Redirect permanent / https://<%= servername %>/ + + <%- end -%> + # silverstripe + RedirectMatch /admin(.*) https://<%= servername %>/admin$1 + RedirectMatch /Security(.*) https://<%= servername %>/Security$1 + + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <%- if run_mode.to_s == 'static-itk' then -%> + <%- if not ssl_mode.to_s == 'force' then -%> + <Directory "<%= documentroot %>/"> + AllowOverride <%= allow_override %> + <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> + Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> + + <%- end -%> + <%- unless htpasswd_file.to_s == 'absent' then -%> + AuthType Basic + AuthName "Access fuer <%= servername %>" + AuthUserFile <%= real_htpasswd_path %> + require valid-user + <%- end -%> + # silverstripe .htaccess + <Files *.ss> + Order deny,allow + Deny from all + #Allow from 127.0.0.1 + </Files> + + <IfModule mod_rewrite.c> + RewriteEngine On + #RewriteBase / + + RewriteCond %{REQUEST_URI} !(\.gif$)|(\.jpg$)|(\.png$)|(\.css$)|(\.js$) + + RewriteCond %{REQUEST_URI} ^(.*)$ + RewriteCond %{REQUEST_FILENAME} !-f + RewriteRule .* sapphire/main.php?url=%1&%{QUERY_STRING} [L] + </IfModule> + </Directory> + <%- end -%> + <%- end -%> + + <IfModule mod_security2.c> + <%- if mod_security.to_s == 'true' then -%> + SecRuleEngine On + <%- if mod_security_relevantonly.to_s == 'true' then -%> + SecAuditEngine RelevantOnly + <%- else -%> + SecAuditEngine On + <%- end -%> + <%- else -%> + SecRuleEngine Off + SecAuditEngine Off + <%- end -%> + SecAuditLogType Concurrent + SecAuditLogStorageDir <%= logdir %>/ + SecAuditLog <%= logdir %>/mod_security_audit.log + SecDebugLog <%= logdir %>/mod_security_debug.log + # http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html + SecRuleRemoveById "960010" + </IfModule> + + <%- unless additional_options.to_s == 'absent' then -%> + <%= additional_options %> + <%- end -%> +</VirtualHost> +<%- end -%> + +<%- unless ssl_mode.to_s == 'false' then -%> +<VirtualHost *:443> + Include include.d/defaults.inc + Include include.d/ssl_defaults.inc + ServerName <%= servername %> + <%- unless serveralias.to_s.empty? then -%> + ServerAlias <%= serveralias %> + <%- end -%> + <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> + ServerAdmin <%= server_admin %> + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + DocumentRoot <%= documentroot %>/ + DirectoryIndex index.htm index.html index.php + <%- end -%> + + <%- case logmode.to_s + when 'nologs' -%> + ErrorLog /dev/null + CustomLog /dev/null + <%- when 'semianonym' -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- when 'anonym' -%> + ErrorLog /dev/null + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- else -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log combined + <%- end -%> + + ProxyPreserveHost On + ProxyRequests off + <%- if run_mode.to_s == 'static-itk' -%> + ProxyPassMatch ^/(.*\.php/?.*)$ https://127.0.0.1/$1 + <%- else -%> + ProxyPass / https://127.0.0.1/ + <%- end -%> + ProxyPassReverse / https://127.0.0.1/ + + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + <Directory "<%= documentroot %>/"> + AllowOverride <%= allow_override %> + <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> + Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> + + <%- end -%> + <%- unless htpasswd_file.to_s == 'absent' then -%> + AuthType Basic + AuthName "Access fuer <%= servername %>" + AuthUserFile <%= real_htpasswd_path %> + require valid-user + <%- end -%> + + # silverstripe .htaccess + <Files *.ss> + Order deny,allow + Deny from all + #Allow from 127.0.0.1 + </Files> + <IfModule mod_rewrite.c> + RewriteEngine On + #RewriteBase / + + RewriteCond %{REQUEST_URI} !(\.gif$)|(\.jpg$)|(\.png$)|(\.css$)|(\.js$) + + RewriteCond %{REQUEST_URI} ^(.*)$ + RewriteCond %{REQUEST_FILENAME} !-f + RewriteRule .* sapphire/main.php?url=%1&%{QUERY_STRING} [L] + </IfModule> + </Directory> + <%- end -%> + + <IfModule mod_security2.c> + <%- if mod_security.to_s == 'true' then -%> + SecRuleEngine On + <%- if mod_security_relevantonly.to_s == 'true' then -%> + SecAuditEngine RelevantOnly + <%- else -%> + SecAuditEngine On + <%- end -%> + <%- else -%> + SecRuleEngine Off + SecAuditEngine Off + <%- end -%> + SecAuditLogType Concurrent + SecAuditLogStorageDir <%= logdir %>/ + SecAuditLog <%= logdir %>/mod_security_audit.log + SecDebugLog <%= logdir %>/mod_security_debug.log + # http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html + SecRuleRemoveById "960010" + </IfModule> + + <%- unless additional_options.to_s == 'absent' then -%> + <%= additional_options %> + <%- end -%> +</VirtualHost> +<%- end -%> +</IfDefine> +<%- end -%> + diff --git a/templates/vhosts/php_simplemachine/php_simplemachine.erb b/templates/vhosts/php_simplemachine/php_simplemachine.erb index b2b0419..7042647 100644 --- a/templates/vhosts/php_simplemachine/php_simplemachine.erb +++ b/templates/vhosts/php_simplemachine/php_simplemachine.erb @@ -1,4 +1,7 @@ # <%= servername %> +<%- if run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> +<IfDefine HttpdLocal> +<%- end -%> <%- unless ssl_mode.to_s == 'only' then -%> <VirtualHost *:80> Include include.d/defaults.inc @@ -26,16 +29,20 @@ ErrorLog <%= logdir %>/error_log CustomLog <%= logdir %>/access_log combined <%- end -%> + <%- if ssl_mode.to_s == 'force' then -%> Redirect permanent / https://<%= servername %>/ + <%- end -%> <%- if default_charset.to_s != 'absent' then -%> AddDefaultCharset <%= default_charset %> + <%- end -%> - <%- if run_mode.to_s == 'itk' -%> + <%- if run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%> <IfModule mpm_itk_module> AssignUserId <%= run_uid+" "+run_gid %> </IfModule> + <%- end -%> <%- if not ssl_mode.to_s == 'force' then -%> <Directory "<%= documentroot %>/"> @@ -60,6 +67,7 @@ </Directory> <%- end -%> + <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> <IfModule mod_security2.c> <%- if mod_security.to_s == 'true' then -%> SecRuleEngine On @@ -77,6 +85,7 @@ SecAuditLog <%= logdir %>/mod_security_audit.log SecDebugLog <%= logdir %>/mod_security_debug.log </IfModule> + <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> @@ -112,13 +121,16 @@ ErrorLog <%= logdir %>/error_log CustomLog <%= logdir %>/access_log combined <%- end -%> - <%- if run_mode.to_s == 'itk' -%> + + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <%- if run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%> <IfModule mpm_itk_module> AssignUserId <%= run_uid+" "+run_gid %> </IfModule> - <%- end -%> - <%- if default_charset.to_s != 'absent' then -%> - AddDefaultCharset <%= default_charset %> + <%- end -%> <Directory "<%= documentroot %>/"> AllowOverride <%= allow_override %> @@ -141,6 +153,7 @@ php_admin_value session.save_path <%= real_php_session_save_path %> </Directory> + <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> <IfModule mod_security2.c> <%- if mod_security.to_s == 'true' then -%> SecRuleEngine On @@ -158,9 +171,189 @@ SecAuditLog <%= logdir %>/mod_security_audit.log SecDebugLog <%= logdir %>/mod_security_debug.log </IfModule> + <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> <%- end -%> </VirtualHost> <%- end -%> +<%- if run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> +</IfDefine> +<IfDefine !HttpdLocal> +<%- unless ssl_mode.to_s == 'only' then -%> +<VirtualHost *:80> + Include include.d/defaults.inc + + ServerName <%= servername %> + <%- unless serveralias.to_s.empty? then -%> + ServerAlias <%= serveralias %> + <%- end -%> + <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> + ServerAdmin <%= server_admin %> + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + DocumentRoot <%= documentroot %>/ + DirectoryIndex index.htm index.html index.php + <%- end -%> + + <%- case logmode.to_s + when 'nologs' -%> + ErrorLog /dev/null + CustomLog /dev/null + <%- when 'semianonym' -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- when 'anonym' -%> + ErrorLog /dev/null + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- else -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log combined + <%- end -%> + + ProxyPreserveHost On + ProxyRequests off + <%- if run_mode.to_s == 'static-itk' -%> + ProxyPassMatch ^/(.*\.php/?.*)$ http://127.0.0.1/$1 + <%- else -%> + ProxyPass / http://127.0.0.1/ + <%- end -%> + ProxyPassReverse / http://127.0.0.1/ + + <%- if ssl_mode.to_s == 'force' then -%> + Redirect permanent / https://<%= servername %>/ + + <%- end -%> + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <%- if run_mode.to_s == 'static-itk' then -%> + <%- if not ssl_mode.to_s == 'force' then -%> + <Directory "<%= documentroot %>/"> + AllowOverride <%= allow_override %> + <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> + Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> + + <%- end -%> + <%- unless htpasswd_file.to_s == 'absent' then -%> + AuthType Basic + AuthName "Access fuer <%= servername %>" + AuthUserFile <%= real_htpasswd_path %> + require valid-user + <%- end -%> + </Directory> + <%- end -%> + <%- end -%> + + <IfModule mod_security2.c> + <%- if mod_security.to_s == 'true' then -%> + SecRuleEngine On + <%- if mod_security_relevantonly.to_s == 'true' then -%> + SecAuditEngine RelevantOnly + <%- else -%> + SecAuditEngine On + <%- end -%> + <%- else -%> + SecRuleEngine Off + SecAuditEngine Off + <%- end -%> + SecAuditLogType Concurrent + SecAuditLogStorageDir <%= logdir %>/ + SecAuditLog <%= logdir %>/mod_security_audit.log + SecDebugLog <%= logdir %>/mod_security_debug.log + </IfModule> + + <%- unless additional_options.to_s == 'absent' then -%> + <%= additional_options %> + <%- end -%> +</VirtualHost> +<%- end -%> + +<%- unless ssl_mode.to_s == 'false' then -%> +<VirtualHost *:443> + Include include.d/defaults.inc + Include include.d/ssl_defaults.inc + + ServerName <%= servername %> + <%- unless serveralias.to_s.empty? then -%> + ServerAlias <%= serveralias %> + <%- end -%> + <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> + ServerAdmin <%= server_admin %> + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + DocumentRoot <%= documentroot %>/ + DirectoryIndex index.htm index.html index.php + <%- end -%> + + <%- case logmode.to_s + when 'nologs' -%> + ErrorLog /dev/null + CustomLog /dev/null + <%- when 'semianonym' -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- when 'anonym' -%> + ErrorLog /dev/null + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- else -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log combined + <%- end -%> + + ProxyPreserveHost On + ProxyRequests off + <%- if run_mode.to_s == 'static-itk' -%> + ProxyPassMatch ^/(.*\.php/?.*)$ https://127.0.0.1/$1 + <%- else -%> + ProxyPass / https://127.0.0.1/ + <%- end -%> + ProxyPassReverse / https://127.0.0.1/ + + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + <Directory "<%= documentroot %>/"> + AllowOverride <%= allow_override %> + <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> + Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> + + <%- end -%> + <%- unless htpasswd_file.to_s == 'absent' then -%> + AuthType Basic + AuthName "Access fuer <%= servername %>" + AuthUserFile <%= real_htpasswd_path %> + require valid-user + <%- end -%> + </Directory> + <%- end -%> + + <IfModule mod_security2.c> + <%- if mod_security.to_s == 'true' then -%> + SecRuleEngine On + <%- if mod_security_relevantonly.to_s == 'true' then -%> + SecAuditEngine RelevantOnly + <%- else -%> + SecAuditEngine On + <%- end -%> + <%- else -%> + SecRuleEngine Off + SecAuditEngine Off + <%- end -%> + SecAuditLogType Concurrent + SecAuditLogStorageDir <%= logdir %>/ + SecAuditLog <%= logdir %>/mod_security_audit.log + SecDebugLog <%= logdir %>/mod_security_debug.log + </IfModule> + + <%- unless additional_options.to_s == 'absent' then -%> + <%= additional_options %> + <%- end -%> +</VirtualHost> +<%- end -%> +</IfDefine> +<%- end -%> diff --git a/templates/vhosts/php_spip/php_spip.erb b/templates/vhosts/php_spip/php_spip.erb index 99c94e2..c63cf77 100644 --- a/templates/vhosts/php_spip/php_spip.erb +++ b/templates/vhosts/php_spip/php_spip.erb @@ -1,4 +1,7 @@ # <%= servername %> +<%- if run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> +<IfDefine HttpdLocal> +<%- end -%> <%- unless ssl_mode.to_s == 'only' then -%> <VirtualHost *:80> Include include.d/defaults.inc @@ -26,16 +29,20 @@ ErrorLog <%= logdir %>/error_log CustomLog <%= logdir %>/access_log combined <%- end -%> + <%- if ssl_mode.to_s == 'force' then -%> Redirect permanent / https://<%= servername %>/ + <%- end -%> <%- if default_charset.to_s != 'absent' then -%> AddDefaultCharset <%= default_charset %> + <%- end -%> - <%- if run_mode.to_s == 'itk' -%> + <%- if run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%> <IfModule mpm_itk_module> AssignUserId <%= run_uid+" "+run_gid %> </IfModule> + <%- end -%> <%- if not ssl_mode.to_s == 'force' then -%> <Directory "<%= documentroot %>/"> @@ -66,6 +73,7 @@ </Directory> <%- end -%> + <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> <IfModule mod_security2.c> <%- if mod_security.to_s == 'true' then -%> SecRuleEngine On @@ -83,6 +91,7 @@ SecAuditLog <%= logdir %>/mod_security_audit.log SecDebugLog <%= logdir %>/mod_security_debug.log </IfModule> + <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> @@ -118,13 +127,16 @@ ErrorLog <%= logdir %>/error_log CustomLog <%= logdir %>/access_log combined <%- end -%> - <%- if run_mode.to_s == 'itk' -%> + + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <%- if run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%> <IfModule mpm_itk_module> AssignUserId <%= run_uid+" "+run_gid %> </IfModule> - <%- end -%> - <%- if default_charset.to_s != 'absent' then -%> - AddDefaultCharset <%= default_charset %> + <%- end -%> <Directory "<%= documentroot %>/"> AllowOverride <%= allow_override %> @@ -153,6 +165,7 @@ <%- end -%> </Directory> + <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> <IfModule mod_security2.c> <%- if mod_security.to_s == 'true' then -%> SecRuleEngine On @@ -170,9 +183,189 @@ SecAuditLog <%= logdir %>/mod_security_audit.log SecDebugLog <%= logdir %>/mod_security_debug.log </IfModule> + <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> <%- end -%> </VirtualHost> <%- end -%> +<%- if run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> +</IfDefine> +<IfDefine !HttpdLocal> +<%- unless ssl_mode.to_s == 'only' then -%> +<VirtualHost *:80> + Include include.d/defaults.inc + + ServerName <%= servername %> + <%- unless serveralias.to_s.empty? then -%> + ServerAlias <%= serveralias %> + <%- end -%> + <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> + ServerAdmin <%= server_admin %> + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + DocumentRoot <%= documentroot %>/ + DirectoryIndex index.htm index.html index.php + <%- end -%> + + <%- case logmode.to_s + when 'nologs' -%> + ErrorLog /dev/null + CustomLog /dev/null + <%- when 'semianonym' -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- when 'anonym' -%> + ErrorLog /dev/null + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- else -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log combined + <%- end -%> + + ProxyPreserveHost On + ProxyRequests off + <%- if run_mode.to_s == 'static-itk' -%> + ProxyPassMatch ^/(.*\.php/?.*)$ http://127.0.0.1/$1 + <%- else -%> + ProxyPass / http://127.0.0.1/ + <%- end -%> + ProxyPassReverse / http://127.0.0.1/ + + <%- if ssl_mode.to_s == 'force' then -%> + Redirect permanent / https://<%= servername %>/ + + <%- end -%> + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <%- if run_mode.to_s == 'static-itk' then -%> + <%- if not ssl_mode.to_s == 'force' then -%> + <Directory "<%= documentroot %>/"> + AllowOverride <%= allow_override %> + <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> + Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> + + <%- end -%> + <%- unless htpasswd_file.to_s == 'absent' then -%> + AuthType Basic + AuthName "Access fuer <%= servername %>" + AuthUserFile <%= real_htpasswd_path %> + require valid-user + <%- end -%> + </Directory> + <%- end -%> + <%- end -%> + + <IfModule mod_security2.c> + <%- if mod_security.to_s == 'true' then -%> + SecRuleEngine On + <%- if mod_security_relevantonly.to_s == 'true' then -%> + SecAuditEngine RelevantOnly + <%- else -%> + SecAuditEngine On + <%- end -%> + <%- else -%> + SecRuleEngine Off + SecAuditEngine Off + <%- end -%> + SecAuditLogType Concurrent + SecAuditLogStorageDir <%= logdir %>/ + SecAuditLog <%= logdir %>/mod_security_audit.log + SecDebugLog <%= logdir %>/mod_security_debug.log + </IfModule> + + <%- unless additional_options.to_s == 'absent' then -%> + <%= additional_options %> + <%- end -%> +</VirtualHost> +<%- end -%> + +<%- unless ssl_mode.to_s == 'false' then -%> +<VirtualHost *:443> + Include include.d/defaults.inc + Include include.d/ssl_defaults.inc + + ServerName <%= servername %> + <%- unless serveralias.to_s.empty? then -%> + ServerAlias <%= serveralias %> + <%- end -%> + <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> + ServerAdmin <%= server_admin %> + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + DocumentRoot <%= documentroot %>/ + DirectoryIndex index.htm index.html index.php + <%- end -%> + + <%- case logmode.to_s + when 'nologs' -%> + ErrorLog /dev/null + CustomLog /dev/null + <%- when 'semianonym' -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- when 'anonym' -%> + ErrorLog /dev/null + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- else -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log combined + <%- end -%> + + ProxyPreserveHost On + ProxyRequests off + <%- if run_mode.to_s == 'static-itk' -%> + ProxyPassMatch ^/(.*\.php/?.*)$ https://127.0.0.1/$1 + <%- else -%> + ProxyPass / https://127.0.0.1/ + <%- end -%> + ProxyPassReverse / https://127.0.0.1/ + + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + <Directory "<%= documentroot %>/"> + AllowOverride <%= allow_override %> + <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> + Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> + + <%- end -%> + <%- unless htpasswd_file.to_s == 'absent' then -%> + AuthType Basic + AuthName "Access fuer <%= servername %>" + AuthUserFile <%= real_htpasswd_path %> + require valid-user + <%- end -%> + </Directory> + <%- end -%> + + <IfModule mod_security2.c> + <%- if mod_security.to_s == 'true' then -%> + SecRuleEngine On + <%- if mod_security_relevantonly.to_s == 'true' then -%> + SecAuditEngine RelevantOnly + <%- else -%> + SecAuditEngine On + <%- end -%> + <%- else -%> + SecRuleEngine Off + SecAuditEngine Off + <%- end -%> + SecAuditLogType Concurrent + SecAuditLogStorageDir <%= logdir %>/ + SecAuditLog <%= logdir %>/mod_security_audit.log + SecDebugLog <%= logdir %>/mod_security_debug.log + </IfModule> + + <%- unless additional_options.to_s == 'absent' then -%> + <%= additional_options %> + <%- end -%> +</VirtualHost> +<%- end -%> +</IfDefine> +<%- end -%> diff --git a/templates/vhosts/php_typo3/php_typo3.erb b/templates/vhosts/php_typo3/php_typo3.erb index c3bb0d4..6272576 100644 --- a/templates/vhosts/php_typo3/php_typo3.erb +++ b/templates/vhosts/php_typo3/php_typo3.erb @@ -1,4 +1,7 @@ # <%= servername %> +<%- if run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> +<IfDefine HttpdLocal> +<%- end -%> <%- unless ssl_mode.to_s == 'only' then -%> <VirtualHost *:80> Include include.d/defaults.inc @@ -26,16 +29,20 @@ ErrorLog <%= logdir %>/error_log CustomLog <%= logdir %>/access_log combined <%- end -%> + <%- if ssl_mode.to_s == 'force' then -%> Redirect permanent / https://<%= servername %>/ + <%- end -%> <%- if default_charset.to_s != 'absent' then -%> AddDefaultCharset <%= default_charset %> + <%- end -%> - <%- if run_mode.to_s == 'itk' -%> + <%- if run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%> <IfModule mpm_itk_module> AssignUserId <%= run_uid+" "+run_gid %> </IfModule> + <%- end -%> <%- if not ssl_mode.to_s == 'force' then -%> <Directory "<%= documentroot %>/"> @@ -61,8 +68,6 @@ php_admin_value safe_mode_exec_dir <%= real_php_safe_mode_exec_bin_dir %> <%- end -%> </Directory> - <%- end -%> - <Directory "<%= documentroot %>/typo3/"> RewriteEngine on @@ -72,8 +77,17 @@ RewriteCond %{REQUEST_URI} (.*/typo3/.*) RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R] </Directory> + <%- end -%> + <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> + <Location "/typo3"> + <IfModule mod_security2.c> + SecRuleEngine Off + SecAuditEngine Off + </IfModule> + </Location> + <IfModule mod_security2.c> <%- if mod_security.to_s == 'true' then -%> SecRuleEngine On @@ -93,6 +107,7 @@ # http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html SecRuleRemoveById "960010" </IfModule> + <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> @@ -128,13 +143,16 @@ ErrorLog <%= logdir %>/error_log CustomLog <%= logdir %>/access_log combined <%- end -%> - <%- if run_mode.to_s == 'itk' -%> + + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <%- if run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%> <IfModule mpm_itk_module> AssignUserId <%= run_uid+" "+run_gid %> </IfModule> - <%- end -%> - <%- if default_charset.to_s != 'absent' then -%> - AddDefaultCharset <%= default_charset %> + <%- end -%> <Directory "<%= documentroot %>/"> AllowOverride <%= allow_override %> @@ -162,9 +180,11 @@ php_admin_value allow_url_fopen On </Directory> + <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> <Location "/typo3"> <IfModule mod_security2.c> SecRuleEngine Off + SecAuditEngine Off </IfModule> </Location> @@ -187,9 +207,214 @@ # http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html SecRuleRemoveById "960010" </IfModule> + <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> <%- end -%> </VirtualHost> <%- end -%> +<%- if run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> +</IfDefine> +<IfDefine !HttpdLocal> +<%- unless ssl_mode.to_s == 'only' then -%> +<VirtualHost *:80> + Include include.d/defaults.inc + + ServerName <%= servername %> + <%- unless serveralias.to_s.empty? then -%> + ServerAlias <%= serveralias %> + <%- end -%> + <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> + ServerAdmin <%= server_admin %> + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + DocumentRoot <%= documentroot %>/ + DirectoryIndex index.htm index.html index.php + <%- end -%> + + <%- case logmode.to_s + when 'nologs' -%> + ErrorLog /dev/null + CustomLog /dev/null + <%- when 'semianonym' -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- when 'anonym' -%> + ErrorLog /dev/null + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- else -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log combined + <%- end -%> + + ProxyPreserveHost On + ProxyRequests off + <%- if run_mode.to_s == 'static-itk' -%> + ProxyPassMatch ^/(.*\.php/?.*)$ http://127.0.0.1/$1 + <%- else -%> + ProxyPass / http://127.0.0.1/ + <%- end -%> + ProxyPassReverse / http://127.0.0.1/ + + <%- if ssl_mode.to_s == 'force' then -%> + Redirect permanent / https://<%= servername %>/ + + <%- end -%> + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <%- if run_mode.to_s == 'static-itk' then -%> + <%- if not ssl_mode.to_s == 'force' then -%> + <Directory "<%= documentroot %>/"> + AllowOverride <%= allow_override %> + <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> + Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> + + <%- end -%> + <%- unless htpasswd_file.to_s == 'absent' then -%> + AuthType Basic + AuthName "Access fuer <%= servername %>" + AuthUserFile <%= real_htpasswd_path %> + require valid-user + <%- end -%> + </Directory> + <Directory "<%= documentroot %>/typo3/"> + RewriteEngine on + + # Rewrite URLs to https that go for the admin area + RewriteCond %{REMOTE_ADDR} !^127\.[0-9]+\.[0-9]+\.[0-9]+$ + RewriteCond %{HTTPS} !=on + RewriteCond %{REQUEST_URI} (.*/typo3/.*) + RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R] + </Directory> + <%- end -%> + <%- end -%> + + <Location "/typo3"> + <IfModule mod_security2.c> + SecRuleEngine Off + </IfModule> + </Location> + + <IfModule mod_security2.c> + <%- if mod_security.to_s == 'true' then -%> + SecRuleEngine On + <%- if mod_security_relevantonly.to_s == 'true' then -%> + SecAuditEngine RelevantOnly + <%- else -%> + SecAuditEngine On + <%- end -%> + <%- else -%> + SecRuleEngine Off + SecAuditEngine Off + <%- end -%> + SecAuditLogType Concurrent + SecAuditLogStorageDir <%= logdir %>/ + SecAuditLog <%= logdir %>/mod_security_audit.log + SecDebugLog <%= logdir %>/mod_security_debug.log + # http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html + SecRuleRemoveById "960010" + </IfModule> + + <%- unless additional_options.to_s == 'absent' then -%> + <%= additional_options %> + <%- end -%> +</VirtualHost> +<%- end -%> + +<%- unless ssl_mode.to_s == 'false' then -%> +<VirtualHost *:443> + Include include.d/defaults.inc + Include include.d/ssl_defaults.inc + + ServerName <%= servername %> + <%- unless serveralias.to_s.empty? then -%> + ServerAlias <%= serveralias %> + <%- end -%> + <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> + ServerAdmin <%= server_admin %> + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + DocumentRoot <%= documentroot %>/ + DirectoryIndex index.htm index.html index.php + <%- end -%> + + <%- case logmode.to_s + when 'nologs' -%> + ErrorLog /dev/null + CustomLog /dev/null + <%- when 'semianonym' -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- when 'anonym' -%> + ErrorLog /dev/null + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- else -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log combined + <%- end -%> + + ProxyPreserveHost On + ProxyRequests off + <%- if run_mode.to_s == 'static-itk' -%> + ProxyPassMatch ^/(.*\.php/?.*)$ https://127.0.0.1/$1 + <%- else -%> + ProxyPass / https://127.0.0.1/ + <%- end -%> + ProxyPassReverse / https://127.0.0.1/ + + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + <Directory "<%= documentroot %>/"> + AllowOverride <%= allow_override %> + <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> + Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> + + <%- end -%> + <%- unless htpasswd_file.to_s == 'absent' then -%> + AuthType Basic + AuthName "Access fuer <%= servername %>" + AuthUserFile <%= real_htpasswd_path %> + require valid-user + <%- end -%> + </Directory> + <%- end -%> + + <Location "/typo3"> + <IfModule mod_security2.c> + SecRuleEngine Off + </IfModule> + </Location> + + <IfModule mod_security2.c> + <%- if mod_security.to_s == 'true' then -%> + SecRuleEngine On + <%- if mod_security_relevantonly.to_s == 'true' then -%> + SecAuditEngine RelevantOnly + <%- else -%> + SecAuditEngine On + <%- end -%> + <%- else -%> + SecRuleEngine Off + SecAuditEngine Off + <%- end -%> + SecAuditLogType Concurrent + SecAuditLogStorageDir <%= logdir %>/ + SecAuditLog <%= logdir %>/mod_security_audit.log + SecDebugLog <%= logdir %>/mod_security_debug.log + # http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html + SecRuleRemoveById "960010" + </IfModule> + + <%- unless additional_options.to_s == 'absent' then -%> + <%= additional_options %> + <%- end -%> +</VirtualHost> +<%- end -%> +</IfDefine> +<%- end -%> diff --git a/templates/vhosts/php_wordpress/php_wordpress.erb b/templates/vhosts/php_wordpress/php_wordpress.erb index 5dbf9dc..2a90c69 100644 --- a/templates/vhosts/php_wordpress/php_wordpress.erb +++ b/templates/vhosts/php_wordpress/php_wordpress.erb @@ -1,4 +1,7 @@ # <%= servername %> +<%- if run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> +<IfDefine HttpdLocal> +<%- end -%> <%- unless ssl_mode.to_s == 'only' then -%> <VirtualHost *:80> Include include.d/defaults.inc @@ -26,16 +29,20 @@ ErrorLog <%= logdir %>/error_log CustomLog <%= logdir %>/access_log combined <%- end -%> + <%- if ssl_mode.to_s == 'force' then -%> Redirect permanent / https://<%= servername %>/ + <%- end -%> <%- if default_charset.to_s != 'absent' then -%> AddDefaultCharset <%= default_charset %> + <%- end -%> - <%- if run_mode.to_s == 'itk' -%> + <%- if run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%> <IfModule mpm_itk_module> AssignUserId <%= run_uid+" "+run_gid %> </IfModule> + <%- end -%> <%- if not ssl_mode.to_s == 'force' then -%> <Directory "<%= documentroot %>/"> @@ -63,6 +70,7 @@ </Directory> <%- end -%> + <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> <IfModule mod_security2.c> <%- if mod_security.to_s == 'true' then -%> SecRuleEngine On @@ -79,6 +87,7 @@ SecRuleRemoveById "960010" SecRuleRemoveById "950018" </IfModule> + <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> @@ -114,13 +123,16 @@ ErrorLog <%= logdir %>/error_log CustomLog <%= logdir %>/access_log combined <%- end -%> - <%- if run_mode.to_s == 'itk' -%> + + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <%- if run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%> <IfModule mpm_itk_module> AssignUserId <%= run_uid+" "+run_gid %> </IfModule> - <%- end -%> - <%- if default_charset.to_s != 'absent' then -%> - AddDefaultCharset <%= default_charset %> + <%- end -%> <Directory "<%= documentroot %>/"> AllowOverride <%= allow_override %> @@ -146,6 +158,99 @@ <%- end -%> </Directory> + <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> + <IfModule mod_security2.c> + <%- if mod_security.to_s == 'true' then -%> + SecRuleEngine On + SecAuditEngine On + <%- else -%> + SecRuleEngine Off + SecAuditEngine Off + <%- end -%> + SecAuditLogType Concurrent + SecAuditLogStorageDir <%= logdir %>/ + SecAuditLog <%= logdir %>/mod_security_audit.log + SecDebugLog <%= logdir %>/mod_security_debug.log + # http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html + SecRuleRemoveById "960010" + SecRuleRemoveById "950018" + </IfModule> + <%- end -%> + + <%- unless additional_options.to_s == 'absent' then -%> + <%= additional_options %> + <%- end -%> +</VirtualHost> +<%- end -%> +<%- if run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> +</IfDefine> +<IfDefine !HttpdLocal> +<%- unless ssl_mode.to_s == 'only' then -%> +<VirtualHost *:80> + Include include.d/defaults.inc + + ServerName <%= servername %> + <%- unless serveralias.to_s.empty? then -%> + ServerAlias <%= serveralias %> + <%- end -%> + <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> + ServerAdmin <%= server_admin %> + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + DocumentRoot <%= documentroot %>/ + DirectoryIndex index.htm index.html index.php + <%- end -%> + + <%- case logmode.to_s + when 'nologs' -%> + ErrorLog /dev/null + CustomLog /dev/null + <%- when 'semianonym' -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- when 'anonym' -%> + ErrorLog /dev/null + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- else -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log combined + <%- end -%> + + ProxyPreserveHost On + ProxyRequests off + <%- if run_mode.to_s == 'static-itk' -%> + ProxyPassMatch ^/(.*\.php/?.*)$ http://127.0.0.1/$1 + <%- else -%> + ProxyPass / http://127.0.0.1/ + <%- end -%> + ProxyPassReverse / http://127.0.0.1/ + + <%- if ssl_mode.to_s == 'force' then -%> + Redirect permanent / https://<%= servername %>/ + + <%- end -%> + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <%- if run_mode.to_s == 'static-itk' then -%> + <%- if not ssl_mode.to_s == 'force' then -%> + <Directory "<%= documentroot %>/"> + AllowOverride <%= allow_override %> + <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> + Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> + + <%- end -%> + <%- unless htpasswd_file.to_s == 'absent' then -%> + AuthType Basic + AuthName "Access fuer <%= servername %>" + AuthUserFile <%= real_htpasswd_path %> + require valid-user + <%- end -%> + </Directory> + <%- end -%> + <%- end -%> + <IfModule mod_security2.c> <%- if mod_security.to_s == 'true' then -%> SecRuleEngine On @@ -168,3 +273,90 @@ <%- end -%> </VirtualHost> <%- end -%> + +<%- unless ssl_mode.to_s == 'false' then -%> +<VirtualHost *:443> + Include include.d/defaults.inc + Include include.d/ssl_defaults.inc + + ServerName <%= servername %> + <%- unless serveralias.to_s.empty? then -%> + ServerAlias <%= serveralias %> + <%- end -%> + <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> + ServerAdmin <%= server_admin %> + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + DocumentRoot <%= documentroot %>/ + DirectoryIndex index.htm index.html index.php + <%- end -%> + + <%- case logmode.to_s + when 'nologs' -%> + ErrorLog /dev/null + CustomLog /dev/null + <%- when 'semianonym' -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- when 'anonym' -%> + ErrorLog /dev/null + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- else -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log combined + <%- end -%> + + ProxyPreserveHost On + ProxyRequests off + <%- if run_mode.to_s == 'static-itk' -%> + ProxyPassMatch ^/(.*\.php/?.*)$ https://127.0.0.1/$1 + <%- else -%> + ProxyPass / https://127.0.0.1/ + <%- end -%> + ProxyPassReverse / https://127.0.0.1/ + + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <%- if run_mode.to_s == 'static-itk' -%> + <Directory "<%= documentroot %>/"> + AllowOverride <%= allow_override %> + <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> + Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> + + <%- end -%> + <%- unless htpasswd_file.to_s == 'absent' then -%> + AuthType Basic + AuthName "Access fuer <%= servername %>" + AuthUserFile <%= real_htpasswd_path %> + require valid-user + <%- end -%> + </Directory> + <%- end -%> + + <IfModule mod_security2.c> + <%- if mod_security.to_s == 'true' then -%> + SecRuleEngine On + SecAuditEngine On + <%- else -%> + SecRuleEngine Off + SecAuditEngine Off + <%- end -%> + SecAuditLogType Concurrent + SecAuditLogStorageDir <%= logdir %>/ + SecAuditLog <%= logdir %>/mod_security_audit.log + SecDebugLog <%= logdir %>/mod_security_debug.log + # http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html + SecRuleRemoveById "960010" + SecRuleRemoveById "950018" + </IfModule> + + <%- unless additional_options.to_s == 'absent' then -%> + <%= additional_options %> + <%- end -%> +</VirtualHost> +<%- end -%> +</IfDefine> +<%- end -%> + diff --git a/templates/vhosts/webdav/webdav.erb b/templates/vhosts/webdav/webdav.erb index 6e66f30..a7dfa37 100644 --- a/templates/vhosts/webdav/webdav.erb +++ b/templates/vhosts/webdav/webdav.erb @@ -1,4 +1,7 @@ # <%= servername %> +<%- if run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> +<IfDefine HttpdLocal> +<%- end -%> <%- unless ssl_mode.to_s == 'only' then -%> <VirtualHost *:80> Include include.d/defaults.inc @@ -26,16 +29,20 @@ ErrorLog <%= logdir %>/error_log CustomLog <%= logdir %>/access_log combined <%- end -%> + <%- if ssl_mode.to_s == 'force' then -%> Redirect permanent / https://<%= servername %>/ + <%- end -%> <%- if default_charset.to_s != 'absent' then -%> AddDefaultCharset <%= default_charset %> + <%- end -%> - <%- if run_mode.to_s == 'itk' -%> + <%- if run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%> <IfModule mpm_itk_module> AssignUserId <%= run_uid+" "+run_gid %> </IfModule> + <%- end -%> <%- if not ssl_mode.to_s == 'force' then -%> DAVLockDB <%= real_dav_db_dir %>/DAVLock @@ -66,6 +73,7 @@ </Directory> <%- end -%> + <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> <IfModule mod_security2.c> <%- if mod_security.to_s == 'true' then -%> SecRuleEngine On @@ -83,6 +91,7 @@ SecAuditLog <%= logdir %>/mod_security_audit.log SecDebugLog <%= logdir %>/mod_security_debug.log </IfModule> + <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> @@ -118,13 +127,16 @@ ErrorLog <%= logdir %>/error_log CustomLog <%= logdir %>/access_log combined <%- end -%> - <%- if run_mode.to_s == 'itk' -%> + + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <%- if run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%> <IfModule mpm_itk_module> AssignUserId <%= run_uid+" "+run_gid %> </IfModule> - <%- end -%> - <%- if default_charset.to_s != 'absent' then -%> - AddDefaultCharset <%= default_charset %> + <%- end -%> DAVLockDB <%= real_dav_db_dir %>/DAVLock <Directory "<%= documentroot %>/"> @@ -153,6 +165,7 @@ <%- end -%> </Directory> + <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> <IfModule mod_security2.c> <%- if mod_security.to_s == 'true' then -%> SecRuleEngine On @@ -170,9 +183,139 @@ SecAuditLog <%= logdir %>/mod_security_audit.log SecDebugLog <%= logdir %>/mod_security_debug.log </IfModule> + <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> <%- end -%> </VirtualHost> <%- end -%> +<%- if run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> +</IfDefine> +<IfDefine !HttpdLocal> +<%- unless ssl_mode.to_s == 'only' then -%> +<VirtualHost *:80> + Include include.d/defaults.inc + + ServerName <%= servername %> + <%- unless serveralias.to_s.empty? then -%> + ServerAlias <%= serveralias %> + <%- end -%> + <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> + ServerAdmin <%= server_admin %> + <%- end -%> + + <%- case logmode.to_s + when 'nologs' -%> + ErrorLog /dev/null + CustomLog /dev/null + <%- when 'semianonym' -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- when 'anonym' -%> + ErrorLog /dev/null + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- else -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log combined + <%- end -%> + + ProxyPreserveHost On + ProxyRequests off + ProxyPass / https://127.0.0.1/ + ProxyPassReverse / https://127.0.0.1/ + + <%- if ssl_mode.to_s == 'force' then -%> + Redirect permanent / https://<%= servername %>/ + + <%- end -%> + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <IfModule mod_security2.c> + <%- if mod_security.to_s == 'true' then -%> + SecRuleEngine On + <%- if mod_security_relevantonly.to_s == 'true' then -%> + SecAuditEngine RelevantOnly + <%- else -%> + SecAuditEngine On + <%- end -%> + <%- else -%> + SecRuleEngine Off + SecAuditEngine Off + <%- end -%> + SecAuditLogType Concurrent + SecAuditLogStorageDir <%= logdir %>/ + SecAuditLog <%= logdir %>/mod_security_audit.log + SecDebugLog <%= logdir %>/mod_security_debug.log + </IfModule> + + <%- unless additional_options.to_s == 'absent' then -%> + <%= additional_options %> + <%- end -%> +</VirtualHost> +<%- end -%> + +<%- unless ssl_mode.to_s == 'false' then -%> +<VirtualHost *:443> + Include include.d/defaults.inc + Include include.d/ssl_defaults.inc + + ServerName <%= servername %> + <%- unless serveralias.to_s.empty? then -%> + ServerAlias <%= serveralias %> + <%- end -%> + <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> + ServerAdmin <%= server_admin %> + <%- end -%> + + <%- case logmode.to_s + when 'nologs' -%> + ErrorLog /dev/null + CustomLog /dev/null + <%- when 'semianonym' -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- when 'anonym' -%> + ErrorLog /dev/null + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip + <%- else -%> + ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log + CustomLog <%= logdir %>/<%= logfileprefix %>-access_log combined + <%- end -%> + + ProxyPreserveHost On + ProxyRequests off + ProxyPass / http://127.0.0.1/ + ProxyPassReverse / http://127.0.0.1/ + + <%- if default_charset.to_s != 'absent' then -%> + AddDefaultCharset <%= default_charset %> + + <%- end -%> + <IfModule mod_security2.c> + <%- if mod_security.to_s == 'true' then -%> + SecRuleEngine On + <%- if mod_security_relevantonly.to_s == 'true' then -%> + SecAuditEngine RelevantOnly + <%- else -%> + SecAuditEngine On + <%- end -%> + <%- else -%> + SecRuleEngine Off + SecAuditEngine Off + <%- end -%> + SecAuditLogType Concurrent + SecAuditLogStorageDir <%= logdir %>/ + SecAuditLog <%= logdir %>/mod_security_audit.log + SecDebugLog <%= logdir %>/mod_security_debug.log + </IfModule> + + <%- unless additional_options.to_s == 'absent' then -%> + <%= additional_options %> + <%- end -%> +</VirtualHost> +<%- end -%> +</IfDefine> +<%- end -%> |