diff options
50 files changed, 1740 insertions, 1709 deletions
@@ -147,7 +147,7 @@ modules/site_apache/{templates,files}/vhosts.d, searched in this order: "puppet:///modules/site_apache/vhosts.d/${::fqdn}/${name}.conf", "puppet:///modules/site_apache/vhosts.d/{$apache::cluster_node}/${name}.conf", - "puppet:///modules/site_apache/vhosts.d/${::operatingsystem}.${::lsbdistcodename}/${name}.conf", + "puppet:///modules/site_apache/vhosts.d/${::operatingsystem}.${::operatingsystemmajrelease}/${name}.conf", "puppet:///modules/site_apache/vhosts.d/${::operatingsystem}/${name}.conf", "puppet:///modules/site_apache/vhosts.d/${name}.conf", diff --git a/manifests/centos.pp b/manifests/centos.pp index caf46ce..3d9664d 100644 --- a/manifests/centos.pp +++ b/manifests/centos.pp @@ -28,17 +28,18 @@ class apache::centos inherits apache::package { path => '/var/www/html/index.html', } - if $::selinux != 'false' { + if str2bool($::selinux) { Selinux::Fcontext{ before => File[web_dir], } - $seltype_rw = $::lsbmajdistrelease ? { - 5 => 'httpd_sys_script_rw_t', + $seltype_rw = $::operatingsystemmajrelease ? { + 5 => 'httpd_sys_script_rw_t', default => 'httpd_sys_rw_content_t' } selinux::fcontext{ [ '/var/www/vhosts/[^/]*/www(/.*)?', '/var/www/vhosts/[^/]*/non_public(/.*)?', + '/var/www/vhosts/[^/]*/data(/.*)?', '/var/www/vhosts/[^/]*/g2data(/.*)?', '/var/www/vhosts/[^/]*/upload(/.*)?' ]: require => Package['apache'], diff --git a/manifests/config/file.pp b/manifests/config/file.pp index 947ce96..74d289d 100644 --- a/manifests/config/file.pp +++ b/manifests/config/file.pp @@ -25,10 +25,12 @@ define apache::config::file( default => $destination } file{"apache_${name}": - ensure => $ensure, - path => $real_destination, - notify => Service[apache], - owner => root, group => 0, mode => 0644; + ensure => $ensure, + path => $real_destination, + notify => Service[apache], + owner => root, + group => 0, + mode => '0644'; } case $ensure { @@ -46,25 +48,47 @@ define apache::config::file( case $content { 'absent': { $real_source = $source ? { - 'absent' => [ - "puppet:///modules/site_apache/${confdir}/${::fqdn}/${name}", - "puppet:///modules/site_apache/${confdir}/${apache::cluster_node}/${name}", - "puppet:///modules/site_apache/${confdir}/${::operatingsystem}.${::lsbdistcodename}/${name}", - "puppet:///modules/site_apache/${confdir}/${::operatingsystem}/${name}", - "puppet:///modules/site_apache/${confdir}/${name}", - "puppet:///modules/apache/${confdir}/${::operatingsystem}.${::lsbdistcodename}/${name}", - "puppet:///modules/apache/${confdir}/${::operatingsystem}/${name}", - "puppet:///modules/apache/${confdir}/${name}" - ], - default => $source, + 'absent' => [ + "puppet:///modules/site_apache/${confdir}/${::fqdn}/${name}", + "puppet:///modules/site_apache/${confdir}/${apache::cluster_node}/${name}", + "puppet:///modules/site_apache/${confdir}/${::operatingsystem}.${::operatingsystemmajrelease}/${name}", + "puppet:///modules/site_apache/${confdir}/${::operatingsystem}/${name}", + "puppet:///modules/site_apache/${confdir}/${name}", + "puppet:///modules/apache/${confdir}/${::operatingsystem}.${::operatingsystemmajrelease}/${name}", + "puppet:///modules/apache/${confdir}/${::operatingsystem}/${name}", + "puppet:///modules/apache/${confdir}/${name}" + ], + default => $source } File["apache_${name}"]{ source => $real_source, } - } - default: { - File["apache_${name}"]{ - content => $content, + } + default: { + case $content { + 'absent': { + $real_source = $source ? { + 'absent' => [ + "puppet:///modules/site-apache/${confdir}/${::fqdn}/${name}", + "puppet:///modules/site-apache/${confdir}/${apache::cluster_node}/${name}", + "puppet:///modules/site-apache/${confdir}/${::operatingsystem}.${::operatingsystemmajrelease}/${name}", + "puppet:///modules/site-apache/${confdir}/${::operatingsystem}/${name}", + "puppet:///modules/site-apache/${confdir}/${name}", + "puppet:///modules/apache/${confdir}/${::operatingsystem}.${::operatingsystemmajrelease}/${name}", + "puppet:///modules/apache/${confdir}/${::operatingsystem}/${name}", + "puppet:///modules/apache/${confdir}/${name}" + ], + default => $source, + } + File["apache_${name}"]{ + source => $real_source, + } + } + default: { + File["apache_${name}"]{ + content => $content, + } + } } } } diff --git a/manifests/debian.pp b/manifests/debian.pp index d009e25..6ae4cee 100644 --- a/manifests/debian.pp +++ b/manifests/debian.pp @@ -1,44 +1,44 @@ ### debian class apache::debian inherits apache::package { - $config_dir = '/etc/apache2' + $config_dir = '/etc/apache2' - Package[apache] { - name => 'apache2', - } - File[vhosts_dir] { - path => "${config_dir}/sites-enabled", - } - File[modules_dir] { - path => "${config_dir}/mods-enabled", - } - File[htpasswd_dir] { - path => '/var/www/htpasswds', - group => 'www-data', - } - File[default_apache_index] { - path => '/var/www/index.html', - } - file { 'apache_main_config': - path => "${config_dir}/apache2.conf", - source => [ "puppet:///modules/site_apache/config/Debian.${::lsbdistcodename}/${::fqdn}/apache2.conf", - "puppet:///modules/site_apache/config/Debian/${::fqdn}/apache2.conf", - "puppet:///modules/site_apache/config/Debian.${::lsbdistcodename}/apache2.conf", - 'puppet:///modules/site_apache/config/Debian/apache2.conf', - "puppet:///modules/apache/config/Debian.${::lsbdistcodename}/${::fqdn}/apache2.conf", - "puppet:///modules/apache/config/Debian/${::fqdn}/apache2.conf", - "puppet:///modules/apache/config/Debian.${::lsbdistcodename}/apache2.conf", - 'puppet:///modules/apache/config/Debian/apache2.conf' ], - require => Package['apache'], - notify => Service['apache'], - owner => root, - group => 0, - mode => '0644'; - } - apache::config::global{ 'charset': } - apache::config::global{ 'security': } - file { 'default_debian_apache_vhost': - ensure => absent, - path => '/etc/apache2/sites-enabled/000-default', - } + Package[apache] { + name => 'apache2', + } + File[vhosts_dir] { + path => "${config_dir}/sites-enabled", + } + File[modules_dir] { + path => "${config_dir}/mods-enabled", + } + File[htpasswd_dir] { + path => '/var/www/htpasswds', + group => 'www-data', + } + File[default_apache_index] { + path => '/var/www/index.html', + } + file { 'apache_main_config': + path => "${config_dir}/apache2.conf", + source => [ "puppet:///modules/site_apache/config/Debian.${::lsbdistcodename}/${::fqdn}/apache2.conf", + "puppet:///modules/site_apache/config/Debian/${::fqdn}/apache2.conf", + "puppet:///modules/site_apache/config/Debian.${::lsbdistcodename}/apache2.conf", + 'puppet:///modules/site_apache/config/Debian/apache2.conf', + "puppet:///modules/apache/config/Debian.${::lsbdistcodename}/${::fqdn}/apache2.conf", + "puppet:///modules/apache/config/Debian/${::fqdn}/apache2.conf", + "puppet:///modules/apache/config/Debian.${::lsbdistcodename}/apache2.conf", + 'puppet:///modules/apache/config/Debian/apache2.conf' ], + require => Package['apache'], + notify => Service['apache'], + owner => root, + group => 0, + mode => '0644'; + } + apache::config::global{ 'charset': } + apache::config::global{ 'security': } + file { 'default_debian_apache_vhost': + ensure => absent, + path => '/etc/apache2/sites-enabled/000-default', + } } diff --git a/manifests/defaultphpdirs.pp b/manifests/defaultphpdirs.pp index 5485241..595744b 100644 --- a/manifests/defaultphpdirs.pp +++ b/manifests/defaultphpdirs.pp @@ -15,9 +15,9 @@ class apache::defaultphpdirs { mode => '0755'; } - if $::selinux != 'false' { - $seltype_rw = $::lsbmajdistrelease ? { - 5 => 'httpd_sys_script_rw_t', + if str2bool($::selinux) { + $seltype_rw = $::operatingsystemmajrelease ? { + 5 => 'httpd_sys_script_rw_t', default => 'httpd_sys_rw_content_t' } selinux::fcontext{ diff --git a/manifests/munin.pp b/manifests/munin.pp index 2a04e97..46af172 100644 --- a/manifests/munin.pp +++ b/manifests/munin.pp @@ -1,7 +1,8 @@ # manage apache monitoring things class apache::munin { - - include perl::extensions::libwww + if $::osfamily == 'Debian' { + include perl::extensions::libwww + } munin::plugin{ [ 'apache_accesses', 'apache_processes', 'apache_volume' ]: } munin::plugin::deploy { 'apache_activity': diff --git a/manifests/openbsd.pp b/manifests/openbsd.pp index 1ba58f4..96a216a 100644 --- a/manifests/openbsd.pp +++ b/manifests/openbsd.pp @@ -1,67 +1,75 @@ ### openbsd class apache::openbsd inherits apache::base { - $config_dir = '/var/www' + $config_dir = '/var/www' - File[vhosts_dir]{ - path => "$config_dir/vhosts.d", - } - File[modules_dir]{ - path => "$config_dir/conf/modules", - } - File[config_dir]{ - path => "$config_dir/conf.d", - } - File[include_dir]{ - path => "$config_dir/include.d", - } - File['htpasswd_dir']{ - group => www, - } - File[web_dir]{ - group => daemon, - } - file_line{'enable_apache_on_boot': - path => '/etc/rc.conf.local', - line => 'httpd flags=""', - } - file{'apache_main_config': - path => "${config_dir}/conf/httpd.conf", - source => [ "puppet:///modules/site_apache/config/OpenBSD/${::fqdn}/httpd.conf", - "puppet:///modules/site_apache/config/OpenBSD/${apache::cluster_node}/httpd.conf", - "puppet:///modules/site_apache/config/OpenBSD//httpd.conf", - "puppet:///modules/apache/config/OpenBSD/httpd.conf" ], - notify => Service['apache'], - owner => root, group => 0, mode => 0644; - } - File[default_apache_index] { - path => '/var/www/htdocs/default/www/index.html', - } - file{'/opt/bin/restart_apache.sh': - source => "puppet:///modules/apache/scripts/OpenBSD/bin/restart_apache.sh", - require => File['/opt/bin'], - owner => root, group => 0, mode => 0700; - } + File[vhosts_dir]{ + path => "${config_dir}/vhosts.d", + } + File[modules_dir]{ + path => "${config_dir}/conf/modules", + } + File[config_dir]{ + path => "${config_dir}/conf.d", + } + File[include_dir]{ + path => "${config_dir}/include.d", + } + File['htpasswd_dir']{ + group => www, + } + File[web_dir]{ + group => daemon, + } + file_line{'enable_apache_on_boot': + path => '/etc/rc.conf.local', + line => 'httpd flags=""', + } + file{'apache_main_config': + path => "${config_dir}/conf/httpd.conf", + source => ["puppet:///modules/site_apache/config/OpenBSD/${::fqdn}/httpd.conf", + "puppet:///modules/site_apache/config/OpenBSD/${apache::cluster_node}/httpd.conf", + 'puppet:///modules/site_apache/config/OpenBSD//httpd.conf', + 'puppet:///modules/apache/config/OpenBSD/httpd.conf' ], + notify => Service['apache'], + owner => root, + group => 0, + mode => '0644'; + } + File[default_apache_index] { + path => '/var/www/htdocs/default/www/index.html', + } + file{'/opt/bin/restart_apache.sh': + source => 'puppet:///modules/apache/scripts/OpenBSD/bin/restart_apache.sh', + require => File['/opt/bin'], + owner => root, + group => 0, + mode => '0700'; + } - ::apache::vhost::webdir{'default': } + ::apache::vhost::webdir{'default': + datadir => false, + } - Service['apache']{ - restart => '/opt/bin/restart_apache.sh', - status => 'apachectl status', - start => 'apachectl start', - stop => 'apachectl stop', - } - file{'/opt/bin/apache_logrotate.sh': - source => "puppet:///modules/apache/scripts/OpenBSD/bin/apache_logrotate.sh", - require => File['/opt/bin'], - owner => root, group => 0, mode => 0700; - } - cron { 'update_apache_logrotation': - command => '/bin/sh /opt/bin/apache_logrotate.sh > /etc/newsyslog_apache.conf', - minute => '1', - hour => '1', - } - cron { 'run_apache_logrotation': - command => '/usr/bin/newsyslog -f /etc/newsyslog_apache.conf > /dev/null', - minute => '10', - } + Service['apache']{ + restart => '/opt/bin/restart_apache.sh', + status => 'apachectl status', + start => 'apachectl start', + stop => 'apachectl stop', + } + file{'/opt/bin/apache_logrotate.sh': + source => 'puppet:///modules/apache/scripts/OpenBSD/bin/apache_logrotate.sh', + require => File['/opt/bin'], + owner => root, + group => 0, + mode => '0700'; + } + cron { 'update_apache_logrotation': + command => '/bin/sh /opt/bin/apache_logrotate.sh > /etc/newsyslog_apache.conf', + minute => '1', + hour => '1', + } + cron { 'run_apache_logrotation': + command => '/usr/bin/newsyslog -f /etc/newsyslog_apache.conf > /dev/null', + minute => '10', + } } diff --git a/manifests/ssl/base.pp b/manifests/ssl/base.pp index 7c17423..65bd5f7 100644 --- a/manifests/ssl/base.pp +++ b/manifests/ssl/base.pp @@ -1,3 +1,4 @@ +# basic defaults for ssl support class apache::ssl::base { ::apache::config::include{ 'ssl_defaults.inc': } diff --git a/manifests/status/debian.pp b/manifests/status/debian.pp index 678bc44..222b85c 100644 --- a/manifests/status/debian.pp +++ b/manifests/status/debian.pp @@ -1,3 +1,4 @@ +# enable status module on debian class apache::status::debian { ::apache::debian::module { 'status': } } diff --git a/manifests/vhost/file.pp b/manifests/vhost/file.pp index b42c4ce..087d478 100644 --- a/manifests/vhost/file.pp +++ b/manifests/vhost/file.pp @@ -33,42 +33,45 @@ # - semianonym: Don't log ips for CustomLog, log normal ErrorLog # # -# mod_security: Whether we use mod_security or not (will include mod_security module) +# mod_security: Whether we use mod_security or not +# (will include mod_security module) # - false: (*default*) don't activate mod_security # - true: activate mod_security # define apache::vhost::file( - $ensure = present, - $vhost_source = 'absent', - $vhost_destination = 'absent', - $content = 'absent', - $do_includes = false, - $run_mode = 'normal', - $logmode = 'default', - $ssl_mode = false, - $mod_security = false, - $htpasswd_file = 'absent', - $htpasswd_path = 'absent', - $use_mod_macro = false + $ensure = present, + $vhost_source = 'absent', + $vhost_destination = 'absent', + $content = 'absent', + $do_includes = false, + $run_mode = 'normal', + $logmode = 'default', + $ssl_mode = false, + $mod_security = false, + $htpasswd_file = 'absent', + $htpasswd_path = 'absent', + $use_mod_macro = false ){ $vhosts_dir = $::operatingsystem ? { - centos => "${apache::centos::config_dir}/vhosts.d", - gentoo => "${apache::gentoo::config_dir}/vhosts.d", - debian => "${apache::debian::config_dir}/sites-enabled", - ubuntu => "${apache::ubuntu::config_dir}/sites-enabled", + centos => "${apache::centos::config_dir}/vhosts.d", + gentoo => "${apache::gentoo::config_dir}/vhosts.d", + debian => "${apache::debian::config_dir}/sites-enabled", + ubuntu => "${apache::ubuntu::config_dir}/sites-enabled", openbsd => "${apache::openbsd::config_dir}/vhosts.d", default => '/etc/apache2/vhosts.d', } $real_vhost_destination = $vhost_destination ? { - 'absent' => "${vhosts_dir}/${name}.conf", - default => $vhost_destination, + 'absent' => "${vhosts_dir}/${name}.conf", + default => $vhost_destination, } file{"${name}.conf": - ensure => $ensure, - path => $real_vhost_destination, + ensure => $ensure, + path => $real_vhost_destination, require => File[vhosts_dir], - notify => Service[apache], - owner => root, group => 0, mode => 0644; + notify => Service[apache], + owner => root, + group => 0, + mode => '0644'; } if $ensure != 'absent' { if $do_includes { @@ -99,11 +102,11 @@ define apache::vhost::file( $real_vhost_source = $vhost_source ? { 'absent' => [ "puppet:///modules/site_apache/vhosts.d/${::fqdn}/${name}.conf", - "puppet:///modules/site_apache/vhosts.d/{$apache::cluster_node}/${name}.conf", - "puppet:///modules/site_apache/vhosts.d/${::operatingsystem}.${::lsbdistcodename}/${name}.conf", + "puppet:///modules/site_apache/vhosts.d/${apache::cluster_node}/${name}.conf", + "puppet:///modules/site_apache/vhosts.d/${::operatingsystem}.${::operatingsystemmajrelease}/${name}.conf", "puppet:///modules/site_apache/vhosts.d/${::operatingsystem}/${name}.conf", "puppet:///modules/site_apache/vhosts.d/${name}.conf", - "puppet:///modules/apache/vhosts.d/${::operatingsystem}.${::lsbdistcodename}/${name}.conf", + "puppet:///modules/apache/vhosts.d/${::operatingsystem}.${::operatingsystemmajrelease}/${name}.conf", "puppet:///modules/apache/vhosts.d/${::operatingsystem}/${name}.conf", "puppet:///modules/apache/vhosts.d/${name}.conf" ], @@ -133,10 +136,12 @@ define apache::vhost::file( } if ($ensure!='absent') { File[$real_htpasswd_path]{ - source => [ "puppet:///modules/site_apache/htpasswds/${::fqdn}/${name}", + source => [ "puppet:///modules/site_apache/htpasswds/${::fqdn}/${name}", "puppet:///modules/site_apache/htpasswds/${apache::cluster_node}/${name}", "puppet:///modules/site_apache/htpasswds/${name}" ], - owner => root, group => 0, mode => 0644, + owner => root, + group => 0, + mode => '0644', } } } diff --git a/manifests/vhost/file/documentrootfile.pp b/manifests/vhost/file/documentrootfile.pp index 610d71c..c5bc72a 100644 --- a/manifests/vhost/file/documentrootfile.pp +++ b/manifests/vhost/file/documentrootfile.pp @@ -1,25 +1,27 @@ +# place a file in the documentroot define apache::vhost::file::documentrootfile( - $documentroot, - $filename, - $thedomain, - $owner='root', - $group='0', - $mode=440 + $documentroot, + $filename, + $thedomain, + $owner = 'root', + $group = '0', + $mode = '0440', ){ file{"${documentroot}/${filename}": source => [ "puppet:///modules/site_apache/vhost_varieties/${::fqdn}/${thedomain}/${filename}", "puppet:///modules/site_apache/vhost_varieties/${apache::cluster_node}/${thedomain}/${filename}", - "puppet:///modules/site_apache/vhost_varieties/${::operatingsystem}.${::lsbdistcodename}/${thedomain}/${filename}", + "puppet:///modules/site_apache/vhost_varieties/${::operatingsystem}.${::operatingsystemmajrelease}/${thedomain}/${filename}", "puppet:///modules/site_apache/vhost_varieties/${::operatingsystem}/${thedomain}/${filename}", "puppet:///modules/site_apache/vhost_varieties/${thedomain}/${filename}", "puppet:///modules/apache/vhost_varieties/${thedomain}/${filename}", - "puppet:///modules/apache/vhost_varieties/${::operatingsystem}.${::lsbdistcodename}/${thedomain}/${filename}", + "puppet:///modules/apache/vhost_varieties/${::operatingsystem}.${::operatingsystemmajrelease}/${thedomain}/${filename}", "puppet:///modules/apache/vhost_varieties/${::operatingsystem}/${thedomain}/${filename}", - "puppet:///modules/apache/vhost_varieties/${thedomain}/${filename}" - ], - ensure => file, + "puppet:///modules/apache/vhost_varieties/${thedomain}/${filename}", + ], require => Apache::Vhost::Webdir[$thedomain], - owner => $owner, group => $group, mode => $mode; + owner => $owner, + group => $group, + mode => $mode; } } diff --git a/manifests/vhost/php/drupal.pp b/manifests/vhost/php/drupal.pp index 4025ada..4a41a20 100644 --- a/manifests/vhost/php/drupal.pp +++ b/manifests/vhost/php/drupal.pp @@ -32,109 +32,111 @@ # - semianonym: Don't log ips for CustomLog, log normal ErrorLog # define apache::vhost::php::drupal( - $ensure = present, - $domain = 'absent', - $domainalias = 'absent', - $server_admin = 'absent', - $logmode = 'default', - $path = 'absent', - $owner = root, - $group = apache, - $documentroot_owner = apache, - $documentroot_group = 0, - $documentroot_mode = 0640, - $run_mode = 'normal', - $run_uid = 'absent', - $run_gid = 'absent', - $allow_override = 'None', - $php_settings = {}, - $php_options = {}, - $do_includes = false, - $options = 'absent', - $additional_options = 'absent', - $default_charset = 'absent', - $mod_security = true, - $mod_security_relevantonly = true, - $mod_security_rules_to_disable = [], - $mod_security_additional_options = 'absent', - $ssl_mode = false, - $vhost_mode = 'template', - $template_partial = 'apache/vhosts/php_drupal/partial.erb', - $vhost_source = 'absent', - $vhost_destination = 'absent', - $htpasswd_file = 'absent', - $htpasswd_path = 'absent', - $manage_directories = true, - $config_webwriteable = false, - $manage_config = true, - $manage_cron = true + $ensure = present, + $domain = 'absent', + $domainalias = 'absent', + $server_admin = 'absent', + $logmode = 'default', + $path = 'absent', + $owner = root, + $group = apache, + $documentroot_owner = apache, + $documentroot_group = 0, + $documentroot_mode = '0640', + $run_mode = 'normal', + $run_uid = 'absent', + $run_gid = 'absent', + $allow_override = 'None', + $php_settings = {}, + $php_options = {}, + $do_includes = false, + $options = 'absent', + $additional_options = 'absent', + $default_charset = 'absent', + $mod_security = true, + $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', + $ssl_mode = false, + $vhost_mode = 'template', + $template_partial = 'apache/vhosts/php_drupal/partial.erb', + $vhost_source = 'absent', + $vhost_destination = 'absent', + $htpasswd_file = 'absent', + $htpasswd_path = 'absent', + $manage_directories = true, + $config_webwriteable = false, + $manage_config = true, + $manage_cron = true ){ - $documentroot = $path ? { - 'absent' => $::operatingsystem ? { - openbsd => "/var/www/htdocs/${name}/www", - default => "/var/www/vhosts/${name}/www" - }, - default => "${path}/www" - } - - if $manage_cron { - if $domain == 'absent' { - $real_domain = $name - } else { - $real_domain = $domain - } + $documentroot = $path ? { + 'absent' => $::operatingsystem ? { + openbsd => "/var/www/htdocs/${name}/www", + default => "/var/www/vhosts/${name}/www" + }, + default => "${path}/www" + } - file{"/etc/cron.d/drupal_cron_${name}": - content => "0 * * * * apache wget -O - -q -t 1 http://${real_domain}/cron.php\n", - owner => root, group => 0, mode => 0644; - } + if $manage_cron { + if $domain == 'absent' { + $real_domain = $name + } else { + $real_domain = $domain } - $std_drupal_php_settings = { - magic_quotes_gpc => 0, - register_globals => 0, - 'session.auto_start' => 0, - 'mbstring.http_input' => 'pass', - 'mbstring.http_output' => 'pass', - 'mbstring.encoding_translation' => 0, + file{"/etc/cron.d/drupal_cron_${name}": + content => "0 * * * * apache wget -O - -q -t 1 http://${real_domain}/cron.php\n", + owner => root, + group => 0, + mode => '0644'; } + } - # create vhost configuration file - ::apache::vhost::php::webapp{$name: - ensure => $ensure, - domain => $domain, - domainalias => $domainalias, - server_admin => $server_admin, - logmode => $logmode, - path => $path, - owner => $owner, - group => $group, - documentroot_owner => $documentroot_owner, - documentroot_group => $documentroot_group, - documentroot_mode => $documentroot_mode, - run_mode => $run_mode, - run_uid => $run_uid, - run_gid => $run_gid, - allow_override => $allow_override, - php_settings =>merge($std_drupal_php_settings, $php_settings), - php_options => $php_options, - do_includes => $do_includes, - options => $options, - additional_options => $additional_options, - default_charset => $default_charset, - mod_security => $mod_security, - mod_security_relevantonly => $mod_security_relevantonly, - mod_security_rules_to_disable => $mod_security_rules_to_disable, - mod_security_additional_options => $mod_security_additional_options, - ssl_mode => $ssl_mode, - vhost_mode => $vhost_mode, - template_partial => $template_partial, - vhost_source => $vhost_source, - vhost_destination => $vhost_destination, - htpasswd_file => $htpasswd_file, - htpasswd_path => $htpasswd_path, - manage_directories => false, - manage_config => false, - } + $std_drupal_php_settings = { + magic_quotes_gpc => 0, + register_globals => 0, + 'session.auto_start' => 0, + 'mbstring.http_input' => 'pass', + 'mbstring.http_output' => 'pass', + 'mbstring.encoding_translation' => 0, + } + + # create vhost configuration file + ::apache::vhost::php::webapp{$name: + ensure => $ensure, + domain => $domain, + domainalias => $domainalias, + server_admin => $server_admin, + logmode => $logmode, + path => $path, + owner => $owner, + group => $group, + documentroot_owner => $documentroot_owner, + documentroot_group => $documentroot_group, + documentroot_mode => $documentroot_mode, + run_mode => $run_mode, + run_uid => $run_uid, + run_gid => $run_gid, + allow_override => $allow_override, + php_settings => merge($std_drupal_php_settings, $php_settings), + php_options => $php_options, + do_includes => $do_includes, + options => $options, + additional_options => $additional_options, + default_charset => $default_charset, + mod_security => $mod_security, + mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options => $mod_security_additional_options, + ssl_mode => $ssl_mode, + vhost_mode => $vhost_mode, + template_partial => $template_partial, + vhost_source => $vhost_source, + vhost_destination => $vhost_destination, + htpasswd_file => $htpasswd_file, + htpasswd_path => $htpasswd_path, + manage_directories => false, + manage_config => false, + } } diff --git a/manifests/vhost/php/gallery2.pp b/manifests/vhost/php/gallery2.pp index d1876ff..78d5256 100644 --- a/manifests/vhost/php/gallery2.pp +++ b/manifests/vhost/php/gallery2.pp @@ -31,151 +31,109 @@ # - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null # - semianonym: Don't log ips for CustomLog, log normal ErrorLog define apache::vhost::php::gallery2( - $ensure = present, - $domain = 'absent', - $domainalias = 'absent', - $server_admin = 'absent', - $logmode = 'default', - $path = 'absent', - $owner = root, - $group = apache, - $documentroot_owner = apache, - $documentroot_group = 0, - $documentroot_mode = 0640, - $run_mode = 'normal', - $run_uid = 'absent', - $run_gid = 'absent', - $allow_override = 'None', - $php_settings = {}, - $php_options = {}, - $do_includes = false, - $options = 'absent', - $additional_options = 'absent', - $default_charset = 'absent', - $mod_security = false, - $mod_security_relevantonly = true, - $mod_security_rules_to_disable = [], - $mod_security_additional_options = 'absent', - $ssl_mode = false, - $vhost_mode = 'template', - $template_partial = 'apache/vhosts/php_gallery2/partial.erb', - $vhost_source = 'absent', - $vhost_destination = 'absent', - $htpasswd_file = 'absent', - $htpasswd_path = 'absent', - $manage_config = true, - $config_webwriteable = false, - $manage_directories = true, - $upload_dir = 'present' + $ensure = present, + $domain = 'absent', + $domainalias = 'absent', + $server_admin = 'absent', + $logmode = 'default', + $path = 'absent', + $owner = root, + $group = apache, + $documentroot_owner = apache, + $documentroot_group = 0, + $documentroot_mode = 0640, + $run_mode = 'normal', + $run_uid = 'absent', + $run_gid = 'absent', + $allow_override = 'None', + $php_settings = {}, + $php_options = {}, + $do_includes = false, + $options = 'absent', + $additional_options = 'absent', + $default_charset = 'absent', + $mod_security = false, + $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', + $ssl_mode = false, + $vhost_mode = 'template', + $template_partial = 'apache/vhosts/php_gallery2/partial.erb', + $vhost_source = 'absent', + $vhost_destination = 'absent', + $htpasswd_file = 'absent', + $htpasswd_path = 'absent', + $manage_config = true, + $config_webwriteable = false, + $manage_directories = true, ){ - $documentroot = $path ? { - 'absent' => $::operatingsystem ? { - openbsd => "/var/www/htdocs/${name}/www", - default => "/var/www/vhosts/${name}/www" - }, - default => "${path}/www" - } - $gdatadir = $path ? { - 'absent' => $::operatingsystem ? { - openbsd => "/var/www/htdocs/${name}/g2data", - default => "/var/www/vhosts/${name}/g2data" - }, - default => "${path}/g2data" - } - if ($upload_dir == 'present') or ($upload_dir == 'absent') { - $real_upload_dir = $::operatingsystem ? { - openbsd => "/var/www/htdocs/${name}/upload", - default => "/var/www/vhosts/${name}/upload" - } - } else { - $real_upload_dir = $upload_dir - } + $documentroot = $path ? { + 'absent' => $::operatingsystem ? { + openbsd => "/var/www/htdocs/${name}/www", + default => "/var/www/vhosts/${name}/www" + }, + default => "${path}/www" + } + $upload_dir = "/var/www/vhosts/${name}/data/upload" + $gdata_dir = "/var/www/vhosts/${name}/data/gdata" + if $ensure != 'absent' { file{ - $gdatadir: - ensure => $ensure ? { - 'present' => directory, - default => absent - }, - owner => $documentroot_owner, group => $documentroot_group, mode => 0660; - $real_upload_dir: - owner => $documentroot_owner, group => $documentroot_group, mode => 0660; - } - if ($ensure == 'absent') or ($upload_dir == 'absent') { - File[$real_upload_dir]{ - ensure => absent, - purge => true, - force => true, - recurse => true - } - } else { - File[$real_upload_dir]{ - ensure => directory - } - } - - $gallery_php_settings = { - safe_mode => 'Off', - output_buffering => 'Off', + $gdata_dir: + ensure => 'directory', + owner => $documentroot_owner, + group => $documentroot_group, + mode => '0660'; + $upload_dir: + ensure => 'directory', + owner => $documentroot_owner, + group => $documentroot_group, + mode => '0660'; } + } - # php upload_tmp_dir - case $php_settings[upload_tmp_dir] { - '',undef: { - $php_settings[upload_tmp_dir] = "/var/www/upload_tmp_dir/$name" - } - } - # php session_save_path - case $php_settings['session.save_path'] { - '',undef: { - $php_settings['session.save_path'] = "/var/www/session.save_path/$name" - } - } - - if $upload_dir != 'absent' { - $gallery_php_settings[open_basedir] = "${documentroot}:${php_settings[upload_tmp_dir]}:${php_settings['session.save_path']}:${gdatadir}:${real_upload_dir}" - } else { - $gallery_php_settings[open_basedir] = "${documentroot}:${php_settings[upload_tmp_dir]}:${php_settings['session.save_path']}:${gdatadir}" - } - - $real_php_settings = merge($gallery_php_settings,$php_settings) + $gallery_php_settings = { + safe_mode => 'Off', + output_buffering => 'Off', + } + $real_php_settings = merge($gallery_php_settings,$php_settings) - # create vhost configuration file - ::apache::vhost::php::webapp{$name: - ensure => $ensure, - domain => $domain, - domainalias => $domainalias, - server_admin => $server_admin, - logmode => $logmode, - path => $path, - owner => $owner, - group => $group, - documentroot_owner => $documentroot_owner, - documentroot_group => $documentroot_group, - documentroot_mode => $documentroot_mode, - run_mode => $run_mode, - run_uid => $run_uid, - run_gid => $run_gid, - allow_override => $allow_override, - php_settings => $real_php_settings, - php_options => $php_options, - do_includes => $do_includes, - options => $options, - additional_options => $additional_options, - default_charset => $default_charset, - mod_security => $mod_security, - mod_security_relevantonly => $mod_security_relevantonly, - mod_security_rules_to_disable => $mod_security_rules_to_disable, - mod_security_additional_options => $mod_security_additional_options, - ssl_mode => $ssl_mode, - vhost_mode => $vhost_mode, - template_partial => $template_partial, - vhost_source => $vhost_source, - vhost_destination => $vhost_destination, - htpasswd_file => $htpasswd_file, - htpasswd_path => $htpasswd_path, - manage_directories => $manage_directories, - manage_config => $manage_config, - config_file => 'config.php', - } + # create vhost configuration file + ::apache::vhost::php::webapp{$name: + ensure => $ensure, + domain => $domain, + domainalias => $domainalias, + server_admin => $server_admin, + logmode => $logmode, + path => $path, + owner => $owner, + group => $group, + documentroot_owner => $documentroot_owner, + documentroot_group => $documentroot_group, + documentroot_mode => $documentroot_mode, + run_mode => $run_mode, + run_uid => $run_uid, + run_gid => $run_gid, + allow_override => $allow_override, + php_settings => $real_php_settings, + php_options => $php_options, + do_includes => $do_includes, + options => $options, + additional_options => $additional_options, + default_charset => $default_charset, + mod_security => $mod_security, + mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options => $mod_security_additional_options, + ssl_mode => $ssl_mode, + vhost_mode => $vhost_mode, + template_partial => $template_partial, + vhost_source => $vhost_source, + vhost_destination => $vhost_destination, + htpasswd_file => $htpasswd_file, + htpasswd_path => $htpasswd_path, + manage_directories => $manage_directories, + manage_config => $manage_config, + config_file => 'config.php', + } } diff --git a/manifests/vhost/php/global_exec_bin_dir.pp b/manifests/vhost/php/global_exec_bin_dir.pp index cbb9803..efcdaf7 100644 --- a/manifests/vhost/php/global_exec_bin_dir.pp +++ b/manifests/vhost/php/global_exec_bin_dir.pp @@ -1,6 +1,9 @@ +# manage global exec_bin_dir class apache::vhost::php::global_exec_bin_dir { file{'/var/www/php_safe_exec_bins': - ensure => directory, - owner => root, group => apache, mode => 0640; + ensure => directory, + owner => root, + group => apache, + mode => '0640'; } } diff --git a/manifests/vhost/php/joomla.pp b/manifests/vhost/php/joomla.pp index 3962efa..38d41e7 100644 --- a/manifests/vhost/php/joomla.pp +++ b/manifests/vhost/php/joomla.pp @@ -25,41 +25,41 @@ # - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null # - semianonym: Don't log ips for CustomLog, log normal ErrorLog define apache::vhost::php::joomla( - $ensure = present, - $domain = 'absent', - $domainalias = 'absent', - $server_admin = 'absent', - $logmode = 'default', - $path = 'absent', - $owner = root, - $group = apache, - $documentroot_owner = apache, - $documentroot_group = 0, - $documentroot_mode = '0640', - $run_mode = 'normal', - $run_uid = 'absent', - $run_gid = 'absent', - $allow_override = 'None', - $php_settings = {}, - $php_options = {}, - $do_includes = false, - $options = 'absent', - $additional_options = 'absent', - $default_charset = 'absent', - $mod_security = true, - $mod_security_relevantonly = true, - $mod_security_rules_to_disable = [], - $mod_security_additional_options = 'absent', - $ssl_mode = false, - $vhost_mode = 'template', - $template_partial = 'apache/vhosts/php_joomla/partial.erb', - $vhost_source = 'absent', - $vhost_destination = 'absent', - $htpasswd_file = 'absent', - $htpasswd_path = 'absent', - $manage_config = true, - $config_webwriteable = false, - $manage_directories = true + $ensure = present, + $domain = 'absent', + $domainalias = 'absent', + $server_admin = 'absent', + $logmode = 'default', + $path = 'absent', + $owner = root, + $group = apache, + $documentroot_owner = apache, + $documentroot_group = 0, + $documentroot_mode = '0640', + $run_mode = 'normal', + $run_uid = 'absent', + $run_gid = 'absent', + $allow_override = 'None', + $php_settings = {}, + $php_options = {}, + $do_includes = false, + $options = 'absent', + $additional_options = 'absent', + $default_charset = 'absent', + $mod_security = true, + $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', + $ssl_mode = false, + $vhost_mode = 'template', + $template_partial = 'apache/vhosts/php_joomla/partial.erb', + $vhost_source = 'absent', + $vhost_destination = 'absent', + $htpasswd_file = 'absent', + $htpasswd_path = 'absent', + $manage_config = true, + $config_webwriteable = false, + $manage_directories = true ){ include ::apache::include::joomla @@ -73,30 +73,36 @@ define apache::vhost::php::joomla( if $mod_security_additional_options == 'absent' { $id_str = $::operatingsystem ? { - 'CentOS' => $::lsbmajdistrelease ? { + 'CentOS' => $::operatingsystemmajrelease ? { 5 => '', default => 'id:1199400,' }, default => '' } - $real_mod_security_additional_options = "# http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html - # Exceptions for Joomla Root Directory - <LocationMatch \"^/\"> - SecRuleRemoveById 950013 - </LocationMatch> + $real_mod_security_additional_options = " + # http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html + # Exceptions for Joomla Root Directory + <LocationMatch \"^/\"> + SecRuleRemoveById 950013 + </LocationMatch> - # Exceptions for Joomla Administration Panel - SecRule REQUEST_FILENAME \"/administrator/index2.php\" \"${id_str}allow,phase:1,nolog,ctl:ruleEngine=Off\" + # Exceptions for Joomla Administration Panel + SecRule REQUEST_FILENAME \"/administrator/index2.php\" \"${id_str}allow,phase:1,nolog,ctl:ruleEngine=Off\" - # Exceptions for Joomla Component Expose - <LocationMatch \"^/components/com_expose/expose/manager/amfphp/gateway.php\"> - SecRuleRemoveById 960010 - </LocationMatch> + # Exceptions for Joomla Component Expose + <LocationMatch \"^/components/com_expose/expose/manager/amfphp/gateway.php\"> + SecRuleRemoveById 960010 + </LocationMatch> " } else { $real_mod_security_additional_options = $mod_security_additional_options } + $std_joomla_php_settings = { + 'allow_url_fopen' => 'on', + 'allow_url_include' => 'off', + } + # create vhost configuration file ::apache::vhost::php::webapp{ $name: @@ -115,7 +121,7 @@ define apache::vhost::php::joomla( run_uid => $run_uid, run_gid => $run_gid, allow_override => $allow_override, - php_settings => $php_settings, + php_settings => merge($std_joomla_php_settings, $php_settings), php_options => $php_options, do_includes => $do_includes, options => $options, diff --git a/manifests/vhost/php/mediawiki.pp b/manifests/vhost/php/mediawiki.pp index 502af53..3068c79 100644 --- a/manifests/vhost/php/mediawiki.pp +++ b/manifests/vhost/php/mediawiki.pp @@ -25,80 +25,80 @@ # - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null # - semianonym: Don't log ips for CustomLog, log normal ErrorLog define apache::vhost::php::mediawiki( - $ensure = present, - $domain = 'absent', - $domainalias = 'absent', - $server_admin = 'absent', - $logmode = 'default', - $path = 'absent', - $manage_docroot = true, - $owner = root, - $group = apache, - $documentroot_owner = apache, - $documentroot_group = 0, - $documentroot_mode = 0640, - $run_mode = 'normal', - $run_uid = 'absent', - $run_gid = 'absent', - $allow_override = 'FileInfo Limit', - $php_settings = {}, - $php_options = {}, - $options = 'absent', - $additional_options = 'absent', - $default_charset = 'absent', - $mod_security = true, - $mod_security_relevantonly = true, - $mod_security_rules_to_disable = [], - $mod_security_additional_options = 'absent', - $ssl_mode = false, - $vhost_mode = 'template', - $template_partial = 'apache/vhosts/php_mediawiki/partial.erb', - $vhost_source = 'absent', - $vhost_destination = 'absent', - $htpasswd_file = 'absent', - $htpasswd_path = 'absent' + $ensure = present, + $domain = 'absent', + $domainalias = 'absent', + $server_admin = 'absent', + $logmode = 'default', + $path = 'absent', + $manage_docroot = true, + $owner = root, + $group = apache, + $documentroot_owner = apache, + $documentroot_group = 0, + $documentroot_mode = 0640, + $run_mode = 'normal', + $run_uid = 'absent', + $run_gid = 'absent', + $allow_override = 'FileInfo Limit', + $php_settings = {}, + $php_options = {}, + $options = 'absent', + $additional_options = 'absent', + $default_charset = 'absent', + $mod_security = true, + $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', + $ssl_mode = false, + $vhost_mode = 'template', + $template_partial = 'apache/vhosts/php_mediawiki/partial.erb', + $vhost_source = 'absent', + $vhost_destination = 'absent', + $htpasswd_file = 'absent', + $htpasswd_path = 'absent' ){ - $mediawiki_php_settings = { - safe_mode => false, - } + $mediawiki_php_settings = { + safe_mode => false, + } - # create vhost configuration file - ::apache::vhost::php::webapp{$name: - ensure => $ensure, - domain => $domain, - domainalias => $domainalias, - server_admin => $server_admin, - logmode => $logmode, - path => $path, - manage_docroot => $manage_docroot, - owner => $owner, - group => $group, - documentroot_owner => $documentroot_owner, - documentroot_group => $documentroot_group, - documentroot_mode => $documentroot_mode, - run_mode => $run_mode, - run_uid => $run_uid, - run_gid => $run_gid, - allow_override => $allow_override, - php_settings => merge($mediawiki_php_settings,$php_settings), - php_options => $php_options, - options => $options, - additional_options => $additional_options, - default_charset => $default_charset, - mod_security => $mod_security, - mod_security_relevantonly => $mod_security_relevantonly, - mod_security_rules_to_disable => $mod_security_rules_to_disable, - mod_security_additional_options => $mod_security_additional_options, - ssl_mode => $ssl_mode, - vhost_mode => $vhost_mode, - template_partial => $template_partial, - vhost_source => $vhost_source, - vhost_destination => $vhost_destination, - htpasswd_file => $htpasswd_file, - htpasswd_path => $htpasswd_path, - manage_directories => false, - manage_config => false, - } + # create vhost configuration file + ::apache::vhost::php::webapp{$name: + ensure => $ensure, + domain => $domain, + domainalias => $domainalias, + server_admin => $server_admin, + logmode => $logmode, + path => $path, + manage_docroot => $manage_docroot, + owner => $owner, + group => $group, + documentroot_owner => $documentroot_owner, + documentroot_group => $documentroot_group, + documentroot_mode => $documentroot_mode, + run_mode => $run_mode, + run_uid => $run_uid, + run_gid => $run_gid, + allow_override => $allow_override, + php_settings => merge($mediawiki_php_settings,$php_settings), + php_options => $php_options, + options => $options, + additional_options => $additional_options, + default_charset => $default_charset, + mod_security => $mod_security, + mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options => $mod_security_additional_options, + ssl_mode => $ssl_mode, + vhost_mode => $vhost_mode, + template_partial => $template_partial, + vhost_source => $vhost_source, + vhost_destination => $vhost_destination, + htpasswd_file => $htpasswd_file, + htpasswd_path => $htpasswd_path, + manage_directories => false, + manage_config => false, + } } diff --git a/manifests/vhost/php/safe_mode_bin.pp b/manifests/vhost/php/safe_mode_bin.pp index 4a3574d..1c82e19 100644 --- a/manifests/vhost/php/safe_mode_bin.pp +++ b/manifests/vhost/php/safe_mode_bin.pp @@ -1,14 +1,17 @@ +# safe_mode binaries define apache::vhost::php::safe_mode_bin( $ensure = 'present', $path ){ $substr=regsubst($name,'^.*\/','','G') - $real_path = "$path/$substr" + $real_path = "${path}/${substr}" + $target = $ensure ? { + 'present' => regsubst($name,'^.*@',''), + default => absent, + } file{$real_path: - ensure => $ensure ? { - 'present' => regsubst($name,'^.*@',''), - default => absent, - } + ensure => link, + target => $target, } } diff --git a/manifests/vhost/php/silverstripe.pp b/manifests/vhost/php/silverstripe.pp index da58296..e7c7f24 100644 --- a/manifests/vhost/php/silverstripe.pp +++ b/manifests/vhost/php/silverstripe.pp @@ -25,93 +25,93 @@ # - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null # - semianonym: Don't log ips for CustomLog, log normal ErrorLog define apache::vhost::php::silverstripe( - $ensure = present, - $domain = 'absent', - $domainalias = 'absent', - $server_admin = 'absent', - $logmode = 'default', - $path = 'absent', - $owner = root, - $group = apache, - $documentroot_owner = apache, - $documentroot_group = 0, - $documentroot_mode = 0640, - $run_mode = 'normal', - $run_uid = 'absent', - $run_gid = 'absent', - $allow_override = 'None', - $php_settings = {}, - $php_options = {}, - $do_includes = false, - $options = 'absent', - $additional_options = 'absent', - $default_charset = 'absent', - $mod_security = true, - $mod_security_relevantonly = true, - $mod_security_rules_to_disable = [], - $mod_security_additional_options = 'absent', - $ssl_mode = false, - $vhost_mode = 'template', - $template_partial = 'apache/vhosts/php_silverstripe/partial.erb', - $vhost_source = 'absent', - $vhost_destination = 'absent', - $htpasswd_file = 'absent', - $htpasswd_path = 'absent', - $manage_config = true, - $config_webwriteable = false, - $manage_directories = true + $ensure = present, + $domain = 'absent', + $domainalias = 'absent', + $server_admin = 'absent', + $logmode = 'default', + $path = 'absent', + $owner = root, + $group = apache, + $documentroot_owner = apache, + $documentroot_group = 0, + $documentroot_mode = '0640', + $run_mode = 'normal', + $run_uid = 'absent', + $run_gid = 'absent', + $allow_override = 'None', + $php_settings = {}, + $php_options = {}, + $do_includes = false, + $options = 'absent', + $additional_options = 'absent', + $default_charset = 'absent', + $mod_security = true, + $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', + $ssl_mode = false, + $vhost_mode = 'template', + $template_partial = 'apache/vhosts/php_silverstripe/partial.erb', + $vhost_source = 'absent', + $vhost_destination = 'absent', + $htpasswd_file = 'absent', + $htpasswd_path = 'absent', + $manage_config = true, + $config_webwriteable = false, + $manage_directories = true, ){ - include ::apache::include::silverstripe + include ::apache::include::silverstripe - $documentroot = $path ? { - 'absent' => $::operatingsystem ? { - openbsd => "/var/www/htdocs/${name}/www", - default => "/var/www/vhosts/${name}/www" - }, - default => "${path}/www" - } - $modsec_rules = ["960010"] - $real_mod_security_rules_to_disable = array_union($mod_security_rules_to_disable,$modsec_rules) + $documentroot = $path ? { + 'absent' => $::operatingsystem ? { + openbsd => "/var/www/htdocs/${name}/www", + default => "/var/www/vhosts/${name}/www" + }, + default => "${path}/www" + } + $modsec_rules = ['960010'] + $real_mod_security_rules_to_disable = array_union($mod_security_rules_to_disable,$modsec_rules) - # create vhost configuration file - ::apache::vhost::php::webapp{$name: - ensure => $ensure, - domain => $domain, - domainalias => $domainalias, - server_admin => $server_admin, - logmode => $logmode, - path => $path, - owner => $owner, - group => $group, - documentroot_owner => $documentroot_owner, - documentroot_group => $documentroot_group, - documentroot_mode => $documentroot_mode, - run_mode => $run_mode, - run_uid => $run_uid, - run_gid => $run_gid, - allow_override => $allow_override, - php_settings => $php_settings, - php_options => $php_options, - do_includes => $do_includes, - options => $options, - additional_options => $additional_options, - default_charset => $default_charset, - mod_security => $mod_security, - mod_security_relevantonly => $mod_security_relevantonly, - mod_security_rules_to_disable => $mod_security_rules_to_disable, - mod_security_additional_options => $mod_security_additional_options, - ssl_mode => $ssl_mode, - vhost_mode => $vhost_mode, - template_partial => $template_partial, - vhost_source => $vhost_source, - vhost_destination => $vhost_destination, - htpasswd_file => $htpasswd_file, - htpasswd_path => $htpasswd_path, - manage_directories => $manage_directories, - managed_directories => [ "${documentroot}/assets" ], - manage_config => $manage_config, - } + # create vhost configuration file + ::apache::vhost::php::webapp{$name: + ensure => $ensure, + domain => $domain, + domainalias => $domainalias, + server_admin => $server_admin, + logmode => $logmode, + path => $path, + owner => $owner, + group => $group, + documentroot_owner => $documentroot_owner, + documentroot_group => $documentroot_group, + documentroot_mode => $documentroot_mode, + run_mode => $run_mode, + run_uid => $run_uid, + run_gid => $run_gid, + allow_override => $allow_override, + php_settings => $php_settings, + php_options => $php_options, + do_includes => $do_includes, + options => $options, + additional_options => $additional_options, + default_charset => $default_charset, + mod_security => $mod_security, + mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options => $mod_security_additional_options, + ssl_mode => $ssl_mode, + vhost_mode => $vhost_mode, + template_partial => $template_partial, + vhost_source => $vhost_source, + vhost_destination => $vhost_destination, + htpasswd_file => $htpasswd_file, + htpasswd_path => $htpasswd_path, + manage_directories => $manage_directories, + managed_directories => [ "${documentroot}/assets" ], + manage_config => $manage_config, + } } diff --git a/manifests/vhost/php/simplemachine.pp b/manifests/vhost/php/simplemachine.pp index b5178da..48386b6 100644 --- a/manifests/vhost/php/simplemachine.pp +++ b/manifests/vhost/php/simplemachine.pp @@ -25,99 +25,99 @@ # - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null # - semianonym: Don't log ips for CustomLog, log normal ErrorLog define apache::vhost::php::simplemachine( - $ensure = present, - $domain = 'absent', - $domainalias = 'absent', - $server_admin = 'absent', - $logmode = 'default', - $path = 'absent', - $owner = root, - $group = apache, - $documentroot_owner = apache, - $documentroot_group = 0, - $documentroot_mode = 0640, - $run_mode = 'normal', - $run_uid = 'absent', - $run_gid = 'absent', - $allow_override = 'None', - $php_settings = {}, - $php_options = {}, - $do_includes = false, - $options = 'absent', - $additional_options = 'absent', - $default_charset = 'absent', - $mod_security = true, - $mod_security_relevantonly = true, - $mod_security_rules_to_disable = [], - $mod_security_additional_options = 'absent', - $ssl_mode = false, - $vhost_mode = 'template', - $template_partial = 'apache/vhosts/php/partial.erb', - $vhost_source = 'absent', - $vhost_destination = 'absent', - $htpasswd_file = 'absent', - $htpasswd_path = 'absent', - $manage_config = true, - $config_webwriteable = false, - $manage_directories = true + $ensure = present, + $domain = 'absent', + $domainalias = 'absent', + $server_admin = 'absent', + $logmode = 'default', + $path = 'absent', + $owner = root, + $group = apache, + $documentroot_owner = apache, + $documentroot_group = 0, + $documentroot_mode = '0640', + $run_mode = 'normal', + $run_uid = 'absent', + $run_gid = 'absent', + $allow_override = 'None', + $php_settings = {}, + $php_options = {}, + $do_includes = false, + $options = 'absent', + $additional_options = 'absent', + $default_charset = 'absent', + $mod_security = true, + $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', + $ssl_mode = false, + $vhost_mode = 'template', + $template_partial = 'apache/vhosts/php/partial.erb', + $vhost_source = 'absent', + $vhost_destination = 'absent', + $htpasswd_file = 'absent', + $htpasswd_path = 'absent', + $manage_config = true, + $config_webwriteable = false, + $manage_directories = true, ){ - $documentroot = $path ? { - 'absent' => $::operatingsystem ? { - openbsd => "/var/www/htdocs/${name}/www", - default => "/var/www/vhosts/${name}/www" - }, - default => "${path}/www" - } + $documentroot = $path ? { + 'absent' => $::operatingsystem ? { + openbsd => "/var/www/htdocs/${name}/www", + default => "/var/www/vhosts/${name}/www" + }, + default => "${path}/www" + } - # create vhost configuration file - ::apache::vhost::php::webapp{$name: - ensure => $ensure, - domain => $domain, - domainalias => $domainalias, - server_admin => $server_admin, - logmode => $logmode, - path => $path, - owner => $owner, - group => $group, - documentroot_owner => $documentroot_owner, - documentroot_group => $documentroot_group, - documentroot_mode => $documentroot_mode, - run_mode => $run_mode, - run_uid => $run_uid, - run_gid => $run_gid, - allow_override => $allow_override, - php_settings => $php_settings, - php_options => $php_options, - do_includes => $do_includes, - options => $options, - additional_options => $additional_options, - default_charset => $default_charset, - mod_security => $mod_security, - mod_security_relevantonly => $mod_security_relevantonly, - mod_security_rules_to_disable => $mod_security_rules_to_disable, - mod_security_additional_options => $mod_security_additional_options, - ssl_mode => $ssl_mode, - vhost_mode => $vhost_mode, - template_partial => $template_partial, - vhost_source => $vhost_source, - vhost_destination => $vhost_destination, - htpasswd_file => $htpasswd_file, - htpasswd_path => $htpasswd_path, - manage_directories => $manage_directories, - managed_directories => [ - "${documentroot}/agreement.txt", - "${documentroot}/attachments", - "${documentroot}/avatars", - "${documentroot}/cache", - "${documentroot}/Packages", - "${documentroot}/Packages/installed.list", - "${documentroot}/Smileys", - "${documentroot}/Themes", - "${documentroot}/Themes/default/languages/Install.english.php" - ], - manage_config => $manage_config, - config_webwriteable => $config_webwriteable, - config_file => 'Settings.php', - } + # create vhost configuration file + ::apache::vhost::php::webapp{$name: + ensure => $ensure, + domain => $domain, + domainalias => $domainalias, + server_admin => $server_admin, + logmode => $logmode, + path => $path, + owner => $owner, + group => $group, + documentroot_owner => $documentroot_owner, + documentroot_group => $documentroot_group, + documentroot_mode => $documentroot_mode, + run_mode => $run_mode, + run_uid => $run_uid, + run_gid => $run_gid, + allow_override => $allow_override, + php_settings => $php_settings, + php_options => $php_options, + do_includes => $do_includes, + options => $options, + additional_options => $additional_options, + default_charset => $default_charset, + mod_security => $mod_security, + mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options => $mod_security_additional_options, + ssl_mode => $ssl_mode, + vhost_mode => $vhost_mode, + template_partial => $template_partial, + vhost_source => $vhost_source, + vhost_destination => $vhost_destination, + htpasswd_file => $htpasswd_file, + htpasswd_path => $htpasswd_path, + manage_directories => $manage_directories, + managed_directories => [ + "${documentroot}/agreement.txt", + "${documentroot}/attachments", + "${documentroot}/avatars", + "${documentroot}/cache", + "${documentroot}/Packages", + "${documentroot}/Packages/installed.list", + "${documentroot}/Smileys", + "${documentroot}/Themes", + "${documentroot}/Themes/default/languages/Install.english.php" + ], + manage_config => $manage_config, + config_webwriteable => $config_webwriteable, + config_file => 'Settings.php', + } } diff --git a/manifests/vhost/php/spip.pp b/manifests/vhost/php/spip.pp index 5f4ffdb..74be5d4 100644 --- a/manifests/vhost/php/spip.pp +++ b/manifests/vhost/php/spip.pp @@ -25,88 +25,88 @@ # - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null # - semianonym: Don't log ips for CustomLog, log normal ErrorLog define apache::vhost::php::spip( - $ensure = present, - $domain = 'absent', - $domainalias = 'absent', - $server_admin = 'absent', - $logmode = 'default', - $path = 'absent', - $owner = root, - $group = apache, - $documentroot_owner = apache, - $documentroot_group = 0, - $documentroot_mode = 0640, - $run_mode = 'normal', - $run_uid = 'absent', - $run_gid = 'absent', - $allow_override = 'FileInfo', - $php_settings = {}, - $php_options = {}, - $template_partial = 'apache/vhosts/php/partial.erb', - $do_includes = false, - $options = 'absent', - $additional_options = 'absent', - $default_charset = 'absent', - $mod_security = true, - $mod_security_relevantonly = true, - $mod_security_rules_to_disable = [], - $mod_security_additional_options = 'absent', - $ssl_mode = false, - $vhost_mode = 'template', - $vhost_source = 'absent', - $vhost_destination = 'absent', - $htpasswd_file = 'absent', - $htpasswd_path = 'absent' + $ensure = present, + $domain = 'absent', + $domainalias = 'absent', + $server_admin = 'absent', + $logmode = 'default', + $path = 'absent', + $owner = root, + $group = apache, + $documentroot_owner = apache, + $documentroot_group = 0, + $documentroot_mode = '0640', + $run_mode = 'normal', + $run_uid = 'absent', + $run_gid = 'absent', + $allow_override = 'FileInfo', + $php_settings = {}, + $php_options = {}, + $template_partial = 'apache/vhosts/php/partial.erb', + $do_includes = false, + $options = 'absent', + $additional_options = 'absent', + $default_charset = 'absent', + $mod_security = true, + $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', + $ssl_mode = false, + $vhost_mode = 'template', + $vhost_source = 'absent', + $vhost_destination = 'absent', + $htpasswd_file = 'absent', + $htpasswd_path = 'absent' ){ - $documentroot = $path ? { - 'absent' => $::operatingsystem ? { - openbsd => "/var/www/htdocs/${name}/www", - default => "/var/www/vhosts/${name}/www" - }, - default => "${path}/www" - } + $documentroot = $path ? { + 'absent' => $::operatingsystem ? { + openbsd => "/var/www/htdocs/${name}/www", + default => "/var/www/vhosts/${name}/www" + }, + default => "${path}/www" + } - # create vhost configuration file - ::apache::vhost::php::webapp{$name: - ensure => $ensure, - domain => $domain, - domainalias => $domainalias, - server_admin => $server_admin, - logmode => $logmode, - path => $path, - owner => $owner, - group => $group, - documentroot_owner => $documentroot_owner, - documentroot_group => $documentroot_group, - documentroot_mode => $documentroot_mode, - run_mode => $run_mode, - run_uid => $run_uid, - run_gid => $run_gid, - allow_override => $allow_override, - php_settings => $php_settings, - php_options => $php_options, - do_includes => $do_includes, - options => $options, - additional_options => $additional_options, - default_charset => $default_charset, - mod_security => $mod_security, - mod_security_relevantonly => $mod_security_relevantonly, - mod_security_rules_to_disable => $mod_security_rules_to_disable, - mod_security_additional_options=> $mod_security_additional_options, - ssl_mode => $ssl_mode, - vhost_mode => $vhost_mode, - template_partial => $template_partial, - vhost_source => $vhost_source, - vhost_destination => $vhost_destination, - htpasswd_file => $htpasswd_file, - htpasswd_path => $htpasswd_path, - managed_directories => [ - "${documentroot}/IMG", - "${documentroot}/tmp", - "${documentroot}/local", - "${documentroot}/config" - ], - manage_config => false, - } + # create vhost configuration file + ::apache::vhost::php::webapp{$name: + ensure => $ensure, + domain => $domain, + domainalias => $domainalias, + server_admin => $server_admin, + logmode => $logmode, + path => $path, + owner => $owner, + group => $group, + documentroot_owner => $documentroot_owner, + documentroot_group => $documentroot_group, + documentroot_mode => $documentroot_mode, + run_mode => $run_mode, + run_uid => $run_uid, + run_gid => $run_gid, + allow_override => $allow_override, + php_settings => $php_settings, + php_options => $php_options, + do_includes => $do_includes, + options => $options, + additional_options => $additional_options, + default_charset => $default_charset, + mod_security => $mod_security, + mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options => $mod_security_additional_options, + ssl_mode => $ssl_mode, + vhost_mode => $vhost_mode, + template_partial => $template_partial, + vhost_source => $vhost_source, + vhost_destination => $vhost_destination, + htpasswd_file => $htpasswd_file, + htpasswd_path => $htpasswd_path, + managed_directories => [ + "${documentroot}/IMG", + "${documentroot}/tmp", + "${documentroot}/local", + "${documentroot}/config" + ], + manage_config => false, + } } diff --git a/manifests/vhost/php/standard.pp b/manifests/vhost/php/standard.pp index 47ce64f..242a47d 100644 --- a/manifests/vhost/php/standard.pp +++ b/manifests/vhost/php/standard.pp @@ -25,232 +25,247 @@ # - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null # - semianonym: Don't log ips for CustomLog, log normal ErrorLog define apache::vhost::php::standard( - $ensure = present, - $domain = 'absent', - $domainalias = 'absent', - $server_admin = 'absent', - $logmode = 'default', - $logpath = 'absent', - $path = 'absent', - $manage_webdir = true, - $path_is_webdir = false, - $manage_docroot = true, - $owner = root, - $group = apache, - $documentroot_owner = apache, - $documentroot_group = 0, - $documentroot_mode = 0640, - $run_mode = 'normal', - $run_uid = 'absent', - $run_gid = 'absent', - $allow_override = 'None', - $php_settings = {}, - $php_options = {}, - $do_includes = false, - $options = 'absent', - $additional_options = 'absent', - $default_charset = 'absent', - $use_mod_macro = false, - $mod_security = true, - $mod_security_relevantonly = true, - $mod_security_rules_to_disable = [], - $mod_security_additional_options = 'absent', - $ssl_mode = false, - $vhost_mode = 'template', - $template_partial = 'apache/vhosts/php/partial.erb', - $vhost_source = 'absent', - $vhost_destination = 'absent', - $htpasswd_file = 'absent', - $htpasswd_path = 'absent' + $ensure = present, + $domain = 'absent', + $domainalias = 'absent', + $server_admin = 'absent', + $logmode = 'default', + $logpath = 'absent', + $path = 'absent', + $manage_webdir = true, + $path_is_webdir = false, + $manage_docroot = true, + $owner = root, + $group = apache, + $documentroot_owner = apache, + $documentroot_group = 0, + $documentroot_mode = 0640, + $run_mode = 'normal', + $run_uid = 'absent', + $run_gid = 'absent', + $allow_override = 'None', + $php_settings = {}, + $php_options = {}, + $do_includes = false, + $options = 'absent', + $additional_options = 'absent', + $default_charset = 'absent', + $use_mod_macro = false, + $mod_security = true, + $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', + $ssl_mode = false, + $vhost_mode = 'template', + $template_partial = 'apache/vhosts/php/partial.erb', + $vhost_source = 'absent', + $vhost_destination = 'absent', + $htpasswd_file = 'absent', + $htpasswd_path = 'absent' ){ - if $manage_webdir { - # create webdir - ::apache::vhost::webdir{$name: - ensure => $ensure, - path => $path, - owner => $owner, - group => $group, - run_mode => $run_mode, - manage_docroot => $manage_docroot, - documentroot_owner => $documentroot_owner, - documentroot_group => $documentroot_group, - documentroot_mode => $documentroot_mode, - } + if $manage_webdir { + # create webdir + ::apache::vhost::webdir{$name: + ensure => $ensure, + path => $path, + owner => $owner, + group => $group, + run_mode => $run_mode, + manage_docroot => $manage_docroot, + documentroot_owner => $documentroot_owner, + documentroot_group => $documentroot_group, + documentroot_mode => $documentroot_mode, } + } - $real_path = $path ? { - 'absent' => $::operatingsystem ? { - openbsd => "/var/www/htdocs/${name}", - default => "/var/www/vhosts/${name}" - }, - default => $path - } + $real_path = $path ? { + 'absent' => $::operatingsystem ? { + openbsd => "/var/www/htdocs/${name}", + default => "/var/www/vhosts/${name}" + }, + default => $path + } - if $path_is_webdir { - $documentroot = $real_path - } else { - $documentroot = "${real_path}/www" - } - $logdir = $logpath ? { - 'absent' => "$real_path/logs", - default => $logpath - } + if $path_is_webdir { + $documentroot = $real_path + } else { + $documentroot = "${real_path}/www" + } + $logdir = $logpath ? { + 'absent' => "${real_path}/logs", + default => $logpath + } - $std_php_options = { - smarty => false, - pear => false, - } - $real_php_options = merge($std_php_options,$php_options) + $std_php_options = { + smarty => false, + pear => false, + } + $real_php_options = merge($std_php_options,$php_options) - if $real_php_options[smarty] { - include php::extensions::smarty - $smarty_path = '/usr/share/php/Smarty/:' - } else { - $smarty_path = '' - } + if $real_php_options[smarty] { + include php::extensions::smarty + $smarty_path = '/usr/share/php/Smarty/:' + } else { + $smarty_path = '' + } - if $real_php_options[pear] { - $pear_path = '/usr/share/pear/:' - } else { - $pear_path = '' - } + if $real_php_options[pear] { + $pear_path = '/usr/share/pear/:' + } else { + $pear_path = '' + } + if $logmode != 'nologs' { + $php_error_log = "${logdir}/php_error_log" + } else { + $php_error_log = undef + } + if $run_mode == 'fcgid' { + $safe_mode_gid = 'On' + } else { + $safe_mode_gid = undef + } - $std_php_settings = { - engine => 'On', - upload_tmp_dir => "/var/www/upload_tmp_dir/${name}", - 'session.save_path' => "/var/www/session.save_path/${name}", - open_basedir => has_key($php_options,'additional_open_basedir') ? { - true => "${smarty_path}${pear_path}${documentroot}:/var/www/upload_tmp_dir/${name}:/var/www/session.save_path/${name}:${php_options[additional_open_basedir]}", - false => "${smarty_path}${pear_path}${documentroot}:/var/www/upload_tmp_dir/${name}:/var/www/session.save_path/${name}", - }, - safe_mode => $::operatingsystem ? { - debian => undef, - default => 'On', - }, - } - if $logmode != 'nologs' { - $std_php_settings[error_log] = "${logdir}/php_error_log" + if has_key($php_settings,'safe_mode_exec_dir') { + $php_safe_mode_exec_dir = $php_settings[safe_mode_exec_dir] + } else { + $php_safe_mode_exec_dir = $path ? { + 'absent' => $::operatingsystem ? { + openbsd => "/var/www/htdocs/${name}/bin", + default => "/var/www/vhosts/${name}/bin" + }, + default => "${path}/bin" } - if $run_mode == 'fcgid' { - $std_php_settings[safe_mode_gid] = 'On' + } + file{$php_safe_mode_exec_dir: + recurse => true, + force => true, + purge => true, + } + if has_key($php_options,'safe_mode_exec_bins') { + $std_php_settings_safe_mode_exec_dir = $php_safe_mode_exec_dir + $ensure_exec = $ensure ? { + 'present' => directory, + default => 'absent', } - - if has_key($php_settings,'safe_mode_exec_dir') { - $php_safe_mode_exec_dir = $php_settings[safe_mode_exec_dir] - } else { - $php_safe_mode_exec_dir = $path ? { - 'absent' => $::operatingsystem ? { - openbsd => "/var/www/htdocs/${name}/bin", - default => "/var/www/vhosts/${name}/bin" - }, - default => "${path}/bin" - } + File[$php_safe_mode_exec_dir]{ + ensure => $ensure_exec, + owner => $documentroot_owner, + group => $documentroot_group, + mode => '0750', } - file{$php_safe_mode_exec_dir: - recurse => true, - force => true, - purge => true, + $php_safe_mode_exec_bins_subst = regsubst($php_options[safe_mode_exec_bins],'(.+)',"${name}@\\1") + apache::vhost::php::safe_mode_bin{ + $php_safe_mode_exec_bins_subst: + ensure => $ensure, + path => $php_safe_mode_exec_dir; } - if has_key($php_options,'safe_mode_exec_bins') { - $std_php_settings[safe_mode_exec_dir] = $php_safe_mode_exec_dir - File[$php_safe_mode_exec_dir]{ - ensure => $ensure ? { - 'present' => directory, - default => absent, - }, - owner => $documentroot_owner, group => $documentroot_group, mode => 0750, - } - $php_safe_mode_exec_bins_subst = regsubst($php_options[safe_mode_exec_bins],"(.+)","${name}@\\1") - apache::vhost::php::safe_mode_bin{ $php_safe_mode_exec_bins_subst: - ensure => $ensure, - path => $php_safe_mode_exec_dir - } - }else{ - File[$php_safe_mode_exec_dir]{ - ensure => absent, - } + } else { + $std_php_settings_safe_mode_exec_dir = undef + File[$php_safe_mode_exec_dir]{ + ensure => absent, } + } - if !has_key($php_settings,'default_charset') { - if $default_charset != 'absent' { - $std_php_settings[default_charset] = $default_charset ? { - 'On' => 'iso-8859-1', - default => $default_charset - } - } + if !has_key($php_settings,'default_charset') and ($default_charset != 'absent') { + $std_php_settings_default_charset = $default_charset ? { + 'On' => 'iso-8859-1', + default => $default_charset } + } else { + $std_php_settings_default_charset = undef + } - $real_php_settings = merge($std_php_settings,$php_settings) + $std_php_settings = { + engine => 'On', + upload_tmp_dir => "/var/www/upload_tmp_dir/${name}", + 'session.save_path' => "/var/www/session.save_path/${name}", + open_basedir => "${smarty_path}${pear_path}${documentroot}:${real_path}/data:/var/www/upload_tmp_dir/${name}:/var/www/session.save_path/${name}", + safe_mode => $::operatingsystem ? { + debian => undef, + default => 'On', + }, + error_log => $php_error_log, + safe_mode_gid => $safe_mode_gid, + safe_mode_exec_dir => $std_php_settings_safe_mode_exec_dir, + default_charset => $std_php_settings_default_charset, + open_basedir => has_key($php_options,'additional_open_basedir') ? { + true => "${smarty_path}${pear_path}${documentroot}:/var/www/upload_tmp_dir/${name}:/var/www/session.save_path/${name}:${php_options[additional_open_basedir]}", + false => "${smarty_path}${pear_path}${documentroot}:/var/www/upload_tmp_dir/${name}:/var/www/session.save_path/${name}", + }, + } - if $ensure != 'absent' { - case $run_mode { - 'proxy-itk','static-itk': { - include ::php::itk_plus - } - 'itk': { include ::php::itk } - 'fcgid': { - include ::mod_fcgid - include ::php::mod_fcgid - include apache::include::mod_fcgid + $real_php_settings = merge($std_php_settings,$php_settings) + + if $ensure != 'absent' { + case $run_mode { + 'proxy-itk','static-itk': { + include ::php::itk_plus + } + 'itk': { include ::php::itk } + 'fcgid': { + include ::mod_fcgid + include ::php::mod_fcgid + include apache::include::mod_fcgid - mod_fcgid::starter {$name: - cgi_type => 'php', - cgi_type_options => $real_php_settings, - owner => $run_uid, - group => $run_gid, - notify => Service['apache'], - } + mod_fcgid::starter {$name: + php_tmp_dir => $real_php_settings[php_tmp_dir], + cgi_type => 'php', + cgi_type_options => delete($real_php_settings, php_tmp_dir), + owner => $run_uid, + group => $run_gid, + notify => Service['apache'], } - default: { include ::php } } + default: { include ::php } } + } - ::apache::vhost::phpdirs{"${name}": - ensure => $ensure, - php_upload_tmp_dir => $real_php_settings[upload_tmp_dir], - php_session_save_path => $real_php_settings['session.save_path'], - documentroot_owner => $documentroot_owner, - documentroot_group => $documentroot_group, - documentroot_mode => $documentroot_mode, - run_mode => $run_mode, - run_uid => $run_uid, - } + ::apache::vhost::phpdirs{$name: + ensure => $ensure, + php_upload_tmp_dir => $real_php_settings[upload_tmp_dir], + php_session_save_path => $real_php_settings['session.save_path'], + documentroot_owner => $documentroot_owner, + documentroot_group => $documentroot_group, + documentroot_mode => $documentroot_mode, + run_mode => $run_mode, + run_uid => $run_uid, + } - # create vhost configuration file - ::apache::vhost{$name: - ensure => $ensure, - path => $path, - path_is_webdir => $path_is_webdir, - vhost_mode => $vhost_mode, - template_partial => $template_partial, - vhost_source => $vhost_source, - vhost_destination => $vhost_destination, - domain => $domain, - domainalias => $domainalias, - server_admin => $server_admin, - logmode => $logmode, - logpath => $logpath, - run_mode => $run_mode, - run_uid => $run_uid, - run_gid => $run_gid, - allow_override => $allow_override, - do_includes => $do_includes, - options => $options, - additional_options => $additional_options, - default_charset => $default_charset, - php_settings => $real_php_settings, - php_options => $real_php_options, - ssl_mode => $ssl_mode, - htpasswd_file => $htpasswd_file, - htpasswd_path => $htpasswd_path, - mod_security => $mod_security, - mod_security_relevantonly => $mod_security_relevantonly, - mod_security_rules_to_disable => $mod_security_rules_to_disable, - mod_security_additional_options => $mod_security_additional_options, - use_mod_macro => $use_mod_macro, - passing_extension => 'php', - } + # create vhost configuration file + ::apache::vhost{$name: + ensure => $ensure, + path => $path, + path_is_webdir => $path_is_webdir, + vhost_mode => $vhost_mode, + template_partial => $template_partial, + vhost_source => $vhost_source, + vhost_destination => $vhost_destination, + domain => $domain, + domainalias => $domainalias, + server_admin => $server_admin, + logmode => $logmode, + logpath => $logpath, + run_mode => $run_mode, + run_uid => $run_uid, + run_gid => $run_gid, + allow_override => $allow_override, + do_includes => $do_includes, + options => $options, + additional_options => $additional_options, + default_charset => $default_charset, + php_settings => $real_php_settings, + php_options => $real_php_options, + ssl_mode => $ssl_mode, + htpasswd_file => $htpasswd_file, + htpasswd_path => $htpasswd_path, + mod_security => $mod_security, + mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options => $mod_security_additional_options, + use_mod_macro => $use_mod_macro, + passing_extension => 'php', + } } diff --git a/manifests/vhost/php/typo3.pp b/manifests/vhost/php/typo3.pp index a9f12d8..518f898 100644 --- a/manifests/vhost/php/typo3.pp +++ b/manifests/vhost/php/typo3.pp @@ -25,123 +25,124 @@ # - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null # - semianonym: Don't log ips for CustomLog, log normal ErrorLog define apache::vhost::php::typo3( - $ensure = present, - $domain = 'absent', - $domainalias = 'absent', - $server_admin = 'absent', - $logmode = 'default', - $path = 'absent', - $owner = root, - $group = apache, - $documentroot_owner = apache, - $documentroot_group = 0, - $documentroot_mode = 0640, - $run_mode = 'normal', - $run_uid = 'absent', - $run_gid = 'absent', - $allow_override = 'None', - $php_settings = {}, - $php_options = {}, - $do_includes = false, - $options = 'absent', - $additional_options = 'absent', - $default_charset = 'absent', - $mod_security = true, - $mod_security_relevantonly = true, - $mod_security_rules_to_disable = [], - $mod_security_additional_options = 'absent', - $ssl_mode = false, - $vhost_mode = 'template', - $template_partial = 'apache/vhosts/php_typo3/partial.erb', - $vhost_source = 'absent', - $vhost_destination = 'absent', - $htpasswd_file = 'absent', - $htpasswd_path = 'absent', - $manage_config = true, - $config_webwriteable = false, - $manage_directories = true + $ensure = present, + $domain = 'absent', + $domainalias = 'absent', + $server_admin = 'absent', + $logmode = 'default', + $path = 'absent', + $owner = root, + $group = apache, + $documentroot_owner = apache, + $documentroot_group = 0, + $documentroot_mode = '0640', + $run_mode = 'normal', + $run_uid = 'absent', + $run_gid = 'absent', + $allow_override = 'None', + $php_settings = {}, + $php_options = {}, + $do_includes = false, + $options = 'absent', + $additional_options = 'absent', + $default_charset = 'absent', + $mod_security = true, + $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', + $ssl_mode = false, + $vhost_mode = 'template', + $template_partial = 'apache/vhosts/php_typo3/partial.erb', + $vhost_source = 'absent', + $vhost_destination = 'absent', + $htpasswd_file = 'absent', + $htpasswd_path = 'absent', + $manage_config = true, + $config_webwriteable = false, + $manage_directories = true, ){ - $documentroot = $path ? { - 'absent' => $::operatingsystem ? { - openbsd => "/var/www/htdocs/${name}/www", - default => "/var/www/vhosts/${name}/www" - }, - default => "${path}/www" - } + $documentroot = $path ? { + 'absent' => $::operatingsystem ? { + openbsd => "/var/www/htdocs/${name}/www", + default => "/var/www/vhosts/${name}/www" + }, + default => "${path}/www" + } - $modsec_rules = ["960010"] - $real_mod_security_rules_to_disable = array_union($mod_security_rules_to_disable,$modsec_rules) - if $mod_security_additional_options == 'absent' { - $real_mod_security_additional_options = '<Location "/typo3"> - SecRuleEngine Off - SecAuditEngine Off + $modsec_rules = ['960010'] + $real_mod_security_rules_to_disable = array_union($mod_security_rules_to_disable,$modsec_rules) + if $mod_security_additional_options == 'absent' { + $real_mod_security_additional_options = ' + <Location "/typo3"> + SecRuleEngine Off + SecAuditEngine Off </Location> ' - } else { - $real_mod_security_additional_options = $mod_security_additional_options - } + } else { + $real_mod_security_additional_options = $mod_security_additional_options + } - $typo3_php_settings = { - # turn allow_url_fopen on for the extension manager fetch - allow_url_fopen => 'On' - } - $real_php_settings = merge($typo3_php_settings,$php_settings) + $typo3_php_settings = { + # turn allow_url_fopen on for the extension manager fetch + allow_url_fopen => 'On' + } + $real_php_settings = merge($typo3_php_settings,$php_settings) - # create vhost configuration file - ::apache::vhost::php::webapp{$name: - ensure => $ensure, - domain => $domain, - domainalias => $domainalias, - server_admin => $server_admin, - logmode => $logmode, - path => $path, - owner => $owner, - group => $group, - documentroot_owner => $documentroot_owner, - documentroot_group => $documentroot_group, - documentroot_mode => $documentroot_mode, - run_mode => $run_mode, - run_uid => $run_uid, - run_gid => $run_gid, - allow_override => $allow_override, - php_settings => $real_php_settings, - php_options => $php_options, - do_includes => $do_includes, - options => $options, - additional_options => $additional_options, - default_charset => $default_charset, - mod_security => $mod_security, - mod_security_relevantonly => $mod_security_relevantonly, - mod_security_rules_to_disable => $real_mod_security_rules_to_disable, - mod_security_additional_options => $real_mod_security_additional_options, - ssl_mode => $ssl_mode, - vhost_mode => $vhost_mode, - template_partial => $template_partial, - vhost_source => $vhost_source, - vhost_destination => $vhost_destination, - htpasswd_file => $htpasswd_file, - htpasswd_path => $htpasswd_path, - manage_directories => $manage_directories, - managed_directories => [ "${documentroot}/typo3temp", - "${documentroot}/typo3temp/pics", - "${documentroot}/typo3temp/temp", - "${documentroot}/typo3temp/llxml", - "${documentroot}/typo3temp/cs", - "${documentroot}/typo3temp/GB", - "${documentroot}/typo3temp/locks", - "${documentroot}/typo3conf", - "${documentroot}/typo3conf/ext", - "${documentroot}/typo3conf/l10n", - # "${documentroot}/typo3/ext/", # only needed for ext manager installing global extensions - "${documentroot}/uploads", - "${documentroot}/uploads/pics", - "${documentroot}/uploads/media", - "${documentroot}/uploads/tf", - "${documentroot}/fileadmin", - "${documentroot}/fileadmin/_temp_" - ], - manage_config => $manage_config, - } + # create vhost configuration file + ::apache::vhost::php::webapp{$name: + ensure => $ensure, + domain => $domain, + domainalias => $domainalias, + server_admin => $server_admin, + logmode => $logmode, + path => $path, + owner => $owner, + group => $group, + documentroot_owner => $documentroot_owner, + documentroot_group => $documentroot_group, + documentroot_mode => $documentroot_mode, + run_mode => $run_mode, + run_uid => $run_uid, + run_gid => $run_gid, + allow_override => $allow_override, + php_settings => $real_php_settings, + php_options => $php_options, + do_includes => $do_includes, + options => $options, + additional_options => $additional_options, + default_charset => $default_charset, + mod_security => $mod_security, + mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $real_mod_security_rules_to_disable, + mod_security_additional_options => $real_mod_security_additional_options, + ssl_mode => $ssl_mode, + vhost_mode => $vhost_mode, + template_partial => $template_partial, + vhost_source => $vhost_source, + vhost_destination => $vhost_destination, + htpasswd_file => $htpasswd_file, + htpasswd_path => $htpasswd_path, + manage_directories => $manage_directories, + managed_directories => [ "${documentroot}/typo3temp", + "${documentroot}/typo3temp/pics", + "${documentroot}/typo3temp/temp", + "${documentroot}/typo3temp/llxml", + "${documentroot}/typo3temp/cs", + "${documentroot}/typo3temp/GB", + "${documentroot}/typo3temp/locks", + "${documentroot}/typo3conf", + "${documentroot}/typo3conf/ext", + "${documentroot}/typo3conf/l10n", + # "${documentroot}/typo3/ext/", # only needed for ext manager installing global extensions + "${documentroot}/uploads", + "${documentroot}/uploads/pics", + "${documentroot}/uploads/media", + "${documentroot}/uploads/tf", + "${documentroot}/fileadmin", + "${documentroot}/fileadmin/_temp_" + ], + manage_config => $manage_config, + } } diff --git a/manifests/vhost/php/webapp.pp b/manifests/vhost/php/webapp.pp index 54905ca..1569260 100644 --- a/manifests/vhost/php/webapp.pp +++ b/manifests/vhost/php/webapp.pp @@ -25,124 +25,120 @@ # - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null # - semianonym: Don't log ips for CustomLog, log normal ErrorLog define apache::vhost::php::webapp( - $ensure = present, - $domain = 'absent', - $domainalias = 'absent', - $server_admin = 'absent', - $logmode = 'default', - $path = 'absent', - $manage_webdir = true, - $manage_docroot = true, - $owner = root, - $group = apache, - $documentroot_owner = apache, - $documentroot_group = 0, - $documentroot_mode = 0640, - $run_mode = 'normal', - $run_uid = 'absent', - $run_gid = 'absent', - $allow_override = 'None', - $php_settings = {}, - $php_options = {}, - $do_includes = false, - $options = 'absent', - $additional_options = 'absent', - $default_charset = 'absent', - $mod_security = true, - $mod_security_relevantonly = true, - $mod_security_rules_to_disable = [], - $mod_security_additional_options = 'absent', - $ssl_mode = false, - $vhost_mode = 'template', - $template_partial, - $vhost_source = 'absent', - $vhost_destination = 'absent', - $htpasswd_file = 'absent', - $htpasswd_path = 'absent', - $manage_config = true, - $config_file = 'absent', - $config_webwriteable = false, - $manage_directories = true, - $managed_directories = 'absent' + $ensure = present, + $domain = 'absent', + $domainalias = 'absent', + $server_admin = 'absent', + $logmode = 'default', + $path = 'absent', + $manage_webdir = true, + $manage_docroot = true, + $owner = root, + $group = apache, + $documentroot_owner = apache, + $documentroot_group = 0, + $documentroot_mode = '0640', + $run_mode = 'normal', + $run_uid = 'absent', + $run_gid = 'absent', + $allow_override = 'None', + $php_settings = {}, + $php_options = {}, + $do_includes = false, + $options = 'absent', + $additional_options = 'absent', + $default_charset = 'absent', + $mod_security = true, + $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', + $ssl_mode = false, + $vhost_mode = 'template', + $template_partial, + $vhost_source = 'absent', + $vhost_destination = 'absent', + $htpasswd_file = 'absent', + $htpasswd_path = 'absent', + $manage_config = true, + $config_file = 'absent', + $config_webwriteable = false, + $manage_directories = true, + $managed_directories = 'absent', ){ - if ($ensure != 'absent') { - if $manage_directories and ($managed_directories != 'absent') { - ::apache::file::rw{ $managed_directories : - owner => $documentroot_owner, - group => $documentroot_group, - } - } + if ($ensure != 'absent') { + if $manage_directories and ($managed_directories != 'absent') { + ::apache::file::rw{ $managed_directories : + owner => $documentroot_owner, + group => $documentroot_group, + } + } - if $manage_config { - if $config_file == 'absent' { fail("No config file defined for ${name} on ${::fqdn}, if you'd like to manage the config, you have to add one!") } + if $manage_config { + if $config_file == 'absent' { fail("No config file defined for ${name} on ${::fqdn}, if you'd like to manage the config, you have to add one!") } - $real_path = $path ? { - 'absent' => $::operatingsystem ? { - openbsd => "/var/www/htdocs/${name}", - default => "/var/www/vhosts/${name}" - }, - default => $path - } - if $path_is_webdir { - $documentroot = $real_path - } else { - $documentroot = "${real_path}/www" - } - ::apache::vhost::file::documentrootfile{"configurationfile_${name}": - documentroot => $documentroot, - filename => $config_file, - thedomain => $name, - owner => $documentroot_owner, - group => $documentroot_group, - } - if $config_webwriteable { - Apache::Vhost::File::Documentrootfile["configurationfile_${name}"]{ - mode => 0660, - } - } else { - Apache::Vhost::File::Documentrootfile["configurationfile_${name}"]{ - mode => 0440, - } - } + $real_path = $path ? { + 'absent' => $::operatingsystem ? { + openbsd => "/var/www/htdocs/${name}", + default => "/var/www/vhosts/${name}" + }, + default => $path + } + $documentroot = "${real_path}/www" + ::apache::vhost::file::documentrootfile{"configurationfile_${name}": + documentroot => $documentroot, + filename => $config_file, + thedomain => $name, + owner => $documentroot_owner, + group => $documentroot_group, + } + if $config_webwriteable { + Apache::Vhost::File::Documentrootfile["configurationfile_${name}"]{ + mode => '0660', } + } else { + Apache::Vhost::File::Documentrootfile["configurationfile_${name}"]{ + mode => '0440', + } + } } + } - # create vhost configuration file - ::apache::vhost::php::standard{$name: - ensure => $ensure, - domain => $domain, - domainalias => $domainalias, - server_admin => $server_admin, - logmode => $logmode, - path => $path, - manage_webdir => $manage_webdir, - manage_docroot => $manage_docroot, - owner => $owner, - group => $group, - documentroot_owner => $documentroot_owner, - documentroot_group => $documentroot_group, - documentroot_mode => $documentroot_mode, - run_mode => $run_mode, - run_uid => $run_uid, - run_gid => $run_gid, - allow_override => $allow_override, - php_settings => $php_settings, - php_options => $php_options, - do_includes => $do_includes, - options => $options, - additional_options => $additional_options, - default_charset => $default_charset, - mod_security => $mod_security, - mod_security_relevantonly => $mod_security_relevantonly, - mod_security_rules_to_disable => $mod_security_rules_to_disable, - mod_security_additional_options => $mod_security_additional_options, - ssl_mode => $ssl_mode, - vhost_mode => $vhost_mode, - template_partial => $template_partial, - vhost_source => $vhost_source, - vhost_destination => $vhost_destination, - htpasswd_file => $htpasswd_file, - htpasswd_path => $htpasswd_path, - } + # create vhost configuration file + ::apache::vhost::php::standard{$name: + ensure => $ensure, + domain => $domain, + domainalias => $domainalias, + server_admin => $server_admin, + logmode => $logmode, + path => $path, + manage_webdir => $manage_webdir, + manage_docroot => $manage_docroot, + owner => $owner, + group => $group, + documentroot_owner => $documentroot_owner, + documentroot_group => $documentroot_group, + documentroot_mode => $documentroot_mode, + run_mode => $run_mode, + run_uid => $run_uid, + run_gid => $run_gid, + allow_override => $allow_override, + php_settings => $php_settings, + php_options => $php_options, + do_includes => $do_includes, + options => $options, + additional_options => $additional_options, + default_charset => $default_charset, + mod_security => $mod_security, + mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options => $mod_security_additional_options, + ssl_mode => $ssl_mode, + vhost_mode => $vhost_mode, + template_partial => $template_partial, + vhost_source => $vhost_source, + vhost_destination => $vhost_destination, + htpasswd_file => $htpasswd_file, + htpasswd_path => $htpasswd_path, + } } diff --git a/manifests/vhost/php/wordpress.pp b/manifests/vhost/php/wordpress.pp index 7a41ad7..268f33e 100644 --- a/manifests/vhost/php/wordpress.pp +++ b/manifests/vhost/php/wordpress.pp @@ -25,92 +25,92 @@ # - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null # - semianonym: Don't log ips for CustomLog, log normal ErrorLog define apache::vhost::php::wordpress( - $ensure = present, - $domain = 'absent', - $domainalias = 'absent', - $server_admin = 'absent', - $logmode = 'default', - $path = 'absent', - $owner = root, - $group = apache, - $documentroot_owner = apache, - $documentroot_group = 0, - $documentroot_mode = 0640, - $run_mode = 'normal', - $run_uid = 'absent', - $run_gid = 'absent', - $allow_override = 'FileInfo', - $php_settings = {}, - $php_options = {}, - $do_includes = false, - $options = 'absent', - $additional_options = 'absent', - $default_charset = 'absent', - $mod_security = true, - $mod_security_relevantonly = true, - $mod_security_rules_to_disable = [], - $mod_security_additional_options = 'absent', - $ssl_mode = false, - $vhost_mode = 'template', - $template_partial = 'apache/vhosts/php_wordpress/partial.erb', - $vhost_source = 'absent', - $vhost_destination = 'absent', - $htpasswd_file = 'absent', - $htpasswd_path = 'absent', - $manage_config = true, - $config_webwriteable = false, - $manage_directories = true + $ensure = present, + $domain = 'absent', + $domainalias = 'absent', + $server_admin = 'absent', + $logmode = 'default', + $path = 'absent', + $owner = root, + $group = apache, + $documentroot_owner = apache, + $documentroot_group = 0, + $documentroot_mode = '0640', + $run_mode = 'normal', + $run_uid = 'absent', + $run_gid = 'absent', + $allow_override = 'FileInfo', + $php_settings = {}, + $php_options = {}, + $do_includes = false, + $options = 'absent', + $additional_options = 'absent', + $default_charset = 'absent', + $mod_security = true, + $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', + $ssl_mode = false, + $vhost_mode = 'template', + $template_partial = 'apache/vhosts/php_wordpress/partial.erb', + $vhost_source = 'absent', + $vhost_destination = 'absent', + $htpasswd_file = 'absent', + $htpasswd_path = 'absent', + $manage_config = true, + $config_webwriteable = false, + $manage_directories = true ){ - $documentroot = $path ? { - 'absent' => $::operatingsystem ? { - openbsd => "/var/www/htdocs/${name}/www", - default => "/var/www/vhosts/${name}/www" - }, - default => "${path}/www" - } - $modsec_rules = ["960010", "950018"] - $real_mod_security_rules_to_disable = array_union($mod_security_rules_to_disable,$modsec_rules) + $documentroot = $path ? { + 'absent' => $::operatingsystem ? { + openbsd => "/var/www/htdocs/${name}/www", + default => "/var/www/vhosts/${name}/www" + }, + default => "${path}/www" + } + $modsec_rules = ["960010", "950018"] + $real_mod_security_rules_to_disable = array_union($mod_security_rules_to_disable,$modsec_rules) - # create vhost configuration file - apache::vhost::php::webapp{$name: - ensure => $ensure, - domain => $domain, - domainalias => $domainalias, - server_admin => $server_admin, - logmode => $logmode, - path => $path, - owner => $owner, - group => $group, - documentroot_owner => $documentroot_owner, - documentroot_group => $documentroot_group, - documentroot_mode => $documentroot_mode, - run_mode => $run_mode, - run_uid => $run_uid, - run_gid => $run_gid, - allow_override => $allow_override, - php_settings => $php_settings, - php_options => $php_options, - do_includes => $do_includes, - options => $options, - additional_options => $additional_options, - default_charset => $default_charset, - mod_security => $mod_security, - mod_security_relevantonly => $mod_security_relevantonly, - mod_security_rules_to_disable => $real_mod_security_rules_to_disable, - mod_security_additional_options => $mod_security_additional_options, - ssl_mode => $ssl_mode, - vhost_mode => $vhost_mode, - template_partial => $template_partial, - vhost_source => $vhost_source, - vhost_destination => $vhost_destination, - htpasswd_file => $htpasswd_file, - htpasswd_path => $htpasswd_path, - manage_directories => $manage_directories, - managed_directories => "${documentroot}/wp-content", - manage_config => $manage_config, - config_webwriteable => $config_webwriteable, - config_file => 'wp-config.php', - } + # create vhost configuration file + apache::vhost::php::webapp{$name: + ensure => $ensure, + domain => $domain, + domainalias => $domainalias, + server_admin => $server_admin, + logmode => $logmode, + path => $path, + owner => $owner, + group => $group, + documentroot_owner => $documentroot_owner, + documentroot_group => $documentroot_group, + documentroot_mode => $documentroot_mode, + run_mode => $run_mode, + run_uid => $run_uid, + run_gid => $run_gid, + allow_override => $allow_override, + php_settings => $php_settings, + php_options => $php_options, + do_includes => $do_includes, + options => $options, + additional_options => $additional_options, + default_charset => $default_charset, + mod_security => $mod_security, + mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $real_mod_security_rules_to_disable, + mod_security_additional_options => $mod_security_additional_options, + ssl_mode => $ssl_mode, + vhost_mode => $vhost_mode, + template_partial => $template_partial, + vhost_source => $vhost_source, + vhost_destination => $vhost_destination, + htpasswd_file => $htpasswd_file, + htpasswd_path => $htpasswd_path, + manage_directories => $manage_directories, + managed_directories => "${documentroot}/wp-content", + manage_config => $manage_config, + config_webwriteable => $config_webwriteable, + config_file => 'wp-config.php', + } } diff --git a/manifests/vhost/static.pp b/manifests/vhost/static.pp index f1dbcc2..21b062e 100644 --- a/manifests/vhost/static.pp +++ b/manifests/vhost/static.pp @@ -13,70 +13,71 @@ # - true: activate mod_security # define apache::vhost::static( - $ensure = present, - $domain = 'absent', - $domainalias = 'absent', - $server_admin = 'absent', - $logmode = 'default', - $path = 'absent', - $owner = root, - $group = apache, - $documentroot_owner = apache, - $documentroot_group = 0, - $documentroot_mode = 0640, - $allow_override = 'None', - $do_includes = false, - $options = 'absent', - $additional_options = 'absent', - $default_charset = 'absent', - $ssl_mode = false, - $run_mode = 'normal', - $vhost_mode = 'template', - $template_partial = 'apache/vhosts/static/partial.erb', - $vhost_source = 'absent', - $vhost_destination = 'absent', - $htpasswd_file = 'absent', - $htpasswd_path = 'absent', - $mod_security = false, - $mod_security_relevantonly = true, - $mod_security_rules_to_disable = [], - $mod_security_additional_options = 'absent' + $ensure = present, + $domain = 'absent', + $domainalias = 'absent', + $server_admin = 'absent', + $logmode = 'default', + $path = 'absent', + $owner = root, + $group = apache, + $documentroot_owner = apache, + $documentroot_group = 0, + $documentroot_mode = 0640, + $allow_override = 'None', + $do_includes = false, + $options = 'absent', + $additional_options = 'absent', + $default_charset = 'absent', + $ssl_mode = false, + $run_mode = 'normal', + $vhost_mode = 'template', + $template_partial = 'apache/vhosts/static/partial.erb', + $vhost_source = 'absent', + $vhost_destination = 'absent', + $htpasswd_file = 'absent', + $htpasswd_path = 'absent', + $mod_security = false, + $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent' ){ # create webdir ::apache::vhost::webdir{$name: - ensure => $ensure, - path => $path, - owner => $owner, - group => $group, - run_mode => $run_mode, - documentroot_owner => $documentroot_owner, - documentroot_group => $documentroot_group, - documentroot_mode => $documentroot_mode, + ensure => $ensure, + path => $path, + owner => $owner, + group => $group, + run_mode => $run_mode, + datadir => false, + documentroot_owner => $documentroot_owner, + documentroot_group => $documentroot_group, + documentroot_mode => $documentroot_mode, } # create vhost configuration file ::apache::vhost{$name: - ensure => $ensure, - path => $path, - template_partial => $template_partial, - vhost_mode => $vhost_mode, - vhost_source => $vhost_source, - vhost_destination => $vhost_destination, - domain => $domain, - domainalias => $domainalias, - server_admin => $server_admin, - logmode => $logmode, - allow_override => $allow_override, - do_includes => $do_includes, - options => $options, - additional_options => $additional_options, - default_charset => $default_charset, - ssl_mode => $ssl_mode, - htpasswd_file => $htpasswd_file, - htpasswd_path => $htpasswd_path, - mod_security => $mod_security, - mod_security_relevantonly => $mod_security_relevantonly, - mod_security_rules_to_disable => $mod_security_rules_to_disable, + ensure => $ensure, + path => $path, + template_partial => $template_partial, + vhost_mode => $vhost_mode, + vhost_source => $vhost_source, + vhost_destination => $vhost_destination, + domain => $domain, + domainalias => $domainalias, + server_admin => $server_admin, + logmode => $logmode, + allow_override => $allow_override, + do_includes => $do_includes, + options => $options, + additional_options => $additional_options, + default_charset => $default_charset, + ssl_mode => $ssl_mode, + htpasswd_file => $htpasswd_file, + htpasswd_path => $htpasswd_path, + mod_security => $mod_security, + mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, mod_security_additional_options => $mod_security_additional_options, } } diff --git a/manifests/vhost/webdav.pp b/manifests/vhost/webdav.pp index 003a308..e1b6c3f 100644 --- a/manifests/vhost/webdav.pp +++ b/manifests/vhost/webdav.pp @@ -24,100 +24,101 @@ # - semianonym: Don't log ips for CustomLog, log normal ErrorLog # define apache::vhost::webdav( - $ensure = present, - $domain = 'absent', - $domainalias = 'absent', - $server_admin = 'absent', - $path = 'absent', - $owner = root, - $group = apache, - $manage_webdir = true, - $path_is_webdir = false, - $logmode = 'default', - $logpath = 'absent', - $documentroot_owner = apache, - $documentroot_group = 0, - $documentroot_mode = 0640, - $run_mode = 'normal', - $run_uid = 'absent', - $run_gid = 'absent', - $options = 'absent', - $additional_options = 'absent', - $default_charset = 'absent', - $mod_security = false, - $mod_security_relevantonly = true, - $mod_security_rules_to_disable = [], - $mod_security_additional_options = 'absent', - $ssl_mode = false, - $vhost_mode = 'template', - $vhost_source = 'absent', - $vhost_destination = 'absent', - $htpasswd_file = 'absent', - $htpasswd_path = 'absent', - $ldap_auth = false, - $ldap_user = 'any', - $dav_db_dir = 'absent' + $ensure = present, + $domain = 'absent', + $domainalias = 'absent', + $server_admin = 'absent', + $path = 'absent', + $owner = root, + $group = apache, + $manage_webdir = true, + $path_is_webdir = false, + $logmode = 'default', + $logpath = 'absent', + $documentroot_owner = apache, + $documentroot_group = 0, + $documentroot_mode = 0640, + $run_mode = 'normal', + $run_uid = 'absent', + $run_gid = 'absent', + $options = 'absent', + $additional_options = 'absent', + $default_charset = 'absent', + $mod_security = false, + $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', + $ssl_mode = false, + $vhost_mode = 'template', + $vhost_source = 'absent', + $vhost_destination = 'absent', + $htpasswd_file = 'absent', + $htpasswd_path = 'absent', + $ldap_auth = false, + $ldap_user = 'any', + $dav_db_dir = 'absent' ){ - ::apache::vhost::davdbdir{$name: - ensure => $ensure, - dav_db_dir => $dav_db_dir, - documentroot_owner => $documentroot_owner, - documentroot_group => $documentroot_group, - documentroot_mode => $documentroot_mode, - run_mode => $run_mode, - run_uid => $run_uid, - } + ::apache::vhost::davdbdir{$name: + ensure => $ensure, + dav_db_dir => $dav_db_dir, + documentroot_owner => $documentroot_owner, + documentroot_group => $documentroot_group, + documentroot_mode => $documentroot_mode, + run_mode => $run_mode, + run_uid => $run_uid, + } - if $manage_webdir { - # create webdir - ::apache::vhost::webdir{$name: - ensure => $ensure, - path => $path, - owner => $owner, - group => $group, - run_mode => $run_mode, - documentroot_owner => $documentroot_owner, - documentroot_group => $documentroot_group, - documentroot_mode => $documentroot_mode, - } + if $manage_webdir { + # create webdir + ::apache::vhost::webdir{$name: + ensure => $ensure, + path => $path, + owner => $owner, + group => $group, + run_mode => $run_mode, + datadir => false, + documentroot_owner => $documentroot_owner, + documentroot_group => $documentroot_group, + documentroot_mode => $documentroot_mode, } + } - if $run_mode == 'static-itk' { - notice("static-itk mode is not possible for webdav vhosts, rewriting it to proxy-itk") - $real_run_mode = 'proxy-itk' - } else { - $real_run_mode = $run_mode - } + if $run_mode == 'static-itk' { + notice('static-itk mode is not possible for webdav vhosts, rewriting it to proxy-itk') + $real_run_mode = 'proxy-itk' + } else { + $real_run_mode = $run_mode + } - # create vhost configuration file - ::apache::vhost{$name: - ensure => $ensure, - path => $path, - path_is_webdir => $path_is_webdir, - logpath => $logpath, - logmode => $logmode, - template_partial => 'apache/vhosts/webdav/partial.erb', - vhost_mode => $vhost_mode, - vhost_source => $vhost_source, - vhost_destination => $vhost_destination, - domain => $domain, - domainalias => $domainalias, - server_admin => $server_admin, - run_mode => $real_run_mode, - run_uid => $run_uid, - run_gid => $run_gid, - options => $options, - additional_options => $additional_options, - default_charset => $default_charset, - ssl_mode => $ssl_mode, - htpasswd_file => $htpasswd_file, - htpasswd_path => $htpasswd_path, - ldap_auth => $ldap_auth, - ldap_user => $ldap_user, - mod_security => $mod_security, - mod_security_relevantonly => $mod_security_relevantonly, - mod_security_rules_to_disable => $mod_security_rules_to_disable, - mod_security_additional_options => $mod_security_additional_options, - } + # create vhost configuration file + ::apache::vhost{$name: + ensure => $ensure, + path => $path, + path_is_webdir => $path_is_webdir, + logpath => $logpath, + logmode => $logmode, + template_partial => 'apache/vhosts/webdav/partial.erb', + vhost_mode => $vhost_mode, + vhost_source => $vhost_source, + vhost_destination => $vhost_destination, + domain => $domain, + domainalias => $domainalias, + server_admin => $server_admin, + run_mode => $real_run_mode, + run_uid => $run_uid, + run_gid => $run_gid, + options => $options, + additional_options => $additional_options, + default_charset => $default_charset, + ssl_mode => $ssl_mode, + htpasswd_file => $htpasswd_file, + htpasswd_path => $htpasswd_path, + ldap_auth => $ldap_auth, + ldap_user => $ldap_user, + mod_security => $mod_security, + mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options => $mod_security_additional_options, + } } diff --git a/manifests/vhost/webdir.pp b/manifests/vhost/webdir.pp index c9729f0..e0e2546 100644 --- a/manifests/vhost/webdir.pp +++ b/manifests/vhost/webdir.pp @@ -1,15 +1,16 @@ # create webdir define apache::vhost::webdir( - $ensure = present, - $path = 'absent', - $owner = root, - $group = apache, - $mode = 0640, - $run_mode = 'normal', - $manage_docroot = true, - $documentroot_owner = root, - $documentroot_group = apache, - $documentroot_mode = 0640, + $ensure = present, + $path = 'absent', + $owner = root, + $group = apache, + $mode = 0640, + $run_mode = 'normal', + $manage_docroot = true, + $datadir = true, + $documentroot_owner = root, + $documentroot_group = apache, + $documentroot_mode = 0640, $documentroot_recurse = false ){ $real_path = $path ? { @@ -68,6 +69,11 @@ define apache::vhost::webdir( } case $ensure { absent: { + exec{"cleanup_webdir_${real_path}": + command => "rm -rf ${real_path}", + onlyif => "test -d ${real_path}", + before => File[$real_path], + } file{$real_path: ensure => absent, purge => true, @@ -105,6 +111,14 @@ define apache::vhost::webdir( mode => $documentroot_mode; } } + if $datadir { + file{"${real_path}/data": + ensure => directory, + owner => $real_documentroot_owner, + group => $real_documentroot_group, + mode => '0640'; + } + } case $::operatingsystem { centos: { include apache::logrotate::centos::vhosts } default: { #nothing diff --git a/templates/vhosts/default.erb b/templates/vhosts/default.erb index 809cd9b..79e713d 100644 --- a/templates/vhosts/default.erb +++ b/templates/vhosts/default.erb @@ -1,5 +1,5 @@ <% -vhost_parts = case ssl_mode +vhost_parts = case @ssl_mode when 'only' then [:ssl] when false,'false' then [:normal] else [:normal,:ssl] @@ -11,32 +11,32 @@ vhost_parts.each do |vhost_part| -%> <%= scope.function_template(['apache/vhosts/partials/logs.erb']) %> - <% if run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%> +<% if @run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%> <IfModule mpm_itk_module> - AssignUserId <%= run_uid+" "+run_gid %> + AssignUserId <%= "#{@run_uid} #{@run_gid}" %> </IfModule> - <% elsif run_mode.to_s == 'fcgid' && !(ssl_mode == 'force' && vhost_part == :normal) -%> +<% elsif @run_mode.to_s == 'fcgid' -%> <IfModule mod_fcgid.c> - SuexecUserGroup <%= run_uid+" "+run_gid %> + SuexecUserGroup <%= "#{@run_uid} #{@run_gid}" %> FcgidMaxRequestsPerProcess 5000 - FCGIWrapper /var/www/mod_fcgid-starters/<%= name %>/<%= name %>-starter .<%= passing_extension %> - AddHandler fcgid-script .<%= passing_extension %> + FCGIWrapper /var/www/mod_fcgid-starters/<%= @name %>/<%= @name %>-starter .<%= @passing_extension %> + AddHandler fcgid-script .<%= @passing_extension %> </IfModule> - <% end -%> - <% if ssl_mode == 'force' && vhost_part == :normal -%> +<% end -%> +<% if @ssl_mode == 'force' && vhost_part == :normal -%> RewriteEngine On RewriteCond %{HTTPS} !=on + RewriteCond %{HTTP:X-Forwarded-Proto} !=https RewriteRule (.*) https://%{SERVER_NAME}$1 [R=permanent,L] - <% else -%> -<%= scope.function_templatewlv([template_partial, {'vhost_part' => vhost_part } ]) %> - <% end -%> -<%- unless template_partial == 'apache/vhosts/itk_plus/partial.erb' -%> +<% end -%> +<%= scope.function_templatewlv([@template_partial, {'vhost_part' => vhost_part } ]) %> +<% unless @template_partial == 'apache/vhosts/itk_plus/partial.erb' -%> <%= scope.function_template(['apache/vhosts/partials/mod_security.erb']) %> <% end -%> -<% unless additional_options.to_s == 'absent' -%> - <%= additional_options %> +<% unless @additional_options.to_s == 'absent' -%> + <%= @additional_options %> <% end -%> </VirtualHost> <% end -%> diff --git a/templates/vhosts/gitweb/partial.erb b/templates/vhosts/gitweb/partial.erb index 7238ebe..a8475f6 100644 --- a/templates/vhosts/gitweb/partial.erb +++ b/templates/vhosts/gitweb/partial.erb @@ -1,19 +1,16 @@ - <% unless ssl_mode.to_s == 'force' -%> - SetEnv GITWEB_CONFIG <%= gitweb_config %> - DirectoryIndex gitweb.cgi - <Directory "<%= documentroot %>/"> - <% if options.to_s != 'absent' or do_includes.to_s == 'true'-%> - Options <% unless options.to_s == 'absent' -%><%= options %><% end -%><% if do_includes.to_s == 'true' && !options.include?('+Includes') -%> +Includes<% end -%><% unless options.include?('+ExecCGI') -%> +ExecCGI<% end -%> - <% end -%> - - AddHandler cgi-script .cgi - <Files gitweb.cgi> - Options ExecCGI FollowSymLinks - SetHandler cgi-script - </Files> - RewriteEngine on - RewriteRule ^[a-zA-Z0-9_-]+.git/?(\?.)?$ /gitweb.cgi%{REQUESTURI} [L,PT] + SetEnv GITWEB_CONFIG <%= @gitweb_config %> + DirectoryIndex gitweb.cgi + <Directory "<%= @documentroot %>/"> +<% if @options.to_s != 'absent' || @do_includes.to_s == 'true'-%> + Options <% unless @options.to_s == 'absent' -%><%= @options %><% end -%><% if @do_includes.to_s == 'true' && !@options.include?('+Includes') -%> +Includes<% end -%><% unless @options.include?('+ExecCGI') -%> +ExecCGI<% end -%> +<% end -%> + AddHandler cgi-script .cgi + <Files gitweb.cgi> + Options ExecCGI FollowSymLinks + SetHandler cgi-script + </Files> + RewriteEngine on + RewriteRule ^[a-zA-Z0-9_-]+.git/?(\?.)?$ /gitweb.cgi%{REQUESTURI} [L,PT] <%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %> - </Directory> - <% end -%> + </Directory> diff --git a/templates/vhosts/itk_plus/partial.erb b/templates/vhosts/itk_plus/partial.erb index 5b05dd8..df04543 100644 --- a/templates/vhosts/itk_plus/partial.erb +++ b/templates/vhosts/itk_plus/partial.erb @@ -1,32 +1,31 @@ - ProxyPreserveHost On - ProxyRequests off + ProxyPreserveHost On + ProxyRequests off <% if vhost_part == :ssl -%> - SSLProxyEngine On - <%- if run_mode.to_s == 'static-itk' -%> - ProxyPassMatch ^/(.*\.<%= passing_extension %>/?.*)$ https://127.0.0.1/$1 - <%- else -%> - ProxyPass / https://127.0.0.1/ - <%- end -%> - ProxyPassReverse / https://127.0.0.1/ + SSLProxyEngine On +<% if run_mode.to_s == 'static-itk' -%> + ProxyPassMatch ^/(.*\.<%= @passing_extension %>/?.*)$ https://127.0.0.1/$1 +<% else -%> + ProxyPass / https://127.0.0.1/ +<% end -%> + ProxyPassReverse / https://127.0.0.1/ <% else -%> - <% if run_mode.to_s == 'static-itk' -%> - ProxyPassMatch ^/(.*\.<%= passing_extension %>/?.*)$ http://127.0.0.1/$1 - <% else -%> - ProxyPass / http://127.0.0.1/ - <% end -%> - ProxyPassReverse / http://127.0.0.1/ -<% end %> +<% if run_mode.to_s == 'static-itk' -%> + ProxyPassMatch ^/(.*\.<%= @passing_extension %>/?.*)$ http://127.0.0.1/$1 +<% else -%> + ProxyPass / http://127.0.0.1/ +<% end -%> + ProxyPassReverse / http://127.0.0.1/ +<% end -%> - <% if run_mode.to_s == 'static-itk' && (ssl_mode.to_s != 'force' || vhost_part == :ssl) -%> - <Directory "<%= documentroot %>/"> - AllowOverride <%= allow_override %> - <% if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> - Options <% unless options.to_s == 'absent' then -%><%= options %><% end -%><% if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<% end -%> - - <% end -%> +<% if @run_mode.to_s == 'static-itk' && (@ssl_mode.to_s != 'force' || vhost_part == :ssl) -%> + <Directory "<%= @documentroot %>/"> + AllowOverride <%= @allow_override %> +<% if @options.to_s != 'absent' || @do_includes.to_s == 'true' -%> + Options <% unless @options.to_s == 'absent' -%><%= @options %><% end -%><% if @do_includes.to_s == 'true' && !@options.include?('+Includes') -%> +Includes<% end -%> +<% end -%> <%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %> - </Directory> - <% end -%> + </Directory> +<% end -%> diff --git a/templates/vhosts/partials/authentication.erb b/templates/vhosts/partials/authentication.erb index 6ca1b03..ed83221 100644 --- a/templates/vhosts/partials/authentication.erb +++ b/templates/vhosts/partials/authentication.erb @@ -1,6 +1,6 @@ -<% unless htpasswd_file.to_s == 'absent' -%> - AuthType Basic - AuthName "Access fuer <%= servername %>" - AuthUserFile <%= real_htpasswd_path %> - require valid-user -<% end -%>
\ No newline at end of file +<% unless @htpasswd_file.to_s == 'absent' -%> + AuthType Basic + AuthName "Access fuer <%= @servername %>" + AuthUserFile <%= @real_htpasswd_path %> + require valid-user +<% end -%> diff --git a/templates/vhosts/partials/header_default.erb b/templates/vhosts/partials/header_default.erb index d6d8c86..dbba367 100644 --- a/templates/vhosts/partials/header_default.erb +++ b/templates/vhosts/partials/header_default.erb @@ -2,19 +2,19 @@ <% if vhost_part == :ssl -%> Include include.d/ssl_defaults.inc <% end -%> - ServerName <%= servername %> -<% unless serveralias.empty? || (serveralias == 'absent') -%> - ServerAlias <%= serveralias %> + ServerName <%= @servername %> +<% unless @serveralias.empty? || (@serveralias == 'absent') -%> + ServerAlias <%= Array(@serveralias).join(' ') %> <% end -%> -<% unless server_admin.empty? || (server_admin == 'absent') -%> - ServerAdmin <%= server_admin %> +<% unless @server_admin.empty? || (@server_admin == 'absent') -%> + ServerAdmin <%= @server_admin %> <% end -%> -<% unless documentroot == 'really_absent' -%> - DocumentRoot <%= documentroot %>/ +<% unless @documentroot == 'really_absent' -%> + DocumentRoot <%= @documentroot %>/ <% end -%> -<% if default_charset != 'absent' then -%> - AddDefaultCharset <%= default_charset %> +<% if @default_charset != 'absent' -%> + AddDefaultCharset <%= @default_charset %> <% end -%> -<% if passing_extension != 'absent' -%> - DirectoryIndex index.htm index.html index.<%= passing_extension %> +<% if @passing_extension != 'absent' -%> + DirectoryIndex index.htm index.html index.<%= @passing_extension %> <% end -%> diff --git a/templates/vhosts/partials/logs.erb b/templates/vhosts/partials/logs.erb index 68403a8..136508f 100644 --- a/templates/vhosts/partials/logs.erb +++ b/templates/vhosts/partials/logs.erb @@ -1,14 +1,18 @@ -<% case logmode.to_s +<% case @logmode.to_s when 'nologs' -%> ErrorLog /dev/null CustomLog /dev/null +<% when 'noaccess' -%> + ErrorLog <%= @logdir %>/<%= @logprefix %>error_log + CustomLog /dev/null noip <% when 'semianonym' -%> - ErrorLog <%= logdir %>/<%= logprefix %>error_log - CustomLog <%= logdir %>/<%= logprefix %>access_log noip + ErrorLog <%= @logdir %>/<%= @logprefix %>error_log + CustomLog <%= @logdir %>/<%= @logprefix %>access_log noip <% when 'anonym' -%> ErrorLog /dev/null - CustomLog <%= logdir %>/<%= logprefix %>access_log noip + CustomLog <%= @logdir %>/<%= @logprefix %>access_log noip <% else -%> - ErrorLog <%= logdir %>/<%= logprefix %>error_log - CustomLog <%= logdir %>/<%= logprefix %>access_log combined + ErrorLog <%= @logdir %>/<%= @logprefix %>error_log + CustomLog <%= @logdir %>/<%= @logprefix %>access_log combined <% end -%> + diff --git a/templates/vhosts/partials/mod_security.erb b/templates/vhosts/partials/mod_security.erb index 5b4fca8..380e78f 100644 --- a/templates/vhosts/partials/mod_security.erb +++ b/templates/vhosts/partials/mod_security.erb @@ -1,27 +1,27 @@ <IfModule mod_security2.c> -<% if mod_security.to_s == 'true' then -%> +<% if @mod_security.to_s == 'true' -%> SecRuleEngine On -<% if mod_security_relevantonly.to_s == 'true' then -%> +<% if @mod_security_relevantonly.to_s == 'true' -%> SecAuditEngine RelevantOnly -<% else -%> +<% else -%> SecAuditEngine On -<% end -%> +<% end -%> <% else -%> SecRuleEngine Off SecAuditEngine Off <% end -%> SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log -<% unless mod_security_rules_to_disable.to_a.empty? -%> + SecAuditLogStorageDir <%= @logdir %>/ + SecAuditLog <%= @logdir %>/mod_security_audit.log + SecDebugLog <%= @logdir %>/mod_security_debug.log +<% unless (disabled_rules=Array(@mod_security_rules_to_disable)).empty? -%> -<% mod_security_rules_to_disable.to_a.each do |rule| -%> +<% disabled_rules.each do |rule| -%> SecRuleRemoveById "<%= rule %>" +<% end -%> <% end -%> -<% end -%> -<% unless mod_security_additional_options.to_s == 'absent' -%> +<% unless (s=@mod_security_additional_options).to_s == 'absent' -%> - <%= mod_security_additional_options %> + <%= s %> <% end -%> </IfModule> diff --git a/templates/vhosts/partials/php_settings.erb b/templates/vhosts/partials/php_settings.erb index 7840987..74f6ecf 100644 --- a/templates/vhosts/partials/php_settings.erb +++ b/templates/vhosts/partials/php_settings.erb @@ -1,19 +1,20 @@ -<% if run_mode != 'fcgid' - php_settings.reject{|k,v| v == :undef }.keys.sort.each do |key| - dvalue = php_settings[key].to_s.downcase +<% if @run_mode != 'fcgid' + @php_settings.reject{|k,v| (v == :undef) || v.nil? }.keys.sort.each do |key| + dvalue = @php_settings[key].to_s.downcase munged_value = if dvalue == 'true' - 'on' - elsif dvalue == 'false' - 'off' - elsif ['on','off'].include?(dvalue) - dvalue - else - php_settings[key] - end - if ['on','off' ].include?(munged_value) -%> + 'on' + elsif dvalue == 'false' + 'off' + elsif ['on','off'].include?(dvalue) + dvalue + else + @php_settings[key] + end + + if ['on','off' ].include?(munged_value) -%> php_admin_flag <%= key %> <%= munged_value %> -<% else -%> +<% else -%> php_admin_value <%= key %> <%= munged_value %> -<% end -%> -<% end -%> +<% end -%> +<% end -%> <% end -%> diff --git a/templates/vhosts/partials/std_override_options.erb b/templates/vhosts/partials/std_override_options.erb index 95a5e6a..6d8b74f 100644 --- a/templates/vhosts/partials/std_override_options.erb +++ b/templates/vhosts/partials/std_override_options.erb @@ -1,4 +1,4 @@ - AllowOverride <%= allow_override %> - <% if options.to_s != 'absent' || do_includes.to_s == 'true' || run_mode == 'fcgid' -%> - Options <%- unless options.to_s == 'absent' then -%><%= options %><% end -%><% if do_includes.to_s == 'true' && !options.include?('+Includes') -%> +Includes<% end -%><% if run_mode == 'fcgid' && !options.include?('+ExecCGI') -%> +ExecCGI<% end -%> - <% end -%> + AllowOverride <%= @allow_override %> +<% if @options.to_s != 'absent' || @do_includes.to_s == 'true' || @run_mode == 'fcgid' -%> + Options <%- unless @options.to_s == 'absent' -%><%= @options %><% end -%><% if @do_includes.to_s == 'true' && !@options.include?('+Includes') -%> +Includes<% end -%><% if @run_mode == 'fcgid' && !@options.include?('+ExecCGI') -%> +ExecCGI<% end -%> +<% end -%> diff --git a/templates/vhosts/passenger/partial.erb b/templates/vhosts/passenger/partial.erb index 490649e..c3b63f5 100644 --- a/templates/vhosts/passenger/partial.erb +++ b/templates/vhosts/passenger/partial.erb @@ -1,7 +1,7 @@ - SetEnv GEM_HOME <%= gempath %> - <Directory <%= documentroot %>/> - AllowOverride <%= allow_override %> - Options <%- unless options.to_s == 'absent' -%><%= options %><%- end -%><%- unless !options.to_s.include?('MultiViews') -%>-MultiViews<%- end -%> + SetEnv GEM_HOME <%= @gempath %> + <Directory <%= @documentroot %>/> + AllowOverride <%= @allow_override %> + Options <%- unless @options.to_s == 'absent' -%><%= @options %><%- end -%><%- unless !@options.to_s.include?('MultiViews') -%>-MultiViews<%- end -%> <%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %> </Directory> diff --git a/templates/vhosts/perl/partial.erb b/templates/vhosts/perl/partial.erb index a8c30c3..8c1f0a5 100644 --- a/templates/vhosts/perl/partial.erb +++ b/templates/vhosts/perl/partial.erb @@ -1,15 +1,14 @@ - <Directory "<%= documentroot %>/"> + <Directory "<%= @documentroot %>/"> <%= scope.function_template(['apache/vhosts/partials/std_override_options.erb']) %> - <%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %> - </Directory> + </Directory> - <% unless htpasswd_file.to_s == 'absent' -%> - <Directory "<%= cgi_binpath %>/"> - AuthType Basic - AuthName "Access fuer <%= servername %>" - AuthUserFile <%= real_htpasswd_path %> - require valid-user - </Directory> - <% end -%> - ScriptAlias /cgi-bin/ <%= cgi_binpath %>/ +<% unless @htpasswd_file.to_s == 'absent' -%> + <Directory "<%= @cgi_binpath %>/"> + AuthType Basic + AuthName "Access fuer <%= @servername %>" + AuthUserFile <%= @real_htpasswd_path %> + require valid-user + </Directory> +<% end -%> + ScriptAlias /cgi-bin/ <%= @cgi_binpath %>/ diff --git a/templates/vhosts/php/partial.erb b/templates/vhosts/php/partial.erb index f8e5c53..c19ae7b 100644 --- a/templates/vhosts/php/partial.erb +++ b/templates/vhosts/php/partial.erb @@ -1,7 +1,5 @@ - <Directory "<%= documentroot %>/"> + <Directory "<%= @documentroot %>/"> <%= scope.function_template(['apache/vhosts/partials/std_override_options.erb']) %> - <%= scope.function_template(['apache/vhosts/partials/php_settings.erb']) %> - <%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %> - </Directory> + </Directory> diff --git a/templates/vhosts/php_drupal/partial.erb b/templates/vhosts/php_drupal/partial.erb index 3c420b1..316942f 100644 --- a/templates/vhosts/php_drupal/partial.erb +++ b/templates/vhosts/php_drupal/partial.erb @@ -1,26 +1,22 @@ - <Directory "<%= documentroot %>/"> + <Directory "<%= @documentroot %>/"> <%= scope.function_template(['apache/vhosts/partials/std_override_options.erb']) %> - - <%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %> - <%= scope.function_template(['apache/vhosts/partials/php_settings.erb']) %> + # Protect files and directories from prying eyes. + <FilesMatch "\.(engine|inc|info|install|module|profile|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template)$"> + Order allow,deny + </FilesMatch> - # Protect files and directories from prying eyes. - <FilesMatch "\.(engine|inc|info|install|module|profile|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template)$"> - Order allow,deny - </FilesMatch> - - # Customized error messages. - ErrorDocument 404 /index.php + # Customized error messages. + ErrorDocument 404 /index.php - RewriteEngine on - RewriteCond %{REQUEST_FILENAME} !-f - RewriteCond %{REQUEST_FILENAME} !-d - RewriteRule ^(.*)$ index.php?q=$1 [L,QSA] - </Directory> - <Directory "<%= documentroot %>/files/"> - SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006 - Options None - Options +FollowSymLinks - </Directory> + RewriteEngine on + RewriteCond %{REQUEST_FILENAME} !-f + RewriteCond %{REQUEST_FILENAME} !-d + RewriteRule ^(.*)$ index.php?q=$1 [L,QSA] + </Directory> + <Directory "<%= @documentroot %>/files/"> + SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006 + Options None + Options +FollowSymLinks + </Directory> diff --git a/templates/vhosts/php_gallery2/partial.erb b/templates/vhosts/php_gallery2/partial.erb index 448f720..218c0e7 100644 --- a/templates/vhosts/php_gallery2/partial.erb +++ b/templates/vhosts/php_gallery2/partial.erb @@ -1,16 +1,14 @@ - <Directory "<%= documentroot %>/"> + <Directory "<%= @documentroot %>/"> <%= scope.function_template(['apache/vhosts/partials/std_override_options.erb']) %> - <%= scope.function_template(['apache/vhosts/partials/php_settings.erb']) %> - <%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %> -<% if vhost_part != :ssl -%> - # Always rewrite login's - # Source: http://gallery.menalto.com/node/30558 - RewriteEngine On - RewriteCond %{HTTP_COOKIE} ^GALLERYSID= [OR] - RewriteCond %{QUERY_STRING} subView=core\.UserLogin - RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [NE,R,L] -<% end -%> - </Directory> + # Always rewrite login's + # Source: http://gallery.menalto.com/node/30558 + RewriteEngine On + RewriteCond %{HTTPS} !=on + RewriteCond %{HTTP:X-Forwarded-Proto} !=https + RewriteCond %{HTTP_COOKIE} ^GALLERYSID= [OR] + RewriteCond %{QUERY_STRING} subView=core\.UserLogin + RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [NE,R,L] + </Directory> diff --git a/templates/vhosts/php_joomla/partial.erb b/templates/vhosts/php_joomla/partial.erb index 3046129..55445bf 100644 --- a/templates/vhosts/php_joomla/partial.erb +++ b/templates/vhosts/php_joomla/partial.erb @@ -1,32 +1,30 @@ - <Directory "<%= documentroot %>/"> + <Directory "<%= @documentroot %>/"> <%= scope.function_template(['apache/vhosts/partials/std_override_options.erb']) %> - <%= scope.function_template(['apache/vhosts/partials/php_settings.erb']) %> - <%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %> - Include include.d/joomla.inc - </Directory> - - <Directory "<%= documentroot %>/administrator/"> - RewriteEngine on + Include include.d/joomla.inc + </Directory> + + <Directory "<%= @documentroot %>/administrator/"> + RewriteEngine on - # Rewrite URLs to https that go for the admin area - RewriteCond %{REMOTE_ADDR} !^127\.[0-9]+\.[0-9]+\.[0-9]+$ - RewriteCond %{HTTPS} !=on - RewriteCond %{REQUEST_URI} (.*/administrator/.*) - RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R] - </Directory> + # Rewrite URLs to https that go for the admin area + RewriteCond %{REMOTE_ADDR} !^127\.[0-9]+\.[0-9]+\.[0-9]+$ + RewriteCond %{HTTPS} !=on + RewriteCond %{REQUEST_URI} (.*/administrator/.*) + RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R] + </Directory> - # Deny various directories that - # shouldn't be webaccessible - <Directory "<%= documentroot %>/tmp/"> - Deny From All - </Directory> - <Directory "<%= documentroot %>/logs/"> - Deny From All - </Directory> - <Directory "<%= documentroot %>/cli/"> - Deny From All - </Directory> + # Deny various directories that + # shouldn't be webaccessible + <Directory "<%= @documentroot %>/tmp/"> + Deny From All + </Directory> + <Directory "<%= @documentroot %>/logs/"> + Deny From All + </Directory> + <Directory "<%= @documentroot %>/cli/"> + Deny From All + </Directory> diff --git a/templates/vhosts/php_mediawiki/partial.erb b/templates/vhosts/php_mediawiki/partial.erb index cf30f5f..1ed6ee3 100644 --- a/templates/vhosts/php_mediawiki/partial.erb +++ b/templates/vhosts/php_mediawiki/partial.erb @@ -1,16 +1,7 @@ -<% if run_mode == 'fcgid' -%> +<% if @run_mode == 'fcgid' -%> RewriteEngine On RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-d RewriteRule ^/?index.php/(.*)$ /index.php?title=$1 [PT,L,QSA] <% end -%> <%= scope.function_template(['apache/vhosts/php/partial.erb']) %> - <Directory "<%= documentroot %>/typo3/"> - RewriteEngine on - - # Rewrite URLs to https that go for the admin area - RewriteCond %{REMOTE_ADDR} !^127\.[0-9]+\.[0-9]+\.[0-9]+$ - RewriteCond %{HTTPS} !=on - RewriteCond %{REQUEST_URI} (.*/typo3/.*) - RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R] - </Directory> diff --git a/templates/vhosts/php_silverstripe/partial.erb b/templates/vhosts/php_silverstripe/partial.erb index 89a6052..75a8193 100644 --- a/templates/vhosts/php_silverstripe/partial.erb +++ b/templates/vhosts/php_silverstripe/partial.erb @@ -1,16 +1,12 @@ -<% if vhost_part != :ssl && ![false,'false'].include?(ssl_mode) -%> - # silverstripe - RedirectMatch /admin(.*) https://<%= servername %>/admin$1 - RedirectMatch /Security(.*) https://<%= servername %>/Security$1 - -<% end -%> - <Directory "<%= documentroot %>/"> + # silverstripe + RewriteEngine On + RewriteCond %{HTTPS} !=on + RewriteCond %{HTTP:X-Forwarded-Proto} !=https + RewriteRule /(Security|admin)(.*) https://%{HTTP_HOST}/admin$1$2 [L,R,NE] + <Directory "<%= @documentroot %>/"> <%= scope.function_template(['apache/vhosts/partials/std_override_options.erb']) %> - <%= scope.function_template(['apache/vhosts/partials/php_settings.erb']) %> - <%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %> - - Include include.d/silverstripe.inc - </Directory> + Include include.d/silverstripe.inc + </Directory> diff --git a/templates/vhosts/php_typo3/partial.erb b/templates/vhosts/php_typo3/partial.erb index 5c06570..edb2966 100644 --- a/templates/vhosts/php_typo3/partial.erb +++ b/templates/vhosts/php_typo3/partial.erb @@ -1,10 +1,9 @@ <%= scope.function_template(['apache/vhosts/php/partial.erb']) %> - <Directory "<%= documentroot %>/typo3/"> - RewriteEngine on + <Directory "<%= @documentroot %>/typo3/"> + RewriteEngine on - # Rewrite URLs to https that go for the admin area - RewriteCond %{REMOTE_ADDR} !^127\.[0-9]+\.[0-9]+\.[0-9]+$ - RewriteCond %{HTTPS} !=on - RewriteCond %{REQUEST_URI} (.*/typo3/.*) - RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R] - </Directory> + # Rewrite URLs to https that go for the admin area + RewriteCond %{HTTPS} !=on + RewriteCond %{REQUEST_URI} (.*/typo3/.*) + RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R] + </Directory> diff --git a/templates/vhosts/php_wordpress/partial.erb b/templates/vhosts/php_wordpress/partial.erb index 972ab99..7b07f21 100644 --- a/templates/vhosts/php_wordpress/partial.erb +++ b/templates/vhosts/php_wordpress/partial.erb @@ -1,6 +1,19 @@ <%= scope.function_template(['apache/vhosts/php/partial.erb']) %> -# fixes: http://git.zx2c4.com/w3-total-fail/tree/w3-total-fail.sh -<Directory "<%= documentroot %>/wp-content/w3tc/dbcache"> - Deny From All -</Directory> + # fixes: http://git.zx2c4.com/w3-total-fail/tree/w3-total-fail.sh + <Directory "<%= @documentroot %>/wp-content/w3tc/dbcache"> + Deny From All + </Directory> + + # simple wp-login brute force protection + # http://www.frameloss.org/2013/04/26/even-easier-brute-force-login-protection-for-wordpress/ + RewriteEngine On + RewriteCond %{HTTP_COOKIE} !<%= cookie = scope.function_sha1([scope.function_fqdn_rand([9999999999999,@name]).to_s + "cookie"]) %> + RewriteRule /wp-login.php /wordpress-login-<%= tmpuri = scope.function_sha1([scope.function_fqdn_rand([9999999999999,@name]).to_s + "wp-login"]) %>.php [R,L] + <Location /wordpress-login-<%= tmpuri %>.php> + CookieTracking on + CookieExpires 30 + CookieName <%= cookie %> + </Location> + RewriteRule /wordpress-login-<%= tmpuri %>.php /wp-login.php [NE] + diff --git a/templates/vhosts/proxy/partial.erb b/templates/vhosts/proxy/partial.erb index bbf3c64..0eecf82 100644 --- a/templates/vhosts/proxy/partial.erb +++ b/templates/vhosts/proxy/partial.erb @@ -1,8 +1,8 @@ - <Proxy *> - Order deny,allow - Allow from all + <Proxy *> + Order deny,allow + Allow from all <%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %> - </Proxy> - ProxyRequests Off - ProxyPass / <%= options %>/ - ProxyPassReverse / <%= options %>/ + </Proxy> + ProxyRequests Off + ProxyPass / <%= @options %>/ + ProxyPassReverse / <%= @options %>/ diff --git a/templates/vhosts/redirect/partial.erb b/templates/vhosts/redirect/partial.erb index 3b7af7a..c8d7d11 100644 --- a/templates/vhosts/redirect/partial.erb +++ b/templates/vhosts/redirect/partial.erb @@ -1 +1 @@ - Redirect permanent / https://<%= options %> + Redirect permanent / https://<%= @options %> diff --git a/templates/vhosts/static/partial.erb b/templates/vhosts/static/partial.erb index f2cc46b..dc6f11c 100644 --- a/templates/vhosts/static/partial.erb +++ b/templates/vhosts/static/partial.erb @@ -1,5 +1,4 @@ - <Directory "<%= documentroot %>/"> + <Directory "<%= @documentroot %>/"> <%= scope.function_template(['apache/vhosts/partials/std_override_options.erb']) %> - <%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %> - </Directory> + </Directory> diff --git a/templates/vhosts/webdav/partial.erb b/templates/vhosts/webdav/partial.erb index d89da50..09ce632 100644 --- a/templates/vhosts/webdav/partial.erb +++ b/templates/vhosts/webdav/partial.erb @@ -1,21 +1,21 @@ - DAVLockDB <%= real_dav_db_dir %>/DAVLock - <Directory "<%= documentroot %>/"> - Dav on - AllowOverride None - <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> - Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- unless options.include?('Indexes') then -%> Indexes<%- end -%> + DAVLockDB <%= @real_dav_db_dir %>/DAVLock + <Directory "<%= @documentroot %>/"> + Dav on + AllowOverride None +<% if @options.to_s != 'absent' || @do_includes.to_s == 'true' -%> + Options <% unless @options.to_s == 'absent' -%><%= @options %><% end -%><% unless @options.include?('Indexes') -%> Indexes<%- end -%> - <%- else -%> - Options Indexes +<% else -%> + Options Indexes - <%- end -%> +<% end -%> <%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %> - <%- if ldap_auth.to_s == 'true' then -%> - Include include.d/ldap_auth.inc - <%- unless ldap_user.to_s == 'any' -%> - Require ldap-user <%= ldap_user.to_s %> - <%- else -%> - Require valid-user - <%- end -%> - <%- end -%> - </Directory> +<% if @ldap_auth.to_s == 'true' then -%> + Include include.d/ldap_auth.inc +<% unless ldap_user.to_s == 'any' -%> + Require ldap-user <%= ldap_user.to_s %> +<% else -%> + Require valid-user +<% end + end -%> + </Directory> |