159 files changed, 2650 insertions, 3557 deletions
diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..6583f29 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.tmp_*~ @@ -0,0 +1,10 @@ +written by immerda project group +admin+puppet(at)immerda.ch + +adapted by Puzzle ITC +haerry+puppet(at)puzzle.ch + +original idea by David Schmitt +<david(at)schmitt.edv-bus.at> + +License: GPLv3 
@@ -5,28 +5,52 @@ This module tries to manage apache on different distros in a similar manner. a few additional directories have to be created as well some configuration files have to be deployed to fit this schema. -! Upgrade Notice ! +! Upgrade Notices ! - currently deployed apache::config::file resources could be broken - so one should change occurences of this resource's argument from: + * this module now only works with puppet 2.7 or newer - source => "modules/site-apache/blah" + * this module now uses parameterized classes, if you were using global + variables before, you need to change the class declarations in your manifests + + * this module now requires the stdlib module + + * this module no longer requires the common module + + * if using the munin module, you need a version of the munin module that is + at or newer than commit 77e0a70999a8c4c20ee8d9eb521b927c525ac653 (Feb 28, 2013) + + * if using munin, you will need to have the perl module installed + + * you must change your modules/site-apache to modules/site_apache + + * the $apache_no_default_site variable is no longer supported, you should + switch to passing the parameter "no_default_site => true" to the apache class - to a full source specification string: + * the $use_munin variable is no longer supported, you should switch to + passing the parameter 'manage_munin' to the apache class + + * the $use_shorewall variable is no longer supported, you should switch to + passing the parameter 'manage_shorewall' to the apache class + + * if you were using apache::vhost::file, or apache::vhost::template, there is a + wrapper called apache::vhost now that takes a $vhost_mode (either the default + 'template', or 'file), although you can continue to use the longer defines + + * Previously, apache::config::file resources would require the source to be a + full source specification, this is no longer needed, so please change any: source => "puppet:///modules/site-apache/blah" + to be: -written by immerda 
project group -admin+puppet(at)immerda.ch + source => "modules/site-apache/blah" -adapted by Puzzle ITC -haerry+puppet(at)puzzle.ch -original idea by David Schmitt -<david(at)schmitt.edv-bus.at> +Requirements: + + * puppet 2.7 or newer + * stdlib -License: GPLv3 Usage ===== @@ -38,6 +62,29 @@ To install Apache, simply include the 'apache' class in your manifests: include apache +This will give you a basic managed setup. You can pass a couple parameters to the +class to have the module do some things for you: + + * manage_shorewall: If you have the shorewall module installed and are using + it then rules will be automatically defined for you to let traffic come from + the exterior into the web server via port 80, and also 443 if you're using + the apache::ssl class. (Default: false) + + * manage_munin: If you have the munin module installed and are using it, then + some apache graphs will be configured for you. (Default: false) + + * no_default_site: If you do not want the 0-default.conf and + 0-default_ssl.conf virtualhosts automatically created in your node + configuration. (Default: false) + +For example: + + class { 'apache': + manage_shorewall => true, + manage_munin => true, + no_default_site => true + } + If you want to install Apache and also enable SSL support: include apache::ssl 
@@ -46,55 +93,133 @@ You can install the ITK worker model to enforce stronger, per-user security: include apache::itk +On CentOS you can include 'apache::itk_plus' to get that mode. Not currently +implemented for other operating systems + You can combine SSL support and the ITK worker model by including both classes. -If you do not want the 0-default.conf and 0-default_ssl.conf virtualhosts -automatically created, then simply set $apache_no_default_site = true in your -node configuration. Configuring Apache ------------------ -To deploy a global configuration file in the conf.d directory under Apache's -config directory, you can use the following: +To deploy a configuration files to the conf.d or include.d directory under +Apache's config directory, you can use the following: -apache::config::global { 'filename': +apache::config::file { 'filename': content => 'Alias /thisApplication /usr/share/thisApplication/htdocs', } +by default this will deploy a conf.d global configuration file called 'filename' +with that content. + +You can pass the parameter 'type => include' to add includes for vhosts + + To manage users in an htpasswd file: apache::htpasswd_user { "joe@$domain": - site => "$domain", - username => 'joe', - password => "$pass", - password_iscrypted = true, + ensure => present, # default: present + site => "$domain", # default: 'absent' - will use $name + username => 'joe', # default: 'absent' - will use $name + password => "pass", + password_iscrypted => false, # default: false - will sha1 hash the value + path => 'absent' # default: 'absent' - /var/www/htpasswds/${site} } +This will place an encrypted version of "pass" for user joe into +/var/www/htpasswds/${site} + +You will need to make sure that ${site} exists before this is done, see the +apache::vhost class below for how this is done. 
+ VirtualHost files ----------------- -vhosts can be added with the vhosts define: -(currently only plain vhosts file are supported) +vhosts can be added with the apache::vhost define. + +You can ship a flat file containing the configuration, or a template. That is +controlled by the 'vhost_mode' parameter, which can be either 'file', or +'template' (default). -apache::vhosts::file { "$domain" } +Unless specified, the source will be automatically pulled from +modules/site_apache/{templates,files}/vhosts.d, searched in this order: -multiple shortcuts can be used to define a vhost with certain capabilities: + "puppet:///modules/site_apache/vhosts.d/${::fqdn}/${name}.conf", + "puppet:///modules/site_apache/vhosts.d/{$apache::cluster_node}/${name}.conf", + "puppet:///modules/site_apache/vhosts.d/${::operatingsystem}.${::lsbdistcodename}/${name}.conf", + "puppet:///modules/site_apache/vhosts.d/${::operatingsystem}/${name}.conf", + "puppet:///modules/site_apache/vhosts.d/${name}.conf", -apache::vhosts::php::drupal { "$domain" } +otherwise you can pass a 'content' parameter to configure a template location that +it should be pulled from, or a 'vhost_source' parameter to specify the file source. -Munin ------ +For example: -If you are using munin, and have the puppet munin module installed, you can set -the variable $use_munin = true to have graphs setup for you. +This would deploy a the vhost for $domain, pulled from a file from the sources +listed above: + +apache::vhost { "$domain": vhost_mode => 'file' } + +apache::vhost { "$domain": + vhost_mode => 'file', + vhost_source => 'modules/site_configs/vhosts.d/${name}.conf" +} -For now, though, this only enables the server-status page in apache. 
-Shorewall ---------- +There are multiple other additional configurables that you can pass to each +vhost definition: + +* logmode: + - default: Do normal logging to CustomLog and ErrorLog + - nologs: Send every logging to /dev/null + - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null + - semianonym: Don't log ips for CustomLog, log normal ErrorLog + +* run_mode: controls in which mode the vhost should be run, there are different setups + possible: + - normal: (*default*) run vhost with the current active worker (default: prefork) don't + setup anything special + - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination + with 'proxy-itk' & 'static-itk' mode) + - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the + requests for the itk setup, that listens only on the loobpack device. + (Incompatibility: cannot be used in combination with the itk setup.) + - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static + content and proxies the dynamic calls to the itk setup, that listens only on + the loobpack device (Incompatibility: cannot be used in combination with + 'itk' mode) + +* mod_security: Whether we use mod_security or not (will include mod_security module) + - false: (*default*) don't activate mod_security + - true: activate mod_security + +For templates, you can pass various parameters that will automatically configure +the template accordingly (such as php_options and php_settings). Please see +manifests/vhost/template.pp for the full list. 
+ +There are various pre-made vhost configurations that use good defaults that you can use: + +apache::vhost::gitweb - sets up a gitweb vhost +apache::vhost::modperl - uses modperl, with optional fastcgi +apache::vhost::passenger - setup passenger +apache::vhost::proxy - setup a proxy vhost +apache::vhost::redirect - vhost to redirect hosts +apache::vhost::static - a static vhost +apache::vhost::webdav - for managing webdave accessible targets + +Additionally, for php sites, there are several handy pre-made vhost configurations: + +apache::vhost::php::drupal +apache::vhost::php::gallery2 +apache::vhost::php::global_exec_bin_dir +apache::vhost::php::joomla +apache::vhost::php::mediawiki +apache::vhost::php::safe_mode_bin +apache::vhost::php::silverstripe +apache::vhost::php::simplemachine +apache::vhost::php::spip +apache::vhost::php::standard +apache::vhost::php::typo3 +apache::vhost::php::webapp +apache::vhost::php::wordpress -If you have the shorewall module installed and are using it, you can set the -variable $use_shorewall = true to have a rule automatically defined for you to -let traffic come from the exterior into the web server via port 80, and also -443 if you're using the apache::ssl class. diff --git a/files/include.d/CentOS/ssl_defaults.inc b/files/include.d/CentOS/ssl_defaults.inc index 5cc663f..7735ebb 100644 --- a/files/include.d/CentOS/ssl_defaults.inc +++ b/files/include.d/CentOS/ssl_defaults.inc @@ -1,9 +1,3 @@ -# Use separate log files for the SSL virtual host; note that LogLevel -# is not inherited from httpd.conf. -ErrorLog logs/ssl_error_log -TransferLog logs/ssl_access_log -LogLevel warn - # SSL Engine Switch: # Enable/Disable SSL for this virtual host. SSLEngine on 
@@ -11,13 +5,16 @@ SSLEngine on
 # SSL Protocol support:
 # List the enable protocol levels with which clients will be able to
 # connect. Disable SSLv2 access by default:
-SSLProtocol all -SSLv2
+#SSLProtocol all -SSLv2
+SSLProtocol -all +SSLv3 +TLSv1
 # SSL Cipher Suite:
 # List the ciphers that the client is permitted to negotiate.
 # See the mod_ssl documentation for a complete list.
-SSLCipherSuite HIGH:MEDIUM:!ADH:-SSLv2
+#SSLCipherSuite HIGH:MEDIUM:!ADH:-SSLv2
+SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH
+SSLHonorCipherOrder on
 # Server Certificate:
 # Point SSLCertificateFile at a PEM encoded certificate. If
@@ -134,8 +131,5 @@ SetEnvIf User-Agent ".*MSIE.*" \
 nokeepalive ssl-unclean-shutdown \
 downgrade-1.0 force-response-1.0
-# Per-Server Logging:
-# The home of a custom SSL log file. Use this when you want a
-# compact non-error SSL logfile on a virtual host basis.
-CustomLog logs/ssl_request_log \
- "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+# set STS Header
+Header add Strict-Transport-Security "max-age=15768000"
diff --git a/files/include.d/Debian/ssl_defaults.inc b/files/include.d/Debian/ssl_defaults.inc
index 3a67cd3..7030ec8 100644
--- a/files/include.d/Debian/ssl_defaults.inc
+++ b/files/include.d/Debian/ssl_defaults.inc
@@ -11,13 +11,13 @@ SSLEngine on
 # SSL Protocol support:
 # List the enable protocol levels with which clients will be able to
 # connect. Disable SSLv2 access by default:
-SSLProtocol all -SSLv2
+SSLProtocol -all +SSLv3 +TLSv1
 # SSL Cipher Suite:
 # List the ciphers that the client is permitted to negotiate.
 # See the mod_ssl documentation for a complete list.
-SSLCipherSuite HIGH:MEDIUM:!ADH:-SSLv2
-
+SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH
+SSLHonorCipherOrder on
 # Server Certificate:
 # Point SSLCertificateFile at a PEM encoded certificate. If
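Review bot: `SSLProtocol -all +SSLv3 +TLSv1` turns the old blacklist into a whitelist that still admits SSLv3 and, unlike `all -SSLv2`, shuts out TLSv1.1 and TLSv1.2 on httpd/OpenSSL builds that offer them, so the change narrows rather than raises the ceiling. `SSLProtocol all -SSLv2 -SSLv3` keeps the newer versions available; if SSLv3 must stay for old clients on these hosts, a comment saying so would stop the next reader from assuming an oversight. The new cipher string is an improvement (`!aNULL` and `!MD5`), though `HIGH:MEDIUM` still permits RC4 and 3DES, which is worth an explicit `!RC4` once client support allows. `SSLHonorCipherOrder on` is the right companion to a server-chosen list.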
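Review bot: `Header add Strict-Transport-Security` appends rather than sets, so a vhost that also emits the header ends up sending two, and a plain `Header` directive is only applied to successful responses, not to redirects or error pages; `Header always set Strict-Transport-Security "max-age=15768000"` covers both cases. The directive also silently depends on mod_headers being loaded, so either the module should guarantee that or the line belongs inside `<IfModule mod_headers.c>` to avoid a failed config test on minimal installs. Leaving out `includeSubDomains` in a shared default is the right call, since that is a per-site decision.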
@@ -139,3 +139,6 @@ SetEnvIf User-Agent ".*MSIE.*" \
 # compact non-error SSL logfile on a virtual host basis.
 CustomLog /var/log/apache2/ssl_request_log \
 "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+
+# set STS Header
+Header add Strict-Transport-Security "max-age=15768000"
diff --git a/files/include.d/OpenBSD/ssl_defaults.inc b/files/include.d/OpenBSD/ssl_defaults.inc
index e7d2c36..67cf36f 100644
--- a/files/include.d/OpenBSD/ssl_defaults.inc
+++ b/files/include.d/OpenBSD/ssl_defaults.inc
@@ -1,4 +1,5 @@
 SSLEngine on
-SSLCipherSuite HIGH:MEDIUM:!ADH:-SSLv2
+#SSLCipherSuite HIGH:MEDIUM:!ADH:-SSLv2
+SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH
 SSLCertificateFile /etc/ssl/server.crt
 SSLCertificateKeyFile /etc/ssl/private/server.key
diff --git a/files/include.d/silverstripe.inc b/files/include.d/silverstripe.inc
new file mode 100644
index 0000000..40c44e4
--- /dev/null
+++ b/files/include.d/silverstripe.inc
@@ -0,0 +1,17 @@
+# silverstripe .htaccess
+<Files *.ss>
+ Order deny,allow
+ Deny from all
+ #Allow from 127.0.0.1
+</Files>
+
+<IfModule mod_rewrite.c>
+ RewriteEngine On
+ #RewriteBase /
+
+ RewriteCond %{REQUEST_URI} !(\.gif$)|(\.jpg$)|(\.png$)|(\.css$)|(\.js$)
+
+ RewriteCond %{REQUEST_URI} ^(.*)$
+ RewriteCond %{REQUEST_FILENAME} !-f
+ RewriteRule .* sapphire/main.php?url=%1&%{QUERY_STRING} [L]
+</IfModule>
diff --git a/files/itk_plus/conf.d/CentOS/ssl.conf b/files/itk_plus/conf.d/CentOS/ssl.conf
new file mode 100644
index 0000000..fb0c915
--- /dev/null
+++ b/files/itk_plus/conf.d/CentOS/ssl.conf
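Review bot: The OpenBSD include receives the new cipher string but none of the other hardening applied to CentOS and Debian in this commit: there is no `SSLProtocol` directive at all, no `SSLHonorCipherOrder on`, and no Strict-Transport-Security header, so the three platforms now diverge in what they negotiate. If this is deliberate because the OpenBSD httpd/mod_ssl version does not support those directives, a one-line comment to that effect would prevent someone "fixing" it; otherwise at least `SSLProtocol all -SSLv2` belongs here as well. The `!SSLv2` token in the cipher list does not by itself disable the protocol.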
@@ -0,0 +1,75 @@ +# +# This is the Apache server configuration file providing SSL support. +# It contains the configuration directives to instruct the server how to +# serve pages over an https connection. For detailing information about these +# directives see <URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html> +# +# Do NOT simply read the instructions in here without understanding +# what they do. They're here only as hints or reminders. If you are unsure +# consult the online docs. You have been warned. +# + +LoadModule ssl_module modules/mod_ssl.so + +# +# When we also provide SSL we have to listen to the +# the HTTPS port in addition. +# +NameVirtualHost *:443 + +## +## SSL Global Context +## +## All SSL configuration in this context applies both to +## the main server and all SSL-enabled virtual hosts. +## + +# +# Some MIME-types for downloading Certificates and CRLs +# +AddType application/x-x509-ca-cert .crt +AddType application/x-pkcs7-crl .crl + +# Pass Phrase Dialog: +# Configure the pass phrase gathering process. +# The filtering dialog program (`builtin' is a internal +# terminal dialog) has to provide the pass phrase on stdout. +SSLPassPhraseDialog builtin + +# Inter-Process Session Cache: +# Configure the SSL Session Cache: First the mechanism +# to use and second the expiring timeout (in seconds). +#SSLSessionCache dc:UNIX:/var/cache/mod_ssl/distcache +SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000) +SSLSessionCacheTimeout 300 + +# Semaphore: +# Configure the path to the mutual exclusion semaphore the +# SSL engine uses internally for inter-process synchronization. +SSLMutex default + +# Pseudo Random Number Generator (PRNG): +# Configure one or more sources to seed the PRNG of the +# SSL library. The seed data should be of good random quality. +# WARNING! On some platforms /dev/random blocks if not enough entropy +# is available. 
This means you then cannot use the /dev/random device +# because it would lead to very long connection times (as long as +# it requires to make more entropy available). But usually those +# platforms additionally provide a /dev/urandom device which doesn't +# block. So, if available, use this one instead. Read the mod_ssl User +# Manual for more details. +SSLRandomSeed startup file:/dev/urandom 256 +SSLRandomSeed connect builtin +#SSLRandomSeed startup file:/dev/random 512 +#SSLRandomSeed connect file:/dev/random 512 +#SSLRandomSeed connect file:/dev/urandom 512 + +# +# Use "SSLCryptoDevice" to enable any supported hardware +# accelerators. Use "openssl engine -v" to list supported +# engine names. NOTE: If you enable an accelerator and the +# server does not start, consult the error logs and ensure +# your accelerator is functioning properly. +# +SSLCryptoDevice builtin +#SSLCryptoDevice ubsec diff --git a/files/munin/apache_activity b/files/munin/apache_activity new file mode 100755 index 0000000..65fc072 --- /dev/null +++ b/files/munin/apache_activity 
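Review bot: The file declares `NameVirtualHost *:443` but, unlike the stock CentOS ssl.conf it is modelled on, contains no `Listen 443`; presumably the port is opened by the 00-listen.conf template that `apache::centos::itk_plus` enables, but that coupling is invisible from this file. A comment such as `# Listen 443 is provided by conf.d/00-listen.conf (managed by apache::centos::itk_plus)` would make the dependency explicit to anyone debugging a silent-on-443 server. The `SSLSessionCache shmcb:` and `SSLRandomSeed` settings match the upstream defaults and look fine.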
@@ -0,0 +1,99 @@
+#!/usr/bin/perl
+#
+# Parameters supported:
+#
+# config
+# autoconf
+#
+# Configurable variables
+#
+# url - Override default status-url
+#
+# Magic markers:
+#%# family=auto
+#%# capabilities=autoconf
+
+my $ret = undef;
+if (!eval "require LWP::UserAgent;") {
+ $ret = "LWP::UserAgent not found";
+}
+
+my $URL = exists $ENV{'url'} ? $ENV{'url'} : "http://127.0.0.1:%d/server-status?auto";
+my @PORTS = exists $ENV{'ports'} ? split(' ', $ENV{'ports'}) : (80);
+my %chars = (
+ # '\_' => 'Waiting',
+ # 'S' => 'Starting up',
+ 'R' => 'Reading request',
+ 'W' => 'Sending reply',
+ 'K' => 'Keepalive',
+ 'D' => 'DNS lookup',
+ 'C' => 'Closing',
+ # 'L' => 'Logging',
+ # 'G' => 'Gracefully finishing',
+ # 'I' => 'Idle cleanup',
+ # '\.' => 'Open slot',
+ );
+
+# "_" Waiting for Connection, "S" Starting up, "R" Reading Request,
+# "W" Sending Reply, "K" Keepalive (read), "D" DNS Lookup,
+# "C" Closing connection, "L" Logging, "G" Gracefully finishing,
+# "I" Idle cleanup of worker, "." Open slot with no current process
+
+if (exists $ARGV[0] and $ARGV[0] eq "autoconf") {
+ if ($ret) {
+ print "no ($ret)\n";
+ exit 1;
+ }
+ my $ua = LWP::UserAgent->new(timeout => 30);
+ my @badports;
+
+ foreach my $port (@PORTS) {
+ my $url = sprintf $URL, $port;
+ my $response = $ua->request(HTTP::Request->new('GET',$url));
+ push @badports, $port unless $response->is_success and $response->content =~ /Scoreboard/im;
+ }
+
+ if (@badports) {
+ print "no (no apache server-status on ports @badports)\n";
+ exit 1;
+ } else {
+ print "yes\n";
+ exit 0;
+ }
+}
+
+if (exists $ARGV[0] and $ARGV[0] eq "config") {
+ print "graph_title Apache activity\n";
+ print "graph_args --base 1000 -l 0\n";
+ print "graph_category apache\n";
+ print "graph_vlabel processes\n";
+ foreach my $port (@PORTS) {
+ while (my ($char, $val) = each (%chars)) {
+ $char =~ s/\\\./dot/;
+ $char =~ s/\\\_/underline/;
+ print "activity_${port}_${char}.label ";
+ print $val, "\n";
+ print "activity_${port}_${char}.type GAUGE\n";
+ }
+ }
+ exit 0;
+}
+
+foreach my $port (@PORTS) {
+ my $ua = LWP::UserAgent->new (timeout => 30);
+ my $url = sprintf $URL, $port;
+ my $response = $ua->request (HTTP::Request->new('GET',$url));
+ if ($response->content =~ /^Scoreboard\:\s?(.*)$/sm) {
+ my $string = $1;
+ chomp $string;
+ my @act = split (//, $string);
+ foreach my $char (keys (%chars)) {
+ my $num = scalar (grep (/$char/, @act));
+ $char =~ s/\\\./dot/;
+ $char =~ s/\\\_/underline/;
+ print "activity_${port}_${char}.value $num\n";
+ }
+ }
+}
+
+
diff --git a/files/service/CentOS/httpd.itk_plus b/files/service/CentOS/httpd.itk_plus
new file mode 100644
index 0000000..4d74de2
--- /dev/null
+++ b/files/service/CentOS/httpd.itk_plus
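Review bot: The data-collection loop at the bottom matches against `$response->content` without checking `$response->is_success`, so a 401/403 from a protected server-status or a 404 prints nothing at all, which munin records as a silent gap rather than a plugin error; `next unless $response->is_success;` before the match fixes that, and the autoconf branch above already does the equivalent check. The script also has no `use strict; use warnings;`, and the `LWP::UserAgent` availability result in `$ret` is consulted only under autoconf, so a normal run on a host without LWP dies with an unhelpful "Can't locate object method" instead of the prepared message. `$ENV{url}` is passed straight to `sprintf` as the format string, so a configured URL containing a literal `%` would be mangled; that is tolerable for an admin-set munin config but deserves a comment next to the `$URL` assignment.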
@@ -0,0 +1,24 @@ +# Configuration file for the httpd service. + +# +# The default processing model (MPM) is the process-based +# 'prefork' model. A thread-based model, 'worker', is also +# available, but does not work with some modules (such as PHP). +# The service must be stopped before changing this variable. +# +#HTTPD=/usr/sbin/httpd.worker +HTTPD=/usr/sbin/httpd +HTTPD_LOCAL=/usr/sbin/httpd.itk + +# +# To pass additional options (for instance, -D definitions) to the +# httpd binary at startup, set OPTIONS here. +# +#OPTIONS= + +# +# By default, the httpd process is started in the C locale; to +# change the locale in which the server runs, the HTTPD_LANG +# variable can be set. +# +#HTTPD_LANG=C diff --git a/files/service/CentOS/httpd.worker b/files/service/CentOS/httpd.worker new file mode 100644 index 0000000..290923f --- /dev/null +++ b/files/service/CentOS/httpd.worker @@ -0,0 +1,22 @@ +# Configuration file for the httpd service. + +# +# The default processing model (MPM) is the process-based +# 'prefork' model. A thread-based model, 'worker', is also +# available, but does not work with some modules (such as PHP). +# The service must be stopped before changing this variable. +# +HTTPD=/usr/sbin/httpd.worker + +# +# To pass additional options (for instance, -D definitions) to the +# httpd binary at startup, set OPTIONS here. +# +#OPTIONS= + +# +# By default, the httpd process is started in the C locale; to +# change the locale in which the server runs, the HTTPD_LANG +# variable can be set. +# +#HTTPD_LANG=C diff --git a/files/vhosts.d/CentOS/0-default_ssl.conf b/files/vhosts.d/CentOS/0-default_ssl.conf index 9f8c4b6..d018bcc 100644 --- a/files/vhosts.d/CentOS/0-default_ssl.conf +++ b/files/vhosts.d/CentOS/0-default_ssl.conf 
@@ -8,6 +8,12 @@ Include include.d/ssl_defaults.inc
 DocumentRoot /var/www/html
+ # Use separate log files for the SSL virtual host; note that LogLevel
+ # is not inherited from httpd.conf.
+ ErrorLog logs/ssl_error_log
+ TransferLog logs/ssl_access_log
+ LogLevel warn
+
 SSLCertificateFile /etc/pki/tls/certs/localhost.crt
 SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
 </VirtualHost>
diff --git a/files/vhosts.d/Gentoo/0-default_ssl.conf b/files/vhosts.d/Gentoo/0-default_ssl.conf
index 7efe879..a123de8 100644
--- a/files/vhosts.d/Gentoo/0-default_ssl.conf
+++ b/files/vhosts.d/Gentoo/0-default_ssl.conf
@@ -31,7 +31,8 @@ UseCanonicalName On
 # List the ciphers that the client is permitted to negotiate.
 # See the mod_ssl documentation for a complete list.
 #SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
- SSLCipherSuite HIGH:MEDIUM:!ADH:-SSLv2
+ #SSLCipherSuite HIGH:MEDIUM:!ADH:-SSLv2
+ SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:@STRENGTH
 SSLCertificateFile /e/certs/server.crt
 SSLCertificateKeyFile /e/certs/server.key
diff --git a/manifests/base.pp b/manifests/base.pp
index 984dc32..35fc42e 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
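Review bot: The Gentoo default SSL vhost gets `SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:@STRENGTH`, whereas the CentOS, Debian and OpenBSD includes touched by this commit use `HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH`; the `!MD5` exclusion is missing here, and neither `SSLHonorCipherOrder on` nor the `SSLProtocol` change made on the other platforms is applied. Unless there is a Gentoo-specific reason, aligning the lines keeps the platforms equivalent: `SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH` followed by `SSLHonorCipherOrder on`. The enclosing `<VirtualHost>` block starts and ends outside the hunk.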
@@ -1,49 +1,62 @@ +# setup base apache class class apache::base { - file{'vhosts_dir': - path => '/etc/apache2/vhosts.d', - ensure => directory, - owner => root, group => 0, mode => 0755; - } - file{'config_dir': - path => '/etc/apache2/conf.d', - ensure => directory, - owner => root, group => 0, mode => 0755; - } - file{'include_dir': - path => '/etc/apache2/include.d', - ensure => directory, - owner => root, group => 0, mode => 0755; - } - file{'modules_dir': - path => '/etc/apache2/modules.d', - ensure => directory, - owner => root, group => 0, mode => 0755; - } - file{'htpasswd_dir': - path => '/var/www/htpasswds', - ensure => directory, - owner => root, group => apache, mode => 0640; - } - file{'web_dir': - path => '/var/www', - ensure => directory, - owner => root, group => 0, mode => 0755; - } - service { apache: - name => 'apache2', - enable => true, - ensure => running, - } - file { 'default_apache_index': - path => '/var/www/localhost/htdocs/index.html', - ensure => file, - content => template('apache/default/default_index.erb'), - owner => root, group => 0, mode => 0644; - } + file{ + 'vhosts_dir': + ensure => directory, + path => '/etc/apache2/vhosts.d', + owner => root, + group => 0, + mode => '0644'; + 'config_dir': + ensure => directory, + path => '/etc/apache2/conf.d', + owner => root, + group => 0, + mode => '0644'; + 'include_dir': + ensure => directory, + path => '/etc/apache2/include.d', + owner => root, + group => 0, + mode => '0644'; + 'modules_dir': + ensure => directory, + path => '/etc/apache2/modules.d', + owner => root, + group => 0, + mode => '0644'; + 'htpasswd_dir': + ensure => directory, + path => '/var/www/htpasswds', + owner => root, + group => 'apache', + mode => '0640'; + 'web_dir': + ensure => directory, + path => '/var/www', + owner => root, + group => 0, + mode => '0644'; + 'default_apache_index': + path => '/var/www/localhost/htdocs/index.html', + content => template('apache/default/default_index.erb'), + owner => root, + 
group => 0, + mode => '0644'; + } + anchor{'apache::basic_dirs::ready': + require => File['vhosts_dir','config_dir','include_dir','modules_dir','htpasswd_dir','web_dir','default_apache_index'] + } apache::config::include{ 'defaults.inc': } apache::config::global{ 'git.conf': } - if !$apache_no_default_site { + if !$apache::no_default_site { apache::vhost::file { '0-default': } } + + service{'apache': + ensure => running, + name => 'apache2', + enable => true, + } } diff --git a/manifests/centos.pp b/manifests/centos.pp index cb47adc..caf46ce 100644 --- a/manifests/centos.pp +++ b/manifests/centos.pp 
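Review bot: Every directory in the rewritten `file` block now carries `mode => '0644'` where it previously had 0755, and `htpasswd_dir` carries '0640'; this only works because Puppet adds the search bit to a directory wherever the read bit is set, so the effective modes are 0755 and 0750 anyway. Writing the intended `mode => '0755'` (and `'0750'` for `htpasswd_dir`) states the result directly and does not rely on that rule, which is easy to forget when the same literal is later reused for a plain file. Keeping `htpasswd_dir` group-owned by `apache` with no world bits is the right choice for credential files. `default_apache_index` lost its explicit `ensure => file`; with `content` set the default ensure is equivalent, so that is a cosmetic rather than behavioural change.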
@@ -6,36 +6,76 @@ class apache::centos inherits apache::package { name => 'httpd', } Service[apache]{ - name => 'httpd', + name => 'httpd', restart => '/etc/init.d/httpd graceful', } File[vhosts_dir]{ - path => "$config_dir/vhosts.d", + path => "${config_dir}/vhosts.d", } File[config_dir]{ - path => "$config_dir/conf.d", + path => "${config_dir}/conf.d", } File[include_dir]{ - path => "$config_dir/include.d", + path => "${config_dir}/include.d", } File[modules_dir]{ - path => "$config_dir/modules.d", + path => "${config_dir}/modules.d", } File[web_dir]{ - path => "/var/www/vhosts", + path => '/var/www/vhosts', } File[default_apache_index]{ path => '/var/www/html/index.html', } + if $::selinux != 'false' { + Selinux::Fcontext{ + before => File[web_dir], + } + $seltype_rw = $::lsbmajdistrelease ? { + 5 => 'httpd_sys_script_rw_t', + default => 'httpd_sys_rw_content_t' + } + selinux::fcontext{ + [ '/var/www/vhosts/[^/]*/www(/.*)?', + '/var/www/vhosts/[^/]*/non_public(/.*)?', + '/var/www/vhosts/[^/]*/g2data(/.*)?', + '/var/www/vhosts/[^/]*/upload(/.*)?' 
]: + require => Package['apache'], + setype => $seltype_rw; + '/var/www/vhosts/[^/]*/logs(/.*)?': + require => Package['apache'], + setype => 'httpd_log_t'; + } + } file{'apache_service_config': - path => '/etc/sysconfig/httpd', - source => [ "puppet://$server/modules/site-apache/service/CentOS/${fqdn}/httpd", - "puppet://$server/modules/site-apache/service/CentOS/httpd", - "puppet://$server/modules/apache/service/CentOS/httpd" ], + path => '/etc/sysconfig/httpd', + source => [ "puppet:///modules/site_apache/service/CentOS/${::fqdn}/httpd", + 'puppet:///modules/site_apache/service/CentOS/httpd', + 'puppet:///modules/apache/service/CentOS/httpd' ], + require => Package['apache'], + notify => Service['apache'], + owner => root, + group => 0, + mode => '0644'; + } + + # this is for later fixes + exec{ + 'adjust_pidfile': + command => 'sed -i "s/^#PidFile \(.*\)/PidFile \1/g" /etc/httpd/conf/httpd.conf', + unless => 'grep -qE \'^PidFile \' /etc/httpd/conf/httpd.conf', + require => Package['apache'], + notify => Service['apache']; + 'adjust_listen': + command => 'sed -i "s/^#Listen 80/Listen 80/g" /etc/httpd/conf/httpd.conf', + unless => 'grep -qE \'^Listen 80\' /etc/httpd/conf/httpd.conf', require => Package['apache'], - notify => Service['apache'], - owner => root, group => 0, mode => 0644; + notify => Service['apache']; + } + + apache::config::global{'00-listen.conf': + ensure => absent, } include apache::logrotate::centos diff --git a/manifests/centos/itk.pp b/manifests/centos/itk.pp index 94f0f1c..20f4270 100644 --- a/manifests/centos/itk.pp +++ b/manifests/centos/itk.pp 
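Review bot: The new SELinux contexts label `/var/www/vhosts/*/www`, i.e. the document root itself, with the read-write type (`httpd_sys_rw_content_t`, or `httpd_sys_script_rw_t` on release 5), which lets httpd or a compromised PHP process rewrite the content it serves; the value of the default `httpd_sys_content_t` label is precisely that served code is read-only to the web server. If writable docroots are a deliberate requirement of the vhost templates, a comment on the `selinux::fcontext` list should say so; otherwise leave `www` at the default label and confine the rw type to `upload`, `non_public` and `g2data`. The `adjust_pidfile`/`adjust_listen` execs use fixed sed expressions with matching `unless` guards, so they are idempotent.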
@@ -5,8 +5,6 @@ class apache::centos::itk inherits apache::centos { name => 'httpd-itk', } File['apache_service_config']{ - source => [ "puppet://$server/modules/site-apache/service/CentOS/${fqdn}/httpd.itk", - "puppet://$server/modules/site-apache/service/CentOS/httpd.itk", - "puppet://$server/modules/apache/service/CentOS/httpd.itk" ], + source => "puppet:///modules/apache/service/${::operatingsystem}/httpd.itk" } } diff --git a/manifests/centos/itk_plus.pp b/manifests/centos/itk_plus.pp new file mode 100644 index 0000000..0df92c8 --- /dev/null +++ b/manifests/centos/itk_plus.pp @@ -0,0 +1,20 @@ +# http://hostby.net/home/2008/07/12/centos-5-and-mpm-itk/ +class apache::centos::itk_plus inherits apache::centos::itk { + Exec['adjust_pidfile']{ + command => "sed -i 's/^PidFile \\(.*\\)/#PidFile \\1/g' /etc/httpd/conf/httpd.conf", + unless => "grep -qE '^#PidFile ' /etc/httpd/conf/httpd.conf", + } + Exec['adjust_listen']{ + command => "sed -i 's/^Listen 80/#Listen 80/g' /etc/httpd/conf/httpd.conf", + unless => "grep -qE '^#Listen 80' /etc/httpd/conf/httpd.conf", + } + + Apache::Config::Global['00-listen.conf']{ + ensure => 'present', + content => template("apache/itk_plus/${::operatingsystem}/00-listen.conf.erb"), + } + + File['apache_service_config']{ + source => "puppet:///modules/apache/service/CentOS/httpd.itk_plus" + } +} diff --git a/manifests/centos/module.pp b/manifests/centos/module.pp index 4bbf251..3220d1f 100644 --- a/manifests/centos/module.pp +++ b/manifests/centos/module.pp 
@@ -3,20 +3,20 @@ define apache::centos::module( $source = '', $destination = '' ){ - $modules_dir = "$apache::centos::config_dir/modules.d" + $modules_dir = "${apache::centos::config_dir}/modules.d" $real_destination = $destination ? { '' => "${modules_dir}/${name}.so", default => $destination, } $real_source = $source ? { '' => [ - "puppet://$server/modules/site-apache/modules.d/${fqdn}/${name}.so", - "puppet://$server/modules/site-apache/modules.d/${apache_cluster_node}/${name}.so", - "puppet://$server/modules/site-apache/modules.d/${name}.so", - "puppet://$server/modules/apache/modules.d/${operatingsystem}/${name}.so", - "puppet://$server/modules/apache/modules.d/${name}.so" + "puppet:///modules/site_apache/modules.d/${::fqdn}/${name}.so", + "puppet:///modules/site_apache/modules.d/${apache::cluster_node}/${name}.so", + "puppet:///modules/site_apache/modules.d/${name}.so", + "puppet:///modules/apache/modules.d/${::operatingsystem}/${name}.so", + "puppet:///modules/apache/modules.d/${name}.so" ], - default => "puppet://$server/$source", + default => "puppet:///$source", } file{"modules_${name}.conf": ensure => $ensure, diff --git a/manifests/centos/worker.pp b/manifests/centos/worker.pp new file mode 100644 index 0000000..f374bb7 --- /dev/null +++ b/manifests/centos/worker.pp @@ -0,0 +1,5 @@ +class apache::centos::worker inherits apache::centos { + File['apache_service_config']{ + source => "puppet:///modules/apache/service/${::operatingsystem}/httpd.worker" + } +} diff --git a/manifests/config/file.pp b/manifests/config/file.pp index e04b631..308da68 100644 --- a/manifests/config/file.pp +++ b/manifests/config/file.pp 
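Review bot: The rest of the hunk moves to `${var}` interpolation, but the `default` branch keeps the bare form `"puppet:///$source"`; `"puppet:///${source}"` would match and satisfies puppet-lint. Dropping the `$server` host from the fileserver URLs is correct for Puppet 2.7, where `puppet:///modules/...` resolves against the current master. The define's parameter list is outside the hunk, so whether `$source` is documented as a module-relative path like the README's `modules/site-apache/blah` is not visible here.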
@@ -14,7 +14,7 @@ define apache::config::file( default: { fail("Wrong config file type specified for ${name}") } } $real_destination = $destination ? { - 'absent' => $operatingsystem ? { + 'absent' => $::operatingsystem ? { centos => "${apache::centos::config_dir}/${confdir}/${name}", gentoo => "${apache::gentoo::config_dir}/${name}", debian => "${apache::debian::config_dir}/${confdir}/${name}", @@ -30,16 +30,24 @@ define apache::config::file( notify => Service[apache], owner => root, group => 0, mode => 0644; } - - case $ensure { - 'absent','purged': { - # We want to avoid all stuff related to source and content - } - 'link': { - if $target != false { - File["apache_${name}"] { - target => $target, - } + if $ensure == 'present' { + case $content { + 'absent': { + $real_source = $source ? { + 'absent' => [ + "puppet:///modules/site_apache/${confdir}/${::fqdn}/${name}", + "puppet:///modules/site_apache/${confdir}/${apache::cluster_node}/${name}", + "puppet:///modules/site_apache/${confdir}/${::operatingsystem}.${::lsbdistcodename}/${name}", + "puppet:///modules/site_apache/${confdir}/${::operatingsystem}/${name}", + "puppet:///modules/site_apache/${confdir}/${name}", + "puppet:///modules/apache/${confdir}/${::operatingsystem}.${::lsbdistcodename}/${name}", + "puppet:///modules/apache/${confdir}/${::operatingsystem}/${name}", + "puppet:///modules/apache/${confdir}/${name}" + ], + default => $source + } + File["apache_${name}"]{ + source => $real_source, } } default: { @@ -69,10 +77,11 @@ define apache::config::file( } } } + } } - case $operatingsystem { - openbsd: { info("no package dependency on ${operatingsystem} for ${name}") } + case $::operatingsystem { + openbsd: { info("no package dependency on ${::operatingsystem} for ${name}") } default: { File["apache_${name}"]{ require => Package[apache], diff --git a/manifests/debian.pp b/manifests/debian.pp index 828245f..d009e25 100644 --- a/manifests/debian.pp +++ b/manifests/debian.pp 
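Review bot: The removed `case $ensure` block contained the `'link'` branch that set `target => $target` on `File["apache_${name}"]`, and no added line in the hunk re-establishes it; unless `target` is handled somewhere outside the visible lines, `apache::config::file { ...: ensure => link, target => ... }` now produces a link resource with no target. If links are no longer meant to be supported, the `$target` parameter (declared outside the hunk) should go, or the define should `fail()` on `ensure => 'link'` rather than silently ignoring the value. Note also that the new `if $ensure == 'present'` skips the source/content handling for any other value, where the old code only skipped it for `'absent'` and `'purged'`.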
@@ -20,10 +20,10 @@ class apache::debian inherits apache::package { } file { 'apache_main_config': path => "${config_dir}/apache2.conf", - source => [ "puppet:///modules/site-apache/config/Debian.${::lsbdistcodename}/${::fqdn}/apache2.conf", - "puppet:///modules/site-apache/config/Debian/${::fqdn}/apache2.conf", - "puppet:///modules/site-apache/config/Debian.${::lsbdistcodename}/apache2.conf", - 'puppet:///modules/site-apache/config/Debian/apache2.conf', + source => [ "puppet:///modules/site_apache/config/Debian.${::lsbdistcodename}/${::fqdn}/apache2.conf", + "puppet:///modules/site_apache/config/Debian/${::fqdn}/apache2.conf", + "puppet:///modules/site_apache/config/Debian.${::lsbdistcodename}/apache2.conf", + 'puppet:///modules/site_apache/config/Debian/apache2.conf', "puppet:///modules/apache/config/Debian.${::lsbdistcodename}/${::fqdn}/apache2.conf", "puppet:///modules/apache/config/Debian/${::fqdn}/apache2.conf", "puppet:///modules/apache/config/Debian.${::lsbdistcodename}/apache2.conf", diff --git a/manifests/debian/itk.pp b/manifests/debian/itk.pp index 2dde883..718a81b 100644 --- a/manifests/debian/itk.pp +++ b/manifests/debian/itk.pp @@ -1,9 +1,9 @@ class apache::debian::itk inherits apache::debian { - File['htpasswd_dir']{ - group => 0, - mode => 0644, - } - Package['apache']{ - name => 'apache2-mpm-itk', - } + File['htpasswd_dir']{ + group => 0, + mode => 0644, + } + Package['apache']{ + name => 'apache2-mpm-itk', + } } diff --git a/manifests/debian/module.pp b/manifests/debian/module.pp index 55500ad..4c100fa 100644 --- a/manifests/debian/module.pp +++ b/manifests/debian/module.pp @@ -5,7 +5,7 @@ define apache::debian::module( $modules_dir = "${apache::debian::config_dir}/mods" if ($package_name != 'absent') { - package { "${package_name}": + package { $package_name: ensure => $ensure, notify => Service['apache'], require => Package['apache'], diff --git a/manifests/defaultdavdbdir.pp b/manifests/defaultdavdbdir.pp index 8b5e00f..c0e2a81 100644 
--- a/manifests/defaultdavdbdir.pp +++ b/manifests/defaultdavdbdir.pp @@ -1,9 +1,17 @@ -# manifests/defaultphpdirs.pp - class apache::defaultdavdbdir { - file{'/var/www/dav_db_dir': - ensure => directory, - require => Package['apache'], - owner => root, group => 0, mode => 0755; + file { + '/var/www/dav_db_dir' : + ensure => directory, + require => Package['apache'], + owner => root, + group => 0, + mode => 0755 ; + } + if $::selinux != 'false' { + selinux::fcontext { + ['/var/www/dav_db_dir/.+(/.*)?'] : + setype => 'httpd_var_lib_t', + before => File['/var/www/dav_db_dir'] ; + } } } diff --git a/manifests/defaultphpdirs.pp b/manifests/defaultphpdirs.pp index fdbe8a5..5485241 100644 --- a/manifests/defaultphpdirs.pp +++ b/manifests/defaultphpdirs.pp @@ -1,14 +1,31 @@ -# manifests/defaultphpdirs.pp - +# setup some directories for php class apache::defaultphpdirs { - file{'/var/www/upload_tmp_dir': - ensure => directory, + file{ + '/var/www/upload_tmp_dir': + ensure => directory, require => Package['apache'], - owner => root, group => 0, mode => 0755; - } - file{'/var/www/session.save_path': - ensure => directory, + owner => root, + group => 0, + mode => '0755'; + '/var/www/session.save_path': + ensure => directory, require => Package['apache'], - owner => root, group => 0, mode => 0755; + owner => root, + group => 0, + mode => '0755'; + } + + if $::selinux != 'false' { + $seltype_rw = $::lsbmajdistrelease ? { + 5 => 'httpd_sys_script_rw_t', + default => 'httpd_sys_rw_content_t' + } + selinux::fcontext{ + [ '/var/www/upload_tmp_dir/.+(/.*)?', + '/var/www/session.save_path/.+(/.*)?' ]: + require => Package['apache'], + setype => $seltype_rw, + before => File['/var/www/upload_tmp_dir','/var/www/session.save_path']; + } } } diff --git a/manifests/gentoo.pp b/manifests/gentoo.pp index 46ad8cb..86be087 100644 --- a/manifests/gentoo.pp +++ b/manifests/gentoo.pp 
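Review bot: Both new SELinux blocks guard with `if $::selinux != 'false' {`, which, as I read Puppet 2.7 comparison semantics, is also true when the `selinux` fact is absent (undef is not equal to the string 'false'), so `selinux::fcontext` would be declared on hosts that do not report the fact at all and the catalog fails if the selinux module is not there. Since the README in this commit makes stdlib a hard requirement, a positive check such as `if str2bool("${::selinux}") {` (or `if $::selinux == 'true' {`) only applies the fcontext where SELinux is actually reported as enabled. The same guard is used in `apache::defaultphpdirs` further down this hunk and should be changed together.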
@@ -26,7 +26,7 @@ class apache::gentoo inherits apache::package { # set the default for the ServerName file{"${config_dir}/modules.d/00_default_settings_ServerName.conf": - content => template('apache/modules_dir_00_default_settings_ServerName.conf.erb'), + content => "ServerName ${::fqdn}\n", require => Package[apache], owner => root, group => 0, mode => 0644; } diff --git a/manifests/gentoo/module.pp b/manifests/gentoo/module.pp index 7764c6f..1e9d03a 100644 --- a/manifests/gentoo/module.pp +++ b/manifests/gentoo/module.pp @@ -3,20 +3,20 @@ define apache::gentoo::module( $source = '', $destination = '' ){ - $modules_dir = "$apache::gentoo::config_dir/modules.d" + $modules_dir = "${apache::gentoo::config_dir}/modules.d" $real_destination = $destination ? { '' => "${modules_dir}/${name}.conf", default => $destination, } $real_source = $source ? { '' => [ - "puppet://$server/modules/site-apache/modules.d/${fqdn}/${name}.conf", - "puppet://$server/modules/site-apache/modules.d/${apache_cluster_node}/${name}.conf", - "puppet://$server/modules/site-apache/modules.d/${name}.conf", - "puppet://$server/modules/apache/modules.d/${operatingsystem}/${name}.conf", - "puppet://$server/modules/apache/modules.d/${name}.conf" + "puppet:///modules/site_apache/modules.d/${::fqdn}/${name}.conf", + "puppet:///modules/site_apache/modules.d/${apache::cluster_node}/${name}.conf", + "puppet:///modules/site_apache/modules.d/${name}.conf", + "puppet:///modules/apache/modules.d/${::operatingsystem}/${name}.conf", + "puppet:///modules/apache/modules.d/${name}.conf" ], - default => "puppet://$server/$source", + default => "puppet:///$source", } file{"modules_${name}.conf": ensure => $ensure, diff --git a/manifests/htpasswd_user.pp b/manifests/htpasswd_user.pp index 5a7c413..c4c5453 100644 --- a/manifests/htpasswd_user.pp +++ b/manifests/htpasswd_user.pp 
@@ -16,19 +16,18 @@ define apache::htpasswd_user( 'absent': { $real_site = $name } default: { $real_site = $site } } - case $path { - 'absent': { $real_path = "/var/www/htpasswds/${real_site}" } - default: { $real_path = $path } - } if $password_iscrypted { $real_password = $password } else { $real_password = htpasswd_sha1($password) } - line{"htpasswd_for_${real_site}": + file_line{"htpasswd_for_${real_site}": ensure => $ensure, - file => $real_path, + path => $path ? { + 'absent' => "/var/www/htpasswds/${real_site}", + default => $path + }, line => "${username}:${real_password}", } } diff --git a/manifests/joomla.pp b/manifests/include/joomla.pp index 45d0b48..5adae30 100644 --- a/manifests/joomla.pp +++ b/manifests/include/joomla.pp @@ -1,5 +1,3 @@ -# manifests/joomla.pp - -class apache::joomla { +class apache::include::joomla { apache::config::include{'joomla.inc': } } diff --git a/manifests/include/mod_fcgid.pp b/manifests/include/mod_fcgid.pp new file mode 100644 index 0000000..b3c1cdc --- /dev/null +++ b/manifests/include/mod_fcgid.pp @@ -0,0 +1,7 @@ +class apache::include::mod_fcgid { + apache::config::global{'mod_fcgid.conf': + content => "<IfModule mod_fcgid.c> + FcgidFixPathinfo 1 +</IfModule>\n" + } +} diff --git a/manifests/include/silverstripe.pp b/manifests/include/silverstripe.pp new file mode 100644 index 0000000..fd2484b --- /dev/null +++ b/manifests/include/silverstripe.pp @@ -0,0 +1,3 @@ +class apache::include::silverstripe { + apache::config::include{'silverstripe.inc': } +} diff --git a/manifests/init.pp b/manifests/init.pp index c6b24a8..574c212 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
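Review bot: The `file_line{"htpasswd_for_${real_site}":` resource only asserts that the exact `"${username}:${real_password}"` line exists, so when a user's password is rotated the new hash is appended and the previous `user:oldhash` line stays in the htpasswd file, leaving the old credential valid. If the stdlib version in use supports it, add `match => "^${username}:",` so the existing entry for that user is replaced instead. Note also that the unsalted `htpasswd_sha1()` hash (`{SHA}` scheme) is pre-existing and weak for offline cracking; a caveat comment would help callers prefer `password_iscrypted => true` with a stronger hash where their httpd supports it.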
@@ -6,31 +6,30 @@ # Marcel Härry haerry+puppet(at)puzzle.ch # Simon Josi josi+puppet(at)puzzle.ch # -# This program is free software; you can redistribute -# it and/or modify it under the terms of the GNU -# General Public License version 3 as published by +# This program is free software; you can redistribute +# it and/or modify it under the terms of the GNU +# General Public License version 3 as published by # the Free Software Foundation. # -# Global variables: -# -# $apache_default_user: Set this to the user with which the -# apache is running. -# $apache_default_group: Set this to the group with which the -# apache is running. -class apache { - case $operatingsystem { +# manage a simple apache +class apache( + $cluster_node = '', + $manage_shorewall = false, + $manage_munin = false, + $no_default_site = false +) { + case $::operatingsystem { centos: { include apache::centos } gentoo: { include apache::gentoo } - debian: { include apache::debian } - ubuntu: { include apache::ubuntu } + debian,ubuntu: { include apache::debian } openbsd: { include apache::openbsd } default: { include apache::base } } - if $use_munin { + if $apache::manage_munin { include apache::status } - if $use_shorewall { + if $apache::manage_shorewall { include shorewall::rules::http } } diff --git a/manifests/itk.pp b/manifests/itk.pp index 640b69c..5292343 100644 --- a/manifests/itk.pp +++ b/manifests/itk.pp @@ -3,7 +3,7 @@ # see: http://mpm-itk.sesse.net/ class apache::itk inherits apache { - case $operatingsystem { + case $::operatingsystem { centos: { include ::apache::centos::itk } debian: { include ::apache::debian::itk } default: { include ::apache::base::itk } diff --git a/manifests/itk/lock.pp b/manifests/itk/lock.pp new file mode 100644 index 0000000..4ad95fa --- /dev/null +++ b/manifests/itk/lock.pp @@ -0,0 +1,4 @@ +class apache::itk::lock { + # This file resource is used to ensure that only one itk mode is used per host + file{'/var/www/.itk_mode_lock': ensure => absent } +} 
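Review bot: The new parameterized `class apache(` drops the previous "Global variables" documentation and replaces it with the one-liner `# manage a simple apache`, so `$cluster_node`, `$manage_shorewall`, `$manage_munin` and `$no_default_site` are undocumented at exactly the point the README tells users to migrate to. Add a short parameter list to the header comment describing each one: the cluster node name used as a lookup path component for site-specific files, the two booleans that pull in `shorewall::rules::http` and `apache::status`, and `$no_default_site`, which is not referenced in this hunk and presumably consumed by the per-OS classes. Also worth noting in the doc that the empty `$cluster_node` default produces a `//` in the source search paths, which is harmless but surprising.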
diff --git a/manifests/itk_plus.pp b/manifests/itk_plus.pp new file mode 100644 index 0000000..7d9f721 --- /dev/null +++ b/manifests/itk_plus.pp @@ -0,0 +1,10 @@ +# manifests/itk.pp +# +# see: http://mpm-itk.sesse.net/ + +class apache::itk_plus inherits apache::itk { + case $::operatingsystem { + centos: { include ::apache::centos::itk_plus } + default: { fail("itk plus mode is currently only implemented for CentOS") } + } +} diff --git a/manifests/itk_plus/lock.pp b/manifests/itk_plus/lock.pp new file mode 100644 index 0000000..d540939 --- /dev/null +++ b/manifests/itk_plus/lock.pp @@ -0,0 +1,4 @@ +class apache::itk_plus::lock { + # This file resource is used to ensure that only one itk mode is used per host + file{'/var/www/.itk_mode_lock': ensure => absent } +} diff --git a/manifests/logrotate/centos.pp b/manifests/logrotate/centos.pp index 6571ada..4381205 100644 --- a/manifests/logrotate/centos.pp +++ b/manifests/logrotate/centos.pp @@ -1,8 +1,10 @@ +# add vhost folders to logrotation class apache::logrotate::centos { - # add vhost folders to logrotation augeas{'logrotate_httpd': changes => [ 'rm /files/etc/logrotate.d/httpd/rule/file', 'ins file before /files/etc/logrotate.d/httpd/rule/*[1]', 'set /files/etc/logrotate.d/httpd/rule/file[1] /var/log/httpd/*log' ], + onlyif => 'get /files/etc/logrotate.d/httpd/rule/file[1] != "/var/log/httpd/*log"', + require => Package['apache'], } } diff --git a/manifests/logrotate/centos/vhosts.pp b/manifests/logrotate/centos/vhosts.pp index 941f50d..b1159a1 100644 --- a/manifests/logrotate/centos/vhosts.pp +++ b/manifests/logrotate/centos/vhosts.pp 
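Review bot: The new `manifests/itk_plus.pp` opens with the copied header `# manifests/itk.pp`, which names the wrong file; it should read `# manifests/itk_plus.pp`. In `apache::itk_plus::lock` (and its sibling `apache::itk::lock`) the comment says the file resource "is used to ensure that only one itk mode is used per host" but not how; a reader may try to "fix" the apparent duplication, so spell it out: `# Same title as in apache::itk::lock: including both classes is a duplicate declaration and fails catalog compilation, enforcing one itk mode per host`.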
@@ -1,10 +1,11 @@ +# add vhost folders to logrotation class apache::logrotate::centos::vhosts inherits apache::logrotate::centos { - # add vhost folders to logrotation Augeas['logrotate_httpd']{ changes => [ 'rm /files/etc/logrotate.d/httpd/rule/file', 'ins file before /files/etc/logrotate.d/httpd/rule/*[1]', 'ins file before /files/etc/logrotate.d/httpd/rule/*[1]', 'set /files/etc/logrotate.d/httpd/rule/file[1] /var/log/httpd/*log', 'set /files/etc/logrotate.d/httpd/rule/file[2] /var/www/vhosts/*/logs/*log' ], + onlyif => 'get /files/etc/logrotate.d/httpd/rule/file[2] != "/var/www/vhosts/*/logs/*log"', } } diff --git a/manifests/mod_dav_svn.pp b/manifests/mod_dav_svn.pp index a213043..bdcc4ab 100644 --- a/manifests/mod_dav_svn.pp +++ b/manifests/mod_dav_svn.pp @@ -1,6 +1,5 @@ class apache::mod_dav_svn { - include apache - package{mod_dav_svn: + package{'mod_dav_svn': ensure => installed, require => Package['apache'], notify => Service['apache'], diff --git a/manifests/mod_macro.pp b/manifests/mod_macro.pp index acee280..eed59e5 100644 --- a/manifests/mod_macro.pp +++ b/manifests/mod_macro.pp @@ -1,6 +1,5 @@ class apache::mod_macro { - include apache - package{mod_macro: + package{'mod_macro': ensure => installed, require => Package['apache'], notify => Service['apache'], diff --git a/manifests/munin.pp b/manifests/munin.pp new file mode 100644 index 0000000..2a04e97 --- /dev/null +++ b/manifests/munin.pp @@ -0,0 +1,11 @@ +# manage apache monitoring things +class apache::munin { + + include perl::extensions::libwww + + munin::plugin{ [ 'apache_accesses', 'apache_processes', 'apache_volume' ]: } + munin::plugin::deploy { 'apache_activity': + source => 'apache/munin/apache_activity', + seltype => 'munin_services_plugin_exec_t', + } +} diff --git a/manifests/noiplog.pp b/manifests/noiplog.pp new file mode 100644 index 0000000..355d7e6 --- /dev/null +++ b/manifests/noiplog.pp 
@@ -0,0 +1,5 @@ +class apache::noiplog { + apache::config::global{ 'noip_log.conf': + content => 'LogFormat "127.0.0.1 - - %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %T %V" noip'; + } +} diff --git a/manifests/openbsd.pp b/manifests/openbsd.pp index 2cf5fd4..1ba58f4 100644 --- a/manifests/openbsd.pp +++ b/manifests/openbsd.pp @@ -20,16 +20,16 @@ class apache::openbsd inherits apache::base { File[web_dir]{ group => daemon, } - line{'enable_apache_on_boot': - file => '/etc/rc.conf.local', + file_line{'enable_apache_on_boot': + path => '/etc/rc.conf.local', line => 'httpd flags=""', } file{'apache_main_config': path => "${config_dir}/conf/httpd.conf", - source => [ "puppet://$server/modules/site-apache/config/OpenBSD/${fqdn}/httpd.conf", - "puppet://$server/modules/site-apache/config/OpenBSD/${apache_cluster_node}/httpd.conf", - "puppet://$server/modules/site-apache/config/OpenBSD//httpd.conf", - "puppet://$server/modules/apache/config/OpenBSD/httpd.conf" ], + source => [ "puppet:///modules/site_apache/config/OpenBSD/${::fqdn}/httpd.conf", + "puppet:///modules/site_apache/config/OpenBSD/${apache::cluster_node}/httpd.conf", + "puppet:///modules/site_apache/config/OpenBSD//httpd.conf", + "puppet:///modules/apache/config/OpenBSD/httpd.conf" ], notify => Service['apache'], owner => root, group => 0, mode => 0644; } @@ -37,7 +37,7 @@ class apache::openbsd inherits apache::base { path => '/var/www/htdocs/default/www/index.html', } file{'/opt/bin/restart_apache.sh': - source => "puppet://$server/modules/apache/scripts/OpenBSD/bin/restart_apache.sh", + source => "puppet:///modules/apache/scripts/OpenBSD/bin/restart_apache.sh", require => File['/opt/bin'], owner => root, group => 0, mode => 0700; } 
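Review bot: The `noip` LogFormat in `apache::noiplog` masks only the client address; `%r`, `%{Referer}i` and `%{User-Agent}i` are still written verbatim, and request lines and referers routinely carry identifying data (session tokens, e-mail addresses, tracking parameters), so the `anonym`/`semianonym` log modes that include this class are only partially anonymising. Add a caveat above the resource, e.g. `# Only the client IP is replaced; request line, Referer and User-Agent are still logged and may identify users`. For consistency with the other `apache::config::global` content in this commit (`mod_fcgid.conf`), the content string should also end in `\n`.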
@@ -51,7 +51,7 @@ class apache::openbsd inherits apache::base { stop => 'apachectl stop', } file{'/opt/bin/apache_logrotate.sh': - source => "puppet://$server/modules/apache/scripts/OpenBSD/bin/apache_logrotate.sh", + source => "puppet:///modules/apache/scripts/OpenBSD/bin/apache_logrotate.sh", require => File['/opt/bin'], owner => root, group => 0, mode => 0700; } diff --git a/manifests/package.pp b/manifests/package.pp index aa47c6c..3308b37 100644 --- a/manifests/package.pp +++ b/manifests/package.pp @@ -19,13 +19,13 @@ class apache::package inherits apache::base { File['modules_dir']{ require => Package[apache], } - File['web_dir']{ + File['include_dir']{ require => Package[apache], } - File['htpasswd_dir']{ + File['web_dir']{ require => Package[apache], } - File['include_dir']{ + File['htpasswd_dir']{ require => Package[apache], } } diff --git a/manifests/sftponly.pp b/manifests/sftponly.pp index 1f9793d..ece726b 100644 --- a/manifests/sftponly.pp +++ b/manifests/sftponly.pp @@ -1,5 +1,5 @@ class apache::sftponly { - case $operatingsystem { + case $::operatingsystem { centos: { include apache::sftponly::centos } } } diff --git a/manifests/sftponly/centos.pp b/manifests/sftponly/centos.pp index 12dd2d0..0f2a43d 100644 --- a/manifests/sftponly/centos.pp +++ b/manifests/sftponly/centos.pp @@ -1,10 +1,10 @@ +# manage sftponly group and apache +# user for access class apache::sftponly::centos { - augeas{"add_apache_to_group_sftponly": - context => "/files/etc/group", - changes => [ "ins user after sftponly/user[last()]", - "set sftponly/user[last()] apache" ], - onlyif => "match sftponly/*[../user='apache'] size == 0", + require user::groups::sftponly + user::groups::manage_user{'apache': + group => 'sftponly', require => Package['apache'], - notify => Service['apache'], + notify => Service['apache'], } } diff --git a/manifests/ssl.pp b/manifests/ssl.pp index c779da4..bfef7ad 100644 --- a/manifests/ssl.pp +++ b/manifests/ssl.pp 
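Review bot: `apache::sftponly::centos` now adds the `apache` user to the `sftponly` group via `user::groups::manage_user{'apache': group => 'sftponly', ...}` but the header only says "manage sftponly group and apache user for access", not what access is being granted or why the web server needs membership in a group that, judging by its name, is presumably used to restrict SSH users to SFTP. A one-line why-comment would prevent this from looking like an accidental privilege grant, e.g. `# httpd must be in sftponly so it can read content uploaded by sftponly-restricted users` (adjust to the actual reason).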
@@ -1,13 +1,13 @@ # manifests/ssl.pp -class apache::ssl inherits apache { - case $operatingsystem { +class apache::ssl { + case $::operatingsystem { centos: { include apache::ssl::centos } openbsd: { include apache::ssl::openbsd } debian: { include apache::ssl::debian } defaults: { include apache::ssl::base } } - if $use_shorewall { + if $apache::manage_shorewall { include shorewall::rules::https } } diff --git a/manifests/ssl/centos.pp b/manifests/ssl/centos.pp index b2c8ad8..7bc8c89 100644 --- a/manifests/ssl/centos.pp +++ b/manifests/ssl/centos.pp @@ -5,4 +5,8 @@ class apache::ssl::centos inherits apache::ssl::base { require => Package[apache], } ::apache::config::global{ 'ssl.conf': } + + apache::config::global{'00-listen-ssl.conf': + ensure => absent, + } } diff --git a/manifests/ssl/itk.pp b/manifests/ssl/itk.pp index 62c96cf..5fd3aaf 100644 --- a/manifests/ssl/itk.pp +++ b/manifests/ssl/itk.pp @@ -1,7 +1,7 @@ # manifests/ssl/itk.pp class apache::ssl::itk inherits apache::ssl { - case $operatingsystem { + case $::operatingsystem { centos: { include apache::ssl::itk::centos } } } diff --git a/manifests/ssl/itk_plus.pp b/manifests/ssl/itk_plus.pp new file mode 100644 index 0000000..0c8e667 --- /dev/null +++ b/manifests/ssl/itk_plus.pp @@ -0,0 +1,6 @@ +class apache::ssl::itk_plus inherits apache::ssl::itk { + case $::operatingsystem { + centos: { include ::apache::ssl::itk_plus::centos } + default: { fail("itk plus mode is currently only implemented for CentOS") } + } +} diff --git a/manifests/ssl/itk_plus/centos.pp b/manifests/ssl/itk_plus/centos.pp new file mode 100644 index 0000000..00fb472 --- /dev/null +++ b/manifests/ssl/itk_plus/centos.pp 
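Review bot: In `apache::ssl` the `case $::operatingsystem` still has a `defaults:` arm, which is a bareword that only matches an operating system literally named "defaults", so any host other than CentOS, OpenBSD or Debian gets no ssl class at all; and while this commit routes Ubuntu to `apache::debian` in `init.pp`, it is not routed to `apache::ssl::debian` here. Change the two arms to `debian,ubuntu: { include apache::ssl::debian }` and `default: { include apache::ssl::base }`. The same `defaults:` typo appears in `apache::status`.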
@@ -0,0 +1,11 @@ +class apache::ssl::itk_plus::centos inherits apache::ssl::centos { + include apache::ssl::itk::centos + Apache::Config::Global['ssl.conf']{ + source => "modules/apache/itk_plus/conf.d/${::operatingsystem}/ssl.conf", + } + + Apache::Config::Global['00-listen-ssl.conf']{ + ensure => 'present', + content => template("apache/itk_plus/${::operatingsystem}/00-listen-ssl.conf.erb"), + } +} diff --git a/manifests/ssl/openbsd.pp b/manifests/ssl/openbsd.pp index 6d357ee..43bc680 100644 --- a/manifests/ssl/openbsd.pp +++ b/manifests/ssl/openbsd.pp @@ -1,16 +1,16 @@ class apache::ssl::openbsd inherits apache::openbsd { include apache::ssl::base - Line['enable_apache_on_boot']{ + File_line['enable_apache_on_boot']{ ensure => 'absent', } - line{'enable_apachessl_on_boot': - file => '/etc/rc.conf.local', + file_line{'enable_apachessl_on_boot': + path => '/etc/rc.conf.local', line => 'httpd flags="-DSSL"', } File['/opt/bin/restart_apache.sh']{ - source => "puppet://$server/modules/apache/scripts/OpenBSD/bin/restart_apache_ssl.sh", + source => "puppet:///modules/apache/scripts/OpenBSD/bin/restart_apache_ssl.sh", } Service['apache']{ start => 'apachectl startssl', diff --git a/manifests/status.pp b/manifests/status.pp index d32069e..1f7ca89 100644 --- a/manifests/status.pp +++ b/manifests/status.pp @@ -1,12 +1,12 @@ -# manifests/status.pp - -class apache::status inherits apache { - case $operatingsystem { - centos: { include apache::status::centos } - defaults: { include apache::status::base } - } - if $use_munin { - include munin::plugins::apache - } +# enable apache status page +# manage munin plugins if requested +class apache::status { + case $::operatingsystem { + centos: { include apache::status::centos } + defaults: { include apache::status::base } + } + if $apache::manage_munin { + include apache::munin + } } diff --git a/manifests/ubuntu.pp b/manifests/ubuntu.pp deleted file mode 100644 index 0837296..0000000 --- a/manifests/ubuntu.pp +++ /dev/null 
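Review bot: The rewritten `apache::status` keeps the arm `defaults: { include apache::status::base }`, which never matches a real `$::operatingsystem` value, so only CentOS hosts get a status configuration; it should be `default: { include apache::status::base }`. The `apache::munin` include that replaces `munin::plugins::apache` is otherwise consistent with the README's new `manage_munin` parameter.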
@@ -1,3 +0,0 @@
-### ubuntu: similar to debian therefor inheritng from there
-class apache::ubuntu inherits apache::debian {}
-
diff --git a/manifests/vhost.pp b/manifests/vhost.pp
index 1f2db90..dcb26a2 100644
--- a/manifests/vhost.pp
+++ b/manifests/vhost.pp
@@ -3,19 +3,39 @@ # vhost_mode: which option is choosed to deploy the vhost # - template: generate it from a template (default) # - file: deploy a vhost file (apache::vhost::file will be called directly) -# php_safe_mode_exec_bins: An array of local binaries which should be linked in the -# safe_mode_exec_bin for this hosting -# *default*: None -# php_default_charset: default charset header for php. -# *default*: absent, which will set the same as default_charset -# of apache +# +# logmode: +# - default: Do normal logging to CustomLog and ErrorLog +# - nologs: Send every logging to /dev/null +# - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null +# - semianonym: Don't log ips for CustomLog, log normal ErrorLog +# +# run_mode: controls in which mode the vhost should be run, there are different setups +# possible: +# - normal: (*default*) run vhost with the current active worker (default: prefork) don't +# setup anything special +# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination +# with 'proxy-itk' & 'static-itk' mode) +# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the +# requests for the itk setup, that listens only on the loobpack device. +# (Incompatibility: cannot be used in combination with the itk setup.) 
+# - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static +# content and proxies the dynamic calls to the itk setup, that listens only on +# the loobpack device (Incompatibility: cannot be used in combination with +# 'itk' mode) +# +# mod_security: Whether we use mod_security or not (will include mod_security module) +# - false: (*default*) don't activate mod_security +# - true: activate mod_security +# define apache::vhost( $ensure = present, $path = 'absent', $path_is_webdir = false, $logpath = 'absent', - $template_mode = 'static', + $logmode = 'default', $vhost_mode = 'template', + $template_partial = 'apache/vhosts/static/partial.erb', $vhost_source = 'absent', $vhost_destination = 'absent', $content = 'absent', @@ -23,15 +43,8 @@ define apache::vhost( $domainalias = 'absent', $server_admin = 'absent', $allow_override = 'None', - $php_safe_mode_exec_bin_dir = 'absent', - $php_upload_tmp_dir = 'absent', - $php_session_save_path = 'absent', - $php_use_smarty = false, - $php_use_pear = false, - $php_safe_mode = true, - $php_default_charset = 'absent', - $php_additional_open_basedirs = 'absent', - $php_additional_options = 'absent', + $php_settings = {}, + $php_options = {}, $cgi_binpath = 'absent', $default_charset = 'absent', $do_includes = false, @@ -40,15 +53,18 @@ define apache::vhost( $run_mode = 'normal', $run_uid = 'absent', $run_gid = 'absent', - $template_mode = 'static', $ssl_mode = false, $htpasswd_file = 'absent', $htpasswd_path = 'absent', $mod_security = true, $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', $use_mod_macro = false, $ldap_auth = false, - $ldap_user = 'any' + $ldap_user = 'any', + $passing_extension = 'absent', + $gempath = 'absent' ) { # file or template mode? case $vhost_mode { 
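Review bot: The new header documentation in `apache::vhost` states `# - false: (*default*) don't activate mod_security`, but the define's parameter list (visible as a context line in the third hunk) still has `$mod_security = true,`, while `apache::vhost::file` in this same commit defaults it to `false`; either the comment or the default is wrong, and since this decides whether a WAF is applied to every vhost it should be settled explicitly, e.g. by changing the doc line to `# - true: (*default*) activate mod_security` or the default to `false` to match `apache::vhost::file`. The comments also misspell "loopback" as "loobpack" twice. The define's body continues past this hunk.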
@@ -58,6 +74,8 @@ define apache::vhost( vhost_source => $vhost_source, vhost_destination => $vhost_destination, do_includes => $do_includes, + run_mode => $run_mode, + mod_security => $mod_security, htpasswd_file => $htpasswd_file, htpasswd_path => $htpasswd_path, use_mod_macro => $use_mod_macro, @@ -69,35 +87,34 @@ define apache::vhost( path => $path, path_is_webdir => $path_is_webdir, logpath => $logpath, + logmode => $logmode, domain => $domain, domainalias => $domainalias, server_admin => $server_admin, - php_safe_mode_exec_bin_dir => $php_safe_mode_exec_bin_dir, - php_upload_tmp_dir => $php_upload_tmp_dir, - php_session_save_path => $php_session_save_path, cgi_binpath => $cgi_binpath, allow_override => $allow_override, do_includes => $do_includes, options => $options, additional_options => $additional_options, default_charset => $default_charset, - php_use_smarty => $php_use_smarty, - php_use_pear => $php_use_pear, - php_safe_mode => $php_safe_mode, - php_default_charset => $php_default_charset, - php_additional_open_basedirs => $php_additional_open_basedirs, - php_additional_options => $php_additional_options, + php_settings => $php_settings, + php_options => $php_options, run_mode => $run_mode, run_uid => $run_uid, run_gid => $run_gid, - template_mode => $template_mode, + template_partial => $template_partial, ssl_mode => $ssl_mode, htpasswd_file => $htpasswd_file, htpasswd_path => $htpasswd_path, ldap_auth => $ldap_auth, ldap_user => $ldap_user, mod_security => $mod_security, + mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options => $mod_security_additional_options, use_mod_macro => $use_mod_macro, + passing_extension => $passing_extension, + gempath => $gempath, } } default: { fail("no such vhost_mode: $vhost_mode defined for $name.") } diff --git a/manifests/vhost/davdbdir.pp b/manifests/vhost/davdbdir.pp index a9528f7..459167c 100644 
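Review bot: In file mode `apache::vhost` now forwards `run_mode` and `mod_security` to `apache::vhost::file`, but not `logmode` or `ssl_mode`, although `apache::vhost::file` gains both parameters in this commit and decides from `$logmode` whether to include `apache::noiplog`; a caller setting `logmode => 'anonym'` on a file-mode vhost therefore silently gets default logging. Add `logmode => $logmode,` and `ssl_mode => $ssl_mode,` to the `apache::vhost::file` call in the first hunk. The `fail()` message in the last hunk should also use braced interpolation, `"no such vhost_mode: ${vhost_mode} defined for ${name}."`.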
--- a/manifests/vhost/davdbdir.pp
+++ b/manifests/vhost/davdbdir.pp
@@ -11,7 +11,7 @@ define apache::vhost::davdbdir(
 case $dav_db_dir {
 'absent': {
 include apache::defaultdavdbdir
- $real_dav_db_dir = "/var/www/dav_db_dir/$name"
+ $real_dav_db_dir = "/var/www/dav_db_dir/${name}"
 }
 default: { $real_dav_db_dir = $dav_db_dir }
 }
diff --git a/manifests/vhost/file.pp b/manifests/vhost/file.pp
index 6d2cc32..b42c4ce 100644
--- a/manifests/vhost/file.pp
+++ b/manifests/vhost/file.pp
@@ -7,26 +7,60 @@ # - absent: standardpath (default) # - else: path to deploy # +# ssl_mode: wether this vhost supports ssl or not +# - false: don't enable ssl for this vhost (default) +# - true: enable ssl for this vhost +# - force: enable ssl and redirect non-ssl to ssl +# - only: enable ssl only +# +# run_mode: controls in which mode the vhost should be run, there are different setups +# possible: +# - normal: (*default*) run vhost with the current active worker (default: prefork) don't +# setup anything special +# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination +# with 'proxy-itk' & 'static-itk' mode) +# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the +# requests for the itk setup, that listens only on the loobpack device. +# (Incompatibility: cannot be used in combination with the itk setup.) +# - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static +# content and proxies the dynamic calls to the itk setup, that listens only on +# the loobpack device (Incompatibility: cannot be used in combination with +# 'itk' mode) +# logmode: +# - default: Do normal logging to CustomLog and ErrorLog +# - nologs: Send every logging to /dev/null +# - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null +# - semianonym: Don't log ips for CustomLog, log normal ErrorLog +# +# +# mod_security: Whether we use mod_security or not (will include mod_security module) +# - false: (*default*) don't activate mod_security +# - true: activate mod_security +# define apache::vhost::file( $ensure = present, $vhost_source = 'absent', $vhost_destination = 'absent', $content = 'absent', $do_includes = false, + $run_mode = 'normal', + $logmode = 'default', + $ssl_mode = false, + $mod_security = false, $htpasswd_file = 'absent', $htpasswd_path = 'absent', $use_mod_macro = false ){ - $vhosts_dir = $operatingsystem ? 
{ - centos => "$apache::centos::config_dir/vhosts.d", - gentoo => "$apache::gentoo::config_dir/vhosts.d", - debian => "$apache::debian::config_dir/sites-enabled", - ubuntu => "$apache::ubuntu::config_dir/sites-enabled", - openbsd => "$apache::openbsd::config_dir/vhosts.d", + $vhosts_dir = $::operatingsystem ? { + centos => "${apache::centos::config_dir}/vhosts.d", + gentoo => "${apache::gentoo::config_dir}/vhosts.d", + debian => "${apache::debian::config_dir}/sites-enabled", + ubuntu => "${apache::ubuntu::config_dir}/sites-enabled", + openbsd => "${apache::openbsd::config_dir}/vhosts.d", default => '/etc/apache2/vhosts.d', } $real_vhost_destination = $vhost_destination ? { - 'absent' => "$vhosts_dir/$name.conf", + 'absent' => "${vhosts_dir}/${name}.conf", default => $vhost_destination, } file{"${name}.conf": 
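Review bot: The `$vhosts_dir` selector in `apache::vhost::file` still has `ubuntu => "${apache::ubuntu::config_dir}/sites-enabled",` but this same commit deletes `manifests/ubuntu.pp` and routes Ubuntu to `apache::debian`, so on Ubuntu the variable is undefined and the vhost lands in `/sites-enabled/${name}.conf`, outside the httpd config tree and never loaded. Replace the `debian` and `ubuntu` arms with `debian,ubuntu => "${apache::debian::config_dir}/sites-enabled",`. The define's body continues past this hunk.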
@@ -36,27 +70,44 @@ define apache::vhost::file( notify => Service[apache], owner => root, group => 0, mode => 0644; } - if $do_includes { + if $ensure != 'absent' { + if $do_includes { include ::apache::includes - } - if $use_mod_macro { + } + if $use_mod_macro { include ::apache::mod_macro - } - case $content { + } + case $logmode { + 'semianonym','anonym': { include apache::noiplog } + } + case $run_mode { + 'itk': { + include ::apache::itk::lock + if $mod_security { include mod_security::itk } + } + 'proxy-itk','static-itk': { + include ::apache::itk_plus::lock + if $mod_security { include mod_security::itk_plus } + } + default: { + if $mod_security { include mod_security } + } + } + + case $content { 'absent': { $real_vhost_source = $vhost_source ? { 'absent' => [ - "puppet://$server/modules/site-apache/vhosts.d/$fqdn/$name.conf", - "puppet://$server/modules/site-apache/vhosts.d/$apache_cluster_node/$name.conf", - "puppet://$server/modules/site-apache/vhosts.d/$operatingsystem.$lsbdistcodename/$name.conf", - "puppet://$server/modules/site-apache/vhosts.d/$operatingsystem/$name.conf", - "puppet://$server/modules/site-apache/vhosts.d/$name.conf", - "puppet://$server/modules/apache/vhosts.d/$name.conf", - "puppet://$server/modules/apache/vhosts.d/$operatingsystem.$lsbdistcodename/$name.conf", - "puppet://$server/modules/apache/vhosts.d/$operatingsystem/$name.conf", - "puppet://$server/modules/apache/vhosts.d/$name.conf" + "puppet:///modules/site_apache/vhosts.d/${::fqdn}/${name}.conf", + "puppet:///modules/site_apache/vhosts.d/{$apache::cluster_node}/${name}.conf", + "puppet:///modules/site_apache/vhosts.d/${::operatingsystem}.${::lsbdistcodename}/${name}.conf", + "puppet:///modules/site_apache/vhosts.d/${::operatingsystem}/${name}.conf", + "puppet:///modules/site_apache/vhosts.d/${name}.conf", + "puppet:///modules/apache/vhosts.d/${::operatingsystem}.${::lsbdistcodename}/${name}.conf", + "puppet:///modules/apache/vhosts.d/${::operatingsystem}/${name}.conf", + 
"puppet:///modules/apache/vhosts.d/${name}.conf" ], - default => "puppet://$server/$vhost_source", + default => "puppet:///${vhost_source}", } File["${name}.conf"]{ source => $real_vhost_source, @@ -67,21 +118,26 @@ define apache::vhost::file( content => $content, } } + } } case $htpasswd_file { 'absent','nodeploy': { info("don't deploy a htpasswd file for ${name}") } default: { if $htpasswd_path == 'absent' { - $real_htpasswd_path = "/var/www/htpasswds/$name" + $real_htpasswd_path = "/var/www/htpasswds/${name}" } else { $real_htpasswd_path = $htpasswd_path } file{$real_htpasswd_path: ensure => $ensure, - source => [ "puppet://$server/modules/site-apache/htpasswds/$fqdn/$name", - "puppet://$server/modules/site-apache/htpasswds/$apache_cluster_node/$name", - "puppet://$server/modules/site-apache/htpasswds/$name" ], - owner => root, group => 0, mode => 0644; + } + if ($ensure!='absent') { + File[$real_htpasswd_path]{ + source => [ "puppet:///modules/site_apache/htpasswds/${::fqdn}/${name}", + "puppet:///modules/site_apache/htpasswds/${apache::cluster_node}/${name}", + "puppet:///modules/site_apache/htpasswds/${name}" ], + owner => root, group => 0, mode => 0644, + } } } } diff --git a/manifests/vhost/file/documentrootfile.pp b/manifests/vhost/file/documentrootfile.pp index 441d605..610d71c 100644 --- a/manifests/vhost/file/documentrootfile.pp +++ b/manifests/vhost/file/documentrootfile.pp 
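Review bot: The second search path in the rewritten `$real_vhost_source` list reads `"puppet:///modules/site_apache/vhosts.d/{$apache::cluster_node}/${name}.conf"` with the brace outside the `$`, so the URL contains a literal `{...}` directory component and the per-cluster-node vhost override is never found; it should be `${apache::cluster_node}` like the other entries. The other paths in this hunk were converted correctly, so this looks like a slip during the rename.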
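Review bot: The htpasswd file in the last hunk is re-deployed with `owner => root, group => 0, mode => 0644`, which makes every password hash in it world-readable to all local users even though httpd only needs to read it as its own user. Unless something elsewhere depends on other-readable htpasswd files, tighten this to a group the web server runs as and `mode => 0640` (the group name differs per distribution, so it likely needs the same per-OS handling as `$vhosts_dir`); at minimum add a comment explaining why 0644 is acceptable here. These lines are moved rather than new, but the commit is the natural place to fix them.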
@@ -6,19 +6,19 @@ define apache::vhost::file::documentrootfile( $group='0', $mode=440 ){ - file{"$documentroot/$filename": - source => [ "puppet://$server/modules/site-apache/vhost_varieties/$fqdn/$thedomain/$filename", - "puppet://$server/modules/site-apache/vhost_varieties/$apache_cluster_node/$thedomain/$filename", - "puppet://$server/modules/site-apache/vhost_varieties/$operatingsystem.$lsbdistcodename/$thedomain/$filename", - "puppet://$server/modules/site-apache/vhost_varieties/$operatingsystem/$thedomain/$filename", - "puppet://$server/modules/site-apache/vhost_varieties/$thedomain/$filename", - "puppet://$server/modules/apache/vhost_varieties/$thedomain/$filename", - "puppet://$server/modules/apache/vhost_varieties/$operatingsystem.$lsbdistcodename/$thedomain/$filename", - "puppet://$server/modules/apache/vhost_varieties/$operatingsystem/$thedomain/$filename", - "puppet://$server/modules/apache/vhost_varieties/$thedomain/$filename" + file{"${documentroot}/$(unknown)": + source => [ "puppet:///modules/site_apache/vhost_varieties/${::fqdn}/${thedomain}/$(unknown)", + "puppet:///modules/site_apache/vhost_varieties/${apache::cluster_node}/${thedomain}/$(unknown)", + "puppet:///modules/site_apache/vhost_varieties/${::operatingsystem}.${::lsbdistcodename}/${thedomain}/$(unknown)", + "puppet:///modules/site_apache/vhost_varieties/${::operatingsystem}/${thedomain}/$(unknown)", + "puppet:///modules/site_apache/vhost_varieties/${thedomain}/$(unknown)", + "puppet:///modules/apache/vhost_varieties/${thedomain}/$(unknown)", + "puppet:///modules/apache/vhost_varieties/${::operatingsystem}.${::lsbdistcodename}/${thedomain}/$(unknown)", + "puppet:///modules/apache/vhost_varieties/${::operatingsystem}/${thedomain}/$(unknown)", + "puppet:///modules/apache/vhost_varieties/${thedomain}/$(unknown)" ], ensure => file, - require => Apache::Vhost::Webdir["$thedomain"], + require => Apache::Vhost::Webdir[$thedomain], owner => $owner, group => $group, mode => $mode; } } 
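Review bot: `$mode=440` stays an unquoted bare number in the signature while this same commit quotes `$documentroot_mode = '0640'` in the joomla file; writing it as `$mode='0440'` avoids the octal/decimal ambiguity of a numeric mode and keeps the defines consistent. The filename segment of every new source path renders here as `$(unknown)`, which is not valid Puppet interpolation; if that is the actual file content rather than an artefact of this listing, it should be `${filename}` to match the `$filename` it replaces.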
diff --git a/manifests/vhost/gitweb.pp b/manifests/vhost/gitweb.pp
index 084b04c..dab4983 100644
--- a/manifests/vhost/gitweb.pp
+++ b/manifests/vhost/gitweb.pp
@@ -1,6 +1,13 @@
+# logmode:
+# - default: Do normal logging to CustomLog and ErrorLog
+# - nologs: Send every logging to /dev/null
+# - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null
+# - semianonym: Don't log ips for CustomLog, log normal ErrorLog
+#
 define apache::vhost::gitweb(
 $ensure = present,
 $domain = 'absent',
+ $logmode = 'default',
 $domainalias = 'absent',
 $server_admin = 'absent',
 $owner = root,
@@ -9,6 +16,7 @@ define apache::vhost::gitweb(
 $documentroot_group = 0,
 $documentroot_mode = 0640,
 $allow_override = 'None',
+ $template_partial = 'apache/vhosts/gitweb/partial.erb',
 $do_includes = false,
 $options = 'absent',
 $additional_options = 'absent',
@@ -22,14 +30,15 @@ define apache::vhost::gitweb(
 ensure => $ensure,
 path => '/var/www/git',
 path_is_webdir => true,
- logpath => $operatingsystem ? {
+ logpath => $::operatingsystem ? {
 centos => '/var/log/httpd',
 fedora => '/var/log/httpd',
 redhat => '/var/log/httpd',
 openbsd => '/var/www/logs',
 default => '/var/log/apache2'
 },
- template_mode => 'gitweb',
+ logmode => $logmode,
+ template_partial => $template_partial,
 domain => $domain,
 domainalias => $domainalias,
 server_admin => $server_admin,
@@ -38,6 +47,7 @@ define apache::vhost::gitweb(
 options => $options,
 additional_options => $additional_options,
 default_charset => $default_charset,
+ run_mode => 'normal',
 ssl_mode => $ssl_mode,
 htpasswd_file => $htpasswd_file,
 htpasswd_path => $htpasswd_path,
diff --git a/manifests/vhost/modperl.pp b/manifests/vhost/modperl.pp
index 98876e4..c93e6cf 100644
--- a/manifests/vhost/modperl.pp
+++ b/manifests/vhost/modperl.pp
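Review bot: The new header comment documents `logmode` but not the other parameter this file gains, `template_partial`, nor that `run_mode` is now pinned to `'normal'` inside the vhost declaration; lines such as `# template_partial: erb partial rendered into the vhost (default: apache/vhosts/gitweb/partial.erb)` and `# run_mode is fixed to 'normal' for gitweb, the itk modes are not available here` would tell callers what they can and cannot set. This applies to the first and the last hunk of this file.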
@@ -1,14 +1,36 @@
-# run_mode:
-# - normal: nothing special (*default*)
-# - itk: apache is running with the itk module
-# and run_uid and run_gid are used as vhost users
+# run_mode: controls in which mode the vhost should be run, there are different setups
+# possible:
+# - normal: (*default*) run vhost with the current active worker (default: prefork) don't
+# setup anything special
+# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination
+# with 'proxy-itk' & 'static-itk' mode)
+# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the
+# requests for the itk setup, that listens only on the loobpack device.
+# (Incompatibility: cannot be used in combination with the itk setup.)
+# - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static
+# content and proxies the dynamic calls to the itk setup, that listens only on
+# the loobpack device (Incompatibility: cannot be used in combination with
+# 'itk' mode)
+#
 # run_uid: the uid the vhost should run as with the itk module
 # run_gid: the gid the vhost should run as with the itk module
+#
+# mod_security: Whether we use mod_security or not (will include mod_security module)
+# - false: don't activate mod_security
+# - true: (*default*) activate mod_security
+#
+# logmode:
+# - default: Do normal logging to CustomLog and ErrorLog
+# - nologs: Send every logging to /dev/null
+# - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null
+# - semianonym: Don't log ips for CustomLog, log normal ErrorLog
+#
 define apache::vhost::modperl(
 $ensure = present,
 $domain = 'absent',
 $domainalias = 'absent',
 $server_admin = 'absent',
+ $logmode = 'default',
 $path = 'absent',
 $owner = root,
 $group = apache,
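Review bot: The new comment block spells "loopback" as `loobpack` twice, and the same block is copied into the drupal, gallery2, joomla and mediawiki headers in this commit; the passenger and gallery2 headers also carry `(*defaul*)` for `(*default*)`. The run_mode list here omits `fcgid`, which the body of this define handles in the `@@ -37,23 +62,49 @@` hunk; add `# - fcgid: run the vhost's perl through mod_fcgid; run_uid/run_gid are used for the fcgid starter` so the documented values match the case statement.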
@@ -26,8 +48,11 @@ define apache::vhost::modperl( $default_charset = 'absent', $mod_security = true, $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', $ssl_mode = false, $vhost_mode = 'template', + $template_partial = 'apache/vhosts/perl/partial.erb', $vhost_source = 'absent', $vhost_destination = 'absent', $htpasswd_file = 'absent', @@ -37,23 +62,49 @@ define apache::vhost::modperl( case $cgi_binpath { 'absent': { $real_path = $path ? { - 'absent' => $operatingsystem ? { + 'absent' => $::operatingsystem ? { openbsd => "/var/www/htdocs/${name}", default => "/var/www/vhosts/${name}" }, - default => "${path}" + default => $path } $real_cgi_binpath = "${real_path}/cgi-bin" } default: { $real_cgi_binpath = $cgi_binpath } } + file{$real_cgi_binpath: - ensure => directory, + ensure => $ensure ? { + 'absent' => 'absent', + default => directory + }, owner => $documentroot_owner, group => $documentroot_group, mode => $documentroot_mode; } + if $ensure != 'absent' { + case $run_mode { + 'proxy-itk','static-itk': { + include ::mod_perl::itk_plus + } + 'fcgid': { + include ::mod_fcgid + include apache::include::mod_fcgid + + # we don't need mod_perl if we run it as fcgid + include ::mod_perl::disable + mod_fcgid::starter {$name: + cgi_type => 'perl', + owner => $run_uid, + group => $run_gid, + notify => Service['apache'], + } + } + default: { include ::mod_perl } + } + } + # create webdir ::apache::vhost::webdir{$name: ensure => $ensure, @@ -70,8 +121,9 @@ define apache::vhost::modperl( ::apache::vhost{$name: ensure => $ensure, path => $path, - template_mode => 'perl', + logmode => $logmode, vhost_mode => $vhost_mode, + template_partial => $template_partial, vhost_source => $vhost_source, vhost_destination => $vhost_destination, domain => $domain, 
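Review bot: In the `@@ -37,23 +62,49 @@` hunk, `file{$real_cgi_binpath:` now resolves to `ensure => 'absent'` for a directory, but Puppet's file type refuses to remove a non-empty directory unless `force => true` is set, so decommissioning a vhost whose cgi-bin holds scripts fails on every run; add `force => true,` next to the ensure selector. In the `'fcgid'` branch `mod_fcgid::starter` receives `owner => $run_uid` and `group => $run_gid` unconditionally; the defaults of those parameters are not in this hunk, but if they are `'absent'` as in the sibling defines the starter would be owned by a non-existent user, so guard it with `if $run_uid == 'absent' { fail("apache::vhost::modperl ${name}: run_uid is required for run_mode fcgid") }`. The define's closing brace is outside this hunk.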
@@ -91,6 +143,9 @@ define apache::vhost::modperl(
 htpasswd_path => $htpasswd_path,
 mod_security => $mod_security,
 mod_security_relevantonly => $mod_security_relevantonly,
+ mod_security_rules_to_disable => $mod_security_rules_to_disable,
+ mod_security_additional_options => $mod_security_additional_options,
+ passing_extension => 'pl'
 }
 }
diff --git a/manifests/vhost/passenger.pp b/manifests/vhost/passenger.pp
index 732758e..6886f13 100644
--- a/manifests/vhost/passenger.pp
+++ b/manifests/vhost/passenger.pp
@@ -1,23 +1,31 @@
 # run_uid: the uid the vhost should run as with the mod_passenger module
 # run_gid: the gid the vhost should run as with the mod_passenger module
+#
+# logmode:
+#
+# - default: Do normal logging to CustomLog and ErrorLog
+# - nologs: Send every logging to /dev/null
+# - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null
+# - semianonym: Don't log ips for CustomLog, log normal ErrorLog
+#
+# mod_security: Whether we use mod_security or not (will include mod_security module)
+# - false: don't activate mod_security
+# - true: (*defaul*) activate mod_security
+#
 define apache::vhost::passenger(
 $ensure = present,
 $domain = 'absent',
 $domainalias = 'absent',
 $server_admin = 'absent',
+ $logmode = 'default',
 $path = 'absent',
 $manage_webdir = true,
 $manage_docroot = true,
- $template_mode = 'passenger',
 $owner = root,
 $group = apache,
 $documentroot_owner = apache,
 $documentroot_group = 0,
 $documentroot_mode = 0640,
- # TODO: think of a more generic way to handle user separation
- # i.e. rename itk mode into something else
- # e.g. default, moderate (use same user for access and run), strict (use different users for access and run)
- $run_mode = 'normal',
 $run_uid = 'absent',
 $run_gid = 'absent',
 $allow_override = 'None',
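Review bot: `$template_mode` and `$run_mode` are removed from the passenger define's signature, so any existing `apache::vhost::passenger` declaration that passes either now fails compilation with an invalid-parameter error, and callers who relied on `$run_mode` for user separation silently lose it because the vhost hunk below pins `run_mode => 'normal'`. This deserves an entry in the README upgrade notices, or a transitional parameter that emits `warning()` when it is set. The comment block also has `(*defaul*)` for `(*default*)`.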
@@ -27,13 +35,25 @@ define apache::vhost::passenger(
 $default_charset = 'absent',
 $mod_security = true,
 $mod_security_relevantonly = true,
+ $mod_security_rules_to_disable = [],
+ $mod_security_additional_options = 'absent',
 $ssl_mode = false,
 $vhost_mode = 'template',
+ $template_partial = 'apache/vhosts/passenger/partial.erb',
 $vhost_source = 'absent',
 $vhost_destination = 'absent',
 $htpasswd_file = 'absent',
- $htpasswd_path = 'absent'
+ $htpasswd_path = 'absent',
+ $passenger_ree = false,
+ $passenger_app = 'rails'
 ){
+
+ if $passenger_ree {
+ include ::passenger::ree::apache
+ } else {
+ include ::passenger::apache
+ }
+
 if $manage_webdir {
 # create webdir
 ::apache::vhost::webdir{$name:
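Review bot: `include ::passenger::ree::apache` / `include ::passenger::apache` run regardless of `$ensure`, whereas the file.pp and modperl.pp hunks of this commit wrap their module includes in `if $ensure != 'absent' { … }`; an absent passenger vhost therefore still pulls the passenger apache classes into the catalog. Wrapping the if/else in the same guard keeps the defines consistent. `$passenger_app` accepts any string but only `'rails'` is distinguished further down, so a header line such as `# passenger_app: 'rails' (default) or any other value for a rack application` would document the contract.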
@@ -41,26 +61,62 @@ define apache::vhost::passenger( path => $path, owner => $owner, group => $group, - run_mode => $run_mode, + mode => 0644, + run_mode => 'normal', manage_docroot => $manage_docroot, documentroot_owner => $documentroot_owner, - documentroot_group => $documentroot_group, + documentroot_group => $run_gid, documentroot_mode => $documentroot_mode, } } + $real_path = $path ? { + 'absent' => $::operatingsystem ? { + openbsd => "/var/www/htdocs/${name}", + default => "/var/www/vhosts/${name}" + }, + default => $path + } + file{ + ["${real_path}/www/tmp", "${real_path}/www/log"]: + ensure => directory, + owner => $documentroot_owner, group => $run_gid, mode => 0660; + ["${real_path}/www/public", "${real_path}/gems"]: + ensure => directory, + owner => $documentroot_owner, group => $run_gid, mode => 0640; + } + if $passenger_app == 'rails' { + file{ + "${real_path}/www/config": + ensure => directory, + owner => $documentroot_owner, group => $run_gid, mode => 0640; + "${real_path}/www/config/environment.rb": + ensure => present, + owner => $run_uid, group => $run_gid, mode => 0640; + } + } else { + #rack based + file{ + "${real_path}/www/config.ru": + ensure => present, + owner => $run_uid, group => $run_gid, mode => 0640; + } + } # create vhost configuration file ::apache::vhost{$name: ensure => $ensure, - path => $path, - template_mode => $template_mode, + path => "${real_path}/www/public", + path_is_webdir => true, + template_partial => $template_partial, + logmode => $logmode, + logpath => "${real_path}/logs", vhost_mode => $vhost_mode, vhost_source => $vhost_source, vhost_destination => $vhost_destination, domain => $domain, domainalias => $domainalias, server_admin => $server_admin, - run_mode => 'itk', + run_mode => 'normal', run_uid => $run_uid, run_gid => $run_gid, allow_override => $allow_override, 
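Review bot: `$run_uid` and `$run_gid` default to `'absent'` (visible in the first passenger hunk) and are now used directly as `owner`/`group` of the tmp, log, public, gems, config and environment.rb resources, so a declaration that leaves them unset produces file resources for a user and a group literally named `absent`; add `if $run_uid == 'absent' or $run_gid == 'absent' { fail("apache::vhost::passenger ${name}: run_uid and run_gid are required") }` before the file block. The vhost gets `logpath => "${real_path}/logs"`, but the directory managed here is `${real_path}/www/log`, and nothing visible creates `${real_path}/logs`, so check which of the two the log directory is meant to be. `$documentroot_group` remains a parameter but is no longer passed to the webdir (replaced by `$run_gid`), so a caller setting it is silently ignored.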
@@ -73,6 +129,9 @@ define apache::vhost::passenger(
 htpasswd_path => $htpasswd_path,
 mod_security => $mod_security,
 mod_security_relevantonly => $mod_security_relevantonly,
+ mod_security_rules_to_disable => $mod_security_rules_to_disable,
+ mod_security_additional_options => $mod_security_additional_options,
+ gempath => "${real_path}/gems"
 }
 }
diff --git a/manifests/vhost/php/drupal.pp b/manifests/vhost/php/drupal.pp
index f23a434..4025ada 100644
--- a/manifests/vhost/php/drupal.pp
+++ b/manifests/vhost/php/drupal.pp
@@ -1,20 +1,42 @@ -# run_mode: -# - normal: nothing special (*default*) -# - itk: apache is running with the itk module -# and run_uid and run_gid are used as vhost users +# run_mode: controls in which mode the vhost should be run, there are different setups +# possible: +# - normal: (*default*) run vhost with the current active worker (default: prefork) don't +# setup anything special +# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination +# with 'proxy-itk' & 'static-itk' mode) +# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the +# requests for the itk setup, that listens only on the loobpack device. +# (Incompatibility: cannot be used in combination with the itk setup.) +# - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static +# content and proxies the dynamic calls to the itk setup, that listens only on +# the loobpack device (Incompatibility: cannot be used in combination with +# 'itk' mode) +# # run_uid: the uid the vhost should run as with the itk module # run_gid: the gid the vhost should run as with the itk module +# +# mod_security: Whether we use mod_security or not (will include mod_security module) +# - false: don't activate mod_security +# - true: (*default*) activate mod_security +# # php_safe_mode_exec_bins: An array of local binaries which should be linked in the # safe_mode_exec_bin for this hosting # *default*: None # php_default_charset: default charset header for php. 
# *default*: absent, which will set the same as default_charset # of apache +# logmode: +# - default: Do normal logging to CustomLog and ErrorLog +# - nologs: Send every logging to /dev/null +# - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null +# - semianonym: Don't log ips for CustomLog, log normal ErrorLog +# define apache::vhost::php::drupal( $ensure = present, $domain = 'absent', $domainalias = 'absent', $server_admin = 'absent', + $logmode = 'default', $path = 'absent', $owner = root, $group = apache, @@ -25,18 +47,19 @@ define apache::vhost::php::drupal( $run_uid = 'absent', $run_gid = 'absent', $allow_override = 'None', - $php_upload_tmp_dir = 'absent', - $php_session_save_path = 'absent', - $php_safe_mode_exec_bins = 'absent', - $php_default_charset = 'absent', + $php_settings = {}, + $php_options = {}, $do_includes = false, $options = 'absent', $additional_options = 'absent', $default_charset = 'absent', $mod_security = true, $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', $ssl_mode = false, $vhost_mode = 'template', + $template_partial = 'apache/vhosts/php_drupal/partial.erb', $vhost_source = 'absent', $vhost_destination = 'absent', $htpasswd_file = 'absent', @@ -47,7 +70,7 @@ define apache::vhost::php::drupal( $manage_cron = true ){ $documentroot = $path ? { - 'absent' => $operatingsystem ? { + 'absent' => $::operatingsystem ? { openbsd => "/var/www/htdocs/${name}/www", default => "/var/www/vhosts/${name}/www" }, 
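Review bot: In the `@@ -25,18 +47,19 @@` hunk the four `php_upload_tmp_dir`/`php_session_save_path`/`php_safe_mode_exec_bins`/`php_default_charset` parameters are dropped in favour of `$php_settings = {}` and `$php_options = {}`, which breaks every existing drupal declaration that set one of them; the same replacement is made in the gallery2, joomla and mediawiki hunks of this commit. A header comment describing the keys expected in `$php_settings` and how `$php_options` differs from it is missing, e.g. `# php_settings: hash of php.ini directives for this vhost, merged over the drupal defaults`. The define's body continues past this hunk.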
@@ -55,10 +78,25 @@ define apache::vhost::php::drupal( } if $manage_cron { - file{"/etc/cron.d/drupal_cron_${name}": - content => "0 * * * * apache wget -O - -q -t 1 http://${doamin}/cron.php\n", - owner => root, group => 0, mode => 0644; - } + if $domain == 'absent' { + $real_domain = $name + } else { + $real_domain = $domain + } + + file{"/etc/cron.d/drupal_cron_${name}": + content => "0 * * * * apache wget -O - -q -t 1 http://${real_domain}/cron.php\n", + owner => root, group => 0, mode => 0644; + } + } + + $std_drupal_php_settings = { + magic_quotes_gpc => 0, + register_globals => 0, + 'session.auto_start' => 0, + 'mbstring.http_input' => 'pass', + 'mbstring.http_output' => 'pass', + 'mbstring.encoding_translation' => 0, } # create vhost configuration file @@ -67,8 +105,8 @@ define apache::vhost::php::drupal( domain => $domain, domainalias => $domainalias, server_admin => $server_admin, + logmode => $logmode, path => $path, - template_mode => 'php_drupal', owner => $owner, group => $group, documentroot_owner => $documentroot_owner, 
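Review bot: The cron file resource carries no `ensure`, so a vhost declared with `ensure => absent` keeps its hourly `wget` against `http://${real_domain}/cron.php` in `/etc/cron.d`; add `ensure => $ensure,` to `file{"/etc/cron.d/drupal_cron_${name}":`. The job also always uses plain http although the define accepts `$ssl_mode`, so for an https-only vhost the request is redirected or refused; the scheme should probably follow that parameter. The `$real_domain` derivation fixes the old `${doamin}` typo correctly.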
@@ -78,18 +116,19 @@ define apache::vhost::php::drupal(
 run_uid => $run_uid,
 run_gid => $run_gid,
 allow_override => $allow_override,
- php_upload_tmp_dir => $php_upload_tmp_dir,
- php_session_save_path => $php_session_save_path,
- php_safe_mode_exec_bins => $php_safe_mode_exec_bins,
- php_default_charset => $php_default_charset,
+ php_settings =>merge($std_drupal_php_settings, $php_settings),
+ php_options => $php_options,
 do_includes => $do_includes,
 options => $options,
 additional_options => $additional_options,
 default_charset => $default_charset,
 mod_security => $mod_security,
 mod_security_relevantonly => $mod_security_relevantonly,
+ mod_security_rules_to_disable => $mod_security_rules_to_disable,
+ mod_security_additional_options => $mod_security_additional_options,
 ssl_mode => $ssl_mode,
 vhost_mode => $vhost_mode,
+ template_partial => $template_partial,
 vhost_source => $vhost_source,
 vhost_destination => $vhost_destination,
 htpasswd_file => $htpasswd_file,
diff --git a/manifests/vhost/php/gallery2.pp b/manifests/vhost/php/gallery2.pp
index 19240e9..d1876ff 100644
--- a/manifests/vhost/php/gallery2.pp
+++ b/manifests/vhost/php/gallery2.pp
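Review bot: `merge($std_drupal_php_settings, $php_settings)` lets the right-hand caller hash override the hardening defaults (`register_globals`, `magic_quotes_gpc`, `session.auto_start`) silently; if those are meant as a floor rather than a default, reverse the argument order, otherwise a comment such as `# caller-supplied php_settings win over the drupal defaults` documents the intent. `php_settings =>merge(` is also missing the space after `=>` that every other line of this call has.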
@@ -1,20 +1,41 @@ -# run_mode: -# - normal: nothing special (*default*) -# - itk: apache is running with the itk module -# and run_uid and run_gid are used as vhost users +# run_mode: controls in which mode the vhost should be run, there are different setups +# possible: +# - normal: (*default*) run vhost with the current active worker (default: prefork) don't +# setup anything special +# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination +# with 'proxy-itk' & 'static-itk' mode) +# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the +# requests for the itk setup, that listens only on the loobpack device. +# (Incompatibility: cannot be used in combination with the itk setup.) +# - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static +# content and proxies the dynamic calls to the itk setup, that listens only on +# the loobpack device (Incompatibility: cannot be used in combination with +# 'itk' mode) +# # run_uid: the uid the vhost should run as with the itk module # run_gid: the gid the vhost should run as with the itk module +# +# mod_security: Whether we use mod_security or not (will include mod_security module) +# - false: (*defaul*) don't activate mod_security +# - true: activate mod_security +# # php_safe_mode_exec_bins: An array of local binaries which should be linked in the # safe_mode_exec_bin for this hosting # *default*: None # php_default_charset: default charset header for php. 
# *default*: absent, which will set the same as default_charset # of apache +# logmode: +# - default: Do normal logging to CustomLog and ErrorLog +# - nologs: Send every logging to /dev/null +# - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null +# - semianonym: Don't log ips for CustomLog, log normal ErrorLog define apache::vhost::php::gallery2( $ensure = present, $domain = 'absent', $domainalias = 'absent', $server_admin = 'absent', + $logmode = 'default', $path = 'absent', $owner = root, $group = apache, 
@@ -25,49 +46,98 @@ define apache::vhost::php::gallery2( $run_uid = 'absent', $run_gid = 'absent', $allow_override = 'None', - $php_upload_tmp_dir = 'absent', - $php_session_save_path = 'absent', - $php_safe_mode_exec_bins = 'absent', - $php_default_charset = 'absent', + $php_settings = {}, + $php_options = {}, $do_includes = false, $options = 'absent', $additional_options = 'absent', $default_charset = 'absent', - $mod_security = true, + $mod_security = false, $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', $ssl_mode = false, $vhost_mode = 'template', + $template_partial = 'apache/vhosts/php_gallery2/partial.erb', $vhost_source = 'absent', $vhost_destination = 'absent', $htpasswd_file = 'absent', $htpasswd_path = 'absent', $manage_config = true, $config_webwriteable = false, - $manage_directories = true + $manage_directories = true, + $upload_dir = 'present' ){ $documentroot = $path ? { - 'absent' => $operatingsystem ? { + 'absent' => $::operatingsystem ? { openbsd => "/var/www/htdocs/${name}/www", default => "/var/www/vhosts/${name}/www" }, default => "${path}/www" } $gdatadir = $path ? { - 'absent' => $operatingsystem ? { + 'absent' => $::operatingsystem ? { openbsd => "/var/www/htdocs/${name}/g2data", default => "/var/www/vhosts/${name}/g2data" }, default => "${path}/g2data" } - file{$gdatadir: - ensure => $ensure ? { - 'present' => directory, - default => absent - }, - owner => $documentroot_owner, - group => $documentroot_group, - mode => 0660; + if ($upload_dir == 'present') or ($upload_dir == 'absent') { + $real_upload_dir = $::operatingsystem ? { + openbsd => "/var/www/htdocs/${name}/upload", + default => "/var/www/vhosts/${name}/upload" + } + } else { + $real_upload_dir = $upload_dir } + file{ + $gdatadir: + ensure => $ensure ? 
{ + 'present' => directory, + default => absent + }, + owner => $documentroot_owner, group => $documentroot_group, mode => 0660; + $real_upload_dir: + owner => $documentroot_owner, group => $documentroot_group, mode => 0660; + } + if ($ensure == 'absent') or ($upload_dir == 'absent') { + File[$real_upload_dir]{ + ensure => absent, + purge => true, + force => true, + recurse => true + } + } else { + File[$real_upload_dir]{ + ensure => directory + } + } + + $gallery_php_settings = { + safe_mode => 'Off', + output_buffering => 'Off', + } + + # php upload_tmp_dir + case $php_settings[upload_tmp_dir] { + '',undef: { + $php_settings[upload_tmp_dir] = "/var/www/upload_tmp_dir/$name" + } + } + # php session_save_path + case $php_settings['session.save_path'] { + '',undef: { + $php_settings['session.save_path'] = "/var/www/session.save_path/$name" + } + } + + if $upload_dir != 'absent' { + $gallery_php_settings[open_basedir] = "${documentroot}:${php_settings[upload_tmp_dir]}:${php_settings['session.save_path']}:${gdatadir}:${real_upload_dir}" + } else { + $gallery_php_settings[open_basedir] = "${documentroot}:${php_settings[upload_tmp_dir]}:${php_settings['session.save_path']}:${gdatadir}" + } + + $real_php_settings = merge($gallery_php_settings,$php_settings) # create vhost configuration file ::apache::vhost::php::webapp{$name: @@ -75,8 +145,8 @@ define apache::vhost::php::gallery2( domain => $domain, domainalias => $domainalias, server_admin => $server_admin, + logmode => $logmode, path => $path, - template_mode => 'php_gallery2', owner => $owner, group => $group, documentroot_owner => $documentroot_owner, 
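Review bot: `$php_settings[upload_tmp_dir] = …` and `$php_settings['session.save_path'] = …` assign into a hash that is a define parameter; in the Puppet versions this module targets, element assignment only works for a key that does not exist yet, so a caller passing the key with an empty value — which the `''` case arm explicitly accepts — hits a compile error, and the later `${php_settings[...]}` reads in `open_basedir` depend on that assignment. Computing into new variables (`$real_upload_tmp_dir`, `$real_session_save_path`) and folding them into `$gallery_php_settings` avoids mutating the parameter. Both of those strings interpolate a bare `$name` while the rest of this commit converts such uses to `${name}`. The default of `$mod_security` flips from `true` to `false` for gallery2 only; a one-line comment on why gallery2 needs the engine off by default would stop a later reviewer from reverting it.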
@@ -86,18 +156,19 @@ define apache::vhost::php::gallery2( run_uid => $run_uid, run_gid => $run_gid, allow_override => $allow_override, - php_upload_tmp_dir => $php_upload_tmp_dir, - php_session_save_path => $php_session_save_path, - php_safe_mode_exec_bins => $real_php_safe_mode_exec_bins, - php_default_charset => $php_default_charset, + php_settings => $real_php_settings, + php_options => $php_options, do_includes => $do_includes, options => $options, additional_options => $additional_options, default_charset => $default_charset, mod_security => $mod_security, mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options => $mod_security_additional_options, ssl_mode => $ssl_mode, vhost_mode => $vhost_mode, + template_partial => $template_partial, vhost_source => $vhost_source, vhost_destination => $vhost_destination, htpasswd_file => $htpasswd_file, @@ -106,6 +177,5 @@ define apache::vhost::php::gallery2( manage_config => $manage_config, config_file => 'config.php', } - } diff --git a/manifests/vhost/php/global_exec_bin_dir.pp b/manifests/vhost/php/global_exec_bin_dir.pp new file mode 100644 index 0000000..cbb9803 --- /dev/null +++ b/manifests/vhost/php/global_exec_bin_dir.pp @@ -0,0 +1,6 @@ +class apache::vhost::php::global_exec_bin_dir { + file{'/var/www/php_safe_exec_bins': + ensure => directory, + owner => root, group => apache, mode => 0640; + } +} diff --git a/manifests/vhost/php/joomla.pp b/manifests/vhost/php/joomla.pp index 280792e..3962efa 100644 --- a/manifests/vhost/php/joomla.pp +++ b/manifests/vhost/php/joomla.pp 
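Review bot: `group => apache` is hard-coded for `/var/www/php_safe_exec_bins`, but this module manages apache across distributions whose server group is `www-data` or similar, so the resource fails outside the RedHat family; selecting the group on `$::operatingsystem` the way the gitweb hunk selects `logpath` keeps it portable. A comment stating what the directory is for — presumably the safe_mode_exec_bin links mentioned in the drupal and gallery2 headers — would also help, since the class is otherwise undocumented.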
@@ -1,114 +1,158 @@ -# run_mode: -# - normal: nothing special (*default*) -# - itk: apache is running with the itk module -# and run_uid and run_gid are used as vhost users +# run_mode: controls in which mode the vhost should be run, there are different setups +# possible: +# - normal: (*default*) run vhost with the current active worker (default: prefork) don't +# setup anything special +# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination +# with 'proxy-itk' & 'static-itk' mode) +# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the +# requests for the itk setup, that listens only on the loobpack device. +# (Incompatibility: cannot be used in combination with the itk setup.) +# - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static +# content and proxies the dynamic calls to the itk setup, that listens only on +# the loobpack device (Incompatibility: cannot be used in combination with +# 'itk' mode) +# # run_uid: the uid the vhost should run as with the itk module # run_gid: the gid the vhost should run as with the itk module -# php_safe_mode_exec_bins: An array of local binaries which should be linked in the -# safe_mode_exec_bin for this hosting -# *default*: None -# php_default_charset: default charset header for php. 
-# *default*: absent, which will set the same as default_charset -# of apache +# +# mod_security: Whether we use mod_security or not (will include mod_security module) +# - false: don't activate mod_security +# - true: (*default*) activate mod_security +# +# logmode: +# - default: Do normal logging to CustomLog and ErrorLog +# - nologs: Send every logging to /dev/null +# - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null +# - semianonym: Don't log ips for CustomLog, log normal ErrorLog define apache::vhost::php::joomla( - $ensure = present, - $domain = 'absent', - $domainalias = 'absent', - $server_admin = 'absent', - $path = 'absent', - $owner = root, - $group = apache, - $documentroot_owner = apache, - $documentroot_group = 0, - $documentroot_mode = 0640, - $run_mode = 'normal', - $run_uid = 'absent', - $run_gid = 'absent', - $allow_override = 'None', - $php_upload_tmp_dir = 'absent', - $php_session_save_path = 'absent', - $php_safe_mode_exec_bins = 'absent', - $php_default_charset = 'absent', - $do_includes = false, - $options = 'absent', - $additional_options = 'absent', - $default_charset = 'absent', - $mod_security = true, - $mod_security_relevantonly = true, - $ssl_mode = false, - $vhost_mode = 'template', - $vhost_source = 'absent', - $vhost_destination = 'absent', - $htpasswd_file = 'absent', - $htpasswd_path = 'absent', - $manage_config = true, - $config_webwriteable = false, - $manage_directories = true + $ensure = present, + $domain = 'absent', + $domainalias = 'absent', + $server_admin = 'absent', + $logmode = 'default', + $path = 'absent', + $owner = root, + $group = apache, + $documentroot_owner = apache, + $documentroot_group = 0, + $documentroot_mode = '0640', + $run_mode = 'normal', + $run_uid = 'absent', + $run_gid = 'absent', + $allow_override = 'None', + $php_settings = {}, + $php_options = {}, + $do_includes = false, + $options = 'absent', + $additional_options = 'absent', + $default_charset = 'absent', + $mod_security = true, + 
$mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', + $ssl_mode = false, + $vhost_mode = 'template', + $template_partial = 'apache/vhosts/php_joomla/partial.erb', + $vhost_source = 'absent', + $vhost_destination = 'absent', + $htpasswd_file = 'absent', + $htpasswd_path = 'absent', + $manage_config = true, + $config_webwriteable = false, + $manage_directories = true ){ - include ::apache::joomla + include ::apache::include::joomla - $documentroot = $path ? { - 'absent' => $operatingsystem ? { - openbsd => "/var/www/htdocs/${name}/www", - default => "/var/www/vhosts/${name}/www" - }, - default => "${path}/www" - } + $documentroot = $path ? { + 'absent' => $::operatingsystem ? { + openbsd => "/var/www/htdocs/${name}/www", + default => "/var/www/vhosts/${name}/www" + }, + default => "${path}/www" + } - # create vhost configuration file - ::apache::vhost::php::webapp{$name: - ensure => $ensure, - domain => $domain, - domainalias => $domainalias, - server_admin => $server_admin, - path => $path, - template_mode => 'php_joomla', - owner => $owner, - group => $group, - documentroot_owner => $documentroot_owner, - documentroot_group => $documentroot_group, - documentroot_mode => $documentroot_mode, - run_mode => $run_mode, - run_uid => $run_uid, - run_gid => $run_gid, - allow_override => $allow_override, - php_upload_tmp_dir => $php_upload_tmp_dir, - php_session_save_path => $php_session_save_path, - php_safe_mode_exec_bins => $php_safe_mode_exec_bins, - php_default_charset => $php_default_charset, - do_includes => $do_includes, - options => $options, - additional_options => $additional_options, - default_charset => $default_charset, - mod_security => $mod_security, - mod_security_relevantonly => $mod_security_relevantonly, - ssl_mode => $ssl_mode, - vhost_mode => $vhost_mode, - vhost_source => $vhost_source, - vhost_destination => $vhost_destination, - htpasswd_file => $htpasswd_file, - htpasswd_path => 
$htpasswd_path, - manage_directories => $manage_directories, - managed_directories => [ "$documentroot/administrator/backups", - "$documentroot/administrator/components", - "$documentroot/administrator/language", - "$documentroot/administrator/modules", - "$documentroot/administrator/templates", - "$documentroot/components", - "$documentroot/dmdocuments", - "$documentroot/images", - "$documentroot/language", - "$documentroot/media", - "$documentroot/modules", - "$documentroot/plugins", - "$documentroot/templates", - "$documentroot/cache", - "$documentroot/tmp", - "$documentroot/administrator/cache" ], - manage_config => $manage_config, - config_webwriteable => $config_webwriteable, - config_file => 'configuration.php', + if $mod_security_additional_options == 'absent' { + $id_str = $::operatingsystem ? { + 'CentOS' => $::lsbmajdistrelease ? { + 5 => '', + default => 'id:1199400,' + }, + default => '' } + $real_mod_security_additional_options = "# http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html + # Exceptions for Joomla Root Directory + <LocationMatch \"^/\"> + SecRuleRemoveById 950013 + </LocationMatch> + + # Exceptions for Joomla Administration Panel + SecRule REQUEST_FILENAME \"/administrator/index2.php\" \"${id_str}allow,phase:1,nolog,ctl:ruleEngine=Off\" + + # Exceptions for Joomla Component Expose + <LocationMatch \"^/components/com_expose/expose/manager/amfphp/gateway.php\"> + SecRuleRemoveById 960010 + </LocationMatch> +" + } else { + $real_mod_security_additional_options = $mod_security_additional_options + } + + # create vhost configuration file + ::apache::vhost::php::webapp{ + $name: + ensure => $ensure, + domain => $domain, + domainalias => $domainalias, + server_admin => $server_admin, + logmode => $logmode, + path => $path, + owner => $owner, + group => $group, + documentroot_owner => $documentroot_owner, + documentroot_group => $documentroot_group, + documentroot_mode => $documentroot_mode, + run_mode => $run_mode, + 
run_uid => $run_uid, + run_gid => $run_gid, + allow_override => $allow_override, + php_settings => $php_settings, + php_options => $php_options, + do_includes => $do_includes, + options => $options, + additional_options => $additional_options, + default_charset => $default_charset, + mod_security => $mod_security, + mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options => $real_mod_security_additional_options, + ssl_mode => $ssl_mode, + vhost_mode => $vhost_mode, + template_partial => $template_partial, + vhost_source => $vhost_source, + vhost_destination => $vhost_destination, + htpasswd_file => $htpasswd_file, + htpasswd_path => $htpasswd_path, + manage_directories => $manage_directories, + managed_directories => [ "${documentroot}/administrator/backups", + "${documentroot}/administrator/components", + "${documentroot}/administrator/language", + "${documentroot}/administrator/modules", + "${documentroot}/administrator/templates", + "${documentroot}/components", + "${documentroot}/dmdocuments", + "${documentroot}/images", + "${documentroot}/language", + "${documentroot}/media", + "${documentroot}/modules", + "${documentroot}/plugins", + "${documentroot}/templates", + "${documentroot}/cache", + "${documentroot}/tmp", + "${documentroot}/administrator/cache" ], + manage_config => $manage_config, + config_webwriteable => $config_webwriteable, + config_file => 'configuration.php', + } } diff --git a/manifests/vhost/php/mediawiki.pp b/manifests/vhost/php/mediawiki.pp index d24ada9..502af53 100644 --- a/manifests/vhost/php/mediawiki.pp +++ b/manifests/vhost/php/mediawiki.pp 
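Review bot: The default `$real_mod_security_additional_options` uses `ctl:ruleEngine=Off` for `/administrator/index2.php`, which switches ModSecurity off entirely for every request to the admin panel rather than suppressing the rule that misfires there; a `<LocationMatch>` with `SecRuleRemoveById` for the specific id(s), as the two other exceptions in the same string do, keeps the rest of the rule set active on the most sensitive path of the site. `SecRuleRemoveById 950013` is attached to `^/`, i.e. the whole vhost, which its comment should state. `$documentroot_mode = '0640'` is quoted here while the sibling defines keep `0640` bare; pick one form across the commit.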
@@ -1,20 +1,35 @@ -# run_mode: -# - normal: nothing special (*default*) -# - itk: apache is running with the itk module -# and run_uid and run_gid are used as vhost users +# run_mode: controls in which mode the vhost should be run, there are different setups +# possible: +# - normal: (*default*) run vhost with the current active worker (default: prefork) don't +# setup anything special +# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination +# with 'proxy-itk' & 'static-itk' mode) +# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the +# requests for the itk setup, that listens only on the loobpack device. +# (Incompatibility: cannot be used in combination with the itk setup.) +# - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static +# content and proxies the dynamic calls to the itk setup, that listens only on +# the loobpack device (Incompatibility: cannot be used in combination with +# 'itk' mode) +# # run_uid: the uid the vhost should run as with the itk module # run_gid: the gid the vhost should run as with the itk module -# php_safe_mode_exec_bins: An array of local binaries which should be linked in the -# safe_mode_exec_bin for this hosting -# *default*: None -# php_default_charset: default charset header for php. 
-# *default*: absent, which will set the same as default_charset -# of apache +# +# mod_security: Whether we use mod_security or not (will include mod_security module) +# - false: don't activate mod_security +# - true: (*default*) activate mod_security +# +# logmode: +# - default: Do normal logging to CustomLog and ErrorLog +# - nologs: Send every logging to /dev/null +# - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null +# - semianonym: Don't log ips for CustomLog, log normal ErrorLog define apache::vhost::php::mediawiki( $ensure = present, $domain = 'absent', $domainalias = 'absent', $server_admin = 'absent', + $logmode = 'default', $path = 'absent', $manage_docroot = true, $owner = root, @@ -25,32 +40,38 @@ define apache::vhost::php::mediawiki( $run_mode = 'normal', $run_uid = 'absent', $run_gid = 'absent', - $allow_override = 'FileInfo', - $php_upload_tmp_dir = 'absent', - $php_session_save_path = 'absent', - $php_default_charset = 'absent', - $php_safe_mode_exec_bins = 'absent', + $allow_override = 'FileInfo Limit', + $php_settings = {}, + $php_options = {}, $options = 'absent', $additional_options = 'absent', $default_charset = 'absent', $mod_security = true, $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', $ssl_mode = false, $vhost_mode = 'template', + $template_partial = 'apache/vhosts/php_mediawiki/partial.erb', $vhost_source = 'absent', $vhost_destination = 'absent', $htpasswd_file = 'absent', $htpasswd_path = 'absent' ){ + + $mediawiki_php_settings = { + safe_mode => false, + } + # create vhost configuration file ::apache::vhost::php::webapp{$name: ensure => $ensure, domain => $domain, domainalias => $domainalias, server_admin => $server_admin, + logmode => $logmode, path => $path, manage_docroot => $manage_docroot, - template_mode => 'php_mediawiki', owner => $owner, group => $group, documentroot_owner => $documentroot_owner, 
@@ -60,16 +81,18 @@ define apache::vhost::php::mediawiki(
 run_uid => $run_uid,
 run_gid => $run_gid,
 allow_override => $allow_override,
- php_upload_tmp_dir => $php_upload_tmp_dir,
- php_session_save_path => $php_session_save_path,
- php_default_charset => $php_default_charset,
+ php_settings => merge($mediawiki_php_settings,$php_settings),
+ php_options => $php_options,
 options => $options,
 additional_options => $additional_options,
 default_charset => $default_charset,
 mod_security => $mod_security,
 mod_security_relevantonly => $mod_security_relevantonly,
+ mod_security_rules_to_disable => $mod_security_rules_to_disable,
+ mod_security_additional_options => $mod_security_additional_options,
 ssl_mode => $ssl_mode,
 vhost_mode => $vhost_mode,
+ template_partial => $template_partial,
 vhost_source => $vhost_source,
 vhost_destination => $vhost_destination,
 htpasswd_file => $htpasswd_file,
diff --git a/manifests/vhost/php/safe_mode_bin.pp b/manifests/vhost/php/safe_mode_bin.pp
index e04557c..4a3574d 100644
--- a/manifests/vhost/php/safe_mode_bin.pp
+++ b/manifests/vhost/php/safe_mode_bin.pp
@@ -1,9 +1,3 @@
-# run_mode:
-# - normal: nothing special (*default*)
-# - itk: apache is running with the itk module
-# and run_uid and run_gid are used as vhost users
-# run_uid: the uid the vhost should run as with the itk module
-# run_gid: the gid the vhost should run as with the itk module
 define apache::vhost::php::safe_mode_bin(
 $ensure = 'present',
 $path
@@ -12,7 +6,7 @@ define apache::vhost::php::safe_mode_bin(
 $real_path = "$path/$substr"
 file{$real_path:
 ensure => $ensure ? {
- 'present' => regsubst($name,'^.*_',''),
+ 'present' => regsubst($name,'^.*@',''),
 default => absent,
 }
 }
diff --git a/manifests/vhost/php/silverstripe.pp b/manifests/vhost/php/silverstripe.pp
index 3838d55..da58296 100644
--- a/manifests/vhost/php/silverstripe.pp
+++ b/manifests/vhost/php/silverstripe.pp
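Review bot: Widening the default `$allow_override` from `'FileInfo'` to `'FileInfo Limit'` lets any `.htaccess` under the MediaWiki docroot override the vhost's `Order`/`Allow`/`Deny` directives, and nothing in the hunk records why; if this is to let the access-control `.htaccess` files MediaWiki ships take effect (presumably), say so next to the default: `# 'Limit' lets MediaWiki's own .htaccess files apply their Deny rules`. The new `$mediawiki_php_settings = { safe_mode => false }` also puts a boolean into a hash whose other values are strings such as `'On'` in standard.pp; how the vhost template renders `false` is outside this diff, so confirm it yields `php_admin_flag safe_mode Off` rather than an empty value. The define's body continues past the hunk.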
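Review bot: The new separator still relies on `regsubst($name,'^.*@','')` being greedy, so the symlink target is whatever follows the last `@` in the resource title, and a title without any `@` is passed through unchanged and becomes a relative `ensure` target. The `<vhost>@<absolute path>` title format is only implied by the matching `regsubst(...,"${name}@\\1")` in standard.pp; a header comment here would pin the contract, e.g. `# title format: '<vhost name>@<absolute path of the binary>'; the part after the last '@' becomes the symlink target`, and since stdlib is now required, `validate_re($name, '^.+@/', "safe_mode_bin title must be '<vhost>@/abs/path', got ${name}")` would reject malformed titles early. The define's body starts outside the hunk, so how `$substr` is derived cannot be checked here.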
@@ -1,20 +1,35 @@ -# run_mode: -# - normal: nothing special (*default*) -# - itk: apache is running with the itk module -# and run_uid and run_gid are used as vhost users +# run_mode: controls in which mode the vhost should be run, there are different setups +# possible: +# - normal: (*default*) run vhost with the current active worker (default: prefork) don't +# setup anything special +# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination +# with 'proxy-itk' & 'static-itk' mode) +# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the +# requests for the itk setup, that listens only on the loobpack device. +# (Incompatibility: cannot be used in combination with the itk setup.) +# - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static +# content and proxies the dynamic calls to the itk setup, that listens only on +# the loobpack device (Incompatibility: cannot be used in combination with +# 'itk' mode) +# # run_uid: the uid the vhost should run as with the itk module # run_gid: the gid the vhost should run as with the itk module -# php_safe_mode_exec_bins: An array of local binaries which should be linked in the -# safe_mode_exec_bin for this hosting -# *default*: None -# php_default_charset: default charset header for php. 
-# *default*: absent, which will set the same as default_charset -# of apache +# +# mod_security: Whether we use mod_security or not (will include mod_security module) +# - false: don't activate mod_security +# - true: (*default*) activate mod_security +# +# logmode: +# - default: Do normal logging to CustomLog and ErrorLog +# - nologs: Send every logging to /dev/null +# - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null +# - semianonym: Don't log ips for CustomLog, log normal ErrorLog define apache::vhost::php::silverstripe( $ensure = present, $domain = 'absent', $domainalias = 'absent', $server_admin = 'absent', + $logmode = 'default', $path = 'absent', $owner = root, $group = apache, @@ -25,18 +40,19 @@ define apache::vhost::php::silverstripe( $run_uid = 'absent', $run_gid = 'absent', $allow_override = 'None', - $php_upload_tmp_dir = 'absent', - $php_session_save_path = 'absent', - $php_safe_mode_exec_bins = 'absent', - $php_default_charset = 'absent', + $php_settings = {}, + $php_options = {}, $do_includes = false, $options = 'absent', $additional_options = 'absent', $default_charset = 'absent', $mod_security = true, $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', $ssl_mode = false, $vhost_mode = 'template', + $template_partial = 'apache/vhosts/php_silverstripe/partial.erb', $vhost_source = 'absent', $vhost_destination = 'absent', $htpasswd_file = 'absent', 
@@ -45,13 +61,18 @@ define apache::vhost::php::silverstripe( $config_webwriteable = false, $manage_directories = true ){ + + include ::apache::include::silverstripe + $documentroot = $path ? { - 'absent' => $operatingsystem ? { + 'absent' => $::operatingsystem ? { openbsd => "/var/www/htdocs/${name}/www", default => "/var/www/vhosts/${name}/www" }, default => "${path}/www" } + $modsec_rules = ["960010"] + $real_mod_security_rules_to_disable = array_union($mod_security_rules_to_disable,$modsec_rules) # create vhost configuration file ::apache::vhost::php::webapp{$name: @@ -59,8 +80,8 @@ define apache::vhost::php::silverstripe( domain => $domain, domainalias => $domainalias, server_admin => $server_admin, + logmode => $logmode, path => $path, - template_mode => 'php_silverstripe', owner => $owner, group => $group, documentroot_owner => $documentroot_owner, 
@@ -70,25 +91,25 @@ define apache::vhost::php::silverstripe( run_uid => $run_uid, run_gid => $run_gid, allow_override => $allow_override, - php_upload_tmp_dir => $php_upload_tmp_dir, - php_session_save_path => $php_session_save_path, - php_safe_mode_exec_bins => $php_safe_mode_exec_bins, - php_default_charset => $php_default_charset, + php_settings => $php_settings, + php_options => $php_options, do_includes => $do_includes, options => $options, additional_options => $additional_options, default_charset => $default_charset, mod_security => $mod_security, mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options => $mod_security_additional_options, ssl_mode => $ssl_mode, vhost_mode => $vhost_mode, + template_partial => $template_partial, vhost_source => $vhost_source, vhost_destination => $vhost_destination, htpasswd_file => $htpasswd_file, htpasswd_path => $htpasswd_path, manage_directories => $manage_directories, - managed_directories => [ "$documentroot/assets" - ], + managed_directories => [ "${documentroot}/assets" ], manage_config => $manage_config, } diff --git a/manifests/vhost/php/simplemachine.pp b/manifests/vhost/php/simplemachine.pp index f1ea170..b5178da 100644 --- a/manifests/vhost/php/simplemachine.pp +++ b/manifests/vhost/php/simplemachine.pp 
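Review bot: `$real_mod_security_rules_to_disable` is computed with `array_union($mod_security_rules_to_disable,$modsec_rules)` earlier in this define, but the webapp call still passes the raw parameter, `mod_security_rules_to_disable => $mod_security_rules_to_disable,`, so the intended default exclusion of rule 960010 never reaches the vhost; typo3.pp in the same commit passes the `$real_` variable, and this line should read `mod_security_rules_to_disable => $real_mod_security_rules_to_disable,`. Rule 960010 is, in the Core Rule Set versions of that era, the request Content-Type policy check, so once it is really disabled a one-line comment at the `$modsec_rules` definition naming which SilverStripe request it breaks would help the next reviewer. The `$real_...` assignment sits in the preceding hunk.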
@@ -1,20 +1,35 @@ -# run_mode: -# - normal: nothing special (*default*) -# - itk: apache is running with the itk module -# and run_uid and run_gid are used as vhost users +# run_mode: controls in which mode the vhost should be run, there are different setups +# possible: +# - normal: (*default*) run vhost with the current active worker (default: prefork) don't +# setup anything special +# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination +# with 'proxy-itk' & 'static-itk' mode) +# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the +# requests for the itk setup, that listens only on the loobpack device. +# (Incompatibility: cannot be used in combination with the itk setup.) +# - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static +# content and proxies the dynamic calls to the itk setup, that listens only on +# the loobpack device (Incompatibility: cannot be used in combination with +# 'itk' mode) +# # run_uid: the uid the vhost should run as with the itk module # run_gid: the gid the vhost should run as with the itk module -# php_safe_mode_exec_bins: An array of local binaries which should be linked in the -# safe_mode_exec_bin for this hosting -# *default*: None -# php_default_charset: default charset header for php. 
-# *default*: absent, which will set the same as default_charset -# of apache +# +# mod_security: Whether we use mod_security or not (will include mod_security module) +# - false: don't activate mod_security +# - true: (*default*) activate mod_security +# +# logmode: +# - default: Do normal logging to CustomLog and ErrorLog +# - nologs: Send every logging to /dev/null +# - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null +# - semianonym: Don't log ips for CustomLog, log normal ErrorLog define apache::vhost::php::simplemachine( $ensure = present, $domain = 'absent', $domainalias = 'absent', $server_admin = 'absent', + $logmode = 'default', $path = 'absent', $owner = root, $group = apache, @@ -25,18 +40,19 @@ define apache::vhost::php::simplemachine( $run_uid = 'absent', $run_gid = 'absent', $allow_override = 'None', - $php_upload_tmp_dir = 'absent', - $php_session_save_path = 'absent', - $php_safe_mode_exec_bins = 'absent', - $php_default_charset = 'absent', + $php_settings = {}, + $php_options = {}, $do_includes = false, $options = 'absent', $additional_options = 'absent', $default_charset = 'absent', $mod_security = true, $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', $ssl_mode = false, $vhost_mode = 'template', + $template_partial = 'apache/vhosts/php/partial.erb', $vhost_source = 'absent', $vhost_destination = 'absent', $htpasswd_file = 'absent', @@ -46,7 +62,7 @@ define apache::vhost::php::simplemachine( $manage_directories = true ){ $documentroot = $path ? { - 'absent' => $operatingsystem ? { + 'absent' => $::operatingsystem ? { openbsd => "/var/www/htdocs/${name}/www", default => "/var/www/vhosts/${name}/www" }, 
@@ -59,8 +75,8 @@ define apache::vhost::php::simplemachine( domain => $domain, domainalias => $domainalias, server_admin => $server_admin, + logmode => $logmode, path => $path, - template_mode => 'php_simplemachine', owner => $owner, group => $group, documentroot_owner => $documentroot_owner, @@ -70,30 +86,35 @@ define apache::vhost::php::simplemachine( run_uid => $run_uid, run_gid => $run_gid, allow_override => $allow_override, - php_upload_tmp_dir => $php_upload_tmp_dir, - php_session_save_path => $php_session_save_path, - php_safe_mode_exec_bins => $php_safe_mode_exec_bins, - php_default_charset => $php_default_charset, + php_settings => $php_settings, + php_options => $php_options, do_includes => $do_includes, options => $options, additional_options => $additional_options, default_charset => $default_charset, mod_security => $mod_security, mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options => $mod_security_additional_options, ssl_mode => $ssl_mode, vhost_mode => $vhost_mode, + template_partial => $template_partial, vhost_source => $vhost_source, vhost_destination => $vhost_destination, htpasswd_file => $htpasswd_file, htpasswd_path => $htpasswd_path, manage_directories => $manage_directories, managed_directories => [ - "$documentroot/attachments", - "$documentroot/Packages", - "$documentroot/Themes", - "$documentroot/agreement.txt", - "$documentroot/Packages/installed.list", - "$documentroot/avatars" ], + "${documentroot}/agreement.txt", + "${documentroot}/attachments", + "${documentroot}/avatars", + "${documentroot}/cache", + "${documentroot}/Packages", + "${documentroot}/Packages/installed.list", + "${documentroot}/Smileys", + "${documentroot}/Themes", + "${documentroot}/Themes/default/languages/Install.english.php" + ], manage_config => $manage_config, config_webwriteable => $config_webwriteable, config_file => 'Settings.php', 
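Review bot: The new `managed_directories` entries include two PHP/config-bearing files, `"${documentroot}/Themes/default/languages/Install.english.php"` and `"${documentroot}/Packages/installed.list"`, next to `agreement.txt`; if `manage_directories` hands these to the vhost run user as writable (webapp.pp is not in this diff, so I cannot confirm), a writable `.php` file under the docroot gives any compromised request handler a persistent code-execution drop point. SMF's installer asks for these to be writable, presumably only while it runs, so consider documenting that, e.g. `# Install.english.php / installed.list are required writable by the SMF installer; tighten once installed`, or gating them behind a separate parameter that defaults to false.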
diff --git a/manifests/vhost/php/spip.pp b/manifests/vhost/php/spip.pp index 5064e77..5f4ffdb 100644 --- a/manifests/vhost/php/spip.pp +++ b/manifests/vhost/php/spip.pp 
@@ -1,20 +1,35 @@ -# run_mode: -# - normal: nothing special (*default*) -# - itk: apache is running with the itk module -# and run_uid and run_gid are used as vhost users +# run_mode: controls in which mode the vhost should be run, there are different setups +# possible: +# - normal: (*default*) run vhost with the current active worker (default: prefork) don't +# setup anything special +# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination +# with 'proxy-itk' & 'static-itk' mode) +# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the +# requests for the itk setup, that listens only on the loobpack device. +# (Incompatibility: cannot be used in combination with the itk setup.) +# - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static +# content and proxies the dynamic calls to the itk setup, that listens only on +# the loobpack device (Incompatibility: cannot be used in combination with +# 'itk' mode) +# # run_uid: the uid the vhost should run as with the itk module # run_gid: the gid the vhost should run as with the itk module -# php_safe_mode_exec_bins: An array of local binaries which should be linked in the -# safe_mode_exec_bin for this hosting -# *default*: None -# php_default_charset: default charset header for php. 
-# *default*: absent, which will set the same as default_charset -# of apache +# +# mod_security: Whether we use mod_security or not (will include mod_security module) +# - false: don't activate mod_security +# - true: (*default*) activate mod_security +# +# logmode: +# - default: Do normal logging to CustomLog and ErrorLog +# - nologs: Send every logging to /dev/null +# - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null +# - semianonym: Don't log ips for CustomLog, log normal ErrorLog define apache::vhost::php::spip( $ensure = present, $domain = 'absent', $domainalias = 'absent', $server_admin = 'absent', + $logmode = 'default', $path = 'absent', $owner = root, $group = apache, @@ -25,16 +40,17 @@ define apache::vhost::php::spip( $run_uid = 'absent', $run_gid = 'absent', $allow_override = 'FileInfo', - $php_upload_tmp_dir = 'absent', - $php_session_save_path = 'absent', - $php_safe_mode_exec_bins = 'absent', - $php_default_charset = 'absent', + $php_settings = {}, + $php_options = {}, + $template_partial = 'apache/vhosts/php/partial.erb', $do_includes = false, $options = 'absent', $additional_options = 'absent', $default_charset = 'absent', $mod_security = true, $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', $ssl_mode = false, $vhost_mode = 'template', $vhost_source = 'absent', @@ -43,7 +59,7 @@ define apache::vhost::php::spip( $htpasswd_path = 'absent' ){ $documentroot = $path ? { - 'absent' => $operatingsystem ? { + 'absent' => $::operatingsystem ? { openbsd => "/var/www/htdocs/${name}/www", default => "/var/www/vhosts/${name}/www" }, @@ -56,8 +72,8 @@ define apache::vhost::php::spip( domain => $domain, domainalias => $domainalias, server_admin => $server_admin, + logmode => $logmode, path => $path, - template_mode => 'php_spip', owner => $owner, group => $group, documentroot_owner => $documentroot_owner, 
@@ -67,23 +83,29 @@ define apache::vhost::php::spip( run_uid => $run_uid, run_gid => $run_gid, allow_override => $allow_override, - php_upload_tmp_dir => $php_upload_tmp_dir, - php_session_save_path => $php_session_save_path, - php_safe_mode_exec_bins => $php_safe_mode_exec_bins, - php_default_charset => $php_default_charset, + php_settings => $php_settings, + php_options => $php_options, do_includes => $do_includes, options => $options, additional_options => $additional_options, default_charset => $default_charset, mod_security => $mod_security, mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options=> $mod_security_additional_options, ssl_mode => $ssl_mode, vhost_mode => $vhost_mode, + template_partial => $template_partial, vhost_source => $vhost_source, vhost_destination => $vhost_destination, htpasswd_file => $htpasswd_file, htpasswd_path => $htpasswd_path, - managed_directories => [ "$documentroot/IMG", "$documentroot/tmp", "$documentroot/local", "$documentroot/config" ], + managed_directories => [ + "${documentroot}/IMG", + "${documentroot}/tmp", + "${documentroot}/local", + "${documentroot}/config" + ], manage_config => false, } } diff --git a/manifests/vhost/php/standard.pp b/manifests/vhost/php/standard.pp index 6a83a42..53fa8f9 100644 --- a/manifests/vhost/php/standard.pp +++ b/manifests/vhost/php/standard.pp 
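Review bot: `mod_security_additional_options=> $mod_security_additional_options,` is missing the space before `=>` that every other parameter in this call has, and the `=>` column is otherwise aligned; write it `mod_security_additional_options => $mod_security_additional_options,`. The rest of the hunk is a pass-through of the new parameters and the reformatted `managed_directories` list.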
@@ -1,24 +1,40 @@ -# run_mode: -# - normal: nothing special (*default*) -# - itk: apache is running with the itk module -# and run_uid and run_gid are used as vhost users +# run_mode: controls in which mode the vhost should be run, there are different setups +# possible: +# - normal: (*default*) run vhost with the current active worker (default: prefork) don't +# setup anything special +# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination +# with 'proxy-itk' & 'static-itk' mode) +# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the +# requests for the itk setup, that listens only on the loobpack device. +# (Incompatibility: cannot be used in combination with the itk setup.) +# - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static +# content and proxies the dynamic calls to the itk setup, that listens only on +# the loobpack device (Incompatibility: cannot be used in combination with +# 'itk' mode) +# # run_uid: the uid the vhost should run as with the itk module # run_gid: the gid the vhost should run as with the itk module -# php_safe_mode_exec_bins: An array of local binaries which should be linked in the -# safe_mode_exec_bin for this hosting -# *default*: None -# php_default_charset: default charset header for php. 
-# *default*: absent, which will set the same as default_charset -# of apache +# +# mod_security: Whether we use mod_security or not (will include mod_security module) +# - false: don't activate mod_security +# - true: (*default*) activate mod_security +# +# logmode: +# - default: Do normal logging to CustomLog and ErrorLog +# - nologs: Send every logging to /dev/null +# - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null +# - semianonym: Don't log ips for CustomLog, log normal ErrorLog define apache::vhost::php::standard( $ensure = present, $domain = 'absent', $domainalias = 'absent', $server_admin = 'absent', + $logmode = 'default', + $logpath = 'absent', $path = 'absent', $manage_webdir = true, + $path_is_webdir = false, $manage_docroot = true, - $template_mode = 'php', $owner = root, $group = apache, $documentroot_owner = apache, @@ -28,15 +44,8 @@ define apache::vhost::php::standard( $run_uid = 'absent', $run_gid = 'absent', $allow_override = 'None', - $php_upload_tmp_dir = 'absent', - $php_session_save_path = 'absent', - $php_use_smarty = false, - $php_use_pear = false, - $php_safe_mode = true, - $php_safe_mode_exec_bins = 'absent', - $php_default_charset = 'absent', - $php_additional_open_basedirs = 'absent', - $php_additional_options = 'absent', + $php_settings = {}, + $php_options = {}, $do_includes = false, $options = 'absent', $additional_options = 'absent', 
@@ -44,95 +53,179 @@ define apache::vhost::php::standard( $use_mod_macro = false, $mod_security = true, $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', $ssl_mode = false, $vhost_mode = 'template', + $template_partial = 'apache/vhosts/php/partial.erb', $vhost_source = 'absent', $vhost_destination = 'absent', $htpasswd_file = 'absent', $htpasswd_path = 'absent' ){ - $real_php_default_charset = $php_default_charset ? { - 'absent' => $default_charset ? { - 'On' => 'iso-8859-1', - default => $default_charset - }, - default => $php_default_charset - } - - ::apache::vhost::phpdirs{"${name}": + if $manage_webdir { + # create webdir + ::apache::vhost::webdir{$name: ensure => $ensure, - php_upload_tmp_dir => $php_upload_tmp_dir, - php_session_save_path => $php_session_save_path, + path => $path, + owner => $owner, + group => $group, + run_mode => $run_mode, + manage_docroot => $manage_docroot, documentroot_owner => $documentroot_owner, documentroot_group => $documentroot_group, documentroot_mode => $documentroot_mode, - run_mode => $run_mode, - run_uid => $run_uid, + } } - $php_safe_mode_exec_bin_dir = $path ? { - 'absent' => $operatingsystem ? { - openbsd => "/var/www/htdocs/${name}/bin", - default => "/var/www/vhosts/${name}/bin" - }, - default => "${path}/bin" + $real_path = $path ? { + 'absent' => $::operatingsystem ? { + openbsd => "/var/www/htdocs/${name}", + default => "/var/www/vhosts/${name}" + }, + default => $path + } + + if $path_is_webdir { + $documentroot = $real_path + } else { + $documentroot = "${real_path}/www" + } + $logdir = $logpath ? 
{ + 'absent' => "$real_path/logs", + default => $logpath } - file{$php_safe_mode_exec_bin_dir: + + $std_php_options = { + smarty => false, + pear => false, + } + $real_php_options = merge($std_php_options,$php_options) + + if $real_php_options[smarty] { + include php::extensions::smarty + $smarty_path = '/usr/share/php/Smarty/:' + } else { + $smarty_path = '' + } + + if $real_php_options[pear] { + $pear_path = '/usr/share/pear/:' + } else { + $pear_path = '' + } + + + $std_php_settings = { + engine => 'On', + upload_tmp_dir => "/var/www/upload_tmp_dir/${name}", + 'session.save_path' => "/var/www/session.save_path/${name}", + open_basedir => "${smarty_path}${pear_path}${documentroot}:/var/www/upload_tmp_dir/${name}:/var/www/session.save_path/${name}", + safe_mode => 'On', + } + if $logmode != 'nologs' { + $std_php_settings[error_log] = "${logdir}/php_error_log" + } + if $run_mode == 'fcgid' { + $std_php_settings[safe_mode_gid] = 'On' + } + + if has_key($php_settings,'safe_mode_exec_dir') { + $php_safe_mode_exec_dir = $php_settings[safe_mode_exec_dir] + } else { + $php_safe_mode_exec_dir = $path ? { + 'absent' => $::operatingsystem ? { + openbsd => "/var/www/htdocs/${name}/bin", + default => "/var/www/vhosts/${name}/bin" + }, + default => "${path}/bin" + } + } + file{$php_safe_mode_exec_dir: recurse => true, force => true, purge => true, } - if $php_safe_mode_exec_bins != 'absent' { - File[$php_safe_mode_exec_bin_dir]{ + if has_key($php_options,'safe_mode_exec_bins') { + $std_php_settings[safe_mode_exec_dir] = $php_safe_mode_exec_dir + File[$php_safe_mode_exec_dir]{ ensure => $ensure ? 
{ 'present' => directory, default => absent, }, - source => "puppet://$server/modules/common/empty", owner => $documentroot_owner, group => $documentroot_group, mode => 0750, } - $php_safe_mode_exec_bins_subst = regsubst($php_safe_mode_exec_bins,"(.+)","${name}_\\1") + $php_safe_mode_exec_bins_subst = regsubst($php_options[safe_mode_exec_bins],"(.+)","${name}@\\1") apache::vhost::php::safe_mode_bin{ $php_safe_mode_exec_bins_subst: ensure => $ensure, - path => $php_safe_mode_exec_bin_dir + path => $php_safe_mode_exec_dir } }else{ - File[$php_safe_mode_exec_bin_dir]{ + File[$php_safe_mode_exec_dir]{ ensure => absent, } } - if $php_use_smarty { - include php::extensions::smarty + if !has_key($php_settings,'default_charset') { + if $default_charset != 'absent' { + $std_php_settings[default_charset] = $default_charset ? { + 'On' => 'iso-8859-1', + default => $default_charset + } + } } - if $manage_webdir { - # create webdir - ::apache::vhost::webdir{$name: + $real_php_settings = merge($std_php_settings,$php_settings) + + if $ensure != 'absent' { + case $run_mode { + 'proxy-itk','static-itk': { + include ::php::itk_plus + } + 'itk': { include ::php::itk } + 'fcgid': { + include ::mod_fcgid + include ::php::mod_fcgid + include apache::include::mod_fcgid + + mod_fcgid::starter {$name: + cgi_type => 'php', + cgi_type_options => $real_php_settings, + owner => $run_uid, + group => $run_gid, + notify => Service['apache'], + } + } + default: { include ::php } + } + } + + ::apache::vhost::phpdirs{"${name}": ensure => $ensure, - path => $path, - owner => $owner, - group => $group, - run_mode => $run_mode, - manage_docroot => $manage_docroot, + php_upload_tmp_dir => $real_php_settings[upload_tmp_dir], + php_session_save_path => $real_php_settings['session.save_path'], documentroot_owner => $documentroot_owner, documentroot_group => $documentroot_group, documentroot_mode => $documentroot_mode, - } + run_mode => $run_mode, + run_uid => $run_uid, } # create vhost configuration file 
::apache::vhost{$name: ensure => $ensure, path => $path, - template_mode => $template_mode, + path_is_webdir => $path_is_webdir, vhost_mode => $vhost_mode, + template_partial => $template_partial, vhost_source => $vhost_source, vhost_destination => $vhost_destination, domain => $domain, domainalias => $domainalias, server_admin => $server_admin, + logmode => $logmode, + logpath => $logpath, run_mode => $run_mode, run_uid => $run_uid, run_gid => $run_gid, @@ -141,21 +234,17 @@ define apache::vhost::php::standard( options => $options, additional_options => $additional_options, default_charset => $default_charset, - php_safe_mode_exec_bin_dir => $php_safe_mode_exec_bin_dir, - php_upload_tmp_dir => $php_upload_tmp_dir, - php_session_save_path => $php_session_save_path, - php_use_smarty => $php_use_smarty, - php_use_pear => $php_use_pear, - php_safe_mode => $php_safe_mode, - php_default_charset => $real_php_default_charset, - php_additional_open_basedirs => $php_additional_open_basedirs, - php_additional_options => $php_additional_options, + php_settings => $real_php_settings, + php_options => $real_php_options, ssl_mode => $ssl_mode, htpasswd_file => $htpasswd_file, htpasswd_path => $htpasswd_path, mod_security => $mod_security, mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options => $mod_security_additional_options, use_mod_macro => $use_mod_macro, + passing_extension => 'php', } } diff --git a/manifests/vhost/php/typo3.pp b/manifests/vhost/php/typo3.pp index dec227c..a9f12d8 100644 --- a/manifests/vhost/php/typo3.pp +++ b/manifests/vhost/php/typo3.pp 
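Review bot: `file{$php_safe_mode_exec_dir: recurse => true, force => true, purge => true }` is declared unconditionally and the `else` branch then overrides it to `ensure => absent`, so a caller who sets `safe_mode_exec_dir` in `$php_settings` to an existing directory without also giving `safe_mode_exec_bins` in `$php_options` has that directory recursively deleted by Puppet; even with bins present, `purge => true` removes every unmanaged file in a caller-supplied directory. Only the module-computed `.../bin` should ever be purged or removed, which the sketch below does by declaring the resource inside the branches and remembering whether the path came from the caller. The in-place element assignments such as `$std_php_settings[error_log] = ...` rely on the old parser's hash mutation, which later Puppet releases reject, so building `$std_php_settings` from `merge()` of small conditional hashes would be more portable. `safe_mode` and `safe_mode_gid` are also ignored by PHP 5.4+, which deserves a comment at the `safe_mode => 'On'` default; the define's header is in the preceding hunk.
```puppet
  if has_key($php_settings,'safe_mode_exec_dir') {
    $php_safe_mode_exec_dir = $php_settings[safe_mode_exec_dir]
    $exec_dir_is_ours = false
  } else {
    # … unchanged: os-specific default of "${path}/bin" …
    $exec_dir_is_ours = true
  }
  if has_key($php_options,'safe_mode_exec_bins') {
    $std_php_settings[safe_mode_exec_dir] = $php_safe_mode_exec_dir
    file{$php_safe_mode_exec_dir:
      ensure  => $ensure ? {
        'present' => directory,
        default   => absent,
      },
      owner   => $documentroot_owner,
      group   => $documentroot_group,
      mode    => 0750,
      recurse => true,
      force   => true,
      purge   => $exec_dir_is_ours,  # never purge a caller-supplied directory
    }
    # … unchanged: regsubst of safe_mode_exec_bins and apache::vhost::php::safe_mode_bin …
  } elsif $exec_dir_is_ours {
    # only remove the directory this module would have created itself
    file{$php_safe_mode_exec_dir:
      ensure  => absent,
      recurse => true,
      force   => true,
    }
  }
```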
@@ -1,20 +1,35 @@ -# run_mode: -# - normal: nothing special (*default*) -# - itk: apache is running with the itk module -# and run_uid and run_gid are used as vhost users +# run_mode: controls in which mode the vhost should be run, there are different setups +# possible: +# - normal: (*default*) run vhost with the current active worker (default: prefork) don't +# setup anything special +# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination +# with 'proxy-itk' & 'static-itk' mode) +# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the +# requests for the itk setup, that listens only on the loobpack device. +# (Incompatibility: cannot be used in combination with the itk setup.) +# - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static +# content and proxies the dynamic calls to the itk setup, that listens only on +# the loobpack device (Incompatibility: cannot be used in combination with +# 'itk' mode) +# # run_uid: the uid the vhost should run as with the itk module # run_gid: the gid the vhost should run as with the itk module -# php_safe_mode_exec_bins: An array of local binaries which should be linked in the -# safe_mode_exec_bin for this hosting -# *default*: None -# php_default_charset: default charset header for php. 
-# *default*: absent, which will set the same as default_charset -# of apache +# +# mod_security: Whether we use mod_security or not (will include mod_security module) +# - false: don't activate mod_security +# - true: (*default*) activate mod_security +# +# logmode: +# - default: Do normal logging to CustomLog and ErrorLog +# - nologs: Send every logging to /dev/null +# - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null +# - semianonym: Don't log ips for CustomLog, log normal ErrorLog define apache::vhost::php::typo3( $ensure = present, $domain = 'absent', $domainalias = 'absent', $server_admin = 'absent', + $logmode = 'default', $path = 'absent', $owner = root, $group = apache, @@ -25,18 +40,19 @@ define apache::vhost::php::typo3( $run_uid = 'absent', $run_gid = 'absent', $allow_override = 'None', - $php_upload_tmp_dir = 'absent', - $php_session_save_path = 'absent', - $php_safe_mode_exec_bins = 'absent', - $php_default_charset = 'absent', + $php_settings = {}, + $php_options = {}, $do_includes = false, $options = 'absent', $additional_options = 'absent', $default_charset = 'absent', $mod_security = true, $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', $ssl_mode = false, $vhost_mode = 'template', + $template_partial = 'apache/vhosts/php_typo3/partial.erb', $vhost_source = 'absent', $vhost_destination = 'absent', $htpasswd_file = 'absent', 
@@ -46,21 +62,39 @@ define apache::vhost::php::typo3( $manage_directories = true ){ $documentroot = $path ? { - 'absent' => $operatingsystem ? { + 'absent' => $::operatingsystem ? { openbsd => "/var/www/htdocs/${name}/www", default => "/var/www/vhosts/${name}/www" }, default => "${path}/www" } + $modsec_rules = ["960010"] + $real_mod_security_rules_to_disable = array_union($mod_security_rules_to_disable,$modsec_rules) + if $mod_security_additional_options == 'absent' { + $real_mod_security_additional_options = '<Location "/typo3"> + SecRuleEngine Off + SecAuditEngine Off + </Location> +' + } else { + $real_mod_security_additional_options = $mod_security_additional_options + } + + $typo3_php_settings = { + # turn allow_url_fopen on for the extension manager fetch + allow_url_fopen => 'On' + } + $real_php_settings = merge($typo3_php_settings,$php_settings) + # create vhost configuration file ::apache::vhost::php::webapp{$name: ensure => $ensure, domain => $domain, domainalias => $domainalias, server_admin => $server_admin, + logmode => $logmode, path => $path, - template_mode => 'php_typo3', owner => $owner, group => $group, documentroot_owner => $documentroot_owner, 
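Review bot: The default assigned to `$real_mod_security_additional_options` switches off both `SecRuleEngine` and `SecAuditEngine` below `/typo3`, so whenever the caller leaves `mod_security_additional_options` at 'absent' the TYPO3 backend login and administration interface are served with no rule inspection and no audit trail, and neither the header comment nor the code says so. Because the backend is the most privileged part of the site, consider narrowing the exemption to `SecRuleEngine DetectionOnly` and keeping `SecAuditEngine RelevantOnly`, which avoids false-positive blocking while events stay logged, and state the trade-off above the assignment: `# core rules break the TYPO3 backend; by default the engine is disabled below /typo3 -- pass mod_security_additional_options to keep it active`. The hard-coded rule id in `$modsec_rules` would likewise benefit from a comment naming the false positive it suppresses. The webapp resource declaration opened here continues in the next hunk.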
@@ -70,40 +104,41 @@ define apache::vhost::php::typo3( run_uid => $run_uid, run_gid => $run_gid, allow_override => $allow_override, - php_upload_tmp_dir => $php_upload_tmp_dir, - php_session_save_path => $php_session_save_path, - php_safe_mode_exec_bins => $php_safe_mode_exec_bins, - php_default_charset => $php_default_charset, + php_settings => $real_php_settings, + php_options => $php_options, do_includes => $do_includes, options => $options, additional_options => $additional_options, default_charset => $default_charset, mod_security => $mod_security, mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $real_mod_security_rules_to_disable, + mod_security_additional_options => $real_mod_security_additional_options, ssl_mode => $ssl_mode, vhost_mode => $vhost_mode, + template_partial => $template_partial, vhost_source => $vhost_source, vhost_destination => $vhost_destination, htpasswd_file => $htpasswd_file, htpasswd_path => $htpasswd_path, manage_directories => $manage_directories, - managed_directories => [ "$documentroot/typo3temp", - "$documentroot/typo3temp/pics", - "$documentroot/typo3temp/temp", - "$documentroot/typo3temp/llxml", - "$documentroot/typo3temp/cs", - "$documentroot/typo3temp/GB", - "$documentroot/typo3temp/locks", - "$documentroot/typo3conf", - "$documentroot/typo3conf/ext", - "$documentroot/typo3conf/l10n", - # "$documentroot/typo3/ext/", # only needed for ext manager installing global extensions - "$documentroot/uploads", - "$documentroot/uploads/pics", - "$documentroot/uploads/media", - "$documentroot/uploads/tf", - "$documentroot/fileadmin", - "$documentroot/fileadmin/_temp_" + managed_directories => [ "${documentroot}/typo3temp", + "${documentroot}/typo3temp/pics", + "${documentroot}/typo3temp/temp", + "${documentroot}/typo3temp/llxml", + "${documentroot}/typo3temp/cs", + "${documentroot}/typo3temp/GB", + "${documentroot}/typo3temp/locks", + "${documentroot}/typo3conf", + 
"${documentroot}/typo3conf/ext", + "${documentroot}/typo3conf/l10n", + # "${documentroot}/typo3/ext/", # only needed for ext manager installing global extensions + "${documentroot}/uploads", + "${documentroot}/uploads/pics", + "${documentroot}/uploads/media", + "${documentroot}/uploads/tf", + "${documentroot}/fileadmin", + "${documentroot}/fileadmin/_temp_" ], manage_config => $manage_config, } diff --git a/manifests/vhost/php/webapp.pp b/manifests/vhost/php/webapp.pp index 22e932a..54905ca 100644 --- a/manifests/vhost/php/webapp.pp +++ b/manifests/vhost/php/webapp.pp 
@@ -1,24 +1,38 @@ -# run_mode: -# - normal: nothing special (*default*) -# - itk: apache is running with the itk module -# and run_uid and run_gid are used as vhost users +# run_mode: controls in which mode the vhost should be run, there are different setups +# possible: +# - normal: (*default*) run vhost with the current active worker (default: prefork) don't +# setup anything special +# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination +# with 'proxy-itk' & 'static-itk' mode) +# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the +# requests for the itk setup, that listens only on the loobpack device. +# (Incompatibility: cannot be used in combination with the itk setup.) +# - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static +# content and proxies the dynamic calls to the itk setup, that listens only on +# the loobpack device (Incompatibility: cannot be used in combination with +# 'itk' mode) +# # run_uid: the uid the vhost should run as with the itk module # run_gid: the gid the vhost should run as with the itk module -# php_safe_mode_exec_bins: An array of local binaries which should be linked in the -# safe_mode_exec_bin for this hosting -# *default*: None -# php_default_charset: default charset header for php. 
-# *default*: absent, which will set the same as default_charset -# of apache +# +# mod_security: Whether we use mod_security or not (will include mod_security module) +# - false: don't activate mod_security +# - true: (*default*) activate mod_security +# +# logmode: +# - default: Do normal logging to CustomLog and ErrorLog +# - nologs: Send every logging to /dev/null +# - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null +# - semianonym: Don't log ips for CustomLog, log normal ErrorLog define apache::vhost::php::webapp( $ensure = present, $domain = 'absent', $domainalias = 'absent', $server_admin = 'absent', + $logmode = 'default', $path = 'absent', $manage_webdir = true, $manage_docroot = true, - $template_mode, $owner = root, $group = apache, $documentroot_owner = apache, @@ -28,18 +42,19 @@ define apache::vhost::php::webapp( $run_uid = 'absent', $run_gid = 'absent', $allow_override = 'None', - $php_upload_tmp_dir = 'absent', - $php_session_save_path = 'absent', - $php_safe_mode_exec_bins = 'absent', - $php_default_charset = 'absent', + $php_settings = {}, + $php_options = {}, $do_includes = false, $options = 'absent', $additional_options = 'absent', $default_charset = 'absent', $mod_security = true, $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', $ssl_mode = false, $vhost_mode = 'template', + $template_partial, $vhost_source = 'absent', $vhost_destination = 'absent', $htpasswd_file = 'absent', 
@@ -59,7 +74,20 @@ define apache::vhost::php::webapp( } if $manage_config { - if $config_file == 'absent' { fail("No config file defined for ${name} on ${fqdn}, if you'd like to manage the config, you have to add one!") } + if $config_file == 'absent' { fail("No config file defined for ${name} on ${::fqdn}, if you'd like to manage the config, you have to add one!") } + + $real_path = $path ? { + 'absent' => $::operatingsystem ? { + openbsd => "/var/www/htdocs/${name}", + default => "/var/www/vhosts/${name}" + }, + default => $path + } + if $path_is_webdir { + $documentroot = $real_path + } else { + $documentroot = "${real_path}/www" + } ::apache::vhost::file::documentrootfile{"configurationfile_${name}": documentroot => $documentroot, filename => $config_file, @@ -85,10 +113,10 @@ define apache::vhost::php::webapp( domain => $domain, domainalias => $domainalias, server_admin => $server_admin, + logmode => $logmode, path => $path, manage_webdir => $manage_webdir, manage_docroot => $manage_docroot, - template_mode => $template_mode, owner => $owner, group => $group, documentroot_owner => $documentroot_owner, 
@@ -98,18 +126,19 @@ define apache::vhost::php::webapp( run_uid => $run_uid, run_gid => $run_gid, allow_override => $allow_override, - php_upload_tmp_dir => $php_upload_tmp_dir, - php_session_save_path => $php_session_save_path, - php_safe_mode_exec_bins => $php_safe_mode_exec_bins, - php_default_charset => $php_default_charset, + php_settings => $php_settings, + php_options => $php_options, do_includes => $do_includes, options => $options, additional_options => $additional_options, default_charset => $default_charset, mod_security => $mod_security, mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options => $mod_security_additional_options, ssl_mode => $ssl_mode, vhost_mode => $vhost_mode, + template_partial => $template_partial, vhost_source => $vhost_source, vhost_destination => $vhost_destination, htpasswd_file => $htpasswd_file, diff --git a/manifests/vhost/php/wordpress.pp b/manifests/vhost/php/wordpress.pp index c4e77f2..7a41ad7 100644 --- a/manifests/vhost/php/wordpress.pp +++ b/manifests/vhost/php/wordpress.pp 
@@ -1,20 +1,35 @@ -# run_mode: -# - normal: nothing special (*default*) -# - itk: apache is running with the itk module -# and run_uid and run_gid are used as vhost users +# run_mode: controls in which mode the vhost should be run, there are different setups +# possible: +# - normal: (*default*) run vhost with the current active worker (default: prefork) don't +# setup anything special +# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination +# with 'proxy-itk' & 'static-itk' mode) +# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the +# requests for the itk setup, that listens only on the loobpack device. +# (Incompatibility: cannot be used in combination with the itk setup.) +# - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static +# content and proxies the dynamic calls to the itk setup, that listens only on +# the loobpack device (Incompatibility: cannot be used in combination with +# 'itk' mode) +# # run_uid: the uid the vhost should run as with the itk module # run_gid: the gid the vhost should run as with the itk module -# php_safe_mode_exec_bins: An array of local binaries which should be linked in the -# safe_mode_exec_bin for this hosting -# *default*: None -# php_default_charset: default charset header for php. 
-# *default*: absent, which will set the same as default_charset -# of apache +# +# mod_security: Whether we use mod_security or not (will include mod_security module) +# - false: don't activate mod_security +# - true: (*default*) activate mod_security +# +# logmode: +# - default: Do normal logging to CustomLog and ErrorLog +# - nologs: Send every logging to /dev/null +# - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null +# - semianonym: Don't log ips for CustomLog, log normal ErrorLog define apache::vhost::php::wordpress( $ensure = present, $domain = 'absent', $domainalias = 'absent', $server_admin = 'absent', + $logmode = 'default', $path = 'absent', $owner = root, $group = apache, @@ -25,18 +40,19 @@ define apache::vhost::php::wordpress( $run_uid = 'absent', $run_gid = 'absent', $allow_override = 'FileInfo', - $php_upload_tmp_dir = 'absent', - $php_session_save_path = 'absent', - $php_safe_mode_exec_bins = 'absent', - $php_default_charset = 'absent', + $php_settings = {}, + $php_options = {}, $do_includes = false, $options = 'absent', $additional_options = 'absent', $default_charset = 'absent', $mod_security = true, $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', $ssl_mode = false, $vhost_mode = 'template', + $template_partial = 'apache/vhosts/php_wordpress/partial.erb', $vhost_source = 'absent', $vhost_destination = 'absent', $htpasswd_file = 'absent', 
@@ -47,21 +63,23 @@ define apache::vhost::php::wordpress( ){ $documentroot = $path ? { - 'absent' => $operatingsystem ? { + 'absent' => $::operatingsystem ? { openbsd => "/var/www/htdocs/${name}/www", default => "/var/www/vhosts/${name}/www" }, default => "${path}/www" } + $modsec_rules = ["960010", "950018"] + $real_mod_security_rules_to_disable = array_union($mod_security_rules_to_disable,$modsec_rules) # create vhost configuration file - ::apache::vhost::php::webapp{$name: + apache::vhost::php::webapp{$name: ensure => $ensure, domain => $domain, domainalias => $domainalias, server_admin => $server_admin, + logmode => $logmode, path => $path, - template_mode => 'php_wordpress', owner => $owner, group => $group, documentroot_owner => $documentroot_owner, 
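Review bot: `apache::vhost::php::webapp{$name:` drops the leading `::` that the replaced line had and that typo3.pp still uses for the same resource type, so the two sibling defines now spell the same type differently; under Puppet 2.7 an unqualified name can be resolved relative to the current namespace before the absolute one, which makes the lookup depend on what else is loaded. Restore `::apache::vhost::php::webapp{$name:` for consistency with typo3.pp. The two rule ids in `$modsec_rules` would also be clearer with a comment naming what they false-positive on for WordPress. The resource declaration continues in the following hunk.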
@@ -71,24 +89,25 @@ define apache::vhost::php::wordpress( run_uid => $run_uid, run_gid => $run_gid, allow_override => $allow_override, - php_upload_tmp_dir => $php_upload_tmp_dir, - php_session_save_path => $php_session_save_path, - php_safe_mode_exec_bins => $php_safe_mode_exec_bins, - php_default_charset => $php_default_charset, + php_settings => $php_settings, + php_options => $php_options, do_includes => $do_includes, options => $options, additional_options => $additional_options, default_charset => $default_charset, mod_security => $mod_security, mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $real_mod_security_rules_to_disable, + mod_security_additional_options => $mod_security_additional_options, ssl_mode => $ssl_mode, vhost_mode => $vhost_mode, + template_partial => $template_partial, vhost_source => $vhost_source, vhost_destination => $vhost_destination, htpasswd_file => $htpasswd_file, htpasswd_path => $htpasswd_path, manage_directories => $manage_directories, - managed_directories => "$documentroot/wp-content", + managed_directories => "${documentroot}/wp-content", manage_config => $manage_config, config_webwriteable => $config_webwriteable, config_file => 'wp-config.php', diff --git a/manifests/vhost/phpdirs.pp b/manifests/vhost/phpdirs.pp index 24413d0..5936da6 100644 --- a/manifests/vhost/phpdirs.pp +++ b/manifests/vhost/phpdirs.pp 
@@ -1,49 +1,39 @@ define apache::vhost::phpdirs( - $ensure = present, - $php_upload_tmp_dir = 'absent', - $php_session_save_path = 'absent', - $documentroot_owner = apache, - $documentroot_group = 0, - $documentroot_mode = 0750, - $run_mode = 'normal', - $run_uid = 'absent' + $ensure = present, + $php_upload_tmp_dir, + $php_session_save_path, + $documentroot_owner = apache, + $documentroot_group = 0, + $documentroot_mode = 0750, + $run_mode = 'normal', + $run_uid = 'absent' ){ - # php upload_tmp_dir - case $php_upload_tmp_dir { - 'absent': { - include apache::defaultphpdirs - $real_php_upload_tmp_dir = "/var/www/upload_tmp_dir/$name" - } - default: { $real_php_upload_tmp_dir = $php_upload_tmp_dir } + case $ensure { + absent : { + file { + [$php_upload_tmp_dir, $php_session_save_path] : + ensure => absent, + purge => true, + force => true, + recurse => true, + } } - # php session_save_path - case $php_session_save_path { - 'absent': { - include apache::defaultphpdirs - $real_php_session_save_path = "/var/www/session.save_path/$name" - } - default: { $real_php_session_save_path = $php_session_save_path } - } - - case $ensure { - absent: { - file{[$real_php_upload_tmp_dir, $real_php_session_save_path ]: - ensure => absent, - purge => true, - force => true, - recurse => true, - } - } - default: { - file{[$real_php_upload_tmp_dir, $real_php_session_save_path ]: - ensure => directory, - owner => $run_mode ? { - 'itk' => $run_uid, - default => $documentroot_owner - }, - group => $documentroot_group, mode => $documentroot_mode; - } - } + default : { + include apache::defaultphpdirs + file { + [$php_upload_tmp_dir, $php_session_save_path] : + ensure => directory, + owner => $run_mode ? { + 'itk' => $run_uid, + 'static-itk' => $run_uid, + 'proxy-itk' => $run_uid, + 'fcgid' => $run_uid, + default => $documentroot_owner + }, + group => $documentroot_group, + mode => $documentroot_mode ; + } } + } } 
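Review bot: `$php_upload_tmp_dir` and `$php_session_save_path` are now mandatory and are passed unchecked into `file { [$php_upload_tmp_dir, $php_session_save_path]: ensure => absent, purge => true, force => true, recurse => true }` in the absent branch, so a caller that supplies an empty string, a relative path or a broad directory such as `/var/www` gets that whole tree removed on the next run. Guard both values before the `case $ensure`, e.g. `validate_absolute_path($php_upload_tmp_dir)` and `validate_absolute_path($php_session_save_path)` from puppetlabs-stdlib, and consider a `fail()` when either still equals 'absent', since that was the previous default and older callers may still pass it. A leading comment on the define stating that it owns these two directories and removes them recursively with `ensure => absent` would make the destructive behaviour explicit to readers.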
diff --git a/manifests/vhost/proxy.pp b/manifests/vhost/proxy.pp
new file mode 100644
index 0000000..1c3b500
--- /dev/null
+++ b/manifests/vhost/proxy.pp
@@ -0,0 +1,65 @@
+# Proxy VHost
+# Parameters:
+#
+# - ensure: wether this vhost is `present` or `absent`
+# - domain: the domain to redirect (*name*)
+# - domainalias: A list of whitespace seperated domains to redirect
+# - target_url: the url to be proxied. Note: We don't want http://example.com/foobar only example.com/foobar
+# - server_admin: the email that is shown as responsible
+# - ssl_mode: wether this vhost supports ssl or not
+# - false: don't enable ssl for this vhost (default)
+# - true: enable ssl for this vhost
+# - force: enable ssl and redirect non-ssl to ssl
+# - only: enable ssl only
+#
+# logmode:
+#
+# - default: Do normal logging to CustomLog and ErrorLog
+# - nologs: Send every logging to /dev/null
+# - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null
+# - semianonym: Don't log ips for CustomLog, log normal ErrorLog
+#
+define apache::vhost::proxy(
+ $ensure = present,
+ $domain = 'absent',
+ $domainalias = 'absent',
+ $htpasswd_file = 'absent',
+ $target_url,
+ $server_admin = 'absent',
+ $logmode = 'default',
+ $mod_security = false,
+ $ssl_mode = false,
+ $mod_security_relevantonly = true,
+ $mod_security_rules_to_disable = [],
+ $mod_security_additional_options = 'absent',
+ $additional_options = 'absent'
+){
+ # create vhost configuration file
+ # we use the options field as the target_url
+ ::apache::vhost::template{$name:
+ ensure => $ensure,
+ template_partial => 'apache/vhosts/proxy/partial.erb',
+ domain => $domain,
+ path => 'really_absent',
+ path_is_webdir => true,
+ htpasswd_file => $htpasswd_file,
+ domainalias => $domainalias,
+ server_admin => $server_admin,
+ logpath => $::operatingsystem ? {
+ openbsd => '/var/www/logs',
+ centos => '/var/log/httpd',
+ default => '/var/log/apache2'
+ },
+ logmode => $logmode,
+ allow_override => $allow_override,
+ run_mode => 'normal',
+ mod_security => $mod_security,
+ mod_security_relevantonly => $mod_security_relevantonly,
+ mod_security_rules_to_disable => $mod_security_rules_to_disable,
+ mod_security_additional_options => $mod_security_additional_options,
+ options => $target_url,
+ ssl_mode => $ssl_mode,
+ additional_options => $additional_options,
+ }
+}
+
diff --git a/manifests/vhost/redirect.pp b/manifests/vhost/redirect.pp
index 10b78bf..a106c59 100644
--- a/manifests/vhost/redirect.pp
+++ b/manifests/vhost/redirect.pp
@@ -1,5 +1,6 @@
 # Redirect VHost to redirect hosts
 # Parameters:
+#
 # - ensure: wether this vhost is `present` or `absent`
 # - domain: the domain to redirect (*name*)
 # - domainalias: A list of whitespace seperated domains to redirect
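Review bot: `allow_override => $allow_override` in the new proxy.pp refers to a variable that is neither a parameter of `apache::vhost::proxy` nor assigned anywhere in the define, so under Puppet 2.7 it falls back to a dynamic/top-scope lookup and otherwise evaluates to undef; either add `$allow_override = 'None',` to the parameter list (the default the other vhost defines use) or remove the line. redirect.pp carries the same pre-existing reference in its context lines. `path => 'really_absent'` is a sentinel whose effect is only visible inside apache::vhost::template, so a one-line comment next to it explaining why a proxy vhost passes a non-existent path would help the next reader. `$target_url` is rendered verbatim into the vhost configuration through `options`, so rejecting values with whitespace or newlines, e.g. `validate_re($target_url, '^\S+$')`, would keep a malformed or multi-line value from turning into additional Apache directives.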
@@ -10,23 +11,41 @@ # - true: enable ssl for this vhost # - force: enable ssl and redirect non-ssl to ssl # - only: enable ssl only +# +# logmode: +# +# - default: Do normal logging to CustomLog and ErrorLog +# - nologs: Send every logging to /dev/null +# - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null +# - semianonym: Don't log ips for CustomLog, log normal ErrorLog +# define apache::vhost::redirect( $ensure = present, $domain = 'absent', $domainalias = 'absent', $target_url, $server_admin = 'absent', + $logmode = 'default', $ssl_mode = false ){ # create vhost configuration file # we use the options field as the target_url ::apache::vhost::template{$name: ensure => $ensure, - template_mode => 'redirect', + template_partial => 'apache/vhosts/redirect/partial.erb', domain => $domain, + path => 'really_absent', + path_is_webdir => true, domainalias => $domainalias, server_admin => $server_admin, + logpath => $::operatingsystem ? { + openbsd => '/var/www/logs', + centos => '/var/log/httpd', + default => '/var/log/apache2' + }, + logmode => $logmode, allow_override => $allow_override, + run_mode => 'normal', mod_security => false, options => $target_url, ssl_mode => $ssl_mode, diff --git a/manifests/vhost/static.pp b/manifests/vhost/static.pp index 307dfbe..f1dbcc2 100644 --- a/manifests/vhost/static.pp +++ b/manifests/vhost/static.pp 
@@ -1,11 +1,23 @@ # vhost_mode: which option is chosen to deploy the vhost # - template: generate it from a template (default) # - file: deploy a vhost file (apache::vhost::file will be called directly) +# +# logmode: +# - default: Do normal logging to CustomLog and ErrorLog +# - nologs: Send every logging to /dev/null +# - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null +# - semianonym: Don't log ips for CustomLog, log normal ErrorLog +# +# mod_security: Whether we use mod_security or not (will include mod_security module) +# - false: (*default*) don't activate mod_security +# - true: activate mod_security +# define apache::vhost::static( $ensure = present, $domain = 'absent', $domainalias = 'absent', $server_admin = 'absent', + $logmode = 'default', $path = 'absent', $owner = root, $group = apache, @@ -18,13 +30,17 @@ define apache::vhost::static( $additional_options = 'absent', $default_charset = 'absent', $ssl_mode = false, + $run_mode = 'normal', $vhost_mode = 'template', + $template_partial = 'apache/vhosts/static/partial.erb', $vhost_source = 'absent', $vhost_destination = 'absent', $htpasswd_file = 'absent', $htpasswd_path = 'absent', $mod_security = false, - $mod_security_relevantonly = true + $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent' ){ # create webdir ::apache::vhost::webdir{$name: @@ -32,7 +48,7 @@ define apache::vhost::static( path => $path, owner => $owner, group => $group, - run_mode => 'normal', + run_mode => $run_mode, documentroot_owner => $documentroot_owner, documentroot_group => $documentroot_group, documentroot_mode => $documentroot_mode, 
@@ -42,13 +58,14 @@ define apache::vhost::static( ::apache::vhost{$name: ensure => $ensure, path => $path, - template_mode => 'static', + template_partial => $template_partial, vhost_mode => $vhost_mode, vhost_source => $vhost_source, vhost_destination => $vhost_destination, domain => $domain, domainalias => $domainalias, server_admin => $server_admin, + logmode => $logmode, allow_override => $allow_override, do_includes => $do_includes, options => $options, @@ -59,6 +76,8 @@ define apache::vhost::static( htpasswd_path => $htpasswd_path, mod_security => $mod_security, mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options => $mod_security_additional_options, } } diff --git a/manifests/vhost/template.pp b/manifests/vhost/template.pp index 324a96a..55d41d9 100644 --- a/manifests/vhost/template.pp +++ b/manifests/vhost/template.pp @@ -1,8 +1,6 @@ -# template_mode: -# - php: for a default php application -# - static: for a static application (default) -# - perl: for a mod_perl application -# - php_joomla: for a joomla application +# template_partial: +# which template should be used to generate the type specific part +# of the vhost entry. # # domainalias: # - absent: no domainalias is set (*default*) 
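Review bot: The new `$run_mode` parameter is forwarded to `::apache::vhost::webdir` in the previous hunk but does not appear among the arguments of `::apache::vhost{$name:` shown here; if it is not passed on a line outside this hunk, apache::vhost keeps its own default of 'normal' while the webdir is created with the itk/fcgid ownership and the `0644` mode adjustment, so directory permissions and the rendered vhost would disagree. Adding `run_mode => $run_mode,` next to `logmode => $logmode,` keeps the two in step. The resource declaration begins before this hunk.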
@@ -14,137 +12,145 @@ # - true: enable ssl for this vhost # - force: enable ssl and redirect non-ssl to ssl # - only: enable ssl only -# php_safe_mode_exec_bins: An array of local binaries which should be linked in the -# safe_mode_exec_bin for this hosting -# *default*: None -# php_default_charset: default charset header for php. -# *default*: absent, which will set the same as default_charset -# of apache +# +# logmode: +# - default: Do normal logging to CustomLog and ErrorLog +# - nologs: Send every logging to /dev/null +# - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null +# - semianonym: Don't log ips for CustomLog, log normal ErrorLog +# +# run_mode: controls in which mode the vhost should be run, there are different setups +# possible: +# - normal: (*default*) run vhost with the current active worker (default: prefork) don't +# setup anything special +# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination +# with 'proxy-itk' & 'static-itk' mode) +# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the +# requests for the itk setup, that listens only on the loobpack device. +# (Incompatibility: cannot be used in combination with the itk setup.) 
+# - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static +# content and proxies the dynamic calls to the itk setup, that listens only on +# the loobpack device (Incompatibility: cannot be used in combination with +# 'itk' mode) +# +# run_uid: the uid the vhost should run as with the itk module +# run_gid: the gid the vhost should run as with the itk module +# +# mod_security: Whether we use mod_security or not (will include mod_security module) +# - false: don't activate mod_security +# - true: (*default*) activate mod_security +# define apache::vhost::template( - $ensure = present, - $path = 'absent', - $path_is_webdir = false, - $logpath = 'absent', - $domain = 'absent', - $domainalias = 'absent', - $server_admin = 'absent', - $allow_override = 'None', - $php_safe_mode_exec_bin_dir = 'absent', - $php_upload_tmp_dir = 'absent', - $php_session_save_path = 'absent', - $dav_db_dir = 'absent', - $cgi_binpath = 'absent', - $do_includes = false, - $options = 'absent', - $additional_options = 'absent', - $default_charset = 'absent', - $php_use_smarty = false, - $php_use_pear = false, - $php_safe_mode = true, - $php_default_charset = 'absent', - $php_additional_open_basedirs = 'absent', - $php_additional_options = 'absent', - $run_mode = 'normal', - $run_uid = 'absent', - $run_gid = 'absent', - $template_mode = 'static', - $ssl_mode = false, - $mod_security = true, - $mod_security_relevantonly = true, - $use_mod_macro = false, - $htpasswd_file = 'absent', - $htpasswd_path = 'absent', - $ldap_auth = false, - $ldap_user = 'any' + $ensure = present, + $path = 'absent', + $path_is_webdir = false, + $logpath = 'absent', + $logmode = 'default', + $logprefix = '', + $domain = 'absent', + $domainalias = 'absent', + $server_admin = 'absent', + $allow_override = 'None', + $dav_db_dir = 'absent', + $cgi_binpath = 'absent', + $do_includes = false, + $options = 'absent', + $additional_options = 'absent', + $default_charset = 'absent', + 
$php_options = {}, + $php_settings = {}, + $run_mode = 'normal', + $run_uid = 'absent', + $run_gid = 'absent', + $template_partial = 'apache/vhosts/static/partial.erb', + $template_vars = {}, + $ssl_mode = false, + $mod_security = true, + $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', + $use_mod_macro = false, + $htpasswd_file = 'absent', + $htpasswd_path = 'absent', + $ldap_auth = false, + $ldap_user = 'any', + $passing_extension = 'absent', + $gempath = 'absent' ){ - if $mod_security { - case $run_mode { - 'itk': { include mod_security::itk } - default: { include mod_security } - } - } - $real_path = $path ? { - 'absent' => $operatingsystem ? { - openbsd => "/var/www/htdocs/$name", - default => "/var/www/vhosts/$name" + 'absent' => $::operatingsystem ? { + openbsd => "/var/www/htdocs/${name}", + default => "/var/www/vhosts/${name}" }, - default => $path + default => $path } if $path_is_webdir { - $documentroot = "$real_path" + $documentroot = $real_path } else { - $documentroot = "$real_path/www" + $documentroot = "${real_path}/www" } $logdir = $logpath ? { - 'absent' => "$real_path/logs", - default => $logpath + 'absent' => "${real_path}/logs", + default => $logpath } $servername = $domain ? { - 'absent' => $name, - default => $domain + 'absent' => $name, + default => $domain } $serveralias = $domainalias ? 
{ - 'absent' => '', - 'www' => "www.${servername}", - default => $domainalias + 'absent' => '', + 'www' => "www.${servername}", + default => $domainalias } if $htpasswd_path == 'absent' { - $real_htpasswd_path = "/var/www/htpasswds/$name" + $real_htpasswd_path = "/var/www/htpasswds/${name}" } else { $real_htpasswd_path = $htpasswd_path } case $run_mode { - 'itk': { + 'proxy-itk': { $logfileprefix = 'proxy' } + 'static-itk': { $logfileprefix = 'static' } + } + case $run_mode { + 'fcgid','itk','proxy-itk','static-itk': { case $run_uid { - 'absent': { fail("you have to define run_uid for $name on $fqdn") } + 'absent': { fail("you have to define run_uid for ${name} on ${::fqdn}") } } case $run_gid { - 'absent': { fail("you have to define run_gid for $name on $fqdn") } + 'absent': { fail("you have to define run_gid for ${name} on ${::fqdn}") } } } } - - # set default dirs for templates - # php php_safe_mode_exec_bin directory - case $php_safe_mode_exec_bin_dir { - 'absent': { - $real_php_safe_mode_exec_bin_dir = "/var/www/vhosts/$name/bin" - } - default: { $real_php_safe_mode_exec_bin_dir = $php_safe_mode_exec_bin_dir } - } - # php upload_tmp_dir - case $php_upload_tmp_dir { - 'absent': { - $real_php_upload_tmp_dir = "/var/www/upload_tmp_dir/$name" - } - default: { $real_php_upload_tmp_dir = $php_upload_tmp_dir } - } - # php session_save_path - case $php_session_save_path { - 'absent': { - $real_php_session_save_path = "/var/www/session.save_path/$name" - } - default: { $real_php_session_save_path = $php_session_save_path } - } # dav db dir case $dav_db_dir { 'absent': { - $real_dav_db_dir = "/var/www/dav_db_dir/$name" + $real_dav_db_dir = "/var/www/dav_db_dir/${name}" } default: { $real_dav_db_dir = $dav_db_dir } } apache::vhost::file{$name: - ensure => $ensure, - content => template("apache/vhosts/$template_mode/$operatingsystem.erb"), - do_includes => $do_includes, + ensure => $ensure, + do_includes => $do_includes, + run_mode => $run_mode, + ssl_mode => $ssl_mode, + 
logmode => $logmode, + mod_security => $mod_security, htpasswd_file => $htpasswd_file, htpasswd_path => $htpasswd_path, use_mod_macro => $use_mod_macro, } + if $ensure != 'absent' { + Apache::Vhost::File[$name]{ + content => $run_mode ? { + 'proxy-itk' => template('apache/vhosts/itk_plus.erb'), + 'static-itk' => template('apache/vhosts/itk_plus.erb'), + default => template('apache/vhosts/default.erb'), + } + } + } } diff --git a/manifests/vhost/webdav.pp b/manifests/vhost/webdav.pp index 73c4a7a..003a308 100644 --- a/manifests/vhost/webdav.pp +++ b/manifests/vhost/webdav.pp 
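Review bot: `$logfileprefix` is only assigned in the `'proxy-itk'` and `'static-itk'` branches of the first `case $run_mode`, so for 'normal', 'itk' and 'fcgid' it is never set and whatever consumes it (presumably the ERB templates) sees undef; add `default: { $logfileprefix = '' }` to that case, or fold it into the new `$logprefix` parameter whose purpose appears to overlap and which is itself undocumented. The header comment also says nothing about `$logprefix`, `$template_vars`, `$php_options`, `$php_settings`, `$passing_extension`, `$gempath`, `$mod_security_rules_to_disable` or `$mod_security_additional_options`; one line each in the existing list style would suffice. The hunk ends with the closing brace of the define, so this covers the whole body.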
@@ -1,10 +1,28 @@ # Webdav vhost: to manage webdav accessible targets -# run_mode: -# - normal: nothing special (*default*) -# - itk: apache is running with the itk module -# and run_uid and run_gid are used as vhost users +# run_mode: controls in which mode the vhost should be run, there are different setups +# possible: +# - normal: (*default*) run vhost with the current active worker (default: prefork) don't +# setup anything special +# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination +# with 'proxy-itk' & 'static-itk' mode) +# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the +# requests for the itk setup, that listens only on the loobpack device. +# (Incompatibility: cannot be used in combination with the itk setup.) +# - static-itk: this mode is not possible and will be rewritten to proxy-itk +# # run_uid: the uid the vhost should run as with the itk module # run_gid: the gid the vhost should run as with the itk module +# +# mod_security: Whether we use mod_security or not (will include mod_security module) +# - false: (*default*) don't activate mod_security +# - true: activate mod_security +# +# logmode: +# - default: Do normal logging to CustomLog and ErrorLog +# - nologs: Send every logging to /dev/null +# - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null +# - semianonym: Don't log ips for CustomLog, log normal ErrorLog +# define apache::vhost::webdav( $ensure = present, $domain = 'absent', @@ -15,6 +33,7 @@ define apache::vhost::webdav( $group = apache, $manage_webdir = true, $path_is_webdir = false, + $logmode = 'default', $logpath = 'absent', $documentroot_owner = apache, $documentroot_group = 0, 
@@ -27,6 +46,8 @@ define apache::vhost::webdav( $default_charset = 'absent', $mod_security = false, $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', $ssl_mode = false, $vhost_mode = 'template', $vhost_source = 'absent', @@ -37,7 +58,7 @@ define apache::vhost::webdav( $ldap_user = 'any', $dav_db_dir = 'absent' ){ - ::apache::vhost::davdbdir{"${name}": + ::apache::vhost::davdbdir{$name: ensure => $ensure, dav_db_dir => $dav_db_dir, documentroot_owner => $documentroot_owner, @@ -60,20 +81,29 @@ define apache::vhost::webdav( documentroot_mode => $documentroot_mode, } } + + if $run_mode == 'static-itk' { + notice("static-itk mode is not possible for webdav vhosts, rewriting it to proxy-itk") + $real_run_mode = 'proxy-itk' + } else { + $real_run_mode = $run_mode + } + # create vhost configuration file ::apache::vhost{$name: ensure => $ensure, path => $path, path_is_webdir => $path_is_webdir, logpath => $logpath, - template_mode => 'webdav', + logmode => $logmode, + template_partial => 'apache/vhosts/webdav/partial.erb', vhost_mode => $vhost_mode, vhost_source => $vhost_source, vhost_destination => $vhost_destination, domain => $domain, domainalias => $domainalias, server_admin => $server_admin, - run_mode => $run_mode, + run_mode => $real_run_mode, run_uid => $run_uid, run_gid => $run_gid, options => $options, @@ -85,6 +115,9 @@ define apache::vhost::webdav( ldap_auth => $ldap_auth, ldap_user => $ldap_user, mod_security => $mod_security, + mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options => $mod_security_additional_options, } } diff --git a/manifests/vhost/webdir.pp b/manifests/vhost/webdir.pp index 4fa9003..c9729f0 100644 --- a/manifests/vhost/webdir.pp +++ b/manifests/vhost/webdir.pp 
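Review bot: The rewrite of `'static-itk'` to `'proxy-itk'` is computed after the `::apache::vhost::davdbdir` and webdir resources above it have been declared; if either of them receives `$run_mode` on lines outside this hunk, their ownership and mode logic runs for static-itk while the vhost itself is rendered as proxy-itk. Compute `$real_run_mode` directly after the parameter list and pass it to every resource in the define. The `notice()` should also name the vhost so the message is attributable in the compile log, e.g. `notice("static-itk mode is not possible for webdav vhost ${name}, rewriting it to proxy-itk")`.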
@@ -1,125 +1,116 @@ # create webdir define apache::vhost::webdir( - $ensure = present, - $path = 'absent', - $owner = root, - $group = apache, - $mode = 0640, - $run_mode = 'normal', - $manage_docroot = true, - $documentroot_owner = root, - $documentroot_group = apache, - $documentroot_mode = 0640, - $documentroot_recurse = false + $ensure = present, + $path = 'absent', + $owner = root, + $group = apache, + $mode = 0640, + $run_mode = 'normal', + $manage_docroot = true, + $documentroot_owner = root, + $documentroot_group = apache, + $documentroot_mode = 0640, + $documentroot_recurse = false ){ - $real_path = $path ? { - 'absent' => $operatingsystem ? { - openbsd => "/var/www/htdocs/${name}", - default => "/var/www/vhosts/${name}" - }, - default => "${path}" - } + $real_path = $path ? { + 'absent' => $::operatingsystem ? { + openbsd => "/var/www/htdocs/${name}", + default => "/var/www/vhosts/${name}" + }, + default => $path + } - if ($run_mode == 'itk') and ($mode == '0640'){ - $real_mode = 0644 - } else { - $real_mode = $mode - } + if (($run_mode =~ /^(static\-|proxy\-)?itk$/) or $run_mode == 'fcgid') and ($mode == '0640'){ + $real_mode = 0644 + } else { + $real_mode = $mode + } - $documentroot = "${real_path}/www" - $logdir = "${real_path}/logs" + $documentroot = "${real_path}/www" + $logdir = "${real_path}/logs" - if $owner == 'apache' { - if $apache_default_user == '' { - $real_owner = $operatingsystem ? { - openbsd => 'www', - debian => 'www-data', - default => $owner - } - } else { - $real_owner = $apache_default_user - } - } else { - $real_owner = $owner + if $owner == 'apache' { + $real_owner = $::operatingsystem ? { + openbsd => 'www', + debian => 'www-data', + default => $owner } - if $group == 'apache' { - if $apache_default_group == '' { - $real_group = $operatingsystem ? 
{ - openbsd => 'www', - debian => 'www-data', - default => $group - } - } else { - $real_group = $apache_default_group - } - } else { - $real_group = $group + } else { + $real_owner = $owner + } + if $group == 'apache' { + $real_group = $::operatingsystem ? { + openbsd => 'www', + debian => 'www-data', + default => $group } + } else { + $real_group = $group + } - if $documentroot_owner == 'apache' { - if $apache_default_user == '' { - $real_documentroot_owner = $operatingsystem ? { - openbsd => 'www', - debian => 'www-data', - default => $documentroot_owner - } - } else { - $real_documentroot_owner = $apache_default_user - } - } else { - $real_documentroot_owner = $documentroot_owner + if $documentroot_owner == 'apache' { + $real_documentroot_owner = $::operatingsystem ? { + openbsd => 'www', + debian => 'www-data', + default => $documentroot_owner } - if $documentroot_group == 'apache' { - if $apache_default_group == '' { - $real_documentroot_group = $operatingsystem ? { - openbsd => 'www', - debian => 'www-data', - default => $documentroot_group - } - } else { - $real_documentroot_group = $apache_default_group + } else { + $real_documentroot_owner = $documentroot_owner + } + if $documentroot_group == 'apache' { + $real_documentroot_group = $::operatingsystem ? 
{ + openbsd => 'www', + debian => 'www-data', + default => $documentroot_group + } + } else { + $real_documentroot_group = $documentroot_group + } + case $ensure { + absent: { + file{$real_path: + ensure => absent, + purge => true, + recurse => true, + force => true; } - } else { - $real_documentroot_group = $documentroot_group } - case $ensure { - absent: { - if $manage_docroot { - $managed_directories = [ "$real_path", "${real_path}/private", "$logdir", "$documentroot" ] - } else { - $managed_directories = [ "$real_path", "${real_path}/private", "$logdir" ] - } - file{$managed_directories: - ensure => absent, - purge => true, - recurse => true, - force => true, - } + default: { + file{ + $real_path: + ensure => directory, + require => Anchor['apache::basic_dirs::ready'], + owner => $real_owner, + group => $real_group, + mode => $real_mode; + $logdir: + ensure => directory, + before => Service['apache'], + owner => $real_documentroot_owner, + group => $real_documentroot_group, + mode => '0660'; + "${real_path}/private": + ensure => directory, + owner => $real_documentroot_owner, + group => $real_documentroot_group, + mode => '0600'; + } + if $manage_docroot { + file{$documentroot: + ensure => directory, + before => Service['apache'], + recurse => $documentroot_recurse, + owner => $real_documentroot_owner, + group => $real_documentroot_group, + mode => $documentroot_mode; } - default: { - file{"$real_path": - ensure => directory, - owner => $real_owner, group => $real_group, mode => $real_mode; - } - if $manage_docroot { - file{"$documentroot": - ensure => directory, - recurse => $documentroot_recurse, - owner => $real_documentroot_owner, group => $real_documentroot_group, mode => $documentroot_mode; - } - } - file{"$logdir": - ensure => directory, - owner => $real_documentroot_owner, group => $real_documentroot_group, mode => 0660; - } - case $operatingsystem { - centos: { include apache::logrotate::centos::vhosts } - } - file{"${real_path}/private": - ensure => 
directory, - owner => $real_documentroot_owner, group => $real_documentroot_group, mode => 0600; - } + } + case $::operatingsystem { + centos: { include apache::logrotate::centos::vhosts } + default: { #nothing } + } } + } } diff --git a/manifests/worker.pp b/manifests/worker.pp new file mode 100644 index 0000000..9a7b3be --- /dev/null +++ b/manifests/worker.pp @@ -0,0 +1,5 @@ +class apache::worker inherits apache { + case $::operatingsystem { + centos: { include ::apache::centos::worker } + } +} diff --git a/templates/default/default_index.erb b/templates/default/default_index.erb index dbe9954..b35ecd9 100644 --- a/templates/default/default_index.erb +++ b/templates/default/default_index.erb @@ -1,13 +1,13 @@ <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> - <title><%= hostname %></title> + <title><%= scope.lookupvar('::hostname') %></title> <meta http-equiv="content-type" content="text/html; charset=utf-8" /> </head> <body> <h1> No page @ this location</h1> <p> - <small><em><%= hostname %></em></small> + <small><em><%= scope.lookupvar('::hostname') %></em></small> </p> </body> </html> diff --git a/templates/itk_plus/CentOS/00-listen-ssl.conf.erb b/templates/itk_plus/CentOS/00-listen-ssl.conf.erb new file mode 100644 index 0000000..83f7bee --- /dev/null +++ b/templates/itk_plus/CentOS/00-listen-ssl.conf.erb @@ -0,0 +1,6 @@ +<IfDefine HttpdLocal> +Listen 127.0.0.1:443 +</IfDefine> +<IfDefine !HttpdLocal> +Listen <%= scope.lookupvar('::ipaddress') %>:443 +</IfDefine> diff --git a/templates/itk_plus/CentOS/00-listen.conf.erb b/templates/itk_plus/CentOS/00-listen.conf.erb new file mode 100644 index 0000000..30b2046 --- /dev/null +++ b/templates/itk_plus/CentOS/00-listen.conf.erb 
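Review bot: The define has no header comment, and two behaviours in the new body need one. `if (($run_mode =~ /^(static\-|proxy\-)?itk$/) or $run_mode == 'fcgid') and ($mode == '0640')` silently widens the caller's default to 0644 — a world-readable and, since Puppet adds the search bit to directory modes, world-traversable vhost root — presumably because the per-vhost itk/fcgid uid is not in `$group`; state that: `# itk/fcgid run the vhost under its own uid, which is not in $group: open the vhost root to 'other' so that uid can reach documentroot`. The `absent` branch removes `$real_path` with `recurse => true, force => true`, and `$real_path` is whatever the caller supplied as `$path`, so `ensure => absent` on a vhost whose path points at a shared directory purges that directory; a `# WARNING: purges $path recursively` line, or a check that a caller-supplied path lives under the vhost base, is worth adding. The comparison against the string '0640' only works because Puppet compares the bare default `0640` and the string numerically; quoting the default (`$mode = '0640'`) removes the reliance on that.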
@@ -0,0 +1,8 @@ +<IfDefine HttpdLocal> +Listen 127.0.0.1:80 +PidFile run/httpdlocal.pid +</IfDefine> +<IfDefine !HttpdLocal> +Listen <%= scope.lookupvar('::ipaddress') %>:80 +PidFile run/httpd.pid +</IfDefine> diff --git a/templates/modules_dir_00_default_settings_ServerName.conf.erb b/templates/modules_dir_00_default_settings_ServerName.conf.erb deleted file mode 100644 index 93c048a..0000000 --- a/templates/modules_dir_00_default_settings_ServerName.conf.erb +++ /dev/null @@ -1,2 +0,0 @@ -ServerName <%= fqdn %> - diff --git a/templates/vhosts/default.erb b/templates/vhosts/default.erb new file mode 100644 index 0000000..809cd9b --- /dev/null +++ b/templates/vhosts/default.erb 
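Review bot: The public instance binds to `<%= scope.lookupvar('::ipaddress') %>` only, i.e. the single IPv4 address facter picks as primary, so a host with several addresses or with IPv6 serves the proxied vhosts on one address, and if facter resolves `ipaddress` to 127.0.0.1 (no non-loopback interface at fact time) both instances contend for the same socket as the `HttpdLocal` listener. Taking the address from a class parameter that defaults to `::ipaddress`, and refusing to render when it equals 127.0.0.1, keeps the split deliberate. A short comment would help the next reader, e.g. `# HttpdLocal: loopback-only itk backend; otherwise the public prefork front that proxies to it`, since nothing in this file says why there are two PidFiles.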
@@ -0,0 +1,42 @@ +<% +vhost_parts = case ssl_mode + when 'only' then [:ssl] + when false,'false' then [:normal] + else [:normal,:ssl] +end +vhost_parts.each do |vhost_part| -%> +<VirtualHost *:<%= vhost_part == :ssl ? '443' : '80' %> > + +<%= scope.function_templatewlv(['apache/vhosts/partials/header_default.erb', {'vhost_part' => vhost_part } ]) %> + +<%= scope.function_template(['apache/vhosts/partials/logs.erb']) %> + + <% if run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%> + <IfModule mpm_itk_module> + AssignUserId <%= run_uid+" "+run_gid %> + </IfModule> + + <% elsif run_mode.to_s == 'fcgid' && !(ssl_mode == 'force' && vhost_part == :normal) -%> + <IfModule mod_fcgid.c> + SuexecUserGroup <%= run_uid+" "+run_gid %> + FcgidMaxRequestsPerProcess 5000 + FCGIWrapper /var/www/mod_fcgid-starters/<%= name %>/<%= name %>-starter .<%= passing_extension %> + AddHandler fcgid-script .<%= passing_extension %> + </IfModule> + + <% end -%> + <% if ssl_mode == 'force' && vhost_part == :normal -%> + RewriteEngine On + RewriteCond %{HTTPS} !=on + RewriteRule (.*) https://%{SERVER_NAME}$1 [R=permanent,L] + <% else -%> +<%= scope.function_templatewlv([template_partial, {'vhost_part' => vhost_part } ]) %> + <% end -%> +<%- unless template_partial == 'apache/vhosts/itk_plus/partial.erb' -%> +<%= scope.function_template(['apache/vhosts/partials/mod_security.erb']) %> +<% end -%> +<% unless additional_options.to_s == 'absent' -%> + <%= additional_options %> +<% end -%> +</VirtualHost> +<% end -%> diff --git a/templates/vhosts/gitweb/CentOS.erb b/templates/vhosts/gitweb/CentOS.erb deleted file mode 120000 index a3f2135..0000000 --- a/templates/vhosts/gitweb/CentOS.erb +++ /dev/null @@ -1 +0,0 @@ -gitweb.erb
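Review bot: The forced-HTTPS redirect `RewriteRule (.*) https://%{SERVER_NAME}$1 [R=permanent,L]` takes its host from `%{SERVER_NAME}`, which under Apache's default `UseCanonicalName Off` is whatever the client sent in the Host header, whereas the removed templates redirected to the configured `https://<%= servername %>/`. For a vhost that is the first (default) one on its address, any unmatched Host header therefore produces a 301 to an attacker-chosen host. Rendering the configured name, `RewriteRule (.*) https://<%= servername %>$1 [R=permanent,L]`, restores the old behaviour; if aliases must redirect to themselves, set `UseCanonicalName On` in the vhost instead. Separately, `run_uid+" "+run_gid` raises TypeError if either value arrives as an Integer, so `"#{run_uid} #{run_gid}"` is the robust form for the AssignUserId and SuexecUserGroup lines.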
\ No newline at end of file diff --git a/templates/vhosts/gitweb/Debian.erb b/templates/vhosts/gitweb/Debian.erb deleted file mode 120000 index a3f2135..0000000 --- a/templates/vhosts/gitweb/Debian.erb +++ /dev/null @@ -1 +0,0 @@ -gitweb.erb
\ No newline at end of file diff --git a/templates/vhosts/gitweb/gitweb.erb b/templates/vhosts/gitweb/gitweb.erb deleted file mode 100644 index 23b723f..0000000 --- a/templates/vhosts/gitweb/gitweb.erb +++ /dev/null 
@@ -1,140 +0,0 @@ -# <%= servername %> -<%- unless ssl_mode.to_s == 'only' then -%> -<VirtualHost *:80> - Include include.d/defaults.inc - ServerName <%= servername %> - <%- unless serveralias.to_s.empty? then -%> - ServerAlias <%= serveralias %> - <%- end -%> - <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> - ServerAdmin <%= server_admin %> - <%- end -%> - DocumentRoot <%= documentroot %>/ - - ErrorLog <%= logdir %>/error_log - CustomLog <%= logdir %>/access_log combined - <%- if default_charset.to_s != 'absent' then -%> - AddDefaultCharset <%= default_charset %> - <%- end -%> - <%- if ssl_mode.to_s == 'force' then -%> - Redirect permanent / https://<%= servername %>/ - <%- end -%> - - SetEnv GITWEB_CONFIG <%= gitweb_config %> - DirectoryIndex gitweb.cgi - <%- if not ssl_mode.to_s == 'force' then -%> - <Directory "<%= documentroot %>/"> - <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> - Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%><%- unless options.include?('+ExecCGI') then -%> +ExecCGI<%- end -%> - <%- end -%> - - AddHandler cgi-script .cgi - <Files gitweb.cgi> - Options ExecCGI FollowSymLinks - SetHandler cgi-script - </Files> - RewriteEngine on - RewriteRule ^[a-zA-Z0-9_-]+.git/?(\?.)?$ /gitweb.cgi%{REQUESTURI} [L,PT] - - <%- unless htpasswd_file.to_s == 'absent' then -%> - AuthType Basic - AuthName "Access fuer <%= servername %>" - AuthUserFile <%= real_htpasswd_path %> - require valid-user - <%- end -%> - </Directory> - - <%- end -%> - - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - 
SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - </IfModule> - - <%- unless additional_options.to_s == 'absent' then -%> - <%= additional_options %> - <%- end -%> -</VirtualHost> -<%- end -%> - -<%- unless ssl_mode.to_s == 'false' then -%> -<VirtualHost *:443> - Include include.d/defaults.inc - Include include.d/ssl_defaults.inc - ServerName <%= servername %> - <%- unless serveralias.to_s.empty? then -%> - ServerAlias <%= serveralias %> - <%- end -%> - <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> - ServerAdmin <%= server_admin %> - <%- end -%> - DocumentRoot <%= documentroot %>/ - - ErrorLog <%= logdir %>/error_log - CustomLog <%= logdir %>/access_log combined - <%- if default_charset.to_s != 'absent' then -%> - AddDefaultCharset <%= default_charset %> - <%- end -%> - - SetEnv GITWEB_CONFIG <%= gitweb_config %> - DirectoryIndex gitweb.cgi - <%- if not ssl_mode.to_s == 'force' then -%> - <Directory "<%= documentroot %>/"> - <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> - Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%><%- unless options.include?('+ExecCGI') then -%> +ExecCGI<%- end -%> - <%- end -%> - - AddHandler cgi-script .cgi - <Files gitweb.cgi> - Options ExecCGI FollowSymLinks - SetHandler cgi-script - </Files> - RewriteEngine on - RewriteRule ^[a-zA-Z0-9_-]+.git/?(\?.)?$ /gitweb.cgi%{REQUESTURI} [L,PT] - - <%- unless htpasswd_file.to_s == 'absent' then -%> - AuthType Basic - AuthName "Access fuer <%= servername %>" - AuthUserFile <%= real_htpasswd_path %> - require valid-user - <%- end -%> - </Directory> - - <%- end %> - - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - 
SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - </IfModule> - - <%- unless additional_options.to_s == 'absent' then -%> - <%= additional_options %> - <%- end -%> -</VirtualHost> -<%- end -%> diff --git a/templates/vhosts/gitweb/partial.erb b/templates/vhosts/gitweb/partial.erb new file mode 100644 index 0000000..7238ebe --- /dev/null +++ b/templates/vhosts/gitweb/partial.erb @@ -0,0 +1,19 @@ + <% unless ssl_mode.to_s == 'force' -%> + SetEnv GITWEB_CONFIG <%= gitweb_config %> + DirectoryIndex gitweb.cgi + <Directory "<%= documentroot %>/"> + <% if options.to_s != 'absent' or do_includes.to_s == 'true'-%> + Options <% unless options.to_s == 'absent' -%><%= options %><% end -%><% if do_includes.to_s == 'true' && !options.include?('+Includes') -%> +Includes<% end -%><% unless options.include?('+ExecCGI') -%> +ExecCGI<% end -%> + <% end -%> + + AddHandler cgi-script .cgi + <Files gitweb.cgi> + Options ExecCGI FollowSymLinks + SetHandler cgi-script + </Files> + RewriteEngine on + RewriteRule ^[a-zA-Z0-9_-]+.git/?(\?.)?$ /gitweb.cgi%{REQUESTURI} [L,PT] + +<%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %> + </Directory> + <% end -%> diff --git a/templates/vhosts/itk_plus.erb b/templates/vhosts/itk_plus.erb new file mode 100644 index 0000000..b546196 --- /dev/null +++ b/templates/vhosts/itk_plus.erb @@ -0,0 +1,6 @@ +<IfDefine HttpdLocal> +<%= scope.function_template(['apache/vhost/default.erb']) %> +</IfDefine> +<IfDefine !HttpdLocal> +<%= scope.function_templatewlv(['apache/vhost/default.erb', {'template_partial' => 'apache/vhosts/itk_plus/partial.erb' }]) %> +</IfDefine> 
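Review bot: With `ssl_mode => 'force'` the HTTPS vhost loses the entire gitweb configuration — SetEnv GITWEB_CONFIG, DirectoryIndex, the ExecCGI Directory block and the htpasswd authentication partial — because the outer `unless ssl_mode.to_s == 'force'` ignores which vhost part is being rendered, while default.erb already skips the partial for the :normal part in force mode; the forced-HTTPS repository browser thus ends up without the Basic auth that htpasswd_file would otherwise add. Drop the guard, or make it `<% unless ssl_mode.to_s == 'force' && vhost_part == :normal -%>` as itk_plus/partial.erb does. Also, `%{REQUESTURI}` in the RewriteRule is not a mod_rewrite server variable and expands to nothing, so every repository URL rewrites to a bare `/gitweb.cgi`; the variable is `%{REQUEST_URI}`, and the unescaped `.git` should be `\.git`.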
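Review bot: Both calls reference `apache/vhost/default.erb`, but the template this commit adds is `templates/vhosts/default.erb` (plural), the directory all the other new partials use; unless a `templates/vhost/default.erb` exists that this diff does not show, every itk_plus vhost fails catalog compilation with a missing template. Both lines should read `apache/vhosts/default.erb`. A comment on the split would also help, e.g. `# HttpdLocal: loopback-only itk backend carrying the real vhost config; otherwise: public prefork front that only proxies (itk_plus/partial.erb)`.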
diff --git a/templates/vhosts/itk_plus/partial.erb b/templates/vhosts/itk_plus/partial.erb new file mode 100644 index 0000000..5b05dd8 --- /dev/null +++ b/templates/vhosts/itk_plus/partial.erb @@ -0,0 +1,32 @@ + + ProxyPreserveHost On + ProxyRequests off +<% if vhost_part == :ssl -%> + SSLProxyEngine On + <%- if run_mode.to_s == 'static-itk' -%> + ProxyPassMatch ^/(.*\.<%= passing_extension %>/?.*)$ https://127.0.0.1/$1 + <%- else -%> + ProxyPass / https://127.0.0.1/ + <%- end -%> + ProxyPassReverse / https://127.0.0.1/ +<% else -%> + <% if run_mode.to_s == 'static-itk' -%> + ProxyPassMatch ^/(.*\.<%= passing_extension %>/?.*)$ http://127.0.0.1/$1 + <% else -%> + ProxyPass / http://127.0.0.1/ + <% end -%> + ProxyPassReverse / http://127.0.0.1/ +<% end %> + + <% if run_mode.to_s == 'static-itk' && (ssl_mode.to_s != 'force' || vhost_part == :ssl) -%> + <Directory "<%= documentroot %>/"> + AllowOverride <%= allow_override %> + <% if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> + Options <% unless options.to_s == 'absent' then -%><%= options %><% end -%><% if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<% end -%> + + <% end -%> +<%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %> + </Directory> + <% end -%> + + diff --git a/templates/vhosts/partials/authentication.erb b/templates/vhosts/partials/authentication.erb new file mode 100644 index 0000000..6ca1b03 --- /dev/null +++ b/templates/vhosts/partials/authentication.erb @@ -0,0 +1,6 @@ +<% unless htpasswd_file.to_s == 'absent' -%> + AuthType Basic + AuthName "Access fuer <%= servername %>" + AuthUserFile <%= real_htpasswd_path %> + require valid-user +<% end -%>
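Review bot: Every request reaching the itk backend arrives from the loopback proxy, and nothing here forwards the real client address (no X-Forwarded-For handling or mod_remoteip), so the backend's access log, mod_security audit log and any address-based `Require`/`Deny` rules see 127.0.0.1 for every client; since default.erb renders the mod_security partial only when template_partial is not this file, the public-facing front inspects nothing and the backend cannot attribute what it blocks. Either render the mod_security block on the proxy vhost as well, or make the backend trust the proxy's X-Forwarded-For via mod_remoteip, and state which in a comment. For the :ssl part the hop is re-encrypted to `https://127.0.0.1/` with no `SSLProxyVerify`/CA configured, so it authenticates nothing beyond what the plaintext loopback hop gives; if that is deliberate, mark it: `# TODO(review): loopback TLS hop is unverified (no SSLProxyVerify); confirm this is intended`.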
\ No newline at end of file diff --git a/templates/vhosts/partials/header_default.erb b/templates/vhosts/partials/header_default.erb new file mode 100644 index 0000000..d6d8c86 --- /dev/null +++ b/templates/vhosts/partials/header_default.erb @@ -0,0 +1,20 @@ + Include include.d/defaults.inc +<% if vhost_part == :ssl -%> + Include include.d/ssl_defaults.inc +<% end -%> + ServerName <%= servername %> +<% unless serveralias.empty? || (serveralias == 'absent') -%> + ServerAlias <%= serveralias %> +<% end -%> +<% unless server_admin.empty? || (server_admin == 'absent') -%> + ServerAdmin <%= server_admin %> +<% end -%> +<% unless documentroot == 'really_absent' -%> + DocumentRoot <%= documentroot %>/ +<% end -%> +<% if default_charset != 'absent' then -%> + AddDefaultCharset <%= default_charset %> +<% end -%> +<% if passing_extension != 'absent' -%> + DirectoryIndex index.htm index.html index.<%= passing_extension %> +<% end -%> diff --git a/templates/vhosts/partials/logs.erb b/templates/vhosts/partials/logs.erb new file mode 100644 index 0000000..68403a8 --- /dev/null +++ b/templates/vhosts/partials/logs.erb @@ -0,0 +1,14 @@ +<% case logmode.to_s + when 'nologs' -%> + ErrorLog /dev/null + CustomLog /dev/null +<% when 'semianonym' -%> + ErrorLog <%= logdir %>/<%= logprefix %>error_log + CustomLog <%= logdir %>/<%= logprefix %>access_log noip +<% when 'anonym' -%> + ErrorLog /dev/null + CustomLog <%= logdir %>/<%= logprefix %>access_log noip +<% else -%> + ErrorLog <%= logdir %>/<%= logprefix %>error_log + CustomLog <%= logdir %>/<%= logprefix %>access_log combined +<% end -%> diff --git a/templates/vhosts/partials/mod_security.erb b/templates/vhosts/partials/mod_security.erb new file mode 100644 index 0000000..5b4fca8 --- /dev/null +++ b/templates/vhosts/partials/mod_security.erb 
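Review bot: `serveralias.empty?` and `server_admin.empty?` drop the `.to_s` the removed templates used (`serveralias.to_s.empty?` in gitweb.erb), so an undef parameter — nil or a Symbol in the template scope depending on the Puppet/Ruby version, never the String 'absent' — either raises NoMethodError or renders a literal `ServerAlias undef` instead of omitting the directive. Restoring `serveralias.to_s.empty? || serveralias.to_s == 'absent'`, and the same for server_admin, keeps the old tolerance. If serveralias can be an Array of aliases, `<%= serveralias %>` also renders it without separators on Ruby 1.8 (and in inspect form on 1.9), so `Array(serveralias).join(' ')` is safer there.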
@@ -0,0 +1,27 @@ + <IfModule mod_security2.c> +<% if mod_security.to_s == 'true' then -%> + SecRuleEngine On +<% if mod_security_relevantonly.to_s == 'true' then -%> + SecAuditEngine RelevantOnly +<% else -%> + SecAuditEngine On +<% end -%> +<% else -%> + SecRuleEngine Off + SecAuditEngine Off +<% end -%> + SecAuditLogType Concurrent + SecAuditLogStorageDir <%= logdir %>/ + SecAuditLog <%= logdir %>/mod_security_audit.log + SecDebugLog <%= logdir %>/mod_security_debug.log +<% unless mod_security_rules_to_disable.to_a.empty? -%> + +<% mod_security_rules_to_disable.to_a.each do |rule| -%> + SecRuleRemoveById "<%= rule %>" +<% end -%> +<% end -%> +<% unless mod_security_additional_options.to_s == 'absent' -%> + + <%= mod_security_additional_options %> +<% end -%> + </IfModule> diff --git a/templates/vhosts/partials/php_settings.erb b/templates/vhosts/partials/php_settings.erb new file mode 100644 index 0000000..7840987 --- /dev/null +++ b/templates/vhosts/partials/php_settings.erb @@ -0,0 +1,19 @@ +<% if run_mode != 'fcgid' + php_settings.reject{|k,v| v == :undef }.keys.sort.each do |key| + dvalue = php_settings[key].to_s.downcase + munged_value = if dvalue == 'true' + 'on' + elsif dvalue == 'false' + 'off' + elsif ['on','off'].include?(dvalue) + dvalue + else + php_settings[key] + end + if ['on','off' ].include?(munged_value) -%> + php_admin_flag <%= key %> <%= munged_value %> +<% else -%> + php_admin_value <%= key %> <%= munged_value %> +<% end -%> +<% end -%> +<% end -%> diff --git a/templates/vhosts/partials/std_override_options.erb b/templates/vhosts/partials/std_override_options.erb new file mode 100644 index 0000000..95a5e6a --- /dev/null +++ b/templates/vhosts/partials/std_override_options.erb 
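Review bot: `mod_security_rules_to_disable.to_a` only works when the parameter is already an Array: a manifest that passes a single rule id as a string hits `String#to_a`, which Ruby 1.9+ no longer defines, and the template raises at catalog compile time; `Array(mod_security_rules_to_disable)` handles both forms, in the `.empty?` test and in the loop. The audit configuration also deserves a comment: `SecAuditLogStorageDir <%= logdir %>/` with `SecAuditLogType Concurrent` writes one file per flagged transaction, request body included, into the vhost's own logdir, and webdir.pp hands that directory to the same owner and group as the document root with mode 0660, so whoever can write the docroot can also read credentials captured in the audit files and truncate the trail. A root-owned audit directory, or at least `# NOTE: audit files carry full request bodies and share the docroot's owner/group` here, would make the trade-off visible.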
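Review bot: `php_admin_value <%= key %> <%= munged_value %>` emits the value unquoted, so a setting that contains whitespace — sendmail_path '/usr/sbin/sendmail -t -i' is the usual one — is split by Apache's tokenizer and only its first word is applied; rendering `php_admin_value <%= key %> "<%= munged_value.to_s.gsub('"', '\"') %>"` keeps such values intact. A one-line note that these are mod_php directives, hence the `run_mode != 'fcgid'` guard (fcgid vhosts presumably get their settings through the starter script instead), would explain the outer condition to the next reader.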
@@ -0,0 +1,4 @@ + AllowOverride <%= allow_override %> + <% if options.to_s != 'absent' || do_includes.to_s == 'true' || run_mode == 'fcgid' -%> + Options <%- unless options.to_s == 'absent' then -%><%= options %><% end -%><% if do_includes.to_s == 'true' && !options.include?('+Includes') -%> +Includes<% end -%><% if run_mode == 'fcgid' && !options.include?('+ExecCGI') -%> +ExecCGI<% end -%> + <% end -%> diff --git a/templates/vhosts/passenger/CentOS.erb b/templates/vhosts/passenger/CentOS.erb deleted file mode 120000 index c5062da..0000000 --- a/templates/vhosts/passenger/CentOS.erb +++ /dev/null @@ -1 +0,0 @@ -passenger.erb
\ No newline at end of file diff --git a/templates/vhosts/passenger/Debian.erb b/templates/vhosts/passenger/Debian.erb deleted file mode 120000 index c5062da..0000000 --- a/templates/vhosts/passenger/Debian.erb +++ /dev/null @@ -1 +0,0 @@ -passenger.erb
\ No newline at end of file diff --git a/templates/vhosts/passenger/partial.erb b/templates/vhosts/passenger/partial.erb new file mode 100644 index 0000000..490649e --- /dev/null +++ b/templates/vhosts/passenger/partial.erb @@ -0,0 +1,7 @@ + SetEnv GEM_HOME <%= gempath %> + <Directory <%= documentroot %>/> + AllowOverride <%= allow_override %> + Options <%- unless options.to_s == 'absent' -%><%= options %><%- end -%><%- unless !options.to_s.include?('MultiViews') -%>-MultiViews<%- end -%> + +<%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %> + </Directory> diff --git a/templates/vhosts/passenger/passenger.erb b/templates/vhosts/passenger/passenger.erb deleted file mode 100644 index 2c23dce..0000000 --- a/templates/vhosts/passenger/passenger.erb +++ /dev/null 
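Review bot: The Passenger vhost now gets `DocumentRoot <%= documentroot %>/` from header_default.erb, whereas the removed passenger.erb pointed it at `<%= documentroot %>/public`; unless apache::vhost::passenger (not in this diff) now passes a documentroot that already ends in /public, the whole application tree — config/, db/, log/ — becomes the web root, and the `<Directory <%= documentroot %>/>` block here grants the same scope. The MultiViews handling also reads inverted: `unless !options.to_s.include?('MultiViews')` appends `-MultiViews` only when the caller already mentions MultiViews, cancelling an explicit `+MultiViews` and doing nothing in the default case; the intended form is presumably `<%- unless options.to_s.include?('MultiViews') -%>-MultiViews<%- end -%>`. With options left at 'absent' the line currently renders an `Options` directive with no arguments, which should be guarded the way std_override_options.erb guards its line.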
@@ -1,118 +0,0 @@ -# <%= servername %> -<%- unless ssl_mode.to_s == 'only' then -%> -<VirtualHost *:80> - Include include.d/defaults.inc - - ServerName <%= servername %> - <%- unless serveralias.to_s.empty? then -%> - ServerAlias <%= serveralias %> - <%- end -%> - <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> - ServerAdmin <%= server_admin %> - <%- end -%> - DocumentRoot <%= documentroot %>/public - - ErrorLog <%= logdir %>/error_log - CustomLog <%= logdir %>/access_log combined - <%- if ssl_mode.to_s == 'force' then -%> - Redirect permanent / https://<%= servername %>/ - <%- end -%> - <%- if default_charset.to_s != 'absent' then -%> - AddDefaultCharset <%= default_charset %> - <%- end -%> - <%- if not ssl_mode.to_s == 'force' then -%> - <Directory "<%= documentroot %>/"> - AllowOverride <%= allow_override %> - <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> - Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> - - <%- end -%> - <%- unless htpasswd_file.to_s == 'absent' then -%> - AuthType Basic - AuthName "Access fuer <%= servername %>" - AuthUserFile <%= real_htpasswd_path %> - require valid-user - <%- end -%> - </Directory> - <%- end -%> - - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - </IfModule> - - <%- unless additional_options.to_s == 'absent' then -%> - <%= additional_options %> - <%- end -%> -</VirtualHost> -<%- end -%> - -<%- unless ssl_mode.to_s == 'false' 
then -%> -<VirtualHost *:443> - Include include.d/defaults.inc - Include include.d/ssl_defaults.inc - - ServerName <%= servername %> - <%- unless serveralias.to_s.empty? then -%> - ServerAlias <%= serveralias %> - <%- end -%> - <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> - ServerAdmin <%= server_admin %> - <%- end -%> - DocumentRoot <%= documentroot %>/public - - ErrorLog <%= logdir %>/error_log - CustomLog <%= logdir %>/access_log combined - <%- if default_charset.to_s != 'absent' then -%> - AddDefaultCharset <%= default_charset %> - <%- end -%> - <Directory "<%= documentroot %>/"> - AllowOverride <%= allow_override %> - <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> - Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> - - <%- end -%> - <%- unless htpasswd_file.to_s == 'absent' then -%> - AuthType Basic - AuthName "Access fuer <%= servername %>" - AuthUserFile <%= real_htpasswd_path %> - require valid-user - <%- end -%> - </Directory> - - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - </IfModule> - - <%- unless additional_options.to_s == 'absent' then -%> - <%= additional_options %> - <%- end -%> -</VirtualHost> -<%- end -%> diff --git a/templates/vhosts/perl/CentOS.erb b/templates/vhosts/perl/CentOS.erb deleted file mode 120000 index c721da2..0000000 --- a/templates/vhosts/perl/CentOS.erb +++ /dev/null @@ -1 +0,0 @@ -perl.erb
\ No newline at end of file diff --git a/templates/vhosts/perl/Debian.erb b/templates/vhosts/perl/Debian.erb deleted file mode 120000 index c721da2..0000000 --- a/templates/vhosts/perl/Debian.erb +++ /dev/null @@ -1 +0,0 @@ -perl.erb
\ No newline at end of file diff --git a/templates/vhosts/perl/partial.erb b/templates/vhosts/perl/partial.erb new file mode 100644 index 0000000..a8c30c3 --- /dev/null +++ b/templates/vhosts/perl/partial.erb @@ -0,0 +1,15 @@ + <Directory "<%= documentroot %>/"> +<%= scope.function_template(['apache/vhosts/partials/std_override_options.erb']) %> + +<%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %> + </Directory> + + <% unless htpasswd_file.to_s == 'absent' -%> + <Directory "<%= cgi_binpath %>/"> + AuthType Basic + AuthName "Access fuer <%= servername %>" + AuthUserFile <%= real_htpasswd_path %> + require valid-user + </Directory> + <% end -%> + ScriptAlias /cgi-bin/ <%= cgi_binpath %>/ diff --git a/templates/vhosts/perl/perl.erb b/templates/vhosts/perl/perl.erb deleted file mode 100644 index 0582e73..0000000 --- a/templates/vhosts/perl/perl.erb +++ /dev/null 
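Review bot: The Basic-auth block for `<Directory "<%= cgi_binpath %>/">` duplicates authentication.erb, which this same partial already includes for the document root; using `<%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %>` inside the cgi-bin Directory keeps the two in sync when the auth stanza changes. Note that without htpasswd_file no `<Directory>` stanza is emitted for cgi_binpath at all, so access to the scripts is whatever the server-wide default allows; a comment stating that assumption would help, e.g. `<%# cgi-bin inherits server-wide access rules unless htpasswd_file is set %>`.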
@@ -1,148 +0,0 @@ -# <%= servername %> -<%- unless ssl_mode.to_s == 'only' then -%> -<VirtualHost *:80> - Include include.d/defaults.inc - - ServerName <%= servername %> - <%- unless serveralias.to_s.empty? then -%> - ServerAlias <%= serveralias %> - <%- end -%> - <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> - ServerAdmin <%= server_admin %> - <%- end -%> - DocumentRoot <%= documentroot %>/ - - ErrorLog <%= logdir %>/error_log - CustomLog <%= logdir %>/access_log combined - <%- if ssl_mode.to_s == 'force' then -%> - Redirect permanent / https://<%= servername %>/ - <%- end -%> - <%- if default_charset.to_s != 'absent' then -%> - AddDefaultCharset <%= default_charset %> - <%- end -%> - <%- if run_mode.to_s == 'itk' -%> - <IfModule mpm_itk_module> - AssignUserId <%= run_uid+" "+run_gid %> - </IfModule> - <%- end -%> - <%- if not ssl_mode.to_s == 'force' then -%> - <Directory "<%= documentroot %>/"> - AllowOverride <%= allow_override %> - <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> - Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> - - <%- end -%> - <%- unless htpasswd_file.to_s == 'absent' then -%> - AuthType Basic - AuthName "Access fuer <%= servername %>" - AuthUserFile <%= real_htpasswd_path %> - require valid-user - <%- end -%> - </Directory> - - <%- unless htpasswd_file.to_s == 'absent' then -%> - <Directory "<%= cgi_binpath %>/"> - AuthType Basic - AuthName "Access fuer <%= servername %>" - AuthUserFile <%= real_htpasswd_path %> - require valid-user - </Directory> - <%- end -%> - ScriptAlias /cgi-bin/ <%= cgi_binpath %>/ - <%- end -%> - - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else 
-%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - </IfModule> - - <%- unless additional_options.to_s == 'absent' then -%> - <%= additional_options %> - <%- end -%> -</VirtualHost> -<%- end -%> - -<%- unless ssl_mode.to_s == 'false' then -%> -<VirtualHost *:443> - Include include.d/defaults.inc - Include include.d/ssl_defaults.inc - - ServerName <%= servername %> - <%- unless serveralias.to_s.empty? then -%> - ServerAlias <%= serveralias %> - <%- end -%> - <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> - ServerAdmin <%= server_admin %> - <%- end -%> - DocumentRoot <%= documentroot %>/ - - ErrorLog <%= logdir %>/error_log - CustomLog <%= logdir %>/access_log combined - <%- if default_charset.to_s != 'absent' then -%> - AddDefaultCharset <%= default_charset %> - <%- end -%> - <%- if run_mode.to_s == 'itk' -%> - <IfModule mpm_itk_module> - AssignUserId <%= run_uid+" "+run_gid %> - </IfModule> - <%- end -%> - <Directory "<%= documentroot %>/"> - AllowOverride <%= allow_override %> - <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> - Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> - - <%- end -%> - <%- unless htpasswd_file.to_s == 'absent' then -%> - AuthType Basic - AuthName "Access fuer <%= servername %>" - AuthUserFile <%= real_htpasswd_path %> - require valid-user - <%- end -%> - </Directory> - - ScriptAlias /cgi-bin/ <%= cgi_binpath %>/ - <%- unless htpasswd_file.to_s == 'absent' then -%> - <Directory "<%= cgi_binpath %>/"> - AuthType Basic - AuthName "Access fuer <%= servername %>" - AuthUserFile <%= real_htpasswd_path %> - require valid-user - </Directory> - <%- end -%> - - <IfModule mod_security2.c> - <%- 
if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - </IfModule> - - <%- unless additional_options.to_s == 'absent' then -%> - <%= additional_options %> - <%- end -%> -</VirtualHost> -<%- end -%> diff --git a/templates/vhosts/php/CentOS.erb b/templates/vhosts/php/CentOS.erb deleted file mode 100644 index bb88741..0000000 --- a/templates/vhosts/php/CentOS.erb +++ /dev/null 
@@ -1,164 +0,0 @@ -# <%= servername %> -<%- unless ssl_mode.to_s == 'only' then -%> -<VirtualHost *:80> - Include include.d/defaults.inc - - ServerName <%= servername %> - <%- unless serveralias.to_s.empty? then -%> - ServerAlias <%= serveralias %> - <%- end -%> - <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> - ServerAdmin <%= server_admin %> - <%- end -%> - DocumentRoot <%= documentroot %>/ - - ErrorLog <%= logdir %>/error_log - CustomLog <%= logdir %>/access_log combined - <%- if ssl_mode.to_s == 'force' then -%> - Redirect permanent / https://<%= servername %>/ - <%- end -%> - <%- if default_charset.to_s != 'absent' then -%> - AddDefaultCharset <%= default_charset %> - <%- end -%> - <%- if run_mode.to_s == 'itk' -%> - <IfModule mpm_itk_module> - AssignUserId <%= run_uid+" "+run_gid %> - </IfModule> - <%- end -%> - <%- if not ssl_mode.to_s == 'force' then -%> - <Directory "<%= documentroot %>/"> - AllowOverride <%= allow_override %> - <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> - Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> - - <%- end -%> - <%- unless htpasswd_file.to_s == 'absent' then -%> - AuthType Basic - AuthName "Access fuer <%= servername %>" - AuthUserFile <%= real_htpasswd_path %> - require valid-user - <%- end -%> - php_admin_flag engine on - <%- if php_safe_mode.to_s == 'false' -%> - php_admin_flag safe_mode Off - <%- end -%> - <%- unless php_default_charset.to_s == 'absent' then -%> - php_admin_value default_charset <%= php_default_charset %> - <%- end -%> - php_admin_value open_basedir <%- if php_use_smarty.to_s == 'true' -%>/usr/share/Smarty:<%- end -%><%- if php_use_pear.to_s == 'true' -%>/usr/share/pear:<%- end -%><%= documentroot %>:<%= real_php_upload_tmp_dir %>:<%= real_php_session_save_path %><% unless php_additional_open_basedirs.to_s == 'absent' %><%- 
php_additional_open_basedirs.each do |php_additional_open_basedir| -%>:<%= php_additional_open_basedir %><%- end -%><%- end %> - php_admin_value upload_tmp_dir <%= real_php_upload_tmp_dir %> - php_admin_value session.save_path <%= real_php_session_save_path %> - <%- unless php_safe_mode_exec_bins.to_s == 'absent' then -%> - php_admin_value safe_mode_exec_dir <%= real_php_safe_mode_exec_bin_dir %> - <%- end -%> - <%- unless php_additional_options.to_s == 'absent' then -%> - <%- php_additional_options.each do |php_additional_option| -%> - <%= php_additional_option %> - <%- end -%> - <%- end -%> - </Directory> - <%- end -%> - - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - </IfModule> - - <%- unless additional_options.to_s == 'absent' then -%> - <%= additional_options %> - <%- end -%> -</VirtualHost> -<%- end -%> - -<%- unless ssl_mode.to_s == 'false' then -%> -<VirtualHost *:443> - Include include.d/defaults.inc - Include include.d/ssl_defaults.inc - - ServerName <%= servername %> - <%- unless serveralias.to_s.empty? then -%> - ServerAlias <%= serveralias %> - <%- end -%> - <%- unless server_admin.to_s.empty? 
or server_admin.to_s == 'absent' then -%> - ServerAdmin <%= server_admin %> - <%- end -%> - DocumentRoot <%= documentroot %>/ - - ErrorLog <%= logdir %>/error_log - CustomLog <%= logdir %>/access_log combined - <%- if run_mode.to_s == 'itk' -%> - <IfModule mpm_itk_module> - AssignUserId <%= run_uid+" "+run_gid %> - </IfModule> - <%- end -%> - <%- if default_charset.to_s != 'absent' then -%> - AddDefaultCharset <%= default_charset %> - <%- end -%> - <Directory "<%= documentroot %>/"> - AllowOverride <%= allow_override %> - <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> - Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> - - <%- end -%> - <%- unless htpasswd_file.to_s == 'absent' then -%> - AuthType Basic - AuthName "Access fuer <%= servername %>" - AuthUserFile <%= real_htpasswd_path %> - require valid-user - <%- end -%> - php_admin_flag engine on - <%- if php_safe_mode.to_s == 'false' -%> - php_admin_flag safe_mode Off - <%- end -%> - <%- unless php_default_charset.to_s == 'absent' then -%> - php_admin_value default_charset <%= php_default_charset %> - <%- end -%> - php_admin_value open_basedir <%- if php_use_smarty.to_s == 'true' -%>/usr/share/php/Smarty/:<%- end -%><%- if php_use_pear.to_s == 'true' -%>/usr/share/pear/:<%- end -%><%= documentroot %>:<%= real_php_upload_tmp_dir %>:<%= real_php_session_save_path %><% unless php_additional_open_basedirs.to_s == 'absent' %><%- php_additional_open_basedirs.each do |php_additional_open_basedir| -%>:<%= php_additional_open_basedir %><%- end -%><%- end %> - php_admin_value upload_tmp_dir <%= real_php_upload_tmp_dir %> - php_admin_value session.save_path <%= real_php_session_save_path %> - <%- unless php_safe_mode_exec_bins.to_s == 'absent' then -%> - php_admin_value safe_mode_exec_dir <%= real_php_safe_mode_exec_bin_dir %> - <%- end -%> - <%- unless 
php_additional_options.to_s == 'absent' then -%> - <%- php_additional_options.each do |php_additional_option| -%> - <%= php_additional_option %> - <%- end -%> - <%- end -%> - </Directory> - - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - </IfModule> - - <%- unless additional_options.to_s == 'absent' then -%> - <%= additional_options %> - <%- end -%> -</VirtualHost> -<%- end -%> diff --git a/templates/vhosts/php/Debian.erb b/templates/vhosts/php/Debian.erb deleted file mode 100644 index 1f24fec..0000000 --- a/templates/vhosts/php/Debian.erb +++ /dev/null 
@@ -1,164 +0,0 @@ -# <%= servername %> -<%- unless ssl_mode.to_s == 'only' then -%> -<VirtualHost *:80> - Include include.d/defaults.inc - - ServerName <%= servername %> - <%- unless serveralias.to_s.empty? then -%> - ServerAlias <%= serveralias %> - <%- end -%> - <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> - ServerAdmin <%= server_admin %> - <%- end -%> - DocumentRoot <%= documentroot %>/ - - ErrorLog <%= logdir %>/error_log - CustomLog <%= logdir %>/access_log combined - <%- if ssl_mode.to_s == 'force' then -%> - Redirect permanent / https://<%= servername %>/ - <%- end -%> - <%- if default_charset.to_s != 'absent' then -%> - AddDefaultCharset <%= default_charset %> - <%- end -%> - <%- if run_mode.to_s == 'itk' -%> - <IfModule mpm_itk_module> - AssignUserId <%= run_uid+" "+run_gid %> - </IfModule> - <%- end -%> - <%- if not ssl_mode.to_s == 'force' then -%> - <Directory "<%= documentroot %>/"> - AllowOverride <%= allow_override %> - <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> - Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> - - <%- end -%> - <%- unless htpasswd_file.to_s == 'absent' then -%> - AuthType Basic - AuthName "Access fuer <%= servername %>" - AuthUserFile <%= real_htpasswd_path %> - require valid-user - <%- end -%> - php_admin_flag engine on - <%- if php_safe_mode.to_s == 'false' -%> - php_admin_flag safe_mode Off - <%- end -%> - <%- unless php_default_charset.to_s == 'absent' then -%> - php_admin_value default_charset <%= php_default_charset %> - <%- end -%> - php_admin_value open_basedir <%- if php_use_smarty.to_s == 'true' || php_use_pear.to_s == 'true' -%>/usr/share/php:<%- end -%><%= documentroot %>:<%= real_php_upload_tmp_dir %>:<%= real_php_session_save_path %><% unless php_additional_open_basedirs.to_s == 'absent' %><%- php_additional_open_basedirs.each do 
|php_additional_open_basedir| -%>:<%= php_additional_open_basedir %><%- end -%><%- end %> - php_admin_value upload_tmp_dir <%= real_php_upload_tmp_dir %> - php_admin_value session.save_path <%= real_php_session_save_path %> - <%- unless php_safe_mode_exec_bins.to_s == 'absent' then -%> - php_admin_value safe_mode_exec_dir <%= real_php_safe_mode_exec_bin_dir %> - <%- end -%> - <%- unless php_additional_options.to_s == 'absent' then -%> - <%- php_additional_options.each do |php_additional_option| -%> - <%= php_additional_option %> - <%- end -%> - <%- end -%> - </Directory> - <%- end -%> - - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - </IfModule> - - <%- unless additional_options.to_s == 'absent' then -%> - <%= additional_options %> - <%- end -%> -</VirtualHost> -<%- end -%> - -<%- unless ssl_mode.to_s == 'false' then -%> -<VirtualHost *:443> - Include include.d/defaults.inc - Include include.d/ssl_defaults.inc - - ServerName <%= servername %> - <%- unless serveralias.to_s.empty? then -%> - ServerAlias <%= serveralias %> - <%- end -%> - <%- unless server_admin.to_s.empty? 
or server_admin.to_s == 'absent' then -%> - ServerAdmin <%= server_admin %> - <%- end -%> - DocumentRoot <%= documentroot %>/ - - ErrorLog <%= logdir %>/error_log - CustomLog <%= logdir %>/access_log combined - <%- if run_mode.to_s == 'itk' -%> - <IfModule mpm_itk_module> - AssignUserId <%= run_uid+" "+run_gid %> - </IfModule> - <%- end -%> - <%- if default_charset.to_s != 'absent' then -%> - AddDefaultCharset <%= default_charset %> - <%- end -%> - <Directory "<%= documentroot %>/"> - AllowOverride <%= allow_override %> - <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> - Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> - - <%- end -%> - <%- unless htpasswd_file.to_s == 'absent' then -%> - AuthType Basic - AuthName "Access fuer <%= servername %>" - AuthUserFile <%= real_htpasswd_path %> - require valid-user - <%- end -%> - php_admin_flag engine on - <%- if php_safe_mode.to_s == 'false' -%> - php_admin_flag safe_mode Off - <%- end -%> - <%- unless php_default_charset.to_s == 'absent' then -%> - php_admin_value default_charset <%= php_default_charset %> - <%- end -%> - php_admin_value open_basedir <%- if php_use_smarty.to_s == 'true' || php_use_pear.to_s == 'true' -%>/usr/share/php:<%- end -%><%= documentroot %>:<%= real_php_upload_tmp_dir %>:<%= real_php_session_save_path %><% unless php_additional_open_basedirs.to_s == 'absent' %><%- php_additional_open_basedirs.each do |php_additional_open_basedir| -%>:<%= php_additional_open_basedir %><%- end -%><%- end %> - php_admin_value upload_tmp_dir <%= real_php_upload_tmp_dir %> - php_admin_value session.save_path <%= real_php_session_save_path %> - <%- unless php_safe_mode_exec_bins.to_s == 'absent' then -%> - php_admin_value safe_mode_exec_dir <%= real_php_safe_mode_exec_bin_dir %> - <%- end -%> - <%- unless php_additional_options.to_s == 'absent' then -%> - <%- 
php_additional_options.each do |php_additional_option| -%>
- <%= php_additional_option %>
- <%- end -%>
- <%- end -%>
- </Directory>
-
- <IfModule mod_security2.c>
- <%- if mod_security.to_s == 'true' then -%>
- SecRuleEngine On
- <%- if mod_security_relevantonly.to_s == 'true' then -%>
- SecAuditEngine RelevantOnly
- <%- else -%>
- SecAuditEngine On
- <%- end -%>
- <%- else -%>
- SecRuleEngine Off
- SecAuditEngine Off
- <%- end -%>
- SecAuditLogType Concurrent
- SecAuditLogStorageDir <%= logdir %>/
- SecAuditLog <%= logdir %>/mod_security_audit.log
- SecDebugLog <%= logdir %>/mod_security_debug.log
- </IfModule>
-
- <%- unless additional_options.to_s == 'absent' then -%>
- <%= additional_options %>
- <%- end -%>
-</VirtualHost>
-<%- end -%>
diff --git a/templates/vhosts/php/partial.erb b/templates/vhosts/php/partial.erb
new file mode 100644
index 0000000..f8e5c53
--- /dev/null
+++ b/templates/vhosts/php/partial.erb
@@ -0,0 +1,7 @@
+ <Directory "<%= documentroot %>/">
+<%= scope.function_template(['apache/vhosts/partials/std_override_options.erb']) %>
+
+<%= scope.function_template(['apache/vhosts/partials/php_settings.erb']) %>
+
+<%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %>
+ </Directory>
diff --git a/templates/vhosts/php_drupal/CentOS.erb b/templates/vhosts/php_drupal/CentOS.erb
deleted file mode 120000
index 5e933a5..0000000
--- a/templates/vhosts/php_drupal/CentOS.erb
+++ /dev/null
@@ -1 +0,0 @@
-php_drupal.erb
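Review bot: The only difference between the deleted php/CentOS.erb and php/Debian.erb was the open_basedir prefix (`/usr/share/Smarty:` and `/usr/share/pear:` versus `/usr/share/php:`), and nothing in this shared partial carries that distinction; `partials/php_settings.erb`, which it delegates to, is outside this chunk so I cannot confirm it does either. Unless that partial branches on the operating system, one distro loses the directory its Smarty/PEAR libraries actually live in from open_basedir and includes from there will start failing. Once that is confirmed, a comment above the include such as `<%# distro-specific Smarty/PEAR open_basedir entries are handled in php_settings.erb %>` would save the next reader the same check.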
\ No newline at end of file
diff --git a/templates/vhosts/php_drupal/Debian.erb b/templates/vhosts/php_drupal/Debian.erb
deleted file mode 120000
index 5e933a5..0000000
--- a/templates/vhosts/php_drupal/Debian.erb
+++ /dev/null
@@ -1 +0,0 @@
-php_drupal.erb
\ No newline at end of file
diff --git a/templates/vhosts/php_drupal/partial.erb b/templates/vhosts/php_drupal/partial.erb
new file mode 100644
index 0000000..3c420b1
--- /dev/null
+++ b/templates/vhosts/php_drupal/partial.erb
@@ -0,0 +1,26 @@
+ <Directory "<%= documentroot %>/">
+<%= scope.function_template(['apache/vhosts/partials/std_override_options.erb']) %>
+
+
+<%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %>
+
+<%= scope.function_template(['apache/vhosts/partials/php_settings.erb']) %>
+
+ # Protect files and directories from prying eyes.
+ <FilesMatch "\.(engine|inc|info|install|module|profile|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template)$">
+ Order allow,deny
+ </FilesMatch>
+
+ # Customized error messages.
+ ErrorDocument 404 /index.php
+
+ RewriteEngine on
+ RewriteCond %{REQUEST_FILENAME} !-f
+ RewriteCond %{REQUEST_FILENAME} !-d
+ RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]
+ </Directory>
+ <Directory "<%= documentroot %>/files/">
+ SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
+ Options None
+ Options +FollowSymLinks
+ </Directory>
diff --git a/templates/vhosts/php_drupal/php_drupal.erb b/templates/vhosts/php_drupal/php_drupal.erb
deleted file mode 100644
index 0367a53..0000000
--- a/templates/vhosts/php_drupal/php_drupal.erb
+++ /dev/null
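Review bot: The Drupal hardening values the deleted php_drupal.erb set inside this Directory (`php_value register_globals 0`, `magic_quotes_gpc 0`, `session.auto_start 0` and the three mbstring settings) do not appear in the new partial, and `partials/php_settings.erb` is outside this chunk, so I cannot confirm they moved there. If they were dropped on purpose, a sentence in the commit message would help; otherwise re-add them after the php_settings include. The `Order allow,deny` in the FilesMatch block, like the `Deny From All` blocks in php_joomla/partial.erb, is Apache 2.2 access-control syntax that only works on 2.4 through mod_access_compat; `Require all denied` is the portable form if the module targets both. The include order here (authentication before php_settings, with a doubled blank line) is also the reverse of php/partial.erb; Apache does not care within a Directory, but one order across all partials makes them easier to diff.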
@@ -1,198 +0,0 @@ -# <%= servername %> -<%- unless ssl_mode.to_s == 'only' then -%> -<VirtualHost *:80> - Include include.d/defaults.inc - - ServerName <%= servername %> - <%- unless serveralias.to_s.empty? then -%> - ServerAlias <%= serveralias %> - <%- end -%> - <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> - ServerAdmin <%= server_admin %> - <%- end -%> - DocumentRoot <%= documentroot %>/ - - ErrorLog <%= logdir %>/error_log - CustomLog <%= logdir %>/access_log combined - <%- if ssl_mode.to_s == 'force' then -%> - Redirect permanent / https://<%= servername %>/ - <%- end -%> - <%- if default_charset.to_s != 'absent' then -%> - AddDefaultCharset <%= default_charset %> - <%- end -%> - <%- if run_mode.to_s == 'itk' -%> - <IfModule mpm_itk_module> - AssignUserId <%= run_uid+" "+run_gid %> - </IfModule> - <%- end -%> - <%- if not ssl_mode.to_s == 'force' then -%> - <Directory "<%= documentroot %>/"> - AllowOverride <%= allow_override %> - <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> - Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> - - <%- end -%> - <%- unless htpasswd_file.to_s == 'absent' then -%> - AuthType Basic - AuthName "Access fuer <%= servername %>" - AuthUserFile <%= real_htpasswd_path %> - require valid-user - <%- end -%> - php_admin_flag engine on - <%- unless php_default_charset.to_s == 'absent' then -%> - php_admin_value default_charset <%= php_default_charset %> - <%- end -%> - php_admin_value open_basedir <%= documentroot %>:<%= real_php_upload_tmp_dir %>:<%= real_php_session_save_path %> - php_admin_value upload_tmp_dir <%= real_php_upload_tmp_dir %> - php_admin_value session.save_path <%= real_php_session_save_path %> - <%- unless php_safe_mode_exec_bins.to_s == 'absent' then -%> - php_admin_value safe_mode_exec_dir <%= real_php_safe_mode_exec_bin_dir %> - <%- end 
-%> - - php_value magic_quotes_gpc 0 - php_value register_globals 0 - php_value session.auto_start 0 - php_value mbstring.http_input pass - php_value mbstring.http_output pass - php_value mbstring.encoding_translation 0 - - # Protect files and directories from prying eyes. - <FilesMatch "\.(engine|inc|info|install|module|profile|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template)$"> - Order allow,deny - </FilesMatch> - - # Customized error messages. - ErrorDocument 404 /index.php - - RewriteEngine on - RewriteCond %{REQUEST_FILENAME} !-f - RewriteCond %{REQUEST_FILENAME} !-d - RewriteRule ^(.*)$ index.php?q=$1 [L,QSA] - </Directory> - <Directory "<%= documentroot %>/files/"> - SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006 - Options None - Options +FollowSymLinks - </Directory> - <%- end -%> - - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - </IfModule> - - <%- unless additional_options.to_s == 'absent' then -%> - <%= additional_options %> - <%- end -%> -</VirtualHost> -<%- end -%> - -<%- unless ssl_mode.to_s == 'false' then -%> -<VirtualHost *:443> - Include include.d/defaults.inc - Include include.d/ssl_defaults.inc - - ServerName <%= servername %> - <%- unless serveralias.to_s.empty? then -%> - ServerAlias <%= serveralias %> - <%- end -%> - <%- unless server_admin.to_s.empty? 
or server_admin.to_s == 'absent' then -%> - ServerAdmin <%= server_admin %> - <%- end -%> - DocumentRoot <%= documentroot %>/ - - ErrorLog <%= logdir %>/error_log - CustomLog <%= logdir %>/access_log combined - <%- if run_mode.to_s == 'itk' -%> - <IfModule mpm_itk_module> - AssignUserId <%= run_uid+" "+run_gid %> - </IfModule> - <%- end -%> - <%- if default_charset.to_s != 'absent' then -%> - AddDefaultCharset <%= default_charset %> - <%- end -%> - <Directory "<%= documentroot %>/"> - AllowOverride <%= allow_override %> - <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> - Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> - - <%- end -%> - <%- unless htpasswd_file.to_s == 'absent' then -%> - AuthType Basic - AuthName "Access fuer <%= servername %>" - AuthUserFile <%= real_htpasswd_path %> - require valid-user - <%- end -%> - php_admin_flag engine on - <%- unless php_default_charset.to_s == 'absent' then -%> - php_admin_value default_charset <%= php_default_charset %> - <%- end -%> - php_admin_value open_basedir <%= documentroot %>:<%= real_php_upload_tmp_dir %>:<%= real_php_session_save_path %> - php_admin_value upload_tmp_dir <%= real_php_upload_tmp_dir %> - php_admin_value session.save_path <%= real_php_session_save_path %> - <%- unless php_safe_mode_exec_bins.to_s == 'absent' then -%> - php_admin_value safe_mode_exec_dir <%= real_php_safe_mode_exec_bin_dir %> - <%- end -%> - - php_value magic_quotes_gpc 0 - php_value register_globals 0 - php_value session.auto_start 0 - php_value mbstring.http_input pass - php_value mbstring.http_output pass - php_value mbstring.encoding_translation 0 - - # Protect files and directories from prying eyes. 
- <FilesMatch "\.(engine|inc|info|install|module|profile|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template)$"> - Order allow,deny - </FilesMatch> - - # Customized error messages. - ErrorDocument 404 /index.php - - RewriteEngine on - RewriteCond %{REQUEST_FILENAME} !-f - RewriteCond %{REQUEST_FILENAME} !-d - RewriteRule ^(.*)$ index.php?q=$1 [L,QSA] - </Directory> - <Directory "<%= documentroot %>/files/"> - SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006 - Options None - Options +FollowSymLinks - </Directory> - - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - </IfModule> - - <%- unless additional_options.to_s == 'absent' then -%> - <%= additional_options %> - <%- end -%> -</VirtualHost> -<%- end -%> diff --git a/templates/vhosts/php_gallery2/CentOS.erb b/templates/vhosts/php_gallery2/CentOS.erb deleted file mode 120000 index 99be70b..0000000 --- a/templates/vhosts/php_gallery2/CentOS.erb +++ /dev/null @@ -1 +0,0 @@ -php_gallery.erb
\ No newline at end of file
diff --git a/templates/vhosts/php_gallery2/Debian.erb b/templates/vhosts/php_gallery2/Debian.erb
deleted file mode 120000
index 99be70b..0000000
--- a/templates/vhosts/php_gallery2/Debian.erb
+++ /dev/null
@@ -1 +0,0 @@
-php_gallery.erb
\ No newline at end of file
diff --git a/templates/vhosts/php_gallery2/partial.erb b/templates/vhosts/php_gallery2/partial.erb
new file mode 100644
index 0000000..448f720
--- /dev/null
+++ b/templates/vhosts/php_gallery2/partial.erb
@@ -0,0 +1,16 @@
+ <Directory "<%= documentroot %>/">
+<%= scope.function_template(['apache/vhosts/partials/std_override_options.erb']) %>
+
+<%= scope.function_template(['apache/vhosts/partials/php_settings.erb']) %>
+
+<%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %>
+
+<% if vhost_part != :ssl -%>
+ # Always rewrite login's
+ # Source: http://gallery.menalto.com/node/30558
+ RewriteEngine On
+ RewriteCond %{HTTP_COOKIE} ^GALLERYSID= [OR]
+ RewriteCond %{QUERY_STRING} subView=core\.UserLogin
+ RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [NE,R,L]
+<% end -%>
+ </Directory>
diff --git a/templates/vhosts/php_gallery2/php_gallery.erb b/templates/vhosts/php_gallery2/php_gallery.erb
deleted file mode 100644
index 522b53c..0000000
--- a/templates/vhosts/php_gallery2/php_gallery.erb
+++ /dev/null
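Review bot: The `vhost_part != :ssl` guard only does its job if the caller passes a Symbol; if `vhost_part` arrives as the string "ssl", the comparison is always true, the login rewrite is emitted into the :443 vhost as well, and any request carrying a GALLERYSID cookie is redirected to its own https URL in a loop. Where vhost_part is set is outside this chunk, so please confirm its type, or compare with `<% if vhost_part.to_s != 'ssl' -%>` to match the `.to_s` style the other templates use. Separately, the deleted php_gallery.erb appended `<%= gdatadir %>` to open_basedir and set `allow_url_fopen On` for the SSL vhost; neither appears here, and if `php_settings.erb` does not add gdatadir, Gallery can no longer write its data directory.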
@@ -1,166 +0,0 @@ -# <%= servername %> -<%- unless ssl_mode.to_s == 'only' then -%> -<VirtualHost *:80> - Include include.d/defaults.inc - - ServerName <%= servername %> - <%- unless serveralias.to_s.empty? then -%> - ServerAlias <%= serveralias %> - <%- end -%> - <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> - ServerAdmin <%= server_admin %> - <%- end -%> - DocumentRoot <%= documentroot %>/ - - ErrorLog <%= logdir %>/error_log - CustomLog <%= logdir %>/access_log combined - <%- if ssl_mode.to_s == 'force' then -%> - Redirect permanent / https://<%= servername %>/ - <%- end -%> - <%- if default_charset.to_s != 'absent' then -%> - AddDefaultCharset <%= default_charset %> - <%- end -%> - <%- if run_mode.to_s == 'itk' -%> - <IfModule mpm_itk_module> - AssignUserId <%= run_uid+" "+run_gid %> - </IfModule> - <%- end -%> - <%- if not ssl_mode.to_s == 'force' then -%> - <Directory "<%= documentroot %>/"> - AllowOverride <%= allow_override %> - <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> - Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> - - <%- end -%> - <%- unless htpasswd_file.to_s == 'absent' then -%> - AuthType Basic - AuthName "Access fuer <%= servername %>" - AuthUserFile <%= real_htpasswd_path %> - require valid-user - <%- end -%> - php_admin_flag engine on - php_admin_flag safe_mode Off - php_admin_value output_buffering Off - <%- unless php_default_charset.to_s == 'absent' then -%> - php_admin_value default_charset <%= php_default_charset %> - <%- end -%> - php_admin_value open_basedir <%= documentroot %>:<%= real_php_upload_tmp_dir %>:<%= real_php_session_save_path %>:<%= gdatadir %> - php_admin_value upload_tmp_dir <%= real_php_upload_tmp_dir %> - php_admin_value session.save_path <%= real_php_session_save_path %> - <%- unless php_safe_mode_exec_bins.to_s == 'absent' then -%> 
- php_admin_value safe_mode_exec_dir <%= real_php_safe_mode_exec_bin_dir %> - <%- end -%> - # Always rewrite login's - # Source: http://gallery.menalto.com/node/30558 - RewriteEngine On - RewriteCond %{HTTP_COOKIE} ^GALLERYSID= [OR] - RewriteCond %{QUERY_STRING} subView=core\.UserLogin - RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [NE,R,L] - # https -> see below - # Then, unset baseUri in config.php (to keep Gallery from trying to redirect users to either HTTP or HTTPS): - # $gallery->setConfig('baseUri', ''); - </Directory> - <%- end -%> - - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - </IfModule> - - <%- unless additional_options.to_s == 'absent' then -%> - <%= additional_options %> - <%- end -%> -</VirtualHost> -<%- end -%> - -<%- unless ssl_mode.to_s == 'false' then -%> -<VirtualHost *:443> - Include include.d/defaults.inc - Include include.d/ssl_defaults.inc - - ServerName <%= servername %> - <%- unless serveralias.to_s.empty? then -%> - ServerAlias <%= serveralias %> - <%- end -%> - <%- unless server_admin.to_s.empty? 
or server_admin.to_s == 'absent' then -%> - ServerAdmin <%= server_admin %> - <%- end -%> - DocumentRoot <%= documentroot %>/ - - ErrorLog <%= logdir %>/error_log - CustomLog <%= logdir %>/access_log combined - <%- if run_mode.to_s == 'itk' -%> - <IfModule mpm_itk_module> - AssignUserId <%= run_uid+" "+run_gid %> - </IfModule> - <%- end -%> - <%- if default_charset.to_s != 'absent' then -%> - AddDefaultCharset <%= default_charset %> - <%- end -%> - <Directory "<%= documentroot %>/"> - AllowOverride <%= allow_override %> - <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> - Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> - - <%- end -%> - <%- unless htpasswd_file.to_s == 'absent' then -%> - AuthType Basic - AuthName "Access fuer <%= servername %>" - AuthUserFile <%= real_htpasswd_path %> - require valid-user - <%- end -%> - php_admin_flag engine on - php_admin_flag safe_mode Off - php_admin_value output_buffering Off - <%- unless php_default_charset.to_s == 'absent' then -%> - php_admin_value default_charset <%= php_default_charset %> - <%- end -%> - php_admin_value open_basedir <%= documentroot %>:<%= real_php_upload_tmp_dir %>:<%= real_php_session_save_path %>:<%= gdatadir %> - php_admin_value upload_tmp_dir <%= real_php_upload_tmp_dir %> - php_admin_value session.save_path <%= real_php_session_save_path %> - <%- unless php_safe_mode_exec_bins.to_s == 'absent' then -%> - php_admin_value safe_mode_exec_dir <%= real_php_safe_mode_exec_bin_dir %> - <%- end -%> - # turn allow_url_fopen on for the extension manager fetch - php_admin_value allow_url_fopen On - - # Always rewrite login's (see above) - RewriteEngine On - RewriteCond %{HTTP_COOKIE} ="" - RewriteCond %{REQUEST_METHOD} =GET - RewriteCond %{QUERY_STRING} !subView=core\.UserLogin - RewriteRule ^ http://%{HTTP_HOST}%{REQUEST_URI} [NE,R,L] - </Directory> - - 
<IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - SecAuditEngine On - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - </IfModule> - - <%- unless additional_options.to_s == 'absent' then -%> - <%= additional_options %> - <%- end -%> -</VirtualHost> -<%- end -%> diff --git a/templates/vhosts/php_joomla/CentOS.erb b/templates/vhosts/php_joomla/CentOS.erb deleted file mode 120000 index 307fc29..0000000 --- a/templates/vhosts/php_joomla/CentOS.erb +++ /dev/null @@ -1 +0,0 @@ -php_joomla.erb
\ No newline at end of file
diff --git a/templates/vhosts/php_joomla/Debian.erb b/templates/vhosts/php_joomla/Debian.erb
deleted file mode 120000
index 307fc29..0000000
--- a/templates/vhosts/php_joomla/Debian.erb
+++ /dev/null
@@ -1 +0,0 @@
-php_joomla.erb
\ No newline at end of file
diff --git a/templates/vhosts/php_joomla/partial.erb b/templates/vhosts/php_joomla/partial.erb
new file mode 100644
index 0000000..3046129
--- /dev/null
+++ b/templates/vhosts/php_joomla/partial.erb
@@ -0,0 +1,32 @@
+ <Directory "<%= documentroot %>/">
+<%= scope.function_template(['apache/vhosts/partials/std_override_options.erb']) %>
+
+<%= scope.function_template(['apache/vhosts/partials/php_settings.erb']) %>
+
+<%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %>
+
+ Include include.d/joomla.inc
+ </Directory>
+
+ <Directory "<%= documentroot %>/administrator/">
+ RewriteEngine on
+
+ # Rewrite URLs to https that go for the admin area
+ RewriteCond %{REMOTE_ADDR} !^127\.[0-9]+\.[0-9]+\.[0-9]+$
+ RewriteCond %{HTTPS} !=on
+ RewriteCond %{REQUEST_URI} (.*/administrator/.*)
+ RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R]
+ </Directory>
+
+ # Deny various directories that
+ # shouldn't be webaccessible
+ <Directory "<%= documentroot %>/tmp/">
+ Deny From All
+ </Directory>
+ <Directory "<%= documentroot %>/logs/">
+ Deny From All
+ </Directory>
+ <Directory "<%= documentroot %>/cli/">
+ Deny From All
+ </Directory>
+
diff --git a/templates/vhosts/php_joomla/php_joomla.erb b/templates/vhosts/php_joomla/php_joomla.erb
deleted file mode 100644
index 18caff8..0000000
--- a/templates/vhosts/php_joomla/php_joomla.erb
+++ /dev/null
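Review bot: The ModSecurity exceptions the deleted php_joomla.erb carried (`SecRuleRemoveById 950013`, `SecRuleRemoveById 960010`, and the `allow,phase:1,nolog,ctl:ruleEngine=Off` rule for /administrator/index2.php) have no counterpart in this partial, and I cannot see them moved anywhere else in this chunk. If dropping them is intentional it is a hardening, since the old allow rule switched the rule engine off entirely for that script, and it deserves a line in the commit message; if not, the Joomla admin panel is likely to be blocked whenever mod_security is on. Inside `<Directory "<%= documentroot %>/administrator/">` the `RewriteCond %{REQUEST_URI} (.*/administrator/.*)` condition is redundant and can be dropped, and the `RewriteRule ... [R]` would usually also carry `L` so later rules do not run on the redirected request.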
@@ -1,190 +0,0 @@ -# <%= servername %> -<%- unless ssl_mode.to_s == 'only' then -%> -<VirtualHost *:80> - Include include.d/defaults.inc - - ServerName <%= servername %> - <%- unless serveralias.to_s.empty? then -%> - ServerAlias <%= serveralias %> - <%- end -%> - <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> - ServerAdmin <%= server_admin %> - <%- end -%> - DocumentRoot <%= documentroot %>/ - - ErrorLog <%= logdir %>/error_log - CustomLog <%= logdir %>/access_log combined - <%- if ssl_mode.to_s == 'force' then -%> - Redirect permanent / https://<%= servername %>/ - <%- end -%> - <%- if default_charset.to_s != 'absent' then -%> - AddDefaultCharset <%= default_charset %> - <%- end -%> - <%- if run_mode.to_s == 'itk' -%> - <IfModule mpm_itk_module> - AssignUserId <%= run_uid+" "+run_gid %> - </IfModule> - <%- end -%> - <%- if not ssl_mode.to_s == 'force' then -%> - <Directory "<%= documentroot %>/"> - Include include.d/joomla.inc - - AllowOverride <%= allow_override %> - <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> - Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> - - <%- end -%> - <%- unless htpasswd_file.to_s == 'absent' then -%> - AuthType Basic - AuthName "Access fuer <%= servername %>" - AuthUserFile <%= real_htpasswd_path %> - require valid-user - <%- end -%> - php_admin_flag engine on - <%- unless php_default_charset.to_s == 'absent' then -%> - php_admin_value default_charset <%= php_default_charset %> - <%- end -%> - php_admin_value open_basedir <%= documentroot %>:<%= real_php_upload_tmp_dir %>:<%= real_php_session_save_path %> - php_admin_value upload_tmp_dir <%= real_php_upload_tmp_dir %> - php_admin_value session.save_path <%= real_php_session_save_path %> - <%- unless php_safe_mode_exec_bins.to_s == 'absent' then -%> - php_admin_value safe_mode_exec_dir <%= 
real_php_safe_mode_exec_bin_dir %> - <%- end -%> - </Directory> - <%- end -%> - - <Directory "<%= documentroot %>/administrator/"> - RewriteEngine on - - # Rewrite URLs to https that go for the admin area - RewriteCond %{REMOTE_ADDR} !^127\.[0-9]+\.[0-9]+\.[0-9]+$ - RewriteCond %{HTTPS} !=on - RewriteCond %{REQUEST_URI} (.*/administrator/.*) - RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R] - </Directory> - - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - # http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html - # Exceptions for Joomla Root Directory - <LocationMatch '^/'> - SecRuleRemoveById 950013 - </LocationMatch> - - # Exceptions for Joomla Administration Panel - SecRule REQUEST_FILENAME "/administrator/index2.php" \ - "allow,phase:1,nolog,ctl:ruleEngine=Off" - - # Exceptions for Joomla Component Expose - <LocationMatch '^/components/com_expose/expose/manager/amfphp/gateway.php'> - SecRuleRemoveById 960010 - </LocationMatch> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - </IfModule> - - <%- unless additional_options.to_s == 'absent' then -%> - <%= additional_options %> - <%- end -%> -</VirtualHost> -<%- end -%> - -<%- unless ssl_mode.to_s == 'false' then -%> -<VirtualHost *:443> - Include include.d/defaults.inc - Include include.d/ssl_defaults.inc - - ServerName <%= servername %> - <%- unless serveralias.to_s.empty? then -%> - ServerAlias <%= serveralias %> - <%- end -%> - <%- unless server_admin.to_s.empty? 
or server_admin.to_s == 'absent' then -%> - ServerAdmin <%= server_admin %> - <%- end -%> - DocumentRoot <%= documentroot %>/ - - ErrorLog <%= logdir %>/error_log - CustomLog <%= logdir %>/access_log combined - <%- if run_mode.to_s == 'itk' -%> - <IfModule mpm_itk_module> - AssignUserId <%= run_uid+" "+run_gid %> - </IfModule> - <%- end -%> - <%- if default_charset.to_s != 'absent' then -%> - AddDefaultCharset <%= default_charset %> - <%- end -%> - <Directory "<%= documentroot %>/"> - Include include.d/joomla.inc - - AllowOverride <%= allow_override %> - <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> - Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> - - <%- end -%> - <%- unless htpasswd_file.to_s == 'absent' then -%> - AuthType Basic - AuthName "Access fuer <%= servername %>" - AuthUserFile <%= real_htpasswd_path %> - require valid-user - <%- end -%> - php_admin_flag engine on - <%- unless php_default_charset.to_s == 'absent' then -%> - php_admin_value default_charset <%= php_default_charset %> - <%- end -%> - php_admin_value open_basedir <%= documentroot %>:<%= real_php_upload_tmp_dir %>:<%= real_php_session_save_path %> - php_admin_value upload_tmp_dir <%= real_php_upload_tmp_dir %> - php_admin_value session.save_path <%= real_php_session_save_path %> - <%- unless php_safe_mode_exec_bins.to_s == 'absent' then -%> - php_admin_value safe_mode_exec_dir <%= real_php_safe_mode_exec_bin_dir %> - <%- end -%> - </Directory> - - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - # http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html - # 
Exceptions for Joomla Root Directory - <LocationMatch '^/'> - SecRuleRemoveById 950013 - </LocationMatch> - - # Exceptions for Joomla Administration Panel - SecRule REQUEST_FILENAME "/administrator/index2.php" \ - "allow,phase:1,nolog,ctl:ruleEngine=Off" - - # Exceptions for Joomla Component Expose - <LocationMatch '^/components/com_expose/expose/manager/amfphp/gateway.php'> - SecRuleRemoveById 960010 - </LocationMatch> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - </IfModule> - - <%- unless additional_options.to_s == 'absent' then -%> - <%= additional_options %> - <%- end -%> -</VirtualHost> -<%- end -%> diff --git a/templates/vhosts/php_mediawiki/CentOS.erb b/templates/vhosts/php_mediawiki/CentOS.erb deleted file mode 120000 index 8080262..0000000 --- a/templates/vhosts/php_mediawiki/CentOS.erb +++ /dev/null @@ -1 +0,0 @@ -php_mediawiki.erb
\ No newline at end of file
diff --git a/templates/vhosts/php_mediawiki/Debian.erb b/templates/vhosts/php_mediawiki/Debian.erb
deleted file mode 120000
index 8080262..0000000
--- a/templates/vhosts/php_mediawiki/Debian.erb
+++ /dev/null
@@ -1 +0,0 @@
-php_mediawiki.erb
\ No newline at end of file
diff --git a/templates/vhosts/php_mediawiki/partial.erb b/templates/vhosts/php_mediawiki/partial.erb
new file mode 100644
index 0000000..cf30f5f
--- /dev/null
+++ b/templates/vhosts/php_mediawiki/partial.erb
@@ -0,0 +1,16 @@
+<% if run_mode == 'fcgid' -%>
+ RewriteEngine On
+ RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
+ RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-d
+ RewriteRule ^/?index.php/(.*)$ /index.php?title=$1 [PT,L,QSA]
+<% end -%>
+<%= scope.function_template(['apache/vhosts/php/partial.erb']) %>
+ <Directory "<%= documentroot %>/typo3/">
+ RewriteEngine on
+
+ # Rewrite URLs to https that go for the admin area
+ RewriteCond %{REMOTE_ADDR} !^127\.[0-9]+\.[0-9]+\.[0-9]+$
+ RewriteCond %{HTTPS} !=on
+ RewriteCond %{REQUEST_URI} (.*/typo3/.*)
+ RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R]
+ </Directory>
diff --git a/templates/vhosts/php_mediawiki/php_mediawiki.erb b/templates/vhosts/php_mediawiki/php_mediawiki.erb
deleted file mode 100644
index cabe0c5..0000000
--- a/templates/vhosts/php_mediawiki/php_mediawiki.erb
+++ /dev/null
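Review bot: The `<Directory "<%= documentroot %>/typo3/">` block that closes the new mediawiki partial, together with its `RewriteCond %{REQUEST_URI} (.*/typo3/.*)`, targets a TYPO3 path that a MediaWiki document root does not contain, so it reads as pasted from a typo3 partial and is dead configuration here; the "admin area" comment above it makes the copy origin fairly clear. Either remove the block or, if the intent was to force HTTPS for MediaWiki's login pages, point it at the paths MediaWiki actually serves — which ones is not determinable from this page. The deleted php_mediawiki.erb also prepended `/var/www/mediawiki/:` to open_basedir, set `safe_mode off` and forced `+FollowSymLinks` into Options; whether the generic apache/vhosts/php/partial.erb now included here reproduces any of that is not visible in this diff and is worth confirming before merge.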
@@ -1,136 +0,0 @@ -# <%= servername %> -<%- unless ssl_mode.to_s == 'only' then -%> -<VirtualHost *:80> - Include include.d/defaults.inc - - ServerName <%= servername %> - <%- unless serveralias.to_s.empty? then -%> - ServerAlias <%= serveralias %> - <%- end -%> - <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> - ServerAdmin <%= server_admin %> - <%- end -%> - DocumentRoot <%= documentroot %>/ - - ErrorLog <%= logdir %>/error_log - CustomLog <%= logdir %>/access_log combined - <%- if ssl_mode.to_s == 'force' then -%> - Redirect permanent / https://<%= servername %>/ - <%- end -%> - <%- if default_charset.to_s != 'absent' then -%> - AddDefaultCharset <%= default_charset %> - <%- end -%> - <%- if run_mode.to_s == 'itk' -%> - <IfModule mpm_itk_module> - AssignUserId <%= run_uid+" "+run_gid %> - </IfModule> - <%- end -%> - <%- if not ssl_mode.to_s == 'force' then -%> - <Directory "<%= documentroot %>/"> - AllowOverride <%= allow_override %> - <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> - Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%><%- unless options.to_s.include?('+FollowSymLinks') -%> +FollowSymLinks<% end -%> - - <%- end -%> - <%- unless htpasswd_file.to_s == 'absent' then -%> - AuthType Basic - AuthName "Access fuer <%= servername %>" - AuthUserFile <%= real_htpasswd_path %> - require valid-user - <%- end -%> - php_admin_flag engine on - php_admin_value safe_mode off - <%- unless php_default_charset.to_s == 'absent' then -%> - php_admin_value default_charset <%= php_default_charset %> - <%- end -%> - php_admin_value open_basedir /var/www/mediawiki/:<%= documentroot %>:<%= real_php_upload_tmp_dir %>:<%= real_php_session_save_path %> - php_admin_value upload_tmp_dir <%= real_php_upload_tmp_dir %> - php_admin_value session.save_path <%= real_php_session_save_path %> - </Directory> 
- <%- end -%> - - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - SecAuditEngine On - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - </IfModule> - - <%- unless additional_options.to_s == 'absent' then -%> - <%= additional_options %> - <%- end -%> -</VirtualHost> -<%- end -%> - -<%- unless ssl_mode.to_s == 'false' then -%> -<VirtualHost *:443> - Include include.d/defaults.inc - Include include.d/ssl_defaults.inc - - ServerName <%= servername %> - <%- unless serveralias.to_s.empty? then -%> - ServerAlias <%= serveralias %> - <%- end -%> - <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> - ServerAdmin <%= server_admin %> - <%- end -%> - DocumentRoot <%= documentroot %>/ - - ErrorLog <%= logdir %>/error_log - CustomLog <%= logdir %>/access_log combined - <%- if default_charset.to_s != 'absent' then -%> - AddDefaultCharset <%= default_charset %> - <%- end -%> - <%- if run_mode.to_s == 'itk' -%> - <IfModule mpm_itk_module> - AssignUserId <%= run_uid+" "+run_gid %> - </IfModule> - <%- end -%> - <Directory "<%= documentroot %>/"> - AllowOverride <%= allow_override %> - <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> - Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> - - <%- end -%> - <%- unless htpasswd_file.to_s == 'absent' then -%> - AuthType Basic - AuthName "Access fuer <%= servername %>" - AuthUserFile <%= real_htpasswd_path %> - require valid-user - <%- end -%> - php_admin_flag engine on - php_admin_value safe_mode off - <%- unless php_default_charset.to_s == 'absent' then -%> - php_admin_value default_charset <%= php_default_charset %> - <%- end -%> - 
php_admin_value open_basedir /var/www/mediawiki/:<%= documentroot %>:<%= real_php_upload_tmp_dir %>:<%= real_php_session_save_path %> - php_admin_value upload_tmp_dir <%= real_php_upload_tmp_dir %> - php_admin_value session.save_path <%= real_php_session_save_path %> - </Directory> - - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - SecAuditEngine On - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - </IfModule> - - <%- unless additional_options.to_s == 'absent' then -%> - <%= additional_options %> - <%- end -%> -</VirtualHost> -<%- end -%> diff --git a/templates/vhosts/php_silverstripe/CentOS.erb b/templates/vhosts/php_silverstripe/CentOS.erb deleted file mode 120000 index 9ac244f..0000000 --- a/templates/vhosts/php_silverstripe/CentOS.erb +++ /dev/null @@ -1 +0,0 @@ -php_silverstripe.erb
\ No newline at end of file
diff --git a/templates/vhosts/php_silverstripe/Debian.erb b/templates/vhosts/php_silverstripe/Debian.erb
deleted file mode 120000
index 9ac244f..0000000
--- a/templates/vhosts/php_silverstripe/Debian.erb
+++ /dev/null
@@ -1 +0,0 @@
-php_silverstripe.erb
\ No newline at end of file
diff --git a/templates/vhosts/php_silverstripe/partial.erb b/templates/vhosts/php_silverstripe/partial.erb
new file mode 100644
index 0000000..89a6052
--- /dev/null
+++ b/templates/vhosts/php_silverstripe/partial.erb
@@ -0,0 +1,16 @@
+<% if vhost_part != :ssl && ![false,'false'].include?(ssl_mode) -%>
+ # silverstripe
+ RedirectMatch /admin(.*) https://<%= servername %>/admin$1
+ RedirectMatch /Security(.*) https://<%= servername %>/Security$1
+
+<% end -%>
+ <Directory "<%= documentroot %>/">
+
+<%= scope.function_template(['apache/vhosts/partials/std_override_options.erb']) %>
+
+<%= scope.function_template(['apache/vhosts/partials/php_settings.erb']) %>
+
+<%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %>
+
+ Include include.d/silverstripe.inc
+ </Directory>
diff --git a/templates/vhosts/php_silverstripe/php_silverstripe.erb b/templates/vhosts/php_silverstripe/php_silverstripe.erb
deleted file mode 100644
index 671fc5c..0000000
--- a/templates/vhosts/php_silverstripe/php_silverstripe.erb
+++ /dev/null
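Review bot: The two `RedirectMatch` patterns in the new silverstripe partial are unanchored, so `/admin(.*)` also matches any URL-path that merely contains `/admin` (for example `/assets/admin.css` or `/foo/admin/`) and sends it to `https://<servername>/admin…`, which changes the path rather than only upgrading the scheme. Anchoring them — `RedirectMatch ^/admin(.*) https://<%= servername %>/admin$1` and `RedirectMatch ^/Security(.*) https://<%= servername %>/Security$1` — keeps the redirect limited to the two entry points it is meant to protect. The same unanchored form was in the deleted php_silverstripe.erb, so this is carried over rather than introduced, but it is the line under review now. The `<Files *.ss>` deny block, the mod_rewrite front-controller rule and the `SecRuleRemoveById "960010"` exception from the deleted template are presumably now expected to come from include.d/silverstripe.inc, which is not on this page; a one-line comment next to the `Include` naming what that file is expected to provide would make the dependency explicit.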
@@ -1,191 +0,0 @@ -# <%= servername %> -<%- unless ssl_mode.to_s == 'only' then -%> -<VirtualHost *:80> - Include include.d/defaults.inc - - ServerName <%= servername %> - <%- unless serveralias.to_s.empty? then -%> - ServerAlias <%= serveralias %> - <%- end -%> - <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> - ServerAdmin <%= server_admin %> - <%- end -%> - DocumentRoot <%= documentroot %>/ - - ErrorLog <%= logdir %>/error_log - CustomLog <%= logdir %>/access_log combined - <%- if ssl_mode.to_s == 'force' then -%> - Redirect permanent / https://<%= servername %>/ - <%- end -%> - # silverstripe - RedirectMatch /admin(.*) https://<%= servername %>/admin$1 - RedirectMatch /Security(.*) https://<%= servername %>/Security$1 - <%- if default_charset.to_s != 'absent' then -%> - AddDefaultCharset <%= default_charset %> - <%- end -%> - <%- if run_mode.to_s == 'itk' -%> - <IfModule mpm_itk_module> - AssignUserId <%= run_uid+" "+run_gid %> - </IfModule> - <%- end -%> - <%- if not ssl_mode.to_s == 'force' then -%> - <Directory "<%= documentroot %>/"> - AllowOverride <%= allow_override %> - <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> - Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> - - <%- end -%> - <%- unless htpasswd_file.to_s == 'absent' then -%> - AuthType Basic - AuthName "Access fuer <%= servername %>" - AuthUserFile <%= real_htpasswd_path %> - require valid-user - <%- end -%> - php_admin_flag engine on - <%- unless php_default_charset.to_s == 'absent' then -%> - php_admin_value default_charset <%= php_default_charset %> - <%- end -%> - php_admin_value open_basedir <%= documentroot %>:<%= real_php_upload_tmp_dir %>:<%= real_php_session_save_path %> - php_admin_value upload_tmp_dir <%= real_php_upload_tmp_dir %> - php_admin_value session.save_path <%= real_php_session_save_path %> - 
<%- unless php_safe_mode_exec_bins.to_s == 'absent' then -%> - php_admin_value safe_mode_exec_dir <%= real_php_safe_mode_exec_bin_dir %> - <%- end -%> - - # silverstripe .htaccess - <Files *.ss> - Order deny,allow - Deny from all - #Allow from 127.0.0.1 - </Files> - <IfModule mod_rewrite.c> - RewriteEngine On - #RewriteBase / - - RewriteCond %{REQUEST_URI} !(\.gif$)|(\.jpg$)|(\.png$)|(\.css$)|(\.js$) - - RewriteCond %{REQUEST_URI} ^(.*)$ - RewriteCond %{REQUEST_FILENAME} !-f - RewriteRule .* sapphire/main.php?url=%1&%{QUERY_STRING} [L] - </IfModule> - </Directory> - <%- end -%> - - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - # http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html - SecRuleRemoveById "960010" - </IfModule> - - <%- unless additional_options.to_s == 'absent' then -%> - <%= additional_options %> - <%- end -%> -</VirtualHost> -<%- end -%> - -<%- unless ssl_mode.to_s == 'false' then -%> -<VirtualHost *:443> - Include include.d/defaults.inc - Include include.d/ssl_defaults.inc - - ServerName <%= servername %> - <%- unless serveralias.to_s.empty? then -%> - ServerAlias <%= serveralias %> - <%- end -%> - <%- unless server_admin.to_s.empty? 
or server_admin.to_s == 'absent' then -%> - ServerAdmin <%= server_admin %> - <%- end -%> - DocumentRoot <%= documentroot %>/ - - ErrorLog <%= logdir %>/error_log - CustomLog <%= logdir %>/access_log combined - <%- if run_mode.to_s == 'itk' -%> - <IfModule mpm_itk_module> - AssignUserId <%= run_uid+" "+run_gid %> - </IfModule> - <%- end -%> - <%- if default_charset.to_s != 'absent' then -%> - AddDefaultCharset <%= default_charset %> - <%- end -%> - <Directory "<%= documentroot %>/"> - AllowOverride <%= allow_override %> - <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> - Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> - - <%- end -%> - <%- unless htpasswd_file.to_s == 'absent' then -%> - AuthType Basic - AuthName "Access fuer <%= servername %>" - AuthUserFile <%= real_htpasswd_path %> - require valid-user - <%- end -%> - php_admin_flag engine on - <%- unless php_default_charset.to_s == 'absent' then -%> - php_admin_value default_charset <%= php_default_charset %> - <%- end -%> - php_admin_value open_basedir <%= documentroot %>:<%= real_php_upload_tmp_dir %>:<%= real_php_session_save_path %> - php_admin_value upload_tmp_dir <%= real_php_upload_tmp_dir %> - php_admin_value session.save_path <%= real_php_session_save_path %> - <%- unless php_safe_mode_exec_bins.to_s == 'absent' then -%> - php_admin_value safe_mode_exec_dir <%= real_php_safe_mode_exec_bin_dir %> - <%- end -%> - # turn allow_url_fopen on for the extension manager fetch - php_admin_value allow_url_fopen On - - # silverstripe .htaccess - <Files *.ss> - Order deny,allow - Deny from all - #Allow from 127.0.0.1 - </Files> - <IfModule mod_rewrite.c> - RewriteEngine On - #RewriteBase / - - RewriteCond %{REQUEST_URI} !(\.gif$)|(\.jpg$)|(\.png$)|(\.css$)|(\.js$) - - RewriteCond %{REQUEST_URI} ^(.*)$ - RewriteCond %{REQUEST_FILENAME} !-f - RewriteRule .* 
sapphire/main.php?url=%1&%{QUERY_STRING} [L] - </IfModule> - </Directory> - - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - # http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html - SecRuleRemoveById "960010" - </IfModule> - - <%- unless additional_options.to_s == 'absent' then -%> - <%= additional_options %> - <%- end -%> -</VirtualHost> -<%- end -%> diff --git a/templates/vhosts/php_simplemachine/CentOS.erb b/templates/vhosts/php_simplemachine/CentOS.erb deleted file mode 120000 index de3c614..0000000 --- a/templates/vhosts/php_simplemachine/CentOS.erb +++ /dev/null @@ -1 +0,0 @@ -php_simplemachine.erb
\ No newline at end of file
diff --git a/templates/vhosts/php_simplemachine/Debian.erb b/templates/vhosts/php_simplemachine/Debian.erb
deleted file mode 120000
index de3c614..0000000
--- a/templates/vhosts/php_simplemachine/Debian.erb
+++ /dev/null
@@ -1 +0,0 @@
-php_simplemachine.erb
\ No newline at end of file
diff --git a/templates/vhosts/php_simplemachine/php_simplemachine.erb b/templates/vhosts/php_simplemachine/php_simplemachine.erb
deleted file mode 100644
index ddb59ed..0000000
--- a/templates/vhosts/php_simplemachine/php_simplemachine.erb
+++ /dev/null
@@ -1,142 +0,0 @@ -# <%= servername %> -<%- unless ssl_mode.to_s == 'only' then -%> -<VirtualHost *:80> - Include include.d/defaults.inc - - ServerName <%= servername %> - <%- unless serveralias.to_s.empty? then -%> - ServerAlias <%= serveralias %> - <%- end -%> - <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> - ServerAdmin <%= server_admin %> - <%- end -%> - DocumentRoot <%= documentroot %>/ - - ErrorLog <%= logdir %>/error_log - CustomLog <%= logdir %>/access_log combined - <%- if ssl_mode.to_s == 'force' then -%> - Redirect permanent / https://<%= servername %>/ - <%- end -%> - <%- if default_charset.to_s != 'absent' then -%> - AddDefaultCharset <%= default_charset %> - <%- end -%> - <%- if run_mode.to_s == 'itk' -%> - <IfModule mpm_itk_module> - AssignUserId <%= run_uid+" "+run_gid %> - </IfModule> - <%- end -%> - <%- if not ssl_mode.to_s == 'force' then -%> - <Directory "<%= documentroot %>/"> - AllowOverride <%= allow_override %> - <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> - Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> - - <%- end -%> - <%- unless htpasswd_file.to_s == 'absent' then -%> - AuthType Basic - AuthName "Access fuer <%= servername %>" - AuthUserFile <%= real_htpasswd_path %> - require valid-user - <%- end -%> - php_admin_flag engine on - <%- unless php_default_charset.to_s == 'absent' then -%> - php_admin_value default_charset <%= php_default_charset %> - <%- end -%> - php_admin_value open_basedir <%= documentroot %>:<%= real_php_upload_tmp_dir %>:<%= real_php_session_save_path %> - php_admin_value upload_tmp_dir <%= real_php_upload_tmp_dir %> - php_admin_value session.save_path <%= real_php_session_save_path %> - </Directory> - <%- end -%> - - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if 
mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - </IfModule> - - <%- unless additional_options.to_s == 'absent' then -%> - <%= additional_options %> - <%- end -%> -</VirtualHost> -<%- end -%> - -<%- unless ssl_mode.to_s == 'false' then -%> -<VirtualHost *:443> - Include include.d/defaults.inc - Include include.d/ssl_defaults.inc - - ServerName <%= servername %> - <%- unless serveralias.to_s.empty? then -%> - ServerAlias <%= serveralias %> - <%- end -%> - <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> - ServerAdmin <%= server_admin %> - <%- end -%> - DocumentRoot <%= documentroot %>/ - - ErrorLog <%= logdir %>/error_log - CustomLog <%= logdir %>/access_log combined - <%- if run_mode.to_s == 'itk' -%> - <IfModule mpm_itk_module> - AssignUserId <%= run_uid+" "+run_gid %> - </IfModule> - <%- end -%> - <%- if default_charset.to_s != 'absent' then -%> - AddDefaultCharset <%= default_charset %> - <%- end -%> - <Directory "<%= documentroot %>/"> - AllowOverride <%= allow_override %> - <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> - Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> - - <%- end -%> - <%- unless htpasswd_file.to_s == 'absent' then -%> - AuthType Basic - AuthName "Access fuer <%= servername %>" - AuthUserFile <%= real_htpasswd_path %> - require valid-user - <%- end -%> - php_admin_flag engine on - <%- unless php_default_charset.to_s == 'absent' then -%> - php_admin_value default_charset <%= php_default_charset %> - <%- end -%> - php_admin_value open_basedir <%= 
documentroot %>:<%= real_php_upload_tmp_dir %>:<%= real_php_session_save_path %> - php_admin_value upload_tmp_dir <%= real_php_upload_tmp_dir %> - php_admin_value session.save_path <%= real_php_session_save_path %> - </Directory> - - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - </IfModule> - - <%- unless additional_options.to_s == 'absent' then -%> - <%= additional_options %> - <%- end -%> -</VirtualHost> -<%- end -%> diff --git a/templates/vhosts/php_spip/CentOS.erb b/templates/vhosts/php_spip/CentOS.erb deleted file mode 120000 index 1ca4aec..0000000 --- a/templates/vhosts/php_spip/CentOS.erb +++ /dev/null @@ -1 +0,0 @@ -php_spip.erb
\ No newline at end of file
diff --git a/templates/vhosts/php_spip/Debian.erb b/templates/vhosts/php_spip/Debian.erb
deleted file mode 120000
index 1ca4aec..0000000
--- a/templates/vhosts/php_spip/Debian.erb
+++ /dev/null
@@ -1 +0,0 @@
-php_spip.erb
\ No newline at end of file
diff --git a/templates/vhosts/php_spip/php_spip.erb b/templates/vhosts/php_spip/php_spip.erb
deleted file mode 100644
index 4a6c829..0000000
--- a/templates/vhosts/php_spip/php_spip.erb
+++ /dev/null
@@ -1,154 +0,0 @@ -# <%= servername %> -<%- unless ssl_mode.to_s == 'only' then -%> -<VirtualHost *:80> - Include include.d/defaults.inc - - ServerName <%= servername %> - <%- unless serveralias.to_s.empty? then -%> - ServerAlias <%= serveralias %> - <%- end -%> - <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> - ServerAdmin <%= server_admin %> - <%- end -%> - DocumentRoot <%= documentroot %>/ - - ErrorLog <%= logdir %>/error_log - CustomLog <%= logdir %>/access_log combined - <%- if ssl_mode.to_s == 'force' then -%> - Redirect permanent / https://<%= servername %>/ - <%- end -%> - <%- if default_charset.to_s != 'absent' then -%> - AddDefaultCharset <%= default_charset %> - <%- end -%> - <%- if run_mode.to_s == 'itk' -%> - <IfModule mpm_itk_module> - AssignUserId <%= run_uid+" "+run_gid %> - </IfModule> - <%- end -%> - <%- if not ssl_mode.to_s == 'force' then -%> - <Directory "<%= documentroot %>/"> - AllowOverride <%= allow_override %> - <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> - Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> - - <%- end -%> - <%- unless htpasswd_file.to_s == 'absent' then -%> - AuthType Basic - AuthName "Access fuer <%= servername %>" - AuthUserFile <%= real_htpasswd_path %> - require valid-user - <%- end -%> - php_admin_flag engine on - <%- if php_safe_mode.to_s == 'false' -%> - php_admin_flag safe_mode Off - <%- end -%> - <%- unless php_default_charset.to_s == 'absent' then -%> - php_admin_value default_charset <%= php_default_charset %> - <%- end -%> - php_admin_value open_basedir <%- if php_use_smarty.to_s == 'true' -%>/usr/share/php/Smarty/:<%- end -%><%- if php_use_pear.to_s == 'true' -%>/usr/share/pear/:<%- end -%><%= documentroot %>:<%= real_php_upload_tmp_dir %>:<%= real_php_session_save_path %> - php_admin_value upload_tmp_dir <%= 
real_php_upload_tmp_dir %> - php_admin_value session.save_path <%= real_php_session_save_path %> - <%- unless php_safe_mode_exec_bins.to_s == 'absent' then -%> - php_admin_value safe_mode_exec_dir <%= real_php_safe_mode_exec_bin_dir %> - <%- end -%> - </Directory> - <%- end -%> - - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - </IfModule> - - <%- unless additional_options.to_s == 'absent' then -%> - <%= additional_options %> - <%- end -%> -</VirtualHost> -<%- end -%> - -<%- unless ssl_mode.to_s == 'false' then -%> -<VirtualHost *:443> - Include include.d/defaults.inc - Include include.d/ssl_defaults.inc - - ServerName <%= servername %> - <%- unless serveralias.to_s.empty? then -%> - ServerAlias <%= serveralias %> - <%- end -%> - <%- unless server_admin.to_s.empty? 
or server_admin.to_s == 'absent' then -%> - ServerAdmin <%= server_admin %> - <%- end -%> - DocumentRoot <%= documentroot %>/ - - ErrorLog <%= logdir %>/error_log - CustomLog <%= logdir %>/access_log combined - <%- if run_mode.to_s == 'itk' -%> - <IfModule mpm_itk_module> - AssignUserId <%= run_uid+" "+run_gid %> - </IfModule> - <%- end -%> - <%- if default_charset.to_s != 'absent' then -%> - AddDefaultCharset <%= default_charset %> - <%- end -%> - <Directory "<%= documentroot %>/"> - AllowOverride <%= allow_override %> - <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> - Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> - - <%- end -%> - <%- unless htpasswd_file.to_s == 'absent' then -%> - AuthType Basic - AuthName "Access fuer <%= servername %>" - AuthUserFile <%= real_htpasswd_path %> - require valid-user - <%- end -%> - php_admin_flag engine on - <%- if php_safe_mode.to_s == 'false' -%> - php_admin_flag safe_mode Off - <%- end -%> - <%- unless php_default_charset.to_s == 'absent' then -%> - php_admin_value default_charset <%= php_default_charset %> - <%- end -%> - php_admin_value open_basedir <%- if php_use_smarty.to_s == 'true' -%>/usr/share/php/Smarty/:<%- end -%><%- if php_use_pear.to_s == 'true' -%>/usr/share/pear/:<%- end -%><%= documentroot %>:<%= real_php_upload_tmp_dir %>:<%= real_php_session_save_path %> - php_admin_value upload_tmp_dir <%= real_php_upload_tmp_dir %> - php_admin_value session.save_path <%= real_php_session_save_path %> - <%- unless php_safe_mode_exec_bins.to_s == 'absent' then -%> - php_admin_value safe_mode_exec_dir <%= real_php_safe_mode_exec_bin_dir %> - <%- end -%> - </Directory> - - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - 
SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - </IfModule> - - <%- unless additional_options.to_s == 'absent' then -%> - <%= additional_options %> - <%- end -%> -</VirtualHost> -<%- end -%> diff --git a/templates/vhosts/php_typo3/CentOS.erb b/templates/vhosts/php_typo3/CentOS.erb deleted file mode 120000 index 398f400..0000000 --- a/templates/vhosts/php_typo3/CentOS.erb +++ /dev/null @@ -1 +0,0 @@ -php_typo3.erb
\ No newline at end of file diff --git a/templates/vhosts/php_typo3/Debian.erb b/templates/vhosts/php_typo3/Debian.erb deleted file mode 120000 index 398f400..0000000 --- a/templates/vhosts/php_typo3/Debian.erb +++ /dev/null @@ -1 +0,0 @@ -php_typo3.erb
\ No newline at end of file
diff --git a/templates/vhosts/php_typo3/Debian.erb b/templates/vhosts/php_typo3/Debian.erb
deleted file mode 120000
index 398f400..0000000
--- a/templates/vhosts/php_typo3/Debian.erb
+++ /dev/null
@@ -1 +0,0 @@
-php_typo3.erb
diff --git a/templates/vhosts/php_typo3/partial.erb b/templates/vhosts/php_typo3/partial.erb
new file mode 100644
index 0000000..5c06570
--- /dev/null
+++ b/templates/vhosts/php_typo3/partial.erb
@@ -0,0 +1,10 @@
+<%= scope.function_template(['apache/vhosts/php/partial.erb']) %>
+ <Directory "<%= documentroot %>/typo3/">
+ RewriteEngine on
+
+ # Rewrite URLs to https that go for the admin area
+ RewriteCond %{REMOTE_ADDR} !^127\.[0-9]+\.[0-9]+\.[0-9]+$
+ RewriteCond %{HTTPS} !=on
+ RewriteCond %{REQUEST_URI} (.*/typo3/.*)
+ RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R]
+ </Directory>
diff --git a/templates/vhosts/php_typo3/php_typo3.erb b/templates/vhosts/php_typo3/php_typo3.erb
deleted file mode 100644
index fbdde07..0000000
--- a/templates/vhosts/php_typo3/php_typo3.erb
+++ /dev/null
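Review bot: The admin-area HTTPS redirect in the new php_typo3 partial skips every client whose REMOTE_ADDR matches 127.x.x.x, so when a local reverse proxy or tunnel sits in front of the vhost the /typo3/ backend is served over plain HTTP without ever being redirected; if the exemption is meant for a specific local client, a comment stating that would keep the next maintainer from widening it. The partial also drops the `<Location "/typo3"> SecRuleEngine Off`, `php_admin_value allow_url_fopen On` and `SecRuleRemoveById "960010"` settings that the deleted php_typo3.erb carried; removing the mod_security exemptions is the safer direction, but operators relying on allow_url_fopen for the extension manager will notice, so the removal belongs in the upgrade notice or a comment here. `[R]` without a status issues a temporary 302; `RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]` would make the redirect permanent and stop further rewrite processing in this directory.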
@@ -1,171 +0,0 @@ -# <%= servername %> -<%- unless ssl_mode.to_s == 'only' then -%> -<VirtualHost *:80> - Include include.d/defaults.inc - - ServerName <%= servername %> - <%- unless serveralias.to_s.empty? then -%> - ServerAlias <%= serveralias %> - <%- end -%> - <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> - ServerAdmin <%= server_admin %> - <%- end -%> - DocumentRoot <%= documentroot %>/ - - ErrorLog <%= logdir %>/error_log - CustomLog <%= logdir %>/access_log combined - <%- if ssl_mode.to_s == 'force' then -%> - Redirect permanent / https://<%= servername %>/ - <%- end -%> - <%- if default_charset.to_s != 'absent' then -%> - AddDefaultCharset <%= default_charset %> - <%- end -%> - <%- if run_mode.to_s == 'itk' -%> - <IfModule mpm_itk_module> - AssignUserId <%= run_uid+" "+run_gid %> - </IfModule> - <%- end -%> - <%- if not ssl_mode.to_s == 'force' then -%> - <Directory "<%= documentroot %>/"> - AllowOverride <%= allow_override %> - <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> - Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> - - <%- end -%> - <%- unless htpasswd_file.to_s == 'absent' then -%> - AuthType Basic - AuthName "Access fuer <%= servername %>" - AuthUserFile <%= real_htpasswd_path %> - require valid-user - <%- end -%> - php_admin_flag engine on - <%- unless php_default_charset.to_s == 'absent' then -%> - php_admin_value default_charset <%= php_default_charset %> - <%- end -%> - php_admin_value open_basedir <%= documentroot %>:<%= real_php_upload_tmp_dir %>:<%= real_php_session_save_path %> - php_admin_value upload_tmp_dir <%= real_php_upload_tmp_dir %> - php_admin_value session.save_path <%= real_php_session_save_path %> - <%- unless php_safe_mode_exec_bins.to_s == 'absent' then -%> - php_admin_value safe_mode_exec_dir <%= real_php_safe_mode_exec_bin_dir %> - <%- end 
-%> - </Directory> - <%- end -%> - - <Directory "<%= documentroot %>/typo3/"> - RewriteEngine on - - # Rewrite URLs to https that go for the admin area - RewriteCond %{REMOTE_ADDR} !^127\.[0-9]+\.[0-9]+\.[0-9]+$ - RewriteCond %{HTTPS} !=on - RewriteCond %{REQUEST_URI} (.*/typo3/.*) - RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R] - </Directory> - - - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - # http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html - SecRuleRemoveById "960010" - </IfModule> - - <%- unless additional_options.to_s == 'absent' then -%> - <%= additional_options %> - <%- end -%> -</VirtualHost> -<%- end -%> - -<%- unless ssl_mode.to_s == 'false' then -%> -<VirtualHost *:443> - Include include.d/defaults.inc - Include include.d/ssl_defaults.inc - - ServerName <%= servername %> - <%- unless serveralias.to_s.empty? then -%> - ServerAlias <%= serveralias %> - <%- end -%> - <%- unless server_admin.to_s.empty? 
or server_admin.to_s == 'absent' then -%> - ServerAdmin <%= server_admin %> - <%- end -%> - DocumentRoot <%= documentroot %>/ - - ErrorLog <%= logdir %>/error_log - CustomLog <%= logdir %>/access_log combined - <%- if run_mode.to_s == 'itk' -%> - <IfModule mpm_itk_module> - AssignUserId <%= run_uid+" "+run_gid %> - </IfModule> - <%- end -%> - <%- if default_charset.to_s != 'absent' then -%> - AddDefaultCharset <%= default_charset %> - <%- end -%> - <Directory "<%= documentroot %>/"> - AllowOverride <%= allow_override %> - <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> - Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> - - <%- end -%> - <%- unless htpasswd_file.to_s == 'absent' then -%> - AuthType Basic - AuthName "Access fuer <%= servername %>" - AuthUserFile <%= real_htpasswd_path %> - require valid-user - <%- end -%> - php_admin_flag engine on - <%- unless php_default_charset.to_s == 'absent' then -%> - php_admin_value default_charset <%= php_default_charset %> - <%- end -%> - php_admin_value open_basedir <%= documentroot %>:<%= real_php_upload_tmp_dir %>:<%= real_php_session_save_path %> - php_admin_value upload_tmp_dir <%= real_php_upload_tmp_dir %> - php_admin_value session.save_path <%= real_php_session_save_path %> - <%- unless php_safe_mode_exec_bins.to_s == 'absent' then -%> - php_admin_value safe_mode_exec_dir <%= real_php_safe_mode_exec_bin_dir %> - <%- end -%> - # turn allow_url_fopen on for the extension manager fetch - php_admin_value allow_url_fopen On - </Directory> - - <Location "/typo3"> - <IfModule mod_security2.c> - SecRuleEngine Off - </IfModule> - </Location> - - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - 
<%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - # http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html - SecRuleRemoveById "960010" - </IfModule> - - <%- unless additional_options.to_s == 'absent' then -%> - <%= additional_options %> - <%- end -%> -</VirtualHost> -<%- end -%> diff --git a/templates/vhosts/php_wordpress/CentOS.erb b/templates/vhosts/php_wordpress/CentOS.erb deleted file mode 120000 index 36dc938..0000000 --- a/templates/vhosts/php_wordpress/CentOS.erb +++ /dev/null @@ -1 +0,0 @@ -php_wordpress.erb
\ No newline at end of file diff --git a/templates/vhosts/php_wordpress/Debian.erb b/templates/vhosts/php_wordpress/Debian.erb deleted file mode 120000 index 36dc938..0000000 --- a/templates/vhosts/php_wordpress/Debian.erb +++ /dev/null @@ -1 +0,0 @@ -php_wordpress.erb
\ No newline at end of file
diff --git a/templates/vhosts/php_wordpress/Debian.erb b/templates/vhosts/php_wordpress/Debian.erb
deleted file mode 120000
index 36dc938..0000000
--- a/templates/vhosts/php_wordpress/Debian.erb
+++ /dev/null
@@ -1 +0,0 @@
-php_wordpress.erb
diff --git a/templates/vhosts/php_wordpress/partial.erb b/templates/vhosts/php_wordpress/partial.erb
new file mode 100644
index 0000000..972ab99
--- /dev/null
+++ b/templates/vhosts/php_wordpress/partial.erb
@@ -0,0 +1,6 @@
+<%= scope.function_template(['apache/vhosts/php/partial.erb']) %>
+
+# fixes: http://git.zx2c4.com/w3-total-fail/tree/w3-total-fail.sh
+<Directory "<%= documentroot %>/wp-content/w3tc/dbcache">
+ Deny From All
+</Directory>
diff --git a/templates/vhosts/php_wordpress/php_wordpress.erb b/templates/vhosts/php_wordpress/php_wordpress.erb
deleted file mode 100644
index 72f4907..0000000
--- a/templates/vhosts/php_wordpress/php_wordpress.erb
+++ /dev/null
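Review bot: `Deny From All` on the w3tc dbcache directory is Apache 2.2 access-control syntax; on Apache 2.4 it only takes effect while mod_access_compat is loaded, so the cache-disclosure fix the comment references silently stops working on a 2.4 host without that module. Adding the 2.4 form, `Require all denied`, alongside it (or selecting by module) keeps the block effective on both generations. The deleted php_wordpress.erb also disabled rules 960010 and 950018 with `SecRuleRemoveById`, and the partial drops those without a note; a comment in the partial or the upgrade notice would stop someone re-adding them blindly.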
@@ -1,146 +0,0 @@ -# <%= servername %> -<%- unless ssl_mode.to_s == 'only' then -%> -<VirtualHost *:80> - Include include.d/defaults.inc - - ServerName <%= servername %> - <%- unless serveralias.to_s.empty? then -%> - ServerAlias <%= serveralias %> - <%- end -%> - <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> - ServerAdmin <%= server_admin %> - <%- end -%> - DocumentRoot <%= documentroot %>/ - - ErrorLog <%= logdir %>/error_log - CustomLog <%= logdir %>/access_log combined - <%- if ssl_mode.to_s == 'force' then -%> - Redirect permanent / https://<%= servername %>/ - <%- end -%> - <%- if default_charset.to_s != 'absent' then -%> - AddDefaultCharset <%= default_charset %> - <%- end -%> - <%- if run_mode.to_s == 'itk' -%> - <IfModule mpm_itk_module> - AssignUserId <%= run_uid+" "+run_gid %> - </IfModule> - <%- end -%> - <%- if not ssl_mode.to_s == 'force' then -%> - <Directory "<%= documentroot %>/"> - AllowOverride <%= allow_override %> - <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> - Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> - - <%- end -%> - <%- unless htpasswd_file.to_s == 'absent' then -%> - AuthType Basic - AuthName "Access fuer <%= servername %>" - AuthUserFile <%= real_htpasswd_path %> - require valid-user - <%- end -%> - php_admin_flag engine on - <%- unless php_default_charset.to_s == 'absent' then -%> - php_admin_value default_charset <%= php_default_charset %> - <%- end -%> - php_admin_value open_basedir <%= documentroot %>:<%= real_php_upload_tmp_dir %>:<%= real_php_session_save_path %> - php_admin_value upload_tmp_dir <%= real_php_upload_tmp_dir %> - php_admin_value session.save_path <%= real_php_session_save_path %> - <%- unless php_safe_mode_exec_bins.to_s == 'absent' then -%> - php_admin_value safe_mode_exec_dir <%= real_php_safe_mode_exec_bin_dir %> - <%- end 
-%> - </Directory> - <%- end -%> - - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - SecAuditEngine On - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - # http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html - SecRuleRemoveById "960010" - SecRuleRemoveById "950018" - </IfModule> - - <%- unless additional_options.to_s == 'absent' then -%> - <%= additional_options %> - <%- end -%> -</VirtualHost> -<%- end -%> - -<%- unless ssl_mode.to_s == 'false' then -%> -<VirtualHost *:443> - Include include.d/defaults.inc - Include include.d/ssl_defaults.inc - - ServerName <%= servername %> - <%- unless serveralias.to_s.empty? then -%> - ServerAlias <%= serveralias %> - <%- end -%> - <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> - ServerAdmin <%= server_admin %> - <%- end -%> - DocumentRoot <%= documentroot %>/ - - ErrorLog <%= logdir %>/error_log - CustomLog <%= logdir %>/access_log combined - <%- if run_mode.to_s == 'itk' -%> - <IfModule mpm_itk_module> - AssignUserId <%= run_uid+" "+run_gid %> - </IfModule> - <%- end -%> - <%- if default_charset.to_s != 'absent' then -%> - AddDefaultCharset <%= default_charset %> - <%- end -%> - <Directory "<%= documentroot %>/"> - AllowOverride <%= allow_override %> - <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> - Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> - - <%- end -%> - <%- unless htpasswd_file.to_s == 'absent' then -%> - AuthType Basic - AuthName "Access fuer <%= servername %>" - AuthUserFile <%= real_htpasswd_path %> - require valid-user - <%- end -%> - php_admin_flag engine on - <%- 
unless php_default_charset.to_s == 'absent' then -%> - php_admin_value default_charset <%= php_default_charset %> - <%- end -%> - php_admin_value open_basedir <%= documentroot %>:<%= real_php_upload_tmp_dir %>:<%= real_php_session_save_path %> - php_admin_value upload_tmp_dir <%= real_php_upload_tmp_dir %> - php_admin_value session.save_path <%= real_php_session_save_path %> - <%- unless php_safe_mode_exec_bins.to_s == 'absent' then -%> - php_admin_value safe_mode_exec_dir <%= real_php_safe_mode_exec_bin_dir %> - <%- end -%> - </Directory> - - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - SecAuditEngine On - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - # http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html - SecRuleRemoveById "960010" - SecRuleRemoveById "950018" - </IfModule> - - <%- unless additional_options.to_s == 'absent' then -%> - <%= additional_options %> - <%- end -%> -</VirtualHost> -<%- end -%> diff --git a/templates/vhosts/proxy/partial.erb b/templates/vhosts/proxy/partial.erb new file mode 100644 index 0000000..bbf3c64 --- /dev/null +++ b/templates/vhosts/proxy/partial.erb @@ -0,0 +1,8 @@ + <Proxy *> + Order deny,allow + Allow from all +<%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %> + </Proxy> + ProxyRequests Off + ProxyPass / <%= options %>/ + ProxyPassReverse / <%= options %>/ diff --git a/templates/vhosts/redirect/CentOS.erb b/templates/vhosts/redirect/CentOS.erb deleted file mode 120000 index 12a8583..0000000 --- a/templates/vhosts/redirect/CentOS.erb +++ /dev/null @@ -1 +0,0 @@ -redirect.erb
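Review bot: `ProxyPass / <%= options %>/` in the new proxy partial reuses the generic `options` parameter as the backend URL with no guard, while the static and webdav partials test `options.to_s != 'absent'` before using it; with the module's default the template renders `ProxyPass / absent/`, which is not a usable backend target and leaves the vhost broken until configtest. Wrapping the two ProxyPass lines in `<%- unless options.to_s == 'absent' -%> ... <%- end -%>`, or a comment at the top stating that options must hold the backend URL for this vhost type, would make the contract explicit. Keeping `ProxyRequests Off` next to `<Proxy *>` is the right call since it stops the vhost from acting as a forward proxy; a one-line comment saying why would protect it from a future cleanup.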
\ No newline at end of file diff --git a/templates/vhosts/redirect/Debian.erb b/templates/vhosts/redirect/Debian.erb deleted file mode 120000 index 12a8583..0000000 --- a/templates/vhosts/redirect/Debian.erb +++ /dev/null @@ -1 +0,0 @@ -redirect.erb
\ No newline at end of file diff --git a/templates/vhosts/redirect/OpenBSD.erb b/templates/vhosts/redirect/OpenBSD.erb deleted file mode 120000 index 12a8583..0000000 --- a/templates/vhosts/redirect/OpenBSD.erb +++ /dev/null @@ -1 +0,0 @@ -redirect.erb
\ No newline at end of file
diff --git a/templates/vhosts/redirect/partial.erb b/templates/vhosts/redirect/partial.erb
new file mode 100644
index 0000000..3b7af7a
--- /dev/null
+++ b/templates/vhosts/redirect/partial.erb
@@ -0,0 +1 @@
+ Redirect permanent / https://<%= options %>
diff --git a/templates/vhosts/redirect/redirect.erb b/templates/vhosts/redirect/redirect.erb
deleted file mode 100644
index 4fdd8c2..0000000
--- a/templates/vhosts/redirect/redirect.erb
+++ /dev/null
@@ -1,41 +0,0 @@
-# <%= servername %>
-<%- unless ssl_mode.to_s == 'only' then -%>
-<VirtualHost *:80>
- Include include.d/defaults.inc
- ServerName <%= servername %>
- <%- unless serveralias.to_s.empty? then -%>
- ServerAlias <%= serveralias %>
- <%- end -%>
- <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%>
- ServerAdmin <%= server_admin %>
- <%- end -%>
-
- ErrorLog logs/redirect_<%= servername %>_error.log
- CustomLog logs/redirect_<%= servername %>_access.log combined
- <%- if ssl_mode.to_s == 'force' then -%>
- Redirect permanent / https://<%= servername %>/
- <% else -%>
- Redirect permanent / http://<%= options %>
- <%- end -%>
-</VirtualHost>
-<%- end -%>
-
-<%- unless ssl_mode.to_s == 'false' then -%>
-<VirtualHost *:443>
- Include include.d/defaults.inc
- Include include.d/ssl_defaults.inc
- ServerName <%= servername %>
- <%- unless serveralias.to_s.empty? then -%>
- ServerAlias <%= serveralias %>
- <%- end -%>
- <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%>
- ServerAdmin <%= server_admin %>
- <%- end -%>
-
- ErrorLog logs/redirect_<%= servername %>_error.log
- CustomLog logs/redirect_<%= servername %>_access.log combined
-
- Redirect permanent / https://<%= options %>
-
-</VirtualHost>
-<%- end -%>
diff --git a/templates/vhosts/static/CentOS.erb b/templates/vhosts/static/CentOS.erb
deleted file mode 120000
index f10517f..0000000
--- a/templates/vhosts/static/CentOS.erb
+++ /dev/null
@@ -1 +0,0 @@
-static.erb
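Review bot: The new redirect partial always emits `https://<%= options %>`, whereas the deleted redirect.erb sent the :80 vhost to `http://<%= options %>` unless ssl_mode was 'force'; if the wrapper includes this partial in the plain-HTTP vhost, redirect targets that are only served over http are no longer reachable through a redirect vhost. Always-https is a sensible hardening, but it is a behaviour change for existing users and belongs in the upgrade notice; a comment in the partial, `# redirect targets are always https, regardless of ssl_mode`, would record the intent next to the directive.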
\ No newline at end of file diff --git a/templates/vhosts/static/Debian.erb b/templates/vhosts/static/Debian.erb deleted file mode 120000 index f10517f..0000000 --- a/templates/vhosts/static/Debian.erb +++ /dev/null @@ -1 +0,0 @@ -static.erb
\ No newline at end of file diff --git a/templates/vhosts/static/OpenBSD.erb b/templates/vhosts/static/OpenBSD.erb deleted file mode 120000 index f10517f..0000000 --- a/templates/vhosts/static/OpenBSD.erb +++ /dev/null @@ -1 +0,0 @@ -static.erb
\ No newline at end of file
diff --git a/templates/vhosts/static/partial.erb b/templates/vhosts/static/partial.erb
new file mode 100644
index 0000000..f2cc46b
--- /dev/null
+++ b/templates/vhosts/static/partial.erb
@@ -0,0 +1,5 @@
+ <Directory "<%= documentroot %>/">
+<%= scope.function_template(['apache/vhosts/partials/std_override_options.erb']) %>
+
+<%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %>
+ </Directory>
diff --git a/templates/vhosts/static/static.erb b/templates/vhosts/static/static.erb
deleted file mode 100644
index 05354d6..0000000
--- a/templates/vhosts/static/static.erb
+++ /dev/null
@@ -1,120 +0,0 @@ -# <%= servername %> -<%- unless ssl_mode.to_s == 'only' then -%> -<VirtualHost *:80> - Include include.d/defaults.inc - ServerName <%= servername %> - <%- unless serveralias.to_s.empty? then -%> - ServerAlias <%= serveralias %> - <%- end -%> - <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> - ServerAdmin <%= server_admin %> - <%- end -%> - DocumentRoot <%= documentroot %>/ - - ErrorLog <%= logdir %>/error_log - CustomLog <%= logdir %>/access_log combined - <%- if default_charset.to_s != 'absent' then -%> - AddDefaultCharset <%= default_charset %> - <%- end -%> - <%- if ssl_mode.to_s == 'force' then -%> - Redirect permanent / https://<%= servername %>/ - <%- end -%> - - <%- if not ssl_mode.to_s == 'force' then -%> - <Directory "<%= documentroot %>/"> - AllowOverride <%= allow_override %> - <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> - Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> - - <%- end -%> - <%- unless htpasswd_file.to_s == 'absent' then -%> - AuthType Basic - AuthName "Access fuer <%= servername %>" - AuthUserFile <%= real_htpasswd_path %> - require valid-user - <%- end -%> - </Directory> - <%- end -%> - - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - </IfModule> - - <%- unless additional_options.to_s == 'absent' then -%> - <%= additional_options %> - <%- end -%> -</VirtualHost> -<%- end -%> - -<%- unless ssl_mode.to_s == 'false' then 
-%> -<VirtualHost *:443> - Include include.d/defaults.inc - Include include.d/ssl_defaults.inc - ServerName <%= servername %> - <%- unless serveralias.to_s.empty? then -%> - ServerAlias <%= serveralias %> - <%- end -%> - <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> - ServerAdmin <%= server_admin %> - <%- end -%> - DocumentRoot <%= documentroot %>/ - - ErrorLog <%= logdir %>/error_log - CustomLog <%= logdir %>/access_log combined - <%- if default_charset.to_s != 'absent' then -%> - AddDefaultCharset <%= default_charset %> - <%- end -%> - - <%- if options.to_s != 'absent' or htpasswd_file.to_s != 'absent' then -%> - <Directory "<%= documentroot %>/"> - AllowOverride <%= allow_override %> - <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> - Options <%= options %><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%> - - <%- end -%> - <%- unless htpasswd_file.to_s == 'absent' then -%> - AuthType Basic - AuthName "Access fuer <%= servername %>" - AuthUserFile <%= real_htpasswd_path %> - require valid-user - <%- end -%> - </Directory> - <%- end %> - - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - </IfModule> - - <%- unless additional_options.to_s == 'absent' then -%> - <%= additional_options %> - <%- end -%> -</VirtualHost> -<%- end -%> diff --git a/templates/vhosts/webdav/CentOS.erb b/templates/vhosts/webdav/CentOS.erb deleted file mode 120000 index 872843a..0000000 --- a/templates/vhosts/webdav/CentOS.erb +++ /dev/null @@ -1 +0,0 @@ -webdav.erb
\ No newline at end of file diff --git a/templates/vhosts/webdav/Debian.erb b/templates/vhosts/webdav/Debian.erb deleted file mode 120000 index 872843a..0000000 --- a/templates/vhosts/webdav/Debian.erb +++ /dev/null @@ -1 +0,0 @@ -webdav.erb
\ No newline at end of file
diff --git a/templates/vhosts/webdav/partial.erb b/templates/vhosts/webdav/partial.erb
new file mode 100644
index 0000000..d89da50
--- /dev/null
+++ b/templates/vhosts/webdav/partial.erb
@@ -0,0 +1,21 @@
+ DAVLockDB <%= real_dav_db_dir %>/DAVLock
+ <Directory "<%= documentroot %>/">
+ Dav on
+ AllowOverride None
+ <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%>
+ Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- unless options.include?('Indexes') then -%> Indexes<%- end -%>
+
+ <%- else -%>
+ Options Indexes
+
+ <%- end -%>
+<%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %>
+ <%- if ldap_auth.to_s == 'true' then -%>
+ Include include.d/ldap_auth.inc
+ <%- unless ldap_user.to_s == 'any' -%>
+ Require ldap-user <%= ldap_user.to_s %>
+ <%- else -%>
+ Require valid-user
+ <%- end -%>
+ <%- end -%>
+ </Directory>
diff --git a/templates/vhosts/webdav/webdav.erb b/templates/vhosts/webdav/webdav.erb
deleted file mode 100644
index e24cb31..0000000
--- a/templates/vhosts/webdav/webdav.erb
+++ /dev/null
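Review bot: `Dav on` inside the document-root `<Directory>` of the new webdav partial enables the write methods (PUT, DELETE, MKCOL, MOVE) for every client, and nothing in the partial restricts them unless the `ldap_auth` branch is taken; authentication.erb is outside this diff, but judging from the deleted webdav.erb the htpasswd block is only emitted when htpasswd_file is set, so with both left at their defaults the share is writable anonymously. A comment at the top, `# NOTE: with neither htpasswd_file nor ldap_auth set, this DAV share accepts anonymous writes`, or a fallback `Require` in an else branch, would make that default explicit instead of implicit. The partial also appends `Indexes` unconditionally, so directory listings are on for every DAV vhost whatever `options` says; that matches the deleted template but deserves a one-line comment as well.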
@@ -1,157 +0,0 @@ -# <%= servername %> -<%- unless ssl_mode.to_s == 'only' then -%> -<VirtualHost *:80> - Include include.d/defaults.inc - - ServerName <%= servername %> - <%- unless serveralias.to_s.empty? then -%> - ServerAlias <%= serveralias %> - <%- end -%> - <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> - ServerAdmin <%= server_admin %> - <%- end -%> - DocumentRoot <%= documentroot %>/ - - ErrorLog <%= logdir %>/error_log - CustomLog <%= logdir %>/access_log combined - <%- if ssl_mode.to_s == 'force' then -%> - Redirect permanent / https://<%= servername %>/ - <%- end -%> - <%- if default_charset.to_s != 'absent' then -%> - AddDefaultCharset <%= default_charset %> - <%- end -%> - <%- if run_mode.to_s == 'itk' -%> - <IfModule mpm_itk_module> - AssignUserId <%= run_uid+" "+run_gid %> - </IfModule> - <%- end -%> - <%- if not ssl_mode.to_s == 'force' then -%> - DAVLockDB <%= real_dav_db_dir %>/DAVLock - <Directory "<%= documentroot %>/"> - Dav on - AllowOverride None - <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> - Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- unless options.include?('Indexes') then -%> Indexes<%- end -%> - - <%- else -%> - Options Indexes - - <%- end -%> - <%- unless htpasswd_file.to_s == 'absent' then -%> - AuthType Basic - AuthName "Access fuer <%= servername %>" - AuthUserFile <%= real_htpasswd_path %> - require valid-user - <%- end -%> - <%- if ldap_auth.to_s == 'true' then -%> - Include include.d/ldap_auth.inc - <%- unless ldap_user.to_s == 'any' -%> - Require ldap-user <%= ldap_user.to_s %> - <%- else -%> - Require valid-user - <%- end -%> - <%- end -%> - </Directory> - <%- end -%> - - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - 
SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - </IfModule> - - <%- unless additional_options.to_s == 'absent' then -%> - <%= additional_options %> - <%- end -%> -</VirtualHost> -<%- end -%> - -<%- unless ssl_mode.to_s == 'false' then -%> -<VirtualHost *:443> - Include include.d/defaults.inc - Include include.d/ssl_defaults.inc - - ServerName <%= servername %> - <%- unless serveralias.to_s.empty? then -%> - ServerAlias <%= serveralias %> - <%- end -%> - <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%> - ServerAdmin <%= server_admin %> - <%- end -%> - DocumentRoot <%= documentroot %>/ - - ErrorLog <%= logdir %>/error_log - CustomLog <%= logdir %>/access_log combined - <%- if default_charset.to_s != 'absent' then -%> - AddDefaultCharset <%= default_charset %> - <%- end -%> - <%- if run_mode.to_s == 'itk' -%> - <IfModule mpm_itk_module> - AssignUserId <%= run_uid+" "+run_gid %> - </IfModule> - <%- end -%> - <%- if default_charset.to_s != 'absent' then -%> - AddDefaultCharset <%= default_charset %> - <%- end -%> - DAVLockDB <%= real_dav_db_dir %>/DAVLock - <Directory "<%= documentroot %>/"> - Dav on - AllowOverride None - <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> - Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- unless options.include?('Indexes') then -%> Indexes<%- end -%> - - <%- else -%> - Options Indexes - - <%- end -%> - <%- unless htpasswd_file.to_s == 'absent' then -%> - AuthType Basic - AuthName "Access fuer <%= servername %>" - AuthUserFile <%= real_htpasswd_path %> - require valid-user - <%- end -%> - <%- if ldap_auth.to_s == 'true' then -%> - Include include.d/ldap_auth.inc - <%- unless ldap_user.to_s == 'any' -%> - Require ldap-user <%= ldap_user.to_s %> - <%- else -%> - Require valid-user - <%- end -%> - <%- end 
-%> - </Directory> - - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - </IfModule> - - <%- unless additional_options.to_s == 'absent' then -%> - <%= additional_options %> - <%- end -%> -</VirtualHost> -<%- end -%> |