Diffstat (limited to 'manifests')
69 files changed, 1842 insertions, 927 deletions
diff --git a/manifests/base.pp b/manifests/base.pp
index 984dc32..35fc42e 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
@@ -1,49 +1,62 @@ +# setup base apache class class apache::base { - file{'vhosts_dir': - path => '/etc/apache2/vhosts.d', - ensure => directory, - owner => root, group => 0, mode => 0755; - } - file{'config_dir': - path => '/etc/apache2/conf.d', - ensure => directory, - owner => root, group => 0, mode => 0755; - } - file{'include_dir': - path => '/etc/apache2/include.d', - ensure => directory, - owner => root, group => 0, mode => 0755; - } - file{'modules_dir': - path => '/etc/apache2/modules.d', - ensure => directory, - owner => root, group => 0, mode => 0755; - } - file{'htpasswd_dir': - path => '/var/www/htpasswds', - ensure => directory, - owner => root, group => apache, mode => 0640; - } - file{'web_dir': - path => '/var/www', - ensure => directory, - owner => root, group => 0, mode => 0755; - } - service { apache: - name => 'apache2', - enable => true, - ensure => running, - } - file { 'default_apache_index': - path => '/var/www/localhost/htdocs/index.html', - ensure => file, - content => template('apache/default/default_index.erb'), - owner => root, group => 0, mode => 0644; - } + file{ + 'vhosts_dir': + ensure => directory, + path => '/etc/apache2/vhosts.d', + owner => root, + group => 0, + mode => '0644'; + 'config_dir': + ensure => directory, + path => '/etc/apache2/conf.d', + owner => root, + group => 0, + mode => '0644'; + 'include_dir': + ensure => directory, + path => '/etc/apache2/include.d', + owner => root, + group => 0, + mode => '0644'; + 'modules_dir': + ensure => directory, + path => '/etc/apache2/modules.d', + owner => root, + group => 0, + mode => '0644'; + 'htpasswd_dir': + ensure => directory, + path => '/var/www/htpasswds', + owner => root, + group => 'apache', + mode => '0640'; + 'web_dir': + ensure => directory, + path => '/var/www', + owner => root, + group => 0, + mode => '0644'; + 'default_apache_index': + path => '/var/www/localhost/htdocs/index.html', + content => template('apache/default/default_index.erb'), + owner => root, + 
group => 0, + mode => '0644'; + } + anchor{'apache::basic_dirs::ready': + require => File['vhosts_dir','config_dir','include_dir','modules_dir','htpasswd_dir','web_dir','default_apache_index'] + } apache::config::include{ 'defaults.inc': } apache::config::global{ 'git.conf': } - if !$apache_no_default_site { + if !$apache::no_default_site { apache::vhost::file { '0-default': } } + + service{'apache': + ensure => running, + name => 'apache2', + enable => true, + } } diff --git a/manifests/centos.pp b/manifests/centos.pp index cb47adc..caf46ce 100644 --- a/manifests/centos.pp +++ b/manifests/centos.pp 
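Review bot: The new `mode => '0644'` on `vhosts_dir`, `config_dir`, `include_dir`, `modules_dir` and `web_dir` drops the execute bit that the old `0755` carried, and a directory without `x` cannot be traversed, so the non-root httpd workers lose access to `/var/www` and the config subdirectories. `mode => '0755';` on those five entries is almost certainly what was meant, and is the form the `defaultphpdirs.pp` hunk in this commit uses for its directories. The same question applies to `htpasswd_dir` at `0640` with group `apache`, which this commit leaves as it was but which likewise gives the group no traverse permission; worth confirming that the htpasswd files are actually reachable by the worker.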
@@ -6,36 +6,76 @@ class apache::centos inherits apache::package { name => 'httpd', } Service[apache]{ - name => 'httpd', + name => 'httpd', restart => '/etc/init.d/httpd graceful', } File[vhosts_dir]{ - path => "$config_dir/vhosts.d", + path => "${config_dir}/vhosts.d", } File[config_dir]{ - path => "$config_dir/conf.d", + path => "${config_dir}/conf.d", } File[include_dir]{ - path => "$config_dir/include.d", + path => "${config_dir}/include.d", } File[modules_dir]{ - path => "$config_dir/modules.d", + path => "${config_dir}/modules.d", } File[web_dir]{ - path => "/var/www/vhosts", + path => '/var/www/vhosts', } File[default_apache_index]{ path => '/var/www/html/index.html', } + if $::selinux != 'false' { + Selinux::Fcontext{ + before => File[web_dir], + } + $seltype_rw = $::lsbmajdistrelease ? { + 5 => 'httpd_sys_script_rw_t', + default => 'httpd_sys_rw_content_t' + } + selinux::fcontext{ + [ '/var/www/vhosts/[^/]*/www(/.*)?', + '/var/www/vhosts/[^/]*/non_public(/.*)?', + '/var/www/vhosts/[^/]*/g2data(/.*)?', + '/var/www/vhosts/[^/]*/upload(/.*)?' 
]: + require => Package['apache'], + setype => $seltype_rw; + '/var/www/vhosts/[^/]*/logs(/.*)?': + require => Package['apache'], + setype => 'httpd_log_t'; + } + } file{'apache_service_config': - path => '/etc/sysconfig/httpd', - source => [ "puppet://$server/modules/site-apache/service/CentOS/${fqdn}/httpd", - "puppet://$server/modules/site-apache/service/CentOS/httpd", - "puppet://$server/modules/apache/service/CentOS/httpd" ], + path => '/etc/sysconfig/httpd', + source => [ "puppet:///modules/site_apache/service/CentOS/${::fqdn}/httpd", + 'puppet:///modules/site_apache/service/CentOS/httpd', + 'puppet:///modules/apache/service/CentOS/httpd' ], + require => Package['apache'], + notify => Service['apache'], + owner => root, + group => 0, + mode => '0644'; + } + + # this is for later fixes + exec{ + 'adjust_pidfile': + command => 'sed -i "s/^#PidFile \(.*\)/PidFile \1/g" /etc/httpd/conf/httpd.conf', + unless => 'grep -qE \'^PidFile \' /etc/httpd/conf/httpd.conf', + require => Package['apache'], + notify => Service['apache']; + 'adjust_listen': + command => 'sed -i "s/^#Listen 80/Listen 80/g" /etc/httpd/conf/httpd.conf', + unless => 'grep -qE \'^Listen 80\' /etc/httpd/conf/httpd.conf', require => Package['apache'], - notify => Service['apache'], - owner => root, group => 0, mode => 0644; + notify => Service['apache']; + } + + apache::config::global{'00-listen.conf': + ensure => absent, } include apache::logrotate::centos diff --git a/manifests/centos/itk.pp b/manifests/centos/itk.pp index 94f0f1c..20f4270 100644 --- a/manifests/centos/itk.pp +++ b/manifests/centos/itk.pp 
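Review bot: The two new `exec` resources `adjust_pidfile` and `adjust_listen` run bare `sed` and `grep` with no `path` parameter, and Puppet rejects an unqualified `command`/`unless` unless a `path` is supplied or an `Exec` resource default sets one; unless such a default exists outside this module, add `path => '/bin:/usr/bin',` to both. The comment `# this is for later fixes` does not say what the edits are for; from the `itk_plus.pp` hunk it looks like they normalise `PidFile`/`Listen` in `httpd.conf` so that the itk_plus classes can flip them, and a comment saying exactly that would help, e.g. `# uncomment PidFile/Listen in httpd.conf; apache::centos::itk_plus inverts these`.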
@@ -5,8 +5,6 @@ class apache::centos::itk inherits apache::centos { name => 'httpd-itk', } File['apache_service_config']{ - source => [ "puppet://$server/modules/site-apache/service/CentOS/${fqdn}/httpd.itk", - "puppet://$server/modules/site-apache/service/CentOS/httpd.itk", - "puppet://$server/modules/apache/service/CentOS/httpd.itk" ], + source => "puppet:///modules/apache/service/${::operatingsystem}/httpd.itk" } } diff --git a/manifests/centos/itk_plus.pp b/manifests/centos/itk_plus.pp new file mode 100644 index 0000000..0df92c8 --- /dev/null +++ b/manifests/centos/itk_plus.pp @@ -0,0 +1,20 @@ +# http://hostby.net/home/2008/07/12/centos-5-and-mpm-itk/ +class apache::centos::itk_plus inherits apache::centos::itk { + Exec['adjust_pidfile']{ + command => "sed -i 's/^PidFile \\(.*\\)/#PidFile \\1/g' /etc/httpd/conf/httpd.conf", + unless => "grep -qE '^#PidFile ' /etc/httpd/conf/httpd.conf", + } + Exec['adjust_listen']{ + command => "sed -i 's/^Listen 80/#Listen 80/g' /etc/httpd/conf/httpd.conf", + unless => "grep -qE '^#Listen 80' /etc/httpd/conf/httpd.conf", + } + + Apache::Config::Global['00-listen.conf']{ + ensure => 'present', + content => template("apache/itk_plus/${::operatingsystem}/00-listen.conf.erb"), + } + + File['apache_service_config']{ + source => "puppet:///modules/apache/service/CentOS/httpd.itk_plus" + } +} diff --git a/manifests/centos/module.pp b/manifests/centos/module.pp index 4bbf251..3220d1f 100644 --- a/manifests/centos/module.pp +++ b/manifests/centos/module.pp 
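Review bot: `File['apache_service_config']` in `apache::centos::itk` is reduced to a single module-only source, while the parent's `apache_service_config` in the `centos.pp` hunk keeps a `site_apache` → module fallback list; any site that shipped a per-host or site-wide `httpd.itk` under `site_apache` silently stops being used. If that is intentional, a one-line comment stating that the itk sysconfig is module-only would avoid the surprise; otherwise keep the list in the new URL form, `source => [ "puppet:///modules/site_apache/service/CentOS/${::fqdn}/httpd.itk", 'puppet:///modules/site_apache/service/CentOS/httpd.itk', "puppet:///modules/apache/service/${::operatingsystem}/httpd.itk" ]`.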
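Review bot: `apache::centos::itk_plus` overrides `File['apache_service_config']` with a hard-coded `CentOS` path segment, whereas the `itk.pp` and `worker.pp` hunks in this commit use `${::operatingsystem}`; `source => "puppet:///modules/apache/service/${::operatingsystem}/httpd.itk_plus"` keeps the three consistent. The class carries only a URL as its header comment; a sentence saying that it re-comments `PidFile`/`Listen` in `httpd.conf` and moves the listen directives into the managed `00-listen.conf` would explain why the two `Exec` overrides invert their parent's `sed`/`unless` pairs.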
@@ -3,20 +3,20 @@ define apache::centos::module( $source = '', $destination = '' ){ - $modules_dir = "$apache::centos::config_dir/modules.d" + $modules_dir = "${apache::centos::config_dir}/modules.d" $real_destination = $destination ? { '' => "${modules_dir}/${name}.so", default => $destination, } $real_source = $source ? { '' => [ - "puppet://$server/modules/site-apache/modules.d/${fqdn}/${name}.so", - "puppet://$server/modules/site-apache/modules.d/${apache_cluster_node}/${name}.so", - "puppet://$server/modules/site-apache/modules.d/${name}.so", - "puppet://$server/modules/apache/modules.d/${operatingsystem}/${name}.so", - "puppet://$server/modules/apache/modules.d/${name}.so" + "puppet:///modules/site_apache/modules.d/${::fqdn}/${name}.so", + "puppet:///modules/site_apache/modules.d/${apache::cluster_node}/${name}.so", + "puppet:///modules/site_apache/modules.d/${name}.so", + "puppet:///modules/apache/modules.d/${::operatingsystem}/${name}.so", + "puppet:///modules/apache/modules.d/${name}.so" ], - default => "puppet://$server/$source", + default => "puppet:///$source", } file{"modules_${name}.conf": ensure => $ensure, diff --git a/manifests/centos/worker.pp b/manifests/centos/worker.pp new file mode 100644 index 0000000..f374bb7 --- /dev/null +++ b/manifests/centos/worker.pp @@ -0,0 +1,5 @@ +class apache::centos::worker inherits apache::centos { + File['apache_service_config']{ + source => "puppet:///modules/apache/service/${::operatingsystem}/httpd.worker" + } +} diff --git a/manifests/config/file.pp b/manifests/config/file.pp index e04b631..308da68 100644 --- a/manifests/config/file.pp +++ b/manifests/config/file.pp 
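Review bot: `default => "puppet:///$source"` interpolates an unbraced variable inside a string; the rest of this commit (and puppet-lint) use the braced form, so `default => "puppet:///${source}",` is the consistent spelling. The identical line appears in the `gentoo/module.pp` hunk. The body of `apache::centos::module` continues past the end of this hunk.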
@@ -14,7 +14,7 @@ define apache::config::file( default: { fail("Wrong config file type specified for ${name}") } } $real_destination = $destination ? { - 'absent' => $operatingsystem ? { + 'absent' => $::operatingsystem ? { centos => "${apache::centos::config_dir}/${confdir}/${name}", gentoo => "${apache::gentoo::config_dir}/${name}", debian => "${apache::debian::config_dir}/${confdir}/${name}", @@ -30,16 +30,24 @@ define apache::config::file( notify => Service[apache], owner => root, group => 0, mode => 0644; } - - case $ensure { - 'absent','purged': { - # We want to avoid all stuff related to source and content - } - 'link': { - if $target != false { - File["apache_${name}"] { - target => $target, - } + if $ensure == 'present' { + case $content { + 'absent': { + $real_source = $source ? { + 'absent' => [ + "puppet:///modules/site_apache/${confdir}/${::fqdn}/${name}", + "puppet:///modules/site_apache/${confdir}/${apache::cluster_node}/${name}", + "puppet:///modules/site_apache/${confdir}/${::operatingsystem}.${::lsbdistcodename}/${name}", + "puppet:///modules/site_apache/${confdir}/${::operatingsystem}/${name}", + "puppet:///modules/site_apache/${confdir}/${name}", + "puppet:///modules/apache/${confdir}/${::operatingsystem}.${::lsbdistcodename}/${name}", + "puppet:///modules/apache/${confdir}/${::operatingsystem}/${name}", + "puppet:///modules/apache/${confdir}/${name}" + ], + default => $source + } + File["apache_${name}"]{ + source => $real_source, } } default: { @@ -69,10 +77,11 @@ define apache::config::file( } } } + } } - case $operatingsystem { - openbsd: { info("no package dependency on ${operatingsystem} for ${name}") } + case $::operatingsystem { + openbsd: { info("no package dependency on ${::operatingsystem} for ${name}") } default: { File["apache_${name}"]{ require => Package[apache], diff --git a/manifests/debian.pp b/manifests/debian.pp index e07920f..d009e25 100644 --- a/manifests/debian.pp +++ b/manifests/debian.pp 
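Review bot: The second hunk replaces the `case $ensure` block, and with it the `'link'` branch that applied `target => $target` to `File["apache_${name}"]`, with `if $ensure == 'present'`; as far as the hunk shows, callers passing `ensure => link` would now get a file resource with no `target`. If the link handling moved to a part of the define outside the hunk, a short comment at the new `if` pointing there would help; otherwise the `'link'` branch needs to return beside the new block. The define's body continues outside all three hunks.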
@@ -3,7 +3,7 @@ class apache::debian inherits apache::package { $config_dir = '/etc/apache2' Package[apache] { - name => 'apache2', + name => 'apache2', } File[vhosts_dir] { path => "${config_dir}/sites-enabled", 
@@ -12,28 +12,33 @@ class apache::debian inherits apache::package { path => "${config_dir}/mods-enabled", } File[htpasswd_dir] { - path => "/var/www/htpasswds", - group => 'www-data', + path => '/var/www/htpasswds', + group => 'www-data', } File[default_apache_index] { path => '/var/www/index.html', } file { 'apache_main_config': - path => "${config_dir}/apache2.conf", - source => [ "puppet://$server/modules/site-apache/config/Debian.${lsbdistcodename}/${fqdn}/apache2.conf", - "puppet://$server/modules/site-apache/config/Debian/{$fqdn}/apache2.conf", - "puppet://$server/modules/site-apache/config/Debian.${lsbdistcodename}/apache2.conf", - "puppet://$server/modules/site-apache/config/Debian/apache2.conf", - "puppet://$server/modules/apache/config/Debian/apache2.conf" ], + path => "${config_dir}/apache2.conf", + source => [ "puppet:///modules/site_apache/config/Debian.${::lsbdistcodename}/${::fqdn}/apache2.conf", + "puppet:///modules/site_apache/config/Debian/${::fqdn}/apache2.conf", + "puppet:///modules/site_apache/config/Debian.${::lsbdistcodename}/apache2.conf", + 'puppet:///modules/site_apache/config/Debian/apache2.conf', + "puppet:///modules/apache/config/Debian.${::lsbdistcodename}/${::fqdn}/apache2.conf", + "puppet:///modules/apache/config/Debian/${::fqdn}/apache2.conf", + "puppet:///modules/apache/config/Debian.${::lsbdistcodename}/apache2.conf", + 'puppet:///modules/apache/config/Debian/apache2.conf' ], require => Package['apache'], - notify => Service['apache'], - owner => root, group => 0, mode => 0644; + notify => Service['apache'], + owner => root, + group => 0, + mode => '0644'; } apache::config::global{ 'charset': } apache::config::global{ 'security': } file { 'default_debian_apache_vhost': - path => '/etc/apache2/sites-enabled/000-default', ensure => absent, + path => '/etc/apache2/sites-enabled/000-default', } } diff --git a/manifests/debian/itk.pp b/manifests/debian/itk.pp index 2dde883..718a81b 100644 --- a/manifests/debian/itk.pp 
+++ b/manifests/debian/itk.pp @@ -1,9 +1,9 @@ class apache::debian::itk inherits apache::debian { - File['htpasswd_dir']{ - group => 0, - mode => 0644, - } - Package['apache']{ - name => 'apache2-mpm-itk', - } + File['htpasswd_dir']{ + group => 0, + mode => 0644, + } + Package['apache']{ + name => 'apache2-mpm-itk', + } } diff --git a/manifests/debian/module.pp b/manifests/debian/module.pp index 55500ad..4c100fa 100644 --- a/manifests/debian/module.pp +++ b/manifests/debian/module.pp @@ -5,7 +5,7 @@ define apache::debian::module( $modules_dir = "${apache::debian::config_dir}/mods" if ($package_name != 'absent') { - package { "${package_name}": + package { $package_name: ensure => $ensure, notify => Service['apache'], require => Package['apache'], diff --git a/manifests/defaultdavdbdir.pp b/manifests/defaultdavdbdir.pp index 8b5e00f..c0e2a81 100644 --- a/manifests/defaultdavdbdir.pp +++ b/manifests/defaultdavdbdir.pp @@ -1,9 +1,17 @@ -# manifests/defaultphpdirs.pp - class apache::defaultdavdbdir { - file{'/var/www/dav_db_dir': - ensure => directory, - require => Package['apache'], - owner => root, group => 0, mode => 0755; + file { + '/var/www/dav_db_dir' : + ensure => directory, + require => Package['apache'], + owner => root, + group => 0, + mode => 0755 ; + } + if $::selinux != 'false' { + selinux::fcontext { + ['/var/www/dav_db_dir/.+(/.*)?'] : + setype => 'httpd_var_lib_t', + before => File['/var/www/dav_db_dir'] ; + } } } diff --git a/manifests/defaultphpdirs.pp b/manifests/defaultphpdirs.pp index fdbe8a5..5485241 100644 --- a/manifests/defaultphpdirs.pp +++ b/manifests/defaultphpdirs.pp 
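Review bot: `mode => 0755 ;` in the rewritten `/var/www/dav_db_dir` resource stays an unquoted octal while every other directory hunk in this commit moves to the quoted `'0755'` form that puppet-lint expects; `mode => '0755';` keeps `defaultdavdbdir.pp` consistent with `defaultphpdirs.pp`. The space before `;` and after the title in `'/var/www/dav_db_dir' :` are likewise unlike the rest of the module.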
@@ -1,14 +1,31 @@ -# manifests/defaultphpdirs.pp - +# setup some directories for php class apache::defaultphpdirs { - file{'/var/www/upload_tmp_dir': - ensure => directory, + file{ + '/var/www/upload_tmp_dir': + ensure => directory, require => Package['apache'], - owner => root, group => 0, mode => 0755; - } - file{'/var/www/session.save_path': - ensure => directory, + owner => root, + group => 0, + mode => '0755'; + '/var/www/session.save_path': + ensure => directory, require => Package['apache'], - owner => root, group => 0, mode => 0755; + owner => root, + group => 0, + mode => '0755'; + } + + if $::selinux != 'false' { + $seltype_rw = $::lsbmajdistrelease ? { + 5 => 'httpd_sys_script_rw_t', + default => 'httpd_sys_rw_content_t' + } + selinux::fcontext{ + [ '/var/www/upload_tmp_dir/.+(/.*)?', + '/var/www/session.save_path/.+(/.*)?' ]: + require => Package['apache'], + setype => $seltype_rw, + before => File['/var/www/upload_tmp_dir','/var/www/session.save_path']; + } } } diff --git a/manifests/gentoo.pp b/manifests/gentoo.pp index 46ad8cb..86be087 100644 --- a/manifests/gentoo.pp +++ b/manifests/gentoo.pp @@ -26,7 +26,7 @@ class apache::gentoo inherits apache::package { # set the default for the ServerName file{"${config_dir}/modules.d/00_default_settings_ServerName.conf": - content => template('apache/modules_dir_00_default_settings_ServerName.conf.erb'), + content => "ServerName ${::fqdn}\n", require => Package[apache], owner => root, group => 0, mode => 0644; } diff --git a/manifests/gentoo/module.pp b/manifests/gentoo/module.pp index 7764c6f..1e9d03a 100644 --- a/manifests/gentoo/module.pp +++ b/manifests/gentoo/module.pp 
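Review bot: The `$seltype_rw` selector on `$::lsbmajdistrelease` is a verbatim copy of the one added in the `centos.pp` hunk; defining it once (for example as a class variable in `apache::centos` that this class reads) would keep the two SELinux type mappings from drifting when the next release is added. The bare `5 =>` key relies on the unquoted number being compared as the string `'5'`, which is how Puppet 3.x treats bare numerals; `'5' =>` removes the dependence on that behaviour.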
@@ -3,20 +3,20 @@ define apache::gentoo::module( $source = '', $destination = '' ){ - $modules_dir = "$apache::gentoo::config_dir/modules.d" + $modules_dir = "${apache::gentoo::config_dir}/modules.d" $real_destination = $destination ? { '' => "${modules_dir}/${name}.conf", default => $destination, } $real_source = $source ? { '' => [ - "puppet://$server/modules/site-apache/modules.d/${fqdn}/${name}.conf", - "puppet://$server/modules/site-apache/modules.d/${apache_cluster_node}/${name}.conf", - "puppet://$server/modules/site-apache/modules.d/${name}.conf", - "puppet://$server/modules/apache/modules.d/${operatingsystem}/${name}.conf", - "puppet://$server/modules/apache/modules.d/${name}.conf" + "puppet:///modules/site_apache/modules.d/${::fqdn}/${name}.conf", + "puppet:///modules/site_apache/modules.d/${apache::cluster_node}/${name}.conf", + "puppet:///modules/site_apache/modules.d/${name}.conf", + "puppet:///modules/apache/modules.d/${::operatingsystem}/${name}.conf", + "puppet:///modules/apache/modules.d/${name}.conf" ], - default => "puppet://$server/$source", + default => "puppet:///$source", } file{"modules_${name}.conf": ensure => $ensure, diff --git a/manifests/htpasswd_user.pp b/manifests/htpasswd_user.pp index 5a7c413..c4c5453 100644 --- a/manifests/htpasswd_user.pp +++ b/manifests/htpasswd_user.pp @@ -16,19 +16,18 @@ define apache::htpasswd_user( 'absent': { $real_site = $name } default: { $real_site = $site } } - case $path { - 'absent': { $real_path = "/var/www/htpasswds/${real_site}" } - default: { $real_path = $path } - } if $password_iscrypted { $real_password = $password } else { $real_password = htpasswd_sha1($password) } - line{"htpasswd_for_${real_site}": + file_line{"htpasswd_for_${real_site}": ensure => $ensure, - file => $real_path, + path => $path ? { + 'absent' => "/var/www/htpasswds/${real_site}", + default => $path + }, line => "${username}:${real_password}", } } 
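Review bot: The new `file_line` in `apache::htpasswd_user` has no `match` parameter, so changing a user's password appends a second `${username}:` line instead of replacing the old one, and the previous hash stays valid in the file. Adding `match => "^${username}:",` makes stdlib's file_line replace the existing entry; for `ensure => absent` removal still keys on the exact `line`, which a comment on the resource should spell out. The hash is still produced by `htpasswd_sha1`, an unsalted `{SHA}` digest — unchanged by this hunk, but worth a comment noting the format for whoever later moves to a salted scheme.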
diff --git a/manifests/joomla.pp b/manifests/include/joomla.pp index 45d0b48..5adae30 100644 --- a/manifests/joomla.pp +++ b/manifests/include/joomla.pp @@ -1,5 +1,3 @@ -# manifests/joomla.pp - -class apache::joomla { +class apache::include::joomla { apache::config::include{'joomla.inc': } } diff --git a/manifests/include/mod_fcgid.pp b/manifests/include/mod_fcgid.pp new file mode 100644 index 0000000..b3c1cdc --- /dev/null +++ b/manifests/include/mod_fcgid.pp @@ -0,0 +1,7 @@ +class apache::include::mod_fcgid { + apache::config::global{'mod_fcgid.conf': + content => "<IfModule mod_fcgid.c> + FcgidFixPathinfo 1 +</IfModule>\n" + } +} diff --git a/manifests/include/silverstripe.pp b/manifests/include/silverstripe.pp new file mode 100644 index 0000000..fd2484b --- /dev/null +++ b/manifests/include/silverstripe.pp @@ -0,0 +1,3 @@ +class apache::include::silverstripe { + apache::config::include{'silverstripe.inc': } +} diff --git a/manifests/init.pp b/manifests/init.pp index c6b24a8..542e7aa 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -6,32 +6,35 @@ # Marcel Härry haerry+puppet(at)puzzle.ch # Simon Josi josi+puppet(at)puzzle.ch # -# This program is free software; you can redistribute -# it and/or modify it under the terms of the GNU -# General Public License version 3 as published by +# This program is free software; you can redistribute +# it and/or modify it under the terms of the GNU +# General Public License version 3 as published by # the Free Software Foundation. # -# Global variables: -# -# $apache_default_user: Set this to the user with which the -# apache is running. -# $apache_default_group: Set this to the group with which the -# apache is running. -class apache { - case $operatingsystem { +# manage a simple apache +class apache( + $cluster_node = '', + $manage_shorewall = false, + $manage_munin = false, + $no_default_site = false, + $ssl = false +) { + case $::operatingsystem { centos: { include apache::centos } gentoo: { include apache::gentoo } - debian: { include apache::debian } - ubuntu: { include apache::ubuntu } + debian,ubuntu: { include apache::debian } openbsd: { include apache::openbsd } default: { include apache::base } } - if $use_munin { + if $apache::manage_munin { include apache::status } - if $use_shorewall { + if $apache::manage_shorewall { include shorewall::rules::http } + if $ssl { + include apache::ssl + } } diff --git a/manifests/itk.pp b/manifests/itk.pp index 640b69c..5292343 100644 --- a/manifests/itk.pp +++ b/manifests/itk.pp @@ -3,7 +3,7 @@ # see: http://mpm-itk.sesse.net/ class apache::itk inherits apache { - case $operatingsystem { + case $::operatingsystem { centos: { include ::apache::centos::itk } debian: { include ::apache::debian::itk } default: { include ::apache::base::itk } diff --git a/manifests/itk/lock.pp b/manifests/itk/lock.pp new file mode 100644 index 0000000..4ad95fa --- /dev/null +++ b/manifests/itk/lock.pp 
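Review bot: The new class parameters `$cluster_node`, `$manage_shorewall`, `$manage_munin`, `$no_default_site` and `$ssl` have no documentation, while the removed header block was the only description of the old `$apache_default_user`/`$apache_default_group` globals; a short `# Parameters:` list above `class apache(` giving each flag's meaning and default would restore that. The body reads `$apache::manage_munin` and `$apache::manage_shorewall` but bare `$ssl` for the third flag; `if $apache::ssl {` (or bare names throughout) would be consistent.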
@@ -0,0 +1,4 @@ +class apache::itk::lock { + # This file resource is used to ensure that only one itk mode is used per host + file{'/var/www/.itk_mode_lock': ensure => absent } +} diff --git a/manifests/itk_plus.pp b/manifests/itk_plus.pp new file mode 100644 index 0000000..7d9f721 --- /dev/null +++ b/manifests/itk_plus.pp @@ -0,0 +1,10 @@ +# manifests/itk.pp +# +# see: http://mpm-itk.sesse.net/ + +class apache::itk_plus inherits apache::itk { + case $::operatingsystem { + centos: { include ::apache::centos::itk_plus } + default: { fail("itk plus mode is currently only implemented for CentOS") } + } +} diff --git a/manifests/itk_plus/lock.pp b/manifests/itk_plus/lock.pp new file mode 100644 index 0000000..d540939 --- /dev/null +++ b/manifests/itk_plus/lock.pp @@ -0,0 +1,4 @@ +class apache::itk_plus::lock { + # This file resource is used to ensure that only one itk mode is used per host + file{'/var/www/.itk_mode_lock': ensure => absent } +} diff --git a/manifests/logrotate/centos.pp b/manifests/logrotate/centos.pp index 6571ada..4381205 100644 --- a/manifests/logrotate/centos.pp +++ b/manifests/logrotate/centos.pp @@ -1,8 +1,10 @@ +# add vhost folders to logrotation class apache::logrotate::centos { - # add vhost folders to logrotation augeas{'logrotate_httpd': changes => [ 'rm /files/etc/logrotate.d/httpd/rule/file', 'ins file before /files/etc/logrotate.d/httpd/rule/*[1]', 'set /files/etc/logrotate.d/httpd/rule/file[1] /var/log/httpd/*log' ], + onlyif => 'get /files/etc/logrotate.d/httpd/rule/file[1] != "/var/log/httpd/*log"', + require => Package['apache'], } } diff --git a/manifests/logrotate/centos/vhosts.pp b/manifests/logrotate/centos/vhosts.pp index 941f50d..b1159a1 100644 --- a/manifests/logrotate/centos/vhosts.pp +++ b/manifests/logrotate/centos/vhosts.pp 
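Review bot: The header of the new `manifests/itk_plus.pp` still reads `# manifests/itk.pp`, copied from the parent file; it should name this file and say that the class selects the CentOS-only itk_plus setup (stale filename headers of this kind are exactly what the `joomla.pp` and `status.pp` hunks delete). `fail("itk plus mode is currently only implemented for CentOS")` has no interpolation, so single quotes fit the quoting convention applied elsewhere in this commit; the same line appears in the `ssl/itk_plus.pp` hunk.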
@@ -1,10 +1,11 @@ +# add vhost folders to logrotation class apache::logrotate::centos::vhosts inherits apache::logrotate::centos { - # add vhost folders to logrotation Augeas['logrotate_httpd']{ changes => [ 'rm /files/etc/logrotate.d/httpd/rule/file', 'ins file before /files/etc/logrotate.d/httpd/rule/*[1]', 'ins file before /files/etc/logrotate.d/httpd/rule/*[1]', 'set /files/etc/logrotate.d/httpd/rule/file[1] /var/log/httpd/*log', 'set /files/etc/logrotate.d/httpd/rule/file[2] /var/www/vhosts/*/logs/*log' ], + onlyif => 'get /files/etc/logrotate.d/httpd/rule/file[2] != "/var/www/vhosts/*/logs/*log"', } } diff --git a/manifests/mod_dav_svn.pp b/manifests/mod_dav_svn.pp index a213043..bdcc4ab 100644 --- a/manifests/mod_dav_svn.pp +++ b/manifests/mod_dav_svn.pp @@ -1,6 +1,5 @@ class apache::mod_dav_svn { - include apache - package{mod_dav_svn: + package{'mod_dav_svn': ensure => installed, require => Package['apache'], notify => Service['apache'], diff --git a/manifests/mod_macro.pp b/manifests/mod_macro.pp index acee280..eed59e5 100644 --- a/manifests/mod_macro.pp +++ b/manifests/mod_macro.pp @@ -1,6 +1,5 @@ class apache::mod_macro { - include apache - package{mod_macro: + package{'mod_macro': ensure => installed, require => Package['apache'], notify => Service['apache'], diff --git a/manifests/munin.pp b/manifests/munin.pp new file mode 100644 index 0000000..2a04e97 --- /dev/null +++ b/manifests/munin.pp @@ -0,0 +1,11 @@ +# manage apache monitoring things +class apache::munin { + + include perl::extensions::libwww + + munin::plugin{ [ 'apache_accesses', 'apache_processes', 'apache_volume' ]: } + munin::plugin::deploy { 'apache_activity': + source => 'apache/munin/apache_activity', + seltype => 'munin_services_plugin_exec_t', + } +} diff --git a/manifests/noiplog.pp b/manifests/noiplog.pp new file mode 100644 index 0000000..355d7e6 --- /dev/null +++ b/manifests/noiplog.pp 
@@ -0,0 +1,5 @@ +class apache::noiplog { + apache::config::global{ 'noip_log.conf': + content => 'LogFormat "127.0.0.1 - - %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %T %V" noip'; + } +} diff --git a/manifests/openbsd.pp b/manifests/openbsd.pp index 2cf5fd4..1ba58f4 100644 --- a/manifests/openbsd.pp +++ b/manifests/openbsd.pp @@ -20,16 +20,16 @@ class apache::openbsd inherits apache::base { File[web_dir]{ group => daemon, } - line{'enable_apache_on_boot': - file => '/etc/rc.conf.local', + file_line{'enable_apache_on_boot': + path => '/etc/rc.conf.local', line => 'httpd flags=""', } file{'apache_main_config': path => "${config_dir}/conf/httpd.conf", - source => [ "puppet://$server/modules/site-apache/config/OpenBSD/${fqdn}/httpd.conf", - "puppet://$server/modules/site-apache/config/OpenBSD/${apache_cluster_node}/httpd.conf", - "puppet://$server/modules/site-apache/config/OpenBSD//httpd.conf", - "puppet://$server/modules/apache/config/OpenBSD/httpd.conf" ], + source => [ "puppet:///modules/site_apache/config/OpenBSD/${::fqdn}/httpd.conf", + "puppet:///modules/site_apache/config/OpenBSD/${apache::cluster_node}/httpd.conf", + "puppet:///modules/site_apache/config/OpenBSD//httpd.conf", + "puppet:///modules/apache/config/OpenBSD/httpd.conf" ], notify => Service['apache'], owner => root, group => 0, mode => 0644; } @@ -37,7 +37,7 @@ class apache::openbsd inherits apache::base { path => '/var/www/htdocs/default/www/index.html', } file{'/opt/bin/restart_apache.sh': - source => "puppet://$server/modules/apache/scripts/OpenBSD/bin/restart_apache.sh", + source => "puppet:///modules/apache/scripts/OpenBSD/bin/restart_apache.sh", require => File['/opt/bin'], owner => root, group => 0, mode => 0700; } 
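Review bot: `apache::noiplog` has no comment explaining that the `noip` LogFormat substitutes `127.0.0.1` for the client address; a header such as `# LogFormat 'noip': combined-style format with the client IP replaced by 127.0.0.1` would make the intent visible to whoever wires it into a vhost. Referer and User-Agent are still logged in full, so this is a partial anonymisation, and the comment should say so rather than let the class name imply more. The single-quoted Puppet string keeps the `\"` sequences literally, which is what the Apache directive expects here.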
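Review bot: The rewritten source list for `apache_main_config` in `apache::openbsd` carries over a doubled slash in `puppet:///modules/site_apache/config/OpenBSD//httpd.conf`; it should read `'puppet:///modules/site_apache/config/OpenBSD/httpd.conf'`, which also follows the single-quote convention the `debian.pp` hunk applies to entries without interpolation. The class body continues outside this hunk.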
@@ -51,7 +51,7 @@ class apache::openbsd inherits apache::base { stop => 'apachectl stop', } file{'/opt/bin/apache_logrotate.sh': - source => "puppet://$server/modules/apache/scripts/OpenBSD/bin/apache_logrotate.sh", + source => "puppet:///modules/apache/scripts/OpenBSD/bin/apache_logrotate.sh", require => File['/opt/bin'], owner => root, group => 0, mode => 0700; } diff --git a/manifests/package.pp b/manifests/package.pp index aa47c6c..3308b37 100644 --- a/manifests/package.pp +++ b/manifests/package.pp @@ -19,13 +19,13 @@ class apache::package inherits apache::base { File['modules_dir']{ require => Package[apache], } - File['web_dir']{ + File['include_dir']{ require => Package[apache], } - File['htpasswd_dir']{ + File['web_dir']{ require => Package[apache], } - File['include_dir']{ + File['htpasswd_dir']{ require => Package[apache], } } diff --git a/manifests/sftponly.pp b/manifests/sftponly.pp index 1f9793d..ece726b 100644 --- a/manifests/sftponly.pp +++ b/manifests/sftponly.pp @@ -1,5 +1,5 @@ class apache::sftponly { - case $operatingsystem { + case $::operatingsystem { centos: { include apache::sftponly::centos } } } diff --git a/manifests/sftponly/centos.pp b/manifests/sftponly/centos.pp index 12dd2d0..0f2a43d 100644 --- a/manifests/sftponly/centos.pp +++ b/manifests/sftponly/centos.pp @@ -1,10 +1,10 @@ +# manage sftponly group and apache +# user for access class apache::sftponly::centos { - augeas{"add_apache_to_group_sftponly": - context => "/files/etc/group", - changes => [ "ins user after sftponly/user[last()]", - "set sftponly/user[last()] apache" ], - onlyif => "match sftponly/*[../user='apache'] size == 0", + require user::groups::sftponly + user::groups::manage_user{'apache': + group => 'sftponly', require => Package['apache'], - notify => Service['apache'], + notify => Service['apache'], } } diff --git a/manifests/ssl.pp b/manifests/ssl.pp index c779da4..bfef7ad 100644 --- a/manifests/ssl.pp +++ b/manifests/ssl.pp 
@@ -1,13 +1,13 @@ # manifests/ssl.pp -class apache::ssl inherits apache { - case $operatingsystem { +class apache::ssl { + case $::operatingsystem { centos: { include apache::ssl::centos } openbsd: { include apache::ssl::openbsd } debian: { include apache::ssl::debian } defaults: { include apache::ssl::base } } - if $use_shorewall { + if $apache::manage_shorewall { include shorewall::rules::https } } diff --git a/manifests/ssl/centos.pp b/manifests/ssl/centos.pp index b2c8ad8..7bc8c89 100644 --- a/manifests/ssl/centos.pp +++ b/manifests/ssl/centos.pp @@ -5,4 +5,8 @@ class apache::ssl::centos inherits apache::ssl::base { require => Package[apache], } ::apache::config::global{ 'ssl.conf': } + + apache::config::global{'00-listen-ssl.conf': + ensure => absent, + } } diff --git a/manifests/ssl/itk.pp b/manifests/ssl/itk.pp index 62c96cf..5fd3aaf 100644 --- a/manifests/ssl/itk.pp +++ b/manifests/ssl/itk.pp @@ -1,7 +1,7 @@ # manifests/ssl/itk.pp class apache::ssl::itk inherits apache::ssl { - case $operatingsystem { + case $::operatingsystem { centos: { include apache::ssl::itk::centos } } } diff --git a/manifests/ssl/itk_plus.pp b/manifests/ssl/itk_plus.pp new file mode 100644 index 0000000..0c8e667 --- /dev/null +++ b/manifests/ssl/itk_plus.pp @@ -0,0 +1,6 @@ +class apache::ssl::itk_plus inherits apache::ssl::itk { + case $::operatingsystem { + centos: { include ::apache::ssl::itk_plus::centos } + default: { fail("itk plus mode is currently only implemented for CentOS") } + } +} diff --git a/manifests/ssl/itk_plus/centos.pp b/manifests/ssl/itk_plus/centos.pp new file mode 100644 index 0000000..00fb472 --- /dev/null +++ b/manifests/ssl/itk_plus/centos.pp 
@@ -0,0 +1,11 @@ +class apache::ssl::itk_plus::centos inherits apache::ssl::centos { + include apache::ssl::itk::centos + Apache::Config::Global['ssl.conf']{ + source => "modules/apache/itk_plus/conf.d/${::operatingsystem}/ssl.conf", + } + + Apache::Config::Global['00-listen-ssl.conf']{ + ensure => 'present', + content => template("apache/itk_plus/${::operatingsystem}/00-listen-ssl.conf.erb"), + } +} diff --git a/manifests/ssl/openbsd.pp b/manifests/ssl/openbsd.pp index 6d357ee..43bc680 100644 --- a/manifests/ssl/openbsd.pp +++ b/manifests/ssl/openbsd.pp @@ -1,16 +1,16 @@ class apache::ssl::openbsd inherits apache::openbsd { include apache::ssl::base - Line['enable_apache_on_boot']{ + File_line['enable_apache_on_boot']{ ensure => 'absent', } - line{'enable_apachessl_on_boot': - file => '/etc/rc.conf.local', + file_line{'enable_apachessl_on_boot': + path => '/etc/rc.conf.local', line => 'httpd flags="-DSSL"', } File['/opt/bin/restart_apache.sh']{ - source => "puppet://$server/modules/apache/scripts/OpenBSD/bin/restart_apache_ssl.sh", + source => "puppet:///modules/apache/scripts/OpenBSD/bin/restart_apache_ssl.sh", } Service['apache']{ start => 'apachectl startssl', diff --git a/manifests/status.pp b/manifests/status.pp index d32069e..1f7ca89 100644 --- a/manifests/status.pp +++ b/manifests/status.pp @@ -1,12 +1,12 @@ -# manifests/status.pp - -class apache::status inherits apache { - case $operatingsystem { - centos: { include apache::status::centos } - defaults: { include apache::status::base } - } - if $use_munin { - include munin::plugins::apache - } +# enable apache status page +# manage munin plugins if requested +class apache::status { + case $::operatingsystem { + centos: { include apache::status::centos } + defaults: { include apache::status::base } + } + if $apache::manage_munin { + include apache::munin + } } diff --git a/manifests/ubuntu.pp b/manifests/ubuntu.pp deleted file mode 100644 index 0837296..0000000 --- a/manifests/ubuntu.pp +++ /dev/null 
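Review bot: The `ssl.conf` override sets `source => "modules/apache/itk_plus/conf.d/${::operatingsystem}/ssl.conf"` without the `puppet:///` scheme that every other `source` in this commit uses, and the `config/file.pp` hunk shows `apache::config::file` passing a non-`absent` `$source` through unchanged, so this value would be treated as a local path. Unless the define adds the scheme somewhere outside that hunk, it should be `source => "puppet:///modules/apache/itk_plus/conf.d/${::operatingsystem}/ssl.conf",`.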
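Review bot: `defaults: { include apache::status::base }` in the rewritten `case $::operatingsystem` of `apache::status` is a literal string label, not the `default:` fallback, so on anything but CentOS no status class is included; the reindent makes this new-side code, and `default: { include apache::status::base }` is the intended form. The same `defaults:` label sits in the unchanged context of the `ssl.pp` hunk and deserves the same fix.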
@@ -1,3 +0,0 @@
-### ubuntu: similar to debian therefor inheritng from there
-class apache::ubuntu inherits apache::debian {}
-
diff --git a/manifests/vhost.pp b/manifests/vhost.pp
index 1f2db90..dcb26a2 100644
--- a/manifests/vhost.pp
+++ b/manifests/vhost.pp
@@ -3,19 +3,39 @@ # vhost_mode: which option is choosed to deploy the vhost # - template: generate it from a template (default) # - file: deploy a vhost file (apache::vhost::file will be called directly) -# php_safe_mode_exec_bins: An array of local binaries which should be linked in the -# safe_mode_exec_bin for this hosting -# *default*: None -# php_default_charset: default charset header for php. -# *default*: absent, which will set the same as default_charset -# of apache +# +# logmode: +# - default: Do normal logging to CustomLog and ErrorLog +# - nologs: Send every logging to /dev/null +# - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null +# - semianonym: Don't log ips for CustomLog, log normal ErrorLog +# +# run_mode: controls in which mode the vhost should be run, there are different setups +# possible: +# - normal: (*default*) run vhost with the current active worker (default: prefork) don't +# setup anything special +# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination +# with 'proxy-itk' & 'static-itk' mode) +# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the +# requests for the itk setup, that listens only on the loobpack device. +# (Incompatibility: cannot be used in combination with the itk setup.) 
+# - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static +# content and proxies the dynamic calls to the itk setup, that listens only on +# the loobpack device (Incompatibility: cannot be used in combination with +# 'itk' mode) +# +# mod_security: Whether we use mod_security or not (will include mod_security module) +# - false: (*default*) don't activate mod_security +# - true: activate mod_security +# define apache::vhost( $ensure = present, $path = 'absent', $path_is_webdir = false, $logpath = 'absent', - $template_mode = 'static', + $logmode = 'default', $vhost_mode = 'template', + $template_partial = 'apache/vhosts/static/partial.erb', $vhost_source = 'absent', $vhost_destination = 'absent', $content = 'absent', @@ -23,15 +43,8 @@ define apache::vhost( $domainalias = 'absent', $server_admin = 'absent', $allow_override = 'None', - $php_safe_mode_exec_bin_dir = 'absent', - $php_upload_tmp_dir = 'absent', - $php_session_save_path = 'absent', - $php_use_smarty = false, - $php_use_pear = false, - $php_safe_mode = true, - $php_default_charset = 'absent', - $php_additional_open_basedirs = 'absent', - $php_additional_options = 'absent', + $php_settings = {}, + $php_options = {}, $cgi_binpath = 'absent', $default_charset = 'absent', $do_includes = false, @@ -40,15 +53,18 @@ define apache::vhost( $run_mode = 'normal', $run_uid = 'absent', $run_gid = 'absent', - $template_mode = 'static', $ssl_mode = false, $htpasswd_file = 'absent', $htpasswd_path = 'absent', $mod_security = true, $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', $use_mod_macro = false, $ldap_auth = false, - $ldap_user = 'any' + $ldap_user = 'any', + $passing_extension = 'absent', + $gempath = 'absent' ) { # file or template mode? case $vhost_mode { 
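Review bot: The new header comment states `mod_security ... - false: (*default*)`, but the signature in the third hunk on this line keeps `$mod_security = true,`, so the documentation and the actual default disagree; either the comment becomes `# - true: (*default*) activate mod_security` or the default is lowered to match vhost/file.pp, which uses `false`. The `$php_settings`/`$php_options` hashes that replace the nine removed `php_*` parameters are left without any description now that the `php_safe_mode_exec_bins`/`php_default_charset` notes are gone — a line per hash describing what the templates do with it belongs in this header. The repeated `loobpack` in the run_mode block should be `loopback`; the same typo is copied into vhost/file.pp, modperl.pp, drupal.pp and gallery2.pp.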
@@ -58,6 +74,8 @@ define apache::vhost( vhost_source => $vhost_source, vhost_destination => $vhost_destination, do_includes => $do_includes, + run_mode => $run_mode, + mod_security => $mod_security, htpasswd_file => $htpasswd_file, htpasswd_path => $htpasswd_path, use_mod_macro => $use_mod_macro, @@ -69,35 +87,34 @@ define apache::vhost( path => $path, path_is_webdir => $path_is_webdir, logpath => $logpath, + logmode => $logmode, domain => $domain, domainalias => $domainalias, server_admin => $server_admin, - php_safe_mode_exec_bin_dir => $php_safe_mode_exec_bin_dir, - php_upload_tmp_dir => $php_upload_tmp_dir, - php_session_save_path => $php_session_save_path, cgi_binpath => $cgi_binpath, allow_override => $allow_override, do_includes => $do_includes, options => $options, additional_options => $additional_options, default_charset => $default_charset, - php_use_smarty => $php_use_smarty, - php_use_pear => $php_use_pear, - php_safe_mode => $php_safe_mode, - php_default_charset => $php_default_charset, - php_additional_open_basedirs => $php_additional_open_basedirs, - php_additional_options => $php_additional_options, + php_settings => $php_settings, + php_options => $php_options, run_mode => $run_mode, run_uid => $run_uid, run_gid => $run_gid, - template_mode => $template_mode, + template_partial => $template_partial, ssl_mode => $ssl_mode, htpasswd_file => $htpasswd_file, htpasswd_path => $htpasswd_path, ldap_auth => $ldap_auth, ldap_user => $ldap_user, mod_security => $mod_security, + mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options => $mod_security_additional_options, use_mod_macro => $use_mod_macro, + passing_extension => $passing_extension, + gempath => $gempath, } } default: { fail("no such vhost_mode: $vhost_mode defined for $name.") } diff --git a/manifests/vhost/davdbdir.pp b/manifests/vhost/davdbdir.pp index a9528f7..459167c 100644 
--- a/manifests/vhost/davdbdir.pp
+++ b/manifests/vhost/davdbdir.pp
@@ -11,7 +11,7 @@ define apache::vhost::davdbdir(
 case $dav_db_dir {
 'absent': {
 include apache::defaultdavdbdir
- $real_dav_db_dir = "/var/www/dav_db_dir/$name"
+ $real_dav_db_dir = "/var/www/dav_db_dir/${name}"
 }
 default: { $real_dav_db_dir = $dav_db_dir }
 }
diff --git a/manifests/vhost/file.pp b/manifests/vhost/file.pp
index 6d2cc32..b42c4ce 100644
--- a/manifests/vhost/file.pp
+++ b/manifests/vhost/file.pp
@@ -7,26 +7,60 @@ # - absent: standardpath (default) # - else: path to deploy # +# ssl_mode: wether this vhost supports ssl or not +# - false: don't enable ssl for this vhost (default) +# - true: enable ssl for this vhost +# - force: enable ssl and redirect non-ssl to ssl +# - only: enable ssl only +# +# run_mode: controls in which mode the vhost should be run, there are different setups +# possible: +# - normal: (*default*) run vhost with the current active worker (default: prefork) don't +# setup anything special +# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination +# with 'proxy-itk' & 'static-itk' mode) +# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the +# requests for the itk setup, that listens only on the loobpack device. +# (Incompatibility: cannot be used in combination with the itk setup.) +# - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static +# content and proxies the dynamic calls to the itk setup, that listens only on +# the loobpack device (Incompatibility: cannot be used in combination with +# 'itk' mode) +# logmode: +# - default: Do normal logging to CustomLog and ErrorLog +# - nologs: Send every logging to /dev/null +# - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null +# - semianonym: Don't log ips for CustomLog, log normal ErrorLog +# +# +# mod_security: Whether we use mod_security or not (will include mod_security module) +# - false: (*default*) don't activate mod_security +# - true: activate mod_security +# define apache::vhost::file( $ensure = present, $vhost_source = 'absent', $vhost_destination = 'absent', $content = 'absent', $do_includes = false, + $run_mode = 'normal', + $logmode = 'default', + $ssl_mode = false, + $mod_security = false, $htpasswd_file = 'absent', $htpasswd_path = 'absent', $use_mod_macro = false ){ - $vhosts_dir = $operatingsystem ? 
{ - centos => "$apache::centos::config_dir/vhosts.d", - gentoo => "$apache::gentoo::config_dir/vhosts.d", - debian => "$apache::debian::config_dir/sites-enabled", - ubuntu => "$apache::ubuntu::config_dir/sites-enabled", - openbsd => "$apache::openbsd::config_dir/vhosts.d", + $vhosts_dir = $::operatingsystem ? { + centos => "${apache::centos::config_dir}/vhosts.d", + gentoo => "${apache::gentoo::config_dir}/vhosts.d", + debian => "${apache::debian::config_dir}/sites-enabled", + ubuntu => "${apache::ubuntu::config_dir}/sites-enabled", + openbsd => "${apache::openbsd::config_dir}/vhosts.d", default => '/etc/apache2/vhosts.d', } $real_vhost_destination = $vhost_destination ? { - 'absent' => "$vhosts_dir/$name.conf", + 'absent' => "${vhosts_dir}/${name}.conf", default => $vhost_destination, } file{"${name}.conf": 
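Review bot: `ubuntu => "${apache::ubuntu::config_dir}/sites-enabled"` in the `$vhosts_dir` selector still references class apache::ubuntu, which this same commit deletes (manifests/ubuntu.pp above), so on Ubuntu the variable resolves to nothing and the vhost file would be written to `/sites-enabled/<name>.conf`. Since the removed class only inherited apache::debian, `ubuntu => "${apache::debian::config_dir}/sites-enabled",` restores the intended path. Separately, `$mod_security = false` here differs from the `true` default in apache::vhost; that only matters for direct callers of this define, which a one-line comment saying that apache::vhost always passes the value explicitly would make clear. The define's body continues in the following hunks.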
@@ -36,27 +70,44 @@ define apache::vhost::file( notify => Service[apache], owner => root, group => 0, mode => 0644; } - if $do_includes { + if $ensure != 'absent' { + if $do_includes { include ::apache::includes - } - if $use_mod_macro { + } + if $use_mod_macro { include ::apache::mod_macro - } - case $content { + } + case $logmode { + 'semianonym','anonym': { include apache::noiplog } + } + case $run_mode { + 'itk': { + include ::apache::itk::lock + if $mod_security { include mod_security::itk } + } + 'proxy-itk','static-itk': { + include ::apache::itk_plus::lock + if $mod_security { include mod_security::itk_plus } + } + default: { + if $mod_security { include mod_security } + } + } + + case $content { 'absent': { $real_vhost_source = $vhost_source ? { 'absent' => [ - "puppet://$server/modules/site-apache/vhosts.d/$fqdn/$name.conf", - "puppet://$server/modules/site-apache/vhosts.d/$apache_cluster_node/$name.conf", - "puppet://$server/modules/site-apache/vhosts.d/$operatingsystem.$lsbdistcodename/$name.conf", - "puppet://$server/modules/site-apache/vhosts.d/$operatingsystem/$name.conf", - "puppet://$server/modules/site-apache/vhosts.d/$name.conf", - "puppet://$server/modules/apache/vhosts.d/$name.conf", - "puppet://$server/modules/apache/vhosts.d/$operatingsystem.$lsbdistcodename/$name.conf", - "puppet://$server/modules/apache/vhosts.d/$operatingsystem/$name.conf", - "puppet://$server/modules/apache/vhosts.d/$name.conf" + "puppet:///modules/site_apache/vhosts.d/${::fqdn}/${name}.conf", + "puppet:///modules/site_apache/vhosts.d/{$apache::cluster_node}/${name}.conf", + "puppet:///modules/site_apache/vhosts.d/${::operatingsystem}.${::lsbdistcodename}/${name}.conf", + "puppet:///modules/site_apache/vhosts.d/${::operatingsystem}/${name}.conf", + "puppet:///modules/site_apache/vhosts.d/${name}.conf", + "puppet:///modules/apache/vhosts.d/${::operatingsystem}.${::lsbdistcodename}/${name}.conf", + "puppet:///modules/apache/vhosts.d/${::operatingsystem}/${name}.conf", + 
"puppet:///modules/apache/vhosts.d/${name}.conf" ], - default => "puppet://$server/$vhost_source", + default => "puppet:///${vhost_source}", } File["${name}.conf"]{ source => $real_vhost_source, @@ -67,21 +118,26 @@ define apache::vhost::file( content => $content, } } + } } case $htpasswd_file { 'absent','nodeploy': { info("don't deploy a htpasswd file for ${name}") } default: { if $htpasswd_path == 'absent' { - $real_htpasswd_path = "/var/www/htpasswds/$name" + $real_htpasswd_path = "/var/www/htpasswds/${name}" } else { $real_htpasswd_path = $htpasswd_path } file{$real_htpasswd_path: ensure => $ensure, - source => [ "puppet://$server/modules/site-apache/htpasswds/$fqdn/$name", - "puppet://$server/modules/site-apache/htpasswds/$apache_cluster_node/$name", - "puppet://$server/modules/site-apache/htpasswds/$name" ], - owner => root, group => 0, mode => 0644; + } + if ($ensure!='absent') { + File[$real_htpasswd_path]{ + source => [ "puppet:///modules/site_apache/htpasswds/${::fqdn}/${name}", + "puppet:///modules/site_apache/htpasswds/${apache::cluster_node}/${name}", + "puppet:///modules/site_apache/htpasswds/${name}" ], + owner => root, group => 0, mode => 0644, + } } } } diff --git a/manifests/vhost/file/documentrootfile.pp b/manifests/vhost/file/documentrootfile.pp index 441d605..610d71c 100644 --- a/manifests/vhost/file/documentrootfile.pp +++ b/manifests/vhost/file/documentrootfile.pp 
@@ -6,19 +6,19 @@ define apache::vhost::file::documentrootfile(
 $group='0',
 $mode=440
 ){
- file{"$documentroot/$filename":
- source => [ "puppet://$server/modules/site-apache/vhost_varieties/$fqdn/$thedomain/$filename",
- "puppet://$server/modules/site-apache/vhost_varieties/$apache_cluster_node/$thedomain/$filename",
- "puppet://$server/modules/site-apache/vhost_varieties/$operatingsystem.$lsbdistcodename/$thedomain/$filename",
- "puppet://$server/modules/site-apache/vhost_varieties/$operatingsystem/$thedomain/$filename",
- "puppet://$server/modules/site-apache/vhost_varieties/$thedomain/$filename",
- "puppet://$server/modules/apache/vhost_varieties/$thedomain/$filename",
- "puppet://$server/modules/apache/vhost_varieties/$operatingsystem.$lsbdistcodename/$thedomain/$filename",
- "puppet://$server/modules/apache/vhost_varieties/$operatingsystem/$thedomain/$filename",
- "puppet://$server/modules/apache/vhost_varieties/$thedomain/$filename"
+ file{"${documentroot}/$(unknown)":
+ source => [ "puppet:///modules/site_apache/vhost_varieties/${::fqdn}/${thedomain}/$(unknown)",
+ "puppet:///modules/site_apache/vhost_varieties/${apache::cluster_node}/${thedomain}/$(unknown)",
+ "puppet:///modules/site_apache/vhost_varieties/${::operatingsystem}.${::lsbdistcodename}/${thedomain}/$(unknown)",
+ "puppet:///modules/site_apache/vhost_varieties/${::operatingsystem}/${thedomain}/$(unknown)",
+ "puppet:///modules/site_apache/vhost_varieties/${thedomain}/$(unknown)",
+ "puppet:///modules/apache/vhost_varieties/${thedomain}/$(unknown)",
+ "puppet:///modules/apache/vhost_varieties/${::operatingsystem}.${::lsbdistcodename}/${thedomain}/$(unknown)",
+ "puppet:///modules/apache/vhost_varieties/${::operatingsystem}/${thedomain}/$(unknown)",
+ "puppet:///modules/apache/vhost_varieties/${thedomain}/$(unknown)"
 ],
 ensure => file,
- require => Apache::Vhost::Webdir["$thedomain"],
+ require => Apache::Vhost::Webdir[$thedomain],
 owner => $owner, group => $group, mode => $mode;
 }
 }
diff --git a/manifests/vhost/gitweb.pp b/manifests/vhost/gitweb.pp
index 084b04c..dab4983 100644
--- a/manifests/vhost/gitweb.pp
+++ b/manifests/vhost/gitweb.pp
@@ -1,6 +1,13 @@
+# logmode:
+# - default: Do normal logging to CustomLog and ErrorLog
+# - nologs: Send every logging to /dev/null
+# - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null
+# - semianonym: Don't log ips for CustomLog, log normal ErrorLog
+#
 define apache::vhost::gitweb(
 $ensure = present,
 $domain = 'absent',
+ $logmode = 'default',
 $domainalias = 'absent',
 $server_admin = 'absent',
 $owner = root,
@@ -9,6 +16,7 @@ define apache::vhost::gitweb(
 $documentroot_group = 0,
 $documentroot_mode = 0640,
 $allow_override = 'None',
+ $template_partial = 'apache/vhosts/gitweb/partial.erb',
 $do_includes = false,
 $options = 'absent',
 $additional_options = 'absent',
@@ -22,14 +30,15 @@ define apache::vhost::gitweb(
 ensure => $ensure,
 path => '/var/www/git',
 path_is_webdir => true,
- logpath => $operatingsystem ? {
+ logpath => $::operatingsystem ? {
 centos => '/var/log/httpd',
 fedora => '/var/log/httpd',
 redhat => '/var/log/httpd',
 openbsd => '/var/www/logs',
 default => '/var/log/apache2'
 },
- template_mode => 'gitweb',
+ logmode => $logmode,
+ template_partial => $template_partial,
 domain => $domain,
 domainalias => $domainalias,
 server_admin => $server_admin,
@@ -38,6 +47,7 @@ define apache::vhost::gitweb(
 options => $options,
 additional_options => $additional_options,
 default_charset => $default_charset,
+ run_mode => 'normal',
 ssl_mode => $ssl_mode,
 htpasswd_file => $htpasswd_file,
 htpasswd_path => $htpasswd_path,
diff --git a/manifests/vhost/modperl.pp b/manifests/vhost/modperl.pp
index 98876e4..c93e6cf 100644
--- a/manifests/vhost/modperl.pp
+++ b/manifests/vhost/modperl.pp
@@ -1,14 +1,36 @@ -# run_mode: -# - normal: nothing special (*default*) -# - itk: apache is running with the itk module -# and run_uid and run_gid are used as vhost users +# run_mode: controls in which mode the vhost should be run, there are different setups +# possible: +# - normal: (*default*) run vhost with the current active worker (default: prefork) don't +# setup anything special +# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination +# with 'proxy-itk' & 'static-itk' mode) +# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the +# requests for the itk setup, that listens only on the loobpack device. +# (Incompatibility: cannot be used in combination with the itk setup.) +# - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static +# content and proxies the dynamic calls to the itk setup, that listens only on +# the loobpack device (Incompatibility: cannot be used in combination with +# 'itk' mode) +# # run_uid: the uid the vhost should run as with the itk module # run_gid: the gid the vhost should run as with the itk module +# +# mod_security: Whether we use mod_security or not (will include mod_security module) +# - false: don't activate mod_security +# - true: (*default*) activate mod_security +# +# logmode: +# - default: Do normal logging to CustomLog and ErrorLog +# - nologs: Send every logging to /dev/null +# - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null +# - semianonym: Don't log ips for CustomLog, log normal ErrorLog +# define apache::vhost::modperl( $ensure = present, $domain = 'absent', $domainalias = 'absent', $server_admin = 'absent', + $logmode = 'default', $path = 'absent', $owner = root, $group = apache, 
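Review bot: The expanded `run_mode:` comment lists normal, itk, proxy-itk and static-itk, but the `case $run_mode` this commit adds in the next hunk also accepts `'fcgid'` (it includes mod_fcgid, disables mod_perl and declares a `mod_fcgid::starter`), so the documentation misses one supported value. Add `# - fcgid: run the vhost's perl scripts through mod_fcgid instead of mod_perl; run_uid/run_gid own the fcgid starter` to the list. The `# run_uid`/`# run_gid` lines still say "with the itk module" although the same values now also feed the fcgid starter.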
@@ -26,8 +48,11 @@ define apache::vhost::modperl( $default_charset = 'absent', $mod_security = true, $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', $ssl_mode = false, $vhost_mode = 'template', + $template_partial = 'apache/vhosts/perl/partial.erb', $vhost_source = 'absent', $vhost_destination = 'absent', $htpasswd_file = 'absent', @@ -37,23 +62,49 @@ define apache::vhost::modperl( case $cgi_binpath { 'absent': { $real_path = $path ? { - 'absent' => $operatingsystem ? { + 'absent' => $::operatingsystem ? { openbsd => "/var/www/htdocs/${name}", default => "/var/www/vhosts/${name}" }, - default => "${path}" + default => $path } $real_cgi_binpath = "${real_path}/cgi-bin" } default: { $real_cgi_binpath = $cgi_binpath } } + file{$real_cgi_binpath: - ensure => directory, + ensure => $ensure ? { + 'absent' => 'absent', + default => directory + }, owner => $documentroot_owner, group => $documentroot_group, mode => $documentroot_mode; } + if $ensure != 'absent' { + case $run_mode { + 'proxy-itk','static-itk': { + include ::mod_perl::itk_plus + } + 'fcgid': { + include ::mod_fcgid + include apache::include::mod_fcgid + + # we don't need mod_perl if we run it as fcgid + include ::mod_perl::disable + mod_fcgid::starter {$name: + cgi_type => 'perl', + owner => $run_uid, + group => $run_gid, + notify => Service['apache'], + } + } + default: { include ::mod_perl } + } + } + # create webdir ::apache::vhost::webdir{$name: ensure => $ensure, @@ -70,8 +121,9 @@ define apache::vhost::modperl( ::apache::vhost{$name: ensure => $ensure, path => $path, - template_mode => 'perl', + logmode => $logmode, vhost_mode => $vhost_mode, + template_partial => $template_partial, vhost_source => $vhost_source, vhost_destination => $vhost_destination, domain => $domain, 
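Review bot: In the `'fcgid'` arm of the new `case $run_mode`, `mod_fcgid::starter {$name: owner => $run_uid, group => $run_gid }` is declared without checking that either value was set; the sibling defines in this commit default both to `'absent'` (passenger.pp below shows `$run_uid = 'absent'`, modperl's own defaults sit outside this hunk), and unless mod_fcgid::starter handles that value itself Puppet will try to resolve a user named "absent" at apply time. A guard before the starter, `if ($run_uid == 'absent') or ($run_gid == 'absent') { fail("run_uid and run_gid are required for run_mode fcgid on ${name}") }`, turns that into a compile-time error with a clear message. The define continues past this hunk.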
@@ -91,6 +143,9 @@ define apache::vhost::modperl(
 htpasswd_path => $htpasswd_path,
 mod_security => $mod_security,
 mod_security_relevantonly => $mod_security_relevantonly,
+ mod_security_rules_to_disable => $mod_security_rules_to_disable,
+ mod_security_additional_options => $mod_security_additional_options,
+ passing_extension => 'pl'
 }
 }
diff --git a/manifests/vhost/passenger.pp b/manifests/vhost/passenger.pp
index 732758e..6886f13 100644
--- a/manifests/vhost/passenger.pp
+++ b/manifests/vhost/passenger.pp
@@ -1,23 +1,31 @@
 # run_uid: the uid the vhost should run as with the mod_passenger module
 # run_gid: the gid the vhost should run as with the mod_passenger module
+#
+# logmode:
+#
+# - default: Do normal logging to CustomLog and ErrorLog
+# - nologs: Send every logging to /dev/null
+# - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null
+# - semianonym: Don't log ips for CustomLog, log normal ErrorLog
+#
+# mod_security: Whether we use mod_security or not (will include mod_security module)
+# - false: don't activate mod_security
+# - true: (*defaul*) activate mod_security
+#
 define apache::vhost::passenger(
 $ensure = present,
 $domain = 'absent',
 $domainalias = 'absent',
 $server_admin = 'absent',
+ $logmode = 'default',
 $path = 'absent',
 $manage_webdir = true,
 $manage_docroot = true,
- $template_mode = 'passenger',
 $owner = root,
 $group = apache,
 $documentroot_owner = apache,
 $documentroot_group = 0,
 $documentroot_mode = 0640,
- # TODO: think of a more generic way to handle user separation
- # i.e. rename itk mode into something else
- # e.g. default, moderate (use same user for access and run), strict (use different users for access and run)
- $run_mode = 'normal',
 $run_uid = 'absent',
 $run_gid = 'absent',
 $allow_override = 'None',
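Review bot: `$run_mode = 'normal'` is removed from the apache::vhost::passenger signature (together with the TODO about user separation) while a later hunk hard-codes `run_mode => 'normal'` in the body; any existing caller that still passes `run_mode =>` will fail with an invalid-parameter error, which is a breaking change the commit description should state. The new comment has a typo, `(*defaul*)` should be `(*default*)`; gallery2.pp below carries the same typo.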
@@ -27,13 +35,25 @@ define apache::vhost::passenger( $default_charset = 'absent', $mod_security = true, $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', $ssl_mode = false, $vhost_mode = 'template', + $template_partial = 'apache/vhosts/passenger/partial.erb', $vhost_source = 'absent', $vhost_destination = 'absent', $htpasswd_file = 'absent', - $htpasswd_path = 'absent' + $htpasswd_path = 'absent', + $passenger_ree = false, + $passenger_app = 'rails' ){ + + if $passenger_ree { + include ::passenger::ree::apache + } else { + include ::passenger::apache + } + if $manage_webdir { # create webdir ::apache::vhost::webdir{$name: 
@@ -41,26 +61,62 @@ define apache::vhost::passenger( path => $path, owner => $owner, group => $group, - run_mode => $run_mode, + mode => 0644, + run_mode => 'normal', manage_docroot => $manage_docroot, documentroot_owner => $documentroot_owner, - documentroot_group => $documentroot_group, + documentroot_group => $run_gid, documentroot_mode => $documentroot_mode, } } + $real_path = $path ? { + 'absent' => $::operatingsystem ? { + openbsd => "/var/www/htdocs/${name}", + default => "/var/www/vhosts/${name}" + }, + default => $path + } + file{ + ["${real_path}/www/tmp", "${real_path}/www/log"]: + ensure => directory, + owner => $documentroot_owner, group => $run_gid, mode => 0660; + ["${real_path}/www/public", "${real_path}/gems"]: + ensure => directory, + owner => $documentroot_owner, group => $run_gid, mode => 0640; + } + if $passenger_app == 'rails' { + file{ + "${real_path}/www/config": + ensure => directory, + owner => $documentroot_owner, group => $run_gid, mode => 0640; + "${real_path}/www/config/environment.rb": + ensure => present, + owner => $run_uid, group => $run_gid, mode => 0640; + } + } else { + #rack based + file{ + "${real_path}/www/config.ru": + ensure => present, + owner => $run_uid, group => $run_gid, mode => 0640; + } + } # create vhost configuration file ::apache::vhost{$name: ensure => $ensure, - path => $path, - template_mode => $template_mode, + path => "${real_path}/www/public", + path_is_webdir => true, + template_partial => $template_partial, + logmode => $logmode, + logpath => "${real_path}/logs", vhost_mode => $vhost_mode, vhost_source => $vhost_source, vhost_destination => $vhost_destination, domain => $domain, domainalias => $domainalias, server_admin => $server_admin, - run_mode => 'itk', + run_mode => 'normal', run_uid => $run_uid, run_gid => $run_gid, allow_override => $allow_override, 
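Review bot: The new `file{}` resources and `documentroot_group => $run_gid` assign `group => $run_gid` (and `owner => $run_uid` for `environment.rb`/`config.ru`) with no check that the caller set them, while both still default to `'absent'` in this file's first hunk, so Puppet would try to look up a group named "absent" at apply time. A compile-time guard at the top of the body, `if ($run_uid == 'absent') or ($run_gid == 'absent') { fail("run_uid and run_gid must be set for passenger vhost ${name}") }`, gives a clear error instead. Also `logpath => "${real_path}/logs"` points at a directory this define does not create, whereas the directory it does create is `${real_path}/www/log` — presumably one of the two should change, unless webdir creates `logs`. Note too that `ensure => present` on `environment.rb`/`config.ru` creates an empty file when none exists, which leaves a silently broken app rather than a visible missing-file error.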
@@ -73,6 +129,9 @@ define apache::vhost::passenger(
 htpasswd_path => $htpasswd_path,
 mod_security => $mod_security,
 mod_security_relevantonly => $mod_security_relevantonly,
+ mod_security_rules_to_disable => $mod_security_rules_to_disable,
+ mod_security_additional_options => $mod_security_additional_options,
+ gempath => "${real_path}/gems"
 }
 }
diff --git a/manifests/vhost/php/drupal.pp b/manifests/vhost/php/drupal.pp
index f23a434..4025ada 100644
--- a/manifests/vhost/php/drupal.pp
+++ b/manifests/vhost/php/drupal.pp
@@ -1,20 +1,42 @@ -# run_mode: -# - normal: nothing special (*default*) -# - itk: apache is running with the itk module -# and run_uid and run_gid are used as vhost users +# run_mode: controls in which mode the vhost should be run, there are different setups +# possible: +# - normal: (*default*) run vhost with the current active worker (default: prefork) don't +# setup anything special +# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination +# with 'proxy-itk' & 'static-itk' mode) +# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the +# requests for the itk setup, that listens only on the loobpack device. +# (Incompatibility: cannot be used in combination with the itk setup.) +# - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static +# content and proxies the dynamic calls to the itk setup, that listens only on +# the loobpack device (Incompatibility: cannot be used in combination with +# 'itk' mode) +# # run_uid: the uid the vhost should run as with the itk module # run_gid: the gid the vhost should run as with the itk module +# +# mod_security: Whether we use mod_security or not (will include mod_security module) +# - false: don't activate mod_security +# - true: (*default*) activate mod_security +# # php_safe_mode_exec_bins: An array of local binaries which should be linked in the # safe_mode_exec_bin for this hosting # *default*: None # php_default_charset: default charset header for php. 
# *default*: absent, which will set the same as default_charset # of apache +# logmode: +# - default: Do normal logging to CustomLog and ErrorLog +# - nologs: Send every logging to /dev/null +# - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null +# - semianonym: Don't log ips for CustomLog, log normal ErrorLog +# define apache::vhost::php::drupal( $ensure = present, $domain = 'absent', $domainalias = 'absent', $server_admin = 'absent', + $logmode = 'default', $path = 'absent', $owner = root, $group = apache, @@ -25,18 +47,19 @@ define apache::vhost::php::drupal( $run_uid = 'absent', $run_gid = 'absent', $allow_override = 'None', - $php_upload_tmp_dir = 'absent', - $php_session_save_path = 'absent', - $php_safe_mode_exec_bins = 'absent', - $php_default_charset = 'absent', + $php_settings = {}, + $php_options = {}, $do_includes = false, $options = 'absent', $additional_options = 'absent', $default_charset = 'absent', $mod_security = true, $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', $ssl_mode = false, $vhost_mode = 'template', + $template_partial = 'apache/vhosts/php_drupal/partial.erb', $vhost_source = 'absent', $vhost_destination = 'absent', $htpasswd_file = 'absent', @@ -47,7 +70,7 @@ define apache::vhost::php::drupal( $manage_cron = true ){ $documentroot = $path ? { - 'absent' => $operatingsystem ? { + 'absent' => $::operatingsystem ? { openbsd => "/var/www/htdocs/${name}/www", default => "/var/www/vhosts/${name}/www" }, 
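Review bot: The header still documents `php_safe_mode_exec_bins` and `php_default_charset` (kept as unchanged context in this hunk), but the second hunk on this line removes those parameters in favour of `$php_settings`/`$php_options`, so the comment now describes an interface that no longer exists. Replace the two stale entries with a description of the new hashes, e.g. `# php_settings: hash of php.ini settings merged over the drupal defaults in $std_drupal_php_settings (caller values win)` — those defaults are the hash added in the next hunk. gallery2.pp carries the same stale entries in its header and needs the same cleanup.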
@@ -55,10 +78,25 @@ define apache::vhost::php::drupal( } if $manage_cron { - file{"/etc/cron.d/drupal_cron_${name}": - content => "0 * * * * apache wget -O - -q -t 1 http://${doamin}/cron.php\n", - owner => root, group => 0, mode => 0644; - } + if $domain == 'absent' { + $real_domain = $name + } else { + $real_domain = $domain + } + + file{"/etc/cron.d/drupal_cron_${name}": + content => "0 * * * * apache wget -O - -q -t 1 http://${real_domain}/cron.php\n", + owner => root, group => 0, mode => 0644; + } + } + + $std_drupal_php_settings = { + magic_quotes_gpc => 0, + register_globals => 0, + 'session.auto_start' => 0, + 'mbstring.http_input' => 'pass', + 'mbstring.http_output' => 'pass', + 'mbstring.encoding_translation' => 0, } # create vhost configuration file @@ -67,8 +105,8 @@ define apache::vhost::php::drupal( domain => $domain, domainalias => $domainalias, server_admin => $server_admin, + logmode => $logmode, path => $path, - template_mode => 'php_drupal', owner => $owner, group => $group, documentroot_owner => $documentroot_owner, 
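Review bot: The cron line `0 * * * * apache wget -O - -q -t 1 http://${real_domain}/cron.php\n` always uses plain `http://`, but this define also accepts `$ssl_mode`, which vhost/file.pp in this commit documents as `force` (redirect non-ssl) and `only` (ssl only); with `only` there is no http listener to hit and the hourly cron fails without a trace because of `-q`. Selecting the scheme from `$ssl_mode` — `https://` when it is `force` or `only` — keeps cron working for hardened vhosts. The `$real_domain` fallback to `$name` is otherwise sound.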
@@ -78,18 +116,19 @@ define apache::vhost::php::drupal(
 run_uid => $run_uid,
 run_gid => $run_gid,
 allow_override => $allow_override,
- php_upload_tmp_dir => $php_upload_tmp_dir,
- php_session_save_path => $php_session_save_path,
- php_safe_mode_exec_bins => $php_safe_mode_exec_bins,
- php_default_charset => $php_default_charset,
+ php_settings =>merge($std_drupal_php_settings, $php_settings),
+ php_options => $php_options,
 do_includes => $do_includes,
 options => $options,
 additional_options => $additional_options,
 default_charset => $default_charset,
 mod_security => $mod_security,
 mod_security_relevantonly => $mod_security_relevantonly,
+ mod_security_rules_to_disable => $mod_security_rules_to_disable,
+ mod_security_additional_options => $mod_security_additional_options,
 ssl_mode => $ssl_mode,
 vhost_mode => $vhost_mode,
+ template_partial => $template_partial,
 vhost_source => $vhost_source,
 vhost_destination => $vhost_destination,
 htpasswd_file => $htpasswd_file,
diff --git a/manifests/vhost/php/gallery2.pp b/manifests/vhost/php/gallery2.pp
index 19240e9..d1876ff 100644
--- a/manifests/vhost/php/gallery2.pp
+++ b/manifests/vhost/php/gallery2.pp
@@ -1,20 +1,41 @@ -# run_mode: -# - normal: nothing special (*default*) -# - itk: apache is running with the itk module -# and run_uid and run_gid are used as vhost users +# run_mode: controls in which mode the vhost should be run, there are different setups +# possible: +# - normal: (*default*) run vhost with the current active worker (default: prefork) don't +# setup anything special +# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination +# with 'proxy-itk' & 'static-itk' mode) +# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the +# requests for the itk setup, that listens only on the loobpack device. +# (Incompatibility: cannot be used in combination with the itk setup.) +# - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static +# content and proxies the dynamic calls to the itk setup, that listens only on +# the loobpack device (Incompatibility: cannot be used in combination with +# 'itk' mode) +# # run_uid: the uid the vhost should run as with the itk module # run_gid: the gid the vhost should run as with the itk module +# +# mod_security: Whether we use mod_security or not (will include mod_security module) +# - false: (*defaul*) don't activate mod_security +# - true: activate mod_security +# # php_safe_mode_exec_bins: An array of local binaries which should be linked in the # safe_mode_exec_bin for this hosting # *default*: None # php_default_charset: default charset header for php. 
# *default*: absent, which will set the same as default_charset # of apache +# logmode: +# - default: Do normal logging to CustomLog and ErrorLog +# - nologs: Send every logging to /dev/null +# - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null +# - semianonym: Don't log ips for CustomLog, log normal ErrorLog define apache::vhost::php::gallery2( $ensure = present, $domain = 'absent', $domainalias = 'absent', $server_admin = 'absent', + $logmode = 'default', $path = 'absent', $owner = root, $group = apache, 
@@ -25,49 +46,98 @@ define apache::vhost::php::gallery2( $run_uid = 'absent', $run_gid = 'absent', $allow_override = 'None', - $php_upload_tmp_dir = 'absent', - $php_session_save_path = 'absent', - $php_safe_mode_exec_bins = 'absent', - $php_default_charset = 'absent', + $php_settings = {}, + $php_options = {}, $do_includes = false, $options = 'absent', $additional_options = 'absent', $default_charset = 'absent', - $mod_security = true, + $mod_security = false, $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', $ssl_mode = false, $vhost_mode = 'template', + $template_partial = 'apache/vhosts/php_gallery2/partial.erb', $vhost_source = 'absent', $vhost_destination = 'absent', $htpasswd_file = 'absent', $htpasswd_path = 'absent', $manage_config = true, $config_webwriteable = false, - $manage_directories = true + $manage_directories = true, + $upload_dir = 'present' ){ $documentroot = $path ? { - 'absent' => $operatingsystem ? { + 'absent' => $::operatingsystem ? { openbsd => "/var/www/htdocs/${name}/www", default => "/var/www/vhosts/${name}/www" }, default => "${path}/www" } $gdatadir = $path ? { - 'absent' => $operatingsystem ? { + 'absent' => $::operatingsystem ? { openbsd => "/var/www/htdocs/${name}/g2data", default => "/var/www/vhosts/${name}/g2data" }, default => "${path}/g2data" } - file{$gdatadir: - ensure => $ensure ? { - 'present' => directory, - default => absent - }, - owner => $documentroot_owner, - group => $documentroot_group, - mode => 0660; + if ($upload_dir == 'present') or ($upload_dir == 'absent') { + $real_upload_dir = $::operatingsystem ? { + openbsd => "/var/www/htdocs/${name}/upload", + default => "/var/www/vhosts/${name}/upload" + } + } else { + $real_upload_dir = $upload_dir } + file{ + $gdatadir: + ensure => $ensure ? 
{ + 'present' => directory, + default => absent + }, + owner => $documentroot_owner, group => $documentroot_group, mode => 0660; + $real_upload_dir: + owner => $documentroot_owner, group => $documentroot_group, mode => 0660; + } + if ($ensure == 'absent') or ($upload_dir == 'absent') { + File[$real_upload_dir]{ + ensure => absent, + purge => true, + force => true, + recurse => true + } + } else { + File[$real_upload_dir]{ + ensure => directory + } + } + + $gallery_php_settings = { + safe_mode => 'Off', + output_buffering => 'Off', + } + + # php upload_tmp_dir + case $php_settings[upload_tmp_dir] { + '',undef: { + $php_settings[upload_tmp_dir] = "/var/www/upload_tmp_dir/$name" + } + } + # php session_save_path + case $php_settings['session.save_path'] { + '',undef: { + $php_settings['session.save_path'] = "/var/www/session.save_path/$name" + } + } + + if $upload_dir != 'absent' { + $gallery_php_settings[open_basedir] = "${documentroot}:${php_settings[upload_tmp_dir]}:${php_settings['session.save_path']}:${gdatadir}:${real_upload_dir}" + } else { + $gallery_php_settings[open_basedir] = "${documentroot}:${php_settings[upload_tmp_dir]}:${php_settings['session.save_path']}:${gdatadir}" + } + + $real_php_settings = merge($gallery_php_settings,$php_settings) # create vhost configuration file ::apache::vhost::php::webapp{$name: @@ -75,8 +145,8 @@ define apache::vhost::php::gallery2( domain => $domain, domainalias => $domainalias, server_admin => $server_admin, + logmode => $logmode, path => $path, - template_mode => 'php_gallery2', owner => $owner, group => $group, documentroot_owner => $documentroot_owner, 
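Review bot: `File[$real_upload_dir]` is given `ensure => absent, purge => true, force => true, recurse => true` whenever `$ensure == 'absent'`, and in that case `$real_upload_dir` is whatever the caller passed as `$upload_dir`; nothing checks that it is an absolute path, so a relative or empty value would turn a vhost removal into a recursive forced delete of an unexpected directory. A guard such as `if ($upload_dir != 'present') and ($upload_dir != 'absent') and ($upload_dir !~ /^\//) { fail("upload_dir must be an absolute path") }` before the file resource keeps the destructive branch confined to paths the caller deliberately named. Separately, `$php_settings[upload_tmp_dir] = …` and `$php_settings['session.save_path'] = …` write into the hash the caller supplied; that is only tolerated as an append by the old parser and, as far as I recall, is rejected outright by newer Puppet, so building the defaults into `$gallery_php_settings` (which already feeds `merge`) would be safer. The webapp resource declaration continues past the hunk.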
@@ -86,18 +156,19 @@ define apache::vhost::php::gallery2( run_uid => $run_uid, run_gid => $run_gid, allow_override => $allow_override, - php_upload_tmp_dir => $php_upload_tmp_dir, - php_session_save_path => $php_session_save_path, - php_safe_mode_exec_bins => $real_php_safe_mode_exec_bins, - php_default_charset => $php_default_charset, + php_settings => $real_php_settings, + php_options => $php_options, do_includes => $do_includes, options => $options, additional_options => $additional_options, default_charset => $default_charset, mod_security => $mod_security, mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options => $mod_security_additional_options, ssl_mode => $ssl_mode, vhost_mode => $vhost_mode, + template_partial => $template_partial, vhost_source => $vhost_source, vhost_destination => $vhost_destination, htpasswd_file => $htpasswd_file, @@ -106,6 +177,5 @@ define apache::vhost::php::gallery2( manage_config => $manage_config, config_file => 'config.php', } - } diff --git a/manifests/vhost/php/global_exec_bin_dir.pp b/manifests/vhost/php/global_exec_bin_dir.pp new file mode 100644 index 0000000..cbb9803 --- /dev/null +++ b/manifests/vhost/php/global_exec_bin_dir.pp @@ -0,0 +1,6 @@ +class apache::vhost::php::global_exec_bin_dir { + file{'/var/www/php_safe_exec_bins': + ensure => directory, + owner => root, group => apache, mode => 0640; + } +} diff --git a/manifests/vhost/php/joomla.pp b/manifests/vhost/php/joomla.pp index 280792e..3962efa 100644 --- a/manifests/vhost/php/joomla.pp +++ b/manifests/vhost/php/joomla.pp 
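Review bot: The new apache::vhost::php::global_exec_bin_dir class has no header comment, and its `mode => 0640` is an unquoted octal while the rest of this commit adopts the quoted form (e.g. joomla's `$documentroot_mode = '0640'`). A header such as `# Shared, root-owned directory for the binaries exposed to vhosts via php safe_mode (presumably consumed by apache::vhost::php::safe_mode_bin)` plus `mode => '0640'` would make the new file consistent with the others; the link to safe_mode_bin is inferred from the directory name and should be confirmed.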
@@ -1,114 +1,158 @@ -# run_mode: -# - normal: nothing special (*default*) -# - itk: apache is running with the itk module -# and run_uid and run_gid are used as vhost users +# run_mode: controls in which mode the vhost should be run, there are different setups +# possible: +# - normal: (*default*) run vhost with the current active worker (default: prefork) don't +# setup anything special +# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination +# with 'proxy-itk' & 'static-itk' mode) +# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the +# requests for the itk setup, that listens only on the loobpack device. +# (Incompatibility: cannot be used in combination with the itk setup.) +# - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static +# content and proxies the dynamic calls to the itk setup, that listens only on +# the loobpack device (Incompatibility: cannot be used in combination with +# 'itk' mode) +# # run_uid: the uid the vhost should run as with the itk module # run_gid: the gid the vhost should run as with the itk module -# php_safe_mode_exec_bins: An array of local binaries which should be linked in the -# safe_mode_exec_bin for this hosting -# *default*: None -# php_default_charset: default charset header for php. 
-# *default*: absent, which will set the same as default_charset -# of apache +# +# mod_security: Whether we use mod_security or not (will include mod_security module) +# - false: don't activate mod_security +# - true: (*default*) activate mod_security +# +# logmode: +# - default: Do normal logging to CustomLog and ErrorLog +# - nologs: Send every logging to /dev/null +# - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null +# - semianonym: Don't log ips for CustomLog, log normal ErrorLog define apache::vhost::php::joomla( - $ensure = present, - $domain = 'absent', - $domainalias = 'absent', - $server_admin = 'absent', - $path = 'absent', - $owner = root, - $group = apache, - $documentroot_owner = apache, - $documentroot_group = 0, - $documentroot_mode = 0640, - $run_mode = 'normal', - $run_uid = 'absent', - $run_gid = 'absent', - $allow_override = 'None', - $php_upload_tmp_dir = 'absent', - $php_session_save_path = 'absent', - $php_safe_mode_exec_bins = 'absent', - $php_default_charset = 'absent', - $do_includes = false, - $options = 'absent', - $additional_options = 'absent', - $default_charset = 'absent', - $mod_security = true, - $mod_security_relevantonly = true, - $ssl_mode = false, - $vhost_mode = 'template', - $vhost_source = 'absent', - $vhost_destination = 'absent', - $htpasswd_file = 'absent', - $htpasswd_path = 'absent', - $manage_config = true, - $config_webwriteable = false, - $manage_directories = true + $ensure = present, + $domain = 'absent', + $domainalias = 'absent', + $server_admin = 'absent', + $logmode = 'default', + $path = 'absent', + $owner = root, + $group = apache, + $documentroot_owner = apache, + $documentroot_group = 0, + $documentroot_mode = '0640', + $run_mode = 'normal', + $run_uid = 'absent', + $run_gid = 'absent', + $allow_override = 'None', + $php_settings = {}, + $php_options = {}, + $do_includes = false, + $options = 'absent', + $additional_options = 'absent', + $default_charset = 'absent', + $mod_security = true, + 
$mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', + $ssl_mode = false, + $vhost_mode = 'template', + $template_partial = 'apache/vhosts/php_joomla/partial.erb', + $vhost_source = 'absent', + $vhost_destination = 'absent', + $htpasswd_file = 'absent', + $htpasswd_path = 'absent', + $manage_config = true, + $config_webwriteable = false, + $manage_directories = true ){ - include ::apache::joomla + include ::apache::include::joomla - $documentroot = $path ? { - 'absent' => $operatingsystem ? { - openbsd => "/var/www/htdocs/${name}/www", - default => "/var/www/vhosts/${name}/www" - }, - default => "${path}/www" - } + $documentroot = $path ? { + 'absent' => $::operatingsystem ? { + openbsd => "/var/www/htdocs/${name}/www", + default => "/var/www/vhosts/${name}/www" + }, + default => "${path}/www" + } - # create vhost configuration file - ::apache::vhost::php::webapp{$name: - ensure => $ensure, - domain => $domain, - domainalias => $domainalias, - server_admin => $server_admin, - path => $path, - template_mode => 'php_joomla', - owner => $owner, - group => $group, - documentroot_owner => $documentroot_owner, - documentroot_group => $documentroot_group, - documentroot_mode => $documentroot_mode, - run_mode => $run_mode, - run_uid => $run_uid, - run_gid => $run_gid, - allow_override => $allow_override, - php_upload_tmp_dir => $php_upload_tmp_dir, - php_session_save_path => $php_session_save_path, - php_safe_mode_exec_bins => $php_safe_mode_exec_bins, - php_default_charset => $php_default_charset, - do_includes => $do_includes, - options => $options, - additional_options => $additional_options, - default_charset => $default_charset, - mod_security => $mod_security, - mod_security_relevantonly => $mod_security_relevantonly, - ssl_mode => $ssl_mode, - vhost_mode => $vhost_mode, - vhost_source => $vhost_source, - vhost_destination => $vhost_destination, - htpasswd_file => $htpasswd_file, - htpasswd_path => 
$htpasswd_path, - manage_directories => $manage_directories, - managed_directories => [ "$documentroot/administrator/backups", - "$documentroot/administrator/components", - "$documentroot/administrator/language", - "$documentroot/administrator/modules", - "$documentroot/administrator/templates", - "$documentroot/components", - "$documentroot/dmdocuments", - "$documentroot/images", - "$documentroot/language", - "$documentroot/media", - "$documentroot/modules", - "$documentroot/plugins", - "$documentroot/templates", - "$documentroot/cache", - "$documentroot/tmp", - "$documentroot/administrator/cache" ], - manage_config => $manage_config, - config_webwriteable => $config_webwriteable, - config_file => 'configuration.php', + if $mod_security_additional_options == 'absent' { + $id_str = $::operatingsystem ? { + 'CentOS' => $::lsbmajdistrelease ? { + 5 => '', + default => 'id:1199400,' + }, + default => '' } + $real_mod_security_additional_options = "# http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html + # Exceptions for Joomla Root Directory + <LocationMatch \"^/\"> + SecRuleRemoveById 950013 + </LocationMatch> + + # Exceptions for Joomla Administration Panel + SecRule REQUEST_FILENAME \"/administrator/index2.php\" \"${id_str}allow,phase:1,nolog,ctl:ruleEngine=Off\" + + # Exceptions for Joomla Component Expose + <LocationMatch \"^/components/com_expose/expose/manager/amfphp/gateway.php\"> + SecRuleRemoveById 960010 + </LocationMatch> +" + } else { + $real_mod_security_additional_options = $mod_security_additional_options + } + + # create vhost configuration file + ::apache::vhost::php::webapp{ + $name: + ensure => $ensure, + domain => $domain, + domainalias => $domainalias, + server_admin => $server_admin, + logmode => $logmode, + path => $path, + owner => $owner, + group => $group, + documentroot_owner => $documentroot_owner, + documentroot_group => $documentroot_group, + documentroot_mode => $documentroot_mode, + run_mode => $run_mode, + 
run_uid => $run_uid, + run_gid => $run_gid, + allow_override => $allow_override, + php_settings => $php_settings, + php_options => $php_options, + do_includes => $do_includes, + options => $options, + additional_options => $additional_options, + default_charset => $default_charset, + mod_security => $mod_security, + mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options => $real_mod_security_additional_options, + ssl_mode => $ssl_mode, + vhost_mode => $vhost_mode, + template_partial => $template_partial, + vhost_source => $vhost_source, + vhost_destination => $vhost_destination, + htpasswd_file => $htpasswd_file, + htpasswd_path => $htpasswd_path, + manage_directories => $manage_directories, + managed_directories => [ "${documentroot}/administrator/backups", + "${documentroot}/administrator/components", + "${documentroot}/administrator/language", + "${documentroot}/administrator/modules", + "${documentroot}/administrator/templates", + "${documentroot}/components", + "${documentroot}/dmdocuments", + "${documentroot}/images", + "${documentroot}/language", + "${documentroot}/media", + "${documentroot}/modules", + "${documentroot}/plugins", + "${documentroot}/templates", + "${documentroot}/cache", + "${documentroot}/tmp", + "${documentroot}/administrator/cache" ], + manage_config => $manage_config, + config_webwriteable => $config_webwriteable, + config_file => 'configuration.php', + } } diff --git a/manifests/vhost/php/mediawiki.pp b/manifests/vhost/php/mediawiki.pp index d24ada9..502af53 100644 --- a/manifests/vhost/php/mediawiki.pp +++ b/manifests/vhost/php/mediawiki.pp 
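Review bot: The default `$real_mod_security_additional_options` emits `SecRule REQUEST_FILENAME "/administrator/index2.php" "…allow,phase:1,nolog,ctl:ruleEngine=Off"`, which switches the entire rule engine off for the matching request and, with `nolog`, leaves no audit record that it did so. The operand is an unanchored regular-expression match on REQUEST_FILENAME, so it should be anchored (`^/administrator/index2\.php$`) and `nolog` replaced by `log` so the exemption at least shows up in the audit log; the `<LocationMatch "^/">` block likewise removes rule 950013 site-wide and deserves a comment naming the false positive it works around. A comment above the block stating that these are Joomla-specific exemptions taken from the linked howto, replaceable by passing mod_security_additional_options, would document the intent. If `$::lsbmajdistrelease` is a string fact, the bare `5` selector key relies on numeric coercion, which is worth confirming on the target Puppet version.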
@@ -1,20 +1,35 @@ -# run_mode: -# - normal: nothing special (*default*) -# - itk: apache is running with the itk module -# and run_uid and run_gid are used as vhost users +# run_mode: controls in which mode the vhost should be run, there are different setups +# possible: +# - normal: (*default*) run vhost with the current active worker (default: prefork) don't +# setup anything special +# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination +# with 'proxy-itk' & 'static-itk' mode) +# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the +# requests for the itk setup, that listens only on the loobpack device. +# (Incompatibility: cannot be used in combination with the itk setup.) +# - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static +# content and proxies the dynamic calls to the itk setup, that listens only on +# the loobpack device (Incompatibility: cannot be used in combination with +# 'itk' mode) +# # run_uid: the uid the vhost should run as with the itk module # run_gid: the gid the vhost should run as with the itk module -# php_safe_mode_exec_bins: An array of local binaries which should be linked in the -# safe_mode_exec_bin for this hosting -# *default*: None -# php_default_charset: default charset header for php. 
-# *default*: absent, which will set the same as default_charset -# of apache +# +# mod_security: Whether we use mod_security or not (will include mod_security module) +# - false: don't activate mod_security +# - true: (*default*) activate mod_security +# +# logmode: +# - default: Do normal logging to CustomLog and ErrorLog +# - nologs: Send every logging to /dev/null +# - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null +# - semianonym: Don't log ips for CustomLog, log normal ErrorLog define apache::vhost::php::mediawiki( $ensure = present, $domain = 'absent', $domainalias = 'absent', $server_admin = 'absent', + $logmode = 'default', $path = 'absent', $manage_docroot = true, $owner = root, @@ -25,32 +40,38 @@ define apache::vhost::php::mediawiki( $run_mode = 'normal', $run_uid = 'absent', $run_gid = 'absent', - $allow_override = 'FileInfo', - $php_upload_tmp_dir = 'absent', - $php_session_save_path = 'absent', - $php_default_charset = 'absent', - $php_safe_mode_exec_bins = 'absent', + $allow_override = 'FileInfo Limit', + $php_settings = {}, + $php_options = {}, $options = 'absent', $additional_options = 'absent', $default_charset = 'absent', $mod_security = true, $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', $ssl_mode = false, $vhost_mode = 'template', + $template_partial = 'apache/vhosts/php_mediawiki/partial.erb', $vhost_source = 'absent', $vhost_destination = 'absent', $htpasswd_file = 'absent', $htpasswd_path = 'absent' ){ + + $mediawiki_php_settings = { + safe_mode => false, + } + # create vhost configuration file ::apache::vhost::php::webapp{$name: ensure => $ensure, domain => $domain, domainalias => $domainalias, server_admin => $server_admin, + logmode => $logmode, path => $path, manage_docroot => $manage_docroot, - template_mode => 'php_mediawiki', owner => $owner, group => $group, documentroot_owner => $documentroot_owner, 
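Review bot: `$mediawiki_php_settings = { safe_mode => false, }` uses a Puppet boolean where gallery2 in the same commit uses `safe_mode => 'Off'`; unless the partial normalizes booleans (not visible here), the two spellings render differently, so one form should be used in both defines. The `$allow_override` default also widens from `'FileInfo'` to `'FileInfo Limit'`, which lets the application's .htaccess files set access-control directives; a short comment on that parameter naming which MediaWiki .htaccess needs it would record the reason. The define's parameter list starts outside the hunk.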
@@ -60,16 +81,18 @@ define apache::vhost::php::mediawiki( run_uid => $run_uid, run_gid => $run_gid, allow_override => $allow_override, - php_upload_tmp_dir => $php_upload_tmp_dir, - php_session_save_path => $php_session_save_path, - php_default_charset => $php_default_charset, + php_settings => merge($mediawiki_php_settings,$php_settings), + php_options => $php_options, options => $options, additional_options => $additional_options, default_charset => $default_charset, mod_security => $mod_security, mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options => $mod_security_additional_options, ssl_mode => $ssl_mode, vhost_mode => $vhost_mode, + template_partial => $template_partial, vhost_source => $vhost_source, vhost_destination => $vhost_destination, htpasswd_file => $htpasswd_file, diff --git a/manifests/vhost/php/safe_mode_bin.pp b/manifests/vhost/php/safe_mode_bin.pp index e04557c..4a3574d 100644 --- a/manifests/vhost/php/safe_mode_bin.pp +++ b/manifests/vhost/php/safe_mode_bin.pp @@ -1,9 +1,3 @@ -# run_mode: -# - normal: nothing special (*default*) -# - itk: apache is running with the itk module -# and run_uid and run_gid are used as vhost users -# run_uid: the uid the vhost should run as with the itk module -# run_gid: the gid the vhost should run as with the itk module define apache::vhost::php::safe_mode_bin( $ensure = 'present', $path @@ -12,7 +6,7 @@ define apache::vhost::php::safe_mode_bin( $real_path = "$path/$substr" file{$real_path: ensure => $ensure ? { - 'present' => regsubst($name,'^.*_',''), + 'present' => regsubst($name,'^.*@',''), default => absent, } } diff --git a/manifests/vhost/php/silverstripe.pp b/manifests/vhost/php/silverstripe.pp index 3838d55..da58296 100644 --- a/manifests/vhost/php/silverstripe.pp +++ b/manifests/vhost/php/silverstripe.pp 
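Review bot: Changing the regsubst pattern from `'^.*_'` to `'^.*@'` changes the title convention every caller of apache::vhost::php::safe_mode_bin must follow, and the preceding hunk (-1,9) removed the only header comment from this file, so the expected title form (apparently `<prefix>@<binary>`) is now documented nowhere. A header such as `# Links a binary into a vhost's safe_mode exec dir; the resource title must be '<prefix>@<binary>', where <binary> is the basename of the executable to link` would replace the copy-pasted run_mode text that was dropped. The rest of the define, including how `$substr` is derived, lies outside the hunk, so whether it already follows the `@` separator cannot be checked here.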
@@ -1,20 +1,35 @@ -# run_mode: -# - normal: nothing special (*default*) -# - itk: apache is running with the itk module -# and run_uid and run_gid are used as vhost users +# run_mode: controls in which mode the vhost should be run, there are different setups +# possible: +# - normal: (*default*) run vhost with the current active worker (default: prefork) don't +# setup anything special +# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination +# with 'proxy-itk' & 'static-itk' mode) +# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the +# requests for the itk setup, that listens only on the loobpack device. +# (Incompatibility: cannot be used in combination with the itk setup.) +# - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static +# content and proxies the dynamic calls to the itk setup, that listens only on +# the loobpack device (Incompatibility: cannot be used in combination with +# 'itk' mode) +# # run_uid: the uid the vhost should run as with the itk module # run_gid: the gid the vhost should run as with the itk module -# php_safe_mode_exec_bins: An array of local binaries which should be linked in the -# safe_mode_exec_bin for this hosting -# *default*: None -# php_default_charset: default charset header for php. 
-# *default*: absent, which will set the same as default_charset -# of apache +# +# mod_security: Whether we use mod_security or not (will include mod_security module) +# - false: don't activate mod_security +# - true: (*default*) activate mod_security +# +# logmode: +# - default: Do normal logging to CustomLog and ErrorLog +# - nologs: Send every logging to /dev/null +# - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null +# - semianonym: Don't log ips for CustomLog, log normal ErrorLog define apache::vhost::php::silverstripe( $ensure = present, $domain = 'absent', $domainalias = 'absent', $server_admin = 'absent', + $logmode = 'default', $path = 'absent', $owner = root, $group = apache, @@ -25,18 +40,19 @@ define apache::vhost::php::silverstripe( $run_uid = 'absent', $run_gid = 'absent', $allow_override = 'None', - $php_upload_tmp_dir = 'absent', - $php_session_save_path = 'absent', - $php_safe_mode_exec_bins = 'absent', - $php_default_charset = 'absent', + $php_settings = {}, + $php_options = {}, $do_includes = false, $options = 'absent', $additional_options = 'absent', $default_charset = 'absent', $mod_security = true, $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', $ssl_mode = false, $vhost_mode = 'template', + $template_partial = 'apache/vhosts/php_silverstripe/partial.erb', $vhost_source = 'absent', $vhost_destination = 'absent', $htpasswd_file = 'absent', 
@@ -45,13 +61,18 @@ define apache::vhost::php::silverstripe( $config_webwriteable = false, $manage_directories = true ){ + + include ::apache::include::silverstripe + $documentroot = $path ? { - 'absent' => $operatingsystem ? { + 'absent' => $::operatingsystem ? { openbsd => "/var/www/htdocs/${name}/www", default => "/var/www/vhosts/${name}/www" }, default => "${path}/www" } + $modsec_rules = ["960010"] + $real_mod_security_rules_to_disable = array_union($mod_security_rules_to_disable,$modsec_rules) # create vhost configuration file ::apache::vhost::php::webapp{$name: @@ -59,8 +80,8 @@ define apache::vhost::php::silverstripe( domain => $domain, domainalias => $domainalias, server_admin => $server_admin, + logmode => $logmode, path => $path, - template_mode => 'php_silverstripe', owner => $owner, group => $group, documentroot_owner => $documentroot_owner, 
@@ -70,25 +91,25 @@ define apache::vhost::php::silverstripe( run_uid => $run_uid, run_gid => $run_gid, allow_override => $allow_override, - php_upload_tmp_dir => $php_upload_tmp_dir, - php_session_save_path => $php_session_save_path, - php_safe_mode_exec_bins => $php_safe_mode_exec_bins, - php_default_charset => $php_default_charset, + php_settings => $php_settings, + php_options => $php_options, do_includes => $do_includes, options => $options, additional_options => $additional_options, default_charset => $default_charset, mod_security => $mod_security, mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options => $mod_security_additional_options, ssl_mode => $ssl_mode, vhost_mode => $vhost_mode, + template_partial => $template_partial, vhost_source => $vhost_source, vhost_destination => $vhost_destination, htpasswd_file => $htpasswd_file, htpasswd_path => $htpasswd_path, manage_directories => $manage_directories, - managed_directories => [ "$documentroot/assets" - ], + managed_directories => [ "${documentroot}/assets" ], manage_config => $manage_config, } diff --git a/manifests/vhost/php/simplemachine.pp b/manifests/vhost/php/simplemachine.pp index f1ea170..b5178da 100644 --- a/manifests/vhost/php/simplemachine.pp +++ b/manifests/vhost/php/simplemachine.pp 
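Review bot: `$real_mod_security_rules_to_disable`, computed in the preceding hunk (-45,13) as `array_union($mod_security_rules_to_disable,$modsec_rules)`, is never used: this hunk still passes `mod_security_rules_to_disable => $mod_security_rules_to_disable,`, so rule 960010 is not actually disabled for SilverStripe vhosts. The attribute should read `mod_security_rules_to_disable => $real_mod_security_rules_to_disable,`. A one-line comment next to `$modsec_rules = ["960010"]` naming the false positive that rule triggers on would also help future audits of which protections each webapp drops.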
@@ -1,20 +1,35 @@ -# run_mode: -# - normal: nothing special (*default*) -# - itk: apache is running with the itk module -# and run_uid and run_gid are used as vhost users +# run_mode: controls in which mode the vhost should be run, there are different setups +# possible: +# - normal: (*default*) run vhost with the current active worker (default: prefork) don't +# setup anything special +# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination +# with 'proxy-itk' & 'static-itk' mode) +# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the +# requests for the itk setup, that listens only on the loobpack device. +# (Incompatibility: cannot be used in combination with the itk setup.) +# - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static +# content and proxies the dynamic calls to the itk setup, that listens only on +# the loobpack device (Incompatibility: cannot be used in combination with +# 'itk' mode) +# # run_uid: the uid the vhost should run as with the itk module # run_gid: the gid the vhost should run as with the itk module -# php_safe_mode_exec_bins: An array of local binaries which should be linked in the -# safe_mode_exec_bin for this hosting -# *default*: None -# php_default_charset: default charset header for php. 
-# *default*: absent, which will set the same as default_charset -# of apache +# +# mod_security: Whether we use mod_security or not (will include mod_security module) +# - false: don't activate mod_security +# - true: (*default*) activate mod_security +# +# logmode: +# - default: Do normal logging to CustomLog and ErrorLog +# - nologs: Send every logging to /dev/null +# - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null +# - semianonym: Don't log ips for CustomLog, log normal ErrorLog define apache::vhost::php::simplemachine( $ensure = present, $domain = 'absent', $domainalias = 'absent', $server_admin = 'absent', + $logmode = 'default', $path = 'absent', $owner = root, $group = apache, @@ -25,18 +40,19 @@ define apache::vhost::php::simplemachine( $run_uid = 'absent', $run_gid = 'absent', $allow_override = 'None', - $php_upload_tmp_dir = 'absent', - $php_session_save_path = 'absent', - $php_safe_mode_exec_bins = 'absent', - $php_default_charset = 'absent', + $php_settings = {}, + $php_options = {}, $do_includes = false, $options = 'absent', $additional_options = 'absent', $default_charset = 'absent', $mod_security = true, $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', $ssl_mode = false, $vhost_mode = 'template', + $template_partial = 'apache/vhosts/php/partial.erb', $vhost_source = 'absent', $vhost_destination = 'absent', $htpasswd_file = 'absent', @@ -46,7 +62,7 @@ define apache::vhost::php::simplemachine( $manage_directories = true ){ $documentroot = $path ? { - 'absent' => $operatingsystem ? { + 'absent' => $::operatingsystem ? { openbsd => "/var/www/htdocs/${name}/www", default => "/var/www/vhosts/${name}/www" }, 
@@ -59,8 +75,8 @@ define apache::vhost::php::simplemachine( domain => $domain, domainalias => $domainalias, server_admin => $server_admin, + logmode => $logmode, path => $path, - template_mode => 'php_simplemachine', owner => $owner, group => $group, documentroot_owner => $documentroot_owner, @@ -70,30 +86,35 @@ define apache::vhost::php::simplemachine( run_uid => $run_uid, run_gid => $run_gid, allow_override => $allow_override, - php_upload_tmp_dir => $php_upload_tmp_dir, - php_session_save_path => $php_session_save_path, - php_safe_mode_exec_bins => $php_safe_mode_exec_bins, - php_default_charset => $php_default_charset, + php_settings => $php_settings, + php_options => $php_options, do_includes => $do_includes, options => $options, additional_options => $additional_options, default_charset => $default_charset, mod_security => $mod_security, mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options => $mod_security_additional_options, ssl_mode => $ssl_mode, vhost_mode => $vhost_mode, + template_partial => $template_partial, vhost_source => $vhost_source, vhost_destination => $vhost_destination, htpasswd_file => $htpasswd_file, htpasswd_path => $htpasswd_path, manage_directories => $manage_directories, managed_directories => [ - "$documentroot/attachments", - "$documentroot/Packages", - "$documentroot/Themes", - "$documentroot/agreement.txt", - "$documentroot/Packages/installed.list", - "$documentroot/avatars" ], + "${documentroot}/agreement.txt", + "${documentroot}/attachments", + "${documentroot}/avatars", + "${documentroot}/cache", + "${documentroot}/Packages", + "${documentroot}/Packages/installed.list", + "${documentroot}/Smileys", + "${documentroot}/Themes", + "${documentroot}/Themes/default/languages/Install.english.php" + ], manage_config => $manage_config, config_webwriteable => $config_webwriteable, config_file => 'Settings.php', 
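Review bot: The managed_directories list now includes `"${documentroot}/Themes/default/languages/Install.english.php"`, a PHP source file, next to the new `cache` and `Smileys` entries; if managed_directories makes its entries writable by the webserver user (the define does not show what it does with them), a writable .php file lets any file-write flaw in the application become code execution under the vhost. A comment such as `# Install.english.php only needs to be writable during SMF installation; drop it once installed` would record that trade-off, or the entry could be made conditional on a parameter. The webapp resource declaration starts outside the hunk.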
diff --git a/manifests/vhost/php/spip.pp b/manifests/vhost/php/spip.pp
index 5064e77..5f4ffdb 100644
--- a/manifests/vhost/php/spip.pp
+++ b/manifests/vhost/php/spip.pp
@@ -1,20 +1,35 @@ -# run_mode: -# - normal: nothing special (*default*) -# - itk: apache is running with the itk module -# and run_uid and run_gid are used as vhost users +# run_mode: controls in which mode the vhost should be run, there are different setups +# possible: +# - normal: (*default*) run vhost with the current active worker (default: prefork) don't +# setup anything special +# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination +# with 'proxy-itk' & 'static-itk' mode) +# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the +# requests for the itk setup, that listens only on the loobpack device. +# (Incompatibility: cannot be used in combination with the itk setup.) +# - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static +# content and proxies the dynamic calls to the itk setup, that listens only on +# the loobpack device (Incompatibility: cannot be used in combination with +# 'itk' mode) +# # run_uid: the uid the vhost should run as with the itk module # run_gid: the gid the vhost should run as with the itk module -# php_safe_mode_exec_bins: An array of local binaries which should be linked in the -# safe_mode_exec_bin for this hosting -# *default*: None -# php_default_charset: default charset header for php. 
-# *default*: absent, which will set the same as default_charset -# of apache +# +# mod_security: Whether we use mod_security or not (will include mod_security module) +# - false: don't activate mod_security +# - true: (*default*) activate mod_security +# +# logmode: +# - default: Do normal logging to CustomLog and ErrorLog +# - nologs: Send every logging to /dev/null +# - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null +# - semianonym: Don't log ips for CustomLog, log normal ErrorLog define apache::vhost::php::spip( $ensure = present, $domain = 'absent', $domainalias = 'absent', $server_admin = 'absent', + $logmode = 'default', $path = 'absent', $owner = root, $group = apache, @@ -25,16 +40,17 @@ define apache::vhost::php::spip( $run_uid = 'absent', $run_gid = 'absent', $allow_override = 'FileInfo', - $php_upload_tmp_dir = 'absent', - $php_session_save_path = 'absent', - $php_safe_mode_exec_bins = 'absent', - $php_default_charset = 'absent', + $php_settings = {}, + $php_options = {}, + $template_partial = 'apache/vhosts/php/partial.erb', $do_includes = false, $options = 'absent', $additional_options = 'absent', $default_charset = 'absent', $mod_security = true, $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', $ssl_mode = false, $vhost_mode = 'template', $vhost_source = 'absent', @@ -43,7 +59,7 @@ define apache::vhost::php::spip( $htpasswd_path = 'absent' ){ $documentroot = $path ? { - 'absent' => $operatingsystem ? { + 'absent' => $::operatingsystem ? { openbsd => "/var/www/htdocs/${name}/www", default => "/var/www/vhosts/${name}/www" }, @@ -56,8 +72,8 @@ define apache::vhost::php::spip( domain => $domain, domainalias => $domainalias, server_admin => $server_admin, + logmode => $logmode, path => $path, - template_mode => 'php_spip', owner => $owner, group => $group, documentroot_owner => $documentroot_owner, 
@@ -67,23 +83,29 @@ define apache::vhost::php::spip( run_uid => $run_uid, run_gid => $run_gid, allow_override => $allow_override, - php_upload_tmp_dir => $php_upload_tmp_dir, - php_session_save_path => $php_session_save_path, - php_safe_mode_exec_bins => $php_safe_mode_exec_bins, - php_default_charset => $php_default_charset, + php_settings => $php_settings, + php_options => $php_options, do_includes => $do_includes, options => $options, additional_options => $additional_options, default_charset => $default_charset, mod_security => $mod_security, mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options=> $mod_security_additional_options, ssl_mode => $ssl_mode, vhost_mode => $vhost_mode, + template_partial => $template_partial, vhost_source => $vhost_source, vhost_destination => $vhost_destination, htpasswd_file => $htpasswd_file, htpasswd_path => $htpasswd_path, - managed_directories => [ "$documentroot/IMG", "$documentroot/tmp", "$documentroot/local", "$documentroot/config" ], + managed_directories => [ + "${documentroot}/IMG", + "${documentroot}/tmp", + "${documentroot}/local", + "${documentroot}/config" + ], manage_config => false, } } diff --git a/manifests/vhost/php/standard.pp b/manifests/vhost/php/standard.pp index 6a83a42..53fa8f9 100644 --- a/manifests/vhost/php/standard.pp +++ b/manifests/vhost/php/standard.pp 
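Review bot: `mod_security_additional_options=> $mod_security_additional_options,` is missing the space before `=>` that every neighbouring attribute has, so the column-aligned block no longer lines up; write it as `mod_security_additional_options => $mod_security_additional_options,`. The matching lines added to typo3.pp, webapp.pp and wordpress.pp in this commit do carry the space, so spip.pp is the odd one out.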
@@ -1,24 +1,40 @@ -# run_mode: -# - normal: nothing special (*default*) -# - itk: apache is running with the itk module -# and run_uid and run_gid are used as vhost users +# run_mode: controls in which mode the vhost should be run, there are different setups +# possible: +# - normal: (*default*) run vhost with the current active worker (default: prefork) don't +# setup anything special +# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination +# with 'proxy-itk' & 'static-itk' mode) +# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the +# requests for the itk setup, that listens only on the loobpack device. +# (Incompatibility: cannot be used in combination with the itk setup.) +# - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static +# content and proxies the dynamic calls to the itk setup, that listens only on +# the loobpack device (Incompatibility: cannot be used in combination with +# 'itk' mode) +# # run_uid: the uid the vhost should run as with the itk module # run_gid: the gid the vhost should run as with the itk module -# php_safe_mode_exec_bins: An array of local binaries which should be linked in the -# safe_mode_exec_bin for this hosting -# *default*: None -# php_default_charset: default charset header for php. 
-# *default*: absent, which will set the same as default_charset -# of apache +# +# mod_security: Whether we use mod_security or not (will include mod_security module) +# - false: don't activate mod_security +# - true: (*default*) activate mod_security +# +# logmode: +# - default: Do normal logging to CustomLog and ErrorLog +# - nologs: Send every logging to /dev/null +# - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null +# - semianonym: Don't log ips for CustomLog, log normal ErrorLog define apache::vhost::php::standard( $ensure = present, $domain = 'absent', $domainalias = 'absent', $server_admin = 'absent', + $logmode = 'default', + $logpath = 'absent', $path = 'absent', $manage_webdir = true, + $path_is_webdir = false, $manage_docroot = true, - $template_mode = 'php', $owner = root, $group = apache, $documentroot_owner = apache, @@ -28,15 +44,8 @@ define apache::vhost::php::standard( $run_uid = 'absent', $run_gid = 'absent', $allow_override = 'None', - $php_upload_tmp_dir = 'absent', - $php_session_save_path = 'absent', - $php_use_smarty = false, - $php_use_pear = false, - $php_safe_mode = true, - $php_safe_mode_exec_bins = 'absent', - $php_default_charset = 'absent', - $php_additional_open_basedirs = 'absent', - $php_additional_options = 'absent', + $php_settings = {}, + $php_options = {}, $do_includes = false, $options = 'absent', $additional_options = 'absent', 
@@ -44,95 +53,179 @@ define apache::vhost::php::standard( $use_mod_macro = false, $mod_security = true, $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', $ssl_mode = false, $vhost_mode = 'template', + $template_partial = 'apache/vhosts/php/partial.erb', $vhost_source = 'absent', $vhost_destination = 'absent', $htpasswd_file = 'absent', $htpasswd_path = 'absent' ){ - $real_php_default_charset = $php_default_charset ? { - 'absent' => $default_charset ? { - 'On' => 'iso-8859-1', - default => $default_charset - }, - default => $php_default_charset - } - - ::apache::vhost::phpdirs{"${name}": + if $manage_webdir { + # create webdir + ::apache::vhost::webdir{$name: ensure => $ensure, - php_upload_tmp_dir => $php_upload_tmp_dir, - php_session_save_path => $php_session_save_path, + path => $path, + owner => $owner, + group => $group, + run_mode => $run_mode, + manage_docroot => $manage_docroot, documentroot_owner => $documentroot_owner, documentroot_group => $documentroot_group, documentroot_mode => $documentroot_mode, - run_mode => $run_mode, - run_uid => $run_uid, + } } - $php_safe_mode_exec_bin_dir = $path ? { - 'absent' => $operatingsystem ? { - openbsd => "/var/www/htdocs/${name}/bin", - default => "/var/www/vhosts/${name}/bin" - }, - default => "${path}/bin" + $real_path = $path ? { + 'absent' => $::operatingsystem ? { + openbsd => "/var/www/htdocs/${name}", + default => "/var/www/vhosts/${name}" + }, + default => $path + } + + if $path_is_webdir { + $documentroot = $real_path + } else { + $documentroot = "${real_path}/www" + } + $logdir = $logpath ? 
{ + 'absent' => "$real_path/logs", + default => $logpath } - file{$php_safe_mode_exec_bin_dir: + + $std_php_options = { + smarty => false, + pear => false, + } + $real_php_options = merge($std_php_options,$php_options) + + if $real_php_options[smarty] { + include php::extensions::smarty + $smarty_path = '/usr/share/php/Smarty/:' + } else { + $smarty_path = '' + } + + if $real_php_options[pear] { + $pear_path = '/usr/share/pear/:' + } else { + $pear_path = '' + } + + + $std_php_settings = { + engine => 'On', + upload_tmp_dir => "/var/www/upload_tmp_dir/${name}", + 'session.save_path' => "/var/www/session.save_path/${name}", + open_basedir => "${smarty_path}${pear_path}${documentroot}:/var/www/upload_tmp_dir/${name}:/var/www/session.save_path/${name}", + safe_mode => 'On', + } + if $logmode != 'nologs' { + $std_php_settings[error_log] = "${logdir}/php_error_log" + } + if $run_mode == 'fcgid' { + $std_php_settings[safe_mode_gid] = 'On' + } + + if has_key($php_settings,'safe_mode_exec_dir') { + $php_safe_mode_exec_dir = $php_settings[safe_mode_exec_dir] + } else { + $php_safe_mode_exec_dir = $path ? { + 'absent' => $::operatingsystem ? { + openbsd => "/var/www/htdocs/${name}/bin", + default => "/var/www/vhosts/${name}/bin" + }, + default => "${path}/bin" + } + } + file{$php_safe_mode_exec_dir: recurse => true, force => true, purge => true, } - if $php_safe_mode_exec_bins != 'absent' { - File[$php_safe_mode_exec_bin_dir]{ + if has_key($php_options,'safe_mode_exec_bins') { + $std_php_settings[safe_mode_exec_dir] = $php_safe_mode_exec_dir + File[$php_safe_mode_exec_dir]{ ensure => $ensure ? 
{ 'present' => directory, default => absent, }, - source => "puppet://$server/modules/common/empty", owner => $documentroot_owner, group => $documentroot_group, mode => 0750, } - $php_safe_mode_exec_bins_subst = regsubst($php_safe_mode_exec_bins,"(.+)","${name}_\\1") + $php_safe_mode_exec_bins_subst = regsubst($php_options[safe_mode_exec_bins],"(.+)","${name}@\\1") apache::vhost::php::safe_mode_bin{ $php_safe_mode_exec_bins_subst: ensure => $ensure, - path => $php_safe_mode_exec_bin_dir + path => $php_safe_mode_exec_dir } }else{ - File[$php_safe_mode_exec_bin_dir]{ + File[$php_safe_mode_exec_dir]{ ensure => absent, } } - if $php_use_smarty { - include php::extensions::smarty + if !has_key($php_settings,'default_charset') { + if $default_charset != 'absent' { + $std_php_settings[default_charset] = $default_charset ? { + 'On' => 'iso-8859-1', + default => $default_charset + } + } } - if $manage_webdir { - # create webdir - ::apache::vhost::webdir{$name: + $real_php_settings = merge($std_php_settings,$php_settings) + + if $ensure != 'absent' { + case $run_mode { + 'proxy-itk','static-itk': { + include ::php::itk_plus + } + 'itk': { include ::php::itk } + 'fcgid': { + include ::mod_fcgid + include ::php::mod_fcgid + include apache::include::mod_fcgid + + mod_fcgid::starter {$name: + cgi_type => 'php', + cgi_type_options => $real_php_settings, + owner => $run_uid, + group => $run_gid, + notify => Service['apache'], + } + } + default: { include ::php } + } + } + + ::apache::vhost::phpdirs{"${name}": ensure => $ensure, - path => $path, - owner => $owner, - group => $group, - run_mode => $run_mode, - manage_docroot => $manage_docroot, + php_upload_tmp_dir => $real_php_settings[upload_tmp_dir], + php_session_save_path => $real_php_settings['session.save_path'], documentroot_owner => $documentroot_owner, documentroot_group => $documentroot_group, documentroot_mode => $documentroot_mode, - } + run_mode => $run_mode, + run_uid => $run_uid, } # create vhost configuration file 
::apache::vhost{$name: ensure => $ensure, path => $path, - template_mode => $template_mode, + path_is_webdir => $path_is_webdir, vhost_mode => $vhost_mode, + template_partial => $template_partial, vhost_source => $vhost_source, vhost_destination => $vhost_destination, domain => $domain, domainalias => $domainalias, server_admin => $server_admin, + logmode => $logmode, + logpath => $logpath, run_mode => $run_mode, run_uid => $run_uid, run_gid => $run_gid, @@ -141,21 +234,17 @@ define apache::vhost::php::standard( options => $options, additional_options => $additional_options, default_charset => $default_charset, - php_safe_mode_exec_bin_dir => $php_safe_mode_exec_bin_dir, - php_upload_tmp_dir => $php_upload_tmp_dir, - php_session_save_path => $php_session_save_path, - php_use_smarty => $php_use_smarty, - php_use_pear => $php_use_pear, - php_safe_mode => $php_safe_mode, - php_default_charset => $real_php_default_charset, - php_additional_open_basedirs => $php_additional_open_basedirs, - php_additional_options => $php_additional_options, + php_settings => $real_php_settings, + php_options => $real_php_options, ssl_mode => $ssl_mode, htpasswd_file => $htpasswd_file, htpasswd_path => $htpasswd_path, mod_security => $mod_security, mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options => $mod_security_additional_options, use_mod_macro => $use_mod_macro, + passing_extension => 'php', } } diff --git a/manifests/vhost/php/typo3.pp b/manifests/vhost/php/typo3.pp index dec227c..a9f12d8 100644 --- a/manifests/vhost/php/typo3.pp +++ b/manifests/vhost/php/typo3.pp 
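Review bot: `open_basedir` in `$std_php_settings` is built from the hard-coded `/var/www/upload_tmp_dir/${name}` and `/var/www/session.save_path/${name}`, yet `upload_tmp_dir` and `session.save_path` are overridable through `merge($std_php_settings,$php_settings)` and the overridden values are what `::apache::vhost::phpdirs` then creates. A caller who relocates either directory without also restating `open_basedir` gets directories PHP is not allowed to write to, a silent failure that tends to be "fixed" by loosening `open_basedir`; resolving the two paths before the hash is built keeps the allow-list and the directories in step, as sketched below. `"$real_path/logs"` in the `$logdir` selector is also the one interpolation this commit leaves without braces (`"${real_path}/logs"` matches the rest), and the `$php_safe_mode_exec_dir` fallback re-derives the same selector as `$real_path` and could simply be `"${real_path}/bin"`. The define continues past the end of the hunk.
```puppet
# … unchanged: smarty/pear path setup …
# resolve the two relocatable dirs once so open_basedir and phpdirs agree
if has_key($php_settings,'upload_tmp_dir') {
  $real_upload_tmp_dir = $php_settings[upload_tmp_dir]
} else {
  $real_upload_tmp_dir = "/var/www/upload_tmp_dir/${name}"
}
if has_key($php_settings,'session.save_path') {
  $real_session_save_path = $php_settings['session.save_path']
} else {
  $real_session_save_path = "/var/www/session.save_path/${name}"
}
$std_php_settings = {
  engine              => 'On',
  upload_tmp_dir      => $real_upload_tmp_dir,
  'session.save_path' => $real_session_save_path,
  open_basedir        => "${smarty_path}${pear_path}${documentroot}:${real_upload_tmp_dir}:${real_session_save_path}",
  safe_mode           => 'On',
}
# … unchanged: error_log / safe_mode_gid additions, safe_mode_exec_dir handling …
```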
@@ -1,20 +1,35 @@ -# run_mode: -# - normal: nothing special (*default*) -# - itk: apache is running with the itk module -# and run_uid and run_gid are used as vhost users +# run_mode: controls in which mode the vhost should be run, there are different setups +# possible: +# - normal: (*default*) run vhost with the current active worker (default: prefork) don't +# setup anything special +# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination +# with 'proxy-itk' & 'static-itk' mode) +# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the +# requests for the itk setup, that listens only on the loobpack device. +# (Incompatibility: cannot be used in combination with the itk setup.) +# - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static +# content and proxies the dynamic calls to the itk setup, that listens only on +# the loobpack device (Incompatibility: cannot be used in combination with +# 'itk' mode) +# # run_uid: the uid the vhost should run as with the itk module # run_gid: the gid the vhost should run as with the itk module -# php_safe_mode_exec_bins: An array of local binaries which should be linked in the -# safe_mode_exec_bin for this hosting -# *default*: None -# php_default_charset: default charset header for php. 
-# *default*: absent, which will set the same as default_charset -# of apache +# +# mod_security: Whether we use mod_security or not (will include mod_security module) +# - false: don't activate mod_security +# - true: (*default*) activate mod_security +# +# logmode: +# - default: Do normal logging to CustomLog and ErrorLog +# - nologs: Send every logging to /dev/null +# - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null +# - semianonym: Don't log ips for CustomLog, log normal ErrorLog define apache::vhost::php::typo3( $ensure = present, $domain = 'absent', $domainalias = 'absent', $server_admin = 'absent', + $logmode = 'default', $path = 'absent', $owner = root, $group = apache, @@ -25,18 +40,19 @@ define apache::vhost::php::typo3( $run_uid = 'absent', $run_gid = 'absent', $allow_override = 'None', - $php_upload_tmp_dir = 'absent', - $php_session_save_path = 'absent', - $php_safe_mode_exec_bins = 'absent', - $php_default_charset = 'absent', + $php_settings = {}, + $php_options = {}, $do_includes = false, $options = 'absent', $additional_options = 'absent', $default_charset = 'absent', $mod_security = true, $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', $ssl_mode = false, $vhost_mode = 'template', + $template_partial = 'apache/vhosts/php_typo3/partial.erb', $vhost_source = 'absent', $vhost_destination = 'absent', $htpasswd_file = 'absent', 
@@ -46,21 +62,39 @@ define apache::vhost::php::typo3( $manage_directories = true ){ $documentroot = $path ? { - 'absent' => $operatingsystem ? { + 'absent' => $::operatingsystem ? { openbsd => "/var/www/htdocs/${name}/www", default => "/var/www/vhosts/${name}/www" }, default => "${path}/www" } + $modsec_rules = ["960010"] + $real_mod_security_rules_to_disable = array_union($mod_security_rules_to_disable,$modsec_rules) + if $mod_security_additional_options == 'absent' { + $real_mod_security_additional_options = '<Location "/typo3"> + SecRuleEngine Off + SecAuditEngine Off + </Location> +' + } else { + $real_mod_security_additional_options = $mod_security_additional_options + } + + $typo3_php_settings = { + # turn allow_url_fopen on for the extension manager fetch + allow_url_fopen => 'On' + } + $real_php_settings = merge($typo3_php_settings,$php_settings) + # create vhost configuration file ::apache::vhost::php::webapp{$name: ensure => $ensure, domain => $domain, domainalias => $domainalias, server_admin => $server_admin, + logmode => $logmode, path => $path, - template_mode => 'php_typo3', owner => $owner, group => $group, documentroot_owner => $documentroot_owner, 
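Review bot: The default `$real_mod_security_additional_options` turns both `SecRuleEngine` and `SecAuditEngine` off for `<Location "/typo3">`, so the TYPO3 backend is served with neither inspection nor audit logging, and nothing in the hunk records why. If the rule engine has to be off for the backend to work, `SecRuleEngine DetectionOnly` with `SecAuditEngine` left alone keeps a record of what reaches the backend without blocking it; whichever is chosen, `$modsec_rules = ["960010"]` needs a why-comment naming what that rule rejects in TYPO3 requests, and the same applies to the two ids wordpress.pp disables further down. The `else` branch also silently drops the `/typo3` block whenever a caller passes its own `$mod_security_additional_options` instead of appending to it, which the header should state. The comment on `allow_url_fopen => 'On'` is the right kind of note; extending it with `# NOTE: presumably applies vhost-wide, not only to the extension manager — confirm` would make the trade-off visible to the next reader.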
@@ -70,40 +104,41 @@ define apache::vhost::php::typo3( run_uid => $run_uid, run_gid => $run_gid, allow_override => $allow_override, - php_upload_tmp_dir => $php_upload_tmp_dir, - php_session_save_path => $php_session_save_path, - php_safe_mode_exec_bins => $php_safe_mode_exec_bins, - php_default_charset => $php_default_charset, + php_settings => $real_php_settings, + php_options => $php_options, do_includes => $do_includes, options => $options, additional_options => $additional_options, default_charset => $default_charset, mod_security => $mod_security, mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $real_mod_security_rules_to_disable, + mod_security_additional_options => $real_mod_security_additional_options, ssl_mode => $ssl_mode, vhost_mode => $vhost_mode, + template_partial => $template_partial, vhost_source => $vhost_source, vhost_destination => $vhost_destination, htpasswd_file => $htpasswd_file, htpasswd_path => $htpasswd_path, manage_directories => $manage_directories, - managed_directories => [ "$documentroot/typo3temp", - "$documentroot/typo3temp/pics", - "$documentroot/typo3temp/temp", - "$documentroot/typo3temp/llxml", - "$documentroot/typo3temp/cs", - "$documentroot/typo3temp/GB", - "$documentroot/typo3temp/locks", - "$documentroot/typo3conf", - "$documentroot/typo3conf/ext", - "$documentroot/typo3conf/l10n", - # "$documentroot/typo3/ext/", # only needed for ext manager installing global extensions - "$documentroot/uploads", - "$documentroot/uploads/pics", - "$documentroot/uploads/media", - "$documentroot/uploads/tf", - "$documentroot/fileadmin", - "$documentroot/fileadmin/_temp_" + managed_directories => [ "${documentroot}/typo3temp", + "${documentroot}/typo3temp/pics", + "${documentroot}/typo3temp/temp", + "${documentroot}/typo3temp/llxml", + "${documentroot}/typo3temp/cs", + "${documentroot}/typo3temp/GB", + "${documentroot}/typo3temp/locks", + "${documentroot}/typo3conf", + 
"${documentroot}/typo3conf/ext", + "${documentroot}/typo3conf/l10n", + # "${documentroot}/typo3/ext/", # only needed for ext manager installing global extensions + "${documentroot}/uploads", + "${documentroot}/uploads/pics", + "${documentroot}/uploads/media", + "${documentroot}/uploads/tf", + "${documentroot}/fileadmin", + "${documentroot}/fileadmin/_temp_" ], manage_config => $manage_config, } diff --git a/manifests/vhost/php/webapp.pp b/manifests/vhost/php/webapp.pp index 22e932a..54905ca 100644 --- a/manifests/vhost/php/webapp.pp +++ b/manifests/vhost/php/webapp.pp 
@@ -1,24 +1,38 @@ -# run_mode: -# - normal: nothing special (*default*) -# - itk: apache is running with the itk module -# and run_uid and run_gid are used as vhost users +# run_mode: controls in which mode the vhost should be run, there are different setups +# possible: +# - normal: (*default*) run vhost with the current active worker (default: prefork) don't +# setup anything special +# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination +# with 'proxy-itk' & 'static-itk' mode) +# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the +# requests for the itk setup, that listens only on the loobpack device. +# (Incompatibility: cannot be used in combination with the itk setup.) +# - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static +# content and proxies the dynamic calls to the itk setup, that listens only on +# the loobpack device (Incompatibility: cannot be used in combination with +# 'itk' mode) +# # run_uid: the uid the vhost should run as with the itk module # run_gid: the gid the vhost should run as with the itk module -# php_safe_mode_exec_bins: An array of local binaries which should be linked in the -# safe_mode_exec_bin for this hosting -# *default*: None -# php_default_charset: default charset header for php. 
-# *default*: absent, which will set the same as default_charset -# of apache +# +# mod_security: Whether we use mod_security or not (will include mod_security module) +# - false: don't activate mod_security +# - true: (*default*) activate mod_security +# +# logmode: +# - default: Do normal logging to CustomLog and ErrorLog +# - nologs: Send every logging to /dev/null +# - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null +# - semianonym: Don't log ips for CustomLog, log normal ErrorLog define apache::vhost::php::webapp( $ensure = present, $domain = 'absent', $domainalias = 'absent', $server_admin = 'absent', + $logmode = 'default', $path = 'absent', $manage_webdir = true, $manage_docroot = true, - $template_mode, $owner = root, $group = apache, $documentroot_owner = apache, @@ -28,18 +42,19 @@ define apache::vhost::php::webapp( $run_uid = 'absent', $run_gid = 'absent', $allow_override = 'None', - $php_upload_tmp_dir = 'absent', - $php_session_save_path = 'absent', - $php_safe_mode_exec_bins = 'absent', - $php_default_charset = 'absent', + $php_settings = {}, + $php_options = {}, $do_includes = false, $options = 'absent', $additional_options = 'absent', $default_charset = 'absent', $mod_security = true, $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', $ssl_mode = false, $vhost_mode = 'template', + $template_partial, $vhost_source = 'absent', $vhost_destination = 'absent', $htpasswd_file = 'absent', 
@@ -59,7 +74,20 @@ define apache::vhost::php::webapp( } if $manage_config { - if $config_file == 'absent' { fail("No config file defined for ${name} on ${fqdn}, if you'd like to manage the config, you have to add one!") } + if $config_file == 'absent' { fail("No config file defined for ${name} on ${::fqdn}, if you'd like to manage the config, you have to add one!") } + + $real_path = $path ? { + 'absent' => $::operatingsystem ? { + openbsd => "/var/www/htdocs/${name}", + default => "/var/www/vhosts/${name}" + }, + default => $path + } + if $path_is_webdir { + $documentroot = $real_path + } else { + $documentroot = "${real_path}/www" + } ::apache::vhost::file::documentrootfile{"configurationfile_${name}": documentroot => $documentroot, filename => $config_file, @@ -85,10 +113,10 @@ define apache::vhost::php::webapp( domain => $domain, domainalias => $domainalias, server_admin => $server_admin, + logmode => $logmode, path => $path, manage_webdir => $manage_webdir, manage_docroot => $manage_docroot, - template_mode => $template_mode, owner => $owner, group => $group, documentroot_owner => $documentroot_owner, 
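Review bot: Inside `if $manage_config` the hunk assigns `$documentroot`, yet the `::apache::vhost::file::documentrootfile` call already consumed a `$documentroot` before this change, which suggests the define computes it higher up in lines not shown here; if so, Puppet rejects the second assignment in the same scope, and the new `$real_path` selector should replace the earlier computation rather than sit beside it. `$path_is_webdir` is read here but does not appear in the parameter list shown by the two hunks above, so unless it is declared in the unseen new-side lines 61–73 it resolves to undef and the `else` branch always wins. The same `$real_path` selector is now spelled out in standard.pp and here; a single shared derivation would avoid the two copies drifting. The enclosing `if $manage_config` block and the define both continue past the hunk.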
@@ -98,18 +126,19 @@ define apache::vhost::php::webapp( run_uid => $run_uid, run_gid => $run_gid, allow_override => $allow_override, - php_upload_tmp_dir => $php_upload_tmp_dir, - php_session_save_path => $php_session_save_path, - php_safe_mode_exec_bins => $php_safe_mode_exec_bins, - php_default_charset => $php_default_charset, + php_settings => $php_settings, + php_options => $php_options, do_includes => $do_includes, options => $options, additional_options => $additional_options, default_charset => $default_charset, mod_security => $mod_security, mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options => $mod_security_additional_options, ssl_mode => $ssl_mode, vhost_mode => $vhost_mode, + template_partial => $template_partial, vhost_source => $vhost_source, vhost_destination => $vhost_destination, htpasswd_file => $htpasswd_file, diff --git a/manifests/vhost/php/wordpress.pp b/manifests/vhost/php/wordpress.pp index c4e77f2..7a41ad7 100644 --- a/manifests/vhost/php/wordpress.pp +++ b/manifests/vhost/php/wordpress.pp 
@@ -1,20 +1,35 @@ -# run_mode: -# - normal: nothing special (*default*) -# - itk: apache is running with the itk module -# and run_uid and run_gid are used as vhost users +# run_mode: controls in which mode the vhost should be run, there are different setups +# possible: +# - normal: (*default*) run vhost with the current active worker (default: prefork) don't +# setup anything special +# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination +# with 'proxy-itk' & 'static-itk' mode) +# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the +# requests for the itk setup, that listens only on the loobpack device. +# (Incompatibility: cannot be used in combination with the itk setup.) +# - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static +# content and proxies the dynamic calls to the itk setup, that listens only on +# the loobpack device (Incompatibility: cannot be used in combination with +# 'itk' mode) +# # run_uid: the uid the vhost should run as with the itk module # run_gid: the gid the vhost should run as with the itk module -# php_safe_mode_exec_bins: An array of local binaries which should be linked in the -# safe_mode_exec_bin for this hosting -# *default*: None -# php_default_charset: default charset header for php. 
-# *default*: absent, which will set the same as default_charset -# of apache +# +# mod_security: Whether we use mod_security or not (will include mod_security module) +# - false: don't activate mod_security +# - true: (*default*) activate mod_security +# +# logmode: +# - default: Do normal logging to CustomLog and ErrorLog +# - nologs: Send every logging to /dev/null +# - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null +# - semianonym: Don't log ips for CustomLog, log normal ErrorLog define apache::vhost::php::wordpress( $ensure = present, $domain = 'absent', $domainalias = 'absent', $server_admin = 'absent', + $logmode = 'default', $path = 'absent', $owner = root, $group = apache, @@ -25,18 +40,19 @@ define apache::vhost::php::wordpress( $run_uid = 'absent', $run_gid = 'absent', $allow_override = 'FileInfo', - $php_upload_tmp_dir = 'absent', - $php_session_save_path = 'absent', - $php_safe_mode_exec_bins = 'absent', - $php_default_charset = 'absent', + $php_settings = {}, + $php_options = {}, $do_includes = false, $options = 'absent', $additional_options = 'absent', $default_charset = 'absent', $mod_security = true, $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', $ssl_mode = false, $vhost_mode = 'template', + $template_partial = 'apache/vhosts/php_wordpress/partial.erb', $vhost_source = 'absent', $vhost_destination = 'absent', $htpasswd_file = 'absent', 
@@ -47,21 +63,23 @@ define apache::vhost::php::wordpress( ){ $documentroot = $path ? { - 'absent' => $operatingsystem ? { + 'absent' => $::operatingsystem ? { openbsd => "/var/www/htdocs/${name}/www", default => "/var/www/vhosts/${name}/www" }, default => "${path}/www" } + $modsec_rules = ["960010", "950018"] + $real_mod_security_rules_to_disable = array_union($mod_security_rules_to_disable,$modsec_rules) # create vhost configuration file - ::apache::vhost::php::webapp{$name: + apache::vhost::php::webapp{$name: ensure => $ensure, domain => $domain, domainalias => $domainalias, server_admin => $server_admin, + logmode => $logmode, path => $path, - template_mode => 'php_wordpress', owner => $owner, group => $group, documentroot_owner => $documentroot_owner, 
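Review bot: The resource declaration drops the leading `::` (`apache::vhost::php::webapp{$name:`) while typo3.pp in the same commit keeps `::apache::vhost::php::webapp{$name:` and spip.pp keeps the old form as context; pick one and use it in all three. Relative names resolve against the current namespace first, so the anchored form is the safer convention for a module that also ships an `apache::vhost` namespace. The define continues past the hunk.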
@@ -71,24 +89,25 @@ define apache::vhost::php::wordpress( run_uid => $run_uid, run_gid => $run_gid, allow_override => $allow_override, - php_upload_tmp_dir => $php_upload_tmp_dir, - php_session_save_path => $php_session_save_path, - php_safe_mode_exec_bins => $php_safe_mode_exec_bins, - php_default_charset => $php_default_charset, + php_settings => $php_settings, + php_options => $php_options, do_includes => $do_includes, options => $options, additional_options => $additional_options, default_charset => $default_charset, mod_security => $mod_security, mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $real_mod_security_rules_to_disable, + mod_security_additional_options => $mod_security_additional_options, ssl_mode => $ssl_mode, vhost_mode => $vhost_mode, + template_partial => $template_partial, vhost_source => $vhost_source, vhost_destination => $vhost_destination, htpasswd_file => $htpasswd_file, htpasswd_path => $htpasswd_path, manage_directories => $manage_directories, - managed_directories => "$documentroot/wp-content", + managed_directories => "${documentroot}/wp-content", manage_config => $manage_config, config_webwriteable => $config_webwriteable, config_file => 'wp-config.php', diff --git a/manifests/vhost/phpdirs.pp b/manifests/vhost/phpdirs.pp index 24413d0..5936da6 100644 --- a/manifests/vhost/phpdirs.pp +++ b/manifests/vhost/phpdirs.pp 
@@ -1,49 +1,39 @@ define apache::vhost::phpdirs( - $ensure = present, - $php_upload_tmp_dir = 'absent', - $php_session_save_path = 'absent', - $documentroot_owner = apache, - $documentroot_group = 0, - $documentroot_mode = 0750, - $run_mode = 'normal', - $run_uid = 'absent' + $ensure = present, + $php_upload_tmp_dir, + $php_session_save_path, + $documentroot_owner = apache, + $documentroot_group = 0, + $documentroot_mode = 0750, + $run_mode = 'normal', + $run_uid = 'absent' ){ - # php upload_tmp_dir - case $php_upload_tmp_dir { - 'absent': { - include apache::defaultphpdirs - $real_php_upload_tmp_dir = "/var/www/upload_tmp_dir/$name" - } - default: { $real_php_upload_tmp_dir = $php_upload_tmp_dir } + case $ensure { + absent : { + file { + [$php_upload_tmp_dir, $php_session_save_path] : + ensure => absent, + purge => true, + force => true, + recurse => true, + } } - # php session_save_path - case $php_session_save_path { - 'absent': { - include apache::defaultphpdirs - $real_php_session_save_path = "/var/www/session.save_path/$name" - } - default: { $real_php_session_save_path = $php_session_save_path } - } - - case $ensure { - absent: { - file{[$real_php_upload_tmp_dir, $real_php_session_save_path ]: - ensure => absent, - purge => true, - force => true, - recurse => true, - } - } - default: { - file{[$real_php_upload_tmp_dir, $real_php_session_save_path ]: - ensure => directory, - owner => $run_mode ? { - 'itk' => $run_uid, - default => $documentroot_owner - }, - group => $documentroot_group, mode => $documentroot_mode; - } - } + default : { + include apache::defaultphpdirs + file { + [$php_upload_tmp_dir, $php_session_save_path] : + ensure => directory, + owner => $run_mode ? { + 'itk' => $run_uid, + 'static-itk' => $run_uid, + 'proxy-itk' => $run_uid, + 'fcgid' => $run_uid, + default => $documentroot_owner + }, + group => $documentroot_group, + mode => $documentroot_mode ; + } } + } } 
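Review bot: With `$php_upload_tmp_dir` and `$php_session_save_path` now mandatory caller-supplied paths, the `absent` branch's `file { ... ensure => absent, purge => true, force => true, recurse => true }` recursively removes whatever directories the caller named, whereas before it could only ever reach the per-vhost defaults under `/var/www`; a caller that points `upload_tmp_dir` at a shared location and later sets `ensure => absent` loses that tree. A header comment stating that these two directories are treated as owned exclusively by this vhost, or a guard that refuses to purge anything outside the per-vhost defaults, is needed. The owner selector maps the four non-normal run modes to `$run_uid`, whose default is still `'absent'`; unless a caller validates it (standard.pp passes its own `'absent'` default straight through), the resource is declared with owner `absent`, so a `fail()` for `$run_mode != 'normal' and $run_uid == 'absent'` would make that explicit. `$documentroot_mode = 0750` also remains an unquoted octal literal, which newer Puppet releases deprecate in favour of `'0750'`.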
diff --git a/manifests/vhost/proxy.pp b/manifests/vhost/proxy.pp
new file mode 100644
index 0000000..1c3b500
--- /dev/null
+++ b/manifests/vhost/proxy.pp
@@ -0,0 +1,65 @@ +# Proxy VHost +# Parameters: +# +# - ensure: wether this vhost is `present` or `absent` +# - domain: the domain to redirect (*name*) +# - domainalias: A list of whitespace seperated domains to redirect +# - target_url: the url to be proxied. Note: We don't want http://example.com/foobar only example.com/foobar +# - server_admin: the email that is shown as responsible +# - ssl_mode: wether this vhost supports ssl or not +# - false: don't enable ssl for this vhost (default) +# - true: enable ssl for this vhost +# - force: enable ssl and redirect non-ssl to ssl +# - only: enable ssl only +# +# logmode: +# +# - default: Do normal logging to CustomLog and ErrorLog +# - nologs: Send every logging to /dev/null +# - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null +# - semianonym: Don't log ips for CustomLog, log normal ErrorLog +# +define apache::vhost::proxy( + $ensure = present, + $domain = 'absent', + $domainalias = 'absent', + $htpasswd_file = 'absent', + $target_url, + $server_admin = 'absent', + $logmode = 'default', + $mod_security = false, + $ssl_mode = false, + $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', + $additional_options = 'absent' +){ + # create vhost configuration file + # we use the options field as the target_url + ::apache::vhost::template{$name: + ensure => $ensure, + template_partial => 'apache/vhosts/proxy/partial.erb', + domain => $domain, + path => 'really_absent', + path_is_webdir => true, + htpasswd_file => $htpasswd_file, + domainalias => $domainalias, + server_admin => $server_admin, + logpath => $::operatingsystem ? 
{ + openbsd => '/var/www/logs', + centos => '/var/log/httpd', + default => '/var/log/apache2' + }, + logmode => $logmode, + allow_override => $allow_override, + run_mode => 'normal', + mod_security => $mod_security, + mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options => $mod_security_additional_options, + options => $target_url, + ssl_mode => $ssl_mode, + additional_options => $additional_options, + } +} + diff --git a/manifests/vhost/redirect.pp b/manifests/vhost/redirect.pp index 10b78bf..a106c59 100644 --- a/manifests/vhost/redirect.pp +++ b/manifests/vhost/redirect.pp @@ -1,5 +1,6 @@ # Redirect VHost to redirect hosts # Parameters: +# # - ensure: wether this vhost is `present` or `absent` # - domain: the domain to redirect (*name*) # - domainalias: A list of whitespace seperated domains to redirect 
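Review bot: `allow_override => $allow_override` in the new proxy.pp references a variable the define neither declares as a parameter nor assigns, so it is either picked up from an enclosing scope by dynamic lookup or resolves to undef; either way the value handed to `::apache::vhost::template` is not something this file controls. Either add `$allow_override = 'None',` to the parameter list or drop the attribute; redirect.pp in the hunk below carries the same line as pre-existing context. The header documents seven of the thirteen parameters: `htpasswd_file`, `mod_security`, `mod_security_relevantonly`, `mod_security_rules_to_disable`, `mod_security_additional_options` and `additional_options` are missing. The `mod_security => false` default is the opposite of the php vhosts in this commit, which for a vhost that forwards every request to `$target_url` deserves a sentence such as `# - mod_security: off by default, so proxied requests are not inspected unless enabled`. The `target_url` line is also the place to note that the value is presumably interpolated into the proxy partial unchanged and must therefore come from trusted manifest data.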
@@ -10,23 +11,41 @@ # - true: enable ssl for this vhost # - force: enable ssl and redirect non-ssl to ssl # - only: enable ssl only +# +# logmode: +# +# - default: Do normal logging to CustomLog and ErrorLog +# - nologs: Send every logging to /dev/null +# - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null +# - semianonym: Don't log ips for CustomLog, log normal ErrorLog +# define apache::vhost::redirect( $ensure = present, $domain = 'absent', $domainalias = 'absent', $target_url, $server_admin = 'absent', + $logmode = 'default', $ssl_mode = false ){ # create vhost configuration file # we use the options field as the target_url ::apache::vhost::template{$name: ensure => $ensure, - template_mode => 'redirect', + template_partial => 'apache/vhosts/redirect/partial.erb', domain => $domain, + path => 'really_absent', + path_is_webdir => true, domainalias => $domainalias, server_admin => $server_admin, + logpath => $::operatingsystem ? { + openbsd => '/var/www/logs', + centos => '/var/log/httpd', + default => '/var/log/apache2' + }, + logmode => $logmode, allow_override => $allow_override, + run_mode => 'normal', mod_security => false, options => $target_url, ssl_mode => $ssl_mode, diff --git a/manifests/vhost/static.pp b/manifests/vhost/static.pp index 307dfbe..f1dbcc2 100644 --- a/manifests/vhost/static.pp +++ b/manifests/vhost/static.pp 
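Review bot: The OS→logpath selector added here is a verbatim copy of the one in the new proxy.pp; two copies of the table that decides where request logs land will drift, so consider hoisting it into one shared variable (for example in apache::base) and passing that instead. The context line `allow_override => $allow_override` is still not backed by a parameter or an assignment in this define — the same gap as in proxy.pp — and `$allow_override = 'None',` in the parameter list would pin it to the template's default rather than to whatever is in dynamic scope. The define's closing lines are outside this hunk.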
@@ -1,11 +1,23 @@ # vhost_mode: which option is chosen to deploy the vhost # - template: generate it from a template (default) # - file: deploy a vhost file (apache::vhost::file will be called directly) +# +# logmode: +# - default: Do normal logging to CustomLog and ErrorLog +# - nologs: Send every logging to /dev/null +# - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null +# - semianonym: Don't log ips for CustomLog, log normal ErrorLog +# +# mod_security: Whether we use mod_security or not (will include mod_security module) +# - false: (*default*) don't activate mod_security +# - true: activate mod_security +# define apache::vhost::static( $ensure = present, $domain = 'absent', $domainalias = 'absent', $server_admin = 'absent', + $logmode = 'default', $path = 'absent', $owner = root, $group = apache, @@ -18,13 +30,17 @@ define apache::vhost::static( $additional_options = 'absent', $default_charset = 'absent', $ssl_mode = false, + $run_mode = 'normal', $vhost_mode = 'template', + $template_partial = 'apache/vhosts/static/partial.erb', $vhost_source = 'absent', $vhost_destination = 'absent', $htpasswd_file = 'absent', $htpasswd_path = 'absent', $mod_security = false, - $mod_security_relevantonly = true + $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent' ){ # create webdir ::apache::vhost::webdir{$name: @@ -32,7 +48,7 @@ define apache::vhost::static( path => $path, owner => $owner, group => $group, - run_mode => 'normal', + run_mode => $run_mode, documentroot_owner => $documentroot_owner, documentroot_group => $documentroot_group, documentroot_mode => $documentroot_mode, 
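Review bot: Exposing `$run_mode` here lets a static vhost be switched to an itk or fcgid mode, but the define forwards no `run_uid`/`run_gid` in the visible hunks, and apache::vhost::template (same commit) calls `fail()` when those are 'absent' for any of those modes — so unless they are forwarded by lines outside this hunk, any value other than 'normal' fails at catalog compile time. Either add `$run_uid = 'absent'` and `$run_gid = 'absent'` parameters and pass them to ::apache::vhost, or document in the header that static vhosts support only 'normal'. The header comment documents `mod_security` but not the new `mod_security_rules_to_disable`/`mod_security_additional_options` knobs; a one-line note that rule IDs listed there are excluded from the WAF for this vhost would help whoever reviews the consuming manifests. The parameter list continues outside this hunk.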
@@ -42,13 +58,14 @@ define apache::vhost::static( ::apache::vhost{$name: ensure => $ensure, path => $path, - template_mode => 'static', + template_partial => $template_partial, vhost_mode => $vhost_mode, vhost_source => $vhost_source, vhost_destination => $vhost_destination, domain => $domain, domainalias => $domainalias, server_admin => $server_admin, + logmode => $logmode, allow_override => $allow_override, do_includes => $do_includes, options => $options, @@ -59,6 +76,8 @@ define apache::vhost::static( htpasswd_path => $htpasswd_path, mod_security => $mod_security, mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options => $mod_security_additional_options, } } diff --git a/manifests/vhost/template.pp b/manifests/vhost/template.pp index 324a96a..55d41d9 100644 --- a/manifests/vhost/template.pp +++ b/manifests/vhost/template.pp @@ -1,8 +1,6 @@ -# template_mode: -# - php: for a default php application -# - static: for a static application (default) -# - perl: for a mod_perl application -# - php_joomla: for a joomla application +# template_partial: +# which template should be used to generate the type specific part +# of the vhost entry. # # domainalias: # - absent: no domainalias is set (*default*) 
@@ -14,137 +12,145 @@ # - true: enable ssl for this vhost # - force: enable ssl and redirect non-ssl to ssl # - only: enable ssl only -# php_safe_mode_exec_bins: An array of local binaries which should be linked in the -# safe_mode_exec_bin for this hosting -# *default*: None -# php_default_charset: default charset header for php. -# *default*: absent, which will set the same as default_charset -# of apache +# +# logmode: +# - default: Do normal logging to CustomLog and ErrorLog +# - nologs: Send every logging to /dev/null +# - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null +# - semianonym: Don't log ips for CustomLog, log normal ErrorLog +# +# run_mode: controls in which mode the vhost should be run, there are different setups +# possible: +# - normal: (*default*) run vhost with the current active worker (default: prefork) don't +# setup anything special +# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination +# with 'proxy-itk' & 'static-itk' mode) +# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the +# requests for the itk setup, that listens only on the loobpack device. +# (Incompatibility: cannot be used in combination with the itk setup.) 
+# - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static +# content and proxies the dynamic calls to the itk setup, that listens only on +# the loobpack device (Incompatibility: cannot be used in combination with +# 'itk' mode) +# +# run_uid: the uid the vhost should run as with the itk module +# run_gid: the gid the vhost should run as with the itk module +# +# mod_security: Whether we use mod_security or not (will include mod_security module) +# - false: don't activate mod_security +# - true: (*default*) activate mod_security +# define apache::vhost::template( - $ensure = present, - $path = 'absent', - $path_is_webdir = false, - $logpath = 'absent', - $domain = 'absent', - $domainalias = 'absent', - $server_admin = 'absent', - $allow_override = 'None', - $php_safe_mode_exec_bin_dir = 'absent', - $php_upload_tmp_dir = 'absent', - $php_session_save_path = 'absent', - $dav_db_dir = 'absent', - $cgi_binpath = 'absent', - $do_includes = false, - $options = 'absent', - $additional_options = 'absent', - $default_charset = 'absent', - $php_use_smarty = false, - $php_use_pear = false, - $php_safe_mode = true, - $php_default_charset = 'absent', - $php_additional_open_basedirs = 'absent', - $php_additional_options = 'absent', - $run_mode = 'normal', - $run_uid = 'absent', - $run_gid = 'absent', - $template_mode = 'static', - $ssl_mode = false, - $mod_security = true, - $mod_security_relevantonly = true, - $use_mod_macro = false, - $htpasswd_file = 'absent', - $htpasswd_path = 'absent', - $ldap_auth = false, - $ldap_user = 'any' + $ensure = present, + $path = 'absent', + $path_is_webdir = false, + $logpath = 'absent', + $logmode = 'default', + $logprefix = '', + $domain = 'absent', + $domainalias = 'absent', + $server_admin = 'absent', + $allow_override = 'None', + $dav_db_dir = 'absent', + $cgi_binpath = 'absent', + $do_includes = false, + $options = 'absent', + $additional_options = 'absent', + $default_charset = 'absent', + 
$php_options = {}, + $php_settings = {}, + $run_mode = 'normal', + $run_uid = 'absent', + $run_gid = 'absent', + $template_partial = 'apache/vhosts/static/partial.erb', + $template_vars = {}, + $ssl_mode = false, + $mod_security = true, + $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', + $use_mod_macro = false, + $htpasswd_file = 'absent', + $htpasswd_path = 'absent', + $ldap_auth = false, + $ldap_user = 'any', + $passing_extension = 'absent', + $gempath = 'absent' ){ - if $mod_security { - case $run_mode { - 'itk': { include mod_security::itk } - default: { include mod_security } - } - } - $real_path = $path ? { - 'absent' => $operatingsystem ? { - openbsd => "/var/www/htdocs/$name", - default => "/var/www/vhosts/$name" + 'absent' => $::operatingsystem ? { + openbsd => "/var/www/htdocs/${name}", + default => "/var/www/vhosts/${name}" }, - default => $path + default => $path } if $path_is_webdir { - $documentroot = "$real_path" + $documentroot = $real_path } else { - $documentroot = "$real_path/www" + $documentroot = "${real_path}/www" } $logdir = $logpath ? { - 'absent' => "$real_path/logs", - default => $logpath + 'absent' => "${real_path}/logs", + default => $logpath } $servername = $domain ? { - 'absent' => $name, - default => $domain + 'absent' => $name, + default => $domain } $serveralias = $domainalias ? 
{ - 'absent' => '', - 'www' => "www.${servername}", - default => $domainalias + 'absent' => '', + 'www' => "www.${servername}", + default => $domainalias } if $htpasswd_path == 'absent' { - $real_htpasswd_path = "/var/www/htpasswds/$name" + $real_htpasswd_path = "/var/www/htpasswds/${name}" } else { $real_htpasswd_path = $htpasswd_path } case $run_mode { - 'itk': { + 'proxy-itk': { $logfileprefix = 'proxy' } + 'static-itk': { $logfileprefix = 'static' } + } + case $run_mode { + 'fcgid','itk','proxy-itk','static-itk': { case $run_uid { - 'absent': { fail("you have to define run_uid for $name on $fqdn") } + 'absent': { fail("you have to define run_uid for ${name} on ${::fqdn}") } } case $run_gid { - 'absent': { fail("you have to define run_gid for $name on $fqdn") } + 'absent': { fail("you have to define run_gid for ${name} on ${::fqdn}") } } } } - - # set default dirs for templates - # php php_safe_mode_exec_bin directory - case $php_safe_mode_exec_bin_dir { - 'absent': { - $real_php_safe_mode_exec_bin_dir = "/var/www/vhosts/$name/bin" - } - default: { $real_php_safe_mode_exec_bin_dir = $php_safe_mode_exec_bin_dir } - } - # php upload_tmp_dir - case $php_upload_tmp_dir { - 'absent': { - $real_php_upload_tmp_dir = "/var/www/upload_tmp_dir/$name" - } - default: { $real_php_upload_tmp_dir = $php_upload_tmp_dir } - } - # php session_save_path - case $php_session_save_path { - 'absent': { - $real_php_session_save_path = "/var/www/session.save_path/$name" - } - default: { $real_php_session_save_path = $php_session_save_path } - } # dav db dir case $dav_db_dir { 'absent': { - $real_dav_db_dir = "/var/www/dav_db_dir/$name" + $real_dav_db_dir = "/var/www/dav_db_dir/${name}" } default: { $real_dav_db_dir = $dav_db_dir } } apache::vhost::file{$name: - ensure => $ensure, - content => template("apache/vhosts/$template_mode/$operatingsystem.erb"), - do_includes => $do_includes, + ensure => $ensure, + do_includes => $do_includes, + run_mode => $run_mode, + ssl_mode => $ssl_mode, + 
logmode => $logmode, + mod_security => $mod_security, htpasswd_file => $htpasswd_file, htpasswd_path => $htpasswd_path, use_mod_macro => $use_mod_macro, } + if $ensure != 'absent' { + Apache::Vhost::File[$name]{ + content => $run_mode ? { + 'proxy-itk' => template('apache/vhosts/itk_plus.erb'), + 'static-itk' => template('apache/vhosts/itk_plus.erb'), + default => template('apache/vhosts/default.erb'), + } + } + } } diff --git a/manifests/vhost/webdav.pp b/manifests/vhost/webdav.pp index 73c4a7a..003a308 100644 --- a/manifests/vhost/webdav.pp +++ b/manifests/vhost/webdav.pp 
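Review bot: The run_mode check near the end of the hunk only rejects the sentinel `'absent'` for `$run_uid`/`$run_gid`; under the itk/fcgid modes a vhost declared with `run_uid => 0` (or `'root'`) passes validation and is configured to run as root, which defeats the point of per-vhost uids. Add a second arm to each case, e.g. `'0', 'root': { fail("refusing to run vhost ${name} as root on ${::fqdn}") }` for run_uid and the same for run_gid, keeping the 'absent' arm — even if the MPM refuses uid 0 at runtime, failing at compile time is clearer. The `include mod_security` that this define used to do is gone and the flag is now only handed to apache::vhost::file; presumably that define includes the module, but it is worth confirming since template.pp still defaults `$mod_security` to true. The whole define is inside this hunk.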
@@ -1,10 +1,28 @@ # Webdav vhost: to manage webdav accessible targets -# run_mode: -# - normal: nothing special (*default*) -# - itk: apache is running with the itk module -# and run_uid and run_gid are used as vhost users +# run_mode: controls in which mode the vhost should be run, there are different setups +# possible: +# - normal: (*default*) run vhost with the current active worker (default: prefork) don't +# setup anything special +# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination +# with 'proxy-itk' & 'static-itk' mode) +# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the +# requests for the itk setup, that listens only on the loobpack device. +# (Incompatibility: cannot be used in combination with the itk setup.) +# - static-itk: this mode is not possible and will be rewritten to proxy-itk +# # run_uid: the uid the vhost should run as with the itk module # run_gid: the gid the vhost should run as with the itk module +# +# mod_security: Whether we use mod_security or not (will include mod_security module) +# - false: (*default*) don't activate mod_security +# - true: activate mod_security +# +# logmode: +# - default: Do normal logging to CustomLog and ErrorLog +# - nologs: Send every logging to /dev/null +# - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null +# - semianonym: Don't log ips for CustomLog, log normal ErrorLog +# define apache::vhost::webdav( $ensure = present, $domain = 'absent', @@ -15,6 +33,7 @@ define apache::vhost::webdav( $group = apache, $manage_webdir = true, $path_is_webdir = false, + $logmode = 'default', $logpath = 'absent', $documentroot_owner = apache, $documentroot_group = 0, 
@@ -27,6 +46,8 @@ define apache::vhost::webdav( $default_charset = 'absent', $mod_security = false, $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', $ssl_mode = false, $vhost_mode = 'template', $vhost_source = 'absent', @@ -37,7 +58,7 @@ define apache::vhost::webdav( $ldap_user = 'any', $dav_db_dir = 'absent' ){ - ::apache::vhost::davdbdir{"${name}": + ::apache::vhost::davdbdir{$name: ensure => $ensure, dav_db_dir => $dav_db_dir, documentroot_owner => $documentroot_owner, @@ -60,20 +81,29 @@ define apache::vhost::webdav( documentroot_mode => $documentroot_mode, } } + + if $run_mode == 'static-itk' { + notice("static-itk mode is not possible for webdav vhosts, rewriting it to proxy-itk") + $real_run_mode = 'proxy-itk' + } else { + $real_run_mode = $run_mode + } + # create vhost configuration file ::apache::vhost{$name: ensure => $ensure, path => $path, path_is_webdir => $path_is_webdir, logpath => $logpath, - template_mode => 'webdav', + logmode => $logmode, + template_partial => 'apache/vhosts/webdav/partial.erb', vhost_mode => $vhost_mode, vhost_source => $vhost_source, vhost_destination => $vhost_destination, domain => $domain, domainalias => $domainalias, server_admin => $server_admin, - run_mode => $run_mode, + run_mode => $real_run_mode, run_uid => $run_uid, run_gid => $run_gid, options => $options, @@ -85,6 +115,9 @@ define apache::vhost::webdav( ldap_auth => $ldap_auth, ldap_user => $ldap_user, mod_security => $mod_security, + mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options => $mod_security_additional_options, } } diff --git a/manifests/vhost/webdir.pp b/manifests/vhost/webdir.pp index 4fa9003..c9729f0 100644 --- a/manifests/vhost/webdir.pp +++ b/manifests/vhost/webdir.pp 
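Review bot: The static-itk→proxy-itk rewrite is reported only with `notice()`, so a caller who declared `run_mode => 'static-itk'` can easily miss that the vhost was silently reconfigured to proxy every request through the itk worker; a downgrade of a requested mode deserves at least `warning("static-itk mode is not possible for webdav vhosts, rewriting ${name} to proxy-itk")`, which also names the affected vhost. As written the message is a double-quoted string with no interpolation, which puppet-lint flags. The last hunk also starts forwarding `mod_security_relevantonly`, which the old call dropped — that looks like a genuine fix and could be called out in the commit message.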
@@ -1,125 +1,116 @@ # create webdir define apache::vhost::webdir( - $ensure = present, - $path = 'absent', - $owner = root, - $group = apache, - $mode = 0640, - $run_mode = 'normal', - $manage_docroot = true, - $documentroot_owner = root, - $documentroot_group = apache, - $documentroot_mode = 0640, - $documentroot_recurse = false + $ensure = present, + $path = 'absent', + $owner = root, + $group = apache, + $mode = 0640, + $run_mode = 'normal', + $manage_docroot = true, + $documentroot_owner = root, + $documentroot_group = apache, + $documentroot_mode = 0640, + $documentroot_recurse = false ){ - $real_path = $path ? { - 'absent' => $operatingsystem ? { - openbsd => "/var/www/htdocs/${name}", - default => "/var/www/vhosts/${name}" - }, - default => "${path}" - } + $real_path = $path ? { + 'absent' => $::operatingsystem ? { + openbsd => "/var/www/htdocs/${name}", + default => "/var/www/vhosts/${name}" + }, + default => $path + } - if ($run_mode == 'itk') and ($mode == '0640'){ - $real_mode = 0644 - } else { - $real_mode = $mode - } + if (($run_mode =~ /^(static\-|proxy\-)?itk$/) or $run_mode == 'fcgid') and ($mode == '0640'){ + $real_mode = 0644 + } else { + $real_mode = $mode + } - $documentroot = "${real_path}/www" - $logdir = "${real_path}/logs" + $documentroot = "${real_path}/www" + $logdir = "${real_path}/logs" - if $owner == 'apache' { - if $apache_default_user == '' { - $real_owner = $operatingsystem ? { - openbsd => 'www', - debian => 'www-data', - default => $owner - } - } else { - $real_owner = $apache_default_user - } - } else { - $real_owner = $owner + if $owner == 'apache' { + $real_owner = $::operatingsystem ? { + openbsd => 'www', + debian => 'www-data', + default => $owner } - if $group == 'apache' { - if $apache_default_group == '' { - $real_group = $operatingsystem ? 
{ - openbsd => 'www', - debian => 'www-data', - default => $group - } - } else { - $real_group = $apache_default_group - } - } else { - $real_group = $group + } else { + $real_owner = $owner + } + if $group == 'apache' { + $real_group = $::operatingsystem ? { + openbsd => 'www', + debian => 'www-data', + default => $group } + } else { + $real_group = $group + } - if $documentroot_owner == 'apache' { - if $apache_default_user == '' { - $real_documentroot_owner = $operatingsystem ? { - openbsd => 'www', - debian => 'www-data', - default => $documentroot_owner - } - } else { - $real_documentroot_owner = $apache_default_user - } - } else { - $real_documentroot_owner = $documentroot_owner + if $documentroot_owner == 'apache' { + $real_documentroot_owner = $::operatingsystem ? { + openbsd => 'www', + debian => 'www-data', + default => $documentroot_owner } - if $documentroot_group == 'apache' { - if $apache_default_group == '' { - $real_documentroot_group = $operatingsystem ? { - openbsd => 'www', - debian => 'www-data', - default => $documentroot_group - } - } else { - $real_documentroot_group = $apache_default_group + } else { + $real_documentroot_owner = $documentroot_owner + } + if $documentroot_group == 'apache' { + $real_documentroot_group = $::operatingsystem ? 
{ + openbsd => 'www', + debian => 'www-data', + default => $documentroot_group + } + } else { + $real_documentroot_group = $documentroot_group + } + case $ensure { + absent: { + file{$real_path: + ensure => absent, + purge => true, + recurse => true, + force => true; } - } else { - $real_documentroot_group = $documentroot_group } - case $ensure { - absent: { - if $manage_docroot { - $managed_directories = [ "$real_path", "${real_path}/private", "$logdir", "$documentroot" ] - } else { - $managed_directories = [ "$real_path", "${real_path}/private", "$logdir" ] - } - file{$managed_directories: - ensure => absent, - purge => true, - recurse => true, - force => true, - } + default: { + file{ + $real_path: + ensure => directory, + require => Anchor['apache::basic_dirs::ready'], + owner => $real_owner, + group => $real_group, + mode => $real_mode; + $logdir: + ensure => directory, + before => Service['apache'], + owner => $real_documentroot_owner, + group => $real_documentroot_group, + mode => '0660'; + "${real_path}/private": + ensure => directory, + owner => $real_documentroot_owner, + group => $real_documentroot_group, + mode => '0600'; + } + if $manage_docroot { + file{$documentroot: + ensure => directory, + before => Service['apache'], + recurse => $documentroot_recurse, + owner => $real_documentroot_owner, + group => $real_documentroot_group, + mode => $documentroot_mode; } - default: { - file{"$real_path": - ensure => directory, - owner => $real_owner, group => $real_group, mode => $real_mode; - } - if $manage_docroot { - file{"$documentroot": - ensure => directory, - recurse => $documentroot_recurse, - owner => $real_documentroot_owner, group => $real_documentroot_group, mode => $documentroot_mode; - } - } - file{"$logdir": - ensure => directory, - owner => $real_documentroot_owner, group => $real_documentroot_group, mode => 0660; - } - case $operatingsystem { - centos: { include apache::logrotate::centos::vhosts } - } - file{"${real_path}/private": - ensure => 
directory,
- owner => $real_documentroot_owner, group => $real_documentroot_group, mode => 0600;
- }
+ }
+ case $::operatingsystem {
+ centos: { include apache::logrotate::centos::vhosts }
+ default: { #nothing }
+ }
 }
+ }
 }
diff --git a/manifests/worker.pp b/manifests/worker.pp
new file mode 100644
index 0000000..9a7b3be
--- /dev/null
+++ b/manifests/worker.pp
@@ -0,0 +1,5 @@
+class apache::worker inherits apache {
+ case $::operatingsystem {
+ centos: { include ::apache::centos::worker }
+ }
+}
|
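Review bot: In the new `case $::operatingsystem` at the end of the define, `default: { #nothing }` comments out its own closing brace — Puppet treats `#` to end of line as a comment — so that branch is really closed by the `}` on the following line and, by my count of the closers in this rendering, the define ends up one brace short; write it as `default: {} # nothing`. Separately, the itk/fcgid branch at the top of the hunk relaxes the vhost root from 0640 to 0644 whenever the caller kept the default mode; Puppet sets the traverse bit on directories wherever the read bit is set, so on a shared host every local user can then walk into the vhost tree, and the directory is still owned by `$owner`/`$group` rather than the run_uid/run_gid the vhost will actually run as. If world-readable is the intended way to let the itk user in, a comment saying so would save the next reader the guess, and quoting the octal defaults as `'0640'` like the `'0660'`/`'0600'` literals in this hunk keeps the `$mode == '0640'` comparison from relying on numeric coercion.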