Diffstat (limited to 'templates/vhosts')
25 files changed, 275 insertions, 253 deletions
diff --git a/templates/vhosts/0-default_ssl.conf.erb b/templates/vhosts/0-default_ssl.conf.erb new file mode 100644 index 0000000..86e4979 --- /dev/null +++ b/templates/vhosts/0-default_ssl.conf.erb @@ -0,0 +1,21 @@ +############################################################ +### This file is managed by PUPPET! #### +### Only modify in repo or you will loose the changes! #### +############################################################ + +<VirtualHost *:443> + Include include.d/defaults.inc + Include include.d/ssl_defaults.inc + DocumentRoot /var/www/html + + # Use separate log files for the SSL virtual host; note that LogLevel + # is not inherited from httpd.conf. + ErrorLog logs/ssl_error_log + TransferLog logs/ssl_access_log + LogLevel warn + +<%= scope.function_templatewlv(['apache/vhosts/partials/ssl.erb', + {'configuration' => {}}]) %> +</VirtualHost> + +# vim: ts=4 filetype=apache diff --git a/templates/vhosts/default.erb b/templates/vhosts/default.erb index 809cd9b..1ef8023 100644 --- a/templates/vhosts/default.erb +++ b/templates/vhosts/default.erb @@ -1,5 +1,5 @@ <% -vhost_parts = case ssl_mode +vhost_parts = case @ssl_mode when 'only' then [:ssl] when false,'false' then [:normal] else [:normal,:ssl] 
@@ -7,36 +7,38 @@ end vhost_parts.each do |vhost_part| -%> <VirtualHost *:<%= vhost_part == :ssl ? '443' : '80' %> > -<%= scope.function_templatewlv(['apache/vhosts/partials/header_default.erb', {'vhost_part' => vhost_part } ]) %> +<%= scope.function_templatewlv(['apache/vhosts/partials/header_default.erb', + {'vhost_part' => vhost_part, + 'configuration' => @configuration,}]) %> <%= scope.function_template(['apache/vhosts/partials/logs.erb']) %> - <% if run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%> +<% if @run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%> <IfModule mpm_itk_module> - AssignUserId <%= run_uid+" "+run_gid %> + AssignUserId <%= "#{@run_uid} #{@run_gid}" %> </IfModule> - <% elsif run_mode.to_s == 'fcgid' && !(ssl_mode == 'force' && vhost_part == :normal) -%> +<% elsif @run_mode.to_s == 'fcgid' -%> <IfModule mod_fcgid.c> - SuexecUserGroup <%= run_uid+" "+run_gid %> + SuexecUserGroup <%= "#{@run_uid} #{@run_gid}" %> FcgidMaxRequestsPerProcess 5000 - FCGIWrapper /var/www/mod_fcgid-starters/<%= name %>/<%= name %>-starter .<%= passing_extension %> - AddHandler fcgid-script .<%= passing_extension %> + FCGIWrapper /var/www/mod_fcgid-starters/<%= @name %>/<%= @name %>-starter .<%= @passing_extension %> + AddHandler fcgid-script .<%= @passing_extension %> </IfModule> - <% end -%> - <% if ssl_mode == 'force' && vhost_part == :normal -%> +<% end -%> +<% if @ssl_mode == 'force' && vhost_part == :normal -%> RewriteEngine On RewriteCond %{HTTPS} !=on + RewriteCond %{HTTP:X-Forwarded-Proto} !=https RewriteRule (.*) https://%{SERVER_NAME}$1 [R=permanent,L] - <% else -%> -<%= scope.function_templatewlv([template_partial, {'vhost_part' => vhost_part } ]) %> - <% end -%> -<%- unless template_partial == 'apache/vhosts/itk_plus/partial.erb' -%> +<% end -%> +<%= scope.function_templatewlv([@template_partial, {'vhost_part' => vhost_part } ]) %> +<% unless @template_partial == 'apache/vhosts/itk_plus/partial.erb' -%> <%= 
scope.function_template(['apache/vhosts/partials/mod_security.erb']) %> <% end -%> -<% unless additional_options.to_s == 'absent' -%> - <%= additional_options %> +<% unless @additional_options.to_s == 'absent' -%> + <%= @additional_options %> <% end -%> </VirtualHost> <% end -%> diff --git a/templates/vhosts/gitweb/partial.erb b/templates/vhosts/gitweb/partial.erb index 7238ebe..a8475f6 100644 --- a/templates/vhosts/gitweb/partial.erb +++ b/templates/vhosts/gitweb/partial.erb @@ -1,19 +1,16 @@ - <% unless ssl_mode.to_s == 'force' -%> - SetEnv GITWEB_CONFIG <%= gitweb_config %> - DirectoryIndex gitweb.cgi - <Directory "<%= documentroot %>/"> - <% if options.to_s != 'absent' or do_includes.to_s == 'true'-%> - Options <% unless options.to_s == 'absent' -%><%= options %><% end -%><% if do_includes.to_s == 'true' && !options.include?('+Includes') -%> +Includes<% end -%><% unless options.include?('+ExecCGI') -%> +ExecCGI<% end -%> - <% end -%> - - AddHandler cgi-script .cgi - <Files gitweb.cgi> - Options ExecCGI FollowSymLinks - SetHandler cgi-script - </Files> - RewriteEngine on - RewriteRule ^[a-zA-Z0-9_-]+.git/?(\?.)?$ /gitweb.cgi%{REQUESTURI} [L,PT] + SetEnv GITWEB_CONFIG <%= @gitweb_config %> + DirectoryIndex gitweb.cgi + <Directory "<%= @documentroot %>/"> +<% if @options.to_s != 'absent' || @do_includes.to_s == 'true'-%> + Options <% unless @options.to_s == 'absent' -%><%= @options %><% end -%><% if @do_includes.to_s == 'true' && !@options.include?('+Includes') -%> +Includes<% end -%><% unless @options.include?('+ExecCGI') -%> +ExecCGI<% end -%> +<% end -%> + AddHandler cgi-script .cgi + <Files gitweb.cgi> + Options ExecCGI FollowSymLinks + SetHandler cgi-script + </Files> + RewriteEngine on + RewriteRule ^[a-zA-Z0-9_-]+.git/?(\?.)?$ /gitweb.cgi%{REQUESTURI} [L,PT] <%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %> - </Directory> - <% end -%> + </Directory> 
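Review bot: The new `RewriteCond %{HTTP:X-Forwarded-Proto} !=https` in the `@ssl_mode == 'force'` branch is evaluated against a request header the client controls, so on a vhost that is not behind a TLS-terminating proxy that overwrites that header, a client can send `X-Forwarded-Proto: https` and skip the https redirect — and because the `else` around `@template_partial` is gone, such a request now reaches the full application config over plain HTTP. Only emit that condition when the vhost is declared to sit behind such a proxy (a key in `@configuration` would do), or at least document the trust on the line: `# X-Forwarded-Proto is trusted here: the upstream proxy must always overwrite it`. The same condition is added in the php_gallery2, php_silverstripe and php_typo3 partials in this commit. The enclosing `vhost_parts.each` block starts in the previous hunk.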
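Review bot: `%{REQUESTURI}` in the re-indented `RewriteRule ^[a-zA-Z0-9_-]+.git/?(\?.)?$ /gitweb.cgi%{REQUESTURI} [L,PT]` is not a mod_rewrite server variable (the variable is `%{REQUEST_URI}`), so the substitution presumably expands to a bare `/gitweb.cgi` with the repository path dropped; the `.` before `git` is also unescaped. Since the commit already rewrites these lines, this is the moment to fix them: `RewriteRule ^[a-zA-Z0-9_-]+\.git/?(\?.)?$ /gitweb.cgi%{REQUEST_URI} [L,PT]`. Dropping the `unless ssl_mode.to_s == 'force'` guard means the block is now also emitted in the plain-HTTP vhost, which is consistent with default.erb where the https redirect is evaluated first.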
diff --git a/templates/vhosts/itk_plus/partial.erb b/templates/vhosts/itk_plus/partial.erb index 5b05dd8..df04543 100644 --- a/templates/vhosts/itk_plus/partial.erb +++ b/templates/vhosts/itk_plus/partial.erb 
@@ -1,32 +1,31 @@ - ProxyPreserveHost On - ProxyRequests off + ProxyPreserveHost On + ProxyRequests off <% if vhost_part == :ssl -%> - SSLProxyEngine On - <%- if run_mode.to_s == 'static-itk' -%> - ProxyPassMatch ^/(.*\.<%= passing_extension %>/?.*)$ https://127.0.0.1/$1 - <%- else -%> - ProxyPass / https://127.0.0.1/ - <%- end -%> - ProxyPassReverse / https://127.0.0.1/ + SSLProxyEngine On +<% if run_mode.to_s == 'static-itk' -%> + ProxyPassMatch ^/(.*\.<%= @passing_extension %>/?.*)$ https://127.0.0.1/$1 +<% else -%> + ProxyPass / https://127.0.0.1/ +<% end -%> + ProxyPassReverse / https://127.0.0.1/ <% else -%> - <% if run_mode.to_s == 'static-itk' -%> - ProxyPassMatch ^/(.*\.<%= passing_extension %>/?.*)$ http://127.0.0.1/$1 - <% else -%> - ProxyPass / http://127.0.0.1/ - <% end -%> - ProxyPassReverse / http://127.0.0.1/ -<% end %> +<% if run_mode.to_s == 'static-itk' -%> + ProxyPassMatch ^/(.*\.<%= @passing_extension %>/?.*)$ http://127.0.0.1/$1 +<% else -%> + ProxyPass / http://127.0.0.1/ +<% end -%> + ProxyPassReverse / http://127.0.0.1/ +<% end -%> - <% if run_mode.to_s == 'static-itk' && (ssl_mode.to_s != 'force' || vhost_part == :ssl) -%> - <Directory "<%= documentroot %>/"> - AllowOverride <%= allow_override %> - <% if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> - Options <% unless options.to_s == 'absent' then -%><%= options %><% end -%><% if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<% end -%> - - <% end -%> +<% if @run_mode.to_s == 'static-itk' && (@ssl_mode.to_s != 'force' || vhost_part == :ssl) -%> + <Directory "<%= @documentroot %>/"> + AllowOverride <%= @allow_override %> +<% if @options.to_s != 'absent' || @do_includes.to_s == 'true' -%> + Options <% unless @options.to_s == 'absent' -%><%= @options %><% end -%><% if @do_includes.to_s == 'true' && !@options.include?('+Includes') -%> +Includes<% end -%> +<% end -%> <%= scope.function_template(['apache/vhosts/partials/authentication.erb']) 
%> - </Directory> - <% end -%> + </Directory> +<% end -%> diff --git a/templates/vhosts/partials/authentication.erb b/templates/vhosts/partials/authentication.erb index 6ca1b03..ed83221 100644 --- a/templates/vhosts/partials/authentication.erb +++ b/templates/vhosts/partials/authentication.erb @@ -1,6 +1,6 @@ -<% unless htpasswd_file.to_s == 'absent' -%> - AuthType Basic - AuthName "Access fuer <%= servername %>" - AuthUserFile <%= real_htpasswd_path %> - require valid-user -<% end -%>
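Review bot: The two `<% if run_mode.to_s == 'static-itk' -%>` lines in the proxy branches still read the bare `run_mode`, while the `<Directory>` guard below was converted to `@run_mode.to_s`; bare template variables are deprecated in Puppet 3 and no longer resolve in later versions, so those two branches would stop rendering once the rest of the file relies on instance variables. Change both to `<% if @run_mode.to_s == 'static-itk' -%>`. The same leftover appears in webdav/partial.erb (`ldap_user.to_s`, twice, next to the converted `@ldap_auth`). `vhost_part` is a template-local passed in via templatewlv and is fine as written.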
\ No newline at end of file +<% unless @htpasswd_file.to_s == 'absent' -%> + AuthType Basic + AuthName "Access fuer <%= @servername %>" + AuthUserFile <%= @real_htpasswd_path %> + require valid-user +<% end -%> diff --git a/templates/vhosts/partials/header_default.erb b/templates/vhosts/partials/header_default.erb index d6d8c86..cd4d04c 100644 --- a/templates/vhosts/partials/header_default.erb +++ b/templates/vhosts/partials/header_default.erb @@ -1,20 +1,22 @@ Include include.d/defaults.inc <% if vhost_part == :ssl -%> Include include.d/ssl_defaults.inc +<%= scope.function_templatewlv(['apache/vhosts/partials/ssl.erb', + {'configuration' => configuration}]) %> <% end -%> - ServerName <%= servername %> -<% unless serveralias.empty? || (serveralias == 'absent') -%> - ServerAlias <%= serveralias %> + ServerName <%= @servername %> +<% unless @serveralias.empty? || (@serveralias == 'absent') -%> + ServerAlias <%= Array(@serveralias).sort.join(' ') %> <% end -%> -<% unless server_admin.empty? || (server_admin == 'absent') -%> - ServerAdmin <%= server_admin %> +<% unless @server_admin.empty? || (@server_admin == 'absent') -%> + ServerAdmin <%= @server_admin %> <% end -%> -<% unless documentroot == 'really_absent' -%> - DocumentRoot <%= documentroot %>/ +<% unless @documentroot == 'really_absent' -%> + DocumentRoot <%= @documentroot %>/ <% end -%> -<% if default_charset != 'absent' then -%> - AddDefaultCharset <%= default_charset %> +<% if @default_charset != 'absent' -%> + AddDefaultCharset <%= @default_charset %> <% end -%> -<% if passing_extension != 'absent' -%> - DirectoryIndex index.htm index.html index.<%= passing_extension %> +<% if @passing_extension != 'absent' -%> + DirectoryIndex index.htm index.html index.<%= @passing_extension %> <% end -%> diff --git a/templates/vhosts/partials/logs.erb b/templates/vhosts/partials/logs.erb index 68403a8..136508f 100644 --- a/templates/vhosts/partials/logs.erb +++ b/templates/vhosts/partials/logs.erb 
@@ -1,14 +1,18 @@ -<% case logmode.to_s +<% case @logmode.to_s when 'nologs' -%> ErrorLog /dev/null CustomLog /dev/null +<% when 'noaccess' -%> + ErrorLog <%= @logdir %>/<%= @logprefix %>error_log + CustomLog /dev/null noip <% when 'semianonym' -%> - ErrorLog <%= logdir %>/<%= logprefix %>error_log - CustomLog <%= logdir %>/<%= logprefix %>access_log noip + ErrorLog <%= @logdir %>/<%= @logprefix %>error_log + CustomLog <%= @logdir %>/<%= @logprefix %>access_log noip <% when 'anonym' -%> ErrorLog /dev/null - CustomLog <%= logdir %>/<%= logprefix %>access_log noip + CustomLog <%= @logdir %>/<%= @logprefix %>access_log noip <% else -%> - ErrorLog <%= logdir %>/<%= logprefix %>error_log - CustomLog <%= logdir %>/<%= logprefix %>access_log combined + ErrorLog <%= @logdir %>/<%= @logprefix %>error_log + CustomLog <%= @logdir %>/<%= @logprefix %>access_log combined <% end -%> + diff --git a/templates/vhosts/partials/mod_security.erb b/templates/vhosts/partials/mod_security.erb index 5b4fca8..380e78f 100644 --- a/templates/vhosts/partials/mod_security.erb +++ b/templates/vhosts/partials/mod_security.erb 
@@ -1,27 +1,27 @@ <IfModule mod_security2.c> -<% if mod_security.to_s == 'true' then -%> +<% if @mod_security.to_s == 'true' -%> SecRuleEngine On -<% if mod_security_relevantonly.to_s == 'true' then -%> +<% if @mod_security_relevantonly.to_s == 'true' -%> SecAuditEngine RelevantOnly -<% else -%> +<% else -%> SecAuditEngine On -<% end -%> +<% end -%> <% else -%> SecRuleEngine Off SecAuditEngine Off <% end -%> SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log -<% unless mod_security_rules_to_disable.to_a.empty? -%> + SecAuditLogStorageDir <%= @logdir %>/ + SecAuditLog <%= @logdir %>/mod_security_audit.log + SecDebugLog <%= @logdir %>/mod_security_debug.log +<% unless (disabled_rules=Array(@mod_security_rules_to_disable)).empty? -%> -<% mod_security_rules_to_disable.to_a.each do |rule| -%> +<% disabled_rules.each do |rule| -%> SecRuleRemoveById "<%= rule %>" +<% end -%> <% end -%> -<% end -%> -<% unless mod_security_additional_options.to_s == 'absent' -%> +<% unless (s=@mod_security_additional_options).to_s == 'absent' -%> - <%= mod_security_additional_options %> + <%= s %> <% end -%> </IfModule> diff --git a/templates/vhosts/partials/php_settings.erb b/templates/vhosts/partials/php_settings.erb index 7840987..74f6ecf 100644 --- a/templates/vhosts/partials/php_settings.erb +++ b/templates/vhosts/partials/php_settings.erb 
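Review bot: `<% unless (disabled_rules=Array(@mod_security_rules_to_disable)).empty? -%>` and `<% unless (s=@mod_security_additional_options).to_s == 'absent' -%>` bury an assignment inside the condition, which reads like a mistyped `==`; assign on a line of its own first, e.g. `<% disabled_rules = Array(@mod_security_rules_to_disable) -%>` followed by `<% unless disabled_rules.empty? -%>`, and give `s` a descriptive name. The `Array()` wrap itself is an improvement over the old `.to_a`, which would have raised for a single String rule id on Ruby 1.9+.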
@@ -1,19 +1,20 @@ -<% if run_mode != 'fcgid' - php_settings.reject{|k,v| v == :undef }.keys.sort.each do |key| - dvalue = php_settings[key].to_s.downcase +<% if @run_mode != 'fcgid' + @php_settings.reject{|k,v| (v == :undef) || v.nil? }.keys.sort.each do |key| + dvalue = @php_settings[key].to_s.downcase munged_value = if dvalue == 'true' - 'on' - elsif dvalue == 'false' - 'off' - elsif ['on','off'].include?(dvalue) - dvalue - else - php_settings[key] - end - if ['on','off' ].include?(munged_value) -%> + 'on' + elsif dvalue == 'false' + 'off' + elsif ['on','off'].include?(dvalue) + dvalue + else + @php_settings[key] + end + + if ['on','off' ].include?(munged_value) -%> php_admin_flag <%= key %> <%= munged_value %> -<% else -%> +<% else -%> php_admin_value <%= key %> <%= munged_value %> -<% end -%> -<% end -%> +<% end -%> +<% end -%> <% end -%> diff --git a/templates/vhosts/partials/ssl.erb b/templates/vhosts/partials/ssl.erb new file mode 100644 index 0000000..c9f3933 --- /dev/null +++ b/templates/vhosts/partials/ssl.erb @@ -0,0 +1,8 @@ + SSLCertificateFile <%= configuration['ssl_certificate_file'] || scope.lookupvar('apache::default_ssl_certificate_file') %> + SSLCertificateKeyFile <%= configuration['ssl_certificate_key_file'] || scope.lookupvar('apache::default_ssl_certificate_key_file') %> +<% if configuration['ssl_certificate_chain_file'] || scope.lookupvar('apache::default_ssl_certificate_chain_file') != 'absent' -%> + SSLCertificateChainFile <%= configuration['ssl_certificate_chain_file'] || scope.lookupvar('apache::default_ssl_certificate_chain_file') %> +<% end -%> +<% if configuration['hsts'] -%> + Header add Strict-Transport-Security "max-age=<%= (configuration['hsts']['age'] || 15768000) rescue 15768000 %>" +<% end -%> diff --git a/templates/vhosts/partials/std_override_options.erb b/templates/vhosts/partials/std_override_options.erb index 95a5e6a..6d8b74f 100644 --- a/templates/vhosts/partials/std_override_options.erb 
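Review bot: `Header add Strict-Transport-Security` in the new ssl.erb only populates mod_headers' onsuccess table, so the HSTS header is not sent on locally generated non-2xx responses such as redirects from the SSL vhost, and `add` emits a second copy if another layer already sets it; prefer `Header always set Strict-Transport-Security "max-age=<%= ... %>"`. The `rescue 15768000` modifier on the age expression swallows every exception, not just `configuration['hsts']` being `true` instead of a hash — an explicit shape check is clearer: `max-age=<%= (configuration['hsts'].is_a?(Hash) && configuration['hsts']['age']) || 15768000 %>`. The chain-file condition `configuration['ssl_certificate_chain_file'] || scope.lookupvar(...) != 'absent'` parses as `a || (b != 'absent')`, which is what the next line needs, but parentheses would make that intent visible.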
+++ b/templates/vhosts/partials/std_override_options.erb @@ -1,4 +1,4 @@ - AllowOverride <%= allow_override %> - <% if options.to_s != 'absent' || do_includes.to_s == 'true' || run_mode == 'fcgid' -%> - Options <%- unless options.to_s == 'absent' then -%><%= options %><% end -%><% if do_includes.to_s == 'true' && !options.include?('+Includes') -%> +Includes<% end -%><% if run_mode == 'fcgid' && !options.include?('+ExecCGI') -%> +ExecCGI<% end -%> - <% end -%> + AllowOverride <%= @allow_override %> +<% if @options.to_s != 'absent' || @do_includes.to_s == 'true' || @run_mode == 'fcgid' -%> + Options <%- unless @options.to_s == 'absent' -%><%= @options %><% end -%><% if @do_includes.to_s == 'true' && !@options.include?('+Includes') -%> +Includes<% end -%><% if @run_mode == 'fcgid' && !@options.include?('+ExecCGI') -%> +ExecCGI<% end -%> +<% end -%> diff --git a/templates/vhosts/passenger/partial.erb b/templates/vhosts/passenger/partial.erb index 490649e..c3b63f5 100644 --- a/templates/vhosts/passenger/partial.erb +++ b/templates/vhosts/passenger/partial.erb @@ -1,7 +1,7 @@ - SetEnv GEM_HOME <%= gempath %> - <Directory <%= documentroot %>/> - AllowOverride <%= allow_override %> - Options <%- unless options.to_s == 'absent' -%><%= options %><%- end -%><%- unless !options.to_s.include?('MultiViews') -%>-MultiViews<%- end -%> + SetEnv GEM_HOME <%= @gempath %> + <Directory <%= @documentroot %>/> + AllowOverride <%= @allow_override %> + Options <%- unless @options.to_s == 'absent' -%><%= @options %><%- end -%><%- unless !@options.to_s.include?('MultiViews') -%>-MultiViews<%- end -%> <%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %> </Directory> diff --git a/templates/vhosts/perl/partial.erb b/templates/vhosts/perl/partial.erb index a8c30c3..8c1f0a5 100644 --- a/templates/vhosts/perl/partial.erb +++ b/templates/vhosts/perl/partial.erb 
@@ -1,15 +1,14 @@ - <Directory "<%= documentroot %>/"> + <Directory "<%= @documentroot %>/"> <%= scope.function_template(['apache/vhosts/partials/std_override_options.erb']) %> - <%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %> - </Directory> + </Directory> - <% unless htpasswd_file.to_s == 'absent' -%> - <Directory "<%= cgi_binpath %>/"> - AuthType Basic - AuthName "Access fuer <%= servername %>" - AuthUserFile <%= real_htpasswd_path %> - require valid-user - </Directory> - <% end -%> - ScriptAlias /cgi-bin/ <%= cgi_binpath %>/ +<% unless @htpasswd_file.to_s == 'absent' -%> + <Directory "<%= @cgi_binpath %>/"> + AuthType Basic + AuthName "Access fuer <%= @servername %>" + AuthUserFile <%= @real_htpasswd_path %> + require valid-user + </Directory> +<% end -%> + ScriptAlias /cgi-bin/ <%= @cgi_binpath %>/ diff --git a/templates/vhosts/php/partial.erb b/templates/vhosts/php/partial.erb index f8e5c53..c19ae7b 100644 --- a/templates/vhosts/php/partial.erb +++ b/templates/vhosts/php/partial.erb @@ -1,7 +1,5 @@ - <Directory "<%= documentroot %>/"> + <Directory "<%= @documentroot %>/"> <%= scope.function_template(['apache/vhosts/partials/std_override_options.erb']) %> - <%= scope.function_template(['apache/vhosts/partials/php_settings.erb']) %> - <%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %> - </Directory> + </Directory> diff --git a/templates/vhosts/php_drupal/partial.erb b/templates/vhosts/php_drupal/partial.erb index 3c420b1..316942f 100644 --- a/templates/vhosts/php_drupal/partial.erb +++ b/templates/vhosts/php_drupal/partial.erb 
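Review bot: The `authentication.erb` and `php_settings.erb` includes are removed from the `<Directory>` block in php/partial.erb with no replacement visible in this diff, and the same `authentication.erb` include is dropped in static, perl, php_drupal, php_gallery2, php_joomla and php_silverstripe. If those partials are now rendered from a manifest or template outside `templates/vhosts` (the diffstat is limited to that directory), a one-line comment here saying so would spare the next reader a search for the missing Basic-auth block: `# authentication.erb and php_settings.erb are rendered by the caller`. If they are not, vhosts with an `htpasswd_file` silently lose their `require valid-user` and the php_admin_* settings, which is an access-control regression rather than a cleanup.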
@@ -1,26 +1,22 @@ - <Directory "<%= documentroot %>/"> + <Directory "<%= @documentroot %>/"> <%= scope.function_template(['apache/vhosts/partials/std_override_options.erb']) %> - - <%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %> - <%= scope.function_template(['apache/vhosts/partials/php_settings.erb']) %> + # Protect files and directories from prying eyes. + <FilesMatch "\.(engine|inc|info|install|module|profile|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template)$"> + Order allow,deny + </FilesMatch> - # Protect files and directories from prying eyes. - <FilesMatch "\.(engine|inc|info|install|module|profile|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template)$"> - Order allow,deny - </FilesMatch> - - # Customized error messages. - ErrorDocument 404 /index.php + # Customized error messages. + ErrorDocument 404 /index.php - RewriteEngine on - RewriteCond %{REQUEST_FILENAME} !-f - RewriteCond %{REQUEST_FILENAME} !-d - RewriteRule ^(.*)$ index.php?q=$1 [L,QSA] - </Directory> - <Directory "<%= documentroot %>/files/"> - SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006 - Options None - Options +FollowSymLinks - </Directory> + RewriteEngine on + RewriteCond %{REQUEST_FILENAME} !-f + RewriteCond %{REQUEST_FILENAME} !-d + RewriteRule ^(.*)$ index.php?q=$1 [L,QSA] + </Directory> + <Directory "<%= @documentroot %>/files/"> + SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006 + Options None + Options +FollowSymLinks + </Directory> diff --git a/templates/vhosts/php_gallery2/partial.erb b/templates/vhosts/php_gallery2/partial.erb index 448f720..218c0e7 100644 --- a/templates/vhosts/php_gallery2/partial.erb +++ b/templates/vhosts/php_gallery2/partial.erb 
@@ -1,16 +1,14 @@ - <Directory "<%= documentroot %>/"> + <Directory "<%= @documentroot %>/"> <%= scope.function_template(['apache/vhosts/partials/std_override_options.erb']) %> - <%= scope.function_template(['apache/vhosts/partials/php_settings.erb']) %> - <%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %> -<% if vhost_part != :ssl -%> - # Always rewrite login's - # Source: http://gallery.menalto.com/node/30558 - RewriteEngine On - RewriteCond %{HTTP_COOKIE} ^GALLERYSID= [OR] - RewriteCond %{QUERY_STRING} subView=core\.UserLogin - RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [NE,R,L] -<% end -%> - </Directory> + # Always rewrite login's + # Source: http://gallery.menalto.com/node/30558 + RewriteEngine On + RewriteCond %{HTTPS} !=on + RewriteCond %{HTTP:X-Forwarded-Proto} !=https + RewriteCond %{HTTP_COOKIE} ^GALLERYSID= [OR] + RewriteCond %{QUERY_STRING} subView=core\.UserLogin + RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [NE,R,L] + </Directory> diff --git a/templates/vhosts/php_joomla/partial.erb b/templates/vhosts/php_joomla/partial.erb index 3046129..55445bf 100644 --- a/templates/vhosts/php_joomla/partial.erb +++ b/templates/vhosts/php_joomla/partial.erb 
@@ -1,32 +1,30 @@ - <Directory "<%= documentroot %>/"> + <Directory "<%= @documentroot %>/"> <%= scope.function_template(['apache/vhosts/partials/std_override_options.erb']) %> - <%= scope.function_template(['apache/vhosts/partials/php_settings.erb']) %> - <%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %> - Include include.d/joomla.inc - </Directory> - - <Directory "<%= documentroot %>/administrator/"> - RewriteEngine on + Include include.d/joomla.inc + </Directory> + + <Directory "<%= @documentroot %>/administrator/"> + RewriteEngine on - # Rewrite URLs to https that go for the admin area - RewriteCond %{REMOTE_ADDR} !^127\.[0-9]+\.[0-9]+\.[0-9]+$ - RewriteCond %{HTTPS} !=on - RewriteCond %{REQUEST_URI} (.*/administrator/.*) - RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R] - </Directory> + # Rewrite URLs to https that go for the admin area + RewriteCond %{REMOTE_ADDR} !^127\.[0-9]+\.[0-9]+\.[0-9]+$ + RewriteCond %{HTTPS} !=on + RewriteCond %{REQUEST_URI} (.*/administrator/.*) + RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R] + </Directory> - # Deny various directories that - # shouldn't be webaccessible - <Directory "<%= documentroot %>/tmp/"> - Deny From All - </Directory> - <Directory "<%= documentroot %>/logs/"> - Deny From All - </Directory> - <Directory "<%= documentroot %>/cli/"> - Deny From All - </Directory> + # Deny various directories that + # shouldn't be webaccessible + <Directory "<%= @documentroot %>/tmp/"> + Deny From All + </Directory> + <Directory "<%= @documentroot %>/logs/"> + Deny From All + </Directory> + <Directory "<%= @documentroot %>/cli/"> + Deny From All + </Directory> diff --git a/templates/vhosts/php_mediawiki/partial.erb b/templates/vhosts/php_mediawiki/partial.erb index cf30f5f..1ed6ee3 100644 --- a/templates/vhosts/php_mediawiki/partial.erb +++ b/templates/vhosts/php_mediawiki/partial.erb 
@@ -1,16 +1,7 @@ -<% if run_mode == 'fcgid' -%> +<% if @run_mode == 'fcgid' -%> RewriteEngine On RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-d RewriteRule ^/?index.php/(.*)$ /index.php?title=$1 [PT,L,QSA] <% end -%> <%= scope.function_template(['apache/vhosts/php/partial.erb']) %> - <Directory "<%= documentroot %>/typo3/"> - RewriteEngine on - - # Rewrite URLs to https that go for the admin area - RewriteCond %{REMOTE_ADDR} !^127\.[0-9]+\.[0-9]+\.[0-9]+$ - RewriteCond %{HTTPS} !=on - RewriteCond %{REQUEST_URI} (.*/typo3/.*) - RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R] - </Directory> diff --git a/templates/vhosts/php_silverstripe/partial.erb b/templates/vhosts/php_silverstripe/partial.erb index 89a6052..75a8193 100644 --- a/templates/vhosts/php_silverstripe/partial.erb +++ b/templates/vhosts/php_silverstripe/partial.erb @@ -1,16 +1,12 @@ -<% if vhost_part != :ssl && ![false,'false'].include?(ssl_mode) -%> - # silverstripe - RedirectMatch /admin(.*) https://<%= servername %>/admin$1 - RedirectMatch /Security(.*) https://<%= servername %>/Security$1 - -<% end -%> - <Directory "<%= documentroot %>/"> + # silverstripe + RewriteEngine On + RewriteCond %{HTTPS} !=on + RewriteCond %{HTTP:X-Forwarded-Proto} !=https + RewriteRule /(Security|admin)(.*) https://%{HTTP_HOST}/admin$1$2 [L,R,NE] + <Directory "<%= @documentroot %>/"> <%= scope.function_template(['apache/vhosts/partials/std_override_options.erb']) %> - <%= scope.function_template(['apache/vhosts/partials/php_settings.erb']) %> - <%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %> - - Include include.d/silverstripe.inc - </Directory> + Include include.d/silverstripe.inc + </Directory> diff --git a/templates/vhosts/php_typo3/partial.erb b/templates/vhosts/php_typo3/partial.erb index 5c06570..afb756d 100644 --- a/templates/vhosts/php_typo3/partial.erb +++ b/templates/vhosts/php_typo3/partial.erb 
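Review bot: The new silverstripe rule `RewriteRule /(Security|admin)(.*) https://%{HTTP_HOST}/admin$1$2 [L,R,NE]` prefixes `/admin` to whichever alternative matched, so `/Security/login` is redirected to `/adminSecurity/login` and `/admin/pages` to `/adminadmin/pages`, whereas the removed `RedirectMatch` pair preserved each path. The target should be `https://%{HTTP_HOST}/$1$2`, and anchoring the pattern as `^/(Security|admin)(.*)` keeps it from firing on paths that merely contain `/admin`. The removed `![false,'false'].include?(ssl_mode)` guard also means the redirect is now emitted for vhosts that have no SSL counterpart, unless something outside this diff guarantees one.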
@@ -1,10 +1,10 @@ <%= scope.function_template(['apache/vhosts/php/partial.erb']) %> - <Directory "<%= documentroot %>/typo3/"> - RewriteEngine on + <Directory "<%= @documentroot %>/typo3/"> + RewriteEngine on - # Rewrite URLs to https that go for the admin area - RewriteCond %{REMOTE_ADDR} !^127\.[0-9]+\.[0-9]+\.[0-9]+$ - RewriteCond %{HTTPS} !=on - RewriteCond %{REQUEST_URI} (.*/typo3/.*) - RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R] - </Directory> + # Rewrite URLs to https that go for the admin area + RewriteCond %{HTTPS} !=on + RewriteCond %{HTTP:X-Forwarded-Proto} !=https + RewriteCond %{REQUEST_URI} (.*/typo3/.*) + RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R,NE] + </Directory> diff --git a/templates/vhosts/php_wordpress/partial.erb b/templates/vhosts/php_wordpress/partial.erb index 972ab99..5e6ebd5 100644 --- a/templates/vhosts/php_wordpress/partial.erb +++ b/templates/vhosts/php_wordpress/partial.erb @@ -1,6 +1,19 @@ <%= scope.function_template(['apache/vhosts/php/partial.erb']) %> -# fixes: http://git.zx2c4.com/w3-total-fail/tree/w3-total-fail.sh -<Directory "<%= documentroot %>/wp-content/w3tc/dbcache"> - Deny From All -</Directory> + # fixes: http://git.zx2c4.com/w3-total-fail/tree/w3-total-fail.sh + <Directory "<%= @documentroot %>/wp-content/w3tc/dbcache"> + Deny From All + </Directory> + + # simple wp-login brute force protection + # http://www.frameloss.org/2013/04/26/even-easier-brute-force-login-protection-for-wordpress/ + RewriteEngine On + RewriteCond %{HTTP_COOKIE} !<%= cookie = scope.function_sha1([scope.function_fqdn_rand([9999999999999,@name]).to_s + "cookie"]) %> + RewriteRule ^/wp-login.php /wordpress-login-<%= tmpuri = scope.function_sha1([scope.function_fqdn_rand([9999999999999,@name]).to_s + "wp-login"]) %>.php [R,L] + <Location /wordpress-login-<%= tmpuri %>.php> + CookieTracking on + CookieExpires 30 + CookieName <%= cookie %> + </Location> + RewriteRule ^/wordpress-login-<%= tmpuri %>.php /wp-login.php [NE] + 
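Review bot: The wordpress login-cookie name and the alternate login URI are `sha1(fqdn_rand(...) + constant)`, and `fqdn_rand` is a deterministic function of the node's FQDN and the seed (`@name`), not a secret, so anyone who knows the host and vhost name can recompute both values; this only filters bots that ignore redirects and cookies. Say so in the comment so nobody treats it as an access control: `# deters bots that do not follow redirects/cookies; the token is derived from the FQDN, not secret`. The `CookieTracking`/`CookieName` directives need mod_usertrack but are not wrapped in `<IfModule mod_usertrack.c>`, unlike the mpm_itk, mod_fcgid and mod_security blocks elsewhere in this diff, and the final `RewriteRule ^/wordpress-login-...php /wp-login.php [NE]` lacks `L` and leaves the `.` in the pattern unescaped.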
diff --git a/templates/vhosts/proxy/partial.erb b/templates/vhosts/proxy/partial.erb index bbf3c64..0eecf82 100644 --- a/templates/vhosts/proxy/partial.erb +++ b/templates/vhosts/proxy/partial.erb @@ -1,8 +1,8 @@ - <Proxy *> - Order deny,allow - Allow from all + <Proxy *> + Order deny,allow + Allow from all <%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %> - </Proxy> - ProxyRequests Off - ProxyPass / <%= options %>/ - ProxyPassReverse / <%= options %>/ + </Proxy> + ProxyRequests Off + ProxyPass / <%= @options %>/ + ProxyPassReverse / <%= @options %>/ diff --git a/templates/vhosts/redirect/partial.erb b/templates/vhosts/redirect/partial.erb index 3b7af7a..c8d7d11 100644 --- a/templates/vhosts/redirect/partial.erb +++ b/templates/vhosts/redirect/partial.erb @@ -1 +1 @@ - Redirect permanent / https://<%= options %> + Redirect permanent / https://<%= @options %> diff --git a/templates/vhosts/static/partial.erb b/templates/vhosts/static/partial.erb index f2cc46b..dc6f11c 100644 --- a/templates/vhosts/static/partial.erb +++ b/templates/vhosts/static/partial.erb @@ -1,5 +1,4 @@ - <Directory "<%= documentroot %>/"> + <Directory "<%= @documentroot %>/"> <%= scope.function_template(['apache/vhosts/partials/std_override_options.erb']) %> - <%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %> - </Directory> + </Directory> diff --git a/templates/vhosts/webdav/partial.erb b/templates/vhosts/webdav/partial.erb index d89da50..09ce632 100644 --- a/templates/vhosts/webdav/partial.erb +++ b/templates/vhosts/webdav/partial.erb 
@@ -1,21 +1,21 @@ - DAVLockDB <%= real_dav_db_dir %>/DAVLock - <Directory "<%= documentroot %>/"> - Dav on - AllowOverride None - <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> - Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- unless options.include?('Indexes') then -%> Indexes<%- end -%> + DAVLockDB <%= @real_dav_db_dir %>/DAVLock + <Directory "<%= @documentroot %>/"> + Dav on + AllowOverride None +<% if @options.to_s != 'absent' || @do_includes.to_s == 'true' -%> + Options <% unless @options.to_s == 'absent' -%><%= @options %><% end -%><% unless @options.include?('Indexes') -%> Indexes<%- end -%> - <%- else -%> - Options Indexes +<% else -%> + Options Indexes - <%- end -%> +<% end -%> <%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %> - <%- if ldap_auth.to_s == 'true' then -%> - Include include.d/ldap_auth.inc - <%- unless ldap_user.to_s == 'any' -%> - Require ldap-user <%= ldap_user.to_s %> - <%- else -%> - Require valid-user - <%- end -%> - <%- end -%> - </Directory> +<% if @ldap_auth.to_s == 'true' then -%> + Include include.d/ldap_auth.inc +<% unless ldap_user.to_s == 'any' -%> + Require ldap-user <%= ldap_user.to_s %> +<% else -%> + Require valid-user +<% end + end -%> + </Directory> |