From 94154f5877a041058e2b083cff1047604d14f202 Mon Sep 17 00:00:00 2001 From: mh Date: Wed, 12 Jun 2013 00:50:20 +0200 Subject: remove unnecessary template part from mediawiki we also have likely anonymization in place, hence all ips are from localhost --- templates/vhosts/php_mediawiki/partial.erb | 9 --------- templates/vhosts/php_typo3/partial.erb | 1 - 2 files changed, 10 deletions(-) diff --git a/templates/vhosts/php_mediawiki/partial.erb b/templates/vhosts/php_mediawiki/partial.erb index cf30f5f..4a37aec 100644 --- a/templates/vhosts/php_mediawiki/partial.erb +++ b/templates/vhosts/php_mediawiki/partial.erb @@ -5,12 +5,3 @@ RewriteRule ^/?index.php/(.*)$ /index.php?title=$1 [PT,L,QSA] <% end -%> <%= scope.function_template(['apache/vhosts/php/partial.erb']) %> - /typo3/"> - RewriteEngine on - - # Rewrite URLs to https that go for the admin area - RewriteCond %{REMOTE_ADDR} !^127\.[0-9]+\.[0-9]+\.[0-9]+$ - RewriteCond %{HTTPS} !=on - RewriteCond %{REQUEST_URI} (.*/typo3/.*) - RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R] - diff --git a/templates/vhosts/php_typo3/partial.erb b/templates/vhosts/php_typo3/partial.erb index 5c06570..117869f 100644 --- a/templates/vhosts/php_typo3/partial.erb +++ b/templates/vhosts/php_typo3/partial.erb @@ -3,7 +3,6 @@ RewriteEngine on # Rewrite URLs to https that go for the admin area - RewriteCond %{REMOTE_ADDR} !^127\.[0-9]+\.[0-9]+\.[0-9]+$ RewriteCond %{HTTPS} !=on RewriteCond %{REQUEST_URI} (.*/typo3/.*) RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R] -- cgit v1.2.3 From 8ec33f650271c95c7a02983b7950ad7276fae189 Mon Sep 17 00:00:00 2001 From: mh Date: Tue, 13 Aug 2013 13:57:02 +0200 Subject: be more efficient when cleaning up the webdirectory --- manifests/vhost/webdir.pp | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/manifests/vhost/webdir.pp b/manifests/vhost/webdir.pp index c9729f0..507ab25 100644 --- a/manifests/vhost/webdir.pp +++ b/manifests/vhost/webdir.pp 
@@ -68,6 +68,11 @@ define apache::vhost::webdir( } case $ensure { absent: { + exec{"cleanup_webdir_${real_path}": + command => "rm -rf ${real_path}", + onlyif => "test -d ${real_path}", + before => File[$real_path], + } file{$real_path: ensure => absent, purge => true, -- cgit v1.2.3 From ae8c350b15952fb92a77bbf21f47565c768fb1c8 Mon Sep 17 00:00:00 2001 From: o Date: Thu, 12 Sep 2013 20:14:35 +0200 Subject: pass the php_tmp_dir option to fcgid --- manifests/vhost/php/standard.pp | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/manifests/vhost/php/standard.pp b/manifests/vhost/php/standard.pp index 53fa8f9..a4f46b6 100644 --- a/manifests/vhost/php/standard.pp +++ b/manifests/vhost/php/standard.pp @@ -190,11 +190,12 @@ define apache::vhost::php::standard( include apache::include::mod_fcgid mod_fcgid::starter {$name: - cgi_type => 'php', + cgi_type => 'php', cgi_type_options => $real_php_settings, - owner => $run_uid, - group => $run_gid, - notify => Service['apache'], + owner => $run_uid, + group => $run_gid, + notify => Service['apache'], + php_tmp_dir => $real_php_settings[php_tmp_dir] } } default: { include ::php } -- cgit v1.2.3 From cb5fc23d113fc0e383f6d891399b4385eb952cf3 Mon Sep 17 00:00:00 2001 From: o Date: Thu, 12 Sep 2013 20:34:10 +0200 Subject: initialize the variable --- manifests/vhost/php/standard.pp | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/manifests/vhost/php/standard.pp b/manifests/vhost/php/standard.pp index a4f46b6..f724580 100644 --- a/manifests/vhost/php/standard.pp +++ b/manifests/vhost/php/standard.pp 
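Review bot: The new exec interpolates `$real_path` unquoted into a shell command, `rm -rf ${real_path}`, so a value containing whitespace or shell metacharacters removes something other than the webdir, and an empty value or `/` would be destructive; nothing in the hunk validates it. Quote the argument in both commands, `command => "rm -rf '${real_path}'"` and `onlyif => "test -d '${real_path}'"`, and reject empty or root paths before the resource (stdlib's `validate_absolute_path($real_path)` is a reasonable first check). The exec also sets no `path`, so it presumably relies on an `Exec` resource default declared elsewhere; a one-line comment on the resource saying so would help the next reader. The enclosing `apache::vhost::webdir` define starts and ends outside the hunk.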
@@ -118,11 +118,12 @@ define apache::vhost::php::standard( $std_php_settings = { - engine => 'On', - upload_tmp_dir => "/var/www/upload_tmp_dir/${name}", + engine => 'On', + upload_tmp_dir => "/var/www/upload_tmp_dir/${name}", 'session.save_path' => "/var/www/session.save_path/${name}", - open_basedir => "${smarty_path}${pear_path}${documentroot}:/var/www/upload_tmp_dir/${name}:/var/www/session.save_path/${name}", - safe_mode => 'On', + open_basedir => "${smarty_path}${pear_path}${documentroot}:/var/www/upload_tmp_dir/${name}:/var/www/session.save_path/${name}", + safe_mode => 'On', + php_tmp_dir => false, } if $logmode != 'nologs' { $std_php_settings[error_log] = "${logdir}/php_error_log" -- cgit v1.2.3 From 76ded9761da817a5d72e14a23b49582c1127aacd Mon Sep 17 00:00:00 2001 From: o Date: Thu, 12 Sep 2013 20:59:22 +0200 Subject: remove the variable again --- manifests/vhost/php/standard.pp | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/manifests/vhost/php/standard.pp b/manifests/vhost/php/standard.pp index f724580..3c98a8a 100644 --- a/manifests/vhost/php/standard.pp +++ b/manifests/vhost/php/standard.pp @@ -122,8 +122,7 @@ define apache::vhost::php::standard( upload_tmp_dir => "/var/www/upload_tmp_dir/${name}", 'session.save_path' => "/var/www/session.save_path/${name}", open_basedir => "${smarty_path}${pear_path}${documentroot}:/var/www/upload_tmp_dir/${name}:/var/www/session.save_path/${name}", - safe_mode => 'On', - php_tmp_dir => false, + safe_mode => 'On' } if $logmode != 'nologs' { $std_php_settings[error_log] = "${logdir}/php_error_log" 
@@ -191,12 +190,12 @@ define apache::vhost::php::standard( include apache::include::mod_fcgid mod_fcgid::starter {$name: + php_tmp_dir => $real_php_settings[php_tmp_dir], cgi_type => 'php', - cgi_type_options => $real_php_settings, + cgi_type_options => delete($real_php_settings, php_tmp_dir), owner => $run_uid, group => $run_gid, notify => Service['apache'], - php_tmp_dir => $real_php_settings[php_tmp_dir] } } default: { include ::php } -- cgit v1.2.3 From c651a8eeabe12d1126e1b095f178fe8bef105f66 Mon Sep 17 00:00:00 2001 From: mh Date: Wed, 18 Sep 2013 23:12:43 +0200 Subject: joomla requires allow_url_fopen to update itself :( http://docs.joomla.org/Security_Checklist/Hosting_and_Server_Setup#Use_allow_url_fopen --- manifests/vhost/php/joomla.pp | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/manifests/vhost/php/joomla.pp b/manifests/vhost/php/joomla.pp index 3962efa..78b392e 100644 --- a/manifests/vhost/php/joomla.pp +++ b/manifests/vhost/php/joomla.pp @@ -97,6 +97,11 @@ define apache::vhost::php::joomla( $real_mod_security_additional_options = $mod_security_additional_options } + $std_joomla_php_settings = { + 'allow_url_fopen' => 'on', + 'allow_url_include' => 'off', + } + # create vhost configuration file ::apache::vhost::php::webapp{ $name: @@ -115,7 +120,7 @@ define apache::vhost::php::joomla( run_uid => $run_uid, run_gid => $run_gid, allow_override => $allow_override, - php_settings => $php_settings, + php_settings => merge($std_joomla_php_settings, $php_settings), php_options => $php_options, do_includes => $do_includes, options => $options, -- cgit v1.2.3 From 433427998f99a255d9e997d2a580f694d0d1a2f8 Mon Sep 17 00:00:00 2001 From: mh Date: Wed, 9 Oct 2013 23:18:09 +0200 Subject: make it possible to only log error_logs --- templates/vhosts/partials/logs.erb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/templates/vhosts/partials/logs.erb b/templates/vhosts/partials/logs.erb index 68403a8..2ee736a 100644 
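Review bot: `php_tmp_dir => $real_php_settings[php_tmp_dir]` passes undef whenever the caller's settings carry no such key (the `php_tmp_dir => false` default was removed again in the hunk above), so `mod_fcgid::starter` receives an unset parameter unless it declares its own default; that contract is not visible here and deserves a comment on the resource. The key is also written as a bareword, both as subscript and in `delete($real_php_settings, php_tmp_dir)`, while the settings hash itself quotes its keys (`'session.save_path'`); writing `'php_tmp_dir'` in both places keeps the style consistent and avoids relying on bareword-to-string coercion. The enclosing define starts and ends outside the hunk.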
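Review bot: `merge($std_joomla_php_settings, $php_settings)` puts the caller's settings last, so a caller passing `allow_url_include => 'on'` silently overrides the `'off'` this commit introduces; `allow_url_fopen` has to stay overridable (that is the point of the change), but `allow_url_include` reads like a floor that should win. If so, merge it after the caller's hash, e.g. `php_settings => merge($std_joomla_php_settings, $php_settings, {'allow_url_include' => 'off'}),`, and state in the define's header comment that `allow_url_fopen` is on by default because Joomla's self-update needs it (the linked checklist is the rationale). The enclosing `apache::vhost::php::joomla` define starts and ends outside these hunks.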
--- a/templates/vhosts/partials/logs.erb +++ b/templates/vhosts/partials/logs.erb @@ -2,6 +2,9 @@ when 'nologs' -%> ErrorLog /dev/null CustomLog /dev/null +<% when 'noaccess' -%> + ErrorLog <%= logdir %>/<%= logprefix %>error_log + CustomLog /dev/null <% when 'semianonym' -%> ErrorLog <%= logdir %>/<%= logprefix %>error_log CustomLog <%= logdir %>/<%= logprefix %>access_log noip -- cgit v1.2.3 From c3a52f63c2a97b8d6135bd3131b36550d97d388a Mon Sep 17 00:00:00 2001 From: mh Date: Wed, 23 Oct 2013 11:56:26 +0200 Subject: we need to pass a second argument --- templates/vhosts/partials/logs.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/vhosts/partials/logs.erb b/templates/vhosts/partials/logs.erb index 2ee736a..711c382 100644 --- a/templates/vhosts/partials/logs.erb +++ b/templates/vhosts/partials/logs.erb @@ -4,7 +4,7 @@ CustomLog /dev/null <% when 'noaccess' -%> ErrorLog <%= logdir %>/<%= logprefix %>error_log - CustomLog /dev/null + CustomLog /dev/null noip <% when 'semianonym' -%> ErrorLog <%= logdir %>/<%= logprefix %>error_log CustomLog <%= logdir %>/<%= logprefix %>access_log noip -- cgit v1.2.3 From 26e498007ae101aba154acc8435729768e9590ff Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 28 Dec 2013 17:26:14 +0100 Subject: reduce dependency on lsb modules, rather use the builtin facts --- README | 2 +- manifests/centos.pp | 6 +-- manifests/config/file.pp | 30 ++++++++------- manifests/debian.pp | 34 +++++++++-------- manifests/defaultphpdirs.pp | 6 +-- manifests/vhost/file.pp | 63 +++++++++++++++++--------------- manifests/vhost/file/documentrootfile.pp | 26 +++++++------ manifests/vhost/php/joomla.pp | 2 +- 8 files changed, 90 insertions(+), 79 deletions(-) diff --git a/README b/README index 6eee262..c67c255 100644 --- a/README +++ b/README 
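Review bot: The new `noaccess` mode keeps a normal ErrorLog while discarding the access log, but Apache's request-related error-log entries still carry the client address, so this is not an anonymised mode in the way `semianonym`/`anonym` are; a comment on the `when 'noaccess'` branch saying that the error log is unanonymised would prevent that assumption. The value is also missing from the logmode lists in the define header comments (`manifests/vhost/file.pp` and `manifests/vhost/php/standard.pp` enumerate the other modes); add a line such as `# - noaccess: log normal ErrorLog, send CustomLog to /dev/null` there.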
@@ -144,7 +144,7 @@ modules/site_apache/{templates,files}/vhosts.d, searched in this order: "puppet:///modules/site_apache/vhosts.d/${::fqdn}/${name}.conf", "puppet:///modules/site_apache/vhosts.d/{$apache::cluster_node}/${name}.conf", - "puppet:///modules/site_apache/vhosts.d/${::operatingsystem}.${::lsbdistcodename}/${name}.conf", + "puppet:///modules/site_apache/vhosts.d/${::operatingsystem}.${::operatingsystemmajrelease}/${name}.conf", "puppet:///modules/site_apache/vhosts.d/${::operatingsystem}/${name}.conf", "puppet:///modules/site_apache/vhosts.d/${name}.conf", diff --git a/manifests/centos.pp b/manifests/centos.pp index caf46ce..02adf77 100644 --- a/manifests/centos.pp +++ b/manifests/centos.pp @@ -28,12 +28,12 @@ class apache::centos inherits apache::package { path => '/var/www/html/index.html', } - if $::selinux != 'false' { + if str2bool($::selinux) { Selinux::Fcontext{ before => File[web_dir], } - $seltype_rw = $::lsbmajdistrelease ? { - 5 => 'httpd_sys_script_rw_t', + $seltype_rw = $::operatingsystemmajrelease ? { + 5 => 'httpd_sys_script_rw_t', default => 'httpd_sys_rw_content_t' } selinux::fcontext{ diff --git a/manifests/config/file.pp b/manifests/config/file.pp index 308da68..29e6736 100644 --- a/manifests/config/file.pp +++ b/manifests/config/file.pp @@ -25,10 +25,12 @@ define apache::config::file( default => $destination } file{"apache_${name}": - ensure => $ensure, - path => $real_destination, - notify => Service[apache], - owner => root, group => 0, mode => 0644; + ensure => $ensure, + path => $real_destination, + notify => Service[apache], + owner => root, + group => 0, + mode => '0644'; } if $ensure == 'present' { case $content { 
@@ -37,10 +39,10 @@ define apache::config::file( 'absent' => [ "puppet:///modules/site_apache/${confdir}/${::fqdn}/${name}", "puppet:///modules/site_apache/${confdir}/${apache::cluster_node}/${name}", - "puppet:///modules/site_apache/${confdir}/${::operatingsystem}.${::lsbdistcodename}/${name}", + "puppet:///modules/site_apache/${confdir}/${::operatingsystem}.${::operatingsystemmajrelease}/${name}", "puppet:///modules/site_apache/${confdir}/${::operatingsystem}/${name}", "puppet:///modules/site_apache/${confdir}/${name}", - "puppet:///modules/apache/${confdir}/${::operatingsystem}.${::lsbdistcodename}/${name}", + "puppet:///modules/apache/${confdir}/${::operatingsystem}.${::operatingsystemmajrelease}/${name}", "puppet:///modules/apache/${confdir}/${::operatingsystem}/${name}", "puppet:///modules/apache/${confdir}/${name}" ], 
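Review bot: Switching the search path from `${::operatingsystem}.${::lsbdistcodename}` to `${::operatingsystem}.${::operatingsystemmajrelease}` changes the directory name site overrides must live in, and because `source` is a fallback list an override left in a codename-named directory silently falls through to the more generic file instead of failing. The commit message does not mention this; a note in the README and in this define's header comment stating that site_apache override directories are now named `<operatingsystem>.<majrelease>` would catch it at upgrade time. The same applies to the hunks in `manifests/debian.pp`, `manifests/vhost/file.pp` and `manifests/vhost/file/documentrootfile.pp`. The enclosing `apache::config::file` define starts and ends outside the hunk.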
@@ -55,14 +57,14 @@ define apache::config::file( 'absent': { $real_source = $source ? { 'absent' => [ - "puppet://${server}/modules/site-apache/${confdir}/${fqdn}/${name}", - "puppet://${server}/modules/site-apache/${confdir}/${apache_cluster_node}/${name}", - "puppet://${server}/modules/site-apache/${confdir}/${operatingsystem}.${lsbdistcodename}/${name}", - "puppet://${server}/modules/site-apache/${confdir}/${operatingsystem}/${name}", - "puppet://${server}/modules/site-apache/${confdir}/${name}", - "puppet://${server}/modules/apache/${confdir}/${operatingsystem}.${lsbdistcodename}/${name}", - "puppet://${server}/modules/apache/${confdir}/${operatingsystem}/${name}", - "puppet://${server}/modules/apache/${confdir}/${name}" + "puppet:///modules/site-apache/${confdir}/${::fqdn}/${name}", + "puppet:///modules/site-apache/${confdir}/${apache::cluster_node}/${name}", + "puppet:///modules/site-apache/${confdir}/${::operatingsystem}.${::operatingsystemmajrelease}/${name}", + "puppet:///modules/site-apache/${confdir}/${::operatingsystem}/${name}", + "puppet:///modules/site-apache/${confdir}/${name}", + "puppet:///modules/apache/${confdir}/${::operatingsystem}.${::operatingsystemmajrelease}/${name}", + "puppet:///modules/apache/${confdir}/${::operatingsystem}/${name}", + "puppet:///modules/apache/${confdir}/${name}" ], default => $source, } diff --git a/manifests/debian.pp b/manifests/debian.pp index 345feae..7d1191d 100644 --- a/manifests/debian.pp +++ b/manifests/debian.pp 
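Review bot: The rewritten source list uses `modules/site-apache/...` with a hyphen, whereas the `'absent'` branch in the hunk above and every other file in this commit use `site_apache`; a hyphenated name is not a valid Puppet module name, so these five entries can never match and the lookup silently drops to the `modules/apache/...` defaults. Since the lines were rewritten anyway (server prefix and fact scoping), change the five `site-apache` entries to `site_apache` in the same pass. The enclosing define starts and ends outside the hunk.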
@@ -3,36 +3,38 @@ class apache::debian inherits apache::package { $config_dir = '/etc/apache2' Package[apache] { - name => 'apache2', + name => 'apache2', } File[vhosts_dir] { - path => "${config_dir}/sites-enabled", + path => "${config_dir}/sites-enabled", } File[modules_dir] { - path => "${config_dir}/mods-enabled", + path => "${config_dir}/mods-enabled", } File[htpasswd_dir] { - path => "/var/www/htpasswds", - group => 'www-data', + path => '/var/www/htpasswds', + group => 'www-data', } File[default_apache_index] { - path => '/var/www/index.html', + path => '/var/www/index.html', } file { 'apache_main_config': - path => "${config_dir}/apache2.conf", - source => [ "puppet:///modules/site_apache/config/Debian/{$::fqdn}/apache2.conf", - "puppet:///modules/site_apache/config/Debian.${::lsbdistcodename}/apache2.conf", - "puppet:///modules/site_apache/config/Debian/apache2.conf", - "puppet:///modules/apache/config/Debian/apache2.conf" ], - require => Package['apache'], - notify => Service['apache'], - owner => root, group => 0, mode => 0644; + path => "${config_dir}/apache2.conf", + source => ["puppet:///modules/site_apache/config/Debian/${::fqdn}/apache2.conf", + "puppet:///modules/site_apache/config/Debian.${::operatingsystemmajrelease}/apache2.conf", + 'puppet:///modules/site_apache/config/Debian/apache2.conf', + 'puppet:///modules/apache/config/Debian/apache2.conf' ], + require => Package['apache'], + notify => Service['apache'], + owner => root, + group => 0, + mode => '0644'; } apache::config::global{ 'charset': } apache::config::global{ 'security': } file { 'default_debian_apache_vhost': - path => '/etc/apache2/sites-enabled/000-default', - ensure => absent, + ensure => absent, + path => '/etc/apache2/sites-enabled/000-default', } } diff --git a/manifests/defaultphpdirs.pp b/manifests/defaultphpdirs.pp index 5485241..595744b 100644 --- a/manifests/defaultphpdirs.pp +++ b/manifests/defaultphpdirs.pp 
@@ -15,9 +15,9 @@ class apache::defaultphpdirs { mode => '0755'; } - if $::selinux != 'false' { - $seltype_rw = $::lsbmajdistrelease ? { - 5 => 'httpd_sys_script_rw_t', + if str2bool($::selinux) { + $seltype_rw = $::operatingsystemmajrelease ? { + 5 => 'httpd_sys_script_rw_t', default => 'httpd_sys_rw_content_t' } selinux::fcontext{ diff --git a/manifests/vhost/file.pp b/manifests/vhost/file.pp index b42c4ce..9155cfc 100644 --- a/manifests/vhost/file.pp +++ b/manifests/vhost/file.pp 
@@ -33,42 +33,45 @@ # - semianonym: Don't log ips for CustomLog, log normal ErrorLog # # -# mod_security: Whether we use mod_security or not (will include mod_security module) +# mod_security: Whether we use mod_security or not +# (will include mod_security module) # - false: (*default*) don't activate mod_security # - true: activate mod_security # define apache::vhost::file( - $ensure = present, - $vhost_source = 'absent', - $vhost_destination = 'absent', - $content = 'absent', - $do_includes = false, - $run_mode = 'normal', - $logmode = 'default', - $ssl_mode = false, - $mod_security = false, - $htpasswd_file = 'absent', - $htpasswd_path = 'absent', - $use_mod_macro = false + $ensure = present, + $vhost_source = 'absent', + $vhost_destination = 'absent', + $content = 'absent', + $do_includes = false, + $run_mode = 'normal', + $logmode = 'default', + $ssl_mode = false, + $mod_security = false, + $htpasswd_file = 'absent', + $htpasswd_path = 'absent', + $use_mod_macro = false ){ $vhosts_dir = $::operatingsystem ? { - centos => "${apache::centos::config_dir}/vhosts.d", - gentoo => "${apache::gentoo::config_dir}/vhosts.d", - debian => "${apache::debian::config_dir}/sites-enabled", - ubuntu => "${apache::ubuntu::config_dir}/sites-enabled", + centos => "${apache::centos::config_dir}/vhosts.d", + gentoo => "${apache::gentoo::config_dir}/vhosts.d", + debian => "${apache::debian::config_dir}/sites-enabled", + ubuntu => "${apache::ubuntu::config_dir}/sites-enabled", openbsd => "${apache::openbsd::config_dir}/vhosts.d", default => '/etc/apache2/vhosts.d', } $real_vhost_destination = $vhost_destination ? 
{ - 'absent' => "${vhosts_dir}/${name}.conf", - default => $vhost_destination, + 'absent' => "${vhosts_dir}/${name}.conf", + default => $vhost_destination, } file{"${name}.conf": - ensure => $ensure, - path => $real_vhost_destination, + ensure => $ensure, + path => $real_vhost_destination, require => File[vhosts_dir], - notify => Service[apache], - owner => root, group => 0, mode => 0644; + notify => Service[apache], + owner => root, + group => 0, + mode => '0644'; } if $ensure != 'absent' { if $do_includes { @@ -98,12 +101,12 @@ define apache::vhost::file( 'absent': { $real_vhost_source = $vhost_source ? { 'absent' => [ - "puppet:///modules/site_apache/vhosts.d/${::fqdn}/${name}.conf", - "puppet:///modules/site_apache/vhosts.d/{$apache::cluster_node}/${name}.conf", - "puppet:///modules/site_apache/vhosts.d/${::operatingsystem}.${::lsbdistcodename}/${name}.conf", + "puppet:///modules/site_apache/vhosts.d/{::fqdn}/${name}.conf", + "puppet:///modules/site_apache/vhosts.d/${apache::cluster_node}/${name}.conf", + "puppet:///modules/site_apache/vhosts.d/${::operatingsystem}.${::operatingsystemmajrelease}/${name}.conf", "puppet:///modules/site_apache/vhosts.d/${::operatingsystem}/${name}.conf", "puppet:///modules/site_apache/vhosts.d/${name}.conf", - "puppet:///modules/apache/vhosts.d/${::operatingsystem}.${::lsbdistcodename}/${name}.conf", + "puppet:///modules/apache/vhosts.d/${::operatingsystem}.${::operatingsystemmajrelease}/${name}.conf", "puppet:///modules/apache/vhosts.d/${::operatingsystem}/${name}.conf", "puppet:///modules/apache/vhosts.d/${name}.conf" ], 
@@ -133,10 +136,12 @@ define apache::vhost::file( } if ($ensure!='absent') { File[$real_htpasswd_path]{ - source => [ "puppet:///modules/site_apache/htpasswds/${::fqdn}/${name}", + source => [ "puppet:///modules/site_apache/htpasswds/${::fqdn}/${name}", "puppet:///modules/site_apache/htpasswds/${apache::cluster_node}/${name}", "puppet:///modules/site_apache/htpasswds/${name}" ], - owner => root, group => 0, mode => 0644, + owner => root, + group => 0, + mode => '0644', } } } diff --git a/manifests/vhost/file/documentrootfile.pp b/manifests/vhost/file/documentrootfile.pp index 610d71c..c5bc72a 100644 --- a/manifests/vhost/file/documentrootfile.pp +++ b/manifests/vhost/file/documentrootfile.pp 
@@ -1,25 +1,27 @@ +# place a file in the documentroot define apache::vhost::file::documentrootfile( - $documentroot, - $filename, - $thedomain, - $owner='root', - $group='0', - $mode=440 + $documentroot, + $filename, + $thedomain, + $owner = 'root', + $group = '0', + $mode = '0440', ){ file{"${documentroot}/$(unknown)": source => [ "puppet:///modules/site_apache/vhost_varieties/${::fqdn}/${thedomain}/$(unknown)", "puppet:///modules/site_apache/vhost_varieties/${apache::cluster_node}/${thedomain}/$(unknown)", - "puppet:///modules/site_apache/vhost_varieties/${::operatingsystem}.${::lsbdistcodename}/${thedomain}/$(unknown)", + "puppet:///modules/site_apache/vhost_varieties/${::operatingsystem}.${::operatingsystemmajrelease}/${thedomain}/$(unknown)", "puppet:///modules/site_apache/vhost_varieties/${::operatingsystem}/${thedomain}/$(unknown)", "puppet:///modules/site_apache/vhost_varieties/${thedomain}/$(unknown)", "puppet:///modules/apache/vhost_varieties/${thedomain}/$(unknown)", - "puppet:///modules/apache/vhost_varieties/${::operatingsystem}.${::lsbdistcodename}/${thedomain}/$(unknown)", + "puppet:///modules/apache/vhost_varieties/${::operatingsystem}.${::operatingsystemmajrelease}/${thedomain}/$(unknown)", "puppet:///modules/apache/vhost_varieties/${::operatingsystem}/${thedomain}/$(unknown)", - "puppet:///modules/apache/vhost_varieties/${thedomain}/$(unknown)" - ], - ensure => file, + "puppet:///modules/apache/vhost_varieties/${thedomain}/$(unknown)", + ], require => Apache::Vhost::Webdir[$thedomain], - owner => $owner, group => $group, mode => $mode; + owner => $owner, + group => $group, + mode => $mode; } } diff --git a/manifests/vhost/php/joomla.pp b/manifests/vhost/php/joomla.pp index 78b392e..30282e2 100644 --- a/manifests/vhost/php/joomla.pp +++ b/manifests/vhost/php/joomla.pp 
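Review bot: The `ensure => file,` line is dropped without replacement, so the resource now depends on whatever Puppet assumes for `ensure` when only `source` is set; if that implicit default is intended, say so in a comment, and if not, keep `ensure => file,` next to `source`, since a lint-only commit should not change behaviour. The new header comment `# place a file in the documentroot` could also list the parameters (`$documentroot`, `$filename`, `$thedomain` and the owner/group/mode defaults) so it matches the other defines' headers.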
@@ -73,7 +73,7 @@ define apache::vhost::php::joomla( if $mod_security_additional_options == 'absent' { $id_str = $::operatingsystem ? { - 'CentOS' => $::lsbmajdistrelease ? { + 'CentOS' => $::operatingsystemmajrelease ? { 5 => '', default => 'id:1199400,' }, -- cgit v1.2.3 From 9fabf0bf2af83980c2135486432b46ae87499457 Mon Sep 17 00:00:00 2001 From: mh Date: Sun, 29 Dec 2013 15:23:23 +0100 Subject: fix typo from the latest linting --- manifests/vhost/file.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/vhost/file.pp b/manifests/vhost/file.pp index 9155cfc..087d478 100644 --- a/manifests/vhost/file.pp +++ b/manifests/vhost/file.pp @@ -101,7 +101,7 @@ define apache::vhost::file( 'absent': { $real_vhost_source = $vhost_source ? { 'absent' => [ - "puppet:///modules/site_apache/vhosts.d/{::fqdn}/${name}.conf", + "puppet:///modules/site_apache/vhosts.d/${::fqdn}/${name}.conf", "puppet:///modules/site_apache/vhosts.d/${apache::cluster_node}/${name}.conf", "puppet:///modules/site_apache/vhosts.d/${::operatingsystem}.${::operatingsystemmajrelease}/${name}.conf", "puppet:///modules/site_apache/vhosts.d/${::operatingsystem}/${name}.conf", -- cgit v1.2.3 From e7e1cf15633fefe2f1fc1443c9ec4c01bd14abc9 Mon Sep 17 00:00:00 2001 From: o Date: Wed, 19 Feb 2014 13:20:58 +0100 Subject: don't redirect https traffic terminated beforehand --- templates/vhosts/default.erb | 1 + 1 file changed, 1 insertion(+) diff --git a/templates/vhosts/default.erb b/templates/vhosts/default.erb index 809cd9b..5201406 100644 --- a/templates/vhosts/default.erb +++ b/templates/vhosts/default.erb @@ -28,6 +28,7 @@ vhost_parts.each do |vhost_part| -%> <% if ssl_mode == 'force' && vhost_part == :normal -%> RewriteEngine On RewriteCond %{HTTPS} !=on + RewriteCond %{HTTP:X-Forwarded-Proto} !=https RewriteRule (.*) https://%{SERVER_NAME}$1 [R=permanent,L] <% else -%> <%= scope.function_templatewlv([template_partial, {'vhost_part' => vhost_part } ]) %> -- cgit v1.2.3 
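Review bot: `RewriteCond %{HTTP:X-Forwarded-Proto} !=https` trusts a request header any client can set, so on a host with no proxy in front a plain-HTTP request carrying `X-Forwarded-Proto: https` now skips the forced redirect. The condition should only be honoured for connections from the TLS terminator — either add a `RewriteCond %{REMOTE_ADDR}` matching the terminator's address (site-specific, so best driven from a template variable) or have the proxy strip the header from client requests — and say so in a comment next to the rule. The equivalent admin-area redirect in `templates/vhosts/php_typo3/partial.erb` has no such condition and would presumably loop behind the same terminator.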
From 266a521842e55c5afdb9fe849c3fe392bb0b4ae2 Mon Sep 17 00:00:00 2001 From: mh Date: Sun, 23 Feb 2014 14:38:49 +0100 Subject: linting --- manifests/openbsd.pp | 128 ++++++------ manifests/vhost/php/standard.pp | 430 ++++++++++++++++++++-------------------- manifests/vhost/static.pp | 114 +++++------ manifests/vhost/webdav.pp | 180 ++++++++--------- manifests/vhost/webdir.pp | 20 +- 5 files changed, 441 insertions(+), 431 deletions(-) diff --git a/manifests/openbsd.pp b/manifests/openbsd.pp index 1ba58f4..095f9ea 100644 --- a/manifests/openbsd.pp +++ b/manifests/openbsd.pp 
@@ -1,67 +1,73 @@ ### openbsd class apache::openbsd inherits apache::base { - $config_dir = '/var/www' + $config_dir = '/var/www' - File[vhosts_dir]{ - path => "$config_dir/vhosts.d", - } - File[modules_dir]{ - path => "$config_dir/conf/modules", - } - File[config_dir]{ - path => "$config_dir/conf.d", - } - File[include_dir]{ - path => "$config_dir/include.d", - } - File['htpasswd_dir']{ - group => www, - } - File[web_dir]{ - group => daemon, - } - file_line{'enable_apache_on_boot': - path => '/etc/rc.conf.local', - line => 'httpd flags=""', - } - file{'apache_main_config': - path => "${config_dir}/conf/httpd.conf", - source => [ "puppet:///modules/site_apache/config/OpenBSD/${::fqdn}/httpd.conf", - "puppet:///modules/site_apache/config/OpenBSD/${apache::cluster_node}/httpd.conf", - "puppet:///modules/site_apache/config/OpenBSD//httpd.conf", - "puppet:///modules/apache/config/OpenBSD/httpd.conf" ], - notify => Service['apache'], - owner => root, group => 0, mode => 0644; - } - File[default_apache_index] { - path => '/var/www/htdocs/default/www/index.html', - } - file{'/opt/bin/restart_apache.sh': - source => "puppet:///modules/apache/scripts/OpenBSD/bin/restart_apache.sh", - require => File['/opt/bin'], - owner => root, group => 0, mode => 0700; - } + File[vhosts_dir]{ + path => "${config_dir}/vhosts.d", + } + File[modules_dir]{ + path => "${config_dir}/conf/modules", + } + File[config_dir]{ + path => "${config_dir}/conf.d", + } + File[include_dir]{ + path => "${config_dir}/include.d", + } + File['htpasswd_dir']{ + group => www, + } + File[web_dir]{ + group => daemon, + } + file_line{'enable_apache_on_boot': + path => '/etc/rc.conf.local', + line => 'httpd flags=""', + } + file{'apache_main_config': + path => "${config_dir}/conf/httpd.conf", + source => ["puppet:///modules/site_apache/config/OpenBSD/${::fqdn}/httpd.conf", + "puppet:///modules/site_apache/config/OpenBSD/${apache::cluster_node}/httpd.conf", + 
'puppet:///modules/site_apache/config/OpenBSD//httpd.conf', + 'puppet:///modules/apache/config/OpenBSD/httpd.conf' ], + notify => Service['apache'], + owner => root, + group => 0, + mode => '0644'; + } + File[default_apache_index] { + path => '/var/www/htdocs/default/www/index.html', + } + file{'/opt/bin/restart_apache.sh': + source => 'puppet:///modules/apache/scripts/OpenBSD/bin/restart_apache.sh', + require => File['/opt/bin'], + owner => root, + group => 0, + mode => '0700'; + } - ::apache::vhost::webdir{'default': } + ::apache::vhost::webdir{'default': } - Service['apache']{ - restart => '/opt/bin/restart_apache.sh', - status => 'apachectl status', - start => 'apachectl start', - stop => 'apachectl stop', - } - file{'/opt/bin/apache_logrotate.sh': - source => "puppet:///modules/apache/scripts/OpenBSD/bin/apache_logrotate.sh", - require => File['/opt/bin'], - owner => root, group => 0, mode => 0700; - } - cron { 'update_apache_logrotation': - command => '/bin/sh /opt/bin/apache_logrotate.sh > /etc/newsyslog_apache.conf', - minute => '1', - hour => '1', - } - cron { 'run_apache_logrotation': - command => '/usr/bin/newsyslog -f /etc/newsyslog_apache.conf > /dev/null', - minute => '10', - } + Service['apache']{ + restart => '/opt/bin/restart_apache.sh', + status => 'apachectl status', + start => 'apachectl start', + stop => 'apachectl stop', + } + file{'/opt/bin/apache_logrotate.sh': + source => 'puppet:///modules/apache/scripts/OpenBSD/bin/apache_logrotate.sh', + require => File['/opt/bin'], + owner => root, + group => 0, + mode => '0700'; + } + cron { 'update_apache_logrotation': + command => '/bin/sh /opt/bin/apache_logrotate.sh > /etc/newsyslog_apache.conf', + minute => '1', + hour => '1', + } + cron { 'run_apache_logrotation': + command => '/usr/bin/newsyslog -f /etc/newsyslog_apache.conf > /dev/null', + minute => '10', + } } diff --git a/manifests/vhost/php/standard.pp b/manifests/vhost/php/standard.pp index 3c98a8a..2f381ce 100644 
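Review bot: The third source entry `'puppet:///modules/site_apache/config/OpenBSD//httpd.conf'` keeps a doubled slash that this relint only re-quoted; compared with the list in `manifests/debian.pp` it looks like either the generic site override `OpenBSD/httpd.conf` or a missing release-specific segment such as `OpenBSD.${::operatingsystemmajrelease}`, and it should be resolved rather than carried over. If it was meant as the release-specific path, that override is silently never consulted because the fallback list moves on to the next entry. The rest of the hunk is re-indentation and quoting and needs nothing further.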
--- a/manifests/vhost/php/standard.pp +++ b/manifests/vhost/php/standard.pp 
@@ -25,227 +25,231 @@ # - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null # - semianonym: Don't log ips for CustomLog, log normal ErrorLog define apache::vhost::php::standard( - $ensure = present, - $domain = 'absent', - $domainalias = 'absent', - $server_admin = 'absent', - $logmode = 'default', - $logpath = 'absent', - $path = 'absent', - $manage_webdir = true, - $path_is_webdir = false, - $manage_docroot = true, - $owner = root, - $group = apache, - $documentroot_owner = apache, - $documentroot_group = 0, - $documentroot_mode = 0640, - $run_mode = 'normal', - $run_uid = 'absent', - $run_gid = 'absent', - $allow_override = 'None', - $php_settings = {}, - $php_options = {}, - $do_includes = false, - $options = 'absent', - $additional_options = 'absent', - $default_charset = 'absent', - $use_mod_macro = false, - $mod_security = true, - $mod_security_relevantonly = true, - $mod_security_rules_to_disable = [], - $mod_security_additional_options = 'absent', - $ssl_mode = false, - $vhost_mode = 'template', - $template_partial = 'apache/vhosts/php/partial.erb', - $vhost_source = 'absent', - $vhost_destination = 'absent', - $htpasswd_file = 'absent', - $htpasswd_path = 'absent' + $ensure = present, + $domain = 'absent', + $domainalias = 'absent', + $server_admin = 'absent', + $logmode = 'default', + $logpath = 'absent', + $path = 'absent', + $manage_webdir = true, + $path_is_webdir = false, + $manage_docroot = true, + $owner = root, + $group = apache, + $documentroot_owner = apache, + $documentroot_group = 0, + $documentroot_mode = 0640, + $run_mode = 'normal', + $run_uid = 'absent', + $run_gid = 'absent', + $allow_override = 'None', + $php_settings = {}, + $php_options = {}, + $do_includes = false, + $options = 'absent', + $additional_options = 'absent', + $default_charset = 'absent', + $use_mod_macro = false, + $mod_security = true, + $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', 
+ $ssl_mode = false, + $vhost_mode = 'template', + $template_partial = 'apache/vhosts/php/partial.erb', + $vhost_source = 'absent', + $vhost_destination = 'absent', + $htpasswd_file = 'absent', + $htpasswd_path = 'absent' ){ - if $manage_webdir { - # create webdir - ::apache::vhost::webdir{$name: - ensure => $ensure, - path => $path, - owner => $owner, - group => $group, - run_mode => $run_mode, - manage_docroot => $manage_docroot, - documentroot_owner => $documentroot_owner, - documentroot_group => $documentroot_group, - documentroot_mode => $documentroot_mode, + if $manage_webdir { + # create webdir + ::apache::vhost::webdir{$name: + ensure => $ensure, + path => $path, + owner => $owner, + group => $group, + run_mode => $run_mode, + manage_docroot => $manage_docroot, + documentroot_owner => $documentroot_owner, + documentroot_group => $documentroot_group, + documentroot_mode => $documentroot_mode, + } + } + + $real_path = $path ? { + 'absent' => $::operatingsystem ? { + openbsd => "/var/www/htdocs/${name}", + default => "/var/www/vhosts/${name}" + }, + default => $path + } + + if $path_is_webdir { + $documentroot = $real_path + } else { + $documentroot = "${real_path}/www" + } + $logdir = $logpath ? 
{ + 'absent' => "${real_path}/logs", + default => $logpath + } + + $std_php_options = { + smarty => false, + pear => false, + } + $real_php_options = merge($std_php_options,$php_options) + + if $real_php_options[smarty] { + include php::extensions::smarty + $smarty_path = '/usr/share/php/Smarty/:' + } else { + $smarty_path = '' + } + + if $real_php_options[pear] { + $pear_path = '/usr/share/pear/:' + } else { + $pear_path = '' + } + + + $std_php_settings = { + engine => 'On', + upload_tmp_dir => "/var/www/upload_tmp_dir/${name}", + 'session.save_path' => "/var/www/session.save_path/${name}", + open_basedir => "${smarty_path}${pear_path}${documentroot}:/var/www/upload_tmp_dir/${name}:/var/www/session.save_path/${name}", + safe_mode => 'On' + } + if $logmode != 'nologs' { + $std_php_settings[error_log] = "${logdir}/php_error_log" + } + if $run_mode == 'fcgid' { + $std_php_settings[safe_mode_gid] = 'On' + } + + if has_key($php_settings,'safe_mode_exec_dir') { + $php_safe_mode_exec_dir = $php_settings[safe_mode_exec_dir] + } else { + $php_safe_mode_exec_dir = $path ? { + 'absent' => $::operatingsystem ? { + openbsd => "/var/www/htdocs/${name}/bin", + default => "/var/www/vhosts/${name}/bin" + }, + default => "${path}/bin" + } + } + file{$php_safe_mode_exec_dir: + recurse => true, + force => true, + purge => true, + } + if has_key($php_options,'safe_mode_exec_bins') { + $std_php_settings[safe_mode_exec_dir] = $php_safe_mode_exec_dir + $ensure_exec = $ensure ? 
{ + 'present' => directory, + default => 'absent', + } + File[$php_safe_mode_exec_dir]{ + ensure => $ensure_exec, + owner => $documentroot_owner, + group => $documentroot_group, + mode => '0750', + } + $php_safe_mode_exec_bins_subst = regsubst($php_options[safe_mode_exec_bins],'(.+)',"${name}@\\1") + apache::vhost::php::safe_mode_bin{ + $php_safe_mode_exec_bins_subst: + ensure => $ensure, + path => $php_safe_mode_exec_dir; + } + }else{ + File[$php_safe_mode_exec_dir]{ + ensure => absent, + } + } + + if !has_key($php_settings,'default_charset') { + if $default_charset != 'absent' { + $std_php_settings[default_charset] = $default_charset ? { + 'On' => 'iso-8859-1', + default => $default_charset } } + } - $real_path = $path ? { - 'absent' => $::operatingsystem ? { - openbsd => "/var/www/htdocs/${name}", - default => "/var/www/vhosts/${name}" - }, - default => $path - } + $real_php_settings = merge($std_php_settings,$php_settings) - if $path_is_webdir { - $documentroot = $real_path - } else { - $documentroot = "${real_path}/www" - } - $logdir = $logpath ? 
{ - 'absent' => "$real_path/logs", - default => $logpath - } - - $std_php_options = { - smarty => false, - pear => false, - } - $real_php_options = merge($std_php_options,$php_options) - - if $real_php_options[smarty] { - include php::extensions::smarty - $smarty_path = '/usr/share/php/Smarty/:' - } else { - $smarty_path = '' - } - - if $real_php_options[pear] { - $pear_path = '/usr/share/pear/:' - } else { - $pear_path = '' - } - - - $std_php_settings = { - engine => 'On', - upload_tmp_dir => "/var/www/upload_tmp_dir/${name}", - 'session.save_path' => "/var/www/session.save_path/${name}", - open_basedir => "${smarty_path}${pear_path}${documentroot}:/var/www/upload_tmp_dir/${name}:/var/www/session.save_path/${name}", - safe_mode => 'On' - } - if $logmode != 'nologs' { - $std_php_settings[error_log] = "${logdir}/php_error_log" - } - if $run_mode == 'fcgid' { - $std_php_settings[safe_mode_gid] = 'On' - } - - if has_key($php_settings,'safe_mode_exec_dir') { - $php_safe_mode_exec_dir = $php_settings[safe_mode_exec_dir] - } else { - $php_safe_mode_exec_dir = $path ? { - 'absent' => $::operatingsystem ? { - openbsd => "/var/www/htdocs/${name}/bin", - default => "/var/www/vhosts/${name}/bin" - }, - default => "${path}/bin" + if $ensure != 'absent' { + case $run_mode { + 'proxy-itk','static-itk': { + include ::php::itk_plus } - } - file{$php_safe_mode_exec_dir: - recurse => true, - force => true, - purge => true, - } - if has_key($php_options,'safe_mode_exec_bins') { - $std_php_settings[safe_mode_exec_dir] = $php_safe_mode_exec_dir - File[$php_safe_mode_exec_dir]{ - ensure => $ensure ? 
{ - 'present' => directory, - default => absent, - }, - owner => $documentroot_owner, group => $documentroot_group, mode => 0750, - } - $php_safe_mode_exec_bins_subst = regsubst($php_options[safe_mode_exec_bins],"(.+)","${name}@\\1") - apache::vhost::php::safe_mode_bin{ $php_safe_mode_exec_bins_subst: - ensure => $ensure, - path => $php_safe_mode_exec_dir - } - }else{ - File[$php_safe_mode_exec_dir]{ - ensure => absent, - } - } - - if !has_key($php_settings,'default_charset') { - if $default_charset != 'absent' { - $std_php_settings[default_charset] = $default_charset ? { - 'On' => 'iso-8859-1', - default => $default_charset - } - } - } - - $real_php_settings = merge($std_php_settings,$php_settings) - - if $ensure != 'absent' { - case $run_mode { - 'proxy-itk','static-itk': { - include ::php::itk_plus + 'itk': { include ::php::itk } + 'fcgid': { + include ::mod_fcgid + include ::php::mod_fcgid + include apache::include::mod_fcgid + + mod_fcgid::starter {$name: + php_tmp_dir => $real_php_settings[php_tmp_dir], + cgi_type => 'php', + cgi_type_options => delete($real_php_settings, php_tmp_dir), + owner => $run_uid, + group => $run_gid, + notify => Service['apache'], } - 'itk': { include ::php::itk } - 'fcgid': { - include ::mod_fcgid - include ::php::mod_fcgid - include apache::include::mod_fcgid - - mod_fcgid::starter {$name: - php_tmp_dir => $real_php_settings[php_tmp_dir], - cgi_type => 'php', - cgi_type_options => delete($real_php_settings, php_tmp_dir), - owner => $run_uid, - group => $run_gid, - notify => Service['apache'], - } - } - default: { include ::php } } - } - - ::apache::vhost::phpdirs{"${name}": - ensure => $ensure, - php_upload_tmp_dir => $real_php_settings[upload_tmp_dir], - php_session_save_path => $real_php_settings['session.save_path'], - documentroot_owner => $documentroot_owner, - documentroot_group => $documentroot_group, - documentroot_mode => $documentroot_mode, - run_mode => $run_mode, - run_uid => $run_uid, - } - - # create vhost 
configuration file - ::apache::vhost{$name: - ensure => $ensure, - path => $path, - path_is_webdir => $path_is_webdir, - vhost_mode => $vhost_mode, - template_partial => $template_partial, - vhost_source => $vhost_source, - vhost_destination => $vhost_destination, - domain => $domain, - domainalias => $domainalias, - server_admin => $server_admin, - logmode => $logmode, - logpath => $logpath, - run_mode => $run_mode, - run_uid => $run_uid, - run_gid => $run_gid, - allow_override => $allow_override, - do_includes => $do_includes, - options => $options, - additional_options => $additional_options, - default_charset => $default_charset, - php_settings => $real_php_settings, - php_options => $real_php_options, - ssl_mode => $ssl_mode, - htpasswd_file => $htpasswd_file, - htpasswd_path => $htpasswd_path, - mod_security => $mod_security, - mod_security_relevantonly => $mod_security_relevantonly, - mod_security_rules_to_disable => $mod_security_rules_to_disable, - mod_security_additional_options => $mod_security_additional_options, - use_mod_macro => $use_mod_macro, - passing_extension => 'php', - } + default: { include ::php } + } + } + + ::apache::vhost::phpdirs{$name: + ensure => $ensure, + php_upload_tmp_dir => $real_php_settings[upload_tmp_dir], + php_session_save_path => $real_php_settings['session.save_path'], + documentroot_owner => $documentroot_owner, + documentroot_group => $documentroot_group, + documentroot_mode => $documentroot_mode, + run_mode => $run_mode, + run_uid => $run_uid, + } + + # create vhost configuration file + ::apache::vhost{$name: + ensure => $ensure, + path => $path, + path_is_webdir => $path_is_webdir, + vhost_mode => $vhost_mode, + template_partial => $template_partial, + vhost_source => $vhost_source, + vhost_destination => $vhost_destination, + domain => $domain, + domainalias => $domainalias, + server_admin => $server_admin, + logmode => $logmode, + logpath => $logpath, + run_mode => $run_mode, + run_uid => $run_uid, + run_gid => 
$run_gid, + allow_override => $allow_override, + do_includes => $do_includes, + options => $options, + additional_options => $additional_options, + default_charset => $default_charset, + php_settings => $real_php_settings, + php_options => $real_php_options, + ssl_mode => $ssl_mode, + htpasswd_file => $htpasswd_file, + htpasswd_path => $htpasswd_path, + mod_security => $mod_security, + mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options => $mod_security_additional_options, + use_mod_macro => $use_mod_macro, + passing_extension => 'php', + } } diff --git a/manifests/vhost/static.pp b/manifests/vhost/static.pp index f1dbcc2..a315e05 100644 --- a/manifests/vhost/static.pp +++ b/manifests/vhost/static.pp 
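Review bot: The hunk quotes the file mode on the safe_mode_exec_dir resource (`mode => '0750',`) but leaves the define's own default `$documentroot_mode = 0640,` as an unquoted octal literal, so both conventions now coexist inside one definition; `$documentroot_mode = '0640',` would make them consistent, and the same applies to the `0640` defaults in the static.pp, webdav.pp and webdir.pp hunks that follow. The new `$ensure_exec` selector likewise mixes a bareword `directory` with a quoted `'absent'`; `'present' => 'directory',` reads uniformly. Neither changes behaviour; they are points of style in lines the hunk already rewrites.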
@@ -13,70 +13,70 @@ # - true: activate mod_security # define apache::vhost::static( - $ensure = present, - $domain = 'absent', - $domainalias = 'absent', - $server_admin = 'absent', - $logmode = 'default', - $path = 'absent', - $owner = root, - $group = apache, - $documentroot_owner = apache, - $documentroot_group = 0, - $documentroot_mode = 0640, - $allow_override = 'None', - $do_includes = false, - $options = 'absent', - $additional_options = 'absent', - $default_charset = 'absent', - $ssl_mode = false, - $run_mode = 'normal', - $vhost_mode = 'template', - $template_partial = 'apache/vhosts/static/partial.erb', - $vhost_source = 'absent', - $vhost_destination = 'absent', - $htpasswd_file = 'absent', - $htpasswd_path = 'absent', - $mod_security = false, - $mod_security_relevantonly = true, - $mod_security_rules_to_disable = [], - $mod_security_additional_options = 'absent' + $ensure = present, + $domain = 'absent', + $domainalias = 'absent', + $server_admin = 'absent', + $logmode = 'default', + $path = 'absent', + $owner = root, + $group = apache, + $documentroot_owner = apache, + $documentroot_group = 0, + $documentroot_mode = 0640, + $allow_override = 'None', + $do_includes = false, + $options = 'absent', + $additional_options = 'absent', + $default_charset = 'absent', + $ssl_mode = false, + $run_mode = 'normal', + $vhost_mode = 'template', + $template_partial = 'apache/vhosts/static/partial.erb', + $vhost_source = 'absent', + $vhost_destination = 'absent', + $htpasswd_file = 'absent', + $htpasswd_path = 'absent', + $mod_security = false, + $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent' ){ # create webdir ::apache::vhost::webdir{$name: - ensure => $ensure, - path => $path, - owner => $owner, - group => $group, - run_mode => $run_mode, - documentroot_owner => $documentroot_owner, - documentroot_group => $documentroot_group, - documentroot_mode => $documentroot_mode, + ensure => $ensure, + 
path => $path, + owner => $owner, + group => $group, + run_mode => $run_mode, + documentroot_owner => $documentroot_owner, + documentroot_group => $documentroot_group, + documentroot_mode => $documentroot_mode, } # create vhost configuration file ::apache::vhost{$name: - ensure => $ensure, - path => $path, - template_partial => $template_partial, - vhost_mode => $vhost_mode, - vhost_source => $vhost_source, - vhost_destination => $vhost_destination, - domain => $domain, - domainalias => $domainalias, - server_admin => $server_admin, - logmode => $logmode, - allow_override => $allow_override, - do_includes => $do_includes, - options => $options, - additional_options => $additional_options, - default_charset => $default_charset, - ssl_mode => $ssl_mode, - htpasswd_file => $htpasswd_file, - htpasswd_path => $htpasswd_path, - mod_security => $mod_security, - mod_security_relevantonly => $mod_security_relevantonly, - mod_security_rules_to_disable => $mod_security_rules_to_disable, + ensure => $ensure, + path => $path, + template_partial => $template_partial, + vhost_mode => $vhost_mode, + vhost_source => $vhost_source, + vhost_destination => $vhost_destination, + domain => $domain, + domainalias => $domainalias, + server_admin => $server_admin, + logmode => $logmode, + allow_override => $allow_override, + do_includes => $do_includes, + options => $options, + additional_options => $additional_options, + default_charset => $default_charset, + ssl_mode => $ssl_mode, + htpasswd_file => $htpasswd_file, + htpasswd_path => $htpasswd_path, + mod_security => $mod_security, + mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, mod_security_additional_options => $mod_security_additional_options, } } diff --git a/manifests/vhost/webdav.pp b/manifests/vhost/webdav.pp index 003a308..5570dcc 100644 --- a/manifests/vhost/webdav.pp +++ b/manifests/vhost/webdav.pp 
@@ -24,100 +24,100 @@ # - semianonym: Don't log ips for CustomLog, log normal ErrorLog # define apache::vhost::webdav( - $ensure = present, - $domain = 'absent', - $domainalias = 'absent', - $server_admin = 'absent', - $path = 'absent', - $owner = root, - $group = apache, - $manage_webdir = true, - $path_is_webdir = false, - $logmode = 'default', - $logpath = 'absent', - $documentroot_owner = apache, - $documentroot_group = 0, - $documentroot_mode = 0640, - $run_mode = 'normal', - $run_uid = 'absent', - $run_gid = 'absent', - $options = 'absent', - $additional_options = 'absent', - $default_charset = 'absent', - $mod_security = false, - $mod_security_relevantonly = true, - $mod_security_rules_to_disable = [], - $mod_security_additional_options = 'absent', - $ssl_mode = false, - $vhost_mode = 'template', - $vhost_source = 'absent', - $vhost_destination = 'absent', - $htpasswd_file = 'absent', - $htpasswd_path = 'absent', - $ldap_auth = false, - $ldap_user = 'any', - $dav_db_dir = 'absent' + $ensure = present, + $domain = 'absent', + $domainalias = 'absent', + $server_admin = 'absent', + $path = 'absent', + $owner = root, + $group = apache, + $manage_webdir = true, + $path_is_webdir = false, + $logmode = 'default', + $logpath = 'absent', + $documentroot_owner = apache, + $documentroot_group = 0, + $documentroot_mode = 0640, + $run_mode = 'normal', + $run_uid = 'absent', + $run_gid = 'absent', + $options = 'absent', + $additional_options = 'absent', + $default_charset = 'absent', + $mod_security = false, + $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', + $ssl_mode = false, + $vhost_mode = 'template', + $vhost_source = 'absent', + $vhost_destination = 'absent', + $htpasswd_file = 'absent', + $htpasswd_path = 'absent', + $ldap_auth = false, + $ldap_user = 'any', + $dav_db_dir = 'absent' ){ - ::apache::vhost::davdbdir{$name: - ensure => $ensure, - dav_db_dir => $dav_db_dir, - documentroot_owner => 
$documentroot_owner, - documentroot_group => $documentroot_group, - documentroot_mode => $documentroot_mode, - run_mode => $run_mode, - run_uid => $run_uid, - } + ::apache::vhost::davdbdir{$name: + ensure => $ensure, + dav_db_dir => $dav_db_dir, + documentroot_owner => $documentroot_owner, + documentroot_group => $documentroot_group, + documentroot_mode => $documentroot_mode, + run_mode => $run_mode, + run_uid => $run_uid, + } - if $manage_webdir { - # create webdir - ::apache::vhost::webdir{$name: - ensure => $ensure, - path => $path, - owner => $owner, - group => $group, - run_mode => $run_mode, - documentroot_owner => $documentroot_owner, - documentroot_group => $documentroot_group, - documentroot_mode => $documentroot_mode, - } + if $manage_webdir { + # create webdir + ::apache::vhost::webdir{$name: + ensure => $ensure, + path => $path, + owner => $owner, + group => $group, + run_mode => $run_mode, + documentroot_owner => $documentroot_owner, + documentroot_group => $documentroot_group, + documentroot_mode => $documentroot_mode, } + } - if $run_mode == 'static-itk' { - notice("static-itk mode is not possible for webdav vhosts, rewriting it to proxy-itk") - $real_run_mode = 'proxy-itk' - } else { - $real_run_mode = $run_mode - } + if $run_mode == 'static-itk' { + notice("static-itk mode is not possible for webdav vhosts, rewriting it to proxy-itk") + $real_run_mode = 'proxy-itk' + } else { + $real_run_mode = $run_mode + } - # create vhost configuration file - ::apache::vhost{$name: - ensure => $ensure, - path => $path, - path_is_webdir => $path_is_webdir, - logpath => $logpath, - logmode => $logmode, - template_partial => 'apache/vhosts/webdav/partial.erb', - vhost_mode => $vhost_mode, - vhost_source => $vhost_source, - vhost_destination => $vhost_destination, - domain => $domain, - domainalias => $domainalias, - server_admin => $server_admin, - run_mode => $real_run_mode, - run_uid => $run_uid, - run_gid => $run_gid, - options => $options, - additional_options 
=> $additional_options, - default_charset => $default_charset, - ssl_mode => $ssl_mode, - htpasswd_file => $htpasswd_file, - htpasswd_path => $htpasswd_path, - ldap_auth => $ldap_auth, - ldap_user => $ldap_user, - mod_security => $mod_security, - mod_security_relevantonly => $mod_security_relevantonly, - mod_security_rules_to_disable => $mod_security_rules_to_disable, - mod_security_additional_options => $mod_security_additional_options, - } + # create vhost configuration file + ::apache::vhost{$name: + ensure => $ensure, + path => $path, + path_is_webdir => $path_is_webdir, + logpath => $logpath, + logmode => $logmode, + template_partial => 'apache/vhosts/webdav/partial.erb', + vhost_mode => $vhost_mode, + vhost_source => $vhost_source, + vhost_destination => $vhost_destination, + domain => $domain, + domainalias => $domainalias, + server_admin => $server_admin, + run_mode => $real_run_mode, + run_uid => $run_uid, + run_gid => $run_gid, + options => $options, + additional_options => $additional_options, + default_charset => $default_charset, + ssl_mode => $ssl_mode, + htpasswd_file => $htpasswd_file, + htpasswd_path => $htpasswd_path, + ldap_auth => $ldap_auth, + ldap_user => $ldap_user, + mod_security => $mod_security, + mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options => $mod_security_additional_options, + } } diff --git a/manifests/vhost/webdir.pp b/manifests/vhost/webdir.pp index 507ab25..1e663e5 100644 --- a/manifests/vhost/webdir.pp +++ b/manifests/vhost/webdir.pp 
@@ -1,15 +1,15 @@ # create webdir define apache::vhost::webdir( - $ensure = present, - $path = 'absent', - $owner = root, - $group = apache, - $mode = 0640, - $run_mode = 'normal', - $manage_docroot = true, - $documentroot_owner = root, - $documentroot_group = apache, - $documentroot_mode = 0640, + $ensure = present, + $path = 'absent', + $owner = root, + $group = apache, + $mode = 0640, + $run_mode = 'normal', + $manage_docroot = true, + $documentroot_owner = root, + $documentroot_group = apache, + $documentroot_mode = 0640, $documentroot_recurse = false ){ $real_path = $path ? { -- cgit v1.2.3 From bcb25abcb26f7ebb522f3c0dc3288c6a97ccf158 Mon Sep 17 00:00:00 2001 From: mh Date: Sun, 23 Feb 2014 15:17:06 +0100 Subject: introduce a datadir for all dynamic hostings --- manifests/centos.pp | 1 + manifests/openbsd.pp | 4 +++- manifests/vhost/php/standard.pp | 2 +- manifests/vhost/static.pp | 1 + manifests/vhost/webdav.pp | 1 + manifests/vhost/webdir.pp | 9 +++++++++ 6 files changed, 16 insertions(+), 2 deletions(-) diff --git a/manifests/centos.pp b/manifests/centos.pp index 02adf77..3d9664d 100644 --- a/manifests/centos.pp +++ b/manifests/centos.pp @@ -39,6 +39,7 @@ class apache::centos inherits apache::package { selinux::fcontext{ [ '/var/www/vhosts/[^/]*/www(/.*)?', '/var/www/vhosts/[^/]*/non_public(/.*)?', + '/var/www/vhosts/[^/]*/data(/.*)?', '/var/www/vhosts/[^/]*/g2data(/.*)?', '/var/www/vhosts/[^/]*/upload(/.*)?' ]: require => Package['apache'], diff --git a/manifests/openbsd.pp b/manifests/openbsd.pp index 095f9ea..96a216a 100644 --- a/manifests/openbsd.pp +++ b/manifests/openbsd.pp @@ -46,7 +46,9 @@ class apache::openbsd inherits apache::base { mode => '0700'; } - ::apache::vhost::webdir{'default': } + ::apache::vhost::webdir{'default': + datadir => false, + } Service['apache']{ restart => '/opt/bin/restart_apache.sh', diff --git a/manifests/vhost/php/standard.pp b/manifests/vhost/php/standard.pp index 2f381ce..160f638 100644 
--- a/manifests/vhost/php/standard.pp +++ b/manifests/vhost/php/standard.pp @@ -121,7 +121,7 @@ define apache::vhost::php::standard( engine => 'On', upload_tmp_dir => "/var/www/upload_tmp_dir/${name}", 'session.save_path' => "/var/www/session.save_path/${name}", - open_basedir => "${smarty_path}${pear_path}${documentroot}:/var/www/upload_tmp_dir/${name}:/var/www/session.save_path/${name}", + open_basedir => "${smarty_path}${pear_path}${documentroot}:${real_path}/data:/var/www/upload_tmp_dir/${name}:/var/www/session.save_path/${name}", safe_mode => 'On' } if $logmode != 'nologs' { diff --git a/manifests/vhost/static.pp b/manifests/vhost/static.pp index a315e05..21b062e 100644 --- a/manifests/vhost/static.pp +++ b/manifests/vhost/static.pp @@ -49,6 +49,7 @@ define apache::vhost::static( owner => $owner, group => $group, run_mode => $run_mode, + datadir => false, documentroot_owner => $documentroot_owner, documentroot_group => $documentroot_group, documentroot_mode => $documentroot_mode, diff --git a/manifests/vhost/webdav.pp b/manifests/vhost/webdav.pp index 5570dcc..f90cf8d 100644 --- a/manifests/vhost/webdav.pp +++ b/manifests/vhost/webdav.pp @@ -76,6 +76,7 @@ define apache::vhost::webdav( owner => $owner, group => $group, run_mode => $run_mode, + datadir => false, documentroot_owner => $documentroot_owner, documentroot_group => $documentroot_group, documentroot_mode => $documentroot_mode, diff --git a/manifests/vhost/webdir.pp b/manifests/vhost/webdir.pp index 1e663e5..e0e2546 100644 --- a/manifests/vhost/webdir.pp +++ b/manifests/vhost/webdir.pp @@ -7,6 +7,7 @@ define apache::vhost::webdir( $mode = 0640, $run_mode = 'normal', $manage_docroot = true, + $datadir = true, $documentroot_owner = root, $documentroot_group = apache, $documentroot_mode = 0640, 
@@ -110,6 +111,14 @@ define apache::vhost::webdir( mode => $documentroot_mode; } } + if $datadir { + file{"${real_path}/data": + ensure => directory, + owner => $real_documentroot_owner, + group => $real_documentroot_group, + mode => '0640'; + } + } case $::operatingsystem { centos: { include apache::logrotate::centos::vhosts } default: { #nothing -- cgit v1.2.3 From 06edce9d49b8d21e6bb47c70286fa4e6c4b9eb6e Mon Sep 17 00:00:00 2001 From: mh Date: Sun, 23 Feb 2014 15:17:35 +0100 Subject: linting --- manifests/vhost/webdav.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/vhost/webdav.pp b/manifests/vhost/webdav.pp index f90cf8d..e1b6c3f 100644 --- a/manifests/vhost/webdav.pp +++ b/manifests/vhost/webdav.pp @@ -84,7 +84,7 @@ define apache::vhost::webdav( } if $run_mode == 'static-itk' { - notice("static-itk mode is not possible for webdav vhosts, rewriting it to proxy-itk") + notice('static-itk mode is not possible for webdav vhosts, rewriting it to proxy-itk') $real_run_mode = 'proxy-itk' } else { $real_run_mode = $run_mode -- cgit v1.2.3 From ede2a6e5ff2f85bcd1d236e0352bf9baf498a841 Mon Sep 17 00:00:00 2001 From: mh Date: Sun, 23 Feb 2014 15:33:29 +0100 Subject: linting --- manifests/ssl/base.pp | 1 + manifests/status/debian.pp | 1 + 2 files changed, 2 insertions(+) diff --git a/manifests/ssl/base.pp b/manifests/ssl/base.pp index 7c17423..65bd5f7 100644 --- a/manifests/ssl/base.pp +++ b/manifests/ssl/base.pp @@ -1,3 +1,4 @@ +# basic defaults for ssl support class apache::ssl::base { ::apache::config::include{ 'ssl_defaults.inc': } diff --git a/manifests/status/debian.pp b/manifests/status/debian.pp index 678bc44..222b85c 100644 --- a/manifests/status/debian.pp +++ b/manifests/status/debian.pp @@ -1,3 +1,4 @@ +# enable status module on debian class apache::status::debian { ::apache::debian::module { 'status': } } -- cgit v1.2.3 From b062ecae42d47438dd4e7d2727e3581ccbbe5781 Mon Sep 17 00:00:00 2001 
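Review bot: The new `${real_path}/data` resource is declared with `ensure => directory` regardless of the define's `$ensure`, so applying `apache::vhost::webdir` with `ensure => absent` — which presumably removes `$real_path` itself, in code outside this hunk — still asserts a directory below the removed path; `ensure => $ensure ? { 'absent' => absent, default => directory },` would keep the data directory in step with the webdir. `$real_documentroot_owner` and `$real_documentroot_group` are presumably derived earlier in webdir.pp; that derivation is outside the hunk. `mode => '0640'` on a directory relies on Puppet adding the search bit wherever read is set; `'0750'` would state the effective permission explicitly. Because the same commit adds this directory to the PHP `open_basedir` in the standard.pp hunk above, a one-line comment such as `# per-vhost data dir, reachable from PHP via open_basedir` would help readers of webdir.pp.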
From: mh Date: Sun, 23 Feb 2014 15:43:18 +0100 Subject: this is only required on debian --- manifests/munin.pp | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/manifests/munin.pp b/manifests/munin.pp index 2a04e97..46af172 100644 --- a/manifests/munin.pp +++ b/manifests/munin.pp @@ -1,7 +1,8 @@ # manage apache monitoring things class apache::munin { - - include perl::extensions::libwww + if $::osfamily == 'Debian' { + include perl::extensions::libwww + } munin::plugin{ [ 'apache_accesses', 'apache_processes', 'apache_volume' ]: } munin::plugin::deploy { 'apache_activity': -- cgit v1.2.3 From e944403f922f0ae19e60747b60cbf2d999496312 Mon Sep 17 00:00:00 2001 From: Jerome Charaoui Date: Mon, 24 Feb 2014 13:24:44 -0500 Subject: remove safe_mode flag from defaults under Debian (removed from PHP 5.4 which is in wheezy) --- manifests/vhost/php/standard.pp | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/manifests/vhost/php/standard.pp b/manifests/vhost/php/standard.pp index 53fa8f9..fa6b298 100644 --- a/manifests/vhost/php/standard.pp +++ b/manifests/vhost/php/standard.pp @@ -122,7 +122,10 @@ define apache::vhost::php::standard( upload_tmp_dir => "/var/www/upload_tmp_dir/${name}", 'session.save_path' => "/var/www/session.save_path/${name}", open_basedir => "${smarty_path}${pear_path}${documentroot}:/var/www/upload_tmp_dir/${name}:/var/www/session.save_path/${name}", - safe_mode => 'On', + safe_mode => $::operatingsystem ? { + debian => undef, + default => 'On', + }, } if $logmode != 'nologs' { $std_php_settings[error_log] = "${logdir}/php_error_log" -- cgit v1.2.3 From 3e031fe7ca946580b8c94e9b77f855c054802cfb Mon Sep 17 00:00:00 2001 From: Jerome Charaoui Date: Mon, 24 Feb 2014 13:43:18 -0500 Subject: append to standard paths instead of override --- manifests/vhost/php/standard.pp | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
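Review bot: Setting `safe_mode => undef` inside the `$std_php_settings` hash literal leaves the `safe_mode` key present with an undef value rather than omitting it; after `merge()` that entry reaches the vhost template, and depending on how the template iterates the settings it may be rendered as a literal `undef` or an empty directive instead of being skipped (the template is outside this hunk, so this is inferred). The file already handles optional keys by adding them conditionally, as the `error_log` context line shows; `if $::operatingsystem != 'Debian' { $std_php_settings[safe_mode] = 'On' }` after the hash literal would follow that pattern and avoid the undef entry. Keying on the distribution also ties the behaviour to Debian alone, although the commit message itself notes that the directive was removed in PHP 5.4; a check on the PHP version or on `$::osfamily` may age better.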
diff --git a/manifests/vhost/php/standard.pp b/manifests/vhost/php/standard.pp index fa6b298..bdb290e 100644 --- a/manifests/vhost/php/standard.pp +++ b/manifests/vhost/php/standard.pp @@ -121,7 +121,10 @@ define apache::vhost::php::standard( engine => 'On', upload_tmp_dir => "/var/www/upload_tmp_dir/${name}", 'session.save_path' => "/var/www/session.save_path/${name}", - open_basedir => "${smarty_path}${pear_path}${documentroot}:/var/www/upload_tmp_dir/${name}:/var/www/session.save_path/${name}", + open_basedir => has_key($php_settings,'open_basedir') ? { + true => "${smarty_path}${pear_path}${documentroot}:/var/www/upload_tmp_dir/${name}:/var/www/session.save_path/${name}:${php_settings[open_basedir]}", + false => "${smarty_path}${pear_path}${documentroot}:/var/www/upload_tmp_dir/${name}:/var/www/session.save_path/${name}", + }, safe_mode => $::operatingsystem ? { debian => undef, default => 'On', -- cgit v1.2.3 From 588dd5342e97e5a659d76aa59aa5d913a8181368 Mon Sep 17 00:00:00 2001 From: Jerome Charaoui Date: Mon, 24 Feb 2014 15:44:15 -0500 Subject: pass additional open_basedir paths in $php_options hash instead --- manifests/vhost/php/standard.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/manifests/vhost/php/standard.pp b/manifests/vhost/php/standard.pp index bdb290e..47ce64f 100644 --- a/manifests/vhost/php/standard.pp +++ b/manifests/vhost/php/standard.pp 
@@ -121,8 +121,8 @@ define apache::vhost::php::standard( engine => 'On', upload_tmp_dir => "/var/www/upload_tmp_dir/${name}", 'session.save_path' => "/var/www/session.save_path/${name}", - open_basedir => has_key($php_settings,'open_basedir') ? { - true => "${smarty_path}${pear_path}${documentroot}:/var/www/upload_tmp_dir/${name}:/var/www/session.save_path/${name}:${php_settings[open_basedir]}", + open_basedir => has_key($php_options,'additional_open_basedir') ? { + true => "${smarty_path}${pear_path}${documentroot}:/var/www/upload_tmp_dir/${name}:/var/www/session.save_path/${name}:${php_options[additional_open_basedir]}", false => "${smarty_path}${pear_path}${documentroot}:/var/www/upload_tmp_dir/${name}:/var/www/session.save_path/${name}", }, safe_mode => $::operatingsystem ? { -- cgit v1.2.3 From c0697dae3212159c54e8c2ea8eb4f1a1ae1439a3 Mon Sep 17 00:00:00 2001 From: mh Date: Sun, 16 Mar 2014 12:19:09 +0100 Subject: make it possible that domainalias can be an array --- templates/vhosts/partials/header_default.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/vhosts/partials/header_default.erb b/templates/vhosts/partials/header_default.erb index d6d8c86..de707c9 100644 --- a/templates/vhosts/partials/header_default.erb +++ b/templates/vhosts/partials/header_default.erb @@ -4,7 +4,7 @@ <% end -%> ServerName <%= servername %> <% unless serveralias.empty? || (serveralias == 'absent') -%> - ServerAlias <%= serveralias %> + ServerAlias <%= Array(serveralias).join(' ') %> <% end -%> <% unless server_admin.empty? || (server_admin == 'absent') -%> ServerAdmin <%= server_admin %> -- cgit v1.2.3 From df43214cdce1f474fa11ab1c1752fdd28a2ae19e Mon Sep 17 00:00:00 2001 
From: mh Date: Mon, 14 Apr 2014 22:53:49 +0200 Subject: an initial https connection might still end up as http on the backend. in that case we don't want to redirect --- templates/vhosts/default.erb | 13 ++++++------- templates/vhosts/gitweb/partial.erb | 6 ++---- templates/vhosts/php_silverstripe/partial.erb | 9 +++++---- 3 files changed, 13 insertions(+), 15 deletions(-) diff --git a/templates/vhosts/default.erb b/templates/vhosts/default.erb index 5201406..2eab3d7 100644 --- a/templates/vhosts/default.erb +++ b/templates/vhosts/default.erb @@ -11,12 +11,12 @@ vhost_parts.each do |vhost_part| -%> <%= scope.function_template(['apache/vhosts/partials/logs.erb']) %> - <% if run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%> +<% if run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%> AssignUserId <%= run_uid+" "+run_gid %> - <% elsif run_mode.to_s == 'fcgid' && !(ssl_mode == 'force' && vhost_part == :normal) -%> +<% elsif run_mode.to_s == 'fcgid' && !(ssl_mode == 'force' && vhost_part == :normal) -%> SuexecUserGroup <%= run_uid+" "+run_gid %> FcgidMaxRequestsPerProcess 5000 @@ -24,16 +24,15 @@ vhost_parts.each do |vhost_part| -%> AddHandler fcgid-script .<%= passing_extension %> - <% end -%> - <% if ssl_mode == 'force' && vhost_part == :normal -%> +<% end -%> +<% if ssl_mode == 'force' && vhost_part == :normal -%> RewriteEngine On RewriteCond %{HTTPS} !=on RewriteCond %{HTTP:X-Forwarded-Proto} !=https RewriteRule (.*) https://%{SERVER_NAME}$1 [R=permanent,L] - <% else -%> +<% end -%> <%= scope.function_templatewlv([template_partial, {'vhost_part' => vhost_part } ]) %> - <% end -%> -<%- unless template_partial == 'apache/vhosts/itk_plus/partial.erb' -%> +<% unless template_partial == 'apache/vhosts/itk_plus/partial.erb' -%> <%= scope.function_template(['apache/vhosts/partials/mod_security.erb']) %> <% end -%> <% unless additional_options.to_s == 'absent' -%> diff --git a/templates/vhosts/gitweb/partial.erb b/templates/vhosts/gitweb/partial.erb index 7238ebe..c04f1c3 100644 
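Review bot: The new `RewriteCond %{HTTP:X-Forwarded-Proto} !=https` in default.erb makes the forced-https redirect depend on a request header, which is only meaningful when a trusted proxy in front of this vhost sets or strips that header; if the backend is reachable directly, the header is client-supplied and `ssl_mode => 'force'` no longer guarantees the redirect. The same condition is added in the php_silverstripe hunk on the next line and in the php_gallery2 hunk of the later "only forward on https" commit. Document the assumption next to the rule, e.g. `# trusts X-Forwarded-Proto: only valid behind a proxy that sets/strips the header`, and consider limiting the exemption to the proxy's address the way the php_joomla partial's `REMOTE_ADDR` condition does. The `vhost_parts.each` block enclosing this hunk starts outside it.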
--- a/templates/vhosts/gitweb/partial.erb +++ b/templates/vhosts/gitweb/partial.erb @@ -1,10 +1,9 @@ - <% unless ssl_mode.to_s == 'force' -%> SetEnv GITWEB_CONFIG <%= gitweb_config %> DirectoryIndex gitweb.cgi /"> - <% if options.to_s != 'absent' or do_includes.to_s == 'true'-%> +<% if options.to_s != 'absent' || do_includes.to_s == 'true'-%> Options <% unless options.to_s == 'absent' -%><%= options %><% end -%><% if do_includes.to_s == 'true' && !options.include?('+Includes') -%> +Includes<% end -%><% unless options.include?('+ExecCGI') -%> +ExecCGI<% end -%> - <% end -%> +<% end -%> AddHandler cgi-script .cgi @@ -16,4 +15,3 @@ <%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %> - <% end -%> diff --git a/templates/vhosts/php_silverstripe/partial.erb b/templates/vhosts/php_silverstripe/partial.erb index 89a6052..9ff32db 100644 --- a/templates/vhosts/php_silverstripe/partial.erb +++ b/templates/vhosts/php_silverstripe/partial.erb @@ -1,9 +1,10 @@ -<% if vhost_part != :ssl && ![false,'false'].include?(ssl_mode) -%> # silverstripe - RedirectMatch /admin(.*) https://<%= servername %>/admin$1 - RedirectMatch /Security(.*) https://<%= servername %>/Security$1 + RewriteEngine On + RewriteCond %{HTTPS} !=on + RewriteCond %{HTTP:X-Forwarded-Proto} !=https + RewriteRule /admin(.*) https://<%= servername %>/admin$1 [L,R,NE] + RewriteRule /Security(.*) https://<%= servername %>/Security$1 [L,R,NE] -<% end -%> /"> <%= scope.function_template(['apache/vhosts/partials/std_override_options.erb']) %> -- cgit v1.2.3 From c52c48534d76b0a9c965784bd12eb1c1fccd94c6 Mon Sep 17 00:00:00 2001 
From: mh Date: Mon, 14 Apr 2014 22:54:24 +0200 Subject: cleanup identation of if then else, especially for the produced file --- templates/vhosts/itk_plus/partial.erb | 24 ++++++++++----------- templates/vhosts/partials/authentication.erb | 2 +- templates/vhosts/partials/header_default.erb | 2 +- templates/vhosts/partials/mod_security.erb | 12 +++++------ templates/vhosts/partials/php_settings.erb | 25 +++++++++++----------- templates/vhosts/partials/std_override_options.erb | 4 ++-- templates/vhosts/php_drupal/partial.erb | 2 +- templates/vhosts/php_joomla/partial.erb | 2 +- 8 files changed, 37 insertions(+), 36 deletions(-) diff --git a/templates/vhosts/itk_plus/partial.erb b/templates/vhosts/itk_plus/partial.erb index 5b05dd8..9c5a1ac 100644 --- a/templates/vhosts/itk_plus/partial.erb +++ b/templates/vhosts/itk_plus/partial.erb 
@@ -3,30 +3,30 @@ ProxyRequests off <% if vhost_part == :ssl -%> SSLProxyEngine On - <%- if run_mode.to_s == 'static-itk' -%> +<% if run_mode.to_s == 'static-itk' -%> ProxyPassMatch ^/(.*\.<%= passing_extension %>/?.*)$ https://127.0.0.1/$1 - <%- else -%> +<% else -%> ProxyPass / https://127.0.0.1/ - <%- end -%> +<% end -%> ProxyPassReverse / https://127.0.0.1/ <% else -%> - <% if run_mode.to_s == 'static-itk' -%> +<% if run_mode.to_s == 'static-itk' -%> ProxyPassMatch ^/(.*\.<%= passing_extension %>/?.*)$ http://127.0.0.1/$1 - <% else -%> +<% else -%> ProxyPass / http://127.0.0.1/ - <% end -%> +<% end -%> ProxyPassReverse / http://127.0.0.1/ -<% end %> +<% end -%> - <% if run_mode.to_s == 'static-itk' && (ssl_mode.to_s != 'force' || vhost_part == :ssl) -%> +<% if run_mode.to_s == 'static-itk' && (ssl_mode.to_s != 'force' || vhost_part == :ssl) -%> /"> AllowOverride <%= allow_override %> - <% if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> - Options <% unless options.to_s == 'absent' then -%><%= options %><% end -%><% if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<% end -%> +<% if options.to_s != 'absent' or do_includes.to_s == 'true' -%> + Options <% unless options.to_s == 'absent' -%><%= options %><% end -%><% if do_includes.to_s == 'true' and not options.include?('+Includes') -%> +Includes<% end -%> - <% end -%> +<% end -%> <%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %> - <% end -%> +<% end -%> diff --git a/templates/vhosts/partials/authentication.erb b/templates/vhosts/partials/authentication.erb index 6ca1b03..a6ebf3e 100644 --- a/templates/vhosts/partials/authentication.erb +++ b/templates/vhosts/partials/authentication.erb @@ -3,4 +3,4 @@ AuthName "Access fuer <%= servername %>" AuthUserFile <%= real_htpasswd_path %> require valid-user -<% end -%> \ No newline at end of file +<% end -%> 
diff --git a/templates/vhosts/partials/header_default.erb b/templates/vhosts/partials/header_default.erb index de707c9..398b0ce 100644 --- a/templates/vhosts/partials/header_default.erb +++ b/templates/vhosts/partials/header_default.erb @@ -12,7 +12,7 @@ <% unless documentroot == 'really_absent' -%> DocumentRoot <%= documentroot %>/ <% end -%> -<% if default_charset != 'absent' then -%> +<% if default_charset != 'absent' -%> AddDefaultCharset <%= default_charset %> <% end -%> <% if passing_extension != 'absent' -%> diff --git a/templates/vhosts/partials/mod_security.erb b/templates/vhosts/partials/mod_security.erb index 5b4fca8..f0602d8 100644 --- a/templates/vhosts/partials/mod_security.erb +++ b/templates/vhosts/partials/mod_security.erb @@ -1,11 +1,11 @@ -<% if mod_security.to_s == 'true' then -%> +<% if mod_security.to_s == 'true' -%> SecRuleEngine On -<% if mod_security_relevantonly.to_s == 'true' then -%> +<% if mod_security_relevantonly.to_s == 'true' -%> SecAuditEngine RelevantOnly -<% else -%> +<% else -%> SecAuditEngine On -<% end -%> +<% end -%> <% else -%> SecRuleEngine Off SecAuditEngine Off @@ -16,9 +16,9 @@ SecDebugLog <%= logdir %>/mod_security_debug.log <% unless mod_security_rules_to_disable.to_a.empty? -%> -<% mod_security_rules_to_disable.to_a.each do |rule| -%> +<% mod_security_rules_to_disable.to_a.each do |rule| -%> SecRuleRemoveById "<%= rule %>" -<% end -%> +<% end -%> <% end -%> <% unless mod_security_additional_options.to_s == 'absent' -%> diff --git a/templates/vhosts/partials/php_settings.erb b/templates/vhosts/partials/php_settings.erb index 7840987..fe55967 100644 --- a/templates/vhosts/partials/php_settings.erb +++ b/templates/vhosts/partials/php_settings.erb 
@@ -2,18 +2,19 @@ php_settings.reject{|k,v| v == :undef }.keys.sort.each do |key| dvalue = php_settings[key].to_s.downcase munged_value = if dvalue == 'true' - 'on' - elsif dvalue == 'false' - 'off' - elsif ['on','off'].include?(dvalue) - dvalue - else - php_settings[key] - end - if ['on','off' ].include?(munged_value) -%> + 'on' + elsif dvalue == 'false' + 'off' + elsif ['on','off'].include?(dvalue) + dvalue + else + php_settings[key] + end + + if ['on','off' ].include?(munged_value) -%> php_admin_flag <%= key %> <%= munged_value %> -<% else -%> +<% else -%> php_admin_value <%= key %> <%= munged_value %> -<% end -%> -<% end -%> +<% end -%> +<% end -%> <% end -%> diff --git a/templates/vhosts/partials/std_override_options.erb b/templates/vhosts/partials/std_override_options.erb index 95a5e6a..a69250d 100644 --- a/templates/vhosts/partials/std_override_options.erb +++ b/templates/vhosts/partials/std_override_options.erb @@ -1,4 +1,4 @@ AllowOverride <%= allow_override %> - <% if options.to_s != 'absent' || do_includes.to_s == 'true' || run_mode == 'fcgid' -%> +<% if options.to_s != 'absent' || do_includes.to_s == 'true' || run_mode == 'fcgid' -%> Options <%- unless options.to_s == 'absent' then -%><%= options %><% end -%><% if do_includes.to_s == 'true' && !options.include?('+Includes') -%> +Includes<% end -%><% if run_mode == 'fcgid' && !options.include?('+ExecCGI') -%> +ExecCGI<% end -%> - <% end -%> +<% end -%> diff --git a/templates/vhosts/php_drupal/partial.erb b/templates/vhosts/php_drupal/partial.erb index 3c420b1..10f1a30 100644 --- a/templates/vhosts/php_drupal/partial.erb +++ b/templates/vhosts/php_drupal/partial.erb @@ -1,7 +1,7 @@ /"> <%= scope.function_template(['apache/vhosts/partials/std_override_options.erb']) %> - + <%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %> <%= scope.function_template(['apache/vhosts/partials/php_settings.erb']) %> 
diff --git a/templates/vhosts/php_joomla/partial.erb b/templates/vhosts/php_joomla/partial.erb index 3046129..89999e9 100644 --- a/templates/vhosts/php_joomla/partial.erb +++ b/templates/vhosts/php_joomla/partial.erb @@ -7,7 +7,7 @@ Include include.d/joomla.inc - + /administrator/"> RewriteEngine on -- cgit v1.2.3 From 49d954d80d8b340dfcfdf939092d57754c3449f8 Mon Sep 17 00:00:00 2001 From: mh Date: Mon, 14 Apr 2014 23:03:56 +0200 Subject: more identation fixing --- templates/vhosts/gitweb/partial.erb | 24 ++++++------ templates/vhosts/itk_plus/partial.erb | 26 ++++++------- templates/vhosts/partials/authentication.erb | 8 ++-- templates/vhosts/partials/std_override_options.erb | 4 +- templates/vhosts/passenger/partial.erb | 4 +- templates/vhosts/perl/partial.erb | 22 +++++------ templates/vhosts/php/partial.erb | 4 +- templates/vhosts/php_drupal/partial.erb | 35 +++++++++-------- templates/vhosts/php_gallery2/partial.erb | 16 ++++---- templates/vhosts/php_joomla/partial.erb | 44 +++++++++++----------- templates/vhosts/php_silverstripe/partial.erb | 18 ++++----- templates/vhosts/php_typo3/partial.erb | 14 +++---- templates/vhosts/php_wordpress/partial.erb | 8 ++-- templates/vhosts/proxy/partial.erb | 14 +++---- templates/vhosts/redirect/partial.erb | 2 +- templates/vhosts/static/partial.erb | 4 +- templates/vhosts/webdav/partial.erb | 36 +++++++++--------- 17 files changed, 141 insertions(+), 142 deletions(-) diff --git a/templates/vhosts/gitweb/partial.erb b/templates/vhosts/gitweb/partial.erb index c04f1c3..35c574e 100644 --- a/templates/vhosts/gitweb/partial.erb +++ b/templates/vhosts/gitweb/partial.erb 
@@ -1,17 +1,17 @@ - SetEnv GITWEB_CONFIG <%= gitweb_config %> - DirectoryIndex gitweb.cgi - /"> + SetEnv GITWEB_CONFIG <%= gitweb_config %> + DirectoryIndex gitweb.cgi + /"> <% if options.to_s != 'absent' || do_includes.to_s == 'true'-%> - Options <% unless options.to_s == 'absent' -%><%= options %><% end -%><% if do_includes.to_s == 'true' && !options.include?('+Includes') -%> +Includes<% end -%><% unless options.include?('+ExecCGI') -%> +ExecCGI<% end -%> + Options <% unless options.to_s == 'absent' -%><%= options %><% end -%><% if do_includes.to_s == 'true' && !options.include?('+Includes') -%> +Includes<% end -%><% unless options.include?('+ExecCGI') -%> +ExecCGI<% end -%> <% end -%> - AddHandler cgi-script .cgi - - Options ExecCGI FollowSymLinks - SetHandler cgi-script - - RewriteEngine on - RewriteRule ^[a-zA-Z0-9_-]+.git/?(\?.)?$ /gitweb.cgi%{REQUESTURI} [L,PT] + AddHandler cgi-script .cgi + + Options ExecCGI FollowSymLinks + SetHandler cgi-script + + RewriteEngine on + RewriteRule ^[a-zA-Z0-9_-]+.git/?(\?.)?$ /gitweb.cgi%{REQUESTURI} [L,PT] <%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %> - + diff --git a/templates/vhosts/itk_plus/partial.erb b/templates/vhosts/itk_plus/partial.erb index 9c5a1ac..39aa6c8 100644 --- a/templates/vhosts/itk_plus/partial.erb +++ b/templates/vhosts/itk_plus/partial.erb 
@@ -1,32 +1,32 @@ - ProxyPreserveHost On - ProxyRequests off + ProxyPreserveHost On + ProxyRequests off <% if vhost_part == :ssl -%> - SSLProxyEngine On + SSLProxyEngine On <% if run_mode.to_s == 'static-itk' -%> - ProxyPassMatch ^/(.*\.<%= passing_extension %>/?.*)$ https://127.0.0.1/$1 + ProxyPassMatch ^/(.*\.<%= passing_extension %>/?.*)$ https://127.0.0.1/$1 <% else -%> - ProxyPass / https://127.0.0.1/ + ProxyPass / https://127.0.0.1/ <% end -%> - ProxyPassReverse / https://127.0.0.1/ + ProxyPassReverse / https://127.0.0.1/ <% else -%> <% if run_mode.to_s == 'static-itk' -%> - ProxyPassMatch ^/(.*\.<%= passing_extension %>/?.*)$ http://127.0.0.1/$1 + ProxyPassMatch ^/(.*\.<%= passing_extension %>/?.*)$ http://127.0.0.1/$1 <% else -%> - ProxyPass / http://127.0.0.1/ + ProxyPass / http://127.0.0.1/ <% end -%> - ProxyPassReverse / http://127.0.0.1/ + ProxyPassReverse / http://127.0.0.1/ <% end -%> <% if run_mode.to_s == 'static-itk' && (ssl_mode.to_s != 'force' || vhost_part == :ssl) -%> - /"> - AllowOverride <%= allow_override %> + /"> + AllowOverride <%= allow_override %> <% if options.to_s != 'absent' or do_includes.to_s == 'true' -%> - Options <% unless options.to_s == 'absent' -%><%= options %><% end -%><% if do_includes.to_s == 'true' and not options.include?('+Includes') -%> +Includes<% end -%> + Options <% unless options.to_s == 'absent' -%><%= options %><% end -%><% if do_includes.to_s == 'true' and not options.include?('+Includes') -%> +Includes<% end -%> <% end -%> <%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %> - + <% end -%> diff --git a/templates/vhosts/partials/authentication.erb b/templates/vhosts/partials/authentication.erb index a6ebf3e..76f7870 100644 --- a/templates/vhosts/partials/authentication.erb +++ b/templates/vhosts/partials/authentication.erb 
@@ -1,6 +1,6 @@ <% unless htpasswd_file.to_s == 'absent' -%> - AuthType Basic - AuthName "Access fuer <%= servername %>" - AuthUserFile <%= real_htpasswd_path %> - require valid-user + AuthType Basic + AuthName "Access fuer <%= servername %>" + AuthUserFile <%= real_htpasswd_path %> + require valid-user <% end -%> diff --git a/templates/vhosts/partials/std_override_options.erb b/templates/vhosts/partials/std_override_options.erb index a69250d..f35354d 100644 --- a/templates/vhosts/partials/std_override_options.erb +++ b/templates/vhosts/partials/std_override_options.erb @@ -1,4 +1,4 @@ - AllowOverride <%= allow_override %> + AllowOverride <%= allow_override %> <% if options.to_s != 'absent' || do_includes.to_s == 'true' || run_mode == 'fcgid' -%> - Options <%- unless options.to_s == 'absent' then -%><%= options %><% end -%><% if do_includes.to_s == 'true' && !options.include?('+Includes') -%> +Includes<% end -%><% if run_mode == 'fcgid' && !options.include?('+ExecCGI') -%> +ExecCGI<% end -%> + Options <%- unless options.to_s == 'absent' then -%><%= options %><% end -%><% if do_includes.to_s == 'true' && !options.include?('+Includes') -%> +Includes<% end -%><% if run_mode == 'fcgid' && !options.include?('+ExecCGI') -%> +ExecCGI<% end -%> <% end -%> diff --git a/templates/vhosts/passenger/partial.erb b/templates/vhosts/passenger/partial.erb index 490649e..2f4a068 100644 --- a/templates/vhosts/passenger/partial.erb +++ b/templates/vhosts/passenger/partial.erb @@ -1,7 +1,7 @@ SetEnv GEM_HOME <%= gempath %> /> - AllowOverride <%= allow_override %> - Options <%- unless options.to_s == 'absent' -%><%= options %><%- end -%><%- unless !options.to_s.include?('MultiViews') -%>-MultiViews<%- end -%> + AllowOverride <%= allow_override %> + Options <%- unless options.to_s == 'absent' -%><%= options %><%- end -%><%- unless !options.to_s.include?('MultiViews') -%>-MultiViews<%- end -%> <%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %> 
diff --git a/templates/vhosts/perl/partial.erb b/templates/vhosts/perl/partial.erb index a8c30c3..888c268 100644 --- a/templates/vhosts/perl/partial.erb +++ b/templates/vhosts/perl/partial.erb @@ -1,15 +1,15 @@ - /"> + /"> <%= scope.function_template(['apache/vhosts/partials/std_override_options.erb']) %> <%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %> - + - <% unless htpasswd_file.to_s == 'absent' -%> - /"> - AuthType Basic - AuthName "Access fuer <%= servername %>" - AuthUserFile <%= real_htpasswd_path %> - require valid-user - - <% end -%> - ScriptAlias /cgi-bin/ <%= cgi_binpath %>/ +<% unless htpasswd_file.to_s == 'absent' -%> + /"> + AuthType Basic + AuthName "Access fuer <%= servername %>" + AuthUserFile <%= real_htpasswd_path %> + require valid-user + +<% end -%> + ScriptAlias /cgi-bin/ <%= cgi_binpath %>/ diff --git a/templates/vhosts/php/partial.erb b/templates/vhosts/php/partial.erb index f8e5c53..1c75d48 100644 --- a/templates/vhosts/php/partial.erb +++ b/templates/vhosts/php/partial.erb @@ -1,7 +1,7 @@ - /"> + /"> <%= scope.function_template(['apache/vhosts/partials/std_override_options.erb']) %> <%= scope.function_template(['apache/vhosts/partials/php_settings.erb']) %> <%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %> - + diff --git a/templates/vhosts/php_drupal/partial.erb b/templates/vhosts/php_drupal/partial.erb index 10f1a30..959e9d1 100644 --- a/templates/vhosts/php_drupal/partial.erb +++ b/templates/vhosts/php_drupal/partial.erb 
@@ -1,26 +1,25 @@ - /"> + /"> <%= scope.function_template(['apache/vhosts/partials/std_override_options.erb']) %> - <%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %> <%= scope.function_template(['apache/vhosts/partials/php_settings.erb']) %> - # Protect files and directories from prying eyes. - - Order allow,deny - + # Protect files and directories from prying eyes. + + Order allow,deny + - # Customized error messages. - ErrorDocument 404 /index.php + # Customized error messages. + ErrorDocument 404 /index.php - RewriteEngine on - RewriteCond %{REQUEST_FILENAME} !-f - RewriteCond %{REQUEST_FILENAME} !-d - RewriteRule ^(.*)$ index.php?q=$1 [L,QSA] - - /files/"> - SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006 - Options None - Options +FollowSymLinks - + RewriteEngine on + RewriteCond %{REQUEST_FILENAME} !-f + RewriteCond %{REQUEST_FILENAME} !-d + RewriteRule ^(.*)$ index.php?q=$1 [L,QSA] + + /files/"> + SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006 + Options None + Options +FollowSymLinks + diff --git a/templates/vhosts/php_gallery2/partial.erb b/templates/vhosts/php_gallery2/partial.erb index 448f720..26d33ee 100644 --- a/templates/vhosts/php_gallery2/partial.erb +++ b/templates/vhosts/php_gallery2/partial.erb @@ -1,4 +1,4 @@ - /"> + /"> <%= scope.function_template(['apache/vhosts/partials/std_override_options.erb']) %> <%= scope.function_template(['apache/vhosts/partials/php_settings.erb']) %> 
@@ -6,11 +6,11 @@ <%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %> <% if vhost_part != :ssl -%> - # Always rewrite login's - # Source: http://gallery.menalto.com/node/30558 - RewriteEngine On - RewriteCond %{HTTP_COOKIE} ^GALLERYSID= [OR] - RewriteCond %{QUERY_STRING} subView=core\.UserLogin - RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [NE,R,L] + # Always rewrite login's + # Source: http://gallery.menalto.com/node/30558 + RewriteEngine On + RewriteCond %{HTTP_COOKIE} ^GALLERYSID= [OR] + RewriteCond %{QUERY_STRING} subView=core\.UserLogin + RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [NE,R,L] <% end -%> - + diff --git a/templates/vhosts/php_joomla/partial.erb b/templates/vhosts/php_joomla/partial.erb index 89999e9..64e73a9 100644 --- a/templates/vhosts/php_joomla/partial.erb +++ b/templates/vhosts/php_joomla/partial.erb 
@@ -1,32 +1,32 @@ - /"> + /"> <%= scope.function_template(['apache/vhosts/partials/std_override_options.erb']) %> <%= scope.function_template(['apache/vhosts/partials/php_settings.erb']) %> <%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %> - Include include.d/joomla.inc - + Include include.d/joomla.inc + - /administrator/"> - RewriteEngine on + /administrator/"> + RewriteEngine on - # Rewrite URLs to https that go for the admin area - RewriteCond %{REMOTE_ADDR} !^127\.[0-9]+\.[0-9]+\.[0-9]+$ - RewriteCond %{HTTPS} !=on - RewriteCond %{REQUEST_URI} (.*/administrator/.*) - RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R] - + # Rewrite URLs to https that go for the admin area + RewriteCond %{REMOTE_ADDR} !^127\.[0-9]+\.[0-9]+\.[0-9]+$ + RewriteCond %{HTTPS} !=on + RewriteCond %{REQUEST_URI} (.*/administrator/.*) + RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R] + - # Deny various directories that - # shouldn't be webaccessible - /tmp/"> - Deny From All - - /logs/"> - Deny From All - - /cli/"> - Deny From All - + # Deny various directories that + # shouldn't be webaccessible + /tmp/"> + Deny From All + + /logs/"> + Deny From All + + /cli/"> + Deny From All + diff --git a/templates/vhosts/php_silverstripe/partial.erb b/templates/vhosts/php_silverstripe/partial.erb index 9ff32db..b57fd1e 100644 --- a/templates/vhosts/php_silverstripe/partial.erb +++ b/templates/vhosts/php_silverstripe/partial.erb 
@@ -1,11 +1,11 @@ - # silverstripe - RewriteEngine On - RewriteCond %{HTTPS} !=on - RewriteCond %{HTTP:X-Forwarded-Proto} !=https - RewriteRule /admin(.*) https://<%= servername %>/admin$1 [L,R,NE] - RewriteRule /Security(.*) https://<%= servername %>/Security$1 [L,R,NE] + # silverstripe + RewriteEngine On + RewriteCond %{HTTPS} !=on + RewriteCond %{HTTP:X-Forwarded-Proto} !=https + RewriteRule /admin(.*) https://<%= servername %>/admin$1 [L,R,NE] + RewriteRule /Security(.*) https://<%= servername %>/Security$1 [L,R,NE] - /"> + /"> <%= scope.function_template(['apache/vhosts/partials/std_override_options.erb']) %> @@ -13,5 +13,5 @@ <%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %> - Include include.d/silverstripe.inc - + Include include.d/silverstripe.inc + diff --git a/templates/vhosts/php_typo3/partial.erb b/templates/vhosts/php_typo3/partial.erb index 117869f..89f2f60 100644 --- a/templates/vhosts/php_typo3/partial.erb +++ b/templates/vhosts/php_typo3/partial.erb @@ -1,9 +1,9 @@ <%= scope.function_template(['apache/vhosts/php/partial.erb']) %> - /typo3/"> - RewriteEngine on + /typo3/"> + RewriteEngine on - # Rewrite URLs to https that go for the admin area - RewriteCond %{HTTPS} !=on - RewriteCond %{REQUEST_URI} (.*/typo3/.*) - RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R] - + # Rewrite URLs to https that go for the admin area + RewriteCond %{HTTPS} !=on + RewriteCond %{REQUEST_URI} (.*/typo3/.*) + RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R] + diff --git a/templates/vhosts/php_wordpress/partial.erb b/templates/vhosts/php_wordpress/partial.erb index 972ab99..00e1fcd 100644 --- a/templates/vhosts/php_wordpress/partial.erb +++ b/templates/vhosts/php_wordpress/partial.erb 
@@ -1,6 +1,6 @@ <%= scope.function_template(['apache/vhosts/php/partial.erb']) %> -# fixes: http://git.zx2c4.com/w3-total-fail/tree/w3-total-fail.sh -/wp-content/w3tc/dbcache"> - Deny From All - + # fixes: http://git.zx2c4.com/w3-total-fail/tree/w3-total-fail.sh + /wp-content/w3tc/dbcache"> + Deny From All + diff --git a/templates/vhosts/proxy/partial.erb b/templates/vhosts/proxy/partial.erb index bbf3c64..ec84dd4 100644 --- a/templates/vhosts/proxy/partial.erb +++ b/templates/vhosts/proxy/partial.erb @@ -1,8 +1,8 @@ - - Order deny,allow - Allow from all + + Order deny,allow + Allow from all <%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %> - - ProxyRequests Off - ProxyPass / <%= options %>/ - ProxyPassReverse / <%= options %>/ + + ProxyRequests Off + ProxyPass / <%= options %>/ + ProxyPassReverse / <%= options %>/ diff --git a/templates/vhosts/redirect/partial.erb b/templates/vhosts/redirect/partial.erb index 3b7af7a..f6b76e6 100644 --- a/templates/vhosts/redirect/partial.erb +++ b/templates/vhosts/redirect/partial.erb @@ -1 +1 @@ - Redirect permanent / https://<%= options %> + Redirect permanent / https://<%= options %> diff --git a/templates/vhosts/static/partial.erb b/templates/vhosts/static/partial.erb index f2cc46b..3b40a96 100644 --- a/templates/vhosts/static/partial.erb +++ b/templates/vhosts/static/partial.erb @@ -1,5 +1,5 @@ - /"> + /"> <%= scope.function_template(['apache/vhosts/partials/std_override_options.erb']) %> <%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %> - + diff --git a/templates/vhosts/webdav/partial.erb b/templates/vhosts/webdav/partial.erb index d89da50..b97e128 100644 --- a/templates/vhosts/webdav/partial.erb +++ b/templates/vhosts/webdav/partial.erb 
@@ -1,21 +1,21 @@ - DAVLockDB <%= real_dav_db_dir %>/DAVLock - /"> - Dav on - AllowOverride None - <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> - Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- unless options.include?('Indexes') then -%> Indexes<%- end -%> + DAVLockDB <%= real_dav_db_dir %>/DAVLock + /"> + Dav on + AllowOverride None +<% if options.to_s != 'absent' or do_includes.to_s == 'true' -%> + Options <%- unless options.to_s == 'absent' -%><%= options %><%- end -%><%- unless options.include?('Indexes') -%> Indexes<%- end -%> - <%- else -%> - Options Indexes +<% else -%> + Options Indexes - <%- end -%> +<% end -%> <%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %> - <%- if ldap_auth.to_s == 'true' then -%> - Include include.d/ldap_auth.inc - <%- unless ldap_user.to_s == 'any' -%> - Require ldap-user <%= ldap_user.to_s %> - <%- else -%> - Require valid-user - <%- end -%> - <%- end -%> - +<% if ldap_auth.to_s == 'true' then -%> + Include include.d/ldap_auth.inc +<% unless ldap_user.to_s == 'any' -%> + Require ldap-user <%= ldap_user.to_s %> +<% else -%> + Require valid-user +<% end + end -%> + -- cgit v1.2.3 From ad5af8623f3db9ea1e0d5b552b4cfc8276431f38 Mon Sep 17 00:00:00 2001 From: mh Date: Mon, 14 Apr 2014 23:12:54 +0200 Subject: only forward on https --- templates/vhosts/php_gallery2/partial.erb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/vhosts/php_gallery2/partial.erb b/templates/vhosts/php_gallery2/partial.erb index 26d33ee..e17f0ec 100644 --- a/templates/vhosts/php_gallery2/partial.erb +++ b/templates/vhosts/php_gallery2/partial.erb 
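Review bot: In the webdav hunk the two closing `<%- end -%>` tags are merged into one ERB tag spread over two lines, `<% end` / `  end -%>`, which is easy to misread as a single block end although it closes both the `unless ldap_user` and the `if ldap_auth` blocks; two separate `<% end -%>` lines, one per block, would match the other partials in this commit. The new `<% if ldap_auth.to_s == 'true' then -%>` also keeps the `then` that the rest of the commit strips from the templates.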
@@ -5,12 +5,12 @@ <%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %> -<% if vhost_part != :ssl -%> # Always rewrite login's # Source: http://gallery.menalto.com/node/30558 RewriteEngine On + RewriteCond %{HTTPS} !=on + RewriteCond %{HTTP:X-Forwarded-Proto} !=https RewriteCond %{HTTP_COOKIE} ^GALLERYSID= [OR] RewriteCond %{QUERY_STRING} subView=core\.UserLogin RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [NE,R,L] -<% end -%> -- cgit v1.2.3 From ea9c9348444ad90bdc44d2083ddca5cd2ebd9c0a Mon Sep 17 00:00:00 2001 From: mh Date: Mon, 14 Apr 2014 23:13:00 +0200 Subject: fix identation --- templates/vhosts/partials/authentication.erb | 9 +++++---- templates/vhosts/partials/logs.erb | 1 + 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/templates/vhosts/partials/authentication.erb b/templates/vhosts/partials/authentication.erb index 76f7870..b81f543 100644 --- a/templates/vhosts/partials/authentication.erb +++ b/templates/vhosts/partials/authentication.erb @@ -1,6 +1,7 @@ <% unless htpasswd_file.to_s == 'absent' -%> - AuthType Basic - AuthName "Access fuer <%= servername %>" - AuthUserFile <%= real_htpasswd_path %> - require valid-user + AuthType Basic + AuthName "Access fuer <%= servername %>" + AuthUserFile <%= real_htpasswd_path %> + require valid-user <% end -%> + diff --git a/templates/vhosts/partials/logs.erb b/templates/vhosts/partials/logs.erb index 711c382..98c834d 100644 --- a/templates/vhosts/partials/logs.erb +++ b/templates/vhosts/partials/logs.erb @@ -15,3 +15,4 @@ ErrorLog <%= logdir %>/<%= logprefix %>error_log CustomLog <%= logdir %>/<%= logprefix %>access_log combined <% end -%> + -- cgit v1.2.3 From fba5450ddae35d1744ba078fe733abd60f519aa1 Mon Sep 17 00:00:00 2001 From: mh Date: Mon, 14 Apr 2014 23:15:43 +0200 Subject: remove that extra line --- templates/vhosts/partials/authentication.erb | 1 - 1 file changed, 1 deletion(-) 
diff --git a/templates/vhosts/partials/authentication.erb b/templates/vhosts/partials/authentication.erb index b81f543..bf43a58 100644 --- a/templates/vhosts/partials/authentication.erb +++ b/templates/vhosts/partials/authentication.erb @@ -4,4 +4,3 @@ AuthUserFile <%= real_htpasswd_path %> require valid-user <% end -%> - -- cgit v1.2.3 From 3b7b7a3a578a479fe3586e293676c407a39695df Mon Sep 17 00:00:00 2001 From: mh Date: Mon, 14 Apr 2014 23:44:14 +0200 Subject: include fcgi config also on http although they might get redirected, because requests might still hit the backend plain --- templates/vhosts/default.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/vhosts/default.erb b/templates/vhosts/default.erb index 2eab3d7..e4bbd4f 100644 --- a/templates/vhosts/default.erb +++ b/templates/vhosts/default.erb @@ -16,7 +16,7 @@ vhost_parts.each do |vhost_part| -%> AssignUserId <%= run_uid+" "+run_gid %> -<% elsif run_mode.to_s == 'fcgid' && !(ssl_mode == 'force' && vhost_part == :normal) -%> +<% elsif run_mode.to_s == 'fcgid' -%> SuexecUserGroup <%= run_uid+" "+run_gid %> FcgidMaxRequestsPerProcess 5000 -- cgit v1.2.3 From d4a70a927e41c181aa07d467a2478db74439aadb Mon Sep 17 00:00:00 2001 
From: mh Date: Thu, 17 Apr 2014 22:08:52 +0200 Subject: linting --- manifests/vhost/php/drupal.pp | 198 +++++++++++---------- manifests/vhost/php/gallery2.pp | 275 +++++++++++++++-------------- manifests/vhost/php/global_exec_bin_dir.pp | 7 +- manifests/vhost/php/joomla.pp | 93 +++++----- manifests/vhost/php/mediawiki.pp | 144 +++++++-------- manifests/vhost/php/safe_mode_bin.pp | 13 +- manifests/vhost/php/silverstripe.pp | 166 ++++++++--------- manifests/vhost/php/simplemachine.pp | 184 +++++++++---------- manifests/vhost/php/spip.pp | 162 ++++++++--------- manifests/vhost/php/typo3.pp | 223 +++++++++++------------ manifests/vhost/php/webapp.pp | 222 ++++++++++++----------- manifests/vhost/php/wordpress.pp | 168 +++++++++--------- 12 files changed, 933 insertions(+), 922 deletions(-) diff --git a/manifests/vhost/php/drupal.pp b/manifests/vhost/php/drupal.pp index 4025ada..4a41a20 100644 --- a/manifests/vhost/php/drupal.pp +++ b/manifests/vhost/php/drupal.pp 
@@ -32,109 +32,111 @@ # - semianonym: Don't log ips for CustomLog, log normal ErrorLog # define apache::vhost::php::drupal( - $ensure = present, - $domain = 'absent', - $domainalias = 'absent', - $server_admin = 'absent', - $logmode = 'default', - $path = 'absent', - $owner = root, - $group = apache, - $documentroot_owner = apache, - $documentroot_group = 0, - $documentroot_mode = 0640, - $run_mode = 'normal', - $run_uid = 'absent', - $run_gid = 'absent', - $allow_override = 'None', - $php_settings = {}, - $php_options = {}, - $do_includes = false, - $options = 'absent', - $additional_options = 'absent', - $default_charset = 'absent', - $mod_security = true, - $mod_security_relevantonly = true, - $mod_security_rules_to_disable = [], - $mod_security_additional_options = 'absent', - $ssl_mode = false, - $vhost_mode = 'template', - $template_partial = 'apache/vhosts/php_drupal/partial.erb', - $vhost_source = 'absent', - $vhost_destination = 'absent', - $htpasswd_file = 'absent', - $htpasswd_path = 'absent', - $manage_directories = true, - $config_webwriteable = false, - $manage_config = true, - $manage_cron = true + $ensure = present, + $domain = 'absent', + $domainalias = 'absent', + $server_admin = 'absent', + $logmode = 'default', + $path = 'absent', + $owner = root, + $group = apache, + $documentroot_owner = apache, + $documentroot_group = 0, + $documentroot_mode = '0640', + $run_mode = 'normal', + $run_uid = 'absent', + $run_gid = 'absent', + $allow_override = 'None', + $php_settings = {}, + $php_options = {}, + $do_includes = false, + $options = 'absent', + $additional_options = 'absent', + $default_charset = 'absent', + $mod_security = true, + $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', + $ssl_mode = false, + $vhost_mode = 'template', + $template_partial = 'apache/vhosts/php_drupal/partial.erb', + $vhost_source = 'absent', + $vhost_destination = 'absent', + $htpasswd_file = 'absent', + 
$htpasswd_path = 'absent', + $manage_directories = true, + $config_webwriteable = false, + $manage_config = true, + $manage_cron = true ){ - $documentroot = $path ? { - 'absent' => $::operatingsystem ? { - openbsd => "/var/www/htdocs/${name}/www", - default => "/var/www/vhosts/${name}/www" - }, - default => "${path}/www" - } - - if $manage_cron { - if $domain == 'absent' { - $real_domain = $name - } else { - $real_domain = $domain - } + $documentroot = $path ? { + 'absent' => $::operatingsystem ? { + openbsd => "/var/www/htdocs/${name}/www", + default => "/var/www/vhosts/${name}/www" + }, + default => "${path}/www" + } - file{"/etc/cron.d/drupal_cron_${name}": - content => "0 * * * * apache wget -O - -q -t 1 http://${real_domain}/cron.php\n", - owner => root, group => 0, mode => 0644; - } + if $manage_cron { + if $domain == 'absent' { + $real_domain = $name + } else { + $real_domain = $domain } - $std_drupal_php_settings = { - magic_quotes_gpc => 0, - register_globals => 0, - 'session.auto_start' => 0, - 'mbstring.http_input' => 'pass', - 'mbstring.http_output' => 'pass', - 'mbstring.encoding_translation' => 0, + file{"/etc/cron.d/drupal_cron_${name}": + content => "0 * * * * apache wget -O - -q -t 1 http://${real_domain}/cron.php\n", + owner => root, + group => 0, + mode => '0644'; } + } - # create vhost configuration file - ::apache::vhost::php::webapp{$name: - ensure => $ensure, - domain => $domain, - domainalias => $domainalias, - server_admin => $server_admin, - logmode => $logmode, - path => $path, - owner => $owner, - group => $group, - documentroot_owner => $documentroot_owner, - documentroot_group => $documentroot_group, - documentroot_mode => $documentroot_mode, - run_mode => $run_mode, - run_uid => $run_uid, - run_gid => $run_gid, - allow_override => $allow_override, - php_settings =>merge($std_drupal_php_settings, $php_settings), - php_options => $php_options, - do_includes => $do_includes, - options => $options, - additional_options => 
$additional_options, - default_charset => $default_charset, - mod_security => $mod_security, - mod_security_relevantonly => $mod_security_relevantonly, - mod_security_rules_to_disable => $mod_security_rules_to_disable, - mod_security_additional_options => $mod_security_additional_options, - ssl_mode => $ssl_mode, - vhost_mode => $vhost_mode, - template_partial => $template_partial, - vhost_source => $vhost_source, - vhost_destination => $vhost_destination, - htpasswd_file => $htpasswd_file, - htpasswd_path => $htpasswd_path, - manage_directories => false, - manage_config => false, - } + $std_drupal_php_settings = { + magic_quotes_gpc => 0, + register_globals => 0, + 'session.auto_start' => 0, + 'mbstring.http_input' => 'pass', + 'mbstring.http_output' => 'pass', + 'mbstring.encoding_translation' => 0, + } + + # create vhost configuration file + ::apache::vhost::php::webapp{$name: + ensure => $ensure, + domain => $domain, + domainalias => $domainalias, + server_admin => $server_admin, + logmode => $logmode, + path => $path, + owner => $owner, + group => $group, + documentroot_owner => $documentroot_owner, + documentroot_group => $documentroot_group, + documentroot_mode => $documentroot_mode, + run_mode => $run_mode, + run_uid => $run_uid, + run_gid => $run_gid, + allow_override => $allow_override, + php_settings => merge($std_drupal_php_settings, $php_settings), + php_options => $php_options, + do_includes => $do_includes, + options => $options, + additional_options => $additional_options, + default_charset => $default_charset, + mod_security => $mod_security, + mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options => $mod_security_additional_options, + ssl_mode => $ssl_mode, + vhost_mode => $vhost_mode, + template_partial => $template_partial, + vhost_source => $vhost_source, + vhost_destination => $vhost_destination, + htpasswd_file => $htpasswd_file, + 
htpasswd_path => $htpasswd_path, + manage_directories => false, + manage_config => false, + } } diff --git a/manifests/vhost/php/gallery2.pp b/manifests/vhost/php/gallery2.pp index d1876ff..d2f2e6a 100644 --- a/manifests/vhost/php/gallery2.pp +++ b/manifests/vhost/php/gallery2.pp 
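Review bot: The cron resource `file{"/etc/cron.d/drupal_cron_${name}": ...}` on the new side carries no `ensure`, so a vhost removed with `ensure => absent` leaves the hourly `wget ... http://${real_domain}/cron.php` job behind, still hitting a host that no longer serves the site. Adding `ensure => $ensure,` as the first attribute of that resource fixes it; gallery2.pp in this same commit already derives its directory state from `$ensure`. `$config_webwriteable` is accepted in the parameter list but never forwarded to the `webapp` call, which looks intentional but deserves a one-line comment if so. The rest of the hunk is reindentation plus quoting `documentroot_mode`/`mode`, which looks correct.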
@@ -31,151 +31,156 @@ # - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null # - semianonym: Don't log ips for CustomLog, log normal ErrorLog define apache::vhost::php::gallery2( - $ensure = present, - $domain = 'absent', - $domainalias = 'absent', - $server_admin = 'absent', - $logmode = 'default', - $path = 'absent', - $owner = root, - $group = apache, - $documentroot_owner = apache, - $documentroot_group = 0, - $documentroot_mode = 0640, - $run_mode = 'normal', - $run_uid = 'absent', - $run_gid = 'absent', - $allow_override = 'None', - $php_settings = {}, - $php_options = {}, - $do_includes = false, - $options = 'absent', - $additional_options = 'absent', - $default_charset = 'absent', - $mod_security = false, - $mod_security_relevantonly = true, - $mod_security_rules_to_disable = [], - $mod_security_additional_options = 'absent', - $ssl_mode = false, - $vhost_mode = 'template', - $template_partial = 'apache/vhosts/php_gallery2/partial.erb', - $vhost_source = 'absent', - $vhost_destination = 'absent', - $htpasswd_file = 'absent', - $htpasswd_path = 'absent', - $manage_config = true, - $config_webwriteable = false, - $manage_directories = true, - $upload_dir = 'present' + $ensure = present, + $domain = 'absent', + $domainalias = 'absent', + $server_admin = 'absent', + $logmode = 'default', + $path = 'absent', + $owner = root, + $group = apache, + $documentroot_owner = apache, + $documentroot_group = 0, + $documentroot_mode = 0640, + $run_mode = 'normal', + $run_uid = 'absent', + $run_gid = 'absent', + $allow_override = 'None', + $php_settings = {}, + $php_options = {}, + $do_includes = false, + $options = 'absent', + $additional_options = 'absent', + $default_charset = 'absent', + $mod_security = false, + $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', + $ssl_mode = false, + $vhost_mode = 'template', + $template_partial = 'apache/vhosts/php_gallery2/partial.erb', + $vhost_source 
= 'absent', + $vhost_destination = 'absent', + $htpasswd_file = 'absent', + $htpasswd_path = 'absent', + $manage_config = true, + $config_webwriteable = false, + $manage_directories = true, + $upload_dir = 'present' ){ - $documentroot = $path ? { - 'absent' => $::operatingsystem ? { - openbsd => "/var/www/htdocs/${name}/www", - default => "/var/www/vhosts/${name}/www" - }, - default => "${path}/www" + $documentroot = $path ? { + 'absent' => $::operatingsystem ? { + openbsd => "/var/www/htdocs/${name}/www", + default => "/var/www/vhosts/${name}/www" + }, + default => "${path}/www" + } + $gdatadir = $path ? { + 'absent' => $::operatingsystem ? { + openbsd => "/var/www/htdocs/${name}/g2data", + default => "/var/www/vhosts/${name}/g2data" + }, + default => "${path}/g2data" + } + if ($upload_dir == 'present') or ($upload_dir == 'absent') { + $real_upload_dir = $::operatingsystem ? { + openbsd => "/var/www/htdocs/${name}/upload", + default => "/var/www/vhosts/${name}/upload" } - $gdatadir = $path ? { - 'absent' => $::operatingsystem ? { - openbsd => "/var/www/htdocs/${name}/g2data", - default => "/var/www/vhosts/${name}/g2data" - }, - default => "${path}/g2data" + } else { + $real_upload_dir = $upload_dir + } + $ensure_dir = $ensure ? { + 'present' => directory, + default => absent + } + file{ + $gdatadir: + ensure => $ensure_dir, + owner => $documentroot_owner, + group => $documentroot_group, + mode => '0660'; + $real_upload_dir: + owner => $documentroot_owner, + group => $documentroot_group, + mode => '0660'; + } + if ($ensure == 'absent') or ($upload_dir == 'absent') { + File[$real_upload_dir]{ + ensure => absent, + purge => true, + force => true, + recurse => true } - if ($upload_dir == 'present') or ($upload_dir == 'absent') { - $real_upload_dir = $::operatingsystem ? { - openbsd => "/var/www/htdocs/${name}/upload", - default => "/var/www/vhosts/${name}/upload" - } - } else { - $real_upload_dir = $upload_dir - } - file{ - $gdatadir: - ensure => $ensure ? 
{ - 'present' => directory, - default => absent - }, - owner => $documentroot_owner, group => $documentroot_group, mode => 0660; - $real_upload_dir: - owner => $documentroot_owner, group => $documentroot_group, mode => 0660; - } - if ($ensure == 'absent') or ($upload_dir == 'absent') { - File[$real_upload_dir]{ - ensure => absent, - purge => true, - force => true, - recurse => true - } - } else { - File[$real_upload_dir]{ - ensure => directory - } + } else { + File[$real_upload_dir]{ + ensure => directory } + } - $gallery_php_settings = { - safe_mode => 'Off', - output_buffering => 'Off', - } + $gallery_php_settings = { + safe_mode => 'Off', + output_buffering => 'Off', + } - # php upload_tmp_dir - case $php_settings[upload_tmp_dir] { - '',undef: { - $php_settings[upload_tmp_dir] = "/var/www/upload_tmp_dir/$name" - } + # php upload_tmp_dir + case $php_settings[upload_tmp_dir] { + '',undef: { + $php_settings[upload_tmp_dir] = "/var/www/upload_tmp_dir/${name}" } - # php session_save_path - case $php_settings['session.save_path'] { - '',undef: { - $php_settings['session.save_path'] = "/var/www/session.save_path/$name" - } + } + # php session_save_path + case $php_settings['session.save_path'] { + '',undef: { + $php_settings['session.save_path'] = "/var/www/session.save_path/${name}" } + } - if $upload_dir != 'absent' { - $gallery_php_settings[open_basedir] = "${documentroot}:${php_settings[upload_tmp_dir]}:${php_settings['session.save_path']}:${gdatadir}:${real_upload_dir}" - } else { - $gallery_php_settings[open_basedir] = "${documentroot}:${php_settings[upload_tmp_dir]}:${php_settings['session.save_path']}:${gdatadir}" - } + if $upload_dir != 'absent' { + $gallery_php_settings[open_basedir] = "${documentroot}:${php_settings[upload_tmp_dir]}:${php_settings['session.save_path']}:${gdatadir}:${real_upload_dir}" + } else { + $gallery_php_settings[open_basedir] = "${documentroot}:${php_settings[upload_tmp_dir]}:${php_settings['session.save_path']}:${gdatadir}" + } - 
$real_php_settings = merge($gallery_php_settings,$php_settings) + $real_php_settings = merge($gallery_php_settings,$php_settings) - # create vhost configuration file - ::apache::vhost::php::webapp{$name: - ensure => $ensure, - domain => $domain, - domainalias => $domainalias, - server_admin => $server_admin, - logmode => $logmode, - path => $path, - owner => $owner, - group => $group, - documentroot_owner => $documentroot_owner, - documentroot_group => $documentroot_group, - documentroot_mode => $documentroot_mode, - run_mode => $run_mode, - run_uid => $run_uid, - run_gid => $run_gid, - allow_override => $allow_override, - php_settings => $real_php_settings, - php_options => $php_options, - do_includes => $do_includes, - options => $options, - additional_options => $additional_options, - default_charset => $default_charset, - mod_security => $mod_security, - mod_security_relevantonly => $mod_security_relevantonly, - mod_security_rules_to_disable => $mod_security_rules_to_disable, - mod_security_additional_options => $mod_security_additional_options, - ssl_mode => $ssl_mode, - vhost_mode => $vhost_mode, - template_partial => $template_partial, - vhost_source => $vhost_source, - vhost_destination => $vhost_destination, - htpasswd_file => $htpasswd_file, - htpasswd_path => $htpasswd_path, - manage_directories => $manage_directories, - manage_config => $manage_config, - config_file => 'config.php', - } + # create vhost configuration file + ::apache::vhost::php::webapp{$name: + ensure => $ensure, + domain => $domain, + domainalias => $domainalias, + server_admin => $server_admin, + logmode => $logmode, + path => $path, + owner => $owner, + group => $group, + documentroot_owner => $documentroot_owner, + documentroot_group => $documentroot_group, + documentroot_mode => $documentroot_mode, + run_mode => $run_mode, + run_uid => $run_uid, + run_gid => $run_gid, + allow_override => $allow_override, + php_settings => $real_php_settings, + php_options => $php_options, + 
do_includes => $do_includes, + options => $options, + additional_options => $additional_options, + default_charset => $default_charset, + mod_security => $mod_security, + mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options => $mod_security_additional_options, + ssl_mode => $ssl_mode, + vhost_mode => $vhost_mode, + template_partial => $template_partial, + vhost_source => $vhost_source, + vhost_destination => $vhost_destination, + htpasswd_file => $htpasswd_file, + htpasswd_path => $htpasswd_path, + manage_directories => $manage_directories, + manage_config => $manage_config, + config_file => 'config.php', + } } diff --git a/manifests/vhost/php/global_exec_bin_dir.pp b/manifests/vhost/php/global_exec_bin_dir.pp index cbb9803..efcdaf7 100644 --- a/manifests/vhost/php/global_exec_bin_dir.pp +++ b/manifests/vhost/php/global_exec_bin_dir.pp @@ -1,6 +1,9 @@ +# manage global exec_bin_dir class apache::vhost::php::global_exec_bin_dir { file{'/var/www/php_safe_exec_bins': - ensure => directory, - owner => root, group => apache, mode => 0640; + ensure => directory, + owner => root, + group => apache, + mode => '0640'; } } diff --git a/manifests/vhost/php/joomla.pp b/manifests/vhost/php/joomla.pp index 30282e2..38d41e7 100644 --- a/manifests/vhost/php/joomla.pp +++ b/manifests/vhost/php/joomla.pp 
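Review bot: `$documentroot_mode = 0640` stays an unquoted octal on the new side of gallery2.pp, while this same commit quotes it to `'0640'` in drupal.pp, silverstripe.pp and simplemachine.pp; mediawiki.pp (the hunk after joomla.pp) has the same leftover. An unquoted `0640` may be parsed as a number rather than a mode string and is exactly what puppet-lint's `unquoted_file_mode` check flags, so for a linting commit both places should become `$documentroot_mode = '0640',`. The `mode => '0660'` lines further down in this hunk are already quoted, so only the parameter defaults are affected.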
@@ -25,41 +25,41 @@ # - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null # - semianonym: Don't log ips for CustomLog, log normal ErrorLog define apache::vhost::php::joomla( - $ensure = present, - $domain = 'absent', - $domainalias = 'absent', - $server_admin = 'absent', - $logmode = 'default', - $path = 'absent', - $owner = root, - $group = apache, - $documentroot_owner = apache, - $documentroot_group = 0, - $documentroot_mode = '0640', - $run_mode = 'normal', - $run_uid = 'absent', - $run_gid = 'absent', - $allow_override = 'None', - $php_settings = {}, - $php_options = {}, - $do_includes = false, - $options = 'absent', - $additional_options = 'absent', - $default_charset = 'absent', - $mod_security = true, - $mod_security_relevantonly = true, - $mod_security_rules_to_disable = [], - $mod_security_additional_options = 'absent', - $ssl_mode = false, - $vhost_mode = 'template', - $template_partial = 'apache/vhosts/php_joomla/partial.erb', - $vhost_source = 'absent', - $vhost_destination = 'absent', - $htpasswd_file = 'absent', - $htpasswd_path = 'absent', - $manage_config = true, - $config_webwriteable = false, - $manage_directories = true + $ensure = present, + $domain = 'absent', + $domainalias = 'absent', + $server_admin = 'absent', + $logmode = 'default', + $path = 'absent', + $owner = root, + $group = apache, + $documentroot_owner = apache, + $documentroot_group = 0, + $documentroot_mode = '0640', + $run_mode = 'normal', + $run_uid = 'absent', + $run_gid = 'absent', + $allow_override = 'None', + $php_settings = {}, + $php_options = {}, + $do_includes = false, + $options = 'absent', + $additional_options = 'absent', + $default_charset = 'absent', + $mod_security = true, + $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', + $ssl_mode = false, + $vhost_mode = 'template', + $template_partial = 'apache/vhosts/php_joomla/partial.erb', + $vhost_source = 'absent', + $vhost_destination 
= 'absent', + $htpasswd_file = 'absent', + $htpasswd_path = 'absent', + $manage_config = true, + $config_webwriteable = false, + $manage_directories = true ){ include ::apache::include::joomla @@ -79,19 +79,20 @@ define apache::vhost::php::joomla( }, default => '' } - $real_mod_security_additional_options = "# http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html - # Exceptions for Joomla Root Directory - - SecRuleRemoveById 950013 - + $real_mod_security_additional_options = " + # http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html + # Exceptions for Joomla Root Directory + + SecRuleRemoveById 950013 + - # Exceptions for Joomla Administration Panel - SecRule REQUEST_FILENAME \"/administrator/index2.php\" \"${id_str}allow,phase:1,nolog,ctl:ruleEngine=Off\" + # Exceptions for Joomla Administration Panel + SecRule REQUEST_FILENAME \"/administrator/index2.php\" \"${id_str}allow,phase:1,nolog,ctl:ruleEngine=Off\" - # Exceptions for Joomla Component Expose - - SecRuleRemoveById 960010 - + # Exceptions for Joomla Component Expose + + SecRuleRemoveById 960010 + " } else { $real_mod_security_additional_options = $mod_security_additional_options diff --git a/manifests/vhost/php/mediawiki.pp b/manifests/vhost/php/mediawiki.pp index 502af53..3068c79 100644 --- a/manifests/vhost/php/mediawiki.pp +++ b/manifests/vhost/php/mediawiki.pp 
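Review bot: In the rebuilt `$real_mod_security_additional_options` string, `SecRule REQUEST_FILENAME \"/administrator/index2.php\" ...` uses ModSecurity's default `@rx` operator with no anchors, so the exception applies to any request path that merely contains that substring rather than to the admin script itself; `SecRule REQUEST_FILENAME \"@streq /administrator/index2.php\" ...` limits it to the intended path. The action `ctl:ruleEngine=Off` also switches inspection off entirely for that request; if the motivation is a handful of noisy rules, `ctl:ruleRemoveById=<rule id>` per offending rule keeps the rest of the ruleset active, and a comment naming the rules the exception exists for would document the trade-off either way. The container directives around the `SecRuleRemoveById` lines appear to have been stripped from this rendering, so their scope cannot be checked here, and the `if`/`else` around the string starts outside the hunk.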
@@ -25,80 +25,80 @@ # - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null # - semianonym: Don't log ips for CustomLog, log normal ErrorLog define apache::vhost::php::mediawiki( - $ensure = present, - $domain = 'absent', - $domainalias = 'absent', - $server_admin = 'absent', - $logmode = 'default', - $path = 'absent', - $manage_docroot = true, - $owner = root, - $group = apache, - $documentroot_owner = apache, - $documentroot_group = 0, - $documentroot_mode = 0640, - $run_mode = 'normal', - $run_uid = 'absent', - $run_gid = 'absent', - $allow_override = 'FileInfo Limit', - $php_settings = {}, - $php_options = {}, - $options = 'absent', - $additional_options = 'absent', - $default_charset = 'absent', - $mod_security = true, - $mod_security_relevantonly = true, - $mod_security_rules_to_disable = [], - $mod_security_additional_options = 'absent', - $ssl_mode = false, - $vhost_mode = 'template', - $template_partial = 'apache/vhosts/php_mediawiki/partial.erb', - $vhost_source = 'absent', - $vhost_destination = 'absent', - $htpasswd_file = 'absent', - $htpasswd_path = 'absent' + $ensure = present, + $domain = 'absent', + $domainalias = 'absent', + $server_admin = 'absent', + $logmode = 'default', + $path = 'absent', + $manage_docroot = true, + $owner = root, + $group = apache, + $documentroot_owner = apache, + $documentroot_group = 0, + $documentroot_mode = 0640, + $run_mode = 'normal', + $run_uid = 'absent', + $run_gid = 'absent', + $allow_override = 'FileInfo Limit', + $php_settings = {}, + $php_options = {}, + $options = 'absent', + $additional_options = 'absent', + $default_charset = 'absent', + $mod_security = true, + $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', + $ssl_mode = false, + $vhost_mode = 'template', + $template_partial = 'apache/vhosts/php_mediawiki/partial.erb', + $vhost_source = 'absent', + $vhost_destination = 'absent', + $htpasswd_file = 'absent', + $htpasswd_path 
= 'absent' ){ - $mediawiki_php_settings = { - safe_mode => false, - } + $mediawiki_php_settings = { + safe_mode => false, + } - # create vhost configuration file - ::apache::vhost::php::webapp{$name: - ensure => $ensure, - domain => $domain, - domainalias => $domainalias, - server_admin => $server_admin, - logmode => $logmode, - path => $path, - manage_docroot => $manage_docroot, - owner => $owner, - group => $group, - documentroot_owner => $documentroot_owner, - documentroot_group => $documentroot_group, - documentroot_mode => $documentroot_mode, - run_mode => $run_mode, - run_uid => $run_uid, - run_gid => $run_gid, - allow_override => $allow_override, - php_settings => merge($mediawiki_php_settings,$php_settings), - php_options => $php_options, - options => $options, - additional_options => $additional_options, - default_charset => $default_charset, - mod_security => $mod_security, - mod_security_relevantonly => $mod_security_relevantonly, - mod_security_rules_to_disable => $mod_security_rules_to_disable, - mod_security_additional_options => $mod_security_additional_options, - ssl_mode => $ssl_mode, - vhost_mode => $vhost_mode, - template_partial => $template_partial, - vhost_source => $vhost_source, - vhost_destination => $vhost_destination, - htpasswd_file => $htpasswd_file, - htpasswd_path => $htpasswd_path, - manage_directories => false, - manage_config => false, - } + # create vhost configuration file + ::apache::vhost::php::webapp{$name: + ensure => $ensure, + domain => $domain, + domainalias => $domainalias, + server_admin => $server_admin, + logmode => $logmode, + path => $path, + manage_docroot => $manage_docroot, + owner => $owner, + group => $group, + documentroot_owner => $documentroot_owner, + documentroot_group => $documentroot_group, + documentroot_mode => $documentroot_mode, + run_mode => $run_mode, + run_uid => $run_uid, + run_gid => $run_gid, + allow_override => $allow_override, + php_settings => merge($mediawiki_php_settings,$php_settings), + 
php_options => $php_options, + options => $options, + additional_options => $additional_options, + default_charset => $default_charset, + mod_security => $mod_security, + mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options => $mod_security_additional_options, + ssl_mode => $ssl_mode, + vhost_mode => $vhost_mode, + template_partial => $template_partial, + vhost_source => $vhost_source, + vhost_destination => $vhost_destination, + htpasswd_file => $htpasswd_file, + htpasswd_path => $htpasswd_path, + manage_directories => false, + manage_config => false, + } } diff --git a/manifests/vhost/php/safe_mode_bin.pp b/manifests/vhost/php/safe_mode_bin.pp index 4a3574d..1c82e19 100644 --- a/manifests/vhost/php/safe_mode_bin.pp +++ b/manifests/vhost/php/safe_mode_bin.pp @@ -1,14 +1,17 @@ +# safe_mode binaries define apache::vhost::php::safe_mode_bin( $ensure = 'present', $path ){ $substr=regsubst($name,'^.*\/','','G') - $real_path = "$path/$substr" + $real_path = "${path}/${substr}" + $target = $ensure ? { + 'present' => regsubst($name,'^.*@',''), + default => absent, + } file{$real_path: - ensure => $ensure ? { - 'present' => regsubst($name,'^.*@',''), - default => absent, - } + ensure => link, + target => $target, } } diff --git a/manifests/vhost/php/silverstripe.pp b/manifests/vhost/php/silverstripe.pp index da58296..e7c7f24 100644 --- a/manifests/vhost/php/silverstripe.pp +++ b/manifests/vhost/php/silverstripe.pp 
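Review bot: The rewritten `file{$real_path: ensure => link, target => $target }` no longer removes the link when `$ensure` is anything but `'present'`: the old side set `ensure => absent` in that case, whereas the new side always requests a link and hands it `target => absent`, i.e. a symlink pointing at a literal path named `absent`. Keep the `$target` selector but let the ensure follow `$ensure` as well, replacing `ensure => link,` with `ensure => $ensure ? { 'present' => link, default => absent },`. `target` should be ignored by the file type once ensure is absent, so `$target` can stay as computed.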
@@ -25,93 +25,93 @@ # - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null # - semianonym: Don't log ips for CustomLog, log normal ErrorLog define apache::vhost::php::silverstripe( - $ensure = present, - $domain = 'absent', - $domainalias = 'absent', - $server_admin = 'absent', - $logmode = 'default', - $path = 'absent', - $owner = root, - $group = apache, - $documentroot_owner = apache, - $documentroot_group = 0, - $documentroot_mode = 0640, - $run_mode = 'normal', - $run_uid = 'absent', - $run_gid = 'absent', - $allow_override = 'None', - $php_settings = {}, - $php_options = {}, - $do_includes = false, - $options = 'absent', - $additional_options = 'absent', - $default_charset = 'absent', - $mod_security = true, - $mod_security_relevantonly = true, - $mod_security_rules_to_disable = [], - $mod_security_additional_options = 'absent', - $ssl_mode = false, - $vhost_mode = 'template', - $template_partial = 'apache/vhosts/php_silverstripe/partial.erb', - $vhost_source = 'absent', - $vhost_destination = 'absent', - $htpasswd_file = 'absent', - $htpasswd_path = 'absent', - $manage_config = true, - $config_webwriteable = false, - $manage_directories = true + $ensure = present, + $domain = 'absent', + $domainalias = 'absent', + $server_admin = 'absent', + $logmode = 'default', + $path = 'absent', + $owner = root, + $group = apache, + $documentroot_owner = apache, + $documentroot_group = 0, + $documentroot_mode = '0640', + $run_mode = 'normal', + $run_uid = 'absent', + $run_gid = 'absent', + $allow_override = 'None', + $php_settings = {}, + $php_options = {}, + $do_includes = false, + $options = 'absent', + $additional_options = 'absent', + $default_charset = 'absent', + $mod_security = true, + $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', + $ssl_mode = false, + $vhost_mode = 'template', + $template_partial = 'apache/vhosts/php_silverstripe/partial.erb', + $vhost_source = 'absent', + 
$vhost_destination = 'absent', + $htpasswd_file = 'absent', + $htpasswd_path = 'absent', + $manage_config = true, + $config_webwriteable = false, + $manage_directories = true, ){ - include ::apache::include::silverstripe + include ::apache::include::silverstripe - $documentroot = $path ? { - 'absent' => $::operatingsystem ? { - openbsd => "/var/www/htdocs/${name}/www", - default => "/var/www/vhosts/${name}/www" - }, - default => "${path}/www" - } - $modsec_rules = ["960010"] - $real_mod_security_rules_to_disable = array_union($mod_security_rules_to_disable,$modsec_rules) + $documentroot = $path ? { + 'absent' => $::operatingsystem ? { + openbsd => "/var/www/htdocs/${name}/www", + default => "/var/www/vhosts/${name}/www" + }, + default => "${path}/www" + } + $modsec_rules = ['960010'] + $real_mod_security_rules_to_disable = array_union($mod_security_rules_to_disable,$modsec_rules) - # create vhost configuration file - ::apache::vhost::php::webapp{$name: - ensure => $ensure, - domain => $domain, - domainalias => $domainalias, - server_admin => $server_admin, - logmode => $logmode, - path => $path, - owner => $owner, - group => $group, - documentroot_owner => $documentroot_owner, - documentroot_group => $documentroot_group, - documentroot_mode => $documentroot_mode, - run_mode => $run_mode, - run_uid => $run_uid, - run_gid => $run_gid, - allow_override => $allow_override, - php_settings => $php_settings, - php_options => $php_options, - do_includes => $do_includes, - options => $options, - additional_options => $additional_options, - default_charset => $default_charset, - mod_security => $mod_security, - mod_security_relevantonly => $mod_security_relevantonly, - mod_security_rules_to_disable => $mod_security_rules_to_disable, - mod_security_additional_options => $mod_security_additional_options, - ssl_mode => $ssl_mode, - vhost_mode => $vhost_mode, - template_partial => $template_partial, - vhost_source => $vhost_source, - vhost_destination => $vhost_destination, - 
htpasswd_file => $htpasswd_file, - htpasswd_path => $htpasswd_path, - manage_directories => $manage_directories, - managed_directories => [ "${documentroot}/assets" ], - manage_config => $manage_config, - } + # create vhost configuration file + ::apache::vhost::php::webapp{$name: + ensure => $ensure, + domain => $domain, + domainalias => $domainalias, + server_admin => $server_admin, + logmode => $logmode, + path => $path, + owner => $owner, + group => $group, + documentroot_owner => $documentroot_owner, + documentroot_group => $documentroot_group, + documentroot_mode => $documentroot_mode, + run_mode => $run_mode, + run_uid => $run_uid, + run_gid => $run_gid, + allow_override => $allow_override, + php_settings => $php_settings, + php_options => $php_options, + do_includes => $do_includes, + options => $options, + additional_options => $additional_options, + default_charset => $default_charset, + mod_security => $mod_security, + mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options => $mod_security_additional_options, + ssl_mode => $ssl_mode, + vhost_mode => $vhost_mode, + template_partial => $template_partial, + vhost_source => $vhost_source, + vhost_destination => $vhost_destination, + htpasswd_file => $htpasswd_file, + htpasswd_path => $htpasswd_path, + manage_directories => $manage_directories, + managed_directories => [ "${documentroot}/assets" ], + manage_config => $manage_config, + } } diff --git a/manifests/vhost/php/simplemachine.pp b/manifests/vhost/php/simplemachine.pp index b5178da..48386b6 100644 --- a/manifests/vhost/php/simplemachine.pp +++ b/manifests/vhost/php/simplemachine.pp 
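Review bot: `$real_mod_security_rules_to_disable = array_union($mod_security_rules_to_disable,$modsec_rules)` is computed on the new side but never used: the `webapp` call below still passes `mod_security_rules_to_disable => $mod_security_rules_to_disable`, so the `'960010'` exception this define adds for SilverStripe is silently dropped and the rule stays active. The call should read `mod_security_rules_to_disable => $real_mod_security_rules_to_disable,`. This predates the commit, but a linting pass that touches every line of the define is the natural place to catch it.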
@@ -25,99 +25,99 @@ # - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null # - semianonym: Don't log ips for CustomLog, log normal ErrorLog define apache::vhost::php::simplemachine( - $ensure = present, - $domain = 'absent', - $domainalias = 'absent', - $server_admin = 'absent', - $logmode = 'default', - $path = 'absent', - $owner = root, - $group = apache, - $documentroot_owner = apache, - $documentroot_group = 0, - $documentroot_mode = 0640, - $run_mode = 'normal', - $run_uid = 'absent', - $run_gid = 'absent', - $allow_override = 'None', - $php_settings = {}, - $php_options = {}, - $do_includes = false, - $options = 'absent', - $additional_options = 'absent', - $default_charset = 'absent', - $mod_security = true, - $mod_security_relevantonly = true, - $mod_security_rules_to_disable = [], - $mod_security_additional_options = 'absent', - $ssl_mode = false, - $vhost_mode = 'template', - $template_partial = 'apache/vhosts/php/partial.erb', - $vhost_source = 'absent', - $vhost_destination = 'absent', - $htpasswd_file = 'absent', - $htpasswd_path = 'absent', - $manage_config = true, - $config_webwriteable = false, - $manage_directories = true + $ensure = present, + $domain = 'absent', + $domainalias = 'absent', + $server_admin = 'absent', + $logmode = 'default', + $path = 'absent', + $owner = root, + $group = apache, + $documentroot_owner = apache, + $documentroot_group = 0, + $documentroot_mode = '0640', + $run_mode = 'normal', + $run_uid = 'absent', + $run_gid = 'absent', + $allow_override = 'None', + $php_settings = {}, + $php_options = {}, + $do_includes = false, + $options = 'absent', + $additional_options = 'absent', + $default_charset = 'absent', + $mod_security = true, + $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', + $ssl_mode = false, + $vhost_mode = 'template', + $template_partial = 'apache/vhosts/php/partial.erb', + $vhost_source = 'absent', + $vhost_destination = 
'absent', + $htpasswd_file = 'absent', + $htpasswd_path = 'absent', + $manage_config = true, + $config_webwriteable = false, + $manage_directories = true, ){ - $documentroot = $path ? { - 'absent' => $::operatingsystem ? { - openbsd => "/var/www/htdocs/${name}/www", - default => "/var/www/vhosts/${name}/www" - }, - default => "${path}/www" - } + $documentroot = $path ? { + 'absent' => $::operatingsystem ? { + openbsd => "/var/www/htdocs/${name}/www", + default => "/var/www/vhosts/${name}/www" + }, + default => "${path}/www" + } - # create vhost configuration file - ::apache::vhost::php::webapp{$name: - ensure => $ensure, - domain => $domain, - domainalias => $domainalias, - server_admin => $server_admin, - logmode => $logmode, - path => $path, - owner => $owner, - group => $group, - documentroot_owner => $documentroot_owner, - documentroot_group => $documentroot_group, - documentroot_mode => $documentroot_mode, - run_mode => $run_mode, - run_uid => $run_uid, - run_gid => $run_gid, - allow_override => $allow_override, - php_settings => $php_settings, - php_options => $php_options, - do_includes => $do_includes, - options => $options, - additional_options => $additional_options, - default_charset => $default_charset, - mod_security => $mod_security, - mod_security_relevantonly => $mod_security_relevantonly, - mod_security_rules_to_disable => $mod_security_rules_to_disable, - mod_security_additional_options => $mod_security_additional_options, - ssl_mode => $ssl_mode, - vhost_mode => $vhost_mode, - template_partial => $template_partial, - vhost_source => $vhost_source, - vhost_destination => $vhost_destination, - htpasswd_file => $htpasswd_file, - htpasswd_path => $htpasswd_path, - manage_directories => $manage_directories, - managed_directories => [ - "${documentroot}/agreement.txt", - "${documentroot}/attachments", - "${documentroot}/avatars", - "${documentroot}/cache", - "${documentroot}/Packages", - "${documentroot}/Packages/installed.list", - 
"${documentroot}/Smileys", - "${documentroot}/Themes", - "${documentroot}/Themes/default/languages/Install.english.php" - ], - manage_config => $manage_config, - config_webwriteable => $config_webwriteable, - config_file => 'Settings.php', - } + # create vhost configuration file + ::apache::vhost::php::webapp{$name: + ensure => $ensure, + domain => $domain, + domainalias => $domainalias, + server_admin => $server_admin, + logmode => $logmode, + path => $path, + owner => $owner, + group => $group, + documentroot_owner => $documentroot_owner, + documentroot_group => $documentroot_group, + documentroot_mode => $documentroot_mode, + run_mode => $run_mode, + run_uid => $run_uid, + run_gid => $run_gid, + allow_override => $allow_override, + php_settings => $php_settings, + php_options => $php_options, + do_includes => $do_includes, + options => $options, + additional_options => $additional_options, + default_charset => $default_charset, + mod_security => $mod_security, + mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options => $mod_security_additional_options, + ssl_mode => $ssl_mode, + vhost_mode => $vhost_mode, + template_partial => $template_partial, + vhost_source => $vhost_source, + vhost_destination => $vhost_destination, + htpasswd_file => $htpasswd_file, + htpasswd_path => $htpasswd_path, + manage_directories => $manage_directories, + managed_directories => [ + "${documentroot}/agreement.txt", + "${documentroot}/attachments", + "${documentroot}/avatars", + "${documentroot}/cache", + "${documentroot}/Packages", + "${documentroot}/Packages/installed.list", + "${documentroot}/Smileys", + "${documentroot}/Themes", + "${documentroot}/Themes/default/languages/Install.english.php" + ], + manage_config => $manage_config, + config_webwriteable => $config_webwriteable, + config_file => 'Settings.php', + } } 
diff --git a/manifests/vhost/php/spip.pp b/manifests/vhost/php/spip.pp index 5f4ffdb..74be5d4 100644 --- a/manifests/vhost/php/spip.pp +++ b/manifests/vhost/php/spip.pp 
@@ -25,88 +25,88 @@ # - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null # - semianonym: Don't log ips for CustomLog, log normal ErrorLog define apache::vhost::php::spip( - $ensure = present, - $domain = 'absent', - $domainalias = 'absent', - $server_admin = 'absent', - $logmode = 'default', - $path = 'absent', - $owner = root, - $group = apache, - $documentroot_owner = apache, - $documentroot_group = 0, - $documentroot_mode = 0640, - $run_mode = 'normal', - $run_uid = 'absent', - $run_gid = 'absent', - $allow_override = 'FileInfo', - $php_settings = {}, - $php_options = {}, - $template_partial = 'apache/vhosts/php/partial.erb', - $do_includes = false, - $options = 'absent', - $additional_options = 'absent', - $default_charset = 'absent', - $mod_security = true, - $mod_security_relevantonly = true, - $mod_security_rules_to_disable = [], - $mod_security_additional_options = 'absent', - $ssl_mode = false, - $vhost_mode = 'template', - $vhost_source = 'absent', - $vhost_destination = 'absent', - $htpasswd_file = 'absent', - $htpasswd_path = 'absent' + $ensure = present, + $domain = 'absent', + $domainalias = 'absent', + $server_admin = 'absent', + $logmode = 'default', + $path = 'absent', + $owner = root, + $group = apache, + $documentroot_owner = apache, + $documentroot_group = 0, + $documentroot_mode = '0640', + $run_mode = 'normal', + $run_uid = 'absent', + $run_gid = 'absent', + $allow_override = 'FileInfo', + $php_settings = {}, + $php_options = {}, + $template_partial = 'apache/vhosts/php/partial.erb', + $do_includes = false, + $options = 'absent', + $additional_options = 'absent', + $default_charset = 'absent', + $mod_security = true, + $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', + $ssl_mode = false, + $vhost_mode = 'template', + $vhost_source = 'absent', + $vhost_destination = 'absent', + $htpasswd_file = 'absent', + $htpasswd_path = 'absent' ){ - $documentroot = $path 
? { - 'absent' => $::operatingsystem ? { - openbsd => "/var/www/htdocs/${name}/www", - default => "/var/www/vhosts/${name}/www" - }, - default => "${path}/www" - } + $documentroot = $path ? { + 'absent' => $::operatingsystem ? { + openbsd => "/var/www/htdocs/${name}/www", + default => "/var/www/vhosts/${name}/www" + }, + default => "${path}/www" + } - # create vhost configuration file - ::apache::vhost::php::webapp{$name: - ensure => $ensure, - domain => $domain, - domainalias => $domainalias, - server_admin => $server_admin, - logmode => $logmode, - path => $path, - owner => $owner, - group => $group, - documentroot_owner => $documentroot_owner, - documentroot_group => $documentroot_group, - documentroot_mode => $documentroot_mode, - run_mode => $run_mode, - run_uid => $run_uid, - run_gid => $run_gid, - allow_override => $allow_override, - php_settings => $php_settings, - php_options => $php_options, - do_includes => $do_includes, - options => $options, - additional_options => $additional_options, - default_charset => $default_charset, - mod_security => $mod_security, - mod_security_relevantonly => $mod_security_relevantonly, - mod_security_rules_to_disable => $mod_security_rules_to_disable, - mod_security_additional_options=> $mod_security_additional_options, - ssl_mode => $ssl_mode, - vhost_mode => $vhost_mode, - template_partial => $template_partial, - vhost_source => $vhost_source, - vhost_destination => $vhost_destination, - htpasswd_file => $htpasswd_file, - htpasswd_path => $htpasswd_path, - managed_directories => [ - "${documentroot}/IMG", - "${documentroot}/tmp", - "${documentroot}/local", - "${documentroot}/config" - ], - manage_config => false, - } + # create vhost configuration file + ::apache::vhost::php::webapp{$name: + ensure => $ensure, + domain => $domain, + domainalias => $domainalias, + server_admin => $server_admin, + logmode => $logmode, + path => $path, + owner => $owner, + group => $group, + documentroot_owner => $documentroot_owner, + 
documentroot_group => $documentroot_group, + documentroot_mode => $documentroot_mode, + run_mode => $run_mode, + run_uid => $run_uid, + run_gid => $run_gid, + allow_override => $allow_override, + php_settings => $php_settings, + php_options => $php_options, + do_includes => $do_includes, + options => $options, + additional_options => $additional_options, + default_charset => $default_charset, + mod_security => $mod_security, + mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options => $mod_security_additional_options, + ssl_mode => $ssl_mode, + vhost_mode => $vhost_mode, + template_partial => $template_partial, + vhost_source => $vhost_source, + vhost_destination => $vhost_destination, + htpasswd_file => $htpasswd_file, + htpasswd_path => $htpasswd_path, + managed_directories => [ + "${documentroot}/IMG", + "${documentroot}/tmp", + "${documentroot}/local", + "${documentroot}/config" + ], + manage_config => false, + } } diff --git a/manifests/vhost/php/typo3.pp b/manifests/vhost/php/typo3.pp index a9f12d8..518f898 100644 --- a/manifests/vhost/php/typo3.pp +++ b/manifests/vhost/php/typo3.pp 
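Review bot: The spip parameter list on the new side still ends with `$htpasswd_path = 'absent'` and no trailing comma, while the silverstripe, simplemachine, typo3 and webapp defines touched by the same commit were changed to end with `$manage_directories = true,`; the wordpress hunk further down has the same gap (`$manage_directories = true` with no comma). Wordpress also keeps `$modsec_rules = ["960010", "950018"]` double-quoted where silverstripe and typo3 were switched to `['960010']`, and calls `apache::vhost::php::webapp{$name:` without the leading `::` that every other define here uses. Aligning these three points would let the files pass the same lint rules the rest of the commit is clearly aiming at.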
@@ -25,123 +25,124 @@ # - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null # - semianonym: Don't log ips for CustomLog, log normal ErrorLog define apache::vhost::php::typo3( - $ensure = present, - $domain = 'absent', - $domainalias = 'absent', - $server_admin = 'absent', - $logmode = 'default', - $path = 'absent', - $owner = root, - $group = apache, - $documentroot_owner = apache, - $documentroot_group = 0, - $documentroot_mode = 0640, - $run_mode = 'normal', - $run_uid = 'absent', - $run_gid = 'absent', - $allow_override = 'None', - $php_settings = {}, - $php_options = {}, - $do_includes = false, - $options = 'absent', - $additional_options = 'absent', - $default_charset = 'absent', - $mod_security = true, - $mod_security_relevantonly = true, - $mod_security_rules_to_disable = [], - $mod_security_additional_options = 'absent', - $ssl_mode = false, - $vhost_mode = 'template', - $template_partial = 'apache/vhosts/php_typo3/partial.erb', - $vhost_source = 'absent', - $vhost_destination = 'absent', - $htpasswd_file = 'absent', - $htpasswd_path = 'absent', - $manage_config = true, - $config_webwriteable = false, - $manage_directories = true + $ensure = present, + $domain = 'absent', + $domainalias = 'absent', + $server_admin = 'absent', + $logmode = 'default', + $path = 'absent', + $owner = root, + $group = apache, + $documentroot_owner = apache, + $documentroot_group = 0, + $documentroot_mode = '0640', + $run_mode = 'normal', + $run_uid = 'absent', + $run_gid = 'absent', + $allow_override = 'None', + $php_settings = {}, + $php_options = {}, + $do_includes = false, + $options = 'absent', + $additional_options = 'absent', + $default_charset = 'absent', + $mod_security = true, + $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', + $ssl_mode = false, + $vhost_mode = 'template', + $template_partial = 'apache/vhosts/php_typo3/partial.erb', + $vhost_source = 'absent', + $vhost_destination = 
'absent', + $htpasswd_file = 'absent', + $htpasswd_path = 'absent', + $manage_config = true, + $config_webwriteable = false, + $manage_directories = true, ){ - $documentroot = $path ? { - 'absent' => $::operatingsystem ? { - openbsd => "/var/www/htdocs/${name}/www", - default => "/var/www/vhosts/${name}/www" - }, - default => "${path}/www" - } + $documentroot = $path ? { + 'absent' => $::operatingsystem ? { + openbsd => "/var/www/htdocs/${name}/www", + default => "/var/www/vhosts/${name}/www" + }, + default => "${path}/www" + } - $modsec_rules = ["960010"] - $real_mod_security_rules_to_disable = array_union($mod_security_rules_to_disable,$modsec_rules) - if $mod_security_additional_options == 'absent' { - $real_mod_security_additional_options = ' - SecRuleEngine Off - SecAuditEngine Off + $modsec_rules = ['960010'] + $real_mod_security_rules_to_disable = array_union($mod_security_rules_to_disable,$modsec_rules) + if $mod_security_additional_options == 'absent' { + $real_mod_security_additional_options = ' + + SecRuleEngine Off + SecAuditEngine Off ' - } else { - $real_mod_security_additional_options = $mod_security_additional_options - } + } else { + $real_mod_security_additional_options = $mod_security_additional_options + } - $typo3_php_settings = { - # turn allow_url_fopen on for the extension manager fetch - allow_url_fopen => 'On' - } - $real_php_settings = merge($typo3_php_settings,$php_settings) + $typo3_php_settings = { + # turn allow_url_fopen on for the extension manager fetch + allow_url_fopen => 'On' + } + $real_php_settings = merge($typo3_php_settings,$php_settings) - # create vhost configuration file - ::apache::vhost::php::webapp{$name: - ensure => $ensure, - domain => $domain, - domainalias => $domainalias, - server_admin => $server_admin, - logmode => $logmode, - path => $path, - owner => $owner, - group => $group, - documentroot_owner => $documentroot_owner, - documentroot_group => $documentroot_group, - documentroot_mode => $documentroot_mode, - 
run_mode => $run_mode, - run_uid => $run_uid, - run_gid => $run_gid, - allow_override => $allow_override, - php_settings => $real_php_settings, - php_options => $php_options, - do_includes => $do_includes, - options => $options, - additional_options => $additional_options, - default_charset => $default_charset, - mod_security => $mod_security, - mod_security_relevantonly => $mod_security_relevantonly, - mod_security_rules_to_disable => $real_mod_security_rules_to_disable, - mod_security_additional_options => $real_mod_security_additional_options, - ssl_mode => $ssl_mode, - vhost_mode => $vhost_mode, - template_partial => $template_partial, - vhost_source => $vhost_source, - vhost_destination => $vhost_destination, - htpasswd_file => $htpasswd_file, - htpasswd_path => $htpasswd_path, - manage_directories => $manage_directories, - managed_directories => [ "${documentroot}/typo3temp", - "${documentroot}/typo3temp/pics", - "${documentroot}/typo3temp/temp", - "${documentroot}/typo3temp/llxml", - "${documentroot}/typo3temp/cs", - "${documentroot}/typo3temp/GB", - "${documentroot}/typo3temp/locks", - "${documentroot}/typo3conf", - "${documentroot}/typo3conf/ext", - "${documentroot}/typo3conf/l10n", - # "${documentroot}/typo3/ext/", # only needed for ext manager installing global extensions - "${documentroot}/uploads", - "${documentroot}/uploads/pics", - "${documentroot}/uploads/media", - "${documentroot}/uploads/tf", - "${documentroot}/fileadmin", - "${documentroot}/fileadmin/_temp_" - ], - manage_config => $manage_config, - } + # create vhost configuration file + ::apache::vhost::php::webapp{$name: + ensure => $ensure, + domain => $domain, + domainalias => $domainalias, + server_admin => $server_admin, + logmode => $logmode, + path => $path, + owner => $owner, + group => $group, + documentroot_owner => $documentroot_owner, + documentroot_group => $documentroot_group, + documentroot_mode => $documentroot_mode, + run_mode => $run_mode, + run_uid => $run_uid, + run_gid => 
$run_gid, + allow_override => $allow_override, + php_settings => $real_php_settings, + php_options => $php_options, + do_includes => $do_includes, + options => $options, + additional_options => $additional_options, + default_charset => $default_charset, + mod_security => $mod_security, + mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $real_mod_security_rules_to_disable, + mod_security_additional_options => $real_mod_security_additional_options, + ssl_mode => $ssl_mode, + vhost_mode => $vhost_mode, + template_partial => $template_partial, + vhost_source => $vhost_source, + vhost_destination => $vhost_destination, + htpasswd_file => $htpasswd_file, + htpasswd_path => $htpasswd_path, + manage_directories => $manage_directories, + managed_directories => [ "${documentroot}/typo3temp", + "${documentroot}/typo3temp/pics", + "${documentroot}/typo3temp/temp", + "${documentroot}/typo3temp/llxml", + "${documentroot}/typo3temp/cs", + "${documentroot}/typo3temp/GB", + "${documentroot}/typo3temp/locks", + "${documentroot}/typo3conf", + "${documentroot}/typo3conf/ext", + "${documentroot}/typo3conf/l10n", + # "${documentroot}/typo3/ext/", # only needed for ext manager installing global extensions + "${documentroot}/uploads", + "${documentroot}/uploads/pics", + "${documentroot}/uploads/media", + "${documentroot}/uploads/tf", + "${documentroot}/fileadmin", + "${documentroot}/fileadmin/_temp_" + ], + manage_config => $manage_config, + } } diff --git a/manifests/vhost/php/webapp.pp b/manifests/vhost/php/webapp.pp index 54905ca..1569260 100644 --- a/manifests/vhost/php/webapp.pp +++ b/manifests/vhost/php/webapp.pp 
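Review bot: The default for `$real_mod_security_additional_options` (new side, taken when `$mod_security_additional_options == 'absent'`) is a snippet containing `SecRuleEngine Off` and `SecAuditEngine Off`, so with the define's default `mod_security => true` both the rule engine and the audit log are switched off wherever the template emits that snippet, and no comment explains why. Please add the rationale above the assignment, e.g. `# default snippet turns the ModSecurity rule and audit engines off in the scope the template emits it; pass mod_security_additional_options to keep them on`. The quoted snippet also grew from three lines to four on the new side (the hunk header's net +1), with the extra line rendering as empty here; if it carried an angle-bracket directive in the committed file it was lost in this view, so please confirm what that line contains.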
@@ -25,124 +25,120 @@ # - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null # - semianonym: Don't log ips for CustomLog, log normal ErrorLog define apache::vhost::php::webapp( - $ensure = present, - $domain = 'absent', - $domainalias = 'absent', - $server_admin = 'absent', - $logmode = 'default', - $path = 'absent', - $manage_webdir = true, - $manage_docroot = true, - $owner = root, - $group = apache, - $documentroot_owner = apache, - $documentroot_group = 0, - $documentroot_mode = 0640, - $run_mode = 'normal', - $run_uid = 'absent', - $run_gid = 'absent', - $allow_override = 'None', - $php_settings = {}, - $php_options = {}, - $do_includes = false, - $options = 'absent', - $additional_options = 'absent', - $default_charset = 'absent', - $mod_security = true, - $mod_security_relevantonly = true, - $mod_security_rules_to_disable = [], - $mod_security_additional_options = 'absent', - $ssl_mode = false, - $vhost_mode = 'template', - $template_partial, - $vhost_source = 'absent', - $vhost_destination = 'absent', - $htpasswd_file = 'absent', - $htpasswd_path = 'absent', - $manage_config = true, - $config_file = 'absent', - $config_webwriteable = false, - $manage_directories = true, - $managed_directories = 'absent' + $ensure = present, + $domain = 'absent', + $domainalias = 'absent', + $server_admin = 'absent', + $logmode = 'default', + $path = 'absent', + $manage_webdir = true, + $manage_docroot = true, + $owner = root, + $group = apache, + $documentroot_owner = apache, + $documentroot_group = 0, + $documentroot_mode = '0640', + $run_mode = 'normal', + $run_uid = 'absent', + $run_gid = 'absent', + $allow_override = 'None', + $php_settings = {}, + $php_options = {}, + $do_includes = false, + $options = 'absent', + $additional_options = 'absent', + $default_charset = 'absent', + $mod_security = true, + $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', + $ssl_mode = false, + $vhost_mode = 
'template', + $template_partial, + $vhost_source = 'absent', + $vhost_destination = 'absent', + $htpasswd_file = 'absent', + $htpasswd_path = 'absent', + $manage_config = true, + $config_file = 'absent', + $config_webwriteable = false, + $manage_directories = true, + $managed_directories = 'absent', ){ - if ($ensure != 'absent') { - if $manage_directories and ($managed_directories != 'absent') { - ::apache::file::rw{ $managed_directories : - owner => $documentroot_owner, - group => $documentroot_group, - } - } + if ($ensure != 'absent') { + if $manage_directories and ($managed_directories != 'absent') { + ::apache::file::rw{ $managed_directories : + owner => $documentroot_owner, + group => $documentroot_group, + } + } - if $manage_config { - if $config_file == 'absent' { fail("No config file defined for ${name} on ${::fqdn}, if you'd like to manage the config, you have to add one!") } + if $manage_config { + if $config_file == 'absent' { fail("No config file defined for ${name} on ${::fqdn}, if you'd like to manage the config, you have to add one!") } - $real_path = $path ? { - 'absent' => $::operatingsystem ? { - openbsd => "/var/www/htdocs/${name}", - default => "/var/www/vhosts/${name}" - }, - default => $path - } - if $path_is_webdir { - $documentroot = $real_path - } else { - $documentroot = "${real_path}/www" - } - ::apache::vhost::file::documentrootfile{"configurationfile_${name}": - documentroot => $documentroot, - filename => $config_file, - thedomain => $name, - owner => $documentroot_owner, - group => $documentroot_group, - } - if $config_webwriteable { - Apache::Vhost::File::Documentrootfile["configurationfile_${name}"]{ - mode => 0660, - } - } else { - Apache::Vhost::File::Documentrootfile["configurationfile_${name}"]{ - mode => 0440, - } - } + $real_path = $path ? { + 'absent' => $::operatingsystem ? 
{ + openbsd => "/var/www/htdocs/${name}", + default => "/var/www/vhosts/${name}" + }, + default => $path + } + $documentroot = "${real_path}/www" + ::apache::vhost::file::documentrootfile{"configurationfile_${name}": + documentroot => $documentroot, + filename => $config_file, + thedomain => $name, + owner => $documentroot_owner, + group => $documentroot_group, + } + if $config_webwriteable { + Apache::Vhost::File::Documentrootfile["configurationfile_${name}"]{ + mode => '0660', } + } else { + Apache::Vhost::File::Documentrootfile["configurationfile_${name}"]{ + mode => '0440', + } + } } + } - # create vhost configuration file - ::apache::vhost::php::standard{$name: - ensure => $ensure, - domain => $domain, - domainalias => $domainalias, - server_admin => $server_admin, - logmode => $logmode, - path => $path, - manage_webdir => $manage_webdir, - manage_docroot => $manage_docroot, - owner => $owner, - group => $group, - documentroot_owner => $documentroot_owner, - documentroot_group => $documentroot_group, - documentroot_mode => $documentroot_mode, - run_mode => $run_mode, - run_uid => $run_uid, - run_gid => $run_gid, - allow_override => $allow_override, - php_settings => $php_settings, - php_options => $php_options, - do_includes => $do_includes, - options => $options, - additional_options => $additional_options, - default_charset => $default_charset, - mod_security => $mod_security, - mod_security_relevantonly => $mod_security_relevantonly, - mod_security_rules_to_disable => $mod_security_rules_to_disable, - mod_security_additional_options => $mod_security_additional_options, - ssl_mode => $ssl_mode, - vhost_mode => $vhost_mode, - template_partial => $template_partial, - vhost_source => $vhost_source, - vhost_destination => $vhost_destination, - htpasswd_file => $htpasswd_file, - htpasswd_path => $htpasswd_path, - } + # create vhost configuration file + ::apache::vhost::php::standard{$name: + ensure => $ensure, + domain => $domain, + domainalias => $domainalias, + 
server_admin => $server_admin, + logmode => $logmode, + path => $path, + manage_webdir => $manage_webdir, + manage_docroot => $manage_docroot, + owner => $owner, + group => $group, + documentroot_owner => $documentroot_owner, + documentroot_group => $documentroot_group, + documentroot_mode => $documentroot_mode, + run_mode => $run_mode, + run_uid => $run_uid, + run_gid => $run_gid, + allow_override => $allow_override, + php_settings => $php_settings, + php_options => $php_options, + do_includes => $do_includes, + options => $options, + additional_options => $additional_options, + default_charset => $default_charset, + mod_security => $mod_security, + mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options => $mod_security_additional_options, + ssl_mode => $ssl_mode, + vhost_mode => $vhost_mode, + template_partial => $template_partial, + vhost_source => $vhost_source, + vhost_destination => $vhost_destination, + htpasswd_file => $htpasswd_file, + htpasswd_path => $htpasswd_path, + } } diff --git a/manifests/vhost/php/wordpress.pp b/manifests/vhost/php/wordpress.pp index 7a41ad7..268f33e 100644 --- a/manifests/vhost/php/wordpress.pp +++ b/manifests/vhost/php/wordpress.pp 
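Review bot: `$config_webwriteable` on the new side switches the `Apache::Vhost::File::Documentrootfile["configurationfile_${name}"]` override between `mode => '0660'` and `mode => '0440'`, but neither the parameter list nor the header comment says that the `0660` branch makes the application's configuration file (callers in this commit pass `wp-config.php` and `Settings.php`, files that typically hold database credentials) group-writable for `$documentroot_group`. A short comment on the parameter would help, e.g. `# config_webwriteable: make config_file group-writable (0660) so a web installer can write it; set back to false once the install is done`. The replacement of the `$path_is_webdir` branch by `$documentroot = "${real_path}/www"` is what the commit intends, so it is not re-raised here.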
@@ -25,92 +25,92 @@ # - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null # - semianonym: Don't log ips for CustomLog, log normal ErrorLog define apache::vhost::php::wordpress( - $ensure = present, - $domain = 'absent', - $domainalias = 'absent', - $server_admin = 'absent', - $logmode = 'default', - $path = 'absent', - $owner = root, - $group = apache, - $documentroot_owner = apache, - $documentroot_group = 0, - $documentroot_mode = 0640, - $run_mode = 'normal', - $run_uid = 'absent', - $run_gid = 'absent', - $allow_override = 'FileInfo', - $php_settings = {}, - $php_options = {}, - $do_includes = false, - $options = 'absent', - $additional_options = 'absent', - $default_charset = 'absent', - $mod_security = true, - $mod_security_relevantonly = true, - $mod_security_rules_to_disable = [], - $mod_security_additional_options = 'absent', - $ssl_mode = false, - $vhost_mode = 'template', - $template_partial = 'apache/vhosts/php_wordpress/partial.erb', - $vhost_source = 'absent', - $vhost_destination = 'absent', - $htpasswd_file = 'absent', - $htpasswd_path = 'absent', - $manage_config = true, - $config_webwriteable = false, - $manage_directories = true + $ensure = present, + $domain = 'absent', + $domainalias = 'absent', + $server_admin = 'absent', + $logmode = 'default', + $path = 'absent', + $owner = root, + $group = apache, + $documentroot_owner = apache, + $documentroot_group = 0, + $documentroot_mode = '0640', + $run_mode = 'normal', + $run_uid = 'absent', + $run_gid = 'absent', + $allow_override = 'FileInfo', + $php_settings = {}, + $php_options = {}, + $do_includes = false, + $options = 'absent', + $additional_options = 'absent', + $default_charset = 'absent', + $mod_security = true, + $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', + $ssl_mode = false, + $vhost_mode = 'template', + $template_partial = 'apache/vhosts/php_wordpress/partial.erb', + $vhost_source = 'absent', + 
$vhost_destination = 'absent', + $htpasswd_file = 'absent', + $htpasswd_path = 'absent', + $manage_config = true, + $config_webwriteable = false, + $manage_directories = true ){ - $documentroot = $path ? { - 'absent' => $::operatingsystem ? { - openbsd => "/var/www/htdocs/${name}/www", - default => "/var/www/vhosts/${name}/www" - }, - default => "${path}/www" - } - $modsec_rules = ["960010", "950018"] - $real_mod_security_rules_to_disable = array_union($mod_security_rules_to_disable,$modsec_rules) + $documentroot = $path ? { + 'absent' => $::operatingsystem ? { + openbsd => "/var/www/htdocs/${name}/www", + default => "/var/www/vhosts/${name}/www" + }, + default => "${path}/www" + } + $modsec_rules = ["960010", "950018"] + $real_mod_security_rules_to_disable = array_union($mod_security_rules_to_disable,$modsec_rules) - # create vhost configuration file - apache::vhost::php::webapp{$name: - ensure => $ensure, - domain => $domain, - domainalias => $domainalias, - server_admin => $server_admin, - logmode => $logmode, - path => $path, - owner => $owner, - group => $group, - documentroot_owner => $documentroot_owner, - documentroot_group => $documentroot_group, - documentroot_mode => $documentroot_mode, - run_mode => $run_mode, - run_uid => $run_uid, - run_gid => $run_gid, - allow_override => $allow_override, - php_settings => $php_settings, - php_options => $php_options, - do_includes => $do_includes, - options => $options, - additional_options => $additional_options, - default_charset => $default_charset, - mod_security => $mod_security, - mod_security_relevantonly => $mod_security_relevantonly, - mod_security_rules_to_disable => $real_mod_security_rules_to_disable, - mod_security_additional_options => $mod_security_additional_options, - ssl_mode => $ssl_mode, - vhost_mode => $vhost_mode, - template_partial => $template_partial, - vhost_source => $vhost_source, - vhost_destination => $vhost_destination, - htpasswd_file => $htpasswd_file, - htpasswd_path => 
$htpasswd_path, - manage_directories => $manage_directories, - managed_directories => "${documentroot}/wp-content", - manage_config => $manage_config, - config_webwriteable => $config_webwriteable, - config_file => 'wp-config.php', - } + # create vhost configuration file + apache::vhost::php::webapp{$name: + ensure => $ensure, + domain => $domain, + domainalias => $domainalias, + server_admin => $server_admin, + logmode => $logmode, + path => $path, + owner => $owner, + group => $group, + documentroot_owner => $documentroot_owner, + documentroot_group => $documentroot_group, + documentroot_mode => $documentroot_mode, + run_mode => $run_mode, + run_uid => $run_uid, + run_gid => $run_gid, + allow_override => $allow_override, + php_settings => $php_settings, + php_options => $php_options, + do_includes => $do_includes, + options => $options, + additional_options => $additional_options, + default_charset => $default_charset, + mod_security => $mod_security, + mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $real_mod_security_rules_to_disable, + mod_security_additional_options => $mod_security_additional_options, + ssl_mode => $ssl_mode, + vhost_mode => $vhost_mode, + template_partial => $template_partial, + vhost_source => $vhost_source, + vhost_destination => $vhost_destination, + htpasswd_file => $htpasswd_file, + htpasswd_path => $htpasswd_path, + manage_directories => $manage_directories, + managed_directories => "${documentroot}/wp-content", + manage_config => $manage_config, + config_webwriteable => $config_webwriteable, + config_file => 'wp-config.php', + } } -- cgit v1.2.3 From 41d778fe47c20f2d4c37b4c3089d50fbac6535a3 Mon Sep 17 00:00:00 2001 
From: mh Date: Fri, 18 Apr 2014 10:58:56 +0200 Subject: address puppet 3.x deprecation warnings --- manifests/vhost/php/gallery2.pp | 77 +++++----------------- manifests/vhost/php/standard.pp | 45 ++++++++----- templates/vhosts/default.erb | 20 +++--- templates/vhosts/gitweb/partial.erb | 8 +-- templates/vhosts/itk_plus/partial.erb | 14 ++-- templates/vhosts/partials/authentication.erb | 6 +- templates/vhosts/partials/header_default.erb | 22 +++---- templates/vhosts/partials/logs.erb | 14 ++-- templates/vhosts/partials/mod_security.erb | 18 ++--- templates/vhosts/partials/php_settings.erb | 8 +-- templates/vhosts/partials/std_override_options.erb | 6 +- templates/vhosts/passenger/partial.erb | 8 +-- templates/vhosts/perl/partial.erb | 12 ++-- templates/vhosts/php/partial.erb | 2 +- templates/vhosts/php_drupal/partial.erb | 4 +- templates/vhosts/php_gallery2/partial.erb | 2 +- templates/vhosts/php_joomla/partial.erb | 10 +-- templates/vhosts/php_mediawiki/partial.erb | 2 +- templates/vhosts/php_silverstripe/partial.erb | 6 +- templates/vhosts/php_typo3/partial.erb | 2 +- templates/vhosts/php_wordpress/partial.erb | 2 +- templates/vhosts/proxy/partial.erb | 4 +- templates/vhosts/redirect/partial.erb | 2 +- templates/vhosts/static/partial.erb | 2 +- templates/vhosts/webdav/partial.erb | 10 +-- 25 files changed, 134 insertions(+), 172 deletions(-)
diff --git a/manifests/vhost/php/gallery2.pp b/manifests/vhost/php/gallery2.pp
index d2f2e6a..78d5256 100644
--- a/manifests/vhost/php/gallery2.pp
+++ b/manifests/vhost/php/gallery2.pp
@@ -66,7 +66,6 @@ define apache::vhost::php::gallery2(
 $manage_config = true,
 $config_webwriteable = false,
 $manage_directories = true,
- $upload_dir = 'present'
 ){
 $documentroot = $path ? {
 'absent' => $::operatingsystem ? {
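Review bot: Dropping `$upload_dir = 'present'` from the parameter list changes the define's interface, so any existing `apache::vhost::php::gallery2 { ...: upload_dir => ... }` declaration will now fail to compile rather than degrade gracefully. If the parameter is meant to go away, keeping it as `$upload_dir = undef, # deprecated: ignored, the upload dir now lives under the vhost data dir` (optionally with a `warning()` when it is set) keeps old manifests working until they are cleaned up. The define starts before this hunk and its body continues in the next one.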
@@ -75,73 +74,27 @@ define apache::vhost::php::gallery2( }, default => "${path}/www" } - $gdatadir = $path ? { - 'absent' => $::operatingsystem ? { - openbsd => "/var/www/htdocs/${name}/g2data", - default => "/var/www/vhosts/${name}/g2data" - }, - default => "${path}/g2data" - } - if ($upload_dir == 'present') or ($upload_dir == 'absent') { - $real_upload_dir = $::operatingsystem ? { - openbsd => "/var/www/htdocs/${name}/upload", - default => "/var/www/vhosts/${name}/upload" - } - } else { - $real_upload_dir = $upload_dir - } - $ensure_dir = $ensure ? { - 'present' => directory, - default => absent - } - file{ - $gdatadir: - ensure => $ensure_dir, - owner => $documentroot_owner, - group => $documentroot_group, - mode => '0660'; - $real_upload_dir: - owner => $documentroot_owner, - group => $documentroot_group, - mode => '0660'; - } - if ($ensure == 'absent') or ($upload_dir == 'absent') { - File[$real_upload_dir]{ - ensure => absent, - purge => true, - force => true, - recurse => true - } - } else { - File[$real_upload_dir]{ - ensure => directory + $upload_dir = "/var/www/vhosts/${name}/data/upload" + $gdata_dir = "/var/www/vhosts/${name}/data/gdata" + if $ensure != 'absent' { + file{ + $gdata_dir: + ensure => 'directory', + owner => $documentroot_owner, + group => $documentroot_group, + mode => '0660'; + $upload_dir: + ensure => 'directory', + owner => $documentroot_owner, + group => $documentroot_group, + mode => '0660'; } } $gallery_php_settings = { - safe_mode => 'Off', + safe_mode => 'Off', output_buffering => 'Off', } - - # php upload_tmp_dir - case $php_settings[upload_tmp_dir] { - '',undef: { - $php_settings[upload_tmp_dir] = "/var/www/upload_tmp_dir/${name}" - } - } - # php session_save_path - case $php_settings['session.save_path'] { - '',undef: { - $php_settings['session.save_path'] = "/var/www/session.save_path/${name}" - } - } - - if $upload_dir != 'absent' { - $gallery_php_settings[open_basedir] = 
"${documentroot}:${php_settings[upload_tmp_dir]}:${php_settings['session.save_path']}:${gdatadir}:${real_upload_dir}" - } else { - $gallery_php_settings[open_basedir] = "${documentroot}:${php_settings[upload_tmp_dir]}:${php_settings['session.save_path']}:${gdatadir}" - } - $real_php_settings = merge($gallery_php_settings,$php_settings) # create vhost configuration file diff --git a/manifests/vhost/php/standard.pp b/manifests/vhost/php/standard.pp index 160f638..c34e339 100644 --- a/manifests/vhost/php/standard.pp +++ b/manifests/vhost/php/standard.pp @@ -116,19 +116,15 @@ define apache::vhost::php::standard( $pear_path = '' } - - $std_php_settings = { - engine => 'On', - upload_tmp_dir => "/var/www/upload_tmp_dir/${name}", - 'session.save_path' => "/var/www/session.save_path/${name}", - open_basedir => "${smarty_path}${pear_path}${documentroot}:${real_path}/data:/var/www/upload_tmp_dir/${name}:/var/www/session.save_path/${name}", - safe_mode => 'On' - } if $logmode != 'nologs' { - $std_php_settings[error_log] = "${logdir}/php_error_log" + $php_error_log = "${logdir}/php_error_log" + } else { + $php_error_log = undef } if $run_mode == 'fcgid' { - $std_php_settings[safe_mode_gid] = 'On' + $safe_mode_gid = 'On' + } else { + $safe_mode_gid = undef } if has_key($php_settings,'safe_mode_exec_dir') { @@ -148,7 +144,7 @@ define apache::vhost::php::standard( purge => true, } if has_key($php_options,'safe_mode_exec_bins') { - $std_php_settings[safe_mode_exec_dir] = $php_safe_mode_exec_dir + $std_php_settings_safe_mode_exec_dir = $php_safe_mode_exec_dir $ensure_exec = $ensure ? { 'present' => directory, default => 'absent', 
@@ -165,19 +161,32 @@ define apache::vhost::php::standard( ensure => $ensure, path => $php_safe_mode_exec_dir; } - }else{ + } else { + $std_php_settings_safe_mode_exec_dir = undef File[$php_safe_mode_exec_dir]{ ensure => absent, } } - if !has_key($php_settings,'default_charset') { - if $default_charset != 'absent' { - $std_php_settings[default_charset] = $default_charset ? { - 'On' => 'iso-8859-1', - default => $default_charset - } + if !has_key($php_settings,'default_charset') and ($default_charset != 'absent') { + $std_php_settings_default_charset = $default_charset ? { + 'On' => 'iso-8859-1', + default => $default_charset } + } else { + $std_php_settings_default_charset = undef + } + + $std_php_settings = { + engine => 'On', + upload_tmp_dir => "/var/www/upload_tmp_dir/${name}", + 'session.save_path' => "/var/www/session.save_path/${name}", + open_basedir => "${smarty_path}${pear_path}${documentroot}:${real_path}/data:/var/www/upload_tmp_dir/${name}:/var/www/session.save_path/${name}", + safe_mode => 'On', + error_log => $php_error_log, + safe_mode_gid => $safe_mode_gid, + safe_mode_exec_dir => $std_php_settings_safe_mode_exec_dir, + default_charset => $std_php_settings_default_charset, } $real_php_settings = merge($std_php_settings,$php_settings) diff --git a/templates/vhosts/default.erb b/templates/vhosts/default.erb index e4bbd4f..bf6485c 100644 --- a/templates/vhosts/default.erb +++ b/templates/vhosts/default.erb @@ -1,5 +1,5 @@ <% -vhost_parts = case ssl_mode +vhost_parts = case @ssl_mode when 'only' then [:ssl] when false,'false' then [:normal] else [:normal,:ssl] 
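Review bot: `$std_php_settings` now carries `undef` values for `error_log`, `safe_mode_gid`, `safe_mode_exec_dir` and `default_charset`, and `merge($std_php_settings,$php_settings)` keeps those keys in `$real_php_settings`; the non-fcgid rendering path is covered by the `php_settings.erb` change in this same commit (it now rejects `nil`/`:undef`), but in `fcgid` mode the same hash is presumably consumed by the fcgid starter template, which is not touched here. If that template does not apply the same filter, a `nologs` vhost would get an empty `error_log` setting and the fcgid-only keys an empty value, which is a behaviour change relative to the old code that only added keys when set. Suggest a comment above the hash, `# keys may be undef on purpose; every template consuming $real_php_settings must skip nil/:undef values`, and confirming the starter template does so.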
@@ -13,30 +13,30 @@ vhost_parts.each do |vhost_part| -%> <% if run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%> - AssignUserId <%= run_uid+" "+run_gid %> + AssignUserId <%= "#{@run_uid} #{@run_gid}" %> <% elsif run_mode.to_s == 'fcgid' -%> - SuexecUserGroup <%= run_uid+" "+run_gid %> + SuexecUserGroup <%= "#{@run_uid} #{@run_gid}" %> FcgidMaxRequestsPerProcess 5000 - FCGIWrapper /var/www/mod_fcgid-starters/<%= name %>/<%= name %>-starter .<%= passing_extension %> - AddHandler fcgid-script .<%= passing_extension %> + FCGIWrapper /var/www/mod_fcgid-starters/<%= @name %>/<%= @name %>-starter .<%= @passing_extension %> + AddHandler fcgid-script .<%= @passing_extension %> <% end -%> -<% if ssl_mode == 'force' && vhost_part == :normal -%> +<% if @ssl_mode == 'force' && vhost_part == :normal -%> RewriteEngine On RewriteCond %{HTTPS} !=on RewriteCond %{HTTP:X-Forwarded-Proto} !=https RewriteRule (.*) https://%{SERVER_NAME}$1 [R=permanent,L] <% end -%> -<%= scope.function_templatewlv([template_partial, {'vhost_part' => vhost_part } ]) %> -<% unless template_partial == 'apache/vhosts/itk_plus/partial.erb' -%> +<%= scope.function_templatewlv([@template_partial, {'vhost_part' => vhost_part } ]) %> +<% unless @template_partial == 'apache/vhosts/itk_plus/partial.erb' -%> <%= scope.function_template(['apache/vhosts/partials/mod_security.erb']) %> <% end -%> -<% unless additional_options.to_s == 'absent' -%> - <%= additional_options %> +<% unless @additional_options.to_s == 'absent' -%> + <%= @additional_options %> <% end -%> <% end -%> diff --git a/templates/vhosts/gitweb/partial.erb b/templates/vhosts/gitweb/partial.erb index 35c574e..d7765bf 100644 --- a/templates/vhosts/gitweb/partial.erb +++ b/templates/vhosts/gitweb/partial.erb 
@@ -1,8 +1,8 @@ - SetEnv GITWEB_CONFIG <%= gitweb_config %> + SetEnv GITWEB_CONFIG <%= @gitweb_config %> DirectoryIndex gitweb.cgi - /"> -<% if options.to_s != 'absent' || do_includes.to_s == 'true'-%> - Options <% unless options.to_s == 'absent' -%><%= options %><% end -%><% if do_includes.to_s == 'true' && !options.include?('+Includes') -%> +Includes<% end -%><% unless options.include?('+ExecCGI') -%> +ExecCGI<% end -%> + /"> +<% if @options.to_s != 'absent' || @do_includes.to_s == 'true'-%> + Options <% unless @options.to_s == 'absent' -%><%= @options %><% end -%><% if @do_includes.to_s == 'true' && !@options.include?('+Includes') -%> +Includes<% end -%><% unless @options.include?('+ExecCGI') -%> +ExecCGI<% end -%> <% end -%> AddHandler cgi-script .cgi diff --git a/templates/vhosts/itk_plus/partial.erb b/templates/vhosts/itk_plus/partial.erb index 39aa6c8..78e8d27 100644 --- a/templates/vhosts/itk_plus/partial.erb +++ b/templates/vhosts/itk_plus/partial.erb 
@@ -4,25 +4,25 @@ <% if vhost_part == :ssl -%> SSLProxyEngine On <% if run_mode.to_s == 'static-itk' -%> - ProxyPassMatch ^/(.*\.<%= passing_extension %>/?.*)$ https://127.0.0.1/$1 + ProxyPassMatch ^/(.*\.<%= @passing_extension %>/?.*)$ https://127.0.0.1/$1 <% else -%> ProxyPass / https://127.0.0.1/ <% end -%> ProxyPassReverse / https://127.0.0.1/ <% else -%> <% if run_mode.to_s == 'static-itk' -%> - ProxyPassMatch ^/(.*\.<%= passing_extension %>/?.*)$ http://127.0.0.1/$1 + ProxyPassMatch ^/(.*\.<%= @passing_extension %>/?.*)$ http://127.0.0.1/$1 <% else -%> ProxyPass / http://127.0.0.1/ <% end -%> ProxyPassReverse / http://127.0.0.1/ <% end -%> -<% if run_mode.to_s == 'static-itk' && (ssl_mode.to_s != 'force' || vhost_part == :ssl) -%> - /"> - AllowOverride <%= allow_override %> -<% if options.to_s != 'absent' or do_includes.to_s == 'true' -%> - Options <% unless options.to_s == 'absent' -%><%= options %><% end -%><% if do_includes.to_s == 'true' and not options.include?('+Includes') -%> +Includes<% end -%> +<% if @run_mode.to_s == 'static-itk' && (@ssl_mode.to_s != 'force' || vhost_part == :ssl) -%> + /"> + AllowOverride <%= @allow_override %> +<% if @options.to_s != 'absent' || @do_includes.to_s == 'true' -%> + Options <% unless @options.to_s == 'absent' -%><%= @options %><% end -%><% if @do_includes.to_s == 'true' && !@options.include?('+Includes') -%> +Includes<% end -%> <% end -%> <%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %> diff --git a/templates/vhosts/partials/authentication.erb b/templates/vhosts/partials/authentication.erb index bf43a58..ed83221 100644 --- a/templates/vhosts/partials/authentication.erb +++ b/templates/vhosts/partials/authentication.erb 
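Review bot: Two context lines in this hunk, `<% if run_mode.to_s == 'static-itk' -%>` (once in the `:ssl` branch and once in the plain branch), still read the bare local `run_mode` while the same variable is converted to `@run_mode` a few lines further down; these keep emitting the Puppet 3.x deprecation warning the commit sets out to remove, and under the stricter template scoping of later Puppet releases they would stop resolving, in which case the `static-itk` `ProxyPassMatch` (which only forwards `.<%= @passing_extension %>` requests) would silently fall through to the unconditional `ProxyPass / http://127.0.0.1/`. Change both to `<% if @run_mode.to_s == 'static-itk' -%>`.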
@@ -1,6 +1,6 @@ -<% unless htpasswd_file.to_s == 'absent' -%> +<% unless @htpasswd_file.to_s == 'absent' -%> AuthType Basic - AuthName "Access fuer <%= servername %>" - AuthUserFile <%= real_htpasswd_path %> + AuthName "Access fuer <%= @servername %>" + AuthUserFile <%= @real_htpasswd_path %> require valid-user <% end -%> diff --git a/templates/vhosts/partials/header_default.erb b/templates/vhosts/partials/header_default.erb index 398b0ce..dbba367 100644 --- a/templates/vhosts/partials/header_default.erb +++ b/templates/vhosts/partials/header_default.erb @@ -2,19 +2,19 @@ <% if vhost_part == :ssl -%> Include include.d/ssl_defaults.inc <% end -%> - ServerName <%= servername %> -<% unless serveralias.empty? || (serveralias == 'absent') -%> - ServerAlias <%= Array(serveralias).join(' ') %> + ServerName <%= @servername %> +<% unless @serveralias.empty? || (@serveralias == 'absent') -%> + ServerAlias <%= Array(@serveralias).join(' ') %> <% end -%> -<% unless server_admin.empty? || (server_admin == 'absent') -%> - ServerAdmin <%= server_admin %> +<% unless @server_admin.empty? || (@server_admin == 'absent') -%> + ServerAdmin <%= @server_admin %> <% end -%> -<% unless documentroot == 'really_absent' -%> - DocumentRoot <%= documentroot %>/ +<% unless @documentroot == 'really_absent' -%> + DocumentRoot <%= @documentroot %>/ <% end -%> -<% if default_charset != 'absent' -%> - AddDefaultCharset <%= default_charset %> +<% if @default_charset != 'absent' -%> + AddDefaultCharset <%= @default_charset %> <% end -%> -<% if passing_extension != 'absent' -%> - DirectoryIndex index.htm index.html index.<%= passing_extension %> +<% if @passing_extension != 'absent' -%> + DirectoryIndex index.htm index.html index.<%= @passing_extension %> <% end -%> diff --git a/templates/vhosts/partials/logs.erb b/templates/vhosts/partials/logs.erb index 98c834d..136508f 100644 --- a/templates/vhosts/partials/logs.erb +++ b/templates/vhosts/partials/logs.erb 
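Review bot: `@serveralias.empty?` and `@server_admin.empty?` in the header partial call `empty?` on the raw value, which raises `NoMethodError` if an undef value ever reaches the template, whereas the rest of this commit consistently guards with `.to_s` before comparing; `<% unless @serveralias.to_s.empty? || (@serveralias == 'absent') -%>` (and the same for `@server_admin`) keeps the rendering uniform and tolerant of undef. Whether undef can arrive here depends on the manifest defaults, which are outside this hunk.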
@@ -1,18 +1,18 @@ -<% case logmode.to_s +<% case @logmode.to_s when 'nologs' -%> ErrorLog /dev/null CustomLog /dev/null <% when 'noaccess' -%> - ErrorLog <%= logdir %>/<%= logprefix %>error_log + ErrorLog <%= @logdir %>/<%= @logprefix %>error_log CustomLog /dev/null noip <% when 'semianonym' -%> - ErrorLog <%= logdir %>/<%= logprefix %>error_log - CustomLog <%= logdir %>/<%= logprefix %>access_log noip + ErrorLog <%= @logdir %>/<%= @logprefix %>error_log + CustomLog <%= @logdir %>/<%= @logprefix %>access_log noip <% when 'anonym' -%> ErrorLog /dev/null - CustomLog <%= logdir %>/<%= logprefix %>access_log noip + CustomLog <%= @logdir %>/<%= @logprefix %>access_log noip <% else -%> - ErrorLog <%= logdir %>/<%= logprefix %>error_log - CustomLog <%= logdir %>/<%= logprefix %>access_log combined + ErrorLog <%= @logdir %>/<%= @logprefix %>error_log + CustomLog <%= @logdir %>/<%= @logprefix %>access_log combined <% end -%> diff --git a/templates/vhosts/partials/mod_security.erb b/templates/vhosts/partials/mod_security.erb index f0602d8..380e78f 100644 --- a/templates/vhosts/partials/mod_security.erb +++ b/templates/vhosts/partials/mod_security.erb @@ -1,7 +1,7 @@ -<% if mod_security.to_s == 'true' -%> +<% if @mod_security.to_s == 'true' -%> SecRuleEngine On -<% if mod_security_relevantonly.to_s == 'true' -%> +<% if @mod_security_relevantonly.to_s == 'true' -%> SecAuditEngine RelevantOnly <% else -%> SecAuditEngine On 
@@ -11,17 +11,17 @@ SecAuditEngine Off <% end -%> SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log -<% unless mod_security_rules_to_disable.to_a.empty? -%> + SecAuditLogStorageDir <%= @logdir %>/ + SecAuditLog <%= @logdir %>/mod_security_audit.log + SecDebugLog <%= @logdir %>/mod_security_debug.log +<% unless (disabled_rules=Array(@mod_security_rules_to_disable)).empty? -%> -<% mod_security_rules_to_disable.to_a.each do |rule| -%> +<% disabled_rules.each do |rule| -%> SecRuleRemoveById "<%= rule %>" <% end -%> <% end -%> -<% unless mod_security_additional_options.to_s == 'absent' -%> +<% unless (s=@mod_security_additional_options).to_s == 'absent' -%> - <%= mod_security_additional_options %> + <%= s %> <% end -%> diff --git a/templates/vhosts/partials/php_settings.erb b/templates/vhosts/partials/php_settings.erb index fe55967..74f6ecf 100644 --- a/templates/vhosts/partials/php_settings.erb +++ b/templates/vhosts/partials/php_settings.erb @@ -1,6 +1,6 @@ -<% if run_mode != 'fcgid' - php_settings.reject{|k,v| v == :undef }.keys.sort.each do |key| - dvalue = php_settings[key].to_s.downcase +<% if @run_mode != 'fcgid' + @php_settings.reject{|k,v| (v == :undef) || v.nil? }.keys.sort.each do |key| + dvalue = @php_settings[key].to_s.downcase munged_value = if dvalue == 'true' 'on' elsif dvalue == 'false' @@ -8,7 +8,7 @@ elsif ['on','off'].include?(dvalue) dvalue else - php_settings[key] + @php_settings[key] end if ['on','off' ].include?(munged_value) -%> diff --git a/templates/vhosts/partials/std_override_options.erb b/templates/vhosts/partials/std_override_options.erb index f35354d..6d8b74f 100644 --- a/templates/vhosts/partials/std_override_options.erb +++ b/templates/vhosts/partials/std_override_options.erb 
@@ -1,4 +1,4 @@ - AllowOverride <%= allow_override %> -<% if options.to_s != 'absent' || do_includes.to_s == 'true' || run_mode == 'fcgid' -%> - Options <%- unless options.to_s == 'absent' then -%><%= options %><% end -%><% if do_includes.to_s == 'true' && !options.include?('+Includes') -%> +Includes<% end -%><% if run_mode == 'fcgid' && !options.include?('+ExecCGI') -%> +ExecCGI<% end -%> + AllowOverride <%= @allow_override %> +<% if @options.to_s != 'absent' || @do_includes.to_s == 'true' || @run_mode == 'fcgid' -%> + Options <%- unless @options.to_s == 'absent' -%><%= @options %><% end -%><% if @do_includes.to_s == 'true' && !@options.include?('+Includes') -%> +Includes<% end -%><% if @run_mode == 'fcgid' && !@options.include?('+ExecCGI') -%> +ExecCGI<% end -%> <% end -%> diff --git a/templates/vhosts/passenger/partial.erb b/templates/vhosts/passenger/partial.erb index 2f4a068..c3b63f5 100644 --- a/templates/vhosts/passenger/partial.erb +++ b/templates/vhosts/passenger/partial.erb @@ -1,7 +1,7 @@ - SetEnv GEM_HOME <%= gempath %> - /> - AllowOverride <%= allow_override %> - Options <%- unless options.to_s == 'absent' -%><%= options %><%- end -%><%- unless !options.to_s.include?('MultiViews') -%>-MultiViews<%- end -%> + SetEnv GEM_HOME <%= @gempath %> + /> + AllowOverride <%= @allow_override %> + Options <%- unless @options.to_s == 'absent' -%><%= @options %><%- end -%><%- unless !@options.to_s.include?('MultiViews') -%>-MultiViews<%- end -%> <%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %> diff --git a/templates/vhosts/perl/partial.erb b/templates/vhosts/perl/partial.erb index 888c268..7ed3e71 100644 --- a/templates/vhosts/perl/partial.erb +++ b/templates/vhosts/perl/partial.erb 
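Review bot: The double negative on the passenger `Options` line, `<%- unless !@options.to_s.include?('MultiViews') -%>-MultiViews<%- end -%>`, appends `-MultiViews` only when `@options` already mentions MultiViews and leaves it untouched in the common case where `@options` says nothing about it; if the intent (as the `-MultiViews` literal suggests) is to disable MultiViews unless the caller configured it explicitly, the condition is inverted. There is also no separator between `<%= @options %>` and `-MultiViews`, so when both render the line becomes e.g. `Options +MultiViews-MultiViews`, which Apache rejects as an unknown option. `<%- unless @options.to_s.include?('MultiViews') -%> -MultiViews<%- end -%>` addresses both; the logic predates this commit but the line is rewritten here.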
@@ -1,15 +1,15 @@ - /"> + /"> <%= scope.function_template(['apache/vhosts/partials/std_override_options.erb']) %> <%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %> -<% unless htpasswd_file.to_s == 'absent' -%> - /"> +<% unless @htpasswd_file.to_s == 'absent' -%> + /"> AuthType Basic - AuthName "Access fuer <%= servername %>" - AuthUserFile <%= real_htpasswd_path %> + AuthName "Access fuer <%= @servername %>" + AuthUserFile <%= @real_htpasswd_path %> require valid-user <% end -%> - ScriptAlias /cgi-bin/ <%= cgi_binpath %>/ + ScriptAlias /cgi-bin/ <%= @cgi_binpath %>/ diff --git a/templates/vhosts/php/partial.erb b/templates/vhosts/php/partial.erb index 1c75d48..82df269 100644 --- a/templates/vhosts/php/partial.erb +++ b/templates/vhosts/php/partial.erb @@ -1,4 +1,4 @@ - /"> + /"> <%= scope.function_template(['apache/vhosts/partials/std_override_options.erb']) %> <%= scope.function_template(['apache/vhosts/partials/php_settings.erb']) %> diff --git a/templates/vhosts/php_drupal/partial.erb b/templates/vhosts/php_drupal/partial.erb index 959e9d1..2c5f562 100644 --- a/templates/vhosts/php_drupal/partial.erb +++ b/templates/vhosts/php_drupal/partial.erb @@ -1,4 +1,4 @@ - /"> + /"> <%= scope.function_template(['apache/vhosts/partials/std_override_options.erb']) %> <%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %> @@ -18,7 +18,7 @@ RewriteCond %{REQUEST_FILENAME} !-d RewriteRule ^(.*)$ index.php?q=$1 [L,QSA] - /files/"> + /files/"> SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006 Options None Options +FollowSymLinks diff --git a/templates/vhosts/php_gallery2/partial.erb b/templates/vhosts/php_gallery2/partial.erb index e17f0ec..000f969 100644 --- a/templates/vhosts/php_gallery2/partial.erb +++ b/templates/vhosts/php_gallery2/partial.erb 
@@ -1,4 +1,4 @@ - /"> + /"> <%= scope.function_template(['apache/vhosts/partials/std_override_options.erb']) %> <%= scope.function_template(['apache/vhosts/partials/php_settings.erb']) %> diff --git a/templates/vhosts/php_joomla/partial.erb b/templates/vhosts/php_joomla/partial.erb index 64e73a9..5a0f720 100644 --- a/templates/vhosts/php_joomla/partial.erb +++ b/templates/vhosts/php_joomla/partial.erb @@ -1,4 +1,4 @@ - /"> + /"> <%= scope.function_template(['apache/vhosts/partials/std_override_options.erb']) %> <%= scope.function_template(['apache/vhosts/partials/php_settings.erb']) %> @@ -8,7 +8,7 @@ Include include.d/joomla.inc - /administrator/"> + /administrator/"> RewriteEngine on # Rewrite URLs to https that go for the admin area @@ -20,13 +20,13 @@ # Deny various directories that # shouldn't be webaccessible - /tmp/"> + /tmp/"> Deny From All - /logs/"> + /logs/"> Deny From All - /cli/"> + /cli/"> Deny From All diff --git a/templates/vhosts/php_mediawiki/partial.erb b/templates/vhosts/php_mediawiki/partial.erb index 4a37aec..1ed6ee3 100644 --- a/templates/vhosts/php_mediawiki/partial.erb +++ b/templates/vhosts/php_mediawiki/partial.erb @@ -1,4 +1,4 @@ -<% if run_mode == 'fcgid' -%> +<% if @run_mode == 'fcgid' -%> RewriteEngine On RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-d diff --git a/templates/vhosts/php_silverstripe/partial.erb b/templates/vhosts/php_silverstripe/partial.erb index b57fd1e..8fb87e4 100644 --- a/templates/vhosts/php_silverstripe/partial.erb +++ b/templates/vhosts/php_silverstripe/partial.erb 
@@ -2,10 +2,10 @@ RewriteEngine On RewriteCond %{HTTPS} !=on RewriteCond %{HTTP:X-Forwarded-Proto} !=https - RewriteRule /admin(.*) https://<%= servername %>/admin$1 [L,R,NE] - RewriteRule /Security(.*) https://<%= servername %>/Security$1 [L,R,NE] + RewriteRule /admin(.*) https://%{HTTP_HOST}/admin$1 [L,R,NE] + RewriteRule /Security(.*) https://%{HTTP_HOST}/Security$1 [L,R,NE] - /"> + /"> <%= scope.function_template(['apache/vhosts/partials/std_override_options.erb']) %> diff --git a/templates/vhosts/php_typo3/partial.erb b/templates/vhosts/php_typo3/partial.erb index 89f2f60..edb2966 100644 --- a/templates/vhosts/php_typo3/partial.erb +++ b/templates/vhosts/php_typo3/partial.erb @@ -1,5 +1,5 @@ <%= scope.function_template(['apache/vhosts/php/partial.erb']) %> - /typo3/"> + /typo3/"> RewriteEngine on # Rewrite URLs to https that go for the admin area diff --git a/templates/vhosts/php_wordpress/partial.erb b/templates/vhosts/php_wordpress/partial.erb index 00e1fcd..42f3cb5 100644 --- a/templates/vhosts/php_wordpress/partial.erb +++ b/templates/vhosts/php_wordpress/partial.erb @@ -1,6 +1,6 @@ <%= scope.function_template(['apache/vhosts/php/partial.erb']) %> # fixes: http://git.zx2c4.com/w3-total-fail/tree/w3-total-fail.sh - /wp-content/w3tc/dbcache"> + /wp-content/w3tc/dbcache"> Deny From All diff --git a/templates/vhosts/proxy/partial.erb b/templates/vhosts/proxy/partial.erb index ec84dd4..0eecf82 100644 --- a/templates/vhosts/proxy/partial.erb +++ b/templates/vhosts/proxy/partial.erb @@ -4,5 +4,5 @@ <%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %> ProxyRequests Off - ProxyPass / <%= options %>/ - ProxyPassReverse / <%= options %>/ + ProxyPass / <%= @options %>/ + ProxyPassReverse / <%= @options %>/ diff --git a/templates/vhosts/redirect/partial.erb b/templates/vhosts/redirect/partial.erb index f6b76e6..c8d7d11 100644 --- a/templates/vhosts/redirect/partial.erb +++ b/templates/vhosts/redirect/partial.erb 
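Review bot: The new redirect targets `https://%{HTTP_HOST}/admin$1` and `https://%{HTTP_HOST}/Security$1` reflect the client-supplied `Host:` header into the `Location` header, whereas the replaced `https://<%= servername %>` pinned the redirect to the configured name; if this vhost is the server's default/catch-all, a request with an arbitrary `Host:` is redirected off-site on the admin login path (host-header injection / open redirect). `%{SERVER_NAME}`, as used by the force-ssl rule in `default.erb` in this same commit, is only safe with `UseCanonicalName On`, so either keep `https://<%= @servername %>/admin$1 [L,R,NE]` or set `UseCanonicalName On` for the vhost. The `/admin(.*)` pattern is also unanchored, so any path containing `/admin` (e.g. `/blog/administration`) is redirected to a mangled `/admin...` URL; `^/admin(.*)` limits it to the admin area.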
@@ -1 +1 @@ - Redirect permanent / https://<%= options %> + Redirect permanent / https://<%= @options %> diff --git a/templates/vhosts/static/partial.erb b/templates/vhosts/static/partial.erb index 3b40a96..ae8743f 100644 --- a/templates/vhosts/static/partial.erb +++ b/templates/vhosts/static/partial.erb @@ -1,4 +1,4 @@ - /"> + /"> <%= scope.function_template(['apache/vhosts/partials/std_override_options.erb']) %> <%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %> diff --git a/templates/vhosts/webdav/partial.erb b/templates/vhosts/webdav/partial.erb index b97e128..09ce632 100644 --- a/templates/vhosts/webdav/partial.erb +++ b/templates/vhosts/webdav/partial.erb @@ -1,16 +1,16 @@ - DAVLockDB <%= real_dav_db_dir %>/DAVLock - /"> + DAVLockDB <%= @real_dav_db_dir %>/DAVLock + /"> Dav on AllowOverride None -<% if options.to_s != 'absent' or do_includes.to_s == 'true' -%> - Options <%- unless options.to_s == 'absent' -%><%= options %><%- end -%><%- unless options.include?('Indexes') -%> Indexes<%- end -%> +<% if @options.to_s != 'absent' || @do_includes.to_s == 'true' -%> + Options <% unless @options.to_s == 'absent' -%><%= @options %><% end -%><% unless @options.include?('Indexes') -%> Indexes<%- end -%> <% else -%> Options Indexes <% end -%> <%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %> -<% if ldap_auth.to_s == 'true' then -%> +<% if @ldap_auth.to_s == 'true' then -%> Include include.d/ldap_auth.inc <% unless ldap_user.to_s == 'any' -%> Require ldap-user <%= ldap_user.to_s %> -- cgit v1.2.3 From 714d84fe978f1852c650756e1f044ffb5a7aff82 Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 18 Apr 2014 11:26:03 +0200 Subject: fix another deprecation warning --- templates/vhosts/default.erb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/vhosts/default.erb b/templates/vhosts/default.erb index bf6485c..79e713d 100644 --- a/templates/vhosts/default.erb +++ b/templates/vhosts/default.erb 
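Review bot: The last two lines of the webdav hunk, `<% unless ldap_user.to_s == 'any' -%>` and `Require ldap-user <%= ldap_user.to_s %>`, still use the bare local `ldap_user` although `@ldap_auth` on the line above was converted; these are exactly the accesses the commit is meant to fix, and under the stricter template scoping of later Puppet releases the user restriction would fail to render instead of merely warning. Change them to `<% unless @ldap_user.to_s == 'any' -%>` and `Require ldap-user <%= @ldap_user.to_s %>`. The enclosing `<% if @ldap_auth.to_s == 'true' then -%>` block ends outside the hunk, so the `any` branch that presumably follows should be checked for the same pattern.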
@@ -11,12 +11,12 @@ vhost_parts.each do |vhost_part| -%> <%= scope.function_template(['apache/vhosts/partials/logs.erb']) %> -<% if run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%> +<% if @run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%> AssignUserId <%= "#{@run_uid} #{@run_gid}" %> -<% elsif run_mode.to_s == 'fcgid' -%> +<% elsif @run_mode.to_s == 'fcgid' -%> SuexecUserGroup <%= "#{@run_uid} #{@run_gid}" %> FcgidMaxRequestsPerProcess 5000 -- cgit v1.2.3 From 1ed74a3beb4498ed1566a94c49da3fb4c57cef0e Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 19 Apr 2014 16:49:43 +0200 Subject: combine the checks like this, otherwise we always redirect on security --- templates/vhosts/php_silverstripe/partial.erb | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/templates/vhosts/php_silverstripe/partial.erb b/templates/vhosts/php_silverstripe/partial.erb index 8fb87e4..75a8193 100644 --- a/templates/vhosts/php_silverstripe/partial.erb +++ b/templates/vhosts/php_silverstripe/partial.erb @@ -2,16 +2,11 @@ RewriteEngine On RewriteCond %{HTTPS} !=on RewriteCond %{HTTP:X-Forwarded-Proto} !=https - RewriteRule /admin(.*) https://%{HTTP_HOST}/admin$1 [L,R,NE] - RewriteRule /Security(.*) https://%{HTTP_HOST}/Security$1 [L,R,NE] + RewriteRule /(Security|admin)(.*) https://%{HTTP_HOST}/admin$1$2 [L,R,NE] /"> - <%= scope.function_template(['apache/vhosts/partials/std_override_options.erb']) %> - <%= scope.function_template(['apache/vhosts/partials/php_settings.erb']) %> - <%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %> - Include include.d/silverstripe.inc -- cgit v1.2.3 From bc953036d453e57383dcd7aad33c203104061ceb Mon Sep 17 00:00:00 2001 
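Review bot: The merged rule `RewriteRule /(Security|admin)(.*) https://%{HTTP_HOST}/admin$1$2 [L,R,NE]` prefixes a literal `/admin` to both captures, so `/admin/pages` is redirected to `https://host/adminadmin/pages` and `/Security/login` to `https://host/adminSecurity/login`, neither of which exists; the target should be `https://%{HTTP_HOST}/$1$2`. The pattern is also still unanchored, so `/foo/admin-bar` is caught as well; `^/(Security|admin)(.*)` matches the stated intent of only forcing HTTPS on the admin and security paths. Reflecting `%{HTTP_HOST}` rather than the configured server name into `Location` additionally lets a catch-all vhost redirect to an attacker-chosen host, so `<%= @servername %>` or `UseCanonicalName On` is preferable here too.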
From: mh Date: Sat, 19 Apr 2014 16:53:53 +0200 Subject: remove unnecessary new lines --- templates/vhosts/gitweb/partial.erb | 1 - templates/vhosts/itk_plus/partial.erb | 1 - templates/vhosts/perl/partial.erb | 1 - templates/vhosts/php/partial.erb | 2 -- templates/vhosts/php_drupal/partial.erb | 3 --- templates/vhosts/php_gallery2/partial.erb | 2 -- templates/vhosts/php_joomla/partial.erb | 2 -- templates/vhosts/static/partial.erb | 1 - 8 files changed, 13 deletions(-) diff --git a/templates/vhosts/gitweb/partial.erb b/templates/vhosts/gitweb/partial.erb index d7765bf..a8475f6 100644 --- a/templates/vhosts/gitweb/partial.erb +++ b/templates/vhosts/gitweb/partial.erb @@ -4,7 +4,6 @@ <% if @options.to_s != 'absent' || @do_includes.to_s == 'true'-%> Options <% unless @options.to_s == 'absent' -%><%= @options %><% end -%><% if @do_includes.to_s == 'true' && !@options.include?('+Includes') -%> +Includes<% end -%><% unless @options.include?('+ExecCGI') -%> +ExecCGI<% end -%> <% end -%> - AddHandler cgi-script .cgi Options ExecCGI FollowSymLinks diff --git a/templates/vhosts/itk_plus/partial.erb b/templates/vhosts/itk_plus/partial.erb index 78e8d27..df04543 100644 --- a/templates/vhosts/itk_plus/partial.erb +++ b/templates/vhosts/itk_plus/partial.erb @@ -23,7 +23,6 @@ AllowOverride <%= @allow_override %> <% if @options.to_s != 'absent' || @do_includes.to_s == 'true' -%> Options <% unless @options.to_s == 'absent' -%><%= @options %><% end -%><% if @do_includes.to_s == 'true' && !@options.include?('+Includes') -%> +Includes<% end -%> - <% end -%> <%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %> diff --git a/templates/vhosts/perl/partial.erb b/templates/vhosts/perl/partial.erb index 7ed3e71..8c1f0a5 100644 --- a/templates/vhosts/perl/partial.erb +++ b/templates/vhosts/perl/partial.erb 
@@ -1,6 +1,5 @@ /"> <%= scope.function_template(['apache/vhosts/partials/std_override_options.erb']) %> - <%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %> diff --git a/templates/vhosts/php/partial.erb b/templates/vhosts/php/partial.erb index 82df269..c19ae7b 100644 --- a/templates/vhosts/php/partial.erb +++ b/templates/vhosts/php/partial.erb @@ -1,7 +1,5 @@ /"> <%= scope.function_template(['apache/vhosts/partials/std_override_options.erb']) %> - <%= scope.function_template(['apache/vhosts/partials/php_settings.erb']) %> - <%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %> diff --git a/templates/vhosts/php_drupal/partial.erb b/templates/vhosts/php_drupal/partial.erb index 2c5f562..316942f 100644 --- a/templates/vhosts/php_drupal/partial.erb +++ b/templates/vhosts/php_drupal/partial.erb @@ -1,10 +1,7 @@ /"> <%= scope.function_template(['apache/vhosts/partials/std_override_options.erb']) %> - <%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %> - <%= scope.function_template(['apache/vhosts/partials/php_settings.erb']) %> - # Protect files and directories from prying eyes. Order allow,deny diff --git a/templates/vhosts/php_gallery2/partial.erb b/templates/vhosts/php_gallery2/partial.erb index 000f969..218c0e7 100644 --- a/templates/vhosts/php_gallery2/partial.erb +++ b/templates/vhosts/php_gallery2/partial.erb @@ -1,8 +1,6 @@ /"> <%= scope.function_template(['apache/vhosts/partials/std_override_options.erb']) %> - <%= scope.function_template(['apache/vhosts/partials/php_settings.erb']) %> - <%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %> # Always rewrite login's diff --git a/templates/vhosts/php_joomla/partial.erb b/templates/vhosts/php_joomla/partial.erb index 5a0f720..55445bf 100644 --- a/templates/vhosts/php_joomla/partial.erb +++ b/templates/vhosts/php_joomla/partial.erb 
@@ -1,8 +1,6 @@ /"> <%= scope.function_template(['apache/vhosts/partials/std_override_options.erb']) %> - <%= scope.function_template(['apache/vhosts/partials/php_settings.erb']) %> - <%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %> Include include.d/joomla.inc diff --git a/templates/vhosts/static/partial.erb b/templates/vhosts/static/partial.erb index ae8743f..dc6f11c 100644 --- a/templates/vhosts/static/partial.erb +++ b/templates/vhosts/static/partial.erb @@ -1,5 +1,4 @@ /"> <%= scope.function_template(['apache/vhosts/partials/std_override_options.erb']) %> - <%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %> -- cgit v1.2.3 From bec7183cee93188cf7f0f8cda38a620da6ec0f17 Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 19 Apr 2014 17:23:52 +0200 Subject: introduce a simple wp-login brute force protection --- templates/vhosts/php_wordpress/partial.erb | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/templates/vhosts/php_wordpress/partial.erb b/templates/vhosts/php_wordpress/partial.erb index 42f3cb5..1a02d68 100644 --- a/templates/vhosts/php_wordpress/partial.erb +++ b/templates/vhosts/php_wordpress/partial.erb @@ -4,3 +4,16 @@ /wp-content/w3tc/dbcache"> Deny From All + + # simple wp-login brute force protection + # http://www.frameloss.org/2013/04/26/even-easier-brute-force-login-protection-for-wordpress/ + RewriteEngine On + RewriteCond %{HTTP_COOKIE} !<%= cookie = scope.function_sha1([scope.function_fqdn_rand([9999999999999,@name]).to_s + "cookie"]) %> +RewriteRule /wp-login.php /wordpress-login-<%= tmpuri = scope.function_sha1([scope.function_fqdn_rand([9999999999999,@name]).to_s + "wp-login"]) %>.php [R,L] +.php> + CookieTracking on + CookieExpires 30 + CookieName <%= cookie %> + + RewriteRule /wordpress-login-<%= tmpuri %>.php /wp-login.php [NE] + -- cgit v1.2.3 From e14622cd4495a9c0ccae391f6168dec21dba0985 Mon Sep 17 00:00:00 2001 
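Review bot: `CookieExpires 30` in the wp-login `<Files>` block gives the mod_usertrack cookie a 30-second lifetime (seconds are assumed when no unit is given), so a user who takes longer than that between loading the login page and submitting the form posts to `/wp-login.php` without a valid cookie, hits the `[R,L]` rule, and the browser turns the POST into a GET of the hashed URL — the credentials are silently dropped and the login just appears to fail; `CookieExpires "30 minutes"` (or longer) avoids that. Also, the cookie name and the hashed URL are derived with `fqdn_rand`, which is deterministic for a given fqdn and vhost name, and both are handed to every client in the 302 and the `Set-Cookie` anyway, so this only deters clients that neither follow redirects nor return cookies. A comment such as `# obscurity measure against naive bots only, not rate limiting: any client that follows the 302 and resends the cookie bypasses it` would keep future readers from relying on it as real brute-force protection. The block also depends on mod_usertrack and mod_rewrite being loaded, which the commit does not appear to arrange.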
From: mh Date: Sat, 19 Apr 2014 17:31:23 +0200 Subject: correct alignment --- templates/vhosts/php_wordpress/partial.erb | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/templates/vhosts/php_wordpress/partial.erb b/templates/vhosts/php_wordpress/partial.erb index 1a02d68..7b07f21 100644 --- a/templates/vhosts/php_wordpress/partial.erb +++ b/templates/vhosts/php_wordpress/partial.erb @@ -9,11 +9,11 @@ # http://www.frameloss.org/2013/04/26/even-easier-brute-force-login-protection-for-wordpress/ RewriteEngine On RewriteCond %{HTTP_COOKIE} !<%= cookie = scope.function_sha1([scope.function_fqdn_rand([9999999999999,@name]).to_s + "cookie"]) %> -RewriteRule /wp-login.php /wordpress-login-<%= tmpuri = scope.function_sha1([scope.function_fqdn_rand([9999999999999,@name]).to_s + "wp-login"]) %>.php [R,L] -.php> + RewriteRule /wp-login.php /wordpress-login-<%= tmpuri = scope.function_sha1([scope.function_fqdn_rand([9999999999999,@name]).to_s + "wp-login"]) %>.php [R,L] + .php> CookieTracking on CookieExpires 30 CookieName <%= cookie %> - - RewriteRule /wordpress-login-<%= tmpuri %>.php /wp-login.php [NE] + + RewriteRule /wordpress-login-<%= tmpuri %>.php /wp-login.php [NE] -- cgit v1.2.3 From 3522b97b81e00f6a590cd930c2c69166d6140d43 Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 19 Apr 2014 18:49:14 +0200 Subject: linting --- manifests/config/file.pp | 168 +++++++++++++++++++++++------------------------ 1 file changed, 84 insertions(+), 84 deletions(-) diff --git a/manifests/config/file.pp b/manifests/config/file.pp index 74d289d..7b05869 100644 --- a/manifests/config/file.pp +++ b/manifests/config/file.pp 
@@ -1,106 +1,106 @@ # deploy apache configuration file # by default we assume it's a global configuration file define apache::config::file( - $ensure = present, - $target = false, - $type = 'global', - $source = 'absent', - $content = 'absent', - $destination = 'absent' + $ensure = present, + $target = false, + $type = 'global', + $source = 'absent', + $content = 'absent', + $destination = 'absent' ){ - case $type { - 'include': { $confdir = 'include.d' } - 'global': { $confdir = 'conf.d' } - default: { fail("Wrong config file type specified for ${name}") } - } - $real_destination = $destination ? { - 'absent' => $::operatingsystem ? { - centos => "${apache::centos::config_dir}/${confdir}/${name}", - gentoo => "${apache::gentoo::config_dir}/${name}", - debian => "${apache::debian::config_dir}/${confdir}/${name}", - ubuntu => "${apache::ubuntu::config_dir}/${confdir}/${name}", - openbsd => "${apache::openbsd::config_dir}/${confdir}/${name}", - default => "/etc/apache2/${confdir}/${name}", - }, - default => $destination - } - file{"apache_${name}": - ensure => $ensure, - path => $real_destination, - notify => Service[apache], - owner => root, - group => 0, - mode => '0644'; - } + case $type { + 'include': { $confdir = 'include.d' } + 'global': { $confdir = 'conf.d' } + default: { fail("Wrong config file type specified for ${name}") } + } + $real_destination = $destination ? { + 'absent' => $::operatingsystem ? 
{ + centos => "${apache::centos::config_dir}/${confdir}/${name}", + gentoo => "${apache::gentoo::config_dir}/${name}", + debian => "${apache::debian::config_dir}/${confdir}/${name}", + ubuntu => "${apache::ubuntu::config_dir}/${confdir}/${name}", + openbsd => "${apache::openbsd::config_dir}/${confdir}/${name}", + default => "/etc/apache2/${confdir}/${name}", + }, + default => $destination + } + file{"apache_${name}": + ensure => $ensure, + path => $real_destination, + notify => Service[apache], + owner => root, + group => 0, + mode => '0644'; + } - case $ensure { - 'absent', 'purged': { - # We want to avoid all stuff related to source and content + case $ensure { + 'absent', 'purged': { + # We want to avoid all stuff related to source and content + } + 'link': { + if $target { + File["apache_${name}"] { + target => $target, + } } - 'link': { - if $target != false { - File["apache_${name}"] { - target => $target, + } + default: { + case $content { + 'absent': { + $real_source = $source ? { + 'absent' => [ + "puppet:///modules/site_apache/${confdir}/${::fqdn}/${name}", + "puppet:///modules/site_apache/${confdir}/${apache::cluster_node}/${name}", + "puppet:///modules/site_apache/${confdir}/${::operatingsystem}.${::operatingsystemmajrelease}/${name}", + "puppet:///modules/site_apache/${confdir}/${::operatingsystem}/${name}", + "puppet:///modules/site_apache/${confdir}/${name}", + "puppet:///modules/apache/${confdir}/${::operatingsystem}.${::operatingsystemmajrelease}/${name}", + "puppet:///modules/apache/${confdir}/${::operatingsystem}/${name}", + "puppet:///modules/apache/${confdir}/${name}" + ], + default => $source + } + File["apache_${name}"]{ + source => $real_source, } } - } - default: { - case $content { - 'absent': { - $real_source = $source ? { + default: { + case $content { + 'absent': { + $real_source = $source ? 
{ 'absent' => [ - "puppet:///modules/site_apache/${confdir}/${::fqdn}/${name}", - "puppet:///modules/site_apache/${confdir}/${apache::cluster_node}/${name}", - "puppet:///modules/site_apache/${confdir}/${::operatingsystem}.${::operatingsystemmajrelease}/${name}", - "puppet:///modules/site_apache/${confdir}/${::operatingsystem}/${name}", - "puppet:///modules/site_apache/${confdir}/${name}", + "puppet:///modules/site-apache/${confdir}/${::fqdn}/${name}", + "puppet:///modules/site-apache/${confdir}/${apache::cluster_node}/${name}", + "puppet:///modules/site-apache/${confdir}/${::operatingsystem}.${::operatingsystemmajrelease}/${name}", + "puppet:///modules/site-apache/${confdir}/${::operatingsystem}/${name}", + "puppet:///modules/site-apache/${confdir}/${name}", "puppet:///modules/apache/${confdir}/${::operatingsystem}.${::operatingsystemmajrelease}/${name}", "puppet:///modules/apache/${confdir}/${::operatingsystem}/${name}", "puppet:///modules/apache/${confdir}/${name}" ], - default => $source - } - File["apache_${name}"]{ - source => $real_source, + default => $source, + } + File["apache_${name}"]{ + source => $real_source, + } } - } - default: { - case $content { - 'absent': { - $real_source = $source ? 
{ - 'absent' => [ - "puppet:///modules/site-apache/${confdir}/${::fqdn}/${name}", - "puppet:///modules/site-apache/${confdir}/${apache::cluster_node}/${name}", - "puppet:///modules/site-apache/${confdir}/${::operatingsystem}.${::operatingsystemmajrelease}/${name}", - "puppet:///modules/site-apache/${confdir}/${::operatingsystem}/${name}", - "puppet:///modules/site-apache/${confdir}/${name}", - "puppet:///modules/apache/${confdir}/${::operatingsystem}.${::operatingsystemmajrelease}/${name}", - "puppet:///modules/apache/${confdir}/${::operatingsystem}/${name}", - "puppet:///modules/apache/${confdir}/${name}" - ], - default => $source, - } - File["apache_${name}"]{ - source => $real_source, - } - } - default: { - File["apache_${name}"]{ - content => $content, - } - } + default: { + File["apache_${name}"]{ + content => $content, + } } } } } } + } - case $::operatingsystem { - openbsd: { info("no package dependency on ${::operatingsystem} for ${name}") } - default: { - File["apache_${name}"]{ - require => Package[apache], - } - } + case $::operatingsystem { + openbsd: { info("no package dependency on ${::operatingsystem} for ${name}") } + default: { + File["apache_${name}"]{ + require => Package[apache], + } } + } } -- cgit v1.2.3 From 7a1c4171e81dd4550e403fc211b582d610e20671 Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 19 Apr 2014 19:09:16 +0200 Subject: fix merge regression and add data-dir back to open_basedir --- manifests/vhost/php/standard.pp | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/manifests/vhost/php/standard.pp b/manifests/vhost/php/standard.pp index 242a47d..2d6d8cb 100644 --- a/manifests/vhost/php/standard.pp +++ b/manifests/vhost/php/standard.pp 
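Review bot: As far as the collapsed hunk can be read, the new side keeps a nested `default: { case $content { 'absent': { ... site-apache ... } ... } }` inside the outer `default:` arm of `case $content`; that inner `'absent'` arm can never match, because the outer case has already established `$content != 'absent'`, so the `puppet:///modules/site-apache/...` source list is dead code and the effective fallback is the `site_apache` list above it. Both sides stay at 106 lines, so this really is re-indentation only, but a lint pass is the moment to drop the dead arm or add a comment explaining why it is kept. The one semantic edit, `if $target != false` becoming `if $target` (an empty-string target is now skipped as well), deserves a mention in the commit message rather than being buried in whitespace changes.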
@@ -181,7 +181,6 @@ define apache::vhost::php::standard( engine => 'On', upload_tmp_dir => "/var/www/upload_tmp_dir/${name}", 'session.save_path' => "/var/www/session.save_path/${name}", - open_basedir => "${smarty_path}${pear_path}${documentroot}:${real_path}/data:/var/www/upload_tmp_dir/${name}:/var/www/session.save_path/${name}", safe_mode => $::operatingsystem ? { debian => undef, default => 'On', @@ -191,8 +190,8 @@ define apache::vhost::php::standard( safe_mode_exec_dir => $std_php_settings_safe_mode_exec_dir, default_charset => $std_php_settings_default_charset, open_basedir => has_key($php_options,'additional_open_basedir') ? { - true => "${smarty_path}${pear_path}${documentroot}:/var/www/upload_tmp_dir/${name}:/var/www/session.save_path/${name}:${php_options[additional_open_basedir]}", - false => "${smarty_path}${pear_path}${documentroot}:/var/www/upload_tmp_dir/${name}:/var/www/session.save_path/${name}", + true => "${smarty_path}${pear_path}${documentroot}:${real_path}/data:/var/www/upload_tmp_dir/${name}:/var/www/session.save_path/${name}:${php_options[additional_open_basedir]}", + false => "${smarty_path}${pear_path}${documentroot}:${real_path}/data:/var/www/upload_tmp_dir/${name}:/var/www/session.save_path/${name}", }, } -- cgit v1.2.3 From 30512c2321f5f979bdfe7400593a10d0936da1e0 Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 25 Apr 2014 18:00:53 +0200 Subject: use builtin language function instead of an own one --- manifests/centos.pp | 1 - manifests/vhost/php/standard.pp | 17 ++++++++++------- 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/manifests/centos.pp b/manifests/centos.pp index 3d9664d..554e7b2 100644 --- a/manifests/centos.pp +++ b/manifests/centos.pp 
@@ -40,7 +40,6 @@ class apache::centos inherits apache::package { [ '/var/www/vhosts/[^/]*/www(/.*)?', '/var/www/vhosts/[^/]*/non_public(/.*)?', '/var/www/vhosts/[^/]*/data(/.*)?', - '/var/www/vhosts/[^/]*/g2data(/.*)?', '/var/www/vhosts/[^/]*/upload(/.*)?' ]: require => Package['apache'], setype => $seltype_rw; diff --git a/manifests/vhost/php/standard.pp b/manifests/vhost/php/standard.pp index 2d6d8cb..2eb231d 100644 --- a/manifests/vhost/php/standard.pp +++ b/manifests/vhost/php/standard.pp @@ -127,7 +127,7 @@ define apache::vhost::php::standard( $safe_mode_gid = undef } - if has_key($php_settings,'safe_mode_exec_dir') { + if ('safe_mode_exec_dir' in $php_settings) { $php_safe_mode_exec_dir = $php_settings[safe_mode_exec_dir] } else { $php_safe_mode_exec_dir = $path ? { @@ -143,7 +143,7 @@ define apache::vhost::php::standard( force => true, purge => true, } - if has_key($php_options,'safe_mode_exec_bins') { + if ('safe_mode_exec_bins' in $php_settings) { $std_php_settings_safe_mode_exec_dir = $php_safe_mode_exec_dir $ensure_exec = $ensure ? { 'present' => directory, @@ -168,7 +168,7 @@ define apache::vhost::php::standard( } } - if !has_key($php_settings,'default_charset') and ($default_charset != 'absent') { + if !('default_charset' in $php_settings) and ($default_charset != 'absent') { $std_php_settings_default_charset = $default_charset ? { 'On' => 'iso-8859-1', default => $default_charset 
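Review bot: The centos.pp hunk removes the `/var/www/vhosts/[^/]*/g2data(/.*)?` SELinux fcontext pattern, which has nothing to do with the subject ("use builtin language function"); an existing gallery data directory will lose its rw context on the next relabel and become unwritable for the web server. Split this into its own commit or name it in the message so the behaviour change is visible.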
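Review bot: In the `@@ -143` hunk the replacement looks `safe_mode_exec_bins` up in `$php_settings`, while the removed `has_key` call used `$php_options`; the other two conversions in this file kept their hash, so this one reads like a slip and silently disables the exec-dir handling for everyone who sets `php_options => { safe_mode_exec_bins => ... }`. The line should be `if ('safe_mode_exec_bins' in $php_options) {`. The define's body starts outside the hunk.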
@@ -177,6 +177,12 @@ define apache::vhost::php::standard( $std_php_settings_default_charset = undef } + if ('additional_open_basedir' in $php_options) { + $the_open_basedir = "${smarty_path}${pear_path}${documentroot}:${real_path}/data:/var/www/upload_tmp_dir/${name}:/var/www/session.save_path/${name}:${php_options[additional_open_basedir]}" + } else { + $the_open_basedir = "${smarty_path}${pear_path}${documentroot}:${real_path}/data:/var/www/upload_tmp_dir/${name}:/var/www/session.save_path/${name}" + } + $std_php_settings = { engine => 'On', upload_tmp_dir => "/var/www/upload_tmp_dir/${name}", @@ -189,10 +195,7 @@ define apache::vhost::php::standard( safe_mode_gid => $safe_mode_gid, safe_mode_exec_dir => $std_php_settings_safe_mode_exec_dir, default_charset => $std_php_settings_default_charset, - open_basedir => has_key($php_options,'additional_open_basedir') ? { - true => "${smarty_path}${pear_path}${documentroot}:${real_path}/data:/var/www/upload_tmp_dir/${name}:/var/www/session.save_path/${name}:${php_options[additional_open_basedir]}", - false => "${smarty_path}${pear_path}${documentroot}:${real_path}/data:/var/www/upload_tmp_dir/${name}:/var/www/session.save_path/${name}", - }, + open_basedir => $the_open_basedir, } $real_php_settings = merge($std_php_settings,$php_settings) -- cgit v1.2.3 From ec203880b50e58dae5159e7279d0d14ec4b0b5d6 Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 26 Apr 2014 11:13:05 +0200 Subject: fix a regression from the last change: safe_mode_exec_bins is in php_options not php_settings --- manifests/vhost/php/standard.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/vhost/php/standard.pp b/manifests/vhost/php/standard.pp index 2eb231d..699edeb 100644 --- a/manifests/vhost/php/standard.pp +++ b/manifests/vhost/php/standard.pp 
@@ -143,7 +143,7 @@ define apache::vhost::php::standard( force => true, purge => true, } - if ('safe_mode_exec_bins' in $php_settings) { + if ('safe_mode_exec_bins' in $php_options) { $std_php_settings_safe_mode_exec_dir = $php_safe_mode_exec_dir $ensure_exec = $ensure ? { 'present' => directory, -- cgit v1.2.3 From ccf10e2a2831141472d2c71ada7c29d8834bb072 Mon Sep 17 00:00:00 2001 From: mh Date: Mon, 28 Apr 2014 14:32:37 +0200 Subject: do not forward if https is already set as forwarded header --- templates/vhosts/php_typo3/partial.erb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/templates/vhosts/php_typo3/partial.erb b/templates/vhosts/php_typo3/partial.erb index edb2966..afb756d 100644 --- a/templates/vhosts/php_typo3/partial.erb +++ b/templates/vhosts/php_typo3/partial.erb @@ -4,6 +4,7 @@ # Rewrite URLs to https that go for the admin area RewriteCond %{HTTPS} !=on + RewriteCond %{HTTP:X-Forwarded-Proto} !=https RewriteCond %{REQUEST_URI} (.*/typo3/.*) - RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R] + RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R,NE] -- cgit v1.2.3 From b407de3da9e9cf265bfb6b392f3a331eaaf0ef3b Mon Sep 17 00:00:00 2001 From: mh Date: Tue, 29 Apr 2014 15:13:02 +0200 Subject: ensure that this only works in the root directory --- templates/vhosts/php_wordpress/partial.erb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/vhosts/php_wordpress/partial.erb b/templates/vhosts/php_wordpress/partial.erb index 7b07f21..5e6ebd5 100644 --- a/templates/vhosts/php_wordpress/partial.erb +++ b/templates/vhosts/php_wordpress/partial.erb 
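Review bot: Trusting `%{HTTP:X-Forwarded-Proto}` means any client that sends `X-Forwarded-Proto: https` itself skips the HTTPS redirect for the typo3 admin area; that is only safe when this vhost is reachable exclusively through a reverse proxy that overwrites the header, and that assumption belongs in the template as a comment, e.g. `# X-Forwarded-Proto is only trustworthy behind our TLS-terminating proxy, which always sets it`. The redirect target also uses client-supplied `%{HTTP_HOST}`; if this partial can end up serving as the default vhost, `%{SERVER_NAME}` together with `UseCanonicalName On` is the safer target. The surrounding rewrite block starts outside the hunk.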
@@ -9,11 +9,11 @@ # http://www.frameloss.org/2013/04/26/even-easier-brute-force-login-protection-for-wordpress/ RewriteEngine On RewriteCond %{HTTP_COOKIE} !<%= cookie = scope.function_sha1([scope.function_fqdn_rand([9999999999999,@name]).to_s + "cookie"]) %> - RewriteRule /wp-login.php /wordpress-login-<%= tmpuri = scope.function_sha1([scope.function_fqdn_rand([9999999999999,@name]).to_s + "wp-login"]) %>.php [R,L] + RewriteRule ^/wp-login.php /wordpress-login-<%= tmpuri = scope.function_sha1([scope.function_fqdn_rand([9999999999999,@name]).to_s + "wp-login"]) %>.php [R,L] .php> CookieTracking on CookieExpires 30 CookieName <%= cookie %> - RewriteRule /wordpress-login-<%= tmpuri %>.php /wp-login.php [NE] + RewriteRule ^/wordpress-login-<%= tmpuri %>.php /wp-login.php [NE] -- cgit v1.2.3 From 736cbf13fa0df0dfbc7d8e2308410c71726af7bf Mon Sep 17 00:00:00 2001 From: mh Date: Tue, 6 May 2014 00:51:37 +0200 Subject: sort the array --- templates/vhosts/partials/header_default.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/vhosts/partials/header_default.erb b/templates/vhosts/partials/header_default.erb index dbba367..266fc79 100644 --- a/templates/vhosts/partials/header_default.erb +++ b/templates/vhosts/partials/header_default.erb @@ -4,7 +4,7 @@ <% end -%> ServerName <%= @servername %> <% unless @serveralias.empty? || (@serveralias == 'absent') -%> - ServerAlias <%= Array(@serveralias).join(' ') %> + ServerAlias <%= Array(@serveralias).sort.join(' ') %> <% end -%> <% unless @server_admin.empty? || (@server_admin == 'absent') -%> ServerAdmin <%= @server_admin %> -- cgit v1.2.3 From 489b2a01cf737b8da59f311d15329f2c32a43352 Mon Sep 17 00:00:00 2001 From: tr Date: Wed, 21 May 2014 11:42:17 +0200 Subject: change char to us-ascii --- manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/init.pp b/manifests/init.pp index 542e7aa..87149d8 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
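Review bot: `^/wp-login.php` still has an unescaped `.` and no end anchor, so it also matches paths like `/wp-loginXphp` or `/wp-login.php.bak`; the same applies to the `/wordpress-login-<hash>.php` rule below it. Anchoring both as `^/wp-login\.php$` and `^/wordpress-login-<%= tmpuri %>\.php$` makes the rewrite pair match exactly the two files it is meant to exchange. The `<Files>` container these rules sit in starts outside the hunk.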
@@ -3,7 +3,7 @@ # # Copyright 2008, admin(at)immerda.ch # Copyright 2008, Puzzle ITC GmbH -# Marcel Härry haerry+puppet(at)puzzle.ch +# Marcel Haerry haerry+puppet(at)puzzle.ch # Simon Josi josi+puppet(at)puzzle.ch # # This program is free software; you can redistribute -- cgit v1.2.3 From 02cfba03d2439b26dce8c37210dcbb85196fb5f4 Mon Sep 17 00:00:00 2001 From: mh Date: Sun, 25 May 2014 16:47:39 +0200 Subject: adapt to new naming --- manifests/vhost/php/standard.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/vhost/php/standard.pp b/manifests/vhost/php/standard.pp index 699edeb..69d0fa8 100644 --- a/manifests/vhost/php/standard.pp +++ b/manifests/vhost/php/standard.pp @@ -212,7 +212,7 @@ define apache::vhost::php::standard( include apache::include::mod_fcgid mod_fcgid::starter {$name: - php_tmp_dir => $real_php_settings[php_tmp_dir], + tmp_dir => $real_php_settings[php_tmp_dir], cgi_type => 'php', cgi_type_options => delete($real_php_settings, php_tmp_dir), owner => $run_uid, -- cgit v1.2.3 From 0bbe37a35fe98d67c2c25989d9585e31e42dc3c0 Mon Sep 17 00:00:00 2001 From: mh Date: Sun, 25 May 2014 17:27:21 +0200 Subject: integrate php54 from scl support --- manifests/vhost/php/standard.pp | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/manifests/vhost/php/standard.pp b/manifests/vhost/php/standard.pp index 69d0fa8..8498a82 100644 --- a/manifests/vhost/php/standard.pp +++ b/manifests/vhost/php/standard.pp @@ -46,6 +46,7 @@ define apache::vhost::php::standard( $allow_override = 'None', $php_settings = {}, $php_options = {}, + $php_installation = 'system', $do_includes = false, $options = 'absent', $additional_options = 'absent', @@ -61,7 +62,7 @@ define apache::vhost::php::standard( $vhost_source = 'absent', $vhost_destination = 'absent', $htpasswd_file = 'absent', - $htpasswd_path = 'absent' + $htpasswd_path = 'absent', ){ if $manage_webdir { 
@@ -188,8 +189,11 @@ define apache::vhost::php::standard( upload_tmp_dir => "/var/www/upload_tmp_dir/${name}", 'session.save_path' => "/var/www/session.save_path/${name}", safe_mode => $::operatingsystem ? { - debian => undef, - default => 'On', + debian => undef, + default => $php_installation ? { + 'system' => 'On', + default => undef, + } }, error_log => $php_error_log, safe_mode_gid => $safe_mode_gid, @@ -219,6 +223,13 @@ define apache::vhost::php::standard( group => $run_gid, notify => Service['apache'], } + if $php_installation == 'scl54' { + require php::scl::php54 + Mod_fcgid::Starter[$name]{ + binary => '/opt/rh/php54/root/usr/bin/php-cgi', + additional_cmds => 'source /opt/rh/php54/enable', + } + } } default: { include ::php } } -- cgit v1.2.3 From e1a0f0d0b172c59ec707cbc9c94475c770a07385 Mon Sep 17 00:00:00 2001 From: mh Date: Mon, 26 May 2014 07:48:11 +0200 Subject: on newer installations (php >= 5.4) we should not use safe_mode things --- manifests/vhost/php/standard.pp | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/manifests/vhost/php/standard.pp b/manifests/vhost/php/standard.pp index 8498a82..69e7db8 100644 --- a/manifests/vhost/php/standard.pp +++ b/manifests/vhost/php/standard.pp @@ -122,11 +122,6 @@ define apache::vhost::php::standard( } else { $php_error_log = undef } - if $run_mode == 'fcgid' { - $safe_mode_gid = 'On' - } else { - $safe_mode_gid = undef - } if ('safe_mode_exec_dir' in $php_settings) { $php_safe_mode_exec_dir = $php_settings[safe_mode_exec_dir] 
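Review bot: `$php_installation` is never validated, and the new `safe_mode` selector maps every value other than `'system'` to `undef`, so a typo such as `'scl45'` silently disables safe_mode and then falls through to the system `php-cgi` binary because the `scl54` branch does not match either. Fail early instead — the file already uses stdlib (`has_key`, `merge`), so `validate_re($php_installation, '^(system|scl54)$', "php_installation must be 'system' or 'scl54'")` near the top of the define, or an `else { fail("unknown php_installation ${php_installation}") }` after the scl54 branch, would do. The define and the fcgid `case` both start outside the hunk.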
@@ -184,6 +179,18 @@ define apache::vhost::php::standard( $the_open_basedir = "${smarty_path}${pear_path}${documentroot}:${real_path}/data:/var/www/upload_tmp_dir/${name}:/var/www/session.save_path/${name}" } + if $run_mode == 'fcgid' { + $safe_mode_gid = $::operatingsystem ? { + debian => undef, + default => $php_installation ? { + 'system' => 'On', + default => undef, + } + } + } else { + $safe_mode_gid = undef + } + $std_php_settings = { engine => 'On', upload_tmp_dir => "/var/www/upload_tmp_dir/${name}", -- cgit v1.2.3 From a16d08298f46a0ff27e562b2b16ef3510e5c65e3 Mon Sep 17 00:00:00 2001 From: mh Date: Thu, 29 May 2014 15:56:42 +0200 Subject: take safe mode setting outside --- manifests/vhost/php/standard.pp | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/manifests/vhost/php/standard.pp b/manifests/vhost/php/standard.pp index 69e7db8..e0eb1e6 100644 --- a/manifests/vhost/php/standard.pp +++ b/manifests/vhost/php/standard.pp @@ -191,18 +191,19 @@ define apache::vhost::php::standard( $safe_mode_gid = undef } + $safe_mode = $::operatingsystem ? { + debian => undef, + default => $php_installation ? { + 'system' => 'On', + default => undef, + } + } $std_php_settings = { engine => 'On', upload_tmp_dir => "/var/www/upload_tmp_dir/${name}", 'session.save_path' => "/var/www/session.save_path/${name}", - safe_mode => $::operatingsystem ? { - debian => undef, - default => $php_installation ? { - 'system' => 'On', - default => undef, - } - }, error_log => $php_error_log, + safe_mode => $safe_mode, safe_mode_gid => $safe_mode_gid, safe_mode_exec_dir => $std_php_settings_safe_mode_exec_dir, default_charset => $std_php_settings_default_charset, -- cgit v1.2.3 From a59012ff522a534aebd128236b8520eff413578b Mon Sep 17 00:00:00 2001 From: mh Date: Wed, 2 Jul 2014 21:34:31 +0200 Subject: linting --- manifests/vhost.pp | 152 ++++++++++++++++++++++++++--------------------------- 1 file changed, 76 insertions(+), 76 deletions(-) 
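Review bot: After this change `$safe_mode` and `$safe_mode_gid` carry the same operatingsystem/php_installation selector twice; if `$safe_mode` is assigned first, the fcgid branch can simply reuse it, `$safe_mode_gid = $run_mode ? { 'fcgid' => $safe_mode, default => undef }`, which also keeps the two from drifting apart when another php_installation value is added. A short comment on `$safe_mode` explaining that it is intentionally `undef` on Debian and on non-system PHP (safe_mode is gone from PHP ≥ 5.4, per the earlier commit message) would help the next reader. The define starts outside the hunk.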
diff --git a/manifests/vhost.pp b/manifests/vhost.pp index dcb26a2..2f3a79e 100644 --- a/manifests/vhost.pp +++ b/manifests/vhost.pp 
@@ -29,94 +29,94 @@ # - true: activate mod_security # define apache::vhost( - $ensure = present, - $path = 'absent', - $path_is_webdir = false, - $logpath = 'absent', - $logmode = 'default', - $vhost_mode = 'template', - $template_partial = 'apache/vhosts/static/partial.erb', - $vhost_source = 'absent', - $vhost_destination = 'absent', - $content = 'absent', - $domain = 'absent', - $domainalias = 'absent', - $server_admin = 'absent', - $allow_override = 'None', - $php_settings = {}, - $php_options = {}, - $cgi_binpath = 'absent', - $default_charset = 'absent', - $do_includes = false, - $options = 'absent', - $additional_options = 'absent', - $run_mode = 'normal', - $run_uid = 'absent', - $run_gid = 'absent', - $ssl_mode = false, - $htpasswd_file = 'absent', - $htpasswd_path = 'absent', - $mod_security = true, - $mod_security_relevantonly = true, - $mod_security_rules_to_disable = [], - $mod_security_additional_options = 'absent', - $use_mod_macro = false, - $ldap_auth = false, - $ldap_user = 'any', - $passing_extension = 'absent', - $gempath = 'absent' + $ensure = present, + $path = 'absent', + $path_is_webdir = false, + $logpath = 'absent', + $logmode = 'default', + $vhost_mode = 'template', + $template_partial = 'apache/vhosts/static/partial.erb', + $vhost_source = 'absent', + $vhost_destination = 'absent', + $content = 'absent', + $domain = 'absent', + $domainalias = 'absent', + $server_admin = 'absent', + $allow_override = 'None', + $php_settings = {}, + $php_options = {}, + $cgi_binpath = 'absent', + $default_charset = 'absent', + $do_includes = false, + $options = 'absent', + $additional_options = 'absent', + $run_mode = 'normal', + $run_uid = 'absent', + $run_gid = 'absent', + $ssl_mode = false, + $htpasswd_file = 'absent', + $htpasswd_path = 'absent', + $mod_security = true, + $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', + $use_mod_macro = false, + $ldap_auth = false, + $ldap_user = 
'any', + $passing_extension = 'absent', + $gempath = 'absent' ) { # file or template mode? case $vhost_mode { 'file': { apache::vhost::file{$name: - ensure => $ensure, - vhost_source => $vhost_source, + ensure => $ensure, + vhost_source => $vhost_source, vhost_destination => $vhost_destination, - do_includes => $do_includes, - run_mode => $run_mode, - mod_security => $mod_security, - htpasswd_file => $htpasswd_file, - htpasswd_path => $htpasswd_path, - use_mod_macro => $use_mod_macro, + do_includes => $do_includes, + run_mode => $run_mode, + mod_security => $mod_security, + htpasswd_file => $htpasswd_file, + htpasswd_path => $htpasswd_path, + use_mod_macro => $use_mod_macro, } } 'template': { apache::vhost::template{$name: - ensure => $ensure, - path => $path, - path_is_webdir => $path_is_webdir, - logpath => $logpath, - logmode => $logmode, - domain => $domain, - domainalias => $domainalias, - server_admin => $server_admin, - cgi_binpath => $cgi_binpath, - allow_override => $allow_override, - do_includes => $do_includes, - options => $options, - additional_options => $additional_options, - default_charset => $default_charset, - php_settings => $php_settings, - php_options => $php_options, - run_mode => $run_mode, - run_uid => $run_uid, - run_gid => $run_gid, - template_partial => $template_partial, - ssl_mode => $ssl_mode, - htpasswd_file => $htpasswd_file, - htpasswd_path => $htpasswd_path, - ldap_auth => $ldap_auth, - ldap_user => $ldap_user, - mod_security => $mod_security, - mod_security_relevantonly => $mod_security_relevantonly, - mod_security_rules_to_disable => $mod_security_rules_to_disable, + ensure => $ensure, + path => $path, + path_is_webdir => $path_is_webdir, + logpath => $logpath, + logmode => $logmode, + domain => $domain, + domainalias => $domainalias, + server_admin => $server_admin, + cgi_binpath => $cgi_binpath, + allow_override => $allow_override, + do_includes => $do_includes, + options => $options, + additional_options => 
$additional_options, + default_charset => $default_charset, + php_settings => $php_settings, + php_options => $php_options, + run_mode => $run_mode, + run_uid => $run_uid, + run_gid => $run_gid, + template_partial => $template_partial, + ssl_mode => $ssl_mode, + htpasswd_file => $htpasswd_file, + htpasswd_path => $htpasswd_path, + ldap_auth => $ldap_auth, + ldap_user => $ldap_user, + mod_security => $mod_security, + mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, mod_security_additional_options => $mod_security_additional_options, - use_mod_macro => $use_mod_macro, - passing_extension => $passing_extension, - gempath => $gempath, + use_mod_macro => $use_mod_macro, + passing_extension => $passing_extension, + gempath => $gempath, } } - default: { fail("no such vhost_mode: $vhost_mode defined for $name.") } + default: { fail("No such vhost_mode: ${vhost_mode} defined for ${name}.") } } } -- cgit v1.2.3 From e4def9b31f5697b763235f3cdd7fd361927ce997 Mon Sep 17 00:00:00 2001 From: mh Date: Wed, 2 Jul 2014 21:35:19 +0200 Subject: pass down the logprefix --- manifests/vhost.pp | 2 ++ manifests/vhost/php/standard.pp | 2 ++ 2 files changed, 4 insertions(+) diff --git a/manifests/vhost.pp b/manifests/vhost.pp index 2f3a79e..0b3e4f3 100644 --- a/manifests/vhost.pp +++ b/manifests/vhost.pp @@ -34,6 +34,7 @@ define apache::vhost( $path_is_webdir = false, $logpath = 'absent', $logmode = 'default', + $logprefix = '', $vhost_mode = 'template', $template_partial = 'apache/vhosts/static/partial.erb', $vhost_source = 'absent', @@ -88,6 +89,7 @@ define apache::vhost( path_is_webdir => $path_is_webdir, logpath => $logpath, logmode => $logmode, + logprefix => $logprefix, domain => $domain, domainalias => $domainalias, server_admin => $server_admin, diff --git a/manifests/vhost/php/standard.pp b/manifests/vhost/php/standard.pp index e0eb1e6..bf7248c 100644 --- a/manifests/vhost/php/standard.pp 
+++ b/manifests/vhost/php/standard.pp @@ -31,6 +31,7 @@ define apache::vhost::php::standard( $server_admin = 'absent', $logmode = 'default', $logpath = 'absent', + $logprefix = '', $path = 'absent', $manage_webdir = true, $path_is_webdir = false, @@ -268,6 +269,7 @@ define apache::vhost::php::standard( server_admin => $server_admin, logmode => $logmode, logpath => $logpath, + logprefix => $logprefix, run_mode => $run_mode, run_uid => $run_uid, run_gid => $run_gid, -- cgit v1.2.3 From 058dbb366b96cae1f8fb0def65f73a698f1c375d Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 18 Jul 2014 10:09:41 +0200 Subject: make our autoconfig setup public --- files/conf.d/mozilla_autoconfig.conf | 6 +++ manifests/mozilla_autoconfig.pp | 37 ++++++++++++++++ templates/webfiles/autoconfig/config.shtml.erb | 58 ++++++++++++++++++++++++++ 3 files changed, 101 insertions(+) create mode 100644 files/conf.d/mozilla_autoconfig.conf create mode 100644 manifests/mozilla_autoconfig.pp create mode 100644 templates/webfiles/autoconfig/config.shtml.erb diff --git a/files/conf.d/mozilla_autoconfig.conf b/files/conf.d/mozilla_autoconfig.conf new file mode 100644 index 0000000..6e4f7db --- /dev/null +++ b/files/conf.d/mozilla_autoconfig.conf @@ -0,0 +1,6 @@ +Alias /.well-known/autoconfig/mail/config-v1.1.xml /var/www/autoconfig/config.shtml + + Options +Includes + AddType application/xml .shtml + AddOutputFilter INCLUDES .shtml + diff --git a/manifests/mozilla_autoconfig.pp b/manifests/mozilla_autoconfig.pp new file mode 100644 index 0000000..f16e5ec --- /dev/null +++ b/manifests/mozilla_autoconfig.pp 
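Review bot: `$logprefix = ''` introduces a second "unset" sentinel next to the `'absent'` convention every neighbouring parameter uses (`logpath`, `logmode`, `server_admin`); either use `'absent'` or document the empty-string default in the header comment, e.g. `# logprefix: prefix for this vhost's log file names; '' means none`. Where the template consumes the value is outside this hunk; if it becomes part of a log file path it should be restricted to something like `^[A-Za-z0-9_.-]*$` so a manifest typo cannot introduce a path separator. The same applies to the vhost.pp hunk at L129.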
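Review bot: `Options +Includes` turns on full SSI including `#exec`; the config.shtml template in this commit appears to need only variable echo, so `Options +IncludesNOEXEC` gives the same output with a smaller attack surface for anyone who can write under /var/www/autoconfig. The Directory container's opening tag is not visible in the flattened hunk, so I cannot confirm which path it scopes; a comment such as `# NOEXEC: the autoconfig template only echoes variables` would document the choice.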
@@ -0,0 +1,37 @@ +# setup autoconfig infos +# +# this will create a global autoconfig file, that maps +# any of your hosted domains on this host to a certain +# provider configuration. Which means, that you get a zero +# setup autoconfig for any domain that you host the website +# and the emails for. +# By default you only need to define the provider, which +# is usually your main domain. Everything else should be +# derived from that. +# You can however still fine tune things from it. +class apache::mozilla_autoconfig( + $provider, + $display_name = undef, + $shortname = undef, + $imap_server = undef, + $pop_server = undef, + $smtp_server = undef, + $documentation_url = undef, +) { + apache::config::global { 'mozilla_autoconfig.conf': } + + file{ + '/var/www/autoconfig': + ensure => directory, + require => Package['apache'], + owner => root, + group => apache, + mode => '0640'; + '/var/www/autoconfig/config.shtml': + content => template('apache/webfiles/autoconfig/config.shtml.erb'), + owner => root, + group => apache, + mode => '0640', + before => Service['apache'], + } +} diff --git a/templates/webfiles/autoconfig/config.shtml.erb b/templates/webfiles/autoconfig/config.shtml.erb new file mode 100644 index 0000000..3a3d6bb --- /dev/null +++ b/templates/webfiles/autoconfig/config.shtml.erb 
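Review bot: `/var/www/autoconfig` is created with `mode => '0640'` but it is a directory; without the group execute bit the `apache` group cannot traverse it, so the Alias to `config.shtml` will return 403 on a correctly unprivileged server. Use `mode => '0750'` for the directory and keep `0640` on the file. A comment on the class noting that the file is deliberately not world-readable (it is only ever served via the Alias) would make the permission choice explicit.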
@@ -0,0 +1,58 @@ + + + + + + + + + <%= @display_name || @provider %> Mail () + <%= @shortname || @provider.split('.').first %> + + <%= @imap_server || "imap.#{@provider}" %> + 143 + STARTTLS + password-cleartext + %EMAILADDRESS% + + + <%= @imap_server || "imap.#{@provider}" %> + 993 + SSL + password-cleartext + %EMAILADDRESS% + + + <%= @pop_server || "pop.#{@provider}" %> + 110 + STARTTLS + password-cleartext + %EMAILADDRESS% + + + <%= @pop_server || "pop.#{@provider}" %> + 995 + SSL + password-cleartext + %EMAILADDRESS% + + + <%= @smtp_server || "smtp.#{@provider}" %> + 587 + STARTTLS + password-cleartext + %EMAILADDRESS% + + + <%= @smtp_server || "smtp.#{@provider}"%> + 465 + SSL + password-cleartext + %EMAILADDRESS% + + "> + Allgemeine Beschreibung der Einstellungen + Generic settings page + + + -- cgit v1.2.3 From f7ef79b62be080b66cfb68cb6102cb3be2ea07d5 Mon Sep 17 00:00:00 2001 From: mh Date: Sun, 31 Aug 2014 13:35:48 +0200 Subject: add scl55 support --- manifests/vhost/php/standard.pp | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/manifests/vhost/php/standard.pp b/manifests/vhost/php/standard.pp index bf7248c..f22e920 100644 --- a/manifests/vhost/php/standard.pp +++ b/manifests/vhost/php/standard.pp @@ -238,6 +238,12 @@ define apache::vhost::php::standard( binary => '/opt/rh/php54/root/usr/bin/php-cgi', additional_cmds => 'source /opt/rh/php54/enable', } + } elsif $php_installation == 'scl55' { + require php::scl::php55 + Mod_fcgid::Starter[$name]{ + binary => '/opt/rh/php55/root/usr/bin/php-cgi', + additional_cmds => 'source /opt/rh/php55/enable', + } } } default: { include ::php } -- cgit v1.2.3 From 5697121bc552de20af35f4700f8ab08ea2d8d329 Mon Sep 17 00:00:00 2001 From: mh Date: Sun, 7 Sep 2014 23:08:28 +0200 Subject: be sure to parse the right php.ini --- manifests/vhost/php/standard.pp | 2 ++ 1 file changed, 2 insertions(+) diff --git a/manifests/vhost/php/standard.pp b/manifests/vhost/php/standard.pp index f22e920..86373a4 100644 
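Review bot: The parameter values are interpolated into the XML unescaped (`<%= @display_name || @provider %>`, the `*_server` fallbacks, and presumably the documentation URL near the end), so a display name containing `&` or `<` produces a malformed document that mail clients will reject; wrapping each value as `<%= ERB::Util.html_escape(@display_name || @provider) %>` keeps the output well-formed for any input. The values come from Puppet class parameters rather than from the request, so this is a robustness rather than an injection concern. The tag `<%= @smtp_server || "smtp.#{@provider}"%>` in the SSL SMTP block also lacks the space before `%>` that every other tag has.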
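Review bot: The new `scl55` branch is a copy of the `scl54` branch with the version number swapped, and the follow-up commit on the next line (adding `rc => '/opt/rh/php5x/root/etc'`) already has to be applied to both; deriving the SCL name from `$php_installation` once removes the duplication and means the next SCL release needs no new branch. In Puppet 3 an `if $x =~ /^scl(\d\d)$/` condition exposes the captured version as `$1` inside the block, and `require` accepts an interpolated class name. The opening `if $php_installation == 'scl54'` that this replaces starts above the hunk, and `php::scl::php<NN>` must exist for every version the pattern admits, so an explicit list of supported versions may still be preferable to a bare regex.
```puppet
if $php_installation =~ /^scl(\d\d)$/ {
  $scl_php = "php${1}"
  require "php::scl::${scl_php}"
  Mod_fcgid::Starter[$name]{
    binary          => "/opt/rh/${scl_php}/root/usr/bin/php-cgi",
    additional_cmds => "source /opt/rh/${scl_php}/enable",
  }
}
# … unchanged: closing of the fcgid case arm, default: { include ::php } …
```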
--- a/manifests/vhost/php/standard.pp +++ b/manifests/vhost/php/standard.pp @@ -237,12 +237,14 @@ define apache::vhost::php::standard( Mod_fcgid::Starter[$name]{ binary => '/opt/rh/php54/root/usr/bin/php-cgi', additional_cmds => 'source /opt/rh/php54/enable', + rc => '/opt/rh/php54/root/etc', } } elsif $php_installation == 'scl55' { require php::scl::php55 Mod_fcgid::Starter[$name]{ binary => '/opt/rh/php55/root/usr/bin/php-cgi', additional_cmds => 'source /opt/rh/php55/enable', + rc => '/opt/rh/php55/root/etc', } } } -- cgit v1.2.3 From 55df69cb0e722a3ce3c70e7db63ceb711f11e4ba Mon Sep 17 00:00:00 2001 From: mh Date: Sun, 7 Sep 2014 23:21:48 +0200 Subject: set the rc correctly also for std. php --- manifests/vhost/php/standard.pp | 1 + 1 file changed, 1 insertion(+) diff --git a/manifests/vhost/php/standard.pp b/manifests/vhost/php/standard.pp index 86373a4..52743f9 100644 --- a/manifests/vhost/php/standard.pp +++ b/manifests/vhost/php/standard.pp @@ -231,6 +231,7 @@ define apache::vhost::php::standard( owner => $run_uid, group => $run_gid, notify => Service['apache'], + rc => '/etc', } if $php_installation == 'scl54' { require php::scl::php54 -- cgit v1.2.3 From 5b8288629495c1b84a61880c9bcfef21e84b4b12 Mon Sep 17 00:00:00 2001 From: mh Date: Sun, 7 Sep 2014 23:24:25 +0200 Subject: no need for that --- manifests/vhost/php/standard.pp | 1 - 1 file changed, 1 deletion(-) diff --git a/manifests/vhost/php/standard.pp b/manifests/vhost/php/standard.pp index 52743f9..86373a4 100644 --- a/manifests/vhost/php/standard.pp +++ b/manifests/vhost/php/standard.pp @@ -231,7 +231,6 @@ define apache::vhost::php::standard( owner => $run_uid, group => $run_gid, notify => Service['apache'], - rc => '/etc', } if $php_installation == 'scl54' { require php::scl::php54 -- cgit v1.2.3 From 9a5b4d4b56ce78d918ef6a978047bdc4d9bfb72a Mon Sep 17 00:00:00 2001 
From: mh Date: Sun, 12 Oct 2014 12:18:05 +0200 Subject: a first shot of tests --- .gitignore | 5 + .rspec | 2 + Gemfile | 13 + Puppetfile | 15 + Rakefile | 26 ++ manifests/file/rw.pp | 17 +- manifests/gentoo.pp | 59 ++-- manifests/init.pp | 8 +- manifests/vhost/php/silverstripe.pp | 2 +- manifests/vhost/php/typo3.pp | 2 +- manifests/vhost/php/wordpress.pp | 2 +- spec/classes/init_spec.rb | 43 +++ spec/defines/vhost_file_spec.rb | 131 ++++++++ spec/defines/vhost_php_drupal_spec.rb | 187 +++++++++++ spec/defines/vhost_php_gallery2_spec.rb | 162 ++++++++++ spec/defines/vhost_php_joomla_spec.rb | 279 ++++++++++++++++ spec/defines/vhost_php_standard_spec.rb | 534 +++++++++++++++++++++++++++++++ spec/defines/vhost_php_webapp_spec.rb | 261 +++++++++++++++ spec/defines/vhost_php_wordpress_spec.rb | 171 ++++++++++ spec/defines/vhost_spec.rb | 202 ++++++++++++ spec/defines/vhost_static_spec.rb | 54 ++++ spec/defines/vhost_template_spec.rb | 297 +++++++++++++++++ spec/spec_helper.rb | 13 + 23 files changed, 2443 insertions(+), 42 deletions(-) create mode 100644 .rspec create mode 100644 Gemfile create mode 100644 Puppetfile create mode 100644 Rakefile create mode 100644 spec/classes/init_spec.rb create mode 100644 spec/defines/vhost_file_spec.rb create mode 100644 spec/defines/vhost_php_drupal_spec.rb create mode 100644 spec/defines/vhost_php_gallery2_spec.rb create mode 100644 spec/defines/vhost_php_joomla_spec.rb create mode 100644 spec/defines/vhost_php_standard_spec.rb create mode 100644 spec/defines/vhost_php_webapp_spec.rb create mode 100644 spec/defines/vhost_php_wordpress_spec.rb create mode 100644 spec/defines/vhost_spec.rb create mode 100644 spec/defines/vhost_static_spec.rb create mode 100644 spec/defines/vhost_template_spec.rb create mode 100644 spec/spec_helper.rb diff --git a/.gitignore b/.gitignore index 6583f29..cb918d8 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,6 @@ .tmp_*~ +.librarian +.tmp +spec/fixtures/modules +spec/fixtures/manifests +*.lock 
diff --git a/.rspec b/.rspec new file mode 100644 index 0000000..8c18f1a --- /dev/null +++ b/.rspec @@ -0,0 +1,2 @@ +--format documentation +--color diff --git a/Gemfile b/Gemfile new file mode 100644 index 0000000..b1fc981 --- /dev/null +++ b/Gemfile @@ -0,0 +1,13 @@ +source 'https://rubygems.org' + +if ENV.key?('PUPPET_VERSION') + puppetversion = "~> #{ENV['PUPPET_VERSION']}" +else + puppetversion = ['>= 3.3.1'] +end + +gem 'puppet', puppetversion +gem 'puppet-lint', '>=0.3.2' +gem 'puppetlabs_spec_helper', '>=0.2.0' +gem 'rake', '>=0.9.2.2' +gem 'librarian-puppet', '>=0.9.10' diff --git a/Puppetfile b/Puppetfile new file mode 100644 index 0000000..86d58ae --- /dev/null +++ b/Puppetfile @@ -0,0 +1,15 @@ +# empty + +forge 'https://forgeapi.puppetlabs.com' + +mod 'shorewall', :git => 'https://git-ipuppet.immerda.ch/module-shorewall' +mod 'templatewlv', :git => 'https://git-ipuppet.immerda.ch/module-templatewlv' +mod 'mod_security', :git => 'https://git-ipuppet.immerda.ch/module-mod_security' +mod 'mod_fcgid', :git => 'https://git-ipuppet.immerda.ch/module-mod_fcgid' +mod 'php', :git => 'https://git-ipuppet.immerda.ch/module-php' +mod 'perl', :git => 'https://git-ipuppet.immerda.ch/module-perl' +mod 'scl', :git => 'https://git-ipuppet.immerda.ch/module-scl' +mod 'yum', :git => 'https://git-ipuppet.immerda.ch/module-yum' +mod 'puppetlabs-stdlib' +mod 'puppetlabs-concat' +#mod 'munin', :git => 'https://git-ipuppet.immerda.ch/module-munin' diff --git a/Rakefile b/Rakefile new file mode 100644 index 0000000..ec1c52b --- /dev/null +++ b/Rakefile 
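Review bot: Every dependency in the Gemfile is declared with an open-ended `>=` bound (`gem 'puppet-lint', '>=0.3.2'`, `gem 'rake', '>=0.9.2.2'`, and so on) and the Puppetfile in the same commit pulls eight modules from git without a `:ref`, while the `.gitignore` hunk of this commit adds `*.lock`; together this means no two runs of the suite are guaranteed to resolve the same code, and an incompatible or compromised upstream release is picked up silently. Pessimistic constraints (`gem 'puppet-lint', '~> 0.3'`) or a committed `Gemfile.lock`, plus `:ref => '<tag-or-sha>'` on each git module entry, would make the fixture set reproducible. The `# empty` comment at the top of the Puppetfile is also stale now that the file has content.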
@@ -0,0 +1,26 @@ +require 'bundler' +Bundler.require(:rake) + +require 'puppetlabs_spec_helper/rake_tasks' +require 'puppet-lint/tasks/puppet-lint' + +Rake::Task[:lint].clear +PuppetLint::RakeTask.new :lint do |config| + config.ignore_paths = ["spec/**/*.pp", "vendor/**/*.pp"] + config.log_format = '%{path}:%{linenumber}:%{KIND}: %{message}' + config.disable_checks = [ "class_inherits_from_params_class", "80chars" ] +end + +# use librarian-puppet to manage fixtures instead of .fixtures.yml +# offers more possibilities like explicit version management, forge downloads,... +task :librarian_spec_prep do + sh "librarian-puppet install --path=spec/fixtures/modules/" + pwd = `pwd`.strip + unless File.directory?("#{pwd}/spec/fixtures/modules/apache") + sh "ln -s #{pwd} #{pwd}/spec/fixtures/modules/apache" + end +end +task :spec_prep => :librarian_spec_prep + + +task :default => [:spec, :lint] diff --git a/manifests/file/rw.pp b/manifests/file/rw.pp index 87b666f..0f258bf 100644 --- a/manifests/file/rw.pp +++ b/manifests/file/rw.pp @@ -1,12 +1,13 @@ +# a file that is writable by apache define apache::file::rw( - $owner = root, - $group = 0, - $mode = 0660 + $owner = root, + $group = 0, + $mode = '0660', ) { - apache::file{$name: - owner => $owner, - group => $group, - mode => $mode, - } + apache::file{$name: + owner => $owner, + group => $group, + mode => $mode, + } } diff --git a/manifests/gentoo.pp b/manifests/gentoo.pp index 86be087..3a13977 100644 --- a/manifests/gentoo.pp +++ b/manifests/gentoo.pp 
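Review bot: In the `librarian_spec_prep` task, `pwd = \`pwd\`.strip` shells out for a value Ruby already has, and the following `sh "ln -s #{pwd} #{pwd}/spec/fixtures/modules/apache"` interpolates that path into a shell command line, which breaks for checkouts whose path contains spaces or shell metacharacters; `pwd = Dir.pwd` and `File.symlink(pwd, File.join(pwd, 'spec/fixtures/modules/apache'))` do the same without a shell. `File.directory?` returns false for a dangling symlink left by a moved checkout, so the link would then be re-created and fail; `File.symlink?` is the right guard. The same list-form treatment applies to `sh 'librarian-puppet', 'install', '--path=spec/fixtures/modules/'`.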
@@ -1,34 +1,39 @@ ### gentoo class apache::gentoo inherits apache::package { - $config_dir = '/etc/apache2' + $config_dir = '/etc/apache2' - # needs module gentoo - gentoo::etcconfd { - apache2: require => "Package[apache]", - notify => Service[apache], - } - Package[apache]{ - category => 'www-servers', - } - File[vhosts_dir]{ - path => "$config_dir/vhosts.d", - } - File[modules_dir]{ - path => "$config_dir/modules.d", - } + # needs module gentoo + gentoo::etcconfd { + 'apache2': + require => Package['apache'], + notify => Service['apache'], + } + Package['apache']{ + category => 'www-servers', + } + File[vhosts_dir]{ + path => "${config_dir}/vhosts.d", + } + File[modules_dir]{ + path => "${config_dir}/modules.d", + } - apache::gentoo::module { '00_default_settings': } - apache::gentoo::module { '00_error_documents': } - apache::config::file { 'default_vhost.include': - source => "apache/vhosts.d/default_vhost.include", - destination => "$config_dir/vhosts.d/default_vhost.include", - } + apache::gentoo::module{ + '00_default_settings':; + '00_error_documents':; + } + apache::config::file { 'default_vhost.include': + source => 'apache/vhosts.d/default_vhost.include', + destination => "${config_dir}/vhosts.d/default_vhost.include", + } - # set the default for the ServerName - file{"${config_dir}/modules.d/00_default_settings_ServerName.conf": - content => "ServerName ${::fqdn}\n", - require => Package[apache], - owner => root, group => 0, mode => 0644; - } + # set the default for the ServerName + file{"${config_dir}/modules.d/00_default_settings_ServerName.conf": + content => "ServerName ${::fqdn}\n", + require => Package[apache], + owner => root, + group => 0, + mode => '0644'; + } } diff --git a/manifests/init.pp b/manifests/init.pp index 87149d8..a974c9c 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
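Review bot: The rewrite quotes the resource references it touches (`Package['apache']`, `Service['apache']`) but leaves `require => Package[apache],` on the ServerName file resource unquoted, along with the `File[vhosts_dir]` and `File[modules_dir]` collectors, so the file ends up half-migrated to the quoted form. Changing the ServerName resource to `require => Package['apache'],` would finish the job this commit starts; the bareword titles in the two collectors can be quoted the same way if the lint configuration added in this commit is meant to be clean.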
@@ -14,11 +14,11 @@ # manage a simple apache class apache( - $cluster_node = '', + $cluster_node = '', $manage_shorewall = false, - $manage_munin = false, - $no_default_site = false, - $ssl = false + $manage_munin = false, + $no_default_site = false, + $ssl = false ) { case $::operatingsystem { centos: { include apache::centos } diff --git a/manifests/vhost/php/silverstripe.pp b/manifests/vhost/php/silverstripe.pp index e7c7f24..81b0d7f 100644 --- a/manifests/vhost/php/silverstripe.pp +++ b/manifests/vhost/php/silverstripe.pp @@ -72,7 +72,7 @@ define apache::vhost::php::silverstripe( default => "${path}/www" } $modsec_rules = ['960010'] - $real_mod_security_rules_to_disable = array_union($mod_security_rules_to_disable,$modsec_rules) + $real_mod_security_rules_to_disable = union($mod_security_rules_to_disable,$modsec_rules) # create vhost configuration file ::apache::vhost::php::webapp{$name: diff --git a/manifests/vhost/php/typo3.pp b/manifests/vhost/php/typo3.pp index 518f898..a963c70 100644 --- a/manifests/vhost/php/typo3.pp +++ b/manifests/vhost/php/typo3.pp @@ -70,7 +70,7 @@ define apache::vhost::php::typo3( } $modsec_rules = ['960010'] - $real_mod_security_rules_to_disable = array_union($mod_security_rules_to_disable,$modsec_rules) + $real_mod_security_rules_to_disable = union($mod_security_rules_to_disable,$modsec_rules) if $mod_security_additional_options == 'absent' { $real_mod_security_additional_options = ' diff --git a/manifests/vhost/php/wordpress.pp b/manifests/vhost/php/wordpress.pp index 268f33e..00e1898 100644 --- a/manifests/vhost/php/wordpress.pp +++ b/manifests/vhost/php/wordpress.pp 
@@ -70,7 +70,7 @@ define apache::vhost::php::wordpress( default => "${path}/www" } $modsec_rules = ["960010", "950018"] - $real_mod_security_rules_to_disable = array_union($mod_security_rules_to_disable,$modsec_rules) + $real_mod_security_rules_to_disable = union($mod_security_rules_to_disable,$modsec_rules) # create vhost configuration file apache::vhost::php::webapp{$name: diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb new file mode 100644 index 0000000..baf2647 --- /dev/null +++ b/spec/classes/init_spec.rb @@ -0,0 +1,43 @@ +require File.expand_path(File.join(File.dirname(__FILE__),'../spec_helper')) + +describe 'apache', :type => 'class' do + describe 'with standard' do + #puppet-rspec bug + #it { should compile.with_all_deps } + + it { should contain_class('apache::base') } + it { should_not contain_class('apache::status') } + it { should_not contain_class('shorewall::rules::http') } + it { should_not contain_class('apache::ssl') } + context 'on centos' do + let(:facts) { + { + :operatingsystem => 'CentOS', + } + } + it { should contain_class('apache::centos') } + end + end + describe 'with params' do + let(:facts) { + { + :concat_basedir => '/var/lib/puppet/concat' + } + } + let(:params){ + { + :manage_shorewall => true, + # there is puppet-librarian bug in using that module + #:manage_munin => true, + :ssl => true, + } + } + #puppet-rspec bug + #it { should compile.with_all_deps } + + it { should contain_class('apache::base') } + it { should_not contain_class('apache::status') } + it { should contain_class('shorewall::rules::http') } + it { should contain_class('apache::ssl') } + end +end diff --git a/spec/defines/vhost_file_spec.rb b/spec/defines/vhost_file_spec.rb new file mode 100644 index 0000000..ed9ac5e --- /dev/null +++ b/spec/defines/vhost_file_spec.rb 
@@ -0,0 +1,131 @@ +require File.expand_path(File.join(File.dirname(__FILE__),'../spec_helper')) + +describe 'apache::vhost::file', :type => 'define' do + let(:title){ 'example.com' } + let(:facts){ + { + :fqdn => 'apache.example.com', + } + } + let(:pre_condition) { + 'include apache' + } + describe 'with standard' do + it { should contain_file('example.com.conf').with( + :ensure => 'present', + :source => [ "puppet:///modules/site_apache/vhosts.d/apache.example.com/example.com.conf", + "puppet:///modules/site_apache/vhosts.d//example.com.conf", + "puppet:///modules/site_apache/vhosts.d/./example.com.conf", + "puppet:///modules/site_apache/vhosts.d//example.com.conf", + "puppet:///modules/site_apache/vhosts.d/example.com.conf", + "puppet:///modules/apache/vhosts.d/./example.com.conf", + "puppet:///modules/apache/vhosts.d//example.com.conf", + "puppet:///modules/apache/vhosts.d/example.com.conf" ], + :path => '/etc/apache2/vhosts.d/example.com.conf', + :require => 'File[vhosts_dir]', + :notify => 'Service[apache]', + :owner => 'root', + :group => 0, + :mode => '0644', + )} + it { should_not contain_file('/var/www/htpasswds/example.com') } + it { should_not contain_class('apache::includes') } + it { should_not contain_class('apache::mod_macro') } + it { should_not contain_class('apache::noiplog') } + it { should_not contain_class('apache::itk::lock') } + it { should_not contain_class('mod_security::itk_plus') } + it { should_not contain_class('mod_security') } + end + context 'on centos' do + let(:facts){ + { + :fqdn => 'apache.example.com', + :operatingsystem => 'CentOS', + :operatingsystemmajrelease => '7', + } + } + it { should contain_file('example.com.conf').with( + :ensure => 'present', + :source => [ "puppet:///modules/site_apache/vhosts.d/apache.example.com/example.com.conf", + "puppet:///modules/site_apache/vhosts.d//example.com.conf", + "puppet:///modules/site_apache/vhosts.d/CentOS.7/example.com.conf", + 
"puppet:///modules/site_apache/vhosts.d/CentOS/example.com.conf", + "puppet:///modules/site_apache/vhosts.d/example.com.conf", + "puppet:///modules/apache/vhosts.d/CentOS.7/example.com.conf", + "puppet:///modules/apache/vhosts.d/CentOS/example.com.conf", + "puppet:///modules/apache/vhosts.d/example.com.conf" ], + :path => '/etc/httpd/vhosts.d/example.com.conf', + :require => 'File[vhosts_dir]', + :notify => 'Service[apache]', + :owner => 'root', + :group => 0, + :mode => '0644', + )} + it { should_not contain_file('/var/www/htpasswds/example.com') } + it { should_not contain_class('apache::includes') } + it { should_not contain_class('apache::mod_macro') } + it { should_not contain_class('apache::noiplog') } + it { should_not contain_class('apache::itk::lock') } + it { should_not contain_class('mod_security::itk_plus') } + it { should_not contain_class('mod_security') } + context 'with params' do + let(:params) { + { + :vhost_destination => '/tmp/a/example.com.conf', + :vhost_source => 'modules/my_module/example.com.conf', + :htpasswd_file => true, + :do_includes => true, + :mod_security => true, + :use_mod_macro => true, + :logmode => 'anonym', + } + } + it { should contain_file('example.com.conf').with( + :ensure => 'present', + :source => 'puppet:///modules/my_module/example.com.conf', + :path => '/tmp/a/example.com.conf', + :require => 'File[vhosts_dir]', + :notify => 'Service[apache]', + :owner => 'root', + :group => 0, + :mode => '0644', + )} + it { should contain_file('/var/www/htpasswds/example.com').with( + :source => [ "puppet:///modules/site_apache/htpasswds/apache.example.com/example.com", + "puppet:///modules/site_apache/htpasswds//example.com", + "puppet:///modules/site_apache/htpasswds/example.com" ], + :owner => 'root', + :group => 0, + :mode => '0644', + )} + it { should contain_class('apache::includes') } + it { should contain_class('apache::mod_macro') } + it { should contain_class('apache::noiplog') } + it { should_not 
contain_class('apache::itk::lock') } + it { should_not contain_class('mod_security::itk_plus') } + it { should contain_class('mod_security') } + end + context 'with content' do + let(:params) { + { + :content => "\n Servername example.com\n" + } + } + it { should contain_file('example.com.conf').with( + :ensure => 'present', + :path => '/etc/httpd/vhosts.d/example.com.conf', + :require => 'File[vhosts_dir]', + :notify => 'Service[apache]', + :owner => 'root', + :group => 0, + :mode => '0644', + )} + it { should contain_file('example.com.conf').with_content( +" + Servername example.com +" + )} + it { should_not contain_file('/var/www/htpasswds/example.com') } + end + end +end diff --git a/spec/defines/vhost_php_drupal_spec.rb b/spec/defines/vhost_php_drupal_spec.rb new file mode 100644 index 0000000..5256746 --- /dev/null +++ b/spec/defines/vhost_php_drupal_spec.rb 
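Review bot: The `with params` example pins `/var/www/htpasswds/example.com` to `:mode => '0644'`, which freezes a world-readable htpasswd file (password hashes) into the contract of `apache::vhost::file`; if that is the define's current behaviour it is worth tightening to `'0640'` with the web server's group in the define and updating this expectation, rather than documenting it as intended. The define under test is not part of this commit, so this is an observation about what the spec locks in. Separately, the `with standard` example at the top of this file expects `vhosts.d//example.com.conf` and `vhosts.d/./example.com.conf` entries in `:source`, which arise from unset `operatingsystem` facts; setting those facts as the `on centos` context does would assert a realistic source list instead of the degenerate one.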
@@ -0,0 +1,187 @@ +require File.expand_path(File.join(File.dirname(__FILE__),'../spec_helper')) + +describe 'apache::vhost::php::drupal', :type => 'define' do + let(:title){ 'example.com' } + let(:facts){ + { + :fqdn => 'apache.example.com', + :operatingsystem => 'CentOS', + :operatingsystemmajrelease => '7', + } + } + describe 'with standard' do + it { should contain_file('/etc/cron.d/drupal_cron_example.com').with( + :content => "0 * * * * apache wget -O - -q -t 1 http://example.com/cron.php\n", + :owner => 'root', + :group => 0, + :mode => '0644', + )} + # only test the differences from the default + it { should contain_apache__vhost__php__webapp('example.com').with( + :manage_directories => false, + :template_partial => 'apache/vhosts/php_drupal/partial.erb', + :manage_config => false, + :php_settings => { + 'magic_quotes_gpc' => 0, + 'register_globals' => 0, + 'session.auto_start' => 0, + 'mbstring.http_input' => 'pass', + 'mbstring.http_output' => 'pass', + 'mbstring.encoding_translation' => 0, + } + )} + # go deeper in the catalog and test the produced template + it { should contain_apache__vhost__file('example.com').with_content( +" + + Include include.d/defaults.inc + ServerName example.com + DocumentRoot /var/www/vhosts/example.com/www/ + DirectoryIndex index.htm index.html index.php + + + ErrorLog /var/www/vhosts/example.com/logs/error_log + CustomLog /var/www/vhosts/example.com/logs/access_log combined + + + + + AllowOverride None + + + php_admin_flag engine on + php_admin_value error_log /var/www/vhosts/example.com/logs/php_error_log + php_admin_value magic_quotes_gpc 0 + php_admin_value mbstring.encoding_translation 0 + php_admin_value mbstring.http_input pass + php_admin_value mbstring.http_output pass + php_admin_value open_basedir /var/www/vhosts/example.com/www:/var/www/vhosts/example.com/data:/var/www/upload_tmp_dir/example.com:/var/www/session.save_path/example.com + php_admin_value register_globals 0 + php_admin_flag safe_mode on + 
php_admin_value session.auto_start 0 + php_admin_value session.save_path /var/www/session.save_path/example.com + php_admin_value upload_tmp_dir /var/www/upload_tmp_dir/example.com + + # Protect files and directories from prying eyes. + + Order allow,deny + + + # Customized error messages. + ErrorDocument 404 /index.php + + RewriteEngine on + RewriteCond %{REQUEST_FILENAME} !-f + RewriteCond %{REQUEST_FILENAME} !-d + RewriteRule ^(.*)$ index.php?q=$1 [L,QSA] + + + SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006 + Options None + Options +FollowSymLinks + + + + SecRuleEngine On + SecAuditEngine RelevantOnly + SecAuditLogType Concurrent + SecAuditLogStorageDir /var/www/vhosts/example.com/logs/ + SecAuditLog /var/www/vhosts/example.com/logs/mod_security_audit.log + SecDebugLog /var/www/vhosts/example.com/logs/mod_security_debug.log + + + +" +)} + end + describe 'with mod_fcgid' do + let(:params){ + { + :run_mode => 'fcgid', + :run_uid => 'foo', + :run_gid => 'bar', + } + } + it { should contain_file('/etc/cron.d/drupal_cron_example.com').with( + :content => "0 * * * * apache wget -O - -q -t 1 http://example.com/cron.php\n", + :owner => 'root', + :group => 0, + :mode => '0644', + )} + # only test variables that are tuned + it { should contain_apache__vhost__php__webapp('example.com').with( + :run_mode => 'fcgid', + :run_uid => 'foo', + :run_gid => 'bar', + :manage_directories => false, + :template_partial => 'apache/vhosts/php_drupal/partial.erb', + :manage_config => false, + :php_settings => { + 'magic_quotes_gpc' => 0, + 'register_globals' => 0, + 'session.auto_start' => 0, + 'mbstring.http_input' => 'pass', + 'mbstring.http_output' => 'pass', + 'mbstring.encoding_translation' => 0, + }, + )} + # go deeper in the catalog and test the produced template + it { should contain_apache__vhost__file('example.com').with_content( +" + + Include include.d/defaults.inc + ServerName example.com + DocumentRoot /var/www/vhosts/example.com/www/ + DirectoryIndex index.htm 
index.html index.php + + + ErrorLog /var/www/vhosts/example.com/logs/error_log + CustomLog /var/www/vhosts/example.com/logs/access_log combined + + + + + SuexecUserGroup foo bar + FcgidMaxRequestsPerProcess 5000 + FCGIWrapper /var/www/mod_fcgid-starters/example.com/example.com-starter .php + AddHandler fcgid-script .php + + + + AllowOverride None + Options +ExecCGI + + + # Protect files and directories from prying eyes. + + Order allow,deny + + + # Customized error messages. + ErrorDocument 404 /index.php + + RewriteEngine on + RewriteCond %{REQUEST_FILENAME} !-f + RewriteCond %{REQUEST_FILENAME} !-d + RewriteRule ^(.*)$ index.php?q=$1 [L,QSA] + + + SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006 + Options None + Options +FollowSymLinks + + + + SecRuleEngine On + SecAuditEngine RelevantOnly + SecAuditLogType Concurrent + SecAuditLogStorageDir /var/www/vhosts/example.com/logs/ + SecAuditLog /var/www/vhosts/example.com/logs/mod_security_audit.log + SecDebugLog /var/www/vhosts/example.com/logs/mod_security_debug.log + + + +" +)} + end +end diff --git a/spec/defines/vhost_php_gallery2_spec.rb b/spec/defines/vhost_php_gallery2_spec.rb new file mode 100644 index 0000000..9f2325e --- /dev/null +++ b/spec/defines/vhost_php_gallery2_spec.rb 
@@ -0,0 +1,162 @@ +require File.expand_path(File.join(File.dirname(__FILE__),'../spec_helper')) + +describe 'apache::vhost::php::gallery2', :type => 'define' do + let(:title){ 'example.com' } + let(:facts){ + { + :fqdn => 'apache.example.com', + :operatingsystem => 'CentOS', + :operatingsystemmajrelease => '7', + } + } + describe 'with standard' do + # only test the differences from the default + it { should contain_apache__vhost__php__webapp('example.com').with( + :manage_directories => true, + :template_partial => 'apache/vhosts/php_gallery2/partial.erb', + :php_settings => { + 'safe_mode' => 'Off', + 'output_buffering' => 'Off', + }, + :manage_config => true, + :config_webwriteable => false, + :config_file => 'config.php', + )} + it { should contain_file('/var/www/vhosts/example.com/data/upload').with( + :ensure => 'directory', + :owner => 'apache', + :group => 0, + :mode => '0660', + )} + it { should contain_file('/var/www/vhosts/example.com/data/gdata').with( + :ensure => 'directory', + :owner => 'apache', + :group => 0, + :mode => '0660', + )} + # go deeper in the catalog and test the produced template + it { should contain_apache__vhost__file('example.com').with_content( +" + + Include include.d/defaults.inc + ServerName example.com + DocumentRoot /var/www/vhosts/example.com/www/ + DirectoryIndex index.htm index.html index.php + + + ErrorLog /var/www/vhosts/example.com/logs/error_log + CustomLog /var/www/vhosts/example.com/logs/access_log combined + + + + + AllowOverride None + + php_admin_flag engine on + php_admin_value error_log /var/www/vhosts/example.com/logs/php_error_log + php_admin_value open_basedir /var/www/vhosts/example.com/www:/var/www/vhosts/example.com/data:/var/www/upload_tmp_dir/example.com:/var/www/session.save_path/example.com + php_admin_flag output_buffering off + php_admin_flag safe_mode off + php_admin_value session.save_path /var/www/session.save_path/example.com + php_admin_value upload_tmp_dir /var/www/upload_tmp_dir/example.com + + 
+ + # Always rewrite login's + # Source: http://gallery.menalto.com/node/30558 + RewriteEngine On + RewriteCond %{HTTPS} !=on + RewriteCond %{HTTP:X-Forwarded-Proto} !=https + RewriteCond %{HTTP_COOKIE} ^GALLERYSID= [OR] + RewriteCond %{QUERY_STRING} subView=core\\.UserLogin + RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [NE,R,L] + + + + SecRuleEngine Off + SecAuditEngine Off + SecAuditLogType Concurrent + SecAuditLogStorageDir /var/www/vhosts/example.com/logs/ + SecAuditLog /var/www/vhosts/example.com/logs/mod_security_audit.log + SecDebugLog /var/www/vhosts/example.com/logs/mod_security_debug.log + + + +" +)} + end + describe 'with mod_fcgid' do + let(:params){ + { + :run_mode => 'fcgid', + :run_uid => 'foo', + :run_gid => 'bar', + } + } + # only test variables that are tuned + it { should contain_apache__vhost__php__webapp('example.com').with( + :run_mode => 'fcgid', + :run_uid => 'foo', + :run_gid => 'bar', + :template_partial => 'apache/vhosts/php_gallery2/partial.erb', + :php_settings => { + 'safe_mode' => 'Off', + 'output_buffering' => 'Off', + }, + :manage_directories => true, + :manage_config => true, + :config_webwriteable => false, + :config_file => 'config.php', + )} + # go deeper in the catalog and test the produced template + it { should contain_apache__vhost__file('example.com').with_content( +" + + Include include.d/defaults.inc + ServerName example.com + DocumentRoot /var/www/vhosts/example.com/www/ + DirectoryIndex index.htm index.html index.php + + + ErrorLog /var/www/vhosts/example.com/logs/error_log + CustomLog /var/www/vhosts/example.com/logs/access_log combined + + + + + SuexecUserGroup foo bar + FcgidMaxRequestsPerProcess 5000 + FCGIWrapper /var/www/mod_fcgid-starters/example.com/example.com-starter .php + AddHandler fcgid-script .php + + + + AllowOverride None + Options +ExecCGI + + + + # Always rewrite login's + # Source: http://gallery.menalto.com/node/30558 + RewriteEngine On + RewriteCond %{HTTPS} !=on + RewriteCond 
%{HTTP:X-Forwarded-Proto} !=https + RewriteCond %{HTTP_COOKIE} ^GALLERYSID= [OR] + RewriteCond %{QUERY_STRING} subView=core\\.UserLogin + RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [NE,R,L] + + + + SecRuleEngine Off + SecAuditEngine Off + SecAuditLogType Concurrent + SecAuditLogStorageDir /var/www/vhosts/example.com/logs/ + SecAuditLog /var/www/vhosts/example.com/logs/mod_security_audit.log + SecDebugLog /var/www/vhosts/example.com/logs/mod_security_debug.log + + + +" +)} + end +end diff --git a/spec/defines/vhost_php_joomla_spec.rb b/spec/defines/vhost_php_joomla_spec.rb new file mode 100644 index 0000000..000154d --- /dev/null +++ b/spec/defines/vhost_php_joomla_spec.rb 
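Review bot: The expected rewrite block honours `RewriteCond %{HTTP:X-Forwarded-Proto} !=https` unconditionally, and since that header is supplied by the client, a request carrying it is exempted from the forced-HTTPS redirect for `GALLERYSID`/`UserLogin` requests unless a trusted reverse proxy in front rewrites the header; this spec now pins that behaviour as correct for both the standard and the fcgid case. If the partial is meant for deployments behind a TLS-terminating proxy, a comment in `apache/vhosts/php_gallery2/partial.erb` (and in this spec) saying so would make the assumption explicit; otherwise the condition should only apply when `REMOTE_ADDR` is the proxy. The partial itself is not part of this commit, so the fix belongs there and this expectation would follow.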
@@ -0,0 +1,279 @@ +require File.expand_path(File.join(File.dirname(__FILE__),'../spec_helper')) + +describe 'apache::vhost::php::joomla', :type => 'define' do + let(:title){ 'example.com' } + let(:facts){ + { + :fqdn => 'apache.example.com', + :operatingsystem => 'CentOS', + :operatingsystemmajrelease => '7', + } + } + describe 'with standard' do + it { should contain_class('apache::include::joomla') } + # only test the differences from the default + it { should contain_apache__vhost__php__webapp('example.com').with( + :template_partial => 'apache/vhosts/php_joomla/partial.erb', + :php_settings => { + 'allow_url_fopen' => 'on', + 'allow_url_include' => 'off', + }, + :manage_config => true, + :config_webwriteable => false, + :config_file => 'configuration.php', + :manage_directories => true, + :managed_directories => [ "/var/www/vhosts/example.com/www/administrator/backups", + "/var/www/vhosts/example.com/www/administrator/components", + "/var/www/vhosts/example.com/www/administrator/language", + "/var/www/vhosts/example.com/www/administrator/modules", + "/var/www/vhosts/example.com/www/administrator/templates", + "/var/www/vhosts/example.com/www/components", + "/var/www/vhosts/example.com/www/dmdocuments", + "/var/www/vhosts/example.com/www/images", + "/var/www/vhosts/example.com/www/language", + "/var/www/vhosts/example.com/www/media", + "/var/www/vhosts/example.com/www/modules", + "/var/www/vhosts/example.com/www/plugins", + "/var/www/vhosts/example.com/www/templates", + "/var/www/vhosts/example.com/www/cache", + "/var/www/vhosts/example.com/www/tmp", + "/var/www/vhosts/example.com/www/administrator/cache" ], + :mod_security_additional_options => " + # http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html + # Exceptions for Joomla Root Directory + + SecRuleRemoveById 950013 + + + # Exceptions for Joomla Administration Panel + SecRule REQUEST_FILENAME \"/administrator/index2.php\" \"id:1199400,allow,phase:1,nolog,ctl:ruleEngine=Off\" + 
+ # Exceptions for Joomla Component Expose + + SecRuleRemoveById 960010 + +" + )} + # go deeper in the catalog and test the produced template + it { should contain_apache__vhost__file('example.com').with_content( +" + + Include include.d/defaults.inc + ServerName example.com + DocumentRoot /var/www/vhosts/example.com/www/ + DirectoryIndex index.htm index.html index.php + + + ErrorLog /var/www/vhosts/example.com/logs/error_log + CustomLog /var/www/vhosts/example.com/logs/access_log combined + + + + + AllowOverride None + + php_admin_flag allow_url_fopen on + php_admin_flag allow_url_include off + php_admin_flag engine on + php_admin_value error_log /var/www/vhosts/example.com/logs/php_error_log + php_admin_value open_basedir /var/www/vhosts/example.com/www:/var/www/vhosts/example.com/data:/var/www/upload_tmp_dir/example.com:/var/www/session.save_path/example.com + php_admin_flag safe_mode on + php_admin_value session.save_path /var/www/session.save_path/example.com + php_admin_value upload_tmp_dir /var/www/upload_tmp_dir/example.com + + + + Include include.d/joomla.inc + + + + RewriteEngine on + + # Rewrite URLs to https that go for the admin area + RewriteCond %{REMOTE_ADDR} !^127\\.[0-9]+\\.[0-9]+\\.[0-9]+$ + RewriteCond %{HTTPS} !=on + RewriteCond %{REQUEST_URI} (.*/administrator/.*) + RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R] + + + # Deny various directories that + # shouldn't be webaccessible + + Deny From All + + + Deny From All + + + Deny From All + + + + + SecRuleEngine On + SecAuditEngine RelevantOnly + SecAuditLogType Concurrent + SecAuditLogStorageDir /var/www/vhosts/example.com/logs/ + SecAuditLog /var/www/vhosts/example.com/logs/mod_security_audit.log + SecDebugLog /var/www/vhosts/example.com/logs/mod_security_debug.log + + + # http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html + # Exceptions for Joomla Root Directory + + SecRuleRemoveById 950013 + + + # Exceptions for Joomla Administration Panel + SecRule 
REQUEST_FILENAME \"/administrator/index2.php\" \"id:1199400,allow,phase:1,nolog,ctl:ruleEngine=Off\" + + # Exceptions for Joomla Component Expose + + SecRuleRemoveById 960010 + + + + + +" +)} + end + describe 'with mod_fcgid' do + let(:params){ + { + :run_mode => 'fcgid', + :run_uid => 'foo', + :run_gid => 'bar', + } + } + it { should contain_class('apache::include::joomla') } + # only test the differences from the default + it { should contain_apache__vhost__php__webapp('example.com').with( + :run_mode => 'fcgid', + :run_uid => 'foo', + :run_gid => 'bar', + :template_partial => 'apache/vhosts/php_joomla/partial.erb', + :php_settings => { + 'allow_url_fopen' => 'on', + 'allow_url_include' => 'off', + }, + :manage_config => true, + :config_webwriteable => false, + :config_file => 'configuration.php', + :manage_directories => true, + :managed_directories => [ "/var/www/vhosts/example.com/www/administrator/backups", + "/var/www/vhosts/example.com/www/administrator/components", + "/var/www/vhosts/example.com/www/administrator/language", + "/var/www/vhosts/example.com/www/administrator/modules", + "/var/www/vhosts/example.com/www/administrator/templates", + "/var/www/vhosts/example.com/www/components", + "/var/www/vhosts/example.com/www/dmdocuments", + "/var/www/vhosts/example.com/www/images", + "/var/www/vhosts/example.com/www/language", + "/var/www/vhosts/example.com/www/media", + "/var/www/vhosts/example.com/www/modules", + "/var/www/vhosts/example.com/www/plugins", + "/var/www/vhosts/example.com/www/templates", + "/var/www/vhosts/example.com/www/cache", + "/var/www/vhosts/example.com/www/tmp", + "/var/www/vhosts/example.com/www/administrator/cache" ], + :mod_security_additional_options => " + # http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html + # Exceptions for Joomla Root Directory + + SecRuleRemoveById 950013 + + + # Exceptions for Joomla Administration Panel + SecRule REQUEST_FILENAME \"/administrator/index2.php\" 
\"id:1199400,allow,phase:1,nolog,ctl:ruleEngine=Off\" + + # Exceptions for Joomla Component Expose + + SecRuleRemoveById 960010 + +" + )} + # go deeper in the catalog and test the produced template + it { should contain_apache__vhost__file('example.com').with_content( +" + + Include include.d/defaults.inc + ServerName example.com + DocumentRoot /var/www/vhosts/example.com/www/ + DirectoryIndex index.htm index.html index.php + + + ErrorLog /var/www/vhosts/example.com/logs/error_log + CustomLog /var/www/vhosts/example.com/logs/access_log combined + + + + + SuexecUserGroup foo bar + FcgidMaxRequestsPerProcess 5000 + FCGIWrapper /var/www/mod_fcgid-starters/example.com/example.com-starter .php + AddHandler fcgid-script .php + + + + AllowOverride None + Options +ExecCGI + + + + Include include.d/joomla.inc + + + + RewriteEngine on + + # Rewrite URLs to https that go for the admin area + RewriteCond %{REMOTE_ADDR} !^127\\.[0-9]+\\.[0-9]+\\.[0-9]+$ + RewriteCond %{HTTPS} !=on + RewriteCond %{REQUEST_URI} (.*/administrator/.*) + RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R] + + + # Deny various directories that + # shouldn't be webaccessible + + Deny From All + + + Deny From All + + + Deny From All + + + + + SecRuleEngine On + SecAuditEngine RelevantOnly + SecAuditLogType Concurrent + SecAuditLogStorageDir /var/www/vhosts/example.com/logs/ + SecAuditLog /var/www/vhosts/example.com/logs/mod_security_audit.log + SecDebugLog /var/www/vhosts/example.com/logs/mod_security_debug.log + + + # http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html + # Exceptions for Joomla Root Directory + + SecRuleRemoveById 950013 + + + # Exceptions for Joomla Administration Panel + SecRule REQUEST_FILENAME \"/administrator/index2.php\" \"id:1199400,allow,phase:1,nolog,ctl:ruleEngine=Off\" + + # Exceptions for Joomla Component Expose + + SecRuleRemoveById 960010 + + + + + +" +)} + end +end 
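Review bot: Both `with_content` fixtures in this spec pin `RewriteCond %{REMOTE_ADDR} !^127\\.[0-9]+\\.[0-9]+\\.[0-9]+$` as the only exemption from the /administrator/ HTTPS redirect and carry no `%{HTTP:X-Forwarded-Proto}` condition, unlike the gallery2 expectation visible just above this file. If the vhost sits behind a local reverse proxy (REMOTE_ADDR is loopback for every client) the exemption matches every request and the redirect described by the "Rewrite URLs to https that go for the admin area" comment never fires, so the spec would be asserting a no-op; without some proxy-aware condition a TLS-terminating proxy would presumably redirect in a loop instead. The joomla partial would likely be better served by the gallery2 form, `RewriteCond %{HTTPS} !=on` followed by `RewriteCond %{HTTP:X-Forwarded-Proto} !=https`, with both fixtures updated to match. Separately, the 16-entry `:managed_directories` array and the `:mod_security_additional_options` string are repeated verbatim in the 'with standard' and 'with mod_fcgid' blocks; hoisting them into `let(:managed_directories)` / `let(:modsec_options)` on the outer describe keeps the two cases from drifting apart.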
diff --git a/spec/defines/vhost_php_standard_spec.rb b/spec/defines/vhost_php_standard_spec.rb new file mode 100644 index 0000000..159d4b8 --- /dev/null +++ b/spec/defines/vhost_php_standard_spec.rb 
@@ -0,0 +1,534 @@ +require File.expand_path(File.join(File.dirname(__FILE__),'../spec_helper')) + +describe 'apache::vhost::php::standard', :type => 'define' do + let(:title){ 'example.com' } + let(:facts){ + { + :fqdn => 'apache.example.com', + :operatingsystem => 'CentOS', + :operatingsystemmajrelease => '7', + } + } + describe 'with standard' do + # only test variables that are tuned + it { should contain_apache__vhost__webdir('example.com') } + it { should_not contain_class('mod_fcgid') } + it { should_not contain_class('php::mod_fcgid') } + it { should_not contain_class('apache::include::mod_fcgid') } + it { should_not contain_class('php::scl::php54') } + it { should_not contain_class('php::scl::php55') } + it { should_not contain_class('php::extensions::smarty') } + it { should contain_class('php') } + it { should_not contain_mod_fcgid__starter('example.com') } + + # only test variables that are tuned + it { should contain_apache__vhost__phpdirs('example.com').with( + :php_upload_tmp_dir => '/var/www/upload_tmp_dir/example.com', + :php_session_save_path => '/var/www/session.save_path/example.com', + )} + # only test variables that are tuned + it { should contain_apache__vhost('example.com').with( + :template_partial => 'apache/vhosts/php/partial.erb', + :passing_extension => 'php' + )} + + it { should have_apache__vhost__php__safe_mode_bin_resource_count(0) } + it { should contain_file('/var/www/vhosts/example.com/bin').with( + :ensure => 'absent', + :recurse => true, + :force => true, + :purge => true, + )} + # go deeper in the catalog and test the produced template + it { should contain_apache__vhost__file('example.com').with_content( +" + + Include include.d/defaults.inc + ServerName example.com + DocumentRoot /var/www/vhosts/example.com/www/ + DirectoryIndex index.htm index.html index.php + + + ErrorLog /var/www/vhosts/example.com/logs/error_log + CustomLog /var/www/vhosts/example.com/logs/access_log combined + + + + + AllowOverride None + + 
php_admin_flag engine on + php_admin_value error_log /var/www/vhosts/example.com/logs/php_error_log + php_admin_value open_basedir /var/www/vhosts/example.com/www:/var/www/vhosts/example.com/data:/var/www/upload_tmp_dir/example.com:/var/www/session.save_path/example.com + php_admin_flag safe_mode on + php_admin_value session.save_path /var/www/session.save_path/example.com + php_admin_value upload_tmp_dir /var/www/upload_tmp_dir/example.com + + + + + + SecRuleEngine On + SecAuditEngine RelevantOnly + SecAuditLogType Concurrent + SecAuditLogStorageDir /var/www/vhosts/example.com/logs/ + SecAuditLog /var/www/vhosts/example.com/logs/mod_security_audit.log + SecDebugLog /var/www/vhosts/example.com/logs/mod_security_debug.log + + + +" +)} + end + describe 'with standard and params' do + let(:params) { + { + :php_settings => { + 'safe_mode' => 'Off', + } + } + } + # go deeper in the catalog and test the produced template + it { should contain_apache__vhost__file('example.com').with_content( +" + + Include include.d/defaults.inc + ServerName example.com + DocumentRoot /var/www/vhosts/example.com/www/ + DirectoryIndex index.htm index.html index.php + + + ErrorLog /var/www/vhosts/example.com/logs/error_log + CustomLog /var/www/vhosts/example.com/logs/access_log combined + + + + + AllowOverride None + + php_admin_flag engine on + php_admin_value error_log /var/www/vhosts/example.com/logs/php_error_log + php_admin_value open_basedir /var/www/vhosts/example.com/www:/var/www/vhosts/example.com/data:/var/www/upload_tmp_dir/example.com:/var/www/session.save_path/example.com + php_admin_flag safe_mode off + php_admin_value session.save_path /var/www/session.save_path/example.com + php_admin_value upload_tmp_dir /var/www/upload_tmp_dir/example.com + + + + + + SecRuleEngine On + SecAuditEngine RelevantOnly + SecAuditLogType Concurrent + SecAuditLogStorageDir /var/www/vhosts/example.com/logs/ + SecAuditLog /var/www/vhosts/example.com/logs/mod_security_audit.log + SecDebugLog 
/var/www/vhosts/example.com/logs/mod_security_debug.log + + + +" +)} + end + describe 'with mod_fcgid' do + let(:params){ + { + :run_mode => 'fcgid', + :run_uid => 'foo', + :run_gid => 'bar', + } + } + # only test variables that are tuned + it { should contain_apache__vhost__webdir('example.com') } + it { should contain_class('mod_fcgid') } + it { should contain_class('php::mod_fcgid') } + it { should contain_class('apache::include::mod_fcgid') } + it { should_not contain_class('php::scl::php54') } + it { should_not contain_class('php::scl::php55') } + it { should_not contain_class('php::extensions::smarty') } + it { should contain_mod_fcgid__starter('example.com').with( + :tmp_dir => false, + :cgi_type => 'php', + :cgi_type_options => { + "engine" =>"On", + "upload_tmp_dir" =>"/var/www/upload_tmp_dir/example.com", + "session.save_path" =>"/var/www/session.save_path/example.com", + "error_log" =>"/var/www/vhosts/example.com/logs/php_error_log", + "safe_mode" =>"On", + "safe_mode_gid" =>"On", + "safe_mode_exec_dir"=>:undef, + "default_charset" =>:undef, + "open_basedir" =>"/var/www/vhosts/example.com/www:/var/www/vhosts/example.com/data:/var/www/upload_tmp_dir/example.com:/var/www/session.save_path/example.com" + }, + :owner => 'foo', + :group => 'bar', + :notify => 'Service[apache]', + ) } + + # only test variables that are tuned + it { should contain_apache__vhost__phpdirs('example.com').with( + :php_upload_tmp_dir => '/var/www/upload_tmp_dir/example.com', + :php_session_save_path => '/var/www/session.save_path/example.com', + )} + # only test variables that are tuned + it { should contain_apache__vhost('example.com').with( + :template_partial => 'apache/vhosts/php/partial.erb', + :passing_extension => 'php' + )} + + it { should have_apache__vhost__php__safe_mode_bin_resource_count(0) } + it { should contain_file('/var/www/vhosts/example.com/bin').with( + :ensure => 'absent', + :recurse => true, + :force => true, + :purge => true, + )} + # go deeper in the catalog 
and test the produced template + it { should contain_apache__vhost__file('example.com').with_content( +" + + Include include.d/defaults.inc + ServerName example.com + DocumentRoot /var/www/vhosts/example.com/www/ + DirectoryIndex index.htm index.html index.php + + + ErrorLog /var/www/vhosts/example.com/logs/error_log + CustomLog /var/www/vhosts/example.com/logs/access_log combined + + + + + SuexecUserGroup foo bar + FcgidMaxRequestsPerProcess 5000 + FCGIWrapper /var/www/mod_fcgid-starters/example.com/example.com-starter .php + AddHandler fcgid-script .php + + + + AllowOverride None + Options +ExecCGI + + + + + + SecRuleEngine On + SecAuditEngine RelevantOnly + SecAuditLogType Concurrent + SecAuditLogStorageDir /var/www/vhosts/example.com/logs/ + SecAuditLog /var/www/vhosts/example.com/logs/mod_security_audit.log + SecDebugLog /var/www/vhosts/example.com/logs/mod_security_debug.log + + + +" +)} + end + describe 'with mod_fcgid scl 5.4' do + let(:pre_condition){ 'include yum::prerequisites' } + let(:params){ + { + :run_mode => 'fcgid', + :run_uid => 'foo', + :run_gid => 'bar', + :php_installation => 'scl54', + } + } + # only test variables that are tuned + it { should contain_apache__vhost__webdir('example.com') } + it { should contain_class('mod_fcgid') } + it { should contain_class('php::mod_fcgid') } + it { should contain_class('apache::include::mod_fcgid') } + it { should contain_class('php::scl::php54') } + it { should_not contain_class('php::scl::php55') } + it { should_not contain_class('php::extensions::smarty') } + it { should contain_mod_fcgid__starter('example.com').with( + :tmp_dir => false, + :cgi_type => 'php', + :cgi_type_options => { + "engine" =>"On", + "upload_tmp_dir" =>"/var/www/upload_tmp_dir/example.com", + "session.save_path" =>"/var/www/session.save_path/example.com", + "error_log" =>"/var/www/vhosts/example.com/logs/php_error_log", + "safe_mode" =>:undef, + "safe_mode_gid" =>:undef, + "safe_mode_exec_dir"=>:undef, + "default_charset" 
=>:undef, + "open_basedir" =>"/var/www/vhosts/example.com/www:/var/www/vhosts/example.com/data:/var/www/upload_tmp_dir/example.com:/var/www/session.save_path/example.com" + }, + :binary => '/opt/rh/php54/root/usr/bin/php-cgi', + :additional_cmds => 'source /opt/rh/php54/enable', + :rc => '/opt/rh/php54/root/etc', + :owner => 'foo', + :group => 'bar', + :notify => 'Service[apache]', + ) } + + # only test variables that are tuned + it { should contain_apache__vhost__phpdirs('example.com').with( + :php_upload_tmp_dir => '/var/www/upload_tmp_dir/example.com', + :php_session_save_path => '/var/www/session.save_path/example.com', + )} + # only test variables that are tuned + it { should contain_apache__vhost('example.com').with( + :template_partial => 'apache/vhosts/php/partial.erb', + :passing_extension => 'php' + )} + + it { should have_apache__vhost__php__safe_mode_bin_resource_count(0) } + it { should contain_file('/var/www/vhosts/example.com/bin').with( + :ensure => 'absent', + :recurse => true, + :force => true, + :purge => true, + )} + # go deeper in the catalog and test the produced template + it { should contain_apache__vhost__file('example.com').with_content( +" + + Include include.d/defaults.inc + ServerName example.com + DocumentRoot /var/www/vhosts/example.com/www/ + DirectoryIndex index.htm index.html index.php + + + ErrorLog /var/www/vhosts/example.com/logs/error_log + CustomLog /var/www/vhosts/example.com/logs/access_log combined + + + + + SuexecUserGroup foo bar + FcgidMaxRequestsPerProcess 5000 + FCGIWrapper /var/www/mod_fcgid-starters/example.com/example.com-starter .php + AddHandler fcgid-script .php + + + + AllowOverride None + Options +ExecCGI + + + + + + SecRuleEngine On + SecAuditEngine RelevantOnly + SecAuditLogType Concurrent + SecAuditLogStorageDir /var/www/vhosts/example.com/logs/ + SecAuditLog /var/www/vhosts/example.com/logs/mod_security_audit.log + SecDebugLog /var/www/vhosts/example.com/logs/mod_security_debug.log + + + +" +)} + end + 
describe 'with mod_fcgid with scl55' do + let(:pre_condition){ 'include yum::prerequisites' } + let(:params){ + { + :run_mode => 'fcgid', + :run_uid => 'foo', + :run_gid => 'bar', + :php_installation => 'scl55', + } + } + # only test variables that are tuned + it { should contain_apache__vhost__webdir('example.com') } + it { should contain_class('mod_fcgid') } + it { should contain_class('php::mod_fcgid') } + it { should contain_class('apache::include::mod_fcgid') } + it { should_not contain_class('php::scl::php54') } + it { should contain_class('php::scl::php55') } + it { should_not contain_class('php::extensions::smarty') } + it { should contain_mod_fcgid__starter('example.com').with( + :tmp_dir => false, + :cgi_type => 'php', + :cgi_type_options => { + "engine" =>"On", + "upload_tmp_dir" =>"/var/www/upload_tmp_dir/example.com", + "session.save_path" =>"/var/www/session.save_path/example.com", + "error_log" =>"/var/www/vhosts/example.com/logs/php_error_log", + "safe_mode" =>:undef, + "safe_mode_gid" =>:undef, + "safe_mode_exec_dir"=>:undef, + "default_charset" =>:undef, + "open_basedir" =>"/var/www/vhosts/example.com/www:/var/www/vhosts/example.com/data:/var/www/upload_tmp_dir/example.com:/var/www/session.save_path/example.com" + }, + :binary => '/opt/rh/php55/root/usr/bin/php-cgi', + :additional_cmds => 'source /opt/rh/php55/enable', + :rc => '/opt/rh/php55/root/etc', + :owner => 'foo', + :group => 'bar', + :notify => 'Service[apache]', + ) } + + # only test variables that are tuned + it { should contain_apache__vhost__phpdirs('example.com').with( + :php_upload_tmp_dir => '/var/www/upload_tmp_dir/example.com', + :php_session_save_path => '/var/www/session.save_path/example.com', + )} + # only test variables that are tuned + it { should contain_apache__vhost('example.com').with( + :template_partial => 'apache/vhosts/php/partial.erb', + :passing_extension => 'php' + )} + + it { should have_apache__vhost__php__safe_mode_bin_resource_count(0) } + it { should 
contain_file('/var/www/vhosts/example.com/bin').with( + :ensure => 'absent', + :recurse => true, + :force => true, + :purge => true, + )} + # go deeper in the catalog and test the produced template + it { should contain_apache__vhost__file('example.com').with_content( +" + + Include include.d/defaults.inc + ServerName example.com + DocumentRoot /var/www/vhosts/example.com/www/ + DirectoryIndex index.htm index.html index.php + + + ErrorLog /var/www/vhosts/example.com/logs/error_log + CustomLog /var/www/vhosts/example.com/logs/access_log combined + + + + + SuexecUserGroup foo bar + FcgidMaxRequestsPerProcess 5000 + FCGIWrapper /var/www/mod_fcgid-starters/example.com/example.com-starter .php + AddHandler fcgid-script .php + + + + AllowOverride None + Options +ExecCGI + + + + + + SecRuleEngine On + SecAuditEngine RelevantOnly + SecAuditLogType Concurrent + SecAuditLogStorageDir /var/www/vhosts/example.com/logs/ + SecAuditLog /var/www/vhosts/example.com/logs/mod_security_audit.log + SecDebugLog /var/www/vhosts/example.com/logs/mod_security_debug.log + + + +" +)} + end + describe 'with mod_fcgid and params' do + let(:params){ + { + :run_mode => 'fcgid', + :run_uid => 'foo', + :run_gid => 'bar', + :logmode => 'nologs', + :php_options => { + 'smarty' => true, + 'pear' => true, + 'safe_mode_exec_bins' => ['/usr/bin/cat'], + } + } + } + # only test variables that are tuned + it { should contain_apache__vhost__webdir('example.com') } + it { should contain_class('mod_fcgid') } + it { should contain_class('php::mod_fcgid') } + it { should contain_class('apache::include::mod_fcgid') } + it { should_not contain_class('php::scl::php54') } + it { should_not contain_class('php::scl::php55') } + it { should contain_class('php::extensions::smarty') } + it { should contain_mod_fcgid__starter('example.com').with( + :tmp_dir => false, + :cgi_type => 'php', + :cgi_type_options => { + "engine" =>"On", + "upload_tmp_dir" =>"/var/www/upload_tmp_dir/example.com", + "session.save_path" 
=>"/var/www/session.save_path/example.com", + "error_log" =>:undef, + "safe_mode" =>"On", + "safe_mode_gid" =>"On", + "safe_mode_exec_dir"=>"/var/www/vhosts/example.com/bin", + "default_charset" =>:undef, + "open_basedir" =>"/usr/share/php/Smarty/:/usr/share/pear/:/var/www/vhosts/example.com/www:/var/www/vhosts/example.com/data:/var/www/upload_tmp_dir/example.com:/var/www/session.save_path/example.com" + }, + :owner => 'foo', + :group => 'bar', + :notify => 'Service[apache]', + ) } + + # only test variables that are tuned + it { should contain_apache__vhost__phpdirs('example.com').with( + :php_upload_tmp_dir => '/var/www/upload_tmp_dir/example.com', + :php_session_save_path => '/var/www/session.save_path/example.com', + )} + # only test variables that are tuned + it { should contain_apache__vhost('example.com').with( + :template_partial => 'apache/vhosts/php/partial.erb', + :passing_extension => 'php' + )} + + it { should have_apache__vhost__php__safe_mode_bin_resource_count(1) } + it { should contain_apache__vhost__php__safe_mode_bin('example.com@/usr/bin/cat').with( + :ensure => 'present', + :path => '/var/www/vhosts/example.com/bin', + )} + it { should contain_file('/var/www/vhosts/example.com/bin').with( + :ensure => 'directory', + :owner => 'apache', + :group => '0', + :recurse => true, + :force => true, + :purge => true, + )} + # go deeper in the catalog and test the produced template + it { should contain_apache__vhost__file('example.com').with_content( +" + + Include include.d/defaults.inc + ServerName example.com + DocumentRoot /var/www/vhosts/example.com/www/ + DirectoryIndex index.htm index.html index.php + + + ErrorLog /dev/null + CustomLog /dev/null + + + + + SuexecUserGroup foo bar + FcgidMaxRequestsPerProcess 5000 + FCGIWrapper /var/www/mod_fcgid-starters/example.com/example.com-starter .php + AddHandler fcgid-script .php + + + + AllowOverride None + Options +ExecCGI + + + + + + SecRuleEngine On + SecAuditEngine RelevantOnly + SecAuditLogType 
Concurrent + SecAuditLogStorageDir /var/www/vhosts/example.com/logs/ + SecAuditLog /var/www/vhosts/example.com/logs/mod_security_audit.log + SecDebugLog /var/www/vhosts/example.com/logs/mod_security_debug.log + + + +" +)} + end +end diff --git a/spec/defines/vhost_php_webapp_spec.rb b/spec/defines/vhost_php_webapp_spec.rb new file mode 100644 index 0000000..bdebb14 --- /dev/null +++ b/spec/defines/vhost_php_webapp_spec.rb 
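Review bot: The 'with mod_fcgid and params' case sets `:logmode => 'nologs'` and expects `ErrorLog /dev/null`, `CustomLog /dev/null` and `"error_log" =>:undef` in the starter options, yet the same fixture still asserts `SecAuditEngine RelevantOnly` with `SecAuditLog` and `SecDebugLog` under /var/www/vhosts/example.com/logs/. If nologs is meant to suppress per-vhost request logging, a ModSecurity audit log (which typically captures headers and body fragments of flagged transactions) defeats that intent and the template should change rather than be pinned; if the audit log is kept deliberately, a comment on that fixture such as `# nologs silences access/error/php logs only; the mod_security audit log is kept on purpose` would stop the next reader from "fixing" it. Two style points in the same file: the bin-directory expectation uses the string `:group => '0'` while the sibling webapp spec below uses the integer `:group => 0`, and the five near-identical `with_content` fixtures differ only in the `SuexecUserGroup`/`FCGIWrapper` and `php_admin_*` stanzas, so assembling them from shared `let` fragments would make the tuned lines stand out.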
@@ -0,0 +1,261 @@ +require File.expand_path(File.join(File.dirname(__FILE__),'../spec_helper')) + +describe 'apache::vhost::php::webapp', :type => 'define' do + let(:title){ 'example.com' } + let(:facts){ + { + :fqdn => 'apache.example.com', + :operatingsystem => 'CentOS', + :operatingsystemmajrelease => '7', + } + } + describe 'with standard' do + let(:params){ + { + :manage_config => false, + :template_partial => 'apache/vhosts/php/partial.erb', + } + } + # only test variables that are tuned + it { should have_apache__file__rw_resource_count(0) } + it { should_not contain_apache__vhost__file__documentrootfile('configurationfile_example.com') } + it { should contain_apache__vhost__php__standard('example.com') } + # go deeper in the catalog and test the produced template + it { should contain_apache__vhost__file('example.com').with_content( +" + + Include include.d/defaults.inc + ServerName example.com + DocumentRoot /var/www/vhosts/example.com/www/ + DirectoryIndex index.htm index.html index.php + + + ErrorLog /var/www/vhosts/example.com/logs/error_log + CustomLog /var/www/vhosts/example.com/logs/access_log combined + + + + + AllowOverride None + + php_admin_flag engine on + php_admin_value error_log /var/www/vhosts/example.com/logs/php_error_log + php_admin_value open_basedir /var/www/vhosts/example.com/www:/var/www/vhosts/example.com/data:/var/www/upload_tmp_dir/example.com:/var/www/session.save_path/example.com + php_admin_flag safe_mode on + php_admin_value session.save_path /var/www/session.save_path/example.com + php_admin_value upload_tmp_dir /var/www/upload_tmp_dir/example.com + + + + + + SecRuleEngine On + SecAuditEngine RelevantOnly + SecAuditLogType Concurrent + SecAuditLogStorageDir /var/www/vhosts/example.com/logs/ + SecAuditLog /var/www/vhosts/example.com/logs/mod_security_audit.log + SecDebugLog /var/www/vhosts/example.com/logs/mod_security_debug.log + + + +" +)} + end + describe 'with mod_fcgid' do + let(:params){ + { + :manage_config => false, + 
:template_partial => 'apache/vhosts/php/partial.erb', + :run_mode => 'fcgid', + :run_uid => 'foo', + :run_gid => 'bar', + } + } + # only test variables that are tuned + it { should have_apache__file__rw_resource_count(0) } + it { should_not contain_apache__vhost__file__documentrootfile('configurationfile_example.com') } + it { should contain_apache__vhost__php__standard('example.com') } + # go deeper in the catalog and test the produced template + it { should contain_apache__vhost__file('example.com').with_content( +" + + Include include.d/defaults.inc + ServerName example.com + DocumentRoot /var/www/vhosts/example.com/www/ + DirectoryIndex index.htm index.html index.php + + + ErrorLog /var/www/vhosts/example.com/logs/error_log + CustomLog /var/www/vhosts/example.com/logs/access_log combined + + + + + SuexecUserGroup foo bar + FcgidMaxRequestsPerProcess 5000 + FCGIWrapper /var/www/mod_fcgid-starters/example.com/example.com-starter .php + AddHandler fcgid-script .php + + + + AllowOverride None + Options +ExecCGI + + + + + + SecRuleEngine On + SecAuditEngine RelevantOnly + SecAuditLogType Concurrent + SecAuditLogStorageDir /var/www/vhosts/example.com/logs/ + SecAuditLog /var/www/vhosts/example.com/logs/mod_security_audit.log + SecDebugLog /var/www/vhosts/example.com/logs/mod_security_debug.log + + + +" +)} + end + context 'with config file and directories' do + describe 'with standard' do + let(:params){ + { + :manage_config => true, + :managed_directories => [ '/tmp/a', '/tmp/b' ], + :config_file => 'config.php', + :template_partial => 'apache/vhosts/php/partial.erb', + } + } + # only test variables that are tuned + it { should have_apache__file__rw_resource_count(2) } + it { should contain_apache__file__rw('/tmp/a').with( + :owner => 'apache', + :group => 0, + )} + it { should contain_apache__file__rw('/tmp/b').with( + :owner => 'apache', + :group => 0, + )} + it { should contain_apache__vhost__file__documentrootfile('configurationfile_example.com').with( + 
:documentroot => '/var/www/vhosts/example.com/www', + :filename => 'config.php', + :thedomain => 'example.com', + :owner => 'apache', + :group => 0, + :mode => '0440', + ) } + it { should contain_apache__vhost__php__standard('example.com') } + # go deeper in the catalog and test the produced template + it { should contain_apache__vhost__file('example.com').with_content( +" + + Include include.d/defaults.inc + ServerName example.com + DocumentRoot /var/www/vhosts/example.com/www/ + DirectoryIndex index.htm index.html index.php + + + ErrorLog /var/www/vhosts/example.com/logs/error_log + CustomLog /var/www/vhosts/example.com/logs/access_log combined + + + + + AllowOverride None + + php_admin_flag engine on + php_admin_value error_log /var/www/vhosts/example.com/logs/php_error_log + php_admin_value open_basedir /var/www/vhosts/example.com/www:/var/www/vhosts/example.com/data:/var/www/upload_tmp_dir/example.com:/var/www/session.save_path/example.com + php_admin_flag safe_mode on + php_admin_value session.save_path /var/www/session.save_path/example.com + php_admin_value upload_tmp_dir /var/www/upload_tmp_dir/example.com + + + + + + SecRuleEngine On + SecAuditEngine RelevantOnly + SecAuditLogType Concurrent + SecAuditLogStorageDir /var/www/vhosts/example.com/logs/ + SecAuditLog /var/www/vhosts/example.com/logs/mod_security_audit.log + SecDebugLog /var/www/vhosts/example.com/logs/mod_security_debug.log + + + +" +)} + end + describe 'with standard but writable' do + let(:params){ + { + :manage_config => true, + :config_webwriteable => true, + :managed_directories => [ '/tmp/a', '/tmp/b' ], + :config_file => 'config.php', + :template_partial => 'apache/vhosts/php/partial.erb', + } + } + # only test variables that are tuned + it { should have_apache__file__rw_resource_count(2) } + it { should contain_apache__file__rw('/tmp/a').with( + :owner => 'apache', + :group => 0, + )} + it { should contain_apache__file__rw('/tmp/b').with( + :owner => 'apache', + :group => 0, + )} + it 
{ should contain_apache__vhost__file__documentrootfile('configurationfile_example.com').with( + :documentroot => '/var/www/vhosts/example.com/www', + :filename => 'config.php', + :thedomain => 'example.com', + :owner => 'apache', + :group => 0, + :mode => '0660', + ) } + it { should contain_apache__vhost__php__standard('example.com') } + # go deeper in the catalog and test the produced template + it { should contain_apache__vhost__file('example.com').with_content( +" + + Include include.d/defaults.inc + ServerName example.com + DocumentRoot /var/www/vhosts/example.com/www/ + DirectoryIndex index.htm index.html index.php + + + ErrorLog /var/www/vhosts/example.com/logs/error_log + CustomLog /var/www/vhosts/example.com/logs/access_log combined + + + + + AllowOverride None + + php_admin_flag engine on + php_admin_value error_log /var/www/vhosts/example.com/logs/php_error_log + php_admin_value open_basedir /var/www/vhosts/example.com/www:/var/www/vhosts/example.com/data:/var/www/upload_tmp_dir/example.com:/var/www/session.save_path/example.com + php_admin_flag safe_mode on + php_admin_value session.save_path /var/www/session.save_path/example.com + php_admin_value upload_tmp_dir /var/www/upload_tmp_dir/example.com + + + + + + SecRuleEngine On + SecAuditEngine RelevantOnly + SecAuditLogType Concurrent + SecAuditLogStorageDir /var/www/vhosts/example.com/logs/ + SecAuditLog /var/www/vhosts/example.com/logs/mod_security_audit.log + SecDebugLog /var/www/vhosts/example.com/logs/mod_security_debug.log + + + +" +)} + end + end +end diff --git a/spec/defines/vhost_php_wordpress_spec.rb b/spec/defines/vhost_php_wordpress_spec.rb new file mode 100644 index 0000000..203f969 --- /dev/null +++ b/spec/defines/vhost_php_wordpress_spec.rb 
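Review bot: The `context 'with config file and directories'` only exercises the default run mode, so nothing asserts who owns the managed config file and rw directories when `:run_mode => 'fcgid'` with `:run_uid => 'foo'`. The mod_php cases pin `:owner => 'apache', :group => 0, :mode => '0440'` on `configurationfile_example.com`; a file with those bits is unreadable by a PHP process running as `foo`, so the fcgid path presumably switches owner/group to run_uid/run_gid, and that is exactly the behaviour worth a regression test. Add a describe under the context with `:run_mode => 'fcgid', :run_uid => 'foo', :run_gid => 'bar', :manage_config => true, :config_file => 'config.php', :managed_directories => [ '/tmp/a' ]` and assert the owner/group the define actually produces (expected `:owner => 'foo', :group => 'bar'`) on the documentrootfile and the `apache__file__rw` resource.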
@@ -0,0 +1,171 @@ +require File.expand_path(File.join(File.dirname(__FILE__),'../spec_helper')) + +describe 'apache::vhost::php::wordpress', :type => 'define' do + let(:title){ 'example.com' } + let(:facts){ + { + :fqdn => 'apache.example.com', + :operatingsystem => 'CentOS', + :operatingsystemmajrelease => '7', + } + } + describe 'with standard' do + # only test the differences from the default + it { should contain_apache__vhost__php__webapp('example.com').with( + :mod_security_rules_to_disable => ["960010", "950018"], + :manage_directories => true, + :managed_directories => '/var/www/vhosts/example.com/www/wp-content', + :template_partial => 'apache/vhosts/php_wordpress/partial.erb', + :manage_config => true, + :config_webwriteable => false, + :config_file => 'wp-config.php', + )} + # go deeper in the catalog and test the produced template + it { should contain_apache__vhost__file('example.com').with_content( +" + + Include include.d/defaults.inc + ServerName example.com + DocumentRoot /var/www/vhosts/example.com/www/ + DirectoryIndex index.htm index.html index.php + + + ErrorLog /var/www/vhosts/example.com/logs/error_log + CustomLog /var/www/vhosts/example.com/logs/access_log combined + + + + + AllowOverride FileInfo + + php_admin_flag engine on + php_admin_value error_log /var/www/vhosts/example.com/logs/php_error_log + php_admin_value open_basedir /var/www/vhosts/example.com/www:/var/www/vhosts/example.com/data:/var/www/upload_tmp_dir/example.com:/var/www/session.save_path/example.com + php_admin_flag safe_mode on + php_admin_value session.save_path /var/www/session.save_path/example.com + php_admin_value upload_tmp_dir /var/www/upload_tmp_dir/example.com + + + + + + # fixes: http://git.zx2c4.com/w3-total-fail/tree/w3-total-fail.sh + + Deny From All + + + # simple wp-login brute force protection + # http://www.frameloss.org/2013/04/26/even-easier-brute-force-login-protection-for-wordpress/ + RewriteEngine On + RewriteCond %{HTTP_COOKIE} 
!359422a82c97336dc082622faf72013a8e857bfd + RewriteRule ^/wp-login.php /wordpress-login-576a63fdc98202e7c7283713f2ddfee334bf13ee.php [R,L] + + CookieTracking on + CookieExpires 30 + CookieName 359422a82c97336dc082622faf72013a8e857bfd + + RewriteRule ^/wordpress-login-576a63fdc98202e7c7283713f2ddfee334bf13ee.php /wp-login.php [NE] + + + + SecRuleEngine On + SecAuditEngine RelevantOnly + SecAuditLogType Concurrent + SecAuditLogStorageDir /var/www/vhosts/example.com/logs/ + SecAuditLog /var/www/vhosts/example.com/logs/mod_security_audit.log + SecDebugLog /var/www/vhosts/example.com/logs/mod_security_debug.log + + SecRuleRemoveById \"960010\" + SecRuleRemoveById \"950018\" + + + +" +)} + end + describe 'with mod_fcgid' do + let(:params){ + { + :run_mode => 'fcgid', + :run_uid => 'foo', + :run_gid => 'bar', + } + } + # only test variables that are tuned + it { should contain_apache__vhost__php__webapp('example.com').with( + :run_mode => 'fcgid', + :run_uid => 'foo', + :run_gid => 'bar', + :template_partial => 'apache/vhosts/php_wordpress/partial.erb', + :mod_security_rules_to_disable => ["960010", "950018"], + :manage_directories => true, + :managed_directories => '/var/www/vhosts/example.com/www/wp-content', + :manage_config => true, + :config_webwriteable => false, + :config_file => 'wp-config.php', + )} + # go deeper in the catalog and test the produced template + it { should contain_apache__vhost__file('example.com').with_content( +" + + Include include.d/defaults.inc + ServerName example.com + DocumentRoot /var/www/vhosts/example.com/www/ + DirectoryIndex index.htm index.html index.php + + + ErrorLog /var/www/vhosts/example.com/logs/error_log + CustomLog /var/www/vhosts/example.com/logs/access_log combined + + + + + SuexecUserGroup foo bar + FcgidMaxRequestsPerProcess 5000 + FCGIWrapper /var/www/mod_fcgid-starters/example.com/example.com-starter .php + AddHandler fcgid-script .php + + + + AllowOverride FileInfo + Options +ExecCGI + + + + + + # fixes: 
http://git.zx2c4.com/w3-total-fail/tree/w3-total-fail.sh + + Deny From All + + + # simple wp-login brute force protection + # http://www.frameloss.org/2013/04/26/even-easier-brute-force-login-protection-for-wordpress/ + RewriteEngine On + RewriteCond %{HTTP_COOKIE} !359422a82c97336dc082622faf72013a8e857bfd + RewriteRule ^/wp-login.php /wordpress-login-576a63fdc98202e7c7283713f2ddfee334bf13ee.php [R,L] + + CookieTracking on + CookieExpires 30 + CookieName 359422a82c97336dc082622faf72013a8e857bfd + + RewriteRule ^/wordpress-login-576a63fdc98202e7c7283713f2ddfee334bf13ee.php /wp-login.php [NE] + + + + SecRuleEngine On + SecAuditEngine RelevantOnly + SecAuditLogType Concurrent + SecAuditLogStorageDir /var/www/vhosts/example.com/logs/ + SecAuditLog /var/www/vhosts/example.com/logs/mod_security_audit.log + SecDebugLog /var/www/vhosts/example.com/logs/mod_security_debug.log + + SecRuleRemoveById \"960010\" + SecRuleRemoveById \"950018\" + + + +" +)} + end +end diff --git a/spec/defines/vhost_spec.rb b/spec/defines/vhost_spec.rb new file mode 100644 index 0000000..051ad0d --- /dev/null +++ b/spec/defines/vhost_spec.rb 
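Review bot: This spec declares `let(:title)` and `let(:facts)` but no `let(:pre_condition) { 'include apache' }`, while the vhost, vhost::static and vhost::template specs added in the same commit each declare one right after `let(:facts)`; if apache::vhost::php::webapp depends on the apache class being in the catalogue (not visible here), these examples will not compile, so adding the same `let(:pre_condition) { 'include apache' }` keeps the specs consistent. The two `with_content` strings also pin the fixed cookie name and the renamed login script verbatim, so a one-line comment such as `# cookie and redirect names come from the partial named by :template_partial` above the first `with_content` call would tell the next maintainer where to update them when the template changes.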
@@ -0,0 +1,202 @@ +require File.expand_path(File.join(File.dirname(__FILE__),'../spec_helper')) + +describe 'apache::vhost', :type => 'define' do + let(:title){ 'example.com' } + let(:facts){ + { + :fqdn => 'apache.example.com', + :operatingsystem => 'CentOS', + :operatingsystemmajrelease => '7', + } + } + let(:pre_condition) { + 'include apache' + } + describe 'with standard' do + it { should contain_apache__vhost__template('example.com').with( + :ensure => 'present', + :do_includes => false, + :run_mode => 'normal', + :ssl_mode => false, + :logmode => 'default', + :mod_security => true, + :htpasswd_file => 'absent', + :htpasswd_path => 'absent', + :use_mod_macro => false, + )} + # go deeper in the catalog and the test the produced content from the template + it { should contain_apache__vhost__file('example.com').with_content( +" + + Include include.d/defaults.inc + ServerName example.com + DocumentRoot /var/www/vhosts/example.com/www/ + + + ErrorLog /var/www/vhosts/example.com/logs/error_log + CustomLog /var/www/vhosts/example.com/logs/access_log combined + + + + + AllowOverride None + + + + + + SecRuleEngine On + SecAuditEngine RelevantOnly + SecAuditLogType Concurrent + SecAuditLogStorageDir /var/www/vhosts/example.com/logs/ + SecAuditLog /var/www/vhosts/example.com/logs/mod_security_audit.log + SecDebugLog /var/www/vhosts/example.com/logs/mod_security_debug.log + + + +" +)} + end + describe 'with params' do + let(:params){ + { + :do_includes => true, + :ssl_mode => true, + :logmode => 'anonym', + :mod_security => false, + :htpasswd_file => true, + } + } + it { should contain_apache__vhost__template('example.com').with( + :ensure => 'present', + :path => 'absent', + :path_is_webdir => false, + :logpath => 'absent', + :logmode => 'anonym', + :logprefix => '', + :domain => 'absent', + :domainalias => 'absent', + :server_admin => 'absent', + :allow_override => 'None', + :do_includes => true, + :options => 'absent', + :additional_options => 'absent', + 
:default_charset => 'absent', + :php_settings => {}, + :php_options => {}, + :run_mode => 'normal', + :run_uid => 'absent', + :run_gid => 'absent', + :template_partial => 'apache/vhosts/static/partial.erb', + :ssl_mode => true, + :htpasswd_file => true, + :htpasswd_path => 'absent', + :ldap_auth => false, + :ldap_user => 'any', + :mod_security => false, + :mod_security_relevantonly => true, + :mod_security_rules_to_disable => [], + :mod_security_additional_options => 'absent', + :use_mod_macro => false, + :passing_extension => 'absent', + :gempath => 'absent', + )} + # go deeper in the catalog and the test the produced content from the template + it { should contain_apache__vhost__file('example.com').with_content( +" + + Include include.d/defaults.inc + ServerName example.com + DocumentRoot /var/www/vhosts/example.com/www/ + + + ErrorLog /dev/null + CustomLog /var/www/vhosts/example.com/logs/access_log noip + + + + + AllowOverride None + Options +Includes + AuthType Basic + AuthName \"Access fuer example.com\" + AuthUserFile /var/www/htpasswds/example.com + require valid-user + + + + + SecRuleEngine Off + SecAuditEngine Off + SecAuditLogType Concurrent + SecAuditLogStorageDir /var/www/vhosts/example.com/logs/ + SecAuditLog /var/www/vhosts/example.com/logs/mod_security_audit.log + SecDebugLog /var/www/vhosts/example.com/logs/mod_security_debug.log + + + + + + Include include.d/defaults.inc + Include include.d/ssl_defaults.inc + ServerName example.com + DocumentRoot /var/www/vhosts/example.com/www/ + + + ErrorLog /dev/null + CustomLog /var/www/vhosts/example.com/logs/access_log noip + + + + + AllowOverride None + Options +Includes + AuthType Basic + AuthName \"Access fuer example.com\" + AuthUserFile /var/www/htpasswds/example.com + require valid-user + + + + + SecRuleEngine Off + SecAuditEngine Off + SecAuditLogType Concurrent + SecAuditLogStorageDir /var/www/vhosts/example.com/logs/ + SecAuditLog /var/www/vhosts/example.com/logs/mod_security_audit.log + SecDebugLog 
/var/www/vhosts/example.com/logs/mod_security_debug.log + + + +" +)} + end + describe 'with params II' do + let(:params){ + { + :vhost_mode => 'file', + } + } + it { should_not contain_apache__vhost__template('example.com') } + it { should contain_apache__vhost__file('example.com').with( + :ensure => 'present', + :vhost_source => 'absent', + :vhost_destination => 'absent', + :do_includes => false, + :run_mode => 'normal', + :mod_security => true, + :htpasswd_file => 'absent', + :htpasswd_path => 'absent', + :use_mod_macro => false, + )} + end + describe 'with wrong vhost_mode' do + let(:params){ + { + :vhost_mode => 'foo', + } + } + it { expect { should compile }.to raise_error(Puppet::Error, /No such vhost_mode: foo defined for example.com\./) + } + end +end diff --git a/spec/defines/vhost_static_spec.rb b/spec/defines/vhost_static_spec.rb new file mode 100644 index 0000000..37891bb --- /dev/null +++ b/spec/defines/vhost_static_spec.rb 
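Review bot: The `with wrong vhost_mode` example wraps `should compile` in `expect { … }.to raise_error(Puppet::Error, …)`, which relies on the compile matcher letting the Puppet::Error escape the block; rspec-puppet's compile matcher may catch compilation errors itself and report an ordinary expectation failure, in which case this example never sees the error it is looking for. The matcher has its own form for this case, so `it { should compile.and_raise_error(/No such vhost_mode: foo defined for example.com\./) }` expresses the intent without depending on the exception propagating through the block.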
@@ -0,0 +1,54 @@ +require File.expand_path(File.join(File.dirname(__FILE__),'../spec_helper')) + +describe 'apache::vhost::static', :type => 'define' do + let(:title){ 'example.com' } + let(:facts){ + { + :fqdn => 'apache.example.com', + :operatingsystem => 'CentOS', + :operatingsystemmajrelease => '7', + } + } + let(:pre_condition) { + 'include apache' + } + describe 'with standard' do + # only test the relevant options + it { should contain_apache__vhost__webdir('example.com').with( + :datadir => false, + )} + it { should contain_apache__vhost('example.com') } + # go deeper in the catalog and test the produced template + it { should contain_apache__vhost__file('example.com').with_content( +" + + Include include.d/defaults.inc + ServerName example.com + DocumentRoot /var/www/vhosts/example.com/www/ + + + ErrorLog /var/www/vhosts/example.com/logs/error_log + CustomLog /var/www/vhosts/example.com/logs/access_log combined + + + + + AllowOverride None + + + + + + SecRuleEngine Off + SecAuditEngine Off + SecAuditLogType Concurrent + SecAuditLogStorageDir /var/www/vhosts/example.com/logs/ + SecAuditLog /var/www/vhosts/example.com/logs/mod_security_audit.log + SecDebugLog /var/www/vhosts/example.com/logs/mod_security_debug.log + + + +" +)} + end +end diff --git a/spec/defines/vhost_template_spec.rb b/spec/defines/vhost_template_spec.rb new file mode 100644 index 0000000..96fb9ac --- /dev/null +++ b/spec/defines/vhost_template_spec.rb 
@@ -0,0 +1,297 @@ +require File.expand_path(File.join(File.dirname(__FILE__),'../spec_helper')) + +describe 'apache::vhost::template', :type => 'define' do + let(:title){ 'example.com' } + let(:facts){ + { + :fqdn => 'apache.example.com', + :operatingsystem => 'CentOS', + :operatingsystemmajrelease => '7', + } + } + let(:pre_condition) { + 'include apache' + } + describe 'with standard' do + it { should contain_apache__vhost__file('example.com').with( + :ensure => 'present', + :do_includes => false, + :run_mode => 'normal', + :ssl_mode => false, + :logmode => 'default', + :mod_security => true, + :htpasswd_file => 'absent', + :htpasswd_path => 'absent', + :use_mod_macro => false, + )} + it { should contain_apache__vhost__file('example.com').with_content( +" + + Include include.d/defaults.inc + ServerName example.com + DocumentRoot /var/www/vhosts/example.com/www/ + + + ErrorLog /var/www/vhosts/example.com/logs/error_log + CustomLog /var/www/vhosts/example.com/logs/access_log combined + + + + + AllowOverride None + + + + + + SecRuleEngine On + SecAuditEngine RelevantOnly + SecAuditLogType Concurrent + SecAuditLogStorageDir /var/www/vhosts/example.com/logs/ + SecAuditLog /var/www/vhosts/example.com/logs/mod_security_audit.log + SecDebugLog /var/www/vhosts/example.com/logs/mod_security_debug.log + + + +" +)} + end + describe 'with params' do + let(:params){ + { + :do_includes => true, + :ssl_mode => true, + :logmode => 'anonym', + :mod_security => false, + :htpasswd_file => true, + } + } + it { should contain_apache__vhost__file('example.com').with( + :ensure => 'present', + :do_includes => true, + :run_mode => 'normal', + :ssl_mode => true, + :logmode => 'anonym', + :mod_security => false, + :htpasswd_file => true, + :htpasswd_path => 'absent', + :use_mod_macro => false, + )} + it { should contain_apache__vhost__file('example.com').with_content( +" + + Include include.d/defaults.inc + ServerName example.com + DocumentRoot /var/www/vhosts/example.com/www/ + + + 
ErrorLog /dev/null + CustomLog /var/www/vhosts/example.com/logs/access_log noip + + + + + AllowOverride None + Options +Includes + AuthType Basic + AuthName \"Access fuer example.com\" + AuthUserFile /var/www/htpasswds/example.com + require valid-user + + + + + SecRuleEngine Off + SecAuditEngine Off + SecAuditLogType Concurrent + SecAuditLogStorageDir /var/www/vhosts/example.com/logs/ + SecAuditLog /var/www/vhosts/example.com/logs/mod_security_audit.log + SecDebugLog /var/www/vhosts/example.com/logs/mod_security_debug.log + + + + + + Include include.d/defaults.inc + Include include.d/ssl_defaults.inc + ServerName example.com + DocumentRoot /var/www/vhosts/example.com/www/ + + + ErrorLog /dev/null + CustomLog /var/www/vhosts/example.com/logs/access_log noip + + + + + AllowOverride None + Options +Includes + AuthType Basic + AuthName \"Access fuer example.com\" + AuthUserFile /var/www/htpasswds/example.com + require valid-user + + + + + SecRuleEngine Off + SecAuditEngine Off + SecAuditLogType Concurrent + SecAuditLogStorageDir /var/www/vhosts/example.com/logs/ + SecAuditLog /var/www/vhosts/example.com/logs/mod_security_audit.log + SecDebugLog /var/www/vhosts/example.com/logs/mod_security_debug.log + + + +" +)} + end + describe 'with params II' do + let(:params){ + { + :do_includes => true, + :ssl_mode => 'force', + :logmode => 'semianonym', + :mod_security => false, + :htpasswd_file => true, + } + } + it { should contain_apache__vhost__file('example.com').with( + :ensure => 'present', + :do_includes => true, + :run_mode => 'normal', + :ssl_mode => 'force', + :logmode => 'semianonym', + :mod_security => false, + :htpasswd_file => true, + :htpasswd_path => 'absent', + :use_mod_macro => false, + )} + it { should contain_apache__vhost__file('example.com').with_content( +" + + Include include.d/defaults.inc + ServerName example.com + DocumentRoot /var/www/vhosts/example.com/www/ + + + ErrorLog /var/www/vhosts/example.com/logs/error_log + CustomLog 
/var/www/vhosts/example.com/logs/access_log noip + + + + RewriteEngine On + RewriteCond %{HTTPS} !=on + RewriteCond %{HTTP:X-Forwarded-Proto} !=https + RewriteRule (.*) https://%{SERVER_NAME}$1 [R=permanent,L] + + AllowOverride None + Options +Includes + AuthType Basic + AuthName \"Access fuer example.com\" + AuthUserFile /var/www/htpasswds/example.com + require valid-user + + + + + SecRuleEngine Off + SecAuditEngine Off + SecAuditLogType Concurrent + SecAuditLogStorageDir /var/www/vhosts/example.com/logs/ + SecAuditLog /var/www/vhosts/example.com/logs/mod_security_audit.log + SecDebugLog /var/www/vhosts/example.com/logs/mod_security_debug.log + + + + + + Include include.d/defaults.inc + Include include.d/ssl_defaults.inc + ServerName example.com + DocumentRoot /var/www/vhosts/example.com/www/ + + + ErrorLog /var/www/vhosts/example.com/logs/error_log + CustomLog /var/www/vhosts/example.com/logs/access_log noip + + + + + AllowOverride None + Options +Includes + AuthType Basic + AuthName \"Access fuer example.com\" + AuthUserFile /var/www/htpasswds/example.com + require valid-user + + + + + SecRuleEngine Off + SecAuditEngine Off + SecAuditLogType Concurrent + SecAuditLogStorageDir /var/www/vhosts/example.com/logs/ + SecAuditLog /var/www/vhosts/example.com/logs/mod_security_audit.log + SecDebugLog /var/www/vhosts/example.com/logs/mod_security_debug.log + + + +" +)} + end + describe 'with params III' do + let(:params){ + { + :do_includes => false, + :ssl_mode => 'only', + :logmode => 'nologs', + :mod_security => true, + :htpasswd_file => 'absent', + } + } + it { should contain_apache__vhost__file('example.com').with( + :ensure => 'present', + :do_includes => false, + :run_mode => 'normal', + :ssl_mode => 'only', + :logmode => 'nologs', + :mod_security => true, + :htpasswd_file => 'absent', + :htpasswd_path => 'absent', + :use_mod_macro => false, + )} + it { should contain_apache__vhost__file('example.com').with_content( +" + + Include include.d/defaults.inc + Include 
include.d/ssl_defaults.inc
+ ServerName example.com
+ DocumentRoot /var/www/vhosts/example.com/www/
+
+
+ ErrorLog /dev/null
+ CustomLog /dev/null
+
+
+
+
+ AllowOverride None
+
+
+
+
+
+ SecRuleEngine On
+ SecAuditEngine RelevantOnly
+ SecAuditLogType Concurrent
+ SecAuditLogStorageDir /var/www/vhosts/example.com/logs/
+ SecAuditLog /var/www/vhosts/example.com/logs/mod_security_audit.log
+ SecDebugLog /var/www/vhosts/example.com/logs/mod_security_debug.log
+
+
+
+"
+)}
+ end
+end
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
new file mode 100644
index 0000000..381f972
--- /dev/null
+++ b/spec/spec_helper.rb
@@ -0,0 +1,13 @@
+require 'puppetlabs_spec_helper/module_spec_helper'
+require 'rake'
+
+fixture_path = File.expand_path(File.join(__FILE__, '..', 'fixtures'))
+
+RSpec.configure do |c|
+ c.module_path = File.join(fixture_path, 'modules')
+ c.manifest_dir = File.join(fixture_path, 'manifests')
+ c.pattern = FileList[c.pattern].exclude(/^spec\/fixtures/)
+end
+
+Puppet::Util::Log.level = :warning
+Puppet::Util::Log.newdestination(:console)
-- cgit v1.2.3

From 91ce5c16d26a51d7b61416e18b899e4ac115fa25 Mon Sep 17 00:00:00 2001
From: o
Date: Thu, 16 Oct 2014 11:40:04 +0200
Subject: disable SSLv3

---
 files/include.d/CentOS/ssl_defaults.inc | 3 +--
 files/include.d/Debian/ssl_defaults.inc | 2 +-
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/files/include.d/CentOS/ssl_defaults.inc b/files/include.d/CentOS/ssl_defaults.inc
index 7735ebb..776b7c3 100644
--- a/files/include.d/CentOS/ssl_defaults.inc
+++ b/files/include.d/CentOS/ssl_defaults.inc
@@ -5,8 +5,7 @@ SSLEngine on
 # SSL Protocol support:
 # List the enable protocol levels with which clients will be able to
 # connect. Disable SSLv2 access by default:
-#SSLProtocol all -SSLv2
-SSLProtocol -all +SSLv3 +TLSv1
+SSLProtocol All -SSLv2 -SSLv3
 
 # SSL Cipher Suite:
 # List the ciphers that the client is permitted to negotiate.
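Review bot: The context comment above the new `SSLProtocol All -SSLv2 -SSLv3` line still reads `# connect. Disable SSLv2 access by default:`, so the file now documents one protocol exclusion while the directive enforces two; the same stale comment sits above the identical change in the Debian ssl_defaults.inc hunk that follows. Update both to `# connect. Disable SSLv2 and SSLv3 access by default:` so the comment matches the directive it describes. Since `All -SSLv2 -SSLv3` is an exclusion list rather than an allow-list, a short note that any newer TLS version the build supports stays enabled would also help a reader who later wonders why the line does not name TLS versions explicitly.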
diff --git a/files/include.d/Debian/ssl_defaults.inc b/files/include.d/Debian/ssl_defaults.inc
index 7030ec8..2599a4f 100644
--- a/files/include.d/Debian/ssl_defaults.inc
+++ b/files/include.d/Debian/ssl_defaults.inc
@@ -11,7 +11,7 @@ SSLEngine on
 # SSL Protocol support:
 # List the enable protocol levels with which clients will be able to
 # connect. Disable SSLv2 access by default:
-SSLProtocol -all +SSLv3 +TLSv1
+SSLProtocol All -SSLv2 -SSLv3
 
 # SSL Cipher Suite:
 # List the ciphers that the client is permitted to negotiate.
-- cgit v1.2.3

From 49064cc0ad4f89dd7aaa2690436c30a26a0385f9 Mon Sep 17 00:00:00 2001
From: o Date: Fri, 14 Nov 2014 11:47:35 +0100 Subject: sni: make ssl_cert configurable per vhost to support sni we configure ssl_certs on a vhost basis. additionally this commit introduces a generic configuration hash which will be used to replace most other parameters in the future. --- files/include.d/CentOS/ssl_defaults.inc | 134 ------------------ files/include.d/Debian/ssl_defaults.inc | 144 ------------------- files/include.d/OpenBSD/ssl_defaults.inc | 5 - files/vhosts.d/CentOS/0-default_ssl.conf | 21 --- files/vhosts.d/Debian/0-default_ssl.conf | 170 ----------------------- files/vhosts.d/Gentoo/0-default_ssl.conf | 200 --------------------------- files/vhosts.d/OpenBSD/0-default_ssl.conf | 9 -- manifests/init.pp | 14 +- manifests/ssl/base.pp | 13 +- manifests/vhost.pp | 3 + manifests/vhost/file.pp | 1 + manifests/vhost/gitweb.pp | 2 + manifests/vhost/modperl.pp | 2 + manifests/vhost/passenger.pp | 2 + manifests/vhost/php/drupal.pp | 2 + manifests/vhost/php/gallery2.pp | 2 + manifests/vhost/php/joomla.pp | 2 + manifests/vhost/php/mediawiki.pp | 2 + manifests/vhost/php/silverstripe.pp | 2 + manifests/vhost/php/simplemachine.pp | 2 + manifests/vhost/php/spip.pp | 2 + manifests/vhost/php/standard.pp | 2 + manifests/vhost/php/typo3.pp | 2 + manifests/vhost/php/webapp.pp | 2 + manifests/vhost/php/wordpress.pp | 2 + manifests/vhost/proxy.pp | 2 + manifests/vhost/redirect.pp | 2 + manifests/vhost/static.pp | 2 + manifests/vhost/template.pp | 2 + manifests/vhost/webdav.pp | 2 + templates/include.d/ssl_defaults.inc.erb | 81 +++++++++++ templates/vhosts/0-default_ssl.conf.erb | 21 +++ templates/vhosts/default.erb | 4 +- templates/vhosts/partials/header_default.erb | 2 + templates/vhosts/partials/ssl.erb | 5 + 35 files changed, 173 insertions(+), 692 deletions(-) delete mode 100644 files/include.d/CentOS/ssl_defaults.inc delete mode 100644 files/include.d/Debian/ssl_defaults.inc delete mode 100644 files/include.d/OpenBSD/ssl_defaults.inc delete mode 100644 
files/vhosts.d/CentOS/0-default_ssl.conf
 delete mode 100644 files/vhosts.d/Debian/0-default_ssl.conf
 delete mode 100644 files/vhosts.d/Gentoo/0-default_ssl.conf
 delete mode 100644 files/vhosts.d/OpenBSD/0-default_ssl.conf
 create mode 100644 templates/include.d/ssl_defaults.inc.erb
 create mode 100644 templates/vhosts/0-default_ssl.conf.erb
 create mode 100644 templates/vhosts/partials/ssl.erb

diff --git a/files/include.d/CentOS/ssl_defaults.inc b/files/include.d/CentOS/ssl_defaults.inc
deleted file mode 100644
index 776b7c3..0000000
--- a/files/include.d/CentOS/ssl_defaults.inc
+++ /dev/null
@@ -1,134 +0,0 @@ -# SSL Engine Switch: -# Enable/Disable SSL for this virtual host. -SSLEngine on - -# SSL Protocol support: -# List the enable protocol levels with which clients will be able to -# connect. Disable SSLv2 access by default: -SSLProtocol All -SSLv2 -SSLv3 - -# SSL Cipher Suite: -# List the ciphers that the client is permitted to negotiate. -# See the mod_ssl documentation for a complete list. -#SSLCipherSuite HIGH:MEDIUM:!ADH:-SSLv2 -SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH - -SSLHonorCipherOrder on - -# Server Certificate: -# Point SSLCertificateFile at a PEM encoded certificate. If -# the certificate is encrypted, then you will be prompted for a -# pass phrase. Note that a kill -HUP will prompt again. A new -# certificate can be generated using the genkey(1) command. -#SSLCertificateFile /etc/pki/tls/certs/localhost.crt - -# Server Private Key: -# If the key is not combined with the certificate, use this -# directive to point at the key file. Keep in mind that if -# you've both a RSA and a DSA private key you can configure -# both in parallel (to also allow the use of DSA ciphers, etc.) -#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key - -# Server Certificate Chain: -# Point SSLCertificateChainFile at a file containing the -# concatenation of PEM encoded CA certificates which form the -# certificate chain for the server certificate. Alternatively -# the referenced file can be the same as SSLCertificateFile -# when the CA certificates are directly appended to the server -# certificate for convinience. -#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt - -# Certificate Authority (CA): -# Set the CA certificate verification path where to find CA -# certificates for client authentication or alternatively one -# huge file containing all of them (file must be PEM encoded) -#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt - -# Client Authentication (Type): -# Client certificate verification type and depth. 
Types are -# none, optional, require and optional_no_ca. Depth is a -# number which specifies how deeply to verify the certificate -# issuer chain before deciding the certificate is not valid. -#SSLVerifyClient require -#SSLVerifyDepth 10 - -# Access Control: -# With SSLRequire you can do per-directory access control based -# on arbitrary complex boolean expressions containing server -# variable checks and other lookup directives. The syntax is a -# mixture between C and Perl. See the mod_ssl documentation -# for more details. -# -#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ -# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ -# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ -# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ -# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ -# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ -# - -# SSL Engine Options: -# Set various options for the SSL engine. -# o FakeBasicAuth: -# Translate the client X.509 into a Basic Authorisation. This means that -# the standard Auth/DBMAuth methods can be used for access control. The -# user name is the `one line' version of the client's X.509 certificate. -# Note that no password is obtained from the user. Every entry in the user -# file needs this password: `xxj31ZMTZzkVA'. -# o ExportCertData: -# This exports two additional environment variables: SSL_CLIENT_CERT and -# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the -# server (always existing) and the client (only existing when client -# authentication is used). This can be used to import the certificates -# into CGI scripts. -# o StdEnvVars: -# This exports the standard SSL/TLS related `SSL_*' environment variables. -# Per default this exportation is switched off for performance reasons, -# because the extraction step is an expensive operation and is usually -# useless for serving static content. So one usually enables the -# exportation for CGI and SSI requests only. 
-# o StrictRequire: -# This denies access when "SSLRequireSSL" or "SSLRequire" applied even -# under a "Satisfy any" situation, i.e. when it applies access is denied -# and no other module can change it. -# o OptRenegotiate: -# This enables optimized SSL connection renegotiation handling when SSL -# directives are used in per-directory context. -#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire - - SSLOptions +StdEnvVars - - - SSLOptions +StdEnvVars - - -# SSL Protocol Adjustments: -# The safe and default but still SSL/TLS standard compliant shutdown -# approach is that mod_ssl sends the close notify alert but doesn't wait for -# the close notify alert from client. When you need a different shutdown -# approach you can use one of the following variables: -# o ssl-unclean-shutdown: -# This forces an unclean shutdown when the connection is closed, i.e. no -# SSL close notify alert is send or allowed to received. This violates -# the SSL/TLS standard but is needed for some brain-dead browsers. Use -# this when you receive I/O errors because of the standard approach where -# mod_ssl sends the close notify alert. -# o ssl-accurate-shutdown: -# This forces an accurate shutdown when the connection is closed, i.e. a -# SSL close notify alert is send and mod_ssl waits for the close notify -# alert of the client. This is 100% SSL/TLS standard compliant, but in -# practice often causes hanging connections with brain-dead browsers. Use -# this only for browsers where you know that their SSL implementation -# works correctly. -# Notice: Most problems of broken clients are also related to the HTTP -# keep-alive facility, so you usually additionally want to disable -# keep-alive for those clients, too. Use variable "nokeepalive" for this. -# Similarly, one has to force some clients to use HTTP/1.0 to workaround -# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and -# "force-response-1.0" for this. 
-SetEnvIf User-Agent ".*MSIE.*" \ - nokeepalive ssl-unclean-shutdown \ - downgrade-1.0 force-response-1.0 - -# set STS Header -Header add Strict-Transport-Security "max-age=15768000" diff --git a/files/include.d/Debian/ssl_defaults.inc b/files/include.d/Debian/ssl_defaults.inc deleted file mode 100644 index 2599a4f..0000000 --- a/files/include.d/Debian/ssl_defaults.inc +++ /dev/null 
@@ -1,144 +0,0 @@ -# Use separate log files for the SSL virtual host; note that LogLevel -# is not inherited from httpd.conf. -ErrorLog /var/log/apache2/ssl_error_log -TransferLog /var/log/apache2/ssl_access_log -LogLevel warn - -# SSL Engine Switch: -# Enable/Disable SSL for this virtual host. -SSLEngine on - -# SSL Protocol support: -# List the enable protocol levels with which clients will be able to -# connect. Disable SSLv2 access by default: -SSLProtocol All -SSLv2 -SSLv3 - -# SSL Cipher Suite: -# List the ciphers that the client is permitted to negotiate. -# See the mod_ssl documentation for a complete list. -SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH -SSLHonorCipherOrder on - -# Server Certificate: -# Point SSLCertificateFile at a PEM encoded certificate. If -# the certificate is encrypted, then you will be prompted for a -# pass phrase. Note that a kill -HUP will prompt again. A new -# certificate can be generated using the genkey(1) command. -#SSLCertificateFile /etc/pki/tls/certs/localhost.crt - -# Server Private Key: -# If the key is not combined with the certificate, use this -# directive to point at the key file. Keep in mind that if -# you've both a RSA and a DSA private key you can configure -# both in parallel (to also allow the use of DSA ciphers, etc.) -#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key - -# Server Certificate Chain: -# Point SSLCertificateChainFile at a file containing the -# concatenation of PEM encoded CA certificates which form the -# certificate chain for the server certificate. Alternatively -# the referenced file can be the same as SSLCertificateFile -# when the CA certificates are directly appended to the server -# certificate for convinience. 
-#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt - -# Certificate Authority (CA): -# Set the CA certificate verification path where to find CA -# certificates for client authentication or alternatively one -# huge file containing all of them (file must be PEM encoded) -#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt - -# Client Authentication (Type): -# Client certificate verification type and depth. Types are -# none, optional, require and optional_no_ca. Depth is a -# number which specifies how deeply to verify the certificate -# issuer chain before deciding the certificate is not valid. -#SSLVerifyClient require -#SSLVerifyDepth 10 - -# Access Control: -# With SSLRequire you can do per-directory access control based -# on arbitrary complex boolean expressions containing server -# variable checks and other lookup directives. The syntax is a -# mixture between C and Perl. See the mod_ssl documentation -# for more details. -# -#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ -# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ -# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ -# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ -# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ -# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ -# - -# SSL Engine Options: -# Set various options for the SSL engine. -# o FakeBasicAuth: -# Translate the client X.509 into a Basic Authorisation. This means that -# the standard Auth/DBMAuth methods can be used for access control. The -# user name is the `one line' version of the client's X.509 certificate. -# Note that no password is obtained from the user. Every entry in the user -# file needs this password: `xxj31ZMTZzkVA'. -# o ExportCertData: -# This exports two additional environment variables: SSL_CLIENT_CERT and -# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the -# server (always existing) and the client (only existing when client -# authentication is used). 
This can be used to import the certificates -# into CGI scripts. -# o StdEnvVars: -# This exports the standard SSL/TLS related `SSL_*' environment variables. -# Per default this exportation is switched off for performance reasons, -# because the extraction step is an expensive operation and is usually -# useless for serving static content. So one usually enables the -# exportation for CGI and SSI requests only. -# o StrictRequire: -# This denies access when "SSLRequireSSL" or "SSLRequire" applied even -# under a "Satisfy any" situation, i.e. when it applies access is denied -# and no other module can change it. -# o OptRenegotiate: -# This enables optimized SSL connection renegotiation handling when SSL -# directives are used in per-directory context. -#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire - - SSLOptions +StdEnvVars - - - SSLOptions +StdEnvVars - - -# SSL Protocol Adjustments: -# The safe and default but still SSL/TLS standard compliant shutdown -# approach is that mod_ssl sends the close notify alert but doesn't wait for -# the close notify alert from client. When you need a different shutdown -# approach you can use one of the following variables: -# o ssl-unclean-shutdown: -# This forces an unclean shutdown when the connection is closed, i.e. no -# SSL close notify alert is send or allowed to received. This violates -# the SSL/TLS standard but is needed for some brain-dead browsers. Use -# this when you receive I/O errors because of the standard approach where -# mod_ssl sends the close notify alert. -# o ssl-accurate-shutdown: -# This forces an accurate shutdown when the connection is closed, i.e. a -# SSL close notify alert is send and mod_ssl waits for the close notify -# alert of the client. This is 100% SSL/TLS standard compliant, but in -# practice often causes hanging connections with brain-dead browsers. Use -# this only for browsers where you know that their SSL implementation -# works correctly. 
-# Notice: Most problems of broken clients are also related to the HTTP -# keep-alive facility, so you usually additionally want to disable -# keep-alive for those clients, too. Use variable "nokeepalive" for this. -# Similarly, one has to force some clients to use HTTP/1.0 to workaround -# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and -# "force-response-1.0" for this. -SetEnvIf User-Agent ".*MSIE.*" \ - nokeepalive ssl-unclean-shutdown \ - downgrade-1.0 force-response-1.0 - -# Per-Server Logging: -# The home of a custom SSL log file. Use this when you want a -# compact non-error SSL logfile on a virtual host basis. -CustomLog /var/log/apache2/ssl_request_log \ - "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" - -# set STS Header -Header add Strict-Transport-Security "max-age=15768000" diff --git a/files/include.d/OpenBSD/ssl_defaults.inc b/files/include.d/OpenBSD/ssl_defaults.inc deleted file mode 100644 index 67cf36f..0000000 --- a/files/include.d/OpenBSD/ssl_defaults.inc +++ /dev/null @@ -1,5 +0,0 @@ -SSLEngine on -#SSLCipherSuite HIGH:MEDIUM:!ADH:-SSLv2 -SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH -SSLCertificateFile /etc/ssl/server.crt -SSLCertificateKeyFile /etc/ssl/private/server.key diff --git a/files/vhosts.d/CentOS/0-default_ssl.conf b/files/vhosts.d/CentOS/0-default_ssl.conf deleted file mode 100644 index d018bcc..0000000 --- a/files/vhosts.d/CentOS/0-default_ssl.conf +++ /dev/null 
@@ -1,21 +0,0 @@ -############################################################ -### This file is managed by PUPPET! #### -### Only modify in repo or you will loose the changes! #### -############################################################ - - - Include include.d/defaults.inc - Include include.d/ssl_defaults.inc - DocumentRoot /var/www/html - - # Use separate log files for the SSL virtual host; note that LogLevel - # is not inherited from httpd.conf. - ErrorLog logs/ssl_error_log - TransferLog logs/ssl_access_log - LogLevel warn - - SSLCertificateFile /etc/pki/tls/certs/localhost.crt - SSLCertificateKeyFile /etc/pki/tls/private/localhost.key - - -# vim: ts=4 filetype=apache diff --git a/files/vhosts.d/Debian/0-default_ssl.conf b/files/vhosts.d/Debian/0-default_ssl.conf deleted file mode 100644 index 870215c..0000000 --- a/files/vhosts.d/Debian/0-default_ssl.conf +++ /dev/null 
@@ -1,170 +0,0 @@ - - - ServerAdmin webmaster@localhost - - DocumentRoot /var/www/ - - Options FollowSymLinks - AllowOverride None - - - Options Indexes FollowSymLinks MultiViews - AllowOverride None - Order allow,deny - allow from all - - - ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ - - AllowOverride None - Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch - Order allow,deny - Allow from all - - - ErrorLog /var/log/apache2/error.log - - # Possible values include: debug, info, notice, warn, error, crit, - # alert, emerg. - LogLevel warn - - CustomLog /var/log/apache2/ssl_access.log combined - - Alias /doc/ "/usr/share/doc/" - - Options Indexes MultiViews FollowSymLinks - AllowOverride None - Order deny,allow - Deny from all - Allow from 127.0.0.0/255.0.0.0 ::1/128 - - - # SSL Engine Switch: - # Enable/Disable SSL for this virtual host. - SSLEngine on - - # A self-signed (snakeoil) certificate can be created by installing - # the ssl-cert package. See - # /usr/share/doc/apache2.2-common/README.Debian.gz for more info. - # If both key and certificate are stored in the same file, only the - # SSLCertificateFile directive is needed. - SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem - SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key - - # Server Certificate Chain: - # Point SSLCertificateChainFile at a file containing the - # concatenation of PEM encoded CA certificates which form the - # certificate chain for the server certificate. Alternatively - # the referenced file can be the same as SSLCertificateFile - # when the CA certificates are directly appended to the server - # certificate for convinience. 
- #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt - - # Certificate Authority (CA): - # Set the CA certificate verification path where to find CA - # certificates for client authentication or alternatively one - # huge file containing all of them (file must be PEM encoded) - # Note: Inside SSLCACertificatePath you need hash symlinks - # to point to the certificate files. Use the provided - # Makefile to update the hash symlinks after changes. - #SSLCACertificatePath /etc/ssl/certs/ - #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt - - # Certificate Revocation Lists (CRL): - # Set the CA revocation path where to find CA CRLs for client - # authentication or alternatively one huge file containing all - # of them (file must be PEM encoded) - # Note: Inside SSLCARevocationPath you need hash symlinks - # to point to the certificate files. Use the provided - # Makefile to update the hash symlinks after changes. - #SSLCARevocationPath /etc/apache2/ssl.crl/ - #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl - - # Client Authentication (Type): - # Client certificate verification type and depth. Types are - # none, optional, require and optional_no_ca. Depth is a - # number which specifies how deeply to verify the certificate - # issuer chain before deciding the certificate is not valid. - #SSLVerifyClient require - #SSLVerifyDepth 10 - - # Access Control: - # With SSLRequire you can do per-directory access control based - # on arbitrary complex boolean expressions containing server - # variable checks and other lookup directives. The syntax is a - # mixture between C and Perl. See the mod_ssl documentation - # for more details. - # - #SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ - # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." 
\ - # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ - # and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ - # and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ - # or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ - # - - # SSL Engine Options: - # Set various options for the SSL engine. - # o FakeBasicAuth: - # Translate the client X.509 into a Basic Authorisation. This means that - # the standard Auth/DBMAuth methods can be used for access control. The - # user name is the `one line' version of the client's X.509 certificate. - # Note that no password is obtained from the user. Every entry in the user - # file needs this password: `xxj31ZMTZzkVA'. - # o ExportCertData: - # This exports two additional environment variables: SSL_CLIENT_CERT and - # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the - # server (always existing) and the client (only existing when client - # authentication is used). This can be used to import the certificates - # into CGI scripts. - # o StdEnvVars: - # This exports the standard SSL/TLS related `SSL_*' environment variables. - # Per default this exportation is switched off for performance reasons, - # because the extraction step is an expensive operation and is usually - # useless for serving static content. So one usually enables the - # exportation for CGI and SSI requests only. - # o StrictRequire: - # This denies access when "SSLRequireSSL" or "SSLRequire" applied even - # under a "Satisfy any" situation, i.e. when it applies access is denied - # and no other module can change it. - # o OptRenegotiate: - # This enables optimized SSL connection renegotiation handling when SSL - # directives are used in per-directory context. 
- #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire - - SSLOptions +StdEnvVars - - - SSLOptions +StdEnvVars - - - # SSL Protocol Adjustments: - # The safe and default but still SSL/TLS standard compliant shutdown - # approach is that mod_ssl sends the close notify alert but doesn't wait for - # the close notify alert from client. When you need a different shutdown - # approach you can use one of the following variables: - # o ssl-unclean-shutdown: - # This forces an unclean shutdown when the connection is closed, i.e. no - # SSL close notify alert is send or allowed to received. This violates - # the SSL/TLS standard but is needed for some brain-dead browsers. Use - # this when you receive I/O errors because of the standard approach where - # mod_ssl sends the close notify alert. - # o ssl-accurate-shutdown: - # This forces an accurate shutdown when the connection is closed, i.e. a - # SSL close notify alert is send and mod_ssl waits for the close notify - # alert of the client. This is 100% SSL/TLS standard compliant, but in - # practice often causes hanging connections with brain-dead browsers. Use - # this only for browsers where you know that their SSL implementation - # works correctly. - # Notice: Most problems of broken clients are also related to the HTTP - # keep-alive facility, so you usually additionally want to disable - # keep-alive for those clients, too. Use variable "nokeepalive" for this. - # Similarly, one has to force some clients to use HTTP/1.0 to workaround - # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and - # "force-response-1.0" for this. - BrowserMatch ".*MSIE.*" \ - nokeepalive ssl-unclean-shutdown \ - downgrade-1.0 force-response-1.0 - - - diff --git a/files/vhosts.d/Gentoo/0-default_ssl.conf b/files/vhosts.d/Gentoo/0-default_ssl.conf deleted file mode 100644 index a123de8..0000000 --- a/files/vhosts.d/Gentoo/0-default_ssl.conf +++ /dev/null 
@@ -1,200 +0,0 @@ -############################################################ -#### this file is managed by PUPPET #### -#### only modify in svn or you will loose the changes ! #### -############################################################ - - - -# see bug #178966 why this is in here - -# When we also provide SSL we have to listen to the HTTPS port -# Note: Configurations that use IPv6 but not IPv4-mapped addresses need two -# Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443" -Listen 443 -NameVirtualHost *:443 -LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %{SSL_PROTOCOL}x %{SSL_CIPHER}x" sslcombined -UseCanonicalName On - - - Include /etc/apache2/vhosts.d/default_vhost.include - ErrorLog /var/log/apache2/ssl_error_log - - - TransferLog /var/log/apache2/ssl_access_log - - - ## SSL Engine Switch: - # Enable/Disable SSL for this virtual host. - SSLEngine on - - ## SSL Cipher Suite: - # List the ciphers that the client is permitted to negotiate. - # See the mod_ssl documentation for a complete list. - #SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL - #SSLCipherSuite HIGH:MEDIUM:!ADH:-SSLv2 - SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:@STRENGTH - - SSLCertificateFile /e/certs/server.crt - SSLCertificateKeyFile /e/certs/server.key - - SSLOptions +StdEnvVars - - - RewriteEngine on - RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) - RewriteRule .* - [F] - ServerSignature Off - - ## Server Certificate: - # Point SSLCertificateFile at a PEM encoded certificate. If the certificate - # is encrypted, then you will be prompted for a pass phrase. Note that a - # kill -HUP will prompt again. Keep in mind that if you have both an RSA - # and a DSA certificate you can configure both in parallel (to also allow - # the use of DSA ciphers, etc.) 
- #SSLCertificateFile /etc/apache2/ssl/server.crt - #SSLCertificateFile /etc/apache2/ssl/server-dsa.crt - - ## Server Private Key: - # If the key is not combined with the certificate, use this directive to - # point at the key file. Keep in mind that if you've both a RSA and a DSA - # private key you can configure both in parallel (to also allow the use of - # DSA ciphers, etc.) - #SSLCertificateKeyFile /etc/apache2/ssl/server.key - #SSLCertificateKeyFile /etc/apache2/ssl/server-dsa.key - - ## Server Certificate Chain: - # Point SSLCertificateChainFile at a file containing the concatenation of - # PEM encoded CA certificates which form the certificate chain for the - # server certificate. Alternatively the referenced file can be the same as - # SSLCertificateFile when the CA certificates are directly appended to the - # server certificate for convinience. - #SSLCertificateChainFile /etc/apache2/ssl/ca.crt - - ## Certificate Authority (CA): - # Set the CA certificate verification path where to find CA certificates - # for client authentication or alternatively one huge file containing all - # of them (file must be PEM encoded). - # Note: Inside SSLCACertificatePath you need hash symlinks to point to the - # certificate files. Use the provided Makefile to update the hash symlinks - # after changes. - #SSLCACertificatePath /etc/apache2/ssl/ssl.crt - #SSLCACertificateFile /etc/apache2/ssl/ca-bundle.crt - - ## Certificate Revocation Lists (CRL): - # Set the CA revocation path where to find CA CRLs for client authentication - # or alternatively one huge file containing all of them (file must be PEM - # encoded). - # Note: Inside SSLCARevocationPath you need hash symlinks to point to the - # certificate files. Use the provided Makefile to update the hash symlinks - # after changes. - #SSLCARevocationPath /etc/apache2/ssl/ssl.crl - #SSLCARevocationFile /etc/apache2/ssl/ca-bundle.crl - - ## Client Authentication (Type): - # Client certificate verification type and depth. 
Types are none, optional, - # require and optional_no_ca. Depth is a number which specifies how deeply - # to verify the certificate issuer chain before deciding the certificate is - # not valid. - #SSLVerifyClient require - #SSLVerifyDepth 10 - - ## Access Control: - # With SSLRequire you can do per-directory access control based on arbitrary - # complex boolean expressions containing server variable checks and other - # lookup directives. The syntax is a mixture between C and Perl. See the - # mod_ssl documentation for more details. - # - # #SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ - # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ - # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ - # and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ - # and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ - # or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ - # - - ## SSL Engine Options: - # Set various options for the SSL engine. - - ## FakeBasicAuth: - # Translate the client X.509 into a Basic Authorisation. This means that the - # standard Auth/DBMAuth methods can be used for access control. The user - # name is the `one line' version of the client's X.509 certificate. - # Note that no password is obtained from the user. Every entry in the user - # file needs this password: `xxj31ZMTZzkVA'. - - ## ExportCertData: - # This exports two additional environment variables: SSL_CLIENT_CERT and - # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the server - # (always existing) and the client (only existing when client - # authentication is used). This can be used to import the certificates into - # CGI scripts. - - ## StdEnvVars: - # This exports the standard SSL/TLS related `SSL_*' environment variables. - # Per default this exportation is switched off for performance reasons, - # because the extraction step is an expensive operation and is usually - # useless for serving static content. So one usually enables the exportation - # for CGI and SSI requests only. 
- - ## StrictRequire: - # This denies access when "SSLRequireSSL" or "SSLRequire" applied even under - # a "Satisfy any" situation, i.e. when it applies access is denied and no - # other module can change it. - - ## OptRenegotiate: - # This enables optimized SSL connection renegotiation handling when SSL - # directives are used in per-directory context. - #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire - - SSLOptions +StdEnvVars - - - - SSLOptions +StdEnvVars - - - ## SSL Protocol Adjustments: - # The safe and default but still SSL/TLS standard compliant shutdown - # approach is that mod_ssl sends the close notify alert but doesn't wait - # for the close notify alert from client. When you need a different - # shutdown approach you can use one of the following variables: - - ## ssl-unclean-shutdown: - # This forces an unclean shutdown when the connection is closed, i.e. no - # SSL close notify alert is send or allowed to received. This violates the - # SSL/TLS standard but is needed for some brain-dead browsers. Use this when - # you receive I/O errors because of the standard approach where mod_ssl - # sends the close notify alert. - - ## ssl-accurate-shutdown: - # This forces an accurate shutdown when the connection is closed, i.e. a - # SSL close notify alert is send and mod_ssl waits for the close notify - # alert of the client. This is 100% SSL/TLS standard compliant, but in - # practice often causes hanging connections with brain-dead browsers. Use - # this only for browsers where you know that their SSL implementation works - # correctly. - # Notice: Most problems of broken clients are also related to the HTTP - # keep-alive facility, so you usually additionally want to disable - # keep-alive for those clients, too. Use variable "nokeepalive" for this. - # Similarly, one has to force some clients to use HTTP/1.0 to workaround - # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and - # "force-response-1.0" for this. 
- - BrowserMatch ".*MSIE.*" \ - nokeepalive ssl-unclean-shutdown \ - downgrade-1.0 force-response-1.0 - - - ## Per-Server Logging: - # The home of a custom SSL log file. Use this when you want a compact - # non-error SSL logfile on a virtual host basis. - - CustomLog /var/log/apache2/ssl_request_log \ - "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" - - - - - - -# vim: ts=4 filetype=apache diff --git a/files/vhosts.d/OpenBSD/0-default_ssl.conf b/files/vhosts.d/OpenBSD/0-default_ssl.conf deleted file mode 100644 index 53ea262..0000000 --- a/files/vhosts.d/OpenBSD/0-default_ssl.conf +++ /dev/null @@ -1,9 +0,0 @@ - - Include include.d/defaults.inc - Include include.d/ssl_defaults.inc - - DocumentRoot /var/www/htdocs/default/www/ - ErrorLog /var/www/htdocs/default/logs/default_error_log - CustomLog /var/www/htdocs/default/logs/default_access_log combined - - diff --git a/manifests/init.pp b/manifests/init.pp index a974c9c..badac8f 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -14,11 +14,15 @@ # manage a simple apache class apache( - $cluster_node = '', - $manage_shorewall = false, - $manage_munin = false, - $no_default_site = false, - $ssl = false + $cluster_node = '', + $manage_shorewall = false, + $manage_munin = false, + $no_default_site = false, + $ssl = false, + $default_ssl_certificate_file = absent, + $default_ssl_certificate_key_file = absent, + $default_ssl_certificate_chain_file = absent, + $ssl_cipher_suite = "${certs::ssl_config::ciphers}" ) { case $::operatingsystem { centos: { include apache::centos } diff --git a/manifests/ssl/base.pp b/manifests/ssl/base.pp index 65bd5f7..3f32913 100644 --- a/manifests/ssl/base.pp +++ b/manifests/ssl/base.pp 
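Review bot: The new default `$ssl_cipher_suite = "${certs::ssl_config::ciphers}"` in `class apache(` makes the cipher policy depend on evaluation order: the value is read when the class parameters are evaluated, so unless `certs::ssl_config` has already been evaluated the variable is undef and the parameter becomes an empty string, and the consuming template (not in this diff) would then either emit an empty `SSLCipherSuite`, which Apache rejects at config time, or skip the directive and fall back to mod_ssl's permissive built-in list. I would declare the dependency explicitly or keep a hardened literal as the fallback, e.g. `$ssl_cipher_suite = 'HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH'`, which is the value the deleted Debian and OpenBSD `ssl_defaults.inc` files carried. The quotes around a lone variable are also unnecessary in Puppet. This is a presumption about how the template handles an empty value; please confirm against `ssl_defaults.inc.erb`.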
@@ -1,8 +1,15 @@ # basic defaults for ssl support -class apache::ssl::base { - ::apache::config::include{ 'ssl_defaults.inc': } +class apache::ssl::base ( +) { + apache::config::include { + 'ssl_defaults.inc': + content => template('apache/include.d/ssl_defaults.inc.erb'); + } if !$apache::no_default_site { - ::apache::vhost::file{ '0-default_ssl': } + apache::vhost::file{ + '0-default_ssl': + content => template('apache/vhosts/0-default_ssl.conf.erb'); + } } } diff --git a/manifests/vhost.pp b/manifests/vhost.pp index 0b3e4f3..da1ce90 100644 --- a/manifests/vhost.pp +++ b/manifests/vhost.pp @@ -30,6 +30,7 @@ # define apache::vhost( $ensure = present, + $configuration = {}, $path = 'absent', $path_is_webdir = false, $logpath = 'absent', @@ -72,6 +73,7 @@ define apache::vhost( 'file': { apache::vhost::file{$name: ensure => $ensure, + configuration => $configuration, vhost_source => $vhost_source, vhost_destination => $vhost_destination, do_includes => $do_includes, @@ -85,6 +87,7 @@ define apache::vhost( 'template': { apache::vhost::template{$name: ensure => $ensure, + configuration => $configuration, path => $path, path_is_webdir => $path_is_webdir, logpath => $logpath, diff --git a/manifests/vhost/file.pp b/manifests/vhost/file.pp index 087d478..686cb1a 100644 --- a/manifests/vhost/file.pp +++ b/manifests/vhost/file.pp @@ -40,6 +40,7 @@ # define apache::vhost::file( $ensure = present, + $configuration = {}, $vhost_source = 'absent', $vhost_destination = 'absent', $content = 'absent', diff --git a/manifests/vhost/gitweb.pp b/manifests/vhost/gitweb.pp index dab4983..6dd8643 100644 --- a/manifests/vhost/gitweb.pp +++ b/manifests/vhost/gitweb.pp @@ -6,6 +6,7 @@ # define apache::vhost::gitweb( $ensure = present, + $configuration = {}, $domain = 'absent', $logmode = 'default', $domainalias = 'absent', 
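Review bot: `template('apache/include.d/ssl_defaults.inc.erb')` now replaces the per-OS `ssl_defaults.inc` files deleted earlier in this commit, but the template is not part of the diff, so it is not visible whether the hardening those files carried survives the move: the Debian file set `SSLProtocol All -SSLv2 -SSLv3`, `SSLHonorCipherOrder on` and `Header add Strict-Transport-Security "max-age=15768000"`, while the Gentoo and OpenBSD variants had no protocol restriction at all as far as visible here. Please verify the new template emits the protocol restriction, cipher-order and STS header unconditionally for every OS rather than only the cipher suite and certificate paths the new `apache` parameters cover, otherwise this refactor silently weakens the Debian hosts. Separately, `class apache::ssl::base ( ) {` declares an empty parameter list; either drop the parentheses or add the parameters this was presumably prepared for.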
@@ -28,6 +29,7 @@ define apache::vhost::gitweb( # create vhost configuration file ::apache::vhost{$name: ensure => $ensure, + configuration => $configuration, path => '/var/www/git', path_is_webdir => true, logpath => $::operatingsystem ? { diff --git a/manifests/vhost/modperl.pp b/manifests/vhost/modperl.pp index c93e6cf..31e46b6 100644 --- a/manifests/vhost/modperl.pp +++ b/manifests/vhost/modperl.pp @@ -27,6 +27,7 @@ # define apache::vhost::modperl( $ensure = present, + $configuration = configuration, $domain = 'absent', $domainalias = 'absent', $server_admin = 'absent', @@ -120,6 +121,7 @@ define apache::vhost::modperl( # create vhost configuration file ::apache::vhost{$name: ensure => $ensure, + configuration => $configuration, path => $path, logmode => $logmode, vhost_mode => $vhost_mode, diff --git a/manifests/vhost/passenger.pp b/manifests/vhost/passenger.pp index 6886f13..4621890 100644 --- a/manifests/vhost/passenger.pp +++ b/manifests/vhost/passenger.pp @@ -14,6 +14,7 @@ # define apache::vhost::passenger( $ensure = present, + $configuration = {}, $domain = 'absent', $domainalias = 'absent', $server_admin = 'absent', @@ -105,6 +106,7 @@ define apache::vhost::passenger( # create vhost configuration file ::apache::vhost{$name: ensure => $ensure, + configuration => $configuration, path => "${real_path}/www/public", path_is_webdir => true, template_partial => $template_partial, diff --git a/manifests/vhost/php/drupal.pp b/manifests/vhost/php/drupal.pp index 4a41a20..5b15e6a 100644 --- a/manifests/vhost/php/drupal.pp +++ b/manifests/vhost/php/drupal.pp @@ -33,6 +33,7 @@ # define apache::vhost::php::drupal( $ensure = present, + $configuration = {}, $domain = 'absent', $domainalias = 'absent', $server_admin = 'absent', 
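Review bot: `$configuration = configuration,` in `define apache::vhost::modperl(` defaults the new parameter to the bareword string `configuration` instead of the empty hash `{}` that every other define in this commit uses (gitweb, passenger, drupal, gallery2, …), so whatever template iterates `$configuration` as a hash will receive a String and either fail to compile or silently emit nothing for modperl vhosts; change it to `$configuration = {},`. The parameter list of the define continues outside the hunk.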
@@ -104,6 +105,7 @@ define apache::vhost::php::drupal( # create vhost configuration file ::apache::vhost::php::webapp{$name: ensure => $ensure, + configuration => $configuration, domain => $domain, domainalias => $domainalias, server_admin => $server_admin, diff --git a/manifests/vhost/php/gallery2.pp b/manifests/vhost/php/gallery2.pp index 78d5256..3acb011 100644 --- a/manifests/vhost/php/gallery2.pp +++ b/manifests/vhost/php/gallery2.pp @@ -32,6 +32,7 @@ # - semianonym: Don't log ips for CustomLog, log normal ErrorLog define apache::vhost::php::gallery2( $ensure = present, + $configuration = {}, $domain = 'absent', $domainalias = 'absent', $server_admin = 'absent', @@ -100,6 +101,7 @@ define apache::vhost::php::gallery2( # create vhost configuration file ::apache::vhost::php::webapp{$name: ensure => $ensure, + configuration => $configuration, domain => $domain, domainalias => $domainalias, server_admin => $server_admin, diff --git a/manifests/vhost/php/joomla.pp b/manifests/vhost/php/joomla.pp index 38d41e7..eea39b5 100644 --- a/manifests/vhost/php/joomla.pp +++ b/manifests/vhost/php/joomla.pp @@ -26,6 +26,7 @@ # - semianonym: Don't log ips for CustomLog, log normal ErrorLog define apache::vhost::php::joomla( $ensure = present, + $configuration = {}, $domain = 'absent', $domainalias = 'absent', $server_admin = 'absent', @@ -107,6 +108,7 @@ define apache::vhost::php::joomla( ::apache::vhost::php::webapp{ $name: ensure => $ensure, + configuration => $configuration, domain => $domain, domainalias => $domainalias, server_admin => $server_admin, diff --git a/manifests/vhost/php/mediawiki.pp b/manifests/vhost/php/mediawiki.pp index 3068c79..25881ca 100644 --- a/manifests/vhost/php/mediawiki.pp +++ b/manifests/vhost/php/mediawiki.pp @@ -26,6 +26,7 @@ # - semianonym: Don't log ips for CustomLog, log normal ErrorLog define apache::vhost::php::mediawiki( $ensure = present, + $configuration = {}, $domain = 'absent', $domainalias = 'absent', $server_admin = 'absent', 
@@ -66,6 +67,7 @@ define apache::vhost::php::mediawiki( # create vhost configuration file ::apache::vhost::php::webapp{$name: ensure => $ensure, + configuration => $configuration, domain => $domain, domainalias => $domainalias, server_admin => $server_admin, diff --git a/manifests/vhost/php/silverstripe.pp b/manifests/vhost/php/silverstripe.pp index 81b0d7f..1f19eab 100644 --- a/manifests/vhost/php/silverstripe.pp +++ b/manifests/vhost/php/silverstripe.pp @@ -26,6 +26,7 @@ # - semianonym: Don't log ips for CustomLog, log normal ErrorLog define apache::vhost::php::silverstripe( $ensure = present, + $configuration = {}, $domain = 'absent', $domainalias = 'absent', $server_admin = 'absent', @@ -77,6 +78,7 @@ define apache::vhost::php::silverstripe( # create vhost configuration file ::apache::vhost::php::webapp{$name: ensure => $ensure, + configuration => $configuration, domain => $domain, domainalias => $domainalias, server_admin => $server_admin, diff --git a/manifests/vhost/php/simplemachine.pp b/manifests/vhost/php/simplemachine.pp index 48386b6..3fa11a7 100644 --- a/manifests/vhost/php/simplemachine.pp +++ b/manifests/vhost/php/simplemachine.pp @@ -26,6 +26,7 @@ # - semianonym: Don't log ips for CustomLog, log normal ErrorLog define apache::vhost::php::simplemachine( $ensure = present, + $configuration = {}, $domain = 'absent', $domainalias = 'absent', $server_admin = 'absent', @@ -72,6 +73,7 @@ define apache::vhost::php::simplemachine( # create vhost configuration file ::apache::vhost::php::webapp{$name: ensure => $ensure, + configuration => $configuration, domain => $domain, domainalias => $domainalias, server_admin => $server_admin, diff --git a/manifests/vhost/php/spip.pp b/manifests/vhost/php/spip.pp index 74be5d4..e33c1df 100644 --- a/manifests/vhost/php/spip.pp +++ b/manifests/vhost/php/spip.pp 
@@ -26,6 +26,7 @@ # - semianonym: Don't log ips for CustomLog, log normal ErrorLog define apache::vhost::php::spip( $ensure = present, + $configuration = {}, $domain = 'absent', $domainalias = 'absent', $server_admin = 'absent', @@ -69,6 +70,7 @@ define apache::vhost::php::spip( # create vhost configuration file ::apache::vhost::php::webapp{$name: ensure => $ensure, + configuration => $configuration, domain => $domain, domainalias => $domainalias, server_admin => $server_admin, diff --git a/manifests/vhost/php/standard.pp b/manifests/vhost/php/standard.pp index 86373a4..3870707 100644 --- a/manifests/vhost/php/standard.pp +++ b/manifests/vhost/php/standard.pp @@ -26,6 +26,7 @@ # - semianonym: Don't log ips for CustomLog, log normal ErrorLog define apache::vhost::php::standard( $ensure = present, + $configuration = {}, $domain = 'absent', $domainalias = 'absent', $server_admin = 'absent', @@ -266,6 +267,7 @@ define apache::vhost::php::standard( # create vhost configuration file ::apache::vhost{$name: ensure => $ensure, + configuration => $configuration, path => $path, path_is_webdir => $path_is_webdir, vhost_mode => $vhost_mode, diff --git a/manifests/vhost/php/typo3.pp b/manifests/vhost/php/typo3.pp index a963c70..d9e877a 100644 --- a/manifests/vhost/php/typo3.pp +++ b/manifests/vhost/php/typo3.pp @@ -26,6 +26,7 @@ # - semianonym: Don't log ips for CustomLog, log normal ErrorLog define apache::vhost::php::typo3( $ensure = present, + $configuration = {}, $domain = 'absent', $domainalias = 'absent', $server_admin = 'absent', @@ -91,6 +92,7 @@ define apache::vhost::php::typo3( # create vhost configuration file ::apache::vhost::php::webapp{$name: ensure => $ensure, + configuration => $configuration, domain => $domain, domainalias => $domainalias, server_admin => $server_admin, diff --git a/manifests/vhost/php/webapp.pp b/manifests/vhost/php/webapp.pp index 1569260..225b45b 100644 --- a/manifests/vhost/php/webapp.pp +++ b/manifests/vhost/php/webapp.pp 
@@ -26,6 +26,7 @@ # - semianonym: Don't log ips for CustomLog, log normal ErrorLog define apache::vhost::php::webapp( $ensure = present, + $configuration = {}, $domain = 'absent', $domainalias = 'absent', $server_admin = 'absent', @@ -106,6 +107,7 @@ define apache::vhost::php::webapp( # create vhost configuration file ::apache::vhost::php::standard{$name: ensure => $ensure, + configuration => $configuration, domain => $domain, domainalias => $domainalias, server_admin => $server_admin, diff --git a/manifests/vhost/php/wordpress.pp b/manifests/vhost/php/wordpress.pp index 00e1898..be77eba 100644 --- a/manifests/vhost/php/wordpress.pp +++ b/manifests/vhost/php/wordpress.pp @@ -26,6 +26,7 @@ # - semianonym: Don't log ips for CustomLog, log normal ErrorLog define apache::vhost::php::wordpress( $ensure = present, + $configuration = {}, $domain = 'absent', $domainalias = 'absent', $server_admin = 'absent', @@ -75,6 +76,7 @@ define apache::vhost::php::wordpress( # create vhost configuration file apache::vhost::php::webapp{$name: ensure => $ensure, + configuration => $configuration, domain => $domain, domainalias => $domainalias, server_admin => $server_admin, diff --git a/manifests/vhost/proxy.pp b/manifests/vhost/proxy.pp index 1c3b500..95ae205 100644 --- a/manifests/vhost/proxy.pp +++ b/manifests/vhost/proxy.pp @@ -21,6 +21,7 @@ # define apache::vhost::proxy( $ensure = present, + $configuration = {}, $domain = 'absent', $domainalias = 'absent', $htpasswd_file = 'absent', @@ -38,6 +39,7 @@ define apache::vhost::proxy( # we use the options field as the target_url ::apache::vhost::template{$name: ensure => $ensure, + configuration => $configuration, template_partial => 'apache/vhosts/proxy/partial.erb', domain => $domain, path => 'really_absent', diff --git a/manifests/vhost/redirect.pp b/manifests/vhost/redirect.pp index a106c59..0ac40cc 100644 --- a/manifests/vhost/redirect.pp +++ b/manifests/vhost/redirect.pp 
@@ -21,6 +21,7 @@ # define apache::vhost::redirect( $ensure = present, + $configuration = {}, $domain = 'absent', $domainalias = 'absent', $target_url, @@ -32,6 +33,7 @@ define apache::vhost::redirect( # we use the options field as the target_url ::apache::vhost::template{$name: ensure => $ensure, + configuration => $configuration, template_partial => 'apache/vhosts/redirect/partial.erb', domain => $domain, path => 'really_absent', diff --git a/manifests/vhost/static.pp b/manifests/vhost/static.pp index 21b062e..f919766 100644 --- a/manifests/vhost/static.pp +++ b/manifests/vhost/static.pp @@ -14,6 +14,7 @@ # define apache::vhost::static( $ensure = present, + $configuration = {}, $domain = 'absent', $domainalias = 'absent', $server_admin = 'absent', @@ -58,6 +59,7 @@ define apache::vhost::static( # create vhost configuration file ::apache::vhost{$name: ensure => $ensure, + configuration => $configuration, path => $path, template_partial => $template_partial, vhost_mode => $vhost_mode, diff --git a/manifests/vhost/template.pp b/manifests/vhost/template.pp index 55d41d9..8e9b798 100644 --- a/manifests/vhost/template.pp +++ b/manifests/vhost/template.pp @@ -42,6 +42,7 @@ # define apache::vhost::template( $ensure = present, + $configuration = {}, $path = 'absent', $path_is_webdir = false, $logpath = 'absent', @@ -133,6 +134,7 @@ define apache::vhost::template( } apache::vhost::file{$name: + configuration => $configuration, ensure => $ensure, do_includes => $do_includes, run_mode => $run_mode, diff --git a/manifests/vhost/webdav.pp b/manifests/vhost/webdav.pp index e1b6c3f..ff9e8ab 100644 --- a/manifests/vhost/webdav.pp +++ b/manifests/vhost/webdav.pp @@ -25,6 +25,7 @@ # define apache::vhost::webdav( $ensure = present, + $configuration = {}, $domain = 'absent', $domainalias = 'absent', $server_admin = 'absent', 
@@ -93,6 +94,7 @@ define apache::vhost::webdav( # create vhost configuration file ::apache::vhost{$name: ensure => $ensure, + configuration => $configuration, path => $path, path_is_webdir => $path_is_webdir, logpath => $logpath, diff --git a/templates/include.d/ssl_defaults.inc.erb b/templates/include.d/ssl_defaults.inc.erb new file mode 100644 index 0000000..236eb78 --- /dev/null +++ b/templates/include.d/ssl_defaults.inc.erb 
@@ -0,0 +1,81 @@ +# SSL Engine Switch: +# Enable/Disable SSL for this virtual host. +SSLEngine on + +# SSL Protocol support: +# List the enable protocol levels with which clients will be able to +# connect. Disable SSLv2 access by default: +SSLProtocol All -SSLv2 -SSLv3 + +# SSL Cipher Suite: +# List the ciphers that the client is permitted to negotiate. +# See the mod_ssl documentation for a complete list. +SSLCipherSuite "<%= scope.lookupvar('apache::ssl_cipher_suite') %>" + +SSLHonorCipherOrder on + +# SSL Engine Options: +# Set various options for the SSL engine. +# o FakeBasicAuth: +# Translate the client X.509 into a Basic Authorisation. This means that +# the standard Auth/DBMAuth methods can be used for access control. The +# user name is the `one line' version of the client's X.509 certificate. +# Note that no password is obtained from the user. Every entry in the user +# file needs this password: `xxj31ZMTZzkVA'. +# o ExportCertData: +# This exports two additional environment variables: SSL_CLIENT_CERT and +# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the +# server (always existing) and the client (only existing when client +# authentication is used). This can be used to import the certificates +# into CGI scripts. +# o StdEnvVars: +# This exports the standard SSL/TLS related `SSL_*' environment variables. +# Per default this exportation is switched off for performance reasons, +# because the extraction step is an expensive operation and is usually +# useless for serving static content. So one usually enables the +# exportation for CGI and SSI requests only. +# o StrictRequire: +# This denies access when "SSLRequireSSL" or "SSLRequire" applied even +# under a "Satisfy any" situation, i.e. when it applies access is denied +# and no other module can change it. +# o OptRenegotiate: +# This enables optimized SSL connection renegotiation handling when SSL +# directives are used in per-directory context. 
+#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire + + SSLOptions +StdEnvVars + + + SSLOptions +StdEnvVars + + +# SSL Protocol Adjustments: +# The safe and default but still SSL/TLS standard compliant shutdown +# approach is that mod_ssl sends the close notify alert but doesn't wait for +# the close notify alert from client. When you need a different shutdown +# approach you can use one of the following variables: +# o ssl-unclean-shutdown: +# This forces an unclean shutdown when the connection is closed, i.e. no +# SSL close notify alert is send or allowed to received. This violates +# the SSL/TLS standard but is needed for some brain-dead browsers. Use +# this when you receive I/O errors because of the standard approach where +# mod_ssl sends the close notify alert. +# o ssl-accurate-shutdown: +# This forces an accurate shutdown when the connection is closed, i.e. a +# SSL close notify alert is send and mod_ssl waits for the close notify +# alert of the client. This is 100% SSL/TLS standard compliant, but in +# practice often causes hanging connections with brain-dead browsers. Use +# this only for browsers where you know that their SSL implementation +# works correctly. +# Notice: Most problems of broken clients are also related to the HTTP +# keep-alive facility, so you usually additionally want to disable +# keep-alive for those clients, too. Use variable "nokeepalive" for this. +# Similarly, one has to force some clients to use HTTP/1.0 to workaround +# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and +# "force-response-1.0" for this. +SetEnvIf User-Agent ".*MSIE.*" \ + nokeepalive ssl-unclean-shutdown \ + downgrade-1.0 force-response-1.0 + +# set STS Header +Header add Strict-Transport-Security "max-age=15768000" diff --git a/templates/vhosts/0-default_ssl.conf.erb b/templates/vhosts/0-default_ssl.conf.erb new file mode 100644 index 0000000..86e4979 --- /dev/null +++ b/templates/vhosts/0-default_ssl.conf.erb 
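Review bot: `Header add Strict-Transport-Security "max-age=15768000"` at the end of the new ssl_defaults.inc.erb is applied only to successful responses, because `Header` without the `always` condition works on the onsuccess table; redirects and error pages served by an SSL vhost go out without HSTS, and `add` yields a duplicate header whenever a vhost or the application sets its own. `Header always set Strict-Transport-Security "max-age=15768000"` covers every response and keeps a single header. Because this include is pulled into every SSL vhost (header_default.erb includes it for the ssl part and the new 0-default_ssl.conf.erb includes it as well), the policy is applied regardless of which certificate a host serves, which is worth a sentence in the comment above the directive, together with the note that 15768000 seconds is roughly six months. This hunk begins on the previous line.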
@@ -0,0 +1,21 @@ +############################################################ +### This file is managed by PUPPET! #### +### Only modify in repo or you will loose the changes! #### +############################################################ + + + Include include.d/defaults.inc + Include include.d/ssl_defaults.inc + DocumentRoot /var/www/html + + # Use separate log files for the SSL virtual host; note that LogLevel + # is not inherited from httpd.conf. + ErrorLog logs/ssl_error_log + TransferLog logs/ssl_access_log + LogLevel warn + +<%= scope.function_templatewlv(['apache/vhosts/partials/ssl.erb', + {'configuration' => {}}]) %> + + +# vim: ts=4 filetype=apache diff --git a/templates/vhosts/default.erb b/templates/vhosts/default.erb index 79e713d..f911236 100644 --- a/templates/vhosts/default.erb +++ b/templates/vhosts/default.erb @@ -7,7 +7,9 @@ end vhost_parts.each do |vhost_part| -%> > -<%= scope.function_templatewlv(['apache/vhosts/partials/header_default.erb', {'vhost_part' => vhost_part } ]) %> +<%= scope.function_templatewlv(['apache/vhosts/partials/header_default.erb', + {'vhost_part' => vhost_part, + 'configuration' => configuration,}]) %> <%= scope.function_template(['apache/vhosts/partials/logs.erb']) %> diff --git a/templates/vhosts/partials/header_default.erb b/templates/vhosts/partials/header_default.erb index 266fc79..cd4d04c 100644 --- a/templates/vhosts/partials/header_default.erb +++ b/templates/vhosts/partials/header_default.erb @@ -1,6 +1,8 @@ Include include.d/defaults.inc <% if vhost_part == :ssl -%> Include include.d/ssl_defaults.inc +<%= scope.function_templatewlv(['apache/vhosts/partials/ssl.erb', + {'configuration' => configuration}]) %> <% end -%> ServerName <%= @servername %> <% unless @serveralias.empty? || (@serveralias == 'absent') -%> diff --git a/templates/vhosts/partials/ssl.erb b/templates/vhosts/partials/ssl.erb new file mode 100644 index 0000000..24e28f5 --- /dev/null +++ b/templates/vhosts/partials/ssl.erb 
@@ -0,0 +1,5 @@ + SSLCertificateFile <%= configuration['ssl_certificate_file'] || scope.lookupvar('apache::default_ssl_certificate_file') %> + SSLCertificateKeyFile <%= configuration['ssl_certificate_key_file'] || scope.lookupvar('apache::default_ssl_certificate_key_file') %> +<% if configuration['ssl_certificate_chain_file'] || scope.lookupvar('apache::default_ssl_certificate_chain_file') != 'absent' -%> + SSLCertificateChainFile <%= configuration['ssl_certificate_chain_file'] || scope.lookupvar('apache::default_ssl_certificate_chain_file') %> +<% end -%> -- cgit v1.2.3 From dc653851e837e66cf0361c86525d7ff95942c0b3 Mon Sep 17 00:00:00 2001 From: mh Date: Sun, 16 Nov 2014 13:57:59 +0100 Subject: no need to interpolate --- manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/init.pp b/manifests/init.pp index badac8f..7641705 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -22,7 +22,7 @@ class apache( $default_ssl_certificate_file = absent, $default_ssl_certificate_key_file = absent, $default_ssl_certificate_chain_file = absent, - $ssl_cipher_suite = "${certs::ssl_config::ciphers}" + $ssl_cipher_suite = $certs::ssl_config::ciphers ) { case $::operatingsystem { centos: { include apache::centos } -- cgit v1.2.3 From 169d55dfa5401529b2ab54694365846a900af749 Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 26 Dec 2014 12:11:15 +0100 Subject: use correct variable access --- templates/vhosts/default.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/vhosts/default.erb b/templates/vhosts/default.erb index f911236..1ef8023 100644 --- a/templates/vhosts/default.erb +++ b/templates/vhosts/default.erb 
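Review bot: The first two lines of the new ssl.erb fall back to `scope.lookupvar('apache::default_ssl_certificate_file')` and `..._key_file` without checking for the `absent` sentinel, so a vhost whose configuration hash carries no certificate keys renders `SSLCertificateFile absent`, which Apache rejects at start-up; only the chain-file condition on the third line tests for `'absent'`. The class parameters shown further along this line (`$default_ssl_certificate_file = absent`) make that the out-of-the-box case, and the new 0-default_ssl.conf.erb on the previous line passes `{'configuration' => {}}` into this partial, so the default SSL vhost hits it unless the module defaults are overridden. I would either fail in the Puppet layer when an SSL vhost is declared without certificate paths, or guard the two directives the same way as the chain file, and add a comment at the top of the partial naming the configuration keys it reads (`ssl_certificate_file`, `ssl_certificate_key_file`, `ssl_certificate_chain_file`) and their module-level fallbacks.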
@@ -9,7 +9,7 @@ vhost_parts.each do |vhost_part| -%> <%= scope.function_templatewlv(['apache/vhosts/partials/header_default.erb', {'vhost_part' => vhost_part, - 'configuration' => configuration,}]) %> + 'configuration' => @configuration,}]) %> <%= scope.function_template(['apache/vhosts/partials/logs.erb']) %> -- cgit v1.2.3 From 21711032c2ee0caeea2066a9b4a9bac6526dfe54 Mon Sep 17 00:00:00 2001 From: o Date: Mon, 5 Jan 2015 18:01:26 +0100 Subject: use ciphers_http from certs module --- manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/init.pp b/manifests/init.pp index 7641705..1079d85 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -22,7 +22,7 @@ class apache( $default_ssl_certificate_file = absent, $default_ssl_certificate_key_file = absent, $default_ssl_certificate_chain_file = absent, - $ssl_cipher_suite = $certs::ssl_config::ciphers + $ssl_cipher_suite = $certs::ssl_config::ciphers_http ) { case $::operatingsystem { centos: { include apache::centos } -- cgit v1.2.3 From 86d189ef1496eb88a4ba553c261142ca4095c0de Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 16 Jan 2015 16:25:37 +0100 Subject: also allow Indexes for wordpress so supercache can be run --- manifests/vhost/php/wordpress.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/vhost/php/wordpress.pp b/manifests/vhost/php/wordpress.pp index be77eba..328d2b0 100644 --- a/manifests/vhost/php/wordpress.pp +++ b/manifests/vhost/php/wordpress.pp @@ -40,7 +40,7 @@ define apache::vhost::php::wordpress( $run_mode = 'normal', $run_uid = 'absent', $run_gid = 'absent', - $allow_override = 'FileInfo', + $allow_override = 'FileInfo Indexes', $php_settings = {}, $php_options = {}, $do_includes = false, -- cgit v1.2.3 From d976089f2fbaeb7668d9d5425af374f67f67788b Mon Sep 17 00:00:00 2001 
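Review bot: Adding `Indexes` to the default `$allow_override` in wordpress.pp widens what a `.htaccess` inside the document root may change: beyond whatever the supercache plugin needs, any `.htaccess` written by a plugin, or by someone who has gained write access to the web-writeable directories, can now switch on directory listing with `Options +Indexes`. The commit message ("so supercache can be run") is the only statement of why this is needed, and nothing in the file records it, so I would put the reason next to the value, e.g. `# Indexes: required by wp-super-cache's .htaccess (see commit); also lets .htaccess enable listing`, or leave the default at 'FileInfo' and have the sites that run the plugin set it explicitly.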
From: mh Date: Fri, 16 Jan 2015 16:26:17 +0100 Subject: linting --- manifests/vhost/php/wordpress.pp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/manifests/vhost/php/wordpress.pp b/manifests/vhost/php/wordpress.pp index 328d2b0..95576c9 100644 --- a/manifests/vhost/php/wordpress.pp +++ b/manifests/vhost/php/wordpress.pp @@ -65,12 +65,12 @@ define apache::vhost::php::wordpress( $documentroot = $path ? { 'absent' => $::operatingsystem ? { - openbsd => "/var/www/htdocs/${name}/www", - default => "/var/www/vhosts/${name}/www" + 'openbsd' => "/var/www/htdocs/${name}/www", + default => "/var/www/vhosts/${name}/www" }, default => "${path}/www" } - $modsec_rules = ["960010", "950018"] + $modsec_rules = ['960010', '950018'] $real_mod_security_rules_to_disable = union($mod_security_rules_to_disable,$modsec_rules) # create vhost configuration file -- cgit v1.2.3 From 677c74d5c8b49c43f2ff68eb580280bba4839264 Mon Sep 17 00:00:00 2001 From: mh Date: Tue, 3 Feb 2015 23:47:51 +0100 Subject: upload directory should be writeable --- manifests/vhost/php/wordpress.pp | 35 ++++++++++++++++++++--------------- 1 file changed, 20 insertions(+), 15 deletions(-) diff --git a/manifests/vhost/php/wordpress.pp b/manifests/vhost/php/wordpress.pp index 95576c9..a6bbe43 100644 --- a/manifests/vhost/php/wordpress.pp +++ b/manifests/vhost/php/wordpress.pp 
@@ -1,21 +1,25 @@ -# run_mode: controls in which mode the vhost should be run, there are different setups -# possible: -# - normal: (*default*) run vhost with the current active worker (default: prefork) don't -# setup anything special -# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination -# with 'proxy-itk' & 'static-itk' mode) -# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the -# requests for the itk setup, that listens only on the loobpack device. -# (Incompatibility: cannot be used in combination with the itk setup.) -# - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static -# content and proxies the dynamic calls to the itk setup, that listens only on -# the loobpack device (Incompatibility: cannot be used in combination with +# run_mode: controls in which mode the vhost should be run, there are different +# setups # possible: +# - normal: (*default*) run vhost with the current active worker +# (default: prefork) don't setup anything special +# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in +# combination with 'proxy-itk' & 'static-itk' mode) +# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just +# proxies all the requests for the itk setup, that listens only +# on the loobpack device. +# (Incompatibility: cannot be used in combination with the itk +# setup.) 
+# - static-itk: run vhost with a dual prefork/itk setup, where prefork serves +# all the static content and proxies the dynamic calls to the +# itk setup, that listens only on the loobpack device +# (Incompatibility: cannot be used in combination with # 'itk' mode) # # run_uid: the uid the vhost should run as with the itk module # run_gid: the gid the vhost should run as with the itk module # -# mod_security: Whether we use mod_security or not (will include mod_security module) +# mod_security: Whether we use mod_security or not (will include mod_security +# module) # - false: don't activate mod_security # - true: (*default*) activate mod_security # @@ -71,7 +75,8 @@ define apache::vhost::php::wordpress( default => "${path}/www" } $modsec_rules = ['960010', '950018'] - $real_mod_security_rules_to_disable = union($mod_security_rules_to_disable,$modsec_rules) + $real_mod_security_rules_to_disable = union($mod_security_rules_to_disable, + $modsec_rules) # create vhost configuration file apache::vhost::php::webapp{$name: @@ -109,7 +114,7 @@ define apache::vhost::php::wordpress( htpasswd_file => $htpasswd_file, htpasswd_path => $htpasswd_path, manage_directories => $manage_directories, - managed_directories => "${documentroot}/wp-content", + managed_directories => [ "${documentroot}/wp-content/uploads",], manage_config => $manage_config, config_webwriteable => $config_webwriteable, config_file => 'wp-config.php', -- cgit v1.2.3 From 4994912452fa83356c91af9278f5835cd934d47a Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 14 Feb 2015 18:04:30 +0100 Subject: make it possible to set the php installation for joomlas --- manifests/vhost/php/joomla.pp | 40 ++++++++++++++++++++++++---------------- 1 file changed, 24 insertions(+), 16 deletions(-) diff --git a/manifests/vhost/php/joomla.pp b/manifests/vhost/php/joomla.pp index eea39b5..ed0696f 100644 --- a/manifests/vhost/php/joomla.pp +++ b/manifests/vhost/php/joomla.pp 
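Review bot: The re-wrapped header comment in wordpress.pp now reads `# setups # possible:` on its second line; the inner `#` is a typo introduced by the wrap (the same text in joomla.pp, re-wrapped in the next commit on this page, reads `# setups possible:`). Change the line to `# setups possible:`. This hunk starts on the previous line.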
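Review bot: `managed_directories => [ "${documentroot}/wp-content/uploads",]` narrows the list from the whole of wp-content to uploads only; going by the commit title these are the directories made writeable for the web server, so plugin and theme directories presumably stop being web-writeable, which is a reasonable hardening but is not recorded anywhere in the file. A comment above the line such as `# only uploads is web-writeable; plugins and themes are deployed outside the web server's permissions` would keep the next maintainer from widening it back to wp-content. Whether the in-admin plugin and theme updater is expected to work on these hosts is not visible here; if it is, this change breaks it and that should be stated too.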
@@ -1,21 +1,26 @@ -# run_mode: controls in which mode the vhost should be run, there are different setups -# possible: -# - normal: (*default*) run vhost with the current active worker (default: prefork) don't -# setup anything special -# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination -# with 'proxy-itk' & 'static-itk' mode) -# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the -# requests for the itk setup, that listens only on the loobpack device. -# (Incompatibility: cannot be used in combination with the itk setup.) -# - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static -# content and proxies the dynamic calls to the itk setup, that listens only on -# the loobpack device (Incompatibility: cannot be used in combination with -# 'itk' mode) +# run_mode: controls in which mode the vhost should be run, there are different +# setups possible: +# - normal: (*default*) run vhost with the current active worker +# (default: prefork) don't setup anything special +# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in +# combination with 'proxy-itk' & 'static-itk' mode) +# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just +# proxies all the requests for the itk setup, that listens only +# on the loobpack device. +# (Incompatibility: cannot be used in combination with the itk +# setup.) 
+# - static-itk: run vhost with a dual prefork/itk setup, where prefork serves +# all the static +# content and proxies the dynamic calls to the itk setup, that +# listens only on the loobpack device +# (Incompatibility: cannot be used in combination with 'itk' +# mode) # # run_uid: the uid the vhost should run as with the itk module # run_gid: the gid the vhost should run as with the itk module # -# mod_security: Whether we use mod_security or not (will include mod_security module) +# mod_security: Whether we use mod_security or not (will include mod_security +# module) # - false: don't activate mod_security # - true: (*default*) activate mod_security # @@ -43,6 +48,7 @@ define apache::vhost::php::joomla( $allow_override = 'None', $php_settings = {}, $php_options = {}, + $php_installation = 'system', $do_includes = false, $options = 'absent', $additional_options = 'absent', @@ -123,8 +129,10 @@ define apache::vhost::php::joomla( run_uid => $run_uid, run_gid => $run_gid, allow_override => $allow_override, - php_settings => merge($std_joomla_php_settings, $php_settings), + php_settings => merge($std_joomla_php_settings, + $php_settings), php_options => $php_options, + php_installation => $php_installation, do_includes => $do_includes, options => $options, additional_options => $additional_options, @@ -141,7 +149,7 @@ define apache::vhost::php::joomla( htpasswd_file => $htpasswd_file, htpasswd_path => $htpasswd_path, manage_directories => $manage_directories, - managed_directories => [ "${documentroot}/administrator/backups", + managed_directories => [ "${documentroot}/administrator/backups", "${documentroot}/administrator/components", "${documentroot}/administrator/language", "${documentroot}/administrator/modules", -- cgit v1.2.3 From 55af354baacf59e3f436ce3131bcc0f84848a09d Mon Sep 17 00:00:00 2001 
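Review bot: The new `$php_installation = 'system'` parameter in joomla.pp (and the matching one added to webapp.pp in the next commit on this page) is not mentioned in the header comment, which documents run_mode, run_uid, run_gid and mod_security and then stops. Add a line such as `# php_installation: which php installation the vhost uses (default: 'system')`; the other accepted values are not visible here and should be taken from wherever the value is consumed. As a point of style, the re-wrapped static-itk description leaves `# all the static` on a line of its own; joining it with the following `# content and proxies ...` line keeps the entry at the same width as the others. The first hunk starts on the previous line.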
From: mh Date: Sat, 14 Feb 2015 18:09:40 +0100 Subject: make it possible to set the php installation for joomlas --- manifests/vhost/php/webapp.pp | 2 ++ 1 file changed, 2 insertions(+) diff --git a/manifests/vhost/php/webapp.pp b/manifests/vhost/php/webapp.pp index 225b45b..695120d 100644 --- a/manifests/vhost/php/webapp.pp +++ b/manifests/vhost/php/webapp.pp @@ -45,6 +45,7 @@ define apache::vhost::php::webapp( $allow_override = 'None', $php_settings = {}, $php_options = {}, + $php_installation = 'system', $do_includes = false, $options = 'absent', $additional_options = 'absent', @@ -126,6 +127,7 @@ define apache::vhost::php::webapp( allow_override => $allow_override, php_settings => $php_settings, php_options => $php_options, + php_installation => $php_installation, do_includes => $do_includes, options => $options, additional_options => $additional_options, -- cgit v1.2.3 From e9f7dc800a0a7bd02bc4e6b35751e2412c0cc059 Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 27 Feb 2015 09:44:25 +0100 Subject: these directories can be auto purged, because they are puppet introduced --- manifests/base.pp | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/manifests/base.pp b/manifests/base.pp index 35fc42e..5b13cac 100644 --- a/manifests/base.pp +++ b/manifests/base.pp @@ -4,6 +4,9 @@ class apache::base { 'vhosts_dir': ensure => directory, path => '/etc/apache2/vhosts.d', + purge => true, + recurse => true, + force => true, owner => root, group => 0, mode => '0644'; 
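Review bot: `purge => true, recurse => true, force => true` on `vhosts_dir` (and on include_dir, modules_dir and htpasswd_dir in the continuation of this diff on the next line) does more than delete files Puppet does not know about: with `recurse` the resource's `owner`, `group` and `mode` are pushed down onto every entry inside the directory, and `force` also removes unmanaged subdirectories. For `/var/www/htpasswds` that means an htpasswd file created by hand rather than through the module disappears on the next run and whoever it protected is locked out; for vhosts.d a hand-dropped vhost file vanishes just as silently. I would state that contract on each resource, e.g. `# fully puppet-managed: unmanaged entries are purged and owner/group/mode are applied recursively`, so the reasoning in the commit message ("because they are puppet introduced") survives in the file.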
@@ -16,18 +19,27 @@ class apache::base { 'include_dir': ensure => directory, path => '/etc/apache2/include.d', + purge => true, + recurse => true, + force => true, owner => root, group => 0, mode => '0644'; 'modules_dir': ensure => directory, path => '/etc/apache2/modules.d', + purge => true, + recurse => true, + force => true, owner => root, group => 0, mode => '0644'; 'htpasswd_dir': ensure => directory, path => '/var/www/htpasswds', + purge => true, + recurse => true, + force => true, owner => root, group => 'apache', mode => '0640'; -- cgit v1.2.3 From c6a19ad30ce72f000146645b9f82b369e17c9abf Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 27 Feb 2015 09:45:38 +0100 Subject: linting --- manifests/base.pp | 21 ++++---- manifests/centos.pp | 144 ++++++++++++++++++++++++++-------------------------- 2 files changed, 81 insertions(+), 84 deletions(-) diff --git a/manifests/base.pp b/manifests/base.pp index 5b13cac..8029e73 100644 --- a/manifests/base.pp +++ b/manifests/base.pp @@ -55,20 +55,17 @@ class apache::base { owner => root, group => 0, mode => '0644'; - } - anchor{'apache::basic_dirs::ready': - require => File['vhosts_dir','config_dir','include_dir','modules_dir','htpasswd_dir','web_dir','default_apache_index'] - } + } -> anchor{'apache::basic_dirs::ready': } - apache::config::include{ 'defaults.inc': } - apache::config::global{ 'git.conf': } - if !$apache::no_default_site { - apache::vhost::file { '0-default': } - } + apache::config::include{ 'defaults.inc': } + apache::config::global{ 'git.conf': } + if !$apache::no_default_site { + apache::vhost::file { '0-default': } + } service{'apache': - ensure => running, - name => 'apache2', - enable => true, + ensure => running, + name => 'apache2', + enable => true, } } diff --git a/manifests/centos.pp b/manifests/centos.pp index 554e7b2..f469715 100644 --- a/manifests/centos.pp +++ b/manifests/centos.pp 
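Review bot: Replacing the anchor's explicit `require => File['vhosts_dir','config_dir','include_dir','modules_dir','htpasswd_dir','web_dir','default_apache_index']` with `} -> anchor{'apache::basic_dirs::ready': }` is a dependency refactor rather than linting: the chaining arrow binds to the whole preceding `file{ ... }` declaration, which is equivalent only if all seven titles from the old list live in that single declaration (vhosts_dir, include_dir, modules_dir and htpasswd_dir are visible in it; config_dir, web_dir and default_apache_index are outside this view). If they do, the new form is fine, but a comment such as `# every base directory above must exist before anything is placed into it` would make the intent of the arrow explicit for readers who never saw the require list.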
@@ -1,86 +1,86 @@ ### centos class apache::centos inherits apache::package { - $config_dir = '/etc/httpd' + $config_dir = '/etc/httpd' - Package[apache]{ - name => 'httpd', - } - Service[apache]{ - name => 'httpd', - restart => '/etc/init.d/httpd graceful', - } - File[vhosts_dir]{ - path => "${config_dir}/vhosts.d", - } - File[config_dir]{ - path => "${config_dir}/conf.d", - } - File[include_dir]{ - path => "${config_dir}/include.d", - } - File[modules_dir]{ - path => "${config_dir}/modules.d", - } - File[web_dir]{ - path => '/var/www/vhosts', - } - File[default_apache_index]{ - path => '/var/www/html/index.html', - } + Package[apache]{ + name => 'httpd', + } + Service[apache]{ + name => 'httpd', + restart => '/etc/init.d/httpd graceful', + } + File[vhosts_dir]{ + path => "${config_dir}/vhosts.d", + } + File[config_dir]{ + path => "${config_dir}/conf.d", + } + File[include_dir]{ + path => "${config_dir}/include.d", + } + File[modules_dir]{ + path => "${config_dir}/modules.d", + } + File[web_dir]{ + path => '/var/www/vhosts', + } + File[default_apache_index]{ + path => '/var/www/html/index.html', + } - if str2bool($::selinux) { - Selinux::Fcontext{ - before => File[web_dir], - } - $seltype_rw = $::operatingsystemmajrelease ? { - 5 => 'httpd_sys_script_rw_t', - default => 'httpd_sys_rw_content_t' - } - selinux::fcontext{ - [ '/var/www/vhosts/[^/]*/www(/.*)?', - '/var/www/vhosts/[^/]*/non_public(/.*)?', - '/var/www/vhosts/[^/]*/data(/.*)?', - '/var/www/vhosts/[^/]*/upload(/.*)?' 
]: - require => Package['apache'], - setype => $seltype_rw; - '/var/www/vhosts/[^/]*/logs(/.*)?': - require => Package['apache'], - setype => 'httpd_log_t'; - } + if str2bool($::selinux) { + Selinux::Fcontext{ + before => File[web_dir], } - file{'apache_service_config': - path => '/etc/sysconfig/httpd', - source => [ "puppet:///modules/site_apache/service/CentOS/${::fqdn}/httpd", - 'puppet:///modules/site_apache/service/CentOS/httpd', - 'puppet:///modules/apache/service/CentOS/httpd' ], - require => Package['apache'], - notify => Service['apache'], - owner => root, - group => 0, - mode => '0644'; + $seltype_rw = $::operatingsystemmajrelease ? { + 5 => 'httpd_sys_script_rw_t', + default => 'httpd_sys_rw_content_t' } - - # this is for later fixes - exec{ - 'adjust_pidfile': - command => 'sed -i "s/^#PidFile \(.*\)/PidFile \1/g" /etc/httpd/conf/httpd.conf', - unless => 'grep -qE \'^PidFile \' /etc/httpd/conf/httpd.conf', + selinux::fcontext{ + [ '/var/www/vhosts/[^/]*/www(/.*)?', + '/var/www/vhosts/[^/]*/non_public(/.*)?', + '/var/www/vhosts/[^/]*/data(/.*)?', + '/var/www/vhosts/[^/]*/upload(/.*)?' 
]: require => Package['apache'], - notify => Service['apache']; - 'adjust_listen': - command => 'sed -i "s/^#Listen 80/Listen 80/g" /etc/httpd/conf/httpd.conf', - unless => 'grep -qE \'^Listen 80\' /etc/httpd/conf/httpd.conf', + setype => $seltype_rw; + '/var/www/vhosts/[^/]*/logs(/.*)?': require => Package['apache'], - notify => Service['apache']; + setype => 'httpd_log_t'; } + } + file{'apache_service_config': + path => '/etc/sysconfig/httpd', + source => [ "puppet:///modules/site_apache/service/CentOS/${::fqdn}/httpd", + 'puppet:///modules/site_apache/service/CentOS/httpd', + 'puppet:///modules/apache/service/CentOS/httpd' ], + require => Package['apache'], + notify => Service['apache'], + owner => root, + group => 0, + mode => '0644'; + } - apache::config::global{'00-listen.conf': - ensure => absent, - } + # this is for later fixes + exec{ + 'adjust_pidfile': + command => 'sed -i "s/^#PidFile \(.*\)/PidFile \1/g" /etc/httpd/conf/httpd.conf', + unless => 'grep -qE \'^PidFile \' /etc/httpd/conf/httpd.conf', + require => Package['apache'], + notify => Service['apache']; + 'adjust_listen': + command => 'sed -i "s/^#Listen 80/Listen 80/g" /etc/httpd/conf/httpd.conf', + unless => 'grep -qE \'^Listen 80\' /etc/httpd/conf/httpd.conf', + require => Package['apache'], + notify => Service['apache']; + } + + apache::config::global{'00-listen.conf': + ensure => absent, + } - include apache::logrotate::centos + include apache::logrotate::centos - apache::config::global{ 'welcome.conf': } - apache::config::global{ 'vhosts.conf': } + apache::config::global{ 'welcome.conf': } + apache::config::global{ 'vhosts.conf': } } -- cgit v1.2.3 From 39bbb27079fe22ad3ed0f220d32ff5f3ce3cb666 Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 27 Feb 2015 09:59:35 +0100 Subject: notify the service if something changes --- manifests/base.pp | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/manifests/base.pp b/manifests/base.pp index 8029e73..3f92159 100644 --- a/manifests/base.pp 
+++ b/manifests/base.pp @@ -7,6 +7,7 @@ class apache::base { purge => true, recurse => true, force => true, + notify => Service['apache'], owner => root, group => 0, mode => '0644'; @@ -22,6 +23,7 @@ class apache::base { purge => true, recurse => true, force => true, + notify => Service['apache'], owner => root, group => 0, mode => '0644'; @@ -31,6 +33,7 @@ class apache::base { purge => true, recurse => true, force => true, + notify => Service['apache'], owner => root, group => 0, mode => '0644'; @@ -40,6 +43,7 @@ class apache::base { purge => true, recurse => true, force => true, + notify => Service['apache'], owner => root, group => 'apache', mode => '0640'; -- cgit v1.2.3 From fa295b03762a0ae3220b8dcade7155674bb71ac0 Mon Sep 17 00:00:00 2001 From: o Date: Tue, 10 Mar 2015 19:05:31 +0100 Subject: support per-vhost hsts headers --- templates/vhosts/partials/ssl.erb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/templates/vhosts/partials/ssl.erb b/templates/vhosts/partials/ssl.erb index 24e28f5..c9f3933 100644 --- a/templates/vhosts/partials/ssl.erb +++ b/templates/vhosts/partials/ssl.erb @@ -3,3 +3,6 @@ <% if configuration['ssl_certificate_chain_file'] || scope.lookupvar('apache::default_ssl_certificate_chain_file') != 'absent' -%> SSLCertificateChainFile <%= configuration['ssl_certificate_chain_file'] || scope.lookupvar('apache::default_ssl_certificate_chain_file') %> <% end -%> +<% if configuration['hsts'] -%> + Header add Strict-Transport-Security "max-age=<%= (configuration['hsts']['age'] || 15768000) rescue 15768000 %>" +<% end -%> -- cgit v1.2.3 From 8074127b8d8913314c90c3fe6131d078a858f7b6 Mon Sep 17 00:00:00 2001 From: o Date: Tue, 10 Mar 2015 22:14:51 +0100 Subject: hsts should be enabled on a per-site basis hsts does mix very badly with selfsigned certs. thus we disable it by default. set configuration['hsts'] = true for vhost with valid certs. --- templates/include.d/ssl_defaults.inc.erb | 3 --- 1 file changed, 3 deletions(-) 
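Review bot: The `rescue 15768000` modifier on the new HSTS line in ssl.erb swallows every StandardError raised while evaluating `configuration['hsts']['age']`; it is there so that `hsts => true` (the form the following commit's message recommends) does not fail on `true['age']`, but it equally hides a misspelt key or a non-numeric value and makes the template emit the default without any sign that the site's setting was ignored. An explicit type check says what is meant: `<% hsts = configuration['hsts']; hsts_age = (hsts.is_a?(Hash) && hsts['age']) ? hsts['age'] : 15768000 -%>` followed by `Header always set Strict-Transport-Security "max-age=<%= hsts_age %>"`. Using `Header always set` rather than `Header add` also makes the header appear on redirects and error responses, which `add` in the onsuccess table does not cover, and avoids a duplicate when the application sets its own. The block is appended after the chain-file condition; nothing else in the partial changes.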
diff --git a/templates/include.d/ssl_defaults.inc.erb b/templates/include.d/ssl_defaults.inc.erb index 236eb78..77f8e77 100644 --- a/templates/include.d/ssl_defaults.inc.erb +++ b/templates/include.d/ssl_defaults.inc.erb @@ -76,6 +76,3 @@ SSLHonorCipherOrder on SetEnvIf User-Agent ".*MSIE.*" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 - -# set STS Header -Header add Strict-Transport-Security "max-age=15768000" -- cgit v1.2.3