From f810a0f8b94f09a53ce5435b47dafedd00d7fe3b Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 25 Feb 2016 14:49:33 +0100 Subject: moved README -> README.md --- README | 229 -------------------------------------------------------------- README.md | 229 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 229 insertions(+), 229 deletions(-) delete mode 100644 README create mode 100644 README.md diff --git a/README b/README deleted file mode 100644 index 1c0c96c..0000000 --- a/README +++ /dev/null 
@@ -1,229 +0,0 @@ -puppet module for managing an Apache web server -=============================================== - -This module tries to manage apache on different distros in a similar manner. a -few additional directories have to be created as well some configuration files -have to be deployed to fit this schema. - -! Upgrade Notices ! - - * this module now only works with puppet 2.7 or newer - - * this module now uses parameterized classes, if you were using global - variables before, you need to change the class declarations in your manifests - - * this module now requires the stdlib module - - * this module no longer requires the common module - - * if using the munin module, you need a version of the munin module that is - at or newer than commit 77e0a70999a8c4c20ee8d9eb521b927c525ac653 (Feb 28, 2013) - - * if using munin, you will need to have the perl module installed - - * you must change your modules/site-apache to modules/site_apache - - * the $apache_no_default_site variable is no longer supported, you should - switch to passing the parameter "no_default_site => true" to the apache class - - * the $use_munin variable is no longer supported, you should switch to - passing the parameter 'manage_munin' to the apache class - - * the $use_shorewall variable is no longer supported, you should switch to - passing the parameter 'manage_shorewall' to the apache class - - * if you were using apache::vhost::file, or apache::vhost::template, there is a - wrapper called apache::vhost now that takes a $vhost_mode (either the default - 'template', or 'file), although you can continue to use the longer defines - - * Previously, apache::config::file resources would require the source to be a - full source specification, this is no longer needed, so please change any: - - source => "puppet:///modules/site-apache/blah" - - to be: - - source => "modules/site-apache/blah" - - -Requirements ------------- - - * puppet 2.7 or newer - * stdlib module - * templatewlv module - 
* facter >= 2.2 - because we check for $::operatingsystemmajrelease on multiple places. - In Debian wheezy, facter needs to get upgraded from wheezy-backports. - The facter version of Debian jessie is new enough. - -Usage -===== - -Installing Apache ------------------ - -To install Apache, simply include the 'apache' class in your manifests: - - include apache - -This will give you a basic managed setup. You can pass a couple parameters to the -class to have the module do some things for you: - - * manage_shorewall: If you have the shorewall module installed and are using - it then rules will be automatically defined for you to let traffic come from - the exterior into the web server via port 80, and also 443 if you're using - the apache::ssl class. (Default: false) - - * manage_munin: If you have the munin module installed and are using it, then - some apache graphs will be configured for you. (Default: false) - - * no_default_site: If you do not want the 0-default.conf and - 0-default_ssl.conf virtualhosts automatically created in your node - configuration. (Default: false) - - * ssl: If you want to install Apache SSL support enabled, just pass this - parameter (Default: false) - -For example: - - class { 'apache': - manage_shorewall => true, - manage_munin => true, - no_default_site => true, - ssl => true - } - -You can install the ITK worker model to enforce stronger, per-user security: - - include apache::itk - -On CentOS you can include 'apache::itk_plus' to get that mode. Not currently -implemented for other operating systems - -You can combine SSL support and the ITK worker model by including both classes. 
- - -Configuring Apache ------------------- - -To deploy a configuration files to the conf.d or include.d directory under -Apache's config directory, you can use the following: - -apache::config::file { 'filename': - content => 'Alias /thisApplication /usr/share/thisApplication/htdocs', -} - -by default this will deploy a conf.d global configuration file called 'filename' -with that content. - -You can pass the parameter 'type => include' to add includes for vhosts - - -To manage users in an htpasswd file: - -apache::htpasswd_user { "joe@$domain": - ensure => present, # default: present - site => "$domain", # default: 'absent' - will use $name - username => 'joe', # default: 'absent' - will use $name - password => "pass", - password_iscrypted => false, # default: false - will sha1 hash the value - path => 'absent' # default: 'absent' - /var/www/htpasswds/${site} -} - -This will place an encrypted version of "pass" for user joe into -/var/www/htpasswds/${site} - -You will need to make sure that ${site} exists before this is done, see the -apache::vhost class below for how this is done. - -VirtualHost files ------------------ - -vhosts can be added with the apache::vhost define. - -You can ship a flat file containing the configuration, or a template. That is -controlled by the 'vhost_mode' parameter, which can be either 'file', or -'template' (default). 
- -Unless specified, the source will be automatically pulled from -modules/site_apache/{templates,files}/vhosts.d, searched in this order: - - "puppet:///modules/site_apache/vhosts.d/${::fqdn}/${name}.conf", - "puppet:///modules/site_apache/vhosts.d/{$apache::cluster_node}/${name}.conf", - "puppet:///modules/site_apache/vhosts.d/${::operatingsystem}.${::operatingsystemmajrelease}/${name}.conf", - "puppet:///modules/site_apache/vhosts.d/${::operatingsystem}/${name}.conf", - "puppet:///modules/site_apache/vhosts.d/${name}.conf", - -otherwise you can pass a 'content' parameter to configure a template location that -it should be pulled from, or a 'vhost_source' parameter to specify the file source. - -For example: - -This would deploy a the vhost for $domain, pulled from a file from the sources -listed above: - -apache::vhost { "$domain": vhost_mode => 'file' } - -apache::vhost { "$domain": - vhost_mode => 'file', - vhost_source => 'modules/site_configs/vhosts.d/${name}.conf" -} - -There are multiple other additional configurables that you can pass to each -vhost definition: - -* logmode: - - default: Do normal logging to CustomLog and ErrorLog - - nologs: Send every logging to /dev/null - - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null - - semianonym: Don't log ips for CustomLog, log normal ErrorLog - -* run_mode: controls in which mode the vhost should be run, there are different setups - possible: - - normal: (*default*) run vhost with the current active worker (default: prefork) don't - setup anything special - - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination - with 'proxy-itk' & 'static-itk' mode) - - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the - requests for the itk setup, that listens only on the loobpack device. - (Incompatibility: cannot be used in combination with the itk setup.) 
- - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static - content and proxies the dynamic calls to the itk setup, that listens only on - the loobpack device (Incompatibility: cannot be used in combination with - 'itk' mode) - -* mod_security: Whether we use mod_security or not (will include mod_security module) - - false: (*default*) don't activate mod_security - - true: activate mod_security - -For templates, you can pass various parameters that will automatically configure -the template accordingly (such as php_options and php_settings). Please see -manifests/vhost/template.pp for the full list. - -There are various pre-made vhost configurations that use good defaults that you can use: - -apache::vhost::gitweb - sets up a gitweb vhost -apache::vhost::modperl - uses modperl, with optional fastcgi -apache::vhost::passenger - setup passenger -apache::vhost::proxy - setup a proxy vhost -apache::vhost::redirect - vhost to redirect hosts -apache::vhost::static - a static vhost -apache::vhost::webdav - for managing webdave accessible targets - -Additionally, for php sites, there are several handy pre-made vhost configurations: - -apache::vhost::php::drupal -apache::vhost::php::gallery2 -apache::vhost::php::global_exec_bin_dir -apache::vhost::php::joomla -apache::vhost::php::mediawiki -apache::vhost::php::safe_mode_bin -apache::vhost::php::silverstripe -apache::vhost::php::simplemachine -apache::vhost::php::spip -apache::vhost::php::standard -apache::vhost::php::typo3 -apache::vhost::php::webapp -apache::vhost::php::wordpress - diff --git a/README.md b/README.md new file mode 100644 index 0000000..1c0c96c --- /dev/null +++ b/README.md 
@@ -0,0 +1,229 @@ +puppet module for managing an Apache web server +=============================================== + +This module tries to manage apache on different distros in a similar manner. a +few additional directories have to be created as well some configuration files +have to be deployed to fit this schema. + +! Upgrade Notices ! + + * this module now only works with puppet 2.7 or newer + + * this module now uses parameterized classes, if you were using global + variables before, you need to change the class declarations in your manifests + + * this module now requires the stdlib module + + * this module no longer requires the common module + + * if using the munin module, you need a version of the munin module that is + at or newer than commit 77e0a70999a8c4c20ee8d9eb521b927c525ac653 (Feb 28, 2013) + + * if using munin, you will need to have the perl module installed + + * you must change your modules/site-apache to modules/site_apache + + * the $apache_no_default_site variable is no longer supported, you should + switch to passing the parameter "no_default_site => true" to the apache class + + * the $use_munin variable is no longer supported, you should switch to + passing the parameter 'manage_munin' to the apache class + + * the $use_shorewall variable is no longer supported, you should switch to + passing the parameter 'manage_shorewall' to the apache class + + * if you were using apache::vhost::file, or apache::vhost::template, there is a + wrapper called apache::vhost now that takes a $vhost_mode (either the default + 'template', or 'file), although you can continue to use the longer defines + + * Previously, apache::config::file resources would require the source to be a + full source specification, this is no longer needed, so please change any: + + source => "puppet:///modules/site-apache/blah" + + to be: + + source => "modules/site-apache/blah" + + +Requirements +------------ + + * puppet 2.7 or newer + * stdlib module + * templatewlv module + 
* facter >= 2.2 + because we check for $::operatingsystemmajrelease on multiple places. + In Debian wheezy, facter needs to get upgraded from wheezy-backports. + The facter version of Debian jessie is new enough. + +Usage +===== + +Installing Apache +----------------- + +To install Apache, simply include the 'apache' class in your manifests: + + include apache + +This will give you a basic managed setup. You can pass a couple parameters to the +class to have the module do some things for you: + + * manage_shorewall: If you have the shorewall module installed and are using + it then rules will be automatically defined for you to let traffic come from + the exterior into the web server via port 80, and also 443 if you're using + the apache::ssl class. (Default: false) + + * manage_munin: If you have the munin module installed and are using it, then + some apache graphs will be configured for you. (Default: false) + + * no_default_site: If you do not want the 0-default.conf and + 0-default_ssl.conf virtualhosts automatically created in your node + configuration. (Default: false) + + * ssl: If you want to install Apache SSL support enabled, just pass this + parameter (Default: false) + +For example: + + class { 'apache': + manage_shorewall => true, + manage_munin => true, + no_default_site => true, + ssl => true + } + +You can install the ITK worker model to enforce stronger, per-user security: + + include apache::itk + +On CentOS you can include 'apache::itk_plus' to get that mode. Not currently +implemented for other operating systems + +You can combine SSL support and the ITK worker model by including both classes. 
+ + +Configuring Apache +------------------ + +To deploy a configuration files to the conf.d or include.d directory under +Apache's config directory, you can use the following: + +apache::config::file { 'filename': + content => 'Alias /thisApplication /usr/share/thisApplication/htdocs', +} + +by default this will deploy a conf.d global configuration file called 'filename' +with that content. + +You can pass the parameter 'type => include' to add includes for vhosts + + +To manage users in an htpasswd file: + +apache::htpasswd_user { "joe@$domain": + ensure => present, # default: present + site => "$domain", # default: 'absent' - will use $name + username => 'joe', # default: 'absent' - will use $name + password => "pass", + password_iscrypted => false, # default: false - will sha1 hash the value + path => 'absent' # default: 'absent' - /var/www/htpasswds/${site} +} + +This will place an encrypted version of "pass" for user joe into +/var/www/htpasswds/${site} + +You will need to make sure that ${site} exists before this is done, see the +apache::vhost class below for how this is done. + +VirtualHost files +----------------- + +vhosts can be added with the apache::vhost define. + +You can ship a flat file containing the configuration, or a template. That is +controlled by the 'vhost_mode' parameter, which can be either 'file', or +'template' (default). 
+ +Unless specified, the source will be automatically pulled from +modules/site_apache/{templates,files}/vhosts.d, searched in this order: + + "puppet:///modules/site_apache/vhosts.d/${::fqdn}/${name}.conf", + "puppet:///modules/site_apache/vhosts.d/{$apache::cluster_node}/${name}.conf", + "puppet:///modules/site_apache/vhosts.d/${::operatingsystem}.${::operatingsystemmajrelease}/${name}.conf", + "puppet:///modules/site_apache/vhosts.d/${::operatingsystem}/${name}.conf", + "puppet:///modules/site_apache/vhosts.d/${name}.conf", + +otherwise you can pass a 'content' parameter to configure a template location that +it should be pulled from, or a 'vhost_source' parameter to specify the file source. + +For example: + +This would deploy a the vhost for $domain, pulled from a file from the sources +listed above: + +apache::vhost { "$domain": vhost_mode => 'file' } + +apache::vhost { "$domain": + vhost_mode => 'file', + vhost_source => 'modules/site_configs/vhosts.d/${name}.conf" +} + +There are multiple other additional configurables that you can pass to each +vhost definition: + +* logmode: + - default: Do normal logging to CustomLog and ErrorLog + - nologs: Send every logging to /dev/null + - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null + - semianonym: Don't log ips for CustomLog, log normal ErrorLog + +* run_mode: controls in which mode the vhost should be run, there are different setups + possible: + - normal: (*default*) run vhost with the current active worker (default: prefork) don't + setup anything special + - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination + with 'proxy-itk' & 'static-itk' mode) + - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the + requests for the itk setup, that listens only on the loobpack device. + (Incompatibility: cannot be used in combination with the itk setup.) 
+ - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static + content and proxies the dynamic calls to the itk setup, that listens only on + the loobpack device (Incompatibility: cannot be used in combination with + 'itk' mode) + +* mod_security: Whether we use mod_security or not (will include mod_security module) + - false: (*default*) don't activate mod_security + - true: activate mod_security + +For templates, you can pass various parameters that will automatically configure +the template accordingly (such as php_options and php_settings). Please see +manifests/vhost/template.pp for the full list. + +There are various pre-made vhost configurations that use good defaults that you can use: + +apache::vhost::gitweb - sets up a gitweb vhost +apache::vhost::modperl - uses modperl, with optional fastcgi +apache::vhost::passenger - setup passenger +apache::vhost::proxy - setup a proxy vhost +apache::vhost::redirect - vhost to redirect hosts +apache::vhost::static - a static vhost +apache::vhost::webdav - for managing webdave accessible targets + +Additionally, for php sites, there are several handy pre-made vhost configurations: + +apache::vhost::php::drupal +apache::vhost::php::gallery2 +apache::vhost::php::global_exec_bin_dir +apache::vhost::php::joomla +apache::vhost::php::mediawiki +apache::vhost::php::safe_mode_bin +apache::vhost::php::silverstripe +apache::vhost::php::simplemachine +apache::vhost::php::spip +apache::vhost::php::standard +apache::vhost::php::typo3 +apache::vhost::php::webapp +apache::vhost::php::wordpress + -- cgit v1.2.3 From d355d8d0938062339e51d0b534c09b18315c5447 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 25 Feb 2016 14:54:25 +0100 Subject: fixed indentation, removed trailing whitespaces --- README.md | 109 +++++++++++++++++++++++++++++++------------------------------- 1 file changed, 54 insertions(+), 55 deletions(-) diff --git a/README.md b/README.md index 1c0c96c..d6cefda 100644 --- a/README.md 
+++ b/README.md @@ -1,4 +1,4 @@ -puppet module for managing an Apache web server +Puppet module for managing an Apache web server =============================================== This module tries to manage apache on different distros in a similar manner. a @@ -26,7 +26,7 @@ have to be deployed to fit this schema. * the $apache_no_default_site variable is no longer supported, you should switch to passing the parameter "no_default_site => true" to the apache class - * the $use_munin variable is no longer supported, you should switch to + * the $use_munin variable is no longer supported, you should switch to passing the parameter 'manage_munin' to the apache class * the $use_shorewall variable is no longer supported, you should switch to @@ -69,7 +69,7 @@ To install Apache, simply include the 'apache' class in your manifests: This will give you a basic managed setup. You can pass a couple parameters to the class to have the module do some things for you: - + * manage_shorewall: If you have the shorewall module installed and are using it then rules will be automatically defined for you to let traffic come from the exterior into the web server via port 80, and also 443 if you're using @@ -87,12 +87,12 @@ class to have the module do some things for you: For example: - class { 'apache': - manage_shorewall => true, - manage_munin => true, - no_default_site => true, - ssl => true - } + class { 'apache': + manage_shorewall => true, + manage_munin => true, + no_default_site => true, + ssl => true + } You can install the ITK worker model to enforce stronger, per-user security: 
@@ -110,26 +110,26 @@ Configuring Apache To deploy a configuration files to the conf.d or include.d directory under Apache's config directory, you can use the following: -apache::config::file { 'filename': - content => 'Alias /thisApplication /usr/share/thisApplication/htdocs', -} + apache::config::file { 'filename': + content => 'Alias /thisApplication /usr/share/thisApplication/htdocs', + } by default this will deploy a conf.d global configuration file called 'filename' -with that content. +with that content. You can pass the parameter 'type => include' to add includes for vhosts To manage users in an htpasswd file: -apache::htpasswd_user { "joe@$domain": - ensure => present, # default: present - site => "$domain", # default: 'absent' - will use $name - username => 'joe', # default: 'absent' - will use $name - password => "pass", - password_iscrypted => false, # default: false - will sha1 hash the value - path => 'absent' # default: 'absent' - /var/www/htpasswds/${site} -} + apache::htpasswd_user { "joe@$domain": + ensure => present, # default: present + site => "$domain", # default: 'absent' - will use $name + username => 'joe', # default: 'absent' - will use $name + password => "pass", + password_iscrypted => false, # default: false - will sha1 hash the value + path => 'absent' # default: 'absent' - /var/www/htpasswds/${site} + } This will place an encrypted version of "pass" for user joe into /var/www/htpasswds/${site} 
@@ -140,35 +140,35 @@ apache::vhost class below for how this is done. VirtualHost files ----------------- -vhosts can be added with the apache::vhost define. +vhosts can be added with the apache::vhost define. You can ship a flat file containing the configuration, or a template. That is controlled by the 'vhost_mode' parameter, which can be either 'file', or -'template' (default). +'template' (default). Unless specified, the source will be automatically pulled from modules/site_apache/{templates,files}/vhosts.d, searched in this order: - "puppet:///modules/site_apache/vhosts.d/${::fqdn}/${name}.conf", - "puppet:///modules/site_apache/vhosts.d/{$apache::cluster_node}/${name}.conf", - "puppet:///modules/site_apache/vhosts.d/${::operatingsystem}.${::operatingsystemmajrelease}/${name}.conf", - "puppet:///modules/site_apache/vhosts.d/${::operatingsystem}/${name}.conf", - "puppet:///modules/site_apache/vhosts.d/${name}.conf", + "puppet:///modules/site_apache/vhosts.d/${::fqdn}/${name}.conf", + "puppet:///modules/site_apache/vhosts.d/{$apache::cluster_node}/${name}.conf", + "puppet:///modules/site_apache/vhosts.d/${::operatingsystem}.${::operatingsystemmajrelease}/${name}.conf", + "puppet:///modules/site_apache/vhosts.d/${::operatingsystem}/${name}.conf", + "puppet:///modules/site_apache/vhosts.d/${name}.conf", otherwise you can pass a 'content' parameter to configure a template location that -it should be pulled from, or a 'vhost_source' parameter to specify the file source. +it should be pulled from, or a 'vhost_source' parameter to specify the file source. 
For example: This would deploy a the vhost for $domain, pulled from a file from the sources listed above: -apache::vhost { "$domain": vhost_mode => 'file' } + apache::vhost { "$domain": vhost_mode => 'file' } -apache::vhost { "$domain": - vhost_mode => 'file', - vhost_source => 'modules/site_configs/vhosts.d/${name}.conf" -} + apache::vhost { "$domain": + vhost_mode => 'file', + vhost_source => 'modules/site_configs/vhosts.d/${name}.conf" + } There are multiple other additional configurables that you can pass to each vhost definition: 
@@ -203,27 +203,26 @@ manifests/vhost/template.pp for the full list. There are various pre-made vhost configurations that use good defaults that you can use: -apache::vhost::gitweb - sets up a gitweb vhost -apache::vhost::modperl - uses modperl, with optional fastcgi -apache::vhost::passenger - setup passenger -apache::vhost::proxy - setup a proxy vhost -apache::vhost::redirect - vhost to redirect hosts -apache::vhost::static - a static vhost -apache::vhost::webdav - for managing webdave accessible targets +- apache::vhost::gitweb - sets up a gitweb vhost +- apache::vhost::modperl - uses modperl, with optional fastcgi +- apache::vhost::passenger - setup passenger +- apache::vhost::proxy - setup a proxy vhost +- apache::vhost::redirect - vhost to redirect hosts +- apache::vhost::static - a static vhost +- apache::vhost::webdav - for managing webdave accessible targets Additionally, for php sites, there are several handy pre-made vhost configurations: -apache::vhost::php::drupal -apache::vhost::php::gallery2 -apache::vhost::php::global_exec_bin_dir -apache::vhost::php::joomla -apache::vhost::php::mediawiki -apache::vhost::php::safe_mode_bin -apache::vhost::php::silverstripe -apache::vhost::php::simplemachine -apache::vhost::php::spip -apache::vhost::php::standard -apache::vhost::php::typo3 -apache::vhost::php::webapp -apache::vhost::php::wordpress - +- apache::vhost::php::drupal +- apache::vhost::php::gallery2 +- apache::vhost::php::global_exec_bin_dir +- apache::vhost::php::joomla +- apache::vhost::php::mediawiki +- apache::vhost::php::safe_mode_bin +- apache::vhost::php::silverstripe +- apache::vhost::php::simplemachine +- apache::vhost::php::spip +- apache::vhost::php::standard +- apache::vhost::php::typo3 +- apache::vhost::php::webapp +- apache::vhost::php::wordpress -- cgit v1.2.3 From cb76fabaf1cefcfb58cc12a29afc7ba252913201 Mon Sep 17 00:00:00 2001 
From: varac Date: Thu, 25 Feb 2016 14:55:55 +0100 Subject: Provide ssl cipher suite defaults We don't want to depend on too many modules. The `$ssl_cipher_suite` parameter is the only dependency to the `cert` module and I think it's ok to remove this dependency. It's now a hardcoded default taken from the puppetlabs apache module (https://github.com/puppetlabs/puppetlabs-apache/blob/master/README.md#ssl_cipher) Ppl who use the cert class will know how to pass the parameter. See https://gitlab.com/shared-puppet-modules-group/apache/issues/9 for the discussion. --- manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/init.pp b/manifests/init.pp index 1079d85..ad1478a 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -22,7 +22,7 @@ class apache( $default_ssl_certificate_file = absent, $default_ssl_certificate_key_file = absent, $default_ssl_certificate_chain_file = absent, - $ssl_cipher_suite = $certs::ssl_config::ciphers_http + $ssl_cipher_suite = 'HIGH:MEDIUM:!aNULL:!MD5' ) { case $::operatingsystem { centos: { include apache::centos } -- cgit v1.2.3 From 54d5f758df1ceea446cb16cd0c3ec0eb754b8058 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 25 Feb 2016 15:06:27 +0100 Subject: Upgrade notice about $ssl_cipher_suite --- README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/README.md b/README.md index d6cefda..331c85b 100644 --- a/README.md +++ b/README.md @@ -7,6 +7,11 @@ have to be deployed to fit this schema. ! Upgrade Notices ! + * The $ssl_cipher_suite has been evaluated from the `cert` module in the + past, but is now a hardcoded default for the sake of reducing dependency + to other modules. If you were using the `cert` module before, you should + pass this parameter when declaring the apache class ! + * this module now only works with puppet 2.7 or newer * this module now uses parameterized classes, if you were using global -- cgit v1.2.3
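
Review bot: in "fixed indentation, removed trailing whitespaces", README.md hunk @@ -110,26 +110,26 @@, the re-indented htpasswd example still disagrees with the text after it: the comment on `password_iscrypted => false` says the value will be SHA1-hashed, while the following sentence says an "encrypted version" of "pass" is stored. Since these lines are being touched anyway, use "hashed" in both places, and say next to `password => "pass"` that with `password_iscrypted => false` the cleartext password sits in the manifest.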
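
Review bot: in "fixed indentation, removed trailing whitespaces", README.md hunk @@ -140,35 +140,35 @@, the second example carries mismatched quotes through the re-indent: `vhost_source => 'modules/site_configs/vhosts.d/${name}.conf"` opens with a single quote and closes with a double quote, so it fails to parse when copied into a manifest. Pick one quoting style here. In the same hunk, the search-path entry `{$apache::cluster_node}` has the brace before the dollar sign, unlike the other four entries, which use `${...}`; check it against the manifest and correct it while these lines are being changed.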
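
Review bot: in "Provide ssl cipher suite defaults", manifests/init.pp hunk @@ -22,7 +22,7 @@, the new default `$ssl_cipher_suite = 'HIGH:MEDIUM:!aNULL:!MD5'` still admits the whole MEDIUM class and excludes only aNULL and MD5, and nodes that used to inherit `$certs::ssl_config::ciphers_http` get this different suite after upgrading unless they pass the parameter explicitly. Document the parameter and its default next to the class parameters, and consider whether MEDIUM belongs in a default at all, because a hardcoded copy will not follow later changes to the puppetlabs value it was taken from.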
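
Review bot: in "Upgrade notice about $ssl_cipher_suite", README.md hunk @@ -7,6 +7,11 @@, the notice names the `cert` module, but the default removed from manifests/init.pp was `$certs::ssl_config::ciphers_http`, and the notice gives neither the new default value nor the exact parameter to pass. State the new default ('HIGH:MEDIUM:!aNULL:!MD5') and show the declaration users need to keep the old behaviour, for example `ssl_cipher_suite => $certs::ssl_config::ciphers_http` on the apache class. The trailing " !" after "apache class" looks like a leftover and can be dropped.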