From 7bbb0feacac0565457f5f56f65468429803454fb Mon Sep 17 00:00:00 2001 From: mh Date: Wed, 11 Aug 2010 14:06:53 +0200 Subject: introduce logmode feature We are now able to select how apache should log accesses. These modes are: * default: as you would use it * semianonym: no ips are logged for CustomLog, ErrorLog still logs ips * anonym: no ips are logged for CustomLog, ErrorLog is sent to /dev/null * nologs: all logs are sent to /dev/null --- manifests/vhost/php/joomla.pp | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'manifests/vhost/php/joomla.pp') diff --git a/manifests/vhost/php/joomla.pp b/manifests/vhost/php/joomla.pp index 280792e..1af9bf9 100644 --- a/manifests/vhost/php/joomla.pp +++ b/manifests/vhost/php/joomla.pp @@ -10,11 +10,17 @@ # php_default_charset: default charset header for php. # *default*: absent, which will set the same as default_charset # of apache +# logmode: +# - default: Do normal logging to CustomLog and ErrorLog +# - nologs: Send every logging to /dev/null +# - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null +# - semianonym: Don't log ips for CustomLog, log normal ErrorLog define apache::vhost::php::joomla( $ensure = present, $domain = 'absent', $domainalias = 'absent', $server_admin = 'absent', + $logmode = 'default', $path = 'absent', $owner = root, $group = apache, @@ -61,6 +67,7 @@ define apache::vhost::php::joomla( domain => $domain, domainalias => $domainalias, server_admin => $server_admin, + logmode => $logmode, path => $path, template_mode => 'php_joomla', owner => $owner, -- cgit v1.2.3 From 1bdb39c6dd8ccaf76d8a4aa2e9486069afd2d476 Mon Sep 17 00:00:00 2001 From: mh Date: Mon, 16 Aug 2010 19:01:24 +0200 Subject: impelement itk plus mode itk plus mode is an additional mode to deploy itk based hostings which should be a bit more performant. The idea is that we have two apache-instances running: A) prefork based, listening on the external interface B) itk based, listening on the loopback interface A) will serve all static webpages, as well as possibly serve all static content of dynamic websites. All requests to dynamic content will be redirected to B). The idea is that A) doesn't load any modules to server dynamic content at all. B) will serve all the dynamic scripts of a vhost. This will mean that for vhosts (static ones) as well as static content (all none dynamic scripts) we can benefit from the fast prefork model, while we can use itk's security model for all the dynamic scripts. There are two new additional run_modes: - proxy-itk: this just passes all requests to apache instance B). This one is similar to plain itk based mode and should be used for vhosts that shouldn't (yet) changed to the mixed mode. - static-itk: this passes only requests to dynamic scripts to B) while all static content is served by A). Beware that the user with which A) is running should be member of the run group of B) and all static files need to readable by the group. This reduces the security model you have with plain itk, as the prefork apache user will be able to read php (config-) files of any vhost that runs in static-itk mode. If you want to keep the level of security for a certain vhost, you need to run the specific vhost in proxy-itk mode. Note 1: you cannot run vhosts in itk mode and others in proxy or static itk mode. There is a duplicate file resource definition that blocks that possibility. Note 2: This mode works currently only on CentOS based systems, as no work have been done so far to implement an init.d script that's able to run 2 apache instances. --- manifests/vhost/php/joomla.pp | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) (limited to 'manifests/vhost/php/joomla.pp') diff --git a/manifests/vhost/php/joomla.pp b/manifests/vhost/php/joomla.pp index 1af9bf9..96e3ab1 100644 --- a/manifests/vhost/php/joomla.pp +++ b/manifests/vhost/php/joomla.pp @@ -1,9 +1,24 @@ -# run_mode: -# - normal: nothing special (*default*) -# - itk: apache is running with the itk module -# and run_uid and run_gid are used as vhost users +# run_mode: controls in which mode the vhost should be run, there are different setups +# possible: +# - normal: (*default*) run vhost with the current active worker (default: prefork) don't +# setup anything special +# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination +# with 'proxy-itk' & 'static-itk' mode) +# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the +# requests for the itk setup, that listens only on the loobpack device. +# (Incompatibility: cannot be used in combination with the itk setup.) +# - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static +# content and proxies the dynamic calls to the itk setup, that listens only on +# the loobpack device (Incompatibility: cannot be used in combination with +# 'itk' mode) +# # run_uid: the uid the vhost should run as with the itk module # run_gid: the gid the vhost should run as with the itk module +# +# mod_security: Whether we use mod_security or not (will include mod_security module) +# - false: don't activate mod_security +# - true: (*default*) activate mod_security +# # php_safe_mode_exec_bins: An array of local binaries which should be linked in the # safe_mode_exec_bin for this hosting # *default*: None -- cgit v1.2.3 From cbbffa1d3de5a19a72dd7bb88fb1bcb14e5384e1 Mon Sep 17 00:00:00 2001 From: mh Date: Tue, 17 May 2011 22:52:47 +0200 Subject: improve mod_security rules * handled now by a partial * possibility to add rules that should be removed * possibility to add custom mod_sec options" * use new infrastructure for existing mod_sec tweaks --- manifests/vhost/php/joomla.pp | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) (limited to 'manifests/vhost/php/joomla.pp') diff --git a/manifests/vhost/php/joomla.pp b/manifests/vhost/php/joomla.pp index 96e3ab1..3767c50 100644 --- a/manifests/vhost/php/joomla.pp +++ b/manifests/vhost/php/joomla.pp @@ -56,6 +56,8 @@ define apache::vhost::php::joomla( $default_charset = 'absent', $mod_security = true, $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', $ssl_mode = false, $vhost_mode = 'template', $vhost_source = 'absent', @@ -75,6 +77,24 @@ define apache::vhost::php::joomla( }, default => "${path}/www" } + + if $mod_security_additional_options == 'absent' { + $real_mod_security_additional_options = '# http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html + # Exceptions for Joomla Root Directory + + SecRuleRemoveById 950013 + + + # Exceptions for Joomla Administration Panel + SecRule REQUEST_FILENAME "/administrator/index2.php" \ + "allow,phase:1,nolog,ctl:ruleEngine=Off" + + # Exceptions for Joomla Component Expose + + SecRuleRemoveById 960010 + +' + } else { $real_mod_security_additional_options = $mod_security_additional_options } # create vhost configuration file ::apache::vhost::php::webapp{$name: @@ -104,6 +124,8 @@ define apache::vhost::php::joomla( default_charset => $default_charset, mod_security => $mod_security, mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options => $real_mod_security_additional_options, ssl_mode => $ssl_mode, vhost_mode => $vhost_mode, vhost_source => $vhost_source, -- cgit v1.2.3 From 2fa748dcc92e34b13bd4b6f7e452ef89b29490c4 Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 8 Oct 2011 19:22:40 +0200 Subject: introduce a new template style, less duplicated things, more handy options --- manifests/vhost/php/joomla.pp | 20 ++++++-------------- 1 file changed, 6 insertions(+), 14 deletions(-) (limited to 'manifests/vhost/php/joomla.pp') diff --git a/manifests/vhost/php/joomla.pp b/manifests/vhost/php/joomla.pp index 3767c50..1cd9479 100644 --- a/manifests/vhost/php/joomla.pp +++ b/manifests/vhost/php/joomla.pp @@ -19,12 +19,6 @@ # - false: don't activate mod_security # - true: (*default*) activate mod_security # -# php_safe_mode_exec_bins: An array of local binaries which should be linked in the -# safe_mode_exec_bin for this hosting -# *default*: None -# php_default_charset: default charset header for php. -# *default*: absent, which will set the same as default_charset -# of apache # logmode: # - default: Do normal logging to CustomLog and ErrorLog # - nologs: Send every logging to /dev/null @@ -46,10 +40,8 @@ define apache::vhost::php::joomla( $run_uid = 'absent', $run_gid = 'absent', $allow_override = 'None', - $php_upload_tmp_dir = 'absent', - $php_session_save_path = 'absent', - $php_safe_mode_exec_bins = 'absent', - $php_default_charset = 'absent', + $php_settings = {}, + $php_options = {}, $do_includes = false, $options = 'absent', $additional_options = 'absent', @@ -60,6 +52,7 @@ define apache::vhost::php::joomla( $mod_security_additional_options = 'absent', $ssl_mode = false, $vhost_mode = 'template', + $template_partial = 'apache/vhosts/php_joomla/partial.erb', $vhost_source = 'absent', $vhost_destination = 'absent', $htpasswd_file = 'absent', @@ -114,10 +107,8 @@ define apache::vhost::php::joomla( run_uid => $run_uid, run_gid => $run_gid, allow_override => $allow_override, - php_upload_tmp_dir => $php_upload_tmp_dir, - php_session_save_path => $php_session_save_path, - php_safe_mode_exec_bins => $php_safe_mode_exec_bins, - php_default_charset => $php_default_charset, + php_settings => $php_settings, + php_options => $php_options, do_includes => $do_includes, options => $options, additional_options => $additional_options, @@ -128,6 +119,7 @@ define apache::vhost::php::joomla( mod_security_additional_options => $real_mod_security_additional_options, ssl_mode => $ssl_mode, vhost_mode => $vhost_mode, + template_partial => $template_partial, vhost_source => $vhost_source, vhost_destination => $vhost_destination, htpasswd_file => $htpasswd_file, -- cgit v1.2.3 From c4e151111d69757c3def14aad40bf2773bfa4ace Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 8 Oct 2011 19:30:49 +0200 Subject: fix include --- manifests/vhost/php/joomla.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'manifests/vhost/php/joomla.pp') diff --git a/manifests/vhost/php/joomla.pp b/manifests/vhost/php/joomla.pp index 1cd9479..cdeb24b 100644 --- a/manifests/vhost/php/joomla.pp +++ b/manifests/vhost/php/joomla.pp @@ -61,7 +61,7 @@ define apache::vhost::php::joomla( $config_webwriteable = false, $manage_directories = true ){ - include ::apache::joomla + include ::apache::include::joomla $documentroot = $path ? { 'absent' => $operatingsystem ? { -- cgit v1.2.3 From baf631043b368ec802c700d939eee42358e831e8 Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 8 Oct 2011 20:25:32 +0200 Subject: remove old template mode option --- manifests/vhost/php/joomla.pp | 1 - 1 file changed, 1 deletion(-) (limited to 'manifests/vhost/php/joomla.pp') diff --git a/manifests/vhost/php/joomla.pp b/manifests/vhost/php/joomla.pp index cdeb24b..69b08f6 100644 --- a/manifests/vhost/php/joomla.pp +++ b/manifests/vhost/php/joomla.pp @@ -97,7 +97,6 @@ define apache::vhost::php::joomla( server_admin => $server_admin, logmode => $logmode, path => $path, - template_mode => 'php_joomla', owner => $owner, group => $group, documentroot_owner => $documentroot_owner, -- cgit v1.2.3 From 076909377eaa3aa41936e3acb7e02a9b5b14d493 Mon Sep 17 00:00:00 2001 From: mh Date: Thu, 31 May 2012 11:38:45 +0200 Subject: fix various puppet language things --- manifests/vhost/php/joomla.pp | 39 +++++++++++++++++++-------------------- 1 file changed, 19 insertions(+), 20 deletions(-) (limited to 'manifests/vhost/php/joomla.pp') diff --git a/manifests/vhost/php/joomla.pp b/manifests/vhost/php/joomla.pp index 69b08f6..eed142c 100644 --- a/manifests/vhost/php/joomla.pp +++ b/manifests/vhost/php/joomla.pp @@ -64,13 +64,13 @@ define apache::vhost::php::joomla( include ::apache::include::joomla $documentroot = $path ? { - 'absent' => $operatingsystem ? { + 'absent' => $::operatingsystem ? { openbsd => "/var/www/htdocs/${name}/www", default => "/var/www/vhosts/${name}/www" }, default => "${path}/www" } - + if $mod_security_additional_options == 'absent' { $real_mod_security_additional_options = '# http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html # Exceptions for Joomla Root Directory @@ -79,8 +79,7 @@ define apache::vhost::php::joomla( # Exceptions for Joomla Administration Panel - SecRule REQUEST_FILENAME "/administrator/index2.php" \ - "allow,phase:1,nolog,ctl:ruleEngine=Off" + SecRule REQUEST_FILENAME "/administrator/index2.php" "allow,phase:1,nolog,ctl:ruleEngine=Off" # Exceptions for Joomla Component Expose @@ -124,22 +123,22 @@ define apache::vhost::php::joomla( htpasswd_file => $htpasswd_file, htpasswd_path => $htpasswd_path, manage_directories => $manage_directories, - managed_directories => [ "$documentroot/administrator/backups", - "$documentroot/administrator/components", - "$documentroot/administrator/language", - "$documentroot/administrator/modules", - "$documentroot/administrator/templates", - "$documentroot/components", - "$documentroot/dmdocuments", - "$documentroot/images", - "$documentroot/language", - "$documentroot/media", - "$documentroot/modules", - "$documentroot/plugins", - "$documentroot/templates", - "$documentroot/cache", - "$documentroot/tmp", - "$documentroot/administrator/cache" ], + managed_directories => [ "${documentroot}/administrator/backups", + "${documentroot}/administrator/components", + "${documentroot}/administrator/language", + "${documentroot}/administrator/modules", + "${documentroot}/administrator/templates", + "${documentroot}/components", + "${documentroot}/dmdocuments", + "${documentroot}/images", + "${documentroot}/language", + "${documentroot}/media", + "${documentroot}/modules", + "${documentroot}/plugins", + "${documentroot}/templates", + "${documentroot}/cache", + "${documentroot}/tmp", + "${documentroot}/administrator/cache" ], manage_config => $manage_config, config_webwriteable => $config_webwriteable, config_file => 'configuration.php', -- cgit v1.2.3 From aea2be9add8f751d968de1786e3a4b37568526a7 Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 15 Dec 2012 12:16:13 +0100 Subject: newer mod_security versions need a rule id & linting --- manifests/vhost/php/joomla.pp | 220 ++++++++++++++++++++++-------------------- 1 file changed, 115 insertions(+), 105 deletions(-) (limited to 'manifests/vhost/php/joomla.pp') diff --git a/manifests/vhost/php/joomla.pp b/manifests/vhost/php/joomla.pp index eed142c..3962efa 100644 --- a/manifests/vhost/php/joomla.pp +++ b/manifests/vhost/php/joomla.pp @@ -25,124 +25,134 @@ # - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null # - semianonym: Don't log ips for CustomLog, log normal ErrorLog define apache::vhost::php::joomla( - $ensure = present, - $domain = 'absent', - $domainalias = 'absent', - $server_admin = 'absent', - $logmode = 'default', - $path = 'absent', - $owner = root, - $group = apache, - $documentroot_owner = apache, - $documentroot_group = 0, - $documentroot_mode = 0640, - $run_mode = 'normal', - $run_uid = 'absent', - $run_gid = 'absent', - $allow_override = 'None', - $php_settings = {}, - $php_options = {}, - $do_includes = false, - $options = 'absent', - $additional_options = 'absent', - $default_charset = 'absent', - $mod_security = true, - $mod_security_relevantonly = true, - $mod_security_rules_to_disable = [], - $mod_security_additional_options = 'absent', - $ssl_mode = false, - $vhost_mode = 'template', - $template_partial = 'apache/vhosts/php_joomla/partial.erb', - $vhost_source = 'absent', - $vhost_destination = 'absent', - $htpasswd_file = 'absent', - $htpasswd_path = 'absent', - $manage_config = true, - $config_webwriteable = false, - $manage_directories = true + $ensure = present, + $domain = 'absent', + $domainalias = 'absent', + $server_admin = 'absent', + $logmode = 'default', + $path = 'absent', + $owner = root, + $group = apache, + $documentroot_owner = apache, + $documentroot_group = 0, + $documentroot_mode = '0640', + $run_mode = 'normal', + $run_uid = 'absent', + $run_gid = 'absent', + $allow_override = 'None', + $php_settings = {}, + $php_options = {}, + $do_includes = false, + $options = 'absent', + $additional_options = 'absent', + $default_charset = 'absent', + $mod_security = true, + $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', + $ssl_mode = false, + $vhost_mode = 'template', + $template_partial = 'apache/vhosts/php_joomla/partial.erb', + $vhost_source = 'absent', + $vhost_destination = 'absent', + $htpasswd_file = 'absent', + $htpasswd_path = 'absent', + $manage_config = true, + $config_webwriteable = false, + $manage_directories = true ){ - include ::apache::include::joomla + include ::apache::include::joomla - $documentroot = $path ? { - 'absent' => $::operatingsystem ? { - openbsd => "/var/www/htdocs/${name}/www", - default => "/var/www/vhosts/${name}/www" - }, - default => "${path}/www" - } + $documentroot = $path ? { + 'absent' => $::operatingsystem ? { + openbsd => "/var/www/htdocs/${name}/www", + default => "/var/www/vhosts/${name}/www" + }, + default => "${path}/www" + } - if $mod_security_additional_options == 'absent' { - $real_mod_security_additional_options = '# http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html + if $mod_security_additional_options == 'absent' { + $id_str = $::operatingsystem ? { + 'CentOS' => $::lsbmajdistrelease ? { + 5 => '', + default => 'id:1199400,' + }, + default => '' + } + $real_mod_security_additional_options = "# http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html # Exceptions for Joomla Root Directory - + SecRuleRemoveById 950013 # Exceptions for Joomla Administration Panel - SecRule REQUEST_FILENAME "/administrator/index2.php" "allow,phase:1,nolog,ctl:ruleEngine=Off" + SecRule REQUEST_FILENAME \"/administrator/index2.php\" \"${id_str}allow,phase:1,nolog,ctl:ruleEngine=Off\" # Exceptions for Joomla Component Expose - + SecRuleRemoveById 960010 -' - } else { $real_mod_security_additional_options = $mod_security_additional_options } +" + } else { + $real_mod_security_additional_options = $mod_security_additional_options + } - # create vhost configuration file - ::apache::vhost::php::webapp{$name: - ensure => $ensure, - domain => $domain, - domainalias => $domainalias, - server_admin => $server_admin, - logmode => $logmode, - path => $path, - owner => $owner, - group => $group, - documentroot_owner => $documentroot_owner, - documentroot_group => $documentroot_group, - documentroot_mode => $documentroot_mode, - run_mode => $run_mode, - run_uid => $run_uid, - run_gid => $run_gid, - allow_override => $allow_override, - php_settings => $php_settings, - php_options => $php_options, - do_includes => $do_includes, - options => $options, - additional_options => $additional_options, - default_charset => $default_charset, - mod_security => $mod_security, - mod_security_relevantonly => $mod_security_relevantonly, - mod_security_rules_to_disable => $mod_security_rules_to_disable, - mod_security_additional_options => $real_mod_security_additional_options, - ssl_mode => $ssl_mode, - vhost_mode => $vhost_mode, - template_partial => $template_partial, - vhost_source => $vhost_source, - vhost_destination => $vhost_destination, - htpasswd_file => $htpasswd_file, - htpasswd_path => $htpasswd_path, - manage_directories => $manage_directories, - managed_directories => [ "${documentroot}/administrator/backups", - "${documentroot}/administrator/components", - "${documentroot}/administrator/language", - "${documentroot}/administrator/modules", - "${documentroot}/administrator/templates", - "${documentroot}/components", - "${documentroot}/dmdocuments", - "${documentroot}/images", - "${documentroot}/language", - "${documentroot}/media", - "${documentroot}/modules", - "${documentroot}/plugins", - "${documentroot}/templates", - "${documentroot}/cache", - "${documentroot}/tmp", - "${documentroot}/administrator/cache" ], - manage_config => $manage_config, - config_webwriteable => $config_webwriteable, - config_file => 'configuration.php', - } + # create vhost configuration file + ::apache::vhost::php::webapp{ + $name: + ensure => $ensure, + domain => $domain, + domainalias => $domainalias, + server_admin => $server_admin, + logmode => $logmode, + path => $path, + owner => $owner, + group => $group, + documentroot_owner => $documentroot_owner, + documentroot_group => $documentroot_group, + documentroot_mode => $documentroot_mode, + run_mode => $run_mode, + run_uid => $run_uid, + run_gid => $run_gid, + allow_override => $allow_override, + php_settings => $php_settings, + php_options => $php_options, + do_includes => $do_includes, + options => $options, + additional_options => $additional_options, + default_charset => $default_charset, + mod_security => $mod_security, + mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options => $real_mod_security_additional_options, + ssl_mode => $ssl_mode, + vhost_mode => $vhost_mode, + template_partial => $template_partial, + vhost_source => $vhost_source, + vhost_destination => $vhost_destination, + htpasswd_file => $htpasswd_file, + htpasswd_path => $htpasswd_path, + manage_directories => $manage_directories, + managed_directories => [ "${documentroot}/administrator/backups", + "${documentroot}/administrator/components", + "${documentroot}/administrator/language", + "${documentroot}/administrator/modules", + "${documentroot}/administrator/templates", + "${documentroot}/components", + "${documentroot}/dmdocuments", + "${documentroot}/images", + "${documentroot}/language", + "${documentroot}/media", + "${documentroot}/modules", + "${documentroot}/plugins", + "${documentroot}/templates", + "${documentroot}/cache", + "${documentroot}/tmp", + "${documentroot}/administrator/cache" ], + manage_config => $manage_config, + config_webwriteable => $config_webwriteable, + config_file => 'configuration.php', + } } -- cgit v1.2.3