From 7bbb0feacac0565457f5f56f65468429803454fb Mon Sep 17 00:00:00 2001 From: mh Date: Wed, 11 Aug 2010 14:06:53 +0200 Subject: introduce logmode feature We are now able to select how apache should log accesses. These modes are: * default: as you would use it * semianonym: no ips are logged for CustomLog, ErrorLog still logs ips * anonym: no ips are logged for CustomLog, ErrorLog is sent to /dev/null * nologs: all logs are sent to /dev/null --- manifests/vhost/php/wordpress.pp | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'manifests/vhost/php/wordpress.pp') diff --git a/manifests/vhost/php/wordpress.pp b/manifests/vhost/php/wordpress.pp index c4e77f2..63e7267 100644 --- a/manifests/vhost/php/wordpress.pp +++ b/manifests/vhost/php/wordpress.pp @@ -10,11 +10,17 @@ # php_default_charset: default charset header for php. # *default*: absent, which will set the same as default_charset # of apache +# logmode: +# - default: Do normal logging to CustomLog and ErrorLog +# - nologs: Send every logging to /dev/null +# - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null +# - semianonym: Don't log ips for CustomLog, log normal ErrorLog define apache::vhost::php::wordpress( $ensure = present, $domain = 'absent', $domainalias = 'absent', $server_admin = 'absent', + $logmode = 'default', $path = 'absent', $owner = root, $group = apache, @@ -60,6 +66,7 @@ define apache::vhost::php::wordpress( domain => $domain, domainalias => $domainalias, server_admin => $server_admin, + logmode => $logmode, path => $path, template_mode => 'php_wordpress', owner => $owner, -- cgit v1.2.3 From 1bdb39c6dd8ccaf76d8a4aa2e9486069afd2d476 Mon Sep 17 00:00:00 2001 From: mh Date: Mon, 16 Aug 2010 19:01:24 +0200 Subject: impelement itk plus mode itk plus mode is an additional mode to deploy itk based hostings which should be a bit more performant. The idea is that we have two apache-instances running: A) prefork based, listening on the external interface B) itk based, listening on the loopback interface A) will serve all static webpages, as well as possibly serve all static content of dynamic websites. All requests to dynamic content will be redirected to B). The idea is that A) doesn't load any modules to server dynamic content at all. B) will serve all the dynamic scripts of a vhost. This will mean that for vhosts (static ones) as well as static content (all none dynamic scripts) we can benefit from the fast prefork model, while we can use itk's security model for all the dynamic scripts. There are two new additional run_modes: - proxy-itk: this just passes all requests to apache instance B). This one is similar to plain itk based mode and should be used for vhosts that shouldn't (yet) changed to the mixed mode. - static-itk: this passes only requests to dynamic scripts to B) while all static content is served by A). Beware that the user with which A) is running should be member of the run group of B) and all static files need to readable by the group. This reduces the security model you have with plain itk, as the prefork apache user will be able to read php (config-) files of any vhost that runs in static-itk mode. If you want to keep the level of security for a certain vhost, you need to run the specific vhost in proxy-itk mode. Note 1: you cannot run vhosts in itk mode and others in proxy or static itk mode. There is a duplicate file resource definition that blocks that possibility. Note 2: This mode works currently only on CentOS based systems, as no work have been done so far to implement an init.d script that's able to run 2 apache instances. --- manifests/vhost/php/wordpress.pp | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) (limited to 'manifests/vhost/php/wordpress.pp') diff --git a/manifests/vhost/php/wordpress.pp b/manifests/vhost/php/wordpress.pp index 63e7267..461a2d7 100644 --- a/manifests/vhost/php/wordpress.pp +++ b/manifests/vhost/php/wordpress.pp @@ -1,9 +1,24 @@ -# run_mode: -# - normal: nothing special (*default*) -# - itk: apache is running with the itk module -# and run_uid and run_gid are used as vhost users +# run_mode: controls in which mode the vhost should be run, there are different setups +# possible: +# - normal: (*default*) run vhost with the current active worker (default: prefork) don't +# setup anything special +# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination +# with 'proxy-itk' & 'static-itk' mode) +# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the +# requests for the itk setup, that listens only on the loobpack device. +# (Incompatibility: cannot be used in combination with the itk setup.) +# - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static +# content and proxies the dynamic calls to the itk setup, that listens only on +# the loobpack device (Incompatibility: cannot be used in combination with +# 'itk' mode) +# # run_uid: the uid the vhost should run as with the itk module # run_gid: the gid the vhost should run as with the itk module +# +# mod_security: Whether we use mod_security or not (will include mod_security module) +# - false: don't activate mod_security +# - true: (*default*) activate mod_security +# # php_safe_mode_exec_bins: An array of local binaries which should be linked in the # safe_mode_exec_bin for this hosting # *default*: None -- cgit v1.2.3 From cbbffa1d3de5a19a72dd7bb88fb1bcb14e5384e1 Mon Sep 17 00:00:00 2001 From: mh Date: Tue, 17 May 2011 22:52:47 +0200 Subject: improve mod_security rules * handled now by a partial * possibility to add rules that should be removed * possibility to add custom mod_sec options" * use new infrastructure for existing mod_sec tweaks --- manifests/vhost/php/wordpress.pp | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'manifests/vhost/php/wordpress.pp') diff --git a/manifests/vhost/php/wordpress.pp b/manifests/vhost/php/wordpress.pp index 461a2d7..b8ea359 100644 --- a/manifests/vhost/php/wordpress.pp +++ b/manifests/vhost/php/wordpress.pp @@ -56,6 +56,8 @@ define apache::vhost::php::wordpress( $default_charset = 'absent', $mod_security = true, $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', $ssl_mode = false, $vhost_mode = 'template', $vhost_source = 'absent', @@ -74,9 +76,11 @@ define apache::vhost::php::wordpress( }, default => "${path}/www" } + $modsec_rules = ["960010", "950018"] + $real_mod_security_rules_to_disable = array_union($mod_security_rules_to_disable,$modsec_rules) # create vhost configuration file - ::apache::vhost::php::webapp{$name: + apache::vhost::php::webapp{$name: ensure => $ensure, domain => $domain, domainalias => $domainalias, @@ -103,6 +107,8 @@ define apache::vhost::php::wordpress( default_charset => $default_charset, mod_security => $mod_security, mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $real_mod_security_rules_to_disable, + mod_security_additional_options => $mod_security_additional_options, ssl_mode => $ssl_mode, vhost_mode => $vhost_mode, vhost_source => $vhost_source, -- cgit v1.2.3 From 2fa748dcc92e34b13bd4b6f7e452ef89b29490c4 Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 8 Oct 2011 19:22:40 +0200 Subject: introduce a new template style, less duplicated things, more handy options --- manifests/vhost/php/wordpress.pp | 20 ++++++-------------- 1 file changed, 6 insertions(+), 14 deletions(-) (limited to 'manifests/vhost/php/wordpress.pp') diff --git a/manifests/vhost/php/wordpress.pp b/manifests/vhost/php/wordpress.pp index b8ea359..2fcff4a 100644 --- a/manifests/vhost/php/wordpress.pp +++ b/manifests/vhost/php/wordpress.pp @@ -19,12 +19,6 @@ # - false: don't activate mod_security # - true: (*default*) activate mod_security # -# php_safe_mode_exec_bins: An array of local binaries which should be linked in the -# safe_mode_exec_bin for this hosting -# *default*: None -# php_default_charset: default charset header for php. -# *default*: absent, which will set the same as default_charset -# of apache # logmode: # - default: Do normal logging to CustomLog and ErrorLog # - nologs: Send every logging to /dev/null @@ -46,10 +40,8 @@ define apache::vhost::php::wordpress( $run_uid = 'absent', $run_gid = 'absent', $allow_override = 'FileInfo', - $php_upload_tmp_dir = 'absent', - $php_session_save_path = 'absent', - $php_safe_mode_exec_bins = 'absent', - $php_default_charset = 'absent', + $php_settings = {}, + $php_options = {}, $do_includes = false, $options = 'absent', $additional_options = 'absent', @@ -60,6 +52,7 @@ define apache::vhost::php::wordpress( $mod_security_additional_options = 'absent', $ssl_mode = false, $vhost_mode = 'template', + $template_partial = 'apache/vhosts/php/partial.erb', $vhost_source = 'absent', $vhost_destination = 'absent', $htpasswd_file = 'absent', @@ -97,10 +90,8 @@ define apache::vhost::php::wordpress( run_uid => $run_uid, run_gid => $run_gid, allow_override => $allow_override, - php_upload_tmp_dir => $php_upload_tmp_dir, - php_session_save_path => $php_session_save_path, - php_safe_mode_exec_bins => $php_safe_mode_exec_bins, - php_default_charset => $php_default_charset, + php_settings => $php_settings, + php_options => $php_options, do_includes => $do_includes, options => $options, additional_options => $additional_options, @@ -111,6 +102,7 @@ define apache::vhost::php::wordpress( mod_security_additional_options => $mod_security_additional_options, ssl_mode => $ssl_mode, vhost_mode => $vhost_mode, + template_partial => $template_partial, vhost_source => $vhost_source, vhost_destination => $vhost_destination, htpasswd_file => $htpasswd_file, -- cgit v1.2.3 From baf631043b368ec802c700d939eee42358e831e8 Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 8 Oct 2011 20:25:32 +0200 Subject: remove old template mode option --- manifests/vhost/php/wordpress.pp | 1 - 1 file changed, 1 deletion(-) (limited to 'manifests/vhost/php/wordpress.pp') diff --git a/manifests/vhost/php/wordpress.pp b/manifests/vhost/php/wordpress.pp index 2fcff4a..fef0807 100644 --- a/manifests/vhost/php/wordpress.pp +++ b/manifests/vhost/php/wordpress.pp @@ -80,7 +80,6 @@ define apache::vhost::php::wordpress( server_admin => $server_admin, logmode => $logmode, path => $path, - template_mode => 'php_wordpress', owner => $owner, group => $group, documentroot_owner => $documentroot_owner, -- cgit v1.2.3 From 076909377eaa3aa41936e3acb7e02a9b5b14d493 Mon Sep 17 00:00:00 2001 From: mh Date: Thu, 31 May 2012 11:38:45 +0200 Subject: fix various puppet language things --- manifests/vhost/php/wordpress.pp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'manifests/vhost/php/wordpress.pp') diff --git a/manifests/vhost/php/wordpress.pp b/manifests/vhost/php/wordpress.pp index fef0807..b3f98c1 100644 --- a/manifests/vhost/php/wordpress.pp +++ b/manifests/vhost/php/wordpress.pp @@ -63,7 +63,7 @@ define apache::vhost::php::wordpress( ){ $documentroot = $path ? { - 'absent' => $operatingsystem ? { + 'absent' => $::operatingsystem ? { openbsd => "/var/www/htdocs/${name}/www", default => "/var/www/vhosts/${name}/www" }, @@ -98,7 +98,7 @@ define apache::vhost::php::wordpress( mod_security => $mod_security, mod_security_relevantonly => $mod_security_relevantonly, mod_security_rules_to_disable => $real_mod_security_rules_to_disable, - mod_security_additional_options => $mod_security_additional_options, + mod_security_additional_options => $mod_security_additional_options, ssl_mode => $ssl_mode, vhost_mode => $vhost_mode, template_partial => $template_partial, @@ -107,7 +107,7 @@ define apache::vhost::php::wordpress( htpasswd_file => $htpasswd_file, htpasswd_path => $htpasswd_path, manage_directories => $manage_directories, - managed_directories => "$documentroot/wp-content", + managed_directories => "${documentroot}/wp-content", manage_config => $manage_config, config_webwriteable => $config_webwriteable, config_file => 'wp-config.php', -- cgit v1.2.3 From fe4113a36c48128474a2d7c3784c50d5af3e3931 Mon Sep 17 00:00:00 2001 From: o Date: Fri, 28 Dec 2012 13:42:31 +0100 Subject: add a workaround for http://git.zx2c4.com/w3-total-fail/tree/w3-total-fail.sh to all wordpress vhosts mend --- manifests/vhost/php/wordpress.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'manifests/vhost/php/wordpress.pp') diff --git a/manifests/vhost/php/wordpress.pp b/manifests/vhost/php/wordpress.pp index b3f98c1..7a41ad7 100644 --- a/manifests/vhost/php/wordpress.pp +++ b/manifests/vhost/php/wordpress.pp @@ -52,7 +52,7 @@ define apache::vhost::php::wordpress( $mod_security_additional_options = 'absent', $ssl_mode = false, $vhost_mode = 'template', - $template_partial = 'apache/vhosts/php/partial.erb', + $template_partial = 'apache/vhosts/php_wordpress/partial.erb', $vhost_source = 'absent', $vhost_destination = 'absent', $htpasswd_file = 'absent', -- cgit v1.2.3