1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
|
puppet module for managing an Apache web server
===============================================
This module tries to manage apache on different distros in a similar manner. a
few additional directories have to be created as well some configuration files
have to be deployed to fit this schema.
! Upgrade Notices !
* this module now only works with puppet 2.7 or newer
* this module now uses parameterized classes, if you were using global
variables before, you need to change the class declarations in your manifests
* this module now requires the stdlib module
* this module no longer requires the common module
* if using the munin module, you need a version of the munin module that is
at or newer than commit 77e0a70999a8c4c20ee8d9eb521b927c525ac653 (Feb 28, 2013)
* if using munin, you will need to have the perl module installed
* you must change your modules/site-apache to modules/site_apache
* the $apache_no_default_site variable is no longer supported, you should
switch to passing the parameter "no_default_site => true" to the apache class
* the $use_munin variable is no longer supported, you should switch to
passing the parameter 'manage_munin' to the apache class
* the $use_shorewall variable is no longer supported, you should switch to
passing the parameter 'manage_shorewall' to the apache class
* if you were using apache::vhost::file, or apache::vhost::template, there is a
wrapper called apache::vhost now that takes a $vhost_mode (either the default
'template', or 'file), although you can continue to use the longer defines
* Previously, apache::config::file resources would require the source to be a
full source specification, this is no longer needed, so please change any:
source => "puppet:///modules/site-apache/blah"
to be:
source => "modules/site-apache/blah"
Requirements:
* puppet 2.7 or newer
* stdlib
Usage
=====
Installing Apache
-----------------
To install Apache, simply include the 'apache' class in your manifests:
include apache
This will give you a basic managed setup. You can pass a couple parameters to the
class to have the module do some things for you:
* manage_shorewall: If you have the shorewall module installed and are using
it then rules will be automatically defined for you to let traffic come from
the exterior into the web server via port 80, and also 443 if you're using
the apache::ssl class. (Default: false)
* manage_munin: If you have the munin module installed and are using it, then
some apache graphs will be configured for you. (Default: false)
* no_default_site: If you do not want the 0-default.conf and
0-default_ssl.conf virtualhosts automatically created in your node
configuration. (Default: false)
For example:
class { 'apache':
manage_shorewall => true,
manage_munin => true,
no_default_site => true
}
If you want to install Apache and also enable SSL support:
include apache::ssl
You can install the ITK worker model to enforce stronger, per-user security:
include apache::itk
On CentOS you can include 'apache::itk_plus' to get that mode. Not currently
implemented for other operating systems
You can combine SSL support and the ITK worker model by including both classes.
Configuring Apache
------------------
To deploy a configuration files to the conf.d or include.d directory under
Apache's config directory, you can use the following:
apache::config::file { 'filename':
content => 'Alias /thisApplication /usr/share/thisApplication/htdocs',
}
by default this will deploy a conf.d global configuration file called 'filename'
with that content.
You can pass the parameter 'type => include' to add includes for vhosts
To manage users in an htpasswd file:
apache::htpasswd_user { "joe@$domain":
ensure => present, # default: present
site => "$domain", # default: 'absent' - will use $name
username => 'joe', # default: 'absent' - will use $name
password => "pass",
password_iscrypted => false, # default: false - will sha1 hash the value
path => 'absent' # default: 'absent' - /var/www/htpasswds/${site}
}
This will place an encrypted version of "pass" for user joe into
/var/www/htpasswds/${site}
You will need to make sure that ${site} exists before this is done, see the
apache::vhost class below for how this is done.
VirtualHost files
-----------------
vhosts can be added with the apache::vhost define.
You can ship a flat file containing the configuration, or a template. That is
controlled by the 'vhost_mode' parameter, which can be either 'file', or
'template' (default).
Unless specified, the source will be automatically pulled from
modules/site_apache/{templates,files}/vhosts.d, searched in this order:
"puppet:///modules/site_apache/vhosts.d/${::fqdn}/${name}.conf",
"puppet:///modules/site_apache/vhosts.d/{$apache::cluster_node}/${name}.conf",
"puppet:///modules/site_apache/vhosts.d/${::operatingsystem}.${::lsbdistcodename}/${name}.conf",
"puppet:///modules/site_apache/vhosts.d/${::operatingsystem}/${name}.conf",
"puppet:///modules/site_apache/vhosts.d/${name}.conf",
otherwise you can pass a 'content' parameter to configure a template location that
it should be pulled from, or a 'vhost_source' parameter to specify the file source.
For example:
This would deploy a the vhost for $domain, pulled from a file from the sources
listed above:
apache::vhost { "$domain": vhost_mode => 'file' }
apache::vhost { "$domain":
vhost_mode => 'file',
vhost_source => 'modules/site_configs/vhosts.d/${name}.conf"
}
There are multiple other additional configurables that you can pass to each
vhost definition:
* logmode:
- default: Do normal logging to CustomLog and ErrorLog
- nologs: Send every logging to /dev/null
- anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null
- semianonym: Don't log ips for CustomLog, log normal ErrorLog
* run_mode: controls in which mode the vhost should be run, there are different setups
possible:
- normal: (*default*) run vhost with the current active worker (default: prefork) don't
setup anything special
- itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination
with 'proxy-itk' & 'static-itk' mode)
- proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the
requests for the itk setup, that listens only on the loobpack device.
(Incompatibility: cannot be used in combination with the itk setup.)
- static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static
content and proxies the dynamic calls to the itk setup, that listens only on
the loobpack device (Incompatibility: cannot be used in combination with
'itk' mode)
* mod_security: Whether we use mod_security or not (will include mod_security module)
- false: (*default*) don't activate mod_security
- true: activate mod_security
For templates, you can pass various parameters that will automatically configure
the template accordingly (such as php_options and php_settings). Please see
manifests/vhost/template.pp for the full list.
There are various pre-made vhost configurations that use good defaults that you can use:
apache::vhost::gitweb - sets up a gitweb vhost
apache::vhost::modperl - uses modperl, with optional fastcgi
apache::vhost::passenger - setup passenger
apache::vhost::proxy - setup a proxy vhost
apache::vhost::redirect - vhost to redirect hosts
apache::vhost::static - a static vhost
apache::vhost::webdav - for managing webdave accessible targets
Additionally, for php sites, there are several handy pre-made vhost configurations:
apache::vhost::php::drupal
apache::vhost::php::gallery2
apache::vhost::php::global_exec_bin_dir
apache::vhost::php::joomla
apache::vhost::php::mediawiki
apache::vhost::php::safe_mode_bin
apache::vhost::php::silverstripe
apache::vhost::php::simplemachine
apache::vhost::php::spip
apache::vhost::php::standard
apache::vhost::php::typo3
apache::vhost::php::webapp
apache::vhost::php::wordpress
|