diff --git a/.travis.yml b/.travis.yml index 742380f6b4..16d694bb6e 100644 --- a/.travis.yml +++ b/.travis.yml @@ -16,8 +16,5 @@ matrix: env: PUPPET_GEM_VERSION="~> 3.0" FUTURE_PARSER="yes" - rvm: 2.1.6 env: PUPPET_GEM_VERSION="~> 4.0" STRICT_VARIABLES="yes" - allow_failures: - - rvm: 2.1.6 - env: PUPPET_GEM_VERSION="~> 4.0" STRICT_VARIABLES="yes" notifications: email: false diff --git a/CHANGELOG.md b/CHANGELOG.md index 7a722a8a9c..985194bf54 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,9 +1,23 @@ -##2015-06-11 - Supported Release 1.5.0 +## 2015-07-28 - Supported Release 1.6.0 +### Summary +This release includes a couple of new features, along with test and documentation updates, and support for the latest AIO puppet builds. + +#### Features +- Add `scan_proxy_header_field` parameter to `apache::mod::geoip` +- Add `ssl_openssl_conf_cmd` parameter to `apache::vhost` and `apache::mod::ssl` +- Add `filters` parameter to `apache::vhost` + +#### Bugfixes +- Test updates +- Do not use systemd on Amazon Linux +- Add missing docs for `timeout` parameter (MODULES-2148) + +## 2015-06-11 - Supported Release 1.5.0 ### Summary This release primarily adds Suse compatibility. It also adds a handful of other parameters for greater configuration control. -### Features +#### Features - Add `apache::lib_path` parameter - Add `apache::service_restart` parameter - Add `apache::vhost::geoip_enable` parameter @@ -17,7 +31,7 @@ parameters for greater configuration control. - Add `apache::mod::ssl::ssl_honorcipherorder` parameter - Add `apache::mod::userdir::options` parameter -### Bugfixes +#### Bugfixes - Document `apache::user` parameter - Document `apache::group` parameter - Fix apache::dev on FreeBSD 
@@ -30,16 +44,16 @@ parameters for greater configuration control. - Fix userdir access permissions - Fix issue where the module was trying to use systemd on Amazon Linux. -##2015-04-28 - Supported Release 1.4.1 +## 2015-04-28 - Supported Release 1.4.1 This release corrects a metadata issue that has been present since release 1.2.0. The refactoring of `apache::vhost` to use `puppetlabs-concat` requires a version of concat newer than the version required in PE. If you are using PE 3.3.0 or earlier you will need to use version 1.1.1 or earlier of the `puppetlabs-apache` module. -##2015-03-17 - Supported Release 1.4.0 +## 2015-03-17 - Supported Release 1.4.0 ###Summary This release fixes the issue where the docroot was still managed even if the default vhosts were disabled and has many other features and bugfixes including improved support for 'deny' and 'require' as arrays in the 'directories' parameter under `apache::vhost` -####Features +#### Features - New parameters to `apache` - `default_charset` - `default_type` @@ -67,7 +81,7 @@ This release fixes the issue where the docroot was still managed even if the def - Added proper array support for `require` in the `directories` parameter in `apache::vhost` - Added support for `setenv` inside proxy locations -###Bugfixes +### Bugfixes - Fix issue in `apache::vhost` that was preventing the scriptalias fragment from being included (MODULES-1784) - Install required `mod_ldap` package for EL7 (MODULES-1779) - Change default value of `maxrequestworkers` in `apache::mod::event` to be a multiple of the default `ThreadsPerChild` of 25. 
@@ -77,12 +91,12 @@ This release fixes the issue where the docroot was still managed even if the def - Change the loadfile name for `mod_passenger` so `mod_proxy` will load by default before `mod_passenger` - Remove old Debian work-around that removed `passenger_extra.conf` -##2015-02-17 - Supported Release 1.3.0 -###Summary +## 2015-02-17 - Supported Release 1.3.0 +### Summary This release has many new features and bugfixes, including the ability to optionally not trigger service restarts on config changes. -####Features +#### Features - New parameters - `apache` - `service_manage` - `use_optional_includes` @@ -117,7 +131,7 @@ This release has many new features and bugfixes, including the ability to option - Add passenger support for Debian Jessie - Add support for not having puppet restart the apache service (MODULES-1559) -####Bugfixes +#### Bugfixes - For apache 2.4 `mod_itk` requires `mod_prefork` (MODULES-825) - Allow SSLCACertificatePath to be unset in `apache::vhost` (MODULES-1457) - Load fcgid after unixd on RHEL7 @@ -136,12 +150,12 @@ This release has many new features and bugfixes, including the ability to option - Fix indentation in `vhost/_directories.erb` template (MODULES-1688) - Create symlinks on all distros if `vhost_enable_dir` is specified -##2014-09-30 - Supported Release 1.2.0 -###Summary +## 2014-09-30 - Supported Release 1.2.0 +### Summary This release features many improvements and bugfixes, including several new defines, a reworking of apache::vhost for more extensibility, and many new parameters for more customization. This release also includes improved support for strict variables and the future parser. -####Features +#### Features - Convert apache::vhost to use concat for easier extensions - Test improvements - Synchronize files with modulesync 
@@ -204,7 +218,7 @@ This release features many improvements and bugfixes, including several new defi - Add apache_version parameter to apache::mod::userdir - Add apache::mod::version class -####Bugfixes +#### Bugfixes - Set osfamily defaults for wsgi_socket_prefix - Support multiple balancermembers with the same url - Validate apache::vhost::custom_fragment @@ -235,25 +249,25 @@ This release features many improvements and bugfixes, including several new defi - Fix RedirectMatch rules - Fix misleading error message in apache::version -####Known Bugs +#### Known Bugs * By default, the version of Apache that ships with Ubuntu 10.04 does not work with `wsgi_import_script`. * SLES is unsupported. -##2014-07-15 - Supported Release 1.1.1 -###Summary +## 2014-07-15 - Supported Release 1.1.1 +### Summary This release merely updates metadata.json so the module can be uninstalled and upgraded via the puppet module command. ## 2014-04-14 Supported Release 1.1.0 -###Summary +### Summary This release primarily focuses on extending the httpd 2.4 support, tested through adding RHEL7 and Ubuntu 14.04 support. It also includes Passenger 4 support, as well as several new modules and important bugfixes. -####Features +#### Features - Add support for RHEL7 and Ubuntu 14.04 - More complete apache24 support @@ -268,7 +282,7 @@ through adding RHEL7 and Ubuntu 14.04 support. It also includes Passenger - Add support for custom extensions for mod_php - Improve proxy_html support for Debian -####Bugfixes +#### Bugfixes - Remove NameVirtualHost directive for apache >= 2.4 - Order proxy_set option so it doesn't change between runs 
@@ -276,42 +290,42 @@ through adding RHEL7 and Ubuntu 14.04 support. It also includes Passenger - Fix missing ensure on concat::fragment resources - Fix bad dependencies in apache::mod and apache::mod::mime -####Known Bugs +#### Known Bugs * By default, the version of Apache that ships with Ubuntu 10.04 does not work with `wsgi_import_script`. * SLES is unsupported. ## 2014-03-04 Supported Release 1.0.1 -###Summary +### Summary This is a supported release. This release removes a testing symlink that can cause trouble on systems where /var is on a seperate filesystem from the modulepath. -####Features -####Bugfixes -####Known Bugs +#### Features +#### Bugfixes +#### Known Bugs * By default, the version of Apache that ships with Ubuntu 10.04 does not work with `wsgi_import_script`. * SLES is unsupported. ## 2014-03-04 Supported Release 1.0.0 -###Summary +### Summary This is a supported release. This release introduces Apache 2.4 support for Debian and RHEL based osfamilies. -####Features +#### Features - Add apache24 support - Add rewrite_base functionality to rewrites - Updated README documentation - Add WSGIApplicationGroup and WSGIImportScript directives -####Bugfixes +#### Bugfixes - Replace mutating hashes with merge() for Puppet 3.5 - Fix WSGI import_script and mod_ssl issues on Lucid -####Known Bugs +#### Known Bugs * By default, the version of Apache that ships with Ubuntu 10.04 does not work with `wsgi_import_script`. * SLES is unsupported. @@ -493,7 +507,7 @@ worker/prefork - Fix formatting in vhost template - Fix spec tests such that they pass -##2012-05-08 Puppet Labs - 0.0.4 +## 2012-05-08 Puppet Labs - 0.0.4 * e62e362 Fix broken tests for ssl, vhost, vhost::* * 42c6363 Changes to match style guide and pass puppet-lint without error * 42bc8ba changed name => path for file resources in order to name namevar by it's name diff --git a/Gemfile b/Gemfile index 2b1b7cd8d9..bfe64b186a 100644 --- a/Gemfile +++ b/Gemfile 
@@ -28,6 +28,7 @@ group :system_tests do gem 'beaker-rspec', :require => false end gem 'serverspec', :require => false + gem 'beaker-puppet_install_helper', :require => false end diff --git a/README.md b/README.md index 087bbc8694..44c87997ef 100644 --- a/README.md +++ b/README.md @@ -210,6 +210,21 @@ Starting in Apache 2.2.16, HTTPD supports [FallbackResource](https://httpd.apach } ``` +To set up a virtual host with filter rules + +```puppet + apache::vhost { 'subdomain.loc': + port => '80', + filters => [ + 'FilterDeclare COMPRESS', + 'FilterProvider COMPRESS DEFLATE resp=Content-Type $text/html', + 'FilterChain COMPRESS', + 'FilterProtocol COMPRESS DEFLATE change=yes;byteranges=no', + ], + docroot => '/var/www/html', + } +``` + Please note that the 'disabled' argument to FallbackResource is only supported since Apache 2.2.24. See a list of all [virtual host parameters](#defined-type-apachevhost). See an extensive list of [virtual host examples](#virtual-host-examples). @@ -475,6 +490,9 @@ Determines whether the HTTPD service state is managed by Puppet . Defaults to 't Determines whether the HTTPD service restart command should be anything other than the default managed by Puppet. Defaults to undef. +#####`timeout` + +Sets the amount of seconds the server will wait for certain events before failing a request. Defaults to 120. #####`trace_enable` 
@@ -666,14 +684,44 @@ These are the default settings: ```puppet class {'apache::mod::geoip': - $enable => false, - $db_file => '/usr/share/GeoIP/GeoIP.dat', - $flag => 'Standard', - $output => 'All', + enable => false, + db_file => '/usr/share/GeoIP/GeoIP.dat', + flag => 'Standard', + output => 'All', } ``` -The parameter `db_file` can be a single directory or a hash of directories. +#####`enable` + +Boolean. Enable or Disable mod_geoip globally. Defaults to false. + +#####`db_file` + +The full path to your GeoIP database file. Defaults to `/usr/share/GeoIP/GeoIP.dat`. This parameter optionally takes an array of paths for multiple GeoIP database files. + +#####`flag` + +GeoIP Flag. Defaults to 'Standard'. + +#####`output` + +Defines which output variables to use. Defaults to 'All'. + +#####`enable_utf8` + +Boolean. Changes the output from ISO-8859-1 (Latin-1) to UTF-8. + +#####`scan_proxy_headers` + +Boolean. Enables the GeoIPScanProxyHeaders option. More information can be found [here](http://dev.maxmind.com/geoip/legacy/mod_geoip2/#Proxy-Related_Directives). + +#####`scan_proxy_header_field` + +Specifies which header that mod_geoip should look at to determine the client's IP address. + +#####`use_last_xforwarededfor_ip` + +Boolean. If a comma-separated list of IP addresses is found, use the last IP address for the client's IP. ####Class: `apache::mod::info` @@ -823,6 +871,7 @@ Installs Apache SSL capabilities and uses the ssl.conf.erb template. These are t ssl_compression => false, ssl_cryptodevice => 'builtin', ssl_options => [ 'StdEnvVars' ], + ssl_openssl_conf_cmd => undef, ssl_cipher => 'HIGH:MEDIUM:!aNULL:!MD5', ssl_honorcipherorder => 'On', ssl_protocol => [ 'all', '-SSLv2', '-SSLv3' ], 
@@ -1237,6 +1286,21 @@ Specifies if the vhost file is present or absent. Defaults to 'present'. Sets the [FallbackResource](http://httpd.apache.org/docs/current/mod/mod_dir.html#fallbackresource) directive, which specifies an action to take for any URL that doesn't map to anything in your filesystem and would otherwise return 'HTTP 404 (Not Found)'. Valid values must either begin with a / or be 'disabled'. Defaults to 'undef'. +#####`filters` + +[Filters](http://httpd.apache.org/docs/2.2/mod/mod_filter.html) enable smart, context-sensitive configuration of output content filters. + +```puppet + apache::vhost { "$::fqdn": + filters => [ + 'FilterDeclare COMPRESS', + 'FilterProvider COMPRESS DEFLATE resp=Content-Type $text/html', + 'FilterChain COMPRESS', + 'FilterProtocol COMPRESS DEFLATE change=yes;byteranges=no', + ], + } +``` + #####`headers` Adds lines to replace, merge, or remove response headers. See [Header](http://httpd.apache.org/docs/current/mod/mod_headers.html#header) for more information. Can be an array. Defaults to 'undef'. @@ -1497,7 +1561,6 @@ Modifies collected [request headers](http://httpd.apache.org/docs/current/mod/mo ], } ``` - #####`rewrites` Creates URL rewrite rules. Expects an array of hashes, and the hash keys can be any of 'comment', 'rewrite_base', 'rewrite_cond', 'rewrite_rule' or 'rewrite_map'. Defaults to 'undef'. @@ -2251,6 +2314,10 @@ An array: } ``` +#####`ssl_openssl_conf_cmd` + +Sets the [SSLOpenSSLConfCmd](http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslopensslconfcmd) directive, which provides direct configuration of OpenSSL parameters. Defaults to 'undef'. + #####`ssl_proxyengine` Specifies whether or not to use [SSLProxyEngine](http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxyengine). Valid values are 'true' and 'false'. Defaults to 'false'. diff --git a/manifests/mod/geoip.pp b/manifests/mod/geoip.pp index 4e87cb96a6..1f8fb08eeb 100644 --- a/manifests/mod/geoip.pp +++ b/manifests/mod/geoip.pp 
@@ -5,6 +5,7 @@ $output = 'All', $enable_utf8 = undef, $scan_proxy_headers = undef, + $scan_proxy_header_field = undef, $use_last_xforwarededfor_ip = undef, ) { ::apache::mod { 'geoip': } @@ -16,6 +17,7 @@ # - output # - enable_utf8 # - scan_proxy_headers + # - scan_proxy_header_field # - use_last_xforwarededfor_ip file { 'geoip.conf': ensure => file, diff --git a/manifests/mod/ssl.pp b/manifests/mod/ssl.pp index 4a6b823347..9e68d21b70 100644 --- a/manifests/mod/ssl.pp +++ b/manifests/mod/ssl.pp @@ -2,6 +2,7 @@ $ssl_compression = false, $ssl_cryptodevice = 'builtin', $ssl_options = [ 'StdEnvVars' ], + $ssl_openssl_conf_cmd = undef, $ssl_cipher = 'HIGH:MEDIUM:!aNULL:!MD5', $ssl_honorcipherorder = 'On', $ssl_protocol = [ 'all', '-SSLv2', '-SSLv3' ], @@ -57,6 +58,7 @@ # $ssl_cipher # $ssl_honorcipherorder # $ssl_options + # $ssl_openssl_conf_cmd # $session_cache # $ssl_mutex # $ssl_random_seed_bytes diff --git a/manifests/vhost.pp b/manifests/vhost.pp index 17f61e3132..920359fed0 100644 --- a/manifests/vhost.pp +++ b/manifests/vhost.pp @@ -26,6 +26,7 @@ $ssl_verify_client = undef, $ssl_verify_depth = undef, $ssl_options = undef, + $ssl_openssl_conf_cmd = undef, $ssl_proxyengine = false, $priority = undef, $default_vhost = false, @@ -81,6 +82,7 @@ $rack_base_uris = undef, $headers = undef, $request_headers = undef, + $filters = undef, $rewrites = undef, $rewrite_base = undef, $rewrite_rule = undef, @@ -397,6 +399,13 @@ } } + # Check if mod_filter is required to process $filters + if $filters { + if ! defined(Class['apache::mod::filter']) { + include ::apache::mod::filter + } + } + if ($setenv and ! empty($setenv)) or ($setenvif and ! empty($setenvif)) { if ! defined(Class['apache::mod::setenvif']) { include ::apache::mod::setenvif 
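Review bot: In manifests/vhost.pp the new `if $filters {` guard (hunk at new line 399) is looser than the `if $filters and ! empty($filters)` guard that emits the `${name}-filters` fragment in the later hunk, so an empty array would still include `apache::mod::filter` with nothing to configure; using the same condition in both places keeps them in step. Nothing visible in these hunks validates `$filters`, and templates/vhost/_filters.erb writes each element verbatim into the vhost file, so the parameter carries the same trust as `custom_fragment`: any directive can be passed through it, or several if an element contains a newline. If validation is not done elsewhere in the define (its body continues outside the hunk), consider `validate_array($filters)` under the guard and a README sentence stating that entries are emitted unescaped.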
@@ -627,7 +636,7 @@ # - $proxy_pass_match # - $proxy_preserve_host # - $no_proxy_uris - if $proxy_dest or $proxy_pass or $proxy_pass_match { + if $proxy_dest or $proxy_pass or $proxy_pass_match or $proxy_dest_match { concat::fragment { "${name}-proxy": target => "${priority_real}${filename}.conf", order => 140, @@ -729,6 +738,7 @@ # - $ssl_verify_client # - $ssl_verify_depth # - $ssl_options + # - $ssl_openssl_conf_cmd # - $apache_version if $ssl { concat::fragment { "${name}-ssl": @@ -880,6 +890,16 @@ } } + # Template uses: + # - $filters + if $filters and ! empty($filters) { + concat::fragment { "${name}-filters": + target => "${priority_real}${filename}.conf", + order => 330, + content => template('apache/vhost/_filters.erb'), + } + } + # Template uses no variables concat::fragment { "${name}-file_footer": target => "${priority_real}${filename}.conf", diff --git a/metadata.json b/metadata.json index 71bad1d354..a0e3fc2fac 100644 --- a/metadata.json +++ b/metadata.json @@ -1,12 +1,16 @@ { "name": "puppetlabs-apache", - "version": "1.5.0", + "version": "1.6.0", "author": "puppetlabs", "summary": "Installs, configures, and manages Apache virtual hosts, web services, and modules.", "license": "Apache-2.0", "source": "git://github.com/puppetlabs/puppetlabs-apache.git", "project_page": "https://github.com/puppetlabs/puppetlabs-apache", "issues_url": "https://tickets.puppetlabs.com/browse/MODULES", + "dependencies": [ + {"name":"puppetlabs/stdlib","version_requirement":">= 2.4.0 < 5.0.0"}, + {"name":"puppetlabs/concat","version_requirement":">= 1.1.1 < 2.0.0"} + ], "operatingsystem_support": [ { "operatingsystem": "RedHat", 
@@ -64,16 +68,12 @@ "requirements": [ { "name": "pe", - "version_requirement": ">= 3.7.0 < 4.0.0" + "version_requirement": ">= 3.7.0 < 2015.3.0" }, { "name": "puppet", - "version_requirement": "3.x" + "version_requirement": ">= 3.0.0 < 5.0.0" } ], - "description": "Module for Apache configuration", - "dependencies": [ - {"name":"puppetlabs/stdlib","version_requirement":">= 2.4.0 < 5.0.0"}, - {"name":"puppetlabs/concat","version_requirement":">= 1.1.1 < 2.0.0"} - ] + "description": "Module for Apache configuration" } diff --git a/spec/acceptance/mod_security_spec.rb b/spec/acceptance/mod_security_spec.rb index 60295787e0..67ad7d5b84 100644 --- a/spec/acceptance/mod_security_spec.rb +++ b/spec/acceptance/mod_security_spec.rb @@ -1,6 +1,6 @@ require 'spec_helper_acceptance' -describe 'apache::mod::security class', :unless => (UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) or (fact('osfamily') == 'Debian' and (fact('lsbdistcodename') == 'squeeze' or fact('lsbdistcodename') == 'lucid' or fact('lsbdistcodename') == 'precise'))) do +describe 'apache::mod::security class', :unless => (UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) or (fact('osfamily') == 'Debian' and (fact('lsbdistcodename') == 'squeeze' or fact('lsbdistcodename') == 'lucid' or fact('lsbdistcodename') == 'precise' or fact('lsbdistcodename') == 'wheezy'))) do case fact('osfamily') when 'Debian' mod_dir = '/etc/apache2/mods-available' @@ -18,6 +18,18 @@ pp = "class { 'epel': }" apply_manifest(pp, :catch_failures => true) end + elsif fact('osfamily') == 'RedHat' and fact('operatingsystemmajrelease') == '7' + it 'changes obsoletes, per PUP-4497' do + pp = <<-EOS + ini_setting { 'obsoletes': + path => '/etc/yum.conf', + section => 'main', + setting => 'obsoletes', + value => '0', + } + EOS + apply_manifest(pp, :catch_failures => true) + end end it 'succeeds in puppeting mod_security' do 
@@ -35,6 +47,11 @@ class { 'apache::mod::security': } } EOS apply_manifest(pp, :catch_failures => true) + + #Need to add a short sleep here because on RHEL6 the service takes a bit longer to init + if fact('osfamily') == 'RedHat' and fact('operatingsystemmajrelease') =~ /(5|6)/ + sleep 5 + end end describe service(service_name) do @@ -50,15 +67,17 @@ class { 'apache::mod::security': } it { is_expected.to contain "mod_security2.c" } end - it 'should return index page' do - shell('/usr/bin/curl -A beaker modsec.example.com:80') do |r| - expect(r.stdout).to match(/Index page/) - expect(r.exit_code).to eq(0) + describe 'should be listening on port 80' do + it 'should return index page' do + shell('/usr/bin/curl -A beaker modsec.example.com:80') do |r| + expect(r.stdout).to match(/Index page/) + expect(r.exit_code).to eq(0) + end end - end - it 'should block query with SQL' do - shell '/usr/bin/curl -A beaker -f modsec.example.com:80?SELECT%20*FROM%20mysql.users', :acceptable_exit_codes => [22] + it 'should block query with SQL' do + shell '/usr/bin/curl -A beaker -f modsec.example.com:80?SELECT%20*FROM%20mysql.users', :acceptable_exit_codes => [22] + end end end #default mod_security config diff --git a/spec/classes/mod/ssl_spec.rb b/spec/classes/mod/ssl_spec.rb index 50aa8292fe..1e8b94edca 100644 --- a/spec/classes/mod/ssl_spec.rb +++ b/spec/classes/mod/ssl_spec.rb @@ -136,5 +136,14 @@ end it { is_expected.to contain_file('ssl.conf').with_content(%r{^ SSLRandomSeed startup file:/dev/urandom 1024$})} end + + context 'setting ssl_openssl_conf_cmd' do + let :params do + { + :ssl_openssl_conf_cmd => 'DHParameters "foo.pem"', + } + end + it { is_expected.to contain_file('ssl.conf').with_content(/^\s+SSLOpenSSLConfCmd DHParameters "foo.pem"$/)} + end end end diff --git a/spec/defines/vhost_spec.rb b/spec/defines/vhost_spec.rb index 47c1b1f455..b17faa36ea 100644 --- a/spec/defines/vhost_spec.rb +++ b/spec/defines/vhost_spec.rb 
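Review bot: The wait added in spec/acceptance/mod_security_spec.rb (hunk at new line 47) is gated by an unanchored match, `=~ /(5|6)/`, which is true for any release string containing a 5 or a 6 rather than only for major releases 5 and 6; `=~ /\A[56]\z/` says what is meant. The comment names only RHEL6 while the condition also covers 5, so `# RHEL 5/6: httpd needs a few seconds to start listening after the manifest applies` would match the code. A fixed `sleep 5` also leaves the service and port checks that follow timing-dependent; polling until the port answers would be sturdier.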
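Review bot: The re-indented 'should block query with SQL' example (hunk at new line 67) only accepts curl exit code 22, which `-f` returns for any HTTP status of 400 or above, so a 404 or a 500 from a misconfigured vhost passes just as well as a mod_security denial. Asserting the status itself would tie the test to the rule engine, for example `shell("/usr/bin/curl -A beaker -s -o /dev/null -w '%{http_code}' 'modsec.example.com:80?SELECT%20*FROM%20mysql.users'")` followed by `expect(r.stdout).to eq('403')`, assuming 403 is the status the installed rule set returns. The new wrapper is titled 'should be listening on port 80' but holds no listening check; a title such as 'requests to the vhost' would describe its contents.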
@@ -153,6 +153,7 @@ 'ssl_verify_client' => 'optional', 'ssl_verify_depth' => '3', 'ssl_options' => '+ExportCertData', + 'ssl_openssl_conf_cmd' => 'DHParameters "foo.pem"', 'ssl_proxyengine' => true, 'priority' => '30', 'default_vhost' => true, @@ -254,6 +255,15 @@ 'rewrite_rule' => ['^index\.html$ welcome.html'] } ], + 'filters' => [ + 'FilterDeclare COMPRESS', + 'FilterProvider COMPRESS DEFLATE resp=Content-Type $text/html', + 'FilterProvider COMPRESS DEFLATE resp=Content-Type $text/css', + 'FilterProvider COMPRESS DEFLATE resp=Content-Type $text/plain', + 'FilterProvider COMPRESS DEFLATE resp=Content-Type $text/xml', + 'FilterChain COMPRESS', + 'FilterProtocol COMPRESS DEFLATE change=yes;byteranges=no', + ], 'rewrite_base' => '/', 'rewrite_rule' => '^index\.html$ welcome.html', 'rewrite_cond' => '%{HTTP_USER_AGENT} ^MSIE', @@ -341,6 +351,7 @@ it { is_expected.to contain_class('apache::mod::passenger') } it { is_expected.to contain_class('apache::mod::fastcgi') } it { is_expected.to contain_class('apache::mod::headers') } + it { is_expected.to contain_class('apache::mod::filter') } it { is_expected.to contain_class('apache::mod::setenvif') } it { is_expected.to contain_concat('30-rspec.example.com.conf').with({ 'owner' => 'root', 
@@ -398,9 +409,13 @@ it { is_expected.to contain_concat__fragment('rspec.example.com-serveralias') } it { is_expected.to contain_concat__fragment('rspec.example.com-setenv') } it { is_expected.to contain_concat__fragment('rspec.example.com-ssl') } + it { is_expected.to contain_concat__fragment('rspec.example.com-ssl').with( + :content => /^\s+SSLOpenSSLConfCmd\s+DHParameters "foo.pem"$/ ) } it { is_expected.to contain_concat__fragment('rspec.example.com-suphp') } it { is_expected.to contain_concat__fragment('rspec.example.com-php_admin') } it { is_expected.to contain_concat__fragment('rspec.example.com-header') } + it { is_expected.to contain_concat__fragment('rspec.example.com-filters').with( + :content => /^\s+FilterDeclare COMPRESS$/ ) } it { is_expected.to contain_concat__fragment('rspec.example.com-requestheader') } it { is_expected.to contain_concat__fragment('rspec.example.com-wsgi') } it { is_expected.to contain_concat__fragment('rspec.example.com-custom_fragment') } @@ -411,6 +426,30 @@ it { is_expected.to contain_concat__fragment('rspec.example.com-charsets') } it { is_expected.to contain_concat__fragment('rspec.example.com-file_footer') } end + context 'proxy_pass_match' do + let :params do + { + 'docroot' => '/rspec/docroot', + 'proxy_pass_match' => [ + { + 'path' => '.*', + 'url' => 'http://backend-a/', + } + ], + } + end + it { is_expected.to contain_concat__fragment('rspec.example.com-proxy').with_content( + /ProxyPassMatch .* http:\/\/backend-a\//).with_content(/## Proxy rules/) } + end + context 'proxy_dest_match' do + let :params do + { + 'docroot' => '/rspec/docroot', + 'proxy_dest_match' => '/' + } + end + it { is_expected.to contain_concat__fragment('rspec.example.com-proxy').with_content(/## Proxy rules/) } + end context 'not everything can be set together...' do let :params do { diff --git a/spec/spec_helper_acceptance.rb b/spec/spec_helper_acceptance.rb index 599cc5663e..d767b1e60a 100644 --- a/spec/spec_helper_acceptance.rb 
+++ b/spec/spec_helper_acceptance.rb @@ -1,22 +1,8 @@ require 'beaker-rspec/spec_helper' require 'beaker-rspec/helpers/serverspec' +require 'beaker/puppet_install_helper' - -unless ENV['RS_PROVISION'] == 'no' - # This will install the latest available package on el and deb based - # systems fail on windows and osx, and install via gem on other *nixes - foss_opts = { :default_action => 'gem_install' } - - if default.is_pe?; then install_pe; else install_puppet( foss_opts ); end - - hosts.each do |host| - if host['platform'] =~ /debian/ - on host, 'echo \'export PATH=/var/lib/gems/1.8/bin/:${PATH}\' >> ~/.bashrc' - end - - on host, "mkdir -p #{host['distmoduledir']}" - end -end +run_puppet_install_helper UNSUPPORTED_PLATFORMS = ['Suse','windows','AIX','Solaris'] @@ -29,12 +15,22 @@ # Configure all nodes in nodeset c.before :suite do + # net-tools required for netstat utility being used by be_listening + if fact('osfamily') == 'RedHat' && fact('operatingsystemmajrelease') == '7' + pp = <<-EOS + package { 'net-tools': ensure => installed } + EOS + + apply_manifest_on(agents, pp, :catch_failures => false) + end + # Install module and dependencies hosts.each do |host| copy_module_to(host, :source => proj_root, :module_name => 'apache') # Required for mod_passenger tests. if fact('osfamily') == 'RedHat' on host, puppet('module','install','stahnma/epel'), { :acceptable_exit_codes => [0,1] } + on host, puppet('module','install','puppetlabs/inifile'), { :acceptable_exit_codes => [0,1] } end # Required for manifest to make mod_pagespeed repository available if fact('osfamily') == 'Debian' diff --git a/templates/mod/geoip.conf.erb b/templates/mod/geoip.conf.erb index 84b5dfe92c..00e61d98b4 100644 --- a/templates/mod/geoip.conf.erb +++ b/templates/mod/geoip.conf.erb 
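Review bot: The added `puppet('module','install','puppetlabs/inifile')` in spec/spec_helper_acceptance.rb (hunk at new line 15) installs whatever version the Forge serves at run time, and the accepted exit code 1, presumably tolerated for the already-installed case, also covers a failed download, which then only surfaces later when the `ini_setting` resource in mod_security_spec.rb fails. Pinning the module with `'--version', '<PINNED_VERSION>'` (placeholder) as extra arguments would make the test environment reproducible; the existing `stahnma/epel` line above it has the same shape. The net-tools manifest is applied with `:catch_failures => false`, which likewise hides a failed package install that the `be_listening` checks depend on. Both `fact('osfamily')` tests query the default host rather than the `host` being iterated, which matters only for mixed-platform nodesets.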
@@ -16,6 +16,9 @@ GeoIPEnableUTF8 <%= scope.function_bool2httpd([@enable_utf8]) %> <% if ! @scan_proxy_headers.nil? -%> GeoIPScanProxyHeaders <%= scope.function_bool2httpd([@scan_proxy_headers]) %> <% end -%> +<% if ! @scan_proxy_header_field.nil? -%> +GeoIPScanProxyHeaderField <%= @scan_proxy_header_field %> +<% end -%> <% if ! @use_last_xforwarededfor_ip.nil? -%> GeoIPUseLastXForwardedForIP <%= scope.function_bool2httpd([@use_last_xforwarededfor_ip]) %> <% end -%> diff --git a/templates/mod/ssl.conf.erb b/templates/mod/ssl.conf.erb index 933aa1fcc8..96b80b0036 100644 --- a/templates/mod/ssl.conf.erb +++ b/templates/mod/ssl.conf.erb @@ -25,4 +25,7 @@ <% if @ssl_options -%> SSLOptions <%= @ssl_options.compact.join(' ') %> <% end -%> +<%- if @ssl_openssl_conf_cmd -%> + SSLOpenSSLConfCmd <%= @ssl_openssl_conf_cmd %> +<%- end -%> diff --git a/templates/vhost/_filters.erb b/templates/vhost/_filters.erb new file mode 100644 index 0000000000..b862597349 --- /dev/null +++ b/templates/vhost/_filters.erb @@ -0,0 +1,10 @@ +<% if @filters and ! @filters.empty? -%> + + ## Filter module rules + ## as per http://httpd.apache.org/docs/2.2/mod/mod_filter.html + <%- Array(@filters).each do |filter| -%> + <%- if filter != '' -%> + <%= filter %> + <%- end -%> + <%- end -%> +<% end -%> diff --git a/templates/vhost/_proxy.erb b/templates/vhost/_proxy.erb index f290fcb764..157e2ef402 100644 --- a/templates/vhost/_proxy.erb +++ b/templates/vhost/_proxy.erb @@ -1,4 +1,4 @@ -<% if @proxy_dest or @proxy_pass -%> +<% if @proxy_dest or @proxy_pass or @proxy_pass_match or @proxy_dest_match -%> ## Proxy rules ProxyRequests Off diff --git a/templates/vhost/_ssl.erb b/templates/vhost/_ssl.erb index 516992558f..c2d9413509 100644 --- a/templates/vhost/_ssl.erb +++ b/templates/vhost/_ssl.erb @@ -43,4 +43,7 @@ <%- if @ssl_options -%> SSLOptions <%= Array(@ssl_options).join(' ') %> <%- end -%> + <%- if @ssl_openssl_conf_cmd -%> + SSLOpenSSLConfCmd <%= @ssl_openssl_conf_cmd %> + <%- end -%> <% end -%> 
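Review bot: `GeoIPScanProxyHeaderField <%= @scan_proxy_header_field %>` in templates/mod/geoip.conf.erb writes the parameter into geoip.conf unchecked, and the matching hunk in manifests/mod/geoip.pp adds it with no validation visible (the class body continues outside that hunk). A header name is a narrow grammar, so the class can reject anything else before it reaches the file, e.g. `if $scan_proxy_header_field { validate_re($scan_proxy_header_field, '^[A-Za-z0-9-]+$') }`. The README entry would also benefit from one sentence saying that the named header is client-supplied unless a trusted front-end proxy overwrites it, so GeoIP data derived from it should not drive access decisions on servers that clients can reach directly.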
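Review bot: The new `SSLOpenSSLConfCmd <%= @ssl_openssl_conf_cmd %>` block in templates/mod/ssl.conf.erb, and the identical one in templates/vhost/_ssl.erb, is emitted whenever the parameter is set, but the directive exists only in httpd 2.4.8 and later built against OpenSSL 1.0.2 or later, so on older platforms setting it produces a configuration that fails to load. The vhost.pp hunk lists `$apache_version` among the SSL template variables, so the vhost block could be gated on it, along the lines of `<%- if @ssl_openssl_conf_cmd and scope.function_versioncmp([@apache_version, '2.4']) >= 0 -%>`, or the manifest could fail early with a clear message. The value is one string written verbatim, which allows a single command per scope although the directive may be repeated, and lets an embedded newline add further directives; accepting an array, validating each element as a string and emitting one directive per element would cover both. The README entries should state the version requirement.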
diff --git a/tests/vhost_filter.pp b/tests/vhost_filter.pp
new file mode 100644
index 0000000000..ab339737f9
--- /dev/null
+++ b/tests/vhost_filter.pp
@@ -0,0 +1,17 @@
+# Base class. Declares default vhost on port 80 with filters.
+class { 'apache': }
+
+# Example from README adapted.
+apache::vhost { 'readme.example.net':
+ docroot => '/var/www/html',
+ filters => [
+ 'FilterDeclare COMPRESS',
+ 'FilterProvider COMPRESS DEFLATE resp=Content-Type $text/html',
+ 'FilterProvider COMPRESS DEFLATE resp=Content-Type $text/css',
+ 'FilterProvider COMPRESS DEFLATE resp=Content-Type $text/plain',
+ 'FilterProvider COMPRESS DEFLATE resp=Content-Type $text/xml',
+ 'FilterChain COMPRESS',
+ 'FilterProtocol COMPRESS DEFLATE change=yes;byteranges=no',
+ ],
+}
+
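Review bot: The `FilterProvider COMPRESS DEFLATE resp=Content-Type $text/html` lines in tests/vhost_filter.pp use the httpd 2.2 match syntax; in 2.4 `FilterProvider` takes an expression as its third argument, e.g. `FilterProvider COMPRESS DEFLATE "%{CONTENT_TYPE} =~ m|^text/html|"`, and the 2.2 form is rejected when the configuration is loaded. Since the module also targets 2.4 platforms, this example and the README and spec copies of it should say which version they are written for, or show both forms. The header comment reads as if the default vhost carries the filters; `# Base class. Declares the default vhost on port 80.` with a separate comment on the filtered vhost would be accurate.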