From f0810d29170403e13d3403028b8dcd6f426a4640 Mon Sep 17 00:00:00 2001 From: Olivier Hanesse Date: Mon, 29 Jun 2015 11:28:47 +0200 Subject: [PATCH 01/71] Fix: missing package for mod_geoip on Debian systems --- manifests/params.pp | 1 + 1 file changed, 1 insertion(+) diff --git a/manifests/params.pp b/manifests/params.pp index b5d1421362..a4ad8293c7 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -181,6 +181,7 @@ 'dav_svn' => 'libapache2-svn', 'fastcgi' => 'libapache2-mod-fastcgi', 'fcgid' => 'libapache2-mod-fcgid', + 'geoip' => 'libapache2-mod-geoip', 'nss' => 'libapache2-mod-nss', 'pagespeed' => 'mod-pagespeed-stable', 'passenger' => 'libapache2-mod-passenger', From 15d513467f5a2111d0ec8a2bdb1351ef59822c52 Mon Sep 17 00:00:00 2001 From: dconry Date: Wed, 15 Jul 2015 14:14:04 -0400 Subject: [PATCH 02/71] Fix _proxy.erb to put multiple SetEnv Fix _proxy.erb to put multiple SetEnv directives on separate lines for ProxyMatch blocks. This was already fixed for plain ProxyPass blocks. --- templates/vhost/_proxy.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/vhost/_proxy.erb b/templates/vhost/_proxy.erb index 157e2ef402..29d35cae98 100644 --- a/templates/vhost/_proxy.erb +++ b/templates/vhost/_proxy.erb @@ -50,7 +50,7 @@ <%- end -%> <%- if proxy['setenv'] -%> <%- Array(proxy['setenv']).each do |setenv_var| -%> - SetEnv <%= setenv_var -%> + SetEnv <%= setenv_var %> <%- end -%> <%- end -%> From f3e861efcb19346c98e12a55dba759556375a6d5 Mon Sep 17 00:00:00 2001 From: Sander Hoentjen Date: Wed, 22 Jul 2015 12:40:35 +0200 Subject: [PATCH 03/71] add possibility to set icons_path to false so no alias will be set for it --- manifests/mod/alias.pp | 31 ++++++++++++------------------- manifests/params.pp | 8 ++++++++ 2 files changed, 20 insertions(+), 19 deletions(-) diff --git a/manifests/mod/alias.pp b/manifests/mod/alias.pp index 2f078f6456..5b59baa01d 100644 --- a/manifests/mod/alias.pp +++ b/manifests/mod/alias.pp 
@@ -1,27 +1,20 @@ class apache::mod::alias( $apache_version = $apache::apache_version, $icons_options = 'Indexes MultiViews', -) { - $ver24 = versioncmp($apache_version, '2.4') >= 0 + # set icons_path to false to disable the alias + $icons_path = $::apache::params::alias_icons_path, - $icons_path = $::osfamily ? { - 'debian' => '/usr/share/apache2/icons', - 'Suse' => '/usr/share/apache2/icons', - 'redhat' => $ver24 ? { - true => '/usr/share/httpd/icons', - default => '/var/www/icons', - }, - 'freebsd' => '/usr/local/www/apache24/icons', - 'gentoo' => '/usr/share/apache2/icons', - } +) { apache::mod { 'alias': } # Template uses $icons_path - file { 'alias.conf': - ensure => file, - path => "${::apache::mod_dir}/alias.conf", - content => template('apache/mod/alias.conf.erb'), - require => Exec["mkdir ${::apache::mod_dir}"], - before => File[$::apache::mod_dir], - notify => Class['apache::service'], + if $icons_path { + file { 'alias.conf': + ensure => file, + path => "${::apache::mod_dir}/alias.conf", + content => template('apache/mod/alias.conf.erb'), + require => Exec["mkdir ${::apache::mod_dir}"], + before => File[$::apache::mod_dir], + notify => Class['apache::service'], + } } } diff --git a/manifests/params.pp b/manifests/params.pp index b5d1421362..22e47f6386 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -113,6 +113,10 @@ $mime_support_package = 'mailcap' $mime_types_config = '/etc/mime.types' $docroot = '/var/www/html' + $alias_icons_path = $::apache::version::distrelease ? { + '7' => '/usr/share/httpd/icons', + default => '/var/www/icons', + } $error_documents_path = $::apache::version::distrelease ? { '7' => '/usr/share/httpd/error', default => '/var/www/error' 
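Review bot: The added `if $icons_path {` guard in `apache::mod::alias` tests only truthiness, so any non-empty string, including the string `'false'`, still declares `alias.conf` and hands that value to the template as the icons directory. A type check as the first statement inside the guard, `validate_absolute_path($icons_path)`, would reject such values at compile time. The inline comment `# set icons_path to false to disable the alias` would also be clearer if it said that the whole `alias.conf` file is left unmanaged in that case, not just one `Alias` line. The same hunk is repeated in PATCH 10/71.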
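Review bot: The default added at `$alias_icons_path = $::apache::version::distrelease ? {` selects `/usr/share/httpd/icons` only when the release is exactly `'7'`, while the selector this patch removes from alias.pp chose that path for any `$apache_version` of 2.4 or later. Nodes that reach this branch with 2.4 on another release, or that pass their own `apache_version`, would presumably now fall through to `/var/www/icons`, so the alias could point at a directory that does not exist. If that narrowing is intended, a comment above the selector such as `# keyed on distrelease, not apache_version: only release 7 is mapped to the httpd 2.4 layout` would record it. The enclosing OS-family branch starts and ends outside the hunk, and the hunk recurs in PATCH 10/71.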
@@ -233,6 +237,7 @@ 'base_rules/modsecurity_crs_59_outbound_blocking.conf', 'base_rules/modsecurity_crs_60_correlation.conf' ] + $alias_icons_path = '/usr/share/apache2/icons' $error_documents_path = '/usr/share/apache2/error' if ($::operatingsystem == 'Ubuntu' and versioncmp($::operatingsystemrelease, '13.10') >= 0) or ($::operatingsystem == 'Debian' and versioncmp($::operatingsystemrelease, '8') >= 0) { $dev_packages = ['libaprutil1-dev', 'libapr1-dev', 'apache2-dev'] @@ -355,6 +360,7 @@ $mime_types_config = '/usr/local/etc/mime.types' $wsgi_socket_prefix = undef $docroot = '/usr/local/www/apache24/data' + $alias_icons_path = '/usr/local/www/apache24/icons' $error_documents_path = '/usr/local/www/apache24/error' } elsif $::osfamily == 'Gentoo' { $user = 'apache' @@ -416,6 +422,7 @@ $mime_types_config = '/etc/mime.types' $wsgi_socket_prefix = undef $docroot = '/var/www/localhost/htdocs' + $alias_icons_path = '/usr/share/apache2/icons' $error_documents_path = '/usr/share/apache2/error' } elsif $::osfamily == 'Suse' { $user = 'wwwrun' @@ -462,6 +469,7 @@ $mime_types_config = '/etc/mime.types' $docroot = '/srv/www' $cas_cookie_path = '/var/cache/apache2/mod_auth_cas/' + $alias_icons_path = '/usr/share/apache2/icons' $error_documents_path = '/usr/share/apache2/error' $dev_packages = ['libapr-util1-devel', 'libapr1-devel'] From 8b00664a26728ca3556b532caa1ececa95962ed2 Mon Sep 17 00:00:00 2001 From: Ricardo Melo Date: Fri, 24 Jul 2015 13:01:32 -0400 Subject: [PATCH 04/71] Adding use_optional_includes parameter to vhost define. --- manifests/vhost.pp | 1 + spec/defines/vhost_spec.rb | 1 + 2 files changed, 2 insertions(+) diff --git a/manifests/vhost.pp b/manifests/vhost.pp index 920359fed0..b48906095f 100644 --- a/manifests/vhost.pp +++ b/manifests/vhost.pp 
@@ -107,6 +107,7 @@ $fastcgi_socket = undef, $fastcgi_dir = undef, $additional_includes = [], + $use_optional_includes = $::apache::use_optional_includes, $apache_version = $::apache::apache_version, $allow_encoded_slashes = undef, $suexec_user_group = undef, diff --git a/spec/defines/vhost_spec.rb b/spec/defines/vhost_spec.rb index b17faa36ea..dac685eb95 100644 --- a/spec/defines/vhost_spec.rb +++ b/spec/defines/vhost_spec.rb @@ -299,6 +299,7 @@ 'fastcgi_dir' => '/tmp', 'additional_includes' => '/custom/path/includes', 'apache_version' => '2.4', + 'use_optional_includes' => true, 'suexec_user_group' => 'root root', 'allow_encoded_slashes' => 'nodecode', 'passenger_app_root' => '/usr/share/myapp', From b1a3cc18f3d07ec239b5183384c12798f83b852f Mon Sep 17 00:00:00 2001 From: Phil Fenstermacher Date: Mon, 6 Jul 2015 16:55:53 -0400 Subject: [PATCH 05/71] Include full path for UserDir directive --- templates/mod/userdir.conf.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/mod/userdir.conf.erb b/templates/mod/userdir.conf.erb index 9032a3acc7..83263c3d02 100644 --- a/templates/mod/userdir.conf.erb +++ b/templates/mod/userdir.conf.erb @@ -2,7 +2,7 @@ <% if @disable_root -%> UserDir disabled root <% end -%> - UserDir <%= @dir %> + UserDir <%= @home %>/*/<%= @dir %> /*/<%= @dir %>"> AllowOverride FileInfo AuthConfig Limit Indexes From 8b2e700360f2a36ce19f9b1cc56640d3014ede25 Mon Sep 17 00:00:00 2001 From: Mason Malone Date: Wed, 29 Jul 2015 09:55:50 -0400 Subject: [PATCH 06/71] Fix apache::mod::cgid so it can be used with the event MPM Before this, attempting to include apache::mod::cgid when using the event MPM raised the following error: Could not find resource 'Class[Apache::Mod::Worker]' for relationship on 'Class[Apache::Mod::Cgid]' --- manifests/mod/cgid.pp | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/manifests/mod/cgid.pp b/manifests/mod/cgid.pp index 8946f652b9..6db6b287d1 100644 --- a/manifests/mod/cgid.pp 
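Review bot: The rewritten `UserDir <%= @home %>/*/<%= @dir %>` line in templates/mod/userdir.conf.erb changes how a `~user` request is resolved. A bare directory name is looked up under each account's own home directory, whereas an absolute pattern substitutes the requested name into a fixed path under `@home`. Accounts whose home lives elsewhere stop being served, and what is reachable is now decided by what exists under `@home`, which deserves a sentence in the README entry for `apache::mod::userdir`. Both values are also written unquoted, so a path containing whitespace would be split into several arguments; `UserDir "<%= @home %>/*/<%= @dir %>"` avoids that. The template continues outside the hunk.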
+++ b/manifests/mod/cgid.pp @@ -2,7 +2,12 @@ case $::osfamily { 'FreeBSD': {} default: { - Class['::apache::mod::worker'] -> Class['::apache::mod::cgid'] + if defined(Class['::apache::mod::worker']) { + Class['::apache::mod::worker'] -> Class['::apache::mod::cgid'] + } + elsif defined(Class['::apache::mod::event']) { + Class['::apache::mod::event'] -> Class['::apache::mod::cgid'] + } } } From 4646f7be28f38f8f361a9f64408de26585ca4d41 Mon Sep 17 00:00:00 2001 From: Katharina Drexel Date: Thu, 30 Jul 2015 12:55:59 +0200 Subject: [PATCH 07/71] we also want to have groups with '-' like vhost-users --- manifests/vhost.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/vhost.pp b/manifests/vhost.pp index 920359fed0..9018a29a1b 100644 --- a/manifests/vhost.pp +++ b/manifests/vhost.pp @@ -149,7 +149,7 @@ # Input validation begins if $suexec_user_group { - validate_re($suexec_user_group, '^\w+ \w+$', + validate_re($suexec_user_group, '^[\w-]+ [\w-]+$', "${suexec_user_group} is not supported for suexec_user_group. Must be 'user group'.") } From 9f0c303e79a88eaae59a332fa62159082b93f9b3 Mon Sep 17 00:00:00 2001 From: Soren Morton Date: Fri, 8 May 2015 20:13:29 +0000 Subject: [PATCH 08/71] Adding ability to enable/disable the secruleengine through a parameter --- README.md | 4 ++++ manifests/mod/security.pp | 1 + manifests/params.pp | 2 ++ templates/mod/security.conf.erb | 2 +- 4 files changed, 8 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 44c87997ef..58da99da09 100644 --- a/README.md +++ b/README.md @@ -1079,6 +1079,10 @@ Name of package to install containing crs rules Directory to install the modsec configuration and activated rules links into +#####`modsec_secruleengine` + +Configures the rules engine. Valid vaules are On, Off, and DetectionOnly + #####`activated_rules` Array of rules from the modsec_crs_path to activate by symlinking to 
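Review bot: Both new branches in manifests/mod/cgid.pp hinge on `defined(Class[...])`, whose answer depends on evaluation order, so if `apache::mod::cgid` is evaluated before the MPM class is declared neither branch matches and no ordering is set, without any message. Selecting on the configured MPM is order-independent, for example `if $::apache::mpm_module in ['worker', 'event'] { Class["::apache::mod::${::apache::mpm_module}"] -> Class['::apache::mod::cgid'] }`, assuming `$::apache::mpm_module` is set on nodes that use this class (confirm for callers that declare the MPM class by hand). There is also no final `else`, so any other MPM passes silently; a short comment there saying that is intended would help the next reader. The enclosing class starts and ends outside the hunk.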
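Review bot: The widened pattern `'^[\w-]+ [\w-]+$'` in manifests/vhost.pp keeps `^` and `$`, which in the Ruby regular expressions that `validate_re` compiles match at line boundaries rather than at the ends of the string. A multi-line value with one line of the form `user group` therefore passes validation and is presumably rendered as-is into the vhost's suexec directive. Anchoring on the whole string closes that gap: `validate_re($suexec_user_group, '\A[\w-]+ [\w-]+\z',`. The same line is changed again in PATCH 11/71, and the enclosing define is not visible in the hunk.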
diff --git a/manifests/mod/security.pp b/manifests/mod/security.pp index 84e55e2921..050b1bd6fa 100644 --- a/manifests/mod/security.pp +++ b/manifests/mod/security.pp @@ -2,6 +2,7 @@ $crs_package = $::apache::params::modsec_crs_package, $activated_rules = $::apache::params::modsec_default_rules, $modsec_dir = $::apache::params::modsec_dir, + $modsec_secruleengine = $::apache::params::modsec_secruleengine, $allowed_methods = 'GET HEAD POST OPTIONS', $content_types = 'application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf', $restricted_extensions = '.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/', diff --git a/manifests/params.pp b/manifests/params.pp index b5d1421362..084987a66d 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -126,6 +126,7 @@ $modsec_crs_package = 'mod_security_crs' $modsec_crs_path = '/usr/lib/modsecurity.d' $modsec_dir = '/etc/httpd/modsecurity.d' + $modsec_secruleengine = 'On' $modsec_default_rules = [ 'base_rules/modsecurity_35_bad_robots.data', 'base_rules/modsecurity_35_scanners.data', @@ -210,6 +211,7 @@ $modsec_crs_package = 'modsecurity-crs' $modsec_crs_path = '/usr/share/modsecurity-crs' $modsec_dir = '/etc/modsecurity' + $modsec_secruleengine = 'On' $modsec_default_rules = [ 'base_rules/modsecurity_35_bad_robots.data', 'base_rules/modsecurity_35_scanners.data', diff --git a/templates/mod/security.conf.erb b/templates/mod/security.conf.erb index 7597c461f6..ac28402c64 100644 --- a/templates/mod/security.conf.erb +++ b/templates/mod/security.conf.erb 
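Review bot: The new `$modsec_secruleengine` parameter in manifests/mod/security.pp is accepted without validation and written straight into `SecRuleEngine` by this patch's template hunk, so a misspelt value either breaks the generated Apache configuration or leaves the rule engine in a mode the operator did not intend. The README hunk names exactly three valid values, so the class body can enforce them: `validate_re($modsec_secruleengine, '\A(On|Off|DetectionOnly)\z', 'modsec_secruleengine must be On, Off or DetectionOnly')`. The default is added to only two branches of params.pp here; whether the remaining OS-family branches define it cannot be seen from these hunks. The class body lies outside the hunk, and the same change is repeated in PATCH 12/71.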
@@ -9,7 +9,7 @@ <%- end -%> # Default recommended configuration - SecRuleEngine On + SecRuleEngine <%= @modsec_secruleengine %> SecRequestBodyAccess On SecRule REQUEST_HEADERS:Content-Type "text/xml" \ "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML" From 9b7bde91968dea386b59be53f8f6b6d2e66779dd Mon Sep 17 00:00:00 2001 From: Brendan Murtagh Date: Wed, 29 Jul 2015 16:13:49 -0400 Subject: [PATCH 09/71] Added documentation for ForceType directive (MODULES-2152) Merge clean up. Sorry, no a git pro --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index 44c87997ef..e1726c5688 100644 --- a/README.md +++ b/README.md @@ -1301,6 +1301,10 @@ Sets the [FallbackResource](http://httpd.apache.org/docs/current/mod/mod_dir.htm } ``` +#####`force_type` + +Sets the [ForceType](http://httpd.apache.org/docs/2.2/mod/core.html#forcetype) directive, to force all matching files to be served with the specified MIME content-type. + #####`headers` Adds lines to replace, merge, or remove response headers. See [Header](http://httpd.apache.org/docs/current/mod/mod_headers.html#header) for more information. Can be an array. Defaults to 'undef'. From f87394e74838ea9e9d9e07dc22da25898e928766 Mon Sep 17 00:00:00 2001 From: Sander Hoentjen Date: Wed, 22 Jul 2015 12:40:35 +0200 Subject: [PATCH 10/71] add possibility to set icons_path to false so no alias will be set for it --- manifests/mod/alias.pp | 31 ++++++++++++------------------- manifests/params.pp | 8 ++++++++ 2 files changed, 20 insertions(+), 19 deletions(-) diff --git a/manifests/mod/alias.pp b/manifests/mod/alias.pp index 2f078f6456..5b59baa01d 100644 --- a/manifests/mod/alias.pp +++ b/manifests/mod/alias.pp 
@@ -1,27 +1,20 @@ class apache::mod::alias( $apache_version = $apache::apache_version, $icons_options = 'Indexes MultiViews', -) { - $ver24 = versioncmp($apache_version, '2.4') >= 0 + # set icons_path to false to disable the alias + $icons_path = $::apache::params::alias_icons_path, - $icons_path = $::osfamily ? { - 'debian' => '/usr/share/apache2/icons', - 'Suse' => '/usr/share/apache2/icons', - 'redhat' => $ver24 ? { - true => '/usr/share/httpd/icons', - default => '/var/www/icons', - }, - 'freebsd' => '/usr/local/www/apache24/icons', - 'gentoo' => '/usr/share/apache2/icons', - } +) { apache::mod { 'alias': } # Template uses $icons_path - file { 'alias.conf': - ensure => file, - path => "${::apache::mod_dir}/alias.conf", - content => template('apache/mod/alias.conf.erb'), - require => Exec["mkdir ${::apache::mod_dir}"], - before => File[$::apache::mod_dir], - notify => Class['apache::service'], + if $icons_path { + file { 'alias.conf': + ensure => file, + path => "${::apache::mod_dir}/alias.conf", + content => template('apache/mod/alias.conf.erb'), + require => Exec["mkdir ${::apache::mod_dir}"], + before => File[$::apache::mod_dir], + notify => Class['apache::service'], + } } } diff --git a/manifests/params.pp b/manifests/params.pp index b5d1421362..22e47f6386 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -113,6 +113,10 @@ $mime_support_package = 'mailcap' $mime_types_config = '/etc/mime.types' $docroot = '/var/www/html' + $alias_icons_path = $::apache::version::distrelease ? { + '7' => '/usr/share/httpd/icons', + default => '/var/www/icons', + } $error_documents_path = $::apache::version::distrelease ? { '7' => '/usr/share/httpd/error', default => '/var/www/error' 
@@ -233,6 +237,7 @@ 'base_rules/modsecurity_crs_59_outbound_blocking.conf', 'base_rules/modsecurity_crs_60_correlation.conf' ] + $alias_icons_path = '/usr/share/apache2/icons' $error_documents_path = '/usr/share/apache2/error' if ($::operatingsystem == 'Ubuntu' and versioncmp($::operatingsystemrelease, '13.10') >= 0) or ($::operatingsystem == 'Debian' and versioncmp($::operatingsystemrelease, '8') >= 0) { $dev_packages = ['libaprutil1-dev', 'libapr1-dev', 'apache2-dev'] @@ -355,6 +360,7 @@ $mime_types_config = '/usr/local/etc/mime.types' $wsgi_socket_prefix = undef $docroot = '/usr/local/www/apache24/data' + $alias_icons_path = '/usr/local/www/apache24/icons' $error_documents_path = '/usr/local/www/apache24/error' } elsif $::osfamily == 'Gentoo' { $user = 'apache' @@ -416,6 +422,7 @@ $mime_types_config = '/etc/mime.types' $wsgi_socket_prefix = undef $docroot = '/var/www/localhost/htdocs' + $alias_icons_path = '/usr/share/apache2/icons' $error_documents_path = '/usr/share/apache2/error' } elsif $::osfamily == 'Suse' { $user = 'wwwrun' @@ -462,6 +469,7 @@ $mime_types_config = '/etc/mime.types' $docroot = '/srv/www' $cas_cookie_path = '/var/cache/apache2/mod_auth_cas/' + $alias_icons_path = '/usr/share/apache2/icons' $error_documents_path = '/usr/share/apache2/error' $dev_packages = ['libapr-util1-devel', 'libapr1-devel'] From 90c4befeea0cadba006adf93fe5d93908159160d Mon Sep 17 00:00:00 2001 From: Katharina Drexel Date: Thu, 30 Jul 2015 12:55:59 +0200 Subject: [PATCH 11/71] we also want to have groups with '-' like vhost-users --- manifests/vhost.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/vhost.pp b/manifests/vhost.pp index 920359fed0..9018a29a1b 100644 --- a/manifests/vhost.pp +++ b/manifests/vhost.pp 
@@ -149,7 +149,7 @@ # Input validation begins if $suexec_user_group { - validate_re($suexec_user_group, '^\w+ \w+$', + validate_re($suexec_user_group, '^[\w-]+ [\w-]+$', "${suexec_user_group} is not supported for suexec_user_group. Must be 'user group'.") } From 4daaa34da62eb0d4a42c2649f8dbcb3574daf974 Mon Sep 17 00:00:00 2001 From: Soren Morton Date: Fri, 8 May 2015 20:13:29 +0000 Subject: [PATCH 12/71] Adding ability to enable/disable the secruleengine through a parameter --- README.md | 4 ++++ manifests/mod/security.pp | 1 + manifests/params.pp | 2 ++ templates/mod/security.conf.erb | 2 +- 4 files changed, 8 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 44c87997ef..58da99da09 100644 --- a/README.md +++ b/README.md @@ -1079,6 +1079,10 @@ Name of package to install containing crs rules Directory to install the modsec configuration and activated rules links into +#####`modsec_secruleengine` + +Configures the rules engine. Valid vaules are On, Off, and DetectionOnly + #####`activated_rules` Array of rules from the modsec_crs_path to activate by symlinking to diff --git a/manifests/mod/security.pp b/manifests/mod/security.pp index 84e55e2921..050b1bd6fa 100644 --- a/manifests/mod/security.pp +++ b/manifests/mod/security.pp 
@@ -2,6 +2,7 @@ $crs_package = $::apache::params::modsec_crs_package, $activated_rules = $::apache::params::modsec_default_rules, $modsec_dir = $::apache::params::modsec_dir, + $modsec_secruleengine = $::apache::params::modsec_secruleengine, $allowed_methods = 'GET HEAD POST OPTIONS', $content_types = 'application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf', $restricted_extensions = '.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/', diff --git a/manifests/params.pp b/manifests/params.pp index 22e47f6386..7d88d10053 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -130,6 +130,7 @@ $modsec_crs_package = 'mod_security_crs' $modsec_crs_path = '/usr/lib/modsecurity.d' $modsec_dir = '/etc/httpd/modsecurity.d' + $modsec_secruleengine = 'On' $modsec_default_rules = [ 'base_rules/modsecurity_35_bad_robots.data', 'base_rules/modsecurity_35_scanners.data', @@ -214,6 +215,7 @@ $modsec_crs_package = 'modsecurity-crs' $modsec_crs_path = '/usr/share/modsecurity-crs' $modsec_dir = '/etc/modsecurity' + $modsec_secruleengine = 'On' $modsec_default_rules = [ 'base_rules/modsecurity_35_bad_robots.data', 'base_rules/modsecurity_35_scanners.data', diff --git a/templates/mod/security.conf.erb b/templates/mod/security.conf.erb index 7597c461f6..ac28402c64 100644 --- a/templates/mod/security.conf.erb +++ b/templates/mod/security.conf.erb @@ -9,7 +9,7 @@ <%- end -%> # Default recommended configuration - SecRuleEngine On + SecRuleEngine <%= @modsec_secruleengine %> SecRequestBodyAccess On SecRule REQUEST_HEADERS:Content-Type "text/xml" \ "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML" 
From 11b1bd827918437b7c4dc6da200a3b36274d966c Mon Sep 17 00:00:00 2001 From: Brendan Murtagh Date: Wed, 29 Jul 2015 16:13:49 -0400 Subject: [PATCH 13/71] Added documentation for ForceType directive (MODULES-2152) Merge clean up. Sorry, no a git pro --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index 58da99da09..0ce6402404 100644 --- a/README.md +++ b/README.md @@ -1305,6 +1305,10 @@ Sets the [FallbackResource](http://httpd.apache.org/docs/current/mod/mod_dir.htm } ``` +#####`force_type` + +Sets the [ForceType](http://httpd.apache.org/docs/2.2/mod/core.html#forcetype) directive, to force all matching files to be served with the specified MIME content-type. + #####`headers` Adds lines to replace, merge, or remove response headers. See [Header](http://httpd.apache.org/docs/current/mod/mod_headers.html#header) for more information. Can be an array. Defaults to 'undef'. From fb4aa9b10983cd2b575fc1c78cdb510313b1bf06 Mon Sep 17 00:00:00 2001 From: Bryan Jen Date: Thu, 30 Jul 2015 14:46:03 -0700 Subject: [PATCH 14/71] Removes ruby 1.8.7 from the travisci test matrix --- .travis.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.travis.yml b/.travis.yml index 16d694bb6e..c418ab5f2a 100644 --- a/.travis.yml +++ b/.travis.yml @@ -6,8 +6,6 @@ script: "bundle exec rake validate && bundle exec rake lint && bundle exec rake matrix: fast_finish: true include: - - rvm: 1.8.7 - env: PUPPET_GEM_VERSION="~> 3.0" - rvm: 1.9.3 env: PUPPET_GEM_VERSION="~> 3.0" - rvm: 2.1.5 From 660dda1e14edb86994d7ef49917406bd3ef68f98 Mon Sep 17 00:00:00 2001 
From: Garrett Guillotte Date: Thu, 2 Jul 2015 15:50:31 -0700 Subject: [PATCH 15/71] Apache readme reorganization. Massive reorg and style edit, bringing the way we present classes, defines, and parameters in line with our established styles. Documents several undocumented parameters and default values, especially in Apache module classes. This work is incomplete; there are many more undocumented parameters and more style and formatting consistency issues to resolve. --- README.md | 3034 ++++++++++++++++++++++++------------------- README.passenger.md | 54 +- 2 files changed, 1699 insertions(+), 1389 deletions(-) diff --git a/README.md b/README.md index 0ce6402404..dd9851f96d 100644 --- a/README.md +++ b/README.md 
@@ -1,582 +1,1164 @@ -#apache - -####Table of Contents - -1. [Overview - What is the apache module?](#overview) -2. [Module Description - What does the module do?](#module-description) -3. [Setup - The basics of getting started with apache](#setup) - * [Beginning with apache - Installation](#beginning-with-apache) - * [Configure a virtual host - Basic options for getting started](#configure-a-virtual-host) -4. [Usage - The classes and defined types available for configuration](#usage) - * [Classes and Defined Types](#classes-and-defined-types) - * [Class: apache](#class-apache) - * [Defined Type: apache::custom_config](#defined-type-apachecustom_config) - * [Class: apache::default_mods](#class-apachedefault_mods) - * [Defined Type: apache::mod](#defined-type-apachemod) - * [Classes: apache::mod::*](#classes-apachemodname) - * [Class: apache::mod::alias](#class-apachemodalias) - * [Class: apache::mod::event](#class-apachemodevent) - * [Class: apache::mod::geoip](#class-apachemodgeoip) - * [Class: apache::mod::info](#class-apachemodinfo) - * [Class: apache::mod::pagespeed](#class-apachemodpagespeed) - * [Class: apache::mod::php](#class-apachemodphp) - * [Class: apache::mod::ssl](#class-apachemodssl) - * [Class: apache::mod::status](#class-apachemodstatus) - * [Class: apache::mod::expires](#class-apachemodexpires) - * [Class: apache::mod::wsgi](#class-apachemodwsgi) - * [Class: apache::mod::fcgid](#class-apachemodfcgid) - * [Class: apache::mod::negotiation](#class-apachemodnegotiation) - * [Class: apache::mod::deflate](#class-apachemoddeflate) - * [Class: apache::mod::reqtimeout](#class-apachemodreqtimeout) - * [Class: apache::mod::security](#class-modsecurity) - * [Class: apache::mod::version](#class-apachemodversion) - * [Defined Type: apache::vhost](#defined-type-apachevhost) - * [Parameter: `directories` for apache::vhost](#parameter-directories-for-apachevhost) - * [SSL parameters for apache::vhost](#ssl-parameters-for-apachevhost) - * [Defined Type: 
apache::fastcgi::server](#defined-type-fastcgi-server) - * [Virtual Host Examples - Demonstrations of some configuration options](#virtual-host-examples) - * [Load Balancing](#load-balancing) - * [Defined Type: apache::balancer](#defined-type-apachebalancer) - * [Defined Type: apache::balancermember](#defined-type-apachebalancermember) - * [Examples - Load balancing with exported and non-exported resources](#examples) -5. [Reference - An under-the-hood peek at what the module is doing and how](#reference) - * [Classes](#classes) - * [Public Classes](#public-classes) - * [Private Classes](#private-classes) - * [Defined Types](#defined-types) - * [Public Defined Types](#public-defined-types) - * [Private Defined Types](#private-defined-types) - * [Templates](#templates) -6. [Limitations - OS compatibility, etc.](#limitations) -7. [Development - Guide for contributing to the module](#development) - * [Contributing to the apache module](#contributing) - * [Running tests - A quick guide](#running-tests) - -##Overview - -The apache module allows you to set up virtual hosts and manage web services with minimal effort. - -##Module Description - -Apache is a widely-used web server, and this module provides a simplified way of creating configurations to manage your infrastructure. This includes the ability to configure and manage a range of different virtual host setups, as well as a streamlined way to install and configure Apache modules. - -##Setup - -**What apache affects:** - -* configuration files and directories (created and written to) - * **WARNING**: Configurations that are *not* managed by Puppet will be purged. 
-* package/service/configuration files for Apache -* Apache modules -* virtual hosts -* listened-to ports -* `/etc/make.conf` on FreeBSD and Gentoo -* depends on module 'gentoo/puppet-portage' for Gentoo - -###Beginning with Apache - -To install Apache with the default parameters - -```puppet - class { 'apache': } -``` - -The defaults are determined by your operating system (e.g. Debian systems have one set of defaults, and RedHat systems have another, as do FreeBSD and Gentoo systems). These defaults work well in a testing environment, but are not suggested for production. To establish customized parameters - -```puppet - class { 'apache': - default_mods => false, - default_confd_files => false, - } -``` +# apache + +[Module description]: #module-description + +[Setup]: #setup +[Beginning with Apache]: #beginning-with-apache + +[Usage]: #usage +[Configuring virtual hosts]: #configuring-virtual-hosts +[Configuring virtual hosts with SSL]: #configuring-virtual-hosts-with-ssl +[Configuring virtual host port and address bindings]: #configuring-virtual-host-port-and-address-bindings +[Configuring virtual hosts for apps and processors]: #configuring-virtual-hosts-for-apps-and-processors +[Configuring IP-based virtual hosts]: #configuring-ip-based-virtual-hosts +[Installing Apache modules]: #installing-apache-modules +[Installing arbitrary modules]: #installing-arbitrary-modules +[Installing specific modules]: #installing-specific-modules +[Configuring FastCGI servers]: #configuring-fastcgi-servers-to-handle-php-files +[Load balancing examples]: #load-balancing-examples + +[Reference]: #reference +[Public classes]: #public-classes +[Private classes]: #private-classes +[Public defines]: #public-defines +[Private defines]: #private-defines +[Templates]: #templates + +[Limitations]: #limitations + +[Development]: #development +[Contributing]: #contributing +[Running tests]: #running-tests + +[`AddDefaultCharset`]: 
http://httpd.apache.org/docs/current/mod/core.html#adddefaultcharset +[`add_listen`]: #add_listen +[`Alias`]: https://httpd.apache.org/docs/current/mod/mod_alias.html#alias +[`AliasMatch`]: https://httpd.apache.org/docs/current/mod/mod_alias.html#aliasmatch +[aliased servers]: https://httpd.apache.org/docs/current/urlmapping.html +[`AllowEncodedSlashes`]: http://httpd.apache.org/docs/current/mod/core.html#allowencodedslashes +[`apache`]: #class-apache +[`apache_version`]: #apache_version +[`apache::balancer`]: #define-apachebalancer +[`apache::balancermember`]: #define-apachebalancermember +[`apache::fastcgi::server`]: #define-apachefastcgiserver +[`apache::mod`]: #define-apachemod +[`apache::mod::`]: #classes-apachemodmodule-name +[`apache::mod::event`]: #class-apachemodevent +[`apache::mod::itk`]: #class-apachemoditk +[`apache::mod::passenger`]: #class-apachemodpassenger +[`apache::mod::peruser`]: #class-apachemodperuser +[`apache::mod::prefork`]: #class-apachemodprefork +[`apache::mod::proxy_html`]: #class-apachemodproxy_html +[`apache::mod::security`]: #class-apachemodsecurity +[`apache::mod::ssl`]: #class-apachemodssl +[`apache::mod::worker`]: #class-apachemodworker +[`apache::params`]: #class-apacheparams +[`apache::version`]: #class-apacheversion +[`apache::vhost`]: #define-apachevhost +[`apache::vhost::WSGIImportScript`]: #wsgiimportscript +[Apache HTTP Server]: http://httpd.apache.org +[Apache modules]: http://httpd.apache.org/docs/current/mod/ +[array]: https://docs.puppetlabs.com/puppet/latest/reference/lang_data_array.html + +[beaker-rspec]: https://github.com/puppetlabs/beaker-rspec + +[certificate revocation list]: http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcarevocationfile +[certificate revocation list path]: http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcarevocationpath +[common gateway interface]: http://httpd.apache.org/docs/current/howto/cgi.html +[`confd_dir`]: #confd_dir +[`content`]: #content +[custom error documents]: 
http://httpd.apache.org/docs/current/custom-error.html +[`custom_fragment`]: #custom_fragment + +[`default_mods`]: #default_mods +[`default_ssl_crl`]: #default_ssl_crl +[`default_ssl_crl_path`]: #default_ssl_crl_path +[`default_ssl_vhost`]: #default_ssl_vhost +[`directory`]: #directory +[`DirectoryIndex`]: http://httpd.apache.org/docs/current/mod/mod_dir.html#directoryindex +[`docroot`]: #docroot +[`docroot_owner`]: #docroot_owner +[`docroot_group`]: #docroot_group +[`DocumentRoot`]: https://httpd.apache.org/docs/current/mod/core.html#documentroot + +[`EnableSendfile`]: http://httpd.apache.org/docs/current/mod/core.html#enablesendfile +[`ExpiresByType`]: http://httpd.apache.org/docs/current/mod/mod_expires.html#expiresbytype +[enforcing mode]: http://selinuxproject.org/page/Guide/Mode +[`ensure`]: https://docs.puppetlabs.com/references/latest/type.html#package-attribute-ensure +[exported resources]: http://docs.puppetlabs.com/latest/reference/lang_exported.md +[`ExtendedStatus`]: http://httpd.apache.org/docs/current/mod/core.html#extendedstatus + +[Facter]: http://docs.puppetlabs.com/facter/ +[FastCGI]: http://www.fastcgi.com/ +[FallbackResource]: https://httpd.apache.org/docs/current/mod/mod_dir.html#fallbackresource +[`fallbackresource`]: #fallbackresource +[filter rules]: http://httpd.apache.org/docs/current/filter.html +[`filters`]: #filters +[`ForceType`]: http://httpd.apache.org/docs/current/mod/core.html#forcetype + +[GeoIPScanProxyHeaders]: http://dev.maxmind.com/geoip/legacy/mod_geoip2/#Proxy-Related_Directives +[`gentoo/puppet-portage`]: https://github.com/gentoo/puppet-portage + +[Hash]: https://docs.puppetlabs.com/puppet/latest/reference/lang_data_hash.html + +[`IncludeOptional`]: http://httpd.apache.org/docs/current/mod/core.html#includeoptional +[`Include`]: http://httpd.apache.org/docs/current/mod/core.html#include +[interval syntax]: http://httpd.apache.org/docs/current/mod/mod_expires.html#AltSyn +[`ip`]: #ip +[`ip_based`]: #ip_based +[IP-based 
virtual hosts]: http://httpd.apache.org/docs/current/vhosts/ip-based.html + +[`KeepAlive`]: http://httpd.apache.org/docs/current/mod/core.html#keepalive +[`KeepAliveTimeout`]: http://httpd.apache.org/docs/current/mod/core.html#keepalivetimeout +[`keepalive` parameter]: #keepalive +[`keepalive_timeout`]: #keepalive_timeout + +[`lib`]: #lib +[`lib_path`]: #lib_path +[`Listen`]: http://httpd.apache.org/docs/current/bind.html +[`ListenBackLog`]: https://httpd.apache.org/docs/current/mod/mpm_common.html#listenbacklog +[`LoadFile`]: https://httpd.apache.org/docs/current/mod/mod_so.html#loadfile +[`LogFormat`]: https://httpd.apache.org/docs/current/mod/mod_log_config.html#logformat +[`logroot`]: #logroot +[Log security]: http://httpd.apache.org/docs/current/logs.html#security + +[`manage_user`]: #manage_user +[`manage_group`]: #manage_group +[`MaxConnectionsPerChild`]: https://httpd.apache.org/docs/current/mod/mpm_common.html#maxconnectionsperchild +[`max_keepalive_requests`]: #max_keepalive_requests +[`MaxRequestWorkers`]: https://httpd.apache.org/docs/current/mod/mpm_common.html#maxrequestworkers +[`MaxSpareThreads`]: https://httpd.apache.org/docs/current/mod/mpm_common.html#maxsparethreads +[MIME `content-type`]: https://www.iana.org/assignments/media-types/media-types.xhtml +[`MinSpareThreads`]: https://httpd.apache.org/docs/current/mod/mpm_common.html#minsparethreads +[`mod_alias`]: https://httpd.apache.org/docs/current/mod/mod_alias.html +[`mod_auth_cas`]: https://github.com/Jasig/mod_auth_cas +[`mod_authnz_external`]: https://code.google.com/p/mod-auth-external/ +[`mod_expires`]: http://httpd.apache.org/docs/current/mod/mod_expires.html +[`mod_fcgid`]: https://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html +[`mod_geoip`]: http://dev.maxmind.com/geoip/legacy/mod_geoip2/ +[`mod_info`]: https://httpd.apache.org/docs/current/mod/mod_info.html +[`mod_mpm_event`]: https://httpd.apache.org/docs/current/mod/event.html +[`mod_negotiation`]: 
http://httpd.apache.org/docs/current/mod/mod_negotiation.html
+[`mod_pagespeed`]: https://developers.google.com/speed/pagespeed/module/?hl=en
+[`mod_php`]: http://php.net/manual/en/book.apache.php
+[`mod_proxy`]: https://httpd.apache.org/docs/current/mod/mod_proxy.html
+[`mod_proxy_balancer`]: http://httpd.apache.org/docs/current/mod/mod_proxy_balancer.html
+[`mod_reqtimeout`]: http://httpd.apache.org/docs/current/mod/mod_reqtimeout.html
+[`mod_security`]: https://www.modsecurity.org/
+[`mod_ssl`]: http://httpd.apache.org/docs/current/mod/mod_ssl.html
+[`mod_status`]: http://httpd.apache.org/docs/current/mod/mod_status.html
+[`mod_version`]: http://httpd.apache.org/docs/current/mod/mod_version.html
+[`mod_wsgi`]: http://modwsgi.readthedocs.org/en/latest/
+[module contribution guide]: http://docs.puppetlabs.com/forge/contributing.html
+[`mpm_module`]: #mpm_module
+[multi-processing module]: http://httpd.apache.org/docs/current/mpm.html
+
+[name-based virtual hosts]: https://httpd.apache.org/docs/current/vhosts/name-based.html
+
+[open source Puppet]: http://docs.puppetlabs.com/puppet/
+[`Options`]: https://httpd.apache.org/docs/current/mod/core.html#options
+
+[`path`]: #path
+[`Peruser`]: http://www.freebsd.org/cgi/url.cgi?ports/www/apache22-peruser-mpm/pkg-descr
+[`port`]: #port
+[`priority`]: #defines-apachevhost
+[`ProxyPass`]: http://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypass
+[`ProxySet`]: http://httpd.apache.org/docs/current/mod/mod_proxy.html#proxyset
+[Puppet Enterprise]: http://docs.puppetlabs.com/pe/
+[Puppet Forge]: http://forge.puppetlabs.com
+[Puppet Labs]: http://puppetlabs.com
+[Puppet module]: http://docs.puppetlabs.com/puppet/latest/reference/modules_fundamentals.html
+[Puppet module's code]: https://github.com/puppetlabs/puppetlabs-apache/blob/master/manifests/default_mods.pp
+[`purge_configs`]: #purge_configs
+[`purge_vhost_configs`]: #purge_vhost_configs
+[Python]: https://www.python.org/
+
+[Rack]: http://rack.github.io/
+[`rack_base_uris`]: #rack_base_uris
+[RFC 2616]: https://www.ietf.org/rfc/rfc2616.txt
+[`RequestReadTimeout`]: http://httpd.apache.org/docs/current/mod/mod_reqtimeout.html#requestreadtimeout
+[rspec-puppet]: http://rspec-puppet.com/
+
+[`ScriptAlias`]: https://httpd.apache.org/docs/current/mod/mod_alias.html#scriptalias
+[`ScriptAliasMatch`]: https://httpd.apache.org/docs/current/mod/mod_alias.html#scriptaliasmatch
+[`scriptalias`]: #scriptalias
+[SELinux]: http://selinuxproject.org/
+[`ServerAdmin`]: http://httpd.apache.org/docs/current/mod/core.html#serveradmin
+[`serveraliases`]: #serveraliases
+[`ServerLimit`]: https://httpd.apache.org/docs/current/mod/mpm_common.html#serverlimit
+[`ServerName`]: http://httpd.apache.org/docs/current/mod/core.html#servername
+[`ServerRoot`]: http://httpd.apache.org/docs/current/mod/core.html#serverroot
+[`ServerTokens`]: http://httpd.apache.org/docs/current/mod/core.html#servertokens
+[`ServerSignature`]: http://httpd.apache.org/docs/current/mod/core.html#serversignature
+[Service attribute restart]: http://docs.puppetlabs.com/references/latest/type.html#service-attribute-restart
+[`source`]: #source
+[SSLCARevocationCheck]: http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcarevocationcheck
+[SSL certificate key file]: http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcertificatekeyfile
+[SSL chain]: https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcertificatechainfile
+[SSL encryption]: https://httpd.apache.org/docs/current/ssl/index.html
+[`ssl`]: #ssl
+[`ssl_cert`]: #ssl_cert
+[`ssl_compression`]: #ssl_compression
+[`ssl_key`]: #ssl_key
+[`StartServers`]: https://httpd.apache.org/docs/current/mod/mpm_common.html#startservers
+[suPHP]: http://www.suphp.org/Home.html
+[`suphp_addhandler`]: #suphp_addhandler
+[`suphp_configpath`]: #suphp_configpath
+[`suphp_engine`]: #suphp_engine
+[supported operating system]: https://forge.puppetlabs.com/supported#puppet-supported-modules-compatibility-matrix
+
+[`ThreadLimit`]: http://httpd.apache.org/docs/current/mod/mpm_common.html#threadlimit +[`ThreadsPerChild`]: https://httpd.apache.org/docs/current/mod/mpm_common.html#threadsperchild +[`TimeOut`]: http://httpd.apache.org/docs/current/mod/core.html#timeout +[template]: http://docs.puppetlabs.com/puppet/latest/reference/lang_template.html +[`TraceEnable`]: http://httpd.apache.org/docs/current/mod/core.html#traceenable + +[`verify_config`]: #verify_config +[`vhost`]: #define-apachevhost +[`vhost_dir`]: #vhost_dir +[`virtual_docroot`]: #virtual_docroot + +[Web Server Gateway Interface]: https://www.python.org/dev/peps/pep-3333/#abstract +[`WSGIPythonPath`]: https://code.google.com/p/modwsgi/wiki/ConfigurationDirectives#WSGIPythonPath +[`WSGIPythonHome`]: https://code.google.com/p/modwsgi/wiki/ConfigurationDirectives#WSGIPythonHome + +#### Table of Contents + +1. [Module description - What is the apache module, and what does it do?][Module description] +2. [Setup - The basics of getting started with apache][Setup] + - [Beginning with Apache - Installation][Beginning with Apache] +3. [Usage - The classes and defined types available for configuration][Usage] + - [Configuring virtual hosts - Examples to help get started][Configuring virtual hosts] + - [Configuring FastCGI servers to handle PHP files][Configuring FastCGI servers] + - [Load balancing with exported and non-exported resources][Load balancing examples] +4. [Reference - An under-the-hood peek at what the module is doing and how][Reference] + - [Public classes][] + - [Private classes][] + - [Public defines][] + - [Private defines][] + - [Templates][] +5. [Limitations - OS compatibility, etc.][Limitations] +6. [Development - Guide for contributing to the module][Development] + - [Contributing to the apache module][Contributing] + - [Running tests - A quick guide][Running tests] + +## Module description + +[Apache HTTP Server][] (also called Apache HTTPD, or simply Apache) is a widely used web server. 
This [Puppet module][] simplifies the task of creating configurations to manage Apache servers in your infrastructure. It can configure and manage a range of virtual host setups and provides a streamlined way to install and configure [Apache modules][]. + +## Setup + +**What the apache Puppet module affects:** + +- Configuration files and directories (created and written to) + - **WARNING**: Configurations *not* managed by Puppet will be purged. +- Package/service/configuration files for Apache +- Apache modules +- Virtual hosts +- Listened-to ports +- `/etc/make.conf` on FreeBSD and Gentoo + +On Gentoo, this module depends on the [`gentoo/puppet-portage`][] Puppet module. Note that while several options apply or enable certain features and settings for Gentoo, it is not a [supported operating system][] for this module. + +**Note**: This module modifies Apache configuration files and directories and purges any configuration not managed by Puppet. Apache configuration should be managed by Puppet, as unmanaged configuration files can cause unexpected failures. + +To temporarily disable full Puppet management, set the [`purge_configs`][] parameter in the [`apache`][] class declaration to 'false'. We recommend using this only as a temporary means of saving and relocating customized configurations. + +### Beginning with Apache + +To have Puppet install Apache with the default parameters, declare the [`apache`][] class: + +~~~ puppet +class { 'apache': } +~~~ + +The Puppet module applies a default configuration based on your operating system; Debian, Red Hat, FreeBSD, and Gentoo systems each have unique default configurations. These defaults work in testing environments but are not suggested for production, and Puppet recommends customizing the class's parameters to suit your site. Use the [Reference](#reference) section to find information about the class's parameters and their default values. + +You can customize parameters when declaring the `apache` class. 
For instance, this declaration installs Apache without the apache module's [default virtual host configuration][Configuring virtual hosts], allowing you to customize all Apache virtual hosts: + +~~~ puppet +class { 'apache': + default_vhosts => false, +} +~~~ -###Configure a virtual host +## Usage -Declaring the `apache` class creates a default virtual host by setting up a vhost on port 80, listening on all interfaces and serving `$apache::docroot`. +### Configuring a virtual host -```puppet - class { 'apache': } -``` +The default [`apache`][] class sets up a virtual host on port 80, listening on all interfaces and serving the [`docroot`][] parameter's default directory of `/var/www`. -To configure a very basic, name-based virtual host +**Note**: See the [`apache::vhost`][] define's reference for a list of all virtual host parameters. -```puppet - apache::vhost { 'first.example.com': - port => '80', - docroot => '/var/www/first', - } -``` +To configure basic [name-based virtual hosts][], specify the [`port`][] and [`docroot`][] parameters in the [`apache::vhost`][] define: -*Note:* The default priority is 15. If nothing matches this priority, the alphabetically first name-based vhost is used. This is also true if you pass a higher priority and no names match anything else. +~~~ puppet +apache::vhost { 'vhost.example.com': + port => '80', + docroot => '/var/www/vhost', +} +~~~ -A slightly more complicated example, changes the docroot owner/group from the default 'root' +**Note**: Apache processes virtual hosts in alphabetical order, and server administrators can prioritize Apache's virtual host processing by prefixing a virtual host's configuration file name with a number. The [`apache::vhost`][] define applies a default [`priority`][] of 15, which Puppet interprets by prefixing the virtual host's file name with `15-`. 
This all means that if multiple sites have the same priority, or if you disable priority numbers by setting the `priority` parameter's value to 'false', Apache still processes virtual hosts in alphabetical order. -```puppet - apache::vhost { 'second.example.com': - port => '80', - docroot => '/var/www/second', - docroot_owner => 'third', - docroot_group => 'third', - } -``` +To configure user and group ownership for `docroot`, use the [`docroot_owner`][] and [`docroot_group`][] parameters: -To set up a virtual host with SSL and default SSL certificates +~~~ puppet +apache::vhost { 'user.example.com': + port => '80', + docroot => '/var/www/user', + docroot_owner => 'www-data', + docroot_group => 'www-data', +} +~~~ -```puppet - apache::vhost { 'ssl.example.com': - port => '443', - docroot => '/var/www/ssl', - ssl => true, - } -``` +#### Configuring virtual hosts with SSL -To set up a virtual host with SSL and specific SSL certificates +To configure a virtual host to use [SSL encryption][] and default SSL certificates, set the [`ssl`][] parameter. You must also specify the [`port`][] parameter, typically with a value of '443', to accomodate HTTPS requests: -```puppet - apache::vhost { 'fourth.example.com': - port => '443', - docroot => '/var/www/fourth', - ssl => true, - ssl_cert => '/etc/ssl/fourth.example.com.cert', - ssl_key => '/etc/ssl/fourth.example.com.key', - } -``` +~~~ puppet +apache::vhost { 'ssl.example.com': + port => '443', + docroot => '/var/www/ssl', + ssl => true, +} +~~~ -Virtual hosts listen on '*' by default. 
To listen on a specific IP address +To configure a virtual host to use SSL and specific SSL certificates, use the paths to the certificate and key in the [`ssl_cert`][] and [`ssl_key`][] parameters, respectively: -```puppet - apache::vhost { 'subdomain.example.com': - ip => '127.0.0.1', - port => '80', - docroot => '/var/www/subdomain', - } -``` +~~~ puppet +apache::vhost { 'cert.example.com': + port => '443', + docroot => '/var/www/cert', + ssl => true, + ssl_cert => '/etc/ssl/fourth.example.com.cert', + ssl_key => '/etc/ssl/fourth.example.com.key', +} +~~~ -To set up a virtual host with a wildcard alias for the subdomain mapped to a same-named directory, for example: `http://example.com.loc` to `/var/www/example.com` +To configure a mix of SSL and unencrypted virtual hosts at the same domain, declare them with separate [`apache::vhost`] defines: -```puppet - apache::vhost { 'subdomain.loc': - vhost_name => '*', - port => '80', - virtual_docroot => '/var/www/%-2+', - docroot => '/var/www', - serveraliases => ['*.loc',], - } -``` +~~~ puppet +# The non-ssl virtual host +apache::vhost { 'mix.example.com non-ssl': + servername => 'mix.example.com', + port => '80', + docroot => '/var/www/mix', +} -To set up a virtual host with suPHP +# The SSL virtual host at the same domain +apache::vhost { 'mix.example.com ssl': + servername => 'mix.example.com', + port => '443', + docroot => '/var/www/mix', + ssl => true, +} +~~~ -```puppet - apache::vhost { 'suphp.example.com': - port => '80', - docroot => '/home/appuser/myphpapp', - suphp_addhandler => 'x-httpd-php', - suphp_engine => 'on', - suphp_configpath => '/etc/php5/apache2', - directories => { path => '/home/appuser/myphpapp', - 'suphp' => { user => 'myappuser', group => 'myappgroup' }, - } - } -``` +To configure a virtual host to redirect unencrypted connections to SSL, declare them with separate [`apache::vhost`] defines and redirect unencrypted requests to the virtual host with SSL enabled: -To set up a virtual host 
with WSGI +~~~ puppet +apache::vhost { 'redirect.example.com non-ssl': + servername => 'redirect.example.com', + port => '80', + docroot => '/var/www/redirect', + redirect_status => 'permanent', + redirect_dest => 'https://redirect.example.com/' +} -```puppet - apache::vhost { 'wsgi.example.com': - port => '80', - docroot => '/var/www/pythonapp', - wsgi_application_group => '%{GLOBAL}', - wsgi_daemon_process => 'wsgi', - wsgi_daemon_process_options => { - processes => '2', - threads => '15', - display-name => '%{GROUP}', - }, - wsgi_import_script => '/var/www/demo.wsgi', - wsgi_import_script_options => - { process-group => 'wsgi', application-group => '%{GLOBAL}' }, - wsgi_process_group => 'wsgi', - wsgi_script_aliases => { '/' => '/var/www/demo.wsgi' }, - } -``` +apache::vhost { 'redirect.example.com ssl': + servername => 'redirect.example.com', + port => '443', + docroot => '/var/www/redirect', + ssl => true, +} +~~~ -Starting in Apache 2.2.16, HTTPD supports [FallbackResource](https://httpd.apache.org/docs/current/mod/mod_dir.html#fallbackresource), a simple replacement for common RewriteRules. +#### Configuring virtual host port and address bindings -```puppet - apache::vhost { 'wordpress.example.com': - port => '80', - docroot => '/var/www/wordpress', - fallbackresource => '/index.php', - } -``` +Virtual hosts listen on all IP addresses ('*') by default. 
To configure the virtual host to listen on a specific IP address, use the [`ip`][] parameter: -To set up a virtual host with filter rules +~~~ puppet +apache::vhost { 'ip.example.com': + ip => '127.0.0.1', + port => '80', + docroot => '/var/www/ip', +} +~~~ -```puppet - apache::vhost { 'subdomain.loc': - port => '80', - filters => [ - 'FilterDeclare COMPRESS', - 'FilterProvider COMPRESS DEFLATE resp=Content-Type $text/html', - 'FilterChain COMPRESS', - 'FilterProtocol COMPRESS DEFLATE change=yes;byteranges=no', - ], - docroot => '/var/www/html', - } -``` +To configure a virtual host with [aliased servers][], refer to the aliases using the [`serveraliases`][] parameter: + +~~~ puppet +apache::vhost { 'aliases.example.com': + serveraliases => [ + 'aliases.example.org', + 'aliases.example.net', + ], + port => '80', + docroot => '/var/www/aliases', +} +~~~ + +To set up a virtual host with a wildcard alias for the subdomain mapped to a same-named directory, such as 'http://example.com.loc' mapped to `/var/www/example.com`, define the wildcard alias using the [`serveraliases`][] parameter and the document root with the [`virtual_docroot`][] parameter: + +~~~ puppet +apache::vhost { 'subdomain.loc': + vhost_name => '*', + port => '80', + virtual_docroot => '/var/www/%-2+', + docroot => '/var/www', + serveraliases => ['*.loc',], +} +~~~ + +To configure a virtual host with [filter rules][], pass the filter directives as an [array][] using the [`filters`][] parameter: + +~~~ puppet +apache::vhost { 'subdomain.loc': + port => '80', + filters => [ + 'FilterDeclare COMPRESS', + 'FilterProvider COMPRESS DEFLATE resp=Content-Type $text/html', + 'FilterChain COMPRESS', + 'FilterProtocol COMPRESS DEFLATE change=yes;byteranges=no', + ], + docroot => '/var/www/html', +} +~~~ + +#### Configuring virtual hosts for apps and processors + +To set up a virtual host with [suPHP][], use the [`suphp_engine`][] parameter to enable the suPHP engine, [`suphp_addhandler`][] parameter to define a 
MIME type, [`suphp_configpath`][] to set which path suPHP passes to the PHP interpreter, and the [`directory`][] parameter to configure Directory, File, and Location directive blocks: + +~~~ puppet +apache::vhost { 'suphp.example.com': + port => '80', + docroot => '/home/appuser/myphpapp', + suphp_addhandler => 'x-httpd-php', + suphp_engine => 'on', + suphp_configpath => '/etc/php5/apache2', + directories => [ + { 'path' => '/home/appuser/myphpapp', + 'suphp' => { + user => 'myappuser', + group => 'myappgroup', + }, + }, + ], +} +~~~ + +You can use a set of parameters to configure a virtual host to use the [Web Server Gateway Interface][] (WSGI) for [Python][] applications: + +~~~ puppet +apache::vhost { 'wsgi.example.com': + port => '80', + docroot => '/var/www/pythonapp', + wsgi_application_group => '%{GLOBAL}', + wsgi_daemon_process => 'wsgi', + wsgi_daemon_process_options => { + processes => '2', + threads => '15', + display-name => '%{GROUP}', + }, + wsgi_import_script => '/var/www/demo.wsgi', + wsgi_import_script_options => { + process-group => 'wsgi', + application-group => '%{GLOBAL}', + }, + wsgi_process_group => 'wsgi', + wsgi_script_aliases => { '/' => '/var/www/demo.wsgi' }, +} +~~~ + +Starting in Apache 2.2.16, Apache supports [FallbackResource][], a simple replacement for common RewriteRules. You can set a FallbackResource using the [`fallbackresource`][] parameter: + +~~~ puppet +apache::vhost { 'wordpress.example.com': + port => '80', + docroot => '/var/www/wordpress', + fallbackresource => '/index.php', +} +~~~ + +**Note**: The `fallbackresource` parameter only supports the 'disabled' value since Apache 2.2.24. 
+ +To configure a virtual host with a designated directory for [Common Gateway Interface][] (CGI) files, use the [`scriptalias`][] parameter to define the `cgi-bin` path: + +~~~ puppet +apache::vhost { 'cgi.example.com': + port => '80', + docroot => '/var/www/cgi', + scriptalias => '/usr/lib/cgi-bin', +} +~~~ + +To configure a virtual host for [Rack][], use the [`rack_base_uris`][] parameter: + +~~~ puppet +apache::vhost { 'rack.example.com': + port => '80', + docroot => '/var/www/rack', + rack_base_uris => ['/rackapp1', '/rackapp2'], +} +~~~ + +#### Configuring IP-based virtual hosts + +You can configure [IP-based virtual hosts][] to listen on any port and have them respond to requests on specific IP addresses. In this example, we set the server to listen on ports 80 and 81 because the example virtual hosts are _not_ declared with a [`port`][] parameter: + +~~~ puppet +apache::listen { '80': } + +apache::listen { '81': } +~~~ + +Then we configure the IP-based virtual hosts with the [`ip_based`][] parameter: + +~~~ puppet +apache::vhost { 'first.example.com': + ip => '10.0.0.10', + docroot => '/var/www/first', + ip_based => true, +} + +apache::vhost { 'second.example.com': + ip => '10.0.0.11', + docroot => '/var/www/second', + ip_based => true, +} +~~~ + +You can also configure a mix of IP- and [name-based virtual hosts][], and in any combination of [SSL][SSL encryption] and unencrypted configurations. First, we add two IP-based virtual hosts on an IP address (in this example, 10.0.0.10). 
One uses SSL and the other is unencrypted: + +~~~ puppet +apache::vhost { 'The first IP-based virtual host, non-ssl': + servername => 'first.example.com', + ip => '10.0.0.10', + port => '80', + ip_based => true, + docroot => '/var/www/first', +} + +apache::vhost { 'The first IP-based vhost, ssl': + servername => 'first.example.com', + ip => '10.0.0.10', + port => '443', + ip_based => true, + docroot => '/var/www/first-ssl', + ssl => true, +} +~~~ -Please note that the 'disabled' argument to FallbackResource is only supported since Apache 2.2.24. +Next, we add two name-based virtual hosts listening on a second IP address (10.0.0.20): -See a list of all [virtual host parameters](#defined-type-apachevhost). See an extensive list of [virtual host examples](#virtual-host-examples). +~~~ puppet +apache::vhost { 'second.example.com': + ip => '10.0.0.20', + port => '80', + docroot => '/var/www/second', +} + +apache::vhost { 'third.example.com': + ip => '10.0.0.20', + port => '80', + docroot => '/var/www/third', +} +~~~ + +To add name-based virtual hosts that answer on either 10.0.0.10 or 10.0.0.20, you **must** set the [`add_listen`][] parameter to 'false' to disable the default Apache setting of `Listen 80`, as it conflicts with the preceding IP-based virtual hosts. + +~~~ puppet +apache::vhost { 'fourth.example.com': + port => '80', + docroot => '/var/www/fourth', + add_listen => false, +} + +apache::vhost { 'fifth.example.com': + port => '80', + docroot => '/var/www/fifth', + add_listen => false, +} +~~~ + +### Installing Apache modules + +There's two ways to install [Apache modules][] using the Puppet apache module: + +- Use the [`apache::mod::`][] classes to [install specific Apache modules with parameters][Installing specific modules]. +- Use the [`apache::mod`][] define to [install arbitrary Apache modules][Installing arbitrary modules]. 
+ +#### Installing specific modules + +The Puppet apache module supports installing many common [Apache modules][], often with parameterized configuration options. For a list of supported Apache modules, see the [`apache::mod::`][] class references. + +For example, you can install the `mod_ssl` Apache module with default settings by declaring the [`apache::mod::ssl`][] class: + +~~~ puppet +class { 'apache::mod::ssl': } +~~~ + +[`apache::mod::ssl`][] has several parameterized options that you can set when declaring it. For instance, to enable `mod_ssl` with compression enabled, set the [`ssl_compression`][] parameter to 'true': + +~~~ puppet +class { 'apache::mod::ssl': + ssl_compression => true, +} +~~~ + +Note that some modules have prerequisites, which are documented in their references under [`apache::mod::`][]. + +#### Installing arbitrary modules + +You can pass the name of any module that your operating system's package manager can install to the [`apache::mod`][] define to install it. Unlike the specific-module classes, the [`apache::mod`][] define doesn't tailor the installation based on other installed modules or with specific parameters---Puppet only grabs and installs the module's package, leaving detailed configuration up to you. + +For example, to install the [`mod_authnz_external`][] Apache module, declare the define with the 'mod_authnz_external' name: -##Usage +~~~ puppet +apache::mod { 'mod_authnz_external': } +~~~ -###Classes and Defined Types +There's several optional parameters you can specify when defining Apache modules this way. See the [define's reference][`apache::mod`] for details. -This module modifies Apache configuration files and directories and purges any configuration not managed by Puppet. Configuration of Apache should be managed by Puppet, as non-Puppet configuration files can cause unexpected failures. 
+### Configuring FastCGI servers to handle PHP files + +Add the [`apache::fastcgi::server`][] define to allow [FastCGI][] servers to handle requests for specific files. For example, the following defines a FastCGI server at 127.0.0.1 (localhost) on port 9000 to handle PHP requests: + +~~~ puppet +apache::fastcgi::server { 'php': + host => '127.0.0.1:9000', + timeout => 15, + flush => false, + faux_path => '/var/www/php.fcgi', + fcgi_alias => '/php.fcgi', + file_type => 'application/x-httpd-php' +} +~~~ + +You can then use the [`custom_fragment`] parameter to configure the virtual host to have the FastCGI server handle the specified file type: + +~~~ puppet +apache::vhost { 'www': + ... + custom_fragment => 'AddType application/x-httpd-php .php' + ... +} +~~~ + +### Load balancing examples + +Apache supports load balancing across groups of servers through the [`mod_proxy`][] Apache module. Puppet supports configuring Apache load balancing groups (also known as balancer clusters) through the [`apache::balancer`][] and [`apache::balancermember`][] defines. + +To enable load balancing with [exported resources][], export the [`apache::balancermember`][] define from the load balancer member server: + +~~~ puppet +@@apache::balancermember { "${::fqdn}-puppet00": + balancer_cluster => 'puppet00', + url => "ajp://${::fqdn}:8009", + options => ['ping=5', 'disablereuse=on', 'retry=5', 'ttl=120'], +} +~~~ -It is possible to temporarily disable full Puppet management by setting the [`purge_configs`](#purge_configs) parameter within the base `apache` class to 'false'. This option should only be used as a temporary means of saving and relocating customized configurations. See the [`purge_configs` parameter](#purge_configs) for more information. +Then, on the proxy server, create the load balancing group: -####Class: `apache` +~~~ puppet +apache::balancer { 'puppet00': } +~~~ -The apache module's primary class, `apache`, guides the basic setup of Apache on your system. 
+To enable load balancing without exporting resources, declare the following on the proxy server: -You can establish a default vhost in this class, the `vhost` class, or both. You can add additional vhost configurations for specific virtual hosts using a declaration of the `vhost` type. +~~~ puppet +apache::balancer { 'puppet00': } + +apache::balancermember { "${::fqdn}-puppet00": + balancer_cluster => 'puppet00', + url => "ajp://${::fqdn}:8009", + options => ['ping=5', 'disablereuse=on', 'retry=5', 'ttl=120'], + } +~~~ + +Then declare the `apache::balancer` and `apache::balancermember` defines on the proxy server. + +If you need to use the [ProxySet](http://httpd.apache.org/docs/current/mod/mod_proxy.html#proxyset) directive on the balancer, use the [`proxy_set`](#proxy_set) parameter of `apache::balancer`: + +~~~ puppet +apache::balancer { 'puppet01': + proxy_set => { + 'stickysession' => 'JSESSIONID', + }, +} +~~~ + +## Reference + +- [**Public Classes**](#public-classes) + - [Class: apache](#class-apache) + - [Class: apache::dev](#class-apachedev) + - [Classes: apache::mod::*](#classes-apachemodname) +- [**Private Classes**](#private-classes) + - [Class: apache::confd::no_accf](#class-apacheconfdno_accf) + - [Class: apache::default_confd_files](#class-apachedefault_confd_files) + - [Class: apache::default_mods](#class-apachedefault_mods) + - [Class: apache::package](#class-apachepackage) + - [Class: apache::params](#class-apacheparams) + - [Class: apache::service](#class-apacheservice) + - [Class: apache::version](#class-apacheversion) +- [**Public Defines**](#public-defines) + - [Define: apache::balancer](#define-apachebalancer) + - [Define: apache::balancermember](#define-apachebalancermember) + - [Define: apache::custom_config](#define-apachecustom_config) + - [Define: apache::fastcgi::server](#define-fastcgi-server) + - [Define: apache::listen](#define-apachelisten) + - [Define: apache::mod](#define-apachemod) + - [Define: 
apache::namevirtualhost](#define-apachenamevirtualhost) + - [Define: apache::vhost](#define-apachevhost) +- [**Private Defines**](#private-defines) + - [Define: apache::default_mods::load](#define-default_mods-load) + - [Define: apache::peruser::multiplexer](#define-apacheperusermultiplexer) + - [Define: apache::peruser::processor](#define-apacheperuserprocessor) + - [Define: apache::security::file_link](#define-apachesecurityfile_link) +- [**Templates**](#templates) + +### Public Classes + +#### Class: `apache` + +Guides the basic setup and installation of Apache on your system. + +When this class is declared with the default options, Puppet: + +- Installs the appropriate Apache software package and [required Apache modules](#default_mods) for your operating system. +- Places the required configuration files in a directory, with the [default location](#conf_dir) determined by your operating system. +- Configures the server with a default virtual host and standard port ('80') and address ('*') bindings. +- Creates a document root directory determined by your operating system, typically `/var/www`. +- Starts the Apache service. + +You can simply declare the default `apache` class: + +~~~ puppet +class { 'apache': } +~~~ + +You can establish a default virtual host in this class, by using the [`apache::vhost`][] define, or both. You can also configure additional specific virtual hosts with the [`apache::vhost`][] define. Puppet recommends customizing the `apache` class's declaration with the following parameters, as its default settings are not optimized for production. **Parameters within `apache`:** -#####`allow_encoded_slashes` +##### `allow_encoded_slashes` -This sets the server default for the [`AllowEncodedSlashes` declaration](http://httpd.apache.org/docs/current/mod/core.html#allowencodedslashes) which modifies the responses to URLs with `\` and `/` characters. 
The default is undefined, which omits the declaration from the server configuration and select the Apache default setting of `Off`. Allowed values are: `on`, `off` or `nodecode`. +Sets the server default for the [`AllowEncodedSlashes`][] declaration, which modifies the responses to URLs containing '\' and '/' characters. Valid options: 'on', 'off', 'nodecode'. Default: 'undef', which omits the declaration from the server's configuration and uses Apache's default setting of 'off'. -#####`apache_version` +##### `apache_version` -Configures the behavior of the module templates, package names, and default mods by setting the Apache version. Default is determined by the class `apache::version` using the OS family and release. It should not be configured manually without special reason. +Configures module template behavior, package names, and default Apache modules by defining the version of Apache to use. Default: Determined by your operating system family and release via the [`apache::version`][] class. Puppet recommends against manually configuring this parameter without reason. -#####`conf_dir` +##### `conf_dir` -Changes the location of the configuration directory the main configuration file is placed in. Defaults to '/etc/httpd/conf' on RedHat, '/etc/apache2' on Debian, '/usr/local/etc/apache22' on FreeBSD, and '/etc/apache2' on Gentoo. +Sets the directory where the Apache server's main configuration file is located. Default: Depends on your operating system. -#####`confd_dir` +- **Debian**: `/etc/apache2` +- **FreeBSD**: `/usr/local/etc/apache22` +- **Gentoo**: `/etc/apache2` +- **Red Hat**: `/etc/httpd/conf` -Changes the location of the configuration directory your custom configuration files are placed in. Defaults to '/etc/httpd/conf' on RedHat, '/etc/apache2/conf.d' on Debian, '/usr/local/etc/apache22' on FreeBSD, and '/etc/apache2/conf.d' on Gentoo. 
+##### `conf_template` -#####`conf_template` +Defines the [template][] used for the main Apache configuration file. Default: `apache/httpd.conf.erb`. Modifying this parameter is potentially risky, as the apache Puppet module is designed to use a minimal configuration file customized by `conf.d` entries. -Overrides the template used for the main apache configuration file. Defaults to 'apache/httpd.conf.erb'. +##### `confd_dir` -*Note:* Using this parameter is potentially risky, as the module has been built for a minimal configuration file with the configuration primarily coming from conf.d/ entries. +Sets the location of the Apache server's custom configuration directory. Default: Depends on your operating system. -#####`default_charset` +- **Debian**: `/etc/apache2/conf.d` +- **FreeBSD**: `/usr/local/etc/apache22` +- **Gentoo**: `/etc/apache2/conf.d` +- **Red Hat**: `/etc/httpd/conf` -If defined, the value will be set as `AddDefaultCharset` in the main configuration file. It is undefined by default. +##### `default_charset` -#####`default_confd_files` +Used as the [`AddDefaultCharset`][] directive in the main configuration file. Default: 'undef'. -Generates default set of include-able Apache configuration files under `${apache::confd_dir}` directory. These configuration files correspond to what is usually installed with the Apache package on a given platform. +##### `default_confd_files` -#####`default_mods` +Determines whether Puppet generates a default set of includable Apache configuration files in the directory defined by the [`confd_dir`][] parameter. These configuration files correspond to what is typically installed with the Apache package on the server's operating system. Valid options: Boolean. Default: 'true'. -Sets up Apache with default settings based on your OS. Valid values are 'true', 'false', or an array of mod names. 
+##### `default_mods` -Defaults to 'true', which includes the default [HTTPD mods](https://github.com/puppetlabs/puppetlabs-apache/blob/master/manifests/default_mods.pp). +Determines whether to configure and enable a set of default [Apache modules][] depending on your operating system. Valid options: 'true', 'false', or an array of Apache module names. Default: 'true'. -If false, it only includes the mods required to make HTTPD work, and any other mods can be declared on their own. +If this parameter's value is 'false', Puppet only includes the Apache modules required to make the HTTP daemon work on your operating system, and you can declare any other modules separately using the [`apache::mod::`][] class or [`apache::mod`][] define. -If an array, the apache module includes the array of mods listed. +If 'true', Puppet installs additional modules, the list of which depends on the operating system as well as the [`apache_version`][] and [`mpm_module`][] parameters' values. As these lists of modules can change frequently, consult the [Puppet module's code][] for up-to-date lists. -#####`default_ssl_ca` +If this parameter contains an array, Puppet instead enables all passed Apache modules. -The default certificate authority, which is automatically set to 'undef'. This default works out of the box but must be updated with your specific certificate information before being used in production. +##### `default_ssl_ca` -#####`default_ssl_cert` +Sets the default certificate authority for the Apache server. Default: 'undef'. -The default SSL certification, which is automatically set based on your operating system ('/etc/pki/tls/certs/localhost.crt' for RedHat, '/etc/ssl/certs/ssl-cert-snakeoil.pem' for Debian, '/usr/local/etc/apache22/server.crt' for FreeBSD, and '/etc/ssl/apache2/server.crt' for Gentoo). This default works out of the box but must be updated with your specific certificate information before being used in production. 
+While this default value results in a functioning Apache server, you **must** update this parameter with your certificate authority information before deploying this server in a production environment. -#####`default_ssl_chain` +##### `default_ssl_cert` -The default SSL chain, which is automatically set to 'undef'. This default works out of the box but must be updated with your specific certificate information before being used in production. +Sets the [SSL encryption][] certificate location. Default: Determined by your operating system. -#####`default_ssl_crl` +- **Debian**: `/etc/ssl/certs/ssl-cert-snakeoil.pem` +- **FreeBSD**: `/usr/local/etc/apache22/server.crt` +- **Gentoo**: `/etc/ssl/apache2/server.crt` +- **Red Hat**: `/etc/pki/tls/certs/localhost.crt` -The default certificate revocation list to use, which is automatically set to 'undef'. This default works out of the box but must be updated with your specific certificate information before being used in production. +While the default value results in a functioning Apache server, you **must** update this parameter with your certificate location before deploying this server in a production environment. -#####`default_ssl_crl_path` +##### `default_ssl_chain` -The default certificate revocation list path, which is automatically set to 'undef'. This default works out of the box but must be updated with your specific certificate information before being used in production. +Sets the default [SSL chain][] location. Default: 'undef'. -#####`default_ssl_crl_check` +While this default value results in a functioning Apache server, you **must** update this parameter with your SSL chain before deploying this server in a production environment. -Sets the default certificate revocation check level via the [SSLCARevocationCheck directive](http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcarevocationcheck), which is automatically set to 'undef'. 
This default works out of the box but must be specified when using CRLs in production. Only applicable to Apache 2.4 or higher, the value is ignored on older versions. +##### `default_ssl_crl` -#####`default_ssl_key` +Sets the path of the default [certificate revocation list][] (CRL) file to use. Default: 'undef'. -The default SSL key, which is automatically set based on your operating system ('/etc/pki/tls/private/localhost.key' for RedHat, '/etc/ssl/private/ssl-cert-snakeoil.key' for Debian, '/usr/local/etc/apache22/server.key' for FreeBSD, and '/etc/ssl/apache2/server.key' for Gentoo). This default works out of the box but must be updated with your specific certificate information before being used in production. +While this default value results in a functioning Apache server, you **must** update this parameter with your CRL file's path before deploying this server in a production environment. You can use this parameter with or in place of the [`default_ssl_crl_path`][]. -#####`default_ssl_vhost` +##### `default_ssl_crl_path` -Sets up a default SSL virtual host. Defaults to 'false'. If set to 'true', sets up the following vhost: +Sets the server's [certificate revocation list path][], which contains your CRLs. Default: 'undef'. -```puppet - apache::vhost { 'default-ssl': - port => 443, - ssl => true, - docroot => $docroot, - scriptalias => $scriptalias, - serveradmin => $serveradmin, - access_log_file => "ssl_${access_log_file}", - } -``` +While this default value results in a functioning Apache server, you **must** update this parameter with the CRL path before deploying this server in a production environment. + +##### `default_ssl_crl_check` + +Sets the default certificate revocation check level via the [`SSLCARevocationCheck`] directive. Default: 'undef'. + +While this default value results in a functioning Apache server, you **must** specify this parameter when using certificate revocation lists in a production environment. 
+ +This parameter only applies to Apache 2.4 or higher and is ignored on older versions. + +##### `default_ssl_key` + +Sets the [SSL certificate key file][] location. Default: Determined by your operating system. + +- **Debian**: `/etc/ssl/private/ssl-cert-snakeoil.key` +- **FreeBSD**: `/usr/local/etc/apache22/server.key` +- **Gentoo**: `/etc/ssl/apache2/server.key` +- **Red Hat**: `/etc/pki/tls/private/localhost.key` + +While these default values result in a functioning Apache server, you **must** update this parameter with your SSL key's location before deploying this server in a production environment. + +##### `default_ssl_vhost` + +Configures a default [SSL][SSL encryption] virtual host. Valid options: Boolean. Default: 'false'. + +If 'true', Puppet automatically configures the following virtual host using the [`apache::vhost`][] define: + +~~~ puppet +apache::vhost { 'default-ssl': + port => 443, + ssl => true, + docroot => $docroot, + scriptalias => $scriptalias, + serveradmin => $serveradmin, + access_log_file => "ssl_${access_log_file}", + } +~~~ + +**Note**: SSL virtual hosts only respond to HTTPS queries. -SSL vhosts only respond to HTTPS queries. +##### `default_type` -#####`default_type` +_Apache 2.2 only_. Sets the [MIME `content-type`][] sent if the server cannot otherwise determine an appropriate `content-type`. This directive is deprecated in Apache 2.4 and newer and only exists for backwards compatibility in configuration files. Default: 'undef'. -(Apache httpd 2.2 only) MIME content-type that will be sent if the server cannot determine a type in any other way. This directive has been deprecated in Apache httpd 2.4, and only exists there for backwards compatibility of configuration files. +##### `default_vhost` -#####`default_vhost` +Configures a default virtual host when the class is declared. Valid options: Boolean. Default: 'true'. -Sets up a default virtual host. 
Defaults to 'true', set to 'false' to set up [customized virtual hosts](#configure-a-virtual-host). +To configure [customized virtual hosts][Configuring virtual hosts], set this parameter's value to 'false'. -#####`docroot` +##### `docroot` -Changes the location of the default [Documentroot](https://httpd.apache.org/docs/current/mod/core.html#documentroot). Defaults to '/var/www/html' on RedHat, '/var/www' on Debian, '/usr/local/www/apache22/data' on FreeBSD, and '/var/www/localhost/htdocs' on Gentoo. +Sets the default [`DocumentRoot`][] location. Default: Determined by your operating system. -#####`error_documents` +- **Debian**: `/var/www` +- **FreeBSD**: `/usr/local/www/apache22/data` +- **Gentoo**: `/var/www/localhost/htdocs` +- **Red Hat**: `/var/www/html` -Enables custom error documents. Defaults to 'false'. +##### `error_documents` -#####`group` +Determines whether to enable [custom error documents][] on the Apache server. Valid options: Boolean. Default: 'false'. -Changes the group that Apache will answer requests as. The parent process will continue to be run as root, but resource accesses by child processes will be done under this group. By default, puppet will attempt to manage this group as a resource under `::apache`. If this is not what you want, set [`manage_group`](#manage_group) to 'false'. Defaults to the OS-specific default user for apache, as detected in `::apache::params`. +##### `group` -#####`httpd_dir` +Sets the group ID that owns any Apache processes spawned to answer requests. -Changes the base location of the configuration directories used for the apache service. This is useful for specially repackaged HTTPD builds, but might have unintended consequences when used in combination with the default distribution packages. Defaults to '/etc/httpd' on RedHat, '/etc/apache2' on Debian, '/usr/local/etc/apache22' on FreeBSD, and '/etc/apache2' on Gentoo. 
+By default, Puppet attempts to manage this group as a resource under the `apache` class, determining the group based on the operating system as detected by the [`apache::params`][] class. To to prevent the group resource from being created and use a group created by another Puppet module, set the [`manage_group`][] parameter's value to 'false'. -#####`keepalive` +**Note**: Modifying this parameter only changes the group ID that Apache uses to spawn child processes to access resources. It does not change the user that owns the parent server process. -Enables persistent connections. +##### `httpd_dir` -#####`keepalive_timeout` +Sets the Apache server's base configuration directory. This is useful for specially repackaged Apache server builds but might have unintended consequences when combined with the default distribution packages. Default: Determined by your operating system. -Sets the amount of time the server waits for subsequent requests on a persistent connection. Defaults to '15'. +- **Debian**: `/etc/apache2` +- **FreeBSD**: `/usr/local/etc/apache22` +- **Gentoo**: `/etc/apache2` +- **Red Hat**: `/etc/httpd` -#####`max_keepalive_requests` +##### `keepalive` -Sets the limit of the number of requests allowed per connection when KeepAlive is on. Defaults to '100'. +Determines whether to enable persistent HTTP connections with the [`KeepAlive`][] directive. Valid options: 'Off', 'On'. Default: 'Off'. -#####`lib_path` +If 'On', use the [`keepalive_timeout`][] and [`max_keepalive_requests`][] parameters to set relevant options. -Specifies the location where apache module files are stored. It should not be configured manually without special reason. +##### `keepalive_timeout` -#####`loadfile_name` +Sets the [`KeepAliveTimeout`] directive, which determines the amount of time the Apache server waits for subsequent requests on a persistent HTTP connection. Default: '15'. -Sets the file name for the module loadfile. Should be in the format \*.load. 
This can be used to set the module load order. +This parameter is only relevant if the [`keepalive` parameter][] is enabled. -#####`log_level` +##### `max_keepalive_requests` -Changes the verbosity level of the error log. Defaults to 'warn'. Valid values are 'emerg', 'alert', 'crit', 'error', 'warn', 'notice', 'info', or 'debug'. +Limits the number of requests allowed per connection when the [`keepalive` parameter][] is enabled. Default: '100'. -#####`log_formats` +##### `lib_path` -Define additional [LogFormats](https://httpd.apache.org/docs/current/mod/mod_log_config.html#logformat). This is done in a Hash: +Specifies the location where [Apache module][] files are stored. Default: Depends on the operating system. -```puppet - $log_formats = { vhost_common => '%v %h %l %u %t \"%r\" %>s %b' } -``` +- **Debian** and **Gentoo**: `/usr/lib/apache2/modules` +- **FreeBSD**: `/usr/local/libexec/apache24` +- **Red Hat**: `modules` -There are a number of predefined LogFormats in the httpd.conf that Puppet writes out: +**Note**: Do not configure this parameter manually without special reason. -```httpd +##### `loadfile_name` + +Sets the [`LoadFile`] directive's filename. Valid options: Filenames in the format `\*.load`. + +This can be used to set the module load order. + +##### `log_level` + +Changes the error log's verbosity. Valid options: 'alert', 'crit', 'debug', 'emerg', 'error', 'info', 'notice', 'warn'. Default: 'warn'. + +##### `log_formats` + +Define additional [`LogFormat`][] directives. 
Valid options: A [Hash][], such as: + +~~~ puppet +$log_formats = { vhost_common => '%v %h %l %u %t \"%r\" %>s %b' } +~~~ + +There are a number of predefined `LogFormats` in the `httpd.conf` that Puppet creates: + +~~~ httpd LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined LogFormat "%h %l %u %t \"%r\" %>s %b" common LogFormat "%{Referer}i -> %U" referer LogFormat "%{User-agent}i" agent -``` +~~~ -If your `$log_formats` contains one of those, they will be overwritten with **your** definition. +If your `log_formats` parameter contains one of those, it will be overwritten with **your** definition. -#####`logroot` +##### `logroot` -Changes the directory where Apache log files for the virtual host are placed. Defaults to '/var/log/httpd' on RedHat, '/var/log/apache2' on Debian, '/var/log/apache22' on FreeBSD, and '/var/log/apache2' on Gentoo. +Changes the directory of Apache log files for the virtual host. Default: Determined by your operating system. -#####`logroot_mode` +- **Debian**: `/var/log/apache2` +- **FreeBSD**: `/var/log/apache22` +- **Gentoo**: `/var/log/apache2` +- **Red Hat**: `/var/log/httpd` -Overrides the mode the default logroot directory is set to ($::apache::logroot). Defaults to undef. Do NOT give people write access to the directory the logs are stored -in without being aware of the consequences; see http://httpd.apache.org/docs/2.4/logs.html#security for details. +##### `logroot_mode` -#####`manage_group` +Overrides the default [`logroot`][] directory's mode. Default: 'undef'. -Setting this to 'false' stops the group resource from being created. This is for when you have a group, created from another Puppet module, you want to use to run Apache. Without this parameter, attempting to use a previously established group would result in a duplicate resource error. +**Note**: Do _not_ grant write access to the directory where the logs are stored without being aware of the consequences. 
See the [Apache documentation][Log security] for details. -#####`manage_user` +##### `manage_group` -Setting this to 'false' stops the user resource from being created. This is for instances when you have a user, created from another Puppet module, you want to use to run Apache. Without this parameter, attempting to use a previously established user would result in a duplicate resource error. +When 'false', stops Puppet from creating the group resource. Valid options: Boolean. Default: 'true'. -#####`mod_dir` +If you have a group created from another Puppet module that you want to use to run Apache, set this to 'false'. Without this parameter, attempting to use a previously established group results in a duplicate resource error. -Changes the location of the configuration directory your Apache modules configuration files are placed in. Defaults to '/etc/httpd/conf.d' for RedHat, '/etc/apache2/mods-available' for Debian, '/usr/local/etc/apache22/Modules' for FreeBSD, and '/etc/apache2/modules.d' on Gentoo. +##### `manage_user` -#####`mpm_module` +When 'false', stops Puppet from creating the user resource. Valid options: Boolean. Default: 'true'. -Determines which MPM is loaded and configured for the HTTPD process. Valid values are 'event', 'itk', 'peruser', 'prefork', 'worker', or 'false'. Defaults to 'prefork' on RedHat, FreeBSD and Gentoo, and 'worker' on Debian. Must be set to 'false' to explicitly declare the following classes with custom parameters: +This is for instances when you have a user, created from another Puppet module, you want to use to run Apache. Without this parameter, attempting to use a previously established user would result in a duplicate resource error. -* `apache::mod::event` -* `apache::mod::itk` -* `apache::mod::peruser` -* `apache::mod::prefork` -* `apache::mod::worker` +##### `mod_dir` -*Note:* Switching between different MPMs on FreeBSD is possible but quite difficult. 
Before changing `$mpm_module` you must uninstall all packages that depend on your currently-installed Apache. +Sets where Puppet places configuration files for your [Apache modules][]. Default: Determined by your operating system. -#####`package_ensure` +- **Debian**: `/etc/apache2/mods-available` +- **FreeBSD**: `/usr/local/etc/apache22/Modules` +- **Gentoo**: `/etc/apache2/modules.d` +- **Red Hat**: `/etc/httpd/conf.d` -Allows control over the package ensure attribute. Can be 'present','absent', or a version string. +##### `mpm_module` -#####`ports_file` +Determines which [multi-processing module][] (MPM) is loaded and configured for the HTTPD process. Valid options: 'event', 'itk', 'peruser', 'prefork', 'worker', or 'false'. Default: Determined by your operating system. -Changes the name of the file containing Apache ports configuration. Default is `${conf_dir}/ports.conf`. +- **Debian**: `worker` +- **FreeBSD, Gentoo, and Red Hat**: `prefork` -#####`purge_configs` +You must set this to 'false' to explicitly declare the following classes with custom parameters: -Removes all other Apache configs and vhosts, defaults to 'true'. Setting this to 'false' is a stopgap measure to allow the apache module to coexist with existing or otherwise-managed configuration. It is recommended that you move your configuration entirely to resources within this module. +- [`apache::mod::event`][] +- [`apache::mod::itk`][] +- [`apache::mod::peruser`][] +- [`apache::mod::prefork`][] +- [`apache::mod::worker`][] -#####`purge_vhost_configs` +**Note**: Switching between different MPMs on FreeBSD is possible but quite difficult. Before changing `mpm_module`, you must uninstall all packages that depend on your installed Apache server. -If `vhost_dir` != `confd_dir`, this controls the removal of any configurations that are not managed by Puppet within `vhost_dir`. It defaults to the value of `purge_configs`. 
Setting this to false is a stopgap measure to allow the apache module to coexist with existing or otherwise unmanaged configurations within `vhost_dir` +##### `package_ensure` -#####`sendfile` +Controls the `package` resource's [`ensure`][] attribute. Valid options: 'absent', 'installed' (or the equivalent 'present'), or a version string. Default: 'installed'. -Makes Apache use the Linux kernel sendfile to serve static files. Defaults to 'On'. +##### `ports_file` -#####`serveradmin` +Sets the path to the file containing Apache ports configuration. Default: `{$conf_dir}/ports.conf`. -Sets the server administrator. Defaults to 'root@localhost'. +##### `purge_configs` -#####`servername` +Removes all other Apache configs and virtual hosts. Valid options: Boolean. Default: 'true'. -Sets the server name. Defaults to `fqdn` provided by Facter. +Setting this to 'false' is a stopgap measure to allow the apache Puppet module to coexist with existing or unmanaged configurations. We recommend moving your configuration to resources within this module. For virtual host configurations, see [`purge_vhost_configs`][]. -#####`server_root` +##### `purge_vhost_configs` -Sets the root directory in which the server resides. Defaults to '/etc/httpd' on RedHat, '/etc/apache2' on Debian, '/usr/local' on FreeBSD, and '/var/www' on Gentoo. +If the [`vhost_dir`][] parameter's value differs from the [`confd_dir`][] parameter's, the Boolean parameter `purge_vhost_configs` determines whether Puppet removes any configurations inside `vhost_dir` _not_ managed by Puppet. Default: same as [`purge_configs`][]. -#####`server_signature` +Setting `purge_vhost_configs` to 'false' is a stopgap measure to allow the apache Puppet module to coexist with existing or otherwise unmanaged configurations within `vhost_dir`. -Configures a trailing footer line under server-generated documents. More information about [ServerSignature](http://httpd.apache.org/docs/current/mod/core.html#serversignature). 
Defaults to 'On'. +##### `sendfile` -#####`server_tokens` +Forces Apache to use the Linux kernel's `sendfile` support to serve static files, via the [`EnableSendfile`][] directive. Valid options: 'On', 'Off'. Default: 'On'. -Controls how much information Apache sends to the browser about itself and the operating system. More information about [ServerTokens](http://httpd.apache.org/docs/current/mod/core.html#servertokens). Defaults to 'OS'. +##### `serveradmin` -#####`service_enable` +Sets the Apache server administrator's contact information via Apache's [`ServerAdmin`][] directive. Default: 'root@localhost'. -Determines whether the HTTPD service is enabled when the machine is booted. Defaults to 'true'. +##### `servername` -#####`service_ensure` +Sets the Apache server name via Apache's [`ServerName`][] directive. Default: the 'fqdn' fact reported by [Facter][]. -Determines whether the service should be running. Valid values are 'true', 'false', 'running', or 'stopped' when Puppet should manage the service. Any other value sets ensure to 'false' for the Apache service, which is useful when you want to let the service be managed by some other application like Pacemaker. Defaults to 'running'. +##### `server_root` -#####`service_name` +Sets the Apache server's root directory via Apache's [`ServerRoot`][] directive. Default: determined by your operating system. -Name of the Apache service to run. Defaults to: 'httpd' on RedHat, 'apache2' on Debian and Gentoo, and 'apache22' on FreeBSD. +- **Debian**: `/etc/apache2` +- **FreeBSD**: `/usr/local` +- **Gentoo**: `/var/www` +- **Red Hat**: `/etc/httpd` -#####`service_manage` +##### `server_signature` -Determines whether the HTTPD service state is managed by Puppet . Defaults to 'true'. +Configures a trailing footer line to display at the bottom of server-generated documents, such as error documents and output of certain [Apache modules][], via Apache's [`ServerSignature`][] directive. Valid options: 'Off', 'On'. 
Default: 'On'. -#####`service_restart` +##### `server_tokens` -Determines whether the HTTPD service restart command should be anything other than the default managed by Puppet. Defaults to undef. +Controls how much information Apache sends to the browser about itself and the operating system, via Apache's [`ServerTokens`][] directive. Defaults to 'OS'. -#####`timeout` +##### `service_enable` -Sets the amount of seconds the server will wait for certain events before failing a request. Defaults to 120. +Determines whether Puppet enables the Apache HTTPD service when the system is booted. Valid options: Boolean. Default: 'true'. -#####`trace_enable` +##### `service_ensure` -Controls how TRACE requests per RFC 2616 are handled. More information about [TraceEnable](http://httpd.apache.org/docs/current/mod/core.html#traceenable). Defaults to 'On'. +Determines whether Puppet should make sure the service is running. Valid options: 'true' (equivalent to 'running'), 'false' (equivalent to 'stopped'). Default: 'running'. -#####`vhost_dir` +The 'false' or 'stopped' values set the 'httpd' service resource's `ensure` parameter to 'false', which is useful when you want to let the service be managed by another application, such as Pacemaker. -Changes the location of the configuration directory your virtual host configuration files are placed in. Defaults to 'etc/httpd/conf.d' on RedHat, '/etc/apache2/sites-available' on Debian, '/usr/local/etc/apache22/Vhosts' on FreeBSD, and '/etc/apache2/vhosts.d' on Gentoo. +##### `service_name` -#####`user` +Sets the name of the Apache service. Default: determined by your operating system. -Changes the user that Apache will answer requests as. The parent process will continue to be run as root, but resource accesses by child processes will be done under this user. By default, puppet will attept to manage this user as a resource under `::apache`. If this is not what you want, set [`manage_user`](#manage_user) to 'false'. 
Defaults to the OS-specific default user for apache, as detected in `::apache::params`. +- **Debian and Gentoo**: `apache2` +- **FreeBSD**: `apache22` +- **Red Hat**: `httpd` -#####`apache_name` +##### `service_manage` -The name of the Apache package to install. This is automatically detected in `::apache::params`. You might need to override this if you are using a non-standard Apache package, such as those from Red Hat's software collections. +Determines whether Puppet manages the HTTPD service's state. Default: 'true'. -####Defined Type: `apache::custom_config` +##### `service_restart` -Allows you to create custom configs for Apache. The configuration files are only added to the Apache confd dir if the file is valid. An error is raised during the Puppet run if the file is invalid and `$verify_config` is `true`. +Determines whether Puppet should use a specific command to restart the HTTPD service. Valid options: a command to restart the Apache service. Default: 'undef', which uses the [default Puppet behavior][Service attribute restart]. -```puppet - apache::custom_config { 'test': - content => '# Test', - } -``` +##### `timeout` -**Parameters within `apache::custom_config`:** +Sets Apache's [`TimeOut`][] directive, which defines the number of seconds Apache waits for certain events before failing a request. Defaults to 120. -#####`ensure` +##### `trace_enable` -Specify whether the configuration file is present or absent. Defaults to 'present'. Valid values are 'present' and 'absent'. +Controls how Apache handles `TRACE` requests (per [RFC 2616][]) via the [`TraceEnable`][] directive. Valid options: 'Off', 'On'. Default: 'On'. -#####`confdir` +##### `vhost_dir` -The directory to place the configuration file in. Defaults to `$::apache::confd_dir`. +Changes your virtual host configuration files' location. Default: determined by your operating system. 
-#####`content` +- **Debian**: `/etc/apache2/sites-available` +- **FreeBSD**: `/usr/local/etc/apache22/Vhosts` +- **Gentoo**: `/etc/apache2/vhosts.d` +- **Red Hat**: `etc/httpd/conf.d` -The content of the configuration file. Only one of `$content` and `$source` can be specified. +##### `user` -#####`priority` +Changes the user Apache uses to answer requests. Apache's parent process will continue to be run as root, but child processes will access resources as the user defined by this parameter. -The priority of the configuration file, used for ordering. Defaults to '25'. +Default: Puppet sets the default value via the [`apache::params`][] class, which manages the user based on your operating system: -Pass priority `false` to omit the priority prefix in file names. +- **Debian**: 'www-data' +- **FreeBSD**: 'www' +- **Gentoo** and **Red Hat**: 'apache' + +To prevent Puppet from managing the user, set the [`manage_user`][] parameter to 'false'. -#####`source` +##### `apache_name` -The source of the configuration file. Only one of `$content` and `$source` can be specified. +The name of the Apache package to install. Default: Puppet sets the default value via the [`apache::params`][] class, which manages the user based on your operating system: -#####`verify_command` +The default value is determined by your operating system: -The command to use to verify the configuration file. It should use a fully qualified command. Defaults to '/usr/sbin/apachectl -t'. The `$verify_command` is only used if `$verify_config` is `true`. If the `$verify_command` fails, the configuration file is deleted, the Apache service is not notified, and an error is raised during the Puppet run. +- **Debian**: 'apache2' +- **FreeBSD**: 'apache24' +- **Gentoo**: 'www-servers/apache' +- **Red Hat**: 'httpd' -#####`verify_config` +You might need to override this if you are using a non-standard Apache package, such as those from Red Hat's software collections. 
-Boolean to specify whether the configuration file should be validated before the Apache service is notified. Defaults to `true`. +#### Class: `apache::dev` -####Class: `apache::default_mods` +Installs Apache development libraries. By default, the package name is defined by the [`dev_packages`] parameter of the [`apache::params`] class based on your operating system: -Installs default Apache modules based on what OS you are running. +The default value is determined by your operating system: -```puppet - class { 'apache::default_mods': } -``` +- **Debian** : 'libaprutil1-dev', 'libapr1-dev'; 'apache2-dev' on Ubuntu 13.10 and Debian 8; 'apache2-prefork-dev' on other versions +- **FreeBSD**: 'undef'; see note below +- **Gentoo**: 'undef' +- **Red Hat**: 'httpd-devel' -####Defined Type: `apache::mod` +**Note**: On FreeBSD, you must declare the `apache::package` or `apache` classes before declaring `apache::dev`. -Used to enable arbitrary Apache HTTPD modules for which there is no specific `apache::mod::[name]` class. The `apache::mod` defined type also installs the required packages to enable the module, if any. +#### Classes: `apache::mod::` -```puppet - apache::mod { 'rewrite': } - apache::mod { 'ldap': } -``` +Enables specific [Apache modules][]. You can enable and configure an Apache module by declaring its class. For example, to install and enable [`mod_alias`][] with no icons, you can declare the [`apache::mod::alias`][] class with the `icons_options` parameter set to 'None': -####Classes: `apache::mod::[name]` +~~~ puppet +class { 'apache::mod::alias': + icons_options => 'None', +} +~~~ -There are many `apache::mod::[name]` classes within this module that can be declared using `include`: +The following Apache modules have supported classes, many of which allow for parameterized configuration. You can install other Apache modules with the [`apache::mod`][] define. 
* `actions` -* `alias`(see [`apache::mod::alias`](#class-apachemodalias) below) +* `alias` (see [`apache::mod::alias`](#class-apachemodalias)) * `auth_basic` -* `auth_cas`* (see [`apache::mod::auth_cas`](#class-apachemodauthcas) below) +* `auth_cas`* (see [`apache::mod::auth_cas`](#class-apachemodauthcas)) * `auth_kerb` * `authn_core` * `authn_file` @@ -594,11 +1176,12 @@ There are many `apache::mod::[name]` classes within this module that can be decl * `dev` * `dir`* * `disk_cache` -* `event`(see [`apache::mod::event`](#class-apachemodevent) below) +* `event` (see [`apache::mod::event`](#class-apachemodevent)) * `expires` * `fastcgi` * `fcgid` * `filter` +* `geoip` (see [`apache::mod::geoip`][]) * `headers` * `include` * `info`* @@ -608,7 +1191,7 @@ There are many `apache::mod::[name]` classes within this module that can be decl * `mime_magic`* * `negotiation` * `nss`* -* `pagespeed` (see [`apache::mod::pagespeed`](#class-apachemodpagespeed) below) +* `pagespeed` (see [`apache::mod::pagespeed`](#class-apachemodpagespeed)) * `passenger`* * `perl` * `peruser` 
@@ -626,562 +1209,549 @@ There are many `apache::mod::[name]` classes within this module that can be decl * `rpaf`* * `setenvif` * `security` -* `shib`* (see [`apache::mod::shib`](#class-apachemodshib) below) +* `shib`* (see [`apache::mod::shib`](#class-apachemodshib)) * `speling` -* `ssl`* (see [`apache::mod::ssl`](#class-apachemodssl) below) -* `status`* (see [`apache::mod::status`](#class-apachemodstatus) below) +* `ssl`* (see [`apache::mod::ssl`](#class-apachemodssl)) +* `status`* (see [`apache::mod::status`](#class-apachemodstatus)) * `suphp` * `userdir`* +* `version` * `vhost_alias` * `worker`* -* `wsgi` (see [`apache::mod::wsgi`](#class-apachemodwsgi) below) +* `wsgi` (see [`apache::mod::wsgi`](#class-apachemodwsgi)) * `xsendfile` -Modules noted with a * indicate that the module has settings and, thus, a template that includes parameters. These parameters control the module's configuration. Most of the time, these parameters do not require any configuration or attention. +Modules noted with a * indicate that the module has settings and a template that includes parameters to configure the module. Most Apache module class parameters have default values and don't require configuration. For modules with templates, Puppet installs template files with the module; these template files are required for the module to work. -The modules mentioned above, and other Apache modules that have templates, cause template files to be dropped along with the mod install. The module will not work without the template. Any module without a template installs the package but drops no files. +##### Class: `apache::mod::alias` -###Class: `apache::mod::alias` +Installs and manages [`mod_alias`][]. -Installs and manages the alias module. +**Parameters within `apache::mod::alias`**: -Full Documentation for alias is available from [Apache](https://httpd.apache.org/docs/current/mod/mod_alias.html). 
+* `icons_options`: Disables directory listings for the icons directory, via Apache [`Options`] directive. Default: 'Indexes MultiViews'. +* `icons_path`: Sets the local path for an `/icons/` Alias. Default: depends on your operating system. -To disable directory listing for the icons directory: -```puppet - class { 'apache::mod::alias': - icons_options => 'None', - } -``` +- **Debian**: `/usr/share/apache2/icons` +- **FreeBSD**: `/usr/local/www/apache24/icons` +- **Gentoo**: `/var/www/icons` +- **Red Hat**: `/var/www/icons`, except on Apache 2.4, where it's `/usr/share/httpd/icons` -####Class: `apache::mod::event` +##### Class: `apache::mod::event` -Installs and manages mpm_event module. +Installs and manages [`mod_mpm_event`][]. You can't include both `apache::mod::event` and [`apache::mod::itk`][], [`apache::mod::peruser`][], [`apache::mod::prefork`][], or [`apache::mod::worker`][] on the same server. -Full Documentation for mpm_event is available from [Apache](https://httpd.apache.org/docs/current/mod/event.html). +**Parameters within `apache::mod::event`**: -To configure the event thread limit: +- `listenbacklog`: Sets the maximum length of the pending connections queue via the module's [`ListenBackLog`][] directive. Default: '511'. +- `maxclients` (_Apache 2.3.12 or older_: `maxrequestworkers`): Sets the maximum number of connections Apache can simultaneously process, via the module's [`MaxRequestWorkers`][] directive. Default: '150'. +- `maxconnectionsperchild` (_Apache 2.3.8 or older_: `maxrequestsperchild`): Limits the number of connections a child server handles during its life, via the module's [`MaxConnectionsPerChild`][] directive. Default: '0'. +- `maxsparethreads` and `minsparethreads`: Sets the maximum and minimum number of idle threads, via the [`MaxSpareThreads`][] and [`MinSpareThreads`][] directives. Default: '75' and '25', respectively. +- `serverlimit`: Limits the configurable number of processes via the [`ServerLimit`][] directive. 
Default: '25'. +- `startservers`: Sets the number of child server processes created at startup, via the module's [`StartServers`][] directive. Default: '2'. +- `threadlimit`: Limits the number of event threads via the module's [`ThreadLimit`][] directive. Default: '64'. +- `threadsperchild`: Sets the number of threads created by each child process, via the [`ThreadsPerChild`][] directive. Default: '25'. -```puppet - class {'apache::mod::event': - $threadlimit => '128', - } -``` +##### Class: `apache::mod::auth_cas` -####Class: `apache::mod::auth_cas` +Installs and manages [`mod_auth_cas`][]. Its parameters share names with the Apache module's directives. -Installs and manages mod_auth_cas. The parameters `cas_login_url` and `cas_validate_url` are required. +The `cas_login_url` and `cas_validate_url` parameters are required; several other parameters have 'undef' default values. -Full documentation on mod_auth_cas is available from [JASIG](https://github.com/Jasig/mod_auth_cas). +**Parameters within `apache::mod::auth_cas`**: -####Class: `apache::mod::geoip` +- `cas_authoritative`: Determines whether an optional authorization directive is authoritative and binding. Default: 'undef'. +- `cas_certificate_path`: Sets the path to the X509 certificate of the Certificate Authority for the server in `cas_login_url` and `cas_validate_url`. Default: 'undef'. +- `cas_cache_clean_interval`: Sets the minimum number of seconds that must pass between cache cleanings. Default: 'undef'. +- `cas_cookie_domain`: Sets the value of the `Domain=` parameter in the `Set-Cookie` HTTP header. Default: 'undef'. +- `cas_cookie_entropy`: Sets the number of bytes to use when creating session identifiers. Default: 'undef'. +- `cas_cookie_http_only`: Sets the optional `HttpOnly` flag when `mod_auth_cas` issues cookies. Default: 'undef'. +- `cas_debug`: Determines whether to enable the module's debugging mode. Default: 'Off'. +- `cas_idle_timeout`: Default: 'undef'. 
+- `cas_login_url`: **Required**. Sets the URL to which the module redirects users when they attempt to access a CAS-protected resource and don't have an active session. +- `cas_root_proxied_as`: Sets the URL end users see when access to this Apache server is proxied. Default: 'undef'. +- `cas_timeout`: Limits the number of seconds a `mod_auth_cas` session can remain active. Default: 'undef'. +- `cas_validate_depth`: Limits the depth for chained certificate validation. Default: 'undef'. +- `cas_validate_url`: **Required**. Sets the URL to use when validating a client-presented ticket in an HTTP query string. +- `cas_version`: The CAS protocol version to adhere to. Valid options: '1', '2'. Default: '2'. -Installs and manages mod_geoip. +##### Class: `apache::mod::deflate` -Full documentation on mod_geoip is available from [MaxMind](http://dev.maxmind.com/geoip/legacy/mod_geoip2/). +Installs and configures [`mod_deflate`][]. -These are the default settings: +**Parameters within `apache::mod::deflate`:** -```puppet - class {'apache::mod::geoip': - enable => false, - db_file => '/usr/share/GeoIP/GeoIP.dat', - flag => 'Standard', - output => 'All', - } -``` +- `types`: An [array][] of [MIME types][MIME `content-type`] to be deflated. Default: [ 'text/html text/plain text/xml', 'text/css', 'application/x-javascript application/javascript application/ecmascript', 'application/rss+xml' ]. +- `notes`: A [Hash][] where the key represents the type and the value represents the note name. Default: { 'Input' => 'instream', 'Output' => 'outstream', 'Ratio' => 'ratio' } -#####`enable` +##### Class: `apache::mod::expires` -Boolean. Enable or Disable mod_geoip globally. Defaults to false. +Installs [`mod_expires`][] and uses the `expires.conf.erb` template to generate its configuration. -#####`db_file` +**Parameters within `apache::mod::expires`**: -The full path to your GeoIP database file. Defaults to `/usr/share/GeoIP/GeoIP.dat`. 
This parameter optionally takes an array of paths for multiple GeoIP database files. +- `expires_active`: Enables generation of `Expires` headers for a document realm. Default: 'true'. +- `expires_default`: Default algorithm for calculating expiration time using [`ExpiresByType`][] syntax or [interval syntax][]. Default: undef. +- `expires_by_type`: Describes a set of [MIME `content-type`][] and their expiration times. Valid options: An [array][] of [Hashes][Hash], with each Hash's key a valid MIME `content-type` (i.e. 'text/json') and its value following valid [interval syntax][]. Default: undef. -#####`flag` +##### Class: `apache::mod::fcgid` -GeoIP Flag. Defaults to 'Standard'. +Installs and configures [`mod_fcgid`][]. -#####`output` +The class makes no effort to individually parameterize all available options. Instead, configure `mod_fcgid` using the `options` [Hash][]. For example: -Defines which output variables to use. Defaults to 'All'. +~~~ puppet +class { 'apache::mod::fcgid': + options => { + 'FcgidIPCDir' => '/var/run/fcgidsock', + 'SharememPath' => '/var/run/fcgid_shm', + 'AddHandler' => 'fcgid-script .fcgi', + }, +} +~~~ -#####`enable_utf8` +For a full list of options, see the [official `mod_fcgid` documentation][`mod_fcgid`]. -Boolean. Changes the output from ISO-8859-1 (Latin-1) to UTF-8. +If you include `apache::mod::fcgid`, you can set the [`FcgidWrapper`][] per directory, per virtual host. The module must be loaded first; Puppet will not automatically enable it if you set the `fcgiwrapper` parameter in `apache::vhost`. -#####`scan_proxy_headers` +~~~ puppet +include apache::mod::fcgid -Boolean. Enables the GeoIPScanProxyHeaders option. More information can be found [here](http://dev.maxmind.com/geoip/legacy/mod_geoip2/#Proxy-Related_Directives). 
+apache::vhost { 'example.org': + docroot => '/var/www/html', + directories => { + path => '/var/www/html', + fcgiwrapper => { + command => '/usr/local/bin/fcgiwrapper', + } + }, +} +~~~ -#####`scan_proxy_header_field` +##### Class: `apache::mod::geoip` -Specifies which header that mod_geoip should look at to determine the client's IP address. +Installs and manages [`mod_geoip`][]. -#####`use_last_xforwarededfor_ip` +**Parameters within `apache::mod::geoip`**: -Boolean. If a comma-separated list of IP addresses is found, use the last IP address for the client's IP. +- `db_file`: Sets the path to your GeoIP database file. Valid options: a path, or an [array][] paths for multiple GeoIP database files. Default: `/usr/share/GeoIP/GeoIP.dat`. +- `enable`: Determines whether to globally enable [`mod_geoip`][]. Valid options: Boolean. Default: 'false'. +- `flag`: Sets the GeoIP flag. Valid options: 'CheckCache', 'IndexCache', 'MemoryCache', 'Standard'. Default: 'Standard'. +- `output`: Defines which output variables to use. Valid options: 'All', 'Env', 'Request', 'Notes'. Default: 'All'. +- `enable_utf8`: Changes the output from ISO-8859-1 (Latin-1) to UTF-8. Valid options: Boolean. Default: 'undef'. +- `scan_proxy_headers`: Enables the [GeoIPScanProxyHeaders][] option. Valid options: Boolean. Default: 'undef'. +- `scan_proxy_header_field`: Specifies which header [`mod_geoip`][] should look at to determine the client's IP address. Default: 'undef'. +- `use_last_xforwarededfor_ip` (sic): Determines whether to use the first or last IP address for the client's IP if a comma-separated list of IP addresses is found. Valid options: Boolean. Default: 'undef'. -####Class: `apache::mod::info` +##### Class: `apache::mod::info` -Installs and manages mod_info which provides a comprehensive overview of the server configuration. +Installs and manages [`mod_info`][], which provides a comprehensive overview of the server configuration. 
-Full documentation for mod_info is available from [Apache](https://httpd.apache.org/docs/current/mod/mod_info.html). +**Parameters within `apache::mod::info`**: -These are the default settings: +- `allow_from`: Whitelist of IPv4 or IPv6 addresses or ranges that can access `/server-info`. Valid options: One or more octets of an IPv4 address, an IPv6 address or range, or an array of either. Default: ['127.0.0.1','::1'] +- `apache_version`: Default: `$::apache::apache_version`, +- `restrict_access`: Determines whether to enable access restrictions. If 'false', the `allow_from` whitelist is ignored and any IP address can access `/server-info`. Valid options: Boolean. Default: 'true'. -```puppet - $allow_from = ['127.0.0.1','::1'], - $apache_version = $::apache::apache_version, - $restrict_access = true, -``` +##### Class: `apache::mod::negotiation` -To set the addresses that are allowed to access /server-info add the following: +Installs and configures [`mod_negotiation`][]. -```puppet - class {'apache::mod::info': - allow_from => [ - '10.10.36', - '10.10.38', - '127.0.0.1', - ], - } -``` +**Parameters within `apache::mod::negotiation`:** -To disable the access restrictions add the following: +- `force_language_priority`: Sets the `ForceLanguagePriority` option. Valid option: String. Default: `Prefer Fallback`. +- `language_priority`: An [array][] of languages to set the `LanguagePriority` option of the module. Default: [ 'en', 'ca', 'cs', 'da', 'de', 'el', 'eo', 'es', 'et', 'fr', 'he', 'hr', 'it', 'ja', 'ko', 'ltz', 'nl', 'nn', 'no', 'pl', 'pt', 'pt-BR', 'ru', 'sv', 'zh-CN', 'zh-TW' ] -```puppet - class {'apache::mod::info': - restrict_access => false, - } -``` - -It is not recommended to leave this set to false though it can be very useful for testing. 
For this reason, you can insert this setting in your normal code to temporarily disable the restrictions like so: - -```puppet - class {'apache::mod::info': - restrict_access => false, # false disables the block below - allow_from => [ - '10.10.36', - '10.10.38', - '127.0.0.1', - ], - } -``` - -####Class: `apache::mod::pagespeed` - -Installs and manages mod_pagespeed, which is a Google module that rewrites web pages to reduce latency and bandwidth. - -This module does *not* manage the software repositories needed to automatically install the -mod-pagespeed-stable package. The module does however require that the package be installed, -or be installable using the system's default package provider. You should ensure that this -pre-requisite is met or declaring `apache::mod::pagespeed` causes the Puppet run to fail. - -These are the defaults: - -```puppet - class { 'apache::mod::pagespeed': - inherit_vhost_config => 'on', - filter_xhtml => false, - cache_path => '/var/cache/mod_pagespeed/', - log_dir => '/var/log/pagespeed', - memcache_servers => [], - rewrite_level => 'CoreFilters', - disable_filters => [], - enable_filters => [], - forbid_filters => [], - rewrite_deadline_per_flush_ms => 10, - additional_domains => undef, - file_cache_size_kb => 102400, - file_cache_clean_interval_ms => 3600000, - lru_cache_per_process => 1024, - lru_cache_byte_limit => 16384, - css_flatten_max_bytes => 2048, - css_inline_max_bytes => 2048, - css_image_inline_max_bytes => 2048, - image_inline_max_bytes => 2048, - js_inline_max_bytes => 2048, - css_outline_min_bytes => 3000, - js_outline_min_bytes => 3000, - inode_limit => 500000, - image_max_rewrites_at_once => 8, - num_rewrite_threads => 4, - num_expensive_rewrite_threads => 4, - collect_statistics => 'on', - statistics_logging => 'on', - allow_view_stats => [], - allow_pagespeed_console => [], - allow_pagespeed_message => [], - message_buffer_size => 100000, - additional_configuration => { } - } -``` +##### Class: 
`apache::mod::pagespeed` -Full documentation for mod_pagespeed is available from [Google](http://modpagespeed.com). +Installs and manages [`mod_pagespeed`], a Google module that rewrites web pages to reduce latency and bandwidth. -####Class: `apache::mod::php` +While this Apache module requires the `mod-pagespeed-stable` package, Puppet **doesn't** manage the software repositories required to automatically install the package. If you declare this class when the package is either not installed or not available to your package manager, your Puppet run will fail. -Installs and configures mod_php. The defaults are OS-dependant. +**Parameters within `apache::mod::info`**: -Overriding the package name: -```puppet - class {'::apache::mod::php': - package_name => "php54-php", - path => "${::apache::params::lib_path}/libphp54-php5.so", - } -``` +- `inherit_vhost_config`: Default: 'on'. +- `filter_xhtml`: Default: false. +- `cache_path`: Default: '/var/cache/mod_pagespeed/'. +- `log_dir`: Default: '/var/log/pagespeed'. +- `memcache_servers`: Default: []. +- `rewrite_level`: Default: 'CoreFilters'. +- `disable_filters`: Default: []. +- `enable_filters`: Default: []. +- `forbid_filters`: Default: []. +- `rewrite_deadline_per_flush_ms`: Default: 10. +- `additional_domains`: Default: undef. +- `file_cache_size_kb`: Default: 102400. +- `file_cache_clean_interval_ms`: Default: 3600000. +- `lru_cache_per_process`: Default: 1024. +- `lru_cache_byte_limit`: Default: 16384. +- `css_flatten_max_bytes`: Default: 2048. +- `css_inline_max_bytes`: Default: 2048. +- `css_image_inline_max_bytes`: Default: 2048. +- `image_inline_max_bytes`: Default: 2048. +- `js_inline_max_bytes`: Default: 2048. +- `css_outline_min_bytes`: Default: 3000. +- `js_outline_min_bytes`: Default: 3000. +- `inode_limit`: Default: 500000. +- `image_max_rewrites_at_once`: Default: 8. +- `num_rewrite_threads`: Default: 4. +- `num_expensive_rewrite_threads`: Default: 4. +- `collect_statistics`: Default: 'on'. 
+- `statistics_logging`: Default: 'on'. +- `allow_view_stats`: Default: []. +- `allow_pagespeed_console`: Default: []. +- `allow_pagespeed_message`: Default: []. +- `message_buffer_size`: Default: 100000. +- `additional_configuration`: Default: { }. -Overriding the default configuartion: -```puppet - class {'::apache::mod::php': - source => 'puppet:///modules/apache/my_php.conf', - } -``` +The class's parameters correspond to the module's directives. See the [module's documentation][`mod_pagespeed`] for details. -or -```puppet - class {'::apache::mod::php': - template => 'apache/php.conf.erb', - } -``` +##### Class: `apache::mod::php` -or +Installs and configures [`mod_php`][]. -```puppet - class {'::apache::mod::php': - content => ' -AddHandler php5-script .php -AddType text/html .php', - } -``` -####Class: `apache::mod::shib` +**Parameters within `apache::mod::php`**: -Installs the [Shibboleth](http://shibboleth.net/) module for Apache which allows the use of SAML2 Single-Sign-On (SSO) authentication by Shibboleth Identity Providers and Shibboleth Federations. This class only installs and configures the Apache components of a Shibboleth Service Provider (a web application that consumes Shibboleth SSO identities). The Shibboleth configuration can be managed manually, with Puppet, or using a [Shibboleth Puppet Module](https://github.com/aethylred/puppet-shibboleth). +Default values depend on your operating system. -Defining this class enables the Shibboleth specific parameters in `apache::vhost` instances. +> **Note**: This list is incomplete. Most of this class's parameters correspond to `mod_php` directives; see the [module's documentation][`mod_php`] for details. -####Class: `apache::mod::ssl` +- `package_name`: Names the package that installs `php_mod`. +- `path`: Defines the path to the `mod_php` shared object (`.so`) file. +- `source`: Defines the path to the default configuration. Valid options include a `puppet:///` paths. 
+- `template`: Defines the path to the `php.conf` template Puppet uses to generate the configuration file. +- `content`: Adds arbitrary content to `php.conf`. -Installs Apache SSL capabilities and uses the ssl.conf.erb template. These are the defaults: +##### Class: `apache::mod::reqtimeout` -```puppet - class { 'apache::mod::ssl': - ssl_compression => false, - ssl_cryptodevice => 'builtin', - ssl_options => [ 'StdEnvVars' ], - ssl_openssl_conf_cmd => undef, - ssl_cipher => 'HIGH:MEDIUM:!aNULL:!MD5', - ssl_honorcipherorder => 'On', - ssl_protocol => [ 'all', '-SSLv2', '-SSLv3' ], - ssl_pass_phrase_dialog => 'builtin', - ssl_random_seed_bytes => '512', - ssl_sessioncachetimeout => '300', - } -``` +Installs and configures [`mod_reqtimeout`][]. -To *use* SSL with a virtual host, you must either set the`default_ssl_vhost` parameter in `::apache` to 'true' or set the `ssl` parameter in `apache::vhost` to 'true'. +**Parameters within `apache::mod::reqtimeout`**: -####Class: `apache::mod::status` +- `timeouts`: A string or [array][] that sets the [`RequestReadTimeout`][] option. Default: ['header=20-40,MinRate=500', 'body=20,MinRate=500']. -Installs Apache mod_status and uses the status.conf.erb template. These are the defaults: +##### Class: `apache::mod::shib` -```puppet - class { 'apache::mod::status': - allow_from => ['127.0.0.1','::1'], - extended_status => 'On', - status_path => '/server-status', -){ +Installs the [Shibboleth](http://shibboleth.net/) Apache module `mod_shib`, which enables SAML2 single sign-on (SSO) authentication by Shibboleth Identity Providers and Shibboleth Federations. This class only installs and configures the Apache components of a web application that consumes Shibboleth SSO identities, also known as a Shibboleth Service Provider. You can manage the Shibboleth configuration manually, with Puppet, or using a [Shibboleth Puppet Module](https://github.com/aethylred/puppet-shibboleth). 
+Defining this class enables Shibboleth-specific parameters in `apache::vhost` instances. - } -``` +##### Class: `apache::mod::ssl` -####Class: `apache::mod::expires` +Installs [Apache SSL features][`mod_ssl`] and uses the `ssl.conf.erb` template to generate its configuration. -Installs Apache mod_expires and uses the expires.conf.erb template. These are the defaults: +**Parameters within `apache::mod::ssl`**: -```puppet - class { 'apache::mod::expires': - expires_active => true, - expires_default => undef, - expires_by_type => undef, -){ +- `ssl_cipher`: Default: 'HIGH:MEDIUM:!aNULL:!MD5'. +- `ssl_compression`: Default: 'false'. +- `ssl_cryptodevice`: Default: 'builtin'. +- `ssl_honorcipherorder`: Default: 'On'. +- `ssl_openssl_conf_cmd`: Default: 'undef'. +- `ssl_options`: Default: [ 'StdEnvVars' ] +- `ssl_pass_phrase_dialog`: Default: 'builtin'. +- `ssl_protocol`: Default: [ 'all', '-SSLv2', '-SSLv3' ]. +- `ssl_random_seed_bytes`: Default: '512'. +- `ssl_sessioncachetimeout`: Default: '300'. +To use SSL with a virtual host, you must either set the [`default_ssl_vhost`][] parameter in `::apache` to 'true' **o**r the [`ssl`][] parameter in [`apache::vhost`][] to 'true'. - } -``` +##### Class: `apache::mod::status` -`expires_by_type` is an array of Hashes, describing a set of types and their expire times: +Installs [`mod_status`][] and uses the `status.conf.erb` template to generate its configuration. -```puppet - class { 'apache::mod::expires': - expires_by_type => [ - { 'text/json' => 'access plus 1 month' }, - { 'text/html' => 'access plus 1 year' }, - ] - } -``` +**Parameters within `apache::mod::status`**: -####Class: `apache::mod::wsgi` +- `allow_from`: An [array][] of IPv4 or IPv6 addresses that can access `/server-status`. Default: ['127.0.0.1','::1']. +- `extended_status`: Determines whether to track extended status information for each request, via the [`ExtendedStatus`][] directive. Valid options: 'Off', 'On'. Default: 'On'. 
+- `status_path`: The server location of the status page. Default: '/server-status'. -Enables Python support in the WSGI module. To use, simply `include 'apache::mod::wsgi'`. +##### Class: `apache::mod::version` -For customized parameters, which tell Apache how Python is currently configured on the operating system, +Installs [`mod_version`][] on many operating systems and Apache configurations. -```puppet - class { 'apache::mod::wsgi': - wsgi_socket_prefix => "\${APACHE_RUN_DIR}WSGI", - wsgi_python_home => '/path/to/venv', - wsgi_python_path => '/path/to/venv/site-packages', - } -``` - -To specify an alternate mod\_wsgi package name to install and the name of the module .so it provides, -(e.g. a "python27-mod\_wsgi" package that provides "python27-mod_wsgi.so" in the default module directory): - -```puppet - class { 'apache::mod::wsgi': - wsgi_socket_prefix => "\${APACHE_RUN_DIR}WSGI", - wsgi_python_home => '/path/to/venv', - wsgi_python_path => '/path/to/venv/site-packages', - package_name => 'python27-mod_wsgi', - mod_path => 'python27-mod_wsgi.so', - } -``` +If Debian and Ubuntu systems with Apache 2.4 are classified with `apache::mod::version`, Puppet warns that `mod_version` is built-in and can't be loaded. -If ``mod_path`` does not contain "/", it will be prefixed by the default module path -for your OS; otherwise, it will be used literally. +##### Class: `apache::mod::security` -More information about [WSGI](http://modwsgi.readthedocs.org/en/latest/). +Installs and configures Trustwave's [`mod_security`][]. It is enabled and runs by default on all virtual hosts. -####Class: `apache::mod::fcgid` +**Parameters within `apache::mod::security`**: -Installs and configures mod_fcgid. +- `activated_rules`: An [array][] of rules from the `modsec_crs_path` to activate via symlinks. Default: `modsec_default_rules` in [`apache::params`][]. +- `allowed_methods`: A space-separated list of allowed HTTP methods. Default: 'GET HEAD POST OPTIONS'. 
+- `content_types`: A list of one or more allowed [MIME types][MIME `content-type`]. Default: 'application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf' +- `crs_package`: Names the package that installs CRS rules. Default: `modsec_crs_package` in [`apache::params`][]. +- `modsec_dir`: Defines the path where Puppet installs the modsec configuration and activated rules links. Default: 'On', set by `modsec_dir` in [`apache::params`][]. +${modsec_dir}/activated_rules. +- `modsec_secruleengine`: Configures the modsec rules engine. Valid options: 'On', 'Off', and 'DetectionOnly'. Default: `modsec_secruleengine` in [`apache::params`][]. +- `restricted_extensions`: A space-separated list of prohibited file extensions. Default: '.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'. +- `restricted_headers`: A list of restricted headers separated by slashes and spaces. Default: 'Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/'. -The class makes no effort to list all available options, but rather uses an options hash to allow for ultimate flexibility: +##### Class: `apache::mod::wsgi` -```puppet - class { 'apache::mod::fcgid': - options => { - 'FcgidIPCDir' => '/var/run/fcgidsock', - 'SharememPath' => '/var/run/fcgid_shm', - 'AddHandler' => 'fcgid-script .fcgi', - }, - } -``` +Enables Python support via [`mod_wsgi`][]. -For a full list op options, see the [official mod_fcgid documentation](https://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html). +**Parameters within `apache::mod::wsgi`**: -It is also possible to set the FcgidWrapper per directory per vhost. You must ensure the fcgid module is loaded because there is no auto loading. 
+- `mod_path`: Defines the path to the `mod_wsgi` shared object (`.so`) file. Default: undef. + - If the `mod_path` parameter doesn't contain `/`, Puppet prefixes it with your operating system's default module path. +Otherwise, Puppet follows it literally. +- `package_name`: Names the package that installs `mod_wsgi`. Default: undef. +- `wsgi_python_home`: Defines the [`WSGIPythonHome`][] directive, such as '/path/to/venv'. Valid options: path. Default: undef. +- `wsgi_python_path`: Defines the [`WSGIPythonPath`][] directive, such as '/path/to/venv/site-packages'. Valid options: path. Default: undef. +- `wsgi_socket_prefix`: Defines the [`WSGISocketPrefix`][] directive, such as "\${APACHE_RUN_DIR}WSGI". Default: `wsgi_socket_prefix` in [`apache::params`][]. -```puppet - include apache::mod::fcgid - apache::vhost { 'example.org': - docroot => '/var/www/html', - directories => { - path => '/var/www/html', - fcgiwrapper => { - command => '/usr/local/bin/fcgiwrapper', - } - }, - } -``` +The class's parameters correspond to the module's directives. See the [module's documentation][`mod_wsgi`] for details. -See [FcgidWrapper documentation](https://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html#fcgidwrapper) for more information. +### Private Classes -####Class: `apache::mod::negotiation` +#### Class: `apache::confd::no_accf` -Installs and configures mod_negotiation. If there are not provided any -parameter, default apache mod_negotiation configuration is done. +Creates the `no-accf.conf` configuration file in `conf.d`, required by FreeBSD's Apache 2.4. -```puppet - class { '::apache::mod::negotiation': - force_language_priority => 'Prefer', - language_priority => [ 'es', 'en', 'ca', 'cs', 'da', 'de', 'el', 'eo' ], - } -``` +#### Class: `apache::default_confd_files` -**Parameters within `apache::mod::negotiation`:** +Includes `conf.d` files for FreeBSD. 
-#####`force_language_priority` +#### Class: `apache::default_mods` -A string that sets the `ForceLanguagePriority` option. Defaults to `Prefer Fallback`. +Installs the Apache modules required to run the default configuration. See the `apache` class's [`default_mods`][] parameter for details. -#####`language_priority` +#### Class: `apache::package` -An array of languages to set the `LanguagePriority` option of the module. +Installs and configures basic Apache packages. -####Class: `apache::mod::deflate` +#### Class: `apache::params` -Installs and configures mod_deflate. If no parameters are provided, a default configuration is applied. +Manages Apache parameters for different operating systems. -```puppet - class { '::apache::mod::deflate': - types => [ 'text/html', 'text/css' ], - notes => { - 'Input' => 'instream', - 'Ratio' => 'ratio', - }, - } -``` +#### Class: `apache::service` -#####`types` +Manages the Apache daemon. -An array of mime types to be deflated. +#### Class: `apache::version` -#####`notes` +Attempts to automatically detect the Apache version based on the operating system. -A hash where the key represents the type and the value represents the note name. +### Public Defines +#### Define: `apache::balancer` -####Class: `apache::mod::reqtimeout` +Creates an Apache load balancing group, also known as a balancer cluster, using [`mod_proxy`][]. Each load balancing group needs one or more balancer members, which you can declare in Puppet with the [`apache::balancermember`][] define. -Installs and configures mod_reqtimeout. Defaults to recommended apache -mod_reqtimeout configuration. +Declare one `apache::balancer` define for each Apache load balancing group. You can export `apache::balancermember` defines for all balancer members and collect them on a single Apache load balancer server using [exported resources][]. 
-```puppet - class { '::apache::mod::reqtimeout': - timeouts => ['header=20-40,MinRate=500', 'body=20,MinRate=500'], - } -``` +**Parameters within `apache::balancer`**: -####Class: `apache::mod::version` +##### `name` -This wrapper around mod_version warns on Debian and Ubuntu systems with Apache httpd 2.4 -about loading mod_version, as on these platforms it's already built-in. +Sets the title of the balancer cluster and name of the `conf.d` file containing its configuration. -```puppet - include '::apache::mod::version' -``` +##### `proxy_set` -#####`timeouts` +Configures key-value pairs as [`ProxySet`][] lines. Valid options: [Hash][]. Default: '{}'. -A string or an array that sets the `RequestReadTimeout` option. Defaults to -`['header=20-40,MinRate=500', 'body=20,MinRate=500']`. +##### `collect_exported` +Determines whether to use [exported resources][]. Valid options: Boolean. Default: 'true'. -####Class: `apache::mod::security` +If you statically declare all of your backend servers, set this parameter to 'false' to rely on existing, declared balancer member resources. Also, use `apache::balancermember` with [array][] arguments. -Installs and configures mod_security. Defaults to enabled and running on all -vhosts. +To dynamically declare backend servers via exported resources collected on a central node, set this parameter to 'true' to collect the balancer member resources exported by the balancer member nodes. -```puppet - include '::apache::mod::security' -``` +If you don't use exported resources, a single Puppet run configures all balancer members. If you use exported resources, Puppet has to run on the balanced nodes first, then run on the balancer. -#####`crs_package` +#### Define: `apache::balancermember` -Name of package to install containing crs rules +Defines members of [`mod_proxy_balancer`][], which sets up a balancer member inside a listening service configuration block in the load balancer's `apache.cfg`. 
-#####`modsec_dir` +**Parameters within `apache::balancermember`**: -Directory to install the modsec configuration and activated rules links into +##### `balancer_cluster` -#####`modsec_secruleengine` +**Required**. Sets the Apache service's instance name, and must match the name of a declared [`apache::balancer`][] resource. -Configures the rules engine. Valid vaules are On, Off, and DetectionOnly +##### `url` -#####`activated_rules` +Specifies the URL used to contact the balancer member server. Default: 'http://${::fqdn}/'. -Array of rules from the modsec_crs_path to activate by symlinking to -${modsec_dir}/activated_rules. +##### `options` -#####`allowed_methods` +Specifies an [array][] of [options](http://httpd.apache.org/docs/current/mod/mod_proxy.html#balancermember) after the URL, and accepts any key-value pairs available to [`ProxyPass`][]. Default: an empty array. -HTTP methods allowed by mod_security +#### Define: `apache::custom_config` -#####`content_types` +Adds a custom configuration file to the Apache server's `conf.d` directory. If the file is invalid and this define's `$verify_config` parameter is 'true', Puppet throws an error during a Puppet run. -Content-types allowed by mod_security +**Parameters within `apache::custom_config`**: -#####`restricted_extensions` +##### `ensure` -Extensions prohibited by mod_security +Specifies whether the configuration file should be present. Valid options: 'absent', 'present'. Default: 'present'. -#####`restricted_headers` +##### `confdir` -Headers restricted by mod_security +Sets the directory in which Puppet places configuration files. Default: '$::apache::confd_dir'. +##### `content` -####Defined Type: `apache::vhost` +Sets the configuration file's content. The `content` and [`source`][] parameters are exclusive of each other. -The Apache module allows a lot of flexibility in the setup and configuration of virtual hosts. 
This flexibility is due, in part, to `vhost` being a defined resource type, which allows it to be evaluated multiple times with different parameters. +##### `priority` -The `vhost` defined type allows you to have specialized configurations for virtual hosts that have requirements outside the defaults. You can set up a default vhost within the base `::apache` class, as well as set a customized vhost as default. Your customized vhost (priority 10) will be privileged over the base class vhost (15). +Sets the configuration file's priority by prefixing its filename with this parameter's numeric value, as Apache processes configuration files in alphanumeric order. The default value is `25`. -The `vhost` defined type uses `concat::fragment` to build the configuration file, so if you want to inject custom fragments for pieces of the configuration not supported by default by the defined type, you can add a custom fragment. For the `order` parameter for the custom fragment, the `vhost` defined type uses multiples of 10, so any order that isn't a multiple of 10 should work. +To omit the priority prefix in the configuration file's name, set this parameter to `false`. -```puppet - apache::vhost { "example.com": - docroot => '/var/www/html', - priority => '25', - } - concat::fragment { "example.com-my_custom_fragment": - target => '25-example.com.conf', - order => 11, - content => '# my custom comment', - } -``` +##### `source` -If you have a series of specific configurations and do not want a base `::apache` class default vhost, make sure to set the base class `default_vhost` to 'false'. +Points to the configuration file's source. The [`content`][] and `source` parameters are exclusive of each other. -```puppet - class { 'apache': - default_vhost => false, - } -``` +##### `verify_command` + +Specifies the command Puppet uses to verify the configuration file. Use a fully qualified command. Default: `/usr/sbin/apachectl -t`. 
+ +This parameter is only used if the [`verify_config`][] parameter's value is 'true'. If the `verify_command` fails, the Puppet run deletes the configuration file, does not notify the Apache service, and raises an error. + +##### `verify_config` + +Specifies whether to validate the configuration file before notifying the Apache service. Valid options: Boolean. Default: `true`. + +#### Define: `apache::fastcgi::server` + +Defines one or more external FastCGI servers to handle specific file types. Use this define with [`mod_fastcgi`][FastCGI]. + +**Parameters within `apache::fastcgi::server`:** + +##### `host` + +Determines the FastCGI's hostname or IP address and TCP port number (1-65535). + +##### `timeout` + +Sets the number of seconds a [FastCGI][] application can be inactive before aborting the request and logging the event at the error LogLevel. The inactivity timer applies only as long as a connection is pending with the FastCGI application. If a request is queued to an application, but the application doesn't respond by writing and flushing within this period, the request is aborted. If communication is complete with the application but incomplete with the client (the response is buffered), the timeout does not apply. -**Parameters within `apache::vhost`:** +##### `flush` -#####`access_log` +Forces [`mod_fastcgi`][FastCGI] to write to the client as data is received from the application. By default, `mod_fastcgi` buffers data in order to free the application as quickly as possible. -Specifies whether `*_access.log` directives (`*_file`,`*_pipe`, or `*_syslog`) should be configured. Setting the value to 'false' chooses none. Defaults to 'true'. +##### `faux_path` -#####`access_log_file` +Apache has [FastCGI][] handle URIs that resolve to this filename. The path set in this parameter does not have to exist in the local filesystem. -Sets the `*_access.log` filename that is placed in `$logroot`. 
Given a vhost, example.com, it defaults to 'example.com_ssl.log' for SSL vhosts and 'example.com_access.log' for non-SSL vhosts. +##### `alias` -#####`access_log_pipe` +Internally links actions with the FastCGI server. This alias must be unique. -Specifies a pipe to send access log messages to. Defaults to 'undef'. +##### `file_type` -#####`access_log_syslog` +Sets the [MIME `content-type`][] of the file to be processed by the FastCGI server. -Sends all access log messages to syslog. Defaults to 'undef'. +#### Define: `apache::listen` -#####`access_log_format` +Adds [`Listen`][] directives to `ports.conf` in the Apache configuration directory that define the Apache server's or a virtual host's listening address and port. The [`apache::vhost`][] class uses this define, and titles take the form '', ':', or ':'. -Specifies the use of either a LogFormat nickname or a custom format string for the access log. Defaults to 'combined'. See [these examples](http://httpd.apache.org/docs/current/mod/mod_log_config.html). +#### Define: `apache::mod` -#####`access_log_env_var` +Installs packages for an Apache module that doesn't have a corresponding [`apache::mod::`][] class, and checks for or places the module's default configuration files in the Apache server's `module` and `enable` directories. The default locations depend on your operating system. + +**Parameters within `apache::mod`**: + +##### `package` + +**Required**. Names the package Puppet uses to install the Apache module. + +##### `package_ensure` + +Determines whether Puppet ensures the Apache module should be installed. Valid options: 'absent', 'present'. Default: 'present'. + +##### `lib` + +Defines the module's shared object name. Its default value is `mod_$name.so`, and it should not be configured manually without special reason. + +##### `lib_path` + +Specifies a path to the module's libraries. Default: the `apache` class's [`lib_path`][] parameter. + +Don't manually set this parameter without special reason. 
The [`path`][] parameter overrides this value. + +##### `loadfile_name` + +Sets the filename for the module's [`LoadFile`][] directive, which can also set the module load order as Apache processes them in alphanumeric order. Valid options: filenames formatted `\*.load`. Default: `$name.load`. + +##### `loadfiles` + +Specifies an [array][] of [`LoadFile`][] directives. + +##### `path` + +Specifies a path to the module. Default: [`lib_path`][]/[`lib`][]. Don't manually set this parameter without special reason. + +#### Define: `apache::namevirtualhost` + +Enables [name-based virtual hosts][] and adds all related directives to the `ports.conf` file in the Apache HTTPD configuration directory. Titles can take the forms '\*', '*:', '\_default_:, '', or ':'. + +#### Define: `apache::vhost` + +The Apache module allows a lot of flexibility in the setup and configuration of virtual hosts. This flexibility is due, in part, to `vhost` being a defined resource type, which allows Apache to evaluate it multiple times with different parameters. + +The `apache::vhost` define allows you to have specialized configurations for virtual hosts that have requirements outside the defaults. You can set up a default virtual host within the base `::apache` class, as well as set a customized virtual host as the default. Customized virtual hosts have a lower numeric [`priority`][] than the base class's, causing Apache to process the customized virtual host first. + +The `apache::vhost` define uses `concat::fragment` to build the configuration file. To inject custom fragments for pieces of the configuration that the define doesn't inherently support, add a custom fragment. + +For the custom fragment's `order` parameter, the `apache::vhost` define uses multiples of 10, so any `order` that isn't a multiple of 10 should work. + +**Parameters within `apache::vhost`**: + +##### `access_log` + +Determines whether to configure `*_access.log` directives (`*_file`,`*_pipe`, or `*_syslog`). 
Valid options: Boolean. Default: 'true'. + +##### `access_log_env_var` Specifies that only requests with particular environment variables be logged. Defaults to 'undef'. -#####`add_default_charset` +##### `access_log_file` + +Sets the filename of the `*_access.log` placed in [`logroot`][]. Given a virtual host---for instance, example.com---it defaults to 'example.com_ssl.log' for [SSL-encrypted][SSL encryption] virtual hosts and 'example.com_access.log' for unencrypted virtual hosts. + +##### `access_log_format` + +Specifies the use of either a [`LogFormat`][] nickname or a custom-formatted string for the access log. Default: 'combined'. + +##### `access_log_pipe` + +Specifies a pipe where Apache sends access log messages. Default: 'undef'. + +##### `access_log_syslog` -Sets [AddDefaultCharset](http://httpd.apache.org/docs/current/mod/core.html#adddefaultcharset), a default value for the media charset, which is added to text/plain and text/html responses. +Sends all access log messages to syslog. Default: 'undef'. -#####`add_listen` +##### `add_default_charset` -Determines whether the vhost creates a Listen statement. The default value is 'true'. +Sets a default media charset value for the [`AddDefaultCharset`][] directive, which is added to `text/plain` and `text/html` responses. -Setting `add_listen` to 'false' stops the vhost from creating a Listen statement, and this is important when you combine vhosts that are not passed an `ip` parameter with vhosts that *are* passed the `ip` parameter. +##### `add_listen` -#####`use_optional_includes` +Determines whether the virtual host creates a [`Listen`][] statement. Valid options: Boolean. Default: 'true'. -Specifies if for apache > 2.4 it should use IncludeOptional instead of Include for `additional_includes`. Defaults to 'false'. +Setting `add_listen` to 'false' prevents the virtual host from creating a `Listen` statement. 
This is important when combining virtual hosts that aren't passed an `ip` parameter with those that are. -#####`additional_includes` +##### `use_optional_includes` -Specifies paths to additional static, vhost-specific Apache configuration files. Useful for implementing a unique, custom configuration not supported by this module. Can be an array. Defaults to '[]'. +Specifies whether Apache uses the [`IncludeOptional`][] directive instead of [`Include`][] for `additional_includes` in Apache 2.4 or newer. Valid options: Boolean. Default: 'false'. -#####`aliases` +##### `additional_includes` -Passes a list of hashes to the vhost to create Alias, AliasMatch, ScriptAlias or ScriptAliasMatch directives as per the [mod_alias documentation](http://httpd.apache.org/docs/current/mod/mod_alias.html). These hashes are formatted as follows: +Specifies paths to additional static, virtual host-specific Apache configuration files. You can use this parameter to implement a unique, custom configuration not supported by this module. Valid options: a string path or [array][] of them. Default: an empty array. -```puppet +##### `aliases` + +Passes a list of [Hashes][Hash] to the virtual host to create [`Alias`][], [`AliasMatch`][], [`ScriptAlias`][] or [`ScriptAliasMatch`][] directives as per the [`mod_alias`][] documentation. + +For example: + +~~~ puppet aliases => [ { aliasmatch => '^/image/(.*)\.jpg$', path => '/files/jpg.images/$1.jpg', 
@@ -1199,102 +1769,100 @@ aliases => [ path => '/usr/share/nagios/html', }, ], -``` +~~~ -For `alias`, `aliasmatch`, `scriptalias` and `scriptaliasmatch` to work, each needs a corresponding context, such as `` or ``. The directives are created in the order specified in the `aliases` parameter. As described in the [`mod_alias` documentation](http://httpd.apache.org/docs/current/mod/mod_alias.html), more specific `alias`, `aliasmatch`, `scriptalias` or `scriptaliasmatch` parameters should come before the more general ones to avoid shadowing. +For the `alias`, `aliasmatch`, `scriptalias` and `scriptaliasmatch` keys to work, each needs a corresponding context, such as `` or ``. Puppet creates the directives in the order specified in the `aliases` parameter. As described in the [`mod_alias`][] documentation, add more specific `alias`, `aliasmatch`, `scriptalias` or `scriptaliasmatch` parameters before the more general ones to avoid shadowing. -*Note*: Using the `aliases` parameter is preferred over the `scriptaliases` parameter since here the order of the various alias directives among each other can be controlled precisely. Defining ScriptAliases using the `scriptaliases` parameter means *all* ScriptAlias directives will come after *all* Alias directives, which can lead to Alias directives shadowing ScriptAlias directives. This is often problematic, for example in case of Nagios. +**Note**: Use the `aliases` parameter instead of the `scriptaliases` parameter because you can precisely control the various alias directives' order. Defining `ScriptAliases` using the `scriptaliases` parameter means *all* `ScriptAlias` directives will come after *all* `Alias` directives, which can lead to `Alias` directives shadowing `ScriptAlias` directives. This often causes problems, for example with Nagios. -*Note:* If `apache::mod::passenger` is loaded and `PassengerHighPerformance => true` is set, then Alias might have issues honoring the `PassengerEnabled => off` statement. 
See [this article](http://www.conandalton.net/2010/06/passengerenabled-off-not-working.html) for details. +If [`apache::mod::passenger`][] is loaded and `PassengerHighPerformance` is 'true', the `Alias` directive might not be able to honor the `PassengerEnabled => off` statement. See [this article](http://www.conandalton.net/2010/06/passengerenabled-off-not-working.html) for details. -#####`allow_encoded_slashes` +##### `allow_encoded_slashes` -This sets the [`AllowEncodedSlashes` declaration](http://httpd.apache.org/docs/current/mod/core.html#allowencodedslashes) for the vhost, overriding the server default. This modifies the vhost responses to URLs with `\` and `/` characters. The default is undefined, which omits the declaration from the server configuration and select the Apache default setting of `Off`. Allowed values are: `on`, `off` or `nodecode`. +Sets the [`AllowEncodedSlashes`][] declaration for the virtual host, overriding the server default. This modifies the virtual host responses to URLs with `\` and `/` characters. Valid options: 'nodecode', 'off', 'on'. Default: undef, which omits the declaration from the server configuration and selects the Apache default setting of `Off`. -#####`block` +##### `block` -Specifies the list of things Apache blocks access to. The default is an empty set, '[]'. Currently, the only option is 'scm', which blocks web access to .svn, .git and .bzr directories. +Specifies the list of things to which Apache blocks access. Valid option: 'scm', which blocks web access to `.svn`, `.git`, and `.bzr` directories. Default: an empty [array][]. -#####`custom_fragment` +##### `custom_fragment` -Passes a string of custom configuration directives to be placed at the end of the vhost configuration. Defaults to 'undef'. +Passes a string of custom configuration directives to place at the end of the virtual host configuration. Default: 'undef'. 
-#####`default_vhost` +##### `default_vhost` -Sets a given `apache::vhost` as the default to serve requests that do not match any other `apache::vhost` definitions. The default value is 'false'. +Sets a given `apache::vhost` define as the default to serve requests that do not match any other `apache::vhost` defines. Default: 'false'. -#####`directories` +##### `directories` -See the [`directories` section](#parameter-directories-for-apachevhost). +See the [`directories`](#parameter-directories-for-apachevhost) section. -#####`directoryindex` +##### `directoryindex` -Sets the list of resources to look for when a client requests an index of the directory by specifying a '/' at the end of the directory name. [DirectoryIndex](http://httpd.apache.org/docs/current/mod/mod_dir.html#directoryindex) has more information. Defaults to 'undef'. +Sets the list of resources to look for when a client requests an index of the directory by specifying a '/' at the end of the directory name. See the [`DirectoryIndex`][] directive documentation for details. Default: 'undef'. -#####`docroot` +##### `docroot` -Provides the -[DocumentRoot](http://httpd.apache.org/docs/current/mod/core.html#documentroot) -directive, which identifies the directory Apache serves files from. Required. +**Required**. Sets the [`DocumentRoot`][] location, from which Apache serves files. -#####`docroot_group` +##### `docroot_group` -Sets group access to the docroot directory. Defaults to 'root'. +Sets group access to the [`docroot`][] directory. Defaults to 'root'. -#####`docroot_owner` +##### `docroot_owner` Sets individual user access to the docroot directory. Defaults to 'root'. -#####`docroot_mode` +##### `docroot_mode` Sets access permissions of the docroot directory. Defaults to 'undef'. -#####`manage_docroot` +##### `manage_docroot` Whether to manage to docroot directory at all. Defaults to 'true'. -#####`error_log` +##### `error_log` Specifies whether `*_error.log` directives should be configured. 
Defaults to 'true'. -#####`error_log_file` +##### `error_log_file` Points to the `*_error.log` file. Given a vhost, example.com, it defaults to 'example.com_ssl_error.log' for SSL vhosts and 'example.com_access_error.log' for non-SSL vhosts. -#####`error_log_pipe` +##### `error_log_pipe` Specifies a pipe to send error log messages to. Defaults to 'undef'. -#####`error_log_syslog` +##### `error_log_syslog` Sends all error log messages to syslog. Defaults to 'undef'. -#####`error_documents` +##### `error_documents` A list of hashes which can be used to override the [ErrorDocument](https://httpd.apache.org/docs/current/mod/core.html#errordocument) settings for this vhost. Defaults to '[]'. Example: -```puppet +~~~ puppet apache::vhost { 'sample.example.net': error_documents => [ { 'error_code' => '503', 'document' => '/service-unavail' }, { 'error_code' => '407', 'document' => 'https://example.com/proxy/login' }, ], } -``` +~~~ -#####`ensure` +##### `ensure` Specifies if the vhost file is present or absent. Defaults to 'present'. -#####`fallbackresource` +##### `fallbackresource` Sets the [FallbackResource](http://httpd.apache.org/docs/current/mod/mod_dir.html#fallbackresource) directive, which specifies an action to take for any URL that doesn't map to anything in your filesystem and would otherwise return 'HTTP 404 (Not Found)'. Valid values must either begin with a / or be 'disabled'. Defaults to 'undef'. -#####`filters` +##### `filters` [Filters](http://httpd.apache.org/docs/2.2/mod/mod_filter.html) enable smart, context-sensitive configuration of output content filters. -```puppet +~~~ puppet apache::vhost { "$::fqdn": filters => [ 'FilterDeclare COMPRESS', 
@@ -1303,25 +1871,25 @@ Sets the [FallbackResource](http://httpd.apache.org/docs/current/mod/mod_dir.htm 'FilterProtocol COMPRESS DEFLATE change=yes;byteranges=no', ], } -``` +~~~ -#####`force_type` +##### `force_type` -Sets the [ForceType](http://httpd.apache.org/docs/2.2/mod/core.html#forcetype) directive, to force all matching files to be served with the specified MIME content-type. +Sets the [`ForceType`][] directive, which forces Apache to serve all matching files with the specified [MIME `content-type`][]. -#####`headers` +##### `headers` Adds lines to replace, merge, or remove response headers. See [Header](http://httpd.apache.org/docs/current/mod/mod_headers.html#header) for more information. Can be an array. Defaults to 'undef'. -#####`ip` +##### `ip` Sets the IP address the vhost listens on. Defaults to listen on all IPs. -#####`ip_based` +##### `ip_based` Enables an [IP-based](http://httpd.apache.org/docs/current/vhosts/ip-based.html) vhost. This parameter inhibits the creation of a NameVirtualHost directive, since those are used to funnel requests to name-based vhosts. Defaults to 'false'. -#####`itk` +##### `itk` Configures [ITK](http://mpm-itk.sesse.net/) in a hash. Keys can be: @@ -1335,7 +1903,7 @@ Configures [ITK](http://mpm-itk.sesse.net/) in a hash. Keys can be: Usage typically looks like: -```puppet +~~~ puppet apache::vhost { 'sample.example.net': docroot => '/path/to/directory', itk => { 
@@ -1343,123 +1911,123 @@ Usage typically looks like: group => 'somegroup', }, } -``` +~~~ -#####`logroot` +##### `logroot` Specifies the location of the virtual host's logfiles. Defaults to '/var/log//'. -#####`$logroot_ensure` +##### `$logroot_ensure` Determines whether or not to remove the logroot directory for a virtual host. Valid values are 'directory', or 'absent'. -#####`logroot_mode` +##### `logroot_mode` Overrides the mode the logroot directory is set to. Defaults to undef. Do NOT give people write access to the directory the logs are stored in without being aware of the consequences; see http://httpd.apache.org/docs/2.4/logs.html#security for details. -#####`log_level` +##### `log_level` Specifies the verbosity of the error log. Defaults to 'warn' for the global server configuration and can be overridden on a per-vhost basis. Valid values are 'emerg', 'alert', 'crit', 'error', 'warn', 'notice', 'info' or 'debug'. -######`modsec_body_limit` +###### `modsec_body_limit` Configures the maximum request body size (in bytes) ModSecurity will accept for buffering -######`modsec_disable_vhost` +###### `modsec_disable_vhost` Boolean. Only valid if apache::mod::security is included. Used to disable mod_security on an individual vhost. Only relevant if apache::mod::security is included. -######`modsec_disable_ids` +###### `modsec_disable_ids` Array of mod_security IDs to remove from the vhost. Also takes a hash allowing removal of an ID from a specific location. -```puppet +~~~ puppet apache::vhost { 'sample.example.net': modsec_disable_ids => [ 90015, 90016 ], } -``` +~~~ -```puppet +~~~ puppet apache::vhost { 'sample.example.net': modsec_disable_ids => { '/location1' => [ 90015, 90016 ] }, } -``` +~~~ -######`modsec_disable_ips` +###### `modsec_disable_ips` Array of IPs to exclude from mod_security rule matching -#####`no_proxy_uris` +##### `no_proxy_uris` Specifies URLs you do not want to proxy. 
This parameter is meant to be used in combination with [`proxy_dest`](#proxy_dest). -#####`no_proxy_uris_match` +##### `no_proxy_uris_match` This directive is equivalent to `no_proxy_uris`, but takes regular expressions. -#####`proxy_preserve_host` +##### `proxy_preserve_host` Sets the [ProxyPreserveHost Directive](http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypreservehost). true Enables the Host: line from an incoming request to be proxied to the host instead of hostname . false sets this option to off (default). -#####`proxy_error_override` +##### `proxy_error_override` Sets the [ProxyErrorOverride Directive](http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxyerroroverride). This directive controls whether apache should override error pages for proxied content. This option is off by default. -#####`options` +##### `options` Sets the [Options](http://httpd.apache.org/docs/current/mod/core.html#options) for the specified virtual host. Defaults to '['Indexes','FollowSymLinks','MultiViews']', as demonstrated below: -```puppet +~~~ puppet apache::vhost { 'site.name.fdqn': … options => ['Indexes','FollowSymLinks','MultiViews'], } -``` +~~~ *Note:* If you use [`directories`](#parameter-directories-for-apachevhost), 'Options', 'Override', and 'DirectoryIndex' are ignored because they are parameters within `directories`. -#####`override` +##### `override` Sets the overrides for the specified virtual host. Accepts an array of [AllowOverride](http://httpd.apache.org/docs/current/mod/core.html#allowoverride) arguments. Defaults to '[none]'. -#####`passenger_app_root` +##### `passenger_app_root` Sets [PassengerRoot](https://www.phusionpassenger.com/documentation/Users%20guide%20Apache.html#PassengerAppRoot), the location of the Passenger application root if different from the DocumentRoot. 
-#####`passenger_app_env` +##### `passenger_app_env` Sets [PassengerAppEnv](https://www.phusionpassenger.com/documentation/Users%20guide%20Apache.html#PassengerAppEnv), the environment for the Passenger application. If not specifies, defaults to the global setting or 'production'. -#####`passenger_ruby` +##### `passenger_ruby` Sets [PassengerRuby](https://www.phusionpassenger.com/documentation/Users%20guide%20Apache.html#PassengerRuby) on this virtual host, the Ruby interpreter to use for the application. -#####`passenger_min_instances` +##### `passenger_min_instances` Sets [PassengerMinInstances](https://www.phusionpassenger.com/documentation/Users%20guide%20Apache.html#PassengerMinInstances), the minimum number of application processes to run. -#####`passenger_start_timeout` +##### `passenger_start_timeout` Sets [PassengerStartTimeout](https://www.phusionpassenger.com/documentation/Users%20guide%20Apache.html#_passengerstarttimeout_lt_seconds_gt), the timeout for the application startup. -#####`passenger_pre_start` +##### `passenger_pre_start` Sets [PassengerPreStart](https://www.phusionpassenger.com/documentation/Users%20guide%20Apache.html#PassengerPreStart), the URL of the application if pre-starting is required. -#####`php_flags & values` +##### `php_flags & values` Allows per-vhost setting [`php_value`s or `php_flag`s](http://php.net/manual/en/configuration.changes.php). These flags or values can be overwritten by a user or an application. Defaults to '{}'. -#####`php_admin_flags & values` +##### `php_admin_flags & values` Allows per-vhost setting [`php_admin_value`s or `php_admin_flag`s](http://php.net/manual/en/configuration.changes.php). These flags or values cannot be overwritten by a user or an application. Defaults to '{}'. -#####`port` +##### `port` Sets the port the host is configured on. The module's defaults ensure the host listens on port 80 for non-SSL vhosts and port 443 for SSL vhosts. The host only listens on the port set in this parameter. 
-#####`priority` +##### `priority` Sets the relative load-order for Apache HTTPD VirtualHost configuration files. Defaults to '25'. @@ -1469,15 +2037,15 @@ If nothing matches the priority, the first name-based vhost is used. Likewise, p Pass priority `false` to omit the priority prefix in file names. -#####`proxy_dest` +##### `proxy_dest` Specifies the destination address of a [ProxyPass](http://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypass) configuration. Defaults to 'undef'. -#####`proxy_pass` +##### `proxy_pass` Specifies an array of `path => URI` for a [ProxyPass](http://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypass) configuration. Defaults to 'undef'. Optionally parameters can be added as an array. -```puppet +~~~ puppet apache::vhost { 'site.name.fdqn': … proxy_pass => [ 
@@ -1494,73 +2062,73 @@ apache::vhost { 'site.name.fdqn': 'setenv' => ['proxy-nokeepalive 1','force-proxy-request-1.0 1']}, ], } -``` +~~~ `reverse_urls` is optional and can be an array or a string. It is useful when used with `mod_proxy_balancer`. `params` is an optional parameter. It allows to provide the ProxyPass key=value parameters (Connection settings). `setenv` is optional and is an array to set environment variables for the proxy directive, for details see http://httpd.apache.org/docs/current/mod/mod_proxy.html#envsettings -#####`proxy_dest_match` +##### `proxy_dest_match` This directive is equivalent to proxy_dest, but takes regular expressions, see [ProxyPassMatch](http://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypassmatch) for details. -#####`proxy_dest_reverse_match` +##### `proxy_dest_reverse_match` Allows you to pass a ProxyPassReverse if `proxy_dest_match` is specified. See [ProxyPassReverse](http://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypassreverse) for details. -#####`proxy_pass_match` +##### `proxy_pass_match` This directive is equivalent to proxy_pass, but takes regular expressions, see [ProxyPassMatch](http://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypassmatch) for details. -#####`rack_base_uris` +##### `rack_base_uris` Specifies the resource identifiers for a rack configuration. The file paths specified are listed as rack application roots for [Phusion Passenger](http://www.modrails.com/documentation/Users%20guide%20Apache.html#_railsbaseuri_and_rackbaseuri) in the _rack.erb template. Defaults to 'undef'. -#####`redirect_dest` +##### `redirect_dest` Specifies the address to redirect to. Defaults to 'undef'. -#####`redirect_source` +##### `redirect_source` Specifies the source URIs that redirect to the destination specified in `redirect_dest`. If more than one item for redirect is supplied, the source and destination must be the same length, and the items are order-dependent. 
-```puppet +~~~ puppet apache::vhost { 'site.name.fdqn': … redirect_source => ['/images','/downloads'], redirect_dest => ['http://img.example.com/','http://downloads.example.com/'], } -``` +~~~ -#####`redirect_status` +##### `redirect_status` Specifies the status to append to the redirect. Defaults to 'undef'. -```puppet +~~~ puppet apache::vhost { 'site.name.fdqn': … redirect_status => ['temp','permanent'], } -``` +~~~ -#####`redirectmatch_regexp` & `redirectmatch_status` & `redirectmatch_dest` +##### `redirectmatch_regexp` & `redirectmatch_status` & `redirectmatch_dest` Determines which server status should be raised for a given regular expression and where to forward the user to. Entered as arrays. Defaults to 'undef'. -```puppet +~~~ puppet apache::vhost { 'site.name.fdqn': … redirectmatch_status => ['404','404'], redirectmatch_regexp => ['\.git(/.*|$)/','\.svn(/.*|$)'], redirectmatch_dest => ['http://www.example.com/1','http://www.example.com/2'], } -``` +~~~ -#####`request_headers` +##### `request_headers` Modifies collected [request headers](http://httpd.apache.org/docs/current/mod/mod_headers.html#requestheader) in various ways, including adding additional request headers, removing request headers, etc. Defaults to 'undef'. -```puppet +~~~ puppet apache::vhost { 'site.name.fdqn': … request_headers => [ 
@@ -1568,23 +2136,23 @@ Modifies collected [request headers](http://httpd.apache.org/docs/current/mod/mo 'unset MirrorID', ], } -``` -#####`rewrites` +~~~ +##### `rewrites` Creates URL rewrite rules. Expects an array of hashes, and the hash keys can be any of 'comment', 'rewrite_base', 'rewrite_cond', 'rewrite_rule' or 'rewrite_map'. Defaults to 'undef'. For example, you can specify that anyone trying to access index.html is served welcome.html -```puppet +~~~ puppet apache::vhost { 'site.name.fdqn': … rewrites => [ { rewrite_rule => ['^index\.html$ welcome.html'] } ] } -``` +~~~ The parameter allows rewrite conditions that, when true, execute the associated rule. For instance, if you wanted to rewrite URLs only if the visitor is using IE -```puppet +~~~ puppet apache::vhost { 'site.name.fdqn': … rewrites => [ @@ -1595,11 +2163,11 @@ The parameter allows rewrite conditions that, when true, execute the associated }, ], } -``` +~~~ You can also apply multiple conditions. For instance, rewrite index.html to welcome.html only when the browser is Lynx or Mozilla (version 1 or 2) -```puppet +~~~ puppet apache::vhost { 'site.name.fdqn': … rewrites => [ @@ -1610,11 +2178,11 @@ You can also apply multiple conditions. For instance, rewrite index.html to welc }, ], } -``` +~~~ Multiple rewrites and conditions are also possible -```puppet +~~~ puppet apache::vhost { 'site.name.fdqn': … rewrites => [ 
@@ -1639,21 +2207,21 @@ Multiple rewrites and conditions are also possible }, ], } -``` +~~~ Refer to the [`mod_rewrite` documentation](http://httpd.apache.org/docs/current/mod/mod_rewrite.html) for more details on what is possible with rewrite rules and conditions. -#####`scriptalias` +##### `scriptalias` Defines a directory of CGI scripts to be aliased to the path '/cgi-bin', for example: '/usr/scripts'. Defaults to 'undef'. -#####`scriptaliases` +##### `scriptaliases` *Note*: This parameter is deprecated in favour of the `aliases` parameter. Passes an array of hashes to the vhost to create either ScriptAlias or ScriptAliasMatch statements as per the [`mod_alias` documentation](http://httpd.apache.org/docs/current/mod/mod_alias.html). These hashes are formatted as follows: -```puppet +~~~ puppet scriptaliases => [ { alias => '/myscript', 
@@ -1672,39 +2240,39 @@ Passes an array of hashes to the vhost to create either ScriptAlias or ScriptAli path => '/usr/share/neatscript', }, ] -``` +~~~ The ScriptAlias and ScriptAliasMatch directives are created in the order specified. As with [Alias and AliasMatch](#aliases) directives, more specific aliases should come before more general ones to avoid shadowing. -#####`serveradmin` +##### `serveradmin` Specifies the email address Apache displays when it renders one of its error pages. Defaults to 'undef'. -#####`serveraliases` +##### `serveraliases` Sets the [ServerAliases](http://httpd.apache.org/docs/current/mod/core.html#serveralias) of the site. Defaults to '[]'. -#####`servername` +##### `servername` Sets the servername corresponding to the hostname you connect to the virtual host at. Defaults to the title of the resource. -#####`setenv` +##### `setenv` Used by HTTPD to set environment variables for vhosts. Defaults to '[]'. Example: -```puppet +~~~ puppet apache::vhost { 'setenv.example.com': setenv => ['SPECIAL_PATH /foo/bin'], } -``` +~~~ -#####`setenvif` +##### `setenvif` Used by HTTPD to conditionally set environment variables for vhosts. Defaults to '[]'. -#####`suphp_addhandler`, `suphp_configpath`, & `suphp_engine` +##### `suphp_addhandler`, `suphp_configpath`, & `suphp_engine` Set up a virtual host with [suPHP](http://suphp.org/DocumentationView.html?file=apache/CONFIG). @@ -1716,7 +2284,7 @@ Set up a virtual host with [suPHP](http://suphp.org/DocumentationView.html?file= To set up a virtual host with suPHP -```puppet +~~~ puppet apache::vhost { 'suphp.example.com': port => '80', docroot => '/home/appuser/myphpapp', 
@@ -1727,17 +2295,17 @@ To set up a virtual host with suPHP 'suphp' => { user => 'myappuser', group => 'myappgroup' }, } } -``` +~~~ -#####`vhost_name` +##### `vhost_name` Enables name-based virtual hosting. If no IP is passed to the virtual host, but the vhost is assigned a port, then the vhost name is 'vhost_name:port'. If the virtual host has no assigned IP or port, the vhost name is set to the title of the resource. Defaults to '*'. -#####`virtual_docroot` +##### `virtual_docroot` Sets up a virtual host with a wildcard alias subdomain mapped to a directory with the same name. For example, 'http://example.com' would map to '/var/www/example.com'. Defaults to 'false'. -```puppet +~~~ puppet apache::vhost { 'subdomain.loc': vhost_name => '*', port => '80', @@ -1745,9 +2313,9 @@ Sets up a virtual host with a wildcard alias subdomain mapped to a directory wit docroot => '/var/www', serveraliases => ['*.loc',], } -``` +~~~ -#####`wsgi_daemon_process`, `wsgi_daemon_process_options`, `wsgi_process_group`, `wsgi_script_aliases`, & `wsgi_pass_authorization` +##### `wsgi_daemon_process`, `wsgi_daemon_process_options`, `wsgi_process_group`, `wsgi_script_aliases`, & `wsgi_pass_authorization` Set up a virtual host with [WSGI](https://code.google.com/p/modwsgi/). @@ -1765,7 +2333,7 @@ Set up a virtual host with [WSGI](https://code.google.com/p/modwsgi/). To set up a virtual host with WSGI -```puppet +~~~ puppet apache::vhost { 'wsgi.example.com': port => '80', docroot => '/var/www/pythonapp', @@ -1779,7 +2347,7 @@ To set up a virtual host with WSGI wsgi_script_aliases => { '/' => '/var/www/demo.wsgi' }, wsgi_chunked_request => 'On', } -``` +~~~ ####Parameter `directories` for `apache::vhost` @@ -1791,7 +2359,7 @@ The `provider` key is optional. If missing, this key defaults to 'directory'. Va General `directories` usage looks something like -```puppet +~~~ puppet apache::vhost { 'files.example.net': docroot => '/var/www/files', directories => [ 
@@ -1801,26 +2369,26 @@ General `directories` usage looks something like }, ], } -``` +~~~ *Note:* At least one directory should match the `docroot` parameter. After you start declaring directories, `apache::vhost` assumes that all required Directory blocks will be declared. If not defined, a single default Directory block is created that matches the `docroot` parameter. Available handlers, represented as keys, should be placed within the `directory`, `files`, or `location` hashes. This looks like -```puppet +~~~ puppet apache::vhost { 'sample.example.net': docroot => '/path/to/directory', directories => [ { path => '/path/to/directory', handler => value } ], } -``` +~~~ Any handlers you do not set in these hashes are considered 'undefined' within Puppet and are not added to the virtual host, resulting in the module using their default values. Supported handlers are: -######`addhandlers` +###### `addhandlers` Sets [AddHandler](http://httpd.apache.org/docs/current/mod/mod_mime.html#addhandler) directives, which map filename extensions to the specified handler. Accepts a list of hashes, with `extensions` serving to list the extensions being managed by the handler, and takes the form: `{ handler => 'handler-name', extensions => ['extension']}`. -```puppet +~~~ puppet apache::vhost { 'sample.example.net': docroot => '/path/to/directory', directories => [ @@ -1829,13 +2397,13 @@ Sets [AddHandler](http://httpd.apache.org/docs/current/mod/mod_mime.html#addhand }, ], } -``` +~~~ -######`allow` +###### `allow` Sets an [Allow](http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#allow) directive, which groups authorizations based on hostnames or IPs. **Deprecated:** This parameter is being deprecated due to a change in Apache. It only works with Apache 2.2 and lower. You can use it as a single string for one rule or as an array for more than one. -```puppet +~~~ puppet apache::vhost { 'sample.example.net': docroot => '/path/to/directory', directories => [ 
@@ -1844,13 +2412,13 @@ Sets an [Allow](http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#allow) }, ], } -``` +~~~ -######`allow_override` +###### `allow_override` Sets the types of directives allowed in [.htaccess](http://httpd.apache.org/docs/current/mod/core.html#allowoverride) files. Accepts an array. -```puppet +~~~ puppet apache::vhost { 'sample.example.net': docroot => '/path/to/directory', directories => [ 
@@ -1859,69 +2427,69 @@ Sets the types of directives allowed in [.htaccess](http://httpd.apache.org/docs }, ], } -``` +~~~ -######`auth_basic_authoritative` +###### `auth_basic_authoritative` Sets the value for [AuthBasicAuthoritative](https://httpd.apache.org/docs/current/mod/mod_auth_basic.html#authbasicauthoritative), which determines whether authorization and authentication are passed to lower level Apache modules. -######`auth_basic_fake` +###### `auth_basic_fake` Sets the value for [AuthBasicFake](http://httpd.apache.org/docs/current/mod/mod_auth_basic.html#authbasicfake), which statically configures authorization credentials for a given directive block. -######`auth_basic_provider` +###### `auth_basic_provider` Sets the value for [AuthBasicProvider] (http://httpd.apache.org/docs/current/mod/mod_auth_basic.html#authbasicprovider), which sets the authentication provider for a given location. -######`auth_digest_algorithm` +###### `auth_digest_algorithm` Sets the value for [AuthDigestAlgorithm](http://httpd.apache.org/docs/current/mod/mod_auth_digest.html#authdigestalgorithm), which selects the algorithm used to calculate the challenge and response hashes. -######`auth_digest_domain` +###### `auth_digest_domain` Sets the value for [AuthDigestDomain](http://httpd.apache.org/docs/current/mod/mod_auth_digest.html#authdigestdomain), which allows you to specify one or more URIs in the same protection space for digest authentication. -######`auth_digest_nonce_lifetime` +###### `auth_digest_nonce_lifetime` Sets the value for [AuthDigestNonceLifetime](http://httpd.apache.org/docs/current/mod/mod_auth_digest.html#authdigestnoncelifetime), which controls how long the server nonce is valid. -######`auth_digest_provider` +###### `auth_digest_provider` Sets the value for [AuthDigestProvider](http://httpd.apache.org/docs/current/mod/mod_auth_digest.html#authdigestprovider), which sets the authentication provider for a given location. 
-######`auth_digest_qop` +###### `auth_digest_qop` Sets the value for [AuthDigestQop](http://httpd.apache.org/docs/current/mod/mod_auth_digest.html#authdigestqop), which determines the quality-of-protection to use in digest authentication. -######`auth_digest_shmem_size` +###### `auth_digest_shmem_size` Sets the value for [AuthAuthDigestShmemSize](http://httpd.apache.org/docs/current/mod/mod_auth_digest.html#authdigestshmemsize), which defines the amount of shared memory allocated to the server for keeping track of clients. -######`auth_group_file` +###### `auth_group_file` Sets the value for [AuthGroupFile](https://httpd.apache.org/docs/current/mod/mod_authz_groupfile.html#authgroupfile), which sets the name of the text file containing the list of user groups for authorization. -######`auth_name` +###### `auth_name` Sets the value for [AuthName](http://httpd.apache.org/docs/current/mod/mod_authn_core.html#authname), which sets the name of the authorization realm. -######`auth_require` +###### `auth_require` Sets the entity name you're requiring to allow access. Read more about [Require](http://httpd.apache.org/docs/current/mod/mod_authz_host.html#requiredirectives). -######`auth_type` +###### `auth_type` Sets the value for [AuthType](http://httpd.apache.org/docs/current/mod/mod_authn_core.html#authtype), which guides the type of user authentication. -######`auth_user_file` +###### `auth_user_file` Sets the value for [AuthUserFile](http://httpd.apache.org/docs/current/mod/mod_authn_file.html#authuserfile), which sets the name of the text file containing the users/passwords for authentication. -######`custom_fragment` +###### `custom_fragment` Pass a string of custom configuration directives to be placed at the end of the directory configuration. -```puppet +~~~ puppet apache::vhost { 'monitor': … directories => [ 
@@ -1942,13 +2510,13 @@ Pass a string of custom configuration directives to be placed at the end of the }, ] } -``` +~~~ -######`deny` +###### `deny` Sets a [Deny](http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#deny) directive, specifying which hosts are denied access to the server. **Deprecated:** This parameter is being deprecated due to a change in Apache. It only works with Apache 2.2 and lower. You can use it as a single string for one rule or as an array for more than one. -```puppet +~~~ puppet apache::vhost { 'sample.example.net': docroot => '/path/to/directory', directories => [ @@ -1957,13 +2525,13 @@ Sets a [Deny](http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#deny) dir }, ], } -``` +~~~ -######`error_documents` +###### `error_documents` An array of hashes used to override the [ErrorDocument](https://httpd.apache.org/docs/current/mod/core.html#errordocument) settings for the directory. -```puppet +~~~ puppet apache::vhost { 'sample.example.net': directories => [ { path => '/srv/www', @@ -1975,14 +2543,14 @@ An array of hashes used to override the [ErrorDocument](https://httpd.apache.org }, ], } -``` +~~~ -######`geoip_enable` +###### `geoip_enable` Sets the [GeoIPEnable](http://dev.maxmind.com/geoip/legacy/mod_geoip2/#Configuration) directive. Note that you must declare `class {'apache::mod::geoip': }` before using this directive. -```puppet +~~~ puppet apache::vhost { 'first.example.com': docroot => '/var/www/first', directories => [ @@ -1991,13 +2559,13 @@ Note that you must declare `class {'apache::mod::geoip': }` before using this di }, ], } -``` +~~~ -######`headers` +###### `headers` Adds lines for [Header](http://httpd.apache.org/docs/current/mod/mod_headers.html#header) directives. -```puppet +~~~ puppet apache::vhost { 'sample.example.net': docroot => '/path/to/directory', directories => { 
@@ -2005,13 +2573,13 @@ Adds lines for [Header](http://httpd.apache.org/docs/current/mod/mod_headers.htm headers => 'Set X-Robots-Tag "noindex, noarchive, nosnippet"', }, } -``` +~~~ -######`index_options` +###### `index_options` Allows configuration settings for [directory indexing](http://httpd.apache.org/docs/current/mod/mod_autoindex.html#indexoptions). -```puppet +~~~ puppet apache::vhost { 'sample.example.net': docroot => '/path/to/directory', directories => [ @@ -2022,13 +2590,13 @@ Allows configuration settings for [directory indexing](http://httpd.apache.org/d }, ], } -``` +~~~ -######`index_order_default` +###### `index_order_default` Sets the [default ordering](http://httpd.apache.org/docs/current/mod/mod_autoindex.html#indexorderdefault) of the directory index. -```puppet +~~~ puppet apache::vhost { 'sample.example.net': docroot => '/path/to/directory', directories => [ @@ -2038,13 +2606,13 @@ Sets the [default ordering](http://httpd.apache.org/docs/current/mod/mod_autoind }, ], } -``` +~~~ -######`index_style_sheet` +###### `index_style_sheet` Sets the [IndexStyleSheet](http://httpd.apache.org/docs/current/mod/mod_autoindex.html#indexstylesheet) which adds a CSS stylesheet to the directory index. -```puppet +~~~ puppet apache::vhost { 'sample.example.net': docroot => '/path/to/directory', directories => [ @@ -2055,13 +2623,13 @@ Sets the [IndexStyleSheet](http://httpd.apache.org/docs/current/mod/mod_autoinde }, ], } -``` +~~~ -######`options` +###### `options` Lists the [Options](http://httpd.apache.org/docs/current/mod/core.html#options) for the given Directory block. -```puppet +~~~ puppet apache::vhost { 'sample.example.net': docroot => '/path/to/directory', directories => [ 
@@ -2070,13 +2638,13 @@ Lists the [Options](http://httpd.apache.org/docs/current/mod/core.html#options) }, ], } -``` +~~~ -######`order` +###### `order` Sets the order of processing Allow and Deny statements as per [Apache core documentation](http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#order). **Deprecated:** This parameter is being deprecated due to a change in Apache. It only works with Apache 2.2 and lower. -```puppet +~~~ puppet apache::vhost { 'sample.example.net': docroot => '/path/to/directory', directories => [ @@ -2085,13 +2653,13 @@ Sets the order of processing Allow and Deny statements as per [Apache core docum }, ], } -``` +~~~ -######`passenger_enabled` +###### `passenger_enabled` Sets the value for the [PassengerEnabled](http://www.modrails.com/documentation/Users%20guide%20Apache.html#PassengerEnabled) directory to 'on' or 'off'. Requires `apache::mod::passenger` to be included. -```puppet +~~~ puppet apache::vhost { 'sample.example.net': docroot => '/path/to/directory', directories => [ 
@@ -2100,24 +2668,24 @@ Sets the value for the [PassengerEnabled](http://www.modrails.com/documentation/ }, ], } -``` +~~~ *Note:* Be aware that there is an [issue](http://www.conandalton.net/2010/06/passengerenabled-off-not-working.html) using the PassengerEnabled directive with the PassengerHighPerformance directive. -######`php_value` and `php_flag` +###### `php_value` and `php_flag` `php_value` sets the value of the directory, and `php_flag` uses a boolean to configure the directory. Further information can be found [here](http://php.net/manual/en/configuration.changes.php). -######`php_admin_value` and `php_admin_flag` +###### `php_admin_value` and `php_admin_flag` `php_admin_value` sets the value of the directory, and `php_admin_flag` uses a boolean to configure the directory. Further information can be found [here](http://php.net/manual/en/configuration.changes.php). -######`satisfy` +###### `satisfy` Sets a `Satisfy` directive as per the [Apache Core documentation](http://httpd.apache.org/docs/2.2/mod/core.html#satisfy). **Deprecated:** This parameter is being deprecated due to a change in Apache. It only works with Apache 2.2 and lower. -```puppet +~~~ puppet apache::vhost { 'sample.example.net': docroot => '/path/to/directory', directories => [ @@ -2126,13 +2694,13 @@ Sets a `Satisfy` directive as per the [Apache Core documentation](http://httpd.a } ], } -``` +~~~ -######`sethandler` +###### `sethandler` Sets a `SetHandler` directive as per the [Apache Core documentation](http://httpd.apache.org/docs/2.2/mod/core.html#sethandler). An example: -```puppet +~~~ puppet apache::vhost { 'sample.example.net': docroot => '/path/to/directory', directories => [ 
@@ -2141,13 +2709,13 @@ Sets a `SetHandler` directive as per the [Apache Core documentation](http://http } ], } -``` +~~~ -######`rewrites` +###### `rewrites` Creates URL [`rewrites`](#rewrites) rules in vhost directories. Expects an array of hashes, and the hash keys can be any of 'comment', 'rewrite_base', 'rewrite_cond', or 'rewrite_rule'. -```puppet +~~~ puppet apache::vhost { 'secure.example.net': docroot => '/path/to/directory', directories => [ @@ -2166,15 +2734,15 @@ Creates URL [`rewrites`](#rewrites) rules in vhost directories. Expects an array }, ], } -``` +~~~ ***Note*** If you include rewrites in your directories make sure you are also including `apache::mod::rewrite`. You may also want to consider setting the rewrites using the `rewrites` parameter in `apache::vhost` rather than setting the rewrites in the vhost directories. -######`shib_request_setting` +###### `shib_request_setting` Allows an valid content setting to be set or altered for the application request. This command takes two parameters, the name of the content setting, and the value to set it to.Check the Shibboleth [content setting documentation](https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPContentSettings) for valid settings. This key is disabled if `apache::mod::shib` is not defined. Check the [`mod_shib` documentation](https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig#NativeSPApacheConfig-Server/VirtualHostOptions) for more details. -```puppet +~~~ puppet apache::vhost { 'secure.example.net': docroot => '/path/to/directory', directories => [ 
@@ -2184,17 +2752,17 @@ Allows an valid content setting to be set or altered for the application request }, ], } -``` +~~~ -######`shib_use_headers` +###### `shib_use_headers` When set to 'On' this turns on the use of request headers to publish attributes to applications. Valid values for this key is 'On' or 'Off', and the default value is 'Off'. This key is disabled if `apache::mod::shib` is not defined. Check the [`mod_shib` documentation](https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig#NativeSPApacheConfig-Server/VirtualHostOptions) for more details. -######`ssl_options` +###### `ssl_options` String or list of [SSLOptions](https://httpd.apache.org/docs/current/mod/mod_ssl.html#ssloptions), which configure SSL engine run-time options. This handler takes precedence over SSLOptions set in the parent block of the vhost. -```puppet +~~~ puppet apache::vhost { 'secure.example.net': docroot => '/path/to/directory', directories => [ @@ -2206,13 +2774,13 @@ String or list of [SSLOptions](https://httpd.apache.org/docs/current/mod/mod_ssl }, ], } -``` +~~~ -######`suphp` +###### `suphp` A hash containing the 'user' and 'group' keys for the [suPHP_UserGroup](http://www.suphp.org/DocumentationView.html?file=apache/CONFIG) setting. It must be used with `suphp_engine => on` in the vhost declaration, and can only be passed within `directories`. -```puppet +~~~ puppet apache::vhost { 'secure.example.net': docroot => '/path/to/directory', directories => [ 
@@ -2224,119 +2792,119 @@ A hash containing the 'user' and 'group' keys for the [suPHP_UserGroup](http://w }, ], } -``` +~~~ ####SSL parameters for `apache::vhost` All of the SSL parameters for `::vhost` default to whatever is set in the base `apache` class. Use the below parameters to tweak individual SSL settings for specific vhosts. -#####`ssl` +##### `ssl` Enables SSL for the virtual host. SSL vhosts only respond to HTTPS queries. Valid values are 'true' or 'false'. Defaults to 'false'. -#####`ssl_ca` +##### `ssl_ca` Specifies the SSL certificate authority. Defaults to 'undef'. -#####`ssl_cert` +##### `ssl_cert` Specifies the SSL certification. Defaults are based on your OS: '/etc/pki/tls/certs/localhost.crt' for RedHat, '/etc/ssl/certs/ssl-cert-snakeoil.pem' for Debian, '/usr/local/etc/apache22/server.crt' for FreeBSD, and '/etc/ssl/apache2/server.crt' on Gentoo. -#####`ssl_protocol` +##### `ssl_protocol` Specifies [SSLProtocol](http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslprotocol). Expects an array of accepted protocols. Defaults to 'all', '-SSLv2', '-SSLv3'. -#####`ssl_cipher` +##### `ssl_cipher` Specifies [SSLCipherSuite](http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslciphersuite). Defaults to 'HIGH:MEDIUM:!aNULL:!MD5'. -#####`ssl_honorcipherorder` +##### `ssl_honorcipherorder` Sets [SSLHonorCipherOrder](http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslhonorcipherorder), which is used to prefer the server's cipher preference order. Defaults to 'On' in the base `apache` config. -#####`ssl_certs_dir` +##### `ssl_certs_dir` Specifies the location of the SSL certification directory. Defaults to '/etc/ssl/certs' on Debian, '/etc/pki/tls/certs' on RedHat, '/usr/local/etc/apache22' on FreeBSD, and '/etc/ssl/apache2' on Gentoo. -#####`ssl_chain` +##### `ssl_chain` Specifies the SSL chain. Defaults to 'undef'. 
(This default works out of the box, but it must be updated in the base `apache` class with your specific certificate information before being used in production.) -#####`ssl_crl` +##### `ssl_crl` Specifies the certificate revocation list to use. Defaults to 'undef'. (This default works out of the box but must be updated in the base `apache` class with your specific certificate information before being used in production.) -#####`ssl_crl_path` +##### `ssl_crl_path` Specifies the location of the certificate revocation list. Defaults to 'undef'. (This default works out of the box but must be updated in the base `apache` class with your specific certificate information before being used in production.) -#####`ssl_crl_check` +##### `ssl_crl_check` Sets the certificate revocation check level via the [SSLCARevocationCheck directive](http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcarevocationcheck), defaults to 'undef'. This default works out of the box but must be specified when using CRLs in production. Only applicable to Apache 2.4 or higher; the value is ignored on older versions. -#####`ssl_key` +##### `ssl_key` Specifies the SSL key. Defaults are based on your operating system: '/etc/pki/tls/private/localhost.key' for RedHat, '/etc/ssl/private/ssl-cert-snakeoil.key' for Debian, '/usr/local/etc/apache22/server.key' for FreeBSD, and '/etc/ssl/apache2/server.key' on Gentoo. (This default works out of the box but must be updated in the base `apache` class with your specific certificate information before being used in production.) -#####`ssl_verify_client` +##### `ssl_verify_client` Sets the [SSLVerifyClient](http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslverifyclient) directive, which sets the certificate verification level for client authentication. Valid values are: 'none', 'optional', 'require', and 'optional_no_ca'. Defaults to 'undef'. 
-```puppet +~~~ puppet apache::vhost { 'sample.example.net': … ssl_verify_client => 'optional', } -``` +~~~ -#####`ssl_verify_depth` +##### `ssl_verify_depth` Sets the [SSLVerifyDepth](http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslverifydepth) directive, which specifies the maximum depth of CA certificates in client certificate verification. Defaults to 'undef'. -```puppet +~~~ puppet apache::vhost { 'sample.example.net': … ssl_verify_depth => 1, } -``` +~~~ -#####`ssl_options` +##### `ssl_options` Sets the [SSLOptions](http://httpd.apache.org/docs/current/mod/mod_ssl.html#ssloptions) directive, which configures various SSL engine run-time options. This is the global setting for the given vhost and can be a string or an array. Defaults to 'undef'. A string: -```puppet +~~~ puppet apache::vhost { 'sample.example.net': … ssl_options => '+ExportCertData', } -``` +~~~ An array: -```puppet +~~~ puppet apache::vhost { 'sample.example.net': … ssl_options => [ '+StrictRequire', '+ExportCertData' ], } -``` +~~~ -#####`ssl_openssl_conf_cmd` +##### `ssl_openssl_conf_cmd` Sets the [SSLOpenSSLConfCmd](http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslopensslconfcmd) directive, which provides direct configuration of OpenSSL parameters. Defaults to 'undef'. -#####`ssl_proxyengine` +##### `ssl_proxyengine` Specifies whether or not to use [SSLProxyEngine](http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxyengine). Valid values are 'true' and 'false'. Defaults to 'false'. -####Defined Type: FastCGI Server +####Define: FastCGI Server This type is intended for use with mod_fastcgi. It allows you to define one or more external FastCGI servers to handle specific file types. Ex: -```puppet +~~~ puppet apache::fastcgi::server { 'php': host => '127.0.0.1:9000', timeout => 15, 
@@ -2345,426 +2913,168 @@ apache::fastcgi::server { 'php': fcgi_alias => '/php.fcgi', file_type => 'application/x-httpd-php' } -``` +~~~ Within your virtual host, you can then configure the specified file type to be handled by the fastcgi server specified above. -```puppet +~~~ puppet apache::vhost { 'www': ... custom_fragment => 'AddType application/x-httpd-php .php' ... } -``` +~~~ -#####`host` +##### `host` The hostname or IP address and TCP port number (1-65535) of the FastCGI server. -#####`timeout` +##### `timeout` The number of seconds of FastCGI application inactivity allowed before the request is aborted and the event is logged (at the error LogLevel). The inactivity timer applies only as long as a connection is pending with the FastCGI application. If a request is queued to an application, but the application doesn't respond (by writing and flushing) within this period, the request is aborted. If communication is complete with the application but incomplete with the client (the response is buffered), the timeout does not apply. -#####`flush` +##### `flush` Force a write to the client as data is received from the application. By default, mod_fastcgi buffers data in order to free the application as quickly as possible. -#####`faux_path` +##### `faux_path` `faux_path` does not have to exist in the local filesystem. URIs that Apache resolves to this filename are handled by this external FastCGI application. -#####`alias` +##### `alias` A unique alias. This is used internally to link the action with the FastCGI server. -#####`file_type` +##### `file_type` The MIME-type of the file to be processed by the FastCGI server. -###Virtual Host Examples +### Private Defines -The apache module allows you to set up pretty much any configuration of virtual host you might need. This section addresses some common configurations, but look at the [Tests section](https://github.com/puppetlabs/puppetlabs-apache/tree/master/tests) for even more examples. 
+#### Define: `apache::peruser::multiplexer` -Configure a vhost with a server administrator +This define checks if an Apache module has a class. If it does, it includes that class. If it does not, it passes the module name to the [`apache::mod`][] define. -```puppet - apache::vhost { 'third.example.com': - port => '80', - docroot => '/var/www/third', - serveradmin => 'admin@example.com', - } -``` +#### Define: `apache::peruser::multiplexer` -- - - +Enables the [`Peruser`][] module for FreeBSD only. -Set up a vhost with aliased servers +#### Define: `apache::peruser::processor` -```puppet - apache::vhost { 'sixth.example.com': - serveraliases => [ - 'sixth.example.org', - 'sixth.example.net', - ], - port => '80', - docroot => '/var/www/fifth', - } -``` +Enables the [`Peruser`][] module for FreeBSD only. -- - - +#### Define: `apache::security::file_link` -Configure a vhost with a cgi-bin +Links the `activated_rules` from [`apache::mod::security`][] to the respective CRS rules on disk. -```puppet - apache::vhost { 'eleventh.example.com': - port => '80', - docroot => '/var/www/eleventh', - scriptalias => '/usr/lib/cgi-bin', - } -``` +### Templates -- - - +The Apache module relies heavily on templates to enable the [`apache::vhost`][] and [`apache::mod`][] defines. These templates are built based on [Facter][] facts specific to your operating system. Unless explicitly called out, most templates are not meant for configuration. -Set up a vhost with a rack configuration +## Limitations -```puppet - apache::vhost { 'fifteenth.example.com': - port => '80', - docroot => '/var/www/fifteenth', - rack_base_uris => ['/rackapp1', '/rackapp2'], - } -``` +### Ubuntu 10.04 -- - - +The [`apache::vhost::WSGIImportScript`][] parameter creates a statement inside the virtual host that is unsupported on older versions of Apache, causing it to fail. This will be remedied in a future refactoring. 
-Set up a mix of SSL and non-SSL vhosts at the same domain +### RHEL/CentOS 5 -```puppet - #The non-ssl vhost - apache::vhost { 'first.example.com non-ssl': - servername => 'first.example.com', - port => '80', - docroot => '/var/www/first', - } +The [`apache::mod::passenger`][] and [`apache::mod::proxy_html`][] classes are untested since repositories are missing compatible packages. - #The SSL vhost at the same domain - apache::vhost { 'first.example.com ssl': - servername => 'first.example.com', - port => '443', - docroot => '/var/www/first', - ssl => true, - } -``` +### RHEL/CentOS 7 -- - - +The [`apache::mod::passenger`][] class is untested as the EL7 repository is missing compatible packages, which also blocks us from testing the [`apache::vhost`][] define's [`rack_base_uri`][] parameter. -Configure a vhost to redirect non-SSL connections to SSL +### General -```puppet - apache::vhost { 'sixteenth.example.com non-ssl': - servername => 'sixteenth.example.com', - port => '80', - docroot => '/var/www/sixteenth', - redirect_status => 'permanent', - redirect_dest => 'https://sixteenth.example.com/' - } - apache::vhost { 'sixteenth.example.com ssl': - servername => 'sixteenth.example.com', - port => '443', - docroot => '/var/www/sixteenth', - ssl => true, - } -``` - -- - - - -Set up IP-based vhosts on any listen port and have them respond to requests on specific IP addresses. In this example, we set listening on ports 80 and 81. This is required because the example vhosts are not declared with a port parameter. - -```puppet - apache::listen { '80': } - apache::listen { '81': } -``` - -Then we set up the IP-based vhosts - -```puppet - apache::vhost { 'first.example.com': - ip => '10.0.0.10', - docroot => '/var/www/first', - ip_based => true, - } - apache::vhost { 'second.example.com': - ip => '10.0.0.11', - docroot => '/var/www/second', - ip_based => true, - } -``` - -- - - - -Configure a mix of name-based and IP-based vhosts. 
First, we add two IP-based vhosts on 10.0.0.10, one SSL and one non-SSL - -```puppet - apache::vhost { 'The first IP-based vhost, non-ssl': - servername => 'first.example.com', - ip => '10.0.0.10', - port => '80', - ip_based => true, - docroot => '/var/www/first', - } - apache::vhost { 'The first IP-based vhost, ssl': - servername => 'first.example.com', - ip => '10.0.0.10', - port => '443', - ip_based => true, - docroot => '/var/www/first-ssl', - ssl => true, - } -``` - -Then, we add two name-based vhosts listening on 10.0.0.20 - -```puppet - apache::vhost { 'second.example.com': - ip => '10.0.0.20', - port => '80', - docroot => '/var/www/second', - } - apache::vhost { 'third.example.com': - ip => '10.0.0.20', - port => '80', - docroot => '/var/www/third', - } -``` - -If you want to add two name-based vhosts so that they answer on either 10.0.0.10 or 10.0.0.20, you **MUST** declare `add_listen => 'false'` to disable the otherwise automatic 'Listen 80', as it conflicts with the preceding IP-based vhosts. - -```puppet - apache::vhost { 'fourth.example.com': - port => '80', - docroot => '/var/www/fourth', - add_listen => false, - } - apache::vhost { 'fifth.example.com': - port => '80', - docroot => '/var/www/fifth', - add_listen => false, - } -``` - -###Load Balancing - -####Defined Type: `apache::balancer` - -`apache::balancer` creates an Apache balancer cluster. Each balancer cluster needs one or more balancer members, which are declared with [`apache::balancermember`](#defined-type-apachebalancermember). - -One `apache::balancer` defined resource should be defined for each Apache load balanced set of servers. The `apache::balancermember` resources for all balancer members can be exported and collected on a single Apache load balancer server using exported resources. - -**Parameters within `apache::balancer`:** - -#####`name` - -Sets the balancer cluster's title. This parameter also sets the title of the conf.d file. 
- -#####`proxy_set` - -Configures key-value pairs as [ProxySet](http://httpd.apache.org/docs/current/mod/mod_proxy.html#proxyset) lines. Accepts a hash, and defaults to '{}'. - -#####`collect_exported` - -Determines whether or not to use exported resources. Valid values 'true' and 'false', defaults to 'true'. - -If you statically declare all of your backend servers, you should set this to 'false' to rely on existing declared balancer member resources. Also make sure to use `apache::balancermember` with array arguments. - -If you wish to dynamically declare your backend servers via [exported resources](http://docs.puppetlabs.com/guides/exported_resources.html) collected on a central node, you must set this parameter to 'true' in order to collect the exported balancer member resources that were exported by the balancer member nodes. - -If you choose not to use exported resources, all balancer members will be configured in a single Puppet run. If you are using exported resources, Puppet has to run on the balanced nodes, then run on the balancer. - -####Defined Type: `apache::balancermember` - -Defines members of [mod_proxy_balancer](http://httpd.apache.org/docs/current/mod/mod_proxy_balancer.html), which sets up a balancer member inside a listening service configuration block in etc/apache/apache.cfg on the load balancer. - -**Parameters within `apache::balancermember`:** - -#####`name` - -Sets the title of the resource. This name also sets the name of the concat fragment. - -#####`balancer_cluster` +This module is CI tested against both [open source Puppet][] and [Puppet Enterprise][] on: -Sets the Apache service's instance name. This must match the name of a declared `apache::balancer` resource. Required. 
+- CentOS 5 and 6 +- Ubuntu 12.04 and 14.04 +- Debian 7 +- RHEL 5, 6, and 7 -#####`url` +This module also provides functions for other distributions and operating systems, such as FreeBSD, Gentoo, and Amazon Linux, but is not formally tested on them and are subject to regressions. -Specifies the URL used to contact the balancer member server. Defaults to 'http://${::fqdn}/'. +### SELinux and custom paths -#####`options` +If [SELinux][] is in [enforcing mode][] and you want to use custom paths for `logroot`, `mod_dir`, `vhost_dir`, and `docroot`, you need to manage the files' context yourself. -An array of [options](http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#balancermember) to be specified after the URL. Accepts any key-value pairs available to [ProxyPass](http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypass). +You can do this with Puppet: -####Examples - -To load balance with exported resources, export the `balancermember` from the balancer member - -```puppet - @@apache::balancermember { "${::fqdn}-puppet00": - balancer_cluster => 'puppet00', - url => "ajp://${::fqdn}:8009" - options => ['ping=5', 'disablereuse=on', 'retry=5', 'ttl=120'], - } -``` - -Then, on the proxy server, create the balancer cluster - -```puppet - apache::balancer { 'puppet00': } -``` - -To load balance without exported resources, declare the following on the proxy - -```puppet - apache::balancer { 'puppet00': } - apache::balancermember { "${::fqdn}-puppet00": - balancer_cluster => 'puppet00', - url => "ajp://${::fqdn}:8009" - options => ['ping=5', 'disablereuse=on', 'retry=5', 'ttl=120'], - } -``` - -Then declare `apache::balancer` and `apache::balancermember` on the proxy server. - -If you need to use ProxySet in the balancer config - -```puppet - apache::balancer { 'puppet01': - proxy_set => {'stickysession' => 'JSESSIONID'}, - } -``` - -##Reference - -###Classes - -####Public Classes - -* [`apache`](#class-apache): Guides the basic setup of Apache. 
-* `apache::dev`: Installs Apache development libraries. (*Note:* On FreeBSD, you must declare `apache::package` or `apache` before `apache::dev`.) -* [`apache::mod::[name]`](#classes-apachemodname): Enables specific Apache HTTPD modules. - -####Private Classes - -* `apache::confd::no_accf`: Creates the no-accf.conf configuration file in conf.d, required by FreeBSD's Apache 2.4. -* `apache::default_confd_files`: Includes conf.d files for FreeBSD. -* `apache::default_mods`: Installs the Apache modules required to run the default configuration. -* `apache::package`: Installs and configures basic Apache packages. -* `apache::params`: Manages Apache parameters. -* `apache::service`: Manages the Apache daemon. - -###Defined Types - -####Public Defined Types - -* `apache::balancer`: Creates an Apache balancer cluster. -* `apache::balancermember`: Defines members of [mod_proxy_balancer](http://httpd.apache.org/docs/current/mod/mod_proxy_balancer.html). -* `apache::listen`: Based on the title, controls which ports Apache binds to for listening. Adds [Listen](http://httpd.apache.org/docs/current/bind.html) directives to ports.conf in the Apache HTTPD configuration directory. Titles take the form '', ':', or ':'. -* `apache::mod`: Used to enable arbitrary Apache HTTPD modules for which there is no specific `apache::mod::[name]` class. -* `apache::namevirtualhost`: Enables name-based hosting of a virtual host. Adds all [NameVirtualHost](http://httpd.apache.org/docs/current/vhosts/name-based.html) directives to the `ports.conf` file in the Apache HTTPD configuration directory. Titles take the form '\*', '*:', '\_default_:, '', or ':'. -* `apache::vhost`: Allows specialized configurations for virtual hosts that have requirements outside the defaults. - -####Private Defined Types - -* `apache::peruser::multiplexer`: Enables the [Peruser](http://www.freebsd.org/cgi/url.cgi?ports/www/apache22-peruser-mpm/pkg-descr) module for FreeBSD only. 
-* `apache::peruser::processor`: Enables the [Peruser](http://www.freebsd.org/cgi/url.cgi?ports/www/apache22-peruser-mpm/pkg-descr) module for FreeBSD only. -* `apache::security::file_link`: Links the activated_rules from apache::mod::security to the respective CRS rules on disk. - -###Templates - -The Apache module relies heavily on templates to enable the `vhost` and `apache::mod` defined types. These templates are built based on Facter facts around your operating system. Unless explicitly called out, most templates are not meant for configuration. - -##Limitations - -###Ubuntu 10.04 - -The `apache::vhost::WSGIImportScript` parameter creates a statement inside the VirtualHost which is unsupported on older versions of Apache, causing this to fail. This will be remedied in a future refactoring. - -###RHEL/CentOS 5 - -The `apache::mod::passenger` and `apache::mod::proxy_html` classes are untested since repositories are missing compatible packages. - -###RHEL/CentOS 7 - -The `apache::mod::passenger` class is untested as the repository does not have packages for EL7 yet. The fact that passenger packages aren't available also makes us unable to test the `rack_base_uri` parameter in `apache::vhost`. - -###General +~~~ puppet +exec { 'set_apache_defaults': + command => 'semanage fcontext -a -t httpd_sys_content_t "/custom/path(/.*)?"', + path => '/bin:/usr/bin/:/sbin:/usr/sbin', + require => Package['policycoreutils-python'], +} -This module is CI tested on Centos 5 & 6, Ubuntu 12.04 & 14.04, Debian 7, and RHEL 5, 6 & 7 platforms against both the OSS and Enterprise version of Puppet. +package { 'policycoreutils-python': + ensure => installed, +} -The module contains support for other distributions and operating systems, such as FreeBSD, Gentoo and Amazon Linux, but is not formally tested on those and regressions can occur. 
+exec { 'restorecon_apache': + command => 'restorecon -Rv /apache_spec', + path => '/bin:/usr/bin/:/sbin:/usr/sbin', + before => Class['Apache::Service'], + require => Class['apache'], +} -###SELinux and Custom Paths +class { 'apache': } -If you are running with SELinux in enforcing mode and want to use custom paths for your `logroot`, `mod_dir`, `vhost_dir`, and `docroot`, you need to manage the context for the files yourself. +host { 'test.server': + ip => '127.0.0.1', +} -Something along the lines of: +file { '/custom/path': + ensure => directory, +} -```puppet - exec { 'set_apache_defaults': - command => 'semanage fcontext -a -t httpd_sys_content_t "/custom/path(/.*)?"', - path => '/bin:/usr/bin/:/sbin:/usr/sbin', - require => Package['policycoreutils-python'], - } - package { 'policycoreutils-python': ensure => installed } - exec { 'restorecon_apache': - command => 'restorecon -Rv /apache_spec', - path => '/bin:/usr/bin/:/sbin:/usr/sbin', - before => Class['Apache::Service'], - require => Class['apache'], - } - class { 'apache': } - host { 'test.server': ip => '127.0.0.1' } - file { '/custom/path': ensure => directory, } - file { '/custom/path/include': ensure => present, content => '#additional_includes' } - apache::vhost { 'test.server': - docroot => '/custom/path', - additional_includes => '/custom/path/include', - } -``` +file { '/custom/path/include': + ensure => present, + content => '#additional_includes', +} -You need to set the contexts using `semanage fcontext` not `chcon` because `file {...}` resources reset the context to the values in the database if the resource isn't specifying the context. +apache::vhost { 'test.server': + docroot => '/custom/path', + additional_includes => '/custom/path/include', +} +~~~ -###FreeBSD +You need to set the contexts using `semanage fcontext` instead of `chcon` because Puppet's `file` resources reset the values' context in the database if the resource doesn't specify it. 
-In order to use this module on FreeBSD, you *must* use apache24-2.4.12 (www/apache24) or newer. +### FreeBSD -##Development +In order to use this module on FreeBSD, you _must_ use apache24-2.4.12 (www/apache24) or newer. -###Contributing +## Development -Puppet Labs modules on the Puppet Forge are open projects, and community contributions are essential for keeping them great. We can’t access the huge number of platforms and myriad of hardware, software, and deployment configurations that Puppet is intended to serve. +### Contributing -We want to keep it as easy as possible to contribute changes so that our modules work in your environment. There are a few guidelines that we need contributors to follow so that we can have a chance of keeping on top of things. +[Puppet Labs][] modules on the [Puppet Forge][] are open projects, and community contributions are essential for keeping them great. We can’t access the huge number of platforms and myriad hardware, software, and deployment configurations that Puppet is intended to serve. -Read the complete module [contribution guide](https://docs.puppetlabs.com/forge/contributing.html) +We want to make it as easy as possible to contribute changes so our modules work in your environment, but we also need contributors to follow a few guidelines to help us maintain and improve the modules' quality. -###Running tests +For more information, please read the complete [module contribution guide][]. -This project contains tests for both [rspec-puppet](http://rspec-puppet.com/) and [beaker-rspec](https://github.com/puppetlabs/beaker-rspec) to verify functionality. For in-depth information please see their respective documentation. +### Running tests -Quickstart: +This project contains tests for both [rspec-puppet][] and [beaker-rspec][] to verify functionality. For detailed information on using these tools, please see their respective documentation. 
-####Ruby > 1.8.7 +#### Testing quickstart: Ruby > 1.8.7 -``` - gem install bundler - bundle install - bundle exec rake spec - bundle exec rspec spec/acceptance - RS_DEBUG=yes bundle exec rspec spec/acceptance -``` +~~~ +gem install bundler +bundle install +bundle exec rake spec +bundle exec rspec spec/acceptance +RS_DEBUG=yes bundle exec rspec spec/acceptance +~~~ -####Ruby = 1.8.7 +#### Testing quickstart: Ruby = 1.8.7 -``` - gem install bundler - bundle install --without system_tests - bundle exec rake spec -``` +~~~ +gem install bundler +bundle install --without system_tests +bundle exec rake spec +~~~ diff --git a/README.passenger.md b/README.passenger.md index 5b33d29096..7a2aada9b5 100644 --- a/README.passenger.md +++ b/README.passenger.md @@ -13,7 +13,7 @@ Also, general apache module loading parameters can be supplied to enable using a customized passenger module in place of a default-package-based version of the module. -# Operating system support and Passenger versions +## Operating system support and Passenger versions The most important configuration directive for the Apache Passenger module is `PassengerRoot`. Its value depends on the Passenger version used (2.x, 3.x or @@ -35,7 +35,7 @@ RHEL with EPEL6 | 3.0.21 | /usr/lib/ruby/gems/1.8/gems/passenger-3. As mentioned in `README.md` there are no compatible packages available for RHEL/CentOS 5 or RHEL/CentOS 7. -## Configuration files and locations on RHEL/CentOS +### Configuration files and locations on RHEL/CentOS Notice two important points: @@ -55,7 +55,7 @@ directives as described in the remainder of this document are placed in This pertains *only* to RHEL/CentOS, *not* Debian and Ubuntu. -## Third-party and custom Passenger packages and versions +### Third-party and custom Passenger packages and versions The Passenger version distributed by the default OS packages may be too old to be useful. Newer versions may be installed via Gems, from source or from 
@@ -75,7 +75,7 @@ For Passenger 4.x packages on Debian and Ubuntu the `PassengerRoot` directive should almost universally be set to `/usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini`. -# Parameters for `apache::mod::passenger` +## Parameters for `apache::mod::passenger` The following class parameters configure Passenger in a global, server-wide context. @@ -95,12 +95,12 @@ class { 'apache::mod::passenger': The general form is using the all lower-case version of the configuration directive, with underscores instead of CamelCase. -## Parameters used with passenger.conf +### Parameters used with passenger.conf If you pass a default value to `apache::mod::passenger` it will be ignored and not passed through to the configuration file. -### passenger_root +#### passenger_root The location to the Phusion Passenger root directory. This configuration option is essential to Phusion Passenger, and allows Phusion Passenger to locate its @@ -112,7 +112,7 @@ information. http://www.modrails.com/documentation/Users%20guide%20Apache.html#_passengerroot_lt_directory_gt -### passenger_default_ruby +#### passenger_default_ruby This option specifies the default Ruby interpreter to use for web apps as well as for all sorts of internal Phusion Passenger helper scripts, e.g. the one @@ -126,7 +126,7 @@ set to '/usr/bin/ruby'. http://www.modrails.com/documentation/Users%20guide%20Apache.html#PassengerDefaultRuby -### passenger_ruby +#### passenger_ruby This directive is the same as `passenger_default_ruby` for Passenger versions < 4.x and must be used instead of `passenger_default_ruby` for such versions. 
@@ -141,28 +141,28 @@ Defaults to `/usr/bin/ruby` for all supported operating systems except Ubuntu http://www.modrails.com/documentation/Users%20guide%20Apache.html#PassengerRuby -### passenger_high_performance +#### passenger_high_performance Default is `off`. When turned `on` Passenger runs in a higher performance mode that can be less compatible with other Apache modules. http://www.modrails.com/documentation/Users%20guide%20Apache.html#PassengerHighPerformance -### passenger_max_pool_size +#### passenger_max_pool_size Sets the maximum number of Passenger application processes that may simultaneously run. The default value is 6. http://www.modrails.com/documentation/Users%20guide%20Apache.html#_passengermaxpoolsize_lt_integer_gt -### passenger_pool_idle_time +#### passenger_pool_idle_time The maximum number of seconds a Passenger Application process will be allowed to remain idle before being shut down. The default value is 300. http://www.modrails.com/documentation/Users%20guide%20Apache.html#PassengerPoolIdleTime -### passenger_max_requests +#### passenger_max_requests The maximum number of request a Passenger application will process before being restarted. The default value is 0, which indicates that a process will only @@ -170,14 +170,14 @@ shut down if the Pool Idle Time (see above) expires. http://www.modrails.com/documentation/Users%20guide%20Apache.html#PassengerMaxRequests -### passenger_stat_throttle_rate +#### passenger_stat_throttle_rate Sets how often Passenger performs file system checks, at most once every _x_ seconds. Default is 0, which means the checks are performed with every request. http://www.modrails.com/documentation/Users%20guide%20Apache.html#_passengerstatthrottlerate_lt_integer_gt -### rack_autodetect +#### rack_autodetect Should Passenger automatically detect if the document root of a virtual host is a Rack application. Not set by default (`undef`). Note that this directive has 
@@ -186,7 +186,7 @@ Use this directive only on Passenger < 4.x. http://www.modrails.com/documentation/Users%20guide%20Apache.html#_rackautodetect_lt_on_off_gt -### rails_autodetect +#### rails_autodetect Should Passenger automatically detect if the document root of a virtual host is a Rails application. Not set by default (`undef`). Note that this directive @@ -195,13 +195,13 @@ instead. Use this directive only on Passenger < 4.x. http://www.modrails.com/documentation/Users%20guide%20Apache.html#_railsautodetect_lt_on_off_gt -### passenger_use_global_queue +#### passenger_use_global_queue Allows toggling of PassengerUseGlobalQueue. NOTE: PassengerUseGlobalQueue is the default in Passenger 4.x and the versions >= 4.x have disabled this configuration option altogether. Use with caution. -### passenger_app_env +#### passenger_app_env Sets the global default `PassengerAppEnv` for Passenger applications. Not set by default (`undef`) and thus defaults to Passenger's built-in value of 'production'. 
@@ -209,43 +209,43 @@ This directive can be overridden in an `apache::vhost` resource. https://www.phusionpassenger.com/documentation/Users%20guide%20Apache.html#PassengerAppEnv -## Parameters used to load the module +### Parameters used to load the module Unlike the tuning parameters specified above, the following parameters are only used when loading customized passenger modules. -### mod_package +#### mod_package Allows overriding the default package name used for the passenger module package. -### mod_package_ensure +#### mod_package_ensure Allows overriding the package installation setting used by puppet when installing the passenger module. The default is 'present'. -### mod_id +#### mod_id Allows overriding the value used by apache to identify the passenger module. The default is 'passenger_module'. -### mod_lib_path +#### mod_lib_path Allows overriding the directory path used by apache when loading the passenger module. The default is the value of `$apache::params::lib_path`. -### mod_lib +#### mod_lib Allows overriding the library file name used by apache when loading the passenger module. The default is 'mod_passenger.so'. -### mod_path +#### mod_path Allows overriding the full path to the library file used by apache when loading the passenger module. The default is the concatenation of the `mod_lib_path` and `mod_lib` parameters. -# Dependencies +## Dependencies RedHat-based systems will need to configure additional package repositories in order to install Passenger, specifically: @@ -256,7 +256,7 @@ order to install Passenger, specifically: Configuration of these repositories is beyond the scope of this module and is left to the user. -# Attribution +## Attribution The Passenger tuning parameters for the `apache::mod::passenger` Puppet class was modified by Aaron Hicks (hicksa@landcareresearch.co.nz) for work on the 
@@ -268,7 +268,7 @@ PuppetLabs Apache module on GitHub. * http://www.nesi.org.nz// * https://tuakiri.ac.nz/confluence/display/Tuakiri/Home -# Copyright and License +## Copyright and License Copyright (C) 2012 [Puppet Labs](https://www.puppetlabs.com/) Inc From 62e1370fbfc9e7e0e1f8a2458b7f66102dcbf26c Mon Sep 17 00:00:00 2001 From: Garrett Guillotte Date: Fri, 31 Jul 2015 11:06:22 -0700 Subject: [PATCH 16/71] DOC-1493: Resolve broken links. Corrects several broken markdown links. --- README.md | 46 ++++++++++++++++++++++++++++------------------ 1 file changed, 28 insertions(+), 18 deletions(-) diff --git a/README.md b/README.md index dd9851f96d..2e457ffb9b 100644 --- a/README.md +++ b/README.md @@ -43,15 +43,21 @@ [`apache::fastcgi::server`]: #define-apachefastcgiserver [`apache::mod`]: #define-apachemod [`apache::mod::`]: #classes-apachemodmodule-name +[`apache::mod::alias`]: #class-apachemodalias +[`apache::mod::auth_cas`]: #class-apachemodauth_cas [`apache::mod::event`]: #class-apachemodevent +[`apache::mod::geoip`]: #class-apachemodgeoip [`apache::mod::itk`]: #class-apachemoditk [`apache::mod::passenger`]: #class-apachemodpassenger [`apache::mod::peruser`]: #class-apachemodperuser [`apache::mod::prefork`]: #class-apachemodprefork [`apache::mod::proxy_html`]: #class-apachemodproxy_html [`apache::mod::security`]: #class-apachemodsecurity +[`apache::mod::shib`]: #class-apachemodshib [`apache::mod::ssl`]: #class-apachemodssl +[`apache::mod::status`]: #class-apachemodstatus [`apache::mod::worker`]: #class-apachemodworker +[`apache::mod::wsgi`]: #class-apachemodwsgi [`apache::params`]: #class-apacheparams [`apache::version`]: #class-apacheversion [`apache::vhost`]: #define-apachevhost 
@@ -74,7 +80,9 @@ [`default_ssl_crl`]: #default_ssl_crl [`default_ssl_crl_path`]: #default_ssl_crl_path [`default_ssl_vhost`]: #default_ssl_vhost +[`dev_packages`]: #dev_packages [`directory`]: #directory +[`directories`]: #parameter-directories-for-apachevhost [`DirectoryIndex`]: http://httpd.apache.org/docs/current/mod/mod_dir.html#directoryindex [`docroot`]: #docroot [`docroot_owner`]: #docroot_owner @@ -192,7 +200,7 @@ [`ServerSignature`]: http://httpd.apache.org/docs/current/mod/core.html#serversignature [Service attribute restart]: http://docs.puppetlabs.com/references/latest/type.html#service-attribute-restart [`source`]: #source -[SSLCARevocationCheck]: http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcarevocationcheck +[`SSLCARevocationCheck`]: http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcarevocationcheck [SSL certificate key file]: http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcertificatekeyfile [SSL chain]: https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcertificatechainfile [SSL encryption]: https://httpd.apache.org/docs/current/ssl/index.html @@ -829,7 +837,7 @@ While this default value results in a functioning Apache server, you **must** up ##### `default_ssl_crl_check` -Sets the default certificate revocation check level via the [`SSLCARevocationCheck`] directive. Default: 'undef'. +Sets the default certificate revocation check level via the [`SSLCARevocationCheck`][] directive. Default: 'undef'. While this default value results in a functioning Apache server, you **must** specify this parameter when using certificate revocation lists in a production environment. 
@@ -923,7 +931,7 @@ Limits the number of requests allowed per connection when the [`keepalive` param ##### `lib_path` -Specifies the location where [Apache module][] files are stored. Default: Depends on the operating system. +Specifies the location where [Apache module][Apache modules] files are stored. Default: Depends on the operating system. - **Debian** and **Gentoo**: `/usr/lib/apache2/modules` - **FreeBSD**: `/usr/local/libexec/apache24` @@ -1132,7 +1140,7 @@ You might need to override this if you are using a non-standard Apache package, #### Class: `apache::dev` -Installs Apache development libraries. By default, the package name is defined by the [`dev_packages`] parameter of the [`apache::params`] class based on your operating system: +Installs Apache development libraries. By default, the package name is defined by the [`dev_packages`][] parameter of the [`apache::params`][] class based on your operating system: The default value is determined by your operating system: @@ -1156,9 +1164,9 @@ class { 'apache::mod::alias': The following Apache modules have supported classes, many of which allow for parameterized configuration. You can install other Apache modules with the [`apache::mod`][] define. * `actions` -* `alias` (see [`apache::mod::alias`](#class-apachemodalias)) +* `alias` (see [`apache::mod::alias`][]) * `auth_basic` -* `auth_cas`* (see [`apache::mod::auth_cas`](#class-apachemodauthcas)) +* `auth_cas`* (see [`apache::mod::auth_cas`][]) * `auth_kerb` * `authn_core` * `authn_file` @@ -1176,7 +1184,7 @@ The following Apache modules have supported classes, many of which allow for par * `dev` * `dir`* * `disk_cache` -* `event` (see [`apache::mod::event`](#class-apachemodevent)) +* `event` (see [`apache::mod::event`][]) * `expires` * `fastcgi` * `fcgid` 
@@ -1191,11 +1199,11 @@ The following Apache modules have supported classes, many of which allow for par * `mime_magic`* * `negotiation` * `nss`* -* `pagespeed` (see [`apache::mod::pagespeed`](#class-apachemodpagespeed)) +* `pagespeed` (see [`apache::mod::pagespeed`][]) * `passenger`* * `perl` * `peruser` -* `php` (requires [`mpm_module`](#mpm_module) set to `prefork`) +* `php` (requires [`mpm_module`][] set to `prefork`) * `prefork`* * `proxy`* * `proxy_ajp` @@ -1209,16 +1217,16 @@ The following Apache modules have supported classes, many of which allow for par * `rpaf`* * `setenvif` * `security` -* `shib`* (see [`apache::mod::shib`](#class-apachemodshib)) +* `shib`* (see [`apache::mod::shib`]) * `speling` -* `ssl`* (see [`apache::mod::ssl`](#class-apachemodssl)) -* `status`* (see [`apache::mod::status`](#class-apachemodstatus)) +* `ssl`* (see [`apache::mod::ssl`][]) +* `status`* (see [`apache::mod::status`][]) * `suphp` * `userdir`* * `version` * `vhost_alias` * `worker`* -* `wsgi` (see [`apache::mod::wsgi`](#class-apachemodwsgi)) +* `wsgi` (see [`apache::mod::wsgi`][]) * `xsendfile` Modules noted with a * indicate that the module has settings and a template that includes parameters to configure the module. Most Apache module class parameters have default values and don't require configuration. For modules with templates, Puppet installs template files with the module; these template files are required for the module to work. 
@@ -1968,15 +1976,17 @@ This directive is equivalent to `no_proxy_uris`, but takes regular expressions. ##### `proxy_preserve_host` -Sets the [ProxyPreserveHost Directive](http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypreservehost). true Enables the Host: line from an incoming request to be proxied to the host instead of hostname . false sets this option to off (default). +Sets the [ProxyPreserveHost Directive](http://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypreservehost). Valid options: Boolean. Default: 'false'. + +Setting this parameter to 'true' enables the `Host:` line from an incoming request to be proxied to the host instead of hostname. 'false' sets this option to 'Off'. ##### `proxy_error_override` -Sets the [ProxyErrorOverride Directive](http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxyerroroverride). This directive controls whether apache should override error pages for proxied content. This option is off by default. +Sets the [ProxyErrorOverride Directive](http://httpd.apache.org/docs/current/mod/mod_proxy.html#proxyerroroverride). This directive controls whether apache should override error pages for proxied content. This option is off by default. ##### `options` -Sets the [Options](http://httpd.apache.org/docs/current/mod/core.html#options) for the specified virtual host. Defaults to '['Indexes','FollowSymLinks','MultiViews']', as demonstrated below: +Sets the [`Options`][] for the specified virtual host. Default: ['Indexes','FollowSymLinks','MultiViews'], as demonstrated below: ~~~ puppet apache::vhost { 'site.name.fdqn': 
@@ -1985,7 +1995,7 @@ Sets the [Options](http://httpd.apache.org/docs/current/mod/core.html#options) f } ~~~ -*Note:* If you use [`directories`](#parameter-directories-for-apachevhost), 'Options', 'Override', and 'DirectoryIndex' are ignored because they are parameters within `directories`. +**Note**: If you use the [`directories`][] parameter of [`apache::vhost`][], 'Options', 'Override', and 'DirectoryIndex' are ignored because they are parameters within `directories`. ##### `override` @@ -2983,7 +2993,7 @@ The [`apache::mod::passenger`][] and [`apache::mod::proxy_html`][] classes are u ### RHEL/CentOS 7 -The [`apache::mod::passenger`][] class is untested as the EL7 repository is missing compatible packages, which also blocks us from testing the [`apache::vhost`][] define's [`rack_base_uri`][] parameter. +The [`apache::mod::passenger`][] class is untested as the EL7 repository is missing compatible packages, which also blocks us from testing the [`apache::vhost`][] define's [`rack_base_uris`][] parameter. ### General From 2d4723f42a9f132c6c43c0c62dbb50fb3d6e5112 Mon Sep 17 00:00:00 2001 From: "Jacob A. Ela" Date: Wed, 13 May 2015 08:33:35 -0500 Subject: [PATCH 17/71] mod_passenger: allow setting PassengerSpawnMethod --- README.passenger.md | 9 +++++++++ manifests/mod/passenger.pp | 7 +++++++ spec/classes/mod/passenger_spec.rb | 12 ++++++++++++ templates/mod/passenger.conf.erb | 3 +++ 4 files changed, 31 insertions(+) diff --git a/README.passenger.md b/README.passenger.md index 7a2aada9b5..d50b3f4897 100644 --- a/README.passenger.md +++ b/README.passenger.md 
@@ -170,6 +170,15 @@ shut down if the Pool Idle Time (see above) expires. http://www.modrails.com/documentation/Users%20guide%20Apache.html#PassengerMaxRequests +#### passenger_spawn_method + +Sets the method by which Ruby application processes are spawned. Default is `smart` +which caches code using the app preloader. + +Passenger >= 4.0 renamed `conservative` to `direct` and `smart-lv2` to `smart`. + +https://www.phusionpassenger.com/documentation/Users%20guide%20Apache.html#PassengerSpawnMethod + #### passenger_stat_throttle_rate Sets how often Passenger performs file system checks, at most once every _x_ diff --git a/manifests/mod/passenger.pp b/manifests/mod/passenger.pp index 03cce4d892..efd3486896 100644 --- a/manifests/mod/passenger.pp +++ b/manifests/mod/passenger.pp @@ -4,6 +4,7 @@ $passenger_high_performance = undef, $passenger_pool_idle_time = undef, $passenger_max_requests = undef, + $passenger_spawn_method = undef, $passenger_stat_throttle_rate = undef, $rack_autodetect = undef, $rails_autodetect = undef, @@ -21,6 +22,11 @@ $mod_id = undef, $mod_path = undef, ) { + + if $passenger_spawn_method { + validate_re($passenger_spawn_method, '(^smart$|^direct$|^smart-lv2$|^conservative$)', "${passenger_spawn_method} is not permitted for passenger_spawn_method. Allowed values are 'smart', 'direct', 'smart-lv2', or 'conservative'.") + } + # Managed by the package, but declare it to avoid purging if $passenger_conf_package_file { file { 'passenger_package.conf': @@ -61,6 +67,7 @@ # - $passenger_min_instances # - $passenger_high_performance # - $passenger_max_requests + # - $passenger_spawn_method # - $passenger_stat_throttle_rate # - $passenger_use_global_queue # - $passenger_app_env diff --git a/spec/classes/mod/passenger_spec.rb b/spec/classes/mod/passenger_spec.rb index 07ce358fe2..40ac749f6a 100644 --- a/spec/classes/mod/passenger_spec.rb +++ b/spec/classes/mod/passenger_spec.rb 
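Review bot: The `validate_re` pattern added in the `@@ -21,6 +22,11 @@` hunk of manifests/mod/passenger.pp anchors each alternative with `^` and `$`, which in a Ruby regular expression match at line boundaries rather than at the ends of the string. A multi-line value in which any single line equals one of the four keywords would therefore pass, and the `PassengerSpawnMethod <%= @passenger_spawn_method %>` template line added by the same commit would write it into passenger.conf with the extra lines intact. Anchoring on the whole string closes this: `validate_re($passenger_spawn_method, '\A(smart|direct|smart-lv2|conservative)\z', ...)`. The spec in this commit only covers a single-line bogus value, so a case with an embedded newline would be worth adding; the class body continues outside the hunk.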
@@ -64,6 +64,18 @@ end it { is_expected.to contain_file('passenger.conf').with_content(/^ PassengerMaxRequests 20$/) } end + describe "with passenger_spawn_method => bogus" do + let :params do + { :passenger_spawn_method => 'bogus' } + end + it { is_expected.to raise_error(Puppet::Error, /not permitted for passenger_spawn_method/) } + end + describe "with passenger_spawn_method => direct" do + let :params do + { :passenger_spawn_method => 'direct' } + end + it { is_expected.to contain_file('passenger.conf').with_content(/^ PassengerSpawnMethod direct$/) } + end describe "with passenger_stat_throttle_rate => 10" do let :params do { :passenger_stat_throttle_rate => 10 } diff --git a/templates/mod/passenger.conf.erb b/templates/mod/passenger.conf.erb index e50a2d636c..1af4eaaa4b 100644 --- a/templates/mod/passenger.conf.erb +++ b/templates/mod/passenger.conf.erb @@ -25,6 +25,9 @@ <%- if @passenger_max_requests -%> PassengerMaxRequests <%= @passenger_max_requests %> <%- end -%> + <%- if @passenger_spawn_method -%> + PassengerSpawnMethod <%= @passenger_spawn_method %> + <%- end -%> <%- if @passenger_stat_throttle_rate -%> PassengerStatThrottleRate <%= @passenger_stat_throttle_rate %> <%- end -%> From eb022c68b35d42ca145973d846e3ff8ec8fc10b5 Mon Sep 17 00:00:00 2001 From: Hunter Haugen Date: Thu, 6 Aug 2015 10:52:01 -0700 Subject: [PATCH 18/71] Update README.md Closes #1172 --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 2e457ffb9b..802b21f3e8 100644 --- a/README.md +++ b/README.md @@ -780,7 +780,7 @@ Sets the location of the Apache server's custom configuration directory. Default - **Debian**: `/etc/apache2/conf.d` - **FreeBSD**: `/usr/local/etc/apache22` - **Gentoo**: `/etc/apache2/conf.d` -- **Red Hat**: `/etc/httpd/conf` +- **Red Hat**: `/etc/httpd/conf.d` ##### `default_charset` 
@@ -1111,7 +1111,7 @@ Changes your virtual host configuration files' location. Default: determined by - **Debian**: `/etc/apache2/sites-available` - **FreeBSD**: `/usr/local/etc/apache22/Vhosts` - **Gentoo**: `/etc/apache2/vhosts.d` -- **Red Hat**: `etc/httpd/conf.d` +- **Red Hat**: `/etc/httpd/conf.d` ##### `user` From e504da604dca75fc584c96c1359c8aa79d1daf9f Mon Sep 17 00:00:00 2001 From: Phil Fenstermacher Date: Mon, 6 Jul 2015 22:40:39 -0400 Subject: [PATCH 19/71] mod::alias should be included when the aliases parameter is used (even without scriptaliases) --- manifests/vhost.pp | 2 +- spec/defines/vhost_spec.rb | 14 ++++++++++++++ 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/manifests/vhost.pp b/manifests/vhost.pp index af48d2f3f0..0fb37851c1 100644 --- a/manifests/vhost.pp +++ b/manifests/vhost.pp @@ -363,7 +363,7 @@ } # Load mod_alias if needed and not yet loaded - if ($scriptalias or $scriptaliases != []) or ($redirect_source and $redirect_dest) { + if ($scriptalias and $scriptaliases != []) or ($aliases and $aliases != []) or ($redirect_source and $redirect_dest) { if ! defined(Class['apache::mod::alias']) and ($ensure == 'present') { include ::apache::mod::alias } diff --git a/spec/defines/vhost_spec.rb b/spec/defines/vhost_spec.rb index dac685eb95..cb8c9e84bb 100644 --- a/spec/defines/vhost_spec.rb +++ b/spec/defines/vhost_spec.rb @@ -427,6 +427,20 @@ it { is_expected.to contain_concat__fragment('rspec.example.com-charsets') } it { is_expected.to contain_concat__fragment('rspec.example.com-file_footer') } end + context 'set only aliases' do + let :params do + { + 'docroot' => '/rspec/docroot', + 'aliases' => [ + { + 'alias' => '/alias', + 'path' => '/rspec/docroot', + }, + ] + } + end + it { is_expected.to contain_class('apache::mod::alias')} + end context 'proxy_pass_match' do let :params do { From 7e4c6bc55043506140c950876f53299fb324d0b0 Mon Sep 17 00:00:00 2001 
From: Jamie Cressey Date: Wed, 24 Jun 2015 11:17:20 +0100 Subject: [PATCH 20/71] Adding support to mod_disk_cache for >= 2.4 Adding support to mod_disk_cache for >= 2.4 --- README.md | 14 +++- manifests/mod/disk_cache.pp | 41 ++++++----- spec/classes/mod/disk_cache.rb | 111 ++++++++++++++++++++++++++++++ templates/mod/disk_cache.conf.erb | 12 ++-- 4 files changed, 153 insertions(+), 25 deletions(-) create mode 100644 spec/classes/mod/disk_cache.rb diff --git a/README.md b/README.md index 802b21f3e8..c1909782c6 100644 --- a/README.md +++ b/README.md @@ -45,6 +45,7 @@ [`apache::mod::`]: #classes-apachemodmodule-name [`apache::mod::alias`]: #class-apachemodalias [`apache::mod::auth_cas`]: #class-apachemodauth_cas +[`apache::mod::disk_cache`]: #class-apachemoddisk_cache [`apache::mod::event`]: #class-apachemodevent [`apache::mod::geoip`]: #class-apachemodgeoip [`apache::mod::itk`]: #class-apachemoditk @@ -1183,7 +1184,7 @@ The following Apache modules have supported classes, many of which allow for par * `deflate` * `dev` * `dir`* -* `disk_cache` +* `disk_cache` (see [`apache::mod::disk_cache`][]) * `event` (see [`apache::mod::event`][]) * `expires` * `fastcgi` @@ -1245,6 +1246,17 @@ Installs and manages [`mod_alias`][]. - **Gentoo**: `/var/www/icons` - **Red Hat**: `/var/www/icons`, except on Apache 2.4, where it's `/usr/share/httpd/icons` +####Class: `apache::mod::disk_cache` + +Installs and configures mod_disk_cache. The cache root is determined based on apache version and OS. It can be specified directly as well. + +Specifying the cache root: +```puppet + class {'::apache::mod::disk_cache': + cache_root => '/path/to/cache', + } +``` + ##### Class: `apache::mod::event` Installs and manages [`mod_mpm_event`][]. You can't include both `apache::mod::event` and [`apache::mod::itk`][], [`apache::mod::peruser`][], [`apache::mod::prefork`][], or [`apache::mod::worker`][] on the same server. 
diff --git a/manifests/mod/disk_cache.pp b/manifests/mod/disk_cache.pp index 2b9d8a9101..2f0a476fa4 100644 --- a/manifests/mod/disk_cache.pp +++ b/manifests/mod/disk_cache.pp @@ -1,25 +1,34 @@ -class apache::mod::disk_cache { - $cache_root = $::osfamily ? { - 'debian' => '/var/cache/apache2/mod_disk_cache', - 'redhat' => '/var/cache/mod_proxy', - 'freebsd' => '/var/cache/mod_disk_cache', - 'gentoo' => '/var/cache/apache2/mod_disk_cache', +class apache::mod::disk_cache ( + $cache_root = undef, +) { + if $cache_root { + $_cache_root = $cache_root } - - $mod_name = $::osfamily ? { - 'FreeBSD' => 'cache_disk', - default => 'disk_cache', + elsif versioncmp($::apache::apache_version, '2.4') >= 0 { + $_cache_root = $::osfamily ? { + 'debian' => '/var/cache/apache2/mod_cache_disk', + 'redhat' => '/var/cache/httpd/proxy', + 'freebsd' => '/var/cache/mod_cache_disk', + } + } + else { + $_cache_root = $::osfamily ? { + 'debian' => '/var/cache/apache2/mod_disk_cache', + 'redhat' => '/var/cache/mod_proxy', + 'freebsd' => '/var/cache/mod_disk_cache', + } } - if $::osfamily != 'FreeBSD' { - # FIXME: investigate why disk_cache was dependent on proxy - # NOTE: on FreeBSD disk_cache is compiled by default but proxy is not - Class['::apache::mod::proxy'] -> Class['::apache::mod::disk_cache'] + if versioncmp($::apache::apache_version, '2.4') >= 0 { + apache::mod { 'cache_disk': } } + else { + apache::mod { 'disk_cache': } + } + Class['::apache::mod::cache'] -> Class['::apache::mod::disk_cache'] - apache::mod { $mod_name: } - # Template uses $cache_proxy + # Template uses $_cache_root file { 'disk_cache.conf': ensure => file, path => "${::apache::mod_dir}/disk_cache.conf", diff --git a/spec/classes/mod/disk_cache.rb b/spec/classes/mod/disk_cache.rb new file mode 100644 index 0000000000..263b4cac64 --- /dev/null +++ b/spec/classes/mod/disk_cache.rb 
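Review bot: Both new `$::osfamily` selectors for `$_cache_root` in manifests/mod/disk_cache.pp drop the `'gentoo'` entry that the removed selector had, and neither has a `default`, so on Gentoo the class no longer resolves a cache root unless `cache_root` is passed explicitly. Restoring `'gentoo' => '/var/cache/apache2/mod_disk_cache',` in the pre-2.4 selector keeps the old behaviour; the 2.4 selector needs the matching Gentoo path once it is confirmed. The ordering `Class['::apache::mod::cache'] -> Class['::apache::mod::disk_cache']` is now unconditional, and nothing in the hunk declares `apache::mod::cache`, so it presumably has to be in the catalog already; a comment saying so, or an `include`, would make that requirement visible.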
@@ -0,0 +1,111 @@ +require 'spec_helper' + +describe 'apache::mod::disk_cache', :type => :class do + let :pre_condition do + 'include apache' + end + context "on a Debian OS", :compile do + let :facts do + { + :id => 'root', + :kernel => 'Linux', + :lsbdistcodename => 'squeeze', + :osfamily => 'Debian', + :operatingsystem => 'Debian', + :operatingsystemrelease => '6', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :concat_basedir => '/dne', + :is_pe => false, + } + end + context "with Apache version < 2.4" do + let :params do + { + :apache_version => '2.2', + } + end + + it { is_expected.to contain_apache__mod("disk_cache") } + it { is_expected.to contain_file("disk_cache.conf").with(:content => /CacheEnable disk /\nCacheRoot \"\/var\/cache\/apache2\/mod_disk_cache\"\nCacheDirLevels 2\nCacheDirLength 1/) } + end + context "with Apache version >= 2.4" do + let :params do + { + :apache_version => '2.4', + } + end + + it { is_expected.to contain_apache__mod("cache_disk") } + it { is_expected.to contain_file("disk_cache.conf").with(:content => /CacheEnable disk /\nCacheRoot \"\/var\/cache\/apache2\/mod_cache_disk\"\nCacheDirLevels 2\nCacheDirLength 1/) } + end + end + + context "on a RedHat 6-based OS", :compile do + let :facts do + { + :id => 'root', + :kernel => 'Linux', + :osfamily => 'RedHat', + :operatingsystem => 'RedHat', + :operatingsystemrelease => '6', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :concat_basedir => '/dne', + :is_pe => false, + } + end + context "with Apache version < 2.4" do + let :params do + { + :apache_version => '2.2', + } + end + + it { is_expected.to contain_apache__mod("disk_cache") } + it { is_expected.to contain_file("disk_cache.conf").with(:content => /CacheEnable disk /\nCacheRoot \"\/var\/cache\/httpd\/proxy\"\nCacheDirLevels 2\nCacheDirLength 1/) } + end + context "with Apache version >= 2.4" do + let :params do + { + :apache_version => '2.4', + } + end + + it { 
is_expected.to contain_apache__mod("cache_disk") } + it { is_expected.to contain_file("disk_cache.conf").with(:content => /CacheEnable disk /\nCacheRoot \"\/var\/cache\/httpd\/proxy\"\nCacheDirLevels 2\nCacheDirLength 1/) } + end + end + context "on a FreeBSD OS", :compile do + let :facts do + { + :id => 'root', + :kernel => 'FreeBSD', + :osfamily => 'FreeBSD', + :operatingsystem => 'FreeBSD', + :operatingsystemrelease => '10', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :concat_basedir => '/dne', + :is_pe => false, + } + end + context "with Apache version < 2.4" do + let :params do + { + :apache_version => '2.2', + } + end + + it { is_expected.to contain_apache__mod("disk_cache") } + it { is_expected.to contain_file("disk_cache.conf").with(:content => /CacheEnable disk /\nCacheRoot \"\/var\/cache\/mod_cache_disk\"\nCacheDirLevels 2\nCacheDirLength 1/) } + end + context "with Apache version >= 2.4" do + let :params do + { + :apache_version => '2.4', + } + end + + it { is_expected.to contain_apache__mod("cache_disk") } + it { is_expected.to contain_file("disk_cache.conf").with(:content => /CacheEnable disk /\nCacheRoot \"\/var\/cache\/mod_cache_disk\"\nCacheDirLevels 2\nCacheDirLength 1/) } + end + end +end diff --git a/templates/mod/disk_cache.conf.erb b/templates/mod/disk_cache.conf.erb index 0c7e2c4b73..b1b460e522 100644 --- a/templates/mod/disk_cache.conf.erb +++ b/templates/mod/disk_cache.conf.erb @@ -1,8 +1,4 @@ - - - CacheEnable disk / - CacheRoot "<%= @cache_root %>" - CacheDirLevels 2 - CacheDirLength 1 - - +CacheEnable disk / +CacheRoot "<%= @_cache_root %>" +CacheDirLevels 2 +CacheDirLength 1 From 1bf0aba5f6c457149786878afaba525bec940118 Mon Sep 17 00:00:00 2001 
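Review bot: The new spec is created as spec/classes/mod/disk_cache.rb, without the `_spec.rb` suffix the other specs in this series use (passenger_spec.rb, fcgid_spec.rb), so the default rspec file pattern probably never runs it. It would not pass as written either: the content matchers such as `/CacheEnable disk /\nCacheRoot ...` leave the `/` after `disk` unescaped, which ends the regex literal early, and `apache_version` is passed as a class parameter although the manifest hunk only declares `cache_root`. The expected paths for versions below 2.4 also disagree with the manifest, which has `/var/cache/mod_proxy` for Red Hat and `/var/cache/mod_disk_cache` for FreeBSD. Renaming the file to `disk_cache_spec.rb`, escaping the slash (`disk \/\n`) and aligning the expectations with the selectors would give the class real coverage.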
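Review bot: `CacheRoot "<%= @_cache_root %>"` writes the new `cache_root` class parameter verbatim inside a quoted directive, and the manifest hunk of this commit performs no check on it. A value containing a double quote or a line break would therefore produce malformed or additional directives in disk_cache.conf. The series already relies on stdlib validators (`validate_re` in passenger.pp), so a whole-string check inside the `if $cache_root` branch of manifests/mod/disk_cache.pp, for example `validate_re($cache_root, '\A/[^"\r\n]*\z')`, would reject such data at compile time.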
From: Seth Lyons Date: Sun, 9 Aug 2015 20:23:21 -0400 Subject: [PATCH 21/71] load unixd before fcgid on all operating systems (see #879) --- manifests/mod/fcgid.pp | 13 +++------ spec/classes/mod/fcgid_spec.rb | 27 ++++++++++++------- .../{fcgid.conf.erb => unixd_fcgid.conf.erb} | 0 3 files changed, 21 insertions(+), 19 deletions(-) rename templates/mod/{fcgid.conf.erb => unixd_fcgid.conf.erb} (100%) diff --git a/manifests/mod/fcgid.pp b/manifests/mod/fcgid.pp index a143c2b434..9786670338 100644 --- a/manifests/mod/fcgid.pp +++ b/manifests/mod/fcgid.pp @@ -1,22 +1,17 @@ class apache::mod::fcgid( $options = {}, ) { - if $::osfamily == 'RedHat' and $::operatingsystemmajrelease == '7' { - $loadfile_name = 'unixd_fcgid.load' - } else { - $loadfile_name = undef - } ::apache::mod { 'fcgid': - loadfile_name => $loadfile_name + loadfile_name => 'unixd_fcgid.load', } # Template uses: # - $options - file { 'fcgid.conf': + file { 'unixd_fcgid.conf': ensure => file, - path => "${::apache::mod_dir}/fcgid.conf", - content => template('apache/mod/fcgid.conf.erb'), + path => "${::apache::mod_dir}/unixd_fcgid.conf", + content => template('apache/mod/unixd_fcgid.conf.erb'), require => Exec["mkdir ${::apache::mod_dir}"], before => File[$::apache::mod_dir], notify => Class['apache::service'], diff --git a/spec/classes/mod/fcgid_spec.rb b/spec/classes/mod/fcgid_spec.rb index 096717d351..98953625ac 100644 --- a/spec/classes/mod/fcgid_spec.rb +++ b/spec/classes/mod/fcgid_spec.rb @@ -21,7 +21,9 @@ } end it { is_expected.to contain_class("apache::params") } - it { is_expected.to contain_apache__mod('fcgid') } + it { is_expected.to contain_apache__mod('fcgid').with({ + 'loadfile_name' => 'unixd_fcgid.load' + }) } it { is_expected.to contain_package("libapache2-mod-fcgid") } end 
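Review bot: Retitling the file resource from `fcgid.conf` to `unixd_fcgid.conf` in manifests/mod/fcgid.pp moves the managed path, but nothing in the hunk removes the previous `${::apache::mod_dir}/fcgid.conf`. On hosts where purging of unmanaged configuration is switched off, the old file would presumably stay in place and keep being loaded, with settings that no longer follow `$options`. The rename also breaks any manifest outside this module that refers to `File['fcgid.conf']`. A transitional resource such as `file { 'fcgid.conf': ensure => absent, path => "${::apache::mod_dir}/fcgid.conf", notify => Class['apache::service'] }` would cover upgrades and keep the old title resolvable.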
@@ -36,13 +38,15 @@ :id => 'root', :kernel => 'Linux', :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - :is_pe => false, + :is_pe => false, } end describe 'without parameters' do it { is_expected.to contain_class("apache::params") } - it { is_expected.to contain_apache__mod('fcgid') } + it { is_expected.to contain_apache__mod('fcgid').with({ + 'loadfile_name' => 'unixd_fcgid.load' + }) } it { is_expected.to contain_package("mod_fcgid") } end @@ -57,7 +61,7 @@ } end it 'should contain the correct config' do - content = catalogue.resource('file', 'fcgid.conf').send(:parameters)[:content] + content = catalogue.resource('file', 'unixd_fcgid.conf').send(:parameters)[:content] expect(content.split("\n").reject { |c| c =~ /(^#|^$)/ }).to eq([ '', ' AddHandler fcgid-script .fcgi', @@ -89,8 +93,7 @@ it { is_expected.to contain_class("apache::params") } it { is_expected.to contain_apache__mod('fcgid').with({ 'loadfile_name' => 'unixd_fcgid.load' - }) - } + }) } it { is_expected.to contain_package("mod_fcgid") } end end @@ -99,8 +102,8 @@ let :facts do { :osfamily => 'FreeBSD', - :operatingsystemrelease => '9', - :operatingsystemmajrelease => '9', + :operatingsystemrelease => '10', + :operatingsystemmajrelease => '10', :concat_basedir => '/dne', :operatingsystem => 'FreeBSD', :id => 'root', @@ -111,7 +114,9 @@ end it { is_expected.to contain_class("apache::params") } - it { is_expected.to contain_apache__mod('fcgid') } + it { is_expected.to contain_apache__mod('fcgid').with({ + 'loadfile_name' => 'unixd_fcgid.load' + }) } it { is_expected.to contain_package("www/mod_fcgid") } end @@ -130,7 +135,9 @@ end it { is_expected.to contain_class("apache::params") } - it { is_expected.to contain_apache__mod('fcgid') } + it { is_expected.to contain_apache__mod('fcgid').with({ + 'loadfile_name' => 'unixd_fcgid.load' + }) } it { is_expected.to contain_package("www-apache/mod_fcgid") } end end 
diff --git a/templates/mod/fcgid.conf.erb b/templates/mod/unixd_fcgid.conf.erb similarity index 100% rename from templates/mod/fcgid.conf.erb rename to templates/mod/unixd_fcgid.conf.erb From 3ff15a5e7e3fc3cc9adb7efd23c89169adde8a07 Mon Sep 17 00:00:00 2001 From: Bryan Jen Date: Wed, 12 Aug 2015 15:53:43 -0700 Subject: [PATCH 22/71] fixes conditional in vhost aliases --- manifests/vhost.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/vhost.pp b/manifests/vhost.pp index 0fb37851c1..20b1aa6b91 100644 --- a/manifests/vhost.pp +++ b/manifests/vhost.pp @@ -363,7 +363,7 @@ } # Load mod_alias if needed and not yet loaded - if ($scriptalias and $scriptaliases != []) or ($aliases and $aliases != []) or ($redirect_source and $redirect_dest) { + if ($scriptalias or $scriptaliases != []) or ($aliases and $aliases != []) or ($redirect_source and $redirect_dest) { if ! defined(Class['apache::mod::alias']) and ($ensure == 'present') { include ::apache::mod::alias } From cd1102bb20bc6ed876994986f28931248fa200dd Mon Sep 17 00:00:00 2001 
From: Vamegh Hedayati Date: Wed, 22 Jul 2015 11:49:47 +0100 Subject: [PATCH 23/71] Add support for user modifiable installation of mod_systemd and pidfile locations. default_mods.pp --> added use_systemd option, if running a custom build of apache on centos7, user modifiable boolean option provided init.pp --> added pidfile and use_systemd option both of which go to params.pp and allow these values to be set in hiera. changed all osfamily choices for conf_dir removed setting the $pidfile variable (now done in params). params.pp --> added $use_systemd, by default set to true to mimic original behaviour. added $pidfile, set to mimic exact same behaviour as used in init.pp, except now user changeable via hiera. updated documentation, to include the 2 new options. --- README.md | 64 ++++++++++++++++++++++----------------- manifests/default_mods.pp | 7 +++-- manifests/init.pp | 7 ++--- manifests/params.pp | 7 +++++ 4 files changed, 50 insertions(+), 35 deletions(-) diff --git a/README.md b/README.md index c1909782c6..769b937b8d 100644 --- a/README.md +++ b/README.md @@ -448,7 +448,7 @@ apache::vhost { 'suphp.example.com': suphp_configpath => '/etc/php5/apache2', directories => [ { 'path' => '/home/appuser/myphpapp', - 'suphp' => { + 'suphp' => { user => 'myappuser', group => 'myappgroup', }, 
@@ -620,7 +620,7 @@ Note that some modules have prerequisites, which are documented in their referen #### Installing arbitrary modules -You can pass the name of any module that your operating system's package manager can install to the [`apache::mod`][] define to install it. Unlike the specific-module classes, the [`apache::mod`][] define doesn't tailor the installation based on other installed modules or with specific parameters---Puppet only grabs and installs the module's package, leaving detailed configuration up to you. +You can pass the name of any module that your operating system's package manager can install to the [`apache::mod`][] define to install it. Unlike the specific-module classes, the [`apache::mod`][] define doesn't tailor the installation based on other installed modules or with specific parameters---Puppet only grabs and installs the module's package, leaving detailed configuration up to you. For example, to install the [`mod_authnz_external`][] Apache module, declare the define with the 'mod_authnz_external' name: 
@@ -795,7 +795,7 @@ Determines whether Puppet generates a default set of includable Apache configura Determines whether to configure and enable a set of default [Apache modules][] depending on your operating system. Valid options: 'true', 'false', or an array of Apache module names. Default: 'true'. -If this parameter's value is 'false', Puppet only includes the Apache modules required to make the HTTP daemon work on your operating system, and you can declare any other modules separately using the [`apache::mod::`][] class or [`apache::mod`][] define. +If this parameter's value is 'false', Puppet only includes the Apache modules required to make the HTTP daemon work on your operating system, and you can declare any other modules separately using the [`apache::mod::`][] class or [`apache::mod`][] define. If 'true', Puppet installs additional modules, the list of which depends on the operating system as well as the [`apache_version`][] and [`mpm_module`][] parameters' values. As these lists of modules can change frequently, consult the [Puppet module's code][] for up-to-date lists. @@ -803,7 +803,7 @@ If this parameter contains an array, Puppet instead enables all passed Apache mo ##### `default_ssl_ca` -Sets the default certificate authority for the Apache server. Default: 'undef'. +Sets the default certificate authority for the Apache server. Default: 'undef'. While this default value results in a functioning Apache server, you **must** update this parameter with your certificate authority information before deploying this server in a production environment. 
@@ -820,7 +820,7 @@ While the default value results in a functioning Apache server, you **must** upd ##### `default_ssl_chain` -Sets the default [SSL chain][] location. Default: 'undef'. +Sets the default [SSL chain][] location. Default: 'undef'. While this default value results in a functioning Apache server, you **must** update this parameter with your SSL chain before deploying this server in a production environment. @@ -832,7 +832,7 @@ While this default value results in a functioning Apache server, you **must** up ##### `default_ssl_crl_path` -Sets the server's [certificate revocation list path][], which contains your CRLs. Default: 'undef'. +Sets the server's [certificate revocation list path][], which contains your CRLs. Default: 'undef'. While this default value results in a functioning Apache server, you **must** update this parameter with the CRL path before deploying this server in a production environment. @@ -857,7 +857,7 @@ While these default values result in a functioning Apache server, you **must** u ##### `default_ssl_vhost` -Configures a default [SSL][SSL encryption] virtual host. Valid options: Boolean. Default: 'false'. +Configures a default [SSL][SSL encryption] virtual host. Valid options: Boolean. Default: 'false'. If 'true', Puppet automatically configures the following virtual host using the [`apache::vhost`][] define: @@ -880,7 +880,7 @@ _Apache 2.2 only_. Sets the [MIME `content-type`][] sent if the server cannot ot ##### `default_vhost` -Configures a default virtual host when the class is declared. Valid options: Boolean. Default: 'true'. +Configures a default virtual host when the class is declared. Valid options: Boolean. Default: 'true'. To configure [customized virtual hosts][Configuring virtual hosts], set this parameter's value to 'false'. 
@@ -899,7 +899,7 @@ Determines whether to enable [custom error documents][] on the Apache server. Va ##### `group` -Sets the group ID that owns any Apache processes spawned to answer requests. +Sets the group ID that owns any Apache processes spawned to answer requests. By default, Puppet attempts to manage this group as a resource under the `apache` class, determining the group based on the operating system as detected by the [`apache::params`][] class. To to prevent the group resource from being created and use a group created by another Puppet module, set the [`manage_group`][] parameter's value to 'false'. @@ -922,7 +922,7 @@ If 'On', use the [`keepalive_timeout`][] and [`max_keepalive_requests`][] parame ##### `keepalive_timeout` -Sets the [`KeepAliveTimeout`] directive, which determines the amount of time the Apache server waits for subsequent requests on a persistent HTTP connection. Default: '15'. +Sets the [`KeepAliveTimeout`] directive, which determines the amount of time the Apache server waits for subsequent requests on a persistent HTTP connection. Default: '15'. This parameter is only relevant if the [`keepalive` parameter][] is enabled. @@ -942,7 +942,7 @@ Specifies the location where [Apache module][Apache modules] files are stored. D ##### `loadfile_name` -Sets the [`LoadFile`] directive's filename. Valid options: Filenames in the format `\*.load`. +Sets the [`LoadFile`] directive's filename. Valid options: Filenames in the format `\*.load`. This can be used to set the module load order. 
@@ -980,13 +980,13 @@ Changes the directory of Apache log files for the virtual host. Default: Determi ##### `logroot_mode` -Overrides the default [`logroot`][] directory's mode. Default: 'undef'. +Overrides the default [`logroot`][] directory's mode. Default: 'undef'. **Note**: Do _not_ grant write access to the directory where the logs are stored without being aware of the consequences. See the [Apache documentation][Log security] for details. ##### `manage_group` -When 'false', stops Puppet from creating the group resource. Valid options: Boolean. Default: 'true'. +When 'false', stops Puppet from creating the group resource. Valid options: Boolean. Default: 'true'. If you have a group created from another Puppet module that you want to use to run Apache, set this to 'false'. Without this parameter, attempting to use a previously established group results in a duplicate resource error. @@ -1026,13 +1026,17 @@ You must set this to 'false' to explicitly declare the following classes with cu Controls the `package` resource's [`ensure`][] attribute. Valid options: 'absent', 'installed' (or the equivalent 'present'), or a version string. Default: 'installed'. +##### `pidfile` + +Allows settting a custom location for the pid file - useful if using a custom built Apache rpm. Defaults to 'run/httpd.pid' on RedHat, '/var/run/httpd.pid on FreeBSD and '\${APACHE_PID_FILE}' on Debian. + ##### `ports_file` Sets the path to the file containing Apache ports configuration. Default: `{$conf_dir}/ports.conf`. ##### `purge_configs` -Removes all other Apache configs and virtual hosts. Valid options: Boolean. Default: 'true'. +Removes all other Apache configs and virtual hosts. Valid options: Boolean. Default: 'true'. Setting this to 'false' is a stopgap measure to allow the apache Puppet module to coexist with existing or unmanaged configurations. We recommend moving your configuration to resources within this module. For virtual host configurations, see [`purge_vhost_configs`][]. 
@@ -1079,7 +1083,7 @@ Determines whether Puppet enables the Apache HTTPD service when the system is bo Determines whether Puppet should make sure the service is running. Valid options: 'true' (equivalent to 'running'), 'false' (equivalent to 'stopped'). Default: 'running'. -The 'false' or 'stopped' values set the 'httpd' service resource's `ensure` parameter to 'false', which is useful when you want to let the service be managed by another application, such as Pacemaker. +The 'false' or 'stopped' values set the 'httpd' service resource's `ensure` parameter to 'false', which is useful when you want to let the service be managed by another application, such as Pacemaker. ##### `service_name` @@ -1105,6 +1109,10 @@ Sets Apache's [`TimeOut`][] directive, which defines the number of seconds Apach Controls how Apache handles `TRACE` requests (per [RFC 2616][]) via the [`TraceEnable`][] directive. Valid options: 'Off', 'On'. Default: 'On'. +##### `use_systemd` + +Controls whether the systemd module should be installed on Centos 7 servers, this is especially useful if using custom built rpms. This can either be 'true' or 'false, defaults to 'true'. + ##### `vhost_dir` Changes your virtual host configuration files' location. Default: determined by your operating system. @@ -1116,7 +1124,7 @@ Changes your virtual host configuration files' location. Default: determined by ##### `user` -Changes the user Apache uses to answer requests. Apache's parent process will continue to be run as root, but child processes will access resources as the user defined by this parameter. +Changes the user Apache uses to answer requests. Apache's parent process will continue to be run as root, but child processes will access resources as the user defined by this parameter. Default: Puppet sets the default value via the [`apache::params`][] class, which manages the user based on your operating system: 
@@ -1146,7 +1154,7 @@ Installs Apache development libraries. By default, the package name is defined b The default value is determined by your operating system: - **Debian** : 'libaprutil1-dev', 'libapr1-dev'; 'apache2-dev' on Ubuntu 13.10 and Debian 8; 'apache2-prefork-dev' on other versions -- **FreeBSD**: 'undef'; see note below +- **FreeBSD**: 'undef'; see note below - **Gentoo**: 'undef' - **Red Hat**: 'httpd-devel' @@ -1428,7 +1436,7 @@ The class's parameters correspond to the module's directives. See the [module's ##### Class: `apache::mod::php` -Installs and configures [`mod_php`][]. +Installs and configures [`mod_php`][]. **Parameters within `apache::mod::php`**: @@ -1438,7 +1446,7 @@ Default values depend on your operating system. - `package_name`: Names the package that installs `php_mod`. - `path`: Defines the path to the `mod_php` shared object (`.so`) file. -- `source`: Defines the path to the default configuration. Valid options include a `puppet:///` paths. +- `source`: Defines the path to the default configuration. Valid options include a `puppet:///` paths. - `template`: Defines the path to the `php.conf` template Puppet uses to generate the configuration file. - `content`: Adds arbitrary content to `php.conf`. @@ -1458,7 +1466,7 @@ Defining this class enables Shibboleth-specific parameters in `apache::vhost` in ##### Class: `apache::mod::ssl` -Installs [Apache SSL features][`mod_ssl`] and uses the `ssl.conf.erb` template to generate its configuration. +Installs [Apache SSL features][`mod_ssl`] and uses the `ssl.conf.erb` template to generate its configuration. **Parameters within `apache::mod::ssl`**: 
@@ -1619,7 +1627,7 @@ Sets the configuration file's content. The `content` and [`source`][] parameters ##### `priority` -Sets the configuration file's priority by prefixing its filename with this parameter's numeric value, as Apache processes configuration files in alphanumeric order. The default value is `25`. +Sets the configuration file's priority by prefixing its filename with this parameter's numeric value, as Apache processes configuration files in alphanumeric order. The default value is `25`. To omit the priority prefix in the configuration file's name, set this parameter to `false`. @@ -1675,7 +1683,7 @@ Adds [`Listen`][] directives to `ports.conf` in the Apache configuration directo Installs packages for an Apache module that doesn't have a corresponding [`apache::mod::`][] class, and checks for or places the module's default configuration files in the Apache server's `module` and `enable` directories. The default locations depend on your operating system. -**Parameters within `apache::mod`**: +**Parameters within `apache::mod`**: ##### `package` @@ -1691,7 +1699,7 @@ Defines the module's shared object name. Its default value is `mod_$name.so`, an ##### `lib_path` -Specifies a path to the module's libraries. Default: the `apache` class's [`lib_path`][] parameter. +Specifies a path to the module's libraries. Default: the `apache` class's [`lib_path`][] parameter. Don't manually set this parameter without special reason. The [`path`][] parameter overrides this value. 
@@ -1717,7 +1725,7 @@ The Apache module allows a lot of flexibility in the setup and configuration of The `apache::vhost` define allows you to have specialized configurations for virtual hosts that have requirements outside the defaults. You can set up a default virtual host within the base `::apache` class, as well as set a customized virtual host as the default. Customized virtual hosts have a lower numeric [`priority`][] than the base class's, causing Apache to process the customized virtual host first. -The `apache::vhost` define uses `concat::fragment` to build the configuration file. To inject custom fragments for pieces of the configuration that the define doesn't inherently support, add a custom fragment. +The `apache::vhost` define uses `concat::fragment` to build the configuration file. To inject custom fragments for pieces of the configuration that the define doesn't inherently support, add a custom fragment. For the custom fragment's `order` parameter, the `apache::vhost` define uses multiples of 10, so any `order` that isn't a multiple of 10 should work. @@ -1799,7 +1807,7 @@ If [`apache::mod::passenger`][] is loaded and `PassengerHighPerformance` is 'tru ##### `allow_encoded_slashes` -Sets the [`AllowEncodedSlashes`][] declaration for the virtual host, overriding the server default. This modifies the virtual host responses to URLs with `\` and `/` characters. Valid options: 'nodecode', 'off', 'on'. Default: undef, which omits the declaration from the server configuration and selects the Apache default setting of `Off`. +Sets the [`AllowEncodedSlashes`][] declaration for the virtual host, overriding the server default. This modifies the virtual host responses to URLs with `\` and `/` characters. Valid options: 'nodecode', 'off', 'on'. Default: undef, which omits the declaration from the server configuration and selects the Apache default setting of `Off`. ##### `block` 
@@ -1988,7 +1996,7 @@ This directive is equivalent to `no_proxy_uris`, but takes regular expressions. ##### `proxy_preserve_host` -Sets the [ProxyPreserveHost Directive](http://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypreservehost). Valid options: Boolean. Default: 'false'. +Sets the [ProxyPreserveHost Directive](http://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypreservehost). Valid options: Boolean. Default: 'false'. Setting this parameter to 'true' enables the `Host:` line from an incoming request to be proxied to the host instead of hostname. 'false' sets this option to 'Off'. @@ -3052,8 +3060,8 @@ file { '/custom/path': ensure => directory, } -file { '/custom/path/include': - ensure => present, +file { '/custom/path/include': + ensure => present, content => '#additional_includes', } diff --git a/manifests/default_mods.pp b/manifests/default_mods.pp index 9e3c2c69a7..1c3820bf09 100644 --- a/manifests/default_mods.pp +++ b/manifests/default_mods.pp @@ -1,7 +1,8 @@ class apache::default_mods ( $all = true, $mods = undef, - $apache_version = $::apache::apache_version + $apache_version = $::apache::apache_version, + $use_systemd = $::apache::use_systemd, ) { # These are modules required to run the default configuration. # They are not configurable at this time, so we just include @@ -13,7 +14,9 @@ # Lets fork it # Do not try to load mod_systemd on RHEL/CentOS 6 SCL. if ( !($::osfamily == 'redhat' and versioncmp($::operatingsystemrelease, '7.0') == -1) and !($::operatingsystem == 'Amazon') ) { - ::apache::mod { 'systemd': } + if ($use_systemd) { + ::apache::mod { 'systemd': } + } } ::apache::mod { 'unixd': } } diff --git a/manifests/init.pp b/manifests/init.pp index 9e6da98138..5f02bfd61f 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -52,6 +52,7 @@ $lib_path = $::apache::params::lib_path, $conf_template = $::apache::params::conf_template, $servername = $::apache::params::servername, + $pidfile = $::apache::params::pidfile, $manage_user = true, $manage_group = true, $user = $::apache::params::user, @@ -72,6 +73,7 @@ $allow_encoded_slashes = undef, $package_ensure = 'installed', $use_optional_includes = $::apache::params::use_optional_includes, + $use_systemd = $::apache::params::use_systemd, ) inherits ::apache::params { validate_bool($default_vhost) validate_bool($default_ssl_vhost) @@ -247,24 +249,20 @@ if $::apache::conf_dir and $::apache::params::conf_file { case $::osfamily { 'debian': { - $pidfile = "\${APACHE_PID_FILE}" $error_log = 'error.log' $scriptalias = '/usr/lib/cgi-bin' $access_log_file = 'access.log' } 'redhat': { - $pidfile = 'run/httpd.pid' $error_log = 'error_log' $scriptalias = '/var/www/cgi-bin' $access_log_file = 'access_log' } 'freebsd': { - $pidfile = '/var/run/httpd.pid' $error_log = 'httpd-error.log' $scriptalias = '/usr/local/www/apache24/cgi-bin' $access_log_file = 'httpd-access.log' } 'gentoo': { - $pidfile = '/run/apache2.pid' $error_log = 'error.log' $error_documents_path = '/usr/share/apache2/error' $scriptalias = '/var/www/localhost/cgi-bin' @@ -282,7 +280,6 @@ } } 'Suse': { - $pidfile = '/var/run/httpd2.pid' $error_log = 'error.log' $scriptalias = '/usr/lib/cgi-bin' $access_log_file = 'access.log' diff --git a/manifests/params.pp b/manifests/params.pp index 63a338ba9c..6a26128eaa 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -29,6 +29,9 @@ $log_level = 'warn' $use_optional_includes = false + # should we use systemd module? + $use_systemd = true + if $::operatingsystem == 'Ubuntu' and $::lsbdistrelease == '10.04' { $verify_command = '/usr/sbin/apache2ctl -t' } else { 
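Review bot: The third init.pp hunk removes `$pidfile = '/run/apache2.pid'` from the 'gentoo' case, but the params.pp hunks of this patch add `$pidfile` in only four places, which by their neighbouring values look like the RedHat, Debian, FreeBSD and Suse blocks. Unless the Gentoo block of params.pp already defines it outside the visible hunks, `$::apache::params::pidfile` would be undef on Gentoo and the main configuration would presumably be rendered without a usable pid file path. Adding `$pidfile = '/run/apache2.pid'` to the Gentoo block of params.pp keeps the previous behaviour. The `case $::osfamily` statement runs past both ends of the hunk.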
@@ -50,6 +53,7 @@ $vhost_enable_dir = undef $conf_file = 'httpd.conf' $ports_file = "${conf_dir}/ports.conf" + $pidfile = 'run/httpd.pid' $logroot = '/var/log/httpd' $logroot_mode = undef $lib_path = 'modules' @@ -170,6 +174,7 @@ $vhost_enable_dir = "${httpd_dir}/sites-enabled" $conf_file = 'apache2.conf' $ports_file = "${conf_dir}/ports.conf" + $pidfile = "\${APACHE_PID_FILE}" $logroot = '/var/log/apache2' $logroot_mode = undef $lib_path = '/usr/lib/apache2/modules' @@ -316,6 +321,7 @@ $vhost_enable_dir = undef $conf_file = 'httpd.conf' $ports_file = "${conf_dir}/ports.conf" + $pidfile = '/var/run/httpd.pid' $logroot = '/var/log/apache24' $logroot_mode = undef $lib_path = '/usr/local/libexec/apache24' @@ -443,6 +449,7 @@ $vhost_enable_dir = "${httpd_dir}/sites-enabled" $conf_file = 'httpd.conf' $ports_file = "${conf_dir}/ports.conf" + $pidfile = '/var/run/httpd2.pid' $logroot = '/var/log/apache2' $logroot_mode = undef $lib_path = '/usr/lib64/apache2-prefork/' From d4dbc720c69e4a92384bb492cc78a3f82db81c78 Mon Sep 17 00:00:00 2001 From: Bryan Jen Date: Thu, 13 Aug 2015 13:23:03 -0700 Subject: [PATCH 24/71] corrects mod_cgid worker/event defaults --- manifests/mod/cgid.pp | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/manifests/mod/cgid.pp b/manifests/mod/cgid.pp index 6db6b287d1..4094c3281a 100644 --- a/manifests/mod/cgid.pp +++ b/manifests/mod/cgid.pp @@ -2,11 +2,10 @@ case $::osfamily { 'FreeBSD': {} default: { - if defined(Class['::apache::mod::worker']) { - Class['::apache::mod::worker'] -> Class['::apache::mod::cgid'] - } - elsif defined(Class['::apache::mod::event']) { + if defined(Class['::apache::mod::event']) { Class['::apache::mod::event'] -> Class['::apache::mod::cgid'] + } else { + Class['::apache::mod::worker'] -> Class['::apache::mod::cgid'] } } } From ea54cf0e46d585596b6e83f714b0b34a07d5caeb Mon Sep 17 00:00:00 2001 
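Review bot: The rewritten `else` branch in the cgid.pp hunk orders against `Class['::apache::mod::worker']` whenever `apache::mod::event` is not yet known to `defined()`. A catalog that declares neither MPM class, or declares event later in evaluation order, would then reference a class that is not in the catalog and would likely fail to compile. If worker is meant to be the assumed default, a comment above the `if` should say so, e.g. `# cgid needs a threaded MPM; worker is assumed unless event is already declared`. The surrounding `case $::osfamily` and the class body start above the hunk.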
From: Matthias Pigulla Date: Mon, 17 Aug 2015 01:02:43 +0200 Subject: [PATCH 25/71] The purge_vhost_configs parameter is actually called purge_vhost_dir --- README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 769b937b8d..6ddc2e91be 100644 --- a/README.md +++ b/README.md @@ -179,7 +179,7 @@ [Puppet module]: http://docs.puppetlabs.com/puppet/latest/reference/modules_fundamentals.html [Puppet module's code]: https://github.com/puppetlabs/puppetlabs-apache/blob/master/manifests/default_mods.pp [`purge_configs`]: #purge_configs -[`purge_vhost_configs`]: #purge_vhost_configs +[`purge_vhost_dir`]: #purge_vhost_dir [Python]: https://www.python.org/ [Rack]: http://rack.github.io/ 
@@ -1038,13 +1038,13 @@ Sets the path to the file containing Apache ports configuration. Default: `{$con Removes all other Apache configs and virtual hosts. Valid options: Boolean. Default: 'true'. -Setting this to 'false' is a stopgap measure to allow the apache Puppet module to coexist with existing or unmanaged configurations. We recommend moving your configuration to resources within this module. For virtual host configurations, see [`purge_vhost_configs`][]. +Setting this to 'false' is a stopgap measure to allow the apache Puppet module to coexist with existing or unmanaged configurations. We recommend moving your configuration to resources within this module. For virtual host configurations, see [`purge_vhost_dir`][]. -##### `purge_vhost_configs` +##### `purge_vhost_dir` -If the [`vhost_dir`][] parameter's value differs from the [`confd_dir`][] parameter's, the Boolean parameter `purge_vhost_configs` determines whether Puppet removes any configurations inside `vhost_dir` _not_ managed by Puppet. Default: same as [`purge_configs`][]. +If the [`vhost_dir`][] parameter's value differs from the [`confd_dir`][] parameter's, the Boolean parameter `purge_vhost_dir` determines whether Puppet removes any configurations inside `vhost_dir` _not_ managed by Puppet. Default: same as [`purge_configs`][]. -Setting `purge_vhost_configs` to 'false' is a stopgap measure to allow the apache Puppet module to coexist with existing or otherwise unmanaged configurations within `vhost_dir`. +Setting `purge_vhost_dir` to 'false' is a stopgap measure to allow the apache Puppet module to coexist with existing or otherwise unmanaged configurations within `vhost_dir`. ##### `sendfile` From d245182d0b13faaecfd7cc45589a6e26f05ff41c Mon Sep 17 00:00:00 2001 
From: Alex Schultz Date: Tue, 18 Aug 2015 16:46:09 -0500 Subject: [PATCH 26/71] Add ListenBacklog for mod worker (MODULES-2432) This change adds the ListenBacklog option for the worker module. --- manifests/mod/worker.pp | 56 +++++++++++++++++++++++++++++++++ spec/classes/mod/worker_spec.rb | 5 ++- templates/mod/worker.conf.erb | 1 + 3 files changed, 61 insertions(+), 1 deletion(-) diff --git a/manifests/mod/worker.pp b/manifests/mod/worker.pp index 25925f8073..2e6a6421b2 100644 --- a/manifests/mod/worker.pp +++ b/manifests/mod/worker.pp 
@@ -1,3 +1,57 @@ +# == Class: apache::mod::worker +# +# +# === Parameters +# +# [*startservers*] +# (optional) The number of child server processes created on startup +# Defaults is '2' +# +# [*maxclients*] +# (optional) The max number of simultaneous requests that will be served. +# This is the old name and is still supported. The new name is +# MaxRequestWorkers as of 2.3.13. +# Default is '150' +# +# [*minsparethreads*] +# (optional) Minimum number of idle threads to handle request spikes. +# Default is '25' +# +# [*maxsparethreads*] +# (optional) Maximum number of idle threads. +# Default is '75' +# +# [*threadsperchild*] +# (optional) The number of threads created by each child process. +# Default is '25' +# +# [*maxrequestsperchild*] +# (optional) Limit on the number of connectiojns an individual child server +# process will handle. This is the old name and is still supported. The new +# name is MaxConnectionsPerChild as of 2.3.9+. +# Default is '0' +# +# [*serverlimit*] +# (optional) With worker, use this directive only if your MaxRequestWorkers +# and ThreadsPerChild settings require more than 16 server processes +# (default). Do not set the value of this directive any higher than the +# number of server processes required by what you may want for +# MaxRequestWorkers and ThreadsPerChild. +# Default is '25' +# +# [*threadlimit*] +# (optional) This directive sets the maximum configured value for +# ThreadsPerChild for the lifetime of the Apache httpd process. +# Default is '64' +# +# [*listenbacklog*] +# (optional) Maximum length of the queue of pending connections. +# Defaults is '511' +# +# [*apache_version*] +# (optional) +# Default is $::apache::apache_version +# class apache::mod::worker ( $startservers = '2', $maxclients = '150', @@ -7,6 +61,7 @@ $maxrequestsperchild = '0', $serverlimit = '25', $threadlimit = '64', + $listenbacklog = '511', $apache_version = $::apache::apache_version, ) { if defined(Class['apache::mod::event']) { 
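Review bot: The header comment added in the first worker.pp hunk has wording slips that will be carried into generated documentation: `connectiojns` under `maxrequestsperchild`, and `Defaults is` under `startservers` and `listenbacklog` where the other entries say `Default is`. The `serverlimit` entry quotes Apache's own figure of 16 server processes right before `Default is '25'`, which reads as a contradiction. Wording such as `Apache's built-in limit is 16; this class defaults to '25'` would separate the two. The `apache_version` entry has no description at all and could say what the value is used for.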
@@ -36,6 +91,7 @@ # - $maxrequestsperchild # - $serverlimit # - $threadLimit + # - $listenbacklog file { "${::apache::mod_dir}/worker.conf": ensure => file, content => template('apache/mod/worker.conf.erb'), diff --git a/spec/classes/mod/worker_spec.rb b/spec/classes/mod/worker_spec.rb index 38a79aeb26..9d0d8e5e01 100644 --- a/spec/classes/mod/worker_spec.rb +++ b/spec/classes/mod/worker_spec.rb @@ -157,6 +157,7 @@ it { should contain_file('/etc/httpd/conf.d/worker.conf').with(:content => /^\s+ThreadsPerChild\s+25$/) } it { should contain_file('/etc/httpd/conf.d/worker.conf').with(:content => /^\s+MaxRequestsPerChild\s+0$/) } it { should contain_file('/etc/httpd/conf.d/worker.conf').with(:content => /^\s+ThreadLimit\s+64$/) } + it { should contain_file("/etc/httpd/conf.d/worker.conf").with(:content => /^\s*ListenBacklog\s*511/) } end context 'setting params' do @@ -169,7 +170,8 @@ :maxsparethreads => 14, :threadsperchild => 15, :maxrequestsperchild => 16, - :threadlimit => 17 + :threadlimit => 17, + :listenbacklog => 8, } end it { should contain_file('/etc/httpd/conf.d/worker.conf').with(:content => /^$/) } @@ -181,6 +183,7 @@ it { should contain_file('/etc/httpd/conf.d/worker.conf').with(:content => /^\s+ThreadsPerChild\s+15$/) } it { should contain_file('/etc/httpd/conf.d/worker.conf').with(:content => /^\s+MaxRequestsPerChild\s+16$/) } it { should contain_file('/etc/httpd/conf.d/worker.conf').with(:content => /^\s+ThreadLimit\s+17$/) } + it { should contain_file("/etc/httpd/conf.d/worker.conf").with(:content => /^\s*ListenBacklog\s*8/) } end end end diff --git a/templates/mod/worker.conf.erb b/templates/mod/worker.conf.erb index 597e05f8d5..ad2bc44610 100644 --- a/templates/mod/worker.conf.erb +++ b/templates/mod/worker.conf.erb @@ -7,4 +7,5 @@ ThreadsPerChild <%= @threadsperchild %> MaxRequestsPerChild <%= @maxrequestsperchild %> ThreadLimit <%= @threadlimit %> + ListenBacklog <%= @listenbacklog %> 
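Review bot: The two `ListenBacklog` expectations added to worker_spec.rb are looser than the assertions next to them. `/^\s*ListenBacklog\s*8/` has no `$` anchor and allows zero whitespace, so it would also pass if the template rendered `ListenBacklog 80` or `ListenBacklog8`. Following the neighbouring style, `/^\s+ListenBacklog\s+8$/` and `/^\s+ListenBacklog\s+511$/` pin the rendered value. The same two lines use double-quoted path strings where the surrounding expectations use single quotes.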
From b2f842c9c03e86de855422827954fbb9e4471b87 Mon Sep 17 00:00:00 2001 From: Steve Traylen Date: Tue, 18 Aug 2015 13:21:19 +0200 Subject: [PATCH 27/71] (MODULES-2458) Support for mod_auth_mellon. mod_auth_melon is an authentication module for apache. Configurations such as the following are now supported. ```puppet class{'apache': default_mods => false, default_confd_files => false, default_vhost => false, } class{'apache::mod::auth_mellon': mellon_cache_size => 101 } apache::vhost{$::fqdn: docroot => '/var/www/html', port => 443, ssl => true, ssl_key => "/etc/certs/${::fqdn}.key", ssl_cert => "/etc/certs/${::fqdn}.cert", directories => [ { path => '/', provider => 'directory', mellon_enable => 'info', mellon_merge_env_vars => 'On', mellon_endpoint_path => '/mellon', mellon_sp_private_key_file => "/etc/certs/${::fqdn}.key", mellon_sp_cert_file => "/etc/certs/${::fqdn}.cert", mellon_idp_metadata_file => "/etc/httpd/conf.d/mellon/FederationMetadata.xml", mellon_set_env_no_prefix => { "user" => "http://schemas.xmlsoap.org/claims/UPN", "ADFS_GROUP" => "http://schemas.xmlsoap.org/claims/Group", "ADFS_EMAIL" => "http://schemas.xmlsoap.org/claims/EmailAddress"}, mellon_user => 'ADFS_LOGIN', }, { path => '/protected', provider => 'location', auth_type => 'Mellon', auth_require => 'valid-user', mellon_enable => 'auth', mellon_cond => ['ADFS_LOGIN straylen [MAP]'] }, ] } ``` --- README.md | 86 +++++++++++++++++++++++++++ manifests/mod/auth_mellon.pp | 24 ++++++++ manifests/params.pp | 11 ++++ spec/classes/mod/auth_mellon_spec.rb | 87 ++++++++++++++++++++++++++++ templates/mod/auth_mellon.conf.erb | 21 +++++++ templates/vhost/_directories.erb | 31 ++++++++++ 6 files changed, 260 insertions(+) create mode 100644 manifests/mod/auth_mellon.pp create mode 100644 spec/classes/mod/auth_mellon_spec.rb create mode 100644 templates/mod/auth_mellon.conf.erb diff --git a/README.md b/README.md index 769b937b8d..ac0e4c1616 100644 --- a/README.md +++ b/README.md 
@@ -45,6 +45,7 @@ [`apache::mod::`]: #classes-apachemodmodule-name [`apache::mod::alias`]: #class-apachemodalias [`apache::mod::auth_cas`]: #class-apachemodauth_cas +[`apache::mod::auth_mellon`]: #class-apachemodauth_mellon [`apache::mod::disk_cache`]: #class-apachemoddisk_cache [`apache::mod::event`]: #class-apachemodevent [`apache::mod::geoip`]: #class-apachemodgeoip @@ -142,6 +143,7 @@ [`mod_alias`]: https://httpd.apache.org/docs/current/mod/mod_alias.html [`mod_auth_cas`]: https://github.com/Jasig/mod_auth_cas [`mod_authnz_external`]: https://code.google.com/p/mod-auth-external/ +[`mod_auth_mellon`]: https://github.com/UNINETT/mod_auth_mellon [`mod_expires`]: http://httpd.apache.org/docs/current/mod/mod_expires.html [`mod_fcgid`]: https://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html [`mod_geoip`]: http://dev.maxmind.com/geoip/legacy/mod_geoip2/ @@ -1176,6 +1178,7 @@ The following Apache modules have supported classes, many of which allow for par * `alias` (see [`apache::mod::alias`][]) * `auth_basic` * `auth_cas`* (see [`apache::mod::auth_cas`][]) +* `auth_mellon`* (see [`apache::mod::auth_mellon`][]) * `auth_kerb` * `authn_core` * `authn_file` 
@@ -1303,6 +1306,26 @@ The `cas_login_url` and `cas_validate_url` parameters are required; several othe - `cas_validate_url`: **Required**. Sets the URL to use when validating a client-presented ticket in an HTTP query string. - `cas_version`: The CAS protocol version to adhere to. Valid options: '1', '2'. Default: '2'. +##### Class: `apache::mod::auth_mellon` + +Installs and manages [`mod_auth_mellon`][]. It's parameters share names with the Apache module's directives. + +~~~puppet +class{'apache::mod::auth_mellon': + mellon_cache_size => 101 +} +~~~ + +**Parameters within `apache::mod::auth_mellon`**: + +- `mellon_cache_size`: Size in megabytes of mellon cache. +- `mellon_cache_entry_size`: Maximum size for single session. +- `mellon_lock_file`: Location of lock file. +- `mellon_post_directory`: Full path where post requests are saved. +- `mellon_post_ttl`: Time to keep post requests. +- `mellon_post_size`: Maximum size of post requests. +- `mellon_post_count`: Maxmum number of post requests. + ##### Class: `apache::mod::deflate` Installs and configures [`mod_deflate`][]. 
@@ -2655,6 +2678,69 @@ Sets the [IndexStyleSheet](http://httpd.apache.org/docs/current/mod/mod_autoinde } ~~~ +###### `mellon_enable` + +Sets the [MellonEnable](https://github.com/UNINETT/mod_auth_mellon) to enable auth_melon on a location. + +~~~ puppet +apache::vhost{'sample.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/', + provider => 'directory', + mellon_enable => 'info', + mellon_sp_private_key_file => '/etc/certs/${::fqdn}.key, + mellon_endpoint_path => '/mellon', + mellon_set_env_no_prefix => { 'ADFS_GROUP' => 'http://schemas.xmlsoap.org/claims/Group', + 'ADFS_EMAIL' => 'http://schemas.xmlsoap.org/claims/EmailAddress'}, + mellon_user => 'ADFS_LOGIN' + }, + { path => '/protected', + provider => 'location', + mellon_enable => 'auth', + auth_type => 'Mellon', + auth_require => 'valid-user', + mellon_cond => ['ADFS_LOGIN userA [MAP]','ADFS_LOGIN userB [MAP]'] + } + ] +} + +###### `mellon_cond` + +Sets the [MellonCond](https://github.com/UNINETT/mod_auth_mellon) is an array of mellon conditions that must +be met to grant access. + + +###### `mellon_endpoint_path` + +Sets the [MellonEndpointPath](https://github.com/UNINETT/mod_auth_mellon) to set melon endpoint path. + +###### `mellon_idp_metadata_file` + +Sets the [MellonIDPMetadataFile](https://github.com/UNINETT/mod_auth_mellon) location of idp metadata file. + +###### `mellon_saml_rsponse_dump` + +Sets the [MellonSamlRepsponseDump](https://github.com/UNINETT/mod_auth_mellon) to enable debug of SAML. + +###### `mellon_set_env_no_prefix` + +Sets the [MellonSetEnvNoPrefix](https://github.com/UNINETT/mod_auth_mellon) is a hash of attribute names to map +to environment variables. + + +###### `mellon_sp_private_key_file` + +Sets the [MellonSPPrivateKeyFile](https://github.com/UNINETT/mod_auth_mellon) private key location of service provider. 
+ +###### `mellon_sp_cert_file` + +Sets the [MellonSPCertFile](https://github.com/UNINETT/mod_auth_mellon) public key location of service provider. + +###### `mellon_user` + +Sets the [MellonUser](https://github.com/UNINETT/mod_auth_mellon) attribute we should use for the username. + ###### `options` Lists the [Options](http://httpd.apache.org/docs/current/mod/core.html#options) for the given Directory block. diff --git a/manifests/mod/auth_mellon.pp b/manifests/mod/auth_mellon.pp new file mode 100644 index 0000000000..79f6ffebb2 --- /dev/null +++ b/manifests/mod/auth_mellon.pp @@ -0,0 +1,24 @@ +class apache::mod::auth_mellon ( + $mellon_cache_size = $::apache::params::mellon_cache_size, + $mellon_lock_file = $::apache::params::mellon_lock_file, + $mellon_post_directory = $::apache::params::mellon_post_directory, + $mellon_cache_entry_size = undef, + $mellon_post_ttl = undef, + $mellon_post_size = undef, + $mellon_post_count = undef +) { + + ::apache::mod { 'auth_mellon': } + + # Template uses + # - All variables beginning with mellon_ + file { 'auth_mellon.conf': + ensure => file, + path => "${::apache::mod_dir}/auth_mellon.conf", + content => template('apache/mod/auth_mellon.conf.erb'), + require => [ Exec["mkdir ${::apache::mod_dir}"], ], + before => File[$::apache::mod_dir], + notify => Class['Apache::Service'], + } + +} diff --git a/manifests/params.pp b/manifests/params.pp index 6a26128eaa..5c5233ccdb 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -75,6 +75,7 @@ $mod_packages = { 'auth_cas' => 'mod_auth_cas', 'auth_kerb' => 'mod_auth_kerb', + 'auth_mellon' => 'mod_auth_mellon', 'authnz_ldap' => $::apache::version::distrelease ? { '7' => 'mod_ldap', default => 'mod_authz_ldap', 
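Review bot: `mellon_post_directory` and `mellon_lock_file` are written into auth_mellon.conf by the new `apache::mod::auth_mellon` class, but nothing in the manifest creates those paths or sets their ownership and mode. The README added in this patch describes the post directory as the place where POST requests are saved, which can include submitted form data, and the 'with parameters' spec even points it at `/tmp/post`. Either manage the directory in this class with a restrictive mode, or add a header comment stating that the caller must create it owned by the Apache user and not readable by others. The class also has no doc comment, unlike the `apache::mod::worker` header added earlier in this series.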
@@ -131,6 +132,9 @@ $wsgi_socket_prefix = undef } $cas_cookie_path = '/var/cache/mod_auth_cas/' + $mellon_lock_file = '/run/mod_auth_mellon/lock' + $mellon_cache_size = 100 + $mellon_post_directory = undef $modsec_crs_package = 'mod_security_crs' $modsec_crs_path = '/usr/lib/modsecurity.d' $modsec_dir = '/etc/httpd/modsecurity.d' @@ -188,6 +192,7 @@ $mod_packages = { 'auth_cas' => 'libapache2-mod-auth-cas', 'auth_kerb' => 'libapache2-mod-auth-kerb', + 'auth_mellon' => 'libapache2-mod-auth-mellon', 'dav_svn' => 'libapache2-svn', 'fastcgi' => 'libapache2-mod-fastcgi', 'fcgid' => 'libapache2-mod-fcgid', @@ -218,6 +223,9 @@ $mime_types_config = '/etc/mime.types' $docroot = '/var/www' $cas_cookie_path = '/var/cache/apache2/mod_auth_cas/' + $mellon_lock_file = undef + $mellon_cache_size = undef + $mellon_post_directory = '/var/cache/apache2/mod_auth_mellon/' $modsec_crs_package = 'modsecurity-crs' $modsec_crs_path = '/usr/share/modsecurity-crs' $modsec_dir = '/etc/modsecurity' @@ -479,6 +487,9 @@ $mime_types_config = '/etc/mime.types' $docroot = '/srv/www' $cas_cookie_path = '/var/cache/apache2/mod_auth_cas/' + $mellon_lock_file = undef + $mellon_cache_size = undef + $mellon_post_directory = undef $alias_icons_path = '/usr/share/apache2/icons' $error_documents_path = '/usr/share/apache2/error' $dev_packages = ['libapr-util1-devel', 'libapr1-devel'] diff --git a/spec/classes/mod/auth_mellon_spec.rb b/spec/classes/mod/auth_mellon_spec.rb new file mode 100644 index 0000000000..f022e48108 --- /dev/null +++ b/spec/classes/mod/auth_mellon_spec.rb 
@@ -0,0 +1,87 @@ +describe 'apache::mod::auth_mellon', :type => :class do + let :pre_condition do + 'include apache' + end + context "on a Debian OS" do + let :facts do + { + :osfamily => 'Debian', + :operatingsystemrelease => '6', + :concat_basedir => '/dne', + :lsbdistcodename => 'squeeze', + :operatingsystem => 'Debian', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :fqdn => 'test.example.com', + :is_pe => false, + } + end + describe 'with no parameters' do + it { should contain_apache__mod('auth_mellon') } + it { should contain_package('libapache2-mod-auth-mellon') } + it { should contain_file('auth_mellon.conf').with_path('/etc/apache2/mods-available/auth_mellon.conf') } + it { should contain_file('auth_mellon.conf').with_content("MellonPostDirectory \"\/var\/cache\/apache2\/mod_auth_mellon\/\"\n") } + end + describe 'with parameters' do + let :params do + { :mellon_cache_size => '200', + :mellon_cache_entry_size => '2010', + :mellon_lock_file => '/tmp/junk', + :mellon_post_directory => '/tmp/post', + :mellon_post_ttl => '5', + :mellon_post_size => '8', + :mellon_post_count => '10' + } + end + it { should contain_file('auth_mellon.conf').with_content(/^MellonCacheSize\s+200$/) } + it { should contain_file('auth_mellon.conf').with_content(/^MellonCacheEntrySize\s+2010$/) } + it { should contain_file('auth_mellon.conf').with_content(/^MellonLockFile\s+"\/tmp\/junk"$/) } + it { should contain_file('auth_mellon.conf').with_content(/^MellonPostDirectory\s+"\/tmp\/post"$/) } + it { should contain_file('auth_mellon.conf').with_content(/^MellonPostTTL\s+5$/) } + it { should contain_file('auth_mellon.conf').with_content(/^MellonPostSize\s+8$/) } + it { should contain_file('auth_mellon.conf').with_content(/^MellonPostCount\s+10$/) } + end + + end + context "on a RedHat OS" do + let :facts do + { + :osfamily => 'RedHat', + :operatingsystemrelease => '6', + :concat_basedir => '/dne', + :operatingsystem 
=> 'RedHat', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :fqdn => 'test.example.com', + :is_pe => false, + } + end + describe 'with no parameters' do + it { should contain_apache__mod('auth_mellon') } + it { should contain_package('mod_auth_mellon') } + it { should contain_file('auth_mellon.conf').with_path('/etc/httpd/conf.d/auth_mellon.conf') } + it { should contain_file('auth_mellon.conf').with_content("MellonCacheSize 100\nMellonLockFile \"/run/mod_auth_mellon/lock\"\n") } + end + describe 'with parameters' do + let :params do + { :mellon_cache_size => '200', + :mellon_cache_entry_size => '2010', + :mellon_lock_file => '/tmp/junk', + :mellon_post_directory => '/tmp/post', + :mellon_post_ttl => '5', + :mellon_post_size => '8', + :mellon_post_count => '10' + } + end + it { should contain_file('auth_mellon.conf').with_content(/^MellonCacheSize\s+200$/) } + it { should contain_file('auth_mellon.conf').with_content(/^MellonCacheEntrySize\s+2010$/) } + it { should contain_file('auth_mellon.conf').with_content(/^MellonLockFile\s+"\/tmp\/junk"$/) } + it { should contain_file('auth_mellon.conf').with_content(/^MellonPostDirectory\s+"\/tmp\/post"$/) } + it { should contain_file('auth_mellon.conf').with_content(/^MellonPostTTL\s+5$/) } + it { should contain_file('auth_mellon.conf').with_content(/^MellonPostSize\s+8$/) } + it { should contain_file('auth_mellon.conf').with_content(/^MellonPostCount\s+10$/) } + end + end +end diff --git a/templates/mod/auth_mellon.conf.erb b/templates/mod/auth_mellon.conf.erb new file mode 100644 index 0000000000..e36a733907 --- /dev/null +++ b/templates/mod/auth_mellon.conf.erb 
@@ -0,0 +1,21 @@
+<%- if @mellon_cache_size -%>
+MellonCacheSize <%= @mellon_cache_size %>
+<%- end -%>
+<%- if @mellon_cache_entry_size -%>
+MellonCacheEntrySize <%= @mellon_cache_entry_size %>
+<%- end -%>
+<%- if @mellon_lock_file -%>
+MellonLockFile "<%= @mellon_lock_file %>"
+<%- end -%>
+<%- if @mellon_post_directory -%>
+MellonPostDirectory "<%= @mellon_post_directory %>"
+<%- end -%>
+<%- if @mellon_post_ttl -%>
+MellonPostTTL <%= @mellon_post_ttl %>
+<%- end -%>
+<%- if @mellon_post_size -%>
+MellonPostSize <%= @mellon_post_size %>
+<%- end -%>
+<%- if @mellon_post_count -%>
+MellonPostCount <%= @mellon_post_count %>
+<%- end -%>
diff --git a/templates/vhost/_directories.erb b/templates/vhost/_directories.erb
index 529d9bdffa..189bd57701 100644
--- a/templates/vhost/_directories.erb
+++ b/templates/vhost/_directories.erb
@@ -252,6 +252,37 @@ ShibUseHeaders <%= directory['shib_use_headers'] %> <%- end -%> <%- end -%> + <%- if directory['mellon_enable'] -%> + MellonEnable "<%= directory['mellon_enable'] %>" + <%- if directory['mellon_endpoint_path'] -%> + MellonEndpointPath "<%= directory['mellon_endpoint_path'] %>" + <%- end -%> + <%- if directory['mellon_sp_private_key_file'] -%> + MellonSPPrivateKeyFile "<%= directory['mellon_sp_private_key_file'] %>" + <%- end -%> + <%- if directory['mellon_sp_cert_file'] -%> + MellonSPCertFile "<%= directory['mellon_sp_cert_file'] %>" + <%- end -%> + <%- if directory['mellon_idp_metadata_file'] -%> + MellonIDPMetadataFile "<%= directory['mellon_idp_metadata_file'] %>" + <%- end -%> + <%- if directory['mellon_set_env_no_prefix'] -%> + <%- directory['mellon_set_env_no_prefix'].each do |key, value| -%> + MellonSetEnvNoPrefix "<%= key %>" "<%= value %>" + <%- end -%> + <%- end -%> + <%- if directory['mellon_user'] -%> + MellonUser "<%= directory['mellon_user'] %>" + <%- end -%> + <%- if directory['mellon_saml_response_dump'] -%> + MellonSamlResponseDump "<%= directory['mellon_saml_response_dump'] %>" + <%- end -%> + <%- if directory['mellon_cond'] -%> + <%- Array(directory['mellon_cond']).each do |cond| -%> + MellonCond <%= cond %> + <%- end -%> + <%- end -%> + <%- end -%> <%- if directory['custom_fragment'] -%> <%= directory['custom_fragment'] %> <%- end -%> From 3b5e4db1c5cb9194b757c7ca4a3f30f79e7103e5 Mon Sep 17 00:00:00 2001 From: Morgan Haskel Date: Mon, 24 Aug 2015 14:50:23 -0700 Subject: [PATCH 28/71] MODULES-2439 - ProxyPassMatch parameters were ending up on a newline --- spec/defines/vhost_spec.rb | 3 ++- templates/vhost/_proxy.erb | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/spec/defines/vhost_spec.rb b/spec/defines/vhost_spec.rb index cb8c9e84bb..5dce3f748b 100644 --- a/spec/defines/vhost_spec.rb +++ b/spec/defines/vhost_spec.rb 
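Review bot: Every Mellon directive in the _directories.erb hunk is nested under `if directory['mellon_enable']`, so a directory hash that sets only `mellon_cond` (for example a location relying on `MellonEnable` from a parent block) renders with no `MellonCond` and no error, leaving that path less restricted than the manifest suggests. Consider emitting `MellonCond` outside the `mellon_enable` guard, or failing when Mellon keys are given without it. `MellonCond <%= cond %>` is also the only directive here written without quoting, and none of the values are checked for quotes or newlines, so these hashes should only be fed from trusted data. The template reads `mellon_saml_response_dump` while the README hunk of this patch documents `mellon_saml_rsponse_dump`; since the README describes it as SAML debugging, it also deserves a note that it is not meant for production. The enclosing directory loop starts and ends outside the hunk.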
@@ -449,12 +449,13 @@ { 'path' => '.*', 'url' => 'http://backend-a/', + 'params' => { 'timeout' => 300 }, } ], } end it { is_expected.to contain_concat__fragment('rspec.example.com-proxy').with_content( - /ProxyPassMatch .* http:\/\/backend-a\//).with_content(/## Proxy rules/) } + /ProxyPassMatch .* http:\/\/backend-a\/ timeout=300/).with_content(/## Proxy rules/) } end context 'proxy_dest_match' do let :params do diff --git a/templates/vhost/_proxy.erb b/templates/vhost/_proxy.erb index 29d35cae98..71512fdba2 100644 --- a/templates/vhost/_proxy.erb +++ b/templates/vhost/_proxy.erb @@ -33,7 +33,7 @@ <% end -%> <% [@proxy_pass_match].flatten.compact.each do |proxy| %> - ProxyPassMatch <%= proxy['path'] %> <%= proxy['url'] %> + ProxyPassMatch <%= proxy['path'] %> <%= proxy['url'] -%> <%- if proxy['params'] -%> <%- proxy['params'].each_pair do |key, value| -%> <%= key %>=<%= value -%> <%- end -%> From 059b92b9403a555984734b988b7352adbbf7b602 Mon Sep 17 00:00:00 2001 From: Matthias Pigulla Date: Tue, 18 Aug 2015 23:37:43 +0200 Subject: [PATCH 29/71] Catch that mod_authz_default has been removed in Apache 2.4 Having it in the server config will prevent the server from starting as the module file cannot be found. --- manifests/mod/authz_default.pp | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/manifests/mod/authz_default.pp b/manifests/mod/authz_default.pp index 23edd9b5ac..e457774ae5 100644 --- a/manifests/mod/authz_default.pp +++ b/manifests/mod/authz_default.pp @@ -1,3 +1,9 @@ -class apache::mod::authz_default { - ::apache::mod { 'authz_default': } +class apache::mod::authz_default( + $apache_version = $::apache::apache_version +) { + if versioncmp($apache_version, '2.4') >= 0 { + warning('apache::mod::authz_default has been removed in Apache 2.4') + } else { + ::apache::mod { 'authz_default': } + } } From 7cf4b96f7806c9960ffd002b6c9f4a6cc8720800 Mon Sep 17 00:00:00 2001 
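Review bot: The `warning()` text in manifests/mod/authz_default.pp says `apache::mod::authz_default has been removed in Apache 2.4`, but it is the Apache module that is gone; the Puppet class still exists and now silently does nothing on 2.4. Catalogs that include the class will compile and simply not load the module, so the message should say that plainly: `warning('mod_authz_default does not exist in Apache 2.4; apache::mod::authz_default is a no-op on this version')`. A one-line comment above the `if` saying why the class is kept would help the next reader, and the commit touches only this one file, so the 2.4 branch has no spec.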
From: Julien Pivotto Date: Wed, 12 Aug 2015 14:44:45 +0200 Subject: [PATCH 30/71] Support the mod_proxy ProxyPassReverseCookiePath directive --- README.md | 3 +++ spec/defines/vhost_spec.rb | 14 ++++++++++---- templates/vhost/_proxy.erb | 5 +++++ 3 files changed, 18 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 9cfde923ed..58e8e03ebf 100644 --- a/README.md +++ b/README.md @@ -2113,11 +2113,14 @@ apache::vhost { 'site.name.fdqn': 'keywords' => ['nocanon', 'interpolate'] }, { 'path' => '/f', 'url' => 'http://backend-f/', 'setenv' => ['proxy-nokeepalive 1','force-proxy-request-1.0 1']}, + { 'path' => '/g', 'url' => 'http://backend-g/', + 'reverse_cookies' => [{'path' => '/g', 'url' => 'http://backend-g/',}], }, ], } ~~~ `reverse_urls` is optional and can be an array or a string. It is useful when used with `mod_proxy_balancer`. +`reverse_cookies` is optional and is used to set ProxyPassReverseCookiePath. `params` is an optional parameter. It allows to provide the ProxyPass key=value parameters (Connection settings). `setenv` is optional and is an array to set environment variables for the proxy directive, for details see http://httpd.apache.org/docs/current/mod/mod_proxy.html#envsettings diff --git a/spec/defines/vhost_spec.rb b/spec/defines/vhost_spec.rb index 5dce3f748b..3b9a6fdbd9 100644 --- a/spec/defines/vhost_spec.rb +++ b/spec/defines/vhost_spec.rb @@ -210,10 +210,14 @@ 'proxy_dest' => '/', 'proxy_pass' => [ { - 'path' => '/a', - 'url' => 'http://backend-a/', - 'keywords' => ['noquery', 'interpolate'], - 'params' => { + 'path' => '/a', + 'url' => 'http://backend-a/', + 'keywords' => ['noquery', 'interpolate'], + 'reverse_cookies' => [{ + 'path' => '/a', + 'url' => 'http://backend-a/', + }], + 'params' => { 'retry' => '0', 'timeout' => '5' }, 
@@ -403,6 +407,8 @@ /SetEnv proxy-nokeepalive 1/) } it { is_expected.to contain_concat__fragment('rspec.example.com-proxy').with_content( /noquery interpolate/) } + it { is_expected.to contain_concat__fragment('rspec.example.com-proxy').with_content( + /ProxyPassReverseCookiePath\s+\/a\s+http:\/\//) } it { is_expected.to contain_concat__fragment('rspec.example.com-rack') } it { is_expected.to contain_concat__fragment('rspec.example.com-redirect') } it { is_expected.to contain_concat__fragment('rspec.example.com-rewrite') } diff --git a/templates/vhost/_proxy.erb b/templates/vhost/_proxy.erb index 71512fdba2..3f94af9112 100644 --- a/templates/vhost/_proxy.erb +++ b/templates/vhost/_proxy.erb @@ -18,6 +18,11 @@ <%- if proxy['keywords'] %> <%= proxy['keywords'].join(' ') -%> <%- end %> > + <%- if not proxy['reverse_cookies'].nil? -%> + <%- Array(proxy['reverse_cookies']).each do |reverse_cookies| -%> + ProxyPassReverseCookiePath <%= reverse_cookies['path'] %> <%= reverse_cookies['url'] %> + <%- end -%> + <%- end -%> <%- if proxy['reverse_urls'].nil? -%> ProxyPassReverse <%= proxy['url'] %> <%- else -%> From 6e05f67d5732cf6beee9a7cc77c52830137fbce2 Mon Sep 17 00:00:00 2001 From: Holt Wilkins Date: Fri, 21 Aug 2015 18:19:52 +1000 Subject: [PATCH 31/71] Add support for the Apache SSLProxyMachineCertificateFile directive which allows the apache reverse proxy to use a client certificate to authenticate to its upstream --- README.md | 11 +++++++++++ manifests/vhost.pp | 2 ++ templates/vhost/_ssl.erb | 3 +++ 3 files changed, 16 insertions(+) diff --git a/README.md b/README.md index 769b937b8d..a1de3d734f 100644 --- a/README.md +++ b/README.md 
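Review bot: The new `ProxyPassReverseCookiePath <%= reverse_cookies['path'] %> <%= reverse_cookies['url'] %>` line in templates/vhost/_proxy.erb does not match the directive's documented form, `ProxyPassReverseCookiePath internal-path public-path`, where both arguments are URL paths and the backend's path comes first. With the values used in the README and the spec it renders `ProxyPassReverseCookiePath /a http://backend-a/`, which would rewrite a backend cookie's `Path=/a` to a URL string, so the cookie ends up scoped to something no request path matches. I would name the keys after what they hold and emit them in Apache's order, e.g. `ProxyPassReverseCookiePath <%= reverse_cookies['internal_path'] %> <%= reverse_cookies['public_path'] %>`, and tighten the spec regex, which currently only checks that `http://` follows the path. The enclosing ProxyPass loop starts and ends outside the hunk.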
@@ -2898,6 +2898,17 @@ Sets the [SSLVerifyDepth](http://httpd.apache.org/docs/current/mod/mod_ssl.html# } ~~~ +##### `ssl_proxy_machine_cert` + +Sets the [SSLProxyMachineCertificateFile](http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxymachinecertificatefile) directive, which specifies an all-in-one file where you keep the certs and keys used for this server to authenticate itself to remote servers. This file should be a concatenation of the PEM-encoded certificate files in order of preference. Defaults to 'undef'. + +~~~ puppet + apache::vhost { 'sample.example.net': + … + ssl_proxy_machine_cert => '/etc/httpd/ssl/client_certificate.pem', + } +~~~ + ##### `ssl_options` Sets the [SSLOptions](http://httpd.apache.org/docs/current/mod/mod_ssl.html#ssloptions) directive, which configures various SSL engine run-time options. This is the global setting for the given vhost and can be a string or an array. Defaults to 'undef'. diff --git a/manifests/vhost.pp b/manifests/vhost.pp index 20b1aa6b91..c44bba5891 100644 --- a/manifests/vhost.pp +++ b/manifests/vhost.pp @@ -25,6 +25,7 @@ $ssl_honorcipherorder = undef, $ssl_verify_client = undef, $ssl_verify_depth = undef, + $ssl_proxy_machine_cert = undef, $ssl_options = undef, $ssl_openssl_conf_cmd = undef, $ssl_proxyengine = false, @@ -738,6 +739,7 @@ # - $ssl_honorcipherorder # - $ssl_verify_client # - $ssl_verify_depth + # - $ssl_proxy_machine_cert # - $ssl_options # - $ssl_openssl_conf_cmd # - $apache_version diff --git a/templates/vhost/_ssl.erb b/templates/vhost/_ssl.erb index c2d9413509..e99b739a67 100644 --- a/templates/vhost/_ssl.erb +++ b/templates/vhost/_ssl.erb @@ -40,6 +40,9 @@ <%- if @ssl_verify_depth -%> SSLVerifyDepth <%= @ssl_verify_depth %> <%- end -%> + <%- if @ssl_proxy_machine_cert -%> + SSLProxyMachineCertificateFile "<%= @ssl_proxy_machine_cert %>" + <%- end -%> <%- if @ssl_options -%> SSLOptions <%= Array(@ssl_options).join(' ') %> <%- end -%> 
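Review bot: `$ssl_proxy_machine_cert` is added to manifests/vhost.pp without any validation and is written straight into `SSLProxyMachineCertificateFile "..."` in _ssl.erb. As the new README text says, this file holds the keys as well as the certificates, and the mod_ssl documentation notes that encrypted private keys are not supported for it, so the path points at unencrypted key material. I would add `if $ssl_proxy_machine_cert { validate_absolute_path($ssl_proxy_machine_cert) }` to the input-validation section (not visible in these hunks) and a README sentence telling users to keep the file readable by root only, since nothing in these hunks manages its ownership or mode.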
From be089859927b99237de02a821a6f786c722c326e Mon Sep 17 00:00:00 2001 From: Niklas Grossmann Date: Wed, 2 Sep 2015 15:12:37 +0200 Subject: [PATCH 32/71] MODULES-2513 mod::ssl fails on SLES Add SLES/Suse support to mod::ssl. --- manifests/mod/ssl.pp | 17 +++++++++++------ spec/classes/mod/ssl_spec.rb | 16 ++++++++++++++++ 2 files changed, 27 insertions(+), 6 deletions(-) diff --git a/manifests/mod/ssl.pp b/manifests/mod/ssl.pp index 9e68d21b70..475f233a50 100644 --- a/manifests/mod/ssl.pp +++ b/manifests/mod/ssl.pp @@ -12,12 +12,6 @@ $apache_version = $::apache::apache_version, $package_name = undef, ) { - $session_cache = $::osfamily ? { - 'debian' => "\${APACHE_RUN_DIR}/ssl_scache(512000)", - 'redhat' => '/var/cache/mod_ssl/scache(512000)', - 'freebsd' => '/var/run/ssl_scache(512000)', - 'gentoo' => '/var/run/ssl_scache(512000)', - } case $::osfamily { 'debian': { @@ -38,11 +32,22 @@ 'gentoo': { $ssl_mutex = 'default' } + 'Suse': { + $ssl_mutex = 'default' + } default: { fail("Unsupported osfamily ${::osfamily}") } } + $session_cache = $::osfamily ? { + 'debian' => "\${APACHE_RUN_DIR}/ssl_scache(512000)", + 'redhat' => '/var/cache/mod_ssl/scache(512000)', + 'freebsd' => '/var/run/ssl_scache(512000)', + 'gentoo' => '/var/run/ssl_scache(512000)', + 'Suse' => '/var/lib/apache2/ssl_scache(512000)' + } + ::apache::mod { 'ssl': package => $package_name, } diff --git a/spec/classes/mod/ssl_spec.rb b/spec/classes/mod/ssl_spec.rb index 1e8b94edca..0fd813d7e1 100644 --- a/spec/classes/mod/ssl_spec.rb +++ b/spec/classes/mod/ssl_spec.rb 
@@ -100,6 +100,22 @@ it { is_expected.to contain_apache__mod('ssl') } end + context 'on a Suse OS' do + let :facts do + { + :osfamily => 'Suse', + :operatingsystem => 'SLES', + :operatingsystemrelease => '11.2', + :concat_basedir => '/dne', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin', + :is_pe => false, + } + end + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_apache__mod('ssl') } + end # Template config doesn't vary by distro context "on all distros" do let :facts do From 2311945635b113afb6f367a288df563fd2b1abc5 Mon Sep 17 00:00:00 2001 From: Steve Traylen Date: Fri, 4 Sep 2015 11:07:19 +0200 Subject: [PATCH 33/71] Fix mellon docs formatting --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index d95ac6b534..dc1eb18c7e 100644 --- a/README.md +++ b/README.md @@ -2707,6 +2707,7 @@ apache::vhost{'sample.example.net': } ] } +~~~ ###### `mellon_cond` From a221fdcb6d1963b4dfbfb1468fce13fea07f5d85 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?L=C3=A9o=20POIROUX?= Date: Mon, 7 Sep 2015 15:25:04 +0200 Subject: [PATCH 34/71] Deflate "application/json" by default Hello, How can I customize the "types" of "deflate " while using " default_mods " ? I need to deflate "application/json". JSON is a common text resource types on the web which should be served with HTTP compression: https://zoompf.com/blog/2012/02/lose-the-wait-http-compression Thks --- manifests/mod/deflate.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/manifests/mod/deflate.pp b/manifests/mod/deflate.pp index 9b8d43621c..0748a54e57 100644 --- a/manifests/mod/deflate.pp +++ b/manifests/mod/deflate.pp @@ -3,7 +3,8 @@ 'text/html text/plain text/xml', 'text/css', 'application/x-javascript application/javascript application/ecmascript', - 'application/rss+xml' + 'application/rss+xml', + 'application/json' ], $notes = { 'Input' => 'instream', 
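Review bot: Adding `'application/json'` to the default `$types` in manifests/mod/deflate.pp changes behaviour for every existing user of the class, not only for those who ask for it. JSON API responses often carry session or CSRF tokens next to request-derived data, and compressing such responses under TLS exposes them to compression-length side channels of the BREACH kind; the existing text/html default has the same property, so this widens the exposure rather than introducing it. I would keep the change but add a README note beside `types` showing how to pass a narrower list, e.g. `class { 'apache::mod::deflate': types => ['text/css'] }`. The parameter list starts and ends outside the hunk.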
From f11f5f77ab67268ec39a07e4d42d28790f766dba Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?L=C3=A9o=20POIROUX?= Date: Tue, 8 Sep 2015 12:24:17 +0200 Subject: [PATCH 35/71] Added application/json on default DEFLATE configuration --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index dc1eb18c7e..b6af020e65 100644 --- a/README.md +++ b/README.md @@ -1332,7 +1332,7 @@ Installs and configures [`mod_deflate`][]. **Parameters within `apache::mod::deflate`:** -- `types`: An [array][] of [MIME types][MIME `content-type`] to be deflated. Default: [ 'text/html text/plain text/xml', 'text/css', 'application/x-javascript application/javascript application/ecmascript', 'application/rss+xml' ]. +- `types`: An [array][] of [MIME types][MIME `content-type`] to be deflated. Default: [ 'text/html text/plain text/xml', 'text/css', 'application/x-javascript application/javascript application/ecmascript', 'application/rss+xml', 'application/json' ]. - `notes`: A [Hash][] where the key represents the type and the value represents the note name. Default: { 'Input' => 'instream', 'Output' => 'outstream', 'Ratio' => 'ratio' } ##### Class: `apache::mod::expires` From 9367580e2dc72df792fdafc48c5a9c94d7725a59 Mon Sep 17 00:00:00 2001 From: Aaron Russell Date: Fri, 3 Jul 2015 09:48:50 -0400 Subject: [PATCH 36/71] (MODULES-2188) Add support for PassengerBaseURI in Apache This adds a varaible and template block for using PassengerBaseURI in the vhost --- README.md | 4 ++++ manifests/vhost.pp | 16 ++++++++++++++++ spec/defines/vhost_spec.rb | 1 + templates/vhost/_passenger_base_uris.erb | 7 +++++++ tests/vhost.pp | 8 ++++++++ 5 files changed, 36 insertions(+) create mode 100644 templates/vhost/_passenger_base_uris.erb diff --git a/README.md b/README.md index 769b937b8d..ff4ce0007b 100644 --- a/README.md +++ b/README.md 
@@ -2114,6 +2114,10 @@ This directive is equivalent to proxy_pass, but takes regular expressions, see [ Specifies the resource identifiers for a rack configuration. The file paths specified are listed as rack application roots for [Phusion Passenger](http://www.modrails.com/documentation/Users%20guide%20Apache.html#_railsbaseuri_and_rackbaseuri) in the _rack.erb template. Defaults to 'undef'. +#####`passenger_base_uris` + +Used to specify that the given URI is a Phusion Passenger-served application. The file paths specified are listed as passenger application roots for [Phusion Passenger](https://www.phusionpassenger.com/documentation/Users%20guide%20Apache.html#PassengerBaseURI) in the _passenger_base_uris.erb template. Defaults to 'undef'. + ##### `redirect_dest` Specifies the address to redirect to. Defaults to 'undef'. diff --git a/manifests/vhost.pp b/manifests/vhost.pp index 20b1aa6b91..1c72242688 100644 --- a/manifests/vhost.pp +++ b/manifests/vhost.pp @@ -80,6 +80,7 @@ $redirectmatch_regexp = undef, $redirectmatch_dest = undef, $rack_base_uris = undef, + $passenger_base_uris = undef, $headers = undef, $request_headers = undef, $filters = undef, @@ -386,6 +387,11 @@ } } + # Load mod_passenger if needed and not yet loaded + if $passenger_base_uris { + include ::apache::mod::passenger + } + # Load mod_fastci if needed and not yet loaded if $fastcgi_server and $fastcgi_socket { if ! defined(Class['apache::mod::fastcgi']) { @@ -655,6 +661,16 @@ } } + # Template uses: + # - $passenger_base_uris + if $passenger_base_uris { + concat::fragment { "${name}-passenger_uris": + target => "${priority_real}${filename}.conf", + order => 155, + content => template('apache/vhost/_passenger_base_uris.erb'), + } + } + # Template uses: # - $redirect_source # - $redirect_dest diff --git a/spec/defines/vhost_spec.rb b/spec/defines/vhost_spec.rb index cb8c9e84bb..82301c4efb 100644 --- a/spec/defines/vhost_spec.rb +++ b/spec/defines/vhost_spec.rb 
@@ -248,6 +248,7 @@ 'redirectmatch_regexp' => ['\.git$'], 'redirectmatch_dest' => ['http://www.example.com'], 'rack_base_uris' => ['/rackapp1'], + 'passenger_base_uris' => ['/passengerapp1'], 'headers' => 'Set X-Robots-Tag "noindex, noarchive, nosnippet"', 'request_headers' => ['append MirrorID "mirror 12"'], 'rewrites' => [ diff --git a/templates/vhost/_passenger_base_uris.erb b/templates/vhost/_passenger_base_uris.erb new file mode 100644 index 0000000000..f3ef5aa0a5 --- /dev/null +++ b/templates/vhost/_passenger_base_uris.erb @@ -0,0 +1,7 @@ +<% if @passenger_base_uris -%> + + ## Enable passenger base uris +<% Array(@passenger_base_uris).each do |uri| -%> + PassengerBaseURI <%= uri %> +<% end -%> +<% end -%> diff --git a/tests/vhost.pp b/tests/vhost.pp index a46b677846..0cf8da75c4 100644 --- a/tests/vhost.pp +++ b/tests/vhost.pp @@ -141,6 +141,7 @@ rack_base_uris => ['/rackapp1', '/rackapp2'], } + # Vhost to redirect non-ssl to ssl apache::vhost { 'sixteenth.example.com non-ssl': servername => 'sixteenth.example.com', @@ -251,3 +252,10 @@ access_log_env_var => 'admin', } +# Vhost with a passenger_base configuration +apache::vhost { 'twentysecond.example.com': + port => '80', + docroot => '/var/www/twentysecond', + rack_base_uris => ['/passengerapp1', '/passengerapp2'], +} + From 49fed02c87da035d9cd85aafe115b7ed447d92ca Mon Sep 17 00:00:00 2001 From: Edmund Craske Date: Mon, 14 Sep 2015 13:29:36 +0100 Subject: [PATCH 37/71] Fix typo of MPM_PREFORK Was unsetting 'MPM_PERFORK', so 'MPM_PREFORK' would not have been unset correctly. --- manifests/package.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/manifests/package.pp b/manifests/package.pp index 728b26010e..5c59f2546d 100644 --- a/manifests/package.pp +++ b/manifests/package.pp 
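Review bot: The example vhost `twentysecond.example.com` added at the end of tests/vhost.pp is commented as a passenger_base configuration but sets `rack_base_uris => ['/passengerapp1', '/passengerapp2'],`, so the new parameter is never exercised by this manifest. The line should read `passenger_base_uris => ['/passengerapp1', '/passengerapp2'],`. The earlier hunk in the same file only adds a blank line and can be dropped.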
@@ -17,11 +17,11 @@ } 'worker': { $set = 'MPM_WORKER' - $unset = 'MPM_PERFORK MPM_EVENT' + $unset = 'MPM_PREFORK MPM_EVENT' } 'event': { $set = 'MPM_EVENT' - $unset = 'MPM_PERFORK MPM_WORKER' + $unset = 'MPM_PREFORK MPM_WORKER' } 'itk': { $set = undef From bf948c05e253b43ed0bae1ca36868af4af617860 Mon Sep 17 00:00:00 2001 From: Steve Traylen Date: Fri, 14 Aug 2015 13:07:35 +0200 Subject: [PATCH 38/71] (MODULES-2419) - Add mod_auth_kerb parameters to vhost. https://tickets.puppetlabs.com/browse/MODULES-2419 The following kerberos parameters can be set within a vhost. KrbMethodNegotiate KrbMethodK5Passwd KrbAuthoritative KrbAuthRealms Krb5Keytab KrbLocalUserMapping Reference for mod_auth_kerb: http://modauthkerb.sourceforge.net/configure.html https://bugzilla.redhat.com/show_bug.cgi?id=970678 --- README.md | 45 ++++++++++++++++++++++++++++++++++ manifests/vhost.pp | 28 +++++++++++++++++++++ spec/defines/vhost_spec.rb | 17 +++++++++++++ templates/vhost/_auth_kerb.erb | 23 +++++++++++++++++ 4 files changed, 113 insertions(+) create mode 100644 templates/vhost/_auth_kerb.erb diff --git a/README.md b/README.md index b6af020e65..fdc4c97765 100644 --- a/README.md +++ b/README.md 
@@ -1964,6 +1964,51 @@ Usage typically looks like: } ~~~ +##### `auth_kerb` + +Enable mod_auth_kerb parameters for a virtual host. Valid values are 'true' or 'false'. Defaults to 'false'. + +Usage typically looks like: + +~~~ puppet + apache::vhost {'sample.example.net': + auth_kerb => true, + krb_method_negotiate => 'on', + krb_auth_realms => ['EXAMPLE.ORG'], + krb_local_user_mapping => 'on', + directories => { + path => '/var/www/html', + auth_name => 'Kerberos Login', + auth_type => 'Kerberos', + auth_require => 'valid-user', + } + } +~~~ + +##### `krb_method_negotiate` + +To enable or disable the use of the Negotiate method. Defaults is 'on' + +##### `krb_method_k5passwd` + +To enable or disable the use of password based authentication for Kerberos v5. Default is 'on' + +##### `krb_authoritative` + +If set to off this directive allow authentication controls to be pass on to another modules. Default is 'on' + +##### `krb_auth_realms` + +Specifies an array Kerberos realm(s) to be used for authentication. Default is [] + +##### `krb_5keytab` + +Location of the Kerberos V5 keytab file. Not set by default. + +##### `krb_local_user_mapping` + +Strips @REALM from username for further use. Not set by default. + ##### `logroot` Specifies the location of the virtual host's logfiles. Defaults to '/var/log//'. diff --git a/manifests/vhost.pp b/manifests/vhost.pp index c44bba5891..027e490796 100644 --- a/manifests/vhost.pp +++ b/manifests/vhost.pp @@ -123,6 +123,13 @@ $modsec_disable_ids = undef, $modsec_disable_ips = undef, $modsec_body_limit = undef, + $auth_kerb = false, + $krb_method_negotiate = 'on', + $krb_method_k5passwd = 'on', + $krb_authoritative = 'on', + $krb_auth_realms = [], + $krb_5keytab = undef, + $krb_local_user_mapping = undef, ) { # The base class must be included first because it is used by parameter defaults if ! defined(Class['apache']) { 
@@ -213,6 +220,7 @@ validate_re($allow_encoded_slashes, '(^on$|^off$|^nodecode$)', "${allow_encoded_slashes} is not permitted for allow_encoded_slashes. Allowed values are 'on', 'off' or 'nodecode'.") } + validate_bool($auth_kerb) # Input validation ends if $ssl and $ensure == 'present' { @@ -221,6 +229,10 @@ include ::apache::mod::mime } + if $auth_kerb and $ensure == 'present' { + include ::apache::mod::auth_kerb + } + if $virtual_docroot { include ::apache::mod::vhost_alias } @@ -751,6 +763,22 @@ } } + # Template uses: + # - $auth_kerb + # - $krb_method_negotiate + # - $krb_method_k5passwd + # - $krb_authoritative + # - $krb_auth_realms + # - $krb_5keytab + # - $krb_local_user_mapping + if $auth_kerb { + concat::fragment { "${name}-auth_kerb": + target => "${priority_real}${filename}.conf", + order => 210, + content => template('apache/vhost/_auth_kerb.erb'), + } + } + # Template uses: # - $suphp_engine # - $suphp_addhandler diff --git a/spec/defines/vhost_spec.rb b/spec/defines/vhost_spec.rb index 3b9a6fdbd9..8d6ced9d4a 100644 --- a/spec/defines/vhost_spec.rb +++ b/spec/defines/vhost_spec.rb @@ -313,6 +313,13 @@ 'passenger_start_timeout' => '600', 'passenger_pre_start' => 'http://localhost/myapp', 'add_default_charset' => 'UTF-8', + 'auth_kerb' => true, + 'krb_method_negotiate' => 'off', + 'krb_method_k5passwd' => 'off', + 'krb_authoritative' => 'off', + 'krb_auth_realms' => ['EXAMPLE.ORG','EXAMPLE.NET'], + 'krb_5keytab' => '/tmp/keytab5', + 'krb_local_user_mapping' => 'off', } end let :facts do 
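Review bot: Only `$auth_kerb` is validated in the first vhost.pp hunk here; the six `krb_*` parameters reach _auth_kerb.erb unchecked. These are authentication settings, so a typo such as `'of'` is written out as-is and only surfaces when Apache parses the config. I would validate the on/off switches the way `$allow_encoded_slashes` is validated just above, e.g. `validate_re($krb_method_k5passwd, '^(on|off)$', ...)`, and add `validate_array($krb_auth_realms)` plus `validate_absolute_path($krb_5keytab)` when it is set. The README entry for `krb_method_k5passwd` could also say that with the default `'on'` clients send their password to the server, so the vhost should be served over TLS only.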
@@ -432,6 +439,16 @@ it { is_expected.to contain_concat__fragment('rspec.example.com-passenger') } it { is_expected.to contain_concat__fragment('rspec.example.com-charsets') } it { is_expected.to contain_concat__fragment('rspec.example.com-file_footer') } + it { is_expected.to contain_concat__fragment('rspec.example.com-auth_kerb').with( + :content => /^\s+KrbMethodNegotiate\soff$/)} + it { is_expected.to contain_concat__fragment('rspec.example.com-auth_kerb').with( + :content => /^\s+KrbAuthoritative\soff$/)} + it { is_expected.to contain_concat__fragment('rspec.example.com-auth_kerb').with( + :content => /^\s+KrbAuthRealms\sEXAMPLE.ORG\sEXAMPLE.NET$/)} + it { is_expected.to contain_concat__fragment('rspec.example.com-auth_kerb').with( + :content => /^\s+Krb5Keytab\s\/tmp\/keytab5$/)} + it { is_expected.to contain_concat__fragment('rspec.example.com-auth_kerb').with( + :content => /^\s+KrbLocalUserMapping\soff$/)} end context 'set only aliases' do let :params do diff --git a/templates/vhost/_auth_kerb.erb b/templates/vhost/_auth_kerb.erb new file mode 100644 index 0000000000..9179ee8b2a --- /dev/null +++ b/templates/vhost/_auth_kerb.erb @@ -0,0 +1,23 @@ +<% if @auth_kerb -%> + + ## Kerberos directives + <%- if @krb_method_negotiate -%> + KrbMethodNegotiate <%= @krb_method_negotiate %> + <%- end -%> + <%- if @krb_method_k5passwd -%> + KrbMethodK5Passwd <%= @krb_method_k5passwd %> + <%- end -%> + <%- if @krb_authoritative -%> + KrbAuthoritative <%= @krb_authoritative %> + <%- end -%> + <%- if @krb_auth_realms and @krb_auth_realms.length >= 1 -%> + KrbAuthRealms <%= @krb_auth_realms.join(' ') %> + <%- end -%> + <%- if @krb_5keytab -%> + Krb5Keytab <%= @krb_5keytab %> + <%- end -%> + <%- if @krb_local_user_mapping -%> + KrbLocalUserMapping <%= @krb_local_user_mapping -%> + <%- end -%> + +<% end -%> From 05613d7f0979237f176778c0fa6ebfb9cc10f8c2 Mon Sep 17 00:00:00 2001 
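Review bot: In the new templates/vhost/_auth_kerb.erb the last directive ends with `-%>` (`KrbLocalUserMapping <%= @krb_local_user_mapping -%>`), which strips the newline after the value; the rendered line is terminated only because a blank line happens to follow it. I would write `KrbLocalUserMapping <%= @krb_local_user_mapping %>` like the other directives in the file. `Krb5Keytab <%= @krb_5keytab %>` is also emitted unquoted, so a path containing a space would break the directive; `Krb5Keytab "<%= @krb_5keytab %>"` matches how _ssl.erb quotes file paths, with the spec regex adjusted accordingly.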
From: =?UTF-8?q?Sascha=20R=C3=BCssel?= Date: Mon, 21 Sep 2015 16:13:37 +0200 Subject: [PATCH 39/71] also install mod_authn_alias as default mod in debian for apache < 2.4 --- manifests/default_mods.pp | 3 +++ 1 file changed, 3 insertions(+) diff --git a/manifests/default_mods.pp b/manifests/default_mods.pp index 1c3820bf09..a1d2c89ef3 100644 --- a/manifests/default_mods.pp +++ b/manifests/default_mods.pp @@ -42,6 +42,9 @@ 'debian': { include ::apache::mod::authn_core include ::apache::mod::reqtimeout + if versioncmp($apache_version, '2.4') < 0 { + ::apache::mod { 'authn_alias': } + } } 'redhat': { include ::apache::mod::actions From 2ab10465fee10c150f3f8f98c74730ad7b8d3d24 Mon Sep 17 00:00:00 2001 From: Athanasios Douitsis Date: Tue, 22 Sep 2015 15:14:05 +0300 Subject: [PATCH 40/71] Fix erroneous example in README.md Fix error regarding the shib_request_settings setting for a vhost directory. Also, fix value of said attribute to a hash instead of a string. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 1a4eb4d4ae..925ba5ae01 100644 --- a/README.md +++ b/README.md @@ -2916,7 +2916,7 @@ Allows an valid content setting to be set or altered for the application request docroot => '/path/to/directory', directories => [ { path => '/path/to/directory', - shib_require_setting => 'requiresession 1', + shib_request_settings => { 'requiresession' => 'On' }, shib_use_headers => 'On', }, ], From 99daf49c2fa0149a50d996f51cf49ece01e315a4 Mon Sep 17 00:00:00 2001 
From: Freddy Spierenburg Date: Tue, 22 Sep 2015 18:22:00 +0200 Subject: [PATCH 41/71] MODULES-2613 Small style cleanup to templates/vhost/_additional_includes.erb The file templates/vhost/_additional_includes.erb can use a small cleanup (IMHO). Without this commit the includes are not nicely indented in line with the comment and the rest of the configuration file. This commit fixes that. --- templates/vhost/_additional_includes.erb | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/templates/vhost/_additional_includes.erb b/templates/vhost/_additional_includes.erb index aa9f0fe351..a07bb81125 100644 --- a/templates/vhost/_additional_includes.erb +++ b/templates/vhost/_additional_includes.erb @@ -2,9 +2,8 @@ ## Load additional static includes <%- if scope.function_versioncmp([@apache_version, '2.4']) >= 0 && @use_optional_includes -%> -IncludeOptional "<%= include %>" + IncludeOptional "<%= include %>" <%- else -%> -Include "<%= include %>" + Include "<%= include %>" <%- end -%> - <% end -%> From 10d632b99b3f84f7f70421a64c62bdbb72f2d824 Mon Sep 17 00:00:00 2001 From: Steve Traylen Date: Wed, 23 Sep 2015 15:26:15 +0200 Subject: [PATCH 42/71] (MODULES-2616) Optionally set LimitRequestFieldSize on an apache::vhost Support setting of LimitRequestFieldSize on a vhost. ```puppet apache::vhost{'foo': limit_request_field_size => 1234 } ``` by default value is unset. http://httpd.apache.org/docs/2.4/mod/core.html#limitrequestfieldsize https://tickets.puppetlabs.com/browse/MODULES-2616 --- README.md | 4 ++++ manifests/vhost.pp | 14 ++++++++++++++ spec/defines/vhost_spec.rb | 4 ++++ templates/vhost/_limits.erb | 5 +++++ 4 files changed, 27 insertions(+) create mode 100644 templates/vhost/_limits.erb diff --git a/README.md b/README.md index 925ba5ae01..1f69c825b1 100644 --- a/README.md +++ b/README.md 
@@ -2009,6 +2009,10 @@ Location of the Kerberos V5 keytab file. Not set by default. Strips @REALM from username for further use. Not set by default. +##### `limit_request_field_size` + +[Limits](http://httpd.apache.org/docs/2.4/mod/core.html#limitrequestfieldsize) the size of the HTTP request header allowed from the client. Default is 'undef'. + ##### `logroot` Specifies the location of the virtual host's logfiles. Defaults to '/var/log//'. diff --git a/manifests/vhost.pp b/manifests/vhost.pp index 42a3a373b2..25530bccb8 100644 --- a/manifests/vhost.pp +++ b/manifests/vhost.pp @@ -131,6 +131,7 @@ $krb_auth_realms = [], $krb_5keytab = undef, $krb_local_user_mapping = undef, + $limit_request_field_size = undef, ) { # The base class must be included first because it is used by parameter defaults if ! defined(Class['apache']) { @@ -222,6 +223,10 @@ } validate_bool($auth_kerb) + + if $limit_request_field_size { + validate_integer($limit_request_field_size) + } # Input validation ends if $ssl and $ensure == 'present' { @@ -946,6 +951,15 @@ content => template('apache/vhost/_filters.erb'), } } + # Template uses: + # - $limit_request_field_size + if $limit_request_field_size { + concat::fragment { "${name}-limits": + target => "${priority_real}${filename}.conf", + order => 330, + content => template('apache/vhost/_limits.erb'), + } + } # Template uses no variables concat::fragment { "${name}-file_footer": diff --git a/spec/defines/vhost_spec.rb b/spec/defines/vhost_spec.rb index 713d8726da..03140931fc 100644 --- a/spec/defines/vhost_spec.rb +++ b/spec/defines/vhost_spec.rb @@ -321,6 +321,7 @@ 'krb_auth_realms' => ['EXAMPLE.ORG','EXAMPLE.NET'], 'krb_5keytab' => '/tmp/keytab5', 'krb_local_user_mapping' => 'off', + 'limit_request_field_size' => '54321', } end let :facts do 
@@ -450,6 +451,8 @@ :content => /^\s+Krb5Keytab\s\/tmp\/keytab5$/)} it { is_expected.to contain_concat__fragment('rspec.example.com-auth_kerb').with( :content => /^\s+KrbLocalUserMapping\soff$/)} + it { is_expected.to contain_concat__fragment('rspec.example.com-limits').with( + :content => /^\s+LimitRequestFieldSize\s54321$/)} end context 'set only aliases' do let :params do @@ -601,6 +604,7 @@ it { is_expected.to_not contain_concat__fragment('rspec.example.com-fastcgi') } it { is_expected.to_not contain_concat__fragment('rspec.example.com-suexec') } it { is_expected.to_not contain_concat__fragment('rspec.example.com-charsets') } + it { is_expected.to_not contain_concat__fragment('rspec.example.com-limits') } it { is_expected.to contain_concat__fragment('rspec.example.com-file_footer') } end end diff --git a/templates/vhost/_limits.erb b/templates/vhost/_limits.erb new file mode 100644 index 0000000000..0bd56db353 --- /dev/null +++ b/templates/vhost/_limits.erb @@ -0,0 +1,5 @@ + + ## Limit Request Values +<% if @limit_request_field_size -%> + LimitRequestFieldSize <%= @limit_request_field_size %> +<% end -%> From 7a67ab19c0a65617654145a1f683f40c28a14386 Mon Sep 17 00:00:00 2001 From: Justin Lambert Date: Thu, 24 Sep 2015 06:03:24 -0600 Subject: [PATCH 43/71] add SecUploadDir parameter to support file uploads with mod_security --- templates/mod/security.conf.erb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/templates/mod/security.conf.erb b/templates/mod/security.conf.erb index ac28402c64..7b2da76135 100644 --- a/templates/mod/security.conf.erb +++ b/templates/mod/security.conf.erb 
@@ -59,10 +59,13 @@ SecAuditLog /var/log/apache2/modsec_audit.log SecTmpDir /var/cache/modsecurity SecDataDir /var/cache/modsecurity + SecUploadDir /var/cache/modsecurity <% else -%> SecDebugLog /var/log/httpd/modsec_debug.log SecAuditLog /var/log/httpd/modsec_audit.log SecTmpDir /var/lib/mod_security SecDataDir /var/lib/mod_security + SecUploadDir /var/lib/mod_security <% end -%> + SecUploadKeepFiles Off From e2b6bcfee0a0e9f9a1eef57eb44d3ca315e3b37e Mon Sep 17 00:00:00 2001 From: Mark Jeffcoat Date: Thu, 24 Sep 2015 16:15:29 -0500 Subject: [PATCH 44/71] Correct typo in default_vhost => false example. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 1f69c825b1..f720c4202a 100644 --- a/README.md +++ b/README.md @@ -289,7 +289,7 @@ You can customize parameters when declaring the `apache` class. For instance, th ~~~ puppet class { 'apache': - default_vhosts => false, + default_vhost => false, } ~~~ From 1a981c7d048d410662bf256eea233015b9b3613f Mon Sep 17 00:00:00 2001 From: Steve Traylen Date: Wed, 30 Sep 2015 13:52:47 +0200 Subject: [PATCH 45/71] (MODULES-2649) Allow SetOutputFilter to be set on a directory. e.g ```puppet apache::vhost{'abc.example.org': directories => [ { path => '/path/to/filtered', set_output_filter => 'puppetdb-filter', }, ], } ``` * https://tickets.puppetlabs.com/browse/MODULES-2649 * http://httpd.apache.org/docs/current/mod/core.html#setoutputfilter --- README.md | 15 +++++++++++++++ spec/defines/vhost_spec.rb | 5 +++++ templates/vhost/_directories.erb | 3 +++ 3 files changed, 23 insertions(+) diff --git a/README.md b/README.md index f720c4202a..e9cf59eee6 100644 --- a/README.md +++ b/README.md 
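Review bot: Both branches of the security.conf.erb hunk point `SecUploadDir` at the directory already used for `SecTmpDir` and `SecDataDir`, so intercepted request uploads are written next to ModSecurity's persistent collection data. A dedicated subdirectory readable only by the Apache user would keep untrusted file content apart from rule state, for example `SecUploadDir /var/cache/modsecurity/upload` and `SecUploadDir /var/lib/mod_security/upload`; the manifest would then have to create it, which is outside these hunks. The paths and `SecUploadKeepFiles Off` are hard-coded, and exposing them as class parameters would let sites that want `RelevantOnly` for incident review opt in without editing the template. The `<% if %>` that selects the branch starts outside the hunk.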
@@ -2884,6 +2884,21 @@ Sets a `SetHandler` directive as per the [Apache Core documentation](http://http } ~~~ +###### `set_output_filter` + +Sets a `SetOutputFilter` directive as per [Apache Core documentation](http://httpd.apache.org/docs/current/mod/core.html#setoutputfilter). An example: + +~~~ puppet + apache::vhost{ 'filter.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/path/to/directory', + set_output_filter => puppetdb-strip-resource-params, + }, + ], + } +~~~ + ###### `rewrites` Creates URL [`rewrites`](#rewrites) rules in vhost directories. Expects an array of hashes, and the hash keys can be any of 'comment', 'rewrite_base', 'rewrite_cond', or 'rewrite_rule'. diff --git a/spec/defines/vhost_spec.rb b/spec/defines/vhost_spec.rb index 03140931fc..6fd59f9157 100644 --- a/spec/defines/vhost_spec.rb +++ b/spec/defines/vhost_spec.rb @@ -190,6 +190,9 @@ 'index_options' => ['FancyIndexing'], 'index_style_sheet' => '/styles/style.css', }, + { 'path' => '/var/www/files/output_filtered', + 'set_output_filter' => 'output_filter', + }, ], 'error_log' => false, 'error_log_file' => 'httpd_error_log', @@ -399,6 +402,8 @@ :content => /^\s+IndexStyleSheet\s'\/styles\/style\.css'$/ ) } it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( :content => /^\s+DirectoryIndex\sdisabled$/ ) } + it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + :content => /^\s+SetOutputFilter\soutput_filter$/ ) } it { is_expected.to contain_concat__fragment('rspec.example.com-additional_includes') } it { is_expected.to contain_concat__fragment('rspec.example.com-logging') } it { is_expected.to contain_concat__fragment('rspec.example.com-serversignature') } diff --git a/templates/vhost/_directories.erb b/templates/vhost/_directories.erb index 189bd57701..bcb958601a 100644 --- a/templates/vhost/_directories.erb +++ b/templates/vhost/_directories.erb 
@@ -239,6 +239,9 @@ SetEnv <%= setenv %> <%- end -%> <%- end -%> + <%- if directory['set_output_filter'] -%> + SetOutputFilter <%= directory['set_output_filter'] %> + <%- end -%> <%- if @shibboleth_enabled -%> <%- if directory['shib_require_session'] and ! directory['shib_require_session'].empty? -%> ShibRequireSession <%= directory['shib_require_session'] %> From a59015bb12b556b17b33068902a4b005bffc6b08 Mon Sep 17 00:00:00 2001 From: Steve Traylen Date: Fri, 25 Sep 2015 10:13:49 +0200 Subject: [PATCH 46/71] (MODULES-2647) Optinally set parameters for mod_ext_filter module Permits the * ExtFilterDefine to be set multiple times on a server. * ExtFilterOptions to be set on a directory context. ```puppet class{'apache': default_mods => false, directories => [ { path => '/var/www/filter', ext_filter_options => 'LogStderr Onfail=abort', }, ], } class{'apache::mod::ext_filter': ext_filter_define => { 'slowdown' => 'mode=output cmd=/bin/cat preservescontentlength', 'puppetdb-strip' => 'mode=output outtype=application/json cmd="pdb-resource-filter"', }, } ``` * https://tickets.puppetlabs.com/browse/MODULES-2647 * http://httpd.apache.org/docs/current/mod/mod_ext_filter.html --- README.md | 36 ++++++++++++++++ manifests/default_mods.pp | 2 +- manifests/mod/ext_filter.pp | 24 +++++++++++ spec/classes/mod/ext_filter_spec.rb | 66 +++++++++++++++++++++++++++++ templates/mod/ext_filter.conf.erb | 6 +++ templates/vhost/_directories.erb | 3 ++ 6 files changed, 136 insertions(+), 1 deletion(-) create mode 100644 manifests/mod/ext_filter.pp create mode 100644 spec/classes/mod/ext_filter_spec.rb create mode 100644 templates/mod/ext_filter.conf.erb diff --git a/README.md b/README.md index e9cf59eee6..76eab50a48 100644 --- a/README.md +++ b/README.md 
@@ -48,6 +48,7 @@ [`apache::mod::auth_mellon`]: #class-apachemodauth_mellon [`apache::mod::disk_cache`]: #class-apachemoddisk_cache [`apache::mod::event`]: #class-apachemodevent +[`apache::mod::ext_filter`]: #class-apachemodext_filter [`apache::mod::geoip`]: #class-apachemodgeoip [`apache::mod::itk`]: #class-apachemoditk [`apache::mod::passenger`]: #class-apachemodpassenger @@ -145,6 +146,7 @@ [`mod_authnz_external`]: https://code.google.com/p/mod-auth-external/ [`mod_auth_mellon`]: https://github.com/UNINETT/mod_auth_mellon [`mod_expires`]: http://httpd.apache.org/docs/current/mod/mod_expires.html +[`mod_ext_filter`]: http://httpd.apache.org/docs/current/mod/mod_ext_filter.html [`mod_fcgid`]: https://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html [`mod_geoip`]: http://dev.maxmind.com/geoip/legacy/mod_geoip2/ [`mod_info`]: https://httpd.apache.org/docs/current/mod/mod_info.html @@ -1198,6 +1200,7 @@ The following Apache modules have supported classes, many of which allow for par * `disk_cache` (see [`apache::mod::disk_cache`][]) * `event` (see [`apache::mod::event`][]) * `expires` +* `ext_filter` (see [`apache::mod::ext_filter`][]) * `fastcgi` * `fcgid` * `filter` 
@@ -1345,6 +1348,23 @@ Installs [`mod_expires`][] and uses the `expires.conf.erb` template to generate - `expires_default`: Default algorithm for calculating expiration time using [`ExpiresByType`][] syntax or [interval syntax][]. Default: undef. - `expires_by_type`: Describes a set of [MIME `content-type`][] and their expiration times. Valid options: An [array][] of [Hashes][Hash], with each Hash's key a valid MIME `content-type` (i.e. 'text/json') and its value following valid [interval syntax][]. Default: undef. +##### Class: `apache::mod::ext_filter` + +Installs and configures [`mod_ext_filter`][]. + +~~~ puppet +class{'apache::mod::ext_filter': + ext_filter_define => { + 'slowdown' => 'mode=output cmd=/bin/cat preservescontentlength', + 'puppetdb-strip' => 'mode=output outtype=application/json cmd="pdb-resource-filter"', + }, +} +~~~ + +**Parameters within `apache::mod::ext_filter`**: + +- `ext_filter_define`: A hash of filter names and their parameters. Default: undef. + ##### Class: `apache::mod::fcgid` Installs and configures [`mod_fcgid`][]. @@ -2654,6 +2674,22 @@ An array of hashes used to override the [ErrorDocument](https://httpd.apache.org } ~~~ +###### `ext_filter_options` + +Sets the [ExtFilterOptions](http://httpd.apache.org/docs/current/mod/mod_ext_filter.html) directive. +Note that you must delcare `class {'apache::mod::ext_filter': }` before using this directive. + +~~~ puppet + apache::vhost{ 'filter.example.org': + docroot => '/var/www/filter', + directories => [ + { path => '/var/www/filter', + ext_filter_options => 'LogStderr Onfail=abort', + }, + ], + } +~~~ + ###### `geoip_enable` Sets the [GeoIPEnable](http://dev.maxmind.com/geoip/legacy/mod_geoip2/#Configuration) directive. diff --git a/manifests/default_mods.pp b/manifests/default_mods.pp index a1d2c89ef3..fd057d113f 100644 --- a/manifests/default_mods.pp +++ b/manifests/default_mods.pp 
@@ -50,6 +50,7 @@ include ::apache::mod::actions include ::apache::mod::authn_core include ::apache::mod::cache + include ::apache::mod::ext_filter include ::apache::mod::mime include ::apache::mod::mime_magic include ::apache::mod::rewrite @@ -63,7 +64,6 @@ ::apache::mod { 'authz_dbm': } ::apache::mod { 'authz_owner': } ::apache::mod { 'expires': } - ::apache::mod { 'ext_filter': } ::apache::mod { 'include': } ::apache::mod { 'logio': } ::apache::mod { 'substitute': } diff --git a/manifests/mod/ext_filter.pp b/manifests/mod/ext_filter.pp new file mode 100644 index 0000000000..b78abb6071 --- /dev/null +++ b/manifests/mod/ext_filter.pp @@ -0,0 +1,24 @@ +class apache::mod::ext_filter( + $ext_filter_define = undef +) { + + if $ext_filter_define { + validate_hash($ext_filter_define) + } + + ::apache::mod { 'ext_filter': } + + # Template uses + # -$ext_filter_define + + if $ext_filter_define { + file { 'ext_filter.conf': + ensure => file, + path => "${::apache::mod_dir}/ext_filter.conf", + content => template('apache/mod/ext_filter.conf.erb'), + require => [ Exec["mkdir ${::apache::mod_dir}"], ], + before => File[$::apache::mod_dir], + notify => Class['Apache::Service'], + } + } +} diff --git a/spec/classes/mod/ext_filter_spec.rb b/spec/classes/mod/ext_filter_spec.rb new file mode 100644 index 0000000000..afa71c1083 --- /dev/null +++ b/spec/classes/mod/ext_filter_spec.rb 
@@ -0,0 +1,66 @@ +describe 'apache::mod::ext_filter', :type => :class do + let :pre_condition do + 'class { "apache": + default_mods => false, + }' + end + context "on a Debian OS" do + let :facts do + { + :osfamily => 'Debian', + :operatingsystemrelease => '6', + :concat_basedir => '/dne', + :lsbdistcodename => 'squeeze', + :operatingsystem => 'Debian', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :fqdn => 'test.example.com', + :is_pe => false, + } + end + describe 'with no parameters' do + it { is_expected.to contain_apache__mod('ext_filter') } + it { is_expected.not_to contain_file('ext_filter.conf') } + end + describe 'with parameters' do + let :params do + { :ext_filter_define => {'filtA' => 'input=A output=B', + 'filtB' => 'input=C cmd="C"' }, + } + end + it { is_expected.to contain_file('ext_filter.conf').with_content(/^ExtFilterDefine\s+filtA\s+input=A output=B$/) } + it { is_expected.to contain_file('ext_filter.conf').with_content(/^ExtFilterDefine\s+filtB\s+input=C cmd="C"$/) } + end + + end + context "on a RedHat OS" do + let :facts do + { + :osfamily => 'RedHat', + :operatingsystemrelease => '6', + :concat_basedir => '/dne', + :operatingsystem => 'RedHat', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :fqdn => 'test.example.com', + :is_pe => false, + } + end + describe 'with no parameters' do + it { is_expected.to contain_apache__mod('ext_filter') } + it { is_expected.not_to contain_file('ext_filter.conf') } + end + describe 'with parameters' do + let :params do + { :ext_filter_define => {'filtA' => 'input=A output=B', + 'filtB' => 'input=C cmd="C"' }, + } + end + it { is_expected.to contain_file('ext_filter.conf').with_path('/etc/httpd/conf.d/ext_filter.conf') } + it { is_expected.to contain_file('ext_filter.conf').with_content(/^ExtFilterDefine\s+filtA\s+input=A output=B$/) } + it { is_expected.to 
contain_file('ext_filter.conf').with_content(/^ExtFilterDefine\s+filtB\s+input=C cmd="C"$/) } + end + end +end diff --git a/templates/mod/ext_filter.conf.erb b/templates/mod/ext_filter.conf.erb new file mode 100644 index 0000000000..67f98fd4c7 --- /dev/null +++ b/templates/mod/ext_filter.conf.erb @@ -0,0 +1,6 @@ +# mod_ext_filter definitions +<%- if @ext_filter_define.length >= 1 -%> +<%- @ext_filter_define.keys.sort.each do |name| -%> +ExtFilterDefine <%= name %> <%= @ext_filter_define[name] %> +<%- end -%> +<%- end -%> diff --git a/templates/vhost/_directories.erb b/templates/vhost/_directories.erb index bcb958601a..df6b6615e4 100644 --- a/templates/vhost/_directories.erb +++ b/templates/vhost/_directories.erb @@ -198,6 +198,9 @@ ExpiresByType <%= rule %> <%- end -%> <%- end -%> + <%- if directory['ext_filter_options'] -%> + ExtFilterOptions <%= directory['ext_filter_options'] %> + <%- end -%> <%- if directory['force_type'] -%> ForceType <%= directory['force_type'] %> <%- end -%> From e500a5582e1b31996e14f4588ba656527cd1d1e7 Mon Sep 17 00:00:00 2001 From: orthographic-pedant Date: Wed, 30 Sep 2015 13:19:05 -0400 Subject: [PATCH 47/71] Fixed typographical error, changed accomodate to accommodate in README. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 76eab50a48..a5012f4db9 100644 --- a/README.md +++ b/README.md @@ -327,7 +327,7 @@ apache::vhost { 'user.example.com': #### Configuring virtual hosts with SSL -To configure a virtual host to use [SSL encryption][] and default SSL certificates, set the [`ssl`][] parameter. You must also specify the [`port`][] parameter, typically with a value of '443', to accomodate HTTPS requests: +To configure a virtual host to use [SSL encryption][] and default SSL certificates, set the [`ssl`][] parameter. You must also specify the [`port`][] parameter, typically with a value of '443', to accommodate HTTPS requests: ~~~ puppet apache::vhost { 'ssl.example.com': 
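Review bot: In `templates/mod/ext_filter.conf.erb` each name and value is written verbatim into an `ExtFilterDefine` line, while `validate_hash` in `ext_filter.pp` checks only the container type. The value carries the `cmd=` that httpd runs for filtered responses, so a name or value containing a line break would add further directives to `ext_filter.conf`. Failing the catalog on multi-line entries inside the loop would close that, for example `<%- raise Puppet::ParseError, "ext_filter_define '#{name}' must be a single line" if "#{name}#{@ext_filter_define[name]}" =~ /[\r\n]/ -%>`. The `ExtFilterOptions` line added to `_directories.erb` in the next hunk interpolates its value the same way.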
From 8447589abcec675f3ee57e6607861e937e850877 Mon Sep 17 00:00:00 2001 From: Bruno Furtado Date: Wed, 30 Sep 2015 18:40:16 +0100 Subject: [PATCH 48/71] Change SSLProtocol in apache::vhost to be space separated --- templates/vhost/_ssl.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/vhost/_ssl.erb b/templates/vhost/_ssl.erb index e99b739a67..3a76bd45de 100644 --- a/templates/vhost/_ssl.erb +++ b/templates/vhost/_ssl.erb @@ -26,7 +26,7 @@ SSLProxyEngine On <%- end -%> <%- if @ssl_protocol -%> - SSLProtocol <%= @ssl_protocol %> + SSLProtocol <%= @ssl_protocol.compact.join(' ') %> <%- end -%> <%- if @ssl_cipher -%> SSLCipherSuite <%= @ssl_cipher %> From d57816b90b9639a5213794b3a408f7aa4d679ea5 Mon Sep 17 00:00:00 2001 From: Bruno Furtado Date: Thu, 1 Oct 2015 13:16:57 +0100 Subject: [PATCH 49/71] Added support for both string and array on ssl_protocol for apache::vhost --- templates/vhost/_ssl.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/vhost/_ssl.erb b/templates/vhost/_ssl.erb index 3a76bd45de..a3d76fb13e 100644 --- a/templates/vhost/_ssl.erb +++ b/templates/vhost/_ssl.erb @@ -26,7 +26,7 @@ SSLProxyEngine On <%- end -%> <%- if @ssl_protocol -%> - SSLProtocol <%= @ssl_protocol.compact.join(' ') %> + SSLProtocol <%= [@ssl_protocol].flatten.compact.join(' ') %> <%- end -%> <%- if @ssl_cipher -%> SSLCipherSuite <%= @ssl_cipher %> From 445d4367ddd076109ce36c95bf69d08de72beaa6 Mon Sep 17 00:00:00 2001 From: Tobias Brox Date: Thu, 8 Oct 2015 16:41:27 +0200 Subject: [PATCH 50/71] RC4 is deprecated, ref https://community.qualys.com/blogs/securitylabs/2013/09/17/updated-ssltls-deployment-best-practices-deprecate-rc4 - usage will downgrade the SSL rating from A to B on their rating service at https://www.ssllabs.com/ssltest/ --- README.md | 2 +- manifests/mod/ssl.pp | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index a5012f4db9..3a36c2efff 100644 --- a/README.md 
+++ b/README.md @@ -1513,7 +1513,7 @@ Installs [Apache SSL features][`mod_ssl`] and uses the `ssl.conf.erb` template t **Parameters within `apache::mod::ssl`**: -- `ssl_cipher`: Default: 'HIGH:MEDIUM:!aNULL:!MD5'. +- `ssl_cipher`: Default: 'HIGH:MEDIUM:!aNULL:!MD5:!RC4'. - `ssl_compression`: Default: 'false'. - `ssl_cryptodevice`: Default: 'builtin'. - `ssl_honorcipherorder`: Default: 'On'. diff --git a/manifests/mod/ssl.pp b/manifests/mod/ssl.pp index 475f233a50..a653badeda 100644 --- a/manifests/mod/ssl.pp +++ b/manifests/mod/ssl.pp @@ -3,7 +3,7 @@ $ssl_cryptodevice = 'builtin', $ssl_options = [ 'StdEnvVars' ], $ssl_openssl_conf_cmd = undef, - $ssl_cipher = 'HIGH:MEDIUM:!aNULL:!MD5', + $ssl_cipher = 'HIGH:MEDIUM:!aNULL:!MD5:!RC4', $ssl_honorcipherorder = 'On', $ssl_protocol = [ 'all', '-SSLv2', '-SSLv3' ], $ssl_pass_phrase_dialog = 'builtin', From 4c87d22f47b0d89dc69496947c8deab841ae4d25 Mon Sep 17 00:00:00 2001 From: Matthias Pigulla Date: Sun, 4 Oct 2015 12:39:58 +0200 Subject: [PATCH 51/71] Add option to configure the include pattern for the vhost_enable dir --- README.md | 10 ++++++++++ manifests/init.pp | 1 + manifests/params.pp | 2 ++ templates/httpd.conf.erb | 4 ++-- 4 files changed, 15 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 3a36c2efff..5066caac99 100644 --- a/README.md +++ b/README.md 
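Review bot: The new `$ssl_cipher` default in `manifests/mod/ssl.pp` still starts from `HIGH:MEDIUM`, so whatever else the local OpenSSL build classes as MEDIUM stays enabled once RC4 is excluded. If the goal is the rating mentioned in the commit message, it is worth checking the expanded list with `openssl ciphers -v` on each supported platform and deciding whether MEDIUM should remain. A comment above the parameter, e.g. `# RC4 excluded: deprecated, see the SSL/TLS deployment best practices`, would keep the rationale next to the value. The parameter list starts and ends outside the hunk, and a vhost that sets its own `ssl_cipher` presumably keeps whatever string it passes.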
@@ -1126,6 +1126,16 @@ Changes your virtual host configuration files' location. Default: determined by - **Gentoo**: `/etc/apache2/vhosts.d` - **Red Hat**: `/etc/httpd/conf.d` +##### `vhost_include_pattern` + +Defines the pattern for files included from the `vhost_dir`. This defaults to '*', also for BC with previous versions of this module. + +However, you may want to set this to a value like '[^.#]\*.conf[^~]' to make sure files accidentally created in this directory (from version +control systems, editor backups or the like) are *not* included in your server configuration. + +A value of '*.conf' is what is shipped by some operating systems. Also note that this module will, by default, create config files ending +in '.conf'. + ##### `user` Changes the user Apache uses to answer requests. Apache's parent process will continue to be run as root, but child processes will access resources as the user defined by this parameter. diff --git a/manifests/init.pp b/manifests/init.pp index 5f02bfd61f..873b42ef47 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -46,6 +46,7 @@ $confd_dir = $::apache::params::confd_dir, $vhost_dir = $::apache::params::vhost_dir, $vhost_enable_dir = $::apache::params::vhost_enable_dir, + $vhost_include_pattern = $::apache::params::vhost_include_pattern, $mod_dir = $::apache::params::mod_dir, $mod_enable_dir = $::apache::params::mod_enable_dir, $mpm_module = $::apache::params::mpm_module, diff --git a/manifests/params.pp b/manifests/params.pp index 5c5233ccdb..a2ab7382c6 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -32,6 +32,8 @@ # should we use systemd module? $use_systemd = true + $vhost_include_pattern = '*' + if $::operatingsystem == 'Ubuntu' and $::lsbdistrelease == '10.04' { $verify_command = '/usr/sbin/apache2ctl -t' } else { diff --git a/templates/httpd.conf.erb b/templates/httpd.conf.erb index 8664a43e4d..e0d16e1229 100644 --- a/templates/httpd.conf.erb +++ b/templates/httpd.conf.erb 
@@ -85,9 +85,9 @@ Include "<%= @confd_dir %>/*.conf" <%- end -%> <% if @vhost_load_dir != @confd_dir -%> <%- if scope.function_versioncmp([@apache_version, '2.4']) >= 0 -%> -IncludeOptional "<%= @vhost_load_dir %>/*" +IncludeOptional "<%= @vhost_load_dir %>/<%= @vhost_include_pattern %>" <%- else -%> -Include "<%= @vhost_load_dir %>/*" +Include "<%= @vhost_load_dir %>/<%= @vhost_include_pattern %>" <%- end -%> <% end -%> From f57f7f75e5324f3ab857ad05c29fad4a5ea0354a Mon Sep 17 00:00:00 2001 From: Yehuda Katz Date: Thu, 8 Oct 2015 20:02:00 -0400 Subject: [PATCH 52/71] (MODULES-2120) Allow empty docroot README.md updated If `docroot` and [`manage_docroot`][] are both set to `false`, no [`DocumentRoot`][] will be set and the accompanying `` block will not be created. --- README.md | 3 +++ manifests/vhost.pp | 20 ++++++++++++++------ templates/vhost/_docroot.erb | 2 +- 3 files changed, 18 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 5066caac99..762689d07b 100644 --- a/README.md +++ b/README.md @@ -133,6 +133,7 @@ [`logroot`]: #logroot [Log security]: http://httpd.apache.org/docs/current/logs.html#security +[`manage_docroot`]: #manage_docroot [`manage_user`]: #manage_user [`manage_group`]: #manage_group [`MaxConnectionsPerChild`]: https://httpd.apache.org/docs/current/mod/mpm_common.html#maxconnectionsperchild @@ -1886,6 +1887,8 @@ Sets the list of resources to look for when a client requests an index of the di **Required**. Sets the [`DocumentRoot`][] location, from which Apache serves files. +If `docroot` and [`manage_docroot`][] are both set to `false`, no [`DocumentRoot`][] will be set and the accompanying `` block will not be created. + ##### `docroot_group` Sets group access to the [`docroot`][] directory. Defaults to 'root'. diff --git a/manifests/vhost.pp b/manifests/vhost.pp index 25530bccb8..36d425ef13 100644 --- a/manifests/vhost.pp +++ b/manifests/vhost.pp 
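Review bot: `@vhost_include_pattern` is placed inside the quoted `Include`/`IncludeOptional` argument without any validation, so a value containing a double quote, whitespace or a line break changes the directive instead of the glob. A check in `init.pp` would catch that early, for instance `validate_re($vhost_include_pattern, '^[^"\s/]+$')` (expression shown as an example). The default of `*` also keeps loading every file in the vhost directory, including editor backups and VCS leftovers, which is the risk the README text describes. The README example `[^.#]\*.conf[^~]` appears to require one more character after `.conf`, so it would skip the `.conf` files this module writes; that example should be tested before it is recommended.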
@@ -227,6 +227,12 @@ if $limit_request_field_size { validate_integer($limit_request_field_size) } + + # Validate the docroot as a string if: + # - $manage_docroot is true + if $manage_docroot { + validate_string($docroot) + } # Input validation ends if $ssl and $ensure == 'present' { @@ -271,7 +277,7 @@ # This ensures that the docroot exists # But enables it to be specified across multiple vhost resources - if ! defined(File[$docroot]) and $manage_docroot { + if $manage_docroot and $docroot and ! defined(File[$docroot]) { file { $docroot: ensure => directory, owner => $docroot_owner, @@ -443,7 +449,7 @@ fail("Apache::Vhost[${name}]: 'directories' must be either a Hash or an Array of Hashes") } $_directories = $directories - } else { + } elsif $docroot { $_directory = { provider => 'directory', path => $docroot, @@ -518,10 +524,12 @@ # Template uses: # - $virtual_docroot # - $docroot - concat::fragment { "${name}-docroot": - target => "${priority_real}${filename}.conf", - order => 10, - content => template('apache/vhost/_docroot.erb'), + if $docroot { + concat::fragment { "${name}-docroot": + target => "${priority_real}${filename}.conf", + order => 10, + content => template('apache/vhost/_docroot.erb'), + } } # Template uses: diff --git a/templates/vhost/_docroot.erb b/templates/vhost/_docroot.erb index 6039fa63cf..b67998b4b4 100644 --- a/templates/vhost/_docroot.erb +++ b/templates/vhost/_docroot.erb @@ -2,6 +2,6 @@ ## Vhost docroot <% if @virtual_docroot -%> VirtualDocumentRoot "<%= @virtual_docroot %>" -<% else -%> +<% elsif @docroot -%> DocumentRoot "<%= @docroot %>" <% end -%> From 9d8efecc1e8baa65d20f11457791ff65d7b8ed56 Mon Sep 17 00:00:00 2001 
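Review bot: In the last `manifests/vhost.pp` hunk, skipping the `${name}-docroot` fragment when `$docroot` is false leaves the vhost without a `DocumentRoot`, and httpd then falls back to the main server's document root. A vhost intended only as a proxy or redirect could therefore serve the global docroot for any path its other directives do not cover. A comment on the guard would make that visible, e.g. `# No DocumentRoot is written when $docroot is false; the vhost inherits the server-wide one`, and the README paragraph added by this commit could say the same. In the `elsif $docroot` hunk `$_directories` is never assigned when both `directories` and `docroot` are unset, so the directories template should be checked for that case; the define's body starts and ends outside these hunks.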
From: Matthias Pigulla Date: Thu, 8 Oct 2015 23:55:50 +0200 Subject: [PATCH 53/71] Install all modules before adding custom configs The problem is that we have defines (apache::custom_config and apache::mod) on both sides so we cannot easily reference the one side from the other (when we want to avoid the <||> syntax). So, we use an anchor as the reference point and make things happen before or after that. --- manifests/custom_config.pp | 3 ++- manifests/init.pp | 4 ++++ manifests/mod.pp | 2 ++ spec/defines/custom_config_spec.rb | 8 ++++---- 4 files changed, 12 insertions(+), 5 deletions(-) diff --git a/manifests/custom_config.pp b/manifests/custom_config.pp index ceb1fd077a..7ce755b35c 100644 --- a/manifests/custom_config.pp +++ b/manifests/custom_config.pp @@ -49,12 +49,13 @@ } if $ensure == 'present' and $verify_config { - exec { "service notify for ${name}": + exec { "syntax verification for ${name}": command => $verify_command, subscribe => File["apache_${name}"], refreshonly => true, notify => Class['Apache::Service'], before => Exec["remove ${name} if invalid"], + require => Anchor['::apache::modules_set_up'] } exec { "remove ${name} if invalid": diff --git a/manifests/init.pp b/manifests/init.pp index 873b42ef47..7baa65713c 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -381,4 +381,8 @@ manage_docroot => $default_ssl_vhost, } } + + # This anchor can be used as a reference point for things that need to happen *after* + # all modules have been put in place. + anchor { '::apache::modules_set_up': } } diff --git a/manifests/mod.pp b/manifests/mod.pp index 920114a7c7..abdbfcbed5 100644 --- a/manifests/mod.pp +++ b/manifests/mod.pp @@ -162,4 +162,6 @@ } } } + + Apache::Mod[$name] -> Anchor['::apache::modules_set_up'] } diff --git a/spec/defines/custom_config_spec.rb b/spec/defines/custom_config_spec.rb index a5efd15a2f..7d566b0716 100644 --- a/spec/defines/custom_config_spec.rb +++ b/spec/defines/custom_config_spec.rb 
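Review bot: The edge `Apache::Mod[$name] -> Anchor['::apache::modules_set_up']` added in `manifests/mod.pp` orders only the resources inside the define, not the per-module `*.conf` files that the `apache::mod::<name>` classes declare next to it. As far as these hunks show, the `syntax verification for ${name}` exec can still run before such a file is written, so a custom config may be verified against an incomplete module configuration. Giving those `file` resources `before => Anchor['::apache::modules_set_up']`, or containing them so the edge covers them, would make the ordering hold. On style, the new `require => Anchor['::apache::modules_set_up']` line in `custom_config.pp` lacks the trailing comma its neighbours have.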
@@ -26,7 +26,7 @@ 'content' => '# Test', } end - it { is_expected.to contain_exec("service notify for rspec").with({ + it { is_expected.to contain_exec("syntax verification for rspec").with({ 'refreshonly' => 'true', 'subscribe' => 'File[apache_rspec]', 'command' => '/usr/sbin/apachectl -t', @@ -56,7 +56,7 @@ 'verify_command' => '/bin/true', } end - it { is_expected.to contain_exec("service notify for rspec").with({ + it { is_expected.to contain_exec("syntax verification for rspec").with({ 'command' => '/bin/true', }) } @@ -80,7 +80,7 @@ 'verify_config' => false, } end - it { is_expected.to_not contain_exec('service notify for rspec') } + it { is_expected.to_not contain_exec('syntax verification for rspec') } it { is_expected.to_not contain_exec('remove rspec if invalid') } it { is_expected.to contain_file('apache_rspec').with({ 'notify' => 'Class[Apache::Service]' @@ -93,7 +93,7 @@ 'ensure' => 'absent' } end - it { is_expected.to_not contain_exec('service notify for rspec') } + it { is_expected.to_not contain_exec('syntax verification for rspec') } it { is_expected.to_not contain_exec('remove rspec if invalid') } it { is_expected.to contain_file('apache_rspec').with({ 'ensure' => 'absent', From bb5b27ee2757d312b60873245a0f333ff4bc8ed5 Mon Sep 17 00:00:00 2001 From: Bruno Furtado Date: Sun, 11 Oct 2015 21:33:40 +0100 Subject: [PATCH 54/71] Added tests and updated docs for string and array support on ssl_protocol for apache::vhost. --- README.md | 2 +- spec/acceptance/vhost_spec.rb | 27 +++++++++++++++++++++++++++ 2 files changed, 28 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 76eab50a48..ff5ecb0485 100644 --- a/README.md +++ b/README.md 
@@ -3036,7 +3036,7 @@ Specifies the SSL certification. Defaults are based on your OS: '/etc/pki/tls/ce ##### `ssl_protocol` -Specifies [SSLProtocol](http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslprotocol). Expects an array of accepted protocols. Defaults to 'all', '-SSLv2', '-SSLv3'. +Specifies [SSLProtocol](http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslprotocol). Expects an array or space separated string of accepted protocols. Defaults to 'all', '-SSLv2', '-SSLv3'. ##### `ssl_cipher` diff --git a/spec/acceptance/vhost_spec.rb b/spec/acceptance/vhost_spec.rb index b5d51e91f4..dd6d03cd19 100644 --- a/spec/acceptance/vhost_spec.rb +++ b/spec/acceptance/vhost_spec.rb @@ -1339,4 +1339,31 @@ class { 'apache': } it { is_expected.to be_file } end end + + describe 'SSLProtocol directive' do + it 'applies cleanly' do + pp = <<-EOS + class { 'apache': } + apache::vhost { 'test.server': + docroot => '/tmp', + ssl_protocol => ['All', '-SSLv2'], + } + apache::vhost { 'test2.server': + docroot => '/tmp', + ssl_protocol => 'All -SSLv2', + } + EOS + apply_manifest(pp, :catch_failures => true) + end + + describe file("#{$vhost_dir}/25-test.server.conf") do + it { is_expected.to be_file } + it { is_expected.to contain 'SSLProtocol All -SSLv2' } + end + + describe file("#{$vhost_dir}/25-test2.server.conf") do + it { is_expected.to be_file } + it { is_expected.to contain 'SSLProtocol All -SSLv2' } + end + end end From b63aac22781cc9cafe33aea9c300f2e36890f643 Mon Sep 17 00:00:00 2001 From: David Schmitt Date: Tue, 13 Oct 2015 16:08:54 +0100 Subject: [PATCH 55/71] (MAINT) add a small test for no-docroot-mode --- spec/defines/vhost_spec.rb | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/spec/defines/vhost_spec.rb b/spec/defines/vhost_spec.rb index 6fd59f9157..2964e9b280 100644 --- a/spec/defines/vhost_spec.rb +++ b/spec/defines/vhost_spec.rb 
@@ -612,6 +612,16 @@ it { is_expected.to_not contain_concat__fragment('rspec.example.com-limits') } it { is_expected.to contain_concat__fragment('rspec.example.com-file_footer') } end + context 'when not setting nor managing the docroot' do + let :params do + { + 'docroot' => false, + 'manage_docroot' => false, + } + end + it { is_expected.to compile } + it { is_expected.not_to contain_concat__fragment('rspec.example.com-docroot') } + end end describe 'access logs' do let :facts do From 680f3a9ff04e4d7f057942d72a8834a9be205ad2 Mon Sep 17 00:00:00 2001 From: Damon Conway Date: Tue, 6 Oct 2015 12:22:37 -0700 Subject: [PATCH 56/71] (MODULES-2673) Adding dev_packages to apache class. Allows use of httpd24u-devel from the IUS repo. Adding documentation to README for dev_packages param to the apache class. Adding include apache::dev to example for dev_packages param. --- README.md | 14 ++++++++++++++ manifests/dev.pp | 2 +- manifests/init.pp | 1 + 3 files changed, 16 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index a5012f4db9..4f43961768 100644 --- a/README.md +++ b/README.md @@ -888,6 +888,20 @@ Configures a default virtual host when the class is declared. Valid options: Boo To configure [customized virtual hosts][Configuring virtual hosts], set this parameter's value to 'false'. +##### `dev_packages` + +Configures a specific dev package to use. Valid options: String. Default: 'OS default httpd dev package'. + +Example for using httpd 2.4 from the IUS yum repo: + +~~~ puppet +include ::apache::dev +class { 'apache': + apache_name => 'httpd24u', + dev_packages => 'httpd24u-devel', +} +~~~ + ##### `docroot` Sets the default [`DocumentRoot`][] location. Default: Determined by your operating system. diff --git a/manifests/dev.pp b/manifests/dev.pp index b1947e9344..fdebf59f55 100644 --- a/manifests/dev.pp +++ b/manifests/dev.pp 
@@ -1,6 +1,6 @@ class apache::dev { include ::apache::params - $packages = $::apache::params::dev_packages + $packages = $::apache::dev_packages if $packages { # FreeBSD doesn't have dev packages to install package { $packages: ensure => present, diff --git a/manifests/init.pp b/manifests/init.pp index 5f02bfd61f..2361c5457b 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -28,6 +28,7 @@ $default_ssl_crl = undef, $default_ssl_crl_check = undef, $default_type = 'none', + $dev_packages = $::apache::params::dev_packages, $ip = undef, $service_enable = true, $service_manage = true, From 94b2f0f8dc97a66ee62184edaaf25bb5c1ba0221 Mon Sep 17 00:00:00 2001 From: David Schmitt Date: Wed, 14 Oct 2015 17:57:12 +0100 Subject: [PATCH 57/71] (MODULES-2680) fix default nodeset to actually work Centos boxes prior to 6.6 cannot connect to fedoraproject's mirror, because of SSL issues. --- spec/acceptance/nodesets/centos-59-x64.yml | 10 ---------- spec/acceptance/nodesets/centos-64-x64-pe.yml | 12 ------------ spec/acceptance/nodesets/centos-64-x64.yml | 11 ----------- spec/acceptance/nodesets/centos-65-x64.yml | 10 ---------- spec/acceptance/nodesets/default.yml | 5 ++--- 5 files changed, 2 insertions(+), 46 deletions(-) delete mode 100644 spec/acceptance/nodesets/centos-59-x64.yml delete mode 100644 spec/acceptance/nodesets/centos-64-x64-pe.yml delete mode 100644 spec/acceptance/nodesets/centos-64-x64.yml delete mode 100644 spec/acceptance/nodesets/centos-65-x64.yml diff --git a/spec/acceptance/nodesets/centos-59-x64.yml b/spec/acceptance/nodesets/centos-59-x64.yml deleted file mode 100644 index 2ad90b86aa..0000000000 --- a/spec/acceptance/nodesets/centos-59-x64.yml +++ /dev/null @@ -1,10 +0,0 @@ -HOSTS: - centos-59-x64: - roles: - - master - platform: el-5-x86_64 - box : centos-59-x64-vbox4210-nocm - box_url : http://puppet-vagrant-boxes.puppetlabs.com/centos-59-x64-vbox4210-nocm.box - hypervisor : vagrant -CONFIG: - type: git 
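Review bot: `apache::dev` now reads `$::apache::dev_packages` but still only includes `::apache::params`, so the value is undefined whenever `apache::dev` is evaluated before the `apache` class. The README example added in this commit declares them in exactly that order (`include ::apache::dev` first), and because the package resource sits behind `if $packages`, the result is a silent no-op rather than an error. An explicit guard at the top of the class would surface it: `if ! defined(Class['apache']) { fail('You must include the apache base class before using apache::dev') }`. The README example should then declare `class { 'apache': }` before `include ::apache::dev`.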
diff --git a/spec/acceptance/nodesets/centos-64-x64-pe.yml b/spec/acceptance/nodesets/centos-64-x64-pe.yml deleted file mode 100644 index 7d9242f1b9..0000000000 --- a/spec/acceptance/nodesets/centos-64-x64-pe.yml +++ /dev/null @@ -1,12 +0,0 @@ -HOSTS: - centos-64-x64: - roles: - - master - - database - - dashboard - platform: el-6-x86_64 - box : centos-64-x64-vbox4210-nocm - box_url : http://puppet-vagrant-boxes.puppetlabs.com/centos-64-x64-vbox4210-nocm.box - hypervisor : vagrant -CONFIG: - type: pe diff --git a/spec/acceptance/nodesets/centos-64-x64.yml b/spec/acceptance/nodesets/centos-64-x64.yml deleted file mode 100644 index ce47212a8c..0000000000 --- a/spec/acceptance/nodesets/centos-64-x64.yml +++ /dev/null @@ -1,11 +0,0 @@ -HOSTS: - centos-64-x64: - roles: - - master - platform: el-6-x86_64 - box : centos-64-x64-vbox4210-nocm - box_url : http://puppet-vagrant-boxes.puppetlabs.com/centos-64-x64-vbox4210-nocm.box - hypervisor : vagrant -CONFIG: - log_level: debug - type: git diff --git a/spec/acceptance/nodesets/centos-65-x64.yml b/spec/acceptance/nodesets/centos-65-x64.yml deleted file mode 100644 index 4e2cb809e8..0000000000 --- a/spec/acceptance/nodesets/centos-65-x64.yml +++ /dev/null @@ -1,10 +0,0 @@ -HOSTS: - centos-65-x64: - roles: - - master - platform: el-6-x86_64 - box : centos-65-x64-vbox436-nocm - box_url : http://puppet-vagrant-boxes.puppetlabs.com/centos-65-x64-virtualbox-nocm.box - hypervisor : vagrant -CONFIG: - type: foss diff --git a/spec/acceptance/nodesets/default.yml b/spec/acceptance/nodesets/default.yml index ce47212a8c..00e141d092 100644 --- a/spec/acceptance/nodesets/default.yml +++ b/spec/acceptance/nodesets/default.yml @@ -1,10 +1,9 @@ HOSTS: - centos-64-x64: + centos-66-x64: roles: - master platform: el-6-x86_64 - box : centos-64-x64-vbox4210-nocm - box_url : http://puppet-vagrant-boxes.puppetlabs.com/centos-64-x64-vbox4210-nocm.box + box : puppetlabs/centos-6.6-64-nocm hypervisor : vagrant CONFIG: log_level: debug 
From 1d46f7b6573e6d0ebbe269fa7006575f8087bbc4 Mon Sep 17 00:00:00 2001 From: David Schmitt Date: Wed, 14 Oct 2015 17:58:04 +0100 Subject: [PATCH 58/71] (MODULES-2655) fix acceptance tests to correctly detect SELinux $::selinux can be a string that says "false", but evaluates to `true` in the `if`. --- spec/acceptance/apache_parameters_spec.rb | 2 +- spec/acceptance/class_spec.rb | 2 +- spec/acceptance/vhost_spec.rb | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/spec/acceptance/apache_parameters_spec.rb b/spec/acceptance/apache_parameters_spec.rb index 4c6fa7f56d..c46a220432 100644 --- a/spec/acceptance/apache_parameters_spec.rb +++ b/spec/acceptance/apache_parameters_spec.rb @@ -358,7 +358,7 @@ class { 'apache': describe 'setup' do it 'applies cleanly' do pp = <<-EOS - if $::osfamily == 'RedHat' and $::selinux { + if $::osfamily == 'RedHat' and "$::selinux" == "true" { $semanage_package = $::operatingsystemmajrelease ? { '5' => 'policycoreutils', default => 'policycoreutils-python', diff --git a/spec/acceptance/class_spec.rb b/spec/acceptance/class_spec.rb index 0a7d67bbb0..0cf1c36f90 100644 --- a/spec/acceptance/class_spec.rb +++ b/spec/acceptance/class_spec.rb @@ -45,7 +45,7 @@ class { 'apache': } # Using puppet_apply as a helper it 'should work with no errors' do pp = <<-EOS - if $::osfamily == 'RedHat' and $::selinux { + if $::osfamily == 'RedHat' and "$::selinux" == "true" { $semanage_package = $::operatingsystemmajrelease ? { '5' => 'policycoreutils', default => 'policycoreutils-python', diff --git a/spec/acceptance/vhost_spec.rb b/spec/acceptance/vhost_spec.rb index dd6d03cd19..6ca7c350e1 100644 --- a/spec/acceptance/vhost_spec.rb +++ b/spec/acceptance/vhost_spec.rb 
@@ -1287,7 +1287,7 @@ class { 'apache::mod::fastcgi': } describe 'additional_includes' do it 'applies cleanly' do pp = <<-EOS - if $::osfamily == 'RedHat' and $::selinux { + if $::osfamily == 'RedHat' and "$::selinux" == "true" { $semanage_package = $::operatingsystemmajrelease ? { '5' => 'policycoreutils', default => 'policycoreutils-python', From 72df6f3c6dbe992b60ffcb15ccb0c720ee1f7b0a Mon Sep 17 00:00:00 2001 From: David Schmitt Date: Wed, 14 Oct 2015 20:05:24 +0100 Subject: [PATCH 59/71] (MODULES-2655) Fix acceptance testing for SSLProtocol behaviour for real --- spec/acceptance/vhost_spec.rb | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/spec/acceptance/vhost_spec.rb b/spec/acceptance/vhost_spec.rb index 6ca7c350e1..e903b38d82 100644 --- a/spec/acceptance/vhost_spec.rb +++ b/spec/acceptance/vhost_spec.rb @@ -1345,11 +1345,13 @@ class { 'apache': } pp = <<-EOS class { 'apache': } apache::vhost { 'test.server': - docroot => '/tmp', + docroot => '/tmp', + ssl => true, ssl_protocol => ['All', '-SSLv2'], } apache::vhost { 'test2.server': - docroot => '/tmp', + docroot => '/tmp', + ssl => true, ssl_protocol => 'All -SSLv2', } EOS @@ -1358,12 +1360,12 @@ class { 'apache': } describe file("#{$vhost_dir}/25-test.server.conf") do it { is_expected.to be_file } - it { is_expected.to contain 'SSLProtocol All -SSLv2' } + it { is_expected.to contain 'SSLProtocol *All -SSLv2' } end describe file("#{$vhost_dir}/25-test2.server.conf") do it { is_expected.to be_file } - it { is_expected.to contain 'SSLProtocol All -SSLv2' } + it { is_expected.to contain 'SSLProtocol *All -SSLv2' } end end end From f10e309f40ff5f3ed1cb2f199edd56bbc72c28c4 Mon Sep 17 00:00:00 2001 From: wickedOne Date: Fri, 16 Oct 2015 08:39:42 +0200 Subject: [PATCH 60/71] RewriteLock support added ability to define a RewriteLock file in the httpd.conf for apache version 2.2 --- manifests/init.pp | 1 + templates/httpd.conf.erb | 4 ++++ 2 files changed, 5 insertions(+) 
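Review bot: With `ssl => true` added, both vhosts in spec/acceptance/vhost_spec.rb now render a real SSL configuration whose `ssl_protocol` value only excludes SSLv2, so SSLv3 stays enabled in the fixture. The test is about rendering, but fixture values tend to be reused, so I would model one that also drops SSLv3, e.g. `ssl_protocol => ['All', '-SSLv2', '-SSLv3'],` with the expectation `contain 'SSLProtocol *All -SSLv2 -SSLv3'`. Separately, the loosened pattern is unanchored and ` *` also matches zero spaces, so it would still pass on a longer or run-together protocol string. The enclosing `describe` starts outside the hunk.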
diff --git a/manifests/init.pp b/manifests/init.pp index 5db9e90c7d..de6472f9ed 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -55,6 +55,7 @@ $conf_template = $::apache::params::conf_template, $servername = $::apache::params::servername, $pidfile = $::apache::params::pidfile, + $rewrite_lock = false, $manage_user = true, $manage_group = true, $user = $::apache::params::user, diff --git a/templates/httpd.conf.erb b/templates/httpd.conf.erb index e0d16e1229..6fb9892442 100644 --- a/templates/httpd.conf.erb +++ b/templates/httpd.conf.erb @@ -11,6 +11,10 @@ KeepAlive <%= @keepalive %> MaxKeepAliveRequests <%= @max_keepalive_requests %> KeepAliveTimeout <%= @keepalive_timeout %> +<%- if @rewrite_lock and scope.function_versioncmp([@apache_version, '2.2']) <= 0 -%> +RewriteLock <%= @rewrite_lock %> +<%- end -%> + User <%= @user %> Group <%= @group %> From d38cc4d48f1ab1c027bfd44ac9574fbda2e00196 Mon Sep 17 00:00:00 2001 From: wickedOne Date: Fri, 16 Oct 2015 12:46:52 +0200 Subject: [PATCH 61/71] added rewrite lock tests and doc --- README.md | 8 +++++++- manifests/init.pp | 7 ++++++- spec/classes/apache_spec.rb | 39 +++++++++++++++++++++++++++++++++---- 3 files changed, 48 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 51d2f5dad7..8abaa58197 100644 --- a/README.md +++ b/README.md 
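Review bot: The guard `scope.function_versioncmp([@apache_version, '2.2']) <= 0` in templates/httpd.conf.erb only emits the directive when the version string compares at or below '2.2', so a more specific 2.2.x value, if one is ever passed, would likely compare greater and drop `RewriteLock` without any message. manifests/vhost.pp already tests `versioncmp($apache_version, '2.4') < 0` for the same 2.2-only distinction, and `<%- if @rewrite_lock and scope.function_versioncmp([@apache_version, '2.4']) < 0 -%>` would match it. In this commit `$rewrite_lock` (manifests/init.pp hunk) also reaches the template with no validation and is written unquoted. I would check that it is an absolute path before rendering, and add a comment that the lock file belongs in a directory unprivileged users cannot write to.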
@@ -1065,6 +1065,12 @@ If the [`vhost_dir`][] parameter's value differs from the [`confd_dir`][] parame Setting `purge_vhost_dir` to 'false' is a stopgap measure to allow the apache Puppet module to coexist with existing or otherwise unmanaged configurations within `vhost_dir`. +##### `rewrite_lock` + +Allows setting a custom location for a rewrite lock - considered best practice if using a RewriteMap of type prg in the [`rewrites`][] parameter of your vhost. Default: 'undef'. + +This parameter only applies to Apache version 2.2 or lower and is ignored on newer versions. + ##### `sendfile` Forces Apache to use the Linux kernel's `sendfile` support to serve static files, via the [`EnableSendfile`][] directive. Valid options: 'On', 'Off'. Default: 'On'. @@ -2023,7 +2029,7 @@ Usage typically looks like: krb_method_negotiate => 'on', krb_auth_realms => ['EXAMPLE.ORG'], krb_local_user_mapping => 'on', - directories => { + directories => { path => '/var/www/html', auth_name => 'Kerberos Login', auth_type => 'Kerberos', diff --git a/manifests/init.pp b/manifests/init.pp index de6472f9ed..d894e324fc 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -55,7 +55,7 @@ $conf_template = $::apache::params::conf_template, $servername = $::apache::params::servername, $pidfile = $::apache::params::pidfile, - $rewrite_lock = false, + $rewrite_lock = undef, $manage_user = true, $manage_group = true, $user = $::apache::params::user, @@ -297,6 +297,10 @@ default => false } + if $rewrite_lock { + validate_absolute_path($rewrite_lock) + } + # Template uses: # - $pidfile # - $user @@ -318,6 +322,7 @@ # - $server_tokens # - $server_signature # - $trace_enable + # - $rewrite_lock file { "${::apache::conf_dir}/${::apache::params::conf_file}": ensure => file, content => template($conf_template), diff --git a/spec/classes/apache_spec.rb b/spec/classes/apache_spec.rb index b82eafa0de..0f4d0c5baa 100644 --- a/spec/classes/apache_spec.rb +++ b/spec/classes/apache_spec.rb 
@@ -156,23 +156,23 @@ :apache_version => '2.2', } end - + context "when default_type => 'none'" do let :params do { :default_type => 'none' } end - + it { is_expected.to contain_file("/etc/apache2/apache2.conf").with_content %r{^DefaultType none$} } end context "when default_type => 'text/plain'" do let :params do { :default_type => 'text/plain' } end - + it { is_expected.to contain_file("/etc/apache2/apache2.conf").with_content %r{^DefaultType text/plain$} } end end - + context "with Apache version >= 2.4" do let :params do { @@ -388,6 +388,37 @@ it { is_expected.to contain_file("/etc/httpd/conf/httpd.conf").with_content %r{^IncludeOptional "/etc/httpd/conf\.d/\*\.conf"$} } end + context "with Apache version < 2.4" do + let :params do + { + :apache_version => '2.2', + :rewrite_lock => '/var/lock/subsys/rewrite-lock' + } + end + + it { is_expected.to contain_file("/etc/httpd/conf/httpd.conf").with_content %r{^RewriteLock /var/lock/subsys/rewrite-lock$} } + end + + context "with Apache version < 2.4" do + let :params do + { + :apache_version => '2.2' + } + end + + it { is_expected.to contain_file("/etc/httpd/conf/httpd.conf").without_content %r{^RewriteLock [.]*$} } + end + + context "with Apache version >= 2.4" do + let :params do + { + :apache_version => '2.4', + :rewrite_lock => '/var/lock/subsys/rewrite-lock' + } + end + it { is_expected.to contain_file("/etc/httpd/conf/httpd.conf").without_content %r{^RewriteLock [.]*$} } + end + context "when specifying slash encoding behaviour" do let :params do { :allow_encoded_slashes => 'nodecode' } From e226ba8c340acd9eb6f5e887d9958205ba9fb221 Mon Sep 17 00:00:00 2001 
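Review bot: In the second spec/classes/apache_spec.rb hunk the negative assertions use `%r{^RewriteLock [.]*$}`, and `[.]` is a character class that matches only a literal dot, so the pattern can never match a line such as `RewriteLock /var/lock/subsys/rewrite-lock`. Both `without_content` examples therefore pass regardless of what the template renders, including the Apache >= 2.4 case where the directive must be suppressed. `without_content %r{^RewriteLock}` would fail if the directive appeared. Two of the three contexts also share the description "with Apache version < 2.4"; naming the second one after the unset parameter would make failures easier to read.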
From: Mason Malone Date: Wed, 21 Oct 2015 13:03:20 -0400 Subject: [PATCH 62/71] Fix ordering issue with conf_file and ports_file The httpd.conf.erb template explicitly includes the $ports_file, but the resource that uses that template doesn't have a dependency on $ports_file. This means it's possible for a declaration of the apache::custom_config resource to get run between when $conf_file is written and $ports_file is written. This will cause syntax verification via "apachectl -t" to always fail, causing the custom_config to be removed if the $verify_config flag is set to "true". Example: ==> ops: Notice: /Stage[main]/Jci_nagios::Server/Apache::Custom_config[cgid]/Exec[service notify for cgid]/returns: httpd: Syntax error on line 37 of /etc/httpd/conf/httpd.conf: Could not open configuration file /etc/httpd/conf/ports.conf: No such file or directory ==> ops: Error: /Stage[main]/Jci_nagios::Server/Apache::Custom_config[cgid]/Exec[service notify for cgid]: Failed to call refresh: /usr/sbin/apachectl -t returned 1 instead of one of [0] ==> ops: Error: /Stage[main]/Jci_nagios::Server/Apache::Custom_config[cgid]/Exec[service notify for cgid]: /usr/sbin/apachectl -t returned 1 instead of one of [0] ==> ops: Notice: /Stage[main]/Jci_nagios::Server/Apache::Custom_config[cgid]/Exec[remove cgid if invalid]: Triggered 'refresh' from 1 events I wrote a test that reproduces this behavior by using ordering arrows to force apache::custom_config to run before $ports_file is written. This is rather artificial, but I wasn't able to get this is happen "naturally" in the test environment. Take my word for it that it's possible. --- manifests/init.pp | 2 +- spec/acceptance/custom_config_spec.rb | 21 +++++++++++++++++++++ spec/classes/apache_spec.rb | 2 +- 3 files changed, 23 insertions(+), 2 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index d894e324fc..6aaa57cacb 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -327,7 +327,7 @@ ensure => file, content => template($conf_template), notify => Class['Apache::Service'], - require => Package['httpd'], + require => [Package['httpd'], File[$ports_file]], } # preserve back-wards compatibility to the times when default_mods was diff --git a/spec/acceptance/custom_config_spec.rb b/spec/acceptance/custom_config_spec.rb index 8b59f703fb..4bfd02f8d6 100644 --- a/spec/acceptance/custom_config_spec.rb +++ b/spec/acceptance/custom_config_spec.rb @@ -52,4 +52,25 @@ class { 'apache': } it { is_expected.to be_file } end end + + describe 'custom_config only applied after configs are written' do + it 'applies in the right order' do + pp = <<-EOS + class { 'apache': } + + apache::custom_config { 'ordering_test': + content => '# just a comment', + } + + # Try to wedge the apache::custom_config call between when httpd.conf is written and + # ports.conf is written. This should trigger a dependency cycle + File["#{$conf_file}"] -> Apache::Custom_config['ordering_test'] -> File["#{$ports_file}"] + EOS + expect(apply_manifest(pp, :expect_failures => true).stderr).to match(/Failed to apply catalog: Found 1 dependency cycle/i) + end + + describe file("#{$confd_dir}/25-ordering_test.conf") do + it { is_expected.not_to be_file } + end + end end diff --git a/spec/classes/apache_spec.rb b/spec/classes/apache_spec.rb index 0f4d0c5baa..60c03495ea 100644 --- a/spec/classes/apache_spec.rb +++ b/spec/classes/apache_spec.rb @@ -480,7 +480,7 @@ it { is_expected.to contain_file("/opt/rh/root/etc/httpd/conf/httpd.conf").with( 'ensure' => 'file', 'notify' => 'Class[Apache::Service]', - 'require' => 'Package[httpd]' + 'require' => ['Package[httpd]', 'File[/etc/httpd/conf/ports.conf]'], ) } end From a686d99566e3133cc1801e5aa20abe97700903cf Mon Sep 17 00:00:00 2001 
From: tphoney Date: Fri, 23 Oct 2015 15:17:47 +0100 Subject: [PATCH 63/71] reduce constraints on regex to fix pe tests --- spec/acceptance/custom_config_spec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/spec/acceptance/custom_config_spec.rb b/spec/acceptance/custom_config_spec.rb index 4bfd02f8d6..d4526e801d 100644 --- a/spec/acceptance/custom_config_spec.rb +++ b/spec/acceptance/custom_config_spec.rb @@ -66,7 +66,7 @@ class { 'apache': } # ports.conf is written. This should trigger a dependency cycle File["#{$conf_file}"] -> Apache::Custom_config['ordering_test'] -> File["#{$ports_file}"] EOS - expect(apply_manifest(pp, :expect_failures => true).stderr).to match(/Failed to apply catalog: Found 1 dependency cycle/i) + expect(apply_manifest(pp, :expect_failures => true).stderr).to match(/Found 1 dependency cycle/i) end describe file("#{$confd_dir}/25-ordering_test.conf") do From fcc4d43f46ee2a0d835b7bbf1ba90387eabf3719 Mon Sep 17 00:00:00 2001 From: abednarik Date: Wed, 28 Oct 2015 12:10:47 -0300 Subject: [PATCH 64/71] (MODULES-2651) Default document root update for Ubuntu 14.04 and Debian 8 For security reasons Debian changes default docroot to /var/www/html. See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=730372 --- README.md | 2 +- manifests/params.pp | 6 +++++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 8abaa58197..5089cfc946 100644 --- a/README.md +++ b/README.md @@ -907,7 +907,7 @@ class { 'apache': Sets the default [`DocumentRoot`][] location. Default: Determined by your operating system. -- **Debian**: `/var/www` +- **Debian**: `/var/www/html` - **FreeBSD**: `/usr/local/www/apache22/data` - **Gentoo**: `/var/www/localhost/htdocs` - **Red Hat**: `/var/www/html` diff --git a/manifests/params.pp b/manifests/params.pp index a2ab7382c6..36d2815fac 100644 --- a/manifests/params.pp +++ b/manifests/params.pp 
@@ -223,7 +223,11 @@ $fastcgi_lib_path = '/var/lib/apache2/fastcgi' $mime_support_package = 'mime-support' $mime_types_config = '/etc/mime.types' - $docroot = '/var/www' + if ($::operatingsystem == 'Ubuntu' and versioncmp($::operatingsystemrelease, '13.10') >= 0) or ($::operatingsystem == 'Debian' and versioncmp($::operatingsystemrelease, '8') >= 0) { + $docroot = '/var/www/html' + } else { + $docroot = '/var/www' + } $cas_cookie_path = '/var/cache/apache2/mod_auth_cas/' $mellon_lock_file = undef $mellon_cache_size = undef From c492b2b8094ef3d3cb51bfa43b3b386a1fbf0c70 Mon Sep 17 00:00:00 2001 From: Benedikt Bock Date: Wed, 14 Oct 2015 17:42:17 +0200 Subject: [PATCH 65/71] Allow multiple IP addresses per vhost To make a vhost reachable over 2 IP addresses we need to configure 2 similar vhosts which differ in the IP address. This change allows to use an array of IPs. --- README.md | 10 ++++++ manifests/vhost.pp | 12 ++++---- spec/acceptance/vhost_spec.rb | 53 ++++++++++++++++++++++++++++++++ spec/defines/vhost_spec.rb | 34 ++++++++++++++++++++ templates/vhost/_file_header.erb | 2 +- 5 files changed, 104 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 5066caac99..2f405c6c93 100644 --- a/README.md +++ b/README.md @@ -399,6 +399,16 @@ apache::vhost { 'ip.example.com': } ~~~ +It is also possible to configure more than one IP address per vhost by using an array of IP addresses for the [`ip`][] parameter: + +~~~ puppet +apache::vhost { 'ip.example.com': + ip => ['127.0.0.1','169.254.1.1'], + port => '80', + docroot => '/var/www/ip', +} +~~~ + To configure a virtual host with [aliased servers][], refer to the aliases using the [`serveraliases`][] parameter: ~~~ puppet diff --git a/manifests/vhost.pp b/manifests/vhost.pp index 25530bccb8..43739c966f 100644 --- a/manifests/vhost.pp +++ b/manifests/vhost.pp 
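Review bot: The Ubuntu branch of the new condition in manifests/params.pp switches at `versioncmp($::operatingsystemrelease, '13.10') >= 0`, while the commit subject names Ubuntu 14.04. If 13.10 packages still use `/var/www`, those hosts would get a docroot that differs from the packaged one, so the bound should be confirmed or changed to `'14.04'`. The default also changes on upgrade for existing Debian 8 and Ubuntu nodes that never set `docroot`, which deserves a line in the release notes. I would put a comment above the `if`, e.g. `# Debian 8+ and newer Ubuntu moved the default DocumentRoot to /var/www/html (Debian bug 730372)`.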
@@ -339,8 +339,8 @@ if $ip { if $port { - $listen_addr_port = "${ip}:${port}" - $nvh_addr_port = "${ip}:${port}" + $listen_addr_port = suffix(any2array($ip),":${port}") + $nvh_addr_port = suffix(any2array($ip),":${port}") } else { $listen_addr_port = undef $nvh_addr_port = $ip @@ -364,13 +364,13 @@ if $ip and defined(Apache::Listen["${port}"]) { fail("Apache::Vhost[${name}]: Mixing IP and non-IP Listen directives is not possible; check the add_listen parameter of the apache::vhost define to disable this") } - if ! defined(Apache::Listen["${listen_addr_port}"]) and $listen_addr_port and $ensure == 'present' { - ::apache::listen { "${listen_addr_port}": } + if $listen_addr_port and $ensure == 'present' { + ensure_resource('apache::listen', $listen_addr_port) } } if ! $ip_based { - if ! defined(Apache::Namevirtualhost[$nvh_addr_port]) and $ensure == 'present' and (versioncmp($apache_version, '2.4') < 0) { - ::apache::namevirtualhost { $nvh_addr_port: } + if $ensure == 'present' and (versioncmp($apache_version, '2.4') < 0) { + ensure_resource('apache::namevirtualhost', $nvh_addr_port) } } diff --git a/spec/acceptance/vhost_spec.rb b/spec/acceptance/vhost_spec.rb index b5d51e91f4..5c967209cf 100644 --- a/spec/acceptance/vhost_spec.rb +++ b/spec/acceptance/vhost_spec.rb 
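Review bot: `suffix(any2array($ip),":${port}")` in manifests/vhost.pp appends the port to every entry unchanged, so an IPv6 literal such as the `::1` used in this commit's specs is rendered as `::1:80`. As far as I know Apache expects IPv6 addresses in `Listen` and `<VirtualHost>` to be bracketed (`[::1]:80`), so the generated directives are likely to be rejected or misread. Either wrap entries that contain a colon in brackets before adding the port, or state in the `ip` parameter documentation that IPv6 addresses must be passed already bracketed. The two assignments are identical and could be `$nvh_addr_port = $listen_addr_port`; the surrounding `if $ip` block continues outside the hunk.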
@@ -190,6 +190,59 @@ class { 'apache': } end end + context 'new vhost with multiple IP addresses on port 80' do + it 'should configure one apache vhost with 2 ip addresses' do + pp = <<-EOS + class { 'apache': + default_vhost => false, + } + apache::vhost { 'example.com': + port => '80', + ip => ['127.0.0.1','::1'], + ip_based => true, + docroot => '/var/www/html', + } + host { 'ipv4.example.com': ip => '127.0.0.1', } + host { 'ipv6.example.com': ip => '::1', } + file { '/var/www/html/index.html': + ensure => file, + content => "Hello from vhost\\n", + } + EOS + apply_manifest(pp, :catch_failures => true) + end + + describe service($service_name) do + it { is_expected.to be_enabled } + it { is_expected.to be_running } + end + + describe file("#{$vhost_dir}/25-example.com.conf") do + it { is_expected.to contain '' } + it { is_expected.to contain "ServerName example.com" } + end + + describe file($ports_file) do + it { is_expected.to be_file } + it { is_expected.to contain 'Listen 127.0.0.1:80' } + it { is_expected.to contain 'Listen ::1:80' } + it { is_expected.not_to contain 'NameVirtualHost 127.0.0.1:80' } + it { is_expected.not_to contain 'NameVirtualHost ::1:80' } + end + + it 'should answer to ipv4.example.com' do + shell("/usr/bin/curl ipv4.example.com:80", {:acceptable_exit_codes => 0}) do |r| + expect(r.stdout).to eq("Hello from vhost\n") + end + end + + it 'should answer to ipv6.example.com' do + shell("/usr/bin/curl ipv6.example.com:80", {:acceptable_exit_codes => 0}) do |r| + expect(r.stdout).to eq("Hello from vhost\n") + end + end + end + context 'apache_directories' do describe 'readme example, adapted' do it 'should configure a vhost with Files' do diff --git a/spec/defines/vhost_spec.rb b/spec/defines/vhost_spec.rb index 6fd59f9157..0a86963364 100644 --- a/spec/defines/vhost_spec.rb +++ b/spec/defines/vhost_spec.rb 
@@ -459,6 +459,40 @@ it { is_expected.to contain_concat__fragment('rspec.example.com-limits').with( :content => /^\s+LimitRequestFieldSize\s54321$/)} end + context 'vhost with multiple ip addresses' do + let :params do + { + 'port' => '80', + 'ip' => ['127.0.0.1','::1'], + 'ip_based' => true, + 'servername' => 'example.com', + 'docroot' => '/var/www/html', + 'add_listen' => true, + 'ensure' => 'present' + } + end + let :facts do + { + :osfamily => 'RedHat', + :operatingsystemrelease => '7', + :concat_basedir => '/dne', + :operatingsystem => 'RedHat', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :kernelversion => '3.6.2', + :is_pe => false, + } + end + + it { is_expected.to compile } + it { is_expected.to contain_concat__fragment('rspec.example.com-apache-header').with( + :content => /[.\/m]*[.\/m]*$/ ) } + it { is_expected.to contain_concat__fragment('Listen 127.0.0.1:80') } + it { is_expected.to contain_concat__fragment('Listen ::1:80') } + it { is_expected.to_not contain_concat__fragment('NameVirtualHost 127.0.0.1:80') } + it { is_expected.to_not contain_concat__fragment('NameVirtualHost ::1:80') } + end context 'set only aliases' do let :params do { diff --git a/templates/vhost/_file_header.erb b/templates/vhost/_file_header.erb index e6f2f95e76..9350781d6f 100644 --- a/templates/vhost/_file_header.erb +++ b/templates/vhost/_file_header.erb @@ -3,7 +3,7 @@ # Managed by Puppet # ************************************ -> +> ServerName <%= @servername %> <% if @serveradmin -%> ServerAdmin <%= @serveradmin %> From 6fde679c37b44be6d5b5b7d058969ddce6009ae4 Mon Sep 17 00:00:00 2001 From: abednarik Date: Wed, 28 Oct 2015 23:25:38 -0300 Subject: [PATCH 66/71] (MODULES-2651) Default document root update for Ubuntu 14.04 and Debian 8 Added test cases for Debian 8 and Ubuntu 14.04 --- spec/classes/apache_spec.rb | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) 
diff --git a/spec/classes/apache_spec.rb b/spec/classes/apache_spec.rb index 60c03495ea..a766764527 100644 --- a/spec/classes/apache_spec.rb +++ b/spec/classes/apache_spec.rb @@ -235,6 +235,18 @@ end end + context "8" do + let :facts do + super().merge({ + :lsbdistcodename => 'jessie', + :operatingsystemrelease => '8' + }) + end + it { is_expected.to contain_file("/var/www/html").with( + 'ensure' => 'directory' + ) + } + end context "on Ubuntu" do let :facts do super().merge({ @@ -242,6 +254,18 @@ }) end + context "14.04" do + let :facts do + super().merge({ + :lsbdistrelease => '14.04', + :operatingsystemrelease => '14.04' + }) + end + it { is_expected.to contain_file("/var/www/html").with( + 'ensure' => 'directory' + ) + } + end context "13.10" do let :facts do super().merge({ From cc443e96e3ca7d0eeda9b76145df681e2882e402 Mon Sep 17 00:00:00 2001 From: tphoney Date: Wed, 4 Nov 2015 14:07:50 +0000 Subject: [PATCH 67/71] removing an over complicated test case --- spec/acceptance/mod_passenger_spec.rb | 110 -------------------------- 1 file changed, 110 deletions(-) diff --git a/spec/acceptance/mod_passenger_spec.rb b/spec/acceptance/mod_passenger_spec.rb index 7b2d0da9af..5af9113e5c 100644 --- a/spec/acceptance/mod_passenger_spec.rb +++ b/spec/acceptance/mod_passenger_spec.rb 
@@ -194,115 +194,5 @@ class { 'apache::mod::passenger': } end end - - when 'RedHat' - # no fedora 18 passenger package yet, and rhel5 packages only exist for ruby 1.8.5 - unless (fact('operatingsystem') == 'Fedora' and fact('operatingsystemrelease').to_f >= 18) or (fact('osfamily') == 'RedHat' and fact('operatingsystemmajrelease') == '5' and fact('rubyversion') != '1.8.5') - - if fact('osfamily') == 'RedHat' and fact('operatingsystemmajrelease') == '7' - pending('test passenger - RHEL7 packages don\'t exist') - else - context "default passenger config" do - it 'succeeds in puppeting passenger' do - pp = <<-EOS - /* EPEL and passenger repositories */ - class { 'epel': } - exec { 'passenger.repo GPG key': - command => '/usr/bin/curl -o /etc/yum.repos.d/RPM-GPG-KEY-stealthymonkeys.asc http://passenger.stealthymonkeys.com/RPM-GPG-KEY-stealthymonkeys.asc', - creates => '/etc/yum.repos.d/RPM-GPG-KEY-stealthymonkeys.asc', - } - file { 'passenger.repo GPG key': - ensure => file, - path => '/etc/yum.repos.d/RPM-GPG-KEY-stealthymonkeys.asc', - require => Exec['passenger.repo GPG key'], - } - epel::rpm_gpg_key { 'passenger.stealthymonkeys.com': - path => '/etc/yum.repos.d/RPM-GPG-KEY-stealthymonkeys.asc', - require => [ - Class['epel'], - File['passenger.repo GPG key'], - ] - } - $releasever_string = $operatingsystem ? 
{ - 'Scientific' => '6', - default => '$releasever', - } - yumrepo { 'passenger': - baseurl => "http://passenger.stealthymonkeys.com/rhel/${releasever_string}/\\$basearch" , - descr => "Red Hat Enterprise ${releasever_string} - Phusion Passenger", - enabled => 1, - gpgcheck => 1, - gpgkey => 'http://passenger.stealthymonkeys.com/RPM-GPG-KEY-stealthymonkeys.asc', - mirrorlist => 'http://passenger.stealthymonkeys.com/rhel/mirrors', - require => [ - Epel::Rpm_gpg_key['passenger.stealthymonkeys.com'], - ], - } - /* apache and mod_passenger */ - class { 'apache': - require => [ - Class['epel'], - ], - } - class { 'apache::mod::passenger': - require => [ - Yumrepo['passenger'] - ], - } - #{pp_rackapp} - EOS - apply_manifest(pp, :catch_failures => true) - end - - describe service(service_name) do - it { is_expected.to be_enabled } - it { is_expected.to be_running } - end - - describe file(conf_file) do - it { is_expected.to contain "PassengerRoot #{passenger_root}" } - it { is_expected.to contain "PassengerRuby #{passenger_ruby}" } - it { is_expected.to contain "PassengerTempDir #{passenger_tempdir}" } - end - - describe file(load_file) do - it { is_expected.to contain "LoadModule passenger_module #{passenger_module_path}" } - end - - it 'should output status via passenger-memory-stats' do - shell("/usr/bin/passenger-memory-stats", :pty => true) do |r| - expect(r.stdout).to match(/Apache processes/) - expect(r.stdout).to match(/Nginx processes/) - expect(r.stdout).to match(/Passenger processes/) - expect(r.stdout).to match(/### Processes: [0-9]+/) - expect(r.stdout).to match(/### Total private dirty RSS: [0-9\.]+ MB/) - - expect(r.exit_code).to eq(0) - end - end - - it 'should output status via passenger-status' do - shell("PASSENGER_TMPDIR=/var/run/rubygem-passenger /usr/bin/passenger-status") do |r| - # spacing may vary - r.stdout.should =~ /[\-]+ General information [\-]+/ - r.stdout.should =~ /max[ ]+= [0-9]+/ - r.stdout.should =~ /count[ ]+= [0-9]+/ - r.stdout.should 
=~ /active[ ]+= [0-9]+/ - r.stdout.should =~ /inactive[ ]+= [0-9]+/ - r.stdout.should =~ /Waiting on global queue: [0-9]+/ - - r.exit_code.should == 0 - end - end - - it 'should answer to passenger.example.com' do - shell("/usr/bin/curl passenger.example.com:80") do |r| - r.stdout.should =~ /^hello world<\/b>$/ - r.exit_code.should == 0 - end - end - end - end - end end end From a9bf898738d579811530ea7a4958b6e740eabe4a Mon Sep 17 00:00:00 2001 From: tphoney Date: Thu, 12 Nov 2015 12:07:12 +0000 Subject: [PATCH 68/71] removing redhat passenger tests, for now --- spec/acceptance/vhost_spec.rb | 34 ---------------------------------- 1 file changed, 34 deletions(-) diff --git a/spec/acceptance/vhost_spec.rb b/spec/acceptance/vhost_spec.rb index 37ac83a0ae..2d3b834747 100644 --- a/spec/acceptance/vhost_spec.rb +++ b/spec/acceptance/vhost_spec.rb @@ -1058,40 +1058,6 @@ class { 'apache': } end end - # Passenger isn't even in EPEL on el-5 - if default['platform'] !~ /^el-5/ - if fact('osfamily') == 'RedHat' and fact('operatingsystemmajrelease') == '7' - pending('Since we don\'t have passenger on RHEL7 rack_base_uris tests will fail') - else - describe 'rack_base_uris' do - if fact('osfamily') == 'RedHat' - it 'adds epel' do - pp = "class { 'epel': }" - apply_manifest(pp, :catch_failures => true) - end - end - - it 'applies cleanly' do - pp = <<-EOS - class { 'apache': } - host { 'test.server': ip => '127.0.0.1' } - apache::vhost { 'test.server': - docroot => '/tmp', - rack_base_uris => ['/test'], - } - EOS - apply_manifest(pp, :catch_failures => true) - end - - describe file("#{$vhost_dir}/25-test.server.conf") do - it { is_expected.to be_file } - it { is_expected.to contain 'RackBaseURI /test' } - end - end - end - end - - describe 'request_headers' do it 'applies cleanly' do pp = <<-EOS From b9b9565170308a0a3d04577a37c88fa743f5a96e Mon Sep 17 00:00:00 2001 
From: tphoney Date: Fri, 13 Nov 2015 15:00:59 +0000 Subject: [PATCH 69/71] updating the test to use ipv4 addresses --- spec/acceptance/vhost_spec.rb | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/spec/acceptance/vhost_spec.rb b/spec/acceptance/vhost_spec.rb index 2d3b834747..c4a34b1f1c 100644 --- a/spec/acceptance/vhost_spec.rb +++ b/spec/acceptance/vhost_spec.rb @@ -198,12 +198,12 @@ class { 'apache': } apache::vhost { 'example.com': port => '80', - ip => ['127.0.0.1','::1'], + ip => ['127.0.0.1','127.0.0.2'], ip_based => true, docroot => '/var/www/html', } host { 'ipv4.example.com': ip => '127.0.0.1', } - host { 'ipv6.example.com': ip => '::1', } + host { 'ipv6.example.com': ip => '127.0.0.2', } file { '/var/www/html/index.html': ensure => file, content => "Hello from vhost\\n", @@ -218,16 +218,16 @@ class { 'apache': end describe file("#{$vhost_dir}/25-example.com.conf") do - it { is_expected.to contain '' } + it { is_expected.to contain '' } it { is_expected.to contain "ServerName example.com" } end describe file($ports_file) do it { is_expected.to be_file } it { is_expected.to contain 'Listen 127.0.0.1:80' } - it { is_expected.to contain 'Listen ::1:80' } + it { is_expected.to contain 'Listen 127.0.0.2:80' } it { is_expected.not_to contain 'NameVirtualHost 127.0.0.1:80' } - it { is_expected.not_to contain 'NameVirtualHost ::1:80' } + it { is_expected.not_to contain 'NameVirtualHost 127.0.0.2:80' } end it 'should answer to ipv4.example.com' do From bfcf6cc066fd041750ef30fc7c45b4cdffa4e814 Mon Sep 17 00:00:00 2001 
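Review bot: After this change the host entry `ipv6.example.com` resolves to `127.0.0.2`, so the example 'should answer to ipv6.example.com' in spec/acceptance/vhost_spec.rb no longer involves IPv6 at all and the multi-address feature is only verified for IPv4. I would rename the entry and the example to something like `ipv4-second.example.com`, or add a comment such as `# second IPv4 address; IPv6 literals are not exercised by this test`. The second hunk ends in the middle of the 'should answer to ipv4.example.com' example.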
From: tphoney Date: Fri, 30 Oct 2015 17:53:02 +0000 Subject: [PATCH 70/71] 1.7.0 release prep --- CHANGELOG.md | 48 ++++++++++++++++++++ README.md | 4 ++ {tests => examples}/apache.pp | 0 {tests => examples}/dev.pp | 0 {tests => examples}/init.pp | 0 {tests => examples}/mod_load_params.pp | 0 {tests => examples}/mods.pp | 0 {tests => examples}/mods_custom.pp | 0 {tests => examples}/php.pp | 0 {tests => examples}/vhost.pp | 0 {tests => examples}/vhost_directories.pp | 0 {tests => examples}/vhost_filter.pp | 4 +- {tests => examples}/vhost_ip_based.pp | 0 {tests => examples}/vhost_proxypass.pp | 0 {tests => examples}/vhost_ssl.pp | 0 {tests => examples}/vhosts_without_listen.pp | 0 metadata.json | 2 +- 17 files changed, 55 insertions(+), 3 deletions(-) rename {tests => examples}/apache.pp (100%) rename {tests => examples}/dev.pp (100%) rename {tests => examples}/init.pp (100%) rename {tests => examples}/mod_load_params.pp (100%) rename {tests => examples}/mods.pp (100%) rename {tests => examples}/mods_custom.pp (100%) rename {tests => examples}/php.pp (100%) rename {tests => examples}/vhost.pp (100%) rename {tests => examples}/vhost_directories.pp (100%) rename {tests => examples}/vhost_filter.pp (90%) rename {tests => examples}/vhost_ip_based.pp (100%) rename {tests => examples}/vhost_proxypass.pp (100%) rename {tests => examples}/vhost_ssl.pp (100%) rename {tests => examples}/vhosts_without_listen.pp (100%) diff --git a/CHANGELOG.md b/CHANGELOG.md index 985194bf54..fb33a13633 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,51 @@ +## 2015-11-17 - Supported Release 1.7.0 +### Summary +This release includes many new features and bugfixes. There are test, documentation and misc improvements. + +#### Features +- allow groups with - like vhost-users +- ability to enable/disable the secruleengine through a parameter +- add mod_auth_kerb parameters to vhost +- client auth for reverse proxy +- support for mod_auth_mellon +- change SSLProtocol in apache::vhost to be space separated +- RewriteLock support + +#### Bugfixes +- fix apache::mod::cgid so it can be used with the event MPM +- load unixd before fcgid on all operating systems +- fixes conditional in vhost aliases +- corrects mod_cgid worker/event defaults +- ProxyPassMatch parameters were ending up on a newline +- catch that mod_authz_default has been removed in Apache 2.4 +- mod::ssl fails on SLES +- fix typo of MPM_PREFORK for FreeBSD package install +- install all modules before adding custom configs +- fix acceptance testing for SSLProtocol behaviour for real +- fix ordering issue with conf_file and ports_file + +#### Known Issues +- mod_passenger is having issues installing on Redhat/Centos 6, This is due to package dependency issues. 
+ +#### Improvements +- added docs for forcetype directive +- removes ruby 1.8.7 from the travisci test matrix +- readme reorganisation, minor fixups +- support the mod_proxy ProxyPassReverseCookiePath directive +- the purge_vhost_configs parameter is actually called purge_vhost_dir +- add ListenBacklog for mod worker +- deflate application/json by default +- install mod_authn_alias as default mod in debian for apache < 2.4 +- optionally set LimitRequestFieldSize on an apache::vhost +- add SecUploadDir parameter to support file uploads with mod_security +- optionally set parameters for mod_ext_filter module +- allow SetOutputFilter to be set on a directory +- RC4 is deprecated +- allow empty docroot +- add option to configure the include pattern for the vhost_enable dir +- allow multiple IP addresses per vhost +- default document root update for Ubuntu 14.04 and Debian 8 + ## 2015-07-28 - Supported Release 1.6.0 ### Summary This release includes a couple of new features, along with test and documentation updates, and support for the latest AIO puppet builds. diff --git a/README.md b/README.md index 2953d8aba4..8601939aa1 100644 --- a/README.md +++ b/README.md @@ -3259,6 +3259,10 @@ The [`apache::vhost::WSGIImportScript`][] parameter creates a statement inside t The [`apache::mod::passenger`][] and [`apache::mod::proxy_html`][] classes are untested since repositories are missing compatible packages. +### RHEL/CentOS 6 + +The [`apache::mod::passenger`][] class is not installing as the the EL6 repository is missing compatible packages. + ### RHEL/CentOS 7 The [`apache::mod::passenger`][] class is untested as the EL7 repository is missing compatible packages, which also blocks us from testing the [`apache::vhost`][] define's [`rack_base_uris`][] parameter. diff --git a/tests/apache.pp b/examples/apache.pp similarity index 100% rename from tests/apache.pp rename to examples/apache.pp 
diff --git a/tests/dev.pp b/examples/dev.pp similarity index 100% rename from tests/dev.pp rename to examples/dev.pp diff --git a/tests/init.pp b/examples/init.pp similarity index 100% rename from tests/init.pp rename to examples/init.pp diff --git a/tests/mod_load_params.pp b/examples/mod_load_params.pp similarity index 100% rename from tests/mod_load_params.pp rename to examples/mod_load_params.pp diff --git a/tests/mods.pp b/examples/mods.pp similarity index 100% rename from tests/mods.pp rename to examples/mods.pp diff --git a/tests/mods_custom.pp b/examples/mods_custom.pp similarity index 100% rename from tests/mods_custom.pp rename to examples/mods_custom.pp diff --git a/tests/php.pp b/examples/php.pp similarity index 100% rename from tests/php.pp rename to examples/php.pp diff --git a/tests/vhost.pp b/examples/vhost.pp similarity index 100% rename from tests/vhost.pp rename to examples/vhost.pp diff --git a/tests/vhost_directories.pp b/examples/vhost_directories.pp similarity index 100% rename from tests/vhost_directories.pp rename to examples/vhost_directories.pp diff --git a/tests/vhost_filter.pp b/examples/vhost_filter.pp similarity index 90% rename from tests/vhost_filter.pp rename to examples/vhost_filter.pp index ab339737f9..ca1a8bbe03 100644 --- a/tests/vhost_filter.pp +++ b/examples/vhost_filter.pp @@ -3,8 +3,8 @@ # Example from README adapted. apache::vhost { 'readme.example.net': - docroot => '/var/www/html', - filters => [ + docroot => '/var/www/html', + filters => [ 'FilterDeclare COMPRESS', 'FilterProvider COMPRESS DEFLATE resp=Content-Type $text/html', 'FilterProvider COMPRESS DEFLATE resp=Content-Type $text/css', diff --git a/tests/vhost_ip_based.pp b/examples/vhost_ip_based.pp similarity index 100% rename from tests/vhost_ip_based.pp rename to examples/vhost_ip_based.pp diff --git a/tests/vhost_proxypass.pp b/examples/vhost_proxypass.pp similarity index 100% rename from tests/vhost_proxypass.pp rename to examples/vhost_proxypass.pp 
diff --git a/tests/vhost_ssl.pp b/examples/vhost_ssl.pp similarity index 100% rename from tests/vhost_ssl.pp rename to examples/vhost_ssl.pp diff --git a/tests/vhosts_without_listen.pp b/examples/vhosts_without_listen.pp similarity index 100% rename from tests/vhosts_without_listen.pp rename to examples/vhosts_without_listen.pp diff --git a/metadata.json b/metadata.json index a0e3fc2fac..f06e6d529c 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "puppetlabs-apache", - "version": "1.6.0", + "version": "1.7.0", "author": "puppetlabs", "summary": "Installs, configures, and manages Apache virtual hosts, web services, and modules.", "license": "Apache-2.0", From 8dc87f961f4d6e031ae3b7d0c5fa34abea59d0ae Mon Sep 17 00:00:00 2001 From: Garrett Guillotte Date: Mon, 16 Nov 2015 17:32:48 -0800 Subject: [PATCH 71/71] (docs) Fix issues with the 1.7.0 readme. Fixes several typos and links, and reorganizes the `apache::mod::auth_mellon`, `mellon_enable`, and `auth_kerb` sections, and document missing default values. --- README.md | 850 +++++++++++++++++++++----------------------- README.passenger.md | 2 +- 2 files changed, 411 insertions(+), 441 deletions(-) diff --git a/README.md b/README.md index 8601939aa1..15565edfbe 100644 --- a/README.md +++ b/README.md 
@@ -144,8 +144,11 @@ [`MinSpareThreads`]: https://httpd.apache.org/docs/current/mod/mpm_common.html#minsparethreads [`mod_alias`]: https://httpd.apache.org/docs/current/mod/mod_alias.html [`mod_auth_cas`]: https://github.com/Jasig/mod_auth_cas +[`mod_auth_kerb`]: http://modauthkerb.sourceforge.net/configure.html [`mod_authnz_external`]: https://code.google.com/p/mod-auth-external/ [`mod_auth_mellon`]: https://github.com/UNINETT/mod_auth_mellon +[`mod_disk_cache`]: https://httpd.apache.org/docs/2.2/mod/mod_disk_cache.html +[`mod_cache_disk`]: https://httpd.apache.org/docs/current/mod/mod_cache_disk.html [`mod_expires`]: http://httpd.apache.org/docs/current/mod/mod_expires.html [`mod_ext_filter`]: http://httpd.apache.org/docs/current/mod/mod_ext_filter.html [`mod_fcgid`]: https://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html @@ -1301,16 +1304,22 @@ Installs and manages [`mod_alias`][]. - **Gentoo**: `/var/www/icons` - **Red Hat**: `/var/www/icons`, except on Apache 2.4, where it's `/usr/share/httpd/icons` -####Class: `apache::mod::disk_cache` +#### Class: `apache::mod::disk_cache` -Installs and configures mod_disk_cache. The cache root is determined based on apache version and OS. It can be specified directly as well. +Installs and configures [`mod_disk_cache`][] on Apache 2.2, or [`mod_cache_disk`][] on Apache 2.4. The default cache root depends on the Apache version and operating system: -Specifying the cache root: -```puppet - class {'::apache::mod::disk_cache': - cache_root => '/path/to/cache', - } -``` +- **Debian**: `/var/cache/apache2/mod_cache_disk` +- **FreeBSD**: `/var/cache/mod_cache_disk` +- **Red Hat, Apache 2.4**: `/var/cache/httpd/proxy` +- **Red Hat, Apache 2.2**: `/var/cache/mod_proxy` + +You can specify the cache root by passing a path as a string to the `cache_root` parameter. + +~~~ puppet +class {'::apache::mod::disk_cache': + cache_root => '/path/to/cache', +} +~~~ ##### Class: `apache::mod::event` 
@@ -1352,29 +1361,29 @@ The `cas_login_url` and `cas_validate_url` parameters are required; several othe ##### Class: `apache::mod::auth_mellon` -Installs and manages [`mod_auth_mellon`][]. It's parameters share names with the Apache module's directives. +Installs and manages [`mod_auth_mellon`][]. Its parameters share names with the Apache module's directives. -~~~puppet -class{'apache::mod::auth_mellon': - mellon_cache_size => 101 +~~~ puppet +class{ 'apache::mod::auth_mellon': + mellon_cache_size => 101, } ~~~ **Parameters within `apache::mod::auth_mellon`**: -- `mellon_cache_size`: Size in megabytes of mellon cache. -- `mellon_cache_entry_size`: Maximum size for single session. -- `mellon_lock_file`: Location of lock file. -- `mellon_post_directory`: Full path where post requests are saved. -- `mellon_post_ttl`: Time to keep post requests. -- `mellon_post_size`: Maximum size of post requests. -- `mellon_post_count`: Maxmum number of post requests. +- `mellon_cache_entry_size`: Maximum size for a single session. Default: 'undef'. +- `mellon_cache_size`: Size in megabytes of the mellon cache. Default: 100. +- `mellon_lock_file`: Location of lock file. Default: '`/run/mod_auth_mellon/lock`'. +- `mellon_post_directory`: Full path where post requests are saved. Default: '`/var/cache/apache2/mod_auth_mellon/`' +- `mellon_post_ttl`: Time to keep post requests. Default: 'undef'. +- `mellon_post_size`: Maximum size of post requests. Default: 'undef'. +- `mellon_post_count`: Maximum number of post requests. Default: 'undef'. ##### Class: `apache::mod::deflate` Installs and configures [`mod_deflate`][]. -**Parameters within `apache::mod::deflate`:** +**Parameters within `apache::mod::deflate`**: - `types`: An [array][] of [MIME types][MIME `content-type`] to be deflated. Default: [ 'text/html text/plain text/xml', 'text/css', 'application/x-javascript application/javascript application/ecmascript', 'application/rss+xml', 'application/json' ]. 
- `notes`: A [Hash][] where the key represents the type and the value represents the note name. Default: { 'Input' => 'instream', 'Output' => 'outstream', 'Ratio' => 'ratio' } @@ -1394,7 +1403,7 @@ Installs [`mod_expires`][] and uses the `expires.conf.erb` template to generate Installs and configures [`mod_ext_filter`][]. ~~~ puppet -class{'apache::mod::ext_filter': +class { 'apache::mod::ext_filter': ext_filter_define => { 'slowdown' => 'mode=output cmd=/bin/cat preservescontentlength', 'puppetdb-strip' => 'mode=output outtype=application/json cmd="pdb-resource-filter"', @@ -1410,7 +1419,7 @@ class{'apache::mod::ext_filter': Installs and configures [`mod_fcgid`][]. -The class makes no effort to individually parameterize all available options. Instead, configure `mod_fcgid` using the `options` [Hash][]. For example: +The class makes no effort to individually parameterize all available options. Instead, configure `mod_fcgid` using the `options` [hash][]. For example: ~~~ puppet class { 'apache::mod::fcgid': @@ -1530,7 +1539,7 @@ Default values depend on your operating system. - `package_name`: Names the package that installs `php_mod`. - `path`: Defines the path to the `mod_php` shared object (`.so`) file. -- `source`: Defines the path to the default configuration. Valid options include a `puppet:///` paths. +- `source`: Defines the path to the default configuration. Valid options include a `puppet:///` path. - `template`: Defines the path to the `php.conf` template Puppet uses to generate the configuration file. - `content`: Adds arbitrary content to `php.conf`. 
@@ -2018,59 +2027,44 @@ Configures [ITK](http://mpm-itk.sesse.net/) in a hash. Keys can be: Usage typically looks like: ~~~ puppet - apache::vhost { 'sample.example.net': - docroot => '/path/to/directory', - itk => { - user => 'someuser', - group => 'somegroup', - }, - } +apache::vhost { 'sample.example.net': + docroot => '/path/to/directory', + itk => { + user => 'someuser', + group => 'somegroup', + }, +} ~~~ ##### `auth_kerb` -Enable mod_auth_kerb parameters for a virtual host. Valid values are 'true' or 'false'. Defaults to 'false'. +Enable [`mod_auth_kerb`][] parameters for a virtual host. Valid values are 'true' or 'false'. Defaults to 'false'. Usage typically looks like: ~~~ puppet - apache::vhost {'sample.example.net': - auth_kerb => true, - krb_method_negotiate => 'on', - krb_auth_realms => ['EXAMPLE.ORG'], - krb_local_user_mapping => 'on', - directories => { - path => '/var/www/html', - auth_name => 'Kerberos Login', - auth_type => 'Kerberos', - auth_require => 'valid-user', - } - } +apache::vhost { 'sample.example.net': + auth_kerb => true, + krb_method_negotiate => 'on', + krb_auth_realms => ['EXAMPLE.ORG'], + krb_local_user_mapping => 'on', + directories => { + path => '/var/www/html', + auth_name => 'Kerberos Login', + auth_type => 'Kerberos', + auth_require => 'valid-user', + }, +} ~~~ -##### `krb_method_negotiate` - -To enable or disable the use of the Negotiate method. Defaults is 'on' - -##### `krb_method_k5passwd` - -To enable or disable the use of password based authentication for Kerberos v5. Default is 'on' - -##### `krb_authoritative` - -If set to off this directive allow authentication controls to be pass on to another modules. Default is 'on' +Related parameters follow the names of `mod_auth_kerb` directives: -##### `krb_auth_realms` - -Specifies an array Kerberos realm(s) to be used for authentication. Default is [] - -##### `krb_5keytab` - -Location of the Kerberos V5 keytab file. Not set by default. 
- -##### `krb_local_user_mapping` - -Strips @REALM from username for further use. Not set by default. +- `krb_method_negotiate`: Determines whether to use the Negotiate method. Default: 'on'. +- `krb_method_k5passwd`: Determines whether to use password-based authentication for Kerberos v5. Default: 'on'. +- `krb_authoritative`: If set to 'off', authentication controls can be passed on to another module. Default: 'on'. +- `krb_auth_realms`: Specifies an array of Kerberos realms to use for authentication. Default: `[]`. +- `krb_5keytab`: Specifies the Kerberos v5 keytab file's location. Default: undef. +- `krb_local_user_mapping`: Strips @REALM from usernames for further use. Default: undef. ##### `limit_request_field_size` @@ -2265,11 +2259,11 @@ Specifies the address to redirect to. Defaults to 'undef'. Specifies the source URIs that redirect to the destination specified in `redirect_dest`. If more than one item for redirect is supplied, the source and destination must be the same length, and the items are order-dependent. ~~~ puppet - apache::vhost { 'site.name.fdqn': - … - redirect_source => ['/images','/downloads'], - redirect_dest => ['http://img.example.com/','http://downloads.example.com/'], - } +apache::vhost { 'site.name.fdqn': + … + redirect_source => ['/images','/downloads'], + redirect_dest => ['http://img.example.com/','http://downloads.example.com/'], +} ~~~ ##### `redirect_status` @@ -2277,10 +2271,10 @@ Specifies the source URIs that redirect to the destination specified in `redirec Specifies the status to append to the redirect. Defaults to 'undef'. ~~~ puppet - apache::vhost { 'site.name.fdqn': - … - redirect_status => ['temp','permanent'], - } +apache::vhost { 'site.name.fdqn': + … + redirect_status => ['temp','permanent'], +} ~~~ ##### `redirectmatch_regexp` & `redirectmatch_status` & `redirectmatch_dest` 
@@ -2288,12 +2282,12 @@ Specifies the status to append to the redirect. Defaults to 'undef'. Determines which server status should be raised for a given regular expression and where to forward the user to. Entered as arrays. Defaults to 'undef'. ~~~ puppet - apache::vhost { 'site.name.fdqn': - … - redirectmatch_status => ['404','404'], - redirectmatch_regexp => ['\.git(/.*|$)/','\.svn(/.*|$)'], - redirectmatch_dest => ['http://www.example.com/1','http://www.example.com/2'], - } +apache::vhost { 'site.name.fdqn': + … + redirectmatch_status => ['404','404'], + redirectmatch_regexp => ['\.git(/.*|$)/','\.svn(/.*|$)'], + redirectmatch_dest => ['http://www.example.com/1','http://www.example.com/2'], +} ~~~ ##### `request_headers` @@ -2301,13 +2295,13 @@ Determines which server status should be raised for a given regular expression a Modifies collected [request headers](http://httpd.apache.org/docs/current/mod/mod_headers.html#requestheader) in various ways, including adding additional request headers, removing request headers, etc. Defaults to 'undef'. ~~~ puppet - apache::vhost { 'site.name.fdqn': - … - request_headers => [ - 'append MirrorID "mirror 12"', - 'unset MirrorID', - ], - } +apache::vhost { 'site.name.fdqn': + … + request_headers => [ + 'append MirrorID "mirror 12"', + 'unset MirrorID', + ], +} ~~~ ##### `rewrites` 
@@ -2316,69 +2310,69 @@ Creates URL rewrite rules. Expects an array of hashes, and the hash keys can be For example, you can specify that anyone trying to access index.html is served welcome.html ~~~ puppet - apache::vhost { 'site.name.fdqn': - … - rewrites => [ { rewrite_rule => ['^index\.html$ welcome.html'] } ] - } +apache::vhost { 'site.name.fdqn': + … + rewrites => [ { rewrite_rule => ['^index\.html$ welcome.html'] } ] +} ~~~ The parameter allows rewrite conditions that, when true, execute the associated rule. For instance, if you wanted to rewrite URLs only if the visitor is using IE ~~~ puppet - apache::vhost { 'site.name.fdqn': - … - rewrites => [ - { - comment => 'redirect IE', - rewrite_cond => ['%{HTTP_USER_AGENT} ^MSIE'], - rewrite_rule => ['^index\.html$ welcome.html'], - }, - ], - } +apache::vhost { 'site.name.fdqn': + … + rewrites => [ + { + comment => 'redirect IE', + rewrite_cond => ['%{HTTP_USER_AGENT} ^MSIE'], + rewrite_rule => ['^index\.html$ welcome.html'], + }, + ], +} ~~~ You can also apply multiple conditions. 
For instance, rewrite index.html to welcome.html only when the browser is Lynx or Mozilla (version 1 or 2) ~~~ puppet - apache::vhost { 'site.name.fdqn': - … - rewrites => [ - { - comment => 'Lynx or Mozilla v1/2', - rewrite_cond => ['%{HTTP_USER_AGENT} ^Lynx/ [OR]', '%{HTTP_USER_AGENT} ^Mozilla/[12]'], - rewrite_rule => ['^index\.html$ welcome.html'], - }, - ], - } +apache::vhost { 'site.name.fdqn': + … + rewrites => [ + { + comment => 'Lynx or Mozilla v1/2', + rewrite_cond => ['%{HTTP_USER_AGENT} ^Lynx/ [OR]', '%{HTTP_USER_AGENT} ^Mozilla/[12]'], + rewrite_rule => ['^index\.html$ welcome.html'], + }, + ], +} ~~~ Multiple rewrites and conditions are also possible ~~~ puppet - apache::vhost { 'site.name.fdqn': - … - rewrites => [ - { - comment => 'Lynx or Mozilla v1/2', - rewrite_cond => ['%{HTTP_USER_AGENT} ^Lynx/ [OR]', '%{HTTP_USER_AGENT} ^Mozilla/[12]'], - rewrite_rule => ['^index\.html$ welcome.html'], - }, - { - comment => 'Internet Explorer', - rewrite_cond => ['%{HTTP_USER_AGENT} ^MSIE'], - rewrite_rule => ['^index\.html$ /index.IE.html [L]'], - }, - { - rewrite_base => /apps/, - rewrite_rule => ['^index\.cgi$ index.php', '^index\.html$ index.php', '^index\.asp$ index.html'], - }, - { comment => 'Rewrite to lower case', - rewrite_cond => ['%{REQUEST_URI} [A-Z]'], - rewrite_map => ['lc int:tolower'], - rewrite_rule => ['(.*) ${lc:$1} [R=301,L]'], - }, - ], - } +apache::vhost { 'site.name.fdqn': + … + rewrites => [ + { + comment => 'Lynx or Mozilla v1/2', + rewrite_cond => ['%{HTTP_USER_AGENT} ^Lynx/ [OR]', '%{HTTP_USER_AGENT} ^Mozilla/[12]'], + rewrite_rule => ['^index\.html$ welcome.html'], + }, + { + comment => 'Internet Explorer', + rewrite_cond => ['%{HTTP_USER_AGENT} ^MSIE'], + rewrite_rule => ['^index\.html$ /index.IE.html [L]'], + }, + { + rewrite_base => /apps/, + rewrite_rule => ['^index\.cgi$ index.php', '^index\.html$ index.php', '^index\.asp$ index.html'], + }, + { comment => 'Rewrite to lower case', + rewrite_cond => ['%{REQUEST_URI} [A-Z]'], + 
rewrite_map => ['lc int:tolower'], + rewrite_rule => ['(.*) ${lc:$1} [R=301,L]'], + }, + ], +} ~~~ Refer to the [`mod_rewrite` documentation](http://httpd.apache.org/docs/current/mod/mod_rewrite.html) for more details on what is possible with rewrite rules and conditions. 
@@ -2389,32 +2383,32 @@ Defines a directory of CGI scripts to be aliased to the path '/cgi-bin', for exa ##### `scriptaliases` -*Note*: This parameter is deprecated in favour of the `aliases` parameter. +**Note**: This parameter is deprecated in favor of the `aliases` parameter. -Passes an array of hashes to the vhost to create either ScriptAlias or ScriptAliasMatch statements as per the [`mod_alias` documentation](http://httpd.apache.org/docs/current/mod/mod_alias.html). These hashes are formatted as follows: +Passes an array of hashes to the vhost to create either ScriptAlias or ScriptAliasMatch statements per the [`mod_alias` documentation](http://httpd.apache.org/docs/current/mod/mod_alias.html). ~~~ puppet - scriptaliases => [ - { - alias => '/myscript', - path => '/usr/share/myscript', - }, - { - aliasmatch => '^/foo(.*)', - path => '/usr/share/fooscripts$1', - }, - { - aliasmatch => '^/bar/(.*)', - path => '/usr/share/bar/wrapper.sh/$1', - }, - { - alias => '/neatscript', - path => '/usr/share/neatscript', - }, - ] +scriptaliases => [ + { + alias => '/myscript', + path => '/usr/share/myscript', + }, + { + aliasmatch => '^/foo(.*)', + path => '/usr/share/fooscripts$1', + }, + { + aliasmatch => '^/bar/(.*)', + path => '/usr/share/bar/wrapper.sh/$1', + }, + { + alias => '/neatscript', + path => '/usr/share/neatscript', + }, +] ~~~ -The ScriptAlias and ScriptAliasMatch directives are created in the order specified. As with [Alias and AliasMatch](#aliases) directives, more specific aliases should come before more general ones to avoid shadowing. +The ScriptAlias and ScriptAliasMatch directives are created in the order specified. As with [Alias and AliasMatch](#aliases) directives, specify more specific aliases before more general ones to avoid shadowing. ##### `serveradmin` 
@@ -2435,9 +2429,9 @@ Used by HTTPD to set environment variables for vhosts. Defaults to '[]'. Example: ~~~ puppet - apache::vhost { 'setenv.example.com': - setenv => ['SPECIAL_PATH /foo/bin'], - } +apache::vhost { 'setenv.example.com': + setenv => ['SPECIAL_PATH /foo/bin'], +} ~~~ ##### `setenvif` @@ -2457,16 +2451,16 @@ Set up a virtual host with [suPHP](http://suphp.org/DocumentationView.html?file= To set up a virtual host with suPHP ~~~ puppet - apache::vhost { 'suphp.example.com': - port => '80', - docroot => '/home/appuser/myphpapp', - suphp_addhandler => 'x-httpd-php', - suphp_engine => 'on', - suphp_configpath => '/etc/php5/apache2', - directories => { path => '/home/appuser/myphpapp', - 'suphp' => { user => 'myappuser', group => 'myappgroup' }, - } - } +apache::vhost { 'suphp.example.com': + port => '80', + docroot => '/home/appuser/myphpapp', + suphp_addhandler => 'x-httpd-php', + suphp_engine => 'on', + suphp_configpath => '/etc/php5/apache2', + directories => { path => '/home/appuser/myphpapp', + 'suphp' => { user => 'myappuser', group => 'myappgroup' }, + } +} ~~~ ##### `vhost_name` @@ -2478,13 +2472,13 @@ Enables name-based virtual hosting. If no IP is passed to the virtual host, but Sets up a virtual host with a wildcard alias subdomain mapped to a directory with the same name. For example, 'http://example.com' would map to '/var/www/example.com'. Defaults to 'false'. ~~~ puppet - apache::vhost { 'subdomain.loc': - vhost_name => '*', - port => '80', - virtual_docroot' => '/var/www/%-2+', - docroot => '/var/www', - serveraliases => ['*.loc',], - } +apache::vhost { 'subdomain.loc': + vhost_name => '*', + port => '80', + virtual_docroot' => '/var/www/%-2+', + docroot => '/var/www', + serveraliases => ['*.loc',], +} ~~~ ##### `wsgi_daemon_process`, `wsgi_daemon_process_options`, `wsgi_process_group`, `wsgi_script_aliases`, & `wsgi_pass_authorization` 
@@ -2506,22 +2500,22 @@ Set up a virtual host with [WSGI](https://code.google.com/p/modwsgi/). To set up a virtual host with WSGI ~~~ puppet - apache::vhost { 'wsgi.example.com': - port => '80', - docroot => '/var/www/pythonapp', - wsgi_daemon_process => 'wsgi', - wsgi_daemon_process_options => - { processes => '2', - threads => '15', - display-name => '%{GROUP}', - }, - wsgi_process_group => 'wsgi', - wsgi_script_aliases => { '/' => '/var/www/demo.wsgi' }, - wsgi_chunked_request => 'On', - } +apache::vhost { 'wsgi.example.com': + port => '80', + docroot => '/var/www/pythonapp', + wsgi_daemon_process => 'wsgi', + wsgi_daemon_process_options => + { processes => '2', + threads => '15', + display-name => '%{GROUP}', + }, + wsgi_process_group => 'wsgi', + wsgi_script_aliases => { '/' => '/var/www/demo.wsgi' }, + wsgi_chunked_request => 'On', +} ~~~ -####Parameter `directories` for `apache::vhost` +#### Parameter `directories` for `apache::vhost` The `directories` parameter within the `apache::vhost` class passes an array of hashes to the vhost to create [Directory](http://httpd.apache.org/docs/current/mod/core.html#directory), [File](http://httpd.apache.org/docs/current/mod/core.html#files), and [Location](http://httpd.apache.org/docs/current/mod/core.html#location) directive blocks. These blocks take the form, '< Directory /path/to/directory>...< /Directory>'. 
@@ -2532,15 +2526,15 @@ The `provider` key is optional. If missing, this key defaults to 'directory'. Va General `directories` usage looks something like ~~~ puppet - apache::vhost { 'files.example.net': - docroot => '/var/www/files', - directories => [ - { 'path' => '/var/www/files', - 'provider' => 'files', - 'deny' => 'from all' - }, - ], - } +apache::vhost { 'files.example.net': + docroot => '/var/www/files', + directories => [ + { 'path' => '/var/www/files', + 'provider' => 'files', + 'deny' => 'from all', + }, + ], +} ~~~ *Note:* At least one directory should match the `docroot` parameter. After you start declaring directories, `apache::vhost` assumes that all required Directory blocks will be declared. If not defined, a single default Directory block is created that matches the `docroot` parameter. @@ -2548,9 +2542,9 @@ General `directories` usage looks something like Available handlers, represented as keys, should be placed within the `directory`, `files`, or `location` hashes. This looks like ~~~ puppet - apache::vhost { 'sample.example.net': - docroot => '/path/to/directory', - directories => [ { path => '/path/to/directory', handler => value } ], +apache::vhost { 'sample.example.net': + docroot => '/path/to/directory', + directories => [ { path => '/path/to/directory', handler => value } ], } ~~~ 
@@ -2561,14 +2555,14 @@ Any handlers you do not set in these hashes are considered 'undefined' within Pu Sets [AddHandler](http://httpd.apache.org/docs/current/mod/mod_mime.html#addhandler) directives, which map filename extensions to the specified handler. Accepts a list of hashes, with `extensions` serving to list the extensions being managed by the handler, and takes the form: `{ handler => 'handler-name', extensions => ['extension']}`. ~~~ puppet - apache::vhost { 'sample.example.net': - docroot => '/path/to/directory', - directories => [ - { path => '/path/to/directory', - addhandlers => [{ handler => 'cgi-script', extensions => ['.cgi']}], - }, - ], - } +apache::vhost { 'sample.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/path/to/directory', + addhandlers => [{ handler => 'cgi-script', extensions => ['.cgi']}], + }, + ], +} ~~~ ###### `allow` @@ -2576,14 +2570,14 @@ Sets [AddHandler](http://httpd.apache.org/docs/current/mod/mod_mime.html#addhand Sets an [Allow](http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#allow) directive, which groups authorizations based on hostnames or IPs. **Deprecated:** This parameter is being deprecated due to a change in Apache. It only works with Apache 2.2 and lower. You can use it as a single string for one rule or as an array for more than one. ~~~ puppet - apache::vhost { 'sample.example.net': - docroot => '/path/to/directory', - directories => [ - { path => '/path/to/directory', - allow => 'from example.org', - }, - ], - } +apache::vhost { 'sample.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/path/to/directory', + allow => 'from example.org', + }, + ], +} ~~~ ###### `allow_override` 
@@ -2591,14 +2585,14 @@ Sets an [Allow](http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#allow) Sets the types of directives allowed in [.htaccess](http://httpd.apache.org/docs/current/mod/core.html#allowoverride) files. Accepts an array. ~~~ puppet - apache::vhost { 'sample.example.net': - docroot => '/path/to/directory', - directories => [ - { path => '/path/to/directory', - allow_override => ['AuthConfig', 'Indexes'], - }, - ], - } +apache::vhost { 'sample.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/path/to/directory', + allow_override => ['AuthConfig', 'Indexes'], + }, + ], +} ~~~ ###### `auth_basic_authoritative` 
@@ -2704,33 +2698,33 @@ Sets a [Deny](http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#deny) dir An array of hashes used to override the [ErrorDocument](https://httpd.apache.org/docs/current/mod/core.html#errordocument) settings for the directory. ~~~ puppet - apache::vhost { 'sample.example.net': - directories => [ - { path => '/srv/www', - error_documents => [ - { 'error_code' => '503', - 'document' => '/service-unavail', - }, - ], +apache::vhost { 'sample.example.net': + directories => [ + { path => '/srv/www', + error_documents => [ + { 'error_code' => '503', + 'document' => '/service-unavail', }, ], - } + }, + ], +} ~~~ ###### `ext_filter_options` -Sets the [ExtFilterOptions](http://httpd.apache.org/docs/current/mod/mod_ext_filter.html) directive. -Note that you must delcare `class {'apache::mod::ext_filter': }` before using this directive. +Sets the [ExtFilterOptions](https://httpd.apache.org/docs/current/mod/mod_ext_filter.html) directive. +Note that you must declare `class { 'apache::mod::ext_filter': }` before using this directive. ~~~ puppet - apache::vhost{ 'filter.example.org': - docroot => '/var/www/filter', - directories => [ - { path => '/var/www/filter', - ext_filter_options => 'LogStderr Onfail=abort', - }, - ], - } +apache::vhost { 'filter.example.org': + docroot => '/var/www/filter', + directories => [ + { path => '/var/www/filter', + ext_filter_options => 'LogStderr Onfail=abort', + }, + ], +} ~~~ ###### `geoip_enable` 
@@ -2739,14 +2733,14 @@ Sets the [GeoIPEnable](http://dev.maxmind.com/geoip/legacy/mod_geoip2/#Configura Note that you must declare `class {'apache::mod::geoip': }` before using this directive. ~~~ puppet - apache::vhost { 'first.example.com': - docroot => '/var/www/first', - directories => [ - { path => '/var/www/first', - geoip_enable => true, - }, - ], - } +apache::vhost { 'first.example.com': + docroot => '/var/www/first', + directories => [ + { path => '/var/www/first', + geoip_enable => true, + }, + ], +} ~~~ ###### `headers` @@ -2754,13 +2748,13 @@ Note that you must declare `class {'apache::mod::geoip': }` before using this di Adds lines for [Header](http://httpd.apache.org/docs/current/mod/mod_headers.html#header) directives. ~~~ puppet - apache::vhost { 'sample.example.net': - docroot => '/path/to/directory', - directories => { - path => '/path/to/directory', - headers => 'Set X-Robots-Tag "noindex, noarchive, nosnippet"', - }, - } +apache::vhost { 'sample.example.net': + docroot => '/path/to/directory', + directories => { + path => '/path/to/directory', + headers => 'Set X-Robots-Tag "noindex, noarchive, nosnippet"', + }, +} ~~~ ###### `index_options` 
@@ -2768,58 +2762,58 @@ Adds lines for [Header](http://httpd.apache.org/docs/current/mod/mod_headers.htm Allows configuration settings for [directory indexing](http://httpd.apache.org/docs/current/mod/mod_autoindex.html#indexoptions). ~~~ puppet - apache::vhost { 'sample.example.net': - docroot => '/path/to/directory', - directories => [ - { path => '/path/to/directory', - directoryindex => 'disabled', # this is needed on Apache 2.4 or mod_autoindex doesn't work - options => ['Indexes','FollowSymLinks','MultiViews'], - index_options => ['IgnoreCase', 'FancyIndexing', 'FoldersFirst', 'NameWidth=*', 'DescriptionWidth=*', 'SuppressHTMLPreamble'], - }, - ], - } +apache::vhost { 'sample.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/path/to/directory', + directoryindex => 'disabled', # this is needed on Apache 2.4 or mod_autoindex doesn't work + options => ['Indexes','FollowSymLinks','MultiViews'], + index_options => ['IgnoreCase', 'FancyIndexing', 'FoldersFirst', 'NameWidth=*', 'DescriptionWidth=*', 'SuppressHTMLPreamble'], + }, + ], +} ~~~ ###### `index_order_default` -Sets the [default ordering](http://httpd.apache.org/docs/current/mod/mod_autoindex.html#indexorderdefault) of the directory index. +Sets the [default ordering](https://httpd.apache.org/docs/current/mod/mod_autoindex.html#indexorderdefault) of the directory index. 
~~~ puppet - apache::vhost { 'sample.example.net': - docroot => '/path/to/directory', - directories => [ - { path => '/path/to/directory', - order => 'Allow,Deny', - index_order_default => ['Descending', 'Date'], - }, - ], - } +apache::vhost { 'sample.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/path/to/directory', + order => 'Allow,Deny', + index_order_default => ['Descending', 'Date'], + }, + ], +} ~~~ ###### `index_style_sheet` -Sets the [IndexStyleSheet](http://httpd.apache.org/docs/current/mod/mod_autoindex.html#indexstylesheet) which adds a CSS stylesheet to the directory index. +Sets the [IndexStyleSheet](https://httpd.apache.org/docs/current/mod/mod_autoindex.html#indexstylesheet), which adds a CSS stylesheet to the directory index. ~~~ puppet - apache::vhost { 'sample.example.net': - docroot => '/path/to/directory', - directories => [ - { path => '/path/to/directory', - options => ['Indexes','FollowSymLinks','MultiViews'], - index_options => ['FancyIndexing'], - index_style_sheet => '/styles/style.css', - }, - ], - } +apache::vhost { 'sample.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/path/to/directory', + options => ['Indexes','FollowSymLinks','MultiViews'], + index_options => ['FancyIndexing'], + index_style_sheet => '/styles/style.css', + }, + ], +} ~~~ ###### `mellon_enable` -Sets the [MellonEnable](https://github.com/UNINETT/mod_auth_mellon) to enable auth_melon on a location. +Sets the [MellonEnable][`mod_auth_mellon`] directory to enable [`mod_auth_melon`][]. You can use [`apache::mod::auth_mellon`][] to install `mod_auth_mellon`. ~~~ puppet -apache::vhost{'sample.example.net': - docroot => '/path/to/directory', +apache::vhost { 'sample.example.net': + docroot => '/path/to/directory', directories => [ { path => '/', provider => 'directory', 
@@ -2827,69 +2821,45 @@ apache::vhost{'sample.example.net': mellon_sp_private_key_file => '/etc/certs/${::fqdn}.key, mellon_endpoint_path => '/mellon', mellon_set_env_no_prefix => { 'ADFS_GROUP' => 'http://schemas.xmlsoap.org/claims/Group', - 'ADFS_EMAIL' => 'http://schemas.xmlsoap.org/claims/EmailAddress'}, - mellon_user => 'ADFS_LOGIN' + 'ADFS_EMAIL' => 'http://schemas.xmlsoap.org/claims/EmailAddress', }, + mellon_user => 'ADFS_LOGIN', }, - { path => '/protected', - provider => 'location', + { path => '/protected', + provider => 'location', mellon_enable => 'auth', - auth_type => 'Mellon', - auth_require => 'valid-user', - mellon_cond => ['ADFS_LOGIN userA [MAP]','ADFS_LOGIN userB [MAP]'] - } + auth_type => 'Mellon', + auth_require => 'valid-user', + mellon_cond => ['ADFS_LOGIN userA [MAP]','ADFS_LOGIN userB [MAP]'], + }, ] } ~~~ -###### `mellon_cond` - -Sets the [MellonCond](https://github.com/UNINETT/mod_auth_mellon) is an array of mellon conditions that must -be met to grant access. - - -###### `mellon_endpoint_path` - -Sets the [MellonEndpointPath](https://github.com/UNINETT/mod_auth_mellon) to set melon endpoint path. - -###### `mellon_idp_metadata_file` - -Sets the [MellonIDPMetadataFile](https://github.com/UNINETT/mod_auth_mellon) location of idp metadata file. - -###### `mellon_saml_rsponse_dump` +Related parameters follow the names of `mod_auth_melon` directives: -Sets the [MellonSamlRepsponseDump](https://github.com/UNINETT/mod_auth_mellon) to enable debug of SAML. - -###### `mellon_set_env_no_prefix` - -Sets the [MellonSetEnvNoPrefix](https://github.com/UNINETT/mod_auth_mellon) is a hash of attribute names to map +- `mellon_cond`: Takes an array of mellon conditions that must be met to grant access, and creates a [MellonCond][`mod_auth_melon`] directive for each item in the array. +- `mellon_endpoint_path`: Sets the [MellonEndpointPath][`mod_auth_melon`] to set the mellon endpoint path. 
+- `mellon_idp_metadata_file`: Sets the [MellonIDPMetadataFile][`mod_auth_melon`] location of the IDP metadata file. +- `mellon_saml_rsponse_dump`: Sets the [MellonSamlResponseDump][`mod_auth_melon`] directive to enable debug of SAML. +- `mellon_set_env_no_prefix`: Sets the [MellonSetEnvNoPrefix][`mod_auth_melon`] directive to a hash of attribute names to map to environment variables. - - -###### `mellon_sp_private_key_file` - -Sets the [MellonSPPrivateKeyFile](https://github.com/UNINETT/mod_auth_mellon) private key location of service provider. - -###### `mellon_sp_cert_file` - -Sets the [MellonSPCertFile](https://github.com/UNINETT/mod_auth_mellon) public key location of service provider. - -###### `mellon_user` - -Sets the [MellonUser](https://github.com/UNINETT/mod_auth_mellon) attribute we should use for the username. +- `mellon_sp_private_key_file`: Sets the [MellonSPPrivateKeyFile][`mod_auth_melon`] directive for the private key location of the service provider. +- `mellon_sp_cert_file`: Sets the [MellonSPCertFile][`mod_auth_melon`] directive for the public key location of the service provider. +- `mellon_user`: Sets the [MellonUser][`mod_auth_melon`] attribute to use for the username. ###### `options` -Lists the [Options](http://httpd.apache.org/docs/current/mod/core.html#options) for the given Directory block. +Lists the [Options](https://httpd.apache.org/docs/current/mod/core.html#options) for the given Directory block. ~~~ puppet - apache::vhost { 'sample.example.net': - docroot => '/path/to/directory', - directories => [ - { path => '/path/to/directory', - options => ['Indexes','FollowSymLinks','MultiViews'], - }, - ], - } +apache::vhost { 'sample.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/path/to/directory', + options => ['Indexes','FollowSymLinks','MultiViews'], + }, + ], +} ~~~ ###### `order` 
@@ -2897,32 +2867,32 @@ Lists the [Options](http://httpd.apache.org/docs/current/mod/core.html#options) Sets the order of processing Allow and Deny statements as per [Apache core documentation](http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#order). **Deprecated:** This parameter is being deprecated due to a change in Apache. It only works with Apache 2.2 and lower. ~~~ puppet - apache::vhost { 'sample.example.net': - docroot => '/path/to/directory', - directories => [ - { path => '/path/to/directory', - order => 'Allow,Deny', - }, - ], - } +apache::vhost { 'sample.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/path/to/directory', + order => 'Allow,Deny', + }, + ], +} ~~~ ###### `passenger_enabled` -Sets the value for the [PassengerEnabled](http://www.modrails.com/documentation/Users%20guide%20Apache.html#PassengerEnabled) directory to 'on' or 'off'. Requires `apache::mod::passenger` to be included. +Sets the value for the [PassengerEnabled](http://www.modrails.com/documentation/Users%20guide%20Apache.html#PassengerEnabled) directive to 'on' or 'off'. Requires `apache::mod::passenger` to be included. ~~~ puppet - apache::vhost { 'sample.example.net': - docroot => '/path/to/directory', - directories => [ - { path => '/path/to/directory', - passenger_enabled => 'on', - }, - ], - } +apache::vhost { 'sample.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/path/to/directory', + passenger_enabled => 'on', + }, + ], +} ~~~ -*Note:* Be aware that there is an [issue](http://www.conandalton.net/2010/06/passengerenabled-off-not-working.html) using the PassengerEnabled directive with the PassengerHighPerformance directive. +**Note:** There is an [issue](http://www.conandalton.net/2010/06/passengerenabled-off-not-working.html) using the PassengerEnabled directive with the PassengerHighPerformance directive. ###### `php_value` and `php_flag` 
@@ -2935,47 +2905,47 @@ Sets the value for the [PassengerEnabled](http://www.modrails.com/documentation/ ###### `satisfy` -Sets a `Satisfy` directive as per the [Apache Core documentation](http://httpd.apache.org/docs/2.2/mod/core.html#satisfy). **Deprecated:** This parameter is being deprecated due to a change in Apache. It only works with Apache 2.2 and lower. +Sets a `Satisfy` directive per the [Apache Core documentation](http://httpd.apache.org/docs/2.2/mod/core.html#satisfy). **Deprecated:** This parameter is deprecated due to a change in Apache and only works with Apache 2.2 and lower. ~~~ puppet - apache::vhost { 'sample.example.net': - docroot => '/path/to/directory', - directories => [ - { path => '/path/to/directory', - satisfy => 'Any', - } - ], +apache::vhost { 'sample.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/path/to/directory', + satisfy => 'Any', } + ], +} ~~~ ###### `sethandler` -Sets a `SetHandler` directive as per the [Apache Core documentation](http://httpd.apache.org/docs/2.2/mod/core.html#sethandler). An example: +Sets a `SetHandler` directive per the [Apache Core documentation](http://httpd.apache.org/docs/2.2/mod/core.html#sethandler). ~~~ puppet - apache::vhost { 'sample.example.net': - docroot => '/path/to/directory', - directories => [ - { path => '/path/to/directory', - sethandler => 'None', - } - ], +apache::vhost { 'sample.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/path/to/directory', + sethandler => 'None', } + ], +} ~~~ ###### `set_output_filter` -Sets a `SetOutputFilter` directive as per [Apache Core documentation](http://httpd.apache.org/docs/current/mod/core.html#setoutputfilter). An example: +Sets a `SetOutputFilter` directive per the [Apache Core documentation](http://httpd.apache.org/docs/current/mod/core.html#setoutputfilter). 
~~~ puppet - apache::vhost{ 'filter.example.net': - docroot => '/path/to/directory', - directories => [ - { path => '/path/to/directory', - set_output_filter => puppetdb-strip-resource-params, - }, - ], - } +apache::vhost{ 'filter.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/path/to/directory', + set_output_filter => puppetdb-strip-resource-params, + }, + ], +} ~~~ ###### `rewrites` 
@@ -2983,64 +2953,64 @@ Sets a `SetOutputFilter` directive as per [Apache Core documentation](http://htt Creates URL [`rewrites`](#rewrites) rules in vhost directories. Expects an array of hashes, and the hash keys can be any of 'comment', 'rewrite_base', 'rewrite_cond', or 'rewrite_rule'. ~~~ puppet - apache::vhost { 'secure.example.net': - docroot => '/path/to/directory', - directories => [ - { path => '/path/to/directory', - rewrites => [ { comment => 'Permalink Rewrites', - rewrite_base => '/' - }, - { rewrite_rule => [ '^index\.php$ - [L]' ] - }, - { rewrite_cond => [ '%{REQUEST_FILENAME} !-f', - '%{REQUEST_FILENAME} !-d', - ], - rewrite_rule => [ '. /index.php [L]' ], - } - ], - }, - ], - } +apache::vhost { 'secure.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/path/to/directory', + rewrites => [ { comment => 'Permalink Rewrites', + rewrite_base => '/' + }, + { rewrite_rule => [ '^index\.php$ - [L]' ] + }, + { rewrite_cond => [ '%{REQUEST_FILENAME} !-f', + '%{REQUEST_FILENAME} !-d', + ], + rewrite_rule => [ '. /index.php [L]' ], + } + ], + }, + ], +} ~~~ -***Note*** If you include rewrites in your directories make sure you are also including `apache::mod::rewrite`. You may also want to consider setting the rewrites using the `rewrites` parameter in `apache::vhost` rather than setting the rewrites in the vhost directories. +***Note**: If you include rewrites in your directories, also include `apache::mod::rewrite` and consider setting the rewrites using the `rewrites` parameter in `apache::vhost` rather than setting the rewrites in the vhost directories. ###### `shib_request_setting` -Allows an valid content setting to be set or altered for the application request. This command takes two parameters, the name of the content setting, and the value to set it to.Check the Shibboleth [content setting documentation](https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPContentSettings) for valid settings. 
This key is disabled if `apache::mod::shib` is not defined. Check the [`mod_shib` documentation](https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig#NativeSPApacheConfig-Server/VirtualHostOptions) for more details. +Allows a valid content setting to be set or altered for the application request. This command takes two parameters: the name of the content setting, and the value to set it to. Check the Shibboleth [content setting documentation](https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPContentSettings) for valid settings. This key is disabled if `apache::mod::shib` is not defined. Check the [`mod_shib` documentation](https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig#NativeSPApacheConfig-Server/VirtualHostOptions) for more details. ~~~ puppet - apache::vhost { 'secure.example.net': - docroot => '/path/to/directory', - directories => [ - { path => '/path/to/directory', - shib_request_settings => { 'requiresession' => 'On' }, - shib_use_headers => 'On', - }, - ], - } +apache::vhost { 'secure.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/path/to/directory', + shib_request_settings => { 'requiresession' => 'On' }, + shib_use_headers => 'On', + }, + ], +} ~~~ ###### `shib_use_headers` -When set to 'On' this turns on the use of request headers to publish attributes to applications. Valid values for this key is 'On' or 'Off', and the default value is 'Off'. This key is disabled if `apache::mod::shib` is not defined. Check the [`mod_shib` documentation](https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig#NativeSPApacheConfig-Server/VirtualHostOptions) for more details. +When set to 'On', this turns on the use of request headers to publish attributes to applications. Valid values for this key is 'On' or 'Off', and the default value is 'Off'. This key is disabled if `apache::mod::shib` is not defined. 
Check the [`mod_shib` documentation](https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig#NativeSPApacheConfig-Server/VirtualHostOptions) for more details. ###### `ssl_options` String or list of [SSLOptions](https://httpd.apache.org/docs/current/mod/mod_ssl.html#ssloptions), which configure SSL engine run-time options. This handler takes precedence over SSLOptions set in the parent block of the vhost. ~~~ puppet - apache::vhost { 'secure.example.net': - docroot => '/path/to/directory', - directories => [ - { path => '/path/to/directory', - ssl_options => '+ExportCertData', - }, - { path => '/path/to/different/dir', - ssl_options => [ '-StdEnvVars', '+ExportCertData'], - }, - ], - } +apache::vhost { 'secure.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/path/to/directory', + ssl_options => '+ExportCertData', + }, + { path => '/path/to/different/dir', + ssl_options => [ '-StdEnvVars', '+ExportCertData'], + }, + ], +} ~~~ ###### `suphp` 
@@ -3048,20 +3018,20 @@ String or list of [SSLOptions](https://httpd.apache.org/docs/current/mod/mod_ssl A hash containing the 'user' and 'group' keys for the [suPHP_UserGroup](http://www.suphp.org/DocumentationView.html?file=apache/CONFIG) setting. It must be used with `suphp_engine => on` in the vhost declaration, and can only be passed within `directories`. ~~~ puppet - apache::vhost { 'secure.example.net': - docroot => '/path/to/directory', - directories => [ - { path => '/path/to/directory', - suphp => - { user => 'myappuser', - group => 'myappgroup', - }, - }, - ], - } +apache::vhost { 'secure.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/path/to/directory', + suphp => { + user => 'myappuser', + group => 'myappgroup', + }, + }, + ], +} ~~~ -####SSL parameters for `apache::vhost` +#### SSL parameters for `apache::vhost` All of the SSL parameters for `::vhost` default to whatever is set in the base `apache` class. Use the below parameters to tweak individual SSL settings for specific vhosts. diff --git a/README.passenger.md b/README.passenger.md index d50b3f4897..c16c5a4a45 100644 --- a/README.passenger.md +++ b/README.passenger.md @@ -172,7 +172,7 @@ http://www.modrails.com/documentation/Users%20guide%20Apache.html#PassengerMaxRe #### passenger_spawn_method -Sets the method by which Ruby application processes are spawned. Default is `smart` +Sets the method by which Ruby application processes are spawned. Default is 'smart', which caches code using the app preloader. Passenger >= 4.0 renamed `conservative` to `direct` and `smart-lv2` to `smart`.