From eb660a6c65270715f4b0f039b8b42bf70fad88c9 Mon Sep 17 00:00:00 2001 From: Damon Conway Date: Mon, 19 Oct 2015 16:14:10 -0700 Subject: [PATCH 001/100] (MODULES-2756) Adding include ::apache so mkdir exec works properly --- manifests/mod/deflate.pp | 1 + 1 file changed, 1 insertion(+) diff --git a/manifests/mod/deflate.pp b/manifests/mod/deflate.pp index 0748a54e57..d771209673 100644 --- a/manifests/mod/deflate.pp +++ b/manifests/mod/deflate.pp @@ -12,6 +12,7 @@ 'Ratio' => 'ratio' } ) { + include ::apache ::apache::mod { 'deflate': } file { 'deflate.conf': From 1dfc02d9036e501570aebabc8d02945073e33a6d Mon Sep 17 00:00:00 2001 From: wolfgang hotwagner Date: Wed, 4 Nov 2015 23:12:42 +0100 Subject: [PATCH 002/100] Added support for modsecurity parameter SecPcreMatchLimit and SecPcreMatchLimitRecursion fixed default variables for secpcrematchlimit(recursion) in params.pp added documentation for SecPcreMatchLimit and SecPcreMatchLimitRecursion. also changed the default value to 1500(its modsecurity's default value) removed modsec_-prefix from variable names --- README.md | 2 ++ manifests/mod/security.pp | 4 ++++ manifests/params.pp | 4 ++++ templates/mod/security.conf.erb | 4 ++-- 4 files changed, 12 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 57ba525bfa..aeef9705d4 100644 --- a/README.md +++ b/README.md 
@@ -1631,6 +1631,8 @@ ${modsec_dir}/activated_rules. - `modsec_secruleengine`: Configures the modsec rules engine. Valid options: 'On', 'Off', and 'DetectionOnly'. Default: `modsec_secruleengine` in [`apache::params`][]. - `restricted_extensions`: A space-separated list of prohibited file extensions. Default: '.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'. - `restricted_headers`: A list of restricted headers separated by slashes and spaces. Default: 'Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/'. +- `secpcrematchlimit`: Sets the number for the match limit in the PCRE library. Default: '1500' +- `secpcrematchlimitrecursion`: Sets the number for the match limit recursion in the PCRE library. Default: '1500' ##### Class: `apache::mod::wsgi` diff --git a/manifests/mod/security.pp b/manifests/mod/security.pp index 050b1bd6fa..c4b8c6407f 100644 --- a/manifests/mod/security.pp +++ b/manifests/mod/security.pp 
@@ -3,6 +3,8 @@ $activated_rules = $::apache::params::modsec_default_rules, $modsec_dir = $::apache::params::modsec_dir, $modsec_secruleengine = $::apache::params::modsec_secruleengine, + $secpcrematchlimit = $::apache::params::secpcrematchlimit, + $secpcrematchlimitrecursion = $::apache::params::secpcrematchlimitrecursion, $allowed_methods = 'GET HEAD POST OPTIONS', $content_types = 'application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf', $restricted_extensions = '.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/', @@ -32,6 +34,8 @@ # Template uses: # - $modsec_dir + # - secpcrematchlimit + # - secpcrematchlimitrecursion file { 'security.conf': ensure => file, content => template('apache/mod/security.conf.erb'), diff --git a/manifests/params.pp b/manifests/params.pp index 9e8cad39b4..6aba3f56f3 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -153,6 +153,8 @@ $modsec_crs_package = 'mod_security_crs' $modsec_crs_path = '/usr/lib/modsecurity.d' $modsec_dir = '/etc/httpd/modsecurity.d' + $secpcrematchlimit = 1500 + $secpcrematchlimitrecursion = 1500 $modsec_secruleengine = 'On' $modsec_default_rules = [ 'base_rules/modsecurity_35_bad_robots.data', @@ -248,6 +250,8 @@ $modsec_crs_package = 'modsecurity-crs' $modsec_crs_path = '/usr/share/modsecurity-crs' $modsec_dir = '/etc/modsecurity' + $secpcrematchlimit = 1500 + $secpcrematchlimitrecursion = 1500 $modsec_secruleengine = 'On' $modsec_default_rules = [ 'base_rules/modsecurity_35_bad_robots.data', diff --git a/templates/mod/security.conf.erb b/templates/mod/security.conf.erb index 7b2da76135..a71f5887d1 100644 --- a/templates/mod/security.conf.erb 
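Review bot: The two parameters added to the class signature in manifests/mod/security.pp, `$secpcrematchlimit` and `$secpcrematchlimitrecursion`, reach templates/mod/security.conf.erb as `<%= @secpcrematchlimit %>` with no type check, so any string, including one with embedded whitespace or newlines, is written into the ModSecurity configuration as-is. A guard in the class body, which starts outside this hunk, would keep the rendered directives well-formed, for example `validate_integer($secpcrematchlimit)` and `validate_integer($secpcrematchlimitrecursion)`, if the stdlib version this module depends on provides that function. These limits bound PCRE backtracking per rule, so the README entries would also benefit from saying that a low value makes rules hit the limit and a high value raises the CPU cost of a single request.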
+++ b/templates/mod/security.conf.erb @@ -37,8 +37,8 @@ SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \ "id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'" - SecPcreMatchLimit 1000 - SecPcreMatchLimitRecursion 1000 + SecPcreMatchLimit <%= @secpcrematchlimit %> + SecPcreMatchLimitRecursion <%= @secpcrematchlimitrecursion %> SecRule TX:/^MSC_/ "!@streq 0" \ "id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'" From ac31d2ec0fcaf2e962cc3d5b0590b512d69744d8 Mon Sep 17 00:00:00 2001 From: Alan Chalmers Date: Tue, 12 Jan 2016 13:53:31 +1100 Subject: [PATCH 003/100] MODULES-2958 : correct CustomLog syslog entry --- templates/vhost/_access_log.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/vhost/_access_log.erb b/templates/vhost/_access_log.erb index d1ec426a4a..894daa7ce4 100644 --- a/templates/vhost/_access_log.erb +++ b/templates/vhost/_access_log.erb @@ -10,7 +10,7 @@ <% destination = "#{@logroot}/#{log['file']}" -%> <% end -%> <% elsif log['syslog'] -%> -<% destination = "syslog" -%> +<% destination = log['syslog'] -%> <% elsif log['pipe'] -%> <% destination = log['pipe'] -%> <% else -%> From fc3bea1dace807b786c437edcd5311c8d3a3a19a Mon Sep 17 00:00:00 2001 
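Review bot: `destination = log['syslog']` in templates/vhost/_access_log.erb now copies a caller-supplied string into the CustomLog destination where the old code used the constant `"syslog"`, and nothing in this hunk constrains its form. The line that renders `destination` is outside the hunk; if it is emitted verbatim, a value starting with `|` would be read by Apache as a piped log program, which httpd starts with the privileges of the user that launched it, even though the separate `log['pipe']` branch already exists for that purpose. I would document the accepted form in the `access_logs` description and reject other values in vhost.pp before the template runs. A comment here such as `<%# log['syslog'] must be a syslog target, not a pipe or file path -%>` would record the expectation.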
From: Timo Goebel Date: Wed, 20 Jan 2016 10:49:32 +0100 Subject: [PATCH 004/100] add file_mode to mod manifests --- manifests/mod/alias.pp | 1 + manifests/mod/auth_cas.pp | 1 + manifests/mod/auth_mellon.pp | 1 + manifests/mod/authnz_ldap.pp | 1 + manifests/mod/autoindex.pp | 1 + manifests/mod/cgid.pp | 1 + manifests/mod/dav_fs.pp | 1 + manifests/mod/deflate.pp | 1 + manifests/mod/dir.pp | 1 + manifests/mod/disk_cache.pp | 1 + manifests/mod/event.pp | 1 + manifests/mod/expires.pp | 1 + manifests/mod/ext_filter.pp | 1 + manifests/mod/fastcgi.pp | 1 + manifests/mod/fcgid.pp | 1 + manifests/mod/geoip.pp | 1 + manifests/mod/info.pp | 1 + manifests/mod/itk.pp | 1 + manifests/mod/ldap.pp | 1 + manifests/mod/mime.pp | 1 + manifests/mod/mime_magic.pp | 1 + manifests/mod/negotiation.pp | 1 + manifests/mod/nss.pp | 1 + manifests/mod/pagespeed.pp | 1 + manifests/mod/peruser.pp | 1 + manifests/mod/proxy.pp | 1 + manifests/mod/proxy_html.pp | 1 + manifests/mod/remoteip.pp | 1 + manifests/mod/rpaf.pp | 1 + manifests/mod/security.pp | 1 + manifests/mod/setenvif.pp | 1 + manifests/mod/ssl.pp | 1 + manifests/mod/status.pp | 3 ++- manifests/mod/suphp.pp | 1 + manifests/mod/userdir.pp | 1 + manifests/mod/wsgi.pp | 1 + 36 files changed, 37 insertions(+), 1 deletion(-) diff --git a/manifests/mod/alias.pp b/manifests/mod/alias.pp index 5b59baa01d..eac21ba661 100644 --- a/manifests/mod/alias.pp +++ b/manifests/mod/alias.pp @@ -11,6 +11,7 @@ file { 'alias.conf': ensure => file, path => "${::apache::mod_dir}/alias.conf", + mode => $::apache::file_mode, content => template('apache/mod/alias.conf.erb'), require => Exec["mkdir ${::apache::mod_dir}"], before => File[$::apache::mod_dir], diff --git a/manifests/mod/auth_cas.pp b/manifests/mod/auth_cas.pp index 5b13af66a2..0d1b9111ab 100644 --- a/manifests/mod/auth_cas.pp +++ b/manifests/mod/auth_cas.pp 
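Review bot: Every module configuration file touched by this patch now takes one shared mode through `mode => $::apache::file_mode`, and nothing in the patch documents that. This hunk covers alias.conf, and the same line is added in the later hunks for files that may carry more sensitive settings, such as auth_cas.conf, auth_mellon.conf, authnz_ldap.conf, ldap.conf and ssl.conf. The default of `$::apache::file_mode` is not visible here; if it is group- or world-readable, that becomes the mode of all of them. I would state in the README that `file_mode` also governs the files under `mod_dir`, and add a comment such as `# mode follows $::apache::file_mode; tighten it there if this conf holds secrets` in the manifests where that matters.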
@@ -39,6 +39,7 @@ file { 'auth_cas.conf': ensure => file, path => "${::apache::mod_dir}/auth_cas.conf", + mode => $::apache::file_mode, content => template('apache/mod/auth_cas.conf.erb'), require => [ Exec["mkdir ${::apache::mod_dir}"], ], before => File[$::apache::mod_dir], diff --git a/manifests/mod/auth_mellon.pp b/manifests/mod/auth_mellon.pp index 79f6ffebb2..129441bf41 100644 --- a/manifests/mod/auth_mellon.pp +++ b/manifests/mod/auth_mellon.pp @@ -15,6 +15,7 @@ file { 'auth_mellon.conf': ensure => file, path => "${::apache::mod_dir}/auth_mellon.conf", + mode => $::apache::file_mode, content => template('apache/mod/auth_mellon.conf.erb'), require => [ Exec["mkdir ${::apache::mod_dir}"], ], before => File[$::apache::mod_dir], diff --git a/manifests/mod/authnz_ldap.pp b/manifests/mod/authnz_ldap.pp index b75369ffcd..70d0a63630 100644 --- a/manifests/mod/authnz_ldap.pp +++ b/manifests/mod/authnz_ldap.pp @@ -11,6 +11,7 @@ file { 'authnz_ldap.conf': ensure => file, path => "${::apache::mod_dir}/authnz_ldap.conf", + mode => $::apache::file_mode, content => template('apache/mod/authnz_ldap.conf.erb'), require => Exec["mkdir ${::apache::mod_dir}"], before => File[$::apache::mod_dir], diff --git a/manifests/mod/autoindex.pp b/manifests/mod/autoindex.pp index c0969a814e..c8cd0658d8 100644 --- a/manifests/mod/autoindex.pp +++ b/manifests/mod/autoindex.pp @@ -4,6 +4,7 @@ file { 'autoindex.conf': ensure => file, path => "${::apache::mod_dir}/autoindex.conf", + mode => $::apache::file_mode, content => template('apache/mod/autoindex.conf.erb'), require => Exec["mkdir ${::apache::mod_dir}"], before => File[$::apache::mod_dir], diff --git a/manifests/mod/cgid.pp b/manifests/mod/cgid.pp index 4094c3281a..891cdd75b4 100644 --- a/manifests/mod/cgid.pp +++ b/manifests/mod/cgid.pp 
@@ -23,6 +23,7 @@ file { 'cgid.conf': ensure => file, path => "${::apache::mod_dir}/cgid.conf", + mode => $::apache::file_mode, content => template('apache/mod/cgid.conf.erb'), require => Exec["mkdir ${::apache::mod_dir}"], before => File[$::apache::mod_dir], diff --git a/manifests/mod/dav_fs.pp b/manifests/mod/dav_fs.pp index af037e32d0..f652d4c216 100644 --- a/manifests/mod/dav_fs.pp +++ b/manifests/mod/dav_fs.pp @@ -12,6 +12,7 @@ file { 'dav_fs.conf': ensure => file, path => "${::apache::mod_dir}/dav_fs.conf", + mode => $::apache::file_mode, content => template('apache/mod/dav_fs.conf.erb'), require => Exec["mkdir ${::apache::mod_dir}"], before => File[$::apache::mod_dir], diff --git a/manifests/mod/deflate.pp b/manifests/mod/deflate.pp index 0748a54e57..e63eeca47d 100644 --- a/manifests/mod/deflate.pp +++ b/manifests/mod/deflate.pp @@ -17,6 +17,7 @@ file { 'deflate.conf': ensure => file, path => "${::apache::mod_dir}/deflate.conf", + mode => $::apache::file_mode, content => template('apache/mod/deflate.conf.erb'), require => Exec["mkdir ${::apache::mod_dir}"], before => File[$::apache::mod_dir], diff --git a/manifests/mod/dir.pp b/manifests/mod/dir.pp index 6243a1bb7d..bce05e0a44 100644 --- a/manifests/mod/dir.pp +++ b/manifests/mod/dir.pp @@ -13,6 +13,7 @@ file { 'dir.conf': ensure => file, path => "${::apache::mod_dir}/dir.conf", + mode => $::apache::file_mode, content => template('apache/mod/dir.conf.erb'), require => Exec["mkdir ${::apache::mod_dir}"], before => File[$::apache::mod_dir], diff --git a/manifests/mod/disk_cache.pp b/manifests/mod/disk_cache.pp index 2f0a476fa4..051d69894c 100644 --- a/manifests/mod/disk_cache.pp +++ b/manifests/mod/disk_cache.pp @@ -32,6 +32,7 @@ file { 'disk_cache.conf': ensure => file, path => "${::apache::mod_dir}/disk_cache.conf", + mode => $::apache::file_mode, content => template('apache/mod/disk_cache.conf.erb'), require => Exec["mkdir ${::apache::mod_dir}"], before => File[$::apache::mod_dir], 
diff --git a/manifests/mod/event.pp b/manifests/mod/event.pp index 0ca201e560..6c70589a35 100644 --- a/manifests/mod/event.pp +++ b/manifests/mod/event.pp @@ -40,6 +40,7 @@ # - $serverlimit file { "${::apache::mod_dir}/event.conf": ensure => file, + mode => $::apache::file_mode, content => template('apache/mod/event.conf.erb'), require => Exec["mkdir ${::apache::mod_dir}"], before => File[$::apache::mod_dir], diff --git a/manifests/mod/expires.pp b/manifests/mod/expires.pp index 10542916aa..1531fc54d9 100644 --- a/manifests/mod/expires.pp +++ b/manifests/mod/expires.pp @@ -12,6 +12,7 @@ file { 'expires.conf': ensure => file, path => "${::apache::mod_dir}/expires.conf", + mode => $::apache::file_mode, content => template('apache/mod/expires.conf.erb'), require => Exec["mkdir ${::apache::mod_dir}"], before => File[$::apache::mod_dir], diff --git a/manifests/mod/ext_filter.pp b/manifests/mod/ext_filter.pp index b78abb6071..244c2b1da1 100644 --- a/manifests/mod/ext_filter.pp +++ b/manifests/mod/ext_filter.pp @@ -15,6 +15,7 @@ file { 'ext_filter.conf': ensure => file, path => "${::apache::mod_dir}/ext_filter.conf", + mode => $::apache::file_mode, content => template('apache/mod/ext_filter.conf.erb'), require => [ Exec["mkdir ${::apache::mod_dir}"], ], before => File[$::apache::mod_dir], diff --git a/manifests/mod/fastcgi.pp b/manifests/mod/fastcgi.pp index 1f7e5df4fb..c4da5b1e63 100644 --- a/manifests/mod/fastcgi.pp +++ b/manifests/mod/fastcgi.pp @@ -14,6 +14,7 @@ file { 'fastcgi.conf': ensure => file, path => "${::apache::mod_dir}/fastcgi.conf", + mode => $::apache::file_mode, content => template('apache/mod/fastcgi.conf.erb'), require => Exec["mkdir ${::apache::mod_dir}"], before => File[$::apache::mod_dir], diff --git a/manifests/mod/fcgid.pp b/manifests/mod/fcgid.pp index 9786670338..4c0f919388 100644 --- a/manifests/mod/fcgid.pp +++ b/manifests/mod/fcgid.pp 
@@ -11,6 +11,7 @@ file { 'unixd_fcgid.conf': ensure => file, path => "${::apache::mod_dir}/unixd_fcgid.conf", + mode => $::apache::file_mode, content => template('apache/mod/unixd_fcgid.conf.erb'), require => Exec["mkdir ${::apache::mod_dir}"], before => File[$::apache::mod_dir], diff --git a/manifests/mod/geoip.pp b/manifests/mod/geoip.pp index 1f8fb08eeb..2ff5d21918 100644 --- a/manifests/mod/geoip.pp +++ b/manifests/mod/geoip.pp @@ -22,6 +22,7 @@ file { 'geoip.conf': ensure => file, path => "${::apache::mod_dir}/geoip.conf", + mode => $::apache::file_mode, content => template('apache/mod/geoip.conf.erb'), require => Exec["mkdir ${::apache::mod_dir}"], before => File[$::apache::mod_dir], diff --git a/manifests/mod/info.pp b/manifests/mod/info.pp index f0d03eb0f6..bed35af3a1 100644 --- a/manifests/mod/info.pp +++ b/manifests/mod/info.pp @@ -10,6 +10,7 @@ file { 'info.conf': ensure => file, path => "${::apache::mod_dir}/info.conf", + mode => $::apache::file_mode, content => template('apache/mod/info.conf.erb'), require => Exec["mkdir ${::apache::mod_dir}"], before => File[$::apache::mod_dir], diff --git a/manifests/mod/itk.pp b/manifests/mod/itk.pp index dd8a9e3a2d..2d5bf04c1c 100644 --- a/manifests/mod/itk.pp +++ b/manifests/mod/itk.pp @@ -47,6 +47,7 @@ # - $maxrequestsperchild file { "${::apache::mod_dir}/itk.conf": ensure => file, + mode => $::apache::file_mode, content => template('apache/mod/itk.conf.erb'), require => Exec["mkdir ${::apache::mod_dir}"], before => File[$::apache::mod_dir], diff --git a/manifests/mod/ldap.pp b/manifests/mod/ldap.pp index d084186717..95219bd41d 100644 --- a/manifests/mod/ldap.pp +++ b/manifests/mod/ldap.pp @@ -11,6 +11,7 @@ file { 'ldap.conf': ensure => file, path => "${::apache::mod_dir}/ldap.conf", + mode => $::apache::file_mode, content => template('apache/mod/ldap.conf.erb'), require => Exec["mkdir ${::apache::mod_dir}"], before => File[$::apache::mod_dir], 
diff --git a/manifests/mod/mime.pp b/manifests/mod/mime.pp index ace7663df1..0665eb639c 100644 --- a/manifests/mod/mime.pp +++ b/manifests/mod/mime.pp @@ -8,6 +8,7 @@ file { 'mime.conf': ensure => file, path => "${::apache::mod_dir}/mime.conf", + mode => $::apache::file_mode, content => template('apache/mod/mime.conf.erb'), require => Exec["mkdir ${::apache::mod_dir}"], before => File[$::apache::mod_dir], diff --git a/manifests/mod/mime_magic.pp b/manifests/mod/mime_magic.pp index c057b01f50..722b0df402 100644 --- a/manifests/mod/mime_magic.pp +++ b/manifests/mod/mime_magic.pp @@ -6,6 +6,7 @@ file { 'mime_magic.conf': ensure => file, path => "${::apache::mod_dir}/mime_magic.conf", + mode => $::apache::file_mode, content => template('apache/mod/mime_magic.conf.erb'), require => Exec["mkdir ${::apache::mod_dir}"], before => File[$::apache::mod_dir], diff --git a/manifests/mod/negotiation.pp b/manifests/mod/negotiation.pp index 02a3a0e64d..b9aec3673f 100644 --- a/manifests/mod/negotiation.pp +++ b/manifests/mod/negotiation.pp @@ -16,6 +16,7 @@ # Template uses no variables file { 'negotiation.conf': ensure => file, + mode => $::apache::file_mode, path => "${::apache::mod_dir}/negotiation.conf", content => template('apache/mod/negotiation.conf.erb'), require => Exec["mkdir ${::apache::mod_dir}"], diff --git a/manifests/mod/nss.pp b/manifests/mod/nss.pp index d275cc493e..16c285e939 100644 --- a/manifests/mod/nss.pp +++ b/manifests/mod/nss.pp @@ -18,6 +18,7 @@ file { 'nss.conf': ensure => file, path => "${::apache::mod_dir}/nss.conf", + mode => $::apache::file_mode, content => template('apache/mod/nss.conf.erb'), require => Exec["mkdir ${::apache::mod_dir}"], before => File[$::apache::mod_dir], diff --git a/manifests/mod/pagespeed.pp b/manifests/mod/pagespeed.pp index 588849c472..e787d88ef5 100644 --- a/manifests/mod/pagespeed.pp +++ b/manifests/mod/pagespeed.pp 
@@ -47,6 +47,7 @@ file { 'pagespeed.conf': ensure => file, path => "${::apache::mod_dir}/pagespeed.conf", + mode => $::apache::file_mode, content => template('apache/mod/pagespeed.conf.erb'), require => Exec["mkdir ${::apache::mod_dir}"], before => File[$::apache::mod_dir], diff --git a/manifests/mod/peruser.pp b/manifests/mod/peruser.pp index 4eb5669d8c..e875a5afcc 100644 --- a/manifests/mod/peruser.pp +++ b/manifests/mod/peruser.pp @@ -52,6 +52,7 @@ # - $mod_dir file { "${::apache::mod_dir}/peruser.conf": ensure => file, + mode => $::apache::file_mode, content => template('apache/mod/peruser.conf.erb'), require => Exec["mkdir ${::apache::mod_dir}"], before => File[$::apache::mod_dir], diff --git a/manifests/mod/proxy.pp b/manifests/mod/proxy.pp index 8c685d55b5..73b054ab36 100644 --- a/manifests/mod/proxy.pp +++ b/manifests/mod/proxy.pp @@ -8,6 +8,7 @@ file { 'proxy.conf': ensure => file, path => "${::apache::mod_dir}/proxy.conf", + mode => $::apache::file_mode, content => template('apache/mod/proxy.conf.erb'), require => Exec["mkdir ${::apache::mod_dir}"], before => File[$::apache::mod_dir], diff --git a/manifests/mod/proxy_html.pp b/manifests/mod/proxy_html.pp index 8b910c2510..24f332334a 100644 --- a/manifests/mod/proxy_html.pp +++ b/manifests/mod/proxy_html.pp @@ -29,6 +29,7 @@ file { 'proxy_html.conf': ensure => file, path => "${::apache::mod_dir}/proxy_html.conf", + mode => $::apache::file_mode, content => template('apache/mod/proxy_html.conf.erb'), require => Exec["mkdir ${::apache::mod_dir}"], before => File[$::apache::mod_dir], diff --git a/manifests/mod/remoteip.pp b/manifests/mod/remoteip.pp index 564390e94d..abceb08c7d 100644 --- a/manifests/mod/remoteip.pp +++ b/manifests/mod/remoteip.pp 
@@ -19,6 +19,7 @@ file { 'remoteip.conf': ensure => file, path => "${::apache::mod_dir}/remoteip.conf", + mode => $::apache::file_mode, content => template('apache/mod/remoteip.conf.erb'), require => Exec["mkdir ${::apache::mod_dir}"], before => File[$::apache::mod_dir], diff --git a/manifests/mod/rpaf.pp b/manifests/mod/rpaf.pp index 12b86eb8bd..f21c43ebda 100644 --- a/manifests/mod/rpaf.pp +++ b/manifests/mod/rpaf.pp @@ -12,6 +12,7 @@ file { 'rpaf.conf': ensure => file, path => "${::apache::mod_dir}/rpaf.conf", + mode => $::apache::file_mode, content => template('apache/mod/rpaf.conf.erb'), require => Exec["mkdir ${::apache::mod_dir}"], before => File[$::apache::mod_dir], diff --git a/manifests/mod/security.pp b/manifests/mod/security.pp index 4571e2fd29..de8210118b 100644 --- a/manifests/mod/security.pp +++ b/manifests/mod/security.pp @@ -35,6 +35,7 @@ file { 'security.conf': ensure => file, content => template('apache/mod/security.conf.erb'), + mode => $::apache::file_mode, path => "${::apache::mod_dir}/security.conf", owner => $::apache::params::user, group => $::apache::params::group, diff --git a/manifests/mod/setenvif.pp b/manifests/mod/setenvif.pp index c73102dfbe..63d3e321b4 100644 --- a/manifests/mod/setenvif.pp +++ b/manifests/mod/setenvif.pp @@ -4,6 +4,7 @@ file { 'setenvif.conf': ensure => file, path => "${::apache::mod_dir}/setenvif.conf", + mode => $::apache::file_mode, content => template('apache/mod/setenvif.conf.erb'), require => Exec["mkdir ${::apache::mod_dir}"], before => File[$::apache::mod_dir], diff --git a/manifests/mod/ssl.pp b/manifests/mod/ssl.pp index a653badeda..dcc31ce8f3 100644 --- a/manifests/mod/ssl.pp +++ b/manifests/mod/ssl.pp @@ -73,6 +73,7 @@ file { 'ssl.conf': ensure => file, path => "${::apache::mod_dir}/ssl.conf", + mode => $::apache::file_mode, content => template('apache/mod/ssl.conf.erb'), require => Exec["mkdir ${::apache::mod_dir}"], before => File[$::apache::mod_dir], 
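Review bot: In the manifests/mod/security.pp hunk the added `mode => $::apache::file_mode` lands on a file that the context lines give `owner => $::apache::params::user`, so any mode with the owner write bit lets the httpd runtime account rewrite the ModSecurity configuration that is meant to constrain it. The ownership predates this commit, but the mode is what now decides whether that matters. Either keep this one file read-only regardless of `file_mode`, e.g. `mode => '0440',`, or leave a comment such as `# owned by the httpd user: file_mode must not grant owner write here`. The attribute also sits after `content` here and before `path` in negotiation.pp, while the other manifests put it after `path`.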
diff --git a/manifests/mod/status.pp b/manifests/mod/status.pp index 4c3f8d9e25..d11a464d79 100644 --- a/manifests/mod/status.pp +++ b/manifests/mod/status.pp @@ -11,7 +11,7 @@ # values are 'On' or 'Off'. Defaults to 'On'. # - $status_path is the path assigned to the Location directive which # defines the URL to access the server status. Defaults to '/server-status'. -# +# # Actions: # - Enable and configure Apache mod_status # @@ -38,6 +38,7 @@ file { 'status.conf': ensure => file, path => "${::apache::mod_dir}/status.conf", + mode => $::apache::file_mode, content => template('apache/mod/status.conf.erb'), require => Exec["mkdir ${::apache::mod_dir}"], before => File[$::apache::mod_dir], diff --git a/manifests/mod/suphp.pp b/manifests/mod/suphp.pp index c50beea06c..5d426d7948 100644 --- a/manifests/mod/suphp.pp +++ b/manifests/mod/suphp.pp @@ -5,6 +5,7 @@ file {'suphp.conf': ensure => file, path => "${::apache::mod_dir}/suphp.conf", + mode => $::apache::file_mode, content => template('apache/mod/suphp.conf.erb'), require => Exec["mkdir ${::apache::mod_dir}"], before => File[$::apache::mod_dir], diff --git a/manifests/mod/userdir.pp b/manifests/mod/userdir.pp index 4b3d0b8e80..516bb11654 100644 --- a/manifests/mod/userdir.pp +++ b/manifests/mod/userdir.pp @@ -11,6 +11,7 @@ file { 'userdir.conf': ensure => file, path => "${::apache::mod_dir}/userdir.conf", + mode => $::apache::file_mode, content => template('apache/mod/userdir.conf.erb'), require => Exec["mkdir ${::apache::mod_dir}"], before => File[$::apache::mod_dir], diff --git a/manifests/mod/wsgi.pp b/manifests/mod/wsgi.pp index bff5b46b7c..d1b8214753 100644 --- a/manifests/mod/wsgi.pp +++ b/manifests/mod/wsgi.pp @@ -32,6 +32,7 @@ file {'wsgi.conf': ensure => file, path => "${::apache::mod_dir}/wsgi.conf", + mode => $::apache::file_mode, content => template('apache/mod/wsgi.conf.erb'), require => Exec["mkdir ${::apache::mod_dir}"], before => File[$::apache::mod_dir], 
From 2c54785de4f76ed431eaa2d1060458408f62f6b3 Mon Sep 17 00:00:00 2001 From: slava Date: Wed, 20 Jan 2016 16:09:05 +0300 Subject: [PATCH 005/100] Specify owning permissions for logroot directory The main goal of this patch is to prevent inheritance of owning permissions for File resource. For example, if we define somewhere in high level manifest 'owner' and 'group' values, it will be passed to apache module and wrong owning permissions will be set. It's critical for 'logroot' folder as we have '0750' permissions for this folder in apache package by default. --- README.md | 8 ++++++++ manifests/vhost.pp | 4 ++++ spec/defines/vhost_spec.rb | 2 ++ 3 files changed, 14 insertions(+) diff --git a/README.md b/README.md index 707720a2b6..488421a368 100644 --- a/README.md +++ b/README.md @@ -2137,6 +2137,14 @@ Determines whether or not to remove the logroot directory for a virtual host. Va Overrides the mode the logroot directory is set to. Defaults to undef. Do NOT give people write access to the directory the logs are stored in without being aware of the consequences; see http://httpd.apache.org/docs/2.4/logs.html#security for details. +##### `logroot_owner` + +Sets individual user access to the logroot directory. Defaults to 'undef'. + +##### `logroot_group` + +Sets group access to the [`logroot`][] directory. Defaults to 'undef'. + ##### `log_level` Specifies the verbosity of the error log. Defaults to 'warn' for the global server configuration and can be overridden on a per-vhost basis. Valid values are 'emerg', 'alert', 'crit', 'error', 'warn', 'notice', 'info' or 'debug'. diff --git a/manifests/vhost.pp b/manifests/vhost.pp index 8b5422e5ae..2201e72cd3 100644 --- a/manifests/vhost.pp +++ b/manifests/vhost.pp @@ -43,6 +43,8 @@ $logroot = $::apache::logroot, $logroot_ensure = 'directory', $logroot_mode = undef, + $logroot_owner = undef, + $logroot_group = undef, $log_level = undef, $access_log = true, $access_log_file = false, 
@@ -307,6 +309,8 @@ if ! defined(File[$logroot]) { file { $logroot: ensure => $logroot_ensure, + owner => $logroot_owner, + group => $logroot_group, mode => $logroot_mode, require => Package['httpd'], before => Concat["${priority_real}${filename}.conf"], diff --git a/spec/defines/vhost_spec.rb b/spec/defines/vhost_spec.rb index 9a3027604f..12653e9b1d 100644 --- a/spec/defines/vhost_spec.rb +++ b/spec/defines/vhost_spec.rb @@ -170,6 +170,8 @@ 'logroot' => '/var/www/logs', 'logroot_ensure' => 'directory', 'logroot_mode' => '0600', + 'logroot_owner' => 'root', + 'logroot_group' => 'root', 'log_level' => 'crit', 'access_log' => false, 'access_log_file' => 'httpd_access_log', From 5532bd08e9d71f56c65701c8134a726db48751a6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?F=C3=A9lix=20Barbeira?= Date: Wed, 27 Jan 2016 09:23:32 +0100 Subject: [PATCH 006/100] Remove white space. --- manifests/mod/status.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/mod/status.pp b/manifests/mod/status.pp index 4c3f8d9e25..3dc0695e9d 100644 --- a/manifests/mod/status.pp +++ b/manifests/mod/status.pp @@ -11,7 +11,7 @@ # values are 'On' or 'Off'. Defaults to 'On'. # - $status_path is the path assigned to the Location directive which # defines the URL to access the server status. Defaults to '/server-status'. -# +# # Actions: # - Enable and configure Apache mod_status # From c748b4502da5534e0ffafd24e5b688e2c1585cd8 Mon Sep 17 00:00:00 2001 
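Review bot: `owner => $logroot_owner` and `group => $logroot_group` in the `file { $logroot:` resource let a caller hand the log directory to any account, and the README text added for the two parameters carries none of the caution that the neighbouring `logroot_mode` entry has. The Apache logging documentation linked from that entry explains why write access to the log directory is sensitive, and ownership of the directory grants that access just as a permissive mode does. I would repeat that caution for both parameters and add `# logroot ownership is security-sensitive; see the logroot_mode note in the README` above the two attributes. The resource body continues past the end of this hunk.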
From: David Schmitt Date: Mon, 25 Jan 2016 14:12:10 +0000 Subject: [PATCH 007/100] (FM-4049) Update to current msync configs [2c99161] --- .gitignore | 1 + .rspec | 2 ++ .travis.yml | 15 +++++++------ CONTRIBUTING.md | 6 ++--- Gemfile | 22 +++++++++---------- Rakefile | 3 ++- spec/acceptance/nodesets/centos-59-x64.yml | 10 +++++++++ spec/acceptance/nodesets/centos-64-x64-pe.yml | 12 ++++++++++ spec/acceptance/nodesets/centos-65-x64.yml | 10 +++++++++ 9 files changed, 59 insertions(+), 22 deletions(-) create mode 100644 .rspec create mode 100644 spec/acceptance/nodesets/centos-59-x64.yml create mode 100644 spec/acceptance/nodesets/centos-64-x64-pe.yml create mode 100644 spec/acceptance/nodesets/centos-65-x64.yml diff --git a/.gitignore b/.gitignore index b5db85e051..3190277498 100644 --- a/.gitignore +++ b/.gitignore @@ -5,5 +5,6 @@ spec/fixtures/ .vagrant/ .bundle/ coverage/ +log/ .idea/ *.iml diff --git a/.rspec b/.rspec new file mode 100644 index 0000000000..16f9cdb013 --- /dev/null +++ b/.rspec @@ -0,0 +1,2 @@ +--color +--format documentation diff --git a/.travis.yml b/.travis.yml index c418ab5f2a..e6314a4700 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,18 +1,19 @@ --- sudo: false language: ruby +cache: bundler bundler_args: --without system_tests -script: "bundle exec rake validate && bundle exec rake lint && bundle exec rake spec SPEC_OPTS='--format documentation'" +script: "bundle exec rake validate lint spec" matrix: fast_finish: true include: - - rvm: 1.9.3 - env: PUPPET_GEM_VERSION="~> 3.0" - - rvm: 2.1.5 - env: PUPPET_GEM_VERSION="~> 3.0" - - rvm: 2.1.5 - env: PUPPET_GEM_VERSION="~> 3.0" FUTURE_PARSER="yes" - rvm: 2.1.6 env: PUPPET_GEM_VERSION="~> 4.0" STRICT_VARIABLES="yes" + - rvm: 2.1.5 + env: PUPPET_GEM_VERSION="~> 3.0" FUTURE_PARSER="yes" + - rvm: 2.1.5 + env: PUPPET_GEM_VERSION="~> 3.0" + - rvm: 1.9.3 + env: PUPPET_GEM_VERSION="~> 3.0" notifications: email: false diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index f1cbde4bbf..bfeaa701ca 100644 
--- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -159,7 +159,7 @@ If you already have those gems installed, make sure they are up-to-date: With all dependencies in place and up-to-date we can now run the tests: ```shell -% rake spec +% bundle exec rake spec ``` This will execute all the [rspec tests](http://rspec-puppet.com/) tests @@ -178,8 +178,8 @@ installed on your system. You can run them by issuing the following command ```shell -% rake spec_clean -% rspec spec/acceptance +% bundle exec rake spec_clean +% bundle exec rspec spec/acceptance ``` This will now download a pre-fabricated image configured in the [default node-set](./spec/acceptance/nodesets/default.yml), diff --git a/Gemfile b/Gemfile index bfe64b186a..ced190e770 100644 --- a/Gemfile +++ b/Gemfile @@ -1,7 +1,7 @@ source ENV['GEM_SOURCE'] || "https://rubygems.org" def location_for(place, fake_version = nil) - if place =~ /^(git:[^#]*)#(.*)/ + if place =~ /^(git[:@][^#]*)#(.*)/ [fake_version, { :git => $1, :branch => $2, :require => false }].compact elsif place =~ /^file:\/\/(.*)/ ['>= 0', { :path => File.expand_path($1), :require => false }] @@ -11,14 +11,16 @@ def location_for(place, fake_version = nil) end group :development, :unit_tests do - gem 'rspec-core', '3.1.7', :require => false - gem 'puppetlabs_spec_helper', :require => false - gem 'simplecov', :require => false - gem 'puppet_facts', :require => false - gem 'json', :require => false + gem 'json', :require => false + gem 'metadata-json-lint', :require => false + gem 'puppet_facts', :require => false + gem 'puppet-blacksmith', :require => false + gem 'puppetlabs_spec_helper', :require => false + gem 'rspec-puppet', '>= 2.3.2', :require => false + gem 'simplecov', :require => false end - group :system_tests do + gem 'beaker-puppet_install_helper', :require => false if beaker_version = ENV['BEAKER_VERSION'] gem 'beaker', *location_for(beaker_version) end 
@@ -27,12 +29,10 @@ group :system_tests do else gem 'beaker-rspec', :require => false end - gem 'serverspec', :require => false - gem 'beaker-puppet_install_helper', :require => false + gem 'master_manipulator', :require => false + gem 'serverspec', :require => false end - - if facterversion = ENV['FACTER_GEM_VERSION'] gem 'facter', facterversion, :require => false else diff --git a/Rakefile b/Rakefile index 416807dadc..636508b00e 100644 --- a/Rakefile +++ b/Rakefile @@ -1,5 +1,6 @@ -require 'puppetlabs_spec_helper/rake_tasks' +require 'puppet_blacksmith/rake_tasks' require 'puppet-lint/tasks/puppet-lint' +require 'puppetlabs_spec_helper/rake_tasks' PuppetLint.configuration.fail_on_warnings = true PuppetLint.configuration.send('relative') diff --git a/spec/acceptance/nodesets/centos-59-x64.yml b/spec/acceptance/nodesets/centos-59-x64.yml new file mode 100644 index 0000000000..2ad90b86aa --- /dev/null +++ b/spec/acceptance/nodesets/centos-59-x64.yml @@ -0,0 +1,10 @@ +HOSTS: + centos-59-x64: + roles: + - master + platform: el-5-x86_64 + box : centos-59-x64-vbox4210-nocm + box_url : http://puppet-vagrant-boxes.puppetlabs.com/centos-59-x64-vbox4210-nocm.box + hypervisor : vagrant +CONFIG: + type: git diff --git a/spec/acceptance/nodesets/centos-64-x64-pe.yml b/spec/acceptance/nodesets/centos-64-x64-pe.yml new file mode 100644 index 0000000000..7d9242f1b9 --- /dev/null +++ b/spec/acceptance/nodesets/centos-64-x64-pe.yml @@ -0,0 +1,12 @@ +HOSTS: + centos-64-x64: + roles: + - master + - database + - dashboard + platform: el-6-x86_64 + box : centos-64-x64-vbox4210-nocm + box_url : http://puppet-vagrant-boxes.puppetlabs.com/centos-64-x64-vbox4210-nocm.box + hypervisor : vagrant +CONFIG: + type: pe diff --git a/spec/acceptance/nodesets/centos-65-x64.yml b/spec/acceptance/nodesets/centos-65-x64.yml new file mode 100644 index 0000000000..4e2cb809e8 --- /dev/null +++ b/spec/acceptance/nodesets/centos-65-x64.yml 
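Review bot: The new nodesets download their Vagrant box over plain HTTP, e.g. `box_url : http://puppet-vagrant-boxes.puppetlabs.com/centos-59-x64-vbox4210-nocm.box` in centos-59-x64.yml, and no checksum is recorded, so the image the acceptance tests boot is not authenticated in transit. The same applies to centos-64-x64-pe.yml and centos-65-x64.yml. If the host serves HTTPS, switching the scheme is a one-line change per file; otherwise a comment such as `# box fetched over HTTP without verification; use only on throwaway test hosts` records the limitation. Since the subject says these files come from msync, the fix probably belongs in the shared templates.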
@@ -0,0 +1,10 @@ +HOSTS: + centos-65-x64: + roles: + - master + platform: el-6-x86_64 + box : centos-65-x64-vbox436-nocm + box_url : http://puppet-vagrant-boxes.puppetlabs.com/centos-65-x64-virtualbox-nocm.box + hypervisor : vagrant +CONFIG: + type: foss From 5e431279017e900966fc843d75a97c943448d016 Mon Sep 17 00:00:00 2001 From: Joseph Yaworski Date: Fri, 29 Jan 2016 14:51:43 -0500 Subject: [PATCH 008/100] Add apache_version fact --- lib/facter/apache_version.rb | 8 ++++++++ spec/unit/apache_version_spec.rb | 20 ++++++++++++++++++++ 2 files changed, 28 insertions(+) create mode 100644 lib/facter/apache_version.rb create mode 100644 spec/unit/apache_version_spec.rb diff --git a/lib/facter/apache_version.rb b/lib/facter/apache_version.rb new file mode 100644 index 0000000000..b45c888346 --- /dev/null +++ b/lib/facter/apache_version.rb @@ -0,0 +1,8 @@ +Facter.add(:apache_version) do + setcode do + if Facter::Util::Resolution.which('apachectl') + apache_version = Facter::Util::Resolution.exec('apachectl -v 2>&1') + %r{^Server version: Apache\/([\w\.]+) \(([\w]+)\)}.match(apache_version)[1] + end + end +end diff --git a/spec/unit/apache_version_spec.rb b/spec/unit/apache_version_spec.rb new file mode 100644 index 0000000000..30f6ef9914 --- /dev/null +++ b/spec/unit/apache_version_spec.rb @@ -0,0 +1,20 @@ +require 'spec_helper' + +describe Facter::Util::Fact do + before do + Facter.clear + end + + describe 'apache_version' do + context 'with value' do + before :each do + Facter::Util::Resolution.stubs(:which).with('apachectl').returns(true) + Facter::Util::Resolution.stubs(:exec).with('apachectl -v 2>&1').returns('Server version: Apache/2.4.16 (Unix) + Server built: Jul 31 2015 15:53:26') + end + it do + expect(Facter.fact(:apache_version).value).to eq('2.4.16') + end + end + end +end From a91d9d7293c0cb26b9bf7b1344ced6fb3dfadcd4 Mon Sep 17 00:00:00 2001 
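Review bot: The `setcode` block in lib/facter/apache_version.rb calls `[1]` directly on the result of `match`, so any `apachectl -v` output that does not fit the pattern raises NoMethodError on nil instead of leaving the fact unset. The pattern requires a single `\w+` token inside the parentheses, which a multi-word platform name would not satisfy, and `exec` may also return nil. Matching only the version and guarding the result avoids both: `m = %r{^Server version: Apache/([\w.]+)}.match(apache_version.to_s)` followed by `m[1] if m`. The spec added alongside covers only the matching case; a context with non-matching output would pin the guarded behaviour.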
From: Matthew Kennedy Date: Thu, 15 Oct 2015 12:58:52 -0600 Subject: [PATCH 009/100] ThreadLimit needs to be above MaxClients or it is ignored. https://bz.apache.org/bugzilla/show_bug.cgi?id=46113 --- templates/mod/worker.conf.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/mod/worker.conf.erb b/templates/mod/worker.conf.erb index ad2bc44610..8ad6451c75 100644 --- a/templates/mod/worker.conf.erb +++ b/templates/mod/worker.conf.erb @@ -1,11 +1,11 @@ ServerLimit <%= @serverlimit %> StartServers <%= @startservers %> + ThreadLimit <%= @threadlimit %> MaxClients <%= @maxclients %> MinSpareThreads <%= @minsparethreads %> MaxSpareThreads <%= @maxsparethreads %> ThreadsPerChild <%= @threadsperchild %> MaxRequestsPerChild <%= @maxrequestsperchild %> - ThreadLimit <%= @threadlimit %> ListenBacklog <%= @listenbacklog %> From 9fa1dd71aef812bde52337ea6a4b589d53ca10f1 Mon Sep 17 00:00:00 2001 From: Daehyung Lee Date: Mon, 11 Jan 2016 14:03:33 +0900 Subject: [PATCH 010/100] Added support cache related options to apache::mod::ldap Not to set the any options if you were not specified --- manifests/mod/ldap.pp | 5 +++++ templates/mod/ldap.conf.erb | 15 +++++++++++++++ 2 files changed, 20 insertions(+) diff --git a/manifests/mod/ldap.pp b/manifests/mod/ldap.pp index d084186717..8586756d5a 100644 --- a/manifests/mod/ldap.pp +++ b/manifests/mod/ldap.pp @@ -2,6 +2,11 @@ $apache_version = $::apache::apache_version, $ldap_trusted_global_cert_file = undef, $ldap_trusted_global_cert_type = 'CA_BASE64', + $ldap_shared_cache_size = undef, + $ldap_cache_entries = undef, + $ldap_cache_ttl = undef, + $ldap_opcache_entries = undef, + $ldap_opcache_ttl = undef, ){ if ($ldap_trusted_global_cert_file) { validate_string($ldap_trusted_global_cert_type) diff --git a/templates/mod/ldap.conf.erb b/templates/mod/ldap.conf.erb index fbb4b92136..424fbe8ee7 100644 --- a/templates/mod/ldap.conf.erb +++ b/templates/mod/ldap.conf.erb 
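Review bot: The five new cache parameters in manifests/mod/ldap.pp are accepted without validation, although this class already calls `validate_string` on the certificate type. The template hunk that follows writes the values verbatim into ldap.conf. The directives take numeric arguments, so a guarded check per parameter, for example `if $ldap_cache_ttl { validate_integer($ldap_cache_ttl) }` (assuming the module's stdlib dependency provides that function), would turn a mistyped value into a catalog failure rather than a config file Apache refuses to load. The class body continues outside the hunk.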
@@ -12,3 +12,18 @@ <% if @ldap_trusted_global_cert_file -%> LDAPTrustedGlobalCert <%= @ldap_trusted_global_cert_type %> <%= @ldap_trusted_global_cert_file %> <% end -%> +<%- if @ldap_shared_cache_size -%> +LDAPSharedCacheSize <%= @ldap_shared_cache_size %> +<%- end -%> +<%- if @ldap_cache_entries -%> +LDAPCacheEntries <%= @ldap_cache_entries %> +<%- end -%> +<%- if @ldap_cache_ttl -%> +LDAPCacheTTL <%= @ldap_cache_ttl %> +<%- end -%> +<%- if @ldap_opcache_entries -%> +LDAPOpCacheEntries <%= @ldap_opcache_entries %> +<%- end -%> +<%- if @ldap_opcache_ttl -%> +LDAPOpCacheTTL <%= @ldap_opcache_ttl %> +<%- end -%> From ed74be3277eac484254e0bb887c736b35c14389e Mon Sep 17 00:00:00 2001 From: tphoney Date: Mon, 1 Feb 2016 11:14:11 +0000 Subject: [PATCH 011/100] adding docs and tests for ldap parameter additions --- README.md | 10 ++++++++++ spec/classes/mod/ldap_spec.rb | 14 ++++++++++++-- 2 files changed, 22 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 707720a2b6..05b368686f 100644 --- a/README.md +++ b/README.md @@ -1508,6 +1508,11 @@ Installs and configures [`mod_ldap`][]. Allows you to modify the class { 'apache::mod::ldap': ldap_trusted_global_cert_file => '/etc/pki/tls/certs/ldap-trust.crt' ldap_trusted_global_cert_type => 'CA_DER', + ldap_shared_cache_size => '500000', + ldap_cache_entries => '1024', + ldap_cache_ttl => '600', + ldap_opcache_entries => '1024', + ldap_opcache_ttl => '600', } ~~~ 
@@ -1515,6 +1520,11 @@ class { 'apache::mod::ldap': - `ldap_trusted_global_cert_file`: Path and file name of the trusted CA certificates to use when establishing SSL or TLS connections to an LDAP server. - `ldap_trusted_global_cert_type`: The global trust certificate format. Defaults to 'CA_BASE64'. +- `ldap_shared_cache_size`: Size in bytes of the shared-memory cache. +- `ldap_cache_entries`: Maximum number of entries in the primary LDAP cache. +- `ldap_cache_ttl`: Time that cached items remain valid. +- `ldap_opcache_entries`: Number of entries used to cache LDAP compare operations. +- `ldap_opcache_ttl`: Time that entries in the operation cache remain valid. ##### Class: `apache::mod::negotiation` diff --git a/spec/classes/mod/ldap_spec.rb b/spec/classes/mod/ldap_spec.rb index 2b82d8d1bb..f51cafd4f7 100644 --- a/spec/classes/mod/ldap_spec.rb +++ b/spec/classes/mod/ldap_spec.rb 
@@ -32,12 +32,22 @@ it { is_expected.to contain_file('ldap.conf').with_content(/^LDAPTrustedGlobalCert CA_BASE64 ca\.pem$/) } end - context 'ldap_trusted_global_cert_file and ldap_trusted_global_cert_type params' do + context 'set multiple ldap params' do let(:params) {{ :ldap_trusted_global_cert_file => 'ca.pem', - :ldap_trusted_global_cert_type => 'CA_DER' + :ldap_trusted_global_cert_type => 'CA_DER', + :ldap_shared_cache_size => '500000', + :ldap_cache_entries => '1024', + :ldap_cache_ttl => '600', + :ldap_opcache_entries => '1024', + :ldap_opcache_ttl => '600' }} it { is_expected.to contain_file('ldap.conf').with_content(/^LDAPTrustedGlobalCert CA_DER ca\.pem$/) } + it { is_expected.to contain_file('ldap.conf').with_content(/^LDAPSharedCacheSize 500000$/) } + it { is_expected.to contain_file('ldap.conf').with_content(/^LDAPCacheEntries 1024$/) } + it { is_expected.to contain_file('ldap.conf').with_content(/^LDAPCacheTTL 600$/) } + it { is_expected.to contain_file('ldap.conf').with_content(/^LDAPOpCacheEntries 1024$/) } + it { is_expected.to contain_file('ldap.conf').with_content(/^LDAPOpCacheTTL 600$/) } end end #Debian From 2f78dab061378ed6e0e5b7c6aa670dd2625dea14 Mon Sep 17 00:00:00 2001 From: Bob Vincent Date: Fri, 29 Jan 2016 17:02:16 -0500 Subject: [PATCH 012/100] Bugfix: require concat, not file --- manifests/init.pp | 2 +- spec/classes/apache_spec.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index b67c9f2fb3..13eb5f7172 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -345,7 +345,7 @@ ensure => file, content => template($conf_template), notify => Class['Apache::Service'], - require => [Package['httpd'], File[$ports_file]], + require => [Package['httpd'], Concat[$ports_file]], } # preserve back-wards compatibility to the times when default_mods was diff --git a/spec/classes/apache_spec.rb b/spec/classes/apache_spec.rb index 45f8a690c6..34d56ba4f7 100644 
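Review bot: The new assertions in ldap_spec.rb only cover the case where every cache parameter is set; nothing checks that the directives are omitted when the parameters are left at `undef`, which is what the template's `if` guards are there to provide. A negative expectation in a context that sets no cache parameters, for example `it { is_expected.to contain_file('ldap.conf').without_content(/^LDAPCacheTTL/) }`, would catch a template regression that emits an empty directive. The enclosing describe and context blocks begin outside the hunk.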
--- a/spec/classes/apache_spec.rb +++ b/spec/classes/apache_spec.rb @@ -504,7 +504,7 @@ it { is_expected.to contain_file("/opt/rh/root/etc/httpd/conf/httpd.conf").with( 'ensure' => 'file', 'notify' => 'Class[Apache::Service]', - 'require' => ['Package[httpd]', 'File[/etc/httpd/conf/ports.conf]'], + 'require' => ['Package[httpd]', 'Concat[/etc/httpd/conf/ports.conf]'], ) } end From 9996cb23a118ee14806197a8597be1c0cbe2e70b Mon Sep 17 00:00:00 2001 From: Hunter Haugen Date: Tue, 2 Feb 2016 16:34:39 -0800 Subject: [PATCH 013/100] Fix passenger on redhat systems Passenger needs their own repository now, so this PR adds that repo to the apache::mod::passenger class. It also updates the readme documenting which mods need epel or other extra repositories (or at least the packages provided by those repos). It also updates the style of the readme and some other linting issues. --- README.md | 545 +++++++++++++------------- manifests/mod/passenger.pp | 16 + manifests/params.pp | 26 +- spec/acceptance/mod_passenger_spec.rb | 46 +-- spec/acceptance/vhost_spec.rb | 27 ++ 5 files changed, 355 insertions(+), 305 deletions(-) diff --git a/README.md b/README.md index f4dbe7829c..1ee7ce5ae6 100644 --- a/README.md +++ b/README.md @@ -66,7 +66,6 @@ [`apache::version`]: #class-apacheversion [`apache::vhost`]: #define-apachevhost [`apache::vhost::custom`]: #define-apachevhostcustom -[`apache::vhost::WSGIImportScript`]: #wsgiimportscript [Apache HTTP Server]: http://httpd.apache.org [Apache modules]: http://httpd.apache.org/docs/current/mod/ [array]: https://docs.puppetlabs.com/puppet/latest/reference/lang_data_array.html 
@@ -290,19 +289,19 @@ To temporarily disable full Puppet management, set the [`purge_configs`][] param To have Puppet install Apache with the default parameters, declare the [`apache`][] class: -~~~ puppet +``` puppet class { 'apache': } -~~~ +``` The Puppet module applies a default configuration based on your operating system; Debian, Red Hat, FreeBSD, and Gentoo systems each have unique default configurations. These defaults work in testing environments but are not suggested for production, and Puppet recommends customizing the class's parameters to suit your site. Use the [Reference](#reference) section to find information about the class's parameters and their default values. You can customize parameters when declaring the `apache` class. For instance, this declaration installs Apache without the apache module's [default virtual host configuration][Configuring virtual hosts], allowing you to customize all Apache virtual hosts: -~~~ puppet +``` puppet class { 'apache': default_vhost => false, } -~~~ +``` ## Usage 
@@ -314,41 +313,41 @@ The default [`apache`][] class sets up a virtual host on port 80, listening on a To configure basic [name-based virtual hosts][], specify the [`port`][] and [`docroot`][] parameters in the [`apache::vhost`][] define: -~~~ puppet +``` puppet apache::vhost { 'vhost.example.com': port => '80', docroot => '/var/www/vhost', } -~~~ +``` **Note**: Apache processes virtual hosts in alphabetical order, and server administrators can prioritize Apache's virtual host processing by prefixing a virtual host's configuration file name with a number. The [`apache::vhost`][] define applies a default [`priority`][] of 15, which Puppet interprets by prefixing the virtual host's file name with `15-`. This all means that if multiple sites have the same priority, or if you disable priority numbers by setting the `priority` parameter's value to 'false', Apache still processes virtual hosts in alphabetical order. To configure user and group ownership for `docroot`, use the [`docroot_owner`][] and [`docroot_group`][] parameters: -~~~ puppet +``` puppet apache::vhost { 'user.example.com': port => '80', docroot => '/var/www/user', docroot_owner => 'www-data', docroot_group => 'www-data', } -~~~ +``` #### Configuring virtual hosts with SSL To configure a virtual host to use [SSL encryption][] and default SSL certificates, set the [`ssl`][] parameter. You must also specify the [`port`][] parameter, typically with a value of '443', to accommodate HTTPS requests: -~~~ puppet +``` puppet apache::vhost { 'ssl.example.com': port => '443', docroot => '/var/www/ssl', ssl => true, } -~~~ +``` To configure a virtual host to use SSL and specific SSL certificates, use the paths to the certificate and key in the [`ssl_cert`][] and [`ssl_key`][] parameters, respectively: -~~~ puppet +``` puppet apache::vhost { 'cert.example.com': port => '443', docroot => '/var/www/cert', 
@@ -356,11 +355,11 @@ apache::vhost { 'cert.example.com': ssl_cert => '/etc/ssl/fourth.example.com.cert', ssl_key => '/etc/ssl/fourth.example.com.key', } -~~~ +``` To configure a mix of SSL and unencrypted virtual hosts at the same domain, declare them with separate [`apache::vhost`] defines: -~~~ puppet +``` puppet # The non-ssl virtual host apache::vhost { 'mix.example.com non-ssl': servername => 'mix.example.com', @@ -375,11 +374,11 @@ apache::vhost { 'mix.example.com ssl': docroot => '/var/www/mix', ssl => true, } -~~~ +``` To configure a virtual host to redirect unencrypted connections to SSL, declare them with separate [`apache::vhost`] defines and redirect unencrypted requests to the virtual host with SSL enabled: -~~~ puppet +``` puppet apache::vhost { 'redirect.example.com non-ssl': servername => 'redirect.example.com', port => '80', @@ -394,33 +393,33 @@ apache::vhost { 'redirect.example.com ssl': docroot => '/var/www/redirect', ssl => true, } -~~~ +``` #### Configuring virtual host port and address bindings -Virtual hosts listen on all IP addresses ('*') by default. To configure the virtual host to listen on a specific IP address, use the [`ip`][] parameter: +Virtual hosts listen on all IP addresses ('\*') by default. To configure the virtual host to listen on a specific IP address, use the [`ip`][] parameter: -~~~ puppet +``` puppet apache::vhost { 'ip.example.com': ip => '127.0.0.1', port => '80', docroot => '/var/www/ip', } -~~~ +``` It is also possible to configure more than one IP address per vhost by using an array of IP addresses for the [`ip`][] parameter: -~~~ puppet +``` puppet apache::vhost { 'ip.example.com': ip => ['127.0.0.1','169.254.1.1'], port => '80', docroot => '/var/www/ip', } -~~~ +``` To configure a virtual host with [aliased servers][], refer to the aliases using the [`serveraliases`][] parameter: -~~~ puppet +``` puppet apache::vhost { 'aliases.example.com': serveraliases => [ 'aliases.example.org', 
@@ -429,11 +428,11 @@ apache::vhost { 'aliases.example.com': port => '80', docroot => '/var/www/aliases', } -~~~ +``` To set up a virtual host with a wildcard alias for the subdomain mapped to a same-named directory, such as 'http://example.com.loc' mapped to `/var/www/example.com`, define the wildcard alias using the [`serveraliases`][] parameter and the document root with the [`virtual_docroot`][] parameter: -~~~ puppet +``` puppet apache::vhost { 'subdomain.loc': vhost_name => '*', port => '80', @@ -441,11 +440,11 @@ apache::vhost { 'subdomain.loc': docroot => '/var/www', serveraliases => ['*.loc',], } -~~~ +``` To configure a virtual host with [filter rules][], pass the filter directives as an [array][] using the [`filters`][] parameter: -~~~ puppet +``` puppet apache::vhost { 'subdomain.loc': port => '80', filters => [ @@ -456,13 +455,13 @@ apache::vhost { 'subdomain.loc': ], docroot => '/var/www/html', } -~~~ +``` #### Configuring virtual hosts for apps and processors To set up a virtual host with [suPHP][], use the [`suphp_engine`][] parameter to enable the suPHP engine, [`suphp_addhandler`][] parameter to define a MIME type, [`suphp_configpath`][] to set which path suPHP passes to the PHP interpreter, and the [`directory`][] parameter to configure Directory, File, and Location directive blocks: -~~~ puppet +``` puppet apache::vhost { 'suphp.example.com': port => '80', docroot => '/home/appuser/myphpapp', @@ -478,11 +477,11 @@ apache::vhost { 'suphp.example.com': }, ], } -~~~ +``` You can use a set of parameters to configure a virtual host to use the [Web Server Gateway Interface][] (WSGI) for [Python][] applications: -~~~ puppet +``` puppet apache::vhost { 'wsgi.example.com': port => '80', docroot => '/var/www/pythonapp', 
@@ -501,53 +500,53 @@ apache::vhost { 'wsgi.example.com': wsgi_process_group => 'wsgi', wsgi_script_aliases => { '/' => '/var/www/demo.wsgi' }, } -~~~ +``` Starting in Apache 2.2.16, Apache supports [FallbackResource][], a simple replacement for common RewriteRules. You can set a FallbackResource using the [`fallbackresource`][] parameter: -~~~ puppet +``` puppet apache::vhost { 'wordpress.example.com': port => '80', docroot => '/var/www/wordpress', fallbackresource => '/index.php', } -~~~ +``` **Note**: The `fallbackresource` parameter only supports the 'disabled' value since Apache 2.2.24. To configure a virtual host with a designated directory for [Common Gateway Interface][] (CGI) files, use the [`scriptalias`][] parameter to define the `cgi-bin` path: -~~~ puppet +``` puppet apache::vhost { 'cgi.example.com': port => '80', docroot => '/var/www/cgi', scriptalias => '/usr/lib/cgi-bin', } -~~~ +``` To configure a virtual host for [Rack][], use the [`rack_base_uris`][] parameter: -~~~ puppet +``` puppet apache::vhost { 'rack.example.com': port => '80', docroot => '/var/www/rack', rack_base_uris => ['/rackapp1', '/rackapp2'], } -~~~ +``` #### Configuring IP-based virtual hosts You can configure [IP-based virtual hosts][] to listen on any port and have them respond to requests on specific IP addresses. In this example, we set the server to listen on ports 80 and 81 because the example virtual hosts are _not_ declared with a [`port`][] parameter: -~~~ puppet +``` puppet apache::listen { '80': } apache::listen { '81': } -~~~ +``` Then we configure the IP-based virtual hosts with the [`ip_based`][] parameter: -~~~ puppet +``` puppet apache::vhost { 'first.example.com': ip => '10.0.0.10', docroot => '/var/www/first', 
@@ -559,11 +558,11 @@ apache::vhost { 'second.example.com': docroot => '/var/www/second', ip_based => true, } -~~~ +``` You can also configure a mix of IP- and [name-based virtual hosts][], and in any combination of [SSL][SSL encryption] and unencrypted configurations. First, we add two IP-based virtual hosts on an IP address (in this example, 10.0.0.10). One uses SSL and the other is unencrypted: -~~~ puppet +``` puppet apache::vhost { 'The first IP-based virtual host, non-ssl': servername => 'first.example.com', ip => '10.0.0.10', @@ -580,11 +579,11 @@ apache::vhost { 'The first IP-based vhost, ssl': docroot => '/var/www/first-ssl', ssl => true, } -~~~ +``` Next, we add two name-based virtual hosts listening on a second IP address (10.0.0.20): -~~~ puppet +``` puppet apache::vhost { 'second.example.com': ip => '10.0.0.20', port => '80', @@ -596,11 +595,11 @@ apache::vhost { 'third.example.com': port => '80', docroot => '/var/www/third', } -~~~ +``` To add name-based virtual hosts that answer on either 10.0.0.10 or 10.0.0.20, you **must** set the [`add_listen`][] parameter to 'false' to disable the default Apache setting of `Listen 80`, as it conflicts with the preceding IP-based virtual hosts. -~~~ puppet +``` puppet apache::vhost { 'fourth.example.com': port => '80', docroot => '/var/www/fourth', @@ -612,7 +611,7 @@ apache::vhost { 'fifth.example.com': docroot => '/var/www/fifth', add_listen => false, } -~~~ +``` ### Installing Apache modules 
@@ -627,17 +626,17 @@ The Puppet apache module supports installing many common [Apache modules][], oft For example, you can install the `mod_ssl` Apache module with default settings by declaring the [`apache::mod::ssl`][] class: -~~~ puppet +``` puppet class { 'apache::mod::ssl': } -~~~ +``` [`apache::mod::ssl`][] has several parameterized options that you can set when declaring it. For instance, to enable `mod_ssl` with compression enabled, set the [`ssl_compression`][] parameter to 'true': -~~~ puppet +``` puppet class { 'apache::mod::ssl': ssl_compression => true, } -~~~ +``` Note that some modules have prerequisites, which are documented in their references under [`apache::mod::`][]. @@ -645,11 +644,11 @@ Note that some modules have prerequisites, which are documented in their referen You can pass the name of any module that your operating system's package manager can install to the [`apache::mod`][] define to install it. Unlike the specific-module classes, the [`apache::mod`][] define doesn't tailor the installation based on other installed modules or with specific parameters---Puppet only grabs and installs the module's package, leaving detailed configuration up to you. -For example, to install the [`mod_authnz_external`][] Apache module, declare the define with the 'mod_authnz_external' name: +For example, to install the [`mod_authnz_external`][] Apache module, declare the define with the 'mod\_authnz\_external' name: -~~~ puppet +``` puppet apache::mod { 'mod_authnz_external': } -~~~ +``` There's several optional parameters you can specify when defining Apache modules this way. See the [define's reference][`apache::mod`] for details. 
@@ -657,7 +656,7 @@ There's several optional parameters you can specify when defining Apache modules Add the [`apache::fastcgi::server`][] define to allow [FastCGI][] servers to handle requests for specific files. For example, the following defines a FastCGI server at 127.0.0.1 (localhost) on port 9000 to handle PHP requests: -~~~ puppet +``` puppet apache::fastcgi::server { 'php': host => '127.0.0.1:9000', timeout => 15, @@ -666,17 +665,17 @@ apache::fastcgi::server { 'php': fcgi_alias => '/php.fcgi', file_type => 'application/x-httpd-php' } -~~~ +``` You can then use the [`custom_fragment`] parameter to configure the virtual host to have the FastCGI server handle the specified file type: -~~~ puppet +``` puppet apache::vhost { 'www': ... custom_fragment => 'AddType application/x-httpd-php .php' ... } -~~~ +``` ### Load balancing examples @@ -684,23 +683,23 @@ Apache supports load balancing across groups of servers through the [`mod_proxy` To enable load balancing with [exported resources][], export the [`apache::balancermember`][] define from the load balancer member server: -~~~ puppet +``` puppet @@apache::balancermember { "${::fqdn}-puppet00": balancer_cluster => 'puppet00', url => "ajp://${::fqdn}:8009", options => ['ping=5', 'disablereuse=on', 'retry=5', 'ttl=120'], } -~~~ +``` Then, on the proxy server, create the load balancing group: -~~~ puppet +``` puppet apache::balancer { 'puppet00': } -~~~ +``` To enable load balancing without exporting resources, declare the following on the proxy server: -~~~ puppet +``` puppet apache::balancer { 'puppet00': } apache::balancermember { "${::fqdn}-puppet00": 
@@ -708,26 +707,26 @@ apache::balancermember { "${::fqdn}-puppet00": url => "ajp://${::fqdn}:8009", options => ['ping=5', 'disablereuse=on', 'retry=5', 'ttl=120'], } -~~~ +``` Then declare the `apache::balancer` and `apache::balancermember` defines on the proxy server. If you need to use the [ProxySet](http://httpd.apache.org/docs/current/mod/mod_proxy.html#proxyset) directive on the balancer, use the [`proxy_set`](#proxy_set) parameter of `apache::balancer`: -~~~ puppet +``` puppet apache::balancer { 'puppet01': proxy_set => { 'stickysession' => 'JSESSIONID', }, } -~~~ +``` ## Reference - [**Public Classes**](#public-classes) - [Class: apache](#class-apache) - [Class: apache::dev](#class-apachedev) - - [Classes: apache::mod::*](#classes-apachemodname) + - [Classes: apache::mod::\*](#classes-apachemodname) - [**Private Classes**](#private-classes) - [Class: apache::confd::no_accf](#class-apacheconfdno_accf) - [Class: apache::default_confd_files](#class-apachedefault_confd_files) 
@@ -763,15 +762,15 @@ When this class is declared with the default options, Puppet: - Installs the appropriate Apache software package and [required Apache modules](#default_mods) for your operating system. - Places the required configuration files in a directory, with the [default location](#conf_dir) determined by your operating system. -- Configures the server with a default virtual host and standard port ('80') and address ('*') bindings. +- Configures the server with a default virtual host and standard port ('80') and address ('\*') bindings. - Creates a document root directory determined by your operating system, typically `/var/www`. - Starts the Apache service. You can simply declare the default `apache` class: -~~~ puppet +``` puppet class { 'apache': } -~~~ +``` You can establish a default virtual host in this class, by using the [`apache::vhost`][] define, or both. You can also configure additional specific virtual hosts with the [`apache::vhost`][] define. Puppet recommends customizing the `apache` class's declaration with the following parameters, as its default settings are not optimized for production. @@ -885,7 +884,7 @@ Configures a default [SSL][SSL encryption] virtual host. Valid options: Boolean. If 'true', Puppet automatically configures the following virtual host using the [`apache::vhost`][] define: -~~~ puppet +``` puppet apache::vhost { 'default-ssl': port => 443, ssl => true, @@ -894,7 +893,7 @@ apache::vhost { 'default-ssl': serveradmin => $serveradmin, access_log_file => "ssl_${access_log_file}", } -~~~ +``` **Note**: SSL virtual hosts only respond to HTTPS queries. @@ -914,13 +913,13 @@ Configures a specific dev package to use. Valid options: String. Default: 'OS d Example for using httpd 2.4 from the IUS yum repo: -~~~ puppet +``` puppet include ::apache::dev class { 'apache': apache_name => 'httpd24u', dev_packages => 'httpd24u-devel', } -~~~ +``` ##### `docroot` 
@@ -992,19 +991,19 @@ Changes the error log's verbosity. Valid options: 'alert', 'crit', 'debug', 'eme Define additional [`LogFormat`][] directives. Valid options: A [Hash][], such as: -~~~ puppet +``` puppet $log_formats = { vhost_common => '%v %h %l %u %t \"%r\" %>s %b' } -~~~ +``` There are a number of predefined `LogFormats` in the `httpd.conf` that Puppet creates: -~~~ httpd +``` httpd LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined LogFormat "%h %l %u %t \"%r\" %>s %b" common LogFormat "%{Referer}i -> %U" referer LogFormat "%{User-agent}i" agent LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-agent}i\"" forwarded -~~~ +``` If your `log_formats` parameter contains one of those, it will be overwritten with **your** definition. @@ -1175,13 +1174,12 @@ Changes your virtual host configuration files' location. Default: determined by ##### `vhost_include_pattern` -Defines the pattern for files included from the `vhost_dir`. This defaults to '*', also for BC with previous versions of this module. +Defines the pattern for files included from the `vhost_dir`. This defaults to '\*', also for BC with previous versions of this module. However, you may want to set this to a value like '[^.#]\*.conf[^~]' to make sure files accidentally created in this directory (from version control systems, editor backups or the like) are *not* included in your server configuration. -A value of '*.conf' is what is shipped by some operating systems. Also note that this module will, by default, create config files ending -in '.conf'. +A value of '\*.conf' is what is shipped by some operating systems. Also note that this module will, by default, create config files ending in '.conf'. ##### `user` 
@@ -1225,23 +1223,23 @@ The default value is determined by your operating system: Enables specific [Apache modules][]. You can enable and configure an Apache module by declaring its class. For example, to install and enable [`mod_alias`][] with no icons, you can declare the [`apache::mod::alias`][] class with the `icons_options` parameter set to 'None': -~~~ puppet +``` puppet class { 'apache::mod::alias': icons_options => 'None', } -~~~ +``` The following Apache modules have supported classes, many of which allow for parameterized configuration. You can install other Apache modules with the [`apache::mod`][] define. * `actions` * `alias` (see [`apache::mod::alias`][]) * `auth_basic` -* `auth_cas`* (see [`apache::mod::auth_cas`][]) -* `auth_mellon`* (see [`apache::mod::auth_mellon`][]) +* `auth_cas`\* (see [`apache::mod::auth_cas`][]) +* `auth_mellon`\* (see [`apache::mod::auth_mellon`][]) * `auth_kerb` * `authn_core` * `authn_file` -* `authnz_ldap`* +* `authnz_ldap`\* * `authz_default` * `authz_user` * `autoindex` @@ -1250,10 +1248,10 @@ The following Apache modules have supported classes, many of which allow for par * `cgid` * `dav` * `dav_fs` -* `dav_svn`* -* `deflate` +* `dav_svn`\* +* `deflate\` * `dev` -* `dir`* +* `dir`\* * `disk_cache` (see [`apache::mod::disk_cache`][]) * `event` (see [`apache::mod::event`][]) * `expires` 
@@ -1264,40 +1262,40 @@ The following Apache modules have supported classes, many of which allow for par * `geoip` (see [`apache::mod::geoip`][]) * `headers` * `include` -* `info`* +* `info`\* * `itk` * `ldap` * `mime` -* `mime_magic`* +* `mime_magic`\* * `negotiation` -* `nss`* +* `nss`\* * `pagespeed` (see [`apache::mod::pagespeed`][]) -* `passenger`* (see [`apache::mod::passenger`][]) +* `passenger`\* (see [`apache::mod::passenger`][]) * `perl` * `peruser` * `php` (requires [`mpm_module`][] set to `prefork`) -* `prefork`* -* `proxy`* +* `prefork`\* +* `proxy`\* * `proxy_ajp` * `proxy_balancer` -* `proxy_html` +* `proxy_html` (see [`apache::mod::proxy_html`][]) * `proxy_http` * `python` * `reqtimeout` -* `remoteip`* +* `remoteip`\* * `rewrite` -* `rpaf`* +* `rpaf`\* * `setenvif` * `security` -* `shib`* (see [`apache::mod::shib`]) +* `shib`\* (see [`apache::mod::shib`]) * `speling` -* `ssl`* (see [`apache::mod::ssl`][]) -* `status`* (see [`apache::mod::status`][]) +* `ssl`\* (see [`apache::mod::ssl`][]) +* `status`\* (see [`apache::mod::status`][]) * `suphp` -* `userdir`* +* `userdir`\* * `version` * `vhost_alias` -* `worker`* +* `worker`\* * `wsgi` (see [`apache::mod::wsgi`][]) * `xsendfile` @@ -1328,11 +1326,11 @@ Installs and configures [`mod_disk_cache`][] on Apache 2.2, or [`mod_cache_disk` You can specify the cache root by passing a path as a string to the `cache_root` parameter. -~~~ puppet +``` puppet class {'::apache::mod::disk_cache': cache_root => '/path/to/cache', } -~~~ +``` ##### Class: `apache::mod::event` 
@@ -1355,6 +1353,8 @@ Installs and manages [`mod_auth_cas`][]. Its parameters share names with the Apa The `cas_login_url` and `cas_validate_url` parameters are required; several other parameters have 'undef' default values. +**Note**: The auth\_cas module isn't available on RH/CentOS without providing dependency packages provided by EPEL. See [https://github.com/Jasig/mod_auth_cas]() + **Parameters within `apache::mod::auth_cas`**: - `cas_authoritative`: Determines whether an optional authorization directive is authoritative and binding. Default: 'undef'. @@ -1376,11 +1376,11 @@ The `cas_login_url` and `cas_validate_url` parameters are required; several othe Installs and manages [`mod_auth_mellon`][]. Its parameters share names with the Apache module's directives. -~~~ puppet +``` puppet class{ 'apache::mod::auth_mellon': mellon_cache_size => 101, } -~~~ +``` **Parameters within `apache::mod::auth_mellon`**: @@ -1415,14 +1415,14 @@ Installs [`mod_expires`][] and uses the `expires.conf.erb` template to generate Installs and configures [`mod_ext_filter`][]. -~~~ puppet +``` puppet class { 'apache::mod::ext_filter': ext_filter_define => { 'slowdown' => 'mode=output cmd=/bin/cat preservescontentlength', 'puppetdb-strip' => 'mode=output outtype=application/json cmd="pdb-resource-filter"', }, } -~~~ +``` **Parameters within `apache::mod::ext_filter`**: @@ -1434,7 +1434,7 @@ Installs and configures [`mod_fcgid`][]. The class makes no effort to individually parameterize all available options. Instead, configure `mod_fcgid` using the `options` [hash][]. For example: -~~~ puppet +``` puppet class { 'apache::mod::fcgid': options => { 'FcgidIPCDir' => '/var/run/fcgidsock', 
@@ -1442,13 +1442,13 @@ class { 'apache::mod::fcgid':
 'AddHandler' => 'fcgid-script .fcgi', }, }
-~~~
+```
 For a full list of options, see the [official `mod_fcgid` documentation][`mod_fcgid`]. If you include `apache::mod::fcgid`, you can set the [`FcgidWrapper`][] per directory, per virtual host. The module must be loaded first; Puppet will not automatically enable it if you set the `fcgiwrapper` parameter in `apache::vhost`.
-~~~ puppet
+``` puppet
 include apache::mod::fcgid apache::vhost { 'example.org':
@@ -1460,7 +1460,7 @@ apache::vhost { 'example.org':
 } }, }
-~~~
+```
 ##### Class: `apache::mod::geoip`
@@ -1504,7 +1504,7 @@ Installs and manages [`mod_passenger`][].
 Installs and configures [`mod_ldap`][]. Allows you to modify the [`LDAPTrustedGlobalCert`](https://httpd.apache.org/docs/2.2/mod/mod_ldap.html#ldaptrustedglobalcert) Directive:
-~~~puppet
+```puppet
 class { 'apache::mod::ldap': ldap_trusted_global_cert_file => '/etc/pki/tls/certs/ldap-trust.crt' ldap_trusted_global_cert_type => 'CA_DER',
@@ -1514,7 +1514,7 @@ class { 'apache::mod::ldap':
 ldap_opcache_entries => '1024', ldap_opcache_ttl => '600', }
-~~~
+```
 **Parameters within `apache::mod::ldap`:**
@@ -1545,7 +1545,7 @@ While this Apache module requires the `mod-pagespeed-stable` package, Puppet **d
 - `inherit_vhost_config`: Default: 'on'. - `filter_xhtml`: Default: false.
-- `cache_path`: Default: '/var/cache/mod_pagespeed/'.
+- `cache_path`: Default: '/var/cache/mod\_pagespeed/'.
 - `log_dir`: Default: '/var/log/pagespeed'. - `memcache_servers`: Default: []. - `rewrite_level`: Default: 'CoreFilters'.
@@ -1579,6 +1579,18 @@ While this Apache module requires the `mod-pagespeed-stable` package, Puppet **d
 The class's parameters correspond to the module's directives. See the [module's documentation][`mod_pagespeed`] for details.
+##### Class: `apache::mod::passenger`
+
+Installs and configures mod\_passenger
+
+**Parameters within `apache::mod::passenger`**:
+
+- `manage_repo`: Manage phusionpassenger.com repository. Default: true.
+
+TODO: The parameters section is incomplete.
+
+**Note**: The passenger module isn't available on RH/CentOS without providing dependency packages provided by EPEL and mod\_passengers own custom repository. See the `manage_repo` parameter above and [https://www.phusionpassenger.com/library/install/apache/install/oss/el7/]()
+
 ##### Class: `apache::mod::php` Installs and configures [`mod_php`][].
@@ -1595,6 +1607,10 @@ Default values depend on your operating system.
 - `template`: Defines the path to the `php.conf` template Puppet uses to generate the configuration file. - `content`: Adds arbitrary content to `php.conf`.
+##### Class: `apache::mod::proxy_html`
+
+**Note**: There is no official package available for mod\_proxy\_html and thus it must be made available by means outside of the control of the apache module.
+
 ##### Class: `apache::mod::reqtimeout` Installs and configures [`mod_reqtimeout`][].
@@ -1609,6 +1625,8 @@ Installs the [Shibboleth](http://shibboleth.net/) Apache module `mod_shib`, whic
 Defining this class enables Shibboleth-specific parameters in `apache::vhost` instances.
+**Note**: The shibboleth module isn't available on RH/CentOS without providing dependency packages provided by Shibboleth's repositories. See [http://wiki.aaf.edu.au/tech-info/sp-install-guide]()
+
 ##### Class: `apache::mod::ssl` Installs [Apache SSL features][`mod_ssl`] and uses the `ssl.conf.erb` template to generate its configuration.
@@ -1655,7 +1673,7 @@ Installs and configures Trustwave's [`mod_security`][]. It is enabled and runs b
 - `content_types`: A list of one or more allowed [MIME types][MIME `content-type`]. Default: 'application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf' - `crs_package`: Names the package that installs CRS rules. Default: `modsec_crs_package` in [`apache::params`][]. - `modsec_dir`: Defines the path where Puppet installs the modsec configuration and activated rules links. Default: 'On', set by `modsec_dir` in [`apache::params`][].
-${modsec_dir}/activated_rules.
+${modsec\_dir}/activated\_rules.
 - `modsec_secruleengine`: Configures the modsec rules engine. Valid options: 'On', 'Off', and 'DetectionOnly'. Default: `modsec_secruleengine` in [`apache::params`][]. - `restricted_extensions`: A space-separated list of prohibited file extensions. Default: '.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'. - `restricted_headers`: A list of restricted headers separated by slashes and spaces. Default: 'Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/'.
@@ -1674,7 +1692,7 @@ Otherwise, Puppet follows it literally.
 - `package_name`: Names the package that installs `mod_wsgi`. Default: undef. - `wsgi_python_home`: Defines the [`WSGIPythonHome`][] directive, such as '/path/to/venv'. Valid options: path. Default: undef. - `wsgi_python_path`: Defines the [`WSGIPythonPath`][] directive, such as '/path/to/venv/site-packages'. Valid options: path. Default: undef.
-- `wsgi_socket_prefix`: Defines the [`WSGISocketPrefix`][] directive, such as "\${APACHE_RUN_DIR}WSGI". Default: `wsgi_socket_prefix` in [`apache::params`][].
+- `wsgi_socket_prefix`: Defines the [`WSGISocketPrefix`][] directive, such as "\${APACHE\_RUN\_DIR}WSGI". Default: `wsgi_socket_prefix` in [`apache::params`][].
 The class's parameters correspond to the module's directives. See the [module's documentation][`mod_wsgi`] for details.
@@ -1766,7 +1784,7 @@ Specifies whether the configuration file should be present. Valid options: 'abse
 ##### `confdir`
-Sets the directory in which Puppet places configuration files. Default: '$::apache::confd_dir'.
+Sets the directory in which Puppet places configuration files. Default: '$::apache::confd\_dir'.
 ##### `content`
@@ -1828,7 +1846,7 @@ Sets the [MIME `content-type`][] of the file to be processed by the FastCGI serv
 #### Define: `apache::listen`
-Adds [`Listen`][] directives to `ports.conf` in the Apache configuration directory that define the Apache server's or a virtual host's listening address and port. The [`apache::vhost`][] class uses this define, and titles take the form '', ':', or ':'.
+Adds [`Listen`][] directives to `ports.conf` in the Apache configuration directory that define the Apache server's or a virtual host's listening address and port. The [`apache::vhost`][] class uses this define, and titles take the form '\', '\:\', or '\:\'.
 #### Define: `apache::mod`
@@ -1868,7 +1886,7 @@ Specifies a path to the module. Default: [`lib_path`][]/[`lib`][]. Don't manuall
 #### Define: `apache::namevirtualhost`
-Enables [name-based virtual hosts][] and adds all related directives to the `ports.conf` file in the Apache HTTPD configuration directory. Titles can take the forms '\*', '*:', '\_default_:, '', or ':'.
+Enables [name-based virtual hosts][] and adds all related directives to the `ports.conf` file in the Apache HTTPD configuration directory. Titles can take the forms '\*', '\*:\', '\_default\_:\, '\', or '\:\'.
 #### Define: `apache::vhost`
@@ -1892,7 +1910,7 @@ Specifies that only requests with particular environment variables be logged. De
 ##### `access_log_file`
-Sets the filename of the `*_access.log` placed in [`logroot`][]. Given a virtual host---for instance, example.com---it defaults to 'example.com_ssl.log' for [SSL-encrypted][SSL encryption] virtual hosts and 'example.com_access.log' for unencrypted virtual hosts.
+Sets the filename of the `*_access.log` placed in [`logroot`][]. Given a virtual host---for instance, example.com---it defaults to 'example.com\_ssl.log' for [SSL-encrypted][SSL encryption] virtual hosts and 'example.com\_access.log' for unencrypted virtual hosts.
 ##### `access_log_format`
@@ -1930,7 +1948,7 @@ Passes a list of [Hashes][Hash] to the virtual host to create [`Alias`][], [`Ali
 For example:
-~~~ puppet
+``` puppet
 aliases => [ { aliasmatch => '^/image/(.*)\.jpg$', path => '/files/jpg.images/$1.jpg',
@@ -1948,7 +1966,7 @@ aliases => [
 path => '/usr/share/nagios/html', }, ],
-~~~
+```
 For the `alias`, `aliasmatch`, `scriptalias` and `scriptaliasmatch` keys to work, each needs a corresponding context, such as `` or ``. Puppet creates the directives in the order specified in the `aliases` parameter. As described in the [`mod_alias`][] documentation, add more specific `alias`, `aliasmatch`, `scriptalias` or `scriptaliasmatch` parameters before the more general ones to avoid shadowing.
@@ -2008,7 +2026,7 @@ Specifies whether `*_error.log` directives should be configured. Defaults to 'tr
 ##### `error_log_file`
-Points to the `*_error.log` file. Given a vhost, example.com, it defaults to 'example.com_ssl_error.log' for SSL vhosts and 'example.com_access_error.log' for non-SSL vhosts.
+Points to the `*_error.log` file. Given a vhost, example.com, it defaults to 'example.com\_ssl\_error.log' for SSL vhosts and 'example.com_access_error.log' for non-SSL vhosts.
 ##### `error_log_pipe`
@@ -2022,14 +2040,14 @@ Sends all error log messages to syslog. Defaults to 'undef'.
 A list of hashes which can be used to override the [ErrorDocument](https://httpd.apache.org/docs/current/mod/core.html#errordocument) settings for this vhost. Defaults to '[]'. Example:
-~~~ puppet
+``` puppet
 apache::vhost { 'sample.example.net': error_documents => [ { 'error_code' => '503', 'document' => '/service-unavail' }, { 'error_code' => '407', 'document' => 'https://example.com/proxy/login' }, ], }
-~~~
+```
 ##### `ensure`
@@ -2043,7 +2061,7 @@ Sets the [FallbackResource](http://httpd.apache.org/docs/current/mod/mod_dir.htm
 [Filters](http://httpd.apache.org/docs/2.2/mod/mod_filter.html) enable smart, context-sensitive configuration of output content filters.
-~~~ puppet
+``` puppet
 apache::vhost { "$::fqdn": filters => [ 'FilterDeclare COMPRESS',
@@ -2052,7 +2070,7 @@ Sets the [FallbackResource](http://httpd.apache.org/docs/current/mod/mod_dir.htm
 'FilterProtocol COMPRESS DEFLATE change=yes;byteranges=no', ], }
-~~~
+```
 ##### `force_type`
@@ -2084,7 +2102,7 @@ Configures [ITK](http://mpm-itk.sesse.net/) in a hash. Keys can be:
 Usage typically looks like:
-~~~ puppet
+``` puppet
 apache::vhost { 'sample.example.net': docroot => '/path/to/directory', itk => {
@@ -2092,7 +2110,7 @@ apache::vhost { 'sample.example.net':
 group => 'somegroup', }, }
-~~~
+```
 ##### `auth_kerb`
@@ -2100,7 +2118,7 @@ Enable [`mod_auth_kerb`][] parameters for a virtual host. Valid values are 'true
 Usage typically looks like:
-~~~ puppet
+``` puppet
 apache::vhost { 'sample.example.net': auth_kerb => true, krb_method_negotiate => 'on',
@@ -2113,7 +2131,7 @@ apache::vhost { 'sample.example.net':
 auth_require => 'valid-user', }, }
-~~~
+```
 Related parameters follow the names of `mod_auth_kerb` directives:
@@ -2138,7 +2156,7 @@ This option enables credential saving functionality. Default is 'off'
 ##### `logroot`
-Specifies the location of the virtual host's logfiles. Defaults to '/var/log//'.
+Specifies the location of the virtual host's logfiles. Defaults to '/var/log/\/'.
 ##### `$logroot_ensure`
@@ -2165,17 +2183,17 @@ Boolean. Only valid if apache::mod::security is included. Used to disable mod_
 Array of mod_security IDs to remove from the vhost. Also takes a hash allowing removal of an ID from a specific location.
-~~~ puppet
+``` puppet
 apache::vhost { 'sample.example.net': modsec_disable_ids => [ 90015, 90016 ], }
-~~~
+```
-~~~ puppet
+``` puppet
 apache::vhost { 'sample.example.net': modsec_disable_ids => { '/location1' => [ 90015, 90016 ] }, }
-~~~
+```
 ###### `modsec_disable_ips`
@@ -2203,12 +2221,12 @@ Sets the [ProxyErrorOverride Directive](http://httpd.apache.org/docs/current/mod
 Sets the [`Options`][] for the specified virtual host. Default: ['Indexes','FollowSymLinks','MultiViews'], as demonstrated below:
-~~~ puppet
+``` puppet
 apache::vhost { 'site.name.fdqn': … options => ['Indexes','FollowSymLinks','MultiViews'], }
-~~~
+```
 **Note**: If you use the [`directories`][] parameter of [`apache::vhost`][], 'Options', 'Override', and 'DirectoryIndex' are ignored because they are parameters within `directories`.
@@ -2274,7 +2292,7 @@ Specifies the destination address of a [ProxyPass](http://httpd.apache.org/docs/
 Specifies an array of `path => URI` for a [ProxyPass](http://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypass) configuration. Defaults to 'undef'. Optionally parameters and location options can be added as an array.
-~~~ puppet
+``` puppet
 apache::vhost { 'site.name.fdqn': … proxy_pass => [
@@ -2295,7 +2313,7 @@ apache::vhost { 'site.name.fdqn':
 'reverse_cookies' => [{'path' => '/g', 'url' => 'http://backend-g/',}, {'domain' => 'http://backend-g', 'url' => 'http:://backend-g',},], }, ], }
-~~~
+```
 `reverse_urls` is optional and can be an array or a string. It is useful when used with `mod_proxy_balancer`. `reverse_cookies` is optional and is used to set ProxyPassReverseCookiePath and/or ProxyPassReverseCookieDomain.
@@ -2316,11 +2334,11 @@ This directive is equivalent to proxy_pass, but takes regular expressions, see [
 ##### `rack_base_uris`
-Specifies the resource identifiers for a rack configuration. The file paths specified are listed as rack application roots for [Phusion Passenger](http://www.modrails.com/documentation/Users%20guide%20Apache.html#_railsbaseuri_and_rackbaseuri) in the _rack.erb template. Defaults to 'undef'.
+Specifies the resource identifiers for a rack configuration. The file paths specified are listed as rack application roots for [Phusion Passenger](http://www.modrails.com/documentation/Users%20guide%20Apache.html#_railsbaseuri_and_rackbaseuri) in the \_rack.erb template. Defaults to 'undef'.
 #####`passenger_base_uris`
-Used to specify that the given URI is a Phusion Passenger-served application. The file paths specified are listed as passenger application roots for [Phusion Passenger](https://www.phusionpassenger.com/documentation/Users%20guide%20Apache.html#PassengerBaseURI) in the _passenger_base_uris.erb template. Defaults to 'undef'.
+Used to specify that the given URI is a Phusion Passenger-served application. The file paths specified are listed as passenger application roots for [Phusion Passenger](https://www.phusionpassenger.com/documentation/Users%20guide%20Apache.html#PassengerBaseURI) in the \_passenger\_base\_uris.erb template. Defaults to 'undef'.
 ##### `redirect_dest`
@@ -2330,43 +2348,43 @@ Specifies the address to redirect to. Defaults to 'undef'.
 Specifies the source URIs that redirect to the destination specified in `redirect_dest`. If more than one item for redirect is supplied, the source and destination must be the same length, and the items are order-dependent.
-~~~ puppet
+``` puppet
 apache::vhost { 'site.name.fdqn': … redirect_source => ['/images','/downloads'], redirect_dest => ['http://img.example.com/','http://downloads.example.com/'], }
-~~~
+```
 ##### `redirect_status` Specifies the status to append to the redirect. Defaults to 'undef'.
-~~~ puppet
+``` puppet
 apache::vhost { 'site.name.fdqn': … redirect_status => ['temp','permanent'], }
-~~~
+```
 ##### `redirectmatch_regexp` & `redirectmatch_status` & `redirectmatch_dest` Determines which server status should be raised for a given regular expression and where to forward the user to. Entered as arrays. Defaults to 'undef'.
-~~~ puppet
+``` puppet
 apache::vhost { 'site.name.fdqn': … redirectmatch_status => ['404','404'], redirectmatch_regexp => ['\.git(/.*|$)/','\.svn(/.*|$)'], redirectmatch_dest => ['http://www.example.com/1','http://www.example.com/2'], }
-~~~
+```
 ##### `request_headers` Modifies collected [request headers](http://httpd.apache.org/docs/current/mod/mod_headers.html#requestheader) in various ways, including adding additional request headers, removing request headers, etc. Defaults to 'undef'.
-~~~ puppet
+``` puppet
 apache::vhost { 'site.name.fdqn': … request_headers => [
@@ -2374,23 +2392,23 @@ apache::vhost { 'site.name.fdqn':
 'unset MirrorID', ], }
-~~~
+```
 ##### `rewrites` Creates URL rewrite rules. Expects an array of hashes, and the hash keys can be any of 'comment', 'rewrite_base', 'rewrite_cond', 'rewrite_rule' or 'rewrite_map'. Defaults to 'undef'. For example, you can specify that anyone trying to access index.html is served welcome.html
-~~~ puppet
+``` puppet
 apache::vhost { 'site.name.fdqn': … rewrites => [ { rewrite_rule => ['^index\.html$ welcome.html'] } ] }
-~~~
+```
 The parameter allows rewrite conditions that, when true, execute the associated rule. For instance, if you wanted to rewrite URLs only if the visitor is using IE
-~~~ puppet
+``` puppet
 apache::vhost { 'site.name.fdqn': … rewrites => [
@@ -2401,11 +2419,11 @@ apache::vhost { 'site.name.fdqn':
 }, ], }
-~~~
+```
 You can also apply multiple conditions. For instance, rewrite index.html to welcome.html only when the browser is Lynx or Mozilla (version 1 or 2)
-~~~ puppet
+``` puppet
 apache::vhost { 'site.name.fdqn': … rewrites => [
@@ -2416,11 +2434,11 @@ apache::vhost { 'site.name.fdqn':
 }, ], }
-~~~
+```
 Multiple rewrites and conditions are also possible
-~~~ puppet
+``` puppet
 apache::vhost { 'site.name.fdqn': … rewrites => [
@@ -2445,7 +2463,7 @@ apache::vhost { 'site.name.fdqn':
 }, ], }
-~~~
+```
 Refer to the [`mod_rewrite` documentation](http://httpd.apache.org/docs/current/mod/mod_rewrite.html) for more details on what is possible with rewrite rules and conditions.
@@ -2459,7 +2477,7 @@ Defines a directory of CGI scripts to be aliased to the path '/cgi-bin', for exa
 Passes an array of hashes to the vhost to create either ScriptAlias or ScriptAliasMatch statements per the [`mod_alias` documentation](http://httpd.apache.org/docs/current/mod/mod_alias.html).
-~~~ puppet
+``` puppet
 scriptaliases => [ { alias => '/myscript',
@@ -2478,7 +2496,7 @@ scriptaliases => [
 path => '/usr/share/neatscript', }, ]
-~~~
+```
 The ScriptAlias and ScriptAliasMatch directives are created in the order specified. As with [Alias and AliasMatch](#aliases) directives, specify more specific aliases before more general ones to avoid shadowing.
@@ -2500,11 +2518,11 @@ Used by HTTPD to set environment variables for vhosts. Defaults to '[]'.
 Example:
-~~~ puppet
+``` puppet
 apache::vhost { 'setenv.example.com': setenv => ['SPECIAL_PATH /foo/bin'], }
-~~~
+```
 ##### `setenvif`
@@ -2522,7 +2540,7 @@ Set up a virtual host with [suPHP](http://suphp.org/DocumentationView.html?file=
 To set up a virtual host with suPHP
-~~~ puppet
+``` puppet
 apache::vhost { 'suphp.example.com': port => '80', docroot => '/home/appuser/myphpapp',
@@ -2533,17 +2551,17 @@ apache::vhost { 'suphp.example.com':
 'suphp' => { user => 'myappuser', group => 'myappgroup' }, } }
-~~~
+```
 ##### `vhost_name`
-Enables name-based virtual hosting. If no IP is passed to the virtual host, but the vhost is assigned a port, then the vhost name is 'vhost_name:port'. If the virtual host has no assigned IP or port, the vhost name is set to the title of the resource. Defaults to '*'.
+Enables name-based virtual hosting. If no IP is passed to the virtual host, but the vhost is assigned a port, then the vhost name is 'vhost_name:port'. If the virtual host has no assigned IP or port, the vhost name is set to the title of the resource. Defaults to '\*'.
 ##### `virtual_docroot` Sets up a virtual host with a wildcard alias subdomain mapped to a directory with the same name. For example, 'http://example.com' would map to '/var/www/example.com'. Defaults to 'false'.
-~~~ puppet
+``` puppet
 apache::vhost { 'subdomain.loc': vhost_name => '*', port => '80',
@@ -2551,7 +2569,7 @@ apache::vhost { 'subdomain.loc':
 docroot => '/var/www', serveraliases => ['*.loc',], }
-~~~
+```
 ##### `wsgi_daemon_process`, `wsgi_daemon_process_options`, `wsgi_process_group`, `wsgi_script_aliases`, & `wsgi_pass_authorization`
@@ -2571,7 +2589,7 @@ Set up a virtual host with [WSGI](https://code.google.com/p/modwsgi/).
 To set up a virtual host with WSGI
-~~~ puppet
+``` puppet
 apache::vhost { 'wsgi.example.com': port => '80', docroot => '/var/www/pythonapp',
@@ -2585,11 +2603,11 @@ apache::vhost { 'wsgi.example.com':
 wsgi_script_aliases => { '/' => '/var/www/demo.wsgi' }, wsgi_chunked_request => 'On', }
-~~~
+```
 #### Parameter `directories` for `apache::vhost`
-The `directories` parameter within the `apache::vhost` class passes an array of hashes to the vhost to create [Directory](http://httpd.apache.org/docs/current/mod/core.html#directory), [File](http://httpd.apache.org/docs/current/mod/core.html#files), and [Location](http://httpd.apache.org/docs/current/mod/core.html#location) directive blocks. These blocks take the form, '< Directory /path/to/directory>...< /Directory>'.
+The `directories` parameter within the `apache::vhost` class passes an array of hashes to the vhost to create [Directory](http://httpd.apache.org/docs/current/mod/core.html#directory), [File](http://httpd.apache.org/docs/current/mod/core.html#files), and [Location](http://httpd.apache.org/docs/current/mod/core.html#location) directive blocks. These blocks take the form, '\< Directory /path/to/directory\>...\'.
 The `path` key sets the path for the directory, files, and location blocks. Its value must be a path for the 'directory', 'files', and 'location' providers, or a regex for the 'directorymatch', 'filesmatch', or 'locationmatch' providers. Each hash passed to `directories` **must** contain `path` as one of the keys.
@@ -2597,7 +2615,7 @@ The `provider` key is optional. If missing, this key defaults to 'directory'. Va
 General `directories` usage looks something like
-~~~ puppet
+``` puppet
 apache::vhost { 'files.example.net': docroot => '/var/www/files', directories => [
@@ -2607,18 +2625,18 @@ apache::vhost { 'files.example.net':
 }, ], }
-~~~
+```
 *Note:* At least one directory should match the `docroot` parameter. After you start declaring directories, `apache::vhost` assumes that all required Directory blocks will be declared. If not defined, a single default Directory block is created that matches the `docroot` parameter. Available handlers, represented as keys, should be placed within the `directory`, `files`, or `location` hashes. This looks like
-~~~ puppet
+``` puppet
 apache::vhost { 'sample.example.net': docroot => '/path/to/directory', directories => [ { path => '/path/to/directory', handler => value } ], }
-~~~
+```
 Any handlers you do not set in these hashes are considered 'undefined' within Puppet and are not added to the virtual host, resulting in the module using their default values. Supported handlers are:
@@ -2626,7 +2644,7 @@ Any handlers you do not set in these hashes are considered 'undefined' within Pu
 Sets [AddHandler](http://httpd.apache.org/docs/current/mod/mod_mime.html#addhandler) directives, which map filename extensions to the specified handler. Accepts a list of hashes, with `extensions` serving to list the extensions being managed by the handler, and takes the form: `{ handler => 'handler-name', extensions => ['extension']}`.
-~~~ puppet
+``` puppet
 apache::vhost { 'sample.example.net': docroot => '/path/to/directory', directories => [
@@ -2635,13 +2653,13 @@ apache::vhost { 'sample.example.net':
 }, ], }
-~~~
+```
 ###### `allow` Sets an [Allow](http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#allow) directive, which groups authorizations based on hostnames or IPs. **Deprecated:** This parameter is being deprecated due to a change in Apache. It only works with Apache 2.2 and lower. You can use it as a single string for one rule or as an array for more than one.
-~~~ puppet
+``` puppet
 apache::vhost { 'sample.example.net': docroot => '/path/to/directory', directories => [
@@ -2650,13 +2668,13 @@ apache::vhost { 'sample.example.net':
 }, ], }
-~~~
+```
 ###### `allow_override` Sets the types of directives allowed in [.htaccess](http://httpd.apache.org/docs/current/mod/core.html#allowoverride) files. Accepts an array.
-~~~ puppet
+``` puppet
 apache::vhost { 'sample.example.net': docroot => '/path/to/directory', directories => [
@@ -2665,7 +2683,7 @@ apache::vhost { 'sample.example.net':
 }, ], }
-~~~
+```
 ###### `auth_basic_authoritative`
@@ -2727,7 +2745,7 @@ Sets the value for [AuthUserFile](http://httpd.apache.org/docs/current/mod/mod_a
 Pass a string of custom configuration directives to be placed at the end of the directory configuration.
-~~~ puppet
+``` puppet
 apache::vhost { 'monitor': … directories => [
@@ -2748,13 +2766,13 @@ Pass a string of custom configuration directives to be placed at the end of the
 }, ] }
-~~~
+```
 ###### `deny` Sets a [Deny](http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#deny) directive, specifying which hosts are denied access to the server. **Deprecated:** This parameter is being deprecated due to a change in Apache. It only works with Apache 2.2 and lower. You can use it as a single string for one rule or as an array for more than one.
-~~~ puppet
+``` puppet
 apache::vhost { 'sample.example.net': docroot => '/path/to/directory', directories => [
@@ -2763,13 +2781,13 @@ Sets a [Deny](http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#deny) dir
 }, ], }
-~~~
+```
 ###### `error_documents` An array of hashes used to override the [ErrorDocument](https://httpd.apache.org/docs/current/mod/core.html#errordocument) settings for the directory.
-~~~ puppet
+``` puppet
 apache::vhost { 'sample.example.net': directories => [ { path => '/srv/www',
@@ -2781,14 +2799,14 @@ apache::vhost { 'sample.example.net':
 }, ], }
-~~~
+```
 ###### `ext_filter_options` Sets the [ExtFilterOptions](https://httpd.apache.org/docs/current/mod/mod_ext_filter.html) directive. Note that you must declare `class { 'apache::mod::ext_filter': }` before using this directive.
-~~~ puppet
+``` puppet
 apache::vhost { 'filter.example.org': docroot => '/var/www/filter', directories => [
@@ -2797,14 +2815,14 @@ apache::vhost { 'filter.example.org':
 }, ], }
-~~~
+```
 ###### `geoip_enable` Sets the [GeoIPEnable](http://dev.maxmind.com/geoip/legacy/mod_geoip2/#Configuration) directive. Note that you must declare `class {'apache::mod::geoip': }` before using this directive.
-~~~ puppet
+``` puppet
 apache::vhost { 'first.example.com': docroot => '/var/www/first', directories => [
@@ -2813,13 +2831,13 @@ apache::vhost { 'first.example.com':
 }, ], }
-~~~
+```
 ###### `headers` Adds lines for [Header](http://httpd.apache.org/docs/current/mod/mod_headers.html#header) directives.
-~~~ puppet
+``` puppet
 apache::vhost { 'sample.example.net': docroot => '/path/to/directory', directories => {
@@ -2827,13 +2845,13 @@ apache::vhost { 'sample.example.net':
 headers => 'Set X-Robots-Tag "noindex, noarchive, nosnippet"', }, }
-~~~
+```
 ###### `index_options` Allows configuration settings for [directory indexing](http://httpd.apache.org/docs/current/mod/mod_autoindex.html#indexoptions).
-~~~ puppet
+``` puppet
 apache::vhost { 'sample.example.net': docroot => '/path/to/directory', directories => [
@@ -2844,13 +2862,13 @@ apache::vhost { 'sample.example.net':
 }, ], }
-~~~
+```
 ###### `index_order_default` Sets the [default ordering](https://httpd.apache.org/docs/current/mod/mod_autoindex.html#indexorderdefault) of the directory index.
-~~~ puppet
+``` puppet
 apache::vhost { 'sample.example.net': docroot => '/path/to/directory', directories => [
@@ -2860,13 +2878,13 @@ apache::vhost { 'sample.example.net':
 }, ], }
-~~~
+```
 ###### `index_style_sheet` Sets the [IndexStyleSheet](https://httpd.apache.org/docs/current/mod/mod_autoindex.html#indexstylesheet), which adds a CSS stylesheet to the directory index.
-~~~ puppet
+``` puppet
 apache::vhost { 'sample.example.net': docroot => '/path/to/directory', directories => [
@@ -2877,13 +2895,13 @@ apache::vhost { 'sample.example.net':
 }, ], }
-~~~
+```
 ###### `mellon_enable` Sets the [MellonEnable][`mod_auth_mellon`] directory to enable [`mod_auth_melon`][]. You can use [`apache::mod::auth_mellon`][] to install `mod_auth_mellon`.
-~~~ puppet
+``` puppet
 apache::vhost { 'sample.example.net': docroot => '/path/to/directory', directories => [
@@ -2905,7 +2923,7 @@ apache::vhost { 'sample.example.net':
 }, ] }
-~~~
+```
 Related parameters follow the names of `mod_auth_melon` directives:
@@ -2923,7 +2941,7 @@ to environment variables.
 Lists the [Options](https://httpd.apache.org/docs/current/mod/core.html#options) for the given Directory block.
-~~~ puppet
+``` puppet
 apache::vhost { 'sample.example.net': docroot => '/path/to/directory', directories => [
@@ -2932,13 +2950,13 @@ apache::vhost { 'sample.example.net':
 }, ], }
-~~~
+```
 ###### `order` Sets the order of processing Allow and Deny statements as per [Apache core documentation](http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#order). **Deprecated:** This parameter is being deprecated due to a change in Apache. It only works with Apache 2.2 and lower.
-~~~ puppet
+``` puppet
 apache::vhost { 'sample.example.net': docroot => '/path/to/directory', directories => [
@@ -2947,13 +2965,13 @@ apache::vhost { 'sample.example.net':
 }, ], }
-~~~
+```
 ###### `passenger_enabled` Sets the value for the [PassengerEnabled](http://www.modrails.com/documentation/Users%20guide%20Apache.html#PassengerEnabled) directive to 'on' or 'off'. Requires `apache::mod::passenger` to be included.
-~~~ puppet
+``` puppet
 apache::vhost { 'sample.example.net': docroot => '/path/to/directory', directories => [
@@ -2962,7 +2980,7 @@ apache::vhost { 'sample.example.net':
 }, ], }
-~~~
+```
 **Note:** There is an [issue](http://www.conandalton.net/2010/06/passengerenabled-off-not-working.html) using the PassengerEnabled directive with the PassengerHighPerformance directive.
@@ -2980,7 +2998,7 @@ apache::vhost { 'sample.example.net':
 Sets a `Require` directive as per the [Apache Authz documentation](http://httpd.apache.org/docs/current/mod/mod_authz_core.html#require). If no `require` is set, it will default to `Require all granted`.
-~~~ puppet
+``` puppet
 apache::vhost { 'sample.example.net': docroot => '/path/to/directory', directories => [
@@ -2989,11 +3007,11 @@ Sets a `Require` directive as per the [Apache Authz documentation](http://httpd.
 } ], }
-~~~
+```
 If `require` is set to `unmanaged` it will not be set at all. This is useful for complex authentication/authorization requirements which are handled in a custom fragment.
-~~~ puppet
+``` puppet
 apache::vhost { 'sample.example.net': docroot => '/path/to/directory', directories => [
@@ -3002,13 +3020,13 @@ If `require` is set to `unmanaged` it will not be set at all. This is useful for
 } ], }
-~~~
+```
 ###### `satisfy` Sets a `Satisfy` directive per the [Apache Core documentation](http://httpd.apache.org/docs/2.2/mod/core.html#satisfy). **Deprecated:** This parameter is deprecated due to a change in Apache and only works with Apache 2.2 and lower.
-~~~ puppet
+``` puppet
 apache::vhost { 'sample.example.net': docroot => '/path/to/directory', directories => [
@@ -3017,13 +3035,13 @@ apache::vhost { 'sample.example.net':
 } ], }
-~~~
+```
 ###### `sethandler` Sets a `SetHandler` directive per the [Apache Core documentation](http://httpd.apache.org/docs/2.2/mod/core.html#sethandler).
-~~~ puppet
+``` puppet
 apache::vhost { 'sample.example.net': docroot => '/path/to/directory', directories => [
@@ -3032,13 +3050,13 @@ apache::vhost { 'sample.example.net':
 } ], }
-~~~
+```
 ###### `set_output_filter` Sets a `SetOutputFilter` directive per the [Apache Core documentation](http://httpd.apache.org/docs/current/mod/core.html#setoutputfilter).
-~~~ puppet
+``` puppet
 apache::vhost{ 'filter.example.net': docroot => '/path/to/directory', directories => [
@@ -3047,13 +3065,13 @@ apache::vhost{ 'filter.example.net':
 }, ], }
-~~~
+```
 ###### `rewrites` Creates URL [`rewrites`](#rewrites) rules in vhost directories. Expects an array of hashes, and the hash keys can be any of 'comment', 'rewrite_base', 'rewrite_cond', or 'rewrite_rule'.
-~~~ puppet
+``` puppet
 apache::vhost { 'secure.example.net': docroot => '/path/to/directory', directories => [
@@ -3072,15 +3090,15 @@ apache::vhost { 'secure.example.net': }, ], } -~~~ +``` -***Note**: If you include rewrites in your directories, also include `apache::mod::rewrite` and consider setting the rewrites using the `rewrites` parameter in `apache::vhost` rather than setting the rewrites in the vhost directories. +**Note**: If you include rewrites in your directories, also include `apache::mod::rewrite` and consider setting the rewrites using the `rewrites` parameter in `apache::vhost` rather than setting the rewrites in the vhost directories. ###### `shib_request_setting` Allows a valid content setting to be set or altered for the application request. This command takes two parameters: the name of the content setting, and the value to set it to. Check the Shibboleth [content setting documentation](https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPContentSettings) for valid settings. This key is disabled if `apache::mod::shib` is not defined. Check the [`mod_shib` documentation](https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig#NativeSPApacheConfig-Server/VirtualHostOptions) for more details. -~~~ puppet +``` puppet apache::vhost { 'secure.example.net': docroot => '/path/to/directory', directories => [ @@ -3090,7 +3108,7 @@ apache::vhost { 'secure.example.net': }, ], } -~~~ +``` ###### `shib_use_headers` @@ -3100,7 +3118,7 @@ When set to 'On', this turns on the use of request headers to publish attributes String or list of [SSLOptions](https://httpd.apache.org/docs/current/mod/mod_ssl.html#ssloptions), which configure SSL engine run-time options. This handler takes precedence over SSLOptions set in the parent block of the vhost. -~~~ puppet +``` puppet apache::vhost { 'secure.example.net': docroot => '/path/to/directory', directories => [ 
@@ -3112,13 +3130,13 @@ apache::vhost { 'secure.example.net': }, ], } -~~~ +``` ###### `suphp` A hash containing the 'user' and 'group' keys for the [suPHP_UserGroup](http://www.suphp.org/DocumentationView.html?file=apache/CONFIG) setting. It must be used with `suphp_engine => on` in the vhost declaration, and can only be passed within `directories`. -~~~ puppet +``` puppet apache::vhost { 'secure.example.net': docroot => '/path/to/directory', directories => [ @@ -3130,7 +3148,7 @@ apache::vhost { 'secure.example.net': }, ], } -~~~ +``` #### SSL parameters for `apache::vhost` @@ -3186,25 +3204,25 @@ Specifies the SSL key. Defaults are based on your operating system: '/etc/pki/tl ##### `ssl_verify_client` -Sets the [SSLVerifyClient](http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslverifyclient) directive, which sets the certificate verification level for client authentication. Valid values are: 'none', 'optional', 'require', and 'optional_no_ca'. Defaults to 'undef'. +Sets the [SSLVerifyClient](http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslverifyclient) directive, which sets the certificate verification level for client authentication. Valid values are: 'none', 'optional', 'require', and 'optional\_no\_ca'. Defaults to 'undef'. -~~~ puppet +``` puppet apache::vhost { 'sample.example.net': … ssl_verify_client => 'optional', } -~~~ +``` ##### `ssl_verify_depth` Sets the [SSLVerifyDepth](http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslverifydepth) directive, which specifies the maximum depth of CA certificates in client certificate verification. Defaults to 'undef'. -~~~ puppet +``` puppet apache::vhost { 'sample.example.net': … ssl_verify_depth => 1, } -~~~ +``` ##### `ssl_proxy_verify` 
@@ -3214,12 +3232,12 @@ Sets the [SSLProxyVerify](http://httpd.apache.org/docs/current/mod/mod_ssl.html# Sets the [SSLProxyMachineCertificateFile](http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxymachinecertificatefile) directive, which specifies an all-in-one file where you keep the certs and keys used for this server to authenticate itself to remote servers. This file should be a concatenation of the PEM-encoded certificate files in order of preference. Defaults to 'undef'. -~~~ puppet +``` puppet apache::vhost { 'sample.example.net': … ssl_proxy_machine_cert => '/etc/httpd/ssl/client_certificate.pem', } -~~~ +``` ##### `ssl_proxy_check_peer_cn` @@ -3236,21 +3254,21 @@ Sets the [SSLOptions](http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslo A string: -~~~ puppet +``` puppet apache::vhost { 'sample.example.net': … ssl_options => '+ExportCertData', } -~~~ +``` An array: -~~~ puppet +``` puppet apache::vhost { 'sample.example.net': … ssl_options => [ '+StrictRequire', '+ExportCertData' ], } -~~~ +``` ##### `ssl_openssl_conf_cmd` @@ -3262,13 +3280,13 @@ Specifies whether or not to use [SSLProxyEngine](http://httpd.apache.org/docs/cu ####Define: FastCGI Server -This type is intended for use with mod_fastcgi. It allows you to define one or more external FastCGI servers to handle specific file types. +This type is intended for use with mod\_fastcgi. It allows you to define one or more external FastCGI servers to handle specific file types. ** Note ** If using Ubuntu 10.04+, you'll need to manually enable the multiverse repository. Ex: -~~~ puppet +``` puppet apache::fastcgi::server { 'php': host => '127.0.0.1:9000', timeout => 15, 
@@ -3277,17 +3295,17 @@ apache::fastcgi::server { 'php': fcgi_alias => '/php.fcgi', file_type => 'application/x-httpd-php' } -~~~ +``` Within your virtual host, you can then configure the specified file type to be handled by the fastcgi server specified above. -~~~ puppet +``` puppet apache::vhost { 'www': ... custom_fragment => 'AddType application/x-httpd-php .php' ... } -~~~ +``` ##### `host` @@ -3299,7 +3317,7 @@ The number of seconds of FastCGI application inactivity allowed before the reque ##### `flush` -Force a write to the client as data is received from the application. By default, mod_fastcgi buffers data in order to free the application as quickly as possible. +Force a write to the client as data is received from the application. By default, mod\_fastcgi buffers data in order to free the application as quickly as possible. ##### `faux_path` @@ -3357,22 +3375,6 @@ The Apache module relies heavily on templates to enable the [`apache::vhost`][] ## Limitations -### Ubuntu 10.04 - -The [`apache::vhost::WSGIImportScript`][] parameter creates a statement inside the virtual host that is unsupported on older versions of Apache, causing it to fail. This will be remedied in a future refactoring. - -### RHEL/CentOS 5 - -The [`apache::mod::passenger`][] and [`apache::mod::proxy_html`][] classes are untested since repositories are missing compatible packages. - -### RHEL/CentOS 6 - -The [`apache::mod::passenger`][] class is not installing as the the EL6 repository is missing compatible packages. - -### RHEL/CentOS 7 - -The [`apache::mod::passenger`][] class is untested as the EL7 repository is missing compatible packages, which also blocks us from testing the [`apache::vhost`][] define's [`rack_base_uris`][] parameter. - ### General This module is CI tested against both [open source Puppet][] and [Puppet Enterprise][] on: 
@@ -3384,13 +3386,22 @@ This module is CI tested against both [open source Puppet][] and [Puppet Enterpr This module also provides functions for other distributions and operating systems, such as FreeBSD, Gentoo, and Amazon Linux, but is not formally tested on them and are subject to regressions. +### Ubuntu 10.04 + +The [`apache::vhost::wsgi_import_script`][] parameter creates a statement inside the virtual host that is unsupported on older versions of Apache, causing it to fail. This will be remedied in a future refactoring. + +### RHEL/CentOS +The [`apache::mod::auth_cas`][], [`apache::mod::passenger`][], [`apache::mod::proxy_html`][] and [`apache::mod::shib`][] classes are not functional on RH/CentOS without providing dependency packages from extra repositories. + +See their respective documentation above for related repositories and packages. + ### SELinux and custom paths If [SELinux][] is in [enforcing mode][] and you want to use custom paths for `logroot`, `mod_dir`, `vhost_dir`, and `docroot`, you need to manage the files' context yourself. You can do this with Puppet: -~~~ puppet +``` puppet exec { 'set_apache_defaults': command => 'semanage fcontext -a -t httpd_sys_content_t "/custom/path(/.*)?"', path => '/bin:/usr/bin/:/sbin:/usr/sbin', @@ -3427,7 +3438,7 @@ apache::vhost { 'test.server': docroot => '/custom/path', additional_includes => '/custom/path/include', } -~~~ +``` You need to set the contexts using `semanage fcontext` instead of `chcon` because Puppet's `file` resources reset the values' context in the database if the resource doesn't specify it. 
@@ -3451,18 +3462,18 @@ This project contains tests for both [rspec-puppet][] and [beaker-rspec][] to ve #### Testing quickstart: Ruby > 1.8.7 -~~~ +``` gem install bundler bundle install bundle exec rake spec bundle exec rspec spec/acceptance RS_DEBUG=yes bundle exec rspec spec/acceptance -~~~ +``` #### Testing quickstart: Ruby = 1.8.7 -~~~ +``` gem install bundler bundle install --without system_tests bundle exec rake spec -~~~ +``` diff --git a/manifests/mod/passenger.pp b/manifests/mod/passenger.pp index 8d3622d304..d0b9f73fee 100644 --- a/manifests/mod/passenger.pp +++ b/manifests/mod/passenger.pp @@ -17,6 +17,7 @@ $passenger_use_global_queue = undef, $passenger_app_env = undef, $passenger_log_file = undef, + $manage_repo = true, $mod_package = undef, $mod_package_ensure = undef, $mod_lib = undef, @@ -52,6 +53,21 @@ $_lib_path = $mod_lib_path } + if $::osfamily == 'RedHat' and $manage_repo { + yumrepo { 'passenger': + ensure => 'present', + baseurl => 'https://oss-binaries.phusionpassenger.com/yum/passenger/el/$releasever/$basearch', + descr => 'passenger', + enabled => '1', + gpgcheck => '0', + gpgkey => 'https://packagecloud.io/gpg.key', + repo_gpgcheck => '1', + sslcacert => '/etc/pki/tls/certs/ca-bundle.crt', + sslverify => '1', + before => Apache::Mod['passenger'], + } + } + $_id = $mod_id $_path = $mod_path ::apache::mod { 'passenger': diff --git a/manifests/params.pp b/manifests/params.pp index abef55e0ba..a8cd7bfebd 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -31,15 +31,9 @@ # Default mime types settings $mime_types_additional = { - 'AddHandler' => { - 'type-map' => 'var' - }, - 'AddType' => { - 'text/html' => '.shtml' - }, - 'AddOutputFilter' => { - 'INCLUDES' => '.shtml' - }, + 'AddHandler' => { 'type-map' => 'var', }, + 'AddType' => { 'text/html' => '.shtml', }, + 'AddOutputFilter' => { 'INCLUDES' => '.shtml', }, } # should we use systemd module? 
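Review bot: The added `yumrepo { 'passenger': }` resource in manifests/mod/passenger.pp sets `gpgcheck => '0'`, so the signatures of the RPMs installed from this repository are not checked; only the repository metadata is verified (`repo_gpgcheck => '1'`), with the key itself fetched from `https://packagecloud.io/gpg.key`. If the upstream packages are signed, `gpgcheck => '1'` is the safer value; if they are not, a comment above the attribute should say so, for example `# upstream RPMs are unsigned; integrity rests on signed repo metadata (repo_gpgcheck) and TLS`. Because `$manage_repo` defaults to `true`, every RedHat-family node that includes the class gains this third-party repository, so the README entry for the class should state that and how to opt out, if it does not already. The class body starts and ends outside the hunk.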
@@ -91,9 +85,8 @@ $suphp_addhandler = 'php5-script' $suphp_engine = 'off' $suphp_configpath = undef - # NOTE: The module for Shibboleth is not available to RH/CentOS without an additional repository. http://wiki.aaf.edu.au/tech-info/sp-install-guide - # NOTE: The auth_cas module isn't available to RH/CentOS without enabling EPEL. $mod_packages = { + # NOTE: The auth_cas module isn't available on RH/CentOS without providing dependency packages provided by EPEL. 'auth_cas' => 'mod_auth_cas', 'auth_kerb' => 'mod_auth_kerb', 'auth_mellon' => 'mod_auth_mellon', @@ -109,6 +102,10 @@ default => undef, }, 'pagespeed' => 'mod-pagespeed-stable', + # NOTE: The passenger module isn't available on RH/CentOS without + # providing dependency packages provided by EPEL and passenger + # repositories. See + # https://www.phusionpassenger.com/library/install/apache/install/oss/el7/ 'passenger' => 'mod_passenger', 'perl' => 'mod_perl', 'php5' => $::apache::version::distrelease ? { @@ -118,6 +115,9 @@ 'proxy_html' => 'mod_proxy_html', 'python' => 'mod_python', 'security' => 'mod_security', + # NOTE: The module for Shibboleth is not available on RH/CentOS without + # providing dependency packages provided by Shibboleth's repositories. + # See http://wiki.aaf.edu.au/tech-info/sp-install-guide 'shibboleth' => 'shibboleth', 'ssl' => 'mod_ssl', 'wsgi' => 'mod_wsgi', @@ -183,7 +183,7 @@ 'base_rules/modsecurity_crs_49_inbound_blocking.conf', 'base_rules/modsecurity_crs_50_outbound.conf', 'base_rules/modsecurity_crs_59_outbound_blocking.conf', - 'base_rules/modsecurity_crs_60_correlation.conf' + 'base_rules/modsecurity_crs_60_correlation.conf', ] } elsif $::osfamily == 'Debian' { $user = 'www-data' 
@@ -287,7 +287,7 @@ 'base_rules/modsecurity_crs_49_inbound_blocking.conf', 'base_rules/modsecurity_crs_50_outbound.conf', 'base_rules/modsecurity_crs_59_outbound_blocking.conf', - 'base_rules/modsecurity_crs_60_correlation.conf' + 'base_rules/modsecurity_crs_60_correlation.conf', ] $alias_icons_path = '/usr/share/apache2/icons' $error_documents_path = '/usr/share/apache2/error' diff --git a/spec/acceptance/mod_passenger_spec.rb b/spec/acceptance/mod_passenger_spec.rb index 086c93eea7..fd967d1ea6 100644 --- a/spec/acceptance/mod_passenger_spec.rb +++ b/spec/acceptance/mod_passenger_spec.rb 
@@ -49,38 +49,34 @@ conf_file = "#{$mod_dir}/passenger.conf" load_file = "#{$mod_dir}/zpassenger.load" # sometimes installs as 3.0.12, sometimes as 3.0.19 - so just check for the stable part - passenger_root = '/usr/lib/ruby/gems/1.8/gems/passenger-3.0.1' + passenger_root = '/usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini' passenger_ruby = '/usr/bin/ruby' - passenger_tempdir = '/var/run/rubygem-passenger' passenger_module_path = 'modules/mod_passenger.so' rackapp_user = 'apache' rackapp_group = 'apache' end pp_rackapp = <<-EOS - /* a simple ruby rack 'hellow world' app */ - file { '/var/www/passenger': - ensure => directory, - owner => '#{rackapp_user}', - group => '#{rackapp_group}', - require => Class['apache::mod::passenger'], - } - file { '/var/www/passenger/config.ru': - ensure => file, - owner => '#{rackapp_user}', - group => '#{rackapp_group}', - content => "app = proc { |env| [200, { \\"Content-Type\\" => \\"text/html\\" }, [\\"hello world\\"]] }\\nrun app", - require => File['/var/www/passenger'] , - } - apache::vhost { 'passenger.example.com': - port => '80', - docroot => '/var/www/passenger/public', - docroot_group => '#{rackapp_group}' , - docroot_owner => '#{rackapp_user}' , - custom_fragment => "PassengerRuby #{passenger_ruby}\\nRailsEnv development" , - require => File['/var/www/passenger/config.ru'] , - } - host { 'passenger.example.com': ip => '127.0.0.1', } + /* a simple ruby rack 'hello world' app */ + file { '/var/www/passenger': + ensure => directory, + owner => '#{rackapp_user}', + group => '#{rackapp_group}', + } + file { '/var/www/passenger/config.ru': + ensure => file, + owner => '#{rackapp_user}', + group => '#{rackapp_group}', + content => "app = proc { |env| [200, { \\"Content-Type\\" => \\"text/html\\" }, [\\"hello world\\"]] }\\nrun app", + } + apache::vhost { 'passenger.example.com': + port => '80', + docroot => '/var/www/passenger/public', + docroot_group => '#{rackapp_group}', + docroot_owner => '#{rackapp_user}', + 
require => File['/var/www/passenger/config.ru'], + } + host { 'passenger.example.com': ip => '127.0.0.1', } EOS case fact('osfamily') diff --git a/spec/acceptance/vhost_spec.rb b/spec/acceptance/vhost_spec.rb index b9b3a80acc..90b42e0e6e 100644 --- a/spec/acceptance/vhost_spec.rb +++ b/spec/acceptance/vhost_spec.rb @@ -1106,6 +1106,33 @@ class { 'apache': service_ensure => stopped, } end end + # Passenger isn't even in EPEL on el-5 + if (fact('osfamily') == 'RedHat' and fact('operatingsystemmajrelease') != '5') + describe 'rack_base_uris' do + before :all do + pp = "if $::osfamily == 'RedHat' { include epel }" + apply_manifest(pp, :catch_failures => true) + end + + it 'applies cleanly' do + pp = <<-EOS + class { 'apache': } + host { 'test.server': ip => '127.0.0.1' } + apache::vhost { 'test.server': + docroot => '/tmp', + rack_base_uris => ['/test'], + } + EOS + apply_manifest(pp, :catch_failures => true) + end + + describe file("#{$vhost_dir}/25-test.server.conf") do + it { is_expected.to be_file } + it { is_expected.to contain 'RackBaseURI /test' } + end + end + end + describe 'no_proxy_uris' do it 'applies cleanly' do pp = <<-EOS From b1f60c7c4297de78350a10cbede8ed1149df0fdd Mon Sep 17 00:00:00 2001 From: Alan Chalmers Date: Wed, 3 Feb 2016 16:32:28 +1100 Subject: [PATCH 014/100] allow status code on redirect match to be optional and not a requirement as per apache documentation http://httpd.apache.org/docs/2.2/mod/mod_alias.html#redirectmatch --- manifests/vhost.pp | 2 +- templates/vhost/_redirect.erb | 10 ++++++++++ 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/manifests/vhost.pp b/manifests/vhost.pp index 8b5422e5ae..912be76e52 100644 --- a/manifests/vhost.pp +++ b/manifests/vhost.pp 
@@ -748,7 +748,7 @@ # - $redirectmatch_status_a # - $redirectmatch_regexp_a # - $redirectmatch_dest - if ($redirect_source and $redirect_dest) or ($redirectmatch_status and $redirectmatch_regexp and $redirectmatch_dest) { + if ($redirect_source and $redirect_dest) or ($redirectmatch_regexp and $redirectmatch_dest) { concat::fragment { "${name}-redirect": target => "${priority_real}${filename}.conf", order => 180, diff --git a/templates/vhost/_redirect.erb b/templates/vhost/_redirect.erb index 69bbfd09de..209da646cc 100644 --- a/templates/vhost/_redirect.erb +++ b/templates/vhost/_redirect.erb @@ -22,4 +22,14 @@ <% @redirectmatch_dest_a[i] ||= @redirectmatch_dest_a[0] -%> RedirectMatch <%= "#{@redirectmatch_status_a[i]} " %> <%= @redirectmatch_regexp_a[i] %> <%= @redirectmatch_dest_a[i] %> <%- end -%> +<%- elsif @redirectmatch_regexp and @redirectmatch_dest -%> +<% @redirectmatch_regexp_a = Array(@redirectmatch_regexp) -%> +<% @redirectmatch_dest_a = Array(@redirectmatch_dest) -%> + + ## RedirectMatch rules + <%- @redirectmatch_regexp_a.each_with_index do |status, i| -%> +<% @redirectmatch_regexp_a[i] ||= @redirectmatch_regexp_a[0] -%> +<% @redirectmatch_dest_a[i] ||= @redirectmatch_dest_a[0] -%> + RedirectMatch <%= @redirectmatch_regexp_a[i] %> <%= @redirectmatch_dest_a[i] %> + <%- end -%> <% end -%> From fe1dae9f59c756b86d05dd4e3e921b2838031e6d Mon Sep 17 00:00:00 2001 From: Hunter Haugen Date: Wed, 3 Feb 2016 12:24:18 -0800 Subject: [PATCH 015/100] Need to know where mod_dir is --- spec/acceptance/mod_pagespeed_spec.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/spec/acceptance/mod_pagespeed_spec.rb b/spec/acceptance/mod_pagespeed_spec.rb index 2434fbb4eb..009df6a101 100644 --- a/spec/acceptance/mod_pagespeed_spec.rb +++ b/spec/acceptance/mod_pagespeed_spec.rb @@ -1,4 +1,5 @@ require 'spec_helper_acceptance' +require_relative './version.rb' describe 'apache::mod::pagespeed class' do context "default pagespeed config" do 
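Review bot: In the added `elsif` branch of templates/vhost/_redirect.erb, the block parameter in `@redirectmatch_regexp_a.each_with_index do |status, i|` is named `status` although it holds a regexp and is never read. The following line, `@redirectmatch_regexp_a[i] ||= @redirectmatch_regexp_a[0]`, is a no-op for any non-nil element, because `i` always indexes the array being iterated. Renaming the parameter, `<%- @redirectmatch_regexp_a.each_with_index do |regexp, i| -%>`, and dropping the no-op line would make the branch read as what it does. The `if` that this `elsif` belongs to is outside the hunk.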
From a85588aa66dbd9c83f3cb0434bc99256618728f3 Mon Sep 17 00:00:00 2001 From: Timo Goebel Date: Wed, 20 Jan 2016 11:39:11 +0100 Subject: [PATCH 016/100] add parameter root_directory_options --- README.md | 4 ++++ manifests/init.pp | 1 + manifests/params.pp | 3 +++ spec/classes/apache_spec.rb | 8 ++++++++ templates/httpd.conf.erb | 2 +- 5 files changed, 17 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 707720a2b6..f768eb2d7c 100644 --- a/README.md +++ b/README.md @@ -1164,6 +1164,10 @@ Controls whether the systemd module should be installed on Centos 7 servers, thi The desired permissions mode for config files, in symbolic or numeric notation. This value must be a string. Defaults to '0644'. +##### `root_directory_options` + +Array of the desired options for the / directory in httpd.conf. Defaults to 'FollowSymLinks'. + ##### `vhost_dir` Changes your virtual host configuration files' location. Default: determined by your operating system. diff --git a/manifests/init.pp b/manifests/init.pp index 9422d09d8b..008ab92e26 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -80,6 +80,7 @@ $use_systemd = $::apache::params::use_systemd, $mime_types_additional = $::apache::params::mime_types_additional, $file_mode = $::apache::params::file_mode, + $root_directory_options = $::apache::params::root_directory_options, ) inherits ::apache::params { validate_bool($default_vhost) validate_bool($default_ssl_vhost) diff --git a/manifests/params.pp b/manifests/params.pp index 4120d074c7..faff49a6c8 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -48,6 +48,9 @@ # Default mode for files $file_mode = '0644' + # Default options for / directory + $root_directory_options = ['FollowSymLinks'] + $vhost_include_pattern = '*' if $::operatingsystem == 'Ubuntu' and $::lsbdistrelease == '10.04' { diff --git a/spec/classes/apache_spec.rb b/spec/classes/apache_spec.rb index 45f8a690c6..6b9b6b881f 100644 --- a/spec/classes/apache_spec.rb 
+++ b/spec/classes/apache_spec.rb @@ -845,9 +845,17 @@ ) } end + context 'with a custom root_directory_options parameter' do + let :params do { + :root_directory_options => ['-Indexes', '-FollowSymLinks'] + } + end + it { is_expected.to contain_file("/etc/httpd/conf/httpd.conf").with_content %r{Options -Indexes -FollowSymLinks} } + end context 'default vhost defaults' do it { is_expected.to contain_apache__vhost('default').with_ensure('present') } it { is_expected.to contain_apache__vhost('default-ssl').with_ensure('absent') } + it { is_expected.to contain_file("/etc/httpd/conf/httpd.conf").with_content %r{Options FollowSymLinks} } end context 'without default non-ssl vhost' do let :params do { diff --git a/templates/httpd.conf.erb b/templates/httpd.conf.erb index 9c854cfc31..448d1fec55 100644 --- a/templates/httpd.conf.erb +++ b/templates/httpd.conf.erb @@ -31,7 +31,7 @@ AccessFileName .htaccess - Options FollowSymLinks + Options <%= Array(@root_directory_options).join(' ') %> AllowOverride None From 8871f0be57b66d3b4259efa2bb00b3eec11e0e35 Mon Sep 17 00:00:00 2001 From: Hunter Haugen Date: Thu, 4 Feb 2016 15:06:28 -0800 Subject: [PATCH 017/100] Disable passenger tests other than vhost The module does not yet manage passenger.conf with puppet and so any two tests that use passenger with non-passenger tests between them will cause failures. --- spec/acceptance/mod_passenger_spec.rb | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/spec/acceptance/mod_passenger_spec.rb b/spec/acceptance/mod_passenger_spec.rb index fd967d1ea6..5798545ea2 100644 --- a/spec/acceptance/mod_passenger_spec.rb +++ b/spec/acceptance/mod_passenger_spec.rb 
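Review bot: The replaced line in templates/httpd.conf.erb renders `Options ` with no argument when `root_directory_options` is an empty array or an empty string, and the parameter added in manifests/init.pp is not validated in the visible part of that hunk. Apache is expected to reject an argument-less `Options`, so the mistake would surface only when the service restarts. A check next to the existing `validate_bool` calls, such as `validate_array($root_directory_options)` plus a non-empty test, would catch it at catalog compile time. Since this block governs `/`, the README entry could also say that the value applies to the whole filesystem unless a narrower `<Directory>` overrides it, and that Apache 2.4 does not accept a mix of `+`/`-` prefixed and unprefixed options.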
@@ -2,9 +2,11 @@ require_relative './version.rb' describe 'apache::mod::passenger class' do + pending 'This cannot run in the same test run as apache::vhost with passenger + as the passenger.conf file is not yet managed by puppet and will be wiped out + between tests and not replaced' case fact('osfamily') when 'Debian' - mod_dir = '/etc/apache2/mods-available/' conf_file = "#{$mod_dir}/passenger.conf" load_file = "#{$mod_dir}/zpassenger.load" From 8ca7a6697ab907803789b2aa63e304f19e3497d3 Mon Sep 17 00:00:00 2001 From: Guy Van den Bergh Date: Fri, 5 Feb 2016 11:59:54 +0100 Subject: [PATCH 018/100] changed rpaf Configuration Directives: RPAF -> RPAF_ --- spec/classes/mod/rpaf_spec.rb | 24 ++++++++++++------------ templates/mod/rpaf.conf.erb | 14 +++++++------- 2 files changed, 19 insertions(+), 19 deletions(-) diff --git a/spec/classes/mod/rpaf_spec.rb b/spec/classes/mod/rpaf_spec.rb index 83591bc282..6b2ddd92f3 100644 --- a/spec/classes/mod/rpaf_spec.rb +++ b/spec/classes/mod/rpaf_spec.rb 
@@ -26,25 +26,25 @@ it { is_expected.to contain_file('rpaf.conf').with({ 'path' => '/etc/apache2/mods-available/rpaf.conf', }) } - it { is_expected.to contain_file('rpaf.conf').with_content(/^RPAFenable On$/) } + it { is_expected.to contain_file('rpaf.conf').with_content(/^RPAF_enable On$/) } describe "with sethostname => true" do let :params do { :sethostname => 'true' } end - it { is_expected.to contain_file('rpaf.conf').with_content(/^RPAFsethostname On$/) } + it { is_expected.to contain_file('rpaf.conf').with_content(/^RPAF_sethostname On$/) } end describe "with proxy_ips => [ 10.42.17.8, 10.42.18.99 ]" do let :params do { :proxy_ips => [ '10.42.17.8', '10.42.18.99' ] } end - it { is_expected.to contain_file('rpaf.conf').with_content(/^RPAFproxy_ips 10.42.17.8 10.42.18.99$/) } + it { is_expected.to contain_file('rpaf.conf').with_content(/^RPAF_proxyIPs 10.42.17.8 10.42.18.99$/) } end describe "with header => X-Real-IP" do let :params do { :header => 'X-Real-IP' } end - it { is_expected.to contain_file('rpaf.conf').with_content(/^RPAFheader X-Real-IP$/) } + it { is_expected.to contain_file('rpaf.conf').with_content(/^RPAF_header X-Real-IP$/) } end end context "on a FreeBSD OS" do 
@@ -66,25 +66,25 @@ it { is_expected.to contain_file('rpaf.conf').with({ 'path' => '/usr/local/etc/apache24/Modules/rpaf.conf', }) } - it { is_expected.to contain_file('rpaf.conf').with_content(/^RPAFenable On$/) } + it { is_expected.to contain_file('rpaf.conf').with_content(/^RPAF_enable On$/) } describe "with sethostname => true" do let :params do { :sethostname => 'true' } end - it { is_expected.to contain_file('rpaf.conf').with_content(/^RPAFsethostname On$/) } + it { is_expected.to contain_file('rpaf.conf').with_content(/^RPAF_sethostname On$/) } end describe "with proxy_ips => [ 10.42.17.8, 10.42.18.99 ]" do let :params do { :proxy_ips => [ '10.42.17.8', '10.42.18.99' ] } end - it { is_expected.to contain_file('rpaf.conf').with_content(/^RPAFproxy_ips 10.42.17.8 10.42.18.99$/) } + it { is_expected.to contain_file('rpaf.conf').with_content(/^RPAF_proxyIPs 10.42.17.8 10.42.18.99$/) } end describe "with header => X-Real-IP" do let :params do { :header => 'X-Real-IP' } end - it { is_expected.to contain_file('rpaf.conf').with_content(/^RPAFheader X-Real-IP$/) } + it { is_expected.to contain_file('rpaf.conf').with_content(/^RPAF_header X-Real-IP$/) } end end context "on a Gentoo OS" do 
@@ -106,25 +106,25 @@ it { is_expected.to contain_file('rpaf.conf').with({ 'path' => '/etc/apache2/modules.d/rpaf.conf', }) } - it { is_expected.to contain_file('rpaf.conf').with_content(/^RPAFenable On$/) } + it { is_expected.to contain_file('rpaf.conf').with_content(/^RPAF_enable On$/) } describe "with sethostname => true" do let :params do { :sethostname => 'true' } end - it { is_expected.to contain_file('rpaf.conf').with_content(/^RPAFsethostname On$/) } + it { is_expected.to contain_file('rpaf.conf').with_content(/^RPAF_sethostname On$/) } end describe "with proxy_ips => [ 10.42.17.8, 10.42.18.99 ]" do let :params do { :proxy_ips => [ '10.42.17.8', '10.42.18.99' ] } end - it { is_expected.to contain_file('rpaf.conf').with_content(/^RPAFproxy_ips 10.42.17.8 10.42.18.99$/) } + it { is_expected.to contain_file('rpaf.conf').with_content(/^RPAF_proxyIPs 10.42.17.8 10.42.18.99$/) } end describe "with header => X-Real-IP" do let :params do { :header => 'X-Real-IP' } end - it { is_expected.to contain_file('rpaf.conf').with_content(/^RPAFheader X-Real-IP$/) } + it { is_expected.to contain_file('rpaf.conf').with_content(/^RPAF_header X-Real-IP$/) } end end end diff --git a/templates/mod/rpaf.conf.erb b/templates/mod/rpaf.conf.erb index 56e2398b55..e0ed8dce8d 100644 --- a/templates/mod/rpaf.conf.erb +++ b/templates/mod/rpaf.conf.erb 
@@ -1,15 +1,15 @@ # Enable reverse proxy add forward -RPAFenable On -# RPAFsethostname will, when enabled, take the incoming X-Host header and +RPAF_enable On +# RPAF_sethostname will, when enabled, take the incoming X-Host header and # update the virtual host settings accordingly. This allows to have the same # hostnames as in the "real" configuration for the forwarding proxy. <% if @sethostname -%> -RPAFsethostname On +RPAF_sethostname On <% else -%> -RPAFsethostname Off +RPAF_sethostname Off <% end -%> # Which IPs are forwarding requests to us -RPAFproxy_ips <%= Array(@proxy_ips).join(" ") %> -# Setting RPAFheader allows you to change the header name to parse from the +RPAF_proxyIPs <%= Array(@proxy_ips).join(" ") %> +# Setting RPAF_header allows you to change the header name to parse from the # default X-Forwarded-For to something of your choice. -RPAFheader <%= @header %> +RPAF_header <%= @header %> From 65f41c0cb54f3a7ff2843e7c8e4e78b6a90d7257 Mon Sep 17 00:00:00 2001 From: Justin Lambert Date: Fri, 29 Jan 2016 14:36:28 -0700 Subject: [PATCH 019/100] quote php_values when the value is a string --- spec/acceptance/mod_php_spec.rb | 2 +- templates/vhost/_php.erb | 6 +++++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/spec/acceptance/mod_php_spec.rb b/spec/acceptance/mod_php_spec.rb index 11bcafcba5..f9919646f0 100644 --- a/spec/acceptance/mod_php_spec.rb +++ b/spec/acceptance/mod_php_spec.rb @@ -80,7 +80,7 @@ class { 'apache::mod::php': describe file("#{$vhost_dir}/25-php.example.com.conf") do it { is_expected.to contain " php_flag display_errors on" } - it { is_expected.to contain " php_value include_path .:/usr/share/pear:/usr/bin/php" } + it { is_expected.to contain " php_value include_path \".:/usr/share/pear:/usr/bin/php\"" } it { is_expected.to contain " php_admin_flag engine on" } it { is_expected.to contain " php_admin_value open_basedir /var/www/php/:/usr/share/pear/" } end 
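Review bot: The directive rename in templates/mod/rpaf.conf.erb (`RPAFenable` to `RPAF_enable`, `RPAFproxy_ips` to `RPAF_proxyIPs`, and so on) is applied unconditionally. Which spelling is accepted depends on the mod_rpaf version installed, and nothing in the template or the visible specs ties the choice to a version. On a host whose packaged mod_rpaf still uses the old names, Apache would presumably fail its configuration check after the upgrade. A comment at the top of the template naming the minimum mod_rpaf version, or a class parameter that selects the directive style, would make the requirement explicit.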
diff --git a/templates/vhost/_php.erb b/templates/vhost/_php.erb index 369fdb7f92..8032a1ade2 100644 --- a/templates/vhost/_php.erb +++ b/templates/vhost/_php.erb @@ -1,6 +1,10 @@ <% if @php_values and not @php_values.empty? -%> <%- @php_values.sort.each do |key,value| -%> + <%- if value.is_a? String -%> + php_value <%= key %> "<%= value %>" + <%- else -%> php_value <%= key %> <%= value %> + <%- end -%> <%- end -%> <% end -%> <% if @php_flags and not @php_flags.empty? -%> @@ -9,4 +13,4 @@ <%- if flag =~ /true|yes|on|1/i then flag = 'on' else flag = 'off' end -%> php_flag <%= key %> <%= flag %> <%- end -%> -<% end -%> \ No newline at end of file +<% end -%> From f1ea11bb5be89956171687b7a5b226b25d20fd3b Mon Sep 17 00:00:00 2001 From: Bob Vincent Date: Mon, 1 Feb 2016 11:00:39 -0500 Subject: [PATCH 020/100] Fix in custom fact "apache_version" for RHEL. The custom fact defined by lib/facter/apache_version.rb runs "apachectl -v" and applies the following regular expression: ^Server version: Apache\/([\w\.]+) \(([\w]+)\) On RHEL 7.1, running apachectl -v produces the following output: Server version: Apache/2.4.6 (Red Hat Enterprise Linux) The regex fails to match the output because it does not allow for whitespace inside the parentheses. The following modified regex matches properly: ^Server version: Apache\/([\w\.]+) \(([\w ]+)\) --- lib/facter/apache_version.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/facter/apache_version.rb b/lib/facter/apache_version.rb index b45c888346..b84d776150 100644 --- a/lib/facter/apache_version.rb +++ b/lib/facter/apache_version.rb @@ -2,7 +2,7 @@ setcode do if Facter::Util::Resolution.which('apachectl') apache_version = Facter::Util::Resolution.exec('apachectl -v 2>&1') - %r{^Server version: Apache\/([\w\.]+) \(([\w]+)\)}.match(apache_version)[1] + %r{^Server version: Apache\/([\w\.]+) \(([\w ]+)\)}.match(apache_version)[1] end end end From 6c0579d36644859ac4566600c87a5295c1a394a8 Mon Sep 17 00:00:00 2001 
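Review bot: The new string branch in templates/vhost/_php.erb wraps the value in double quotes, `php_value <%= key %> "<%= value %>"`, without escaping a `"` or backslash inside it. A value containing a quote therefore ends the argument early, and the rest is parsed as further configuration text. Escaping on output, `"<%= value.gsub(/["\\]/) { |c| "\\#{c}" } %>"`, or rejecting such values in the manifest, keeps the directive to exactly two arguments. The spec context line for `php_admin_value open_basedir` is still unquoted, so admin values appear to be rendered differently from `php_value`; a comment in the template should say whether that is intended.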
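Review bot: The changed line in lib/facter/apache_version.rb still calls `[1]` directly on the result of `.match(apache_version)`, which is `nil` whenever the output of `apachectl -v 2>&1` does not fit the pattern, for example an error message or a banner without a parenthesised platform. In that case the fact raises `NoMethodError` instead of resolving to nil. Only the first capture is used, so the platform group is not needed: `m = %r{^Server version: Apache/([\w.]+)}.match(apache_version.to_s)` followed by `m[1] if m` returns the version for any banner and nil otherwise. The `Facter.add` block starts outside the hunk.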
From: Mathieu Parent Date: Fri, 15 Jan 2016 15:15:47 +0100 Subject: [PATCH 021/100] Fix fcgid.conf load on Debian family Fix the regression from 1bf0aba (see #879). --- manifests/mod/fcgid.pp | 15 +++++++++++---- spec/classes/mod/fcgid_spec.rb | 18 +++++++++--------- .../{unixd_fcgid.conf.erb => fcgid.conf.erb} | 0 3 files changed, 20 insertions(+), 13 deletions(-) rename templates/mod/{unixd_fcgid.conf.erb => fcgid.conf.erb} (100%) diff --git a/manifests/mod/fcgid.pp b/manifests/mod/fcgid.pp index 4c0f919388..69e3112d4f 100644 --- a/manifests/mod/fcgid.pp +++ b/manifests/mod/fcgid.pp @@ -1,18 +1,25 @@ class apache::mod::fcgid( $options = {}, ) { + if ($::osfamily == 'RedHat' and $::operatingsystemmajrelease == '7') or $::osfamily == 'FreeBSD' { + $loadfile_name = 'unixd_fcgid.load' + $conf_name = 'unixd_fcgid.conf' + } else { + $loadfile_name = undef + $conf_name = 'fcgid.conf' + } ::apache::mod { 'fcgid': - loadfile_name => 'unixd_fcgid.load', + loadfile_name => $loadfile_name, } # Template uses: # - $options - file { 'unixd_fcgid.conf': + file { $conf_name: ensure => file, - path => "${::apache::mod_dir}/unixd_fcgid.conf", + path => "${::apache::mod_dir}/${conf_name}", mode => $::apache::file_mode, - content => template('apache/mod/unixd_fcgid.conf.erb'), + content => template('apache/mod/fcgid.conf.erb'), require => Exec["mkdir ${::apache::mod_dir}"], before => File[$::apache::mod_dir], notify => Class['apache::service'], diff --git a/spec/classes/mod/fcgid_spec.rb b/spec/classes/mod/fcgid_spec.rb index 98953625ac..b86cc0e6b3 100644 --- a/spec/classes/mod/fcgid_spec.rb +++ b/spec/classes/mod/fcgid_spec.rb 
@@ -17,17 +17,17 @@ :id => 'root', :kernel => 'Linux', :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - :is_pe => false, + :is_pe => false, } end it { is_expected.to contain_class("apache::params") } it { is_expected.to contain_apache__mod('fcgid').with({ - 'loadfile_name' => 'unixd_fcgid.load' + 'loadfile_name' => nil }) } it { is_expected.to contain_package("libapache2-mod-fcgid") } end - context "on a RedHat OS" do + context "on a RHEL6" do let :facts do { :osfamily => 'RedHat', @@ -45,7 +45,7 @@ describe 'without parameters' do it { is_expected.to contain_class("apache::params") } it { is_expected.to contain_apache__mod('fcgid').with({ - 'loadfile_name' => 'unixd_fcgid.load' + 'loadfile_name' => nil }) } it { is_expected.to contain_package("mod_fcgid") } end @@ -61,7 +61,7 @@ } end it 'should contain the correct config' do - content = catalogue.resource('file', 'unixd_fcgid.conf').send(:parameters)[:content] + content = catalogue.resource('file', 'fcgid.conf').send(:parameters)[:content] expect(content.split("\n").reject { |c| c =~ /(^#|^$)/ }).to eq([ '', ' AddHandler fcgid-script .fcgi', @@ -85,7 +85,7 @@ :id => 'root', :kernel => 'Linux', :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - :is_pe => false, + :is_pe => false, } end @@ -109,7 +109,7 @@ :id => 'root', :kernel => 'FreeBSD', :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - :is_pe => false, + :is_pe => false, } end @@ -130,13 +130,13 @@ :id => 'root', :kernel => 'Linux', :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin', - :is_pe => false, + :is_pe => false, } end it { is_expected.to contain_class("apache::params") } it { is_expected.to contain_apache__mod('fcgid').with({ - 'loadfile_name' => 'unixd_fcgid.load' + 'loadfile_name' => nil, }) } it { is_expected.to contain_package("www-apache/mod_fcgid") } end 
diff --git a/templates/mod/unixd_fcgid.conf.erb b/templates/mod/fcgid.conf.erb similarity index 100% rename from templates/mod/unixd_fcgid.conf.erb rename to templates/mod/fcgid.conf.erb From c37677622f8bc11b3ad8620f28d4cbb9bc1325ce Mon Sep 17 00:00:00 2001 From: Michael Moll Date: Sun, 7 Feb 2016 00:38:49 +0100 Subject: [PATCH 022/100] support Ubuntu xenial (16.04) --- manifests/params.pp | 5 +++++ metadata.json | 3 ++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/manifests/params.pp b/manifests/params.pp index 0c6f9a34fd..7b6e93cc01 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -320,6 +320,11 @@ $passenger_ruby = undef $passenger_default_ruby = '/usr/bin/ruby' } + '16.04': { + $passenger_root = '/usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini' + $passenger_ruby = undef + $passenger_default_ruby = '/usr/bin/ruby' + } default: { # The following settings may or may not work on Ubuntu releases not # supported by this module. diff --git a/metadata.json b/metadata.json index 85e6889497..4bdd2f9a85 100644 --- a/metadata.json +++ b/metadata.json @@ -61,7 +61,8 @@ "operatingsystemrelease": [ "10.04", "12.04", - "14.04" + "14.04", + "16.04" ] } ], From 72cb702921953b1e372d773e0c58b8be972ba70a Mon Sep 17 00:00:00 2001 From: Hunter Haugen Date: Thu, 11 Feb 2016 17:00:51 -0800 Subject: [PATCH 023/100] Disable passenger tests on redhatish 6 RedHat 6 platforms need either their kernel updated (which we can't do in testing) or selinux disabled and rebooted (which is silly) so lets just disable the test. --- README.md | 2 +- spec/acceptance/vhost_spec.rb | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 464d2bc365..48b8cb3d48 100644 --- a/README.md +++ b/README.md 
@@ -1493,7 +1493,7 @@ Installs and manages [`mod_info`][], which provides a comprehensive overview of ##### Class: `apache::mod::passenger` -Installs and manages [`mod_passenger`][]. +Installs and manages [`mod_passenger`][]. For RedHat based systems, please ensure that you meet the minimum requirements as described in the [passenger docs](https://www.phusionpassenger.com/library/install/apache/install/oss/el6/#step-1:-upgrade-your-kernel,-or-disable-selinux) **Parameters within `apache::mod::passenger`**: - `passenger_high_performance` Sets the [`PassengerHighPerformance`](https://www.phusionpassenger.com/library/config/apache/reference/#passengerhighperformance). Valid options: on, off. Default: undef. diff --git a/spec/acceptance/vhost_spec.rb b/spec/acceptance/vhost_spec.rb index 90b42e0e6e..2b40af4560 100644 --- a/spec/acceptance/vhost_spec.rb +++ b/spec/acceptance/vhost_spec.rb @@ -1106,8 +1106,8 @@ class { 'apache': service_ensure => stopped, } end end - # Passenger isn't even in EPEL on el-5 - if (fact('osfamily') == 'RedHat' and fact('operatingsystemmajrelease') != '5') + # Passenger isn't even in EPEL on el-5 and needs a kernel update on el-6 + if (fact('osfamily') == 'RedHat' and ! ['6','5'].include?(fact('operatingsystemmajrelease'))) describe 'rack_base_uris' do before :all do pp = "if $::osfamily == 'RedHat' { include epel }" From cbdd1871b9db73692f4fbe89cfcbe7f308ebc6be Mon Sep 17 00:00:00 2001 From: Sebastian Gerhards Date: Fri, 12 Feb 2016 13:05:08 +0100 Subject: [PATCH 024/100] Fix broken internal link for virtual hosts configuration --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 6b8562bddb..c9deb5adc6 100644 --- a/README.md +++ b/README.md 
@@ -314,7 +314,7 @@ class { 'apache': ## Usage -### Configuring a virtual host +### Configuring virtual hosts The default [`apache`][] class sets up a virtual host on port 80, listening on all interfaces and serving the [`docroot`][] parameter's default directory of `/var/www`. From 4cd7472478eadc4b93f7490e2dff3202e8c125aa Mon Sep 17 00:00:00 2001 From: Jan Schumann Date: Fri, 12 Feb 2016 14:23:29 +0100 Subject: [PATCH 025/100] support pass-header option in apache::fastcgi::server --- manifests/fastcgi/server.pp | 3 ++- spec/defines/fastcgi_server_spec.rb | 5 +++-- templates/fastcgi/server.erb | 3 ++- 3 files changed, 7 insertions(+), 4 deletions(-) diff --git a/manifests/fastcgi/server.pp b/manifests/fastcgi/server.pp index ec89bf7785..8805484066 100644 --- a/manifests/fastcgi/server.pp +++ b/manifests/fastcgi/server.pp @@ -4,7 +4,8 @@ $flush = false, $faux_path = "/var/www/${name}.fcgi", $fcgi_alias = "/${name}.fcgi", - $file_type = 'application/x-httpd-php' + $file_type = 'application/x-httpd-php', + $pass_header = undef, ) { include apache::mod::fastcgi diff --git a/spec/defines/fastcgi_server_spec.rb b/spec/defines/fastcgi_server_spec.rb index 1a6d3199c4..fdcf2dbca3 100644 --- a/spec/defines/fastcgi_server_spec.rb +++ b/spec/defines/fastcgi_server_spec.rb @@ -116,11 +116,12 @@ :flush => true, :faux_path => '/var/www/php-www.fcgi', :fcgi_alias => '/php-www.fcgi', - :file_type => 'application/x-httpd-php' + :file_type => 'application/x-httpd-php', + :pass_header => 'Authorization' } end let :expected do -'FastCGIExternalServer /var/www/php-www.fcgi -idle-timeout 30 -flush -host 127.0.0.1:9001 +'FastCGIExternalServer /var/www/php-www.fcgi -idle-timeout 30 -flush -host 127.0.0.1:9001 -pass-header Authorization Alias /php-www.fcgi /var/www/php-www.fcgi Action application/x-httpd-php /php-www.fcgi ' diff --git a/templates/fastcgi/server.erb b/templates/fastcgi/server.erb index 9cb25b76eb..61169413d1 100644 --- a/templates/fastcgi/server.erb 
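Review bot: The new `$pass_header` parameter in manifests/fastcgi/server.pp is accepted without validation and, in the templates/fastcgi/server.erb hunk of this commit, written unquoted after `-pass-header`. A value containing whitespace or a line break therefore becomes extra FastCGIExternalServer options or a new directive line. A check at the top of the define body, `if $pass_header { validate_re($pass_header, '^[A-Za-z0-9-]+$') }` (stdlib), restricts it to a single header name; the define's body continues outside the hunk. The commit does not touch the README, so the parameter is undocumented; its entry should say that passing `Authorization` hands the client's credentials to the FastCGI backend.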
+++ b/templates/fastcgi/server.erb @@ -1,3 +1,4 @@ -FastCGIExternalServer <%= @faux_path %> -idle-timeout <%= @timeout %> <%= if @flush then '-flush' end %> -host <%= @host %> +FastCGIExternalServer <%= @faux_path %> -idle-timeout <%= @timeout %> <%= if @flush then '-flush' end %> -host <%= @host -%> +<%- if @pass_header -%> -pass-header <%= @pass_header %><% end %> Alias <%= @fcgi_alias %> <%= @faux_path %> Action <%= @file_type %> <%= @fcgi_alias %> From fc9ca123e3e3c80010e8373e3f67d30b069f7a5d Mon Sep 17 00:00:00 2001 From: David Schmitt Date: Tue, 16 Feb 2016 15:59:52 +0000 Subject: [PATCH 026/100] (FM-4046) Update to current msync configs [006831f] This moves all copyright statements to the NOTICE file in accordance with the ASFs guidelines on applying the Apache-2.0 license. --- .gitattributes | 5 ++ .gitignore | 1 + .travis.yml | 1 + Gemfile | 39 ++++----- LICENSE | 209 ++++++++++++++++++++++++++++++++++++++++++++++--- NOTICE | 17 ++++ Rakefile | 31 ++++++++ 7 files changed, 268 insertions(+), 35 deletions(-) create mode 100644 .gitattributes create mode 100644 NOTICE diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000000..900ea0cbb5 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,5 @@ +#This file is generated by ModuleSync, do not edit. +*.rb eol=lf +*.erb eol=lf +*.pp eol=lf +*.sh eol=lf diff --git a/.gitignore b/.gitignore index 3190277498..dd126f2fb2 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ +#This file is generated by ModuleSync, do not edit. pkg/ Gemfile.lock vendor/ diff --git a/.travis.yml b/.travis.yml index e6314a4700..588fb5b002 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,3 +1,4 @@ +#This file is generated by ModuleSync, do not edit. --- sudo: false language: ruby diff --git a/Gemfile b/Gemfile index ced190e770..e490bc9b98 100644 --- a/Gemfile +++ b/Gemfile 
@@ -1,12 +1,14 @@ +#This file is generated by ModuleSync, do not edit. + source ENV['GEM_SOURCE'] || "https://rubygems.org" -def location_for(place, fake_version = nil) +def location_for(place, version = nil) if place =~ /^(git[:@][^#]*)#(.*)/ - [fake_version, { :git => $1, :branch => $2, :require => false }].compact + [version, { :git => $1, :branch => $2, :require => false}].compact elsif place =~ /^file:\/\/(.*)/ - ['>= 0', { :path => File.expand_path($1), :require => false }] + ['>= 0', { :path => File.expand_path($1), :require => false}] else - [place, { :require => false }] + [place, version, { :require => false}].compact end end @@ -20,29 +22,18 @@ group :development, :unit_tests do gem 'simplecov', :require => false end group :system_tests do + gem 'beaker-rspec', *location_for(ENV['BEAKER_RSPEC_VERSION'] || '>= 3.4') + gem 'beaker', *location_for(ENV['BEAKER_VERSION']) + gem 'serverspec', :require => false gem 'beaker-puppet_install_helper', :require => false - if beaker_version = ENV['BEAKER_VERSION'] - gem 'beaker', *location_for(beaker_version) - end - if beaker_rspec_version = ENV['BEAKER_RSPEC_VERSION'] - gem 'beaker-rspec', *location_for(beaker_rspec_version) - else - gem 'beaker-rspec', :require => false - end gem 'master_manipulator', :require => false - gem 'serverspec', :require => false + gem 'beaker-hostgenerator', *location_for(ENV['BEAKER_HOSTGENERATOR_VERSION']) end -if facterversion = ENV['FACTER_GEM_VERSION'] - gem 'facter', facterversion, :require => false -else - gem 'facter', :require => false -end +gem 'facter', *location_for(ENV['FACTER_GEM_VERSION']) +gem 'puppet', *location_for(ENV['PUPPET_GEM_VERSION']) -if puppetversion = ENV['PUPPET_GEM_VERSION'] - gem 'puppet', puppetversion, :require => false -else - gem 'puppet', :require => false -end -# vim:ft=ruby +if File.exists? "#{__FILE__}.local" + eval(File.read("#{__FILE__}.local"), binding) +end diff --git a/LICENSE b/LICENSE index 8961ce8a6d..d645695673 100644 --- a/LICENSE 
+++ b/LICENSE 
@@ -1,15 +1,202 @@ -Copyright (C) 2012 Puppet Labs Inc -Puppet Labs can be contacted at: info@puppetlabs.com + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - http://www.apache.org/licenses/LICENSE-2.0 + 1. Definitions. -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. 
+ + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." 
+ + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. 
You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. 
+ + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. 
In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. 
+ + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/NOTICE b/NOTICE new file mode 100644 index 0000000000..c07b29dc8e --- /dev/null +++ b/NOTICE @@ -0,0 +1,17 @@ +apache puppet module + +Copyright (C) 2012-2016 Puppet Labs, Inc. + +Puppet Labs can be contacted at: info@puppetlabs.com + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/Rakefile b/Rakefile index 636508b00e..1e2be6663c 100644 --- a/Rakefile +++ b/Rakefile 
@@ -10,3 +10,34 @@ PuppetLint.configuration.send('disable_documentation') PuppetLint.configuration.send('disable_single_quote_string_with_variables') PuppetLint.configuration.send('disable_only_variable_string') PuppetLint.configuration.ignore_paths = ["spec/**/*.pp", "pkg/**/*.pp"] + +desc 'Generate pooler nodesets' +task :gen_nodeset do + require 'beaker-hostgenerator' + require 'securerandom' + require 'fileutils' + + agent_target = ENV['TEST_TARGET'] + if ! agent_target + STDERR.puts 'TEST_TARGET environment variable is not set' + STDERR.puts 'setting to default value of "redhat-64default."' + agent_target = 'redhat-64default.' + end + + master_target = ENV['MASTER_TEST_TARGET'] + if ! master_target + STDERR.puts 'MASTER_TEST_TARGET environment variable is not set' + STDERR.puts 'setting to default value of "redhat7-64mdcl"' + master_target = 'redhat7-64mdcl' + end + + targets = "#{master_target}-#{agent_target}" + cli = BeakerHostGenerator::CLI.new([targets]) + nodeset_dir = "tmp/nodesets" + nodeset = "#{nodeset_dir}/#{targets}-#{SecureRandom.uuid}.yaml" + FileUtils.mkdir_p(nodeset_dir) + File.open(nodeset, 'w') do |fh| + fh.print(cli.execute) + end + puts nodeset +end From e4272b38d741d7bade2d34ebbc1ec22befa43aba Mon Sep 17 00:00:00 2001 From: Hunter Haugen Date: Tue, 16 Feb 2016 09:03:17 -0800 Subject: [PATCH 027/100] Disable passenger testing on el7 due to outdated packages --- spec/acceptance/vhost_spec.rb | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/spec/acceptance/vhost_spec.rb b/spec/acceptance/vhost_spec.rb index 2b40af4560..47a403f00e 100644 --- a/spec/acceptance/vhost_spec.rb +++ b/spec/acceptance/vhost_spec.rb 
@@ -1106,8 +1106,6 @@ class { 'apache': service_ensure => stopped, } end end - # Passenger isn't even in EPEL on el-5 and needs a kernel update on el-6 - if (fact('osfamily') == 'RedHat' and ! ['6','5'].include?(fact('operatingsystemmajrelease'))) describe 'rack_base_uris' do before :all do pp = "if $::osfamily == 'RedHat' { include epel }" @@ -1115,6 +1113,9 @@ class { 'apache': service_ensure => stopped, } end it 'applies cleanly' do + if (fact('osfamily') == 'RedHat' and ! ['7','6','5'].include?(fact('operatingsystemmajrelease'))) + pending("Passenger isn't even in EPEL on el-5, needs a kernel update on el-6, and needs selinux-policy >= 3.13.1-60 on el7 which is not available in official repos") + end pp = <<-EOS class { 'apache': } host { 'test.server': ip => '127.0.0.1' } @@ -1127,8 +1128,18 @@ class { 'apache': } end describe file("#{$vhost_dir}/25-test.server.conf") do - it { is_expected.to be_file } - it { is_expected.to contain 'RackBaseURI /test' } + it do + if (fact('osfamily') == 'RedHat' and ! ['7','6','5'].include?(fact('operatingsystemmajrelease'))) + pending("Passenger isn't even in EPEL on el-5, needs a kernel update on el-6, and needs selinux-policy >= 3.13.1-60 on el7 which is not available in official repos") + end + is_expected.to be_file + end + it do + if (fact('osfamily') == 'RedHat' and ! ['7','6','5'].include?(fact('operatingsystemmajrelease'))) + pending("Passenger isn't even in EPEL on el-5, needs a kernel update on el-6, and needs selinux-policy >= 3.13.1-60 on el7 which is not available in official repos") + end + is_expected.to contain 'RackBaseURI /test' + end end end end From da16e92d3d8b5167c26b82b9e75e8d86ee108d5e Mon Sep 17 00:00:00 2001 
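Review bot: The guard added to the three examples in spec/acceptance/vhost_spec.rb is inverted: `! ['7','6','5'].include?(fact('operatingsystemmajrelease'))` marks them pending on RedHat releases other than 5, 6 and 7, while the message names exactly those three as the ones that cannot run passenger. The negation comes from the `if` wrapper that the first hunk removes, where it selected the releases to run on; here it should read `if fact('osfamily') == 'RedHat' and ['7','6','5'].include?(fact('operatingsystemmajrelease'))`. The re-indented copy of these lines in the following patch (029) carries the same condition. The condition and message are repeated three times, so a helper defined once inside `describe 'rack_base_uris'` would keep them from drifting apart.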
From: Daniele Sluijters Date: Tue, 16 Feb 2016 23:32:05 +0100 Subject: [PATCH 028/100] mod/ssl: Add option to configure SSL mutex This allows the end user to explicitly define or override what the `SSLMutex` or `Mutex` configuration for Apache will be as the platform default might not always be desirable. Supersedes #1346 Closes #1346 --- README.md | 5 ++++ manifests/mod/ssl.pp | 51 ++++++++++++++++++++---------------- spec/classes/mod/ssl_spec.rb | 9 +++++++ templates/mod/ssl.conf.erb | 4 +-- 4 files changed, 44 insertions(+), 25 deletions(-) diff --git a/README.md b/README.md index c9deb5adc6..f7997e6cea 100644 --- a/README.md +++ b/README.md @@ -1665,6 +1665,11 @@ Installs [Apache SSL features][`mod_ssl`] and uses the `ssl.conf.erb` template t - `ssl_protocol`: Default: [ 'all', '-SSLv2', '-SSLv3' ]. - `ssl_random_seed_bytes`: Valid options: A string. Default: '512'. - `ssl_sessioncachetimeout`: Valid options: A string. Default: '300'. +- `ssl_mutex`: Default: Determined based on the OS. Valid options: See [mod_ssl][mod_ssl] documentation. + - RedHat/FreeBSD/Suse/Gentoo: 'default' + - Debian/Ubuntu + Apache >= 2.4: 'default' + - Debian/Ubuntu + Apache < 2.4: 'file:\${APACHE_RUN_DIR}/ssl_mutex' + - Ubuntu 10.04: 'file:/var/run/apache2/ssl_mutex' To use SSL with a virtual host, you must either set the [`default_ssl_vhost`][] parameter in `::apache` to true **or** the [`ssl`][] parameter in [`apache::vhost`][] to true. diff --git a/manifests/mod/ssl.pp b/manifests/mod/ssl.pp index dcc31ce8f3..399131314a 100644 --- a/manifests/mod/ssl.pp +++ b/manifests/mod/ssl.pp 
@@ -9,34 +9,39 @@ $ssl_pass_phrase_dialog = 'builtin', $ssl_random_seed_bytes = '512', $ssl_sessioncachetimeout = '300', + $ssl_mutex = undef, $apache_version = $::apache::apache_version, $package_name = undef, ) { - case $::osfamily { - 'debian': { - if versioncmp($apache_version, '2.4') >= 0 { - $ssl_mutex = 'default' - } elsif $::operatingsystem == 'Ubuntu' and $::operatingsystemrelease == '10.04' { - $ssl_mutex = 'file:/var/run/apache2/ssl_mutex' - } else { - $ssl_mutex = "file:\${APACHE_RUN_DIR}/ssl_mutex" + if $ssl_mutex { + $_ssl_mutex = $ssl_mutex + } else { + case $::osfamily { + 'debian': { + if versioncmp($apache_version, '2.4') >= 0 { + $_ssl_mutex = 'default' + } elsif $::operatingsystem == 'Ubuntu' and $::operatingsystemrelease == '10.04' { + $_ssl_mutex = 'file:/var/run/apache2/ssl_mutex' + } else { + $_ssl_mutex = "file:\${APACHE_RUN_DIR}/ssl_mutex" + } + } + 'redhat': { + $_ssl_mutex = 'default' + } + 'freebsd': { + $_ssl_mutex = 'default' + } + 'gentoo': { + $_ssl_mutex = 'default' + } + 'Suse': { + $_ssl_mutex = 'default' + } + default: { + fail("Unsupported osfamily ${::osfamily}, please explicitly pass in \$ssl_mutex") } - } - 'redhat': { - $ssl_mutex = 'default' - } - 'freebsd': { - $ssl_mutex = 'default' - } - 'gentoo': { - $ssl_mutex = 'default' - } - 'Suse': { - $ssl_mutex = 'default' - } - default: { - fail("Unsupported osfamily ${::osfamily}") } } diff --git a/spec/classes/mod/ssl_spec.rb b/spec/classes/mod/ssl_spec.rb index 0fd813d7e1..a738ab0a21 100644 --- a/spec/classes/mod/ssl_spec.rb +++ b/spec/classes/mod/ssl_spec.rb @@ -161,5 +161,14 @@ end it { is_expected.to contain_file('ssl.conf').with_content(/^\s+SSLOpenSSLConfCmd DHParameters "foo.pem"$/)} end + + context 'setting ssl_mutex' do + let :params do + { + :ssl_mutex => 'posixsem', + } + end + it { is_expected.to contain_file('ssl.conf').with_content(%r{^ SSLMutex posixsem$})} + end end end 
diff --git a/templates/mod/ssl.conf.erb b/templates/mod/ssl.conf.erb index 96b80b0036..d5120500a9 100644 --- a/templates/mod/ssl.conf.erb +++ b/templates/mod/ssl.conf.erb @@ -14,9 +14,9 @@ SSLCompression On <% end -%> <%- if scope.function_versioncmp([@apache_version, '2.4']) >= 0 -%> - Mutex <%= @ssl_mutex %> + Mutex <%= @_ssl_mutex %> <%- else -%> - SSLMutex <%= @ssl_mutex %> + SSLMutex <%= @_ssl_mutex %> <%- end -%> SSLCryptoDevice <%= @ssl_cryptodevice %> SSLHonorCipherOrder <%= @ssl_honorcipherorder %> From 984e0d5655bb5eccea09c6178af53d404aa12788 Mon Sep 17 00:00:00 2001 From: Hunter Haugen Date: Tue, 16 Feb 2016 21:12:49 -0800 Subject: [PATCH 029/100] Missed an end --- spec/acceptance/vhost_spec.rb | 53 +++++++++++++++++------------------ 1 file changed, 26 insertions(+), 27 deletions(-) diff --git a/spec/acceptance/vhost_spec.rb b/spec/acceptance/vhost_spec.rb index 47a403f00e..4e4ddd5e99 100644 --- a/spec/acceptance/vhost_spec.rb +++ b/spec/acceptance/vhost_spec.rb 
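Review bot: On Apache 2.4 the template line `Mutex <%= @_ssl_mutex %>` emits the value with no mutex name after it, which httpd appears to apply to the `default` entry. A user who sets `ssl_mutex` to tune only mod_ssl would then change the mechanism for every mutex in the server. Either name the target, e.g. `Mutex <%= @_ssl_mutex %> ssl-cache` (to be confirmed against the mutex names the deployed httpd registers), or state the server-wide effect in the README entry this commit adds. The value is also rendered as given and the manifests/mod/ssl.pp hunk adds no check on it, so a `validate_re` there would catch whitespace or a stray newline before it reaches ssl.conf.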
@@ -1106,40 +1106,39 @@ class { 'apache': service_ensure => stopped, } end end - describe 'rack_base_uris' do - before :all do - pp = "if $::osfamily == 'RedHat' { include epel }" - apply_manifest(pp, :catch_failures => true) + describe 'rack_base_uris' do + before :all do + pp = "if $::osfamily == 'RedHat' { include epel }" + apply_manifest(pp, :catch_failures => true) + end + + it 'applies cleanly' do + if (fact('osfamily') == 'RedHat' and ! ['7','6','5'].include?(fact('operatingsystemmajrelease'))) + pending("Passenger isn't even in EPEL on el-5, needs a kernel update on el-6, and needs selinux-policy >= 3.13.1-60 on el7 which is not available in official repos") end + pp = <<-EOS + class { 'apache': } + host { 'test.server': ip => '127.0.0.1' } + apache::vhost { 'test.server': + docroot => '/tmp', + rack_base_uris => ['/test'], + } + EOS + apply_manifest(pp, :catch_failures => true) + end - it 'applies cleanly' do + describe file("#{$vhost_dir}/25-test.server.conf") do + it do if (fact('osfamily') == 'RedHat' and ! ['7','6','5'].include?(fact('operatingsystemmajrelease'))) pending("Passenger isn't even in EPEL on el-5, needs a kernel update on el-6, and needs selinux-policy >= 3.13.1-60 on el7 which is not available in official repos") end - pp = <<-EOS - class { 'apache': } - host { 'test.server': ip => '127.0.0.1' } - apache::vhost { 'test.server': - docroot => '/tmp', - rack_base_uris => ['/test'], - } - EOS - apply_manifest(pp, :catch_failures => true) + is_expected.to be_file end - - describe file("#{$vhost_dir}/25-test.server.conf") do - it do - if (fact('osfamily') == 'RedHat' and ! ['7','6','5'].include?(fact('operatingsystemmajrelease'))) - pending("Passenger isn't even in EPEL on el-5, needs a kernel update on el-6, and needs selinux-policy >= 3.13.1-60 on el7 which is not available in official repos") - end - is_expected.to be_file - end - it do - if (fact('osfamily') == 'RedHat' and ! 
['7','6','5'].include?(fact('operatingsystemmajrelease'))) - pending("Passenger isn't even in EPEL on el-5, needs a kernel update on el-6, and needs selinux-policy >= 3.13.1-60 on el7 which is not available in official repos") - end - is_expected.to contain 'RackBaseURI /test' + it do + if (fact('osfamily') == 'RedHat' and ! ['7','6','5'].include?(fact('operatingsystemmajrelease'))) + pending("Passenger isn't even in EPEL on el-5, needs a kernel update on el-6, and needs selinux-policy >= 3.13.1-60 on el7 which is not available in official repos") end + is_expected.to contain 'RackBaseURI /test' end end end From dd3b4cf1815524b998ab3b15ccee74fc683df800 Mon Sep 17 00:00:00 2001 From: Henri Salo Date: Wed, 17 Feb 2016 19:38:50 +0200 Subject: [PATCH 030/100] Fix syntax typo in documentation. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index f7997e6cea..d188f12c70 100644 --- a/README.md +++ b/README.md @@ -2947,7 +2947,7 @@ apache::vhost { 'sample.example.net': { path => '/', provider => 'directory', mellon_enable => 'info', - mellon_sp_private_key_file => '/etc/certs/${::fqdn}.key, + mellon_sp_private_key_file => '/etc/certs/${::fqdn}.key', mellon_endpoint_path => '/mellon', mellon_set_env_no_prefix => { 'ADFS_GROUP' => 'http://schemas.xmlsoap.org/claims/Group', 'ADFS_EMAIL' => 'http://schemas.xmlsoap.org/claims/EmailAddress', }, From 4da066490f45b44dd5b9c05e8e21a1d25ba07519 Mon Sep 17 00:00:00 2001 From: Hunter Haugen Date: Thu, 18 Feb 2016 14:25:48 -0800 Subject: [PATCH 031/100] Move rack test to pending block The pending calls didn't have blocks before, so the tests continued to run as usual. They have to be inside a pending block to work correctly --- spec/acceptance/vhost_spec.rb | 42 +++++++++++++++++------------------ 1 file changed, 20 insertions(+), 22 deletions(-) diff --git a/spec/acceptance/vhost_spec.rb b/spec/acceptance/vhost_spec.rb index 4e4ddd5e99..d65e397849 100644 
--- a/spec/acceptance/vhost_spec.rb
+++ b/spec/acceptance/vhost_spec.rb
@@ -1113,32 +1113,30 @@ class { 'apache': service_ensure => stopped, } end it 'applies cleanly' do + test = lambda do + pp = <<-EOS + class { 'apache': } + host { 'test.server': ip => '127.0.0.1' } + apache::vhost { 'test.server': + docroot => '/tmp', + rack_base_uris => ['/test'], + } + EOS + apply_manifest(pp, :catch_failures => true) + end if (fact('osfamily') == 'RedHat' and ! ['7','6','5'].include?(fact('operatingsystemmajrelease'))) - pending("Passenger isn't even in EPEL on el-5, needs a kernel update on el-6, and needs selinux-policy >= 3.13.1-60 on el7 which is not available in official repos") + pending("Passenger isn't even in EPEL on el-5, needs a kernel update on el-6, and needs selinux-policy >= 3.13.1-60 on el7 which is not available in official repos") do + test.call + end + else + test.call end - pp = <<-EOS - class { 'apache': } - host { 'test.server': ip => '127.0.0.1' } - apache::vhost { 'test.server': - docroot => '/tmp', - rack_base_uris => ['/test'], - } - EOS - apply_manifest(pp, :catch_failures => true) end - describe file("#{$vhost_dir}/25-test.server.conf") do - it do - if (fact('osfamily') == 'RedHat' and ! ['7','6','5'].include?(fact('operatingsystemmajrelease'))) - pending("Passenger isn't even in EPEL on el-5, needs a kernel update on el-6, and needs selinux-policy >= 3.13.1-60 on el7 which is not available in official repos") - end - is_expected.to be_file - end - it do - if (fact('osfamily') == 'RedHat' and ! ['7','6','5'].include?(fact('operatingsystemmajrelease'))) - pending("Passenger isn't even in EPEL on el-5, needs a kernel update on el-6, and needs selinux-policy >= 3.13.1-60 on el7 which is not available in official repos") - end - is_expected.to contain 'RackBaseURI /test' + if (fact('osfamily') == 'RedHat' and ! ['7','6','5'].include?(fact('operatingsystemmajrelease'))) + describe file("#{$vhost_dir}/25-test.server.conf") do + it { is_expected.to be_file } + it { is_expected.to contain 'RackBaseURI /test' } end end end 
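Review bot: The new `if` wrapped around `describe file("#{$vhost_dir}/25-test.server.conf")` reuses the exact condition that marks the apply step as pending, so the two file assertions now run only on the RedHat releases where the manifest is expected to fail and are skipped on every other platform. The guard looks inverted; `unless (fact('osfamily') == 'RedHat' and ! ['7','6','5'].include?(fact('operatingsystemmajrelease')))` would keep the `be_file` and `RackBaseURI /test` checks wherever the manifest is applied normally. Separately, the pending message names el-5, el-6 and el7 while the condition excludes exactly those releases, so one of the two is presumably wrong and deserves a comment stating which platforms are meant. The enclosing `describe 'rack_base_uris'` block starts outside the hunk.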
From 1fef317de1b0d0d26b3ec8af4007750e02af347f Mon Sep 17 00:00:00 2001 From: tphoney Date: Fri, 19 Feb 2016 14:22:59 +0000 Subject: [PATCH 032/100] include apache, so parsing works. --- manifests/mod/alias.pp | 8 +- manifests/mod/auth_cas.pp | 3 +- manifests/mod/auth_kerb.pp | 1 + manifests/mod/auth_mellon.pp | 3 +- manifests/mod/authnz_ldap.pp | 1 + manifests/mod/dav_svn.pp | 1 + manifests/mod/dir.pp | 1 + manifests/mod/status.pp | 6 +- spec/classes/mod/alias_spec.rb | 173 ++++++++++--------- spec/classes/mod/auth_cas_spec.rb | 94 +++++----- spec/classes/mod/auth_kerb_spec.rb | 135 ++++++++------- spec/classes/mod/auth_mellon_spec.rb | 155 ++++++++--------- spec/classes/mod/authnz_ldap_spec.rb | 126 +++++++------- spec/classes/mod/dav_svn_spec.rb | 141 +++++++-------- spec/classes/mod/deflate_spec.rb | 181 +++++++++---------- spec/classes/mod/dev_spec.rb | 5 +- spec/classes/mod/dir_spec.rb | 249 +++++++++++++-------------- spec/classes/mod/status_spec.rb | 247 +++++++++++++------------- spec/spec_helper.rb | 17 ++ templates/mod/alias.conf.erb | 2 +- templates/mod/status.conf.erb | 2 +- 21 files changed, 794 insertions(+), 757 deletions(-) diff --git a/manifests/mod/alias.pp b/manifests/mod/alias.pp index eac21ba661..91f68b2dc2 100644 --- a/manifests/mod/alias.pp +++ b/manifests/mod/alias.pp @@ -1,11 +1,13 @@ class apache::mod::alias( - $apache_version = $apache::apache_version, + $apache_version = undef, $icons_options = 'Indexes MultiViews', # set icons_path to false to disable the alias $icons_path = $::apache::params::alias_icons_path, - -) { +) inherits ::apache::params { + include ::apache + $real_apache_version = pick($apache_version, $apache::apache_version) apache::mod { 'alias': } + # Template uses $icons_path if $icons_path { file { 'alias.conf': diff --git a/manifests/mod/auth_cas.pp b/manifests/mod/auth_cas.pp index 0d1b9111ab..2b5338d1e6 100644 --- a/manifests/mod/auth_cas.pp +++ b/manifests/mod/auth_cas.pp 
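Review bot: Nothing in the new alias.pp code says why the `$apache_version` default moved to `undef` and is now resolved in the class body; the same pattern is repeated in the manifests/mod/status.pp hunk. A comment above the `pick()` line would keep a later cleanup from moving the lookup back into the parameter list, e.g. `# Resolved here, after include ::apache, so the class can be parsed without apache being declared first` (presumably the reason, going by the commit subject). The lookup is also written `$apache::apache_version` while the neighbouring default uses the top-scope form `$::apache::params::alias_icons_path`; `pick($apache_version, $::apache::apache_version)` would match. For status.pp, whose `allow_from` default limits who may read the status page, it is worth confirming that the template now reads `real_apache_version` if it branches on the version, since that template hunk is not visible here.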
@@ -16,7 +16,7 @@ $cas_cookie_http_only = undef, $cas_authoritative = undef, $suppress_warning = false, -) { +) inherits ::apache::params { validate_string($cas_login_url, $cas_validate_url, $cas_cookie_path) @@ -24,6 +24,7 @@ warning('RedHat distributions do not have Apache mod_auth_cas in their default package repositories.') } + include ::apache ::apache::mod { 'auth_cas': } file { $cas_cookie_path: diff --git a/manifests/mod/auth_kerb.pp b/manifests/mod/auth_kerb.pp index 6b53262a1b..fe63d22d7b 100644 --- a/manifests/mod/auth_kerb.pp +++ b/manifests/mod/auth_kerb.pp @@ -1,4 +1,5 @@ class apache::mod::auth_kerb { + include ::apache ::apache::mod { 'auth_kerb': } } diff --git a/manifests/mod/auth_mellon.pp b/manifests/mod/auth_mellon.pp index 129441bf41..5dbb6b5771 100644 --- a/manifests/mod/auth_mellon.pp +++ b/manifests/mod/auth_mellon.pp @@ -6,8 +6,9 @@ $mellon_post_ttl = undef, $mellon_post_size = undef, $mellon_post_count = undef -) { +) inherits ::apache::params { + include ::apache ::apache::mod { 'auth_mellon': } # Template uses diff --git a/manifests/mod/authnz_ldap.pp b/manifests/mod/authnz_ldap.pp index 70d0a63630..14a60494b0 100644 --- a/manifests/mod/authnz_ldap.pp +++ b/manifests/mod/authnz_ldap.pp @@ -1,6 +1,7 @@ class apache::mod::authnz_ldap ( $verifyServerCert = true, ) { + include ::apache include '::apache::mod::ldap' ::apache::mod { 'authnz_ldap': } diff --git a/manifests/mod/dav_svn.pp b/manifests/mod/dav_svn.pp index 6e70598d0a..6d2912155b 100644 --- a/manifests/mod/dav_svn.pp +++ b/manifests/mod/dav_svn.pp @@ -2,6 +2,7 @@ $authz_svn_enabled = false, ) { Class['::apache::mod::dav'] -> Class['::apache::mod::dav_svn'] + include ::apache include ::apache::mod::dav ::apache::mod { 'dav_svn': } diff --git a/manifests/mod/dir.pp b/manifests/mod/dir.pp index bce05e0a44..e41aa86ad6 100644 --- a/manifests/mod/dir.pp +++ b/manifests/mod/dir.pp 
@@ -6,6 +6,7 @@ $indexes = ['index.html','index.html.var','index.cgi','index.pl','index.php','index.xhtml'], ) { validate_array($indexes) + include ::apache ::apache::mod { 'dir': } # Template uses diff --git a/manifests/mod/status.pp b/manifests/mod/status.pp index d11a464d79..364505f7b0 100644 --- a/manifests/mod/status.pp +++ b/manifests/mod/status.pp @@ -28,9 +28,11 @@ class apache::mod::status ( $allow_from = ['127.0.0.1','::1'], $extended_status = 'On', - $apache_version = $::apache::apache_version, + $apache_version = undef, $status_path = '/server-status', -){ +) inherits ::apache::params { + include ::apache + $real_apache_version = pick($apache_version, $apache::apache_version) validate_array($allow_from) validate_re(downcase($extended_status), '^(on|off)$', "${extended_status} is not supported for extended_status. Allowed values are 'On' and 'Off'.") ::apache::mod { 'status': } diff --git a/spec/classes/mod/alias_spec.rb b/spec/classes/mod/alias_spec.rb index 9bb28b3aa2..99854e8182 100644 --- a/spec/classes/mod/alias_spec.rb +++ b/spec/classes/mod/alias_spec.rb 
@@ -1,96 +1,97 @@ require 'spec_helper' describe 'apache::mod::alias', :type => :class do - let :pre_condition do - 'include apache' - end - context "on a Debian OS", :compile do - let :facts do - { - :id => 'root', - :kernel => 'Linux', - :lsbdistcodename => 'squeeze', - :osfamily => 'Debian', - :operatingsystem => 'Debian', - :operatingsystemrelease => '6', - :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - :concat_basedir => '/dne', - :is_pe => false, - } - end - it { is_expected.to contain_apache__mod("alias") } - it { is_expected.to contain_file("alias.conf").with(:content => /Alias \/icons\/ "\/usr\/share\/apache2\/icons\/"/) } - end - context "on a RedHat 6-based OS", :compile do - let :facts do - { - :id => 'root', - :kernel => 'Linux', - :osfamily => 'RedHat', - :operatingsystem => 'RedHat', - :operatingsystemrelease => '6', - :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - :concat_basedir => '/dne', - :is_pe => false, - } - end - it { is_expected.to contain_apache__mod("alias") } - it { is_expected.to contain_file("alias.conf").with(:content => /Alias \/icons\/ "\/var\/www\/icons\/"/) } - end - context "on a RedHat 7-based OS", :compile do - let :facts do - { - :id => 'root', - :kernel => 'Linux', - :osfamily => 'RedHat', - :operatingsystem => 'RedHat', - :operatingsystemrelease => '7', - :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - :concat_basedir => '/dne', - :is_pe => false, - } + it_behaves_like "a mod class, without including apache" + + context "default configuration with parameters" do + context "on a Debian OS", :compile do + let :facts do + { + :id => 'root', + :kernel => 'Linux', + :lsbdistcodename => 'squeeze', + :osfamily => 'Debian', + :operatingsystem => 'Debian', + :operatingsystemrelease => '6', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :concat_basedir => '/dne', + :is_pe => false, + } + end + it { is_expected.to 
contain_apache__mod("alias") } + it { is_expected.to contain_file("alias.conf").with(:content => /Alias \/icons\/ "\/usr\/share\/apache2\/icons\/"/) } end - it { is_expected.to contain_apache__mod("alias") } - it { is_expected.to contain_file("alias.conf").with(:content => /Alias \/icons\/ "\/usr\/share\/httpd\/icons\/"/) } - end - context "with icons options", :compile do - let :pre_condition do - 'class { apache: default_mods => false }' + context "on a RedHat 6-based OS", :compile do + let :facts do + { + :id => 'root', + :kernel => 'Linux', + :osfamily => 'RedHat', + :operatingsystem => 'RedHat', + :operatingsystemrelease => '6', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :concat_basedir => '/dne', + :is_pe => false, + } + end + it { is_expected.to contain_apache__mod("alias") } + it { is_expected.to contain_file("alias.conf").with(:content => /Alias \/icons\/ "\/var\/www\/icons\/"/) } end - let :facts do - { - :id => 'root', - :kernel => 'Linux', - :osfamily => 'RedHat', - :operatingsystem => 'RedHat', - :operatingsystemrelease => '7', - :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - :concat_basedir => '/dne', - :is_pe => false, - } + context "on a RedHat 7-based OS", :compile do + let :facts do + { + :id => 'root', + :kernel => 'Linux', + :osfamily => 'RedHat', + :operatingsystem => 'RedHat', + :operatingsystemrelease => '7', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :concat_basedir => '/dne', + :is_pe => false, + } + end + it { is_expected.to contain_apache__mod("alias") } + it { is_expected.to contain_file("alias.conf").with(:content => /Alias \/icons\/ "\/usr\/share\/httpd\/icons\/"/) } end - let :params do - { - 'icons_options' => 'foo' - } + context "with icons options", :compile do + let :pre_condition do + 'class { apache: default_mods => false }' + end + let :facts do + { + :id => 'root', + :kernel => 'Linux', + :osfamily => 'RedHat', + :operatingsystem => 
'RedHat', + :operatingsystemrelease => '7', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :concat_basedir => '/dne', + :is_pe => false, + } + end + let :params do + { + 'icons_options' => 'foo' + } + end + it { is_expected.to contain_apache__mod("alias") } + it { is_expected.to contain_file("alias.conf").with(:content => /Options foo/) } end - it { is_expected.to contain_apache__mod("alias") } - it { is_expected.to contain_file("alias.conf").with(:content => /Options foo/) } - end - context "on a FreeBSD OS", :compile do - let :facts do - { - :id => 'root', - :kernel => 'FreeBSD', - :osfamily => 'FreeBSD', - :operatingsystem => 'FreeBSD', - :operatingsystemrelease => '10', - :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - :concat_basedir => '/dne', - :is_pe => false, - } + context "on a FreeBSD OS", :compile do + let :facts do + { + :id => 'root', + :kernel => 'FreeBSD', + :osfamily => 'FreeBSD', + :operatingsystem => 'FreeBSD', + :operatingsystemrelease => '10', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :concat_basedir => '/dne', + :is_pe => false, + } + end + it { is_expected.to contain_apache__mod("alias") } + it { is_expected.to contain_file("alias.conf").with(:content => /Alias \/icons\/ "\/usr\/local\/www\/apache24\/icons\/"/) } end - it { is_expected.to contain_apache__mod("alias") } - it { is_expected.to contain_file("alias.conf").with(:content => /Alias \/icons\/ "\/usr\/local\/www\/apache24\/icons\/"/) } end end diff --git a/spec/classes/mod/auth_cas_spec.rb b/spec/classes/mod/auth_cas_spec.rb index 53c13c5a12..aee3f8c298 100644 --- a/spec/classes/mod/auth_cas_spec.rb +++ b/spec/classes/mod/auth_cas_spec.rb 
@@ -1,54 +1,64 @@ require 'spec_helper' describe 'apache::mod::auth_cas', :type => :class do - let :params do - { - :cas_login_url => 'https://cas.example.com/login', - :cas_validate_url => 'https://cas.example.com/validate', - } - end - - let :pre_condition do - 'include ::apache' - end - - context "on a Debian OS", :compile do - let :facts do + context "default params" do + let :params do { - :id => 'root', - :kernel => 'Linux', - :lsbdistcodename => 'squeeze', - :osfamily => 'Debian', - :operatingsystem => 'Debian', - :operatingsystemrelease => '6', - :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - :concat_basedir => '/dne', - :is_pe => false, + :cas_login_url => 'https://cas.example.com/login', + :cas_validate_url => 'https://cas.example.com/validate', + :cas_cookie_path => '/var/cache/apache2/mod_auth_cas/' } end - it { is_expected.to contain_class("apache::params") } - it { is_expected.to contain_apache__mod("auth_cas") } - it { is_expected.to contain_package("libapache2-mod-auth-cas") } - it { is_expected.to contain_file("auth_cas.conf").with_path('/etc/apache2/mods-available/auth_cas.conf') } - it { is_expected.to contain_file("/var/cache/apache2/mod_auth_cas/").with_owner('www-data') } + + it_behaves_like "a mod class, without including apache" end - context "on a RedHat OS", :compile do - let :facts do + + context "default configuration with parameters" do + let :params do { - :id => 'root', - :kernel => 'Linux', - :osfamily => 'RedHat', - :operatingsystem => 'RedHat', - :operatingsystemrelease => '6', - :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - :concat_basedir => '/dne', - :is_pe => false, + :cas_login_url => 'https://cas.example.com/login', + :cas_validate_url => 'https://cas.example.com/validate', } end - it { is_expected.to contain_class("apache::params") } - it { is_expected.to contain_apache__mod("auth_cas") } - it { is_expected.to contain_package("mod_auth_cas") } - it { is_expected.to 
contain_file("auth_cas.conf").with_path('/etc/httpd/conf.d/auth_cas.conf') } - it { is_expected.to contain_file("/var/cache/mod_auth_cas/").with_owner('apache') } + + context "on a Debian OS", :compile do + let :facts do + { + :id => 'root', + :kernel => 'Linux', + :lsbdistcodename => 'squeeze', + :osfamily => 'Debian', + :operatingsystem => 'Debian', + :operatingsystemrelease => '6', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :concat_basedir => '/dne', + :is_pe => false, + } + end + it { is_expected.to contain_class("apache::params") } + it { is_expected.to contain_apache__mod("auth_cas") } + it { is_expected.to contain_package("libapache2-mod-auth-cas") } + it { is_expected.to contain_file("auth_cas.conf").with_path('/etc/apache2/mods-available/auth_cas.conf') } + it { is_expected.to contain_file("/var/cache/apache2/mod_auth_cas/").with_owner('www-data') } + end + context "on a RedHat OS", :compile do + let :facts do + { + :id => 'root', + :kernel => 'Linux', + :osfamily => 'RedHat', + :operatingsystem => 'RedHat', + :operatingsystemrelease => '6', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :concat_basedir => '/dne', + :is_pe => false, + } + end + it { is_expected.to contain_class("apache::params") } + it { is_expected.to contain_apache__mod("auth_cas") } + it { is_expected.to contain_package("mod_auth_cas") } + it { is_expected.to contain_file("auth_cas.conf").with_path('/etc/httpd/conf.d/auth_cas.conf') } + it { is_expected.to contain_file("/var/cache/mod_auth_cas/").with_owner('apache') } + end end end diff --git a/spec/classes/mod/auth_kerb_spec.rb b/spec/classes/mod/auth_kerb_spec.rb index beba378a9d..74b6827d0f 100644 --- a/spec/classes/mod/auth_kerb_spec.rb +++ b/spec/classes/mod/auth_kerb_spec.rb 
@@ -1,76 +1,77 @@ require 'spec_helper' describe 'apache::mod::auth_kerb', :type => :class do - let :pre_condition do - 'include apache' - end - context "on a Debian OS", :compile do - let :facts do - { - :id => 'root', - :kernel => 'Linux', - :lsbdistcodename => 'squeeze', - :osfamily => 'Debian', - :operatingsystem => 'Debian', - :operatingsystemrelease => '6', - :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - :concat_basedir => '/dne', - :is_pe => false, - } + it_behaves_like "a mod class, without including apache" + + context "default configuration with parameters" do + context "on a Debian OS", :compile do + let :facts do + { + :id => 'root', + :kernel => 'Linux', + :lsbdistcodename => 'squeeze', + :osfamily => 'Debian', + :operatingsystem => 'Debian', + :operatingsystemrelease => '6', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :concat_basedir => '/dne', + :is_pe => false, + } + end + it { is_expected.to contain_class("apache::params") } + it { is_expected.to contain_apache__mod("auth_kerb") } + it { is_expected.to contain_package("libapache2-mod-auth-kerb") } end - it { is_expected.to contain_class("apache::params") } - it { is_expected.to contain_apache__mod("auth_kerb") } - it { is_expected.to contain_package("libapache2-mod-auth-kerb") } - end - context "on a RedHat OS", :compile do - let :facts do - { - :id => 'root', - :kernel => 'Linux', - :osfamily => 'RedHat', - :operatingsystem => 'RedHat', - :operatingsystemrelease => '6', - :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - :concat_basedir => '/dne', - :is_pe => false, - } + context "on a RedHat OS", :compile do + let :facts do + { + :id => 'root', + :kernel => 'Linux', + :osfamily => 'RedHat', + :operatingsystem => 'RedHat', + :operatingsystemrelease => '6', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :concat_basedir => '/dne', + :is_pe => false, + } + end + it { is_expected.to 
contain_class("apache::params") } + it { is_expected.to contain_apache__mod("auth_kerb") } + it { is_expected.to contain_package("mod_auth_kerb") } end - it { is_expected.to contain_class("apache::params") } - it { is_expected.to contain_apache__mod("auth_kerb") } - it { is_expected.to contain_package("mod_auth_kerb") } - end - context "on a FreeBSD OS", :compile do - let :facts do - { - :id => 'root', - :kernel => 'FreeBSD', - :osfamily => 'FreeBSD', - :operatingsystem => 'FreeBSD', - :operatingsystemrelease => '9', - :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - :concat_basedir => '/dne', - :is_pe => false, - } + context "on a FreeBSD OS", :compile do + let :facts do + { + :id => 'root', + :kernel => 'FreeBSD', + :osfamily => 'FreeBSD', + :operatingsystem => 'FreeBSD', + :operatingsystemrelease => '9', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :concat_basedir => '/dne', + :is_pe => false, + } + end + it { is_expected.to contain_class("apache::params") } + it { is_expected.to contain_apache__mod("auth_kerb") } + it { is_expected.to contain_package("www/mod_auth_kerb2") } end - it { is_expected.to contain_class("apache::params") } - it { is_expected.to contain_apache__mod("auth_kerb") } - it { is_expected.to contain_package("www/mod_auth_kerb2") } - end - context "on a Gentoo OS", :compile do - let :facts do - { - :id => 'root', - :kernel => 'Linux', - :osfamily => 'Gentoo', - :operatingsystem => 'Gentoo', - :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin', - :operatingsystemrelease => '3.16.1-gentoo', - :concat_basedir => '/dne', - :is_pe => false, - } + context "on a Gentoo OS", :compile do + let :facts do + { + :id => 'root', + :kernel => 'Linux', + :osfamily => 'Gentoo', + :operatingsystem => 'Gentoo', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin', + :operatingsystemrelease => '3.16.1-gentoo', + :concat_basedir => '/dne', + :is_pe 
=> false, + } + end + it { is_expected.to contain_class("apache::params") } + it { is_expected.to contain_apache__mod("auth_kerb") } + it { is_expected.to contain_package("www-apache/mod_auth_kerb") } end - it { is_expected.to contain_class("apache::params") } - it { is_expected.to contain_apache__mod("auth_kerb") } - it { is_expected.to contain_package("www-apache/mod_auth_kerb") } end end diff --git a/spec/classes/mod/auth_mellon_spec.rb b/spec/classes/mod/auth_mellon_spec.rb index 4fac1c3e86..7d0826ff72 100644 --- a/spec/classes/mod/auth_mellon_spec.rb +++ b/spec/classes/mod/auth_mellon_spec.rb 
@@ -1,89 +1,90 @@ require 'spec_helper' describe 'apache::mod::auth_mellon', :type => :class do - let :pre_condition do - 'include apache' - end - context "on a Debian OS" do - let :facts do - { - :osfamily => 'Debian', - :operatingsystemrelease => '6', - :concat_basedir => '/dne', - :lsbdistcodename => 'squeeze', - :operatingsystem => 'Debian', - :id => 'root', - :kernel => 'Linux', - :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - :fqdn => 'test.example.com', - :is_pe => false, - } - end - describe 'with no parameters' do - it { should contain_apache__mod('auth_mellon') } - it { should contain_package('libapache2-mod-auth-mellon') } - it { should contain_file('auth_mellon.conf').with_path('/etc/apache2/mods-available/auth_mellon.conf') } - it { should contain_file('auth_mellon.conf').with_content("MellonPostDirectory \"\/var\/cache\/apache2\/mod_auth_mellon\/\"\n") } - end - describe 'with parameters' do - let :params do - { :mellon_cache_size => '200', - :mellon_cache_entry_size => '2010', - :mellon_lock_file => '/tmp/junk', - :mellon_post_directory => '/tmp/post', - :mellon_post_ttl => '5', - :mellon_post_size => '8', - :mellon_post_count => '10' + it_behaves_like "a mod class, without including apache" + + context "default configuration with parameters" do + context "on a Debian OS" do + let :facts do + { + :osfamily => 'Debian', + :operatingsystemrelease => '6', + :concat_basedir => '/dne', + :lsbdistcodename => 'squeeze', + :operatingsystem => 'Debian', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :fqdn => 'test.example.com', + :is_pe => false, } end - it { should contain_file('auth_mellon.conf').with_content(/^MellonCacheSize\s+200$/) } - it { should contain_file('auth_mellon.conf').with_content(/^MellonCacheEntrySize\s+2010$/) } - it { should contain_file('auth_mellon.conf').with_content(/^MellonLockFile\s+"\/tmp\/junk"$/) } - it { should 
contain_file('auth_mellon.conf').with_content(/^MellonPostDirectory\s+"\/tmp\/post"$/) } - it { should contain_file('auth_mellon.conf').with_content(/^MellonPostTTL\s+5$/) } - it { should contain_file('auth_mellon.conf').with_content(/^MellonPostSize\s+8$/) } - it { should contain_file('auth_mellon.conf').with_content(/^MellonPostCount\s+10$/) } - end + describe 'with no parameters' do + it { should contain_apache__mod('auth_mellon') } + it { should contain_package('libapache2-mod-auth-mellon') } + it { should contain_file('auth_mellon.conf').with_path('/etc/apache2/mods-available/auth_mellon.conf') } + it { should contain_file('auth_mellon.conf').with_content("MellonPostDirectory \"\/var\/cache\/apache2\/mod_auth_mellon\/\"\n") } + end + describe 'with parameters' do + let :params do + { :mellon_cache_size => '200', + :mellon_cache_entry_size => '2010', + :mellon_lock_file => '/tmp/junk', + :mellon_post_directory => '/tmp/post', + :mellon_post_ttl => '5', + :mellon_post_size => '8', + :mellon_post_count => '10' + } + end + it { should contain_file('auth_mellon.conf').with_content(/^MellonCacheSize\s+200$/) } + it { should contain_file('auth_mellon.conf').with_content(/^MellonCacheEntrySize\s+2010$/) } + it { should contain_file('auth_mellon.conf').with_content(/^MellonLockFile\s+"\/tmp\/junk"$/) } + it { should contain_file('auth_mellon.conf').with_content(/^MellonPostDirectory\s+"\/tmp\/post"$/) } + it { should contain_file('auth_mellon.conf').with_content(/^MellonPostTTL\s+5$/) } + it { should contain_file('auth_mellon.conf').with_content(/^MellonPostSize\s+8$/) } + it { should contain_file('auth_mellon.conf').with_content(/^MellonPostCount\s+10$/) } + end - end - context "on a RedHat OS" do - let :facts do - { - :osfamily => 'RedHat', - :operatingsystemrelease => '6', - :concat_basedir => '/dne', - :operatingsystem => 'RedHat', - :id => 'root', - :kernel => 'Linux', - :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - :fqdn => 
'test.example.com', - :is_pe => false, - } - end - describe 'with no parameters' do - it { should contain_apache__mod('auth_mellon') } - it { should contain_package('mod_auth_mellon') } - it { should contain_file('auth_mellon.conf').with_path('/etc/httpd/conf.d/auth_mellon.conf') } - it { should contain_file('auth_mellon.conf').with_content("MellonCacheSize 100\nMellonLockFile \"/run/mod_auth_mellon/lock\"\n") } end - describe 'with parameters' do - let :params do - { :mellon_cache_size => '200', - :mellon_cache_entry_size => '2010', - :mellon_lock_file => '/tmp/junk', - :mellon_post_directory => '/tmp/post', - :mellon_post_ttl => '5', - :mellon_post_size => '8', - :mellon_post_count => '10' + context "on a RedHat OS" do + let :facts do + { + :osfamily => 'RedHat', + :operatingsystemrelease => '6', + :concat_basedir => '/dne', + :operatingsystem => 'RedHat', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :fqdn => 'test.example.com', + :is_pe => false, } end - it { should contain_file('auth_mellon.conf').with_content(/^MellonCacheSize\s+200$/) } - it { should contain_file('auth_mellon.conf').with_content(/^MellonCacheEntrySize\s+2010$/) } - it { should contain_file('auth_mellon.conf').with_content(/^MellonLockFile\s+"\/tmp\/junk"$/) } - it { should contain_file('auth_mellon.conf').with_content(/^MellonPostDirectory\s+"\/tmp\/post"$/) } - it { should contain_file('auth_mellon.conf').with_content(/^MellonPostTTL\s+5$/) } - it { should contain_file('auth_mellon.conf').with_content(/^MellonPostSize\s+8$/) } - it { should contain_file('auth_mellon.conf').with_content(/^MellonPostCount\s+10$/) } + describe 'with no parameters' do + it { should contain_apache__mod('auth_mellon') } + it { should contain_package('mod_auth_mellon') } + it { should contain_file('auth_mellon.conf').with_path('/etc/httpd/conf.d/auth_mellon.conf') } + it { should contain_file('auth_mellon.conf').with_content("MellonCacheSize 
100\nMellonLockFile \"/run/mod_auth_mellon/lock\"\n") } + end + describe 'with parameters' do + let :params do + { :mellon_cache_size => '200', + :mellon_cache_entry_size => '2010', + :mellon_lock_file => '/tmp/junk', + :mellon_post_directory => '/tmp/post', + :mellon_post_ttl => '5', + :mellon_post_size => '8', + :mellon_post_count => '10' + } + end + it { should contain_file('auth_mellon.conf').with_content(/^MellonCacheSize\s+200$/) } + it { should contain_file('auth_mellon.conf').with_content(/^MellonCacheEntrySize\s+2010$/) } + it { should contain_file('auth_mellon.conf').with_content(/^MellonLockFile\s+"\/tmp\/junk"$/) } + it { should contain_file('auth_mellon.conf').with_content(/^MellonPostDirectory\s+"\/tmp\/post"$/) } + it { should contain_file('auth_mellon.conf').with_content(/^MellonPostTTL\s+5$/) } + it { should contain_file('auth_mellon.conf').with_content(/^MellonPostSize\s+8$/) } + it { should contain_file('auth_mellon.conf').with_content(/^MellonPostCount\s+10$/) } + end end end end diff --git a/spec/classes/mod/authnz_ldap_spec.rb b/spec/classes/mod/authnz_ldap_spec.rb index f897833996..d433bc5337 100644 --- a/spec/classes/mod/authnz_ldap_spec.rb +++ b/spec/classes/mod/authnz_ldap_spec.rb 
@@ -1,78 +1,76 @@ require 'spec_helper' describe 'apache::mod::authnz_ldap', :type => :class do - let :pre_condition do - 'include apache' - end - - context "on a Debian OS" do - let :facts do - { - :lsbdistcodename => 'squeeze', - :osfamily => 'Debian', - :operatingsystemrelease => '6', - :concat_basedir => '/dne', - :id => 'root', - :kernel => 'Linux', - :operatingsystem => 'Debian', - :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - :is_pe => false, - } - end - it { is_expected.to contain_class("apache::params") } - it { is_expected.to contain_class("apache::mod::ldap") } - it { is_expected.to contain_apache__mod('authnz_ldap') } + it_behaves_like "a mod class, without including apache" - context 'default verifyServerCert' do - it { is_expected.to contain_file('authnz_ldap.conf').with_content(/^LDAPVerifyServerCert On$/) } - end + context "default configuration with parameters" do + context "on a Debian OS" do + let :facts do + { + :lsbdistcodename => 'squeeze', + :osfamily => 'Debian', + :operatingsystemrelease => '6', + :concat_basedir => '/dne', + :id => 'root', + :kernel => 'Linux', + :operatingsystem => 'Debian', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :is_pe => false, + } + end + it { is_expected.to contain_class("apache::params") } + it { is_expected.to contain_class("apache::mod::ldap") } + it { is_expected.to contain_apache__mod('authnz_ldap') } - context 'verifyServerCert = false' do - let(:params) { { :verifyServerCert => false } } - it { is_expected.to contain_file('authnz_ldap.conf').with_content(/^LDAPVerifyServerCert Off$/) } - end + context 'default verifyServerCert' do + it { is_expected.to contain_file('authnz_ldap.conf').with_content(/^LDAPVerifyServerCert On$/) } + end - context 'verifyServerCert = wrong' do - let(:params) { { :verifyServerCert => 'wrong' } } - it 'should raise an error' do - expect { is_expected.to raise_error Puppet::Error } + context 'verifyServerCert = false' 
do + let(:params) { { :verifyServerCert => false } } + it { is_expected.to contain_file('authnz_ldap.conf').with_content(/^LDAPVerifyServerCert Off$/) } end - end - end #Debian - context "on a RedHat OS" do - let :facts do - { - :osfamily => 'RedHat', - :operatingsystemrelease => '6', - :concat_basedir => '/dne', - :id => 'root', - :kernel => 'Linux', - :operatingsystem => 'RedHat', - :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - :is_pe => false, - } - end - it { is_expected.to contain_class("apache::params") } - it { is_expected.to contain_class("apache::mod::ldap") } - it { is_expected.to contain_apache__mod('authnz_ldap') } + context 'verifyServerCert = wrong' do + let(:params) { { :verifyServerCert => 'wrong' } } + it 'should raise an error' do + expect { is_expected.to raise_error Puppet::Error } + end + end + end #Debian - context 'default verifyServerCert' do - it { is_expected.to contain_file('authnz_ldap.conf').with_content(/^LDAPVerifyServerCert On$/) } - end + context "on a RedHat OS" do + let :facts do + { + :osfamily => 'RedHat', + :operatingsystemrelease => '6', + :concat_basedir => '/dne', + :id => 'root', + :kernel => 'Linux', + :operatingsystem => 'RedHat', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :is_pe => false, + } + end + it { is_expected.to contain_class("apache::params") } + it { is_expected.to contain_class("apache::mod::ldap") } + it { is_expected.to contain_apache__mod('authnz_ldap') } - context 'verifyServerCert = false' do - let(:params) { { :verifyServerCert => false } } - it { is_expected.to contain_file('authnz_ldap.conf').with_content(/^LDAPVerifyServerCert Off$/) } - end + context 'default verifyServerCert' do + it { is_expected.to contain_file('authnz_ldap.conf').with_content(/^LDAPVerifyServerCert On$/) } + end - context 'verifyServerCert = wrong' do - let(:params) { { :verifyServerCert => 'wrong' } } - it 'should raise an error' do - expect { is_expected.to 
raise_error Puppet::Error } + context 'verifyServerCert = false' do + let(:params) { { :verifyServerCert => false } } + it { is_expected.to contain_file('authnz_ldap.conf').with_content(/^LDAPVerifyServerCert Off$/) } end - end - end # Redhat + context 'verifyServerCert = wrong' do + let(:params) { { :verifyServerCert => 'wrong' } } + it 'should raise an error' do + expect { is_expected.to raise_error Puppet::Error } + end + end + end # Redhat + end end - diff --git a/spec/classes/mod/dav_svn_spec.rb b/spec/classes/mod/dav_svn_spec.rb index 06c6b870f2..1f60e730b1 100644 --- a/spec/classes/mod/dav_svn_spec.rb +++ b/spec/classes/mod/dav_svn_spec.rb 
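Review bot: The `verifyServerCert = wrong` examples in both the Debian and RedHat contexts assert nothing, because `expect { is_expected.to raise_error Puppet::Error }` never applies a matcher to the block, so the block is not run and the example passes whatever the manifest does. A regression in how the class validates this parameter, which feeds `LDAPVerifyServerCert`, would therefore go unnoticed. Use the form that status_spec.rb in this same patch uses: `expect { is_expected.to contain_file('authnz_ldap.conf') }.to raise_error(Puppet::Error)`. The hunk only re-indents these lines, so the defect predates it, but this is a cheap place to fix it.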
@@ -1,79 +1,80 @@ require 'spec_helper' describe 'apache::mod::dav_svn', :type => :class do - let :pre_condition do - 'include apache' - end - context "on a Debian OS" do - let :facts do - { - :lsbdistcodename => 'squeeze', - :osfamily => 'Debian', - :operatingsystemrelease => '6', - :operatingsystemmajrelease => '6', - :concat_basedir => '/dne', - :operatingsystem => 'Debian', - :id => 'root', - :kernel => 'Linux', - :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - :is_pe => false, - } + it_behaves_like "a mod class, without including apache" + + context "default configuration with parameters" do + context "on a Debian OS" do + let :facts do + { + :lsbdistcodename => 'squeeze', + :osfamily => 'Debian', + :operatingsystemrelease => '6', + :operatingsystemmajrelease => '6', + :concat_basedir => '/dne', + :operatingsystem => 'Debian', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :is_pe => false, + } + end + it { is_expected.to contain_class("apache::params") } + it { is_expected.to contain_apache__mod('dav_svn') } + it { is_expected.to contain_package("libapache2-svn") } end - it { is_expected.to contain_class("apache::params") } - it { is_expected.to contain_apache__mod('dav_svn') } - it { is_expected.to contain_package("libapache2-svn") } - end - context "on a RedHat OS" do - let :facts do - { - :osfamily => 'RedHat', - :operatingsystemrelease => '6', - :operatingsystemmajrelease => '6', - :concat_basedir => '/dne', - :operatingsystem => 'RedHat', - :id => 'root', - :kernel => 'Linux', - :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - :is_pe => false, - } + context "on a RedHat OS" do + let :facts do + { + :osfamily => 'RedHat', + :operatingsystemrelease => '6', + :operatingsystemmajrelease => '6', + :concat_basedir => '/dne', + :operatingsystem => 'RedHat', + :id => 'root', + :kernel => 'Linux', + :path => 
'/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :is_pe => false, + } + end + it { is_expected.to contain_class("apache::params") } + it { is_expected.to contain_apache__mod('dav_svn') } + it { is_expected.to contain_package("mod_dav_svn") } end - it { is_expected.to contain_class("apache::params") } - it { is_expected.to contain_apache__mod('dav_svn') } - it { is_expected.to contain_package("mod_dav_svn") } - end - context "on a FreeBSD OS" do - let :facts do - { - :osfamily => 'FreeBSD', - :operatingsystemrelease => '9', - :operatingsystemmajrelease => '9', - :concat_basedir => '/dne', - :operatingsystem => 'FreeBSD', - :id => 'root', - :kernel => 'Linux', - :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - :is_pe => false, - } + context "on a FreeBSD OS" do + let :facts do + { + :osfamily => 'FreeBSD', + :operatingsystemrelease => '9', + :operatingsystemmajrelease => '9', + :concat_basedir => '/dne', + :operatingsystem => 'FreeBSD', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :is_pe => false, + } + end + it { is_expected.to contain_class("apache::params") } + it { is_expected.to contain_apache__mod('dav_svn') } + it { is_expected.to contain_package("devel/subversion") } end - it { is_expected.to contain_class("apache::params") } - it { is_expected.to contain_apache__mod('dav_svn') } - it { is_expected.to contain_package("devel/subversion") } - end - context "on a Gentoo OS", :compile do - let :facts do - { - :id => 'root', - :operatingsystemrelease => '3.16.1-gentoo', - :concat_basedir => '/dne', - :kernel => 'Linux', - :osfamily => 'Gentoo', - :operatingsystem => 'Gentoo', - :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin', - :is_pe => false, - } + context "on a Gentoo OS", :compile do + let :facts do + { + :id => 'root', + :operatingsystemrelease => '3.16.1-gentoo', + :concat_basedir => '/dne', + :kernel => 'Linux', 
+ :osfamily => 'Gentoo', + :operatingsystem => 'Gentoo', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin', + :is_pe => false, + } + end + it { is_expected.to contain_class("apache::params") } + it { is_expected.to contain_apache__mod('dav_svn') } + it { is_expected.to contain_package("dev-vcs/subversion") } end - it { is_expected.to contain_class("apache::params") } - it { is_expected.to contain_apache__mod('dav_svn') } - it { is_expected.to contain_package("dev-vcs/subversion") } end end diff --git a/spec/classes/mod/deflate_spec.rb b/spec/classes/mod/deflate_spec.rb index d0d8fedc21..264c70f362 100644 --- a/spec/classes/mod/deflate_spec.rb +++ b/spec/classes/mod/deflate_spec.rb 
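Review bot: The "on a FreeBSD OS" context still sets `:kernel => 'Linux'` in its facts, while the FreeBSD contexts in deflate_spec.rb and dir_spec.rb in this patch use `:kernel => 'FreeBSD'`. Since every line of this context is rewritten here anyway, change it to `:kernel => 'FreeBSD',` so the fact set describes one real platform. Whether the class currently branches on `kernel` is not visible from this hunk, so this may not change a result today. It does stop the spec from hiding a future kernel-dependent branch.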
@@ -16,111 +16,112 @@ def general_deflate_specs end describe 'apache::mod::deflate', :type => :class do - let :pre_condition do - 'class { "apache": - default_mods => false, - } - class { "apache::mod::deflate": - types => [ "text/html", "text/css" ], - notes => { - "Input" => "instream", - "Ratio" => "ratio", - } - } - ' - end + it_behaves_like "a mod class, without including apache" - context "On a Debian OS with default params" do - let :facts do - { - :id => 'root', - :lsbdistcodename => 'squeeze', - :kernel => 'Linux', - :osfamily => 'Debian', - :operatingsystem => 'Debian', - :operatingsystemrelease => '6', - :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - :concat_basedir => '/dne', - :is_pe => false, + context "default configuration with parameters" do + let :pre_condition do + 'class { "apache::mod::deflate": + types => [ "text/html", "text/css" ], + notes => { + "Input" => "instream", + "Ratio" => "ratio", + } } + ' end - # Load the more generic tests for this context - general_deflate_specs() - - it { is_expected.to contain_file("deflate.conf").with({ - :ensure => 'file', - :path => '/etc/apache2/mods-available/deflate.conf', - } ) } - it { is_expected.to contain_file("deflate.conf symlink").with({ - :ensure => 'link', - :path => '/etc/apache2/mods-enabled/deflate.conf', - } ) } - end + context "On a Debian OS with default params" do + let :facts do + { + :id => 'root', + :lsbdistcodename => 'squeeze', + :kernel => 'Linux', + :osfamily => 'Debian', + :operatingsystem => 'Debian', + :operatingsystemrelease => '6', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :concat_basedir => '/dne', + :is_pe => false, + } + end - context "on a RedHat OS with default params" do - let :facts do - { - :id => 'root', - :kernel => 'Linux', - :osfamily => 'RedHat', - :operatingsystem => 'RedHat', - :operatingsystemrelease => '6', - :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - 
:concat_basedir => '/dne', - :is_pe => false, - } + # Load the more generic tests for this context + general_deflate_specs() + + it { is_expected.to contain_file("deflate.conf").with({ + :ensure => 'file', + :path => '/etc/apache2/mods-available/deflate.conf', + } ) } + it { is_expected.to contain_file("deflate.conf symlink").with({ + :ensure => 'link', + :path => '/etc/apache2/mods-enabled/deflate.conf', + } ) } end - # Load the more generic tests for this context - general_deflate_specs() + context "on a RedHat OS with default params" do + let :facts do + { + :id => 'root', + :kernel => 'Linux', + :osfamily => 'RedHat', + :operatingsystem => 'RedHat', + :operatingsystemrelease => '6', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :concat_basedir => '/dne', + :is_pe => false, + } + end - it { is_expected.to contain_file("deflate.conf").with_path("/etc/httpd/conf.d/deflate.conf") } - end + # Load the more generic tests for this context + general_deflate_specs() - context "On a FreeBSD OS with default params" do - let :facts do - { - :id => 'root', - :kernel => 'FreeBSD', - :osfamily => 'FreeBSD', - :operatingsystem => 'FreeBSD', - :operatingsystemrelease => '9', - :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - :concat_basedir => '/dne', - :is_pe => false, - } + it { is_expected.to contain_file("deflate.conf").with_path("/etc/httpd/conf.d/deflate.conf") } end - # Load the more generic tests for this context - general_deflate_specs() + context "On a FreeBSD OS with default params" do + let :facts do + { + :id => 'root', + :kernel => 'FreeBSD', + :osfamily => 'FreeBSD', + :operatingsystem => 'FreeBSD', + :operatingsystemrelease => '9', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :concat_basedir => '/dne', + :is_pe => false, + } + end - it { is_expected.to contain_file("deflate.conf").with({ - :ensure => 'file', - :path => '/usr/local/etc/apache24/Modules/deflate.conf', - } ) } 
- end + # Load the more generic tests for this context + general_deflate_specs() - context "On a Gentoo OS with default params" do - let :facts do - { - :id => 'root', - :kernel => 'Linux', - :osfamily => 'Gentoo', - :operatingsystem => 'Gentoo', - :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin', - :operatingsystemrelease => '3.16.1-gentoo', - :concat_basedir => '/dne', - :is_pe => false, - } + it { is_expected.to contain_file("deflate.conf").with({ + :ensure => 'file', + :path => '/usr/local/etc/apache24/Modules/deflate.conf', + } ) } end - # Load the more generic tests for this context - general_deflate_specs() + context "On a Gentoo OS with default params" do + let :facts do + { + :id => 'root', + :kernel => 'Linux', + :osfamily => 'Gentoo', + :operatingsystem => 'Gentoo', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin', + :operatingsystemrelease => '3.16.1-gentoo', + :concat_basedir => '/dne', + :is_pe => false, + } + end - it { is_expected.to contain_file("deflate.conf").with({ - :ensure => 'file', - :path => '/etc/apache2/modules.d/deflate.conf', - } ) } + # Load the more generic tests for this context + general_deflate_specs() + + it { is_expected.to contain_file("deflate.conf").with({ + :ensure => 'file', + :path => '/etc/apache2/modules.d/deflate.conf', + } ) } + end end end diff --git a/spec/classes/mod/dev_spec.rb b/spec/classes/mod/dev_spec.rb index 1686a02755..29589f99f2 100644 --- a/spec/classes/mod/dev_spec.rb +++ b/spec/classes/mod/dev_spec.rb @@ -1,9 +1,8 @@ require 'spec_helper' describe 'apache::mod::dev', :type => :class do - let(:pre_condition) {[ - 'include apache' - ]} + it_behaves_like "a mod class, without including apache" + [ ['RedHat', '6', 'Santiago', 'Linux'], ['Debian', '6', 'squeeze', 'Linux'], diff --git a/spec/classes/mod/dir_spec.rb b/spec/classes/mod/dir_spec.rb index 11622a41cb..9aad0d3ff5 100644 --- a/spec/classes/mod/dir_spec.rb 
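Review bot: In deflate_spec.rb the new "default configuration with parameters" context passes `types` and `notes` by declaring `apache::mod::deflate` resource-style inside `pre_condition`, whereas dir_spec.rb and status_spec.rb in this patch pass parameters through `let :params`. Using `let(:params) { { :types => ['text/html', 'text/css'], :notes => { 'Input' => 'instream', 'Ratio' => 'ratio' } } }` would keep the class under test out of `pre_condition`. It would also make the context name match what the examples actually do. `general_deflate_specs` is defined above this hunk, so its expectations could not be checked against this suggestion.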
+++ b/spec/classes/mod/dir_spec.rb 
@@ -1,138 +1,137 @@ require 'spec_helper' describe 'apache::mod::dir', :type => :class do - let :pre_condition do - 'class { "apache": - default_mods => false, - }' - end - context "on a Debian OS" do - let :facts do - { - :osfamily => 'Debian', - :operatingsystemrelease => '6', - :concat_basedir => '/dne', - :operatingsystem => 'Debian', - :id => 'root', - :kernel => 'Linux', - :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - :lsbdistcodename => 'squeeze', - :is_pe => false, - } - end - context "passing no parameters" do - it { is_expected.to contain_class("apache::params") } - it { is_expected.to contain_apache__mod('dir') } - it { is_expected.to contain_file('dir.conf').with_content(/^DirectoryIndex /) } - it { is_expected.to contain_file('dir.conf').with_content(/ index\.html /) } - it { is_expected.to contain_file('dir.conf').with_content(/ index\.html\.var /) } - it { is_expected.to contain_file('dir.conf').with_content(/ index\.cgi /) } - it { is_expected.to contain_file('dir.conf').with_content(/ index\.pl /) } - it { is_expected.to contain_file('dir.conf').with_content(/ index\.php /) } - it { is_expected.to contain_file('dir.conf').with_content(/ index\.xhtml$/) } - end - context "passing indexes => ['example.txt','fearsome.aspx']" do - let :params do - {:indexes => ['example.txt','fearsome.aspx']} + it_behaves_like "a mod class, without including apache" + + context "default configuration with parameters" do + context "on a Debian OS" do + let :facts do + { + :osfamily => 'Debian', + :operatingsystemrelease => '6', + :concat_basedir => '/dne', + :operatingsystem => 'Debian', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :lsbdistcodename => 'squeeze', + :is_pe => false, + } end - it { is_expected.to contain_file('dir.conf').with_content(/ example\.txt /) } - it { is_expected.to contain_file('dir.conf').with_content(/ fearsome\.aspx$/) } - end - end - context 
"on a RedHat OS" do - let :facts do - { - :osfamily => 'RedHat', - :operatingsystemrelease => '6', - :concat_basedir => '/dne', - :operatingsystem => 'Redhat', - :id => 'root', - :kernel => 'Linux', - :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - :is_pe => false, - } - end - context "passing no parameters" do - it { is_expected.to contain_class("apache::params") } - it { is_expected.to contain_apache__mod('dir') } - it { is_expected.to contain_file('dir.conf').with_content(/^DirectoryIndex /) } - it { is_expected.to contain_file('dir.conf').with_content(/ index\.html /) } - it { is_expected.to contain_file('dir.conf').with_content(/ index\.html\.var /) } - it { is_expected.to contain_file('dir.conf').with_content(/ index\.cgi /) } - it { is_expected.to contain_file('dir.conf').with_content(/ index\.pl /) } - it { is_expected.to contain_file('dir.conf').with_content(/ index\.php /) } - it { is_expected.to contain_file('dir.conf').with_content(/ index\.xhtml$/) } - end - context "passing indexes => ['example.txt','fearsome.aspx']" do - let :params do - {:indexes => ['example.txt','fearsome.aspx']} + context "passing no parameters" do + it { is_expected.to contain_class("apache::params") } + it { is_expected.to contain_apache__mod('dir') } + it { is_expected.to contain_file('dir.conf').with_content(/^DirectoryIndex /) } + it { is_expected.to contain_file('dir.conf').with_content(/ index\.html /) } + it { is_expected.to contain_file('dir.conf').with_content(/ index\.html\.var /) } + it { is_expected.to contain_file('dir.conf').with_content(/ index\.cgi /) } + it { is_expected.to contain_file('dir.conf').with_content(/ index\.pl /) } + it { is_expected.to contain_file('dir.conf').with_content(/ index\.php /) } + it { is_expected.to contain_file('dir.conf').with_content(/ index\.xhtml$/) } end - it { is_expected.to contain_file('dir.conf').with_content(/ example\.txt /) } - it { is_expected.to contain_file('dir.conf').with_content(/ 
fearsome\.aspx$/) } - end - end - context "on a FreeBSD OS" do - let :facts do - { - :osfamily => 'FreeBSD', - :operatingsystemrelease => '9', - :concat_basedir => '/dne', - :operatingsystem => 'FreeBSD', - :id => 'root', - :kernel => 'FreeBSD', - :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - :is_pe => false, - } - end - context "passing no parameters" do - it { is_expected.to contain_class("apache::params") } - it { is_expected.to contain_apache__mod('dir') } - it { is_expected.to contain_file('dir.conf').with_content(/^DirectoryIndex /) } - it { is_expected.to contain_file('dir.conf').with_content(/ index\.html /) } - it { is_expected.to contain_file('dir.conf').with_content(/ index\.html\.var /) } - it { is_expected.to contain_file('dir.conf').with_content(/ index\.cgi /) } - it { is_expected.to contain_file('dir.conf').with_content(/ index\.pl /) } - it { is_expected.to contain_file('dir.conf').with_content(/ index\.php /) } - it { is_expected.to contain_file('dir.conf').with_content(/ index\.xhtml$/) } - end - context "passing indexes => ['example.txt','fearsome.aspx']" do - let :params do - {:indexes => ['example.txt','fearsome.aspx']} + context "passing indexes => ['example.txt','fearsome.aspx']" do + let :params do + {:indexes => ['example.txt','fearsome.aspx']} + end + it { is_expected.to contain_file('dir.conf').with_content(/ example\.txt /) } + it { is_expected.to contain_file('dir.conf').with_content(/ fearsome\.aspx$/) } end - it { is_expected.to contain_file('dir.conf').with_content(/ example\.txt /) } - it { is_expected.to contain_file('dir.conf').with_content(/ fearsome\.aspx$/) } end - end - context "on a Gentoo OS" do - let :facts do - { - :osfamily => 'Gentoo', - :operatingsystem => 'Gentoo', - :operatingsystemrelease => '3.16.1-gentoo', - :concat_basedir => '/dne', - :id => 'root', - :kernel => 'Linux', - :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin', - :is_pe => false, - } + 
context "on a RedHat OS" do + let :facts do + { + :osfamily => 'RedHat', + :operatingsystemrelease => '6', + :concat_basedir => '/dne', + :operatingsystem => 'Redhat', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :is_pe => false, + } + end + context "passing no parameters" do + it { is_expected.to contain_class("apache::params") } + it { is_expected.to contain_apache__mod('dir') } + it { is_expected.to contain_file('dir.conf').with_content(/^DirectoryIndex /) } + it { is_expected.to contain_file('dir.conf').with_content(/ index\.html /) } + it { is_expected.to contain_file('dir.conf').with_content(/ index\.html\.var /) } + it { is_expected.to contain_file('dir.conf').with_content(/ index\.cgi /) } + it { is_expected.to contain_file('dir.conf').with_content(/ index\.pl /) } + it { is_expected.to contain_file('dir.conf').with_content(/ index\.php /) } + it { is_expected.to contain_file('dir.conf').with_content(/ index\.xhtml$/) } + end + context "passing indexes => ['example.txt','fearsome.aspx']" do + let :params do + {:indexes => ['example.txt','fearsome.aspx']} + end + it { is_expected.to contain_file('dir.conf').with_content(/ example\.txt /) } + it { is_expected.to contain_file('dir.conf').with_content(/ fearsome\.aspx$/) } + end end - context "passing no parameters" do - it { is_expected.to contain_class("apache::params") } - it { is_expected.to contain_apache__mod('dir') } - it { is_expected.to contain_file('dir.conf').with_content(/^DirectoryIndex /) } - it { is_expected.to contain_file('dir.conf').with_content(/ index\.html /) } - it { is_expected.to contain_file('dir.conf').with_content(/ index\.html\.var /) } - it { is_expected.to contain_file('dir.conf').with_content(/ index\.cgi /) } - it { is_expected.to contain_file('dir.conf').with_content(/ index\.pl /) } - it { is_expected.to contain_file('dir.conf').with_content(/ index\.php /) } - it { is_expected.to 
contain_file('dir.conf').with_content(/ index\.xhtml$/) } + context "on a FreeBSD OS" do + let :facts do + { + :osfamily => 'FreeBSD', + :operatingsystemrelease => '9', + :concat_basedir => '/dne', + :operatingsystem => 'FreeBSD', + :id => 'root', + :kernel => 'FreeBSD', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :is_pe => false, + } + end + context "passing no parameters" do + it { is_expected.to contain_class("apache::params") } + it { is_expected.to contain_apache__mod('dir') } + it { is_expected.to contain_file('dir.conf').with_content(/^DirectoryIndex /) } + it { is_expected.to contain_file('dir.conf').with_content(/ index\.html /) } + it { is_expected.to contain_file('dir.conf').with_content(/ index\.html\.var /) } + it { is_expected.to contain_file('dir.conf').with_content(/ index\.cgi /) } + it { is_expected.to contain_file('dir.conf').with_content(/ index\.pl /) } + it { is_expected.to contain_file('dir.conf').with_content(/ index\.php /) } + it { is_expected.to contain_file('dir.conf').with_content(/ index\.xhtml$/) } + end + context "passing indexes => ['example.txt','fearsome.aspx']" do + let :params do + {:indexes => ['example.txt','fearsome.aspx']} + end + it { is_expected.to contain_file('dir.conf').with_content(/ example\.txt /) } + it { is_expected.to contain_file('dir.conf').with_content(/ fearsome\.aspx$/) } + end end - context "passing indexes => ['example.txt','fearsome.aspx']" do - let :params do - {:indexes => ['example.txt','fearsome.aspx']} + context "on a Gentoo OS" do + let :facts do + { + :osfamily => 'Gentoo', + :operatingsystem => 'Gentoo', + :operatingsystemrelease => '3.16.1-gentoo', + :concat_basedir => '/dne', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin', + :is_pe => false, + } + end + context "passing no parameters" do + it { is_expected.to contain_class("apache::params") } + it { is_expected.to contain_apache__mod('dir') 
} + it { is_expected.to contain_file('dir.conf').with_content(/^DirectoryIndex /) } + it { is_expected.to contain_file('dir.conf').with_content(/ index\.html /) } + it { is_expected.to contain_file('dir.conf').with_content(/ index\.html\.var /) } + it { is_expected.to contain_file('dir.conf').with_content(/ index\.cgi /) } + it { is_expected.to contain_file('dir.conf').with_content(/ index\.pl /) } + it { is_expected.to contain_file('dir.conf').with_content(/ index\.php /) } + it { is_expected.to contain_file('dir.conf').with_content(/ index\.xhtml$/) } + end + context "passing indexes => ['example.txt','fearsome.aspx']" do + let :params do + {:indexes => ['example.txt','fearsome.aspx']} + end + it { is_expected.to contain_file('dir.conf').with_content(/ example\.txt /) } + it { is_expected.to contain_file('dir.conf').with_content(/ fearsome\.aspx$/) } end - it { is_expected.to contain_file('dir.conf').with_content(/ example\.txt /) } - it { is_expected.to contain_file('dir.conf').with_content(/ fearsome\.aspx$/) } end end end diff --git a/spec/classes/mod/status_spec.rb b/spec/classes/mod/status_spec.rb index e3b3d24428..7bc7831fba 100644 --- a/spec/classes/mod/status_spec.rb +++ b/spec/classes/mod/status_spec.rb 
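Review bot: The "on a RedHat OS" context sets `:operatingsystem => 'Redhat'` (lower-case h), while the other specs in this patch use `'RedHat'` for the same fact. The line is re-added here with new indentation, so it can be corrected to `:operatingsystem => 'RedHat',` in the same change. Whether any manifest compares this fact case-sensitively is not visible from the hunk. If one does, the context would be exercising a fallback path rather than the RedHat one.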
@@ -21,139 +21,89 @@ def status_conf_spec(allow_from, extended_status, status_path) end describe 'apache::mod::status', :type => :class do - let :pre_condition do - 'include apache' - end - - context "on a Debian OS with default params" do - let :facts do - { - :osfamily => 'Debian', - :operatingsystemrelease => '6', - :concat_basedir => '/dne', - :lsbdistcodename => 'squeeze', - :operatingsystem => 'Debian', - :id => 'root', - :kernel => 'Linux', - :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - :is_pe => false, - } - end - - it { is_expected.to contain_apache__mod("status") } + it_behaves_like "a mod class, without including apache" + + context "default configuration with parameters" do + context "on a Debian OS with default params" do + let :facts do + { + :osfamily => 'Debian', + :operatingsystemrelease => '6', + :concat_basedir => '/dne', + :lsbdistcodename => 'squeeze', + :operatingsystem => 'Debian', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :is_pe => false, + } + end - status_conf_spec(["127.0.0.1", "::1"], "On", "/server-status") + it { is_expected.to contain_apache__mod("status") } - it { is_expected.to contain_file("status.conf").with({ - :ensure => 'file', - :path => '/etc/apache2/mods-available/status.conf', - } ) } + status_conf_spec(["127.0.0.1", "::1"], "On", "/server-status") - it { is_expected.to contain_file("status.conf symlink").with({ - :ensure => 'link', - :path => '/etc/apache2/mods-enabled/status.conf', - } ) } + it { is_expected.to contain_file("status.conf").with({ + :ensure => 'file', + :path => '/etc/apache2/mods-available/status.conf', + } ) } - end + it { is_expected.to contain_file("status.conf symlink").with({ + :ensure => 'link', + :path => '/etc/apache2/mods-enabled/status.conf', + } ) } - context "on a RedHat OS with default params" do - let :facts do - { - :osfamily => 'RedHat', - :operatingsystemrelease => '6', - :concat_basedir 
=> '/dne', - :operatingsystem => 'RedHat', - :id => 'root', - :kernel => 'Linux', - :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - :is_pe => false, - } end - it { is_expected.to contain_apache__mod("status") } + context "on a RedHat OS with default params" do + let :facts do + { + :osfamily => 'RedHat', + :operatingsystemrelease => '6', + :concat_basedir => '/dne', + :operatingsystem => 'RedHat', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :is_pe => false, + } + end - status_conf_spec(["127.0.0.1", "::1"], "On", "/server-status") + it { is_expected.to contain_apache__mod("status") } - it { is_expected.to contain_file("status.conf").with_path("/etc/httpd/conf.d/status.conf") } + status_conf_spec(["127.0.0.1", "::1"], "On", "/server-status") - end + it { is_expected.to contain_file("status.conf").with_path("/etc/httpd/conf.d/status.conf") } - context "with custom parameters $allow_from => ['10.10.10.10','11.11.11.11'], $extended_status => 'Off', $status_path => '/custom-status'" do - let :facts do - { - :osfamily => 'Debian', - :operatingsystemrelease => '6', - :concat_basedir => '/dne', - :lsbdistcodename => 'squeeze', - :operatingsystem => 'Debian', - :id => 'root', - :kernel => 'Linux', - :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - :is_pe => false, - } - end - let :params do - { - :allow_from => ['10.10.10.10','11.11.11.11'], - :extended_status => 'Off', - :status_path => '/custom-status', - } end - status_conf_spec(["10.10.10.10", "11.11.11.11"], "Off", "/custom-status") - - end + context "with custom parameters $allow_from => ['10.10.10.10','11.11.11.11'], $extended_status => 'Off', $status_path => '/custom-status'" do + let :facts do + { + :osfamily => 'Debian', + :operatingsystemrelease => '6', + :concat_basedir => '/dne', + :lsbdistcodename => 'squeeze', + :operatingsystem => 'Debian', + :id => 'root', + :kernel => 'Linux', + 
:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :is_pe => false, + } + end + let :params do + { + :allow_from => ['10.10.10.10','11.11.11.11'], + :extended_status => 'Off', + :status_path => '/custom-status', + } + end - context "with valid parameter type $allow_from => ['10.10.10.10']" do - let :facts do - { - :osfamily => 'Debian', - :operatingsystemrelease => '6', - :concat_basedir => '/dne', - :lsbdistcodename => 'squeeze', - :operatingsystem => 'Debian', - :id => 'root', - :kernel => 'Linux', - :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - :is_pe => false, - } - end - let :params do - { :allow_from => ['10.10.10.10'] } - end - it 'should expect to succeed array validation' do - expect { - is_expected.to contain_file("status.conf") - }.not_to raise_error() - end - end + status_conf_spec(["10.10.10.10", "11.11.11.11"], "Off", "/custom-status") - context "with invalid parameter type $allow_from => '10.10.10.10'" do - let :facts do - { - :osfamily => 'Debian', - :operatingsystemrelease => '6', - :concat_basedir => '/dne', - :operatingsystem => 'Debian', - :id => 'root', - :kernel => 'Linux', - :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - :is_pe => false, - } - end - let :params do - { :allow_from => '10.10.10.10' } end - it 'should expect to fail array validation' do - expect { - is_expected.to contain_file("status.conf") - }.to raise_error(Puppet::Error) - end - end - # Only On or Off are valid options - ['On', 'Off'].each do |valid_param| - context "with valid value $extended_status => '#{valid_param}'" do + context "with valid parameter type $allow_from => ['10.10.10.10']" do let :facts do { :osfamily => 'Debian', 
@@ -168,18 +118,16 @@ def status_conf_spec(allow_from, extended_status, status_path) } end let :params do - { :extended_status => valid_param } + { :allow_from => ['10.10.10.10'] } end - it 'should expect to succeed regular expression validation' do + it 'should expect to succeed array validation' do expect { is_expected.to contain_file("status.conf") }.not_to raise_error() end end - end - ['Yes', 'No'].each do |invalid_param| - context "with invalid value $extended_status => '#{invalid_param}'" do + context "with invalid parameter type $allow_from => '10.10.10.10'" do let :facts do { :osfamily => 'Debian', 
@@ -193,14 +141,65 @@ def status_conf_spec(allow_from, extended_status, status_path) } end let :params do - { :extended_status => invalid_param } + { :allow_from => '10.10.10.10' } end - it 'should expect to fail regular expression validation' do + it 'should expect to fail array validation' do expect { is_expected.to contain_file("status.conf") }.to raise_error(Puppet::Error) end end - end + # Only On or Off are valid options + ['On', 'Off'].each do |valid_param| + context "with valid value $extended_status => '#{valid_param}'" do + let :facts do + { + :osfamily => 'Debian', + :operatingsystemrelease => '6', + :concat_basedir => '/dne', + :lsbdistcodename => 'squeeze', + :operatingsystem => 'Debian', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :is_pe => false, + } + end + let :params do + { :extended_status => valid_param } + end + it 'should expect to succeed regular expression validation' do + expect { + is_expected.to contain_file("status.conf") + }.not_to raise_error() + end + end + end + + ['Yes', 'No'].each do |invalid_param| + context "with invalid value $extended_status => '#{invalid_param}'" do + let :facts do + { + :osfamily => 'Debian', + :operatingsystemrelease => '6', + :concat_basedir => '/dne', + :operatingsystem => 'Debian', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :is_pe => false, + } + end + let :params do + { :extended_status => invalid_param } + end + it 'should expect to fail regular expression validation' do + expect { + is_expected.to contain_file("status.conf") + }.to raise_error(Puppet::Error) + end + end + end + end end diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb index 475b72c07b..c48f49b1bf 100644 --- a/spec/spec_helper.rb +++ b/spec/spec_helper.rb 
@@ -21,3 +21,20 @@ shared_examples :compile, :compile => true do it { should compile.with_all_deps } end + +shared_examples 'a mod class, without including apache' do + let :facts do + { + :id => 'root', + :lsbdistcodename => 'squeeze', + :kernel => 'Linux', + :osfamily => 'Debian', + :operatingsystem => 'Debian', + :operatingsystemrelease => '6', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :concat_basedir => '/dne', + :is_pe => false, + } + end + it { should compile.with_all_deps } +end diff --git a/templates/mod/alias.conf.erb b/templates/mod/alias.conf.erb index 2056476e82..799b2e666b 100644 --- a/templates/mod/alias.conf.erb +++ b/templates/mod/alias.conf.erb @@ -3,7 +3,7 @@ Alias /icons/ "<%= @icons_path %>/" "> Options <%= @icons_options %> AllowOverride None -<%- if scope.function_versioncmp([@apache_version, '2.4']) >= 0 -%> +<%- if scope.function_versioncmp([@real_apache_version, '2.4']) >= 0 -%> Require all granted <%- else -%> Order allow,deny diff --git a/templates/mod/status.conf.erb b/templates/mod/status.conf.erb index f02ed156ff..895bf0c665 100644 --- a/templates/mod/status.conf.erb +++ b/templates/mod/status.conf.erb @@ -1,6 +1,6 @@ > SetHandler server-status - <%- if scope.function_versioncmp([@apache_version, '2.4']) >= 0 -%> + <%- if scope.function_versioncmp([@real_apache_version, '2.4']) >= 0 -%> Require ip <%= Array(@allow_from).join(" ") %> <%- else -%> Order deny,allow From 328cb96780d40142c74261137b508daa8aefe98d Mon Sep 17 00:00:00 2001 
From: Jason Hancock Date: Fri, 19 Feb 2016 14:27:34 -0800 Subject: [PATCH 033/100] Ensure module packages are installed before evaluating conf.d dir The problem I'm running into on EL7 is that when the ssl module is enabled, the mod_ssl package gets installed and drops `/etc/httpd/conf.d/ssl.conf`. We want to remove that file, but the purge for `/etc/httpd/conf.d` is being evaluated before the mod_ssl package is being installed. On the second client run the `ssl.conf` file will be removed. This change ensures that the `mod_ssl` package gets installed prior to the purge on `/etc/httpd/conf.d` being evaluated so that the ssl.conf file gets removed on the first client run. --- manifests/mod.pp | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/manifests/mod.pp b/manifests/mod.pp index 33b4de1ab3..014aa274ae 100644 --- a/manifests/mod.pp +++ b/manifests/mod.pp @@ -64,7 +64,10 @@ File[$_loadfile_name], File["${::apache::conf_dir}/${::apache::params::conf_file}"] ], - default => File[$_loadfile_name], + default => [ + File[$_loadfile_name], + File[$::apache::confd_dir], + ], } # if there are any packages, they should be installed before the associated conf file Package[$_package] -> File<| title == "${mod}.conf" |> From 15950ea9d3e3edbbed1533958a7d00205a95bcc8 Mon Sep 17 00:00:00 2001 From: kaihowl Date: Tue, 23 Feb 2016 08:21:45 +0100 Subject: [PATCH 034/100] [MODULES-1628] Fix mod rewrite typo in examples There is no HTTPS_HOST variable in mod_rewrite --- examples/vhost.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/examples/vhost.pp b/examples/vhost.pp index 0cf8da75c4..79ac994019 100644 --- a/examples/vhost.pp +++ b/examples/vhost.pp @@ -151,7 +151,7 @@ { comment => 'redirect non-SSL traffic to SSL site', rewrite_cond => ['%{HTTPS} off'], - rewrite_rule => ['(.*) https://%{HTTPS_HOST}%{REQUEST_URI}'], + rewrite_rule => ['(.*) https://%{HTTP_HOST}%{REQUEST_URI}'], } ] } 
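Review bot: Only the `default` arm of this selector gains `File[$::apache::confd_dir]`; the arm above it still lists just `File[$_loadfile_name]` and the main conf file, so on whatever platform it matches the package can presumably still be installed after the conf.d purge is evaluated. For mod_ssl that leaves an unmanaged, package-supplied `ssl.conf` active until the second run, which is the case the commit message describes. If that arm's platform also purges conf.d, add `File[$::apache::confd_dir],` to its list as well. The selector starts above the hunk, so the case it matches is not visible here.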
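Review bot: The corrected rule still builds the redirect target from `%{HTTP_HOST}`, which is the Host header sent by the client, so when this vhost is the default for its port a request with an arbitrary Host is redirected to that name. Examples get copied into production, so writing the vhost's own server name into the target is the safer pattern to show. For the hunk at -183 that would be `rewrite_rule => '(.*) https://sixteenth.example.com%{REQUEST_URI}',`, assuming that resource uses the same servername as the SSL sibling shown below it. The same applies to the `rewrites` entry in this first hunk, whose vhost definition starts outside the hunk.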
@@ -183,7 +183,7 @@ port => '80', docroot => '/var/www/sixteenth', rewrite_cond => '%{HTTPS} off', - rewrite_rule => '(.*) https://%{HTTPS_HOST}%{REQUEST_URI}', + rewrite_rule => '(.*) https://%{HTTP_HOST}%{REQUEST_URI}', } apache::vhost { 'sixteenth.example.com ssl old rewrite': servername => 'sixteenth.example.com', From 779e040e71e15377f8531118096850668717b309 Mon Sep 17 00:00:00 2001 From: tphoney Date: Wed, 24 Feb 2016 16:27:22 +0000 Subject: [PATCH 035/100] only run the passenger tests on non redhat --- spec/acceptance/vhost_spec.rb | 40 +++++++++++------------------------ 1 file changed, 12 insertions(+), 28 deletions(-) diff --git a/spec/acceptance/vhost_spec.rb b/spec/acceptance/vhost_spec.rb index d65e397849..5a978c4356 100644 --- a/spec/acceptance/vhost_spec.rb +++ b/spec/acceptance/vhost_spec.rb 
@@ -1107,38 +1107,22 @@ class { 'apache': service_ensure => stopped, } end describe 'rack_base_uris' do - before :all do - pp = "if $::osfamily == 'RedHat' { include epel }" - apply_manifest(pp, :catch_failures => true) - end - - it 'applies cleanly' do - test = lambda do - pp = <<-EOS - class { 'apache': } - host { 'test.server': ip => '127.0.0.1' } - apache::vhost { 'test.server': - docroot => '/tmp', - rack_base_uris => ['/test'], - } - EOS - apply_manifest(pp, :catch_failures => true) - end - if (fact('osfamily') == 'RedHat' and ! ['7','6','5'].include?(fact('operatingsystemmajrelease'))) - pending("Passenger isn't even in EPEL on el-5, needs a kernel update on el-6, and needs selinux-policy >= 3.13.1-60 on el7 which is not available in official repos") do - test.call + if (fact('osfamily') != 'RedHat') + it 'applies cleanly' do + test = lambda do + pp = <<-EOS + class { 'apache': } + host { 'test.server': ip => '127.0.0.1' } + apache::vhost { 'test.server': + docroot => '/tmp', + rack_base_uris => ['/test'], + } + EOS + apply_manifest(pp, :catch_failures => true) end - else test.call end end - - if (fact('osfamily') == 'RedHat' and ! ['7','6','5'].include?(fact('operatingsystemmajrelease'))) - describe file("#{$vhost_dir}/25-test.server.conf") do - it { is_expected.to be_file } - it { is_expected.to contain 'RackBaseURI /test' } - end - end end describe 'no_proxy_uris' do From 20440e515f1bacb3780bf386c46a8c85ab3205b2 Mon Sep 17 00:00:00 2001 From: Chris Reeves Date: Wed, 24 Feb 2016 18:48:02 +0000 Subject: [PATCH 036/100] Fix typo in README for shib_request_settings vhost param --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index d188f12c70..dd89b37b58 100644 --- a/README.md +++ b/README.md 
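Review bot: After this change the `rack_base_uris` block only checks that the manifest applies; the `describe file("#{$vhost_dir}/25-test.server.conf")` assertions for `RackBaseURI /test` are deleted instead of being moved under the new `if (fact('osfamily') != 'RedHat')` guard, so nothing verifies that the directive is rendered. Keeping `it { is_expected.to be_file }` and `it { is_expected.to contain 'RackBaseURI /test' }` inside the guard would restore that coverage. The `test = lambda do … end` / `test.call` wrapper is left over from the removed `pending` branch, so the `it` body can call `apply_manifest(pp, :catch_failures => true)` directly.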
@@ -3133,7 +3133,7 @@ apache::vhost { 'secure.example.net': > **Note**: If you include rewrites in your directories, also include `apache::mod::rewrite` and consider setting the rewrites using the `rewrites` parameter in `apache::vhost` rather than setting the rewrites in the virtual host's directories. -###### `shib_request_setting` +###### `shib_request_settings` Allows a valid content setting to be set or altered for the application request. This command takes two parameters: the name of the content setting, and the value to set it to. Check the Shibboleth [content setting documentation](https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPContentSettings) for valid settings. This key is disabled if `apache::mod::shib` is not defined. Check the [`mod_shib` documentation](https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig#NativeSPApacheConfig-Server/VirtualHostOptions) for more details. From 8150ee15e1f6dcde500a5d092914596ecabc25b4 Mon Sep 17 00:00:00 2001 From: Jan Schumann Date: Thu, 25 Feb 2016 10:36:26 +0100 Subject: [PATCH 037/100] better readable template --- templates/fastcgi/server.erb | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/templates/fastcgi/server.erb b/templates/fastcgi/server.erb index 61169413d1..7a3837b1b3 100644 --- a/templates/fastcgi/server.erb +++ b/templates/fastcgi/server.erb 
@@ -1,4 +1,17 @@ -FastCGIExternalServer <%= @faux_path %> -idle-timeout <%= @timeout %> <%= if @flush then '-flush' end %> -host <%= @host -%> -<%- if @pass_header -%> -pass-header <%= @pass_header %><% end %> +<% + timeout = " -idle-timeout #{@timeout}" + flush = "" + if @flush + flush = " -flush" + end + host = " -host #{@host}" + pass_header = "" + if @pass_header and ! @pass_header.empty? + pass_header = " -pass-header #{@pass_header}" + end + + options = timeout + flush + host + pass_header +-%> +FastCGIExternalServer <%= @faux_path %><%= options %> Alias <%= @fcgi_alias %> <%= @faux_path %> Action <%= @file_type %> <%= @fcgi_alias %> From 7450d813465e51d3e467322ef2a48fe2d471b54d Mon Sep 17 00:00:00 2001 
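Review bot: The new guard `! @pass_header.empty?` assumes a String or Array; any other truthy value (a boolean from Hiera, say) now raises NoMethodError while the template renders, where the old template just printed it, so `if @pass_header and ! @pass_header.to_s.empty?` is safer. The rewrite also changes output, not only readability: an empty `pass_header` no longer emits `-pass-header`, which deserves a spec. `@timeout`, `@host` and `@pass_header` still go into the directive line unchecked, so embedded whitespace or a newline would alter the option list; validating them in the defined type that renders this template (not visible here) would close that.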
From: tphoney Date: Wed, 24 Feb 2016 14:58:15 +0000 Subject: [PATCH 038/100] include apache, so parsing works --- manifests/mod/alias.pp | 4 ++-- manifests/mod/expires.pp | 1 + manifests/mod/ext_filter.pp | 2 +- manifests/mod/fastcgi.pp | 1 + manifests/mod/fcgid.pp | 1 + manifests/mod/info.pp | 8 ++++---- manifests/mod/ldap.pp | 6 ++++-- manifests/mod/mime.pp | 8 +++++--- manifests/mod/mime_magic.pp | 4 +++- manifests/mod/negotiation.pp | 1 + manifests/mod/pagespeed.pp | 8 +++++--- manifests/mod/passenger.pp | 4 ++-- manifests/mod/perl.pp | 1 + manifests/mod/proxy.pp | 6 ++++-- manifests/mod/proxy_connect.pp | 6 ++++-- manifests/mod/proxy_html.pp | 1 + manifests/mod/python.pp | 1 + manifests/mod/remoteip.pp | 6 ++++-- manifests/mod/reqtimeout.pp | 1 + manifests/mod/rpaf.pp | 1 + manifests/mod/security.pp | 3 ++- manifests/mod/shib.pp | 4 ++-- manifests/mod/speling.pp | 1 + manifests/mod/ssl.pp | 12 ++++++------ manifests/mod/status.pp | 4 ++-- manifests/mod/suphp.pp | 1 + manifests/mod/wsgi.pp | 4 ++-- spec/classes/mod/expires_spec.rb | 5 ++--- spec/classes/mod/ext_filter_spec.rb | 6 +----- spec/classes/mod/fastcgi_spec.rb | 4 +--- spec/classes/mod/fcgid_spec.rb | 4 +--- spec/classes/mod/info_spec.rb | 4 +--- spec/classes/mod/ldap_spec.rb | 4 +--- spec/classes/mod/mime_magic_spec.rb | 4 +--- spec/classes/mod/mime_spec.rb | 4 +--- spec/classes/mod/negotiation_spec.rb | 11 +---------- spec/classes/mod/pagespeed_spec.rb | 3 --- spec/classes/mod/passenger_spec.rb | 4 +--- spec/classes/mod/perl_spec.rb | 4 +--- spec/classes/mod/proxy_connect_spec.rb | 2 +- spec/classes/mod/proxy_html_spec.rb | 2 +- spec/classes/mod/python_spec.rb | 5 ++--- spec/classes/mod/remoteip_spec.rb | 5 ----- spec/classes/mod/reqtimeout_spec.rb | 6 +----- spec/classes/mod/rpaf_spec.rb | 6 +----- spec/classes/mod/security_spec.rb | 5 +---- spec/classes/mod/shib_spec.rb | 4 +--- spec/classes/mod/speling_spec.rb | 4 +--- spec/classes/mod/ssl_spec.rb | 4 +--- spec/classes/mod/suphp_spec.rb | 4 +--- 
spec/classes/mod/wsgi_spec.rb | 4 +--- templates/mod/alias.conf.erb | 2 +- templates/mod/info.conf.erb | 2 +- templates/mod/ldap.conf.erb | 2 +- templates/mod/mime.conf.erb | 2 +- templates/mod/mime_magic.conf.erb | 2 +- templates/mod/pagespeed.conf.erb | 6 +++--- templates/mod/proxy.conf.erb | 2 +- templates/mod/ssl.conf.erb | 2 +- templates/mod/status.conf.erb | 2 +- 60 files changed, 98 insertions(+), 132 deletions(-) diff --git a/manifests/mod/alias.pp b/manifests/mod/alias.pp index 91f68b2dc2..4eb42ac974 100644 --- a/manifests/mod/alias.pp +++ b/manifests/mod/alias.pp @@ -5,10 +5,10 @@ $icons_path = $::apache::params::alias_icons_path, ) inherits ::apache::params { include ::apache - $real_apache_version = pick($apache_version, $apache::apache_version) + $_apache_version = pick($apache_version, $apache::apache_version) apache::mod { 'alias': } - # Template uses $icons_path + # Template uses $icons_path, $_apache_version if $icons_path { file { 'alias.conf': ensure => file, diff --git a/manifests/mod/expires.pp b/manifests/mod/expires.pp index 1531fc54d9..07ec82e276 100644 --- a/manifests/mod/expires.pp +++ b/manifests/mod/expires.pp @@ -3,6 +3,7 @@ $expires_default = undef, $expires_by_type = undef, ) { + include ::apache ::apache::mod { 'expires': } # Template uses diff --git a/manifests/mod/ext_filter.pp b/manifests/mod/ext_filter.pp index 244c2b1da1..aa14c10259 100644 --- a/manifests/mod/ext_filter.pp +++ b/manifests/mod/ext_filter.pp @@ -1,7 +1,7 @@ class apache::mod::ext_filter( $ext_filter_define = undef ) { - + include ::apache if $ext_filter_define { validate_hash($ext_filter_define) } diff --git a/manifests/mod/fastcgi.pp b/manifests/mod/fastcgi.pp index c4da5b1e63..543a322336 100644 --- a/manifests/mod/fastcgi.pp +++ b/manifests/mod/fastcgi.pp @@ -1,4 +1,5 @@ class apache::mod::fastcgi { + include ::apache # Debian specifies it's fastcgi lib path, but RedHat uses the default value # with no config file 
diff --git a/manifests/mod/fcgid.pp b/manifests/mod/fcgid.pp index 69e3112d4f..0e99a9b799 100644 --- a/manifests/mod/fcgid.pp +++ b/manifests/mod/fcgid.pp @@ -1,6 +1,7 @@ class apache::mod::fcgid( $options = {}, ) { + include ::apache if ($::osfamily == 'RedHat' and $::operatingsystemmajrelease == '7') or $::osfamily == 'FreeBSD' { $loadfile_name = 'unixd_fcgid.load' $conf_name = 'unixd_fcgid.conf' diff --git a/manifests/mod/info.pp b/manifests/mod/info.pp index bed35af3a1..2c477c748f 100644 --- a/manifests/mod/info.pp +++ b/manifests/mod/info.pp @@ -1,12 +1,12 @@ class apache::mod::info ( $allow_from = ['127.0.0.1','::1'], - $apache_version = $::apache::apache_version, + $apache_version = undef, $restrict_access = true, ){ + include ::apache + $_apache_version = pick($apache_version, $apache::apache_version) apache::mod { 'info': } - # Template uses - # $allow_from - # $apache_version + # Template uses $allow_from, $_apache_version file { 'info.conf': ensure => file, path => "${::apache::mod_dir}/info.conf", diff --git a/manifests/mod/ldap.pp b/manifests/mod/ldap.pp index fe9f6b80a7..d842668361 100644 --- a/manifests/mod/ldap.pp +++ b/manifests/mod/ldap.pp @@ -1,5 +1,5 @@ class apache::mod::ldap ( - $apache_version = $::apache::apache_version, + $apache_version = undef, $ldap_trusted_global_cert_file = undef, $ldap_trusted_global_cert_type = 'CA_BASE64', $ldap_shared_cache_size = undef, @@ -8,11 +8,13 @@ $ldap_opcache_entries = undef, $ldap_opcache_ttl = undef, ){ + include ::apache + $_apache_version = pick($apache_version, $apache::apache_version) if ($ldap_trusted_global_cert_file) { validate_string($ldap_trusted_global_cert_type) } ::apache::mod { 'ldap': } - # Template uses $apache_version + # Template uses $_apache_version file { 'ldap.conf': ensure => file, path => "${::apache::mod_dir}/ldap.conf", diff --git a/manifests/mod/mime.pp b/manifests/mod/mime.pp index 0665eb639c..f686930932 100644 --- a/manifests/mod/mime.pp +++ b/manifests/mod/mime.pp 
@@ -1,10 +1,12 @@ class apache::mod::mime ( $mime_support_package = $::apache::params::mime_support_package, $mime_types_config = $::apache::params::mime_types_config, - $mime_types_additional = $::apache::mime_types_additional, -) { + $mime_types_additional = undef, +) inherits ::apache::params { + include ::apache + $_mime_types_additional = pick($mime_types_additional, $apache::mime_types_additional) apache::mod { 'mime': } - # Template uses $mime_types_config + # Template uses $_mime_types_config file { 'mime.conf': ensure => file, path => "${::apache::mod_dir}/mime.conf", diff --git a/manifests/mod/mime_magic.pp b/manifests/mod/mime_magic.pp index 722b0df402..ecc74cfddc 100644 --- a/manifests/mod/mime_magic.pp +++ b/manifests/mod/mime_magic.pp @@ -1,6 +1,8 @@ class apache::mod::mime_magic ( - $magic_file = "${::apache::conf_dir}/magic" + $magic_file = undef, ) { + include ::apache + $_magic_file = pick($magic_file, "${::apache::conf_dir}/magic") apache::mod { 'mime_magic': } # Template uses $magic_file file { 'mime_magic.conf': diff --git a/manifests/mod/negotiation.pp b/manifests/mod/negotiation.pp index b9aec3673f..c7c34b81fe 100644 --- a/manifests/mod/negotiation.pp +++ b/manifests/mod/negotiation.pp @@ -5,6 +5,7 @@ 'no', 'pl', 'pt', 'pt-BR', 'ru', 'sv', 'zh-CN', 'zh-TW' ], ) { + include ::apache if !is_array($force_language_priority) and !is_string($force_language_priority) { fail('force_languague_priority must be a string or array of strings') } diff --git a/manifests/mod/pagespeed.pp b/manifests/mod/pagespeed.pp index e787d88ef5..a6506007bb 100644 --- a/manifests/mod/pagespeed.pp +++ b/manifests/mod/pagespeed.pp 
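Review bot: The rewritten comment in mime.pp reads `# Template uses $_mime_types_config`, but no such variable is set in the hunk; the class has the parameter `$mime_types_config` and the new `$_mime_types_additional`. I would write `# Template uses $mime_types_config, $_mime_types_additional`. The mime_magic.pp hunk that follows has the opposite drift: it introduces `$_magic_file` but the comment still says `# Template uses $magic_file`. Both templates are changed by this commit outside the visible hunks, so confirm they read the underscore-prefixed names; both class bodies continue past their hunks.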
@@ -32,10 +32,11 @@ $allow_pagespeed_message = [], $message_buffer_size = 100000, $additional_configuration = {}, - $apache_version = $::apache::apache_version, + $apache_version = undef, ){ - - $_lib = $::apache::apache_version ? { + include ::apache + $_apache_version = pick($apache_version, $apache::apache_version) + $_lib = $_apache_version ? { '2.4' => 'mod_pagespeed_ap24.so', default => undef } @@ -44,6 +45,7 @@ lib => $_lib, } + # Template uses $_apache_version file { 'pagespeed.conf': ensure => file, path => "${::apache::mod_dir}/pagespeed.conf", diff --git a/manifests/mod/passenger.pp b/manifests/mod/passenger.pp index 7ed7563eb4..e97577d98f 100644 --- a/manifests/mod/passenger.pp +++ b/manifests/mod/passenger.pp @@ -24,8 +24,8 @@ $mod_lib_path = undef, $mod_id = undef, $mod_path = undef, -) { - +) inherits ::apache::params { + include ::apache if $passenger_spawn_method { validate_re($passenger_spawn_method, '(^smart$|^direct$|^smart-lv2$|^conservative$)', "${passenger_spawn_method} is not permitted for passenger_spawn_method. Allowed values are 'smart', 'direct', 'smart-lv2', or 'conservative'.") } diff --git a/manifests/mod/perl.pp b/manifests/mod/perl.pp index b57f25fd5f..3bfeac9770 100644 --- a/manifests/mod/perl.pp +++ b/manifests/mod/perl.pp @@ -1,3 +1,4 @@ class apache::mod::perl { + include ::apache ::apache::mod { 'perl': } } diff --git a/manifests/mod/proxy.pp b/manifests/mod/proxy.pp index 73b054ab36..1f70938921 100644 --- a/manifests/mod/proxy.pp +++ b/manifests/mod/proxy.pp @@ -1,10 +1,12 @@ class apache::mod::proxy ( $proxy_requests = 'Off', $allow_from = undef, - $apache_version = $::apache::apache_version, + $apache_version = undef, ) { + include ::apache + $_apache_version = pick($apache_version, $apache::apache_version) ::apache::mod { 'proxy': } - # Template uses $proxy_requests, $apache_version + # Template uses $proxy_requests, $_apache_version file { 'proxy.conf': ensure => file, path => "${::apache::mod_dir}/proxy.conf", 
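Review bot: `$_lib = $_apache_version ? { '2.4' => … }` now matches on a caller-supplied value, and the selector compares whole strings, so an `apache_version` such as '2.4.6' would fall through to `default => undef` and presumably load the wrong module file. Before this change the selector read `$::apache::apache_version`, which is presumably set by the module itself. The other classes in this commit (ssl.pp, remoteip.pp, proxy_connect.pp) compare with `versioncmp($_apache_version, '2.4')`, and doing the same here, e.g. `if versioncmp($_apache_version, '2.4') >= 0 { $_lib = 'mod_pagespeed_ap24.so' } else { $_lib = undef }`, keeps them consistent. The class header is outside the hunk.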
diff --git a/manifests/mod/proxy_connect.pp b/manifests/mod/proxy_connect.pp index 7adef1f899..cda5b89dc6 100644 --- a/manifests/mod/proxy_connect.pp +++ b/manifests/mod/proxy_connect.pp @@ -1,7 +1,9 @@ class apache::mod::proxy_connect ( - $apache_version = $::apache::apache_version, + $apache_version = undef, ) { - if versioncmp($apache_version, '2.2') >= 0 { + include ::apache + $_apache_version = pick($apache_version, $apache::apache_version) + if versioncmp($_apache_version, '2.2') >= 0 { Class['::apache::mod::proxy'] -> Class['::apache::mod::proxy_connect'] ::apache::mod { 'proxy_connect': } } diff --git a/manifests/mod/proxy_html.pp b/manifests/mod/proxy_html.pp index 24f332334a..cceaf0b755 100644 --- a/manifests/mod/proxy_html.pp +++ b/manifests/mod/proxy_html.pp @@ -1,4 +1,5 @@ class apache::mod::proxy_html { + include ::apache Class['::apache::mod::proxy'] -> Class['::apache::mod::proxy_html'] Class['::apache::mod::proxy_http'] -> Class['::apache::mod::proxy_html'] diff --git a/manifests/mod/python.pp b/manifests/mod/python.pp index e326c8d757..75af350114 100644 --- a/manifests/mod/python.pp +++ b/manifests/mod/python.pp @@ -1,4 +1,5 @@ class apache::mod::python { + include ::apache ::apache::mod { 'python': } } diff --git a/manifests/mod/remoteip.pp b/manifests/mod/remoteip.pp index abceb08c7d..92010cf960 100644 --- a/manifests/mod/remoteip.pp +++ b/manifests/mod/remoteip.pp @@ -3,9 +3,11 @@ $proxy_ips = [ '127.0.0.1' ], $proxies_header = undef, $trusted_proxy_ips = undef, - $apache_version = $::apache::apache_version + $apache_version = undef, ) { - if versioncmp($apache_version, '2.4') < 0 { + include ::apache + $_apache_version = pick($apache_version, $apache::apache_version) + if versioncmp($_apache_version, '2.4') < 0 { fail('mod_remoteip is only available in Apache 2.4') } diff --git a/manifests/mod/reqtimeout.pp b/manifests/mod/reqtimeout.pp index 34c96a6784..f166f6d6f6 100644 --- a/manifests/mod/reqtimeout.pp +++ b/manifests/mod/reqtimeout.pp 
@@ -1,6 +1,7 @@ class apache::mod::reqtimeout ( $timeouts = ['header=20-40,minrate=500', 'body=10,minrate=500'] ){ + include ::apache ::apache::mod { 'reqtimeout': } # Template uses no variables file { 'reqtimeout.conf': diff --git a/manifests/mod/rpaf.pp b/manifests/mod/rpaf.pp index f21c43ebda..cb65483605 100644 --- a/manifests/mod/rpaf.pp +++ b/manifests/mod/rpaf.pp @@ -3,6 +3,7 @@ $proxy_ips = [ '127.0.0.1' ], $header = 'X-Forwarded-For' ) { + include ::apache ::apache::mod { 'rpaf': } # Template uses: diff --git a/manifests/mod/security.pp b/manifests/mod/security.pp index 95018a6809..10145d7f3b 100644 --- a/manifests/mod/security.pp +++ b/manifests/mod/security.pp @@ -9,7 +9,8 @@ $content_types = 'application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf', $restricted_extensions = '.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/', $restricted_headers = '/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/', -){ +) inherits ::apache::params { + include ::apache if $::osfamily == 'FreeBSD' { fail('FreeBSD is not currently supported') diff --git a/manifests/mod/shib.pp b/manifests/mod/shib.pp index 8ec4c6dd11..4b00889260 100644 --- a/manifests/mod/shib.pp +++ b/manifests/mod/shib.pp @@ -1,7 +1,7 @@ class apache::mod::shib ( $suppress_warning = false, ) { - + include ::apache if $::osfamily == 'RedHat' and ! $suppress_warning { warning('RedHat distributions do not have Apache mod_shib in their default package repositories.') } @@ -12,4 +12,4 @@ id => 'mod_shib', } -} \ No newline at end of file +} diff --git a/manifests/mod/speling.pp b/manifests/mod/speling.pp index eb46d78f04..fbd19d373c 100644 
--- a/manifests/mod/speling.pp +++ b/manifests/mod/speling.pp @@ -1,3 +1,4 @@ class apache::mod::speling { + include ::apache ::apache::mod { 'speling': } } diff --git a/manifests/mod/ssl.pp b/manifests/mod/ssl.pp index 399131314a..c0dd1f61bf 100644 --- a/manifests/mod/ssl.pp +++ b/manifests/mod/ssl.pp @@ -10,16 +10,17 @@ $ssl_random_seed_bytes = '512', $ssl_sessioncachetimeout = '300', $ssl_mutex = undef, - $apache_version = $::apache::apache_version, + $apache_version = undef, $package_name = undef, ) { - + include ::apache + $_apache_version = pick($apache_version, $apache::apache_version) if $ssl_mutex { $_ssl_mutex = $ssl_mutex } else { case $::osfamily { 'debian': { - if versioncmp($apache_version, '2.4') >= 0 { + if versioncmp($_apache_version, '2.4') >= 0 { $_ssl_mutex = 'default' } elsif $::operatingsystem == 'Ubuntu' and $::operatingsystemrelease == '10.04' { $_ssl_mutex = 'file:/var/run/apache2/ssl_mutex' @@ -57,7 +58,7 @@ package => $package_name, } - if versioncmp($apache_version, '2.4') >= 0 { + if versioncmp($_apache_version, '2.4') >= 0 { ::apache::mod { 'socache_shmcb': } } @@ -73,8 +74,7 @@ # $ssl_mutex # $ssl_random_seed_bytes # $ssl_sessioncachetimeout - # $apache_version - # + # $_apache_version file { 'ssl.conf': ensure => file, path => "${::apache::mod_dir}/ssl.conf", diff --git a/manifests/mod/status.pp b/manifests/mod/status.pp index 364505f7b0..d30a690de8 100644 --- a/manifests/mod/status.pp +++ b/manifests/mod/status.pp 
@@ -32,11 +32,11 @@ $status_path = '/server-status', ) inherits ::apache::params { include ::apache - $real_apache_version = pick($apache_version, $apache::apache_version) + $_apache_version = pick($apache_version, $apache::apache_version) validate_array($allow_from) validate_re(downcase($extended_status), '^(on|off)$', "${extended_status} is not supported for extended_status. Allowed values are 'On' and 'Off'.") ::apache::mod { 'status': } - # Template uses $allow_from, $extended_status, $apache_version, $status_path + # Template uses $allow_from, $extended_status, $_apache_version, $status_path file { 'status.conf': ensure => file, path => "${::apache::mod_dir}/status.conf", diff --git a/manifests/mod/suphp.pp b/manifests/mod/suphp.pp index 5d426d7948..955bba302c 100644 --- a/manifests/mod/suphp.pp +++ b/manifests/mod/suphp.pp @@ -1,5 +1,6 @@ class apache::mod::suphp ( ){ + include ::apache ::apache::mod { 'suphp': } file {'suphp.conf': diff --git a/manifests/mod/wsgi.pp b/manifests/mod/wsgi.pp index d1b8214753..e726bcfaa4 100644 --- a/manifests/mod/wsgi.pp +++ b/manifests/mod/wsgi.pp @@ -4,8 +4,8 @@ $wsgi_python_home = undef, $package_name = undef, $mod_path = undef, -){ - +) inherits ::apache::params { + include ::apache if ($package_name != undef and $mod_path == undef) or ($package_name == undef and $mod_path != undef) { fail('apache::mod::wsgi - both package_name and mod_path must be specified!') } diff --git a/spec/classes/mod/expires_spec.rb b/spec/classes/mod/expires_spec.rb index e6eab7c48d..397fee0243 100644 --- a/spec/classes/mod/expires_spec.rb +++ b/spec/classes/mod/expires_spec.rb @@ -1,9 +1,8 @@ require 'spec_helper' describe 'apache::mod::expires', :type => :class do - let :pre_condition do - 'include apache' - end + it_behaves_like "a mod class, without including apache" + context "with expires active", :compile do let :facts do { 
diff --git a/spec/classes/mod/ext_filter_spec.rb b/spec/classes/mod/ext_filter_spec.rb index ed61db9f20..a0cf37cec5 100644 --- a/spec/classes/mod/ext_filter_spec.rb +++ b/spec/classes/mod/ext_filter_spec.rb @@ -1,11 +1,7 @@ require 'spec_helper' describe 'apache::mod::ext_filter', :type => :class do - let :pre_condition do - 'class { "apache": - default_mods => false, - }' - end + it_behaves_like "a mod class, without including apache" context "on a Debian OS" do let :facts do { diff --git a/spec/classes/mod/fastcgi_spec.rb b/spec/classes/mod/fastcgi_spec.rb index e204bb7460..778d27cffb 100644 --- a/spec/classes/mod/fastcgi_spec.rb +++ b/spec/classes/mod/fastcgi_spec.rb @@ -1,9 +1,7 @@ require 'spec_helper' describe 'apache::mod::fastcgi', :type => :class do - let :pre_condition do - 'include apache' - end + it_behaves_like "a mod class, without including apache" context "on a Debian OS" do let :facts do { diff --git a/spec/classes/mod/fcgid_spec.rb b/spec/classes/mod/fcgid_spec.rb index b86cc0e6b3..f08596be6b 100644 --- a/spec/classes/mod/fcgid_spec.rb +++ b/spec/classes/mod/fcgid_spec.rb @@ -1,9 +1,7 @@ require 'spec_helper' describe 'apache::mod::fcgid', :type => :class do - let :pre_condition do - 'include apache' - end + it_behaves_like "a mod class, without including apache" context "on a Debian OS" do let :facts do diff --git a/spec/classes/mod/info_spec.rb b/spec/classes/mod/info_spec.rb index 8ecbcdd2a3..766a9e4fdb 100644 --- a/spec/classes/mod/info_spec.rb +++ b/spec/classes/mod/info_spec.rb @@ -121,9 +121,7 @@ def general_info_specs_24 end describe 'apache::mod::info', :type => :class do - let :pre_condition do - "class { 'apache': default_mods => false, }" - end + it_behaves_like "a mod class, without including apache" context 'On a Debian OS' do let :facts do diff --git a/spec/classes/mod/ldap_spec.rb b/spec/classes/mod/ldap_spec.rb index f51cafd4f7..73c51adf28 100644 --- a/spec/classes/mod/ldap_spec.rb +++ b/spec/classes/mod/ldap_spec.rb 
@@ -1,9 +1,7 @@ require 'spec_helper' describe 'apache::mod::ldap', :type => :class do - let :pre_condition do - 'include apache' - end + it_behaves_like "a mod class, without including apache" context "on a Debian OS" do let :facts do diff --git a/spec/classes/mod/mime_magic_spec.rb b/spec/classes/mod/mime_magic_spec.rb index f846ce386b..cf8f898aa5 100644 --- a/spec/classes/mod/mime_magic_spec.rb +++ b/spec/classes/mod/mime_magic_spec.rb @@ -6,9 +6,7 @@ def general_mime_magic_specs end describe 'apache::mod::mime_magic', :type => :class do - let :pre_condition do - 'include apache' - end + it_behaves_like "a mod class, without including apache" context "On a Debian OS with default params" do let :facts do diff --git a/spec/classes/mod/mime_spec.rb b/spec/classes/mod/mime_spec.rb index 3c7ad88d18..b0675a3c0a 100644 --- a/spec/classes/mod/mime_spec.rb +++ b/spec/classes/mod/mime_spec.rb @@ -6,9 +6,7 @@ def general_mime_specs end describe 'apache::mod::mime', :type => :class do - let :pre_condition do - 'include apache' - end + it_behaves_like "a mod class, without including apache" context "On a Debian OS with default params", :compile do let :facts do diff --git a/spec/classes/mod/negotiation_spec.rb b/spec/classes/mod/negotiation_spec.rb index 813e76def0..9dadb7651e 100644 --- a/spec/classes/mod/negotiation_spec.rb +++ b/spec/classes/mod/negotiation_spec.rb @@ -1,8 +1,8 @@ require 'spec_helper' describe 'apache::mod::negotiation', :type => :class do + it_behaves_like "a mod class, without including apache" describe "OS independent tests" do - let :facts do { :osfamily => 'Debian', @@ -18,9 +18,6 @@ end context "default params" do - let :pre_condition do - 'class {"::apache": }' - end it { should contain_class("apache") } it do should contain_file('negotiation.conf').with( { 
@@ -33,9 +30,6 @@ end context 'with force_language_priority parameter' do - let :pre_condition do - 'class {"::apache": default_mods => ["negotiation"]}' - end let :params do { :force_language_priority => 'Prefer' } end @@ -48,9 +42,6 @@ end context 'with language_priority parameter' do - let :pre_condition do - 'class {"::apache": default_mods => ["negotiation"]}' - end let :params do { :language_priority => [ 'en', 'es' ] } end diff --git a/spec/classes/mod/pagespeed_spec.rb b/spec/classes/mod/pagespeed_spec.rb index 44c60053e0..2cbc3d170e 100644 --- a/spec/classes/mod/pagespeed_spec.rb +++ b/spec/classes/mod/pagespeed_spec.rb @@ -1,9 +1,6 @@ require 'spec_helper' describe 'apache::mod::pagespeed', :type => :class do - let :pre_condition do - 'include apache' - end context "on a Debian OS" do let :facts do { diff --git a/spec/classes/mod/passenger_spec.rb b/spec/classes/mod/passenger_spec.rb index d7e9ce9ed0..70ce4ea60d 100644 --- a/spec/classes/mod/passenger_spec.rb +++ b/spec/classes/mod/passenger_spec.rb @@ -1,9 +1,7 @@ require 'spec_helper' describe 'apache::mod::passenger', :type => :class do - let :pre_condition do - 'include apache' - end + it_behaves_like "a mod class, without including apache" context "on a Debian OS" do let :facts do { diff --git a/spec/classes/mod/perl_spec.rb b/spec/classes/mod/perl_spec.rb index 17ee1b366b..f5b61fe0ce 100644 --- a/spec/classes/mod/perl_spec.rb +++ b/spec/classes/mod/perl_spec.rb @@ -1,9 +1,7 @@ require 'spec_helper' describe 'apache::mod::perl', :type => :class do - let :pre_condition do - 'include apache' - end + it_behaves_like "a mod class, without including apache" context "on a Debian OS" do let :facts do { diff --git a/spec/classes/mod/proxy_connect_spec.rb b/spec/classes/mod/proxy_connect_spec.rb index dbb314c2bf..33059c07b2 100644 --- a/spec/classes/mod/proxy_connect_spec.rb +++ b/spec/classes/mod/proxy_connect_spec.rb 
@@ -3,10 +3,10 @@ describe 'apache::mod::proxy_connect', :type => :class do let :pre_condition do [ - 'include apache', 'include apache::mod::proxy', ] end + it_behaves_like "a mod class, without including apache" context 'on a Debian OS' do let :facts do { diff --git a/spec/classes/mod/proxy_html_spec.rb b/spec/classes/mod/proxy_html_spec.rb index 80106931e0..ffdaa243ed 100644 --- a/spec/classes/mod/proxy_html_spec.rb +++ b/spec/classes/mod/proxy_html_spec.rb @@ -3,11 +3,11 @@ describe 'apache::mod::proxy_html', :type => :class do let :pre_condition do [ - 'include apache', 'include apache::mod::proxy', 'include apache::mod::proxy_http', ] end + it_behaves_like "a mod class, without including apache" context "on a Debian OS" do shared_examples "debian" do |loadfiles| it { is_expected.to contain_class("apache::params") } diff --git a/spec/classes/mod/python_spec.rb b/spec/classes/mod/python_spec.rb index 46c4cde3a2..1393293a97 100644 --- a/spec/classes/mod/python_spec.rb +++ b/spec/classes/mod/python_spec.rb @@ -1,9 +1,8 @@ require 'spec_helper' describe 'apache::mod::python', :type => :class do - let :pre_condition do - 'include apache' - end + it_behaves_like "a mod class, without including apache" + context "on a Debian OS" do let :facts do { diff --git a/spec/classes/mod/remoteip_spec.rb b/spec/classes/mod/remoteip_spec.rb index c9f5b4e831..d75ea56031 100644 --- a/spec/classes/mod/remoteip_spec.rb +++ b/spec/classes/mod/remoteip_spec.rb @@ -1,11 +1,6 @@ require 'spec_helper' describe 'apache::mod::remoteip', :type => :class do - let :pre_condition do - [ - 'include apache', - ] - end context "on a Debian OS" do let :facts do { diff --git a/spec/classes/mod/reqtimeout_spec.rb b/spec/classes/mod/reqtimeout_spec.rb index 1869eb68dc..c3a09777cc 100644 --- a/spec/classes/mod/reqtimeout_spec.rb +++ b/spec/classes/mod/reqtimeout_spec.rb 
@@ -1,11 +1,7 @@ require 'spec_helper' describe 'apache::mod::reqtimeout', :type => :class do - let :pre_condition do - 'class { "apache": - default_mods => false, - }' - end + it_behaves_like "a mod class, without including apache" context "on a Debian OS" do let :facts do { diff --git a/spec/classes/mod/rpaf_spec.rb b/spec/classes/mod/rpaf_spec.rb index 6b2ddd92f3..ef41fcd350 100644 --- a/spec/classes/mod/rpaf_spec.rb +++ b/spec/classes/mod/rpaf_spec.rb @@ -1,11 +1,7 @@ require 'spec_helper' describe 'apache::mod::rpaf', :type => :class do - let :pre_condition do - [ - 'include apache', - ] - end + it_behaves_like "a mod class, without including apache" context "on a Debian OS" do let :facts do { diff --git a/spec/classes/mod/security_spec.rb b/spec/classes/mod/security_spec.rb index ba0bb2f711..2b6d16ecb7 100644 --- a/spec/classes/mod/security_spec.rb +++ b/spec/classes/mod/security_spec.rb @@ -1,10 +1,7 @@ require 'spec_helper' describe 'apache::mod::security', :type => :class do - let :pre_condition do - 'include apache' - end - + it_behaves_like "a mod class, without including apache" context "on RedHat based systems" do let :facts do { diff --git a/spec/classes/mod/shib_spec.rb b/spec/classes/mod/shib_spec.rb index 11193b2766..a651c280a2 100644 --- a/spec/classes/mod/shib_spec.rb +++ b/spec/classes/mod/shib_spec.rb @@ -1,9 +1,7 @@ require 'spec_helper' describe 'apache::mod::shib', :type => :class do - let :pre_condition do - 'include apache' - end + it_behaves_like "a mod class, without including apache" context "on a Debian OS" do let :facts do { diff --git a/spec/classes/mod/speling_spec.rb b/spec/classes/mod/speling_spec.rb index b07af25897..b4844ec748 100644 --- a/spec/classes/mod/speling_spec.rb +++ b/spec/classes/mod/speling_spec.rb 
@@ -1,9 +1,7 @@ require 'spec_helper' describe 'apache::mod::speling', :type => :class do - let :pre_condition do - 'include apache' - end + it_behaves_like "a mod class, without including apache" context "on a Debian OS" do let :facts do { diff --git a/spec/classes/mod/ssl_spec.rb b/spec/classes/mod/ssl_spec.rb index a738ab0a21..f76377e859 100644 --- a/spec/classes/mod/ssl_spec.rb +++ b/spec/classes/mod/ssl_spec.rb @@ -1,9 +1,7 @@ require 'spec_helper' describe 'apache::mod::ssl', :type => :class do - let :pre_condition do - 'include apache' - end + it_behaves_like "a mod class, without including apache" context 'on an unsupported OS' do let :facts do { diff --git a/spec/classes/mod/suphp_spec.rb b/spec/classes/mod/suphp_spec.rb index 9b20000f30..71dbab30e4 100644 --- a/spec/classes/mod/suphp_spec.rb +++ b/spec/classes/mod/suphp_spec.rb @@ -1,9 +1,7 @@ require 'spec_helper' describe 'apache::mod::suphp', :type => :class do - let :pre_condition do - 'include apache' - end + it_behaves_like "a mod class, without including apache" context "on a Debian OS" do let :facts do { diff --git a/spec/classes/mod/wsgi_spec.rb b/spec/classes/mod/wsgi_spec.rb index 5fe313acf4..1d54c54081 100644 --- a/spec/classes/mod/wsgi_spec.rb +++ b/spec/classes/mod/wsgi_spec.rb @@ -1,9 +1,7 @@ require 'spec_helper' describe 'apache::mod::wsgi', :type => :class do - let :pre_condition do - 'include apache' - end + it_behaves_like "a mod class, without including apache" context "on a Debian OS" do let :facts do { diff --git a/templates/mod/alias.conf.erb b/templates/mod/alias.conf.erb index 799b2e666b..8580f707c1 100644 --- a/templates/mod/alias.conf.erb +++ b/templates/mod/alias.conf.erb @@ -3,7 +3,7 @@ Alias /icons/ "<%= @icons_path %>/" "> Options <%= @icons_options %> AllowOverride None -<%- if scope.function_versioncmp([@real_apache_version, '2.4']) >= 0 -%> +<%- if scope.function_versioncmp([@_apache_version, '2.4']) >= 0 -%> Require all granted <%- else -%> Order allow,deny 
diff --git a/templates/mod/info.conf.erb b/templates/mod/info.conf.erb index 1a025b7a6e..dd79ecea8d 100644 --- a/templates/mod/info.conf.erb +++ b/templates/mod/info.conf.erb @@ -1,7 +1,7 @@ SetHandler server-info <%- if @restrict_access -%> - <%- if scope.function_versioncmp([@apache_version, '2.4']) >= 0 -%> + <%- if scope.function_versioncmp([@_apache_version, '2.4']) >= 0 -%> Require ip <%= Array(@allow_from).join(" ") %> <%- else -%> Order deny,allow diff --git a/templates/mod/ldap.conf.erb b/templates/mod/ldap.conf.erb index 424fbe8ee7..5ac0c1c546 100644 --- a/templates/mod/ldap.conf.erb +++ b/templates/mod/ldap.conf.erb @@ -1,6 +1,6 @@ SetHandler ldap-status - <%- if scope.function_versioncmp([@apache_version, '2.4']) >= 0 -%> + <%- if scope.function_versioncmp([@_apache_version, '2.4']) >= 0 -%> Require ip 127.0.0.1 ::1 <%- else -%> Order deny,allow diff --git a/templates/mod/mime.conf.erb b/templates/mod/mime.conf.erb index 8101cf031f..46d021c217 100644 --- a/templates/mod/mime.conf.erb +++ b/templates/mod/mime.conf.erb @@ -31,7 +31,7 @@ AddLanguage sv .sv AddLanguage zh-CN .zh-cn AddLanguage zh-TW .zh-tw -<%- @mime_types_additional.sort.each do |add_mime, config| -%> +<%- @_mime_types_additional.sort.each do |add_mime, config| -%> <%- config.each do |type, extension| %> <%= add_mime %> <%= type %> <%= extension%> <%- end -%> diff --git a/templates/mod/mime_magic.conf.erb b/templates/mod/mime_magic.conf.erb index 1ce1bc3c16..cbc173debc 100644 --- a/templates/mod/mime_magic.conf.erb +++ b/templates/mod/mime_magic.conf.erb @@ -1 +1 @@ -MIMEMagicFile "<%= @magic_file %>" +MIMEMagicFile "<%= @_magic_file %>" diff --git a/templates/mod/pagespeed.conf.erb b/templates/mod/pagespeed.conf.erb index 051cf5bedb..d1ce642976 100644 --- a/templates/mod/pagespeed.conf.erb +++ b/templates/mod/pagespeed.conf.erb 
@@ -61,7 +61,7 @@ ModPagespeedStatistics <%= @collect_statistics %> # statistics. This might be appropriate in an experimental setup or # if the Apache server is protected by a reverse proxy that will # filter URLs in some fashion. - <%- if scope.function_versioncmp([@apache_version, '2.4']) >= 0 -%> + <%- if scope.function_versioncmp([@_apache_version, '2.4']) >= 0 -%> Require ip 127.0.0.1 ::1 <%= Array(@allow_view_stats).join(" ") %> <%- else -%> Order allow,deny @@ -72,7 +72,7 @@ ModPagespeedStatistics <%= @collect_statistics %> ModPagespeedStatisticsLogging <%= @statistics_logging %> - <%- if scope.function_versioncmp([@apache_version, '2.4']) >= 0 -%> + <%- if scope.function_versioncmp([@_apache_version, '2.4']) >= 0 -%> Require ip 127.0.0.1 ::1 <%= Array(@allow_pagespeed_console).join(" ") %> <%- else -%> Order allow,deny @@ -84,7 +84,7 @@ ModPagespeedStatisticsLogging <%= @statistics_logging %> ModPagespeedMessageBufferSize <%= @message_buffer_size %> - <%- if scope.function_versioncmp([@apache_version, '2.4']) >= 0 -%> + <%- if scope.function_versioncmp([@_apache_version, '2.4']) >= 0 -%> Require ip 127.0.0.1 ::1 <%= Array(@allow_pagespeed_message).join(" ") %> <%- else -%> Order allow,deny diff --git a/templates/mod/proxy.conf.erb b/templates/mod/proxy.conf.erb index 5ea829eeb3..06fe547140 100644 --- a/templates/mod/proxy.conf.erb +++ b/templates/mod/proxy.conf.erb @@ -10,7 +10,7 @@ <% if @proxy_requests != 'Off' or ( @allow_from and ! @allow_from.empty? ) -%> - <%- if scope.function_versioncmp([@apache_version, '2.4']) >= 0 -%> + <%- if scope.function_versioncmp([@_apache_version, '2.4']) >= 0 -%> Require ip <%= Array(@allow_from).join(" ") %> <%- else -%> Order deny,allow diff --git a/templates/mod/ssl.conf.erb b/templates/mod/ssl.conf.erb index d5120500a9..4ae29e40a0 100644 --- a/templates/mod/ssl.conf.erb +++ b/templates/mod/ssl.conf.erb 
@@ -13,7 +13,7 @@ <% if @ssl_compression -%> SSLCompression On <% end -%> - <%- if scope.function_versioncmp([@apache_version, '2.4']) >= 0 -%> + <%- if scope.function_versioncmp([@_apache_version, '2.4']) >= 0 -%> Mutex <%= @_ssl_mutex %> <%- else -%> SSLMutex <%= @_ssl_mutex %> diff --git a/templates/mod/status.conf.erb b/templates/mod/status.conf.erb index 895bf0c665..6a6b3daa2d 100644 --- a/templates/mod/status.conf.erb +++ b/templates/mod/status.conf.erb @@ -1,6 +1,6 @@ > SetHandler server-status - <%- if scope.function_versioncmp([@real_apache_version, '2.4']) >= 0 -%> + <%- if scope.function_versioncmp([@_apache_version, '2.4']) >= 0 -%> Require ip <%= Array(@allow_from).join(" ") %> <%- else -%> Order deny,allow From b07c049d8d09e0b49d3c122f0761987d405c7804 Mon Sep 17 00:00:00 2001 From: Jan Schumann Date: Fri, 26 Feb 2016 10:31:35 +0100 Subject: [PATCH 039/100] add documentation --- README.md | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 6b8562bddb..5cb0cd3ee9 100644 --- a/README.md +++ b/README.md @@ -3326,12 +3326,13 @@ Ex: ``` puppet apache::fastcgi::server { 'php': - host => '127.0.0.1:9000', - timeout => 15, - flush => false, - faux_path => '/var/www/php.fcgi', - fcgi_alias => '/php.fcgi', - file_type => 'application/x-httpd-php' + host => '127.0.0.1:9000', + timeout => 15, + flush => false, + faux_path => '/var/www/php.fcgi', + fcgi_alias => '/php.fcgi', + file_type => 'application/x-httpd-php', + pass_header => '' } ``` 
@@ -3369,6 +3370,10 @@ A unique alias. This is used internally to link the action with the FastCGI serv The MIME-type of the file to be processed by the FastCGI server. +##### `pass_header` + +The name of an HTTP Request Header to be passed in the request environment. This option makes available the contents of headers which are normally not available (e.g. Authorization) to a CGI environment. + #### Defined type: `apache::vhost::custom` The `apache::vhost::custom` defined type is a thin wrapper around the `apache::custom_config` defined type, and simply overrides some of its default settings specifc to the virtual host directory in Apache. From d3d1929a297d754d9beb83b073666afc0e1972c6 Mon Sep 17 00:00:00 2001 From: Jan Schumann Date: Fri, 12 Feb 2016 11:20:45 +0100 Subject: [PATCH 040/100] added test --- spec/defines/fastcgi_server_spec.rb | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/spec/defines/fastcgi_server_spec.rb b/spec/defines/fastcgi_server_spec.rb index fdcf2dbca3..89016f03a3 100644 --- a/spec/defines/fastcgi_server_spec.rb +++ b/spec/defines/fastcgi_server_spec.rb @@ -108,7 +108,7 @@ :is_pe => false, } end - describe ".conf content" do + describe ".conf content using TCP communication" do let :params do { :host => '127.0.0.1:9001', 
@@ -130,5 +130,28 @@ should contain_file("fastcgi-pool-www.conf").with_content(expected) end end + describe ".conf content using socket communication" do + let :params do + { + :host => :undef, + :socket => '/var/run/fcgi.sock', + :timeout => 30, + :flush => true, + :faux_path => '/var/www/php-www.fcgi', + :fcgi_alias => '/php-www.fcgi', + :file_type => 'application/x-httpd-php' + } + end + let :expected do + 'FastCGIExternalServer /var/www/php-www.fcgi -idle-timeout 30 -flush -socket /var/run/fcgi.sock +Alias /php-www.fcgi /var/www/php-www.fcgi +Action application/x-httpd-php /php-www.fcgi +' + end + it do + should contain_file("fastcgi-pool-www.conf").with_content(expected) + end + end + end end From 42a591a8d158909079fb6d9f9ce0821e3b96d50a Mon Sep 17 00:00:00 2001 From: Jan Schumann Date: Fri, 12 Feb 2016 11:29:04 +0100 Subject: [PATCH 041/100] support socket communication a socket path can now be passed to apache::fastcgi::server::host to support socket communication --- README.md | 8 ++++++++ manifests/fastcgi/server.pp | 4 ++++ spec/defines/fastcgi_server_spec.rb | 5 ++--- templates/fastcgi/server.erb | 9 +++++++-- 4 files changed, 21 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 5b88e2958d..915ff06f19 100644 --- a/README.md +++ b/README.md 
@@ -3355,6 +3355,14 @@ apache::vhost { 'www': The hostname or IP address and TCP port number (1-65535) of the FastCGI server. +It is also possible to pass a unix socket: + +``` puppet +apache::fastcgi::server { 'php': + host => '/var/run/fcgi.sock', +} +``` + ##### `timeout` The number of seconds of FastCGI application inactivity allowed before the request is aborted and the event is logged (at the error LogLevel). The inactivity timer applies only as long as a connection is pending with the FastCGI application. If a request is queued to an application, but the application doesn't respond (by writing and flushing) within this period, the request is aborted. If communication is complete with the application but incomplete with the client (the response is buffered), the timeout does not apply. diff --git a/manifests/fastcgi/server.pp b/manifests/fastcgi/server.pp index 8805484066..3493194917 100644 --- a/manifests/fastcgi/server.pp +++ b/manifests/fastcgi/server.pp @@ -11,6 +11,10 @@ Apache::Mod['fastcgi'] -> Apache::Fastcgi::Server[$title] + if is_absolute_path($host) { + $socket = $host + } + file { "fastcgi-pool-${name}.conf": ensure => present, path => "${::apache::confd_dir}/fastcgi-pool-${name}.conf", diff --git a/spec/defines/fastcgi_server_spec.rb b/spec/defines/fastcgi_server_spec.rb index 89016f03a3..e415461cca 100644 --- a/spec/defines/fastcgi_server_spec.rb +++ b/spec/defines/fastcgi_server_spec.rb @@ -133,8 +133,7 @@ describe ".conf content using socket communication" do let :params do { - :host => :undef, - :socket => '/var/run/fcgi.sock', + :host => '/var/run/fcgi.sock', :timeout => 30, :flush => true, :faux_path => '/var/www/php-www.fcgi', 
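Review bot: In `manifests/fastcgi/server.pp`, `$host` now carries two meanings and only the absolute-path case is recognised by `if is_absolute_path($host)`. Any other value, including a mistyped or relative socket path, falls through to ` -host #{@host}` in `templates/fastcgi/server.erb` and is written into the `FastCGIExternalServer` line unchecked. A comment above the `if` would document the contract, for example `# $host is either "host:port" or an absolute path to a unix socket; a path is handed to the template as $socket`. It would also help to fail the catalog when the value is neither form, for instance an `else` branch that calls `validate_re` with a host:port pattern, so that whitespace or extra option text in the parameter cannot end up in the generated directive. The define's body starts and ends outside the hunk.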
@@ -143,7 +142,7 @@ } end let :expected do - 'FastCGIExternalServer /var/www/php-www.fcgi -idle-timeout 30 -flush -socket /var/run/fcgi.sock +'FastCGIExternalServer /var/www/php-www.fcgi -idle-timeout 30 -flush -socket /var/run/fcgi.sock Alias /php-www.fcgi /var/www/php-www.fcgi Action application/x-httpd-php /php-www.fcgi ' diff --git a/templates/fastcgi/server.erb b/templates/fastcgi/server.erb index 7a3837b1b3..bae56d48ef 100644 --- a/templates/fastcgi/server.erb +++ b/templates/fastcgi/server.erb @@ -4,13 +4,18 @@ if @flush flush = " -flush" end - host = " -host #{@host}" + if @socket + host_or_socket = " -socket #{@socket}" + else + host_or_socket = " -host #{@host}" + end + pass_header = "" if @pass_header and ! @pass_header.empty? pass_header = " -pass-header #{@pass_header}" end - options = timeout + flush + host + pass_header + options = timeout + flush + host_or_socket + pass_header -%> FastCGIExternalServer <%= @faux_path %><%= options %> Alias <%= @fcgi_alias %> <%= @faux_path %> From 811e63c9a7ca76d7d13924a5654dece9e7224a68 Mon Sep 17 00:00:00 2001 From: Garrett Honeycutt Date: Wed, 2 Mar 2016 13:25:13 +0100 Subject: [PATCH 042/100] Remove SSLv3 from the example as we do not want to encourage its usage. --- examples/vhost.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/vhost.pp b/examples/vhost.pp index 79ac994019..486570f815 100644 --- a/examples/vhost.pp +++ b/examples/vhost.pp @@ -239,7 +239,7 @@ ssl_cert => '/etc/ssl/securedomain.cert', ssl_key => '/etc/ssl/securedomain.key', ssl_chain => '/etc/ssl/securedomain.crt', - ssl_protocol => '-ALL +SSLv3 +TLSv1', + ssl_protocol => '-ALL +TLSv1', ssl_cipher => 'ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM', ssl_honorcipherorder => 'On', add_listen => false, From bef16174075faa1a39d372cc3284f0feb5de6342 Mon Sep 17 00:00:00 2001 
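Review bot: In `examples/vhost.pp`, `ssl_protocol => '-ALL +TLSv1'` leaves TLS 1.0 as the only protocol the example enables, so anyone copying it gets no TLS 1.1 or 1.2. The `ssl_cipher` context line directly below still lists `RC4+RSA`. Since the commit's aim is to stop encouraging weak settings, consider `ssl_protocol => '-ALL +TLSv1 +TLSv1.1 +TLSv1.2',` (where the installed Apache and OpenSSL accept those tokens) and dropping `RC4+RSA:` from the cipher string. The `apache::vhost` resource starts and ends outside the hunk.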
From: Garrett Honeycutt Date: Wed, 2 Mar 2016 13:25:56 +0100 Subject: [PATCH 043/100] Remove insecure SSLv3 from mod_nss --- templates/mod/nss.conf.erb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/templates/mod/nss.conf.erb b/templates/mod/nss.conf.erb index b6ea504877..36f83d865b 100644 --- a/templates/mod/nss.conf.erb +++ b/templates/mod/nss.conf.erb @@ -121,9 +121,9 @@ NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa # with the maximum specified protocol and downgrading as necessary to the # minimum specified protocol that can be used between two processes. # Since all protocol ranges are completely inclusive, and no protocol in the -# middle of a range may be excluded, the entry "NSSProtocol SSLv3,TLSv1.1" -# is identical to the entry "NSSProtocol SSLv3,TLSv1.0,TLSv1.1". -NSSProtocol SSLv3,TLSv1.0,TLSv1.1 +# middle of a range may be excluded, the entry "NSSProtocol TLSv1.0,TLSv1.2" +# is identical to the entry "NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2". +NSSProtocol TLSv1.0,TLSv1.1 # SSL Certificate Nickname: # The nickname of the RSA server certificate you are going to use. From e6a1775ce2019998ea34bd36f4e27a9d790d41d1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Stefan=20Mo=CC=88ding?= Date: Wed, 2 Mar 2016 18:07:16 +0100 Subject: [PATCH 044/100] Add JkMount/JkUnmount directives to vhost 'mod_jk' is one of the possibilities to use Apache as a frontend to Tomcat. The module understands 'JkMount' and 'JkUnMount' directives to configure whether an URL should be handled by Apache or by Tomcat. This patch enhances 'apache::vhost' to allow configuration of these two directives for a virtual host. --- README.md | 17 +++++++++++++++++ manifests/vhost.pp | 11 +++++++++++ spec/defines/vhost_spec.rb | 8 ++++++++ templates/vhost/_jk_mounts.erb | 12 ++++++++++++ 4 files changed, 48 insertions(+) create mode 100644 templates/vhost/_jk_mounts.erb diff --git a/README.md b/README.md index 915ff06f19..029d47b544 100644 
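Review bot: In `templates/mod/nss.conf.erb` the rewritten comment uses the range `TLSv1.0,TLSv1.2` as its example, but the directive below it is `NSSProtocol TLSv1.0,TLSv1.1`, so TLS 1.2 stays disabled and the comment no longer describes what the template sets. If the packaged mod_nss supports it (worth confirming per platform), `NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2` would match the comment; otherwise the comment's example should name the range actually configured. The `NSSCipherSuite` line shown in the hunk header still enables `+rsa_rc4_128_md5` and `+rsa_rc4_128_sha`; that line is outside this hunk but belongs to the same cleanup.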
--- a/README.md +++ b/README.md @@ -2149,6 +2149,23 @@ apache::vhost { 'sample.example.net': } ``` +##### `jk_mounts` + +Sets up a virtual host with 'JkMount' and 'JkUnMount' directives to handle the paths for URL mapping between Tomcat and Apache. Default: undef. + +The parameter must be an array of hashes where each hash must contain the 'worker' and either the 'mount' or 'unmount' keys. + +Usage typically looks like: + +``` puppet +apache::vhost { 'sample.example.net': + jk_mounts => [ + { mount => '/*', worker => 'tcnode1', }, + { unmount => '/*.jpg', worker => 'tcnode1', }, + ], +} +``` + ##### `auth_kerb` Enable [`mod_auth_kerb`][] parameters for a virtual host. Valid options: Boolean. Default: false. diff --git a/manifests/vhost.pp b/manifests/vhost.pp index e909788dfe..b6b47fd560 100644 --- a/manifests/vhost.pp +++ b/manifests/vhost.pp @@ -129,6 +129,7 @@ $modsec_disable_ids = undef, $modsec_disable_ips = undef, $modsec_body_limit = undef, + $jk_mounts = undef, $auth_kerb = false, $krb_method_negotiate = 'on', $krb_method_k5passwd = 'on', @@ -994,6 +995,16 @@ } } + # Template uses: + # - $jk_mounts + if $jk_mounts and ! empty($jk_mounts) { + concat::fragment { "${name}-jk_mounts": + target => "${priority_real}${filename}.conf", + order => 340, + content => template('apache/vhost/_jk_mounts.erb'), + } + } + # Template uses no variables concat::fragment { "${name}-file_footer": target => "${priority_real}${filename}.conf", diff --git a/spec/defines/vhost_spec.rb b/spec/defines/vhost_spec.rb index 8bcd3cfd59..5ae37bc519 100644 --- a/spec/defines/vhost_spec.rb +++ b/spec/defines/vhost_spec.rb @@ -338,6 +338,10 @@ 'passenger_start_timeout' => '600', 'passenger_pre_start' => 'http://localhost/myapp', 'add_default_charset' => 'UTF-8', + 'jk_mounts' => [ + { 'mount' => '/*', 'worker' => 'tcnode1', }, + { 'unmount' => '/*.jpg', 'worker' => 'tcnode1', }, + ], 'auth_kerb' => true, 'krb_method_negotiate' => 'off', 'krb_method_k5passwd' => 'off', 
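Review bot: `$jk_mounts` is accepted in `manifests/vhost.pp` without any type check, and `templates/vhost/_jk_mounts.erb` silently skips entries that are not hashes or that lack `worker`. A typo in a key name therefore yields a vhost with the mapping missing and no error, which matters most for `unmount` rules meant to keep paths away from Tomcat. Consider `validate_array($jk_mounts)` inside the new `if $jk_mounts and ! empty($jk_mounts)` block, and have the template fail rather than skip when an entry has no `worker` or has neither `mount` nor `unmount`. The values are written into `JkMount`/`JkUnMount` as given, so the README should also say they must not contain whitespace. The define's body starts and ends outside the hunk.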
@@ -484,6 +488,10 @@ it { is_expected.to contain_concat__fragment('rspec.example.com-passenger') } it { is_expected.to contain_concat__fragment('rspec.example.com-charsets') } it { is_expected.to contain_concat__fragment('rspec.example.com-file_footer') } + it { is_expected.to contain_concat__fragment('rspec.example.com-jk_mounts').with( + :content => /^\s+JkMount\s+\/\*\s+tcnode1$/)} + it { is_expected.to contain_concat__fragment('rspec.example.com-jk_mounts').with( + :content => /^\s+JkUnMount\s+\/\*\.jpg\s+tcnode1$/)} it { is_expected.to contain_concat__fragment('rspec.example.com-auth_kerb').with( :content => /^\s+KrbMethodNegotiate\soff$/)} it { is_expected.to contain_concat__fragment('rspec.example.com-auth_kerb').with( diff --git a/templates/vhost/_jk_mounts.erb b/templates/vhost/_jk_mounts.erb new file mode 100644 index 0000000000..8cb1d116bb --- /dev/null +++ b/templates/vhost/_jk_mounts.erb @@ -0,0 +1,12 @@ +<% if @jk_mounts and not @jk_mounts.empty? -%> + + <%- @jk_mounts.each do |jk| -%> + <%- if jk.is_a?(Hash) -%> + <%- if jk.has_key?('mount') and jk.has_key?('worker') -%> + JkMount <%= jk['mount'] %> <%= jk['worker'] %> + <%- elsif jk.has_key?('unmount') and jk.has_key?('worker') -%> + JkUnMount <%= jk['unmount'] %> <%= jk['worker'] %> + <%- end -%> + <%- end -%> + <%- end -%> +<% end -%> From 7022328bcad17476dd315b198882f4896fc0f6cc Mon Sep 17 00:00:00 2001 From: Julien Pivotto Date: Thu, 3 Mar 2016 13:03:33 +0100 Subject: [PATCH 045/100] (doc) Fix a typo: specifc -> specific --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 915ff06f19..5f1e77f89b 100644 --- a/README.md +++ b/README.md 
@@ -3389,7 +3389,7 @@ The name of an HTTP Request Header to be passed in the request environment. This #### Defined type: `apache::vhost::custom` -The `apache::vhost::custom` defined type is a thin wrapper around the `apache::custom_config` defined type, and simply overrides some of its default settings specifc to the virtual host directory in Apache. +The `apache::vhost::custom` defined type is a thin wrapper around the `apache::custom_config` defined type, and simply overrides some of its default settings specific to the virtual host directory in Apache. **Parameters within `apache::vhost::custom`**: From b2bc76f63045bdb4ad8df91a835873fbb1eec025 Mon Sep 17 00:00:00 2001 From: Julien Pivotto Date: Thu, 3 Mar 2016 22:18:06 +0100 Subject: [PATCH 046/100] apache::balancer: Add a target parameter to write to a custom path Thit commits implements a target parameter to the apache::balancer definition to specify a different configuration path if needed (e.g with a different suffix or in a different location). --- manifests/balancer.pp | 20 ++++++++--- manifests/balancermember.pp | 2 +- spec/defines/balancer_spec.rb | 33 ++++++++++++++++++ spec/defines/balancermember_spec.rb | 52 ++++++++++++++++++++--------- 4 files changed, 86 insertions(+), 21 deletions(-) create mode 100644 spec/defines/balancer_spec.rb diff --git a/manifests/balancer.pp b/manifests/balancer.pp index 9b7511a032..a3534ded8c 100644 --- a/manifests/balancer.pp +++ b/manifests/balancer.pp @@ -23,6 +23,10 @@ # Hash, default empty. If given, each key-value pair will be used as a ProxySet # line in the configuration. # +# [*target*] +# String, default undef. If given, path to the file the balancer definition will +# be written. +# # [*collect_exported*] # Boolean, default 'true'. True means 'collect exported @@balancermember # resources' (for the case when every balancermember node exports itself), 
@@ -41,21 +45,27 @@ define apache::balancer ( $proxy_set = {}, $collect_exported = true, + $target = undef, ) { include ::apache::mod::proxy_balancer - $target = "${::apache::params::confd_dir}/balancer_${name}.conf" + if $target { + $_target = $target + } else { + $_target = "${::apache::params::confd_dir}/balancer_${name}.conf" + } - concat { $target: + concat { "apache_balancer_${name}": owner => '0', group => '0', + path => $_target, mode => $::apache::file_mode, notify => Class['Apache::Service'], } concat::fragment { "00-${name}-header": ensure => present, - target => $target, + target => "apache_balancer_${name}", order => '01', content => "\n", } @@ -68,14 +78,14 @@ concat::fragment { "01-${name}-proxyset": ensure => present, - target => $target, + target => "apache_balancer_${name}", order => '19', content => inline_template("<% @proxy_set.keys.sort.each do |key| %> Proxyset <%= key %>=<%= @proxy_set[key] %>\n<% end %>"), } concat::fragment { "01-${name}-footer": ensure => present, - target => $target, + target => "apache_balancer_${name}", order => '20', content => "\n", } diff --git a/manifests/balancermember.pp b/manifests/balancermember.pp index 459081a716..78723043bc 100644 --- a/manifests/balancermember.pp +++ b/manifests/balancermember.pp @@ -47,7 +47,7 @@ concat::fragment { "BalancerMember ${name}": ensure => present, - target => "${::apache::params::confd_dir}/balancer_${balancer_cluster}.conf", + target => "apache_balancer_${balancer_cluster}", content => inline_template(" BalancerMember ${url} <%= @options.join ' ' %>\n"), } } diff --git a/spec/defines/balancer_spec.rb b/spec/defines/balancer_spec.rb new file mode 100644 index 0000000000..4a1477b13d --- /dev/null +++ b/spec/defines/balancer_spec.rb 
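Review bot: In `manifests/balancer.pp`, `$target` becomes the `path` of a concat resource written with `owner => '0'`, and the `if $target { $_target = $target }` branch does not validate it. Adding `validate_absolute_path($target)` inside that branch would reject relative or malformed paths at compile time. Separately, `manifests/balancermember.pp` now targets `"apache_balancer_${balancer_cluster}"` instead of the file path, so exported `@@apache::balancermember` resources from nodes still on the previous module version would presumably no longer match. That upgrade-order dependency deserves a line in the release notes. The define's body starts and ends outside the hunk.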
@@ -0,0 +1,33 @@ +require 'spec_helper' + +describe 'apache::balancer', :type => :define do + let :pre_condition do + 'include apache' + end + let :facts do + { + :osfamily => 'Debian', + :operatingsystem => 'Debian', + :operatingsystemrelease => '6', + :lsbdistcodename => 'squeeze', + :id => 'root', + :concat_basedir => '/dne', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :kernel => 'Linux', + :is_pe => false, + } + end + describe "accept a target parameter and use it" do + let :title do + 'myapp' + end + let :params do + { + :target => '/tmp/myapp.conf' + } + end + it { should contain_concat('apache_balancer_myapp').with({ + :path => "/tmp/myapp.conf", + })} + end +end diff --git a/spec/defines/balancermember_spec.rb b/spec/defines/balancermember_spec.rb index 0322d308eb..d99f99686e 100644 --- a/spec/defines/balancermember_spec.rb +++ b/spec/defines/balancermember_spec.rb @@ -2,21 +2,7 @@ describe 'apache::balancermember', :type => :define do let :pre_condition do - 'include apache - apache::balancer {"balancer":} - apache::balancer {"balancer-external":} - apache::balancermember {"http://127.0.0.1:8080-external": url => "http://127.0.0.1:8080/", balancer_cluster => "balancer-external"} - ' - end - let :title do - 'http://127.0.0.1:8080/' - end - let :params do - { - :options => [], - :url => 'http://127.0.0.1:8080/', - :balancer_cluster => 'balancer-internal' - } + 'include apache' end let :facts do { 
@@ -32,6 +18,42 @@ } end describe "allows multiple balancermembers with the same url" do + let :pre_condition do + 'apache::balancer {"balancer":} + apache::balancer {"balancer-external":} + apache::balancermember {"http://127.0.0.1:8080-external": url => "http://127.0.0.1:8080/", balancer_cluster => "balancer-external"} + ' + end + let :title do + 'http://127.0.0.1:8080/' + end + let :params do + { + :options => [], + :url => 'http://127.0.0.1:8080/', + :balancer_cluster => 'balancer-internal' + } + end it { should contain_concat__fragment('BalancerMember http://127.0.0.1:8080/') } end + describe "allows balancermember with a different target" do + let :pre_condition do + 'apache::balancer {"balancername": target => "/etc/apache/balancer.conf"} + apache::balancermember {"http://127.0.0.1:8080-external": url => "http://127.0.0.1:8080/", balancer_cluster => "balancername"} + ' + end + let :title do + 'http://127.0.0.1:8080/' + end + let :params do + { + :options => [], + :url => 'http://127.0.0.1:8080/', + :balancer_cluster => 'balancername' + } + end + it { should contain_concat__fragment('BalancerMember http://127.0.0.1:8080/').with({ + :target => "apache_balancer_balancername", + })} + end end From 68362b54108e907ef674be3e3c23c17650ea877b Mon Sep 17 00:00:00 2001 
From: Colleen Murphy Date: Fri, 4 Mar 2016 10:33:37 -0800 Subject: [PATCH 047/100] Manage mod dir before things that depend on mods On Ubuntu Trusty, the default mpm module is "event". In puppetlabs-apache, the default mpm module is "worker". These can't both be loaded at once. The apache puppet module takes care of this by purging the mods-enabled directory. However, if we try to run a syntax check before the directory is purged, it fails. The apache::custom_config defined type contains an "syntax verification for ${name}" exec that can potentially run before the event mod is unloaded. This patch ensures that the module purging occurs before syntax check happens so that the puppet run is successful. --- manifests/init.pp | 1 + 1 file changed, 1 insertion(+) diff --git a/manifests/init.pp b/manifests/init.pp index 41a879c5ec..e8f6e6f9ba 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -189,6 +189,7 @@ purge => $purge_mod_dir, notify => Class['Apache::Service'], require => Package['httpd'], + before => Anchor['::apache::modules_set_up'], } } From d26c4bbb6f12f90039a370dc1270d90029ff25a7 Mon Sep 17 00:00:00 2001 From: jokajak Date: Sat, 5 Mar 2016 12:12:59 -0500 Subject: [PATCH 048/100] Add mellon_sp_metadata_file parameter for directory entries This allows specifying the mellon_sp_metadata_file parameter --- README.md | 1 + templates/vhost/_directories.erb | 3 +++ 2 files changed, 4 insertions(+) diff --git a/README.md b/README.md index 5f1e77f89b..026fb67e05 100644 --- a/README.md +++ b/README.md 
@@ -2968,6 +2968,7 @@ Related parameters follow the names of `mod_auth_mellon` directives: - `mellon_cond`: Takes an array of mellon conditions that must be met to grant access, and creates a [MellonCond][`mod_auth_mellon`] directive for each item in the array. - `mellon_endpoint_path`: Sets the [MellonEndpointPath][`mod_auth_mellon`] to set the mellon endpoint path. +- `mellon_sp_metadata_file`: Sets the [MellonSPMetadataFile][`mod_auth_mellon`] location of the SP metadata file. - `mellon_idp_metadata_file`: Sets the [MellonIDPMetadataFile][`mod_auth_mellon`] location of the IDP metadata file. - `mellon_saml_rsponse_dump`: Sets the [MellonSamlResponseDump][`mod_auth_mellon`] directive to enable debug of SAML. - `mellon_set_env_no_prefix`: Sets the [MellonSetEnvNoPrefix][`mod_auth_mellon`] directive to a hash of attribute names to map diff --git a/templates/vhost/_directories.erb b/templates/vhost/_directories.erb index 49a9bd9011..9beb89865f 100644 --- a/templates/vhost/_directories.erb +++ b/templates/vhost/_directories.erb @@ -270,6 +270,9 @@ <%- end -%> <%- if directory['mellon_sp_cert_file'] -%> MellonSPCertFile "<%= directory['mellon_sp_cert_file'] %>" + <%- end -%> + <%- if directory['mellon_sp_metadata_file'] -%> + MellonSPMetadataFile "<%= directory['mellon_sp_metadata_file'] %>" <%- end -%> <%- if directory['mellon_idp_metadata_file'] -%> MellonIDPMetadataFile "<%= directory['mellon_idp_metadata_file'] %>" From d1e9d46cc26f68d5ac941e8478cee383f00fcef9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Simon=20S=C3=A9hier?= Date: Mon, 7 Mar 2016 14:41:41 +0100 Subject: [PATCH 049/100] add support for SSLProxyProtocol directive --- manifests/vhost.pp | 2 ++ templates/vhost/_sslproxy.erb | 3 +++ 2 files changed, 5 insertions(+) diff --git a/manifests/vhost.pp b/manifests/vhost.pp index e909788dfe..561364bead 100644 --- a/manifests/vhost.pp +++ b/manifests/vhost.pp 
@@ -29,6 +29,7 @@ $ssl_proxy_check_peer_cn = undef, $ssl_proxy_check_peer_name = undef, $ssl_proxy_machine_cert = undef, + $ssl_proxy_protocol = undef, $ssl_options = undef, $ssl_openssl_conf_cmd = undef, $ssl_proxyengine = false, @@ -838,6 +839,7 @@ # - $ssl_proxy_check_peer_cn # - $ssl_proxy_check_peer_name # - $ssl_proxy_machine_cert + # - $ssl_proxy_protocol if $ssl_proxyengine { concat::fragment { "${name}-sslproxy": target => "${priority_real}${filename}.conf", diff --git a/templates/vhost/_sslproxy.erb b/templates/vhost/_sslproxy.erb index 568d9d1d0d..393126e439 100644 --- a/templates/vhost/_sslproxy.erb +++ b/templates/vhost/_sslproxy.erb @@ -14,4 +14,7 @@ <%- if @ssl_proxy_machine_cert -%> SSLProxyMachineCertificateFile "<%= @ssl_proxy_machine_cert %>" <%- end -%> + <%- if @ssl_proxy_protocol -%> + SSLProxyProtocol "<%= @ssl_proxy_protocol %>" + <%- end -%> <% end -%> From fcc9bc541d2ddc5ae1f600147755c2dae9c6e71a Mon Sep 17 00:00:00 2001 From: Philipp Dallig Date: Tue, 8 Mar 2016 15:40:19 +0100 Subject: [PATCH 050/100] (#3139) Add support for PassengerUser --- README.md | 4 ++++ manifests/vhost.pp | 6 ++++-- spec/defines/vhost_spec.rb | 1 + templates/vhost/_passenger.erb | 3 +++ 4 files changed, 12 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 5f1e77f89b..6cd5729786 100644 --- a/README.md +++ b/README.md 
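Review bot: `$ssl_proxy_protocol = undef` in the first manifests/vhost.pp hunk means a vhost with `ssl_proxyengine => true` writes no SSLProxyProtocol line, so backend connections fall back to whatever the installed httpd uses as its built-in default. apache::mod::ssl's `ssl_protocol` default, shown later on this page, is `[ 'all', '-SSLv2', '-SSLv3' ]`, so the proxy side may end up more permissive than the listener side on older httpd builds; I can't tell from the hunk whether that is intended. I would either default the parameter the same way or add a comment above it such as `# undef leaves httpd's own SSLProxyProtocol default in place; set it explicitly to restrict backend protocols`. The parameter list continues outside the hunk.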
@@ -2306,6 +2306,10 @@ Sets [PassengerStartTimeout](https://www.phusionpassenger.com/library/config/apa Sets [PassengerPreStart](https://www.phusionpassenger.com/library/config/apache/reference/#passengerprestart), the URL of the application if pre-starting is required. +##### `passenger_user` + +Sets [PassengerUser](https://www.phusionpassenger.com/library/config/apache/reference/#passengeruser), the running user for sandboxing applications. + ##### `php_flags & values` Allows per-virtual host setting [`php_value`s or `php_flag`s](http://php.net/manual/en/configuration.changes.php). These flags or values can be overwritten by a user or an application. Default: '{}'. diff --git a/manifests/vhost.pp b/manifests/vhost.pp index e909788dfe..2430272b9b 100644 --- a/manifests/vhost.pp +++ b/manifests/vhost.pp @@ -124,6 +124,7 @@ $passenger_min_instances = undef, $passenger_start_timeout = undef, $passenger_pre_start = undef, + $passenger_user = undef, $add_default_charset = undef, $modsec_disable_vhost = undef, $modsec_disable_ids = undef, @@ -274,7 +275,7 @@ include ::apache::mod::suexec } - if $passenger_app_root or $passenger_app_env or $passenger_ruby or $passenger_min_instances or $passenger_start_timeout or $passenger_pre_start { + if $passenger_app_root or $passenger_app_env or $passenger_ruby or $passenger_min_instances or $passenger_start_timeout or $passenger_pre_start or $passenger_user { include ::apache::mod::passenger } @@ -953,7 +954,8 @@ # - $passenger_min_instances # - $passenger_start_timeout # - $passenger_pre_start - if $passenger_app_root or $passenger_app_env or $passenger_ruby or $passenger_min_instances or $passenger_start_timeout or $passenger_pre_start { + # - $passenger_user + if $passenger_app_root or $passenger_app_env or $passenger_ruby or $passenger_min_instances or $passenger_start_timeout or $passenger_pre_start or $passenger_user { concat::fragment { "${name}-passenger": target => "${priority_real}${filename}.conf", order => 300, 
diff --git a/spec/defines/vhost_spec.rb b/spec/defines/vhost_spec.rb index 8bcd3cfd59..b565eaa874 100644 --- a/spec/defines/vhost_spec.rb +++ b/spec/defines/vhost_spec.rb @@ -337,6 +337,7 @@ 'passenger_min_instances' => '1', 'passenger_start_timeout' => '600', 'passenger_pre_start' => 'http://localhost/myapp', + 'passenger_user' => 'sandbox', 'add_default_charset' => 'UTF-8', 'auth_kerb' => true, 'krb_method_negotiate' => 'off', diff --git a/templates/vhost/_passenger.erb b/templates/vhost/_passenger.erb index 130e769353..91820d3634 100644 --- a/templates/vhost/_passenger.erb +++ b/templates/vhost/_passenger.erb @@ -16,3 +16,6 @@ <% if @passenger_pre_start -%> PassengerPreStart <%= @passenger_pre_start %> <% end -%> +<% if @passenger_user -%> + PassengerUser <%= @passenger_user %> +<% end -%> From 7212175803ea2fab60f5f49df699f9b3216be265 Mon Sep 17 00:00:00 2001 From: Stig Brautaset Date: Tue, 8 Mar 2016 17:07:09 +0000 Subject: [PATCH 051/100] Allow configuring mod_security's SecAuditLogParts The default configuration for this includes "I" which is not always always suitable, e.g. if you cannot tolerate POST parameters appearing in your modsec_audit.log You may want to omit `I` if mod_security is protecting a hypothetical web service that accepts credit card data in a POST request, for example. --- manifests/mod/security.pp | 2 ++ manifests/params.pp | 1 + spec/classes/mod/security_spec.rb | 8 ++++++++ templates/mod/security.conf.erb | 2 +- 4 files changed, 12 insertions(+), 1 deletion(-) diff --git a/manifests/mod/security.pp b/manifests/mod/security.pp index 10145d7f3b..7cd7114c4e 100644 --- a/manifests/mod/security.pp +++ b/manifests/mod/security.pp 
@@ -3,6 +3,7 @@ $activated_rules = $::apache::params::modsec_default_rules, $modsec_dir = $::apache::params::modsec_dir, $modsec_secruleengine = $::apache::params::modsec_secruleengine, + $audit_log_parts = $::apache::params::modsec_audit_log_parts, $secpcrematchlimit = $::apache::params::secpcrematchlimit, $secpcrematchlimitrecursion = $::apache::params::secpcrematchlimitrecursion, $allowed_methods = 'GET HEAD POST OPTIONS', @@ -35,6 +36,7 @@ # Template uses: # - $modsec_dir + # - $audit_log_parts # - secpcrematchlimit # - secpcrematchlimitrecursion file { 'security.conf': diff --git a/manifests/params.pp b/manifests/params.pp index 7b6e93cc01..6a40f4d9bf 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -159,6 +159,7 @@ $mellon_lock_file = '/run/mod_auth_mellon/lock' $mellon_cache_size = 100 $mellon_post_directory = undef + $modsec_audit_log_parts = 'ABIJDEFHZ' $modsec_crs_package = 'mod_security_crs' $modsec_crs_path = '/usr/lib/modsecurity.d' $modsec_dir = '/etc/httpd/modsecurity.d' diff --git a/spec/classes/mod/security_spec.rb b/spec/classes/mod/security_spec.rb index 2b6d16ecb7..1dd2e9571b 100644 --- a/spec/classes/mod/security_spec.rb +++ b/spec/classes/mod/security_spec.rb @@ -27,6 +27,7 @@ it { should contain_file('security.conf').with( :path => '/etc/httpd/conf.modules.d/security.conf' ) } + it { should contain_file('security.conf').with_content("^\s*SecAuditLogParts ABJDEFHZ$") } it { should contain_file('/etc/httpd/modsecurity.d').with( :ensure => 'directory', :path => '/etc/httpd/modsecurity.d', @@ -43,6 +44,13 @@ :path => '/etc/httpd/modsecurity.d/security_crs.conf' ) } it { should contain_apache__security__rule_link('base_rules/modsecurity_35_bad_robots.data') } + + describe 'with parameters' do + let :params do + { :modsec_audit_log_parts => "ABCDZ" + } + end + it { should contain_file('security.conf').with_content("^\s*SecAuditLogParts ABCDZ$") } end context "on Debian based systems" do 
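Review bot: `$audit_log_parts` is added to apache::mod::security without any validation, and the template change in this commit writes it straight after `SecAuditLogParts`. A typo would only surface when httpd parses the file, and anything after a space or newline in the value lands in security.conf as extra tokens. The module already uses stdlib validators elsewhere, so I would add `validate_re($audit_log_parts, '^[A-KZ]+$')` in the class body before the `file { 'security.conf': }` resource. A comment next to the default would also help, noting that part `I` is what puts POST parameters into the audit log (the commit message's credit-card example), so operators know which letter to drop. The class body continues outside both hunks.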
diff --git a/templates/mod/security.conf.erb b/templates/mod/security.conf.erb index a71f5887d1..1ffd30bb9c 100644 --- a/templates/mod/security.conf.erb +++ b/templates/mod/security.conf.erb @@ -50,7 +50,7 @@ SecDebugLogLevel 0 SecAuditEngine RelevantOnly SecAuditLogRelevantStatus "^(?:5|4(?!04))" - SecAuditLogParts ABIJDEFHZ + SecAuditLogParts <%= @audit_log_parts %> SecAuditLogType Serial SecArgumentSeparator & SecCookieFormat 0 From d2699d18e5856ff8841373b3ebc9adc8c321564f Mon Sep 17 00:00:00 2001 From: Stig Brautaset Date: Tue, 8 Mar 2016 17:27:38 +0000 Subject: [PATCH 052/100] Add SecAuditLogParts tests for Debian-based systems --- spec/classes/mod/security_spec.rb | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/spec/classes/mod/security_spec.rb b/spec/classes/mod/security_spec.rb index 1dd2e9571b..0590b21c1c 100644 --- a/spec/classes/mod/security_spec.rb +++ b/spec/classes/mod/security_spec.rb @@ -51,6 +51,7 @@ } end it { should contain_file('security.conf').with_content("^\s*SecAuditLogParts ABCDZ$") } + end end context "on Debian based systems" do @@ -79,6 +80,7 @@ it { should contain_file('security.conf').with( :path => '/etc/apache2/mods-available/security.conf' ) } + it { should contain_file('security.conf').with_content("^\s*SecAuditLogParts ABJDEFHZ$") } it { should contain_file('/etc/modsecurity').with( :ensure => 'directory', :path => '/etc/modsecurity', @@ -95,6 +97,14 @@ :path => '/etc/modsecurity/security_crs.conf' ) } it { should contain_apache__security__rule_link('base_rules/modsecurity_35_bad_robots.data') } + + describe 'with parameters' do + let :params do + { :modsec_audit_log_parts => "ACEZ" + } + end + it { should contain_file('security.conf').with_content("^\s*SecAuditLogParts ACEZ$") } + end end end From 78ee594d71921e86a80ccdfe84952b2cea0097f5 Mon Sep 17 00:00:00 2001 
From: Stig Brautaset Date: Wed, 9 Mar 2016 10:36:19 +0000 Subject: [PATCH 053/100] Fix parameter name --- spec/classes/mod/security_spec.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/spec/classes/mod/security_spec.rb b/spec/classes/mod/security_spec.rb index 0590b21c1c..2730861f06 100644 --- a/spec/classes/mod/security_spec.rb +++ b/spec/classes/mod/security_spec.rb @@ -47,7 +47,7 @@ describe 'with parameters' do let :params do - { :modsec_audit_log_parts => "ABCDZ" + { :audit_log_parts => "ABCDZ" } end it { should contain_file('security.conf').with_content("^\s*SecAuditLogParts ABCDZ$") } @@ -100,7 +100,7 @@ describe 'with parameters' do let :params do - { :modsec_audit_log_parts => "ACEZ" + { :audit_log_parts => "ACEZ" } end it { should contain_file('security.conf').with_content("^\s*SecAuditLogParts ACEZ$") } From 388ab4b53de683039c120d138132eebf7c0fbee5 Mon Sep 17 00:00:00 2001 From: Stig Brautaset Date: Wed, 9 Mar 2016 15:04:22 +0000 Subject: [PATCH 054/100] Use regular expression rather than exact string match --- spec/classes/mod/security_spec.rb | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/spec/classes/mod/security_spec.rb b/spec/classes/mod/security_spec.rb index 2730861f06..7a0ba8f299 100644 --- a/spec/classes/mod/security_spec.rb +++ b/spec/classes/mod/security_spec.rb @@ -27,7 +27,7 @@ it { should contain_file('security.conf').with( :path => '/etc/httpd/conf.modules.d/security.conf' ) } - it { should contain_file('security.conf').with_content("^\s*SecAuditLogParts ABJDEFHZ$") } + it { should contain_file('security.conf').with_content %r{^\s+SecAuditLogParts ABIJDEFHZ$} } it { should contain_file('/etc/httpd/modsecurity.d').with( :ensure => 'directory', :path => '/etc/httpd/modsecurity.d', 
@@ -50,7 +50,7 @@ { :audit_log_parts => "ABCDZ" } end - it { should contain_file('security.conf').with_content("^\s*SecAuditLogParts ABCDZ$") } + it { should contain_file('security.conf').with_content %r{^\s+SecAuditLogParts ABCDZ$} } end end @@ -80,7 +80,7 @@ it { should contain_file('security.conf').with( :path => '/etc/apache2/mods-available/security.conf' ) } - it { should contain_file('security.conf').with_content("^\s*SecAuditLogParts ABJDEFHZ$") } + it { should contain_file('security.conf').with_content %r{^\s+SecAuditLogParts ABIJDEFHZ$} } it { should contain_file('/etc/modsecurity').with( :ensure => 'directory', :path => '/etc/modsecurity', @@ -103,7 +103,7 @@ { :audit_log_parts => "ACEZ" } end - it { should contain_file('security.conf').with_content("^\s*SecAuditLogParts ACEZ$") } + it { should contain_file('security.conf').with_content %r{^\s+SecAuditLogParts ACEZ$} } end end From 3d5aa16b3fe927920599566ffda12da483d80124 Mon Sep 17 00:00:00 2001 From: Stig Brautaset Date: Wed, 9 Mar 2016 15:04:56 +0000 Subject: [PATCH 055/100] Move default value outside the redhat-specific section So it is valid for Debian-based systems also. --- manifests/params.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/manifests/params.pp b/manifests/params.pp index 6a40f4d9bf..19b3d2a460 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -47,6 +47,8 @@ $vhost_include_pattern = '*' + $modsec_audit_log_parts = 'ABIJDEFHZ' + if $::operatingsystem == 'Ubuntu' and $::lsbdistrelease == '10.04' { $verify_command = '/usr/sbin/apache2ctl -t' } else { @@ -159,7 +161,6 @@ $mellon_lock_file = '/run/mod_auth_mellon/lock' $mellon_cache_size = 100 $mellon_post_directory = undef - $modsec_audit_log_parts = 'ABIJDEFHZ' $modsec_crs_package = 'mod_security_crs' $modsec_crs_path = '/usr/lib/modsecurity.d' $modsec_dir = '/etc/httpd/modsecurity.d' From 946be7ea59d65735bb4d50deef516fe0a4ab6e58 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Simon=20S=C3=A9hier?= Date: Thu, 10 Mar 2016 11:12:05 +0100 Subject: [PATCH 056/100] add doc for ssl_proxy_protocol --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index 5f1e77f89b..ad1415a812 100644 --- a/README.md +++ b/README.md @@ -3267,6 +3267,10 @@ apache::vhost { 'sample.example.net': ssl_verify_depth => 1, } ``` +##### `ssl_proxy_protocol` + +Sets the [SSLProxyProtocol](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxyprotocol) directive, which controls the SSL protocol flavors mod_ssl should use when establishing its server environment for proxy. It will only connect to servers using one of the provided protocols. Default: undef. + ##### `ssl_proxy_verify` From e252bd08aed9b66a80677c9c742de29e1e6965fb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Simon=20S=C3=A9hier?= Date: Thu, 10 Mar 2016 14:14:41 +0100 Subject: [PATCH 057/100] make ssl_proxy_protocol consistent with ssl_protocol usage --- templates/vhost/_sslproxy.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/vhost/_sslproxy.erb b/templates/vhost/_sslproxy.erb index 393126e439..0bc0a244a1 100644 --- a/templates/vhost/_sslproxy.erb +++ b/templates/vhost/_sslproxy.erb @@ -15,6 +15,6 @@ SSLProxyMachineCertificateFile "<%= @ssl_proxy_machine_cert %>" <%- end -%> <%- if @ssl_proxy_protocol -%> - SSLProxyProtocol "<%= @ssl_proxy_protocol %>" + SSLProxyProtocol <%= [@ssl_proxy_protocol].flatten.compact.join(' ') %> <%- end -%> <% end -%> From 50d7795cb75c69baa3bf248ee53d1c2845e9667b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Simon=20S=C3=A9hier?= Date: Thu, 10 Mar 2016 14:21:32 +0100 Subject: [PATCH 058/100] add tests for SSLProxyProtocol --- spec/acceptance/apache_ssl_spec.rb | 1 + spec/defines/vhost_spec.rb | 16 ++++++++++++++++ 2 files changed, 17 insertions(+) diff --git a/spec/acceptance/apache_ssl_spec.rb b/spec/acceptance/apache_ssl_spec.rb index 254a3c35a2..5df551a414 100644 
--- a/spec/acceptance/apache_ssl_spec.rb +++ b/spec/acceptance/apache_ssl_spec.rb @@ -62,6 +62,7 @@ class { 'apache': ssl_verify_depth => 'test', ssl_options => ['test', 'test1'], ssl_proxyengine => true, + ssl_proxy_protocol => 'TLSv1.2', } EOS apply_manifest(pp, :catch_failures => true) diff --git a/spec/defines/vhost_spec.rb b/spec/defines/vhost_spec.rb index 8bcd3cfd59..c8d54dd3b7 100644 --- a/spec/defines/vhost_spec.rb +++ b/spec/defines/vhost_spec.rb @@ -158,6 +158,7 @@ 'ssl_proxy_check_peer_cn' => 'on', 'ssl_proxy_check_peer_name' => 'on', 'ssl_proxyengine' => true, + 'ssl_proxy_protocol' => 'TLSv1.2', 'priority' => '30', 'default_vhost' => true, @@ -470,6 +471,8 @@ :content => /^\s+SSLProxyCheckPeerCN\s+on$/ ) } it { is_expected.to contain_concat__fragment('rspec.example.com-sslproxy').with( :content => /^\s+SSLProxyCheckPeerName\s+on$/ ) } + it { is_expected.to contain_concat__fragment('rspec.example.com-sslproxy').with( + :content => /^\s+SSLProxyProtocol\s+TLSv1.2$/ ) } it { is_expected.to contain_concat__fragment('rspec.example.com-suphp') } it { is_expected.to contain_concat__fragment('rspec.example.com-php_admin') } it { is_expected.to contain_concat__fragment('rspec.example.com-header') } @@ -778,6 +781,19 @@ it { is_expected.not_to contain_concat__fragment('rspec.example.com-ssl') } it { is_expected.to contain_concat__fragment('rspec.example.com-sslproxy') } end + context 'ssl_proxy_protocol without ssl_proxyengine' do + let :params do + { + 'docroot' => '/rspec/docroot', + 'ssl' => true, + 'ssl_proxyengine' => false, + 'ssl_proxy_protocol' => 'TLSv1.2', + } + end + it { is_expected.to compile } + it { is_expected.to contain_concat__fragment('rspec.example.com-ssl') } + it { is_expected.not_to contain_concat__fragment('rspec.example.com-sslproxy') } + end end describe 'access logs' do let :facts do From 9ac6064f58a304392184b10729993a5024641548 Mon Sep 17 00:00:00 2001 
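Review bot: The new expectation `/^\s+SSLProxyProtocol\s+TLSv1.2$/` in the `@@ -470,6 +471,8 @@` hunk of spec/defines/vhost_spec.rb leaves the dot unescaped, so it matches any character between `1` and `2`. Writing it as `/^\s+SSLProxyProtocol\s+TLSv1\.2$/` makes the test pin the exact protocol token. The added cases also pass only a single string; a case with an array value (constructed example: `['TLSv1.1', 'TLSv1.2']`) would exercise the `flatten.compact.join(' ')` path the template now uses.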
From: Stig Brautaset Date: Thu, 10 Mar 2016 14:33:12 +0000 Subject: [PATCH 059/100] Document mod_security's audit_log_parts parameter in README --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index 5f1e77f89b..76c174cc56 100644 --- a/README.md +++ b/README.md @@ -71,6 +71,8 @@ [Apache modules]: https://httpd.apache.org/docs/current/mod/ [array]: https://docs.puppetlabs.com/puppet/latest/reference/lang_data_array.html +[audit log]: https://github.com/SpiderLabs/ModSecurity/wiki/ModSecurity-2-Data-Formats#audit-log + [beaker-rspec]: https://github.com/puppetlabs/beaker-rspec [certificate revocation list]: https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcarevocationfile @@ -1706,6 +1708,7 @@ ${modsec\_dir}/activated\_rules. - `restricted_headers`: A list of restricted headers separated by slashes and spaces. Default: 'Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/'. - `secpcrematchlimit`: Sets the number for the match limit in the PCRE library. Default: '1500' - `secpcrematchlimitrecursion`: Sets the number for the match limit recursion in the PCRE library. Default: '1500' +- `audit_log_parts`: Sets the sections to be put in the [audit log][]. Default: 'ABIJDEFHZ' ##### Class: `apache::mod::wsgi` From d2f64a788e7f88326ab18c53ce0d6c002dd68191 Mon Sep 17 00:00:00 2001 From: Hunter Haugen Date: Thu, 10 Mar 2016 11:03:15 -0800 Subject: [PATCH 060/100] Enable multiverse on all Ubuntu hosts multiverse is needed for libapache2-mod-fastcgi but is not enabled by default on any Ubuntu release. --- spec/acceptance/vhost_spec.rb | 68 +++++++++++++++++------------------ 1 file changed, 33 insertions(+), 35 deletions(-) diff --git a/spec/acceptance/vhost_spec.rb b/spec/acceptance/vhost_spec.rb index 5a978c4356..36d4f42c59 100644 --- a/spec/acceptance/vhost_spec.rb +++ b/spec/acceptance/vhost_spec.rb 
@@ -1396,44 +1396,42 @@ class { 'apache': } describe 'fastcgi' do it 'applies cleanly' do pp = <<-EOS - unless $::operatingsystem == 'Ubuntu' and versioncmp($::operatingsystemrelease, '12.04') >= 0 { - $_os = $::operatingsystem - - if $_os == 'Ubuntu' { - $_location = "http://archive.ubuntu.com/" - $_security_location = "http://archive.ubuntu.com/" - $_release = $::lsbdistcodename - $_release_security = "${_release}-security" - $_repos = "main universe multiverse" - } else { - $_location = "http://httpredir.debian.org/debian/" - $_security_location = "http://security.debian.org/" - $_release = $::lsbdistcodename - $_release_security = "${_release}/updates" - $_repos = "main contrib non-free" - } + $_os = $::operatingsystem + + if $_os == 'Ubuntu' { + $_location = "http://archive.ubuntu.com/ubuntu/" + $_security_location = "http://archive.ubuntu.com/ubuntu/" + $_release = $::lsbdistcodename + $_release_security = "${_release}-security" + $_repos = "main universe multiverse" + } else { + $_location = "http://httpredir.debian.org/debian/" + $_security_location = "http://security.debian.org/" + $_release = $::lsbdistcodename + $_release_security = "${_release}/updates" + $_repos = "main contrib non-free" + } - include ::apt - apt::source { "${_os}_${_release}": - location => $_location, - release => $_release, - repos => $_repos, - include_src => false, - } + include ::apt + apt::source { "${_os}_${_release}": + location => $_location, + release => $_release, + repos => $_repos, + include_src => false, + } - apt::source { "${_os}_${_release}-updates": - location => $_location, - release => "${_release}-updates", - repos => $_repos, - include_src => false, - } + apt::source { "${_os}_${_release}-updates": + location => $_location, + release => "${_release}-updates", + repos => $_repos, + include_src => false, + } - apt::source { "${_os}_${_release}-security": - location => $_security_location, - release => $_release_security, - repos => $_repos, - include_src => false, 
- } + apt::source { "${_os}_${_release}-security": + location => $_security_location, + release => $_release_security, + repos => $_repos, + include_src => false, } EOS From 06498f221a8cab2afa2a8a1e7a4d21b463d680df Mon Sep 17 00:00:00 2001 From: Martin Hagstrom Date: Fri, 11 Mar 2016 12:30:38 +0100 Subject: [PATCH 061/100] Use valid parameter name According to this document, uppercase letters are not allowed: https://docs.puppetlabs.com/puppet/latest/reference/lang_reserved.html#parameters --- manifests/mod/authnz_ldap.pp | 14 +++++++++++--- spec/classes/mod/authnz_ldap_spec.rb | 20 ++++++++++---------- templates/mod/authnz_ldap.conf.erb | 2 +- 3 files changed, 22 insertions(+), 14 deletions(-) diff --git a/manifests/mod/authnz_ldap.pp b/manifests/mod/authnz_ldap.pp index 14a60494b0..45fcc997f5 100644 --- a/manifests/mod/authnz_ldap.pp +++ b/manifests/mod/authnz_ldap.pp @@ -1,14 +1,22 @@ class apache::mod::authnz_ldap ( - $verifyServerCert = true, + $verify_server_cert = true, + $verifyServerCert = undef, ) { include ::apache include '::apache::mod::ldap' ::apache::mod { 'authnz_ldap': } - validate_bool($verifyServerCert) + if $verifyServerCert { + warning('Class[\'apache::mod::authnz_ldap\'] parameter verifyServerCert is deprecated in favor of verify_server_cert') + $_verify_server_cert = $verifyServerCert + } else { + $_verify_server_cert = $verify_server_cert + } + + validate_bool($_verify_server_cert) # Template uses: - # - $verifyServerCert + # - $_verify_server_cert file { 'authnz_ldap.conf': ensure => file, path => "${::apache::mod_dir}/authnz_ldap.conf", diff --git a/spec/classes/mod/authnz_ldap_spec.rb b/spec/classes/mod/authnz_ldap_spec.rb index d433bc5337..7469d165e3 100644 --- a/spec/classes/mod/authnz_ldap_spec.rb +++ b/spec/classes/mod/authnz_ldap_spec.rb 
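Review bot: The backward-compatibility branch in manifests/mod/authnz_ldap.pp tests `if $verifyServerCert`, which is false both when the deprecated parameter is unset and when a caller passes `verifyServerCert => false`. In the second case the code falls through to `$verify_server_cert` (default `true`), so an existing manifest that disabled verification silently gets `LDAPVerifyServerCert On` and never sees the deprecation warning. That fails in the safe direction, but it is an unannounced behaviour change that can break LDAP binds against servers whose certificates are not trusted. Testing for presence instead, `if $verifyServerCert != undef {`, preserves the caller's value and still emits the warning. A spec with `:verifyServerCert => false` would pin it.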
@@ -22,17 +22,17 @@ it { is_expected.to contain_class("apache::mod::ldap") } it { is_expected.to contain_apache__mod('authnz_ldap') } - context 'default verifyServerCert' do + context 'default verify_server_cert' do it { is_expected.to contain_file('authnz_ldap.conf').with_content(/^LDAPVerifyServerCert On$/) } end - context 'verifyServerCert = false' do - let(:params) { { :verifyServerCert => false } } + context 'verify_server_cert = false' do + let(:params) { { :verify_server_cert => false } } it { is_expected.to contain_file('authnz_ldap.conf').with_content(/^LDAPVerifyServerCert Off$/) } end - context 'verifyServerCert = wrong' do - let(:params) { { :verifyServerCert => 'wrong' } } + context 'verify_server_cert = wrong' do + let(:params) { { :verify_server_cert => 'wrong' } } it 'should raise an error' do expect { is_expected.to raise_error Puppet::Error } end @@ -56,17 +56,17 @@ it { is_expected.to contain_class("apache::mod::ldap") } it { is_expected.to contain_apache__mod('authnz_ldap') } - context 'default verifyServerCert' do + context 'default verify_server_cert' do it { is_expected.to contain_file('authnz_ldap.conf').with_content(/^LDAPVerifyServerCert On$/) } end - context 'verifyServerCert = false' do - let(:params) { { :verifyServerCert => false } } + context 'verify_server_cert = false' do + let(:params) { { :verify_server_cert => false } } it { is_expected.to contain_file('authnz_ldap.conf').with_content(/^LDAPVerifyServerCert Off$/) } end - context 'verifyServerCert = wrong' do - let(:params) { { :verifyServerCert => 'wrong' } } + context 'verify_server_cert = wrong' do + let(:params) { { :verify_server_cert => 'wrong' } } it 'should raise an error' do expect { is_expected.to raise_error Puppet::Error } end diff --git a/templates/mod/authnz_ldap.conf.erb b/templates/mod/authnz_ldap.conf.erb index 565fcf0df9..8d73b239d5 100644 --- a/templates/mod/authnz_ldap.conf.erb +++ b/templates/mod/authnz_ldap.conf.erb 
@@ -1,4 +1,4 @@ -<% if @verifyServerCert == true -%> +<% if @_verify_server_cert == true -%> LDAPVerifyServerCert On <% else -%> LDAPVerifyServerCert Off From fc8fee7ef3d91e8c4ec2fcc2e19e6ad4cb46028e Mon Sep 17 00:00:00 2001 From: Mathieu Parent Date: Wed, 16 Mar 2016 17:17:11 +0100 Subject: [PATCH 062/100] mod_ssl requires mod_mime for AddType directives --- manifests/mod/ssl.pp | 1 + 1 file changed, 1 insertion(+) diff --git a/manifests/mod/ssl.pp b/manifests/mod/ssl.pp index c0dd1f61bf..4cbddcbd66 100644 --- a/manifests/mod/ssl.pp +++ b/manifests/mod/ssl.pp @@ -14,6 +14,7 @@ $package_name = undef, ) { include ::apache + include ::apache::mod::mime $_apache_version = pick($apache_version, $apache::apache_version) if $ssl_mutex { $_ssl_mutex = $ssl_mutex From a2f636235623c0b024fdbf6b3afc451544511750 Mon Sep 17 00:00:00 2001 From: Dominic Cleal Date: Wed, 20 May 2015 18:55:41 +0100 Subject: [PATCH 063/100] Move all ensure parameters from concat::fragment to concat Deprecated in 1.1.x and has no effect in 2.x. From commit 1919eb3, but was reverted when temporarily removing 2.x support in f54393e. --- manifests/balancer.pp | 3 --- manifests/balancermember.pp | 1 - manifests/init.pp | 2 +- manifests/listen.pp | 1 - manifests/namevirtualhost.pp | 1 - 5 files changed, 1 insertion(+), 7 deletions(-) diff --git a/manifests/balancer.pp b/manifests/balancer.pp index a3534ded8c..65f6352a32 100644 --- a/manifests/balancer.pp +++ b/manifests/balancer.pp @@ -64,7 +64,6 @@ } concat::fragment { "00-${name}-header": - ensure => present, target => "apache_balancer_${name}", order => '01', content => "\n", 
@@ -77,14 +76,12 @@ # concat fragments. We don't have to do anything about them. concat::fragment { "01-${name}-proxyset": - ensure => present, target => "apache_balancer_${name}", order => '19', content => inline_template("<% @proxy_set.keys.sort.each do |key| %> Proxyset <%= key %>=<%= @proxy_set[key] %>\n<% end %>"), } concat::fragment { "01-${name}-footer": - ensure => present, target => "apache_balancer_${name}", order => '20', content => "\n", diff --git a/manifests/balancermember.pp b/manifests/balancermember.pp index 78723043bc..6e8b29f13f 100644 --- a/manifests/balancermember.pp +++ b/manifests/balancermember.pp @@ -46,7 +46,6 @@ ) { concat::fragment { "BalancerMember ${name}": - ensure => present, target => "apache_balancer_${balancer_cluster}", content => inline_template(" BalancerMember ${url} <%= @options.join ' ' %>\n"), } diff --git a/manifests/init.pp b/manifests/init.pp index e8f6e6f9ba..194c1741e9 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -242,6 +242,7 @@ } concat { $ports_file: + ensure => present, owner => 'root', group => $::apache::params::root_group, mode => $::apache::file_mode, @@ -249,7 +250,6 @@ require => Package['httpd'], } concat::fragment { 'Apache ports header': - ensure => present, target => $ports_file, content => template('apache/ports_header.erb') } diff --git a/manifests/listen.pp b/manifests/listen.pp index e6a8a3c767..503ee8860b 100644 --- a/manifests/listen.pp +++ b/manifests/listen.pp @@ -3,7 +3,6 @@ # Template uses: $listen_addr_port concat::fragment { "Listen ${listen_addr_port}": - ensure => present, target => $::apache::ports_file, content => template('apache/listen.erb'), } diff --git a/manifests/namevirtualhost.pp b/manifests/namevirtualhost.pp index f8c3a80d85..4fa8795185 100644 --- a/manifests/namevirtualhost.pp +++ b/manifests/namevirtualhost.pp 
@@ -3,7 +3,6 @@ # Template uses: $addr_port concat::fragment { "NameVirtualHost ${addr_port}": - ensure => present, target => $::apache::ports_file, content => template('apache/namevirtualhost.erb'), } From 281da58df7a710b99ae4c61e05a3e29bd06bf1c0 Mon Sep 17 00:00:00 2001 From: Tom Downes Date: Thu, 17 Mar 2016 10:14:49 -0700 Subject: [PATCH 064/100] 1. Fix MODULES-3158 (any string interpreted as SSLCompression on) 2. Convert ssl_honorcipherorder to boolean, backport strings 'on' or 'off' 3. Update documentation accordingly --- README.md | 4 ++-- manifests/mod/ssl.pp | 14 +++++++++++++- templates/mod/ssl.conf.erb | 6 +++++- 3 files changed, 20 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index cd2ac7c9a4..198a540e6c 100644 --- a/README.md +++ b/README.md @@ -1660,7 +1660,7 @@ Installs [Apache SSL features][`mod_ssl`] and uses the `ssl.conf.erb` template t - `ssl_cipher`: Default: 'HIGH:MEDIUM:!aNULL:!MD5:!RC4'. - `ssl_compression`: Default: false. - `ssl_cryptodevice`: Default: 'builtin'. -- `ssl_honorcipherorder`: Default: 'On'. +- `ssl_honorcipherorder`: Default: true. - `ssl_openssl_conf_cmd`: Default: undef. - `ssl_options`: Default: [ 'StdEnvVars' ] - `ssl_pass_phrase_dialog`: Default: 'builtin'. @@ -3240,7 +3240,7 @@ Specifies [SSLCipherSuite](https://httpd.apache.org/docs/current/mod/mod_ssl.htm ##### `ssl_honorcipherorder` -Sets [SSLHonorCipherOrder](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslhonorcipherorder), which is used to prefer the server's cipher preference order. Default: 'On' in the base `apache` config. +Sets [SSLHonorCipherOrder](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslhonorcipherorder), to cause Apache to use the server's preferred order of ciphers rather than the client's preferred order. Default: true. In addition to true/false Boolean values, will also accept case-insensitive Strings 'on' or 'off'. ##### `ssl_certs_dir` 
diff --git a/manifests/mod/ssl.pp b/manifests/mod/ssl.pp index 4cbddcbd66..7a220e8345 100644 --- a/manifests/mod/ssl.pp +++ b/manifests/mod/ssl.pp @@ -4,7 +4,7 @@ $ssl_options = [ 'StdEnvVars' ], $ssl_openssl_conf_cmd = undef, $ssl_cipher = 'HIGH:MEDIUM:!aNULL:!MD5:!RC4', - $ssl_honorcipherorder = 'On', + $ssl_honorcipherorder = true, $ssl_protocol = [ 'all', '-SSLv2', '-SSLv3' ], $ssl_pass_phrase_dialog = 'builtin', $ssl_random_seed_bytes = '512', @@ -47,6 +47,18 @@ } } + validate_bool($ssl_compression) + + if is_bool($ssl_honorcipherorder) { + $_ssl_honorcipherorder = $ssl_honorcipherorder + } else { + $_ssl_honorcipherorder = $ssl_honorcipherorder ? { + 'on' => true, + 'off' => false, + default => true, + } + } + $session_cache = $::osfamily ? { 'debian' => "\${APACHE_RUN_DIR}/ssl_scache(512000)", 'redhat' => '/var/cache/mod_ssl/scache(512000)', diff --git a/templates/mod/ssl.conf.erb b/templates/mod/ssl.conf.erb index 4ae29e40a0..686c62a0e0 100644 --- a/templates/mod/ssl.conf.erb +++ b/templates/mod/ssl.conf.erb @@ -19,7 +19,11 @@ SSLMutex <%= @_ssl_mutex %> <%- end -%> SSLCryptoDevice <%= @ssl_cryptodevice %> - SSLHonorCipherOrder <%= @ssl_honorcipherorder %> +<% if @_ssl_honorcipherorder -%> + SSLHonorCipherOrder On +<% else -%> + SSLHonorCipherOrder Off +<% end -%> SSLCipherSuite <%= @ssl_cipher %> SSLProtocol <%= @ssl_protocol.compact.join(' ') %> <% if @ssl_options -%> From 3ccd3294dcd866bdc1cf3a3901bcc0b5d21a7c25 Mon Sep 17 00:00:00 2001 From: Tom Downes Date: Fri, 25 Mar 2016 09:15:00 -0500 Subject: [PATCH 065/100] Take igalic's suggestion to use bool2httpd --- templates/mod/ssl.conf.erb | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/templates/mod/ssl.conf.erb b/templates/mod/ssl.conf.erb index 686c62a0e0..a66d73312b 100644 --- a/templates/mod/ssl.conf.erb +++ b/templates/mod/ssl.conf.erb 
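Review bot: In the `@@ -47,6 +47,18 @@` hunk of manifests/mod/ssl.pp the selector ends in `default => true`, so any non-boolean value other than 'on' or 'off' (constructed example: `'of'`) is accepted silently and rendered as `SSLHonorCipherOrder On`. This is the same kind of loose coercion the commit removes for `ssl_compression` by adding `validate_bool`. I would validate in the `else` branch before the selector, e.g. `validate_re($ssl_honorcipherorder, '^([Oo][Nn]|[Oo][Ff][Ff])$')`, so bad input fails the catalog instead of being coerced. The diffstat lists no spec file, so the string back-compat path is untested in this commit.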
@@ -10,20 +10,14 @@ SSLPassPhraseDialog <%= @ssl_pass_phrase_dialog %> SSLSessionCache "shmcb:<%= @session_cache %>" SSLSessionCacheTimeout <%= @ssl_sessioncachetimeout %> -<% if @ssl_compression -%> - SSLCompression On -<% end -%> + SSLCompression <%= scope.function_bool2httpd([@ssl_compression]) %> <%- if scope.function_versioncmp([@_apache_version, '2.4']) >= 0 -%> Mutex <%= @_ssl_mutex %> <%- else -%> SSLMutex <%= @_ssl_mutex %> <%- end -%> SSLCryptoDevice <%= @ssl_cryptodevice %> -<% if @_ssl_honorcipherorder -%> - SSLHonorCipherOrder On -<% else -%> - SSLHonorCipherOrder Off -<% end -%> + SSLHonorCipherOrder <%= scope.function_bool2httpd([@_ssl_honorcipherorder]) %> SSLCipherSuite <%= @ssl_cipher %> SSLProtocol <%= @ssl_protocol.compact.join(' ') %> <% if @ssl_options -%> From 44495362bd94a7b9c600487b6ced63870d30b9dd Mon Sep 17 00:00:00 2001 From: Justin Lambert Date: Mon, 28 Mar 2016 09:36:26 -0600 Subject: [PATCH 066/100] MODULES-3211: fix broken strict_variable tests --- manifests/dev.pp | 6 +++++- manifests/params.pp | 1 + manifests/vhost.pp | 2 ++ spec/classes/mod/dav_svn_spec.rb | 4 ++-- spec/classes/mod/dev_spec.rb | 28 ---------------------------- spec/classes/mod/proxy_html_spec.rb | 2 +- spec/spec_helper.rb | 25 ++++++++++++++++--------- 7 files changed, 27 insertions(+), 41 deletions(-) delete mode 100644 spec/classes/mod/dev_spec.rb diff --git a/manifests/dev.pp b/manifests/dev.pp index fdebf59f55..d4a25a7e44 100644 --- a/manifests/dev.pp +++ b/manifests/dev.pp @@ -1,5 +1,9 @@ class apache::dev { - include ::apache::params + + if ! defined(Class['apache']) { + fail('You must include the apache base class before using any apache defined resources') + } + $packages = $::apache::dev_packages if $packages { # FreeBSD doesn't have dev packages to install package { $packages: diff --git a/manifests/params.pp b/manifests/params.pp index 19b3d2a460..1cb2f40f5e 100644 --- a/manifests/params.pp +++ b/manifests/params.pp 
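Review bot: `SSLCompression <%= scope.function_bool2httpd([@ssl_compression]) %>` now writes the directive unconditionally, whereas the removed lines emitted `SSLCompression On` only when the parameter was true. With the documented default of `false` this adds an explicit `SSLCompression Off` to ssl.conf, which is the safer setting, but an httpd build that predates the directive would reject the file at parse time. I can't see from the hunk which httpd versions the module still targets. If older ones are in scope, wrap the line in a version guard like the `scope.function_versioncmp([@_apache_version, '2.4'])` check just below it. The template continues outside the hunk.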
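Review bot: The new guard in manifests/dev.pp relies on `defined(Class['apache'])`, which depends on evaluation order: a manifest that declares `apache::dev` before `apache` fails even though both classes end up in the catalog. The message also refers to "apache defined resources" although apache::dev is a class. If the hard failure is intended, I would reword it to `fail('You must include the apache base class before declaring apache::dev')` and add a comment above the check stating the ordering requirement. As far as the visible hunks show, the commit deletes spec/classes/mod/dev_spec.rb without adding a spec for the new failure path.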
@@ -488,6 +488,7 @@ $docroot = '/var/www/localhost/htdocs' $alias_icons_path = '/usr/share/apache2/icons' $error_documents_path = '/usr/share/apache2/error' + $pidfile = '/var/run/apache2.pid' } elsif $::osfamily == 'Suse' { $user = 'wwwrun' $group = 'wwwrun' diff --git a/manifests/vhost.pp b/manifests/vhost.pp index a02e25f144..90e99d1101 100644 --- a/manifests/vhost.pp +++ b/manifests/vhost.pp @@ -493,6 +493,8 @@ } $_directories = [ merge($_directory, $_directory_version) ] + } else { + $_directories = undef } ## Create a global LocationMatch if locations aren't defined diff --git a/spec/classes/mod/dav_svn_spec.rb b/spec/classes/mod/dav_svn_spec.rb index 1f60e730b1..1eb06b22c5 100644 --- a/spec/classes/mod/dav_svn_spec.rb +++ b/spec/classes/mod/dav_svn_spec.rb @@ -34,7 +34,7 @@ :id => 'root', :kernel => 'Linux', :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - :is_pe => false, + :is_pe => false, } end it { is_expected.to contain_class("apache::params") } @@ -52,7 +52,7 @@ :id => 'root', :kernel => 'Linux', :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - :is_pe => false, + :is_pe => false, } end it { is_expected.to contain_class("apache::params") } diff --git a/spec/classes/mod/dev_spec.rb b/spec/classes/mod/dev_spec.rb deleted file mode 100644 index 29589f99f2..0000000000 --- a/spec/classes/mod/dev_spec.rb +++ /dev/null 
@@ -1,28 +0,0 @@ -require 'spec_helper' - -describe 'apache::mod::dev', :type => :class do - it_behaves_like "a mod class, without including apache" - - [ - ['RedHat', '6', 'Santiago', 'Linux'], - ['Debian', '6', 'squeeze', 'Linux'], - ['FreeBSD', '9', 'FreeBSD', 'FreeBSD'], - ].each do |osfamily, operatingsystemrelease, lsbdistcodename, kernel| - context "on a #{osfamily} OS" do - let :facts do - { - :lsbdistcodename => lsbdistcodename, - :osfamily => osfamily, - :operatingsystem => osfamily, - :operatingsystemrelease => operatingsystemrelease, - :is_pe => false, - :concat_basedir => '/foo', - :id => 'root', - :path => '/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin', - :kernel => kernel - } - end - it { is_expected.to contain_class('apache::dev') } - end - end -end diff --git a/spec/classes/mod/proxy_html_spec.rb b/spec/classes/mod/proxy_html_spec.rb index ffdaa243ed..066ae239a0 100644 --- a/spec/classes/mod/proxy_html_spec.rb +++ b/spec/classes/mod/proxy_html_spec.rb @@ -25,7 +25,7 @@ :kernel => 'Linux', :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', :hardwaremodel => 'i386', - :is_pe => false, + :is_pe => false, } end diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb index c48f49b1bf..561f633026 100644 --- a/spec/spec_helper.rb +++ b/spec/spec_helper.rb 
@@ -25,16 +25,23 @@ shared_examples 'a mod class, without including apache' do let :facts do { - :id => 'root', - :lsbdistcodename => 'squeeze', - :kernel => 'Linux', - :osfamily => 'Debian', - :operatingsystem => 'Debian', - :operatingsystemrelease => '6', - :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - :concat_basedir => '/dne', - :is_pe => false, + :id => 'root', + :lsbdistcodename => 'squeeze', + :kernel => 'Linux', + :osfamily => 'Debian', + :operatingsystem => 'Debian', + :operatingsystemrelease => '6', + :operatingsystemmajrelease => nil, + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :concat_basedir => '/dne', + :is_pe => false, + :hardwaremodel => 'x86_64', } end it { should compile.with_all_deps } end + +RSpec.configure do |config| + config.filter_run focus: true + config.run_all_when_everything_filtered = true +end From 0cbb9c789d45c95620f0c75f15a5e8798515fb2f Mon Sep 17 00:00:00 2001 From: Justin Lambert Date: Fri, 25 Mar 2016 13:17:36 -0600 Subject: [PATCH 067/100] MODULES-2179: Implement SetEnvIfNoCase --- README.md | 4 ++++ manifests/vhost.pp | 9 +++++++-- spec/defines/vhost_spec.rb | 8 +++++++- spec/spec_helper.rb | 5 +++++ templates/vhost/_setenv.erb | 5 +++++ 5 files changed, 28 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 198a540e6c..f123c9a901 100644 --- a/README.md +++ b/README.md @@ -2596,6 +2596,10 @@ apache::vhost { 'setenv.example.com': Used by HTTPD to conditionally set environment variables for virtual hosts. Default: '[]'. +##### `setenvifnocase` + +Used by HTTPD to conditionally set environment variables for virtual hosts (caseless matching). Default: '[]'. + ##### `suphp_addhandler`, `suphp_configpath`, & `suphp_engine` Sets up a virtual host with [suPHP](http://suphp.org/DocumentationView.html?file=apache/CONFIG). diff --git a/manifests/vhost.pp b/manifests/vhost.pp index 90e99d1101..69aee69e7c 100644 --- a/manifests/vhost.pp +++ b/manifests/vhost.pp 
@@ -97,6 +97,7 @@ $rewrite_cond = undef, $setenv = [], $setenvif = [], + $setenvifnocase = [], $block = [], $ensure = 'present', $wsgi_application_group = undef, @@ -460,7 +461,11 @@ } } - if ($setenv and ! empty($setenv)) or ($setenvif and ! empty($setenvif)) { + # Check if mod_setenvif is required and not yet loaded. + # create an expression to simplify the conditional check + $use_setenv_mod = ($setenv and ! empty($setenv)) or ($setenvif and ! empty($setenvif)) or ($setenvifnocase and ! empty($setenvifnocase)) + + if ($use_setenv_mod) { if ! defined(Class['apache::mod::setenvif']) { include ::apache::mod::setenvif } @@ -803,7 +808,7 @@ # Template uses: # - $setenv # - $setenvif - if ($setenv and ! empty($setenv)) or ($setenvif and ! empty($setenvif)) { + if ($use_setenv_mod) { concat::fragment { "${name}-setenv": target => "${priority_real}${filename}.conf", order => 220, diff --git a/spec/defines/vhost_spec.rb b/spec/defines/vhost_spec.rb index 405c2a21e8..e99e2a6ccd 100644 --- a/spec/defines/vhost_spec.rb +++ b/spec/defines/vhost_spec.rb @@ -299,6 +299,7 @@ 'rewrite_cond' => '%{HTTP_USER_AGENT} ^MSIE', 'setenv' => ['FOO=/bin/true'], 'setenvif' => 'Request_URI "\.gif$" object_is_image=gif', + 'setenvifnocase' => 'REMOTE_ADDR ^127.0.0.1 localhost=true', 'block' => 'scm', 'wsgi_application_group' => '%{GLOBAL}', 'wsgi_daemon_process' => 'wsgi', 
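Review bot: The `# Template uses:` comment above the setenv fragment (the `@@ -803,7 +808,7 @@` hunk of manifests/vhost.pp) still lists only `$setenv` and `$setenvif`, while `_setenv.erb` now also reads `@setenvifnocase`. Add `# - $setenvifnocase` to that list. The comment on `$use_setenv_mod` could also state that the variable gates both the `apache::mod::setenvif` include and the fragment, since it is now used in two places.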
@@ -465,7 +466,12 @@ it { is_expected.to contain_concat__fragment('rspec.example.com-rewrite') } it { is_expected.to contain_concat__fragment('rspec.example.com-scriptalias') } it { is_expected.to contain_concat__fragment('rspec.example.com-serveralias') } - it { is_expected.to contain_concat__fragment('rspec.example.com-setenv') } + it { is_expected.to contain_concat__fragment('rspec.example.com-setenv').with_content( + %r{SetEnv FOO=/bin/true}) } + it { is_expected.to contain_concat__fragment('rspec.example.com-setenv').with_content( + %r{SetEnvIf Request_URI "\\.gif\$" object_is_image=gif}) } + it { is_expected.to contain_concat__fragment('rspec.example.com-setenv').with_content( + %r{SetEnvIfNoCase REMOTE_ADDR \^127.0.0.1 localhost=true}) } it { is_expected.to contain_concat__fragment('rspec.example.com-ssl') } it { is_expected.to contain_concat__fragment('rspec.example.com-ssl').with( :content => /^\s+SSLOpenSSLConfCmd\s+DHParameters "foo.pem"$/ ) } diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb index 561f633026..e61b185c1a 100644 --- a/spec/spec_helper.rb +++ b/spec/spec_helper.rb @@ -18,6 +18,11 @@ end end +RSpec.configure do |config| + config.filter_run focus: true + config.run_all_when_everything_filtered = true +end + shared_examples :compile, :compile => true do it { should compile.with_all_deps } end diff --git a/templates/vhost/_setenv.erb b/templates/vhost/_setenv.erb index ce1fa955ef..476a6b19ca 100644 --- a/templates/vhost/_setenv.erb +++ b/templates/vhost/_setenv.erb @@ -10,3 +10,8 @@ SetEnvIf <%= envifvar %> <%- end -%> <% end -%> +<% if @setenvifnocase and ! @setenvifnocase.empty? -%> + <%- Array(@setenvifnocase).each do |envifncvar| -%> + SetEnvIfNoCase <%= envifncvar %> + <%- end -%> +<% end -%> From 3d864609aca8eae82c337eb3b538f701102206c1 Mon Sep 17 00:00:00 2001 
From: Justin Lambert Date: Mon, 28 Mar 2016 09:36:26 -0600 Subject: [PATCH 068/100] MODULES-3211: fix broken strict_variable tests --- spec/classes/mod/dev_spec.rb | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 spec/classes/mod/dev_spec.rb diff --git a/spec/classes/mod/dev_spec.rb b/spec/classes/mod/dev_spec.rb new file mode 100644 index 0000000000..4c9f324b38 --- /dev/null +++ b/spec/classes/mod/dev_spec.rb @@ -0,0 +1,32 @@ +require 'spec_helper' + +describe 'apache::mod::dev', :type => :class do + let(:pre_condition) {[ + 'include apache' + ]} + + it_behaves_like "a mod class, without including apache" + + [ + ['RedHat', '6', 'Santiago', 'Linux'], + ['Debian', '6', 'squeeze', 'Linux'], + ['FreeBSD', '9', 'FreeBSD', 'FreeBSD'], + ].each do |osfamily, operatingsystemrelease, lsbdistcodename, kernel| + context "on a #{osfamily} OS" do + let :facts do + { + :lsbdistcodename => lsbdistcodename, + :osfamily => osfamily, + :operatingsystem => osfamily, + :operatingsystemrelease => operatingsystemrelease, + :is_pe => false, + :concat_basedir => '/foo', + :id => 'root', + :path => '/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin', + :kernel => kernel + } + end + it { is_expected.to contain_class('apache::dev') } + end + end +end From 6b662e430db8387d8c192cb60005b49d4b043bda Mon Sep 17 00:00:00 2001 From: Justin Lambert Date: Mon, 28 Mar 2016 10:58:56 -0600 Subject: [PATCH 069/100] MODULES-3212: add parallel_spec option --- .travis.yml | 2 +- Gemfile | 1 + Rakefile | 9 +++++++++ spec/spec.opts | 6 ------ 4 files changed, 11 insertions(+), 7 deletions(-) delete mode 100644 spec/spec.opts diff --git a/.travis.yml b/.travis.yml index 588fb5b002..e366e0ee2e 100644 --- a/.travis.yml +++ b/.travis.yml 
@@ -4,7 +4,7 @@ sudo: false language: ruby cache: bundler bundler_args: --without system_tests -script: "bundle exec rake validate lint spec" +script: "bundle exec rake validate lint parallel_spec" matrix: fast_finish: true include: diff --git a/Gemfile b/Gemfile index e490bc9b98..21c2dbc3ea 100644 --- a/Gemfile +++ b/Gemfile @@ -20,6 +20,7 @@ group :development, :unit_tests do gem 'puppetlabs_spec_helper', :require => false gem 'rspec-puppet', '>= 2.3.2', :require => false gem 'simplecov', :require => false + gem 'parallel_tests', :require => false end group :system_tests do gem 'beaker-rspec', *location_for(ENV['BEAKER_RSPEC_VERSION'] || '>= 3.4') diff --git a/Rakefile b/Rakefile index 1e2be6663c..7ef974b94c 100644 --- a/Rakefile +++ b/Rakefile @@ -1,6 +1,8 @@ require 'puppet_blacksmith/rake_tasks' require 'puppet-lint/tasks/puppet-lint' require 'puppetlabs_spec_helper/rake_tasks' +require 'parallel_tests' +require 'parallel_tests/cli' PuppetLint.configuration.fail_on_warnings = true PuppetLint.configuration.send('relative') @@ -41,3 +43,10 @@ task :gen_nodeset do end puts nodeset end + +desc "Parallel spec tests" +task :parallel_spec do + Rake::Task[:spec_prep].invoke + ParallelTests::CLI.new.run('--type test -t rspec spec/classes spec/defines spec/unit'.split) + Rake::Task[:spec_clean].invoke +end diff --git a/spec/spec.opts b/spec/spec.opts deleted file mode 100644 index 91cd6427ed..0000000000 --- a/spec/spec.opts +++ /dev/null @@ -1,6 +0,0 @@ ---format -s ---colour ---loadby -mtime ---backtrace From 95e6dcd5217e73c94b27aca66f3b3189c1e3b82d Mon Sep 17 00:00:00 2001 From: Johan De Wit Date: Mon, 28 Mar 2016 15:11:47 +0200 Subject: [PATCH 070/100] MODULES-1352: adding support for apache 2.4 require directives. Includes doc and rspec --- README.md | 19 ++++++++++++ spec/defines/vhost_spec.rb | 51 ++++++++++++++++++++++++++++++++ templates/vhost/_directories.erb | 15 +++++++++- 3 files changed, 84 insertions(+), 1 deletion(-) 
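Review bot: In the new `parallel_spec` task in the Rakefile, `spec_clean` is only reached when the `ParallelTests::CLI` call returns normally. If that call raises or ends the process on failing specs (not visible here, so this needs confirming), the fixtures created by `spec_prep` are left behind. Wrapping the run as `begin ... ensure Rake::Task[:spec_clean].invoke end` makes the cleanup unconditional.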
diff --git a/README.md b/README.md index 198a540e6c..b22bf0168b 100644 --- a/README.md +++ b/README.md @@ -3073,6 +3073,23 @@ apache::vhost { 'sample.example.net': } ``` +When more complex sets of requirement are needed, apache >= 2.4 provides the use of [RequireAll](https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#requireall), [RequireNone](https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#requirenone) or [RequireAny](https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#requireany) directives. +Using the 'enforce' key, which only supports 'any','none','all' (other values are silently ignored), this could be established like: + +``` puppet +apache::vhost { 'sample.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/path/to/directory', + require => { + enforce => 'all', + require => ['group', 'not host host.example.com'], + }, + }, + ], +} +``` + If `require` is set to `unmanaged` it will not be set at all. This is useful for complex authentication/authorization requirements which are handled in a custom fragment. ``` puppet @@ -3086,6 +3103,8 @@ apache::vhost { 'sample.example.net': } ``` + + ###### `satisfy` Sets a `Satisfy` directive per the [Apache Core documentation](https://httpd.apache.org/docs/2.2/mod/core.html#satisfy). **Deprecated:** This parameter is deprecated due to a change in Apache and only works with Apache 2.2 and lower. diff --git a/spec/defines/vhost_spec.rb b/spec/defines/vhost_spec.rb index 405c2a21e8..f0bead76ec 100644 --- a/spec/defines/vhost_spec.rb +++ b/spec/defines/vhost_spec.rb 
@@ -191,6 +191,33 @@ 'provider' => 'files', 'require' => 'all granted', }, + { + 'path' => '/var/www/files', + 'provider' => 'files', + 'require' => + { + 'enforce' => 'all', + 'requires' => ['all-valid1', 'all-valid2'], + }, + }, + { + 'path' => '/var/www/files', + 'provider' => 'files', + 'require' => + { + 'enforce' => 'none', + 'requires' => ['none-valid1', 'none-valid2'], + }, + }, + { + 'path' => '/var/www/files', + 'provider' => 'files', + 'require' => + { + 'enforce' => 'any', + 'requires' => ['any-valid1', 'any-valid2'], + }, + }, { 'path' => '*', 'provider' => 'proxy', 
@@ -422,6 +449,30 @@ :content => /^\s+Require all denied$/ ) } it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( :content => /^\s+Require all granted$/ ) } + it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + :content => /^\s+$/ ) } + it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + :content => /^\s+<\/RequireAll>$/ ) } + it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + :content => /^\s+Require all-valid1$/ ) } + it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + :content => /^\s+Require all-valid2$/ ) } + it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + :content => /^\s+$/ ) } + it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + :content => /^\s+<\/RequireNone>$/ ) } + it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + :content => /^\s+Require none-valid1$/ ) } + it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + :content => /^\s+Require none-valid2$/ ) } + it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + :content => /^\s+$/ ) } + it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + :content => /^\s+<\/RequireAny>$/ ) } + it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + :content => /^\s+Require any-valid1$/ ) } + it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + :content => /^\s+Require any-valid2$/ ) } it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( :content => /^\s+Options\sIndexes\sFollowSymLinks\sMultiViews$/ ) } it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( 
diff --git a/templates/vhost/_directories.erb b/templates/vhost/_directories.erb index 9beb89865f..7ef40edd2d 100644 --- a/templates/vhost/_directories.erb +++ b/templates/vhost/_directories.erb @@ -58,8 +58,21 @@ <%- end -%> <%- if scope.function_versioncmp([@apache_version, '2.4']) >= 0 -%> <%- if directory['require'] && directory['require'] != '' && directory['require'] !~ /unmanaged/i -%> - <%- Array(directory['require']).each do |req| -%> + <%- if directory['require'].is_a?(Hash) -%> + <%- case directory['require']['enforce'].downcase -%> + <%- when 'all','none','any' then -%> + > + <%- Array(directory['require']['requires']).each do |req| -%> + Require <%= req.strip %> + <%- end -%> + > + <%- else -%> + <%- scope.function_warning(["Apache::Vhost: Require can only overwritten with all, none or any."]) -%> + <%- end -%> + <%- else -%> + <%- Array(directory['require']).each do |req| -%> Require <%= req %> + <%- end -%> <%- end -%> <%- end -%> <%- if directory['auth_require'] -%> From 837a0885f3e9e00b417e39d44ed11032ca6da1a4 Mon Sep 17 00:00:00 2001 From: FlatKey Date: Sat, 26 Mar 2016 01:57:20 +0100 Subject: [PATCH 071/100] Configurability of SecDefaultAction for OWASP Core Rule Set --- README.md | 1 + manifests/mod/security.pp | 1 + templates/mod/security_crs.conf.erb | 4 ++-- 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 198a540e6c..0e29fcb6df 100644 --- a/README.md +++ b/README.md 
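Review bot: `directory['require']['enforce'].downcase` in the new Hash branch raises on a hash that has no `enforce` key, because `nil` has no `downcase`, so the catalog fails with a Ruby error instead of reaching the `function_warning` arm. Using `case directory['require']['enforce'].to_s.downcase` sends that input to the warning. The branch also reads its list from `directory['require']['requires']`, while the README example added in this commit uses the key `require` inside the hash; as documented, that example would produce a container with no `Require` lines (the README also says other values are silently ignored, whereas the template warns). The enclosing directory loop lies outside the hunk.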
@@ -1706,6 +1706,7 @@ ${modsec\_dir}/activated\_rules. - `modsec_secruleengine`: Configures the modsec rules engine. Valid options: 'On', 'Off', and 'DetectionOnly'. Default: `modsec_secruleengine` in [`apache::params`][]. - `restricted_extensions`: A space-separated list of prohibited file extensions. Default: '.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'. - `restricted_headers`: A list of restricted headers separated by slashes and spaces. Default: 'Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/'. +- `secdefaultaction`: Configures the Mode of Operation, Self-Contained ('deny') vs. Collaborative Detection ('pass'), for the OWASP ModSecurity Core Rule Set. Default: 'deny'. - `secpcrematchlimit`: Sets the number for the match limit in the PCRE library. Default: '1500' - `secpcrematchlimitrecursion`: Sets the number for the match limit recursion in the PCRE library. Default: '1500' - `audit_log_parts`: Sets the sections to be put in the [audit log][]. Default: 'ABIJDEFHZ' diff --git a/manifests/mod/security.pp b/manifests/mod/security.pp index 7cd7114c4e..36f726b0ac 100644 --- a/manifests/mod/security.pp +++ b/manifests/mod/security.pp 
@@ -10,6 +10,7 @@ $content_types = 'application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf', $restricted_extensions = '.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/', $restricted_headers = '/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/', + $secdefaultaction = 'deny', ) inherits ::apache::params { include ::apache diff --git a/templates/mod/security_crs.conf.erb b/templates/mod/security_crs.conf.erb index 016efc797e..8c5a83710c 100644 --- a/templates/mod/security_crs.conf.erb +++ b/templates/mod/security_crs.conf.erb @@ -63,8 +63,8 @@ SecComponentSignature "OWASP_CRS/2.2.6" # Ref: http://blog.spiderlabs.com/2010/11/advanced-topic-of-the-week-traditional-vs-anomaly-scoring-detection-modes.html # Ref: https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#SecDefaultAction # -SecDefaultAction "phase:1,deny,log" - +SecDefaultAction "phase:1,<%= @secdefaultaction -%>,log" +SecDefaultAction "phase:2,<%= @secdefaultaction -%>,log" # # -- [[ Collaborative Detection Severity Levels ]] ---------------------------------------- From d26761c2c990b023ff2e08693335fe8d08dcd5b2 Mon Sep 17 00:00:00 2001 From: FlatKey Date: Sat, 26 Mar 2016 05:57:36 +0100 Subject: [PATCH 072/100] aligned hash rocket within widest attribute of the parameter block ( remaining parameters aligned in #1404 ) --- manifests/mod/security.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/mod/security.pp b/manifests/mod/security.pp index 36f726b0ac..dc06786f33 100644 --- a/manifests/mod/security.pp +++ b/manifests/mod/security.pp 
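Review bot: `$secdefaultaction` is written straight into both `SecDefaultAction` lines of security_crs.conf.erb with no check in manifests/mod/security.pp, so a typo or any other string lands inside the quoted action list and either breaks the ModSecurity configuration or changes the default disposition for every rule. The README names only 'deny' and 'pass'; if those are the only intended values, the class can enforce that with `validate_re($secdefaultaction, '^(deny|pass)$', "${secdefaultaction} is not permitted for secdefaultaction. Allowed values are 'deny' or 'pass'.")`. A comment next to the parameter should also say that with 'pass' the default action no longer blocks a matching request, so blocking then depends on the rule set's own scoring rules. The class body continues outside the hunk.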
@@ -10,7 +10,7 @@ $content_types = 'application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf', $restricted_extensions = '.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/', $restricted_headers = '/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/', - $secdefaultaction = 'deny', + $secdefaultaction = 'deny', ) inherits ::apache::params { include ::apache From 8082d2aa6beafdc90edd768a271ef629b703c41c Mon Sep 17 00:00:00 2001 From: FlatKey Date: Sat, 26 Mar 2016 16:40:17 +0100 Subject: [PATCH 073/100] Added vhost option SecRuleRemoveByTag --- README.md | 16 ++++++++ manifests/vhost.pp | 14 ++++++- spec/acceptance/mod_security_spec.rb | 60 ++++++++++++++++++++++++++++ templates/vhost/_security.erb | 9 +++++ 4 files changed, 98 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 198a540e6c..f597284396 100644 --- a/README.md +++ b/README.md @@ -2263,6 +2263,22 @@ apache::vhost { 'sample.example.net': Specifies an array of IP addresses to exclude from [`mod_security`][] rule matching. Default: undef. +###### `modsec_disable_tags` + +Array of mod_security Tags to remove from the virtual host. Also takes a hash allowing removal of an Tag from a specific location. Default: undef. + +``` puppet +apache::vhost { 'sample.example.net': + modsec_disable_tags => [ 'WEB_ATTACK/SQL_INJECTION', 'WEB_ATTACK/XSS' ], +} +``` + +``` puppet +apache::vhost { 'sample.example.net': + modsec_disable_tags => { '/location1' => [ 'WEB_ATTACK/SQL_INJECTION', 'WEB_ATTACK/XSS' ] }, +} +``` + ##### `no_proxy_uris` Specifies URLs you do not want to proxy. This parameter is meant to be used in combination with [`proxy_dest`](#proxy_dest). 
diff --git a/manifests/vhost.pp b/manifests/vhost.pp index 90e99d1101..bf1654fad4 100644 --- a/manifests/vhost.pp +++ b/manifests/vhost.pp @@ -130,6 +130,7 @@ $modsec_disable_vhost = undef, $modsec_disable_ids = undef, $modsec_disable_ips = undef, + $modsec_disable_tags = undef, $modsec_body_limit = undef, $jk_mounts = undef, $auth_kerb = false, @@ -508,6 +509,16 @@ } } + if $modsec_disable_tags { + if is_hash($modsec_disable_tags) { + $_modsec_disable_tags = $modsec_disable_tags + } elsif is_array($modsec_disable_tags) { + $_modsec_disable_tags = { '.*' => $modsec_disable_tags } + } else { + fail("Apache::Vhost[${name}]: 'modsec_disable_tags' must be either a Hash of location/Tags or an Array of Tags") + } + } + concat { "${priority_real}${filename}.conf": ensure => $ensure, path => "${::apache::vhost_dir}/${priority_real}${filename}.conf", @@ -982,8 +993,9 @@ # - $modsec_disable_vhost # - $modsec_disable_ids # - $modsec_disable_ips + # - $modsec_disable_tags # - $modsec_body_limit - if $modsec_disable_vhost or $modsec_disable_ids or $modsec_disable_ips { + if $modsec_disable_vhost or $modsec_disable_ids or $modsec_disable_ips or $modsec_disable_tags { concat::fragment { "${name}-security": target => "${priority_real}${filename}.conf", order => 320, diff --git a/spec/acceptance/mod_security_spec.rb b/spec/acceptance/mod_security_spec.rb index d6f2987df6..b1d1f5dd12 100644 --- a/spec/acceptance/mod_security_spec.rb +++ b/spec/acceptance/mod_security_spec.rb 
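Review bot: The condition guarding the `${name}-security` fragment still omits `$modsec_body_limit`, although the comment above it lists that variable as a template input and `_security.erb` renders `SecRequestBodyLimit` from it. A vhost that sets only `modsec_body_limit` therefore gets no fragment and the limit is never written. Since the line is being extended anyway, add `or $modsec_body_limit` to it; the later `modsec_disable_msgs` commit touches the same line and leaves the gap in place. In the validation hunk, the array form is wrapped as `{ '.*' => $modsec_disable_tags }`, which deserves a comment saying the key is presumably used as a location pattern that matches every path.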
@@ -249,5 +249,65 @@ class { 'apache::mod::security': } end #mod_security should allow disabling by id + context "mod_security should allow disabling by tag" do + it 'succeeds in puppeting mod_security' do + pp= <<-EOS + host { 'modsec.example.com': ip => '127.0.0.1', } + class { 'apache': } + class { 'apache::mod::security': } + apache::vhost { 'modsec.example.com': + port => '80', + docroot => '/var/www/html', + } + file { '/var/www/html/index.html': + ensure => file, + content => 'Index page', + } + file { '/var/www/html/index2.html': + ensure => file, + content => 'Page 2', + } + EOS + apply_manifest(pp, :catch_failures => true) + end + + describe service($service_name) do + if (fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '8') + pending 'Should be enabled - Bug 760616 on Debian 8' + else + it { should be_enabled } + end + it { is_expected.to be_running } + end + + describe file("#{$mod_dir}/security.conf") do + it { is_expected.to contain "mod_security2.c" } + end + + it 'should block query with SQL' do + shell '/usr/bin/curl -A beaker -f modsec.example.com:80?SELECT%20*FROM%20mysql.users', :acceptable_exit_codes => [22] + end + + it 'should disable mod_security per vhost' do + pp= <<-EOS + class { 'apache': } + class { 'apache::mod::security': } + apache::vhost { 'modsec.example.com': + port => '80', + docroot => '/var/www/html', + modsec_disable_tags => [ 'WEB_ATTACK/SQL_INJECTION' ], + } + EOS + apply_manifest(pp, :catch_failures => true) + end + + it 'should return index page' do + shell('/usr/bin/curl -A beaker -f modsec.example.com:80?SELECT%20*FROM%20mysql.users') do |r| + expect(r.stdout).to match(/Index page/) + expect(r.exit_code).to eq(0) + end + end + + end #mod_security should allow disabling by tag end #apache::mod::security class diff --git a/templates/vhost/_security.erb b/templates/vhost/_security.erb index 5ab0a5b5da..ca09d4944f 100644 --- a/templates/vhost/_security.erb +++ b/templates/vhost/_security.erb 
@@ -15,6 +15,15 @@ SecRule REMOTE_ADDR "<%= ips %>" "nolog,allow,id:1234123455" SecAction "phase:2,pass,nolog,id:1234123456" <% end -%> +<% if @_modsec_disable_tags.is_a?(Hash) -%> +<% @_modsec_disable_tags.each do |location,rules| -%> + > +<% Array(rules).each do |rule| -%> + SecRuleRemoveByTag "<%= rule %>" +<% end -%> + +<% end -%> +<% end -%> <% if @modsec_body_limit -%> SecRequestBodyLimit <%= @modsec_body_limit %> <% end -%> From 800c7ce7ba739df2c07d4b4b6d3bb2787ec6d950 Mon Sep 17 00:00:00 2001 From: FlatKey Date: Wed, 30 Mar 2016 21:20:53 +0200 Subject: [PATCH 074/100] Added vhost option SecRuleRemoveByMsg --- README.md | 16 ++++++++ manifests/vhost.pp | 14 ++++++- spec/acceptance/mod_security_spec.rb | 61 ++++++++++++++++++++++++++++ templates/vhost/_security.erb | 9 ++++ 4 files changed, 99 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index f597284396..d4cc0a3a24 100644 --- a/README.md +++ b/README.md @@ -2263,6 +2263,22 @@ apache::vhost { 'sample.example.net': Specifies an array of IP addresses to exclude from [`mod_security`][] rule matching. Default: undef. +###### `modsec_disable_msgs` + +Array of mod_security Msgs to remove from the virtual host. Also takes a hash allowing removal of an Msg from a specific location. Default: undef. + +``` puppet +apache::vhost { 'sample.example.net': + modsec_disable_msgs => [ 'Blind SQL Injection Attack', 'Session Fixation Attack' ], +} +``` + +``` puppet +apache::vhost { 'sample.example.net': + modsec_disable_msgs => { '/location1' => [ 'Blind SQL Injection Attack', 'Session Fixation Attack' ] }, +} +``` + ###### `modsec_disable_tags` Array of mod_security Tags to remove from the virtual host. Also takes a hash allowing removal of an Tag from a specific location. Default: undef. diff --git a/manifests/vhost.pp b/manifests/vhost.pp index bf1654fad4..bef9d31fae 100644 --- a/manifests/vhost.pp +++ b/manifests/vhost.pp 
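Review bot: Each entry of `@_modsec_disable_tags` is written into `SecRuleRemoveByTag "<%= rule %>"` unchanged, and ModSecurity treats that argument as a regular expression matched against rule tags, so a short value such as `WEB_ATTACK` removes every rule whose tag contains it. That belongs in a template comment and in the parameter docs, e.g. `<%# rule is a regex matched against rule tags; keep it as specific as possible -%>`. A value containing a double quote would also end the directive argument early, so rejecting such values in vhost.pp is safer than emitting them. The same applies to `SecRuleRemoveByMsg` in the later `modsec_disable_msgs` hunk of this template. The wrapper lines around the loop appear truncated on this page, so their exact form cannot be checked here.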
@@ -130,6 +130,7 @@ $modsec_disable_vhost = undef, $modsec_disable_ids = undef, $modsec_disable_ips = undef, + $modsec_disable_msgs = undef, $modsec_disable_tags = undef, $modsec_body_limit = undef, $jk_mounts = undef, @@ -509,6 +510,16 @@ } } + if $modsec_disable_msgs { + if is_hash($modsec_disable_msgs) { + $_modsec_disable_msgs = $modsec_disable_msgs + } elsif is_array($modsec_disable_msgs) { + $_modsec_disable_msgs = { '.*' => $modsec_disable_msgs } + } else { + fail("Apache::Vhost[${name}]: 'modsec_disable_msgs' must be either a Hash of location/Msgs or an Array of Msgs") + } + } + if $modsec_disable_tags { if is_hash($modsec_disable_tags) { $_modsec_disable_tags = $modsec_disable_tags @@ -993,9 +1004,10 @@ # - $modsec_disable_vhost # - $modsec_disable_ids # - $modsec_disable_ips + # - $modsec_disable_msgs # - $modsec_disable_tags # - $modsec_body_limit - if $modsec_disable_vhost or $modsec_disable_ids or $modsec_disable_ips or $modsec_disable_tags { + if $modsec_disable_vhost or $modsec_disable_ids or $modsec_disable_ips or $modsec_disable_msgs or $modsec_disable_tags { concat::fragment { "${name}-security": target => "${priority_real}${filename}.conf", order => 320, diff --git a/spec/acceptance/mod_security_spec.rb b/spec/acceptance/mod_security_spec.rb index b1d1f5dd12..8a12296079 100644 --- a/spec/acceptance/mod_security_spec.rb +++ b/spec/acceptance/mod_security_spec.rb 
@@ -249,6 +249,67 @@ class { 'apache::mod::security': } end #mod_security should allow disabling by id + context "mod_security should allow disabling by msg" do + it 'succeeds in puppeting mod_security' do + pp= <<-EOS + host { 'modsec.example.com': ip => '127.0.0.1', } + class { 'apache': } + class { 'apache::mod::security': } + apache::vhost { 'modsec.example.com': + port => '80', + docroot => '/var/www/html', + } + file { '/var/www/html/index.html': + ensure => file, + content => 'Index page', + } + file { '/var/www/html/index2.html': + ensure => file, + content => 'Page 2', + } + EOS + apply_manifest(pp, :catch_failures => true) + end + + describe service($service_name) do + if (fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '8') + pending 'Should be enabled - Bug 760616 on Debian 8' + else + it { should be_enabled } + end + it { is_expected.to be_running } + end + + describe file("#{$mod_dir}/security.conf") do + it { is_expected.to contain "mod_security2.c" } + end + + it 'should block query with SQL' do + shell '/usr/bin/curl -A beaker -f modsec.example.com:80?SELECT%20*FROM%20mysql.users', :acceptable_exit_codes => [22] + end + + it 'should disable mod_security per vhost' do + pp= <<-EOS + class { 'apache': } + class { 'apache::mod::security': } + apache::vhost { 'modsec.example.com': + port => '80', + docroot => '/var/www/html', + modsec_disable_msgs => [ 'Blind SQL Injection Attack' ], + } + EOS + apply_manifest(pp, :catch_failures => true) + end + + it 'should return index page' do + shell('/usr/bin/curl -A beaker -f modsec.example.com:80?SELECT%20*FROM%20mysql.users') do |r| + expect(r.stdout).to match(/Index page/) + expect(r.exit_code).to eq(0) + end + end + + end #mod_security should allow disabling by msg + context "mod_security should allow disabling by tag" do it 'succeeds in puppeting mod_security' do pp= <<-EOS 
diff --git a/templates/vhost/_security.erb b/templates/vhost/_security.erb index ca09d4944f..7f61da2eb2 100644 --- a/templates/vhost/_security.erb +++ b/templates/vhost/_security.erb @@ -15,6 +15,15 @@ SecRule REMOTE_ADDR "<%= ips %>" "nolog,allow,id:1234123455" SecAction "phase:2,pass,nolog,id:1234123456" <% end -%> +<% if @_modsec_disable_msgs.is_a?(Hash) -%> +<% @_modsec_disable_msgs.each do |location,rules| -%> + > +<% Array(rules).each do |rule| -%> + SecRuleRemoveByMsg "<%= rule %>" +<% end -%> + +<% end -%> +<% end -%> <% if @_modsec_disable_tags.is_a?(Hash) -%> <% @_modsec_disable_tags.each do |location,rules| -%> > From 1d2fe55b19f4e4316fe7c8e7e7842607b08da832 Mon Sep 17 00:00:00 2001 From: Philipp Dallig Date: Thu, 31 Mar 2016 11:23:56 +0200 Subject: [PATCH 075/100] SSLCompression only available with apache 2.4.3 http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcompression --- templates/mod/ssl.conf.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/mod/ssl.conf.erb b/templates/mod/ssl.conf.erb index a66d73312b..15aab10d78 100644 --- a/templates/mod/ssl.conf.erb +++ b/templates/mod/ssl.conf.erb @@ -10,9 +10,9 @@ SSLPassPhraseDialog <%= @ssl_pass_phrase_dialog %> SSLSessionCache "shmcb:<%= @session_cache %>" SSLSessionCacheTimeout <%= @ssl_sessioncachetimeout %> - SSLCompression <%= scope.function_bool2httpd([@ssl_compression]) %> <%- if scope.function_versioncmp([@_apache_version, '2.4']) >= 0 -%> Mutex <%= @_ssl_mutex %> + SSLCompression <%= scope.function_bool2httpd([@ssl_compression]) %> <%- else -%> SSLMutex <%= @_ssl_mutex %> <%- end -%> From 5739a20b70c33583ee9743f5417eacb08dacf082 Mon Sep 17 00:00:00 2001 
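Review bot: The guard that now encloses `SSLCompression` in templates/mod/ssl.conf.erb compares `@_apache_version` with '2.4', while the commit message says the directive is only available from 2.4.3, so a 2.4.0–2.4.2 server would still receive it. If `@_apache_version` carries a patch level, a separate `scope.function_versioncmp([@_apache_version, '2.4.3']) >= 0` test around that one line matches the stated requirement; if it only carries major.minor, add a comment that 2.4.0–2.4.2 are assumed not to occur. Moving the line also means 2.2 hosts no longer get an explicit `SSLCompression Off`, so TLS compression there follows the server's built-in default. A comment saying so would help anyone auditing the rendered configuration for compression-related TLS issues.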
From: Philipp Dallig Date: Thu, 31 Mar 2016 11:31:06 +0200 Subject: [PATCH 076/100] Fix in custom fact "apache_version" for OracleLinux. The custom fact defined by lib/facter/apache_version.rb runs "apachectl -v" and applies the following regular expression: ^Server version: Apache\/([\w\.]+) \(([\w ]+)\) On OracleLinux 7.2, running apachectl -v produces the following output: Server version: Apache/2.4.6 () Server built: Nov 21 2015 05:34:59 The regex fails to match the output because it does not allow for nothing inside the parentheses. The following modified regex matches properly: ^Server version: Apache\/([\w\.]+) \(([\w ]*)\) --- lib/facter/apache_version.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/facter/apache_version.rb b/lib/facter/apache_version.rb index b84d776150..2790627307 100644 --- a/lib/facter/apache_version.rb +++ b/lib/facter/apache_version.rb @@ -2,7 +2,7 @@ setcode do if Facter::Util::Resolution.which('apachectl') apache_version = Facter::Util::Resolution.exec('apachectl -v 2>&1') - %r{^Server version: Apache\/([\w\.]+) \(([\w ]+)\)}.match(apache_version)[1] + %r{^Server version: Apache\/([\w\.]+) \(([\w ]*)\)}.match(apache_version)[1] end end end From 10632d8d40e4c18d6ddcd5e4587a7f94d2d5d1bd Mon Sep 17 00:00:00 2001 From: Matthew Gyurgyik Date: Tue, 29 Mar 2016 08:11:03 -0400 Subject: [PATCH 077/100] (MODULES-3218) add auth_merging for directory enteries --- README.md | 4 ++++ templates/vhost/_directories.erb | 3 +++ 2 files changed, 7 insertions(+) diff --git a/README.md b/README.md index 198a540e6c..4abe075d83 100644 --- a/README.md +++ b/README.md 
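Review bot: `.match(apache_version)[1]` in lib/facter/apache_version.rb still fails with `NoMethodError` whenever the output of `apachectl -v` does not match at all, or the exec returns nil, which is the same failure mode this commit fixes for the empty-parentheses case. Only the first capture is used, so the pattern does not need the parenthesised platform part: `m = %r{^Server version: Apache/([\w.]+)}.match(apache_version.to_s)` followed by `m[1] if m` yields nil for unexpected output instead of an exception. The `setcode` block starts outside the hunk.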
@@ -2804,6 +2804,10 @@ Sets the value for [AuthType](https://httpd.apache.org/docs/current/mod/mod_auth Sets the value for [AuthUserFile](https://httpd.apache.org/docs/current/mod/mod_authn_file.html#authuserfile), which sets the name of the text file containing the users/passwords for authentication. +###### `auth_merging` + +Sets the value for [AuthMerging](https://httpd.apache.org/docs/current/mod/mod_authz_core.html#authmerging), which determines if authorization logic should be combined + ###### `custom_fragment` Pass a string of custom configuration directives to be placed at the end of the directory configuration. diff --git a/templates/vhost/_directories.erb b/templates/vhost/_directories.erb index 9beb89865f..193955dccc 100644 --- a/templates/vhost/_directories.erb +++ b/templates/vhost/_directories.erb @@ -186,6 +186,9 @@ <%- if directory['auth_group_file'] -%> AuthGroupFile <%= directory['auth_group_file'] %> <%- end -%> + <%- if directory['auth_merging'] -%> + AuthMerging <%= directory['auth_merging'] %> + <%- end -%> <%- if directory['fallbackresource'] -%> FallbackResource <%= directory['fallbackresource'] %> <%- end -%> From 0b568a98b53b19672c00950cac900f180c19d21b Mon Sep 17 00:00:00 2001 From: Jason Hancock Date: Thu, 31 Mar 2016 11:28:33 -0700 Subject: [PATCH 078/100] Adding SSLProxyCheckPeerExpire support --- README.md | 4 ++++ manifests/vhost.pp | 6 ++++++ spec/defines/vhost_spec.rb | 3 +++ templates/vhost/_sslproxy.erb | 3 +++ 4 files changed, 16 insertions(+) diff --git a/README.md b/README.md index 198a540e6c..19d9dcfb60 100644 --- a/README.md +++ b/README.md 
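Review bot: `directory['auth_merging']` is rendered into `AuthMerging` with no check on its value, and the README text added in this patch does not list the accepted values. The directive takes only `Off`, `And` or `Or`, and it decides whether this section's authorization rules replace or combine with those of the enclosing section. A mistyped value is therefore either a config that fails to load or, worse, a different access policy than intended. I would add "Valid options: 'Off', 'And', 'Or'. Default: undef." to the README entry and reject anything else before the template is rendered. The directories loop this block belongs to starts and ends outside the hunk.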
@@ -3320,6 +3320,10 @@ Sets the [SSLProxyMachinePeerCN](https://httpd.apache.org/docs/current/mod/mod_s Sets the [SSLProxyMachinePeerName](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxycheckpeername) directive, which specifies whether the remote server certificate's CN field is compared against the hostname of the request URL. Valid options: 'on', 'off'. Default: undef. +##### `ssl_proxy_check_peer_expire` + +Sets the [SSLProxyCheckPeerExpire](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxycheckpeerexpire) directive, which specifies whether the remote server certificate is checked for expiration or not. Valid options: 'on', 'off'. Default: undef. + ##### `ssl_options` Sets the [SSLOptions](https://httpd.apache.org/docs/current/mod/mod_ssl.html#ssloptions) directive, which configures various SSL engine run-time options. This is the global setting for the given virtual host and can be a string or an array. Default: undef. diff --git a/manifests/vhost.pp b/manifests/vhost.pp index 90e99d1101..6843fc886d 100644 --- a/manifests/vhost.pp +++ b/manifests/vhost.pp @@ -28,6 +28,7 @@ $ssl_proxy_verify = undef, $ssl_proxy_check_peer_cn = undef, $ssl_proxy_check_peer_name = undef, + $ssl_proxy_check_peer_expire = undef, $ssl_proxy_machine_cert = undef, $ssl_proxy_protocol = undef, $ssl_options = undef, @@ -253,6 +254,10 @@ validate_re($ssl_proxy_check_peer_name,'(^on$|^off$)',"${ssl_proxy_check_peer_name} is not permitted for ssl_proxy_check_peer_name. Allowed values are 'on' or 'off'.") } + if $ssl_proxy_check_peer_expire { + validate_re($ssl_proxy_check_peer_expire,'(^on$|^off$)',"${ssl_proxy_check_peer_expire} is not permitted for ssl_proxy_check_peer_expire. Allowed values are 'on' or 'off'.") + } + # Input validation ends if $ssl and $ensure == 'present' { 
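Review bot: The pattern `'(^on$|^off$)'` in the new `validate_re` call uses `^` and `$`, which in Ruby are line anchors, so a multi-line string that merely contains a line equal to `on` passes validation. It is then written verbatim after `SSLProxyCheckPeerExpire` by `_sslproxy.erb`. Anchoring on the whole string closes this: `validate_re($ssl_proxy_check_peer_expire, '\A(on|off)\z', ...)`. The `ssl_proxy_check_peer_name` check visible as context just above uses the same pattern and would need the same change. The define these checks sit in starts and ends outside the hunk.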
@@ -842,6 +847,7 @@ # - $ssl_proxy_verify # - $ssl_proxy_check_peer_cn # - $ssl_proxy_check_peer_name + # - $ssl_proxy_check_peer_expire # - $ssl_proxy_machine_cert # - $ssl_proxy_protocol if $ssl_proxyengine { diff --git a/spec/defines/vhost_spec.rb b/spec/defines/vhost_spec.rb index 405c2a21e8..8c069dd3c7 100644 --- a/spec/defines/vhost_spec.rb +++ b/spec/defines/vhost_spec.rb @@ -157,6 +157,7 @@ 'ssl_proxy_verify' => 'require', 'ssl_proxy_check_peer_cn' => 'on', 'ssl_proxy_check_peer_name' => 'on', + 'ssl_proxy_check_peer_expire' => 'on', 'ssl_proxyengine' => true, 'ssl_proxy_protocol' => 'TLSv1.2', @@ -476,6 +477,8 @@ :content => /^\s+SSLProxyCheckPeerCN\s+on$/ ) } it { is_expected.to contain_concat__fragment('rspec.example.com-sslproxy').with( :content => /^\s+SSLProxyCheckPeerName\s+on$/ ) } + it { is_expected.to contain_concat__fragment('rspec.example.com-sslproxy').with( + :content => /^\s+SSLProxyCheckPeerExpire\s+on$/ ) } it { is_expected.to contain_concat__fragment('rspec.example.com-sslproxy').with( :content => /^\s+SSLProxyProtocol\s+TLSv1.2$/ ) } it { is_expected.to contain_concat__fragment('rspec.example.com-suphp') } diff --git a/templates/vhost/_sslproxy.erb b/templates/vhost/_sslproxy.erb index 0bc0a244a1..a92bab5524 100644 --- a/templates/vhost/_sslproxy.erb +++ b/templates/vhost/_sslproxy.erb @@ -11,6 +11,9 @@ <%- if @ssl_proxy_check_peer_name -%> SSLProxyCheckPeerName <%= @ssl_proxy_check_peer_name %> <%- end -%> + <%- if @ssl_proxy_check_peer_expire -%> + SSLProxyCheckPeerExpire <%= @ssl_proxy_check_peer_expire %> + <%- end -%> <%- if @ssl_proxy_machine_cert -%> SSLProxyMachineCertificateFile "<%= @ssl_proxy_machine_cert %>" <%- end -%> From b93680bb04e3047a558b134021f48dc9bcf27019 Mon Sep 17 00:00:00 2001 From: Jason Hancock Date: Thu, 31 Mar 2016 11:38:54 -0700 Subject: [PATCH 079/100] Fixing copy/paste errors in README for sslproxy directives --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/README.md b/README.md index 19d9dcfb60..4ca149d9f8 100644 --- a/README.md +++ b/README.md @@ -3314,11 +3314,11 @@ apache::vhost { 'sample.example.net': ##### `ssl_proxy_check_peer_cn` -Sets the [SSLProxyMachinePeerCN](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxycheckpeercn) directive, which specifies whether the remote server certificate's CN field is compared against the hostname of the request URL. Valid options: 'on', 'off'. Default: undef. +Sets the [SSLProxyCheckPeerCN](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxycheckpeercn) directive, which specifies whether the remote server certificate's CN field is compared against the hostname of the request URL. Valid options: 'on', 'off'. Default: undef. ##### `ssl_proxy_check_peer_name` -Sets the [SSLProxyMachinePeerName](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxycheckpeername) directive, which specifies whether the remote server certificate's CN field is compared against the hostname of the request URL. Valid options: 'on', 'off'. Default: undef. +Sets the [SSLProxyCheckPeerName](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxycheckpeername) directive, which specifies whether the remote server certificate's CN field is compared against the hostname of the request URL. Valid options: 'on', 'off'. Default: undef. ##### `ssl_proxy_check_peer_expire` From 6a5df0637afd4d2e9c29ab3152f588d5b711aac7 Mon Sep 17 00:00:00 2001 From: Timo Goebel Date: Fri, 1 Apr 2016 11:40:03 +0200 Subject: [PATCH 080/100] add passenger_high_performance on the vhost level --- README.md | 4 ++++ manifests/vhost.pp | 3 ++- spec/defines/vhost_spec.rb | 1 + templates/vhost/_passenger.erb | 3 +++ 4 files changed, 10 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 4abe075d83..b436ad53f5 100644 --- a/README.md +++ b/README.md 
@@ -2330,6 +2330,10 @@ Sets [PassengerPreStart](https://www.phusionpassenger.com/library/config/apache/ Sets [PassengerUser](https://www.phusionpassenger.com/library/config/apache/reference/#passengeruser), the running user for sandboxing applications. +##### `passenger_high_performance` + +Sets the [`PassengerHighPerformance`](https://www.phusionpassenger.com/library/config/apache/reference/#passengerhighperformance) parameter. Valid options: 'true', 'false'. Default: undef. + ##### `php_flags & values` Allows per-virtual host setting [`php_value`s or `php_flag`s](http://php.net/manual/en/configuration.changes.php). These flags or values can be overwritten by a user or an application. Default: '{}'. diff --git a/manifests/vhost.pp b/manifests/vhost.pp index 90e99d1101..35fe6eacc2 100644 --- a/manifests/vhost.pp +++ b/manifests/vhost.pp @@ -126,6 +126,7 @@ $passenger_start_timeout = undef, $passenger_pre_start = undef, $passenger_user = undef, + $passenger_high_performance = undef, $add_default_charset = undef, $modsec_disable_vhost = undef, $modsec_disable_ids = undef, @@ -277,7 +278,7 @@ include ::apache::mod::suexec } - if $passenger_app_root or $passenger_app_env or $passenger_ruby or $passenger_min_instances or $passenger_start_timeout or $passenger_pre_start or $passenger_user { + if $passenger_app_root or $passenger_app_env or $passenger_ruby or $passenger_min_instances or $passenger_start_timeout or $passenger_pre_start or $passenger_user or $passenger_high_performance { include ::apache::mod::passenger } diff --git a/spec/defines/vhost_spec.rb b/spec/defines/vhost_spec.rb index 405c2a21e8..3a809de9db 100644 --- a/spec/defines/vhost_spec.rb +++ b/spec/defines/vhost_spec.rb @@ -338,6 +338,7 @@ 'passenger_min_instances' => '1', 'passenger_start_timeout' => '600', 'passenger_pre_start' => 'http://localhost/myapp', + 'passenger_high_performance' => true, 'passenger_user' => 'sandbox', 'add_default_charset' => 'UTF-8', 'jk_mounts' => [ 
diff --git a/templates/vhost/_passenger.erb b/templates/vhost/_passenger.erb index 91820d3634..becea9c4d0 100644 --- a/templates/vhost/_passenger.erb +++ b/templates/vhost/_passenger.erb @@ -19,3 +19,6 @@ <% if @passenger_user -%> PassengerUser <%= @passenger_user %> <% end -%> +<% if @passenger_high_performance -%> + PassengerHighPerformance <%= scope.function_bool2httpd([@passenger_high_performance]) %> +<% end -%> From 323b601ea53717e806e3685d6639aaea299d49e6 Mon Sep 17 00:00:00 2001 From: Samuel Barabas Date: Fri, 1 Apr 2016 18:43:01 +0200 Subject: [PATCH 081/100] Add parameter passanger_log_level --- README.md | 4 ++++ manifests/mod/passenger.pp | 2 ++ spec/classes/mod/passenger_spec.rb | 6 ++++++ templates/mod/passenger.conf.erb | 3 +++ 4 files changed, 15 insertions(+) diff --git a/README.md b/README.md index 2b7f3da501..f1875481ce 100644 --- a/README.md +++ b/README.md @@ -2311,6 +2311,10 @@ Sets [PassengerAppEnv](https://www.phusionpassenger.com/library/config/apache/re By default, Passenger log messages are written to the Apache global error log. With [PassengerLogFile](https://www.phusionpassenger.com/library/config/apache/reference/#passengerlogfile), you can configure those messages to be logged to a different file. This option is only available since Passenger 5.0.5. +##### `passenger_log_level` + +This option allows to specify how much information should be written to the log file. If not set, [PassengerLogLevel](https://www.phusionpassenger.com/library/config/apache/reference/#passengerloglevel) will not show up in the configuration file and the defaults are used. For Passenger > 3.0.0 the default is '0', since 5.0.0 it's '3'. + ##### `passenger_ruby` Sets [PassengerRuby](https://www.phusionpassenger.com/library/config/apache/reference/#passengerruby), the Ruby interpreter to use for the application, on this virtual host. diff --git a/manifests/mod/passenger.pp b/manifests/mod/passenger.pp index e97577d98f..e127d78267 100644 
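Review bot: With `<% if @passenger_high_performance -%>` a value of `false` never reaches `bool2httpd`, so the vhost cannot emit `PassengerHighPerformance Off` to override a server-wide `On`, although the README added in this patch lists 'false' as a valid option. Testing for presence rather than truthiness fixes that, for example `<% unless @passenger_high_performance.nil? -%>`. How an unset parameter arrives in the template on the supported Puppet versions should be confirmed first. The spec only covers `true`, so an example with `false` would pin the behaviour.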
--- a/manifests/mod/passenger.pp +++ b/manifests/mod/passenger.pp @@ -17,6 +17,7 @@ $passenger_use_global_queue = undef, $passenger_app_env = undef, $passenger_log_file = undef, + $passenger_log_level = undef, $manage_repo = true, $mod_package = undef, $mod_package_ensure = undef, @@ -92,6 +93,7 @@ # - $passenger_stat_throttle_rate # - $passenger_use_global_queue # - $passenger_log_file + # - $passenger_log_level # - $passenger_app_env # - $rack_autodetect # - $rails_autodetect diff --git a/spec/classes/mod/passenger_spec.rb b/spec/classes/mod/passenger_spec.rb index 70ce4ea60d..e9e754202c 100644 --- a/spec/classes/mod/passenger_spec.rb +++ b/spec/classes/mod/passenger_spec.rb @@ -128,6 +128,12 @@ end it { is_expected.to contain_file('passenger.conf').with_content(%r{^ PassengerLogFile /var/log/apache2/passenger.log$}) } end + describe "with passenger_log_level => 3" do + let :params do + { :passenger_log_level => 3 } + end + it { is_expected.to contain_file('passenger.conf').with_content(%r{^ PassengerLogLevel 3$}) } + end describe "with mod_path => '/usr/lib/foo/mod_foo.so'" do let :params do { :mod_path => '/usr/lib/foo/mod_foo.so' } diff --git a/templates/mod/passenger.conf.erb b/templates/mod/passenger.conf.erb index 8a3e9d4f37..6eac6fe649 100644 --- a/templates/mod/passenger.conf.erb +++ b/templates/mod/passenger.conf.erb @@ -49,4 +49,7 @@ <%- if @passenger_log_file -%> PassengerLogFile <%= @passenger_log_file %> <%- end -%> + <%- if @passenger_log_level -%> + PassengerLogLevel <%= @passenger_log_level %> + <%- end -%> From 71958f2b922cdfaff8f3f2d9fae05386475d7a3f Mon Sep 17 00:00:00 2001 From: Micha Krause Date: Wed, 23 Mar 2016 11:03:01 +0100 Subject: [PATCH 082/100] Added vhost option fastcgi_idle_timeout --- README.md | 4 ++++ manifests/vhost.pp | 2 ++ spec/defines/vhost_spec.rb | 1 + templates/vhost/_fastcgi.erb | 3 ++- 4 files changed, 9 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 2b7f3da501..551287462f 100644 --- a/README.md 
+++ b/README.md @@ -2098,6 +2098,10 @@ Specifies if the virtual host is present or absent. Valid options: 'absent', 'pr Sets the [FallbackResource](https://httpd.apache.org/docs/current/mod/mod_dir.html#fallbackresource) directive, which specifies an action to take for any URL that doesn't map to anything in your filesystem and would otherwise return 'HTTP 404 (Not Found)'. Valid options must either begin with a '/' or be 'disabled'. Default: undef. +#####`fastcgi_idle_timeout` + +If using fastcgi, this option sets the timeout for the server to respond. + ##### `filters` [Filters](https://httpd.apache.org/docs/current/mod/mod_filter.html) enable smart, context-sensitive configuration of output content filters. diff --git a/manifests/vhost.pp b/manifests/vhost.pp index 90e99d1101..abe60a18eb 100644 --- a/manifests/vhost.pp +++ b/manifests/vhost.pp @@ -114,6 +114,7 @@ $fastcgi_server = undef, $fastcgi_socket = undef, $fastcgi_dir = undef, + $fastcgi_idle_timeout = undef, $additional_includes = [], $use_optional_includes = $::apache::use_optional_includes, $apache_version = $::apache::apache_version, @@ -933,6 +934,7 @@ # - $fastcgi_server # - $fastcgi_socket # - $fastcgi_dir + # - $fastcgi_idle_timeout # - $apache_version if $fastcgi_server or $fastcgi_dir { concat::fragment { "${name}-fastcgi": diff --git a/spec/defines/vhost_spec.rb b/spec/defines/vhost_spec.rb index 405c2a21e8..6ecee9a4cf 100644 --- a/spec/defines/vhost_spec.rb +++ b/spec/defines/vhost_spec.rb @@ -327,6 +327,7 @@ 'fastcgi_server' => 'localhost', 'fastcgi_socket' => '/tmp/fastcgi.socket', 'fastcgi_dir' => '/tmp', + 'fastcgi_idle_timeout' => '120', 'additional_includes' => '/custom/path/includes', 'apache_version' => '2.4', 'use_optional_includes' => true, diff --git a/templates/vhost/_fastcgi.erb b/templates/vhost/_fastcgi.erb index 3a2baa5596..b4718391b7 100644 --- a/templates/vhost/_fastcgi.erb +++ b/templates/vhost/_fastcgi.erb 
@@ -1,6 +1,7 @@ <% if @fastcgi_server -%> - FastCgiExternalServer <%= @fastcgi_server %> -socket <%= @fastcgi_socket %> + FastCgiExternalServer <%= @fastcgi_server %> -socket <%= @fastcgi_socket -%> +<% unless @fastcgi_idle_timeout.nil? %> -idle-timeout <%= @fastcgi_idle_timeout %><% end %> <% end -%> <% if @fastcgi_dir -%> From b97be96e49582943bd64cebd3038f8e8a683d7ee Mon Sep 17 00:00:00 2001 From: Philipp Dallig Date: Mon, 4 Apr 2016 12:12:48 +0200 Subject: [PATCH 083/100] Add spec test for apache_version with an empty OS --- spec/unit/apache_version_spec.rb | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/spec/unit/apache_version_spec.rb b/spec/unit/apache_version_spec.rb index 30f6ef9914..c62339da41 100644 --- a/spec/unit/apache_version_spec.rb +++ b/spec/unit/apache_version_spec.rb @@ -17,4 +17,17 @@ end end end + + describe 'apache_version with empty OS' do + context 'with value' do + before :each do + Facter::Util::Resolution.stubs(:which).with('apachectl').returns(true) + Facter::Util::Resolution.stubs(:exec).with('apachectl -v 2>&1').returns('Server version: Apache/2.4.6 () + Server built: Nov 21 2015 05:34:59') + end + it do + expect(Facter.fact(:apache_version).value).to eq('2.4.6') + end + end + end end From 1f174bcfd8ac6809ad02aaebe5497ad9ddd7ba3d Mon Sep 17 00:00:00 2001 From: FlatKey Date: Mon, 28 Mar 2016 00:28:20 +0200 Subject: [PATCH 084/100] Configurability of Collaborative Detection Blocking for OWASP Core Rule Set --- README.md | 1 + manifests/mod/security.pp | 1 + templates/mod/security_crs.conf.erb | 4 ++-- 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 328c98ca21..6863383d08 100644 --- a/README.md +++ b/README.md 
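Review bot: `unless @fastcgi_idle_timeout.nil?` lets an empty string through, which renders a dangling `-idle-timeout` with no value on the `FastCgiExternalServer` line. Nothing in this patch checks that the parameter is a number, so any text is appended to the directive as given. I would validate it in `manifests/vhost.pp`, for example `validate_re($fastcgi_idle_timeout, '\A\d+\z')` inside an `if $fastcgi_idle_timeout` guard, and use the same truthiness test as the neighbouring `<% if @fastcgi_server -%>`. The README entry should also state the unit and that the default is undef.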
@@ -1710,6 +1710,7 @@ ${modsec\_dir}/activated\_rules. - `secpcrematchlimit`: Sets the number for the match limit in the PCRE library. Default: '1500' - `secpcrematchlimitrecursion`: Sets the number for the match limit recursion in the PCRE library. Default: '1500' - `audit_log_parts`: Sets the sections to be put in the [audit log][]. Default: 'ABIJDEFHZ' +- `anomaly_score_blocking`: De-/Activates the Collaborative Detection Blocking of the OWASP ModSecurity Core Rule Set. Default: off. ##### Class: `apache::mod::wsgi` diff --git a/manifests/mod/security.pp b/manifests/mod/security.pp index dc06786f33..5a6aa3227f 100644 --- a/manifests/mod/security.pp +++ b/manifests/mod/security.pp @@ -11,6 +11,7 @@ $restricted_extensions = '.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/', $restricted_headers = '/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/', $secdefaultaction = 'deny', + $anomaly_score_blocking = 'off', ) inherits ::apache::params { include ::apache diff --git a/templates/mod/security_crs.conf.erb b/templates/mod/security_crs.conf.erb index 8c5a83710c..6b4bb6f50c 100644 --- a/templates/mod/security_crs.conf.erb +++ b/templates/mod/security_crs.conf.erb @@ -143,11 +143,11 @@ SecAction \ # # If you want to use anomaly scoring mode, then uncomment this line. # -#SecAction \ +SecAction \ "id:'900004', \ phase:1, \ t:none, \ - setvar:tx.anomaly_score_blocking=on, \ + setvar:tx.anomaly_score_blocking=<%= @anomaly_score_blocking -%>, \ nolog, \ pass" From a43cd35a675f3258bbdc15d0110c466ba71c0a1a Mon Sep 17 00:00:00 2001 
From: Zarne Date: Thu, 7 Apr 2016 20:17:58 +0200 Subject: [PATCH 085/100] allow include in vhost directory (#1366) * allow include in vhost directory * update include in vhost directory * add some test for include in directory * add some documentation for additional include in vhost directory --- README.md | 14 ++++++++++++++ spec/defines/vhost_spec.rb | 9 +++++++++ templates/vhost/_directories.erb | 5 +++++ 3 files changed, 28 insertions(+) diff --git a/README.md b/README.md index 328c98ca21..1e6c57d7b7 100644 --- a/README.md +++ b/README.md @@ -3226,6 +3226,20 @@ apache::vhost { 'secure.example.net': ], } ``` +###### `additional_includes` + +Specifies paths to additional static, specific Apache configuration files in virtual host directories. Valid options: a array of string path. + +``` puppet +apache::vhost { 'sample.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/path/to/different/dir', + additional_includes => [ '/custom/path/includes', '/custom/path/another_includes', ], + }, + ], +} +``` #### SSL parameters for `apache::vhost` diff --git a/spec/defines/vhost_spec.rb b/spec/defines/vhost_spec.rb index 8d50a2ab76..8fc9250143 100644 --- a/spec/defines/vhost_spec.rb +++ b/spec/defines/vhost_spec.rb @@ -187,6 +187,11 @@ 'provider' => 'files', 'require' => [ 'valid-user', 'all denied', ], }, + { + 'path' => '/var/www/files', + 'provider' => 'files', + 'additional_includes' => [ '/custom/path/includes', '/custom/path/another_includes', ], + }, { 'path' => '/var/www/files', 'provider' => 'files', 
@@ -418,6 +423,10 @@ it { is_expected.to contain_concat__fragment('rspec.example.com-directories') } it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( :content => /^\s+$/ ) } + it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + :content => /^\s+Include\s'\/custom\/path\/includes'$/ ) } + it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + :content => /^\s+Include\s'\/custom\/path\/another_includes'$/ ) } it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( :content => /^\s+Require valid-user$/ ) } it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( diff --git a/templates/vhost/_directories.erb b/templates/vhost/_directories.erb index 193955dccc..7bd3377e76 100644 --- a/templates/vhost/_directories.erb +++ b/templates/vhost/_directories.erb @@ -142,6 +142,11 @@ <%- if directory['directoryindex'] and directory['directoryindex'] != '' -%> DirectoryIndex <%= directory['directoryindex'] %> <%- end -%> + <%- if directory['additional_includes'] and ! directory['additional_includes'].empty? -%> + <%- directory['additional_includes'].each do |include| -%> + Include '<%= "#{include}" %>' + <%- end -%> + <%- end -%> <%- if directory['error_documents'] and ! directory['error_documents'].empty? -%> <%- [directory['error_documents']].flatten.compact.each do |error_document| -%> ErrorDocument <%= error_document['error_code'] %> <%= error_document['document'] %> From 8e74af7a53f56cf85eedcaee310aefe581313979 Mon Sep 17 00:00:00 2001 From: Michael Ly Date: Fri, 8 Apr 2016 04:24:30 -0500 Subject: [PATCH 086/100] Allow for pagespeed mod to automatically be updated to the latest version (#1422) * Allow for optionally ensuring to have the lastest pagespeed package, Restart apache if there is a package update --- manifests/mod.pp | 1 + manifests/mod/pagespeed.pp | 4 +++- 2 files changed, 4 insertions(+), 1 deletion(-) 
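Review bot: `directory['additional_includes'].each` assumes an array, but a single path passed as a string passes the `.empty?` guard and then fails on `.each` on Ruby 1.9 and later. The vhost-level `additional_includes` is given as a plain string in the spec, so this input is likely. The `error_documents` block directly below already normalises its input, and the same form works here: `<%- [directory['additional_includes']].flatten.compact.each do |include| -%>`. The interpolation `"#{include}"` can be written as plain `<%= include %>`. The path is placed between single quotes unescaped, so the README should say that paths containing a quote are not supported. The surrounding directories loop starts and ends outside the hunk.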
diff --git a/manifests/mod.pp b/manifests/mod.pp index 014aa274ae..347179d40b 100644 --- a/manifests/mod.pp +++ b/manifests/mod.pp @@ -76,6 +76,7 @@ ensure => $package_ensure, require => Package['httpd'], before => $package_before, + notify => Class['apache::service'], } } diff --git a/manifests/mod/pagespeed.pp b/manifests/mod/pagespeed.pp index a6506007bb..052dad0b17 100644 --- a/manifests/mod/pagespeed.pp +++ b/manifests/mod/pagespeed.pp @@ -33,6 +33,7 @@ $message_buffer_size = 100000, $additional_configuration = {}, $apache_version = undef, + $package_ensure = undef, ){ include ::apache $_apache_version = pick($apache_version, $apache::apache_version) @@ -42,7 +43,8 @@ } apache::mod { 'pagespeed': - lib => $_lib, + lib => $_lib, + package_ensure => $package_ensure, } # Template uses $_apache_version From cbd2c265ddbe9b7f4f6eb4443ded15f69af72f92 Mon Sep 17 00:00:00 2001 From: FlatKey Date: Sat, 26 Mar 2016 05:42:09 +0100 Subject: [PATCH 087/100] Configurability of Collaborative Detection Threshold Levels for OWASP Core Rule Set --- README.md | 2 ++ manifests/mod/security.pp | 2 ++ templates/mod/security_crs.conf.erb | 4 ++-- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 97e0f6b7b9..1a4efd591c 100644 --- a/README.md +++ b/README.md 
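Review bot: The new `notify => Class['apache::service']` is added to the package resource in the generic `apache::mod` define, so it applies to every module package, not only pagespeed, and nothing in this patch documents that. Combined with `package_ensure => latest` on `apache::mod::pagespeed`, each new package published in the repository is installed and restarts httpd on the next agent run. I would add a README entry for `package_ensure` on `apache::mod::pagespeed` stating the accepted values and that a package change restarts Apache. The changelog should also note the behaviour change for all `apache::mod` packages.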
@@ -1711,6 +1711,8 @@ ${modsec\_dir}/activated\_rules. - `secpcrematchlimitrecursion`: Sets the number for the match limit recursion in the PCRE library. Default: '1500' - `audit_log_parts`: Sets the sections to be put in the [audit log][]. Default: 'ABIJDEFHZ' - `anomaly_score_blocking`: De-/Activates the Collaborative Detection Blocking of the OWASP ModSecurity Core Rule Set. Default: off. +- `inbound_anomaly_threshold`: Sets the scoring threshold level of the inbound blocking rules for the Collaborative Detection Mode in the OWASP ModSecurity Core Rule Set. Default: '5'. +- `outbound_anomaly_threshold`: Sets the scoring threshold level of the outbound blocking rules for the Collaborative Detection Mode in the OWASP ModSecurity Core Rule Set. Default: '4'. ##### Class: `apache::mod::wsgi` diff --git a/manifests/mod/security.pp b/manifests/mod/security.pp index 5a6aa3227f..745957fc26 100644 --- a/manifests/mod/security.pp +++ b/manifests/mod/security.pp @@ -12,6 +12,8 @@ $restricted_headers = '/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/', $secdefaultaction = 'deny', $anomaly_score_blocking = 'off', + $inbound_anomaly_threshold = '5', + $outbound_anomaly_threshold = '4', ) inherits ::apache::params { include ::apache diff --git a/templates/mod/security_crs.conf.erb b/templates/mod/security_crs.conf.erb index 6b4bb6f50c..d5e25e182c 100644 --- a/templates/mod/security_crs.conf.erb +++ b/templates/mod/security_crs.conf.erb @@ -118,7 +118,7 @@ SecAction \ "id:'900002', \ phase:1, \ t:none, \ - setvar:tx.inbound_anomaly_score_level=5, \ + setvar:tx.inbound_anomaly_score_level=<%= @inbound_anomaly_threshold -%>, \ nolog, \ pass" @@ -127,7 +127,7 @@ SecAction \ "id:'900003', \ phase:1, \ t:none, \ - setvar:tx.outbound_anomaly_score_level=4, \ + setvar:tx.outbound_anomaly_score_level=<%= @outbound_anomaly_threshold -%>, \ nolog, \ pass" From b9926431a65722138a64370cef8fdffee365e4b7 Mon Sep 17 00:00:00 2001 
From: Mathieu Parent Date: Fri, 25 Mar 2016 16:40:59 +0100 Subject: [PATCH 088/100] Load mod_xml2enc on Apache >= 2.4 on Debian With improved testsuite. --- manifests/mod/proxy_html.pp | 3 +++ spec/classes/mod/proxy_html_spec.rb | 23 +++++++++++++++++++++++ 2 files changed, 26 insertions(+) diff --git a/manifests/mod/proxy_html.pp b/manifests/mod/proxy_html.pp index cceaf0b755..f4f4b44111 100644 --- a/manifests/mod/proxy_html.pp +++ b/manifests/mod/proxy_html.pp @@ -19,6 +19,9 @@ '10' => ['/usr/lib/libxml2.so.2'], default => ["/usr/lib/${gnu_path}-linux-gnu/libxml2.so.2"], } + if versioncmp($::apache::apache_version, '2.4') >= 0 { + ::apache::mod { 'xml2enc': } + } } } diff --git a/spec/classes/mod/proxy_html_spec.rb b/spec/classes/mod/proxy_html_spec.rb index 066ae239a0..0d70276c26 100644 --- a/spec/classes/mod/proxy_html_spec.rb +++ b/spec/classes/mod/proxy_html_spec.rb @@ -32,9 +32,29 @@ context "on squeeze" do let(:facts) { super().merge({ :operatingsystemrelease => '6' }) } it_behaves_like "debian", ['/usr/lib/libxml2.so.2'] + it { is_expected.to_not contain_apache__mod('xml2enc') } end context "on wheezy" do let(:facts) { super().merge({ :operatingsystemrelease => '7' }) } + it { is_expected.to_not contain_apache__mod('xml2enc') } + context "i386" do + let(:facts) { super().merge({ + :hardwaremodel => 'i686', + :architecture => 'i386' + })} + it_behaves_like "debian", ["/usr/lib/i386-linux-gnu/libxml2.so.2"] + end + context "x64" do + let(:facts) { super().merge({ + :hardwaremodel => 'x86_64', + :architecture => 'amd64' + })} + it_behaves_like "debian", ["/usr/lib/x86_64-linux-gnu/libxml2.so.2"] + end + end + context "on jessie" do + let(:facts) { super().merge({ :operatingsystemrelease => '8' }) } + it { is_expected.to contain_apache__mod('xml2enc').with(:loadfiles => nil) } context "i386" do let(:facts) { super().merge({ :hardwaremodel => 'i686', 
@@ -67,6 +87,7 @@ it { is_expected.to contain_class("apache::params") } it { is_expected.to contain_apache__mod('proxy_html').with(:loadfiles => nil) } it { is_expected.to contain_package("mod_proxy_html") } + it { is_expected.to contain_apache__mod('xml2enc').with(:loadfiles => nil) } end context "on a FreeBSD OS", :compile do let :facts do @@ -83,6 +104,7 @@ end it { is_expected.to contain_class("apache::params") } it { is_expected.to contain_apache__mod('proxy_html').with(:loadfiles => nil) } + it { is_expected.to contain_apache__mod('xml2enc').with(:loadfiles => nil) } it { is_expected.to contain_package("www/mod_proxy_html") } end context "on a Gentoo OS", :compile do @@ -100,6 +122,7 @@ end it { is_expected.to contain_class("apache::params") } it { is_expected.to contain_apache__mod('proxy_html').with(:loadfiles => nil) } + it { is_expected.to contain_apache__mod('xml2enc').with(:loadfiles => nil) } it { is_expected.to contain_package("www-apache/mod_proxy_html") } end end From ccd49ca5e802a963902baf47291561391ae007f9 Mon Sep 17 00:00:00 2001 From: Matt Peter Date: Wed, 13 Apr 2016 02:31:08 -0400 Subject: [PATCH 089/100] fix incorrect use of .join() with newlines (#1425) --- templates/mod/pagespeed.conf.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/mod/pagespeed.conf.erb b/templates/mod/pagespeed.conf.erb index d1ce642976..56e72fe29d 100644 --- a/templates/mod/pagespeed.conf.erb +++ b/templates/mod/pagespeed.conf.erb @@ -94,7 +94,7 @@ ModPagespeedMessageBufferSize <%= @message_buffer_size %> <% if @additional_configuration.is_a? Array -%> -<%= @additional_configuration.join('\n') %> +<%= @additional_configuration.join("\n") %> <% else -%> <% @additional_configuration.each_pair do |key, value| -%> <%= key %> <%= value %> From 71cb7302f2d83d5a293dc22f22bb0b955b66684c Mon Sep 17 00:00:00 2001 
From: Michael Hess Date: Wed, 13 Apr 2016 02:54:31 -0400 Subject: [PATCH 090/100] add support for fcgi (#1387) * add support for fcgi * Update README.md --- README.md | 1 + manifests/mod/proxy_fcgi.pp | 4 ++++ 2 files changed, 5 insertions(+) create mode 100644 manifests/mod/proxy_fcgi.pp diff --git a/README.md b/README.md index f77e22055e..4f0112eda2 100644 --- a/README.md +++ b/README.md @@ -55,6 +55,7 @@ [`apache::mod::passenger`]: #class-apachemodpassenger [`apache::mod::peruser`]: #class-apachemodperuser [`apache::mod::prefork`]: #class-apachemodprefork +[`apache::mod::proxy_fcgi`]: #class-apachemodproxy_fcgi [`apache::mod::proxy_html`]: #class-apachemodproxy_html [`apache::mod::security`]: #class-apachemodsecurity [`apache::mod::shib`]: #class-apachemodshib diff --git a/manifests/mod/proxy_fcgi.pp b/manifests/mod/proxy_fcgi.pp new file mode 100644 index 0000000000..21473eb762 --- /dev/null +++ b/manifests/mod/proxy_fcgi.pp @@ -0,0 +1,4 @@ +class apache::mod::proxy_fcgi { + Class['::apache::mod::proxy'] -> Class['::apache::mod::proxy_fcgi'] + ::apache::mod { 'proxy_fcgi': } +} From 410fc358d48e43a8df0dfa93880bd868ec03ca8c Mon Sep 17 00:00:00 2001 From: Simon Beirnaert Date: Mon, 4 Apr 2016 18:01:16 +0200 Subject: [PATCH 091/100] Allow package names to be specified for mod_proxy, mod_ldap, and mod_authnz_ldap --- manifests/mod/authnz_ldap.pp | 5 ++++- manifests/mod/ldap.pp | 5 ++++- manifests/mod/proxy.pp | 7 +++++-- 3 files changed, 13 insertions(+), 4 deletions(-) diff --git a/manifests/mod/authnz_ldap.pp b/manifests/mod/authnz_ldap.pp index 45fcc997f5..0bcd1b887c 100644 --- a/manifests/mod/authnz_ldap.pp +++ b/manifests/mod/authnz_ldap.pp 
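Review bot: The new class orders itself after `Class['::apache::mod::proxy']` but never declares it, so a catalog that includes only `apache::mod::proxy_fcgi` refers to a class that is not present; I would expect compilation to fail on the relationship. Either add `include ::apache::mod::proxy` as the first line of the class, or document in the README that `apache::mod::proxy` must be declared by the caller. The README change in this patch only adds the link definition, and no spec is included, so one example compiling the class on its own would catch this.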
@@ -1,10 +1,13 @@ class apache::mod::authnz_ldap ( $verify_server_cert = true, $verifyServerCert = undef, + $package_name = undef, ) { include ::apache include '::apache::mod::ldap' - ::apache::mod { 'authnz_ldap': } + ::apache::mod { 'authnz_ldap': + package => $package_name, + } if $verifyServerCert { warning('Class[\'apache::mod::authnz_ldap\'] parameter verifyServerCert is deprecated in favor of verify_server_cert') diff --git a/manifests/mod/ldap.pp b/manifests/mod/ldap.pp index d842668361..c3fbb2611c 100644 --- a/manifests/mod/ldap.pp +++ b/manifests/mod/ldap.pp @@ -1,5 +1,6 @@ class apache::mod::ldap ( $apache_version = undef, + $package_name = undef, $ldap_trusted_global_cert_file = undef, $ldap_trusted_global_cert_type = 'CA_BASE64', $ldap_shared_cache_size = undef, @@ -13,7 +14,9 @@ if ($ldap_trusted_global_cert_file) { validate_string($ldap_trusted_global_cert_type) } - ::apache::mod { 'ldap': } + ::apache::mod { 'ldap': + package => $package_name, + } # Template uses $_apache_version file { 'ldap.conf': ensure => file, diff --git a/manifests/mod/proxy.pp b/manifests/mod/proxy.pp index 1f70938921..b69a17e9d9 100644 --- a/manifests/mod/proxy.pp +++ b/manifests/mod/proxy.pp @@ -1,11 +1,14 @@ class apache::mod::proxy ( $proxy_requests = 'Off', - $allow_from = undef, + $allow_from = undef, $apache_version = undef, + $package_name = undef, ) { include ::apache $_apache_version = pick($apache_version, $apache::apache_version) - ::apache::mod { 'proxy': } + ::apache::mod { 'proxy': + package => $package_name, + } # Template uses $proxy_requests, $_apache_version file { 'proxy.conf': ensure => file, From 138c5dba0c6c066f5da3c8ca23da1b1d5e25be68 Mon Sep 17 00:00:00 2001 From: Simon Beirnaert Date: Thu, 14 Apr 2016 15:01:29 +0200 Subject: [PATCH 092/100] Add/improve documentation for mod_proxy, mod_ldap, mod_authnz_ldap --- README.md | 30 +++++++++++++++++++++++++++--- 1 file changed, 27 insertions(+), 3 deletions(-) 
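Review bot: `$package_name` is handed to the `package` attribute of `::apache::mod` unchecked in the authnz_ldap.pp hunk, and the same holds for the ldap.pp and proxy.pp hunks of this commit. Since this value decides which package is installed on the node, a guarded type check would keep a stray array or hash from Hiera out of the package resource: `if $package_name { validate_string($package_name) }`. That mirrors the guarded `validate_string($ldap_trusted_global_cert_type)` call already visible in ldap.pp. All three class bodies continue outside their hunks.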
diff --git a/README.md b/README.md index 68e9793874..51fbe5291d 100644 --- a/README.md +++ b/README.md @@ -46,6 +46,7 @@ [`apache::mod::alias`]: #class-apachemodalias [`apache::mod::auth_cas`]: #class-apachemodauth_cas [`apache::mod::auth_mellon`]: #class-apachemodauth_mellon +[`apache::mod::authnz_ldap`]: #class-apachemodauthnz_ldap [`apache::mod::disk_cache`]: #class-apachemoddisk_cache [`apache::mod::event`]: #class-apachemodevent [`apache::mod::ext_filter`]: #class-apachemodext_filter @@ -55,6 +56,7 @@ [`apache::mod::passenger`]: #class-apachemodpassenger [`apache::mod::peruser`]: #class-apachemodperuser [`apache::mod::prefork`]: #class-apachemodprefork +[`apache::mod::proxy`]: #class-apachemodproxy [`apache::mod::proxy_fcgi`]: #class-apachemodproxy_fcgi [`apache::mod::proxy_html`]: #class-apachemodproxy_html [`apache::mod::security`]: #class-apachemodsecurity @@ -1264,7 +1266,7 @@ The following Apache modules have supported classes, many of which allow for par * `auth_kerb` * `authn_core` * `authn_file` -* `authnz_ldap`\* +* `authnz_ldap`\* (see [`apache::mod::authnz_ldap`][]) * `authz_default` * `authz_user` * `autoindex` @@ -1289,7 +1291,7 @@ The following Apache modules have supported classes, many of which allow for par * `include` * `info`\* * `itk` -* `ldap` +* `ldap` (see [`apache::mod::ldap`][]) * `mime` * `mime_magic`\* * `negotiation` @@ -1300,7 +1302,7 @@ The following Apache modules have supported classes, many of which allow for par * `peruser` * `php` (requires [`mpm_module`][] set to `prefork`) * `prefork`\* -* `proxy`\* +* `proxy`\* (see [`apache::mod::proxy`][]) * `proxy_ajp` * `proxy_balancer` * `proxy_html` (see [`apache::mod::proxy_html`][]) 
@@ -1417,6 +1419,15 @@ class{ 'apache::mod::auth_mellon': - `mellon_post_size`: Maximum size of post requests. Default: undef. - `mellon_post_count`: Maximum number of post requests. Default: undef. +##### Class: `apache::mod::authnz_ldap` + +Installs `mod_authnz_ldap` and uses the `authnz_ldap.conf.erb` template to generate its configuration. + +**Parameters within `apache::mod::authnz_ldap`**: + +- `package_name`: Default: `undef`. +- `verify_server_cert`: Default: `undef`. + ##### Class: `apache::mod::deflate` Installs and configures [`mod_deflate`][]. @@ -1543,6 +1554,7 @@ class { 'apache::mod::ldap': **Parameters within `apache::mod::ldap`:** +- `apache_version`: The installed Apache version. Defaults to `undef`. - `ldap_trusted_global_cert_file`: Path and file name of the trusted CA certificates to use when establishing SSL or TLS connections to an LDAP server. - `ldap_trusted_global_cert_type`: The global trust certificate format. Default: 'CA_BASE64'. - `ldap_shared_cache_size`: Size in bytes of the shared-memory cache. @@ -1550,6 +1562,7 @@ class { 'apache::mod::ldap': - `ldap_cache_ttl`: Time that cached items remain valid. - `ldap_opcache_entries`: Number of entries used to cache LDAP compare operations. - `ldap_opcache_ttl`: Time that entries in the operation cache remain valid. +- `package_name`: Custom package name. Defaults to `undef`. ##### Class: `apache::mod::negotiation` 
@@ -1616,6 +1629,17 @@ TODO: The parameters section is incomplete. **Note**: The passenger module isn't available on RH/CentOS without providing dependency packages provided by EPEL and mod\_passengers own custom repository. See the `manage_repo` parameter above and [https://www.phusionpassenger.com/library/install/apache/install/oss/el7/]() +##### Class: `apache::mod::proxy` + +Installs `mod_proxy` and uses the `proxy.conf.erb` template to generate its configuration. + +**Parameters within `apache::mod::proxy`**: + +- `allow_from`: Default: `undef`. +- `apache_version`: Default: `undef`. +- `package_name`: Default: `undef`. +- `proxy_requests`: Default: 'Off'. + ##### Class: `apache::mod::php` Installs and configures [`mod_php`][]. From 20c85511a47fd389970c53e2c7e9f59e150ef780 Mon Sep 17 00:00:00 2001 From: FlatKey Date: Sat, 26 Mar 2016 04:16:22 +0100 Subject: [PATCH 093/100] Configurability of Collaborative Detection Severity Levels for OWASP Core Rule Set --- README.md | 4 ++++ manifests/mod/security.pp | 24 ++++++++++++++---------- templates/mod/security_crs.conf.erb | 8 ++++---- 3 files changed, 22 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index 51fbe5291d..ded6f75d19 100644 --- a/README.md +++ b/README.md 
@@ -1738,6 +1738,10 @@ ${modsec\_dir}/activated\_rules. - `anomaly_score_blocking`: De-/Activates the Collaborative Detection Blocking of the OWASP ModSecurity Core Rule Set. Default: off. - `inbound_anomaly_threshold`: Sets the scoring threshold level of the inbound blocking rules for the Collaborative Detection Mode in the OWASP ModSecurity Core Rule Set. Default: '5'. - `outbound_anomaly_threshold`: Sets the scoring threshold level of the outbound blocking rules for the Collaborative Detection Mode in the OWASP ModSecurity Core Rule Set. Default: '4'. +- `critical_anomaly_score`: Sets the scoring points of the critical severity level for the Collaborative Detection Mode in the OWASP ModSecurity Core Rule Set. Default: '5'. +- `error_anomaly_score`: Sets the scoring points of the error severity level for the Collaborative Detection Mode in the OWASP ModSecurity Core Rule Set. Default: '4'. +- `warning_anomaly_score`: Sets the scoring points of the warning severity level for the Collaborative Detection Mode in the OWASP ModSecurity Core Rule Set. Default: '3'. +- `notice_anomaly_score`: Sets the scoring points of the notice severity level for the Collaborative Detection Mode in the OWASP ModSecurity Core Rule Set. Default: '2'. ##### Class: `apache::mod::wsgi` diff --git a/manifests/mod/security.pp b/manifests/mod/security.pp index 745957fc26..a4fe57f89a 100644 --- a/manifests/mod/security.pp +++ b/manifests/mod/security.pp 
@@ -1,19 +1,23 @@ class apache::mod::security ( - $crs_package = $::apache::params::modsec_crs_package, - $activated_rules = $::apache::params::modsec_default_rules, - $modsec_dir = $::apache::params::modsec_dir, - $modsec_secruleengine = $::apache::params::modsec_secruleengine, - $audit_log_parts = $::apache::params::modsec_audit_log_parts, - $secpcrematchlimit = $::apache::params::secpcrematchlimit, + $crs_package = $::apache::params::modsec_crs_package, + $activated_rules = $::apache::params::modsec_default_rules, + $modsec_dir = $::apache::params::modsec_dir, + $modsec_secruleengine = $::apache::params::modsec_secruleengine, + $audit_log_parts = $::apache::params::modsec_audit_log_parts, + $secpcrematchlimit = $::apache::params::secpcrematchlimit, $secpcrematchlimitrecursion = $::apache::params::secpcrematchlimitrecursion, - $allowed_methods = 'GET HEAD POST OPTIONS', - $content_types = 'application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf', - $restricted_extensions = '.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/', - $restricted_headers = '/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/', + $allowed_methods = 'GET HEAD POST OPTIONS', + $content_types = 'application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf', + $restricted_extensions = '.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ 
.xsx/', + $restricted_headers = '/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/', $secdefaultaction = 'deny', $anomaly_score_blocking = 'off', $inbound_anomaly_threshold = '5', $outbound_anomaly_threshold = '4', + $critical_anomaly_score = '5', + $error_anomaly_score = '4', + $warning_anomaly_score = '3', + $notice_anomaly_score = '2', ) inherits ::apache::params { include ::apache diff --git a/templates/mod/security_crs.conf.erb b/templates/mod/security_crs.conf.erb index d5e25e182c..d5eb70a249 100644 --- a/templates/mod/security_crs.conf.erb +++ b/templates/mod/security_crs.conf.erb @@ -89,10 +89,10 @@ SecAction \ "id:'900001', \ phase:1, \ t:none, \ - setvar:tx.critical_anomaly_score=5, \ - setvar:tx.error_anomaly_score=4, \ - setvar:tx.warning_anomaly_score=3, \ - setvar:tx.notice_anomaly_score=2, \ + setvar:tx.critical_anomaly_score=<%= @critical_anomaly_score -%>, \ + setvar:tx.error_anomaly_score=<%= @error_anomaly_score -%>, \ + setvar:tx.warning_anomaly_score=<%= @warning_anomaly_score -%>, \ + setvar:tx.notice_anomaly_score=<%= @notice_anomaly_score -%>, \ nolog, \ pass" From 111247c8d4004c68c0a39be376283a65ec107dbb Mon Sep 17 00:00:00 2001 
From: David Schmitt Date: Wed, 13 Apr 2016 20:49:34 +0100 Subject: [PATCH 094/100] Update to newest modulesync_configs [9ca280f] --- .travis.yml | 19 +++++++++++++++++-- Gemfile | 1 - Rakefile | 9 --------- spec/acceptance/nodesets/centos-59-x64.yml | 10 ---------- spec/acceptance/nodesets/centos-64-x64-pe.yml | 12 ------------ spec/acceptance/nodesets/centos-65-x64.yml | 10 ---------- spec/acceptance/nodesets/centos-7-x64.yml | 10 ++++++++++ spec/acceptance/nodesets/centos-70-x64.yml | 11 ----------- spec/acceptance/nodesets/debian-607-x64.yml | 11 ----------- spec/acceptance/nodesets/debian-70rc1-x64.yml | 11 ----------- spec/acceptance/nodesets/debian-73-i386.yml | 11 ----------- spec/acceptance/nodesets/debian-73-x64.yml | 11 ----------- .../{debian-82-x64.yml => debian-8-x64.yml} | 10 +++++----- spec/acceptance/nodesets/default.yml | 14 +++++++------- spec/acceptance/nodesets/docker/centos-7.yml | 12 ++++++++++++ spec/acceptance/nodesets/docker/debian-8.yml | 11 +++++++++++ .../nodesets/docker/ubuntu-14.04.yml | 12 ++++++++++++ spec/acceptance/nodesets/fedora-18-x64.yml | 11 ----------- .../nodesets/ubuntu-server-10044-x64.yml | 10 ---------- .../nodesets/ubuntu-server-12042-x64.yml | 10 ---------- .../nodesets/ubuntu-server-1310-x64.yml | 11 ----------- .../nodesets/ubuntu-server-1404-x64.yml | 11 ----------- 22 files changed, 74 insertions(+), 164 deletions(-) delete mode 100644 spec/acceptance/nodesets/centos-59-x64.yml delete mode 100644 spec/acceptance/nodesets/centos-64-x64-pe.yml delete mode 100644 spec/acceptance/nodesets/centos-65-x64.yml create mode 100644 spec/acceptance/nodesets/centos-7-x64.yml delete mode 100644 spec/acceptance/nodesets/centos-70-x64.yml delete mode 100644 spec/acceptance/nodesets/debian-607-x64.yml delete mode 100644 spec/acceptance/nodesets/debian-70rc1-x64.yml delete mode 100644 spec/acceptance/nodesets/debian-73-i386.yml delete mode 100644 spec/acceptance/nodesets/debian-73-x64.yml rename 
spec/acceptance/nodesets/{debian-82-x64.yml => debian-8-x64.yml} (66%) create mode 100644 spec/acceptance/nodesets/docker/centos-7.yml create mode 100644 spec/acceptance/nodesets/docker/debian-8.yml create mode 100644 spec/acceptance/nodesets/docker/ubuntu-14.04.yml delete mode 100644 spec/acceptance/nodesets/fedora-18-x64.yml delete mode 100644 spec/acceptance/nodesets/ubuntu-server-10044-x64.yml delete mode 100644 spec/acceptance/nodesets/ubuntu-server-12042-x64.yml delete mode 100644 spec/acceptance/nodesets/ubuntu-server-1310-x64.yml delete mode 100644 spec/acceptance/nodesets/ubuntu-server-1404-x64.yml diff --git a/.travis.yml b/.travis.yml index e366e0ee2e..4e2c66df32 100644 --- a/.travis.yml +++ b/.travis.yml @@ -3,18 +3,33 @@ sudo: false language: ruby cache: bundler -bundler_args: --without system_tests -script: "bundle exec rake validate lint parallel_spec" +script: "bundle exec rake validate lint spec" matrix: fast_finish: true include: - rvm: 2.1.6 + dist: trusty + env: PUPPET_INSTALL_TYPE=agent BEAKER_debug=true BEAKER_set=docker/ubuntu-14.04 + script: bundle exec rake beaker + services: docker + sudo: required + - rvm: 2.1.6 + dist: trusty + env: PUPPET_INSTALL_TYPE=agent BEAKER_debug=true BEAKER_set=docker/centos-7 + script: bundle exec rake beaker + services: docker + sudo: required + - rvm: 2.1.6 + bundler_args: --without system_tests env: PUPPET_GEM_VERSION="~> 4.0" STRICT_VARIABLES="yes" - rvm: 2.1.5 + bundler_args: --without system_tests env: PUPPET_GEM_VERSION="~> 3.0" FUTURE_PARSER="yes" - rvm: 2.1.5 + bundler_args: --without system_tests env: PUPPET_GEM_VERSION="~> 3.0" - rvm: 1.9.3 + bundler_args: --without system_tests env: PUPPET_GEM_VERSION="~> 3.0" notifications: email: false diff --git a/Gemfile b/Gemfile index 21c2dbc3ea..e490bc9b98 100644 --- a/Gemfile +++ b/Gemfile 
@@ -20,7 +20,6 @@ group :development, :unit_tests do gem 'puppetlabs_spec_helper', :require => false gem 'rspec-puppet', '>= 2.3.2', :require => false gem 'simplecov', :require => false - gem 'parallel_tests', :require => false end group :system_tests do gem 'beaker-rspec', *location_for(ENV['BEAKER_RSPEC_VERSION'] || '>= 3.4') diff --git a/Rakefile b/Rakefile index 7ef974b94c..1e2be6663c 100644 --- a/Rakefile +++ b/Rakefile @@ -1,8 +1,6 @@ require 'puppet_blacksmith/rake_tasks' require 'puppet-lint/tasks/puppet-lint' require 'puppetlabs_spec_helper/rake_tasks' -require 'parallel_tests' -require 'parallel_tests/cli' PuppetLint.configuration.fail_on_warnings = true PuppetLint.configuration.send('relative') @@ -43,10 +41,3 @@ task :gen_nodeset do end puts nodeset end - -desc "Parallel spec tests" -task :parallel_spec do - Rake::Task[:spec_prep].invoke - ParallelTests::CLI.new.run('--type test -t rspec spec/classes spec/defines spec/unit'.split) - Rake::Task[:spec_clean].invoke -end diff --git a/spec/acceptance/nodesets/centos-59-x64.yml b/spec/acceptance/nodesets/centos-59-x64.yml deleted file mode 100644 index 2ad90b86aa..0000000000 --- a/spec/acceptance/nodesets/centos-59-x64.yml +++ /dev/null @@ -1,10 +0,0 @@ -HOSTS: - centos-59-x64: - roles: - - master - platform: el-5-x86_64 - box : centos-59-x64-vbox4210-nocm - box_url : http://puppet-vagrant-boxes.puppetlabs.com/centos-59-x64-vbox4210-nocm.box - hypervisor : vagrant -CONFIG: - type: git diff --git a/spec/acceptance/nodesets/centos-64-x64-pe.yml b/spec/acceptance/nodesets/centos-64-x64-pe.yml deleted file mode 100644 index 7d9242f1b9..0000000000 --- a/spec/acceptance/nodesets/centos-64-x64-pe.yml +++ /dev/null @@ -1,12 +0,0 @@ -HOSTS: - centos-64-x64: - roles: - - master - - database - - dashboard - platform: el-6-x86_64 - box : centos-64-x64-vbox4210-nocm - box_url : http://puppet-vagrant-boxes.puppetlabs.com/centos-64-x64-vbox4210-nocm.box - hypervisor : vagrant -CONFIG: - type: pe 
diff --git a/spec/acceptance/nodesets/centos-65-x64.yml b/spec/acceptance/nodesets/centos-65-x64.yml deleted file mode 100644 index 4e2cb809e8..0000000000 --- a/spec/acceptance/nodesets/centos-65-x64.yml +++ /dev/null @@ -1,10 +0,0 @@ -HOSTS: - centos-65-x64: - roles: - - master - platform: el-6-x86_64 - box : centos-65-x64-vbox436-nocm - box_url : http://puppet-vagrant-boxes.puppetlabs.com/centos-65-x64-virtualbox-nocm.box - hypervisor : vagrant -CONFIG: - type: foss diff --git a/spec/acceptance/nodesets/centos-7-x64.yml b/spec/acceptance/nodesets/centos-7-x64.yml new file mode 100644 index 0000000000..1a40c8950f --- /dev/null +++ b/spec/acceptance/nodesets/centos-7-x64.yml @@ -0,0 +1,10 @@ +HOSTS: + centos-7-x64: + roles: + - agent + - default + platform: redhat-7-x86_64 + hypervisor: vagrant + box: puppetlabs/centos-7.2-64-nocm +CONFIG: + type: foss diff --git a/spec/acceptance/nodesets/centos-70-x64.yml b/spec/acceptance/nodesets/centos-70-x64.yml deleted file mode 100644 index 2ab0052043..0000000000 --- a/spec/acceptance/nodesets/centos-70-x64.yml +++ /dev/null @@ -1,11 +0,0 @@ -HOSTS: - centos-70-x64: - roles: - - master - platform: el-7-x86_64 - box : puppetlabs/centos-7.0-64-nocm - box_url : https://vagrantcloud.com/puppetlabs/boxes/centos-7.0-64-nocm - hypervisor : vagrant -CONFIG: - log_level: verbose - type: foss diff --git a/spec/acceptance/nodesets/debian-607-x64.yml b/spec/acceptance/nodesets/debian-607-x64.yml deleted file mode 100644 index e642e09925..0000000000 --- a/spec/acceptance/nodesets/debian-607-x64.yml +++ /dev/null @@ -1,11 +0,0 @@ -HOSTS: - debian-607-x64: - roles: - - master - platform: debian-6-amd64 - box : debian-607-x64-vbox4210-nocm - box_url : http://puppet-vagrant-boxes.puppetlabs.com/debian-607-x64-vbox4210-nocm.box - hypervisor : vagrant -CONFIG: - log_level: debug - type: git 
diff --git a/spec/acceptance/nodesets/debian-70rc1-x64.yml b/spec/acceptance/nodesets/debian-70rc1-x64.yml deleted file mode 100644 index cbbbfb2cc6..0000000000 --- a/spec/acceptance/nodesets/debian-70rc1-x64.yml +++ /dev/null @@ -1,11 +0,0 @@ -HOSTS: - debian-70rc1-x64: - roles: - - master - platform: debian-7-amd64 - box : debian-70rc1-x64-vbox4210-nocm - box_url : http://puppet-vagrant-boxes.puppetlabs.com/debian-70rc1-x64-vbox4210-nocm.box - hypervisor : vagrant -CONFIG: - log_level: debug - type: git diff --git a/spec/acceptance/nodesets/debian-73-i386.yml b/spec/acceptance/nodesets/debian-73-i386.yml deleted file mode 100644 index a38902d897..0000000000 --- a/spec/acceptance/nodesets/debian-73-i386.yml +++ /dev/null @@ -1,11 +0,0 @@ -HOSTS: - debian-73-i386: - roles: - - master - platform: debian-7-i386 - box : debian-73-i386-virtualbox-nocm - box_url : http://puppet-vagrant-boxes.puppetlabs.com/debian-73-i386-virtualbox-nocm.box - hypervisor : vagrant -CONFIG: - log_level: debug - type: git diff --git a/spec/acceptance/nodesets/debian-73-x64.yml b/spec/acceptance/nodesets/debian-73-x64.yml deleted file mode 100644 index f9cf0c9b8a..0000000000 --- a/spec/acceptance/nodesets/debian-73-x64.yml +++ /dev/null @@ -1,11 +0,0 @@ -HOSTS: - debian-73-x64: - roles: - - master - platform: debian-7-amd64 - box : debian-73-x64-virtualbox-nocm - box_url : http://puppet-vagrant-boxes.puppetlabs.com/debian-73-x64-virtualbox-nocm.box - hypervisor : vagrant -CONFIG: - log_level: debug - type: git diff --git a/spec/acceptance/nodesets/debian-82-x64.yml b/spec/acceptance/nodesets/debian-8-x64.yml similarity index 66% rename from spec/acceptance/nodesets/debian-82-x64.yml rename to spec/acceptance/nodesets/debian-8-x64.yml index 800c49aaa4..fef6e63ca5 100644 --- a/spec/acceptance/nodesets/debian-82-x64.yml +++ b/spec/acceptance/nodesets/debian-8-x64.yml 
@@ -1,10 +1,10 @@ HOSTS: - debian-82: + debian-8-x64: roles: - - master + - agent + - default platform: debian-8-amd64 - box: puppetlabs/debian-8.2-64-nocm hypervisor: vagrant + box: puppetlabs/debian-8.2-64-nocm CONFIG: - log_level: debug - type: git + type: foss diff --git a/spec/acceptance/nodesets/default.yml b/spec/acceptance/nodesets/default.yml index 00e141d092..dba339c46a 100644 --- a/spec/acceptance/nodesets/default.yml +++ b/spec/acceptance/nodesets/default.yml @@ -1,10 +1,10 @@ HOSTS: - centos-66-x64: + ubuntu-1404-x64: roles: - - master - platform: el-6-x86_64 - box : puppetlabs/centos-6.6-64-nocm - hypervisor : vagrant + - agent + - default + platform: ubuntu-14.04-amd64 + hypervisor: vagrant + box: puppetlabs/ubuntu-14.04-64-nocm CONFIG: - log_level: debug - type: git + type: foss diff --git a/spec/acceptance/nodesets/docker/centos-7.yml b/spec/acceptance/nodesets/docker/centos-7.yml new file mode 100644 index 0000000000..a3333aac53 --- /dev/null +++ b/spec/acceptance/nodesets/docker/centos-7.yml @@ -0,0 +1,12 @@ +HOSTS: + centos-7-x64: + platform: el-7-x86_64 + hypervisor: docker + image: centos:7 + docker_preserve_image: true + docker_cmd: '["/usr/sbin/init"]' + # install various tools required to get the image up to usable levels + docker_image_commands: + - 'yum install -y crontabs tar wget openssl sysvinit-tools iproute which initscripts' +CONFIG: + trace_limit: 200 diff --git a/spec/acceptance/nodesets/docker/debian-8.yml b/spec/acceptance/nodesets/docker/debian-8.yml new file mode 100644 index 0000000000..df5c31944f --- /dev/null +++ b/spec/acceptance/nodesets/docker/debian-8.yml @@ -0,0 +1,11 @@ +HOSTS: + debian-8-x64: + platform: debian-8-amd64 + hypervisor: docker + image: debian:8 + docker_preserve_image: true + docker_cmd: '["/sbin/init"]' + docker_image_commands: + - 'apt-get update && apt-get install -y net-tools wget locales strace lsof && echo "en_US.UTF-8 UTF-8" > /etc/locale.gen && locale-gen' +CONFIG: + trace_limit: 200 
diff --git a/spec/acceptance/nodesets/docker/ubuntu-14.04.yml b/spec/acceptance/nodesets/docker/ubuntu-14.04.yml new file mode 100644 index 0000000000..b1efa58390 --- /dev/null +++ b/spec/acceptance/nodesets/docker/ubuntu-14.04.yml @@ -0,0 +1,12 @@ +HOSTS: + ubuntu-1404-x64: + platform: ubuntu-14.04-amd64 + hypervisor: docker + image: ubuntu:14.04 + docker_preserve_image: true + docker_cmd: '["/sbin/init"]' + docker_image_commands: + # ensure that upstart is booting correctly in the container + - 'rm /usr/sbin/policy-rc.d && rm /sbin/initctl && dpkg-divert --rename --remove /sbin/initctl && apt-get update && apt-get install -y net-tools wget && locale-gen en_US.UTF-8' +CONFIG: + trace_limit: 200 diff --git a/spec/acceptance/nodesets/fedora-18-x64.yml b/spec/acceptance/nodesets/fedora-18-x64.yml deleted file mode 100644 index 086cae995c..0000000000 --- a/spec/acceptance/nodesets/fedora-18-x64.yml +++ /dev/null @@ -1,11 +0,0 @@ -HOSTS: - fedora-18-x64: - roles: - - master - platform: fedora-18-x86_64 - box : fedora-18-x64-vbox4210-nocm - box_url : http://puppet-vagrant-boxes.puppetlabs.com/fedora-18-x64-vbox4210-nocm.box - hypervisor : vagrant -CONFIG: - log_level: debug - type: git diff --git a/spec/acceptance/nodesets/ubuntu-server-10044-x64.yml b/spec/acceptance/nodesets/ubuntu-server-10044-x64.yml deleted file mode 100644 index 5ca1514e40..0000000000 --- a/spec/acceptance/nodesets/ubuntu-server-10044-x64.yml +++ /dev/null @@ -1,10 +0,0 @@ -HOSTS: - ubuntu-server-10044-x64: - roles: - - master - platform: ubuntu-10.04-amd64 - box : ubuntu-server-10044-x64-vbox4210-nocm - box_url : http://puppet-vagrant-boxes.puppetlabs.com/ubuntu-server-10044-x64-vbox4210-nocm.box - hypervisor : vagrant -CONFIG: - type: foss diff --git a/spec/acceptance/nodesets/ubuntu-server-12042-x64.yml b/spec/acceptance/nodesets/ubuntu-server-12042-x64.yml deleted file mode 100644 index d065b304f8..0000000000 --- a/spec/acceptance/nodesets/ubuntu-server-12042-x64.yml +++ /dev/null 
@@ -1,10 +0,0 @@ -HOSTS: - ubuntu-server-12042-x64: - roles: - - master - platform: ubuntu-12.04-amd64 - box : ubuntu-server-12042-x64-vbox4210-nocm - box_url : http://puppet-vagrant-boxes.puppetlabs.com/ubuntu-server-12042-x64-vbox4210-nocm.box - hypervisor : vagrant -CONFIG: - type: foss diff --git a/spec/acceptance/nodesets/ubuntu-server-1310-x64.yml b/spec/acceptance/nodesets/ubuntu-server-1310-x64.yml deleted file mode 100644 index f4b2366f3b..0000000000 --- a/spec/acceptance/nodesets/ubuntu-server-1310-x64.yml +++ /dev/null @@ -1,11 +0,0 @@ -HOSTS: - ubuntu-server-1310-x64: - roles: - - master - platform: ubuntu-13.10-amd64 - box : ubuntu-server-1310-x64-vbox4210-nocm - box_url : http://puppet-vagrant-boxes.puppetlabs.com/ubuntu-1310-x64-virtualbox-nocm.box - hypervisor : vagrant -CONFIG: - log_level : debug - type: git diff --git a/spec/acceptance/nodesets/ubuntu-server-1404-x64.yml b/spec/acceptance/nodesets/ubuntu-server-1404-x64.yml deleted file mode 100644 index cba1cd04c2..0000000000 --- a/spec/acceptance/nodesets/ubuntu-server-1404-x64.yml +++ /dev/null @@ -1,11 +0,0 @@ -HOSTS: - ubuntu-server-1404-x64: - roles: - - master - platform: ubuntu-14.04-amd64 - box : puppetlabs/ubuntu-14.04-64-nocm - box_url : https://vagrantcloud.com/puppetlabs/ubuntu-14.04-64-nocm - hypervisor : vagrant -CONFIG: - log_level : debug - type: git From 4b9f6d312190ca9b25bc9f18b7b369e7460f39e7 Mon Sep 17 00:00:00 2001 From: David Schmitt Date: Tue, 19 Apr 2016 10:20:11 +0100 Subject: [PATCH 095/100] (MODULES-3274) mod-info: specify the info_path Changes lifted from Eric Young's feture request. --- manifests/mod/info.pp | 1 + templates/mod/info.conf.erb | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/manifests/mod/info.pp b/manifests/mod/info.pp index 2c477c748f..5f4ffa7c95 100644 --- a/manifests/mod/info.pp +++ b/manifests/mod/info.pp 
@@ -2,6 +2,7 @@ $allow_from = ['127.0.0.1','::1'], $apache_version = undef, $restrict_access = true, + $info_path = '/server-info', ){ include ::apache $_apache_version = pick($apache_version, $apache::apache_version) diff --git a/templates/mod/info.conf.erb b/templates/mod/info.conf.erb index dd79ecea8d..c661a23ab5 100644 --- a/templates/mod/info.conf.erb +++ b/templates/mod/info.conf.erb @@ -1,4 +1,4 @@ - +> SetHandler server-info <%- if @restrict_access -%> <%- if scope.function_versioncmp([@_apache_version, '2.4']) >= 0 -%> From 9aedb0446e6b7a77f41494c98bb187bb972b1732 Mon Sep 17 00:00:00 2001 From: David Schmitt Date: Tue, 19 Apr 2016 15:29:10 +0100 Subject: [PATCH 096/100] (MODULES-3140) explicitly rely on hasrestart if no restart command is passed Apache always had a restart option for the init script and in some cases does require special handling of the daemon when restarting, so this prefers the init scripts' restart action over just stopping/starting it. --- manifests/service.pp | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/manifests/service.pp b/manifests/service.pp index 708027921c..f90097d0bb 100644 --- a/manifests/service.pp +++ b/manifests/service.pp @@ -38,12 +38,16 @@ $_service_ensure = undef } } + + $service_hasrestart = $service_restart == undef + if $service_manage { service { 'httpd': - ensure => $_service_ensure, - name => $service_name, - enable => $service_enable, - restart => $service_restart + ensure => $_service_ensure, + name => $service_name, + enable => $service_enable, + restart => $service_restart, + hasrestart => $service_hasrestart, } } } From 6df5d4160268d21a058847fac8e53d878988dfe6 Mon Sep 17 00:00:00 2001 
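Review bot: The new `$info_path` parameter in info.pp is not validated before it reaches info.conf.erb, where it appears to set the location that serves the `server-info` handler (the changed template line is not legible on this page, so this is inferred from the commit subject). Because that handler discloses the server's configuration, the value should be constrained to a single absolute URL path, for example `validate_re($info_path, '^/[^\s<>]*$')`. That way a malformed value cannot break or widen the container that the `restrict_access` and `allow_from` rules apply to. The parameter is also not added to the README in this commit. The class body continues outside the hunk.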
From: Colleen Murphy Date: Tue, 19 Apr 2016 09:23:27 -0700 Subject: [PATCH 097/100] Expose verify_config in apache::vhost::custom In many cases verify_config confuses more than it helps and users would like to be able to turn it off. Expose the $apache::custom_config::verify_config parameter in apache::vhost::custom so custom vhost users can also turn this off. --- README.md | 5 +++++ manifests/vhost/custom.pp | 10 ++++++---- 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index ded6f75d19..74b5183152 100644 --- a/README.md +++ b/README.md @@ -3556,6 +3556,11 @@ Specifies if the virtual host file is present or absent. Valid options: 'absent' Sets the relative load order for Apache HTTPD VirtualHost configuration files. Default: '25'. +##### `verify_config` + +Specifies whether to validate the configuration file before notifying the Apache service. Valid options: Boolean. Default: true. + + ### Private defined types #### Defined type: `apache::peruser::multiplexer` diff --git a/manifests/vhost/custom.pp b/manifests/vhost/custom.pp index 12567f5dbd..e46b4c4d81 100644 --- a/manifests/vhost/custom.pp +++ b/manifests/vhost/custom.pp @@ -3,6 +3,7 @@ $content, $ensure = 'present', $priority = '25', + $verify_config = true, ) { include ::apache @@ -10,10 +11,11 @@ $filename = regsubst($name, ' ', '_', 'G') ::apache::custom_config { $filename: - ensure => $ensure, - confdir => $::apache::vhost_dir, - content => $content, - priority => $priority, + ensure => $ensure, + confdir => $::apache::vhost_dir, + content => $content, + priority => $priority, + verify_config => $verify_config, } # NOTE(pabelanger): This code is duplicated in ::apache::vhost and needs to From d67afdec30ae7a9b51617fb918b167bce05245e5 Mon Sep 17 00:00:00 2001 
From: David Schmitt Date: Wed, 20 Apr 2016 14:12:08 +0100 Subject: [PATCH 098/100] (maint) update apache::default_mods tests to work on debian 7 Debian 7 and Ubuntu 12.04's init scripts will refuse to restart the service if the configuration is broken. So this commit adds an explicit configuration step to shutdown the apache before the test. --- spec/acceptance/default_mods_spec.rb | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/spec/acceptance/default_mods_spec.rb b/spec/acceptance/default_mods_spec.rb index 3f28526966..1c10d02b5e 100644 --- a/spec/acceptance/default_mods_spec.rb +++ b/spec/acceptance/default_mods_spec.rb @@ -20,6 +20,13 @@ class { 'apache': end describe 'no default mods and failing' do + before :all do + pp = <<-PP + include apache::params + class { 'apache': default_mods => false, service_ensure => stopped, } + PP + apply_manifest(pp) + end # Using puppet_apply as a helper it 'should apply with errors' do pp = <<-EOS @@ -39,15 +46,9 @@ class { 'apache': apply_manifest(pp, { :expect_failures => true }) end - # Are these the same? describe service($service_name) do it { is_expected.not_to be_running } end - describe "service #{$service_name}" do - it 'should not be running' do - shell("pidof #{$service_name}", {:acceptable_exit_codes => 1}) - end - end end describe 'alternative default mods' do From b0bd3ed1c37835cbdbb4e8f101f1eb03bdbb8d26 Mon Sep 17 00:00:00 2001 From: Hunter Haugen Date: Thu, 14 Apr 2016 15:24:48 -0700 Subject: [PATCH 099/100] Release prep 1.9.0 --- CHANGELOG.md | 75 +++++++++++++++++++++++++++++++++++++++++++++++++++ metadata.json | 2 +- 2 files changed, 76 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 58cd91ae62..40d313a278 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,78 @@ +## Supported Release 1.9.0 +### Summary + + +#### Features +- Added `apache_version` fact +- Added `apache::balancer::target` attribute +- Added `apache::fastcgi::server::pass_header` attribute +- Added ability for `apache::fastcgi::server::host` using sockets +- Added `apache::root_directory_options` attribute +- Added for `apache::mod::ldap`: + - `ldap_shared_cache_size` + - `ldap_cache_entries` + - `ldap_cache_ttl` + - `ldap_opcache_entries` + - `ldap_opcache_ttl` +- Added `apache::mod::pagespeed::package_ensure` attribute +- Added `apache::mod::passenger` attributes: + - `passenger_log_level` + - `manage_repo` +- Added upstream repo for `apache::mod::passenger` +- Added `apache::mod::proxy_fcgi` class +- Added `apache::mod::security` attributes: + - `audit_log_parts` + - `secpcrematchlimit` + - `secpcrematchlimitrecursion` + - `secdefaultaction` + - `anomaly_score_blocking` + - `inbound_anomaly_threshold` + - `outbound_anomaly_threshold` +- Added `apache::mod::ssl` attributes: + - `ssl_mutex` + - `apache_version` +- Added ubuntu 16.04 support +- Added `apache::mod::authnz_ldap::package_name` attribute +- Added `apache::mod::ldap::package_name` attribute +- Added `apache::mod::proxy::package_name` attribute +- Added `apache::vhost` attributes: + - `ssl_proxy_check_peen_expire` + - `ssl_proxy_protocol` + - `logroot_owner` + - `logroot_group` + - `setenvifnocase` + - `passenger_user` + - `passenger_high_performance` + - `jk_mounts` + - `fastcgi_idle_timeout` + - `modsec_disable_msgs` + - `modsec_disable_tags` +- Added ability for 2.4-style `RequireAll|RequireNone|RequireAny` directory permissions +- Added ability for includes in vhost directory +- Added directory values: + - `AuthMerging` + - `MellonSPMetadataFile` + +#### Bugfixes +- Fixed apache mod setup for event/worker failing syntax +- Fixed concat deprecation warnings +- Fixed pagespeed mod +- Fixed service restart on mod update +- Fixed mod dir purging to happen after package installs +- 
Fixed various `apache::mod::*` file modes +- Fixed `apache::mod::authnz_ldap` parameter `verifyServerCert` to be `verify_server_cert` +- Fixed loadfile name in `apache::mod::fcgid` +- Fixed `apache::mod::remoteip` to fail on apache < 2.4 (because it is not available) +- Fixed `apache::mod::ssl::ssl_honorcipherorder` interpolation +- Lint fixes +- Strict variable fixes +- Fixed `apache::vhost` attribute `redirectmatch_status` to be optional +- Fixed SSLv3 on by default in mod\_nss +- Fixed mod\_rpaf directive names in template +- Fixed mod\_worker needing MaxClients with ThreadLimit +- Fixed quoting on vhost php\_value +- Fixed xml2enc for proxy\_html on debian + ## Supported Release 1.8.1 ### Summary This release includes bug fixes and a documentation update. diff --git a/metadata.json b/metadata.json index dde60f9115..972f456d07 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "puppetlabs-apache", - "version": "1.8.1", + "version": "1.9.0", "author": "puppetlabs", "summary": "Installs, configures, and manages Apache virtual hosts, web services, and modules.", "license": "Apache-2.0", From 0a75a48a271e9cb1b42d4c032a60901702173f15 Mon Sep 17 00:00:00 2001 From: Bryan Jen Date: Wed, 20 Apr 2016 19:34:18 -0700 Subject: [PATCH 100/100] Updates CHANGELOG with newly added features and bugfix --- CHANGELOG.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 40d313a278..4b1da63b53 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -52,6 +52,13 @@ - Added directory values: - `AuthMerging` - `MellonSPMetadataFile` +- Adds Configurability of Collaborative Detection Severity Levels for OWASP Core Rule Set to `apache::mod::security` class + - `critical_anomaly_score` + - `error_anomaly_score` + - `warning_anomaly_score` + - `notice_anomaly_score` +- Adds ability to configure `info_path` in `apache::mod::info` class +- Adds ability to configure `verify_config` in `apache::vhost::custom` #### Bugfixes - Fixed apache mod setup for event/worker failing syntax @@ -72,6 +79,7 @@ - Fixed mod\_worker needing MaxClients with ThreadLimit - Fixed quoting on vhost php\_value - Fixed xml2enc for proxy\_html on debian +- Fixed a problem where the apache service restarts too fast ## Supported Release 1.8.1 ### Summary