Mercurial > repos > other > Puppet
annotate modules/apache/manifests/mod/security.pp @ 106:ef0926ee389a puppet-3.6
Lock down Apache headers for security, based on https://securityheaders.io/
| author | IBBoard <dev@ibboard.co.uk> |
|---|---|
| date | Sat, 14 May 2016 17:10:10 +0100 |
| parents | 37675581a273 |
| children | 675c1cc61eaf |
| rev | line source |
|---|---|
|
36
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1 class apache::mod::security ( |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
2 $crs_package = $::apache::params::modsec_crs_package, |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
3 $activated_rules = $::apache::params::modsec_default_rules, |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
4 $modsec_dir = $::apache::params::modsec_dir, |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
5 $allowed_methods = 'GET HEAD POST OPTIONS', |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
6 $content_types = 'application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf', |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
7 $restricted_extensions = '.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/', |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
8 $restricted_headers = '/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/', |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
9 ){ |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
10 |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
11 if $::osfamily == 'FreeBSD' { |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
12 fail('FreeBSD is not currently supported') |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
13 } |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
14 |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
15 ::apache::mod { 'security': |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
16 id => 'security2_module', |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
17 lib => 'mod_security2.so', |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
18 } |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
19 |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
20 ::apache::mod { 'unique_id_module': |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
21 id => 'unique_id_module', |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
22 lib => 'mod_unique_id.so', |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
23 } |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
24 |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
25 if $crs_package { |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
26 package { $crs_package: |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
27 ensure => 'latest', |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
28 before => File['security.conf'], |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
29 } |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
30 } |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
31 |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
32 # Template uses: |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
33 # - $modsec_dir |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
34 file { 'security.conf': |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
35 ensure => file, |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
36 content => template('apache/mod/security.conf.erb'), |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
37 path => "${::apache::mod_dir}/security.conf", |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
38 owner => $::apache::params::user, |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
39 group => $::apache::params::group, |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
40 require => Exec["mkdir ${::apache::mod_dir}"], |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
41 before => File[$::apache::mod_dir], |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
42 notify => Class['apache::service'], |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
43 } |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
44 |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
45 file { $modsec_dir: |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
46 ensure => directory, |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
47 owner => $::apache::params::user, |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
48 group => $::apache::params::group, |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
49 mode => '0555', |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
50 purge => true, |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
51 force => true, |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
52 recurse => true, |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
53 } |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
54 |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
55 file { "${modsec_dir}/activated_rules": |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
56 ensure => directory, |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
57 owner => $::apache::params::user, |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
58 group => $::apache::params::group, |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
59 mode => '0555', |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
60 purge => true, |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
61 force => true, |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
62 recurse => true, |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
63 notify => Class['apache::service'], |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
64 } |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
65 |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
66 file { "${modsec_dir}/security_crs.conf": |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
67 ensure => file, |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
68 content => template('apache/mod/security_crs.conf.erb'), |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
69 require => File[$modsec_dir], |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
70 notify => Class['apache::service'], |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
71 } |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
72 |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
73 apache::security::rule_link { $activated_rules: } |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
74 |
|
37675581a273
Update Puppet module for Apache (pulls in concat module)
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
75 } |