Mercurial > repos > other > Puppet

comparison modules/website/manifests/init.pp @ 284:9431aec4d998

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Switch to using IPv6 prefix and IP per site This is because the proxy seems to break SNI, so we need an IP per SSL cert. We're not short of IPv6 addresses, though! Also corrected to "4to6" naming, because we're letting IPv4 access an IPv6 site
author IBBoard <dev@ibboard.co.uk>
date Sun, 16 Feb 2020 12:07:35 +0000
parents af7df930a670
children e765073832d9
comparison
equal deleted inserted replaced
283:d29f477c51d4 284:9431aec4d998
1 class website( 1 class website(
2 Pattern[/^(\/[^\/]+)*$/] $base_dir, 2 Pattern[/^(\/[^\/]+)*$/] $base_dir,
3 Pattern[/^(\/[^\/]+)*$/] $cert_dir = '/etc/pki/custom', 3 Pattern[/^(\/[^\/]+)*$/] $cert_dir = '/etc/pki/custom',
4 Stdlib::IP::Address $primary_ip, 4 Stdlib::IP::Address $primary_ip,
5 Stdlib::IP::Address::V6 $proxy_6to4_ip = undef, 5 Stdlib::IP::Address::V6 $proxy_4to6_ip_prefix = undef,
6 Array[Stdlib::IP::Address::V6] $proxy_upstream = undef, 6 Optional[Integer] $proxy_4to6_mask = undef,
7 Array[Stdlib::IP::Address::V6] $proxy_4to6_addresses = [],
8 Array $proxy_upstream = undef,
7 String $default_owner, 9 String $default_owner,
8 String $default_group, 10 String $default_group,
9 String $default_tld = 'com', 11 String $default_tld = 'com',
10 Array $default_extra_tlds = [] 12 Array $default_extra_tlds = []
11 ){ 13 ){
123 destination => $primary_ip, 125 destination => $primary_ip,
124 dport => [80, 443], 126 dport => [80, 443],
125 proto => tcp, 127 proto => tcp,
126 action => accept, 128 action => accept,
127 } 129 }
128 if ($proxy_6to4_ip != undef) and ($proxy_upstream != undef) { 130 if ($proxy_4to6_ip_prefix != undef) and ($proxy_upstream != undef) {
131 $ipv6_secondaries = join($proxy_4to6_addresses, " ")
129 augeas {'/etc/sysconfig/network-scripts/ifcfg-eth0': 132 augeas {'/etc/sysconfig/network-scripts/ifcfg-eth0':
130 context => "/files/etc/sysconfig/network-scripts/ifcfg-eth0", 133 context => "/files/etc/sysconfig/network-scripts/ifcfg-eth0",
131 changes => "set IPV6ADDR_SECONDARIES $proxy_6to4_ip", 134 changes => "set IPV6ADDR_SECONDARIES '$ipv6_secondaries'",
132 } 135 }
133 136
134 apache::mod { "remoteip": } 137 apache::mod { "remoteip": }
138 $proxy_4to6_ip = "$proxy_4to6_ip_prefix:0000/$proxy_4to6_mask"
135 139
136 $proxy_upstream.each |String $upstream_addr| { 140 $proxy_upstream.each |String $upstream_addr| {
137 firewall { "100 limit PROXY protocol to upstream $upstream_addr": 141 firewall { "100 limit PROXY protocol to upstream $upstream_addr":
138 source => $upstream_addr, 142 source => $upstream_addr,
139 destination => $proxy_6to4_ip, 143 destination => $proxy_4to6_ip,
140 dport => [80, 443], 144 dport => [80, 443],
141 proto => tcp, 145 proto => tcp,
142 action => accept, 146 action => accept,
143 } 147 }
144 } 148 }
145 firewall { "101 block all other PROXY protocol access": 149 firewall { "101 block all other PROXY protocol access":
146 destination => $proxy_6to4_ip, 150 destination => $proxy_4to6_ip,
147 dport => [80, 443], 151 dport => [80, 443],
148 proto => tcp, 152 proto => tcp,
149 action => reject, 153 action => reject,
150 } 154 }
151 } 155 }