comparison modules/website/manifests/init.pp @ 284:9431aec4d998
Switch to using IPv6 prefix and IP per site
This is because the proxy seems to break SNI, so we need an IP
per SSL cert. We're not short of IPv6 addresses, though!
Also corrected to "4to6" naming, because we're letting IPv4 access
an IPv6 site
author | IBBoard <dev@ibboard.co.uk> |
---|---|
date | Sun, 16 Feb 2020 12:07:35 +0000 |
parents | af7df930a670 |
children | e765073832d9 |
283:d29f477c51d4 | 284:9431aec4d998 |
---|---|
1 class website( | 1 class website( |
2 Pattern[/^(\/[^\/]+)*$/] $base_dir, | 2 Pattern[/^(\/[^\/]+)*$/] $base_dir, |
3 Pattern[/^(\/[^\/]+)*$/] $cert_dir = '/etc/pki/custom', | 3 Pattern[/^(\/[^\/]+)*$/] $cert_dir = '/etc/pki/custom', |
4 Stdlib::IP::Address $primary_ip, | 4 Stdlib::IP::Address $primary_ip, |
5 Stdlib::IP::Address::V6 $proxy_6to4_ip = undef, | 5 Stdlib::IP::Address::V6 $proxy_4to6_ip_prefix = undef, |
6 Array[Stdlib::IP::Address::V6] $proxy_upstream = undef, | 6 Optional[Integer] $proxy_4to6_mask = undef, |
7 Array[Stdlib::IP::Address::V6] $proxy_4to6_addresses = [], | |
8 Array $proxy_upstream = undef, | |
7 String $default_owner, | 9 String $default_owner, |
8 String $default_group, | 10 String $default_group, |
9 String $default_tld = 'com', | 11 String $default_tld = 'com', |
10 Array $default_extra_tlds = [] | 12 Array $default_extra_tlds = [] |
11 ){ | 13 ){ |
123 destination => $primary_ip, | 125 destination => $primary_ip, |
124 dport => [80, 443], | 126 dport => [80, 443], |
125 proto => tcp, | 127 proto => tcp, |
126 action => accept, | 128 action => accept, |
127 } | 129 } |
128 if ($proxy_6to4_ip != undef) and ($proxy_upstream != undef) { | 130 if ($proxy_4to6_ip_prefix != undef) and ($proxy_upstream != undef) { |
131 $ipv6_secondaries = join($proxy_4to6_addresses, " ") | |
129 augeas {'/etc/sysconfig/network-scripts/ifcfg-eth0': | 132 augeas {'/etc/sysconfig/network-scripts/ifcfg-eth0': |
130 context => "/files/etc/sysconfig/network-scripts/ifcfg-eth0", | 133 context => "/files/etc/sysconfig/network-scripts/ifcfg-eth0", |
131 changes => "set IPV6ADDR_SECONDARIES $proxy_6to4_ip", | 134 changes => "set IPV6ADDR_SECONDARIES '$ipv6_secondaries'", |
132 } | 135 } |
133 | 136 |
134 apache::mod { "remoteip": } | 137 apache::mod { "remoteip": } |
138 $proxy_4to6_ip = "$proxy_4to6_ip_prefix:0000/$proxy_4to6_mask" | |
135 | 139 |
136 $proxy_upstream.each |String $upstream_addr| { | 140 $proxy_upstream.each |String $upstream_addr| { |
137 firewall { "100 limit PROXY protocol to upstream $upstream_addr": | 141 firewall { "100 limit PROXY protocol to upstream $upstream_addr": |
138 source => $upstream_addr, | 142 source => $upstream_addr, |
139 destination => $proxy_6to4_ip, | 143 destination => $proxy_4to6_ip, |
140 dport => [80, 443], | 144 dport => [80, 443], |
141 proto => tcp, | 145 proto => tcp, |
142 action => accept, | 146 action => accept, |
143 } | 147 } |
144 } | 148 } |
145 firewall { "101 block all other PROXY protocol access": | 149 firewall { "101 block all other PROXY protocol access": |
146 destination => $proxy_6to4_ip, | 150 destination => $proxy_4to6_ip, |
147 dport => [80, 443], | 151 dport => [80, 443], |
148 proto => tcp, | 152 proto => tcp, |
149 action => reject, | 153 action => reject, |
150 } | 154 } |
151 } | 155 } |
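Review bot: The guard at new line 130 checks `$proxy_4to6_ip_prefix` and `$proxy_upstream` but not `$proxy_4to6_mask`, which is `Optional[Integer]` defaulting to `undef`, so with the prefix set and the mask left unset new line 138 interpolates to `"<prefix>:0000/"` and that malformed destination is fed to both the 100 and 101 `firewall` resources. Since rule 101 is what stops anyone other than the upstream proxy from speaking PROXY protocol to the site (and with `mod_remoteip` enabled a spoofed PROXY header would let a client forge its source address), a mask that is missing or out of range likely leaves the listener unrestricted if those resources fail to apply. I would tighten the type to `Optional[Integer[0, 128]] $proxy_4to6_mask = undef,` and extend the guard to `if ($proxy_4to6_ip_prefix != undef) and ($proxy_4to6_mask != undef) and ($proxy_upstream != undef) {`, or give the mask a non-undef default. The `Stdlib::IP::Address::V6` type on `$proxy_4to6_ip_prefix` also appears to be validating a full address rather than the truncated prefix the `:0000` suffix assumes, so a comment such as `# prefix without trailing "::", e.g. 2001:db8:1:2:3:4:5; ":0000/<mask>" is appended below` would help the next maintainer, and the join into `IPV6ADDR_SECONDARIES` presumably expects per-address prefix lengths — worth confirming against the ifcfg format. The `website` class body continues outside the hunk on both sides.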