view modules/website/manifests/https/redir.pp @ 426:1d6cf5d981be

Try to resolve more CSP errors
author IBBoard <dev@ibboard.co.uk>
date Fri, 14 Oct 2022 19:18:57 +0100
parents c68883dde00b
children b8d6ada284dd
line wrap: on
line source

# If the SSL cert and key are defined then the definer deals with them existing
# If the SSL cert and key are not defined then we use template file paths and ensure they exist
define website::https::redir(
    $docroot            = undef,
    $ip                 = $website::primary_ip,
    $proxy_4to6_ip      = undef,
    $redir,
    $ssl_cert           = undef,
    $ssl_key            = undef,
    $ssl_ca_chain       = undef,
    $letsencrypt_name   = undef,
    $docroot_owner      = undef,
    $docroot_group      = undef,
    $serveraliases      = [],
    $ensure             = 'present',
    $separate_log       = false,
  ) {

  $shortname = domain_to_short_name($name)
  $logpart = $shortname
  $shortdomain = domain_to_short_domain($name)

  if $separate_log {
    $log_extra = '_redir'
  } else {
    $log_extra = ''
  }

  if $docroot == undef {
    $siteroot = "${website::basedir}/${shortname}"
  } else {
    $siteroot = $docroot
  }

# These conditionals use an ugly cludge from
# http://grokbase.com/t/gg/puppet-users/147by1key3/checking-a-variable-is-not-undef#20140713grem6zqsai7qjbgkmd2f4ia3qi
# because if we don't then undef gets auto-cast to the empty string and the empty string matches our special "no CA chain" case
# It'd be nicer to use "=~ Undef" to check types (https://puppet-on-the-edge.blogspot.co.uk/2013/12/lets-talk-about-undef.html),
# but that threw syntax errors.
  if $ssl_cert != undef {
    $sslcert = $ssl_cert
    $sslkey = $ssl_key   
  } elsif $ssl_ca_chain == "" and ("" in [$ssl_ca_chain]) {
    $sslcert = "${website::certdir}/${shortdomain}.crt"
    $sslkey = "${website::certdir}/${shortdomain}.key"
    File {
      mode => '0400',
      owner => 'root',
      group => 'root',
    }
    file { $sslcert:
      source => "puppet:///private/pki/custom/${shortdomain}.crt",
      before => Apache::Vhost[$name],
      notify => Service['httpd'],
      ensure => present;
    }
    file { $sslkey:
      source => "puppet:///private/pki/custom/${shortdomain}.key",
      before => Apache::Vhost[$name],
      notify => Service['httpd'],
      ensure => present;
    }
  } elsif $letsencrypt_name != undef {
    $sslcert = "/etc/letsencrypt/live/${letsencrypt_name}/cert.pem"
    $sslkey = "/etc/letsencrypt/live/${letsencrypt_name}/privkey.pem"
  } else {
    $sslcert = "/etc/letsencrypt/live/${::fqdn}/cert.pem"
    $sslkey = "/etc/letsencrypt/live/${::fqdn}/privkey.pem"
  }

  if $ssl_ca_chain == '' and '' in [$ssl_ca_chain] {
    # Special case where we're directly under the CA and don't want to unnecessarily send the CA cert
    $ssl_chain = undef
  } elsif $ssl_ca_chain != undef {
    $ssl_chain = "/etc/pki/custom/$ssl_ca_chain"
    if ! defined(File[$ssl_chain]) {
      file { $ssl_chain:
        ensure => present,
        source => "puppet:///private/pki/custom/$ssl_ca_chain",
        notify  => Service['httpd'],
      }
    }
  } elsif $letsencrypt_name != undef {
    $ssl_chain = "/etc/letsencrypt/live/${letsencrypt_name}/chain.pem"
  } else {
    $ssl_chain = $website::ca_chain
  }

  if $docroot_owner == undef {
    $owner = $website::docroot_owner
  } else {
    $owner = $docroot_owner
  }

  if $docroot_group == undef {
    $group = $website::docroot_group
  } else {
    $group = $docroot_group
  }

  $custom_conf = 'Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header set X-Xss-Protection "1; mode=block"
Header set X-Content-Type-Options "nosniff"
Header set X-Frame-Options "SAMEORIGIN"'

  apache::vhost { $name:
    ip              => $ip,
    port            => '443',
    docroot         => $siteroot,
    docroot_owner   => $owner,
    docroot_group   => $group,
    docroot_mode    => '2775',
    redirect_status => 'permanent',
    redirect_dest   => $redir,
    custom_fragment => $custom_conf,
    logroot         => '/var/log/apache/',
    access_log_file => "access_${logpart}${log_extra}.log",
    access_log_format => "%h %l %u %t \\\"%r\\\" %>s %b \\\"%{Referer}i\\\" \\\"%{User-agent}i\\\" %{Host}i",
    error_log_file  => "error_${logpart}${log_extra}.log",
    serveraliases   => $serveraliases,
    ssl             => true,
    ssl_cert        => $sslcert,
    ssl_key         => $sslkey,
    ssl_chain       => $ssl_chain,
    ensure          => $ensure,
  }

  apache::vhost { "${name}-80":
    servername => $name,
    ip => $ip,
    port => 80,
    docroot => $siteroot,
    docroot_owner   => $owner,
    docroot_group   => $group,
    redirect_status => 'permanent',
    redirect_dest => $redir,
    serveraliases   => $serveraliases,
    logroot         => '/var/log/apache/',
    access_log_file => "access_${logpart}${log_extra}_nossl.log",
    access_log_format => "%h %l %u %t \\\"%r\\\" %>s %b \\\"%{Referer}i\\\" \\\"%{User-agent}i\\\" %{Host}i",
    error_log_file  => "error_${logpart}${log_extra}_nossl.log",
  }


  if ($proxy_4to6_ip != undef) {
    apache::vhost { "$name-PROXY":
      servername      => $name,
      ip              => $proxy_4to6_ip,
      port            => '443',
      docroot         => $siteroot,
      docroot_owner   => $owner,
      docroot_group   => $group,
      docroot_mode    => '2775',
      redirect_status => 'permanent',
      redirect_dest   => $redir,
      custom_fragment => "RemoteIPProxyProtocol On
$custom_conf",
      logroot         => '/var/log/apache/',
      access_log_file => "access_${logpart}${log_extra}.log",
      access_log_format => "%a %l %u %t \\\"%r\\\" %>s %b \\\"%{Referer}i\\\" \\\"%{User-agent}i\\\" %{Host}i",
      error_log_file  => "error_${logpart}${log_extra}.log",
      serveraliases   => $serveraliases,
      ssl             => true,
      ssl_cert        => $sslcert,
      ssl_key         => $sslkey,
      ssl_chain       => $ssl_chain,
      ensure          => $ensure,
    }

    apache::vhost { "${name}-80-PROXY":
      servername => $name,
      ip => $proxy_4to6_ip,
      port => 80,
      docroot => $siteroot,
      docroot_owner   => $owner,
      docroot_group   => $group,
      redirect_status => 'permanent',
      redirect_dest => $redir,
      serveraliases   => $serveraliases,
      custom_fragment => "RemoteIPProxyProtocol On",
      logroot         => '/var/log/apache/',
      access_log_file => "access_${logpart}${log_extra}_nossl.log",
      access_log_format => "%a %l %u %t \\\"%r\\\" %>s %b \\\"%{Referer}i\\\" \\\"%{User-agent}i\\\" %{Host}i",
      error_log_file  => "error_${logpart}${log_extra}_nossl.log",
    }
  }
}