view modules/website/manifests/https/redir.pp @ 161:d2b4750e843a

Add custom log format - combined plus requested domain. This helps by logging which domain people hit and were redirected by, without needing per-domain logs
author IBBoard <dev@ibboard.co.uk>
date Sun, 02 Apr 2017 20:09:13 +0100
parents 060f81349dd6
children c72d2b5f9be2
# If the SSL cert and key are defined then the caller is responsible for ensuring they exist
# If the SSL cert and key are not defined then we use template file paths and ensure they exist
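# Declares an HTTPS vhost for $name that permanently redirects to $redir,
# plus a plain-HTTP vhost on port 80 doing the same redirect.
#
# Parameters:
#   $docroot          - document root; defaults to "${website::basedir}/<shortname>"
#   $ip               - address the HTTPS vhost listens on
#   $redir            - redirect destination (required)
#   $ssl_cert/$ssl_key - explicit cert and key paths; must be given together
#   $ssl_ca_chain     - file name under /etc/pki/custom/ of the CA chain to send.
#                       '' means "directly under the CA, send no chain"; undef
#                       falls through to Let's Encrypt or $website::ca_chain
#   $letsencrypt_name - Let's Encrypt live directory name; defaults to $::fqdn
#   $docroot_owner/$docroot_group - fall back to $website::docroot_owner/_group
#   $serveraliases    - extra ServerAlias entries for both vhosts
#   $ensure           - 'present' or 'absent'; applied to both vhosts
#   $separate_log     - when true, '_redir' is appended to the log file names
define website::https::redir(
  $docroot          = undef,
  $ip               = $website::primary_ip,
  $redir,
  $ssl_cert         = undef,
  $ssl_key          = undef,
  $ssl_ca_chain     = undef,
  $letsencrypt_name = undef,
  $docroot_owner    = undef,
  $docroot_group    = undef,
  $serveraliases    = [],
  $ensure           = 'present',
  $separate_log     = false,
) {
  validate_re($ensure, '^(present|absent)$',
    "${ensure} is not supported for ensure.
Allowed values are 'present' and 'absent'.")

  # An explicit cert without its key would otherwise silently produce a vhost
  # with ssl_key unset; fail early with a clear message instead.
  if $ssl_cert != undef and $ssl_key == undef {
    fail("ssl_key must be given when ssl_cert is given (${name})")
  }

  $shortname   = domain_to_short_name($name)
  $logpart     = $shortname
  $shortdomain = domain_to_short_domain($name)

  if $separate_log {
    $log_extra = '_redir'
  } else {
    $log_extra = ''
  }

  if $docroot == undef {
    $siteroot = "${website::basedir}/${shortname}"
  } else {
    $siteroot = $docroot
  }

  # These conditionals use an ugly cludge from
  # http://grokbase.com/t/gg/puppet-users/147by1key3/checking-a-variable-is-not-undef#20140713grem6zqsai7qjbgkmd2f4ia3qi
  # because if we don't then undef gets auto-cast to the empty string and the empty string matches our special "no CA chain" case
  # It'd be nicer to use "=~ Undef" to check types (https://puppet-on-the-edge.blogspot.co.uk/2013/12/lets-talk-about-undef.html),
  # but that threw syntax errors.
  if $ssl_cert != undef {
    # Caller-managed cert/key: we only reference them.
    $sslcert = $ssl_cert
    $sslkey  = $ssl_key
  } elsif $ssl_ca_chain == '' and ('' in [$ssl_ca_chain]) {
    # Cert issued directly under our CA: ship cert and key from the private
    # file mount, readable by root only (Apache reads them before dropping privileges).
    $sslcert = "${website::certdir}/${shortdomain}.crt"
    $sslkey  = "${website::certdir}/${shortdomain}.key"
    # NOTE: a resource default applies to the whole define body, not just this
    # branch. On this path no CA chain file is declared (see the '' case
    # below), so today it only reaches the two file resources here.
    File {
      mode  => '0400',
      owner => 'root',
      group => 'root',
    }
    file { $sslcert:
      ensure => present,
      source => "puppet:///private/pki/custom/${shortdomain}.crt",
      before => Apache::Vhost[$name],
      notify => Service['httpd'],
    }
    file { $sslkey:
      ensure => present,
      source => "puppet:///private/pki/custom/${shortdomain}.key",
      before => Apache::Vhost[$name],
      notify => Service['httpd'],
    }
  } elsif $letsencrypt_name != undef {
    $sslcert = "/etc/letsencrypt/live/${letsencrypt_name}/cert.pem"
    $sslkey  = "/etc/letsencrypt/live/${letsencrypt_name}/privkey.pem"
  } else {
    $sslcert = "/etc/letsencrypt/live/${::fqdn}/cert.pem"
    $sslkey  = "/etc/letsencrypt/live/${::fqdn}/privkey.pem"
  }

  if $ssl_ca_chain != '' {
    $ssl_chain = "/etc/pki/custom/${ssl_ca_chain}"
    # defined() is parse-order dependent; presumably the guard exists because
    # several vhosts can share one chain file, so only the first one evaluated
    # declares it.
    if ! defined(File[$ssl_chain]) {
      file { $ssl_chain:
        ensure => present,
        source => "puppet:///private/pki/custom/${ssl_ca_chain}",
        notify => Service['httpd'],
      }
    }
  } elsif $ssl_ca_chain == '' and '' in [$ssl_ca_chain] {
    # Special case where we're directly under the CA and don't want to unnecessarily send the CA cert
    $ssl_chain = undef
  } elsif $letsencrypt_name != undef {
    $ssl_chain = "/etc/letsencrypt/live/${letsencrypt_name}/chain.pem"
  } else {
    $ssl_chain = $website::ca_chain
  }

  if $docroot_owner == undef {
    $owner = $website::docroot_owner
  } else {
    $owner = $docroot_owner
  }

  if $docroot_group == undef {
    $group = $website::docroot_group
  } else {
    $group = $docroot_group
  }

  # Hardening headers sent on every response from the HTTPS vhost.
  # HSTS max-age is 16070400s (186 days) and includes subdomains.
  $custom_conf = 'Header always set Strict-Transport-Security "max-age=16070400; includeSubDomains"
Header always set X-Xss-Protection "1; mode=block"
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"'

  # One format for both vhosts: Apache's "combined" plus the requested Host,
  # so a shared log still shows which domain was hit and redirected.
  # The \\\" sequences leave a literal \" in the LogFormat Apache receives.
  $log_format = "%h %l %u %t \\\"%r\\\" %>s %b \\\"%{Referer}i\\\" \\\"%{User-agent}i\\\" %{Host}i"

  apache::vhost { $name:
    ensure            => $ensure,
    ip                => $ip,
    port              => '443',
    docroot           => $siteroot,
    docroot_owner     => $owner,
    docroot_group     => $group,
    redirect_status   => 'permanent',
    redirect_dest     => $redir,
    custom_fragment   => $custom_conf,
    logroot           => '/var/log/apache/',
    access_log_file   => "access_${logpart}${log_extra}.log",
    access_log_format => $log_format,
    error_log_file    => "error_${logpart}${log_extra}.log",
    serveraliases     => $serveraliases,
    ssl               => true,
    ssl_cert          => $sslcert,
    ssl_key           => $sslkey,
    ssl_chain         => $ssl_chain,
  }

  # Plain-HTTP vhost: same redirect so http:// requests never serve content.
  # It now follows $ensure too, so 'absent' removes both vhosts rather than
  # leaving the port-80 one behind.
  # NOTE(review): unlike the HTTPS vhost this one sets no ip, so it is a
  # name-based vhost on *:80 — confirm that is intended.
  apache::vhost { "${name}-80":
    ensure            => $ensure,
    servername        => $name,
    port              => 80,
    docroot           => $siteroot,
    docroot_owner     => $owner,
    docroot_group     => $group,
    redirect_status   => 'permanent',
    redirect_dest     => $redir,
    serveraliases     => $serveraliases,
    logroot           => '/var/log/apache/',
    access_log_file   => "access_${logpart}${log_extra}_nossl.log",
    access_log_format => $log_format,
    error_log_file    => "error_${logpart}${log_extra}_nossl.log",
  }
}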