view modules/apache/README.passenger.md @ 106:ef0926ee389a puppet-3.6

Lock down Apache headers for security, based on https://securityheaders.io/
author IBBoard <dev@ibboard.co.uk>
date Sat, 14 May 2016 17:10:10 +0100
parents 37675581a273

# Passenger

Just enabling the Passenger module is insufficient for the use of Passenger in
production. Passenger should be tunable to better fit the environment in which
it is run while being aware of the resources it requires.

To this end the Apache passenger module has been modified to apply system-wide
Passenger tuning declarations to `passenger.conf`. Declarations specific to a
virtual host should be passed through when defining a `vhost` (e.g. the
`rack_base_uris` parameter on the `apache::vhost` type; see `README.md`).

Also, general apache module loading parameters can be supplied to enable using
a customized passenger module in place of a default-package-based version of
the module.

# Operating system support and Passenger versions

The most important configuration directive for the Apache Passenger module is
`PassengerRoot`. Its value depends on the Passenger version used (2.x, 3.x or
4.x) and on the operating system package from which the Apache Passenger module
is installed.

The following table summarises the current *default versions* and
`PassengerRoot` settings for the operating systems supported by
puppetlabs-apache:

OS               | Passenger version  | `PassengerRoot` 
---------------- | ------------------ | ----------------
Debian 7         | 3.0.13             | /usr
Debian 8         | 4.0.53             | /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini
Ubuntu 12.04     | 2.2.11             | /usr
Ubuntu 14.04     | 4.0.37             | /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini 
RHEL with EPEL6  | 3.0.21             | /usr/lib/ruby/gems/1.8/gems/passenger-3.0.21 

As mentioned in `README.md` there are no compatible packages available for
RHEL/CentOS 5 or RHEL/CentOS 7.

## Configuration files and locations on RHEL/CentOS

Notice two important points:

1. The Passenger version packaged in the EPEL repositories may change over time.
2. The value of `PassengerRoot` depends on the Passenger version installed.

To prevent the puppetlabs-apache module from having to keep up with these
package versions the Passenger configuration files installed by the
packages are left untouched by this module. All configuration is placed in an
extra configuration file managed by puppetlabs-apache.

This means `/etc/httpd/conf.d/passenger.conf` is installed by the
`mod_passenger` package and contains correct values for `PassengerRoot` and
`PassengerRuby`. Puppet will ignore this file. Additional configuration
directives as described in the remainder of this document are placed in
`/etc/httpd/conf.d/passenger_extra.conf`, managed by Puppet.

This pertains *only* to RHEL/CentOS, *not* Debian and Ubuntu.

## Third-party and custom Passenger packages and versions

The Passenger version distributed by the default OS packages may be too old to
be useful. Newer versions may be installed via Gems, from source or from
third-party OS packages.

Most notably the Passenger developers officially provide Debian packages for a
variety of Debian and Ubuntu releases in the [Passenger APT
repository](https://oss-binaries.phusionpassenger.com/apt/passenger). Read more
about [installing these packages in the official user
guide](http://www.modrails.com/documentation/Users%20guide%20Apache.html#install_on_debian_ubuntu).

If you install custom Passenger packages or newer versions, make sure to set
the directives `PassengerRoot`, `PassengerRuby` and/or `PassengerDefaultRuby`
correctly, or Passenger and Apache will fail to function properly.

For Passenger 4.x packages on Debian and Ubuntu the `PassengerRoot` directive
should almost universally be set to
`/usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini`.

# Parameters for `apache::mod::passenger`

The following class parameters configure Passenger in a global, server-wide
context.

Example:

```puppet
class { 'apache::mod::passenger':
  passenger_root             => '/usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini',
  passenger_default_ruby     => '/usr/bin/ruby1.9.3',
  passenger_high_performance => 'on',
  rails_autodetect           => 'off',
  mod_lib_path               => '/usr/lib/apache2/custom_modules',
}
```

In general, each parameter name is the all lower-case version of the
configuration directive, with underscores instead of CamelCase.

## Parameters used with passenger.conf

If you pass a default value to `apache::mod::passenger` it will be ignored and
not passed through to the configuration file. 

### passenger_root

The location of the Phusion Passenger root directory. This configuration option
is essential to Phusion Passenger, and allows Phusion Passenger to locate its
own data files.

The default depends on the Passenger version and the means of installation. See
the above section on operating system support, versions and packages for more
information.

http://www.modrails.com/documentation/Users%20guide%20Apache.html#_passengerroot_lt_directory_gt

### passenger_default_ruby

This option specifies the default Ruby interpreter to use for web apps as well
as for all sorts of internal Phusion Passenger helper scripts, e.g. the one
used by PassengerPreStart.

This directive was introduced in Passenger 4.0.0 and will not work in versions
< 4.x. Do not set this parameter if your Passenger version is older than 4.0.0.

Defaults to `undef` for all operating systems except Ubuntu 14.04, where it is
set to `/usr/bin/ruby`.

http://www.modrails.com/documentation/Users%20guide%20Apache.html#PassengerDefaultRuby

### passenger_ruby

This directive is the same as `passenger_default_ruby` for Passenger versions
< 4.x and must be used instead of `passenger_default_ruby` for such versions.

It makes no sense to set `PassengerRuby` for Passenger >= 4.x. That
directive should only be used to override the value of `PassengerDefaultRuby`
on a non-global context, i.e. in `<VirtualHost>`, `<Directory>`, `<Location>`
and so on.

Defaults to `/usr/bin/ruby` for all supported operating systems except Ubuntu
14.04, where it is set to `undef`.

http://www.modrails.com/documentation/Users%20guide%20Apache.html#PassengerRuby

### passenger_high_performance

Default is `off`. When turned `on` Passenger runs in a higher performance mode
that can be less compatible with other Apache modules.

http://www.modrails.com/documentation/Users%20guide%20Apache.html#PassengerHighPerformance

### passenger_max_pool_size

Sets the maximum number of Passenger application processes that may
simultaneously run. The default value is 6.

http://www.modrails.com/documentation/Users%20guide%20Apache.html#_passengermaxpoolsize_lt_integer_gt

### passenger_pool_idle_time

The maximum number of seconds a Passenger Application process will be allowed
to remain idle before being shut down. The default value is 300.

http://www.modrails.com/documentation/Users%20guide%20Apache.html#PassengerPoolIdleTime

### passenger_max_requests

The maximum number of requests a Passenger application will process before being
restarted. The default value is 0, which indicates that a process will only
shut down if the Pool Idle Time (see above) expires.

http://www.modrails.com/documentation/Users%20guide%20Apache.html#PassengerMaxRequests

### passenger_stat_throttle_rate

Sets how often Passenger performs file system checks, at most once every _x_
seconds. Default is 0, which means the checks are performed with every request.

http://www.modrails.com/documentation/Users%20guide%20Apache.html#_passengerstatthrottlerate_lt_integer_gt

### rack_autodetect

Whether Passenger should automatically detect if the document root of a virtual
host is a Rack application. Not set by default (`undef`). Note that this
directive has been removed in Passenger 4.0.0 and `PassengerEnabled` should be
used instead. Use this directive only on Passenger < 4.x.

http://www.modrails.com/documentation/Users%20guide%20Apache.html#_rackautodetect_lt_on_off_gt

### rails_autodetect

Whether Passenger should automatically detect if the document root of a virtual
host is a Rails application. Not set by default (`undef`). Note that this
directive has been removed in Passenger 4.0.0 and `PassengerEnabled` should be
used instead. Use this directive only on Passenger < 4.x.

http://www.modrails.com/documentation/Users%20guide%20Apache.html#_railsautodetect_lt_on_off_gt

### passenger_use_global_queue

Allows toggling of PassengerUseGlobalQueue.  NOTE: PassengerUseGlobalQueue is
the default in Passenger 4.x and the versions >= 4.x have disabled this
configuration option altogether.  Use with caution.
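
The version rules stated in the parameter descriptions above can be checked
mechanically against a rendered Apache configuration file. The following Ruby
script is an added example, not part of puppetlabs-apache;
`check_passenger_conf`, `RULES`, `TRANSPARENT` and `SAMPLE_CONF` are
hypothetical names and the sample configuration is constructed.

```ruby
# Added example (not puppetlabs-apache code); every name below is hypothetical.
require 'rubygems'

# Lower-cased directive => [versions where it is valid, advice when it is not].
RULES = {
  'passengerdefaultruby'    => [:min_4, 'introduced in 4.0.0; use PassengerRuby'],
  'rackautodetect'          => [:pre_4, 'removed in 4.0.0; use PassengerEnabled'],
  'railsautodetect'         => [:pre_4, 'removed in 4.0.0; use PassengerEnabled'],
  'passengeruseglobalqueue' => [:pre_4, 'option disabled in 4.x']
}.freeze
# Containers that do not change the configuration context.
TRANSPARENT = %w[ifmodule ifdefine ifversion].freeze

# Returns [[line_number, directive, advice], ...] for the given Passenger version.
def check_passenger_conf(text, version)
  is_4x = Gem::Version.new(version) >= Gem::Version.new('4.0.0')
  stack = [] # open <Container> sections, innermost last
  findings = []
  text.each_line.with_index(1) do |raw, lineno|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    if line.start_with?('</')
      stack.pop
    elsif line.start_with?('<')
      stack << line[/\A<(\w+)/, 1].to_s.downcase
    else
      name = line.split(/\s+/, 2).first
      key = name.downcase # Apache directive names are case-insensitive
      constraint, advice = RULES[key]
      global = (stack - TRANSPARENT).empty?
      if (constraint == :min_4 && !is_4x) || (constraint == :pre_4 && is_4x)
        findings << [lineno, name, advice]
      elsif key == 'passengerruby' && is_4x && global
        findings << [lineno, name, 'global on 4.x; use PassengerDefaultRuby']
      end
    end
  end
  findings
end
# Constructed sample: a 3.x-era file left in place after an upgrade to 4.x.
SAMPLE_CONF = <<~CONF
  <IfModule mod_passenger.c>
    PassengerRoot /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini
    PassengerRuby /usr/bin/ruby
    RailsAutoDetect off
  </IfModule>
  <VirtualHost *:80>
    PassengerRuby /usr/bin/ruby1.9.3
  </VirtualHost>
CONF
check_passenger_conf(SAMPLE_CONF, '4.0.53').each { |f| puts f.join(': ') }
```

Run it against the file Apache actually loads, passing the version reported by
the installed Passenger package.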

## Parameters used to load the module

Unlike the tuning parameters specified above, the following parameters are only
used when loading customized passenger modules.

### mod_package

Allows overriding the default package name used for the passenger module
package.

### mod_package_ensure

Allows overriding the package installation setting used by puppet when
installing the passenger module. The default is 'present'.

### mod_id

Allows overriding the value used by apache to identify the passenger module.
The default is 'passenger_module'.

### mod_lib_path

Allows overriding the directory path used by apache when loading the passenger
module. The default is the value of `$apache::params::lib_path`.

### mod_lib

Allows overriding the library file name used by apache when loading the
passenger module. The default is 'mod_passenger.so'.

### mod_path

Allows overriding the full path to the library file used by apache when loading
the passenger module. The default is the concatenation of the `mod_lib_path`
and `mod_lib` parameters.

# Dependencies

RedHat-based systems will need to configure additional package repositories in
order to install Passenger, specifically:

* [Extra Packages for Enterprise Linux](https://fedoraproject.org/wiki/EPEL)
* [Phusion Passenger](http://passenger.stealthymonkeys.com)

Configuration of these repositories is beyond the scope of this module and is
left to the user.

# Attribution

The Passenger tuning parameters for the `apache::mod::passenger` Puppet class
were modified by Aaron Hicks (hicksa@landcareresearch.co.nz) for work on the
NeSI Project and the Tuakiri New Zealand Access Federation as a fork from the
PuppetLabs Apache module on GitHub.

* https://github.com/puppetlabs/puppetlabs-apache
* https://github.com/nesi/puppetlabs-apache
* http://www.nesi.org.nz//
* https://tuakiri.ac.nz/confluence/display/Tuakiri/Home

# Copyright and License

Copyright (C) 2012 [Puppet Labs](https://www.puppetlabs.com/) Inc

Puppet Labs can be contacted at: info@puppetlabs.com

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

  http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.