Mercurial > repos > other > Puppet
changeset 262:241fbf45e6f3
Re-merge CentOS 7 vs 8 deviations
This was caused by the CentOS 8 machine having local changes and
being offline due to DNS config issues
author | IBBoard <dev@ibboard.co.uk> |
---|---|
date | Sun, 29 Dec 2019 11:00:05 -0500 |
parents | c3ecb1e58713 (diff) 0ebd8efeef04 (current diff) |
children | f99974dc0f1a |
files | manifests/templates.pp modules/website/manifests/init.pp |
diffstat | 299 files changed, 13984 insertions(+), 5976 deletions(-) [+] |
line wrap: on
line diff
--- a/common/RPM-GPG-KEY-ibboard Sun Dec 29 15:31:28 2019 +0000 +++ b/common/RPM-GPG-KEY-ibboard Sun Dec 29 11:00:05 2019 -0500 @@ -1,19 +1,21 @@ -----BEGIN PGP PUBLIC KEY BLOCK----- -Version: GnuPG v1.4.5 (GNU/Linux) +Version: GnuPG v2.0.15 (GNU/Linux) -mQGiBEp0lsYRBACQWUDWNIc7XtMjSNyVIfAg4lp36ojSblXMryBqpnMvBfYS0lE8 -QrOwIRZLCZgbsWgoSZXkGotHpq7vgUQc3lKiHcKb3UZeKFdvsifAx9Ilm8ro+zzJ -q30X7+WcIZaFaRe1WnKBN1Pppu+ZIS/XuJWmKPvDa0dxtazVakxCCvrWiwCgz4UA -GHujB//jtS0QmpVrUC1nW3sD+wQqasXmCzAFNzYp7E0Sjq2JRM8grH+pZH9qv8xc -F6cj12sSaCkxotU4MkevKDNXOUJAQ8H4y89oce5c//lkMZnlMob04AwQancNH1Mh -UL2DuQ2Qjre45352qFC7U2ruM3OfC2IVnCaSWBMaDXMrubvtAoGnBW0afZ19Kwe1 -dHbSA/0VF75L8lS1EE8kAzl4nULCGVW2Ej+Wf3jWUUiApNejMLfoXFgbp3qLoeZQ -bVtbtXXZd7KOiJwtvBuhkvRKL0mS/4lwNu/GxEXr2KG2qlyThBVLpLffnbBSWj7c -qJ5qly5+8ygXmxY5nAbW4uERQWrLRJeZe90DgdoqLiHng8GmJ7Q6aG9tZTpJQkJv -YXJkIE9CUyBQcm9qZWN0IDxob21lOklCQm9hcmRAYnVpbGQub3BlbnN1c2Uub3Jn -PohmBBMRAgAmBQJb4dNjAhsDBQkVi+ydBgsJCAcDAgQVAggDBBYCAwECHgECF4AA -CgkQx4YMTixsHgkX9gCgvPkrw9a54cXaH4/qAmbquCYwFd8AnjHOWzdxKeTXhafv -8MBx1Q7t7jZAiEYEExECAAYFAkp0lsYACgkQOzARt2udZSNq0QCgjzvwc5K1Ui4K -+0kcTNrpN9gwcfEAn1pnMKBLzmyNIK3hbnUaZpHVsMZ/ -=PR4U +mQENBF2Xk6sBCAChqNQYg52cTivBelaTpta0tgUBlhwKi0+onUVqf/9pOx8TKjcT +4tSKmWJNoCoji6O4c/pjNGxElY2KNY0nQ3bNf8fJffSpjaYlzzp2OqwgUvkEFkcD +H8LYgZVLmJokdj/fG/cSf8kZn4dU/PxUwzhGA5sJiMzBbBxpoZS1ZMZuqIQY3m4q +2/XaPIgCi/v4VAe5Lu3DGo0u9vvLEYF73kVigNdc9desBn23CKDcmapbhyPLffd/ +K2VTKFOaYKkGizesFyICLakr5kr01OFmzDaxQs4DzcXVN5hAdvqvwmMZRUifbAhq +neB/+YYmW6bJe9dWupEz6hcdMeKWd6DqA9lDABEBAAG0OmhvbWU6SUJCb2FyZCBP +QlMgUHJvamVjdCA8aG9tZTpJQkJvYXJkQGJ1aWxkLm9wZW5zdXNlLm9yZz6JAT4E +EwEIACgFAl2Xk6sCGwMFCQQesAAGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJ +EKelW4Rdz8vi46kIAIMqdogQatoo03mQwgdrXzlj6nFuPtU2YipXK2dpwzrlmgpJ +tdeW0O/wweEl1ec4lyIeIXSdOSJg09IIlS9X4QEHHUjop3eDca2q4noyaf0dwpsQ +ijlDC6gcJc+oKiAe0b+DyEgbZYQwJDuWxdJ/3RtQjUcVW7/2FIWtal6SvktdKEiF +tJid2nIUAGO5+wI0yzExdcPbEvZkPji2/pcJX+S0GRW8A3CX7uX5hVeh/m6j91ox +55dQqiyrRK13Lt9w3E5aRZRlWOAoM5je9CEIw6bC2xmLzG3S42QxFDwPAGJRThfM +4/9wGNdUpN6KSdV4KkR/JMO+BxJUMewL1+d1FSGIRgQTEQIABgUCXZeTqwAKCRA7 +MBG3a51lI2PpAKCBnhZWIJwbPg2nj73mRJkj4tF3IACgswBiGTBqX+6IXp4XfHe8 +v32GePw= +=M01l -----END PGP PUBLIC KEY BLOCK-----
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/common/named.conf-ibbvps Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,63 @@ +// +// named.conf +// +// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS +// server as a caching only nameserver (as a localhost DNS resolver only). +// +// See /usr/share/doc/bind*/sample/ for example named configuration files. +// + +options { + listen-on port 53 { 127.0.0.1; }; + listen-on-v6 port 53 { ::1; }; + directory "/var/named"; + dump-file "/var/named/data/cache_dump.db"; + statistics-file "/var/named/data/named_stats.txt"; + memstatistics-file "/var/named/data/named_mem_stats.txt"; + allow-query { localhost; }; + + /* + - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion. + - If you are building a RECURSIVE (caching) DNS server, you need to enable + recursion. + - If your recursive DNS server has a public IP address, you MUST enable access + control to limit queries to your legitimate users. Failing to do so will + cause your server to become part of large scale DNS amplification + attacks. Implementing BCP38 within your network would greatly + reduce such attack surface + */ + recursion yes; + max-cache-size 10m; + + forwarders { + 2a00:1098:0:80:1000:3b:0:1; + 2a00:1098:0:82:1000:3b:0:1; + }; + + dnssec-enable yes; + dnssec-validation yes; + + /* Path to ISC DLV key */ + bindkeys-file "/etc/named.iscdlv.key"; + + managed-keys-directory "/var/named/dynamic"; + + pid-file "/run/named/named.pid"; + session-keyfile "/run/named/session.key"; +}; + +logging { + channel default_debug { + file "data/named.run"; + severity dynamic; + }; +}; + +zone "." IN { + type hint; + file "named.ca"; +}; + +include "/etc/named.rfc1912.zones"; +include "/etc/named.root.key"; +
--- a/common/named.conf-ibbvps.vs.mythic-beasts.com Sun Dec 29 15:31:28 2019 +0000 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,63 +0,0 @@ -// -// named.conf -// -// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS -// server as a caching only nameserver (as a localhost DNS resolver only). -// -// See /usr/share/doc/bind*/sample/ for example named configuration files. -// - -options { - listen-on port 53 { 127.0.0.1; }; - listen-on-v6 port 53 { ::1; }; - directory "/var/named"; - dump-file "/var/named/data/cache_dump.db"; - statistics-file "/var/named/data/named_stats.txt"; - memstatistics-file "/var/named/data/named_mem_stats.txt"; - allow-query { localhost; }; - - /* - - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion. - - If you are building a RECURSIVE (caching) DNS server, you need to enable - recursion. - - If your recursive DNS server has a public IP address, you MUST enable access - control to limit queries to your legitimate users. Failing to do so will - cause your server to become part of large scale DNS amplification - attacks. Implementing BCP38 within your network would greatly - reduce such attack surface - */ - recursion yes; - max-cache-size 10m; - - forwarders { - 2a00:1098:0:80:1000:3b:0:1 - 2a00:1098:0:82:1000:3b:0:1 - }; - - dnssec-enable yes; - dnssec-validation yes; - - /* Path to ISC DLV key */ - bindkeys-file "/etc/named.iscdlv.key"; - - managed-keys-directory "/var/named/dynamic"; - - pid-file "/run/named/named.pid"; - session-keyfile "/run/named/session.key"; -}; - -logging { - channel default_debug { - file "data/named.run"; - severity dynamic; - }; -}; - -zone "." IN { - type hint; - file "named.ca"; -}; - -include "/etc/named.rfc1912.zones"; -include "/etc/named.root.key"; -
--- a/manifests/templates.pp Sun Dec 29 15:31:28 2019 +0000 +++ b/manifests/templates.pp Sun Dec 29 11:00:05 2019 -0500 @@ -1,5 +1,5 @@ # Make sure packages come after their repos -YumRepo<| |> -> Package<| |> +File<| tag == 'repo-config' |> -> YumRepo<| |> -> Package<| |> # Make sure all files are in place before starting services File<| tag != 'post-service' |> -> Service<| |> @@ -209,21 +209,20 @@ } file { "/etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-$osver": ensure => present, - source => "puppet:///common/RPM-GPG-KEY-EPEL-$osver" + source => "puppet:///common/RPM-GPG-KEY-EPEL-$osver", + tag => 'repo-config', } - if $operatingsystem == 'CentOS' and versioncmp($operatingsystemrelease, '7') >= 0 and versioncmp($operatingsystemrelease, '8') < 0 { - # We only have extra packages for CentOS 7 - yumrepo { 'ibboard': - baseurl => 'https://download.opensuse.org/repositories/home:/IBBoard:/server/CentOS_$releasever/', - descr => 'Extra packages from IBBoard', - enabled => 1, - gpgcheck => 1, - gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-ibboard', - } - file { '/etc/pki/rpm-gpg/RPM-GPG-KEY-ibboard': - ensure => present, - source => 'puppet:///common/RPM-GPG-KEY-ibboard' - } + yumrepo { 'ibboard': + baseurl => 'https://download.opensuse.org/repositories/home:/IBBoard:/server/CentOS_$releasever/', + descr => 'Extra packages from IBBoard', + enabled => 1, + gpgcheck => 1, + gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-ibboard', + } + file { '/etc/pki/rpm-gpg/RPM-GPG-KEY-ibboard': + ensure => present, + source => 'puppet:///common/RPM-GPG-KEY-ibboard', + tag => 'repo-config', } yumrepo { 'webtatic': ensure => absent, @@ -479,8 +478,19 @@ $mysqlpackage = 'mariadb' $mysqlsuffix = '' + # Required for SELinux rule setting/status checks + if versioncmp($operatingsystemrelease, '8') >= 0 { + $semanage_package_name = 'policycoreutils-python-utils' + } else { + $semanage_package_name = 'policycoreutils-python' + } + + package { 'policycoreutils-python': + name => $semanage_package_name, + ensure => present, + } + $extra_packages = [ - 'policycoreutils-python', # Required for SELinux 'subversion-python', #Required for Trac 'perl-Sys-Syslog', #Required for Perl SPF checking ] @@ -533,10 +543,6 @@ 'authn_core':; } } - $apache_packages = [ 'mod_xsendfile' ] - package { $apache_packages: - ensure => present; - } #Configure our sites, using templates for the custom fragments where the extra content is too long include adminsite @@ -642,9 +648,19 @@ } } class devsite { + if versioncmp($operatingsystemrelease, '8') >= 0 { + # Apache::Mod doesn't map this correctly for CentOS 8 yet + $mod_wsgi_package = 'python3-mod_wsgi' + $mod_wsgi_lib = 'mod_wsgi_python3.so' + } else { + $mod_wsgi_package = 'mod_wsgi' + $mod_wsgi_lib = undef + } apache::mod { # mod_wsgi for Python support - 'wsgi':; + 'wsgi': + package => $mod_wsgi_package, + lib => $mod_wsgi_lib, } include python::venv
--- a/modules/apache/CHANGELOG.md Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/CHANGELOG.md Sun Dec 29 11:00:05 2019 -0500 @@ -1,9 +1,387 @@ -##2015-02-17 - Supported Release 1.3.0 +## Supported Release 1.11.1 +#### Summary +This is a security patch release (CVE-2017-2299) + +#### Changed +- $ssl_certs_dir default to `undef` for all platorms +- $ssl_verify_client must now be set to use any of the following: `$ssl_certs_dir`, `$ssl_ca`, `$ssl_crl_path`, `$ssl_crl`, `$ssl_verify_depth`, `$ssl_crl_check` + +#### Fixed +- **Issue where the $ssl_certs_dir default set Apache to implicitly trust all client certificates that were issued by any CA in that directory** ([MODULES-5471](https://tickets.puppet.com/browse/MODULES-5471)) + +## Supported Release 1.11.0 +#### Summary +This release adds SLES12 Support and many more features and bugfixes. + +#### Features +- (MODULES-4049) Adds SLES 12 Support +- Adds additional directories options for LDAP Auth + - `auth_ldap_url` + - `auth_ldap_bind_dn` + - `auth_ldap_bind_password` + - `auth_ldap_group_attribute` + - `auth_ldap_group_attribute_is_dn` +- Allows `mod_event` parameters to be unset +- Allows management of default root directory access rights +- Adds class `apache::vhosts` to create apache::vhost resources +- Adds class `apache::mod::proxy_wstunnel` +- Adds class `apache::mod::dumpio` +- Adds class `apache::mod::socache_shmcb` +- Adds class `apache::mod::authn_dbd` +- Adds support for apache 2.4 on Amazon Linux +- Support the newer `mod_auth_cas` config options +- Adds `wsgi_script_aliases_match` parameter to `apache::vhost` +- Allow to override all SecDefaultAction attributes +- Add audit_log_relevant_status parameter to apache::mod::security +- Allow absolute path to $apache::mod::security::activated_rules +- Allow setting SecAuditLog +- Adds `passenger_max_instances_per_app` to `mod::passenger` +- Allow the proxy_via setting to be configured +- Allow no_proxy_uris to be used within proxy_pass +- Add rpaf.conf template parameter to `mod::rpaf` +- Allow user to specify alternative package and library names for shibboleth module +- Allows configuration of shibboleth lib path +- Adds parameter `passenger_data_buffer_dir` to `mod::passenger` +- Adds SSL stapling +- Allows use of `balance_manager` with `mod_proxy_balancer` +- Raises lower bound of `stdlib` dependency to version 4.2 +- Adds support for Passenger repo on Amazon Linux +- Add ability to set SSLStaplingReturnResponderErrors on server level +- (MODULES-4213) Allow global rewrite rules inheritance in vhosts +- Moves `mod_env` to its own class and load it when required + +#### Bugfixes +- Deny access to .ht and .hg, which are created by mercurial hg. +- Instead of failing, include apache::mod::prefork in manifests/mod/itk.pp instead. +- Only set SSLCompression when it is set to true. +- Remove duplicate shib2 hash element +- (MODULES-3388) Include mpm_module classes instead of class declaration +- Updates `apache::balancer` to respect `apache::confd_dir` +- Wrap mod_security directives in an IfModule +- Fixes to various mods for Ubuntu Xenial +- Fix /etc/modsecurity perms to match package +- Fix PassengerRoot under Debian stretch +- (MODULES-3476) Updates regex in apache_version custom fact to work with EL5 +- Dont sql_injection_attacks.data +- Add force option to confd file resource to purge directory without warnings +- Patch httpoxy through mod_security +- Fixes config ordering of IncludeOptional +- Fixes bug where port numbers were unquoted +- Fixes bug where empty servername for vhost were written to template +- Auto-load `slotmem_shm` and `lbmethod_byrequests` with `proxy_balancer` on 2.4 +- Simplify MPM setup on FreeBSD +- Adds requirement for httpd package +- Do not set ssl_certs_dir on FreeBSD +- Fixes bug that produces a duplicate `Listen 443` after a package update on EL7 +- Fixes bug where custom facts break structured facts +- Avoid relative classname inclusion +- Fixes a failure in `vhost` if the first element of `$rewrites` is not a hash +- (MODULES-3744) Process $crs_package before $modsec_dir +- (MODULES-1491) Adds `::apache` include to mods that need it + +## Supported Release 1.10.0 +#### Summary +This release fixes backwards compatibility bugs introduced in 1.9.0. Also includes a new mod class and a new vhost feature. + +#### Features +- Allow setting KeepAlive related options per vhost + - `apache::vhost::keepalive` + - `apache::vhost::keepalive_timeout` + - `apache::vhost::max_keepalive_requests` +- Adds new class `apache::mod::cluster` + +#### Bugfixes +- MODULES-2890: Allow php_version != 5 +- MODULES-2890: mod::php: Explicit test on jessie +- MODULES-2890: Fix PHP on Debian stretch and Ubuntu Xenial +- MODULES-2890: Fix mod_php SetHandler and cleanup +- Fixed trailing slash in lib_path on Suse +- Revert "MODULES-2956: Enable options within location block on proxy_match". Bug introduced in release 1.9.0. +- Revert "changed rpaf Configuration Directives: RPAF -> RPAF_". Bug introduced in release 1.9.0. +- Set actual path to apachectl on FreeBSD. Fixes snippets verification. + +## Supported Release 1.9.0 [DELETED] +#### Features +- Added `apache_version` fact +- Added `apache::balancer::target` attribute +- Added `apache::fastcgi::server::pass_header` attribute +- Added ability for `apache::fastcgi::server::host` using sockets +- Added `apache::root_directory_options` attribute +- Added for `apache::mod::ldap`: + - `ldap_shared_cache_size` + - `ldap_cache_entries` + - `ldap_cache_ttl` + - `ldap_opcache_entries` + - `ldap_opcache_ttl` +- Added `apache::mod::pagespeed::package_ensure` attribute +- Added `apache::mod::passenger` attributes: + - `passenger_log_level` + - `manage_repo` +- Added upstream repo for `apache::mod::passenger` +- Added `apache::mod::proxy_fcgi` class +- Added `apache::mod::security` attributes: + - `audit_log_parts` + - `secpcrematchlimit` + - `secpcrematchlimitrecursion` + - `secdefaultaction` + - `anomaly_score_blocking` + - `inbound_anomaly_threshold` + - `outbound_anomaly_threshold` +- Added `apache::mod::ssl` attributes: + - `ssl_mutex` + - `apache_version` +- Added ubuntu 16.04 support +- Added `apache::mod::authnz_ldap::package_name` attribute +- Added `apache::mod::ldap::package_name` attribute +- Added `apache::mod::proxy::package_name` attribute +- Added `apache::vhost` attributes: + - `ssl_proxy_check_peen_expire` + - `ssl_proxy_protocol` + - `logroot_owner` + - `logroot_group` + - `setenvifnocase` + - `passenger_user` + - `passenger_high_performance` + - `jk_mounts` + - `fastcgi_idle_timeout` + - `modsec_disable_msgs` + - `modsec_disable_tags` +- Added ability for 2.4-style `RequireAll|RequireNone|RequireAny` directory permissions +- Added ability for includes in vhost directory +- Added directory values: + - `AuthMerging` + - `MellonSPMetadataFile` +- Adds Configurability of Collaborative Detection Severity Levels for OWASP Core Rule Set to `apache::mod::security` class + - `critical_anomaly_score` + - `error_anomaly_score` + - `warning_anomaly_score` + - `notice_anomaly_score` +- Adds ability to configure `info_path` in `apache::mod::info` class +- Adds ability to configure `verify_config` in `apache::vhost::custom` + +#### Bugfixes +- Fixed apache mod setup for event/worker failing syntax +- Fixed concat deprecation warnings +- Fixed pagespeed mod +- Fixed service restart on mod update +- Fixed mod dir purging to happen after package installs +- Fixed various `apache::mod::*` file modes +- Fixed `apache::mod::authnz_ldap` parameter `verifyServerCert` to be `verify_server_cert` +- Fixed loadfile name in `apache::mod::fcgid` +- Fixed `apache::mod::remoteip` to fail on apache < 2.4 (because it is not available) +- Fixed `apache::mod::ssl::ssl_honorcipherorder` interpolation +- Lint fixes +- Strict variable fixes +- Fixed `apache::vhost` attribute `redirectmatch_status` to be optional +- Fixed SSLv3 on by default in mod\_nss +- Fixed mod\_rpaf directive names in template +- Fixed mod\_worker needing MaxClients with ThreadLimit +- Fixed quoting on vhost php\_value +- Fixed xml2enc for proxy\_html on debian +- Fixed a problem where the apache service restarts too fast + +## Supported Release 1.8.1 +### Summary +This release includes bug fixes and a documentation update. + +#### Bugfixes +- Fixes a bug that occurs when using the module in combination with puppetlabs-concat 2.x. +- Fixes a bug where passenger.conf was vulnerable to purging. +- Removes the pin of the concat module dependency. + +## 2016-01-26 - Supported Release 1.8.0 +### Summary +This release includes a lot of bug fixes and feature updates, including support for Debian 8, as well as many test improvements. + +#### Features +- Debian 8 Support. +- Added the 'file_mode' property to allow a custom permission setting for config files. +- Enable 'PassengerMaxRequestQueueSize' to be set for mod_passenger. +- MODULES-2956: Enable options within location block on proxy_match. +- Support itk on redhat. +- Support the mod_ssl SSLProxyVerify directive. +- Support ProxPassReverseCookieDomain directive (mod_proxy). +- Support proxy provider for vhost directories. +- Added new 'apache::vhost::custom' resource. + +#### Bugfixes +- Fixed ProxyPassReverse configuration. +- Fixed error in Amazon operatingsystem detection. +- Fixed mod_security catalog ordering issues for RedHat 7. +- Fixed paths and packages for the shib2 apache module on Debian pre Jessie. +- Fixed EL7 directory path for apache modules. +- Fixed validation error when empty array is passed for the rewrites parameter. +- Idempotency fixes with regards to '::apache::mod_enable_dir'. +- ITK fixes. +- (MODULES-2865) fix $mpm_module logic for 'false'. +- Set SSLProxy directives even if ssl is false, due to issue with RewriteRules and ProxyPass directives. +- Enable setting LimitRequestFieldSize globally, and remove it from vhost. + +#### Improvements +- apache::mod::php now uses FilesMatch to configure the php handler. This is following the recommended upstream configuration guidelines (http://php.net/manual/en/install.unix.apache2.php#example-20) and distribution's default config (e.g.: http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/vivid/php5/vivid/view/head:/debian/php5.conf). It avoids inadvertently exposing the PHP handler to executing uploads with names like 'file.php.jpg', but might impact setups with unusual requirements. +- Improved compatibility for Gentoo. +- Vhosts can now be supplied with a wildcard listen value. +- Numerous test improvements. +- Removed workarounds for https://bz.apache.org/bugzilla/show_bug.cgi?id=38864 as the issues have been fixed in Apache. +- Documentation updates. +- Ensureed order of ProxyPass and ProxyPassMatch parameters. +- Ensure that ProxyPreserveHost is set to off mode explicitly if not set in manifest. +- Put headers and request headers before proxy with regards to template generation. +- Added X-Forwarded-For into log_formats defaults. +- (MODULES-2703) Allow mod pagespeed to take an array of lines as additional_configuration. + +## Supported Release 1.7.1 ###Summary +Small release for support of newer PE versions. This increments the version of PE in the metadata.json file. + +## 2015-11-17 - Supported Release 1.7.0 +### Summary +This release includes many new features and bugfixes. There are test, documentation and misc improvements. + +#### Features +- allow groups with - like vhost-users +- ability to enable/disable the secruleengine through a parameter +- add mod_auth_kerb parameters to vhost +- client auth for reverse proxy +- support for mod_auth_mellon +- change SSLProtocol in apache::vhost to be space separated +- RewriteLock support + +#### Bugfixes +- fix apache::mod::cgid so it can be used with the event MPM +- load unixd before fcgid on all operating systems +- fixes conditional in vhost aliases +- corrects mod_cgid worker/event defaults +- ProxyPassMatch parameters were ending up on a newline +- catch that mod_authz_default has been removed in Apache 2.4 +- mod::ssl fails on SLES +- fix typo of MPM_PREFORK for FreeBSD package install +- install all modules before adding custom configs +- fix acceptance testing for SSLProtocol behaviour for real +- fix ordering issue with conf_file and ports_file + +#### Known Issues +- mod_passenger is having issues installing on Redhat/Centos 6, This is due to package dependency issues. + +#### Improvements +- added docs for forcetype directive +- removes ruby 1.8.7 from the travisci test matrix +- readme reorganisation, minor fixups +- support the mod_proxy ProxyPassReverseCookiePath directive +- the purge_vhost_configs parameter is actually called purge_vhost_dir +- add ListenBacklog for mod worker +- deflate application/json by default +- install mod_authn_alias as default mod in debian for apache < 2.4 +- optionally set LimitRequestFieldSize on an apache::vhost +- add SecUploadDir parameter to support file uploads with mod_security +- optionally set parameters for mod_ext_filter module +- allow SetOutputFilter to be set on a directory +- RC4 is deprecated +- allow empty docroot +- add option to configure the include pattern for the vhost_enable dir +- allow multiple IP addresses per vhost +- default document root update for Ubuntu 14.04 and Debian 8 + +## 2015-07-28 - Supported Release 1.6.0 +### Summary +This release includes a couple of new features, along with test and documentation updates, and support for the latest AIO puppet builds. + +#### Features +- Add `scan_proxy_header_field` parameter to `apache::mod::geoip` +- Add `ssl_openssl_conf_cmd` parameter to `apache::vhost` and `apache::mod::ssl` +- Add `filters` parameter to `apache::vhost` + +#### Bugfixes +- Test updates +- Do not use systemd on Amazon Linux +- Add missing docs for `timeout` parameter (MODULES-2148) + +## 2015-06-11 - Supported Release 1.5.0 +### Summary +This release primarily adds Suse compatibility. It also adds a handful of other +parameters for greater configuration control. + +#### Features +- Add `apache::lib_path` parameter +- Add `apache::service_restart` parameter +- Add `apache::vhost::geoip_enable` parameter +- Add `apache::mod::geoip` class +- Add `apache::mod::remoteip` class +- Add parameters to `apache::mod::expires` class +- Add `index_style_sheet` handling to `apache::vhost::directories` +- Add some compatibility for SLES 11 +- Add `apache::mod::ssl::ssl_sessioncachetimeout` parameter +- Add `apache::mod::ssl::ssl_cryptodevice` parameter +- Add `apache::mod::ssl::ssl_honorcipherorder` parameter +- Add `apache::mod::userdir::options` parameter + +#### Bugfixes +- Document `apache::user` parameter +- Document `apache::group` parameter +- Fix apache::dev on FreeBSD +- Fix proxy\_connect on apache >= 2.2 +- Validate log levels better +- Fix `apache::apache_name` for package and vhost +- Fix Debian Jessie mod\_prefork package name +- Fix alias module being declared even when vhost is absent +- Fix proxy\_pass\_match handling in vhost's proxy template +- Fix userdir access permissions +- Fix issue where the module was trying to use systemd on Amazon Linux. + +## 2015-04-28 - Supported Release 1.4.1 + +This release corrects a metadata issue that has been present since release 1.2.0. The refactoring of `apache::vhost` to use `puppetlabs-concat` requires a version of concat newer than the version required in PE. If you are using PE 3.3.0 or earlier you will need to use version 1.1.1 or earlier of the `puppetlabs-apache` module. + +## 2015-03-17 - Supported Release 1.4.0 +###Summary + +This release fixes the issue where the docroot was still managed even if the default vhosts were disabled and has many other features and bugfixes including improved support for 'deny' and 'require' as arrays in the 'directories' parameter under `apache::vhost` + +#### Features +- New parameters to `apache` + - `default_charset` + - `default_type` +- New parameters to `apache::vhost` + - `proxy_error_override` + - `passenger_app_env` (MODULES-1776) + - `proxy_dest_match` + - `proxy_dest_reverse_match` + - `proxy_pass_match` + - `no_proxy_uris_match` +- New parameters to `apache::mod::passenger` + - `passenger_app_env` + - `passenger_min_instances` +- New parameter to `apache::mod::alias` + - `icons_options` +- New classes added under `apache::mod::*` + - `authn_file` + - `authz_default` + - `authz_user` +- Added support for 'deny' as an array in 'directories' under `apache::vhost` +- Added support for RewriteMap +- Improved support for FreeBSD. (Note: If using apache < 2.4.12, see the discussion [here](https://github.com/puppetlabs/puppetlabs-apache/pull/1030)) +- Added check for deprecated options in directories and fail when they are unsupported +- Added gentoo compatibility +- Added proper array support for `require` in the `directories` parameter in `apache::vhost` +- Added support for `setenv` inside proxy locations + +### Bugfixes +- Fix issue in `apache::vhost` that was preventing the scriptalias fragment from being included (MODULES-1784) +- Install required `mod_ldap` package for EL7 (MODULES-1779) +- Change default value of `maxrequestworkers` in `apache::mod::event` to be a multiple of the default `ThreadsPerChild` of 25. +- Use the correct `mod_prefork` package name for trusty and jessie +- Don't manage docroot when default vhosts are disabled +- Ensure resources notify `Class['Apache::Service']` instead of `Service['httpd']` (MODULES-1829) +- Change the loadfile name for `mod_passenger` so `mod_proxy` will load by default before `mod_passenger` +- Remove old Debian work-around that removed `passenger_extra.conf` + +## 2015-02-17 - Supported Release 1.3.0 +### Summary + This release has many new features and bugfixes, including the ability to optionally not trigger service restarts on config changes. -####Features +#### Features - New parameters - `apache` - `service_manage` - `use_optional_includes` @@ -21,13 +399,13 @@ - Add ability to omit priority prefix if `$priority` is set to false - Add `apache::security::rule_link` define - Improvements to `apache::mod::*` - - Add `apache::mod::auth_cass` class + - Add `apache::mod::auth_cas` class - Add `threadlimit`, `listenbacklog`, `maxrequestworkers`, `maxconnectionsperchild` parameters to `apache::mod::event` - Add `apache::mod::filter` class - Add `root_group` to `apache::mod::php` - Add `apache::mod::proxy_connect` class - Add `apache::mod::security` class - - Add `ssl_pass_phrase_dialog` and `ssl_random_seed_bytes parameters to `apache::mod::ssl` (MODULES-1719) + - Add `ssl_pass_phrase_dialog` and `ssl_random_seed_bytes` parameters to `apache::mod::ssl` (MODULES-1719) - Add `status_path` parameter to `apache::mod::status` - Add `apache_version` parameter to `apache::mod::version` - Add `package_name` and `mod_path` parameters to `apache::mod::wsgi` (MODULES-1458) @@ -38,7 +416,7 @@ - Add passenger support for Debian Jessie - Add support for not having puppet restart the apache service (MODULES-1559) -####Bugfixes +#### Bugfixes - For apache 2.4 `mod_itk` requires `mod_prefork` (MODULES-825) - Allow SSLCACertificatePath to be unset in `apache::vhost` (MODULES-1457) - Load fcgid after unixd on RHEL7 @@ -57,12 +435,12 @@ - Fix indentation in `vhost/_directories.erb` template (MODULES-1688) - Create symlinks on all distros if `vhost_enable_dir` is specified -##2014-09-30 - Supported Release 1.2.0 -###Summary +## 2014-09-30 - Supported Release 1.2.0 +### Summary This release features many improvements and bugfixes, including several new defines, a reworking of apache::vhost for more extensibility, and many new parameters for more customization. This release also includes improved support for strict variables and the future parser. -####Features +#### Features - Convert apache::vhost to use concat for easier extensions - Test improvements - Synchronize files with modulesync @@ -125,7 +503,7 @@ - Add apache_version parameter to apache::mod::userdir - Add apache::mod::version class -####Bugfixes +#### Bugfixes - Set osfamily defaults for wsgi_socket_prefix - Support multiple balancermembers with the same url - Validate apache::vhost::custom_fragment @@ -156,25 +534,25 @@ - Fix RedirectMatch rules - Fix misleading error message in apache::version -####Known Bugs +#### Known Bugs * By default, the version of Apache that ships with Ubuntu 10.04 does not work with `wsgi_import_script`. * SLES is unsupported. -##2014-07-15 - Supported Release 1.1.1 -###Summary +## 2014-07-15 - Supported Release 1.1.1 +### Summary This release merely updates metadata.json so the module can be uninstalled and upgraded via the puppet module command. ## 2014-04-14 Supported Release 1.1.0 -###Summary +### Summary This release primarily focuses on extending the httpd 2.4 support, tested through adding RHEL7 and Ubuntu 14.04 support. It also includes Passenger 4 support, as well as several new modules and important bugfixes. -####Features +#### Features - Add support for RHEL7 and Ubuntu 14.04 - More complete apache24 support @@ -189,7 +567,7 @@ - Add support for custom extensions for mod_php - Improve proxy_html support for Debian -####Bugfixes +#### Bugfixes - Remove NameVirtualHost directive for apache >= 2.4 - Order proxy_set option so it doesn't change between runs @@ -197,42 +575,42 @@ - Fix missing ensure on concat::fragment resources - Fix bad dependencies in apache::mod and apache::mod::mime -####Known Bugs +#### Known Bugs * By default, the version of Apache that ships with Ubuntu 10.04 does not work with `wsgi_import_script`. * SLES is unsupported. ## 2014-03-04 Supported Release 1.0.1 -###Summary +### Summary This is a supported release. This release removes a testing symlink that can cause trouble on systems where /var is on a seperate filesystem from the modulepath. -####Features -####Bugfixes -####Known Bugs +#### Features +#### Bugfixes +#### Known Bugs * By default, the version of Apache that ships with Ubuntu 10.04 does not work with `wsgi_import_script`. * SLES is unsupported. ## 2014-03-04 Supported Release 1.0.0 -###Summary +### Summary This is a supported release. This release introduces Apache 2.4 support for Debian and RHEL based osfamilies. -####Features +#### Features - Add apache24 support - Add rewrite_base functionality to rewrites - Updated README documentation - Add WSGIApplicationGroup and WSGIImportScript directives -####Bugfixes +#### Bugfixes - Replace mutating hashes with merge() for Puppet 3.5 - Fix WSGI import_script and mod_ssl issues on Lucid -####Known Bugs +#### Known Bugs * By default, the version of Apache that ships with Ubuntu 10.04 does not work with `wsgi_import_script`. * SLES is unsupported. @@ -414,7 +792,7 @@ - Fix formatting in vhost template - Fix spec tests such that they pass -##2012-05-08 Puppet Labs <info@puppetlabs.com> - 0.0.4 +## 2012-05-08 Puppet Labs <info@puppetlabs.com> - 0.0.4 * e62e362 Fix broken tests for ssl, vhost, vhost::* * 42c6363 Changes to match style guide and pass puppet-lint without error * 42bc8ba changed name => path for file resources in order to name namevar by it's name
--- a/modules/apache/CONTRIBUTING.md Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/CONTRIBUTING.md Sun Dec 29 11:00:05 2019 -0500 @@ -159,7 +159,7 @@ With all dependencies in place and up-to-date we can now run the tests: ```shell -% rake spec +% bundle exec rake spec ``` This will execute all the [rspec tests](http://rspec-puppet.com/) tests @@ -178,8 +178,8 @@ You can run them by issuing the following command ```shell -% rake spec_clean -% rspec spec/acceptance +% bundle exec rake spec_clean +% bundle exec rspec spec/acceptance ``` This will now download a pre-fabricated image configured in the [default node-set](./spec/acceptance/nodesets/default.yml), @@ -208,11 +208,9 @@ Additional Resources ==================== -* [Getting additional help](http://puppetlabs.com/community/get-help) +* [Getting additional help](http://puppet.com/community/get-help) -* [Writing tests](http://projects.puppetlabs.com/projects/puppet/wiki/Development_Writing_Tests) - -* [Patchwork](https://patchwork.puppetlabs.com) +* [Writing tests](https://docs.puppet.com/guides/module_guides/bgtm.html#step-three-module-testing) * [General GitHub documentation](http://help.github.com/)
--- a/modules/apache/Gemfile Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/Gemfile Sun Dec 29 11:00:05 2019 -0500 @@ -1,31 +1,90 @@ +#This file is generated by ModuleSync, do not edit. + source ENV['GEM_SOURCE'] || "https://rubygems.org" -group :development, :unit_tests do - gem 'rake', :require => false - gem 'rspec-core', '3.1.7', :require => false - gem 'rspec-puppet', '~> 1.0', :require => false - gem 'puppetlabs_spec_helper', :require => false - gem 'puppet-lint', :require => false - gem 'simplecov', :require => false - gem 'puppet_facts', :require => false - gem 'json', :require => false +# Determines what type of gem is requested based on place_or_version. +def gem_type(place_or_version) + if place_or_version =~ /^git:/ + :git + elsif place_or_version =~ /^file:/ + :file + else + :gem + end +end + +# Find a location or specific version for a gem. place_or_version can be a +# version, which is most often used. It can also be git, which is specified as +# `git://somewhere.git#branch`. You can also use a file source location, which +# is specified as `file://some/location/on/disk`. +def location_for(place_or_version, fake_version = nil) + if place_or_version =~ /^(git[:@][^#]*)#(.*)/ + [fake_version, { :git => $1, :branch => $2, :require => false }].compact + elsif place_or_version =~ /^file:\/\/(.*)/ + ['>= 0', { :path => File.expand_path($1), :require => false }] + else + [place_or_version, { :require => false }] + end +end + +# Used for gem conditionals +supports_windows = false + +group :development do + gem 'addressable', '< 2.4.0', :require => false + gem 'puppet-lint', :require => false + gem 'metadata-json-lint', '< 1.2.0', :require => false, :platforms => 'ruby' + gem 'puppet_facts', :require => false + gem 'puppet-blacksmith', '>= 3.4.0', :require => false, :platforms => 'ruby' + gem 'puppetlabs_spec_helper', '>= 1.2.1', :require => false + gem 'rspec-puppet', '>= 2.3.2', :require => false + gem 'rspec-puppet-facts', :require => false, :platforms => 'ruby' + gem 'mocha', '< 1.2.0', :require => false + gem 'simplecov', :require => false, :platforms => 'ruby' + gem 'parallel_tests', '< 2.10.0', :require => false if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new('2.0.0') + gem 'parallel_tests', :require => false if Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new('2.0.0') + gem 'rubocop', '0.41.2', :require => false if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new('2.0.0') + gem 'rubocop', :require => false if Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new('2.0.0') + gem 'rubocop-rspec', '~> 1.6', :require => false if Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new('2.3.0') + gem 'pry', :require => false + gem 'json_pure', '<= 2.0.1', :require => false if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new('2.0.0') + gem 'fast_gettext', '1.1.0', :require => false if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new('2.1.0') + gem 'fast_gettext', :require => false if Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new('2.1.0') end group :system_tests do - gem 'beaker-rspec', :require => false - gem 'serverspec', :require => false + gem 'specinfra', '2.66.0', :require => false + gem 'beaker', *location_for(ENV['BEAKER_VERSION'] || '~> 2.20') if supports_windows + gem 'beaker', *location_for(ENV['BEAKER_VERSION']) if Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new('2.3.0') and ! supports_windows + gem 'beaker', *location_for(ENV['BEAKER_VERSION'] || '< 3') if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new('2.3.0') and ! supports_windows + gem 'beaker-pe', :require => false if Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new('2.3.0') + gem 'beaker-rspec', *location_for(ENV['BEAKER_RSPEC_VERSION'] || '>= 3.4') if ! supports_windows + gem 'beaker-rspec', *location_for(ENV['BEAKER_RSPEC_VERSION'] || '~> 5.1') if supports_windows + gem 'beaker-puppet_install_helper', :require => false + gem 'master_manipulator', :require => false + gem 'beaker-hostgenerator', *location_for(ENV['BEAKER_HOSTGENERATOR_VERSION']) + gem 'beaker-abs', *location_for(ENV['BEAKER_ABS_VERSION'] || '~> 0.1') + gem 'nokogiri', '<= 1.6.8', :require => false end -if facterversion = ENV['FACTER_GEM_VERSION'] - gem 'facter', facterversion, :require => false -else - gem 'facter', :require => false +gem 'puppet', *location_for(ENV['PUPPET_GEM_VERSION']) + +# Only explicitly specify Facter/Hiera if a version has been specified. +# Otherwise it can lead to strange bundler behavior. If you are seeing weird +# gem resolution behavior, try setting `DEBUG_RESOLVER` environment variable +# to `1` and then run bundle install. +gem 'facter', *location_for(ENV['FACTER_GEM_VERSION']) if ENV['FACTER_GEM_VERSION'] +gem 'hiera', *location_for(ENV['HIERA_GEM_VERSION']) if ENV['HIERA_GEM_VERSION'] + + +# Evaluate Gemfile.local if it exists +if File.exists? "#{__FILE__}.local" + eval(File.read("#{__FILE__}.local"), binding) end -if puppetversion = ENV['PUPPET_GEM_VERSION'] - gem 'puppet', puppetversion, :require => false -else - gem 'puppet', :require => false +# Evaluate ~/.gemfile if it exists +if File.exists?(File.join(Dir.home, '.gemfile')) + eval(File.read(File.join(Dir.home, '.gemfile')), binding) end # vim:ft=ruby
--- a/modules/apache/LICENSE Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/LICENSE Sun Dec 29 11:00:05 2019 -0500 @@ -1,15 +1,202 @@ -Copyright (C) 2012 Puppet Labs Inc + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. -Puppet Labs can be contacted at: info@puppetlabs.com + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and - http://www.apache.org/licenses/LICENSE-2.0 + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License.
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/NOTICE Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,17 @@ +apache puppet module + +Copyright (C) 2012-2016 Puppet Labs, Inc. + +Puppet Labs can be contacted at: info@puppetlabs.com + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License.
--- a/modules/apache/README.md Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/README.md Sun Dec 29 11:00:05 2019 -0500 @@ -1,1034 +1,2222 @@ -#apache - -[![Build Status](https://travis-ci.org/puppetlabs/puppetlabs-apache.png?branch=master)](https://travis-ci.org/puppetlabs/puppetlabs-apache) - -####Table of Contents - -1. [Overview - What is the apache module?](#overview) -2. [Module Description - What does the module do?](#module-description) -3. [Setup - The basics of getting started with apache](#setup) - * [Beginning with apache - Installation](#beginning-with-apache) - * [Configure a virtual host - Basic options for getting started](#configure-a-virtual-host) -4. [Usage - The classes and defined types available for configuration](#usage) - * [Classes and Defined Types](#classes-and-defined-types) - * [Class: apache](#class-apache) - * [Defined Type: apache::custom_config](#defined-type-apachecustom_config) - * [Class: apache::default_mods](#class-apachedefault_mods) - * [Defined Type: apache::mod](#defined-type-apachemod) - * [Classes: apache::mod::*](#classes-apachemodname) - * [Class: apache::mod::event](#class-apachemodevent) - * [Class: apache::mod::info](#class-apachemodinfo) - * [Class: apache::mod::pagespeed](#class-apachemodpagespeed) - * [Class: apache::mod::php](#class-apachemodphp) - * [Class: apache::mod::ssl](#class-apachemodssl) - * [Class: apache::mod::status](#class-apachemodstatus) - * [Class: apache::mod::wsgi](#class-apachemodwsgi) - * [Class: apache::mod::fcgid](#class-apachemodfcgid) - * [Class: apache::mod::negotiation](#class-apachemodnegotiation) - * [Class: apache::mod::deflate](#class-apachemoddeflate) - * [Class: apache::mod::reqtimeout](#class-apachemodreqtimeout) - * [Class: apache::mod::security](#class-modsecurity) - * [Class: apache::mod::version](#class-apachemodversion) - * [Defined Type: apache::vhost](#defined-type-apachevhost) - * [Parameter: `directories` for apache::vhost](#parameter-directories-for-apachevhost) - * [SSL parameters for apache::vhost](#ssl-parameters-for-apachevhost) - * [Defined Type: apache::fastcgi::server](#defined-type-fastcgi-server) - * [Virtual Host Examples - Demonstrations of some configuration options](#virtual-host-examples) - * [Load Balancing](#load-balancing) - * [Defined Type: apache::balancer](#defined-type-apachebalancer) - * [Defined Type: apache::balancermember](#defined-type-apachebalancermember) - * [Examples - Load balancing with exported and non-exported resources](#examples) -5. [Reference - An under-the-hood peek at what the module is doing and how](#reference) - * [Classes](#classes) - * [Public Classes](#public-classes) - * [Private Classes](#private-classes) - * [Defined Types](#defined-types) - * [Public Defined Types](#public-defined-types) - * [Private Defined Types](#private-defined-types) - * [Templates](#templates) -6. [Limitations - OS compatibility, etc.](#limitations) -7. [Development - Guide for contributing to the module](#development) - * [Contributing to the apache module](#contributing) - * [Running tests - A quick guide](#running-tests) - -##Overview - -The apache module allows you to set up virtual hosts and manage web services with minimal effort. - -##Module Description - -Apache is a widely-used web server, and this module provides a simplified way of creating configurations to manage your infrastructure. This includes the ability to configure and manage a range of different virtual host setups, as well as a streamlined way to install and configure Apache modules. - -##Setup - -**What apache affects:** - -* configuration files and directories (created and written to) - * **WARNING**: Configurations that are *not* managed by Puppet will be purged. -* package/service/configuration files for Apache -* Apache modules -* virtual hosts -* listened-to ports -* `/etc/make.conf` on FreeBSD - -###Beginning with Apache - -To install Apache with the default parameters - -```puppet - class { 'apache': } +# apache + +[Module description]: #module-description + +[Setup]: #setup +[Beginning with Apache]: #beginning-with-apache + +[Usage]: #usage +[Configuring virtual hosts]: #configuring-virtual-hosts +[Configuring virtual hosts with SSL]: #configuring-virtual-hosts-with-ssl +[Configuring virtual host port and address bindings]: #configuring-virtual-host-port-and-address-bindings +[Configuring virtual hosts for apps and processors]: #configuring-virtual-hosts-for-apps-and-processors +[Configuring IP-based virtual hosts]: #configuring-ip-based-virtual-hosts +[Installing Apache modules]: #installing-apache-modules +[Installing arbitrary modules]: #installing-arbitrary-modules +[Installing specific modules]: #installing-specific-modules +[Configuring FastCGI servers]: #configuring-fastcgi-servers-to-handle-php-files +[Load balancing examples]: #load-balancing-examples + +[Reference]: #reference +[Public classes]: #public-classes +[Private classes]: #private-classes +[Public defined types]: #public-defined-types +[Private defined types]: #private-defined-types +[Templates]: #templates + +[Limitations]: #limitations + +[Development]: #development +[Contributing]: #contributing +[Running tests]: #running-tests + +[`AddDefaultCharset`]: https://httpd.apache.org/docs/current/mod/core.html#adddefaultcharset +[`add_listen`]: #add_listen +[`Alias`]: https://httpd.apache.org/docs/current/mod/mod_alias.html#alias +[`AliasMatch`]: https://httpd.apache.org/docs/current/mod/mod_alias.html#aliasmatch +[aliased servers]: https://httpd.apache.org/docs/current/urlmapping.html +[`AllowEncodedSlashes`]: https://httpd.apache.org/docs/current/mod/core.html#allowencodedslashes +[`apache`]: #class-apache +[`apache_version`]: #apache_version +[`apache::balancer`]: #defined-type-apachebalancer +[`apache::balancermember`]: #defined-type-apachebalancermember +[`apache::fastcgi::server`]: #defined-type-apachefastcgiserver +[`apache::mod`]: #defined-type-apachemod +[`apache::mod::<MODULE NAME>`]: #classes-apachemodmodule-name +[`apache::mod::alias`]: #class-apachemodalias +[`apache::mod::auth_cas`]: #class-apachemodauth_cas +[`apache::mod::auth_mellon`]: #class-apachemodauth_mellon +[`apache::mod::authn_dbd`]: #class-apachemodauthn_dbd +[`apache::mod::authnz_ldap`]: #class-apachemodauthnz_ldap +[`apache::mod::cluster`]: #class-apachemodcluster +[`apache::mod::disk_cache`]: #class-apachemoddisk_cache +[`apache::mod::dumpio`]: #class-apachemoddumpio +[`apache::mod::event`]: #class-apachemodevent +[`apache::mod::ext_filter`]: #class-apachemodext_filter +[`apache::mod::geoip`]: #class-apachemodgeoip +[`apache::mod::itk`]: #class-apachemoditk +[`apache::mod::ldap`]: #class-apachemodldap +[`apache::mod::passenger`]: #class-apachemodpassenger +[`apache::mod::peruser`]: #class-apachemodperuser +[`apache::mod::prefork`]: #class-apachemodprefork +[`apache::mod::proxy`]: #class-apachemodproxy +[`apache::mod::proxy_balancer`]: #class-apachemodproxybalancer +[`apache::mod::proxy_fcgi`]: #class-apachemodproxy_fcgi +[`apache::mod::proxy_html`]: #class-apachemodproxy_html +[`apache::mod::security`]: #class-apachemodsecurity +[`apache::mod::shib`]: #class-apachemodshib +[`apache::mod::ssl`]: #class-apachemodssl +[`apache::mod::status`]: #class-apachemodstatus +[`apache::mod::worker`]: #class-apachemodworker +[`apache::mod::wsgi`]: #class-apachemodwsgi +[`apache::params`]: #class-apacheparams +[`apache::version`]: #class-apacheversion +[`apache::vhost`]: #defined-type-apachevhost +[`apache::vhost::custom`]: #defined-type-apachevhostcustom +[`apache::vhost::WSGIImportScript`]: #wsgiimportscript +[Apache HTTP Server]: https://httpd.apache.org +[Apache modules]: https://httpd.apache.org/docs/current/mod/ +[array]: https://docs.puppetlabs.com/puppet/latest/reference/lang_data_array.html + +[audit log]: https://github.com/SpiderLabs/ModSecurity/wiki/ModSecurity-2-Data-Formats#audit-log + +[beaker-rspec]: https://github.com/puppetlabs/beaker-rspec + +[certificate revocation list]: https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcarevocationfile +[certificate revocation list path]: https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcarevocationpath +[common gateway interface]: https://httpd.apache.org/docs/current/howto/cgi.html +[`confd_dir`]: #confd_dir +[`content`]: #content +[custom error documents]: https://httpd.apache.org/docs/current/custom-error.html +[`custom_fragment`]: #custom_fragment + +[`default_mods`]: #default_mods +[`default_ssl_crl`]: #default_ssl_crl +[`default_ssl_crl_path`]: #default_ssl_crl_path +[`default_ssl_vhost`]: #default_ssl_vhost +[`dev_packages`]: #dev_packages +[`directory`]: #directory +[`directories`]: #parameter-directories-for-apachevhost +[`DirectoryIndex`]: https://httpd.apache.org/docs/current/mod/mod_dir.html#directoryindex +[`docroot`]: #docroot +[`docroot_owner`]: #docroot_owner +[`docroot_group`]: #docroot_group +[`DocumentRoot`]: https://httpd.apache.org/docs/current/mod/core.html#documentroot + +[`EnableSendfile`]: https://httpd.apache.org/docs/current/mod/core.html#enablesendfile +[enforcing mode]: http://selinuxproject.org/page/Guide/Mode +[`ensure`]: https://docs.puppetlabs.com/references/latest/type.html#package-attribute-ensure +[`error_log_file`]: #error_log_file +[`error_log_syslog`]: #error_log_syslog +[`error_log_pipe`]: #error_log_pipe +[`ExpiresByType`]: https://httpd.apache.org/docs/current/mod/mod_expires.html#expiresbytype +[exported resources]: http://docs.puppetlabs.com/latest/reference/lang_exported.md +[`ExtendedStatus`]: https://httpd.apache.org/docs/current/mod/core.html#extendedstatus + +[Facter]: http://docs.puppetlabs.com/facter/ +[FastCGI]: http://www.fastcgi.com/ +[FallbackResource]: https://httpd.apache.org/docs/current/mod/mod_dir.html#fallbackresource +[`fallbackresource`]: #fallbackresource +[filter rules]: https://httpd.apache.org/docs/current/filter.html +[`filters`]: #filters +[`ForceType`]: https://httpd.apache.org/docs/current/mod/core.html#forcetype + +[GeoIPScanProxyHeaders]: http://dev.maxmind.com/geoip/legacy/mod_geoip2/#Proxy-Related_Directives +[`gentoo/puppet-portage`]: https://github.com/gentoo/puppet-portage + +[Hash]: https://docs.puppetlabs.com/puppet/latest/reference/lang_data_hash.html + +[`IncludeOptional`]: https://httpd.apache.org/docs/current/mod/core.html#includeoptional +[`Include`]: https://httpd.apache.org/docs/current/mod/core.html#include +[interval syntax]: https://httpd.apache.org/docs/current/mod/mod_expires.html#AltSyn +[`ip`]: #ip +[`ip_based`]: #ip_based +[IP-based virtual hosts]: https://httpd.apache.org/docs/current/vhosts/ip-based.html + +[`KeepAlive`]: https://httpd.apache.org/docs/current/mod/core.html#keepalive +[`KeepAliveTimeout`]: https://httpd.apache.org/docs/current/mod/core.html#keepalivetimeout +[`keepalive` parameter]: #keepalive +[`keepalive_timeout`]: #keepalive_timeout +[`limitreqfieldsize`]: https://httpd.apache.org/docs/current/mod/core.html#limitrequestfieldsize + +[`lib`]: #lib +[`lib_path`]: #lib_path +[`Listen`]: https://httpd.apache.org/docs/current/bind.html +[`ListenBackLog`]: https://httpd.apache.org/docs/current/mod/mpm_common.html#listenbacklog +[`LoadFile`]: https://httpd.apache.org/docs/current/mod/mod_so.html#loadfile +[`LogFormat`]: https://httpd.apache.org/docs/current/mod/mod_log_config.html#logformat +[`logroot`]: #logroot +[Log security]: https://httpd.apache.org/docs/current/logs.html#security + +[`manage_docroot`]: #manage_docroot +[`manage_user`]: #manage_user +[`manage_group`]: #manage_group +[`MaxConnectionsPerChild`]: https://httpd.apache.org/docs/current/mod/mpm_common.html#maxconnectionsperchild +[`max_keepalive_requests`]: #max_keepalive_requests +[`MaxRequestWorkers`]: https://httpd.apache.org/docs/current/mod/mpm_common.html#maxrequestworkers +[`MaxSpareThreads`]: https://httpd.apache.org/docs/current/mod/mpm_common.html#maxsparethreads +[MIME `content-type`]: https://www.iana.org/assignments/media-types/media-types.xhtml +[`MinSpareThreads`]: https://httpd.apache.org/docs/current/mod/mpm_common.html#minsparethreads +[`mod_alias`]: https://httpd.apache.org/docs/current/mod/mod_alias.html +[`mod_auth_cas`]: https://github.com/Jasig/mod_auth_cas +[`mod_auth_kerb`]: http://modauthkerb.sourceforge.net/configure.html +[`mod_authnz_external`]: https://github.com/phokz/mod-auth-external +[`mod_auth_dbd`]: http://httpd.apache.org/docs/current/mod/mod_authn_dbd.html +[`mod_auth_mellon`]: https://github.com/UNINETT/mod_auth_mellon +[`mod_dbd`]: http://httpd.apache.org/docs/current/mod/mod_dbd.html +[`mod_disk_cache`]: https://httpd.apache.org/docs/2.2/mod/mod_disk_cache.html +[`mod_dumpio`]: https://httpd.apache.org/docs/2.4/mod/mod_dumpio.html +[`mod_env`]: http://httpd.apache.org/docs/current/mod/mod_env.html +[`mod_expires`]: https://httpd.apache.org/docs/current/mod/mod_expires.html +[`mod_ext_filter`]: https://httpd.apache.org/docs/current/mod/mod_ext_filter.html +[`mod_fcgid`]: https://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html +[`mod_geoip`]: http://dev.maxmind.com/geoip/legacy/mod_geoip2/ +[`mod_info`]: https://httpd.apache.org/docs/current/mod/mod_info.html +[`mod_ldap`]: https://httpd.apache.org/docs/2.2/mod/mod_ldap.html +[`mod_mpm_event`]: https://httpd.apache.org/docs/current/mod/event.html +[`mod_negotiation`]: https://httpd.apache.org/docs/current/mod/mod_negotiation.html +[`mod_pagespeed`]: https://developers.google.com/speed/pagespeed/module/?hl=en +[`mod_passenger`]: https://www.phusionpassenger.com/library/config/apache/reference/ +[`mod_php`]: http://php.net/manual/en/book.apache.php +[`mod_proxy`]: https://httpd.apache.org/docs/current/mod/mod_proxy.html +[`mod_proxy_balancer`]: https://httpd.apache.org/docs/current/mod/mod_proxy_balancer.html +[`mod_reqtimeout`]: https://httpd.apache.org/docs/current/mod/mod_reqtimeout.html +[`mod_rewrite`]: https://httpd.apache.org/docs/current/mod/mod_rewrite.html +[`mod_security`]: https://www.modsecurity.org/ +[`mod_ssl`]: https://httpd.apache.org/docs/current/mod/mod_ssl.html +[`mod_status`]: https://httpd.apache.org/docs/current/mod/mod_status.html +[`mod_version`]: https://httpd.apache.org/docs/current/mod/mod_version.html +[`mod_wsgi`]: https://modwsgi.readthedocs.org/en/latest/ +[module contribution guide]: https://docs.puppetlabs.com/forge/contributing.html +[`mpm_module`]: #mpm_module +[multi-processing module]: https://httpd.apache.org/docs/current/mpm.html + +[name-based virtual hosts]: https://httpd.apache.org/docs/current/vhosts/name-based.html +[`no_proxy_uris`]: #no_proxy_uris + +[open source Puppet]: https://docs.puppetlabs.com/puppet/ +[`Options`]: https://httpd.apache.org/docs/current/mod/core.html#options + +[`path`]: #path +[`Peruser`]: https://www.freebsd.org/cgi/url.cgi?ports/www/apache22-peruser-mpm/pkg-descr +[`port`]: #port +[`priority`]: #defined-types-apachevhost +[`proxy_dest`]: #proxy_dest +[`proxy_dest_match`]: #proxy_dest_match +[`proxy_pass`]: #proxy_pass +[`ProxyPass`]: https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypass +[`ProxySet`]: https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxyset +[Puppet Enterprise]: https://docs.puppetlabs.com/pe/ +[Puppet Forge]: https://forge.puppetlabs.com +[Puppet Labs]: https://puppetlabs.com +[Puppet module]: https://docs.puppetlabs.com/puppet/latest/reference/modules_fundamentals.html +[Puppet module's code]: https://github.com/puppetlabs/puppetlabs-apache/blob/master/manifests/default_mods.pp +[`purge_configs`]: #purge_configs +[`purge_vhost_dir`]: #purge_vhost_dir +[Python]: https://www.python.org/ + +[Rack]: http://rack.github.io/ +[`rack_base_uris`]: #rack_base_uris +[RFC 2616]: https://www.ietf.org/rfc/rfc2616.txt +[`RequestReadTimeout`]: https://httpd.apache.org/docs/current/mod/mod_reqtimeout.html#requestreadtimeout +[rspec-puppet]: http://rspec-puppet.com/ + +[`ScriptAlias`]: https://httpd.apache.org/docs/current/mod/mod_alias.html#scriptalias +[`ScriptAliasMatch`]: https://httpd.apache.org/docs/current/mod/mod_alias.html#scriptaliasmatch +[`scriptalias`]: #scriptalias +[SELinux]: http://selinuxproject.org/ +[`ServerAdmin`]: https://httpd.apache.org/docs/current/mod/core.html#serveradmin +[`serveraliases`]: #serveraliases +[`ServerLimit`]: https://httpd.apache.org/docs/current/mod/mpm_common.html#serverlimit +[`ServerName`]: https://httpd.apache.org/docs/current/mod/core.html#servername +[`ServerRoot`]: https://httpd.apache.org/docs/current/mod/core.html#serverroot +[`ServerTokens`]: https://httpd.apache.org/docs/current/mod/core.html#servertokens +[`ServerSignature`]: https://httpd.apache.org/docs/current/mod/core.html#serversignature +[Service attribute restart]: http://docs.puppetlabs.com/references/latest/type.html#service-attribute-restart +[`source`]: #source +[`SSLCARevocationCheck`]: https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcarevocationcheck +[SSL certificate key file]: https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcertificatekeyfile +[SSL chain]: https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcertificatechainfile +[SSL encryption]: https://httpd.apache.org/docs/current/ssl/index.html +[`ssl`]: #ssl +[`ssl_cert`]: #ssl_cert +[`ssl_compression`]: #ssl_compression +[`ssl_key`]: #ssl_key +[`StartServers`]: https://httpd.apache.org/docs/current/mod/mpm_common.html#startservers +[suPHP]: http://www.suphp.org/Home.html +[`suphp_addhandler`]: #suphp_addhandler +[`suphp_configpath`]: #suphp_configpath +[`suphp_engine`]: #suphp_engine +[supported operating system]: https://forge.puppetlabs.com/supported#puppet-supported-modules-compatibility-matrix + +[`ThreadLimit`]: https://httpd.apache.org/docs/current/mod/mpm_common.html#threadlimit +[`ThreadsPerChild`]: https://httpd.apache.org/docs/current/mod/mpm_common.html#threadsperchild +[`TimeOut`]: https://httpd.apache.org/docs/current/mod/core.html#timeout +[template]: http://docs.puppetlabs.com/puppet/latest/reference/lang_template.html +[`TraceEnable`]: https://httpd.apache.org/docs/current/mod/core.html#traceenable + +[`verify_config`]: #verify_config +[`vhost`]: #defined-type-apachevhost +[`vhost_dir`]: #vhost_dir +[`virtual_docroot`]: #virtual_docroot + +[Web Server Gateway Interface]: https://www.python.org/dev/peps/pep-3333/#abstract +[`WSGIPythonPath`]: http://modwsgi.readthedocs.org/en/develop/configuration-directives/WSGIPythonPath.html +[`WSGIPythonHome`]: http://modwsgi.readthedocs.org/en/develop/configuration-directives/WSGIPythonHome.html + +#### Table of Contents + +1. [Module description - What is the apache module, and what does it do?][Module description] +2. [Setup - The basics of getting started with apache][Setup] + - [Beginning with Apache - Installation][Beginning with Apache] +3. [Usage - The classes and defined types available for configuration][Usage] + - [Configuring virtual hosts - Examples to help get started][Configuring virtual hosts] + - [Configuring FastCGI servers to handle PHP files][Configuring FastCGI servers] + - [Load balancing with exported and non-exported resources][Load balancing examples] +4. [Reference - An under-the-hood peek at what the module is doing and how][Reference] + - [Public classes][] + - [Private classes][] + - [Public defined types][] + - [Private defined types][] + - [Templates][] +5. [Limitations - OS compatibility, etc.][Limitations] +6. [Development - Guide for contributing to the module][Development] + - [Contributing to the apache module][Contributing] + - [Running tests - A quick guide][Running tests] + +## Module description + +[Apache HTTP Server][] (also called Apache HTTPD, or simply Apache) is a widely used web server. This [Puppet module][] simplifies the task of creating configurations to manage Apache servers in your infrastructure. It can configure and manage a range of virtual host setups and provides a streamlined way to install and configure [Apache modules][]. + +## Setup + +**What the apache Puppet module affects:** + +- Configuration files and directories (created and written to) + - **WARNING**: Configurations *not* managed by Puppet will be purged. +- Package/service/configuration files for Apache +- Apache modules +- Virtual hosts +- Listened-to ports +- `/etc/make.conf` on FreeBSD and Gentoo + +On Gentoo, this module depends on the [`gentoo/puppet-portage`][] Puppet module. Note that while several options apply or enable certain features and settings for Gentoo, it is not a [supported operating system][] for this module. + +> **Note**: This module modifies Apache configuration files and directories and purges any configuration not managed by Puppet. Apache configuration should be managed by Puppet, as unmanaged configuration files can cause unexpected failures. + +To temporarily disable full Puppet management, set the [`purge_configs`][] parameter in the [`apache`][] class declaration to false. We recommend using this only as a temporary means of saving and relocating customized configurations. + +### Beginning with Apache + +To have Puppet install Apache with the default parameters, declare the [`apache`][] class: + +``` puppet +class { 'apache': } ``` -The defaults are determined by your operating system (e.g. Debian systems have one set of defaults, and RedHat systems have another, as do FreeBSD systems). These defaults work well in a testing environment, but are not suggested for production. To establish customized parameters - -```puppet - class { 'apache': - default_mods => false, - default_confd_files => false, - } +The Puppet module applies a default configuration based on your operating system; Debian, Red Hat, FreeBSD, and Gentoo systems each have unique default configurations. These defaults work in testing environments but are not suggested for production, and Puppet recommends customizing the class's parameters to suit your site. Use the [Reference](#reference) section to find information about the class's parameters and their default values. + +You can customize parameters when declaring the `apache` class. For instance, this declaration installs Apache without the apache module's [default virtual host configuration][Configuring virtual hosts], allowing you to customize all Apache virtual hosts: + +``` puppet +class { 'apache': + default_vhost => false, +} +``` + +> **Note**: When `default_vhost` is set to `false` you have to add at least one `apache::vhost` resource or Apache will not start. + +## Usage + +### Configuring virtual hosts + +The default [`apache`][] class sets up a virtual host on port 80, listening on all interfaces and serving the [`docroot`][] parameter's default directory of `/var/www`. + +> **Note**: See the [`apache::vhost`][] defined type's reference for a list of all virtual host parameters. + +To configure basic [name-based virtual hosts][], specify the [`port`][] and [`docroot`][] parameters in the [`apache::vhost`][] defined type: + +``` puppet +apache::vhost { 'vhost.example.com': + port => '80', + docroot => '/var/www/vhost', +} +``` + +> **Note**: Apache processes virtual hosts in alphabetical order, and server administrators can prioritize Apache's virtual host processing by prefixing a virtual host's configuration file name with a number. The [`apache::vhost`][] defined type applies a default [`priority`][] of 15, which Puppet interprets by prefixing the virtual host's file name with `15-`. This all means that if multiple sites have the same priority, or if you disable priority numbers by setting the `priority` parameter's value to false, Apache still processes virtual hosts in alphabetical order. + +To configure user and group ownership for `docroot`, use the [`docroot_owner`][] and [`docroot_group`][] parameters: + +``` puppet +apache::vhost { 'user.example.com': + port => '80', + docroot => '/var/www/user', + docroot_owner => 'www-data', + docroot_group => 'www-data', +} ``` -###Configure a virtual host - -Declaring the `apache` class creates a default virtual host by setting up a vhost on port 80, listening on all interfaces and serving `$apache::docroot`. - -```puppet - class { 'apache': } +#### Configuring virtual hosts with SSL + +To configure a virtual host to use [SSL encryption][] and default SSL certificates, set the [`ssl`][] parameter. You must also specify the [`port`][] parameter, typically with a value of '443', to accommodate HTTPS requests: + +``` puppet +apache::vhost { 'ssl.example.com': + port => '443', + docroot => '/var/www/ssl', + ssl => true, +} ``` -To configure a very basic, name-based virtual host - -```puppet - apache::vhost { 'first.example.com': - port => '80', - docroot => '/var/www/first', - } +To configure a virtual host to use SSL and specific SSL certificates, use the paths to the certificate and key in the [`ssl_cert`][] and [`ssl_key`][] parameters, respectively: + +``` puppet +apache::vhost { 'cert.example.com': + port => '443', + docroot => '/var/www/cert', + ssl => true, + ssl_cert => '/etc/ssl/fourth.example.com.cert', + ssl_key => '/etc/ssl/fourth.example.com.key', +} +``` + +To configure a mix of SSL and unencrypted virtual hosts at the same domain, declare them with separate [`apache::vhost`][] defined types: + +``` puppet +# The non-ssl virtual host +apache::vhost { 'mix.example.com non-ssl': + servername => 'mix.example.com', + port => '80', + docroot => '/var/www/mix', +} + +# The SSL virtual host at the same domain +apache::vhost { 'mix.example.com ssl': + servername => 'mix.example.com', + port => '443', + docroot => '/var/www/mix', + ssl => true, +} ``` -*Note:* The default priority is 15. If nothing matches this priority, the alphabetically first name-based vhost is used. This is also true if you pass a higher priority and no names match anything else. - -A slightly more complicated example, changes the docroot owner/group from the default 'root' - -```puppet - apache::vhost { 'second.example.com': - port => '80', - docroot => '/var/www/second', - docroot_owner => 'third', - docroot_group => 'third', - } +To configure a virtual host to redirect unencrypted connections to SSL, declare them with separate [`apache::vhost`][] defined types and redirect unencrypted requests to the virtual host with SSL enabled: + +``` puppet +apache::vhost { 'redirect.example.com non-ssl': + servername => 'redirect.example.com', + port => '80', + docroot => '/var/www/redirect', + redirect_status => 'permanent', + redirect_dest => 'https://redirect.example.com/' +} + +apache::vhost { 'redirect.example.com ssl': + servername => 'redirect.example.com', + port => '443', + docroot => '/var/www/redirect', + ssl => true, +} +``` + +#### Configuring virtual host port and address bindings + +Virtual hosts listen on all IP addresses ('\*') by default. To configure the virtual host to listen on a specific IP address, use the [`ip`][] parameter: + +``` puppet +apache::vhost { 'ip.example.com': + ip => '127.0.0.1', + port => '80', + docroot => '/var/www/ip', +} +``` + +It is also possible to configure more than one IP address per virtual host by using an array of IP addresses for the [`ip`][] parameter: + +``` puppet +apache::vhost { 'ip.example.com': + ip => ['127.0.0.1','169.254.1.1'], + port => '80', + docroot => '/var/www/ip', +} ``` -To set up a virtual host with SSL and default SSL certificates - -```puppet - apache::vhost { 'ssl.example.com': - port => '443', - docroot => '/var/www/ssl', - ssl => true, - } +To configure a virtual host with [aliased servers][], refer to the aliases using the [`serveraliases`][] parameter: + +``` puppet +apache::vhost { 'aliases.example.com': + serveraliases => [ + 'aliases.example.org', + 'aliases.example.net', + ], + port => '80', + docroot => '/var/www/aliases', +} +``` + +To set up a virtual host with a wildcard alias for the subdomain mapped to a same-named directory, such as 'http://example.com.loc' mapped to `/var/www/example.com`, define the wildcard alias using the [`serveraliases`][] parameter and the document root with the [`virtual_docroot`][] parameter: + +``` puppet +apache::vhost { 'subdomain.loc': + vhost_name => '*', + port => '80', + virtual_docroot => '/var/www/%-2+', + docroot => '/var/www', + serveraliases => ['*.loc',], +} +``` + +To configure a virtual host with [filter rules][], pass the filter directives as an [array][] using the [`filters`][] parameter: + +``` puppet +apache::vhost { 'subdomain.loc': + port => '80', + filters => [ + 'FilterDeclare COMPRESS', + 'FilterProvider COMPRESS DEFLATE resp=Content-Type $text/html', + 'FilterChain COMPRESS', + 'FilterProtocol COMPRESS DEFLATE change=yes;byteranges=no', + ], + docroot => '/var/www/html', +} ``` -To set up a virtual host with SSL and specific SSL certificates - -```puppet - apache::vhost { 'fourth.example.com': - port => '443', - docroot => '/var/www/fourth', - ssl => true, - ssl_cert => '/etc/ssl/fourth.example.com.cert', - ssl_key => '/etc/ssl/fourth.example.com.key', - } +#### Configuring virtual hosts for apps and processors + +To set up a virtual host with [suPHP][], use the [`suphp_engine`][] parameter to enable the suPHP engine, [`suphp_addhandler`][] parameter to define a MIME type, [`suphp_configpath`][] to set which path suPHP passes to the PHP interpreter, and the [`directory`][] parameter to configure Directory, File, and Location directive blocks: + +``` puppet +apache::vhost { 'suphp.example.com': + port => '80', + docroot => '/home/appuser/myphpapp', + suphp_addhandler => 'x-httpd-php', + suphp_engine => 'on', + suphp_configpath => '/etc/php5/apache2', + directories => [ + { 'path' => '/home/appuser/myphpapp', + 'suphp' => { + user => 'myappuser', + group => 'myappgroup', + }, + }, + ], +} +``` + +You can use a set of parameters to configure a virtual host to use the [Web Server Gateway Interface][] (WSGI) for [Python][] applications: + +``` puppet +apache::vhost { 'wsgi.example.com': + port => '80', + docroot => '/var/www/pythonapp', + wsgi_application_group => '%{GLOBAL}', + wsgi_daemon_process => 'wsgi', + wsgi_daemon_process_options => { + processes => '2', + threads => '15', + display-name => '%{GROUP}', + }, + wsgi_import_script => '/var/www/demo.wsgi', + wsgi_import_script_options => { + process-group => 'wsgi', + application-group => '%{GLOBAL}', + }, + wsgi_process_group => 'wsgi', + wsgi_script_aliases => { '/' => '/var/www/demo.wsgi' }, +} ``` -Virtual hosts listen on '*' by default. To listen on a specific IP address - -```puppet - apache::vhost { 'subdomain.example.com': - ip => '127.0.0.1', - port => '80', - docroot => '/var/www/subdomain', - } +Starting in Apache 2.2.16, Apache supports [FallbackResource][], a simple replacement for common RewriteRules. You can set a FallbackResource using the [`fallbackresource`][] parameter: + +``` puppet +apache::vhost { 'wordpress.example.com': + port => '80', + docroot => '/var/www/wordpress', + fallbackresource => '/index.php', +} +``` + +> **Note**: The `fallbackresource` parameter only supports the 'disabled' value since Apache 2.2.24. + +To configure a virtual host with a designated directory for [Common Gateway Interface][] (CGI) files, use the [`scriptalias`][] parameter to define the `cgi-bin` path: + +``` puppet +apache::vhost { 'cgi.example.com': + port => '80', + docroot => '/var/www/cgi', + scriptalias => '/usr/lib/cgi-bin', +} ``` -To set up a virtual host with a wildcard alias for the subdomain mapped to a same-named directory, for example: `http://example.com.loc` to `/var/www/example.com` - -```puppet - apache::vhost { 'subdomain.loc': - vhost_name => '*', - port => '80', - virtual_docroot => '/var/www/%-2+', - docroot => '/var/www', - serveraliases => ['*.loc',], - } +To configure a virtual host for [Rack][], use the [`rack_base_uris`][] parameter: + +``` puppet +apache::vhost { 'rack.example.com': + port => '80', + docroot => '/var/www/rack', + rack_base_uris => ['/rackapp1', '/rackapp2'], +} +``` + +#### Configuring IP-based virtual hosts + +You can configure [IP-based virtual hosts][] to listen on any port and have them respond to requests on specific IP addresses. In this example, we set the server to listen on ports 80 and 81 because the example virtual hosts are _not_ declared with a [`port`][] parameter: + +``` puppet +apache::listen { '80': } + +apache::listen { '81': } +``` + +Then we configure the IP-based virtual hosts with the [`ip_based`][] parameter: + +``` puppet +apache::vhost { 'first.example.com': + ip => '10.0.0.10', + docroot => '/var/www/first', + ip_based => true, +} + +apache::vhost { 'second.example.com': + ip => '10.0.0.11', + docroot => '/var/www/second', + ip_based => true, +} ``` -To set up a virtual host with suPHP - -```puppet - apache::vhost { 'suphp.example.com': - port => '80', - docroot => '/home/appuser/myphpapp', - suphp_addhandler => 'x-httpd-php', - suphp_engine => 'on', - suphp_configpath => '/etc/php5/apache2', - directories => { path => '/home/appuser/myphpapp', - 'suphp' => { user => 'myappuser', group => 'myappgroup' }, - } - } +You can also configure a mix of IP- and [name-based virtual hosts][], and in any combination of [SSL][SSL encryption] and unencrypted configurations. First, we add two IP-based virtual hosts on an IP address (in this example, 10.0.0.10). One uses SSL and the other is unencrypted: + +``` puppet +apache::vhost { 'The first IP-based virtual host, non-ssl': + servername => 'first.example.com', + ip => '10.0.0.10', + port => '80', + ip_based => true, + docroot => '/var/www/first', +} + +apache::vhost { 'The first IP-based vhost, ssl': + servername => 'first.example.com', + ip => '10.0.0.10', + port => '443', + ip_based => true, + docroot => '/var/www/first-ssl', + ssl => true, +} +``` + +Next, we add two name-based virtual hosts listening on a second IP address (10.0.0.20): + +``` puppet +apache::vhost { 'second.example.com': + ip => '10.0.0.20', + port => '80', + docroot => '/var/www/second', +} + +apache::vhost { 'third.example.com': + ip => '10.0.0.20', + port => '80', + docroot => '/var/www/third', +} +``` + +To add name-based virtual hosts that answer on either 10.0.0.10 or 10.0.0.20, you **must** set the [`add_listen`][] parameter to false to disable the default Apache setting of `Listen 80`, as it conflicts with the preceding IP-based virtual hosts. + +``` puppet +apache::vhost { 'fourth.example.com': + port => '80', + docroot => '/var/www/fourth', + add_listen => false, +} + +apache::vhost { 'fifth.example.com': + port => '80', + docroot => '/var/www/fifth', + add_listen => false, +} +``` + +### Installing Apache modules + +There are two ways to install [Apache modules][] using the Puppet apache module: + +- Use the [`apache::mod::<MODULE NAME>`][] classes to [install specific Apache modules with parameters][Installing specific modules]. +- Use the [`apache::mod`][] defined type to [install arbitrary Apache modules][Installing arbitrary modules]. + +#### Installing specific modules + +The Puppet apache module supports installing many common [Apache modules][], often with parameterized configuration options. For a list of supported Apache modules, see the [`apache::mod::<MODULE NAME>`][] class references. + +For example, you can install the `mod_ssl` Apache module with default settings by declaring the [`apache::mod::ssl`][] class: + +``` puppet +class { 'apache::mod::ssl': } +``` + +[`apache::mod::ssl`][] has several parameterized options that you can set when declaring it. For instance, to enable `mod_ssl` with compression enabled, set the [`ssl_compression`][] parameter to true: + +``` puppet +class { 'apache::mod::ssl': + ssl_compression => true, +} +``` + +Note that some modules have prerequisites, which are documented in their references under [`apache::mod::<MODULE NAME>`][]. + +#### Installing arbitrary modules + +You can pass the name of any module that your operating system's package manager can install to the [`apache::mod`][] defined type to install it. Unlike the specific-module classes, the [`apache::mod`][] defined type doesn't tailor the installation based on other installed modules or with specific parameters---Puppet only grabs and installs the module's package, leaving detailed configuration up to you. + +For example, to install the [`mod_authnz_external`][] Apache module, declare the defined type with the 'mod_authnz_external' name: + +``` puppet +apache::mod { 'mod_authnz_external': } +``` + +There are several optional parameters you can specify when defining Apache modules this way. See the [defined type's reference][`apache::mod`] for details. + +### Configuring FastCGI servers to handle PHP files + +Add the [`apache::fastcgi::server`][] defined type to allow [FastCGI][] servers to handle requests for specific files. For example, the following defines a FastCGI server at 127.0.0.1 (localhost) on port 9000 to handle PHP requests: + +``` puppet +apache::fastcgi::server { 'php': + host => '127.0.0.1:9000', + timeout => 15, + flush => false, + faux_path => '/var/www/php.fcgi', + fcgi_alias => '/php.fcgi', + file_type => 'application/x-httpd-php' +} ``` -To set up a virtual host with WSGI - -```puppet - apache::vhost { 'wsgi.example.com': - port => '80', - docroot => '/var/www/pythonapp', - wsgi_application_group => '%{GLOBAL}', - wsgi_daemon_process => 'wsgi', - wsgi_daemon_process_options => { - processes => '2', - threads => '15', - display-name => '%{GROUP}', - }, - wsgi_import_script => '/var/www/demo.wsgi', - wsgi_import_script_options => - { process-group => 'wsgi', application-group => '%{GLOBAL}' }, - wsgi_process_group => 'wsgi', - wsgi_script_aliases => { '/' => '/var/www/demo.wsgi' }, - } +You can then use the [`custom_fragment`][] parameter to configure the virtual host to have the FastCGI server handle the specified file type: + +``` puppet +apache::vhost { 'www': + ... + custom_fragment => 'AddType application/x-httpd-php .php' + ... +} +``` + +### Load balancing examples + +Apache supports load balancing across groups of servers through the [`mod_proxy`][] Apache module. Puppet supports configuring Apache load balancing groups (also known as balancer clusters) through the [`apache::balancer`][] and [`apache::balancermember`][] defined types. + +To enable load balancing with [exported resources][], export the [`apache::balancermember`][] defined type from the load balancer member server: + +``` puppet +@@apache::balancermember { "${::fqdn}-puppet00": + balancer_cluster => 'puppet00', + url => "ajp://${::fqdn}:8009", + options => ['ping=5', 'disablereuse=on', 'retry=5', 'ttl=120'], +} +``` + +Then, on the proxy server, create the load balancing group: + +``` puppet +apache::balancer { 'puppet00': } +``` + +To enable load balancing without exporting resources, declare the following on the proxy server: + +``` puppet +apache::balancer { 'puppet00': } + +apache::balancermember { "${::fqdn}-puppet00": + balancer_cluster => 'puppet00', + url => "ajp://${::fqdn}:8009", + options => ['ping=5', 'disablereuse=on', 'retry=5', 'ttl=120'], +} +``` + +Then declare the `apache::balancer` and `apache::balancermember` defined types on the proxy server. + +If you need to use the [ProxySet](https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxyset) directive on the balancer, use the [`proxy_set`](#proxy_set) parameter of `apache::balancer`: + +``` puppet +apache::balancer { 'puppet01': + proxy_set => { + 'stickysession' => 'JSESSIONID', + 'lbmethod' => 'bytraffic', + }, +} ``` -Starting in Apache 2.2.16, HTTPD supports [FallbackResource](https://httpd.apache.org/docs/current/mod/mod_dir.html#fallbackresource), a simple replacement for common RewriteRules. - -```puppet - apache::vhost { 'wordpress.example.com': - port => '80', - docroot => '/var/www/wordpress', - fallbackresource => '/index.php', - } +Load balancing scheduler algorithms (`lbmethod`) are listed [in mod_proxy_balancer documentation](https://httpd.apache.org/docs/current/mod/mod_proxy_balancer.html). + +## Reference + +- [**Public classes**](#public-classes) + - [Class: apache](#class-apache) + - [Class: apache::dev](#class-apachedev) + - [Class: apache::vhosts](#class-apachevhosts) + - [Classes: apache::mod::\*](#classes-apachemodname) +- [**Private classes**](#private-classes) + - [Class: apache::confd::no_accf](#class-apacheconfdno_accf) + - [Class: apache::default_confd_files](#class-apachedefault_confd_files) + - [Class: apache::default_mods](#class-apachedefault_mods) + - [Class: apache::package](#class-apachepackage) + - [Class: apache::params](#class-apacheparams) + - [Class: apache::service](#class-apacheservice) + - [Class: apache::version](#class-apacheversion) +- [**Public defined types**](#public-defined-types) + - [Defined type: apache::balancer](#defined-type-apachebalancer) + - [Defined type: apache::balancermember](#defined-type-apachebalancermember) + - [Defined type: apache::custom_config](#defined-type-apachecustom_config) + - [Defined type: apache::fastcgi::server](#defined-type-fastcgi-server) + - [Defined type: apache::listen](#defined-type-apachelisten) + - [Defined type: apache::mod](#defined-type-apachemod) + - [Defined type: apache::namevirtualhost](#defined-type-apachenamevirtualhost) + - [Defined type: apache::vhost](#defined-type-apachevhost) + - [Defined type: apache::vhost::custom](#defined-type-apachevhostcustom) +- [**Private defined types**](#private-defined-types) + - [Defined type: apache::default_mods::load](#defined-type-default_mods-load) + - [Defined type: apache::peruser::multiplexer](#defined-type-apacheperusermultiplexer) + - [Defined type: apache::peruser::processor](#defined-type-apacheperuserprocessor) + - [Defined type: apache::security::file_link](#defined-type-apachesecurityfile_link) +- [**Templates**](#templates) + +### Public Classes + +#### Class: `apache` + +Guides the basic setup and installation of Apache on your system. + +When this class is declared with the default options, Puppet: + +- Installs the appropriate Apache software package and [required Apache modules](#default_mods) for your operating system. +- Places the required configuration files in a directory, with the [default location](#conf_dir) determined by your operating system. +- Configures the server with a default virtual host and standard port ('80') and address ('\*') bindings. +- Creates a document root directory determined by your operating system, typically `/var/www`. +- Starts the Apache service. + +You can simply declare the default `apache` class: + +``` puppet +class { 'apache': } ``` -Please note that the 'disabled' argument to FallbackResource is only supported since Apache 2.2.24. - -See a list of all [virtual host parameters](#defined-type-apachevhost). See an extensive list of [virtual host examples](#virtual-host-examples). - -##Usage - -###Classes and Defined Types - -This module modifies Apache configuration files and directories and purges any configuration not managed by Puppet. Configuration of Apache should be managed by Puppet, as non-Puppet configuration files can cause unexpected failures. - -It is possible to temporarily disable full Puppet management by setting the [`purge_configs`](#purge_configs) parameter within the base `apache` class to 'false'. This option should only be used as a temporary means of saving and relocating customized configurations. See the [`purge_configs` parameter](#purge_configs) for more information. - -####Class: `apache` - -The apache module's primary class, `apache`, guides the basic setup of Apache on your system. - -You can establish a default vhost in this class, the `vhost` class, or both. You can add additional vhost configurations for specific virtual hosts using a declaration of the `vhost` type. +You can establish a default virtual host in this class, by using the [`apache::vhost`][] defined type, or both. You can also configure additional specific virtual hosts with the [`apache::vhost`][] defined type. Puppet recommends customizing the `apache` class's declaration with the following parameters, as its default settings are not optimized for production. **Parameters within `apache`:** -#####`allow_encoded_slashes` - -This sets the server default for the [`AllowEncodedSlashes` declaration](http://httpd.apache.org/docs/current/mod/core.html#allowencodedslashes) which modifies the responses to URLs with `\` and `/` characters. The default is undefined, which omits the declaration from the server configuration and select the Apache default setting of `Off`. Allowed values are: `on`, `off` or `nodecode`. - -#####`apache_version` - -Configures the behavior of the module templates, package names, and default mods by setting the Apache version. Default is determined by the class `apache::version` using the OS family and release. It should not be configured manually without special reason. - -#####`conf_dir` - -Changes the location of the configuration directory the main configuration file is placed in. Defaults to '/etc/httpd/conf' on RedHat, '/etc/apache2' on Debian, and '/usr/local/etc/apache22' on FreeBSD. - -#####`confd_dir` - -Changes the location of the configuration directory your custom configuration files are placed in. Defaults to '/etc/httpd/conf' on RedHat, '/etc/apache2/conf.d' on Debian, and '/usr/local/etc/apache22' on FreeBSD. - -#####`conf_template` - -Overrides the template used for the main apache configuration file. Defaults to 'apache/httpd.conf.erb'. - -*Note:* Using this parameter is potentially risky, as the module has been built for a minimal configuration file with the configuration primarily coming from conf.d/ entries. - -#####`default_confd_files` - -Generates default set of include-able Apache configuration files under `${apache::confd_dir}` directory. These configuration files correspond to what is usually installed with the Apache package on a given platform. - -#####`default_mods` - -Sets up Apache with default settings based on your OS. Valid values are 'true', 'false', or an array of mod names. - -Defaults to 'true', which includes the default [HTTPD mods](https://github.com/puppetlabs/puppetlabs-apache/blob/master/manifests/default_mods.pp). - -If false, it only includes the mods required to make HTTPD work, and any other mods can be declared on their own. - -If an array, the apache module includes the array of mods listed. - -#####`default_ssl_ca` - -The default certificate authority, which is automatically set to 'undef'. This default works out of the box but must be updated with your specific certificate information before being used in production. - -#####`default_ssl_cert` - -The default SSL certification, which is automatically set based on your operating system ('/etc/pki/tls/certs/localhost.crt' for RedHat, '/etc/ssl/certs/ssl-cert-snakeoil.pem' for Debian, and '/usr/local/etc/apache22/server.crt' for FreeBSD). This default works out of the box but must be updated with your specific certificate information before being used in production. - -#####`default_ssl_chain` - -The default SSL chain, which is automatically set to 'undef'. This default works out of the box but must be updated with your specific certificate information before being used in production. - -#####`default_ssl_crl` - -The default certificate revocation list to use, which is automatically set to 'undef'. This default works out of the box but must be updated with your specific certificate information before being used in production. - -#####`default_ssl_crl_path` - -The default certificate revocation list path, which is automatically set to 'undef'. This default works out of the box but must be updated with your specific certificate information before being used in production. - -#####`default_ssl_crl_check` - -Sets the default certificate revocation check level via the [SSLCARevocationCheck directive](http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcarevocationcheck), which is automatically set to 'undef'. This default works out of the box but must be specified when using CRLs in production. Only applicable to Apache 2.4 or higher, the value is ignored on older versions. - -#####`default_ssl_key` - -The default SSL key, which is automatically set based on your operating system ('/etc/pki/tls/private/localhost.key' for RedHat, '/etc/ssl/private/ssl-cert-snakeoil.key' for Debian, and '/usr/local/etc/apache22/server.key' for FreeBSD). This default works out of the box but must be updated with your specific certificate information before being used in production. - -#####`default_ssl_vhost` - -Sets up a default SSL virtual host. Defaults to 'false'. If set to 'true', sets up the following vhost: - -```puppet - apache::vhost { 'default-ssl': - port => 443, - ssl => true, - docroot => $docroot, - scriptalias => $scriptalias, - serveradmin => $serveradmin, - access_log_file => "ssl_${access_log_file}", - } +##### `allow_encoded_slashes` + +Sets the server default for the [`AllowEncodedSlashes`][] declaration, which modifies the responses to URLs containing '\' and '/' characters. Valid options: 'on', 'off', 'nodecode'. Default: undef, which omits the declaration from the server's configuration and uses Apache's default setting of 'off'. + +##### `apache_version` + +Configures module template behavior, package names, and default Apache modules by defining the version of Apache to use. Default: Determined by your operating system family and release via the [`apache::version`][] class. Puppet recommends against manually configuring this parameter without reason. + +##### `conf_dir` + +Sets the directory where the Apache server's main configuration file is located. Default: Depends on your operating system. + +- **Debian**: `/etc/apache2` +- **FreeBSD**: `/usr/local/etc/apache22` +- **Gentoo**: `/etc/apache2` +- **Red Hat**: `/etc/httpd/conf` + +##### `conf_template` + +Defines the [template][] used for the main Apache configuration file. Default: `apache/httpd.conf.erb`. Modifying this parameter is potentially risky, as the apache Puppet module is designed to use a minimal configuration file customized by `conf.d` entries. + +##### `confd_dir` + +Sets the location of the Apache server's custom configuration directory. Default: Depends on your operating system. + +- **Debian**: `/etc/apache2/conf.d` +- **FreeBSD**: `/usr/local/etc/apache22` +- **Gentoo**: `/etc/apache2/conf.d` +- **Red Hat**: `/etc/httpd/conf.d` + +##### `default_charset` + +Used as the [`AddDefaultCharset`][] directive in the main configuration file. Default: undef. + +##### `default_confd_files` + +Determines whether Puppet generates a default set of includable Apache configuration files in the directory defined by the [`confd_dir`][] parameter. These configuration files correspond to what is typically installed with the Apache package on the server's operating system. Valid options: Boolean. Default: true. + +##### `default_mods` + +Determines whether to configure and enable a set of default [Apache modules][] depending on your operating system. Valid options: true, false, or an array of Apache module names. Default: true. + +If this parameter's value is false, Puppet includes only the Apache modules required to make the HTTP daemon work on your operating system, and you can declare any other modules separately using the [`apache::mod::<MODULE NAME>`][] class or [`apache::mod`][] defined type. + +If true, Puppet installs additional modules, the list of which depends on the operating system as well as the [`apache_version`][] and [`mpm_module`][] parameters' values. As these lists of modules can change frequently, consult the [Puppet module's code][] for up-to-date lists. + +If this parameter contains an array, Puppet instead enables all passed Apache modules. + +##### `default_ssl_ca` + +Sets the default certificate authority for the Apache server. Default: undef. + +While this default value results in a functioning Apache server, you **must** update this parameter with your certificate authority information before deploying this server in a production environment. + +##### `default_ssl_cert` + +Sets the [SSL encryption][] certificate location. Default: Determined by your operating system. + +- **Debian**: `/etc/ssl/certs/ssl-cert-snakeoil.pem` +- **FreeBSD**: `/usr/local/etc/apache22/server.crt` +- **Gentoo**: `/etc/ssl/apache2/server.crt` +- **Red Hat**: `/etc/pki/tls/certs/localhost.crt` + +While the default value results in a functioning Apache server, you **must** update this parameter with your certificate location before deploying this server in a production environment. + +##### `default_ssl_chain` + +Sets the default [SSL chain][] location. Default: undef. + +While this default value results in a functioning Apache server, you **must** update this parameter with your SSL chain before deploying this server in a production environment. + +##### `default_ssl_crl` + +Sets the path of the default [certificate revocation list][] (CRL) file to use. Default: undef. + +While this default value results in a functioning Apache server, you **must** update this parameter with your CRL file's path before deploying this server in a production environment. You can use this parameter with or in place of the [`default_ssl_crl_path`][]. + +##### `default_ssl_crl_path` + +Sets the server's [certificate revocation list path][], which contains your CRLs. Default: undef. + +While this default value results in a functioning Apache server, you **must** update this parameter with the CRL path before deploying this server in a production environment. + +##### `default_ssl_crl_check` + +Sets the default certificate revocation check level via the [`SSLCARevocationCheck`][] directive. Default: undef. + +While this default value results in a functioning Apache server, you **must** specify this parameter when using certificate revocation lists in a production environment. + +This parameter only applies to Apache 2.4 or higher and is ignored on older versions. + +##### `default_ssl_key` + +Sets the [SSL certificate key file][] location. Default: Determined by your operating system. + +- **Debian**: `/etc/ssl/private/ssl-cert-snakeoil.key` +- **FreeBSD**: `/usr/local/etc/apache22/server.key` +- **Gentoo**: `/etc/ssl/apache2/server.key` +- **Red Hat**: `/etc/pki/tls/private/localhost.key` + +While these default values result in a functioning Apache server, you **must** update this parameter with your SSL key's location before deploying this server in a production environment. + +##### `default_ssl_vhost` + +Configures a default [SSL][SSL encryption] virtual host. Valid options: Boolean. Default: false. + +If true, Puppet automatically configures the following virtual host using the [`apache::vhost`][] defined type: + +``` puppet +apache::vhost { 'default-ssl': + port => 443, + ssl => true, + docroot => $docroot, + scriptalias => $scriptalias, + serveradmin => $serveradmin, + access_log_file => "ssl_${access_log_file}", + } ``` -SSL vhosts only respond to HTTPS queries. - -#####`default_vhost` - -Sets up a default virtual host. Defaults to 'true', set to 'false' to set up [customized virtual hosts](#configure-a-virtual-host). - -#####`docroot` - -Changes the location of the default [Documentroot](https://httpd.apache.org/docs/current/mod/core.html#documentroot). Defaults to '/var/www/html' on RedHat, '/var/www' on Debian, and '/usr/local/www/apache22/data' on FreeBSD. - -#####`error_documents` - -Enables custom error documents. Defaults to 'false'. - -#####`httpd_dir` - -Changes the base location of the configuration directories used for the apache service. This is useful for specially repackaged HTTPD builds, but might have unintended consequences when used in combination with the default distribution packages. Defaults to '/etc/httpd' on RedHat, '/etc/apache2' on Debian, and '/usr/local/etc/apache22' on FreeBSD. - -#####`keepalive` - -Enables persistent connections. - -#####`keepalive_timeout` - -Sets the amount of time the server waits for subsequent requests on a persistent connection. Defaults to '15'. - -#####`max_keepalive_requests` - -Sets the limit of the number of requests allowed per connection when KeepAlive is on. Defaults to '100'. - -#####`loadfile_name` - -Sets the file name for the module loadfile. Should be in the format *.load. This can be used to set the module load order. - -#####`log_level` - -Changes the verbosity level of the error log. Defaults to 'warn'. Valid values are 'emerg', 'alert', 'crit', 'error', 'warn', 'notice', 'info', or 'debug'. - -#####`log_formats` - -Define additional [LogFormats](https://httpd.apache.org/docs/current/mod/mod_log_config.html#logformat). This is done in a Hash: - -```puppet - $log_formats = { vhost_common => '%v %h %l %u %t \"%r\" %>s %b' } +> **Note**: SSL virtual hosts only respond to HTTPS queries. + +##### `default_type` + +_Apache 2.2 only_. Sets the [MIME `content-type`][] sent if the server cannot otherwise determine an appropriate `content-type`. This directive is deprecated in Apache 2.4 and newer and only exists for backwards compatibility in configuration files. Default: undef. + +##### `default_vhost` + +Configures a default virtual host when the class is declared. Valid options: Boolean. Default: true. + +To configure [customized virtual hosts][Configuring virtual hosts], set this parameter's value to false. + +> **Note**: Apache will not start without at least one virtual host. If you set this to false be sure to configure one elsewhere. + +##### `dev_packages` + +Configures a specific dev package to use. Valid options: A string or array of strings. Default: Depends on the operating system. + +- **Red Hat:** 'httpd-devel' +- **Debian 8/Ubuntu 13.10 or newer:** ['libaprutil1-dev', 'libapr1-dev', 'apache2-dev'] +- **Older Debian/Ubuntu versions:** ['libaprutil1-dev', 'libapr1-dev', 'apache2-prefork-dev'] +- **FreeBSD, Gentoo:** undef +- **Suse:** ['libapr-util1-devel', 'libapr1-devel'] + +Example for using httpd 2.4 from the IUS yum repo: + +``` puppet +include ::apache::dev +class { 'apache': + apache_name => 'httpd24u', + dev_packages => 'httpd24u-devel', +} +``` + +##### `docroot` + +Sets the default [`DocumentRoot`][] location. Default: Determined by your operating system. + +- **Debian**: `/var/www/html` +- **FreeBSD**: `/usr/local/www/apache22/data` +- **Gentoo**: `/var/www/localhost/htdocs` +- **Red Hat**: `/var/www/html` + +##### `error_documents` + +Determines whether to enable [custom error documents][] on the Apache server. Valid options: Boolean. Default: false. + +##### `group` + +Sets the group ID that owns any Apache processes spawned to answer requests. + +By default, Puppet attempts to manage this group as a resource under the `apache` class, determining the group based on the operating system as detected by the [`apache::params`][] class. To to prevent the group resource from being created and use a group created by another Puppet module, set the [`manage_group`][] parameter's value to false. + +> **Note**: Modifying this parameter only changes the group ID that Apache uses to spawn child processes to access resources. It does not change the user that owns the parent server process. + +##### `httpd_dir` + +Sets the Apache server's base configuration directory. This is useful for specially repackaged Apache server builds but might have unintended consequences when combined with the default distribution packages. Default: Determined by your operating system. + +- **Debian**: `/etc/apache2` +- **FreeBSD**: `/usr/local/etc/apache22` +- **Gentoo**: `/etc/apache2` +- **Red Hat**: `/etc/httpd` + +##### `keepalive` + +Determines whether to enable persistent HTTP connections with the [`KeepAlive`][] directive. Valid options: 'Off', 'On'. Default: 'Off'. + +If 'On', use the [`keepalive_timeout`][] and [`max_keepalive_requests`][] parameters to set relevant options. + +##### `keepalive_timeout` + +Sets the [`KeepAliveTimeout`] directive, which determines the amount of time the Apache server waits for subsequent requests on a persistent HTTP connection. Default: '15'. + +This parameter is only relevant if the [`keepalive` parameter][] is enabled. + +##### `max_keepalive_requests` + +Limits the number of requests allowed per connection when the [`keepalive` parameter][] is enabled. Default: '100'. + +##### `lib_path` + +Specifies the location where [Apache module][Apache modules] files are stored. Default: Depends on the operating system. + +- **Debian** and **Gentoo**: `/usr/lib/apache2/modules` +- **FreeBSD**: `/usr/local/libexec/apache24` +- **Red Hat**: `modules` + +> **Note**: Do not configure this parameter manually without special reason. + +##### `loadfile_name` + +Sets the [`LoadFile`] directive's filename. Valid options: Filenames in the format `\*.load`. + +This can be used to set the module load order. + +##### `log_level` + +Changes the error log's verbosity. Valid options: 'alert', 'crit', 'debug', 'emerg', 'error', 'info', 'notice', 'warn'. Default: 'warn'. + +##### `log_formats` + +Define additional [`LogFormat`][] directives. Valid options: A [hash][], such as: + +``` puppet +$log_formats = { vhost_common => '%v %h %l %u %t \"%r\" %>s %b' } +``` + +There are a number of predefined `LogFormats` in the `httpd.conf` that Puppet creates: + +``` httpd +LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined +LogFormat "%h %l %u %t \"%r\" %>s %b" common +LogFormat "%{Referer}i -> %U" referer +LogFormat "%{User-agent}i" agent +LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-agent}i\"" forwarded ``` -#####`logroot` - -Changes the directory where Apache log files for the virtual host are placed. Defaults to '/var/log/httpd' on RedHat, '/var/log/apache2' on Debian, and '/var/log/apache22' on FreeBSD. - -#####`logroot_mode` - -Overrides the mode the default logroot directory is set to ($::apache::logroot). Defaults to undef. Do NOT give people write access to the directory the logs are stored -in without being aware of the consequences; see http://httpd.apache.org/docs/2.4/logs.html#security for details. - -#####`manage_group` - -Setting this to 'false' stops the group resource from being created. This is for when you have a group, created from another Puppet module, you want to use to run Apache. Without this parameter, attempting to use a previously established group would result in a duplicate resource error. - -#####`manage_user` - -Setting this to 'false' stops the user resource from being created. This is for instances when you have a user, created from another Puppet module, you want to use to run Apache. Without this parameter, attempting to use a previously established user would result in a duplicate resource error. - -#####`mod_dir` - -Changes the location of the configuration directory your Apache modules configuration files are placed in. Defaults to '/etc/httpd/conf.d' for RedHat, '/etc/apache2/mods-available' for Debian, and '/usr/local/etc/apache22/Modules' for FreeBSD. - -#####`mpm_module` - -Determines which MPM is loaded and configured for the HTTPD process. Valid values are 'event', 'itk', 'peruser', 'prefork', 'worker', or 'false'. Defaults to 'prefork' on RedHat and FreeBSD, and 'worker' on Debian. Must be set to 'false' to explicitly declare the following classes with custom parameters: - -* `apache::mod::event` -* `apache::mod::itk` -* `apache::mod::peruser` -* `apache::mod::prefork` -* `apache::mod::worker` - -*Note:* Switching between different MPMs on FreeBSD is possible but quite difficult. Before changing `$mpm_module` you must uninstall all packages that depend on your currently-installed Apache. - -#####`package_ensure` - -Allows control over the package ensure attribute. Can be 'present','absent', or a version string. - -#####`ports_file` - -Changes the name of the file containing Apache ports configuration. Default is `${conf_dir}/ports.conf`. - -#####`purge_configs` - -Removes all other Apache configs and vhosts, defaults to 'true'. Setting this to 'false' is a stopgap measure to allow the apache module to coexist with existing or otherwise-managed configuration. It is recommended that you move your configuration entirely to resources within this module. - -#####`purge_vhost_configs` - -If `vhost_dir` != `confd_dir`, this controls the removal of any configurations that are not managed by Puppet within `vhost_dir`. It defaults to the value of `purge_configs`. Setting this to false is a stopgap measure to allow the apache module to coexist with existing or otherwise unmanaged configurations within `vhost_dir` - -#####`sendfile` - -Makes Apache use the Linux kernel sendfile to serve static files. Defaults to 'On'. - -#####`serveradmin` - -Sets the server administrator. Defaults to 'root@localhost'. - -#####`servername` - -Sets the server name. Defaults to `fqdn` provided by Facter. - -#####`server_root` - -Sets the root directory in which the server resides. Defaults to '/etc/httpd' on RedHat, '/etc/apache2' on Debian, and '/usr/local' on FreeBSD. - -#####`server_signature` - -Configures a trailing footer line under server-generated documents. More information about [ServerSignature](http://httpd.apache.org/docs/current/mod/core.html#serversignature). Defaults to 'On'. - -#####`server_tokens` - -Controls how much information Apache sends to the browser about itself and the operating system. More information about [ServerTokens](http://httpd.apache.org/docs/current/mod/core.html#servertokens). Defaults to 'OS'. - -#####`service_enable` - -Determines whether the HTTPD service is enabled when the machine is booted. Defaults to 'true'. - -#####`service_ensure` - -Determines whether the service should be running. Valid values are 'true', 'false', 'running', or 'stopped' when Puppet should manage the service. Any other value sets ensure to 'false' for the Apache service, which is useful when you want to let the service be managed by some other application like Pacemaker. Defaults to 'running'. - -#####`service_name` - -Name of the Apache service to run. Defaults to: 'httpd' on RedHat, 'apache2' on Debian, and 'apache22' on FreeBSD. - -#####`service_manage` - -Determines whether the HTTPD service state is managed by Puppet . Defaults to 'true'. - -#####`trace_enable` - -Controls how TRACE requests per RFC 2616 are handled. More information about [TraceEnable](http://httpd.apache.org/docs/current/mod/core.html#traceenable). Defaults to 'On'. - -#####`vhost_dir` - -Changes the location of the configuration directory your virtual host configuration files are placed in. Defaults to 'etc/httpd/conf.d' on RedHat, '/etc/apache2/sites-available' on Debian, and '/usr/local/etc/apache22/Vhosts' on FreeBSD. - -#####`apache_name` - -The name of the Apache package to install. This is automatically detected in `::apache::params`. You might need to override this if you are using a non-standard Apache package, such as those from Red Hat's software collections. - -####Defined Type: `apache::custom_config` - -Allows you to create custom configs for Apache. The configuration files are only added to the Apache confd dir if the file is valid. An error is raised during the Puppet run if the file is invalid and `$verify_config` is `true`. - -```puppet - apache::custom_config { 'test': - content => '# Test', - } +If your `log_formats` parameter contains one of those, it will be overwritten with **your** definition. + +##### `logroot` + +Changes the directory of Apache log files for the virtual host. Default: Determined by your operating system. + +- **Debian**: `/var/log/apache2` +- **FreeBSD**: `/var/log/apache22` +- **Gentoo**: `/var/log/apache2` +- **Red Hat**: `/var/log/httpd` + +##### `logroot_mode` + +Overrides the default [`logroot`][] directory's mode. Default: undef. + +> **Note**: Do _not_ grant write access to the directory where the logs are stored without being aware of the consequences. See the [Apache documentation][Log security] for details. + +##### `manage_group` + +When false, stops Puppet from creating the group resource. Valid options: Boolean. Default: true. + +If you have a group created from another Puppet module that you want to use to run Apache, set this to false. Without this parameter, attempting to use a previously established group results in a duplicate resource error. + +##### `manage_user` + +When false, stops Puppet from creating the user resource. Valid options: Boolean. Default: true. + +This is for instances when you have a user, created from another Puppet module, you want to use to run Apache. Without this parameter, attempting to use a previously established user would result in a duplicate resource error. + +##### `mod_dir` + +Sets where Puppet places configuration files for your [Apache modules][]. Default: Determined by your operating system. + +- **Debian**: `/etc/apache2/mods-available` +- **FreeBSD**: `/usr/local/etc/apache22/Modules` +- **Gentoo**: `/etc/apache2/modules.d` +- **Red Hat**: `/etc/httpd/conf.d` + +##### `mpm_module` + +Determines which [multi-processing module][] (MPM) is loaded and configured for the HTTPD process. Valid options: 'event', 'itk', 'peruser', 'prefork', 'worker', or false. Default: Determined by your operating system. + +- **Debian**: 'worker' +- **FreeBSD, Gentoo, and Red Hat**: 'prefork' + +You must set this to false to explicitly declare the following classes with custom parameters: + +- [`apache::mod::event`][] +- [`apache::mod::itk`][] +- [`apache::mod::peruser`][] +- [`apache::mod::prefork`][] +- [`apache::mod::worker`][] + +##### `package_ensure` + +Controls the `package` resource's [`ensure`][] attribute. Valid options: 'absent', 'installed' (or the equivalent 'present'), or a version string. Default: 'installed'. + +##### `pidfile` + +Allows settting a custom location for the pid file - useful if using a custom built Apache rpm. Default: Depends on operating system. + +- **Debian:** '\${APACHE_PID_FILE}' +- **FreeBSD:** '/var/run/httpd.pid' +- **Red Hat:** 'run/httpd.pid' + +##### `ports_file` + +Sets the path to the file containing Apache ports configuration. Default: '{$conf_dir}/ports.conf'. + +##### `purge_configs` + +Removes all other Apache configs and virtual hosts. Valid options: Boolean. Default: true. + +Setting this to false is a stopgap measure to allow the apache Puppet module to coexist with existing or unmanaged configurations. We recommend moving your configuration to resources within this module. For virtual host configurations, see [`purge_vhost_dir`][]. + +##### `purge_vhost_dir` + +If the [`vhost_dir`][] parameter's value differs from the [`confd_dir`][] parameter's, the Boolean parameter `purge_vhost_dir` determines whether Puppet removes any configurations inside `vhost_dir` _not_ managed by Puppet. Valid options: Boolean. Default: same as [`purge_configs`][]. + +Setting `purge_vhost_dir` to false is a stopgap measure to allow the apache Puppet module to coexist with existing or otherwise unmanaged configurations within `vhost_dir`. + +##### `rewrite_lock` + +Allows setting a custom location for a rewrite lock - considered best practice if using a RewriteMap of type prg in the [`rewrites`][] parameter of your virtual host. Default: undef. + +This parameter only applies to Apache version 2.2 or lower and is ignored on newer versions. + +##### `sendfile` + +Forces Apache to use the Linux kernel's `sendfile` support to serve static files, via the [`EnableSendfile`][] directive. Valid options: 'On', 'Off'. Default: 'On'. + +##### `serveradmin` + +Sets the Apache server administrator's contact information via Apache's [`ServerAdmin`][] directive. Default: 'root@localhost'. + +##### `servername` + +Sets the Apache server name via Apache's [`ServerName`][] directive. Default: the 'fqdn' fact reported by [Facter][]. + +Setting to false will not set ServerName at all. + +##### `server_root` + +Sets the Apache server's root directory via Apache's [`ServerRoot`][] directive. Default: determined by your operating system. + +- **Debian**: `/etc/apache2` +- **FreeBSD**: `/usr/local` +- **Gentoo**: `/var/www` +- **Red Hat**: `/etc/httpd` + +##### `server_signature` + +Configures a trailing footer line to display at the bottom of server-generated documents, such as error documents and output of certain [Apache modules][], via Apache's [`ServerSignature`][] directive. Valid options: 'Off', 'On'. Default: 'On'. + +##### `server_tokens` + +Controls how much information Apache sends to the browser about itself and the operating system, via Apache's [`ServerTokens`][] directive. Default: 'OS'. + +##### `service_enable` + +Determines whether Puppet enables the Apache HTTPD service when the system is booted. Valid options: Boolean. Default: true. + +##### `service_ensure` + +Determines whether Puppet should make sure the service is running. Valid options: 'true' (equivalent to 'running'), 'false' (equivalent to 'stopped'). Default: 'running'. + +The 'false' or 'stopped' values set the 'httpd' service resource's `ensure` parameter to 'false', which is useful when you want to let the service be managed by another application, such as Pacemaker. + +##### `service_name` + +Sets the name of the Apache service. Default: determined by your operating system. + +- **Debian and Gentoo**: 'apache2' +- **FreeBSD**: 'apache22' +- **Red Hat**: 'httpd' + +##### `service_manage` + +Determines whether Puppet manages the HTTPD service's state. Valid options: Boolean. Default: true. + +##### `service_restart` + +Determines whether Puppet should use a specific command to restart the HTTPD service. Valid options: a command to restart the Apache service. Default: undef, which uses the [default Puppet behavior][Service attribute restart]. + +##### `ssl_stapling` + +Specifies whether or not to use [SSLUseStapling](http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslusestapling). Valid options: Boolean. Default: false. It is possible to override this on a vhost level. + +This parameter only applies to Apache 2.4 or higher and is ignored on older versions. + +##### `ssl_stapling_return_errors` + +Can be used to set the [SSLStaplingReturnResponderErrors](http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslstaplingreturnrespondererrors) directive. No default. It is possible to override this on a vhost level. + +This parameter only applies to Apache 2.4 or higher and is ignored on older versions. + +##### `timeout` + +Sets Apache's [`TimeOut`][] directive, which defines the number of seconds Apache waits for certain events before failing a request. Default: 120. + +##### `trace_enable` + +Controls how Apache handles `TRACE` requests (per [RFC 2616][]) via the [`TraceEnable`][] directive. Valid options: 'Off', 'On'. Default: 'On'. + +##### `use_systemd` + +Controls whether the systemd module should be installed on Centos 7 servers, this is especially useful if using custom-built RPMs. Valid options: Boolean. Default: true. + +##### `file_mode` + +Sets the desired permissions mode for config files, in symbolic or numeric notation. Valid options: A string. Default: '0644'. + +##### `root_directory_options` + +Array of the desired options for the / directory in httpd.conf. Defaults to 'FollowSymLinks'. + +##### `root_directory_secured` + +Sets the default access policy for the / directory in httpd.conf. A value of 'false' allows access to all resources that are missing a more specific access policy. A value of 'true' denies access to all resources by default. In this case more specific rules must be used to allow access to these resources (e.g. in a directory block using the [`directories`](#parameter-directories-for-apachevhost) parameter). Valid options: Boolean. Default: false. + +##### `vhost_dir` + +Changes your virtual host configuration files' location. Default: determined by your operating system. + +- **Debian**: `/etc/apache2/sites-available` +- **FreeBSD**: `/usr/local/etc/apache22/Vhosts` +- **Gentoo**: `/etc/apache2/vhosts.d` +- **Red Hat**: `/etc/httpd/conf.d` + +##### `vhost_include_pattern` + +Defines the pattern for files included from the `vhost_dir`. Default: '*', also for BC with previous versions of this module. + +However, you might want to set this to a value like '[^.#]\*.conf[^~]' to make sure files accidentally created in this directory (such as files created by version control systems or editor backups) are *not* included in your server configuration. + +Some operating systems ship with a value of '*.conf'. Also note that this module will, by default, create configuration files ending in '.conf'. + +##### `user` + +Changes the user Apache uses to answer requests. Apache's parent process will continue to be run as root, but child processes will access resources as the user defined by this parameter. + +Default: Puppet sets the default value via the [`apache::params`][] class, which manages the user based on your operating system: + +- **Debian**: 'www-data' +- **FreeBSD**: 'www' +- **Gentoo** and **Red Hat**: 'apache' + +To prevent Puppet from managing the user, set the [`manage_user`][] parameter to false. + +##### `apache_name` + +The name of the Apache package to install. Default: Puppet sets the default value via the [`apache::params`][] class, which manages the user based on your operating system: + +The default value is determined by your operating system: + +- **Debian**: 'apache2' +- **FreeBSD**: 'apache24' +- **Gentoo**: 'www-servers/apache' +- **Red Hat**: 'httpd' + +You might need to override this if you are using a non-standard Apache package, such as those from Red Hat's software collections. + +##### `error_log` + +The name of the error log file for the main server instance + +The default value is determined by your operating system: + +- **Debian**: 'error.log' +- **FreeBSD**: 'httpd-error.log' +- **Gentoo**: 'error.log' +- **Red Hat**: 'error_log' +- **Suse**: 'error.log' + +If the string starts with / or | or syslog: the full path will be set. Otherwise the filename will be prefixed with $logroot + +##### `scriptalias` + +Directory to use for global script alias + +The default value is determined by your operating system: + +- **Debian**: '/usr/lib/cgi-bin' +- **FreeBSD**: '/usr/local/www/apache24/cgi-bin' +- **Gentoo**: 'var/www/localhost/cgi-bin' +- **Red Hat**: '/var/www/cgi-bin' +- **Suse**: '/usr/lib/cgi-bin' + +##### `access_log_file` + +The name of the access log file for the main server instance + +The default value is determined by your operating system: + +- **Debian**: 'error.log' +- **FreeBSD**: 'httpd-access.log' +- **Gentoo**: 'access.log' +- **Red Hat**: 'access_log' +- **Suse**: 'access.log' + +#### Class: `apache::dev` + +Installs Apache development libraries. By default, the package name is defined by the [`dev_packages`][] parameter of the [`apache::params`][] class based on your operating system: + +The default value is determined by your operating system: + +- **Debian** : 'libaprutil1-dev', 'libapr1-dev'; 'apache2-dev' on Ubuntu 13.10 and Debian 8; 'apache2-prefork-dev' on other versions +- **FreeBSD**: 'undef'; see note below +- **Gentoo**: 'undef' +- **Red Hat**: 'httpd-devel' + +> **Note**: On FreeBSD, you must declare the `apache::package` or `apache` classes before declaring `apache::dev`. + +#### Class: `apache::vhosts` + +Creates [`apache::vhost`][] defined types. + +**Parameters within `apache::vhosts`**: + +- `vhosts`: A [hash][] where the key represents the name and the value represents a [hash][] of [`apache::vhost`][] defined type's parameters. Default: '{}' + +> **Note**: See the [`apache::vhost`][] defined type's reference for a list of all virtual host parameters or [Configuring virtual hosts]. + +For example, to create a [name-based virtual host][name-based virtual hosts] 'custom_vhost_1, you can declare the class with the `vhosts` parameter set to '{ "custom_vhost_1" => { "docroot" => "/var/www/custom_vhost_1", "port" => "81" }': + +``` puppet +class { 'apache::vhosts': + vhosts => { + 'custom_vhost_1' => { + 'docroot' => '/var/www/custom_vhost_1', + 'port' => '81', + }, + }, +} ``` -**Parameters within `apache::custom_config`:** - -#####`ensure` - -Specify whether the configuration file is present or absent. Defaults to 'present'. Valid values are 'present' and 'absent'. - -#####`confdir` - -The directory to place the configuration file in. Defaults to `$::apache::confd_dir`. - -#####`content` - -The content of the configuration file. Only one of `$content` and `$source` can be specified. - -#####`priority` - -The priority of the configuration file, used for ordering. Defaults to '25'. - -Pass priority `false` to omit the priority prefix in file names. - -#####`source` - -The source of the configuration file. Only one of `$content` and `$source` can be specified. - -#####`verify_command` - -The command to use to verify the configuration file. It should use a fully qualified command. Defaults to '/usr/sbin/apachectl -t'. The `$verify_command` is only used if `$verify_config` is `true`. If the `$verify_command` fails, the configuration file is deleted, the Apache service is not notified, and an error is raised during the Puppet run. - -#####`verify_config` - -Boolean to specify whether the configuration file should be validated before the Apache service is notified. Defaults to `true`. - -####Class: `apache::default_mods` - -Installs default Apache modules based on what OS you are running. - -```puppet - class { 'apache::default_mods': } +#### Classes: `apache::mod::<MODULE NAME>` + +Enables specific [Apache modules][]. You can enable and configure an Apache module by declaring its class. For example, to install and enable [`mod_alias`][] with no icons, you can declare the [`apache::mod::alias`][] class with the `icons_options` parameter set to 'None': + +``` puppet +class { 'apache::mod::alias': + icons_options => 'None', +} ``` -####Defined Type: `apache::mod` - -Used to enable arbitrary Apache HTTPD modules for which there is no specific `apache::mod::[name]` class. The `apache::mod` defined type also installs the required packages to enable the module, if any. - -```puppet - apache::mod { 'rewrite': } - apache::mod { 'ldap': } -``` - -####Classes: `apache::mod::[name]` - -There are many `apache::mod::[name]` classes within this module that can be declared using `include`: +The following Apache modules have supported classes, many of which allow for parameterized configuration. You can install other Apache modules with the [`apache::mod`][] defined type. * `actions` -* `alias` +* `alias` (see [`apache::mod::alias`][]) * `auth_basic` -* `auth_cas`* (see [`apache::mod::auth_cas`](#class-apachemodauthcas) below) +* `auth_cas`\* (see [`apache::mod::auth_cas`][]) +* `auth_mellon`\* (see [`apache::mod::auth_mellon`][]) * `auth_kerb` -* `authnz_ldap`* +* `authn_core` +* `authn_dbd`\* (see [`apache::mod::authn_dbd`][]) +* `authn_file` +* `authnz_ldap`\* (see [`apache::mod::authnz_ldap`][]) +* `authz_default` +* `authz_user` * `autoindex` * `cache` * `cgi` * `cgid` +* `cluster` (see [`apache::mod::cluster`][]) * `dav` * `dav_fs` -* `dav_svn`* -* `deflate` +* `dav_svn`\* +* `dbd` +* `deflate\` * `dev` -* `dir`* -* `disk_cache` -* `event`(see [`apache::mod::event`](#class-apachemodevent) below) +* `dir`\* +* `disk_cache` (see [`apache::mod::disk_cache`][]) +* `dumpio` (see [`apache::mod::dumpio`][]) +* `env` +* `event` (see [`apache::mod::event`][]) * `expires` +* `ext_filter` (see [`apache::mod::ext_filter`][]) * `fastcgi` * `fcgid` * `filter` +* `geoip` (see [`apache::mod::geoip`][]) * `headers` * `include` -* `info`* +* `info`\* * `itk` -* `ldap` +* `ldap` (see [`apache::mod::ldap`][]) * `mime` -* `mime_magic`* +* `mime_magic`\* * `negotiation` -* `nss`* -* `pagespeed` (see [`apache::mod::pagespeed`](#class-apachemodpagespeed) below) -* `passenger`* +* `nss`\* +* `pagespeed` (see [`apache::mod::pagespeed`][]) +* `passenger`\* (see [`apache::mod::passenger`][]) * `perl` * `peruser` -* `php` (requires [`mpm_module`](#mpm_module) set to `prefork`) -* `prefork`* -* `proxy`* +* `php` (requires [`mpm_module`][] set to `prefork`) +* `prefork`\* +* `proxy`\* (see [`apache::mod::proxy`][]) * `proxy_ajp` +* `proxy_balancer`\* (see [`apache::mod::proxy_balancer`][]) * `proxy_balancer` -* `proxy_html` +* `proxy_html` (see [`apache::mod::proxy_html`][]) * `proxy_http` * `python` * `reqtimeout` +* `remoteip`\* * `rewrite` -* `rpaf`* +* `rpaf`\* * `setenvif` * `security` -* `shib`* (see [`apache::mod::shib`](#class-apachemodshib) below) +* `shib`\* (see [`apache::mod::shib`]) * `speling` -* `ssl`* (see [`apache::mod::ssl`](#class-apachemodssl) below) -* `status`* (see [`apache::mod::status`](#class-apachemodstatus) below) +* `ssl`\* (see [`apache::mod::ssl`][]) +* `status`\* (see [`apache::mod::status`][]) * `suphp` -* `userdir`* +* `userdir`\* +* `version` * `vhost_alias` -* `worker`* -* `wsgi` (see [`apache::mod::wsgi`](#class-apachemodwsgi) below) +* `worker`\* +* `wsgi` (see [`apache::mod::wsgi`][]) * `xsendfile` -Modules noted with a * indicate that the module has settings and, thus, a template that includes parameters. These parameters control the module's configuration. Most of the time, these parameters do not require any configuration or attention. - -The modules mentioned above, and other Apache modules that have templates, cause template files to be dropped along with the mod install. The module will not work without the template. Any module without a template installs the package but drops no files. - -####Class: `apache::mod::event` - -Installs and manages mpm_event module. - -Full Documentation for mpm_event is available from [Apache](https://httpd.apache.org/docs/current/mod/event.html). - -To configure the event thread limit: - -```puppet - class {'apache::mod::event': - $threadlimit => '128', - } -``` - -####Class: `apache::mod::auth_cas` - -Installs and manages mod_auth_cas. The parameters `cas_login_url` and `cas_validate_url` are required. - -Full documentation on mod_auth_cas is available from [JASIG](https://github.com/Jasig/mod_auth_cas). - -####Class: `apache::mod::info` - -Installs and manages mod_info which provides a comprehensive overview of the server configuration. - -Full documentation for mod_info is available from [Apache](https://httpd.apache.org/docs/current/mod/mod_info.html). - -These are the default settings: - -```puppet - $allow_from = ['127.0.0.1','::1'], - $apache_version = $::apache::apache_version, - $restrict_access = true, -``` - -To set the addresses that are allowed to access /server-info add the following: - -```puppet - class {'apache::mod::info': - allow_from => [ - '10.10.36', - '10.10.38', - '127.0.0.1', - ], - } -``` - -To disable the access restrictions add the following: - -```puppet - class {'apache::mod::info': - restrict_access => false, - } -``` - -It is not recommended to leave this set to false though it can be very useful for testing. For this reason, you can insert this setting in your normal code to temporarily disable the restrictions like so: - -```puppet - class {'apache::mod::info': - restrict_access => false, # false disables the block below - allow_from => [ - '10.10.36', - '10.10.38', - '127.0.0.1', - ], - } +Modules noted with a * indicate that the module has settings and a template that includes parameters to configure the module. Most Apache module class parameters have default values and don't require configuration. For modules with templates, Puppet installs template files with the module; these template files are required for the module to work. + +##### Class: `apache::mod::alias` + +Installs and manages [`mod_alias`][]. + +**Parameters within `apache::mod::alias`**: + +* `icons_options`: Disables directory listings for the icons directory, via Apache [`Options`] directive. Default: 'Indexes MultiViews'. +* `icons_path`: Sets the local path for an `/icons/` Alias. Default: depends on your operating system. + +- **Debian**: `/usr/share/apache2/icons` +- **FreeBSD**: `/usr/local/www/apache24/icons` +- **Gentoo**: `/var/www/icons` +- **Red Hat**: `/var/www/icons`, except on Apache 2.4, where it's `/usr/share/httpd/icons` + +#### Class: `apache::mod::disk_cache` + +Installs and configures [`mod_disk_cache`][] on Apache 2.2, or [`mod_cache_disk`][] on Apache 2.4. The default cache root depends on the Apache version and operating system: + +- **Debian**: `/var/cache/apache2/mod_cache_disk` +- **FreeBSD**: `/var/cache/mod_cache_disk` +- **Red Hat, Apache 2.4**: `/var/cache/httpd/proxy` +- **Red Hat, Apache 2.2**: `/var/cache/mod_proxy` + +You can specify the cache root by passing a path as a string to the `cache_root` parameter. + +``` puppet +class {'::apache::mod::disk_cache': + cache_root => '/path/to/cache', +} ``` - -####Class: `apache::mod::pagespeed` - -Installs and manages mod_pagespeed, which is a Google module that rewrites web pages to reduce latency and bandwidth. - -This module does *not* manage the software repositories needed to automatically install the -mod-pagespeed-stable package. The module does however require that the package be installed, -or be installable using the system's default package provider. You should ensure that this -pre-requisite is met or declaring `apache::mod::pagespeed` causes the Puppet run to fail. - -These are the defaults: - -```puppet - class { 'apache::mod::pagespeed': - inherit_vhost_config => 'on', - filter_xhtml => false, - cache_path => '/var/cache/mod_pagespeed/', - log_dir => '/var/log/pagespeed', - memcache_servers => [], - rewrite_level => 'CoreFilters', - disable_filters => [], - enable_filters => [], - forbid_filters => [], - rewrite_deadline_per_flush_ms => 10, - additional_domains => undef, - file_cache_size_kb => 102400, - file_cache_clean_interval_ms => 3600000, - lru_cache_per_process => 1024, - lru_cache_byte_limit => 16384, - css_flatten_max_bytes => 2048, - css_inline_max_bytes => 2048, - css_image_inline_max_bytes => 2048, - image_inline_max_bytes => 2048, - js_inline_max_bytes => 2048, - css_outline_min_bytes => 3000, - js_outline_min_bytes => 3000, - inode_limit => 500000, - image_max_rewrites_at_once => 8, - num_rewrite_threads => 4, - num_expensive_rewrite_threads => 4, - collect_statistics => 'on', - statistics_logging => 'on', - allow_view_stats => [], - allow_pagespeed_console => [], - allow_pagespeed_message => [], - message_buffer_size => 100000, - additional_configuration => { } - } -``` - -Full documentation for mod_pagespeed is available from [Google](http://modpagespeed.com). - -####Class: `apache::mod::php` - -Installs and configures mod_php. The defaults are OS-dependant. - -Overriding the package name: -```puppet - class {'::apache::mod::php': - package_name => "php54-php", - path => "${::apache::params::lib_path}/libphp54-php5.so", - } -``` - -Overriding the default configuartion: -```puppet - class {'::apache::mod::php': - source => 'puppet:///modules/apache/my_php.conf', - } -``` - -or -```puppet - class {'::apache::mod::php': - template => 'apache/php.conf.erb', - } -``` - -or - -```puppet - class {'::apache::mod::php': - content => ' -AddHandler php5-script .php -AddType text/html .php', - } -``` -####Class: `apache::mod::shib` - -Installs the [Shibboleth](http://shibboleth.net/) module for Apache which allows the use of SAML2 Single-Sign-On (SSO) authentication by Shibboleth Identity Providers and Shibboleth Federations. This class only installs and configures the Apache components of a Shibboleth Service Provider (a web application that consumes Shibboleth SSO identities). The Shibboleth configuration can be managed manually, with Puppet, or using a [Shibboleth Puppet Module](https://github.com/aethylred/puppet-shibboleth). - -Defining this class enables the Shibboleth specific parameters in `apache::vhost` instances. - -####Class: `apache::mod::ssl` - -Installs Apache SSL capabilities and uses the ssl.conf.erb template. These are the defaults: - -```puppet - class { 'apache::mod::ssl': - ssl_compression => false, - ssl_options => [ 'StdEnvVars' ], - ssl_cipher => 'HIGH:MEDIUM:!aNULL:!MD5', - ssl_protocol => 'all -SSLv2 -SSLv3', - ssl_pass_phrase_dialog => 'builtin', - ssl_random_seed_bytes => '512', - } -``` - -To *use* SSL with a virtual host, you must either set the`default_ssl_vhost` parameter in `::apache` to 'true' or set the `ssl` parameter in `apache::vhost` to 'true'. - -####Class: `apache::mod::status` - -Installs Apache mod_status and uses the status.conf.erb template. These are the defaults: - -```puppet - class { 'apache::mod::status': - allow_from = ['127.0.0.1','::1'], - extended_status = 'On', - status_path = '/server-status', -){ - - - } -``` - -####Class: `apache::mod::wsgi` - -Enables Python support in the WSGI module. To use, simply `include 'apache::mod::wsgi'`. - -For customized parameters, which tell Apache how Python is currently configured on the operating system, - -```puppet - class { 'apache::mod::wsgi': - wsgi_socket_prefix => "\${APACHE_RUN_DIR}WSGI", - wsgi_python_home => '/path/to/venv', - wsgi_python_path => '/path/to/venv/site-packages', - } -``` - -To specify an alternate mod\_wsgi package name to install and the name of the module .so it provides, -(e.g. a "python27-mod\_wsgi" package that provides "python27-mod_wsgi.so" in the default module directory): +##### Class: `apache::mod::diskio` + +Installs and configures [`mod_diskio`][]. ```puppet - class { 'apache::mod::wsgi': - wsgi_socket_prefix => "\${APACHE_RUN_DIR}WSGI", - wsgi_python_home => '/path/to/venv', - wsgi_python_path => '/path/to/venv/site-packages', - package_name => 'python27-mod_wsgi', - mod_path => 'python27-mod_wsgi.so', - } +class{'apache': + default_mods => false, + log_level => 'dumpio:trace7', +} +class{'apache::mod::diskio': + disk_io_input => 'On', + disk_io_output => 'Off', +} ``` -If ``mod_path`` does not contain "/", it will be prefixed by the default module path -for your OS; otherwise, it will be used literally. - -More information about [WSGI](http://modwsgi.readthedocs.org/en/latest/). - -####Class: `apache::mod::fcgid` - -Installs and configures mod_fcgid. - -The class makes no effort to list all available options, but rather uses an options hash to allow for ultimate flexibility: - -```puppet - class { 'apache::mod::fcgid': - options => { - 'FcgidIPCDir' => '/var/run/fcgidsock', - 'SharememPath' => '/var/run/fcgid_shm', - 'AddHandler' => 'fcgid-script .fcgi', - }, - } + +**Parameters withing `apache::mod::diskio`**: + +- `dump_io_input`: Dump all input data to the error log. Must be `On` or `Off`, defaults to `Off` +- `dump_io_output`: Dump all output data to the error log. Must be `On` or `Off`, defaults to `Off` + +##### Class: `apache::mod::event` + +Installs and manages [`mod_mpm_event`][]. You can't include both `apache::mod::event` and [`apache::mod::itk`][], [`apache::mod::peruser`][], [`apache::mod::prefork`][], or [`apache::mod::worker`][] on the same server. + +**Parameters within `apache::mod::event`**: + +- `listenbacklog`: Sets the maximum length of the pending connections queue via the module's [`ListenBackLog`][] directive. Default: '511'. Setting this to 'false' removes the parameter. +- `maxrequestworkers` (_Apache 2.3.12 or older_: `maxclients`): Sets the maximum number of connections Apache can simultaneously process, via the module's [`MaxRequestWorkers`][] directive. Default: '150'. Setting these to 'false' removes the parameters. +- `maxconnectionsperchild` (_Apache 2.3.8 or older_: `maxrequestsperchild`): Limits the number of connections a child server handles during its life, via the module's [`MaxConnectionsPerChild`][] directive. Default: '0'. Setting these to 'false' removes the parameters. +- `maxsparethreads` and `minsparethreads`: Sets the maximum and minimum number of idle threads, via the [`MaxSpareThreads`][] and [`MinSpareThreads`][] directives. Default: '75' and '25', respectively. Setting these to 'false' removes the parameters. +- `serverlimit`: Limits the configurable number of processes via the [`ServerLimit`][] directive. Default: '25'. Setting this to 'false' removes the parameter. +- `startservers`: Sets the number of child server processes created at startup, via the module's [`StartServers`][] directive. Default: '2'. Setting this to 'false' removes the parameter. +- `threadlimit`: Limits the number of event threads via the module's [`ThreadLimit`][] directive. Default: '64'. Setting this to 'false' removes the parameter. +- `threadsperchild`: Sets the number of threads created by each child process, via the [`ThreadsPerChild`][] directive. Default: '25'. Setting this to 'false' removes the parameter. + +##### Class: `apache::mod::auth_cas` + +Installs and manages [`mod_auth_cas`][]. Its parameters share names with the Apache module's directives. + +The `cas_login_url` and `cas_validate_url` parameters are required; several other parameters have 'undef' default values. + +**Note**: The auth\_cas module isn't available on RH/CentOS without providing dependency packages provided by EPEL. See [https://github.com/Jasig/mod_auth_cas]() + +**Parameters within `apache::mod::auth_cas`**: + +- `cas_attribute_prefix`: Adds a header with the value of this header being the attribute values when SAML + validation is enabled. Default: CAS_ +- `cas_attribute_delimiter`: The delimiter between attribute values in the header created by `cas_attribute_prefix`. + Default: , +- `cas_authoritative`: Determines whether an optional authorization directive is authoritative and binding. Default: undef. +- `cas_certificate_path`: Sets the path to the X509 certificate of the Certificate Authority for the server in `cas_login_url` and `cas_validate_url`. Default: undef. +- `cas_cache_clean_interval`: Sets the minimum number of seconds that must pass between cache cleanings. Default: undef. +- `cas_cookie_domain`: Sets the value of the `Domain=` parameter in the `Set-Cookie` HTTP header. Default: undef. +- `cas_cookie_entropy`: Sets the number of bytes to use when creating session identifiers. Default: undef. +- `cas_cookie_http_only`: Sets the optional `HttpOnly` flag when `mod_auth_cas` issues cookies. Default: undef. +- `cas_cookie_path`: Where cas cookie session data is stored. Should be writable by web server user. Default: OS dependent. +- `cas_cookie_path_mode`: The mode of `cas_cookie_path`. Default: '0750'. +- `cas_debug`: Determines whether to enable the module's debugging mode. Default: 'Off'. +- `cas_idle_timeout`: Default: undef. +- `cas_login_url`: **Required**. Sets the URL to which the module redirects users when they attempt to access a CAS-protected resource and don't have an active session. +- `cas_proxy_validate_url`: The URL to use when performing a proxy validation. Default: undef. +- `cas_root_proxied_as`: Sets the URL end users see when access to this Apache server is proxied. Default: undef. +- `cas_scrub_request_headers`: Remove inbound request headers that may have special meaning within mod_auth_cas. +- `cas_sso_enabled`: Enables experimental support for single sign out (may mangle POST data). Default: off +- `cas_timeout`: Limits the number of seconds a `mod_auth_cas` session can remain active. Default: undef. +- `cas_validate_depth`: Limits the depth for chained certificate validation. Default: undef. +- `cas_validate_saml`: Parse response from CAS server for SAML. Default: Off +- `cas_validate_server`: Should we validate the cert of the CAS server (depreciated in 1.1 - RedHat 7). Default: undef. +- `cas_validate_url`: **Required**. Sets the URL to use when validating a client-presented ticket in an HTTP query string. +- `cas_version`: The CAS protocol version to adhere to. Valid options: '1', '2'. Default: '2'. +- `suppress_warning`: Don't wine about being on RedHat (Hint: mod_auth_cas package is now available in epel-testing repo). Default: false. + +##### Class: `apache::mod::auth_mellon` + +Installs and manages [`mod_auth_mellon`][]. Its parameters share names with the Apache module's directives. + +``` puppet +class{ 'apache::mod::auth_mellon': + mellon_cache_size => 101, +} +``` + +**Parameters within `apache::mod::auth_mellon`**: + +- `mellon_cache_entry_size`: Maximum size for a single session. Default: undef. +- `mellon_cache_size`: Size in megabytes of the mellon cache. Default: 100. +- `mellon_lock_file`: Location of lock file. Default: '`/run/mod_auth_mellon/lock`'. +- `mellon_post_directory`: Full path where post requests are saved. Default: '`/var/cache/apache2/mod_auth_mellon/`' +- `mellon_post_ttl`: Time to keep post requests. Default: undef. +- `mellon_post_size`: Maximum size of post requests. Default: undef. +- `mellon_post_count`: Maximum number of post requests. Default: undef. + +##### Class: `apache::mod::authn_dbd` + +Installs `mod_authn_dbd` and uses `authn_dbd.conf.erb` template to generate its configuration. Optionally creates AuthnProviderAlias. + +``` puppet +class { 'apache::mod::authn_dbd': + $authn_dbd_params => + 'host=db01 port=3306 user=apache password=xxxxxx dbname=apacheauth', + $authn_dbd_query => 'SELECT password FROM authn WHERE user = %s', + $authn_dbd_alias => 'db_auth', +} +``` + +** Parameters within `apache::mod::authn_dbd` +- `authn_dbd_alias`: Name for the AuthnProviderAlias. +- `authn_dbd_dbdriver`: Which db driver to use. Default: mysql. +- `authn_dbd_exptime`: corresponds to DBDExptime. Default: 300. +- `authn_dbd_keep`: corresponds to DBDKeep. Default: 8. +- `authn_dbd_max`: corresponds to DBDMax. Default: 20. +- `authn_dbd_min`: corresponds to DBDMin. Default: 4. +- `authn_dbd_params`: **Required**. Corresponds to DBDParams for the connection string. +- `authn_dbd_query`: is the query used to test a user and password for authentication. + +##### Class: `apache::mod::authnz_ldap` + +Installs `mod_authnz_ldap` and uses the `authnz_ldap.conf.erb` template to generate its configuration. + +**Parameters within `apache::mod::authnz_ldap`**: + +- `package_name`: Default: `undef`. +- `verify_server_cert`: Default: `undef`. + +##### Class: `apache::mod::cluster` + +**Note**: There is no official package available for mod\_cluster and thus it must be made available by means outside of the control of the apache module. Binaries can be found at http://mod-cluster.jboss.org/ + +``` puppet +class { '::apache::mod::cluster': + ip => '172.17.0.1', + allowed_network => '172.17.0.', + balancer_name => 'mycluster', + version => '1.3.1' +} ``` -For a full list op options, see the [official mod_fcgid documentation](https://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html). - -It is also possible to set the FcgidWrapper per directory per vhost. You must ensure the fcgid module is loaded because there is no auto loading. - -```puppet - include apache::mod::fcgid - apache::vhost { 'example.org': - docroot => '/var/www/html', - directories => { - path => '/var/www/html', - fcgiwrapper => { - command => '/usr/local/bin/fcgiwrapper', - } - }, +**Parameters within `apache::mod::cluster`**: + +- `port`: mod_cluster listen port. Default: '6666'. +- `server_advertise`: Whether the server should advertise. Default: true. +- `manager_allowed_network`: Network allowed to access the mod_cluster_manager. Default: '127.0.0.1'. +- `keep_alive_timeout`: Keep-alive timeout. Default: 60. +- `max_keep_alive_requests`: Max number of requests kept alive. Default: 0 +- `enable_mcpm_receive`: Whether MCPM should be enabled: Default: true. +- `ip`: Listen ip address.. +- `allowed_network`: Balanced members network. +- `version`: mod_cluster version. >= 1.3.0 is required for httpd 2.4. + +##### Class: `apache::mod::deflate` + +Installs and configures [`mod_deflate`][]. + +**Parameters within `apache::mod::deflate`**: + +- `types`: An [array][] of [MIME types][MIME `content-type`] to be deflated. Default: [ 'text/html text/plain text/xml', 'text/css', 'application/x-javascript application/javascript application/ecmascript', 'application/rss+xml', 'application/json' ]. +- `notes`: A [Hash][] where the key represents the type and the value represents the note name. Default: { 'Input' => 'instream', 'Output' => 'outstream', 'Ratio' => 'ratio' } + +##### Class: `apache::mod::expires` + +Installs [`mod_expires`][] and uses the `expires.conf.erb` template to generate its configuration. + +**Parameters within `apache::mod::expires`**: + +- `expires_active`: Enables generation of `Expires` headers for a document realm. Valid options: Boolean. Default: true. +- `expires_default`: Default algorithm for calculating expiration time using [`ExpiresByType`][] syntax or [interval syntax][]. Default: undef. +- `expires_by_type`: Describes a set of [MIME `content-type`][] and their expiration times. Valid options: An [array][] of [Hashes][Hash], with each Hash's key a valid MIME `content-type` (i.e. 'text/json') and its value following valid [interval syntax][]. Default: undef. + +##### Class: `apache::mod::ext_filter` + +Installs and configures [`mod_ext_filter`][]. + +``` puppet +class { 'apache::mod::ext_filter': + ext_filter_define => { + 'slowdown' => 'mode=output cmd=/bin/cat preservescontentlength', + 'puppetdb-strip' => 'mode=output outtype=application/json cmd="pdb-resource-filter"', + }, +} +``` + +**Parameters within `apache::mod::ext_filter`**: + +- `ext_filter_define`: A hash of filter names and their parameters. Default: undef. + +##### Class: `apache::mod::fcgid` + +Installs and configures [`mod_fcgid`][]. + +The class makes no effort to individually parameterize all available options. Instead, configure `mod_fcgid` using the `options` [hash][]. For example: + +``` puppet +class { 'apache::mod::fcgid': + options => { + 'FcgidIPCDir' => '/var/run/fcgidsock', + 'SharememPath' => '/var/run/fcgid_shm', + 'AddHandler' => 'fcgid-script .fcgi', + }, +} +``` + +For a full list of options, see the [official `mod_fcgid` documentation][`mod_fcgid`]. + +If you include `apache::mod::fcgid`, you can set the [`FcgidWrapper`][] per directory, per virtual host. The module must be loaded first; Puppet will not automatically enable it if you set the `fcgiwrapper` parameter in `apache::vhost`. + +``` puppet +include apache::mod::fcgid + +apache::vhost { 'example.org': + docroot => '/var/www/html', + directories => { + path => '/var/www/html', + fcgiwrapper => { + command => '/usr/local/bin/fcgiwrapper', } + }, +} ``` -See [FcgidWrapper documentation](https://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html#fcgidwrapper) for more information. - -####Class: `apache::mod::negotiation` - -Installs and configures mod_negotiation. If there are not provided any -parameter, default apache mod_negotiation configuration is done. - -```puppet - class { '::apache::mod::negotiation': - force_language_priority => 'Prefer', - language_priority => [ 'es', 'en', 'ca', 'cs', 'da', 'de', 'el', 'eo' ], - } +##### Class: `apache::mod::geoip` + +Installs and manages [`mod_geoip`][]. + +**Parameters within `apache::mod::geoip`**: + +- `db_file`: Sets the path to your GeoIP database file. Valid options: a path, or an [array][] paths for multiple GeoIP database files. Default: `/usr/share/GeoIP/GeoIP.dat`. +- `enable`: Determines whether to globally enable [`mod_geoip`][]. Valid options: Boolean. Default: false. +- `flag`: Sets the GeoIP flag. Valid options: 'CheckCache', 'IndexCache', 'MemoryCache', 'Standard'. Default: 'Standard'. +- `output`: Defines which output variables to use. Valid options: 'All', 'Env', 'Request', 'Notes'. Default: 'All'. +- `enable_utf8`: Changes the output from ISO-8859-1 (Latin-1) to UTF-8. Valid options: Boolean. Default: undef. +- `scan_proxy_headers`: Enables the [GeoIPScanProxyHeaders][] option. Valid options: Boolean. Default: undef. +- `scan_proxy_header_field`: Specifies which header [`mod_geoip`][] should look at to determine the client's IP address. Default: undef. +- `use_last_xforwarededfor_ip` (sic): Determines whether to use the first or last IP address for the client's IP if a comma-separated list of IP addresses is found. Valid options: Boolean. Default: undef. + +##### Class: `apache::mod::info` + +Installs and manages [`mod_info`][], which provides a comprehensive overview of the server configuration. + +**Parameters within `apache::mod::info`**: + +- `allow_from`: Whitelist of IPv4 or IPv6 addresses or ranges that can access `/server-info`. Valid options: One or more octets of an IPv4 address, an IPv6 address or range, or an array of either. Default: ['127.0.0.1','::1']. +- `apache_version`: Apache's version number as a string, such as '2.2' or '2.4'. Default: the value of [`$::apache::apache_version`][`apache_version`]. +- `restrict_access`: Determines whether to enable access restrictions. If false, the `allow_from` whitelist is ignored and any IP address can access `/server-info`. Valid options: Boolean. Default: true. + +##### Class: `apache::mod::passenger` + +Installs and manages [`mod_passenger`][]. For RedHat based systems, please ensure that you meet the minimum requirements as described in the [passenger docs](https://www.phusionpassenger.com/library/install/apache/install/oss/el6/#step-1:-upgrade-your-kernel,-or-disable-selinux) + +**Parameters within `apache::mod::passenger`**: + +- `passenger_high_performance` Sets the [`PassengerHighPerformance`](https://www.phusionpassenger.com/library/config/apache/reference/#passengerhighperformance). Valid options: 'on', 'off'. Default: undef. +- `passenger_pool_idle_time` Sets the [`PassengerPoolIdleTime`](https://www.phusionpassenger.com/library/config/apache/reference/#passengerpoolidletime). Default: undef. +- `passenger_max_pool_size` Sets the [`PassengerMaxPoolSize`](https://www.phusionpassenger.com/library/config/apache/reference/#passengermaxpoolsize). Default: undef. +- `passenger_max_request_queue_size` Sets the [`PassengerMaxRequestQueueSize`](https://www.phusionpassenger.com/library/config/apache/reference/#passengermaxrequestqueuesize). Default: undef. +- `passenger_max_requests` Sets the [`PassengerMaxRequests`](https://www.phusionpassenger.com/library/config/apache/reference/#passengermaxrequests). Default: undef. +- `passenger_data_buffer_dir` Sets the [`PassengerDataBufferDir`](https://www.phusionpassenger.com/library/config/apache/reference/#passengerdatabufferdir). Default: undef. + +##### Class: `apache::mod::ldap` + +Installs and configures [`mod_ldap`][], and allows you to modify the +[`LDAPTrustedGlobalCert`](https://httpd.apache.org/docs/current/mod/mod_ldap.html#ldaptrustedglobalcert) Directive: + +``` puppet +class { 'apache::mod::ldap': + ldap_trusted_global_cert_file => '/etc/pki/tls/certs/ldap-trust.crt', + ldap_trusted_global_cert_type => 'CA_DER', + ldap_shared_cache_size => '500000', + ldap_cache_entries => '1024', + ldap_cache_ttl => '600', + ldap_opcache_entries => '1024', + ldap_opcache_ttl => '600', +} ``` +**Parameters within `apache::mod::ldap`:** + +- `apache_version`: The installed Apache version. Defaults to `undef`. +- `ldap_trusted_global_cert_file`: Path and file name of the trusted CA certificates to use when establishing SSL or TLS connections to an LDAP server. +- `ldap_trusted_global_cert_type`: The global trust certificate format. Default: 'CA_BASE64'. +- `ldap_shared_cache_size`: Size in bytes of the shared-memory cache. +- `ldap_cache_entries`: Maximum number of entries in the primary LDAP cache. +- `ldap_cache_ttl`: Time that cached items remain valid. +- `ldap_opcache_entries`: Number of entries used to cache LDAP compare operations. +- `ldap_opcache_ttl`: Time that entries in the operation cache remain valid. +- `package_name`: Custom package name. Defaults to `undef`. + +##### Class: `apache::mod::negotiation` + +Installs and configures [`mod_negotiation`][]. + **Parameters within `apache::mod::negotiation`:** -#####`force_language_priority` - -A string that sets the `ForceLanguagePriority` option. Defaults to `Prefer Fallback`. - -#####`language_priority` - -An array of languages to set the `LanguagePriority` option of the module. - -####Class: `apache::mod::deflate` - -Installs and configures mod_deflate. If no parameters are provided, a default configuration is applied. - -```puppet - class { '::apache::mod::deflate': - types => [ 'text/html', 'text/css' ], - notes => { - 'Input' => 'instream', - 'Ratio' => 'ratio', - }, - } -``` - -#####`types` - -An array of mime types to be deflated. - -#####`notes` - -A hash where the key represents the type and the value represents the note name. - - -####Class: `apache::mod::reqtimeout` - -Installs and configures mod_reqtimeout. Defaults to recommended apache -mod_reqtimeout configuration. - -```puppet - class { '::apache::mod::reqtimeout': - timeouts => ['header=20-40,MinRate=500', 'body=20,MinRate=500'], - } -``` - -####Class: `apache::mod::version` - -This wrapper around mod_version warns on Debian and Ubuntu systems with Apache httpd 2.4 -about loading mod_version, as on these platforms it's already built-in. - -```puppet - include '::apache::mod::version' -``` - -#####`timeouts` - -A string or an array that sets the `RequestReadTimeout` option. Defaults to -`['header=20-40,MinRate=500', 'body=20,MinRate=500']`. - - -####Class: `apache::mod::security` - -Installs and configures mod_security. Defaults to enabled and running on all -vhosts. - -```puppet - include '::apache::mod::security' -``` - -#####`crs_package` - -Name of package to install containing crs rules - -#####`modsec_dir` - -Directory to install the modsec configuration and activated rules links into - -#####`activated_rules` - -Array of rules from the modsec_crs_path to activate by symlinking to -${modsec_dir}/activated_rules. - -#####`allowed_methods` - -HTTP methods allowed by mod_security - -#####`content_types` - -Content-types allowed by mod_security - -#####`restricted_extensions` - -Extensions prohibited by mod_security - -#####`restricted_headers` - -Headers restricted by mod_security - - -####Defined Type: `apache::vhost` - -The Apache module allows a lot of flexibility in the setup and configuration of virtual hosts. This flexibility is due, in part, to `vhost` being a defined resource type, which allows it to be evaluated multiple times with different parameters. - -The `vhost` defined type allows you to have specialized configurations for virtual hosts that have requirements outside the defaults. You can set up a default vhost within the base `::apache` class, as well as set a customized vhost as default. Your customized vhost (priority 10) will be privileged over the base class vhost (15). - -The `vhost` defined type uses `concat::fragment` to build the configuration file, so if you want to inject custom fragments for pieces of the configuration not supported by default by the defined type, you can add a custom fragment. For the `order` parameter for the custom fragment, the `vhost` defined type uses multiples of 10, so any order that isn't a multiple of 10 should work. - -```puppet - apache::vhost { "example.com": - docroot => '/var/www/html', - priority => '25', - } - concat::fragment { "example.com-my_custom_fragment": - target => '25-example.com.conf', - order => 11, - content => '# my custom comment', - } -``` - -If you have a series of specific configurations and do not want a base `::apache` class default vhost, make sure to set the base class `default_vhost` to 'false'. - -```puppet - class { 'apache': - default_vhost => false, - } -``` - -**Parameters within `apache::vhost`:** - -#####`access_log` - -Specifies whether `*_access.log` directives (`*_file`,`*_pipe`, or `*_syslog`) should be configured. Setting the value to 'false' chooses none. Defaults to 'true'. - -#####`access_log_file` - -Sets the `*_access.log` filename that is placed in `$logroot`. Given a vhost, example.com, it defaults to 'example.com_ssl.log' for SSL vhosts and 'example.com_access.log' for non-SSL vhosts. - -#####`access_log_pipe` - -Specifies a pipe to send access log messages to. Defaults to 'undef'. - -#####`access_log_syslog` - -Sends all access log messages to syslog. Defaults to 'undef'. - -#####`access_log_format` - -Specifies the use of either a LogFormat nickname or a custom format string for the access log. Defaults to 'combined'. See [these examples](http://httpd.apache.org/docs/current/mod/mod_log_config.html). - -#####`access_log_env_var` - -Specifies that only requests with particular environment variables be logged. Defaults to 'undef'. - -#####`add_default_charset` - -Sets [AddDefaultCharset](http://httpd.apache.org/docs/current/mod/core.html#adddefaultcharset), a default value for the media charset, which is added to text/plain and text/html responses. - -#####`add_listen` - -Determines whether the vhost creates a Listen statement. The default value is 'true'. - -Setting `add_listen` to 'false' stops the vhost from creating a Listen statement, and this is important when you combine vhosts that are not passed an `ip` parameter with vhosts that *are* passed the `ip` parameter. - -#####`use_optional_includes` - -Specifies if for apache > 2.4 it should use IncludeOptional instead of Include for `additional_includes`. Defaults to 'false'. - -#####`additional_includes` - -Specifies paths to additional static, vhost-specific Apache configuration files. Useful for implementing a unique, custom configuration not supported by this module. Can be an array. Defaults to '[]'. - -#####`aliases` - -Passes a list of hashes to the vhost to create Alias, AliasMatch, ScriptAlias or ScriptAliasMatch directives as per the [mod_alias documentation](http://httpd.apache.org/docs/current/mod/mod_alias.html). These hashes are formatted as follows: - -```puppet +- `force_language_priority`: Sets the `ForceLanguagePriority` option. Valid option: String. Default: `Prefer Fallback`. +- `language_priority`: An [array][] of languages to set the `LanguagePriority` option of the module. Default: [ 'en', 'ca', 'cs', 'da', 'de', 'el', 'eo', 'es', 'et', 'fr', 'he', 'hr', 'it', 'ja', 'ko', 'ltz', 'nl', 'nn', 'no', 'pl', 'pt', 'pt-BR', 'ru', 'sv', 'zh-CN', 'zh-TW' ] + +##### Class: `apache::mod::pagespeed` + +Installs and manages [`mod_pagespeed`][], a Google module that rewrites web pages to reduce latency and bandwidth. + +While this Apache module requires the `mod-pagespeed-stable` package, Puppet **doesn't** manage the software repositories required to automatically install the package. If you declare this class when the package is either not installed or not available to your package manager, your Puppet run will fail. + +**Note:** Verify that your system is compatible with the latest Google Pagespeed requirements. + +**Parameters within `apache::mod::pagespeed`**: + +- `inherit_vhost_config`: Default: 'on'. +- `filter_xhtml`: Default: false. +- `cache_path`: Default: '/var/cache/mod\_pagespeed/'. +- `log_dir`: Default: '/var/log/pagespeed'. +- `memcache_servers`: Default: []. +- `rewrite_level`: Default: 'CoreFilters'. +- `disable_filters`: Default: []. +- `enable_filters`: Default: []. +- `forbid_filters`: Default: []. +- `rewrite_deadline_per_flush_ms`: Default: 10. +- `additional_domains`: Default: undef. +- `file_cache_size_kb`: Default: 102400. +- `file_cache_clean_interval_ms`: Default: 3600000. +- `lru_cache_per_process`: Default: 1024. +- `lru_cache_byte_limit`: Default: 16384. +- `css_flatten_max_bytes`: Default: 2048. +- `css_inline_max_bytes`: Default: 2048. +- `css_image_inline_max_bytes`: Default: 2048. +- `image_inline_max_bytes`: Default: 2048. +- `js_inline_max_bytes`: Default: 2048. +- `css_outline_min_bytes`: Default: 3000. +- `js_outline_min_bytes`: Default: 3000. +- `inode_limit`: Default: 500000. +- `image_max_rewrites_at_once`: Default: 8. +- `num_rewrite_threads`: Default: 4. +- `num_expensive_rewrite_threads`: Default: 4. +- `collect_statistics`: Default: 'on'. +- `statistics_logging`: Default: 'on'. +- `allow_view_stats`: Default: []. +- `allow_pagespeed_console`: Default: []. +- `allow_pagespeed_message`: Default: []. +- `message_buffer_size`: Default: 100000. +- `additional_configuration`: A hash of directive-value pairs or an array of lines to insert at the end of the pagespeed configuration. Default: '{ }'. + +The class's parameters correspond to the module's directives. See the [module's documentation][`mod_pagespeed`] for details. + +##### Class: `apache::mod::passenger` + +Installs and configures mod\_passenger + +**Parameters within `apache::mod::passenger`**: + +- `manage_repo`: Manage phusionpassenger.com repository. Default: true. + +TODO: The parameters section is incomplete. + +**Note**: The passenger module isn't available on RH/CentOS without providing dependency packages provided by EPEL and mod\_passengers own custom repository. See the `manage_repo` parameter above and [https://www.phusionpassenger.com/library/install/apache/install/oss/el7/]() + +##### Class: `apache::mod::proxy` + +Installs `mod_proxy` and uses the `proxy.conf.erb` template to generate its configuration. + +**Parameters within `apache::mod::proxy`**: + +- `allow_from`: Default: `undef`. +- `apache_version`: Default: `undef`. +- `package_name`: Default: `undef`. +- `proxy_requests`: Default: 'Off'. +- `proxy_via`: Default: 'On'. + +##### Class: `apache::mod::proxy_balancer` + +Installs and manages [`mod_proxy_balancer`][], which provides load balancing. + +**Parameters within `apache::mod::proxy_balancer`**: + +- `manager`: Determines whether to enable balancer manager support. Default: `false`. +- `manager_path`: The server location of the balancer manager. Default: '/balancer-manager'. +- `allow_from`: An [array][] of IPv4 or IPv6 addresses that can access `/balancer-manager`. Default: ['127.0.0.1','::1']. +- `apache_version`: Apache's version number as a string, such as '2.2' or '2.4'. Default: the value of [`$::apache::apache_version`][`apache_version`]. + - On Apache >= 2.4, `mod_slotmem_shm` is loaded. + + +##### Class: `apache::mod::php` + +Installs and configures [`mod_php`][]. + +**Parameters within `apache::mod::php`**: + +Default values depend on your operating system. + +> **Note**: This list is incomplete. Most of this class's parameters correspond to `mod_php` directives; see the [module's documentation][`mod_php`] for details. + +- `package_name`: Names the package that installs `mod_php`. +- `path`: Defines the path to the `mod_php` shared object (`.so`) file. +- `source`: Defines the path to the default configuration. Valid options include a `puppet:///` path. +- `template`: Defines the path to the `php.conf` template Puppet uses to generate the configuration file. +- `content`: Adds arbitrary content to `php.conf`. + +##### Class: `apache::mod::proxy_html` + +**Note**: There is no official package available for mod\_proxy\_html and thus it must be made available by means outside of the control of the apache module. + +##### Class: `apache::mod::reqtimeout` + +Installs and configures [`mod_reqtimeout`][]. + +**Parameters within `apache::mod::reqtimeout`**: + +- `timeouts`: A string or [array][] that sets the [`RequestReadTimeout`][] option. Default: ['header=20-40,MinRate=500', 'body=20,MinRate=500']. + +##### Class: `apache::mod::shib` + +Installs the [Shibboleth](http://shibboleth.net/) Apache module `mod_shib`, which enables SAML2 single sign-on (SSO) authentication by Shibboleth Identity Providers and Shibboleth Federations. This class only installs and configures the Apache components of a web application that consumes Shibboleth SSO identities, also known as a Shibboleth Service Provider. You can manage the Shibboleth configuration manually, with Puppet, or using a [Shibboleth Puppet Module](https://github.com/aethylred/puppet-shibboleth). + +Defining this class enables Shibboleth-specific parameters in `apache::vhost` instances. + +**Note**: The shibboleth module isn't available on RH/CentOS without providing dependency packages provided by Shibboleth's repositories. See [http://wiki.aaf.edu.au/tech-info/sp-install-guide]() + +##### Class: `apache::mod::ssl` + +Installs [Apache SSL features][`mod_ssl`] and uses the `ssl.conf.erb` template to generate its configuration. On most operating systems, this ssl.conf is placed in the module configuration directory, however on Red Hat-based operating systems it is placed in the confd directory (/etc/httpd/conf.d), the same location the RPM stores the configuration. + +**Parameters within `apache::mod::ssl`**: + +- `ssl_cipher`: Default: 'HIGH:MEDIUM:!aNULL:!MD5:!RC4'. +- `ssl_compression`: Default: false. +- `ssl_cryptodevice`: Default: 'builtin'. +- `ssl_honorcipherorder`: Default: true. +- `ssl_openssl_conf_cmd`: Default: undef. +- `ssl_options`: Default: [ 'StdEnvVars' ] +- `ssl_pass_phrase_dialog`: Default: 'builtin'. +- `ssl_protocol`: Default: [ 'all', '-SSLv2', '-SSLv3' ]. +- `ssl_random_seed_bytes`: Valid options: A string. Default: '512'. +- `ssl_sessioncachetimeout`: Valid options: A string. Default: '300'. +- `ssl_mutex`: Default: Determined based on the OS. Valid options: See [mod_ssl][mod_ssl] documentation. + - RedHat/FreeBSD/Suse/Gentoo: 'default' + - Debian/Ubuntu + Apache >= 2.4: 'default' + - Debian/Ubuntu + Apache < 2.4: 'file:\${APACHE_RUN_DIR}/ssl_mutex' + - Ubuntu 10.04: 'file:/var/run/apache2/ssl_mutex' + +To use SSL with a virtual host, you must either set the [`default_ssl_vhost`][] parameter in `::apache` to true **or** the [`ssl`][] parameter in [`apache::vhost`][] to true. + +##### Class: `apache::mod::status` + +Installs [`mod_status`][] and uses the `status.conf.erb` template to generate its configuration. + +**Parameters within `apache::mod::status`**: + +- `allow_from`: An [array][] of IPv4 or IPv6 addresses that can access `/server-status`. Default: ['127.0.0.1','::1']. +- `extended_status`: Determines whether to track extended status information for each request, via the [`ExtendedStatus`][] directive. Valid options: 'Off', 'On'. Default: 'On'. +- `status_path`: The server location of the status page. Default: '/server-status'. + +##### Class: `apache::mod::version` + +Installs [`mod_version`][] on many operating systems and Apache configurations. + +If Debian and Ubuntu systems with Apache 2.4 are classified with `apache::mod::version`, Puppet warns that `mod_version` is built-in and can't be loaded. + +##### Class: `apache::mod::security` + +Installs and configures Trustwave's [`mod_security`][]. It is enabled and runs by default on all virtual hosts. + +**Parameters within `apache::mod::security`**: + +- `activated_rules`: An [array][] of rules from the `modsec_crs_path` or absolute to activate via symlinks. Default: `modsec_default_rules` in [`apache::params`][]. +- `allowed_methods`: A space-separated list of allowed HTTP methods. Default: 'GET HEAD POST OPTIONS'. +- `content_types`: A list of one or more allowed [MIME types][MIME `content-type`]. Default: 'application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf' +- `crs_package`: Names the package that installs CRS rules. Default: `modsec_crs_package` in [`apache::params`][]. +- `modsec_dir`: Defines the path where Puppet installs the modsec configuration and activated rules links. Default: 'On', set by `modsec_dir` in [`apache::params`][]. +${modsec\_dir}/activated\_rules. +- `modsec_secruleengine`: Configures the modsec rules engine. Valid options: 'On', 'Off', and 'DetectionOnly'. Default: `modsec_secruleengine` in [`apache::params`][]. +- `restricted_extensions`: A space-separated list of prohibited file extensions. Default: '.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'. +- `restricted_headers`: A list of restricted headers separated by slashes and spaces. Default: 'Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/'. +- `secdefaultaction`: Configures the Mode of Operation, Self-Contained ('deny') vs. Collaborative Detection ('pass'), for the OWASP ModSecurity Core Rule Set. Default: 'deny'. Fuller values can be set too like "log,auditlog,deny,status:406,tag:'SLA 24/7'" +- `secpcrematchlimit`: Sets the number for the match limit in the PCRE library. Default: '1500' +- `secpcrematchlimitrecursion`: Sets the number for the match limit recursion in the PCRE library. Default: '1500' +- `logroot`: Configures the location of audit and debug logs. Defaults to apache log directory (Redhat: /var/log/httpd Debian: /var/log/apache2) +- `audit_log_releavant_status`: Configures which response status code is to be considered relevant for the purpose of audit logging. Defaults: '^(?:5|4(?!04))'. +- `audit_log_parts`: Sets the sections to be put in the [audit log][]. Default: 'ABIJDEFHZ' +- `anomaly_score_blocking`: De-/Activates the Collaborative Detection Blocking of the OWASP ModSecurity Core Rule Set. Default: off. +- `inbound_anomaly_threshold`: Sets the scoring threshold level of the inbound blocking rules for the Collaborative Detection Mode in the OWASP ModSecurity Core Rule Set. Default: '5'. +- `outbound_anomaly_threshold`: Sets the scoring threshold level of the outbound blocking rules for the Collaborative Detection Mode in the OWASP ModSecurity Core Rule Set. Default: '4'. +- `critical_anomaly_score`: Sets the scoring points of the critical severity level for the Collaborative Detection Mode in the OWASP ModSecurity Core Rule Set. Default: '5'. +- `error_anomaly_score`: Sets the scoring points of the error severity level for the Collaborative Detection Mode in the OWASP ModSecurity Core Rule Set. Default: '4'. +- `warning_anomaly_score`: Sets the scoring points of the warning severity level for the Collaborative Detection Mode in the OWASP ModSecurity Core Rule Set. Default: '3'. +- `notice_anomaly_score`: Sets the scoring points of the notice severity level for the Collaborative Detection Mode in the OWASP ModSecurity Core Rule Set. Default: '2'. +- `secrequestmaxnumargs`: Sets the Maximum number of arguments in the request. Default: '255'. +- `secrequestbodylimit`: Sets the maximum request body size ModSecurity will accept for buffering.. Default: '13107200'. +- `secrequestbodynofileslimit`: Sets the maximum request body size ModSecurity will accept for buffering, excluding the size of any files being transported in the request. Default: '131072'. +- `secrequestbodyinmemorylimit`: Sets the maximum request body size that ModSecurity will store in memory. Default: '131072' + +##### Class: `apache::mod::wsgi` + +Enables Python support via [`mod_wsgi`][]. + +**Parameters within `apache::mod::wsgi`**: + +- `mod_path`: Defines the path to the `mod_wsgi` shared object (`.so`) file. Default: undef. + - If the `mod_path` parameter doesn't contain `/`, Puppet prefixes it with your operating system's default module path. +Otherwise, Puppet follows it literally. +- `package_name`: Names the package that installs `mod_wsgi`. Default: undef. +- `wsgi_python_home`: Defines the [`WSGIPythonHome`][] directive, such as '/path/to/venv'. Valid options: path. Default: undef. +- `wsgi_python_path`: Defines the [`WSGIPythonPath`][] directive, such as '/path/to/venv/site-packages'. Valid options: path. Default: undef. +- `wsgi_socket_prefix`: Defines the [`WSGISocketPrefix`][] directive, such as "\${APACHE\_RUN\_DIR}WSGI". Default: `wsgi_socket_prefix` in [`apache::params`][]. + +The class's parameters correspond to the module's directives. See the [module's documentation][`mod_wsgi`] for details. + +### Private Classes + +#### Class: `apache::confd::no_accf` + +Creates the `no-accf.conf` configuration file in `conf.d`, required by FreeBSD's Apache 2.4. + +#### Class: `apache::default_confd_files` + +Includes `conf.d` files for FreeBSD. + +#### Class: `apache::default_mods` + +Installs the Apache modules required to run the default configuration. See the `apache` class's [`default_mods`][] parameter for details. + +#### Class: `apache::package` + +Installs and configures basic Apache packages. + +#### Class: `apache::params` + +Manages Apache parameters for different operating systems. + +#### Class: `apache::service` + +Manages the Apache daemon. + +#### Class: `apache::version` + +Attempts to automatically detect the Apache version based on the operating system. + +### Public defined types + +#### Defined type: `apache::balancer` + +Creates an Apache load balancing group, also known as a balancer cluster, using [`mod_proxy`][]. Each load balancing group needs one or more balancer members, which you can declare in Puppet with the [`apache::balancermember`][] define. + +Declare one `apache::balancer` define for each Apache load balancing group. You can export `apache::balancermember` defined types for all balancer members and collect them on a single Apache load balancer server using [exported resources][]. + +**Parameters within `apache::balancer`**: + +##### `name` + +Sets the title of the balancer cluster and name of the `conf.d` file containing its configuration. + +##### `proxy_set` + +Configures key-value pairs as [`ProxySet`][] lines. Valid options: a [hash][]. Default: '{}'. + +##### `collect_exported` + +Determines whether to use [exported resources][]. Valid options: Boolean. Default: true. + +If you statically declare all of your backend servers, set this parameter to false to rely on existing, declared balancer member resources. Also, use `apache::balancermember` with [array][] arguments. + +To dynamically declare backend servers via exported resources collected on a central node, set this parameter to true to collect the balancer member resources exported by the balancer member nodes. + +If you don't use exported resources, a single Puppet run configures all balancer members. If you use exported resources, Puppet has to run on the balanced nodes first, then run on the balancer. + +#### Defined type: `apache::balancermember` + +Defines members of [`mod_proxy_balancer`][], which sets up a balancer member inside a listening service configuration block in the load balancer's `apache.cfg`. + +**Parameters within `apache::balancermember`**: + +##### `balancer_cluster` + +**Required**. Sets the Apache service's instance name, and must match the name of a declared [`apache::balancer`][] resource. + +##### `url` + +Specifies the URL used to contact the balancer member server. Default: 'http://${::fqdn}/'. + +##### `options` + +Specifies an [array][] of [options](https://httpd.apache.org/docs/current/mod/mod_proxy.html#balancermember) after the URL, and accepts any key-value pairs available to [`ProxyPass`][]. Default: an empty array. + +#### Defined type: `apache::custom_config` + +Adds a custom configuration file to the Apache server's `conf.d` directory. If the file is invalid and this defined type's [`verify_config`][] parameter's value is true, Puppet throws an error during a Puppet run. + +**Parameters within `apache::custom_config`**: + +##### `ensure` + +Specifies whether the configuration file should be present. Valid options: 'absent', 'present'. Default: 'present'. + +##### `confdir` + +Sets the directory in which Puppet places configuration files. Default: the value of [`$::apache::confd_dir`][`confd_dir`]. + +##### `content` + +Sets the configuration file's content. The `content` and [`source`][] parameters are exclusive of each other. + +##### `filename` + +Sets the name of the file under `confdir` in which Puppet stores the configuration. The default behavior is to generate the filename from the `priority` parameter and the resource name. + +##### `priority` + +Sets the configuration file's priority by prefixing its filename with this parameter's numeric value, as Apache processes configuration files in alphanumeric order. Default: '25'. + +To omit the priority prefix in the configuration file's name, set this parameter to false. + +##### `source` + +Points to the configuration file's source. The [`content`][] and `source` parameters are exclusive of each other. + +##### `verify_command` + +Specifies the command Puppet uses to verify the configuration file. Use a fully qualified command. Default: `/usr/sbin/apachectl -t`. + +This parameter is only used if the [`verify_config`][] parameter's value is 'true'. If the `verify_command` fails, the Puppet run deletes the configuration file, does not notify the Apache service, and raises an error. + +##### `verify_config` + +Specifies whether to validate the configuration file before notifying the Apache service. Valid options: Boolean. Default: true. + +#### Defined type: `apache::fastcgi::server` + +Defines one or more external FastCGI servers to handle specific file types. Use this defined type with [`mod_fastcgi`][FastCGI]. + +**Parameters within `apache::fastcgi::server`:** + +##### `host` + +Determines the FastCGI's hostname or IP address and TCP port number (1-65535). + +##### `timeout` + +Sets the number of seconds a [FastCGI][] application can be inactive before aborting the request and logging the event at the error LogLevel. The inactivity timer applies only as long as a connection is pending with the FastCGI application. If a request is queued to an application, but the application doesn't respond by writing and flushing within this period, the request is aborted. If communication is complete with the application but incomplete with the client (the response is buffered), the timeout does not apply. + +##### `flush` + +Forces [`mod_fastcgi`][FastCGI] to write to the client as data is received from the application. By default, `mod_fastcgi` buffers data in order to free the application as quickly as possible. + +##### `faux_path` + +Apache has [FastCGI][] handle URIs that resolve to this filename. The path set in this parameter does not have to exist in the local filesystem. + +##### `alias` + +Internally links actions with the FastCGI server. This alias must be unique. + +##### `file_type` + +Sets the [MIME `content-type`][] of the file to be processed by the FastCGI server. + +#### Defined type: `apache::listen` + +Adds [`Listen`][] directives to `ports.conf` in the Apache configuration directory that define the Apache server's or a virtual host's listening address and port. The [`apache::vhost`][] class uses this defined type, and titles take the form '<PORT>', '<IPV4>:<PORT>', or '<IPV6>:<PORT>'. + +#### Defined type: `apache::mod` + +Installs packages for an Apache module that doesn't have a corresponding [`apache::mod::<MODULE NAME>`][] class, and checks for or places the module's default configuration files in the Apache server's `module` and `enable` directories. The default locations depend on your operating system. + +**Parameters within `apache::mod`**: + +##### `package` + +**Required**. Names the package Puppet uses to install the Apache module. + +##### `package_ensure` + +Determines whether Puppet ensures the Apache module should be installed. Valid options: 'absent', 'present'. Default: 'present'. + +##### `lib` + +Defines the module's shared object name. Its default value is `mod_$name.so`, and it should not be configured manually without special reason. + +##### `lib_path` + +Specifies a path to the module's libraries. Default: the `apache` class's [`lib_path`][] parameter. + +Don't manually set this parameter without special reason. The [`path`][] parameter overrides this value. + +##### `loadfile_name` + +Sets the filename for the module's [`LoadFile`][] directive, which can also set the module load order as Apache processes them in alphanumeric order. Valid options: filenames formatted `\*.load`. Default: the resource's name followed by 'load', as in '$name.load'. + +##### `loadfiles` + +Specifies an array of [`LoadFile`][] directives. Default: undef. + +##### `path` + +Specifies a path to the module. Default: [`lib_path`][]/[`lib`][]. + +> **Note:** Don't manually set this parameter without a specific reason. + +#### Defined type: `apache::namevirtualhost` +Enables [name-based virtual hosts][] and adds all related directives to the `ports.conf` file in the Apache HTTPD configuration directory. Titles can take the forms '\*', '\*:\<PORT\>', '\_default\_:\<PORT\>, '\<IP\>', or '\<IP\>:\<PORT\>'. + + +#### Defined type: `apache::vhost` + +The Apache module allows a lot of flexibility in the setup and configuration of virtual hosts. This flexibility is due, in part, to `vhost` being a defined resource type, which allows Apache to evaluate it multiple times with different parameters. + +The `apache::vhost` defined type allows you to have specialized configurations for virtual hosts that have requirements outside the defaults. You can set up a default virtual host within the base `::apache` class, as well as set a customized virtual host as the default. Customized virtual hosts have a lower numeric [`priority`][] than the base class's, causing Apache to process the customized virtual host first. + +The `apache::vhost` defined type uses `concat::fragment` to build the configuration file. To inject custom fragments for pieces of the configuration that the defined type doesn't inherently support, add a custom fragment. + +For the custom fragment's `order` parameter, the `apache::vhost` defined type uses multiples of 10, so any `order` that isn't a multiple of 10 should work. + +**Parameters within `apache::vhost`**: + +##### `access_log` + +Determines whether to configure `*_access.log` directives (`*_file`,`*_pipe`, or `*_syslog`). Valid options: Boolean. Default: true. + +##### `access_log_env_var` + +Specifies that only requests with particular environment variables be logged. Default: undef. + +##### `access_log_file` + +Sets the filename of the `*_access.log` placed in [`logroot`][]. Given a virtual host---for instance, example.com---it defaults to 'example.com\_ssl.log' for [SSL-encrypted][SSL encryption] virtual hosts and 'example.com\_access.log' for unencrypted virtual hosts. + +##### `access_log_format` + +Specifies the use of either a [`LogFormat`][] nickname or a custom-formatted string for the access log. Default: 'combined'. + +##### `access_log_pipe` + +Specifies a pipe where Apache sends access log messages. Default: undef. + +##### `access_log_syslog` + +Sends all access log messages to syslog. Default: undef. + +##### `add_default_charset` + +Sets a default media charset value for the [`AddDefaultCharset`][] directive, which is added to `text/plain` and `text/html` responses. + +##### `add_listen` + +Determines whether the virtual host creates a [`Listen`][] statement. Valid options: Boolean. Default: true. + +Setting `add_listen` to false prevents the virtual host from creating a `Listen` statement. This is important when combining virtual hosts that aren't passed an `ip` parameter with those that are. + +##### `use_optional_includes` + +Specifies whether Apache uses the [`IncludeOptional`][] directive instead of [`Include`][] for `additional_includes` in Apache 2.4 or newer. Valid options: Boolean. Default: false. + +##### `additional_includes` + +Specifies paths to additional static, virtual host-specific Apache configuration files. You can use this parameter to implement a unique, custom configuration not supported by this module. Valid options: a string path or [array][] of them. Default: an empty array. + +##### `aliases` + +Passes a list of [hashes][hash] to the virtual host to create [`Alias`][], [`AliasMatch`][], [`ScriptAlias`][] or [`ScriptAliasMatch`][] directives as per the [`mod_alias`][] documentation. + +For example: + +``` puppet aliases => [ { aliasmatch => '^/image/(.*)\.jpg$', path => '/files/jpg.images/$1.jpg', - } + }, { alias => '/image', path => '/ftp/pub/image', }, @@ -1044,108 +2232,173 @@ ], ``` -For `alias`, `aliasmatch`, `scriptalias` and `scriptaliasmatch` to work, each needs a corresponding context, such as `<Directory /path/to/directory>` or `<Location /some/location/here>`. The directives are created in the order specified in the `aliases` parameter. As described in the [`mod_alias` documentation](http://httpd.apache.org/docs/current/mod/mod_alias.html), more specific `alias`, `aliasmatch`, `scriptalias` or `scriptaliasmatch` parameters should come before the more general ones to avoid shadowing. - -*Note*: Using the `aliases` parameter is preferred over the `scriptaliases` parameter since here the order of the various alias directives among each other can be controlled precisely. Defining ScriptAliases using the `scriptaliases` parameter means *all* ScriptAlias directives will come after *all* Alias directives, which can lead to Alias directives shadowing ScriptAlias directives. This is often problematic, for example in case of Nagios. - -*Note:* If `apache::mod::passenger` is loaded and `PassengerHighPerformance => true` is set, then Alias might have issues honoring the `PassengerEnabled => off` statement. See [this article](http://www.conandalton.net/2010/06/passengerenabled-off-not-working.html) for details. - -#####`allow_encoded_slashes` - -This sets the [`AllowEncodedSlashes` declaration](http://httpd.apache.org/docs/current/mod/core.html#allowencodedslashes) for the vhost, overriding the server default. This modifies the vhost responses to URLs with `\` and `/` characters. The default is undefined, which omits the declaration from the server configuration and select the Apache default setting of `Off`. Allowed values are: `on`, `off` or `nodecode`. - -#####`block` - -Specifies the list of things Apache blocks access to. The default is an empty set, '[]'. Currently, the only option is 'scm', which blocks web access to .svn, .git and .bzr directories. - -#####`custom_fragment` - -Passes a string of custom configuration directives to be placed at the end of the vhost configuration. Defaults to 'undef'. - -#####`default_vhost` - -Sets a given `apache::vhost` as the default to serve requests that do not match any other `apache::vhost` definitions. The default value is 'false'. - -#####`directories` - -See the [`directories` section](#parameter-directories-for-apachevhost). - -#####`directoryindex` - -Sets the list of resources to look for when a client requests an index of the directory by specifying a '/' at the end of the directory name. [DirectoryIndex](http://httpd.apache.org/docs/current/mod/mod_dir.html#directoryindex) has more information. Defaults to 'undef'. - -#####`docroot` - -Provides the -[DocumentRoot](http://httpd.apache.org/docs/current/mod/core.html#documentroot) -directive, which identifies the directory Apache serves files from. Required. - -#####`docroot_group` - -Sets group access to the docroot directory. Defaults to 'root'. - -#####`docroot_owner` - -Sets individual user access to the docroot directory. Defaults to 'root'. - -#####`docroot_mode` - -Sets access permissions of the docroot directory. Defaults to 'undef'. - -#####`manage_docroot` - -Whether to manage to docroot directory at all. Defaults to 'true'. - -#####`error_log` - -Specifies whether `*_error.log` directives should be configured. Defaults to 'true'. - -#####`error_log_file` - -Points to the `*_error.log` file. Given a vhost, example.com, it defaults to 'example.com_ssl_error.log' for SSL vhosts and 'example.com_access_error.log' for non-SSL vhosts. - -#####`error_log_pipe` - -Specifies a pipe to send error log messages to. Defaults to 'undef'. - -#####`error_log_syslog` - -Sends all error log messages to syslog. Defaults to 'undef'. - -#####`error_documents` - -A list of hashes which can be used to override the [ErrorDocument](https://httpd.apache.org/docs/current/mod/core.html#errordocument) settings for this vhost. Defaults to '[]'. Example: - -```puppet - apache::vhost { 'sample.example.net': - error_documents => [ - { 'error_code' => '503', 'document' => '/service-unavail' }, - { 'error_code' => '407', 'document' => 'https://example.com/proxy/login' }, - ], - } +For the `alias`, `aliasmatch`, `scriptalias` and `scriptaliasmatch` keys to work, each needs a corresponding context, such as `<Directory /path/to/directory>` or `<Location /some/location/here>`. Puppet creates the directives in the order specified in the `aliases` parameter. As described in the [`mod_alias`][] documentation, add more specific `alias`, `aliasmatch`, `scriptalias` or `scriptaliasmatch` parameters before the more general ones to avoid shadowing. + +> **Note**: Use the `aliases` parameter instead of the `scriptaliases` parameter because you can precisely control the various alias directives' order. Defining `ScriptAliases` using the `scriptaliases` parameter means *all* `ScriptAlias` directives will come after *all* `Alias` directives, which can lead to `Alias` directives shadowing `ScriptAlias` directives. This often causes problems, for example with Nagios. + +If [`apache::mod::passenger`][] is loaded and `PassengerHighPerformance` is 'true', the `Alias` directive might not be able to honor the `PassengerEnabled => off` statement. See [this article](http://www.conandalton.net/2010/06/passengerenabled-off-not-working.html) for details. + +##### `allow_encoded_slashes` + +Sets the [`AllowEncodedSlashes`][] declaration for the virtual host, overriding the server default. This modifies the virtual host responses to URLs with `\` and `/` characters. Valid options: 'nodecode', 'off', 'on'. Default: undef, which omits the declaration from the server configuration and selects the Apache default setting of `Off`. + +##### `block` + +Specifies the list of things to which Apache blocks access. Valid option: 'scm', which blocks web access to `.svn`, `.git`, and `.bzr` directories. Default: an empty [array][]. + +##### `cas_attribute_prefix` + +Adds a header with the value of this header being the attribute values when SAML validation is enabled. Defaults to +the value set by [`apache::mod::auth_cas`][] + +##### `cas_attribute_delimiter` + +The delimiter between attribute values in the header created by `cas_attribute_prefix`. Defaults to the value +set by [`apache::mod::auth_cas`][] + +##### `cas_login_url` + +Sets the URL to which the module redirects users when they attempt to access a CAS-protected resource and +don't have an active session. Defaults to the value set by [`apache::mod::auth_cas`][] + +##### `cas_scrub_request_headers` + +Remove inbound request headers that may have special meaning within mod_auth_cas. Defaults to the value +set by [`apache::mod::auth_cas`][] + +##### `cas_sso_enabled` + +Enables experimental support for single sign out (may mangle POST data). Defaults to the value +set by [`apache::mod::auth_cas`][] + +##### `cas_validate_saml` + +Parse response from CAS server for SAML. Defaults to the value set by [`apache::mod::auth_cas`][] + +##### `cas_validate_url` + +Sets the URL to use when validating a client-presented ticket in an HTTP query string. Defaults to the value set by +[`apache::mod::auth_cas`][] + +##### `custom_fragment` + +Passes a string of custom configuration directives to place at the end of the virtual host configuration. Default: undef. + +##### `default_vhost` + +Sets a given `apache::vhost` defined type as the default to serve requests that do not match any other `apache::vhost` defined types. Default: false. + +##### `directories` + +See the [`directories`](#parameter-directories-for-apachevhost) section. + +##### `directoryindex` + +Sets the list of resources to look for when a client requests an index of the directory by specifying a '/' at the end of the directory name. See the [`DirectoryIndex`][] directive documentation for details. Default: undef. + +##### `docroot` + +**Required**. Sets the [`DocumentRoot`][] location, from which Apache serves files. + +If `docroot` and [`manage_docroot`][] are both set to false, no [`DocumentRoot`][] will be set and the accompanying `<Directory /path/to/directory>` block will not be created. + +##### `docroot_group` + +Sets group access to the [`docroot`][] directory. Valid options: A string representing a system group. Default: 'root'. + +##### `docroot_owner` + +Sets individual user access to the [`docroot`][] directory. Valid options: A string representing a user account. Default: 'root'. + +##### `docroot_mode` + +Sets access permissions for the [`docroot`][] directory, in numeric notation. Valid options: A string. Default: undef. + +##### `manage_docroot` + +Determines whether Puppet manages the [`docroot`][] directory. Valid options: Boolean. Default: true. + +##### `error_log` + +Specifies whether `*_error.log` directives should be configured. Valid options: Boolean. Default: true. + +##### `error_log_file` + +Points the virtual host's error logs to a `*_error.log` file. If this parameter is undefined, Puppet checks for values in [`error_log_pipe`][], then [`error_log_syslog`][]. + +If none of these parameters is set, given a virtual host `example.com`, Puppet defaults to '$logroot/example.com_error_ssl.log' for SSL virtual hosts and '$logroot/example.com_error.log' for non-SSL virtual hosts. + +##### `error_log_pipe` + +Specifies a pipe to send error log messages to. Default: undef. + +This parameter has no effect if the [`error_log_file`][] parameter has a value. If neither this parameter nor `error_log_file` has a value, Puppet then checks [`error_log_syslog`][]. + +##### `error_log_syslog` + +Determines whether to send all error log messages to syslog. Valid options: Boolean. Default: undef. + +This parameter has no effect if either of the [`error_log_file`][] or [`error_log_pipe`][] parameters has a value. If none of these parameters has a value, given a virtual host `example.com`, Puppet defaults to '$logroot/example.com_error_ssl.log' for SSL virtual hosts and '$logroot/example.com_error.log' for non-SSL virtual hosts. + +##### `error_documents` + +A list of hashes which can be used to override the [ErrorDocument](https://httpd.apache.org/docs/current/mod/core.html#errordocument) settings for this virtual host. Default: '[]'. + +An example: + +``` puppet +apache::vhost { 'sample.example.net': + error_documents => [ + { 'error_code' => '503', 'document' => '/service-unavail' }, + { 'error_code' => '407', 'document' => 'https://example.com/proxy/login' }, + ], +} ``` -#####`ensure` - -Specifies if the vhost file is present or absent. Defaults to 'present'. - -#####`fallbackresource` - -Sets the [FallbackResource](http://httpd.apache.org/docs/current/mod/mod_dir.html#fallbackresource) directive, which specifies an action to take for any URL that doesn't map to anything in your filesystem and would otherwise return 'HTTP 404 (Not Found)'. Valid values must either begin with a / or be 'disabled'. Defaults to 'undef'. - -#####`headers` - -Adds lines to replace, merge, or remove response headers. See [Header](http://httpd.apache.org/docs/current/mod/mod_headers.html#header) for more information. Can be an array. Defaults to 'undef'. - -#####`ip` - -Sets the IP address the vhost listens on. Defaults to listen on all IPs. - -#####`ip_based` - -Enables an [IP-based](http://httpd.apache.org/docs/current/vhosts/ip-based.html) vhost. This parameter inhibits the creation of a NameVirtualHost directive, since those are used to funnel requests to name-based vhosts. Defaults to 'false'. - -#####`itk` +##### `ensure` + +Specifies if the virtual host is present or absent. Valid options: 'absent', 'present'. Default: 'present'. + +##### `fallbackresource` + +Sets the [FallbackResource](https://httpd.apache.org/docs/current/mod/mod_dir.html#fallbackresource) directive, which specifies an action to take for any URL that doesn't map to anything in your filesystem and would otherwise return 'HTTP 404 (Not Found)'. Valid options must either begin with a '/' or be 'disabled'. Default: undef. + +#####`fastcgi_idle_timeout` + +If using fastcgi, this option sets the timeout for the server to respond. + +##### `filters` + +[Filters](https://httpd.apache.org/docs/current/mod/mod_filter.html) enable smart, context-sensitive configuration of output content filters. + +``` puppet +apache::vhost { "$::fqdn": + filters => [ + 'FilterDeclare COMPRESS', + 'FilterProvider COMPRESS DEFLATE resp=Content-Type $text/html', + 'FilterChain COMPRESS', + 'FilterProtocol COMPRESS DEFLATE change=yes;byteranges=no', + ], +} +``` + +##### `force_type` + +Sets the [`ForceType`][] directive, which forces Apache to serve all matching files with a [MIME `content-type`][] matching this parameter's value. + +##### `headers` + +Adds lines to replace, merge, or remove response headers. See [Apache's mod_headers documentation](https://httpd.apache.org/docs/current/mod/mod_headers.html#header) for more information. Valid options: A string, an array of strings, or undef. Default: undef. + +##### `ip` + +Sets the IP address the virtual host listens on. Valid options: Strings. Default: undef, which uses Apache's default behavior of listening on all IPs. + +##### `ip_based` + +Enables an [IP-based](https://httpd.apache.org/docs/current/vhosts/ip-based.html) virtual host. This parameter inhibits the creation of a NameVirtualHost directive, since those are used to funnel requests to name-based virtual hosts. Default: false. + +##### `itk` Configures [ITK](http://mpm-itk.sesse.net/) in a hash. Keys can be: @@ -1159,956 +2412,1484 @@ Usage typically looks like: -```puppet - apache::vhost { 'sample.example.net': - docroot => '/path/to/directory', - itk => { - user => 'someuser', - group => 'somegroup', - }, - } +``` puppet +apache::vhost { 'sample.example.net': + docroot => '/path/to/directory', + itk => { + user => 'someuser', + group => 'somegroup', + }, +} +``` + +##### `jk_mounts` + +Sets up a virtual host with 'JkMount' and 'JkUnMount' directives to handle the paths for URL mapping between Tomcat and Apache. Default: undef. + +The parameter must be an array of hashes where each hash must contain the 'worker' and either the 'mount' or 'unmount' keys. + +Usage typically looks like: + +``` puppet +apache::vhost { 'sample.example.net': + jk_mounts => [ + { mount => '/*', worker => 'tcnode1', }, + { unmount => '/*.jpg', worker => 'tcnode1', }, + ], +} ``` -#####`logroot` - -Specifies the location of the virtual host's logfiles. Defaults to '/var/log/<apache log location>/'. - -#####`$logroot_ensure` - -Determines whether or not to remove the logroot directory for a virtual host. Valid values are 'directory', or 'absent'. - -#####`logroot_mode` - -Overrides the mode the logroot directory is set to. Defaults to undef. Do NOT give people write access to the directory the logs are stored -in without being aware of the consequences; see http://httpd.apache.org/docs/2.4/logs.html#security for details. - -#####`log_level` - -Specifies the verbosity of the error log. Defaults to 'warn' for the global server configuration and can be overridden on a per-vhost basis. Valid values are 'emerg', 'alert', 'crit', 'error', 'warn', 'notice', 'info' or 'debug'. - -######`modsec_body_limit` +##### `keepalive` + +Determines whether to enable persistent HTTP connections with the [`KeepAlive`][] directive for the virtual host. Valid options: 'Off', 'On' and `undef`. Default: `undef`, meaning the global, server-wide [`KeepAlive`][] setting is in effect. + +Use the `keepalive_timeout` and `max_keepalive_requests` parameters to set relevant options for the virtual host. + +##### `keepalive_timeout` + +Sets the [`KeepAliveTimeout`] directive for the virtual host, which determines the amount of time to wait for subsequent requests on a persistent HTTP connection. Default: `undef`, meaning the global, server-wide [`KeepAlive`][] setting is in effect. + +This parameter is only relevant if either the global, server-wide [`keepalive` parameter][] or the per-vhost `keepalive` parameter is enabled. + +##### `max_keepalive_requests` + +Limits the number of requests allowed per connection to the virtual host. Default: `undef`, meaning the global, server-wide [`KeepAlive`][] setting is in effect. + +This parameter is only relevant if either the global, server-wide [`keepalive` parameter][] or the per-vhost `keepalive` parameter is enabled. + +##### `auth_kerb` + +Enable [`mod_auth_kerb`][] parameters for a virtual host. Valid options: Boolean. Default: false. + +Usage typically looks like: + +``` puppet +apache::vhost { 'sample.example.net': + auth_kerb => true, + krb_method_negotiate => 'on', + krb_auth_realms => ['EXAMPLE.ORG'], + krb_local_user_mapping => 'on', + directories => { + path => '/var/www/html', + auth_name => 'Kerberos Login', + auth_type => 'Kerberos', + auth_require => 'valid-user', + }, +} +``` + +Related parameters follow the names of `mod_auth_kerb` directives: + +- `krb_method_negotiate`: Determines whether to use the Negotiate method. Default: 'on'. +- `krb_method_k5passwd`: Determines whether to use password-based authentication for Kerberos v5. Default: 'on'. +- `krb_authoritative`: If set to 'off', authentication controls can be passed on to another module. Default: 'on'. +- `krb_auth_realms`: Specifies an array of Kerberos realms to use for authentication. Default: '[]'. +- `krb_5keytab`: Specifies the Kerberos v5 keytab file's location. Default: undef. +- `krb_local_user_mapping`: Strips @REALM from usernames for further use. Default: undef. + +##### `krb_verify_kdc` + +This option can be used to disable the verification tickets against local keytab to prevent KDC spoofing attacks. Default: 'on'. + +##### `krb_servicename` + +Specifies the service name that will be used by Apache for authentication. Corresponding key of this name must be stored in the keytab. Default: 'HTTP'. + +##### `krb_save_credentials` + +This option enables credential saving functionality. Default is 'off' + +##### `logroot` + +Specifies the location of the virtual host's logfiles. Default: '/var/log/<apache log location>/'. + +##### `$logroot_ensure` + +Determines whether or not to remove the logroot directory for a virtual host. Valid options: 'directory', 'absent'. + +##### `logroot_mode` + +Overrides the mode the logroot directory is set to. Default: undef. Do *not* grant write access to the directory the logs are stored in without being aware of the consequences; for more information, see [Apache's log security documentation](https://httpd.apache.org/docs/2.4/logs.html#security). + +##### `logroot_owner` + +Sets individual user access to the logroot directory. Defaults to 'undef'. + +##### `logroot_group` + +Sets group access to the [`logroot`][] directory. Defaults to 'undef'. + +##### `log_level` + +Specifies the verbosity of the error log. Valid options: 'emerg', 'alert', 'crit', 'error', 'warn', 'notice', 'info' or 'debug'. Default: 'warn' for the global server configuration, which can be overridden on a per-virtual host basis. + +###### `modsec_body_limit` Configures the maximum request body size (in bytes) ModSecurity will accept for buffering -######`modsec_disable_vhost` - -Boolean. Only valid if apache::mod::security is included. Used to disable mod_security on an individual vhost. Only relevant if apache::mod::security is included. - -######`modsec_disable_ids` - -Array of mod_security IDs to remove from the vhost. Also takes a hash allowing removal of an ID from a specific location. - -```puppet - apache::vhost { 'sample.example.net': - modsec_disable_ids => [ 90015, 90016 ], - } +###### `modsec_disable_vhost` + +Disables [`mod_security`][] on a virtual host. Only valid if [`apache::mod::security`][] is included. Valid options: Boolean. Default: undef. + +###### `modsec_disable_ids` + +Array of mod_security IDs to remove from the virtual host. Also takes a hash allowing removal of an ID from a specific location. + +``` puppet +apache::vhost { 'sample.example.net': + modsec_disable_ids => [ 90015, 90016 ], +} +``` + +``` puppet +apache::vhost { 'sample.example.net': + modsec_disable_ids => { '/location1' => [ 90015, 90016 ] }, +} +``` + +###### `modsec_disable_ips` + +Specifies an array of IP addresses to exclude from [`mod_security`][] rule matching. Default: undef. + +###### `modsec_disable_msgs` + +Array of mod_security Msgs to remove from the virtual host. Also takes a hash allowing removal of an Msg from a specific location. Default: undef. + +``` puppet +apache::vhost { 'sample.example.net': + modsec_disable_msgs => [ 'Blind SQL Injection Attack', 'Session Fixation Attack' ], +} ``` -```puppet - apache::vhost { 'sample.example.net': - modsec_disable_ids => { '/location1' => [ 90015, 90016 ] }, - } +``` puppet +apache::vhost { 'sample.example.net': + modsec_disable_msgs => { '/location1' => [ 'Blind SQL Injection Attack', 'Session Fixation Attack' ] }, +} +``` + +###### `modsec_disable_tags` + +Array of mod_security Tags to remove from the virtual host. Also takes a hash allowing removal of an Tag from a specific location. Default: undef. + +``` puppet +apache::vhost { 'sample.example.net': + modsec_disable_tags => [ 'WEB_ATTACK/SQL_INJECTION', 'WEB_ATTACK/XSS' ], +} ``` -######`modsec_disable_ips` - -Array of IPs to exclude from mod_security rule matching - -#####`no_proxy_uris` +``` puppet +apache::vhost { 'sample.example.net': + modsec_disable_tags => { '/location1' => [ 'WEB_ATTACK/SQL_INJECTION', 'WEB_ATTACK/XSS' ] }, +} +``` + +##### `modsec_audit_log` & `modsec_audit_log_file` & `modsec_audit_log_pipe` + +Determines how to send mod_security audit log ([SecAuditLog](https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#SecAuditLog)). + +If `modsec_audit_log_file` is set, it is relative to [`logroot`][]. Default: undef. + +If `modsec_audit_log_pipe` is set, it should start with a pipe. Example '|/path/to/mlogc /path/to/mlogc.conf'. Default: undef. + +If `modsec_audit_log` is true, given a virtual host---for instance, example.com---it defaults to 'example.com\_security\_ssl.log' for [SSL-encrypted][SSL encryption] virtual hosts and 'example.com\_security.log' for unencrypted virtual hosts. Default: false. + +When none of those parameters is set, the global audit log is used (i.e. ''/var/log/apache2/modsec\_audit.log'' on Debian and derivatives, ''/var/log/httpd/modsec\_audit.log'' on others). + +##### `no_proxy_uris` Specifies URLs you do not want to proxy. This parameter is meant to be used in combination with [`proxy_dest`](#proxy_dest). -#####`proxy_preserve_host` - -Sets the [ProxyPreserveHost Directive](http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypreservehost). true Enables the Host: line from an incoming request to be proxied to the host instead of hostname . false sets this option to off (default). - -#####`options` - -Sets the [Options](http://httpd.apache.org/docs/current/mod/core.html#options) for the specified virtual host. Defaults to '['Indexes','FollowSymLinks','MultiViews']', as demonstrated below: - -```puppet - apache::vhost { 'site.name.fdqn': - … - options => ['Indexes','FollowSymLinks','MultiViews'], - } +##### `no_proxy_uris_match` + +This directive is equivalent to [`no_proxy_uris`][], but takes regular expressions. + +##### `proxy_preserve_host` + +Sets the [ProxyPreserveHost Directive](https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypreservehost). Valid options: Boolean. Default: false. + +Setting this parameter to true enables the `Host:` line from an incoming request to be proxied to the host instead of hostname. Setting it to false sets this directive to 'Off'. + +##### `proxy_add_headers` + +Sets the [ProxyAddHeaders Directive](https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxyaddheaders). Valid Options: Boolean. Default: false. + +This parameter controlls whether proxy-related HTTP headers (X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server) get sent to the backend server. + +##### `proxy_error_override` + +Sets the [ProxyErrorOverride Directive](https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxyerroroverride). This directive controls whether Apache should override error pages for proxied content. Default: false. + +##### `options` + +Sets the [`Options`][] for the specified virtual host. Default: ['Indexes','FollowSymLinks','MultiViews'], as demonstrated below: + +``` puppet +apache::vhost { 'site.name.fdqn': + … + options => ['Indexes','FollowSymLinks','MultiViews'], +} ``` -*Note:* If you use [`directories`](#parameter-directories-for-apachevhost), 'Options', 'Override', and 'DirectoryIndex' are ignored because they are parameters within `directories`. - -#####`override` - -Sets the overrides for the specified virtual host. Accepts an array of [AllowOverride](http://httpd.apache.org/docs/current/mod/core.html#allowoverride) arguments. Defaults to '[none]'. - -#####`passenger_app_root` - -Sets [PassengerRoot](https://www.phusionpassenger.com/documentation/Users%20guide%20Apache.html#PassengerAppRoot), the location of the Passenger application root if different from the DocumentRoot. - -#####`passenger_ruby` - -Sets [PassengerRuby](https://www.phusionpassenger.com/documentation/Users%20guide%20Apache.html#PassengerRuby) on this virtual host, the Ruby interpreter to use for the application. - -#####`passenger_min_instances` - -Sets [PassengerMinInstances](https://www.phusionpassenger.com/documentation/Users%20guide%20Apache.html#PassengerMinInstances), the minimum number of application processes to run. - -#####`passenger_start_timeout` - -Sets [PassengerStartTimeout](https://www.phusionpassenger.com/documentation/Users%20guide%20Apache.html#_passengerstarttimeout_lt_seconds_gt), the timeout for the application startup. - -#####`passenger_pre_start` - -Sets [PassengerPreStart](https://www.phusionpassenger.com/documentation/Users%20guide%20Apache.html#PassengerPreStart), the URL of the application if pre-starting is required. - -#####`php_flags & values` - -Allows per-vhost setting [`php_value`s or `php_flag`s](http://php.net/manual/en/configuration.changes.php). These flags or values can be overwritten by a user or an application. Defaults to '[]'. - -#####`php_admin_flags & values` - -Allows per-vhost setting [`php_admin_value`s or `php_admin_flag`s](http://php.net/manual/en/configuration.changes.php). These flags or values cannot be overwritten by a user or an application. Defaults to '[]'. - -#####`port` - -Sets the port the host is configured on. The module's defaults ensure the host listens on port 80 for non-SSL vhosts and port 443 for SSL vhosts. The host only listens on the port set in this parameter. - -#####`priority` - -Sets the relative load-order for Apache HTTPD VirtualHost configuration files. Defaults to '25'. - -If nothing matches the priority, the first name-based vhost is used. Likewise, passing a higher priority causes the alphabetically first name-based vhost to be used if no other names match. - -*Note:* You should not need to use this parameter. However, if you do use it, be aware that the `default_vhost` parameter for `apache::vhost` passes a priority of '15'. - -Pass priority `false` to omit the priority prefix in file names. - -#####`proxy_dest` - -Specifies the destination address of a [ProxyPass](http://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypass) configuration. Defaults to 'undef'. - -#####`proxy_pass` - -Specifies an array of `path => URI` for a [ProxyPass](http://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypass) configuration. Defaults to 'undef'. Optionally parameters can be added as an array. - -```puppet +> **Note**: If you use the [`directories`][] parameter of [`apache::vhost`][], 'Options', 'Override', and 'DirectoryIndex' are ignored because they are parameters within `directories`. + +##### `override` + +Sets the overrides for the specified virtual host. Accepts an array of [AllowOverride](https://httpd.apache.org/docs/current/mod/core.html#allowoverride) arguments. Default: '[none]'. + +##### `passenger_app_root` + +Sets [PassengerRoot](https://www.phusionpassenger.com/library/config/apache/reference/#passengerapproot), the location of the Passenger application root if different from the DocumentRoot. + +##### `passenger_app_env` + +Sets [PassengerAppEnv](https://www.phusionpassenger.com/library/config/apache/reference/#passengerappenv), the environment for the Passenger application. If not specifies, defaults to the global setting or 'production'. + +##### `passenger_log_file` + +By default, Passenger log messages are written to the Apache global error log. With [PassengerLogFile](https://www.phusionpassenger.com/library/config/apache/reference/#passengerlogfile), you can configure those messages to be logged to a different file. This option is only available since Passenger 5.0.5. + +##### `passenger_log_level` + +This option allows to specify how much information should be written to the log file. If not set, [PassengerLogLevel](https://www.phusionpassenger.com/library/config/apache/reference/#passengerloglevel) will not show up in the configuration file and the defaults are used. For Passenger > 3.0.0 the default is '0', since 5.0.0 it's '3'. + +##### `passenger_ruby` + +Sets [PassengerRuby](https://www.phusionpassenger.com/library/config/apache/reference/#passengerruby), the Ruby interpreter to use for the application, on this virtual host. + +##### `passenger_min_instances` + +Sets [PassengerMinInstances](https://www.phusionpassenger.com/library/config/apache/reference/#passengermininstances), the minimum number of application processes to run. + +##### `passenger_max_instances_per_app` + +Sets [PassengerMaxInstancesPerApp](https://www.phusionpassenger.com/library/config/apache/reference/#passengermaxinstancesperapp), the maximum number of application processes that may simultaneously exist for a single application. + +##### `passenger_start_timeout` + +Sets [PassengerStartTimeout](https://www.phusionpassenger.com/library/config/apache/reference/#passengerstarttimeout), the timeout for the application startup. + +##### `passenger_pre_start` + +Sets [PassengerPreStart](https://www.phusionpassenger.com/library/config/apache/reference/#passengerprestart), the URL of the application if pre-starting is required. + +##### `passenger_user` + +Sets [PassengerUser](https://www.phusionpassenger.com/library/config/apache/reference/#passengeruser), the running user for sandboxing applications. + +##### `passenger_high_performance` + +Sets the [`PassengerHighPerformance`](https://www.phusionpassenger.com/library/config/apache/reference/#passengerhighperformance) parameter. Valid options: 'true', 'false'. Default: undef. + +##### `passenger_nodejs` + +Sets the [`PassengerNodejs`](https://www.phusionpassenger.com/library/config/apache/reference/#passengernodejs), the NodeJS interpreter to use for the application, on this virtual host. + +##### `passenger_sticky_sessions` + +Sets the [`PassengerStickySessions`](https://www.phusionpassenger.com/library/config/apache/reference/#passengerstickysessions) parameter. Valid options: 'true', 'false'. Default: undef. + +##### `passenger_startup_file` + +Sets the [`PassengerStartupFile`](https://www.phusionpassenger.com/library/config/apache/reference/#passengerstartupfile) path. This path is relative to the application root. + +##### `php_flags & values` + +Allows per-virtual host setting [`php_value`s or `php_flag`s](http://php.net/manual/en/configuration.changes.php). These flags or values can be overwritten by a user or an application. Default: '{}'. + +##### `php_admin_flags & values` + +Allows per-virtual host setting [`php_admin_value`s or `php_admin_flag`s](http://php.net/manual/en/configuration.changes.php). These flags or values cannot be overwritten by a user or an application. Default: '{}'. + +##### `port` + +Sets the port the host is configured on. The module's defaults ensure the host listens on port 80 for non-SSL virtual hosts and port 443 for SSL virtual hosts. The host only listens on the port set in this parameter. + +##### `priority` + +Sets the relative load-order for Apache HTTPD VirtualHost configuration files. Default: '25'. + +If nothing matches the priority, the first name-based virtual host is used. Likewise, passing a higher priority causes the alphabetically first name-based virtual host to be used if no other names match. + +> **Note:** You should not need to use this parameter. However, if you do use it, be aware that the `default_vhost` parameter for `apache::vhost` passes a priority of '15'. + +To omit the priority prefix in file names, pass a priority of false. + +##### `proxy_dest` + +Specifies the destination address of a [ProxyPass](https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypass) configuration. Default: undef. + +##### `proxy_pass` + +Specifies an array of `path => URI` values for a [ProxyPass](https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypass) configuration. Defaults to 'undef'. Optionally parameters can be added as an array. + +``` puppet apache::vhost { 'site.name.fdqn': … proxy_pass => [ { 'path' => '/a', 'url' => 'http://backend-a/' }, { 'path' => '/b', 'url' => 'http://backend-b/' }, - { 'path' => '/c', 'url' => 'http://backend-a/c', 'params' => 'max=20 ttl=120 retry=300' }, + { 'path' => '/c', 'url' => 'http://backend-a/c', 'params' => {'max'=>20, 'ttl'=>120, 'retry'=>300}}, { 'path' => '/l', 'url' => 'http://backend-xy', 'reverse_urls' => ['http://backend-x', 'http://backend-y'] }, { 'path' => '/d', 'url' => 'http://backend-a/d', 'params' => { 'retry' => '0', 'timeout' => '5' }, }, { 'path' => '/e', 'url' => 'http://backend-a/e', 'keywords' => ['nocanon', 'interpolate'] }, + { 'path' => '/f', 'url' => 'http://backend-f/', + 'setenv' => ['proxy-nokeepalive 1','force-proxy-request-1.0 1']}, + { 'path' => '/g', 'url' => 'http://backend-g/', + 'reverse_cookies' => [{'path' => '/g', 'url' => 'http://backend-g/',}, {'domain' => 'http://backend-g', 'url' => 'http:://backend-g',},], }, + { 'path' => '/h', 'url' => 'http://backend-h/h', + 'no_proxy_uris' => ['/h/admin', '/h/server-status'] }, ], } ``` -`reverse_urls` is optional and can be an array or a string. It is useful when used with `mod_proxy_balancer`. -`params` is an optional parameter. It allows to provide the ProxyPass key=value parameters (Connection settings). - -#####`rack_base_uris` - -Specifies the resource identifiers for a rack configuration. The file paths specified are listed as rack application roots for [Phusion Passenger](http://www.modrails.com/documentation/Users%20guide%20Apache.html#_railsbaseuri_and_rackbaseuri) in the _rack.erb template. Defaults to 'undef'. - -#####`redirect_dest` - -Specifies the address to redirect to. Defaults to 'undef'. - -#####`redirect_source` +* `reverse_urls`. *Optional.* This setting is useful when used with `mod_proxy_balancer`. Valid options: an array or string. +* `reverse_cookies`. *Optional.* Sets `ProxyPassReverseCookiePath` and `ProxyPassReverseCookieDomain`. +* `params`. *Optional.* Allows for ProxyPass key-value parameters, such as connection settings. +* `setenv`. *Optional.* Sets [environment variables](https://httpd.apache.org/docs/current/mod/mod_proxy.html#envsettings) for the proxy directive. Valid options: array. + +##### `proxy_dest_match` + +This directive is equivalent to [`proxy_dest`][], but takes regular expressions, see [ProxyPassMatch](https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypassmatch) for details. + +##### `proxy_dest_reverse_match` + +Allows you to pass a ProxyPassReverse if [`proxy_dest_match`][] is specified. See [ProxyPassReverse](https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypassreverse) for details. + +##### `proxy_pass_match` + +This directive is equivalent to [`proxy_pass`][], but takes regular expressions, see [ProxyPassMatch](https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypassmatch) for details. + +##### `rack_base_uris` + +Specifies the resource identifiers for a rack configuration. The file paths specified are listed as rack application roots for [Phusion Passenger](http://www.modrails.com/documentation/Users%20guide%20Apache.html#_railsbaseuri_and_rackbaseuri) in the _rack.erb template. Default: undef. + +#####`passenger_base_uris` + +Used to specify that the given URI is a Phusion Passenger-served application. The file paths specified are listed as passenger application roots for [Phusion Passenger](https://www.phusionpassenger.com/documentation/Users%20guide%20Apache.html#PassengerBaseURI) in the _passenger_base_uris.erb template. Default: undef. + +##### `redirect_dest` + +Specifies the address to redirect to. Default: undef. + +##### `redirect_source` Specifies the source URIs that redirect to the destination specified in `redirect_dest`. If more than one item for redirect is supplied, the source and destination must be the same length, and the items are order-dependent. -```puppet - apache::vhost { 'site.name.fdqn': - … - redirect_source => ['/images','/downloads'], - redirect_dest => ['http://img.example.com/','http://downloads.example.com/'], - } +``` puppet +apache::vhost { 'site.name.fdqn': + … + redirect_source => ['/images','/downloads'], + redirect_dest => ['http://img.example.com/','http://downloads.example.com/'], +} ``` -#####`redirect_status` - -Specifies the status to append to the redirect. Defaults to 'undef'. - -```puppet - apache::vhost { 'site.name.fdqn': - … - redirect_status => ['temp','permanent'], - } +##### `redirect_status` + +Specifies the status to append to the redirect. Default: undef. + +``` puppet +apache::vhost { 'site.name.fdqn': + … + redirect_status => ['temp','permanent'], +} ``` -#####`redirectmatch_regexp` & `redirectmatch_status` & `redirectmatch_dest` - -Determines which server status should be raised for a given regular expression and where to forward the user to. Entered as arrays. Defaults to 'undef'. - -```puppet - apache::vhost { 'site.name.fdqn': - … - redirectmatch_status => ['404','404'], - redirectmatch_regexp => ['\.git(/.*|$)/','\.svn(/.*|$)'], - redirectmatch_dest => ['http://www.example.com/1','http://www.example.com/2'], - } +##### `redirectmatch_regexp` & `redirectmatch_status` & `redirectmatch_dest` + +Determines which server status should be raised for a given regular expression and where to forward the user to. Entered as arrays. Default: undef. + +``` puppet +apache::vhost { 'site.name.fdqn': + … + redirectmatch_status => ['404','404'], + redirectmatch_regexp => ['\.git(/.*|$)/','\.svn(/.*|$)'], + redirectmatch_dest => ['http://www.example.com/1','http://www.example.com/2'], +} ``` -#####`request_headers` - -Modifies collected [request headers](http://httpd.apache.org/docs/current/mod/mod_headers.html#requestheader) in various ways, including adding additional request headers, removing request headers, etc. Defaults to 'undef'. - -```puppet - apache::vhost { 'site.name.fdqn': - … - request_headers => [ - 'append MirrorID "mirror 12"', - 'unset MirrorID', - ], - } +##### `request_headers` + +Modifies collected [request headers](https://httpd.apache.org/docs/current/mod/mod_headers.html#requestheader) in various ways, including adding additional request headers, removing request headers, etc. Default: undef. + +``` puppet +apache::vhost { 'site.name.fdqn': + … + request_headers => [ + 'append MirrorID "mirror 12"', + 'unset MirrorID', + ], +} ``` - -#####`rewrites` - -Creates URL rewrite rules. Expects an array of hashes, and the hash keys can be any of 'comment', 'rewrite_base', 'rewrite_cond', or 'rewrite_rule'. Defaults to 'undef'. +##### `rewrites` + +Creates URL rewrite rules. Expects an array of hashes, and the hash keys can be any of 'comment', 'rewrite_base', 'rewrite_cond', 'rewrite_rule' or 'rewrite_map'. Default: undef. For example, you can specify that anyone trying to access index.html is served welcome.html -```puppet - apache::vhost { 'site.name.fdqn': - … - rewrites => [ { rewrite_rule => ['^index\.html$ welcome.html'] } ] - } +``` puppet +apache::vhost { 'site.name.fdqn': + … + rewrites => [ { rewrite_rule => ['^index\.html$ welcome.html'] } ] +} ``` The parameter allows rewrite conditions that, when true, execute the associated rule. For instance, if you wanted to rewrite URLs only if the visitor is using IE -```puppet - apache::vhost { 'site.name.fdqn': - … - rewrites => [ - { - comment => 'redirect IE', - rewrite_cond => ['%{HTTP_USER_AGENT} ^MSIE'], - rewrite_rule => ['^index\.html$ welcome.html'], - }, - ], - } +``` puppet +apache::vhost { 'site.name.fdqn': + … + rewrites => [ + { + comment => 'redirect IE', + rewrite_cond => ['%{HTTP_USER_AGENT} ^MSIE'], + rewrite_rule => ['^index\.html$ welcome.html'], + }, + ], +} ``` You can also apply multiple conditions. For instance, rewrite index.html to welcome.html only when the browser is Lynx or Mozilla (version 1 or 2) -```puppet - apache::vhost { 'site.name.fdqn': - … - rewrites => [ - { - comment => 'Lynx or Mozilla v1/2', - rewrite_cond => ['%{HTTP_USER_AGENT} ^Lynx/ [OR]', '%{HTTP_USER_AGENT} ^Mozilla/[12]'], - rewrite_rule => ['^index\.html$ welcome.html'], - }, - ], - } +``` puppet +apache::vhost { 'site.name.fdqn': + … + rewrites => [ + { + comment => 'Lynx or Mozilla v1/2', + rewrite_cond => ['%{HTTP_USER_AGENT} ^Lynx/ [OR]', '%{HTTP_USER_AGENT} ^Mozilla/[12]'], + rewrite_rule => ['^index\.html$ welcome.html'], + }, + ], +} ``` Multiple rewrites and conditions are also possible -```puppet - apache::vhost { 'site.name.fdqn': - … - rewrites => [ - { - comment => 'Lynx or Mozilla v1/2', - rewrite_cond => ['%{HTTP_USER_AGENT} ^Lynx/ [OR]', '%{HTTP_USER_AGENT} ^Mozilla/[12]'], - rewrite_rule => ['^index\.html$ welcome.html'], - }, - { - comment => 'Internet Explorer', - rewrite_cond => ['%{HTTP_USER_AGENT} ^MSIE'], - rewrite_rule => ['^index\.html$ /index.IE.html [L]'], - }, - { - rewrite_base => /apps/, - rewrite_rule => ['^index\.cgi$ index.php', '^index\.html$ index.php', '^index\.asp$ index.html'], - }, - ], - } +``` puppet +apache::vhost { 'site.name.fdqn': + … + rewrites => [ + { + comment => 'Lynx or Mozilla v1/2', + rewrite_cond => ['%{HTTP_USER_AGENT} ^Lynx/ [OR]', '%{HTTP_USER_AGENT} ^Mozilla/[12]'], + rewrite_rule => ['^index\.html$ welcome.html'], + }, + { + comment => 'Internet Explorer', + rewrite_cond => ['%{HTTP_USER_AGENT} ^MSIE'], + rewrite_rule => ['^index\.html$ /index.IE.html [L]'], + }, + { + rewrite_base => /apps/, + rewrite_rule => ['^index\.cgi$ index.php', '^index\.html$ index.php', '^index\.asp$ index.html'], + }, + { comment => 'Rewrite to lower case', + rewrite_cond => ['%{REQUEST_URI} [A-Z]'], + rewrite_map => ['lc int:tolower'], + rewrite_rule => ['(.*) ${lc:$1} [R=301,L]'], + }, + ], +} +``` + +Refer to the [`mod_rewrite` documentation][`mod_rewrite`] for more details on what is possible with rewrite rules and conditions. + +##### `rewrite_inherit` + +Determines whether the virtual host inherits global rewrite rules. Default: false. + +Rewrite rules may be specified globally (in `$conf_file` or `$confd_dir`) or inside the virtual host `.conf` file. By default, virtual hosts do not inherit global settings. To activate inheritance, specify the `rewrites` parameter and set `rewrite_inherit` parameter to `true`: + +``` puppet +apache::vhost { 'site.name.fdqn': + … + rewrites => [ + <rules>, + ], + rewrite_inherit => true, +} ``` -Refer to the [`mod_rewrite` documentation](http://httpd.apache.org/docs/current/mod/mod_rewrite.html) for more details on what is possible with rewrite rules and conditions. - -#####`scriptalias` - -Defines a directory of CGI scripts to be aliased to the path '/cgi-bin', for example: '/usr/scripts'. Defaults to 'undef'. - -#####`scriptaliases` - -*Note*: This parameter is deprecated in favour of the `aliases` parameter. - -Passes an array of hashes to the vhost to create either ScriptAlias or ScriptAliasMatch statements as per the [`mod_alias` documentation](http://httpd.apache.org/docs/current/mod/mod_alias.html). These hashes are formatted as follows: - -```puppet - scriptaliases => [ - { - alias => '/myscript', - path => '/usr/share/myscript', - }, - { - aliasmatch => '^/foo(.*)', - path => '/usr/share/fooscripts$1', - }, - { - aliasmatch => '^/bar/(.*)', - path => '/usr/share/bar/wrapper.sh/$1', - }, - { - alias => '/neatscript', - path => '/usr/share/neatscript', - }, - ] +> **Note**: The `rewrites` parameter is **required** for this to have effect + +###### Some background + +Apache activates global `Rewrite` rules inheritance if the virtual host files contains the following directives: + +``` ApacheConf +RewriteEngine On +RewriteOptions Inherit ``` -The ScriptAlias and ScriptAliasMatch directives are created in the order specified. As with [Alias and AliasMatch](#aliases) directives, more specific aliases should come before more general ones to avoid shadowing. - -#####`serveradmin` - -Specifies the email address Apache displays when it renders one of its error pages. Defaults to 'undef'. - -#####`serveraliases` - -Sets the [ServerAliases](http://httpd.apache.org/docs/current/mod/core.html#serveralias) of the site. Defaults to '[]'. - -#####`servername` - -Sets the servername corresponding to the hostname you connect to the virtual host at. Defaults to the title of the resource. - -#####`setenv` - -Used by HTTPD to set environment variables for vhosts. Defaults to '[]'. +Refer to the [official `mod_rewrite` documentation](https://httpd.apache.org/docs/2.2/mod/mod_rewrite.html), section "Rewriting in Virtual Hosts". + +##### `scriptalias` + +Defines a directory of CGI scripts to be aliased to the path '/cgi-bin', such as '/usr/scripts'. Default: undef. + +##### `scriptaliases` + +> **Note**: This parameter is deprecated in favor of the `aliases` parameter. + +Passes an array of hashes to the virtual host to create either ScriptAlias or ScriptAliasMatch statements per the [`mod_alias` documentation][`mod_alias`]. + +``` puppet +scriptaliases => [ + { + alias => '/myscript', + path => '/usr/share/myscript', + }, + { + aliasmatch => '^/foo(.*)', + path => '/usr/share/fooscripts$1', + }, + { + aliasmatch => '^/bar/(.*)', + path => '/usr/share/bar/wrapper.sh/$1', + }, + { + alias => '/neatscript', + path => '/usr/share/neatscript', + }, +] +``` + +The ScriptAlias and ScriptAliasMatch directives are created in the order specified. As with [Alias and AliasMatch](#aliases) directives, specify more specific aliases before more general ones to avoid shadowing. + +##### `serveradmin` + +Specifies the email address Apache displays when it renders one of its error pages. Default: undef. + +##### `serveraliases` + +Sets the [ServerAliases](https://httpd.apache.org/docs/current/mod/core.html#serveralias) of the site. Default: '[]'. + +##### `servername` + +Sets the servername corresponding to the hostname you connect to the virtual host at. Default: the title of the resource. + +##### `setenv` + +Used by HTTPD to set environment variables for virtual hosts. Default: '[]'. Example: -```puppet - apache::vhost { 'setenv.example.com': - setenv => ['SPECIAL_PATH /foo/bin'], - } +``` puppet +apache::vhost { 'setenv.example.com': + setenv => ['SPECIAL_PATH /foo/bin'], +} ``` -#####`setenvif` - -Used by HTTPD to conditionally set environment variables for vhosts. Defaults to '[]'. - -#####`suphp_addhandler`, `suphp_configpath`, & `suphp_engine` - -Set up a virtual host with [suPHP](http://suphp.org/DocumentationView.html?file=apache/CONFIG). - -`suphp_addhandler` defaults to 'php5-script' on RedHat and FreeBSD, and 'x-httpd-php' on Debian. - -`suphp_configpath` defaults to 'undef' on RedHat and FreeBSD, and '/etc/php5/apache2' on Debian. - -`suphp_engine` allows values 'on' or 'off'. Defaults to 'off' - -To set up a virtual host with suPHP - -```puppet - apache::vhost { 'suphp.example.com': - port => '80', - docroot => '/home/appuser/myphpapp', - suphp_addhandler => 'x-httpd-php', - suphp_engine => 'on', - suphp_configpath => '/etc/php5/apache2', - directories => { path => '/home/appuser/myphpapp', - 'suphp' => { user => 'myappuser', group => 'myappgroup' }, - } - } +##### `setenvif` + +Used by HTTPD to conditionally set environment variables for virtual hosts. Default: '[]'. + +##### `setenvifnocase` + +Used by HTTPD to conditionally set environment variables for virtual hosts (caseless matching). Default: '[]'. + +##### `suphp_addhandler`, `suphp_configpath`, & `suphp_engine` + +Sets up a virtual host with [suPHP](http://suphp.org/DocumentationView.html?file=apache/CONFIG). + +* `suphp_addhandler`. Default: 'php5-script' on RedHat and FreeBSD, and 'x-httpd-php' on Debian and Gentoo. +* `suphp_configpath`. Default: undef on RedHat and FreeBSD, and '/etc/php5/apache2' on Debian and Gentoo. +* `suphp_engine`. Valid options: 'on' or 'off'. Default: 'off'. + +An example virtual host configuration with suPHP: + +``` puppet +apache::vhost { 'suphp.example.com': + port => '80', + docroot => '/home/appuser/myphpapp', + suphp_addhandler => 'x-httpd-php', + suphp_engine => 'on', + suphp_configpath => '/etc/php5/apache2', + directories => { path => '/home/appuser/myphpapp', + 'suphp' => { user => 'myappuser', group => 'myappgroup' }, + } +} ``` -#####`vhost_name` - -Enables name-based virtual hosting. If no IP is passed to the virtual host, but the vhost is assigned a port, then the vhost name is 'vhost_name:port'. If the virtual host has no assigned IP or port, the vhost name is set to the title of the resource. Defaults to '*'. - -#####`virtual_docroot` - -Sets up a virtual host with a wildcard alias subdomain mapped to a directory with the same name. For example, 'http://example.com' would map to '/var/www/example.com'. Defaults to 'false'. - -```puppet - apache::vhost { 'subdomain.loc': - vhost_name => '*', - port => '80', - virtual_docroot' => '/var/www/%-2+', - docroot => '/var/www', - serveraliases => ['*.loc',], - } +##### `vhost_name` + +Enables name-based virtual hosting. If no IP is passed to the virtual host, but the virtual host is assigned a port, then the virtual host name is 'vhost_name:port'. If the virtual host has no assigned IP or port, the virtual host name is set to the title of the resource. Default: '*'. + +##### `virtual_docroot` + +Sets up a virtual host with a wildcard alias subdomain mapped to a directory with the same name. For example, 'http://example.com' would map to '/var/www/example.com'. Default: false. + +``` puppet +apache::vhost { 'subdomain.loc': + vhost_name => '*', + port => '80', + virtual_docroot => '/var/www/%-2+', + docroot => '/var/www', + serveraliases => ['*.loc',], +} ``` -#####`wsgi_daemon_process`, `wsgi_daemon_process_options`, `wsgi_process_group`, `wsgi_script_aliases`, & `wsgi_pass_authorization` - -Set up a virtual host with [WSGI](https://code.google.com/p/modwsgi/). - -`wsgi_daemon_process` sets the name of the WSGI daemon. It is a hash, accepting [these keys](http://modwsgi.readthedocs.org/en/latest/configuration-directives/WSGIDaemonProcess.html), and it defaults to 'undef'. - -`wsgi_daemon_process_options` is optional and defaults to 'undef'. - -`wsgi_process_group` sets the group ID the virtual host runs under. Defaults to 'undef'. - -`wsgi_script_aliases` requires a hash of web paths to filesystem .wsgi paths. Defaults to 'undef'. - -`wsgi_pass_authorization` the WSGI application handles authorisation instead of Apache when set to 'On'. For more information see [here] (http://modwsgi.readthedocs.org/en/latest/configuration-directives/WSGIPassAuthorization.html). Defaults to 'undef' where apache sets the defaults setting to 'Off'. - -`wsgi_chunked_request` enables support for chunked requests. Defaults to 'undef'. - -To set up a virtual host with WSGI - -```puppet - apache::vhost { 'wsgi.example.com': - port => '80', - docroot => '/var/www/pythonapp', - wsgi_daemon_process => 'wsgi', - wsgi_daemon_process_options => - { processes => '2', - threads => '15', - display-name => '%{GROUP}', - }, - wsgi_process_group => 'wsgi', - wsgi_script_aliases => { '/' => '/var/www/demo.wsgi' }, - wsgi_chunked_request => 'On', - } +##### `wsgi_daemon_process`, `wsgi_daemon_process_options`, `wsgi_process_group`, `wsgi_script_aliases`, & `wsgi_pass_authorization` + +Sets up a virtual host with [WSGI](https://github.com/GrahamDumpleton/mod_wsgi). + +* `wsgi_daemon_process`: A hash that sets the name of the WSGI daemon, accepting [certain keys](http://modwsgi.readthedocs.org/en/latest/configuration-directives/WSGIDaemonProcess.html). Default: undef. +* `wsgi_daemon_process_options`. _Optional._ Default: undef. +* `wsgi_process_group`: Sets the group ID that the virtual host runs under. Default: undef. +* `wsgi_script_aliases`: Requires a hash of web paths to filesystem .wsgi paths. Default: undef. +* `wsgi_script_aliases_match`: Requires a hash of web path regexes to filesystem .wsgi paths. Default: undef +* `wsgi_pass_authorization`: Uses the WSGI application to handle authorization instead of Apache when set to 'On'. For more information, see [mod_wsgi's WSGIPassAuthorization documentation] (https://modwsgi.readthedocs.org/en/latest/configuration-directives/WSGIPassAuthorization.html). Default: undef, leading Apache to use its default value of 'Off'. +* `wsgi_chunked_request`: Enables support for chunked requests. Default: undef. + +An example virtual host configuration with WSGI: + +``` puppet +apache::vhost { 'wsgi.example.com': + port => '80', + docroot => '/var/www/pythonapp', + wsgi_daemon_process => 'wsgi', + wsgi_daemon_process_options => + { processes => '2', + threads => '15', + display-name => '%{GROUP}', + }, + wsgi_process_group => 'wsgi', + wsgi_script_aliases => { '/' => '/var/www/demo.wsgi' }, + wsgi_chunked_request => 'On', +} ``` -####Parameter `directories` for `apache::vhost` - -The `directories` parameter within the `apache::vhost` class passes an array of hashes to the vhost to create [Directory](http://httpd.apache.org/docs/current/mod/core.html#directory), [File](http://httpd.apache.org/docs/current/mod/core.html#files), and [Location](http://httpd.apache.org/docs/current/mod/core.html#location) directive blocks. These blocks take the form, '< Directory /path/to/directory>...< /Directory>'. +#### Parameter `directories` for `apache::vhost` + +The `directories` parameter within the `apache::vhost` class passes an array of hashes to the virtual host to create [Directory](https://httpd.apache.org/docs/current/mod/core.html#directory), [File](https://httpd.apache.org/docs/current/mod/core.html#files), and [Location](https://httpd.apache.org/docs/current/mod/core.html#location) directive blocks. These blocks take the form, '< Directory /path/to/directory>...< /Directory>'. The `path` key sets the path for the directory, files, and location blocks. Its value must be a path for the 'directory', 'files', and 'location' providers, or a regex for the 'directorymatch', 'filesmatch', or 'locationmatch' providers. Each hash passed to `directories` **must** contain `path` as one of the keys. -The `provider` key is optional. If missing, this key defaults to 'directory'. Valid values for `provider` are 'directory', 'files', 'location', 'directorymatch', 'filesmatch', or 'locationmatch'. If you set `provider` to 'directorymatch', it uses the keyword 'DirectoryMatch' in the Apache config file. - -General `directories` usage looks something like - -```puppet - apache::vhost { 'files.example.net': - docroot => '/var/www/files', - directories => [ - { 'path' => '/var/www/files', - 'provider' => 'files', - 'deny' => 'from all' - }, - ], - } +The `provider` key is optional. If missing, this key defaults to 'directory'. Valid options: 'directory', 'files', 'proxy', 'location', 'directorymatch', 'filesmatch', 'proxymatch' or 'locationmatch'. If you set `provider` to 'directorymatch', it uses the keyword 'DirectoryMatch' in the Apache config file. + +An example use of `directories`: + +``` puppet +apache::vhost { 'files.example.net': + docroot => '/var/www/files', + directories => [ + { 'path' => '/var/www/files', + 'provider' => 'files', + 'deny' => 'from all', + }, + ], +} ``` -*Note:* At least one directory should match the `docroot` parameter. After you start declaring directories, `apache::vhost` assumes that all required Directory blocks will be declared. If not defined, a single default Directory block is created that matches the `docroot` parameter. - -Available handlers, represented as keys, should be placed within the `directory`,`'files`, or `location` hashes. This looks like - -```puppet - apache::vhost { 'sample.example.net': - docroot => '/path/to/directory', - directories => [ { path => '/path/to/directory', handler => value } ], +> **Note:** At least one directory should match the `docroot` parameter. After you start declaring directories, `apache::vhost` assumes that all required Directory blocks will be declared. If not defined, a single default Directory block is created that matches the `docroot` parameter. + +Available handlers, represented as keys, should be placed within the `directory`, `files`, or `location` hashes. This looks like + +``` puppet +apache::vhost { 'sample.example.net': + docroot => '/path/to/directory', + directories => [ { path => '/path/to/directory', handler => value } ], } ``` Any handlers you do not set in these hashes are considered 'undefined' within Puppet and are not added to the virtual host, resulting in the module using their default values. Supported handlers are: -######`addhandlers` - -Sets [AddHandler](http://httpd.apache.org/docs/current/mod/mod_mime.html#addhandler) directives, which map filename extensions to the specified handler. Accepts a list of hashes, with `extensions` serving to list the extensions being managed by the handler, and takes the form: `{ handler => 'handler-name', extensions => ['extension']}`. - -```puppet - apache::vhost { 'sample.example.net': - docroot => '/path/to/directory', - directories => [ - { path => '/path/to/directory', - addhandlers => [{ handler => 'cgi-script', extensions => ['.cgi']}], - }, - ], - } +###### `addhandlers` + +Sets [AddHandler](https://httpd.apache.org/docs/current/mod/mod_mime.html#addhandler) directives, which map filename extensions to the specified handler. Accepts a list of hashes, with `extensions` serving to list the extensions being managed by the handler, and takes the form: `{ handler => 'handler-name', extensions => ['extension'] }`. + +An example: + +``` puppet +apache::vhost { 'sample.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/path/to/directory', + addhandlers => [{ handler => 'cgi-script', extensions => ['.cgi']}], + }, + ], +} ``` -######`allow` - -Sets an [Allow](http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#allow) directive, which groups authorizations based on hostnames or IPs. **Deprecated:** This parameter is being deprecated due to a change in Apache. It only works with Apache 2.2 and lower. You can use it as a single string for one rule or as an array for more than one. - -```puppet - apache::vhost { 'sample.example.net': - docroot => '/path/to/directory', - directories => [ - { path => '/path/to/directory', - allow => 'from example.org', - }, - ], - } +###### `allow` + +Sets an [Allow](https://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#allow) directive, which groups authorizations based on hostnames or IPs. **Deprecated:** This parameter is being deprecated due to a change in Apache. It only works with Apache 2.2 and lower. You can use it as a single string for one rule or as an array for more than one. + +``` puppet +apache::vhost { 'sample.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/path/to/directory', + allow => 'from example.org', + }, + ], +} ``` -######`allow_override` - -Sets the types of directives allowed in [.htaccess](http://httpd.apache.org/docs/current/mod/core.html#allowoverride) files. Accepts an array. - -```puppet - apache::vhost { 'sample.example.net': - docroot => '/path/to/directory', - directories => [ - { path => '/path/to/directory', - allow_override => ['AuthConfig', 'Indexes'], - }, - ], - } +###### `allow_override` + +Sets the types of directives allowed in [.htaccess](https://httpd.apache.org/docs/current/mod/core.html#allowoverride) files. Accepts an array. + +``` puppet +apache::vhost { 'sample.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/path/to/directory', + allow_override => ['AuthConfig', 'Indexes'], + }, + ], +} ``` -######`auth_basic_authoritative` +###### `auth_basic_authoritative` Sets the value for [AuthBasicAuthoritative](https://httpd.apache.org/docs/current/mod/mod_auth_basic.html#authbasicauthoritative), which determines whether authorization and authentication are passed to lower level Apache modules. -######`auth_basic_fake` - -Sets the value for [AuthBasicFake](http://httpd.apache.org/docs/current/mod/mod_auth_basic.html#authbasicfake), which statically configures authorization credentials for a given directive block. - -######`auth_basic_provider` - -Sets the value for [AuthBasicProvider] (http://httpd.apache.org/docs/current/mod/mod_auth_basic.html#authbasicprovider), which sets the authentication provider for a given location. - -######`auth_digest_algorithm` - -Sets the value for [AuthDigestAlgorithm](http://httpd.apache.org/docs/current/mod/mod_auth_digest.html#authdigestalgorithm), which selects the algorithm used to calculate the challenge and response hashes. - -######`auth_digest_domain` - -Sets the value for [AuthDigestDomain](http://httpd.apache.org/docs/current/mod/mod_auth_digest.html#authdigestdomain), which allows you to specify one or more URIs in the same protection space for digest authentication. - -######`auth_digest_nonce_lifetime` - -Sets the value for [AuthDigestNonceLifetime](http://httpd.apache.org/docs/current/mod/mod_auth_digest.html#authdigestnoncelifetime), which controls how long the server nonce is valid. - -######`auth_digest_provider` - -Sets the value for [AuthDigestProvider](http://httpd.apache.org/docs/current/mod/mod_auth_digest.html#authdigestprovider), which sets the authentication provider for a given location. - -######`auth_digest_qop` - -Sets the value for [AuthDigestQop](http://httpd.apache.org/docs/current/mod/mod_auth_digest.html#authdigestqop), which determines the quality-of-protection to use in digest authentication. - -######`auth_digest_shmem_size` - -Sets the value for [AuthAuthDigestShmemSize](http://httpd.apache.org/docs/current/mod/mod_auth_digest.html#authdigestshmemsize), which defines the amount of shared memory allocated to the server for keeping track of clients. - -######`auth_group_file` +###### `auth_basic_fake` + +Sets the value for [AuthBasicFake](https://httpd.apache.org/docs/current/mod/mod_auth_basic.html#authbasicfake), which statically configures authorization credentials for a given directive block. + +###### `auth_basic_provider` + +Sets the value for [AuthBasicProvider](https://httpd.apache.org/docs/current/mod/mod_auth_basic.html#authbasicprovider), which sets the authentication provider for a given location. + +###### `auth_digest_algorithm` + +Sets the value for [AuthDigestAlgorithm](https://httpd.apache.org/docs/current/mod/mod_auth_digest.html#authdigestalgorithm), which selects the algorithm used to calculate the challenge and response hashes. + +###### `auth_digest_domain` + +Sets the value for [AuthDigestDomain](https://httpd.apache.org/docs/current/mod/mod_auth_digest.html#authdigestdomain), which allows you to specify one or more URIs in the same protection space for digest authentication. + +###### `auth_digest_nonce_lifetime` + +Sets the value for [AuthDigestNonceLifetime](https://httpd.apache.org/docs/current/mod/mod_auth_digest.html#authdigestnoncelifetime), which controls how long the server nonce is valid. + +###### `auth_digest_provider` + +Sets the value for [AuthDigestProvider](https://httpd.apache.org/docs/current/mod/mod_auth_digest.html#authdigestprovider), which sets the authentication provider for a given location. + +###### `auth_digest_qop` + +Sets the value for [AuthDigestQop](https://httpd.apache.org/docs/current/mod/mod_auth_digest.html#authdigestqop), which determines the quality-of-protection to use in digest authentication. + +###### `auth_digest_shmem_size` + +Sets the value for [AuthAuthDigestShmemSize](https://httpd.apache.org/docs/current/mod/mod_auth_digest.html#authdigestshmemsize), which defines the amount of shared memory allocated to the server for keeping track of clients. + +###### `auth_group_file` Sets the value for [AuthGroupFile](https://httpd.apache.org/docs/current/mod/mod_authz_groupfile.html#authgroupfile), which sets the name of the text file containing the list of user groups for authorization. -######`auth_name` - -Sets the value for [AuthName](http://httpd.apache.org/docs/current/mod/mod_authn_core.html#authname), which sets the name of the authorization realm. - -######`auth_require` - -Sets the entity name you're requiring to allow access. Read more about [Require](http://httpd.apache.org/docs/current/mod/mod_authz_host.html#requiredirectives). - -######`auth_type` - -Sets the value for [AuthType](http://httpd.apache.org/docs/current/mod/mod_authn_core.html#authtype), which guides the type of user authentication. - -######`auth_user_file` - -Sets the value for [AuthUserFile](http://httpd.apache.org/docs/current/mod/mod_authn_file.html#authuserfile), which sets the name of the text file containing the users/passwords for authentication. - -######`custom_fragment` +###### `auth_name` + +Sets the value for [AuthName](https://httpd.apache.org/docs/current/mod/mod_authn_core.html#authname), which sets the name of the authorization realm. + +###### `auth_require` + +Sets the entity name you're requiring to allow access. Read more about [Require](https://httpd.apache.org/docs/current/mod/mod_authz_host.html#requiredirectives). + +###### `auth_type` + +Sets the value for [AuthType](https://httpd.apache.org/docs/current/mod/mod_authn_core.html#authtype), which guides the type of user authentication. + +###### `auth_user_file` + +Sets the value for [AuthUserFile](https://httpd.apache.org/docs/current/mod/mod_authn_file.html#authuserfile), which sets the name of the text file containing the users/passwords for authentication. + +###### `auth_merging` + +Sets the value for [AuthMerging](https://httpd.apache.org/docs/current/mod/mod_authz_core.html#authmerging), which determines if authorization logic should be combined + +###### `auth_ldap_url` + +Sets the value for [AuthLDAPURL](https://httpd.apache.org/docs/current/mod/mod_authnz_ldap.html#authldapurl), which determines URL of LDAP-server(s) if AuthBasicProvider 'ldap' is used + +###### `auth_ldap_bind_dn` + +Sets the value for [AuthLDAPBindDN](https://httpd.apache.org/docs/current/mod/mod_authnz_ldap.html#authldapbinddn), which allows use of an optional DN used to bind to the LDAP-server when searching for entries if AuthBasicProvider 'ldap' is used + +###### `auth_ldap_bind_password` + +Sets the value for [AuthLDAPBindPassword](https://httpd.apache.org/docs/current/mod/mod_authnz_ldap.html#authldapbindpassword), which allows use of an optional bind password to use in conjunction with the bind DN if AuthBasicProvider 'ldap' is used + +###### `auth_ldap_group_attribute` + +Array of values for [AuthLDAPGroupAttribute](https://httpd.apache.org/docs/current/mod/mod_authnz_ldap.html#authldapgroupattribute), specifies which LDAP attributes are used to check for user members within ldap-groups. defaults are: "member" and "uniquemember" + +###### `auth_ldap_group_attribute_is_dn` + +Sets value for [AuthLDAPGroupAttributeIsDN](https://httpd.apache.org/docs/current/mod/mod_authnz_ldap.html#authldapgroupattributeisdn), specifies if member of a ldapgroup is a dn or simple username. When set on, this directive says to use the distinguished name of the client username when checking for group membership. Otherwise, the username will be used. valid values are: "on" or "off" + +###### `custom_fragment` Pass a string of custom configuration directives to be placed at the end of the directory configuration. -```puppet - apache::vhost { 'monitor': - … - directories => [ - { - path => '/path/to/directory', - custom_fragment => ' - <Location /balancer-manager> - SetHandler balancer-manager - Order allow,deny - Allow from all - </Location> - <Location /server-status> - SetHandler server-status - Order allow,deny - Allow from all - </Location> - ProxyStatus On', - }, - ] - } +``` puppet +apache::vhost { 'monitor': + … + directories => [ + { + path => '/path/to/directory', + custom_fragment => ' +<Location /balancer-manager> + SetHandler balancer-manager + Order allow,deny + Allow from all +</Location> +<Location /server-status> + SetHandler server-status + Order allow,deny + Allow from all +</Location> +ProxyStatus On', + }, + ] +} ``` -######`deny` - -Sets a [Deny](http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#deny) directive, specifying which hosts are denied access to the server. **Deprecated:** This parameter is being deprecated due to a change in Apache. It only works with Apache 2.2 and lower. - -```puppet - apache::vhost { 'sample.example.net': - docroot => '/path/to/directory', - directories => [ - { path => '/path/to/directory', - deny => 'from example.org', - }, - ], - } +###### `dav` + +Sets the value for [Dav](http://httpd.apache.org/docs/current/mod/mod_dav.html#dav), which determines if the WebDAV HTTP methods should be enabled. The value can be either `On`, `Off` or the name of the provider. A value of `On` enables the default filesystem provider implemented by the `mod_dav_fs` module. + +###### `dav_depth_infinity` + +Sets the value for [DavDepthInfinity](http://httpd.apache.org/docs/current/mod/mod_dav.html#davdepthinfinity), which is used to enable the processing of `PROPFIND` requests having a `Depth: Infinity` header. + +###### `dav_min_timeout` + +Sets the value for [DavMinTimeout](http://httpd.apache.org/docs/current/mod/mod_dav.html#davmintimeout), which sets the time the server holds a lock on a DAV resource. The value should be the number of seconds to set. + +###### `deny` + +Sets a [Deny](https://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#deny) directive, specifying which hosts are denied access to the server. **Deprecated:** This parameter is being deprecated due to a change in Apache. It only works with Apache 2.2 and lower. You can use it as a single string for one rule or as an array for more than one. + +``` puppet +apache::vhost { 'sample.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/path/to/directory', + deny => 'from example.org', + }, + ], +} ``` -######`error_documents` +###### `error_documents` An array of hashes used to override the [ErrorDocument](https://httpd.apache.org/docs/current/mod/core.html#errordocument) settings for the directory. -```puppet - apache::vhost { 'sample.example.net': - directories => [ - { path => '/srv/www', - error_documents => [ - { 'error_code' => '503', - 'document' => '/service-unavail', - }, - ], +``` puppet +apache::vhost { 'sample.example.net': + directories => [ + { path => '/srv/www', + error_documents => [ + { 'error_code' => '503', + 'document' => '/service-unavail', }, ], - } + }, + ], +} +``` + +###### `ext_filter_options` + +Sets the [ExtFilterOptions](https://httpd.apache.org/docs/current/mod/mod_ext_filter.html) directive. +Note that you must declare `class { 'apache::mod::ext_filter': }` before using this directive. + +``` puppet +apache::vhost { 'filter.example.org': + docroot => '/var/www/filter', + directories => [ + { path => '/var/www/filter', + ext_filter_options => 'LogStderr Onfail=abort', + }, + ], +} ``` -######`headers` - -Adds lines for [Header](http://httpd.apache.org/docs/current/mod/mod_headers.html#header) directives. - -```puppet - apache::vhost { 'sample.example.net': - docroot => '/path/to/directory', - directories => { - path => '/path/to/directory', - headers => 'Set X-Robots-Tag "noindex, noarchive, nosnippet"', - }, - } +###### `geoip_enable` + +Sets the [GeoIPEnable](http://dev.maxmind.com/geoip/legacy/mod_geoip2/#Configuration) directive. +Note that you must declare `class {'apache::mod::geoip': }` before using this directive. + +``` puppet +apache::vhost { 'first.example.com': + docroot => '/var/www/first', + directories => [ + { path => '/var/www/first', + geoip_enable => true, + }, + ], +} +``` + +###### `headers` + +Adds lines for [Header](https://httpd.apache.org/docs/current/mod/mod_headers.html#header) directives. + +``` puppet +apache::vhost { 'sample.example.net': + docroot => '/path/to/directory', + directories => { + path => '/path/to/directory', + headers => 'Set X-Robots-Tag "noindex, noarchive, nosnippet"', + }, +} ``` -######`index_options` - -Allows configuration settings for [directory indexing](http://httpd.apache.org/docs/current/mod/mod_autoindex.html#indexoptions). - -```puppet - apache::vhost { 'sample.example.net': - docroot => '/path/to/directory', - directories => [ - { path => '/path/to/directory', - options => ['Indexes','FollowSymLinks','MultiViews'], - index_options => ['IgnoreCase', 'FancyIndexing', 'FoldersFirst', 'NameWidth=*', 'DescriptionWidth=*', 'SuppressHTMLPreamble'], - }, - ], - } +###### `index_options` + +Allows configuration settings for [directory indexing](https://httpd.apache.org/docs/current/mod/mod_autoindex.html#indexoptions). + +``` puppet +apache::vhost { 'sample.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/path/to/directory', + directoryindex => 'disabled', # this is needed on Apache 2.4 or mod_autoindex doesn't work + options => ['Indexes','FollowSymLinks','MultiViews'], + index_options => ['IgnoreCase', 'FancyIndexing', 'FoldersFirst', 'NameWidth=*', 'DescriptionWidth=*', 'SuppressHTMLPreamble'], + }, + ], +} +``` + +###### `index_order_default` + +Sets the [default ordering](https://httpd.apache.org/docs/current/mod/mod_autoindex.html#indexorderdefault) of the directory index. + +``` puppet +apache::vhost { 'sample.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/path/to/directory', + order => 'Allow,Deny', + index_order_default => ['Descending', 'Date'], + }, + ], +} ``` -######`index_order_default` - -Sets the [default ordering](http://httpd.apache.org/docs/current/mod/mod_autoindex.html#indexorderdefault) of the directory index. - -```puppet - apache::vhost { 'sample.example.net': - docroot => '/path/to/directory', - directories => [ - { path => '/path/to/directory', - order => 'Allow,Deny', - index_order_default => ['Descending', 'Date'], - }, - ], - } +###### `index_style_sheet` + +Sets the [IndexStyleSheet](https://httpd.apache.org/docs/current/mod/mod_autoindex.html#indexstylesheet), which adds a CSS stylesheet to the directory index. + +``` puppet +apache::vhost { 'sample.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/path/to/directory', + options => ['Indexes','FollowSymLinks','MultiViews'], + index_options => ['FancyIndexing'], + index_style_sheet => '/styles/style.css', + }, + ], +} ``` -######`options` - -Lists the [Options](http://httpd.apache.org/docs/current/mod/core.html#options) for the given Directory block. - -```puppet - apache::vhost { 'sample.example.net': - docroot => '/path/to/directory', - directories => [ - { path => '/path/to/directory', - options => ['Indexes','FollowSymLinks','MultiViews'], +###### `limit` + +Creates a [Limit](https://httpd.apache.org/docs/current/mod/core.html#limit) block inside the Directory block, which can also contain `require` directives. + +``` puppet +apache::vhost { 'sample.example.net': + docroot => '/path/to/docroot', + directories => [ + { path => '/', + provider => 'location', + limit => [ + { methods => 'GET HEAD', + require => ['valid-user'] }, ], - } + }, + ], +} ``` -######`order` - -Sets the order of processing Allow and Deny statements as per [Apache core documentation](http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#order). **Deprecated:** This parameter is being deprecated due to a change in Apache. It only works with Apache 2.2 and lower. - -```puppet - apache::vhost { 'sample.example.net': - docroot => '/path/to/directory', - directories => [ - { path => '/path/to/directory', - order => 'Allow,Deny', - }, - ], - } +###### `mellon_enable` + +Sets the [MellonEnable][`mod_auth_mellon`] directory to enable [`mod_auth_mellon`][]. You can use [`apache::mod::auth_mellon`][] to install `mod_auth_mellon`. + +``` puppet +apache::vhost { 'sample.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/', + provider => 'directory', + mellon_enable => 'info', + mellon_sp_private_key_file => '/etc/certs/${::fqdn}.key', + mellon_endpoint_path => '/mellon', + mellon_set_env_no_prefix => { 'ADFS_GROUP' => 'http://schemas.xmlsoap.org/claims/Group', + 'ADFS_EMAIL' => 'http://schemas.xmlsoap.org/claims/EmailAddress', }, + mellon_user => 'ADFS_LOGIN', + }, + { path => '/protected', + provider => 'location', + mellon_enable => 'auth', + auth_type => 'Mellon', + auth_require => 'valid-user', + mellon_cond => ['ADFS_LOGIN userA [MAP]','ADFS_LOGIN userB [MAP]'], + }, + ] +} ``` -######`passenger_enabled` - -Sets the value for the [PassengerEnabled](http://www.modrails.com/documentation/Users%20guide%20Apache.html#PassengerEnabled) directory to 'on' or 'off'. Requires `apache::mod::passenger` to be included. - -```puppet - apache::vhost { 'sample.example.net': - docroot => '/path/to/directory', - directories => [ - { path => '/path/to/directory', - passenger_enabled => 'on', - }, - ], - } +Related parameters follow the names of `mod_auth_mellon` directives: + +- `mellon_cond`: Takes an array of mellon conditions that must be met to grant access, and creates a [MellonCond][`mod_auth_mellon`] directive for each item in the array. +- `mellon_endpoint_path`: Sets the [MellonEndpointPath][`mod_auth_mellon`] to set the mellon endpoint path. +- `mellon_sp_metadata_file`: Sets the [MellonSPMetadataFile][`mod_auth_mellon`] location of the SP metadata file. +- `mellon_idp_metadata_file`: Sets the [MellonIDPMetadataFile][`mod_auth_mellon`] location of the IDP metadata file. +- `mellon_saml_rsponse_dump`: Sets the [MellonSamlResponseDump][`mod_auth_mellon`] directive to enable debug of SAML. +- `mellon_set_env_no_prefix`: Sets the [MellonSetEnvNoPrefix][`mod_auth_mellon`] directive to a hash of attribute names to map +to environment variables. +- `mellon_sp_private_key_file`: Sets the [MellonSPPrivateKeyFile][`mod_auth_mellon`] directive for the private key location of the service provider. +- `mellon_sp_cert_file`: Sets the [MellonSPCertFile][`mod_auth_mellon`] directive for the public key location of the service provider. +- `mellon_user`: Sets the [MellonUser][`mod_auth_mellon`] attribute to use for the username. + +###### `options` + +Lists the [Options](https://httpd.apache.org/docs/current/mod/core.html#options) for the given Directory block. + +``` puppet +apache::vhost { 'sample.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/path/to/directory', + options => ['Indexes','FollowSymLinks','MultiViews'], + }, + ], +} ``` -*Note:* Be aware that there is an [issue](http://www.conandalton.net/2010/06/passengerenabled-off-not-working.html) using the PassengerEnabled directive with the PassengerHighPerformance directive. - -######`php_value` and `php_flag` +###### `order` + +Sets the order of processing Allow and Deny statements as per [Apache core documentation](https://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#order). **Deprecated:** This parameter is being deprecated due to a change in Apache. It only works with Apache 2.2 and lower. + +``` puppet +apache::vhost { 'sample.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/path/to/directory', + order => 'Allow,Deny', + }, + ], +} +``` + +###### `passenger_enabled` + +Sets the value for the [PassengerEnabled](http://www.modrails.com/documentation/Users%20guide%20Apache.html#PassengerEnabled) directive to 'on' or 'off'. Requires `apache::mod::passenger` to be included. + +``` puppet +apache::vhost { 'sample.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/path/to/directory', + passenger_enabled => 'on', + }, + ], +} +``` + +> **Note:** There is an [issue](http://www.conandalton.net/2010/06/passengerenabled-off-not-working.html) using the PassengerEnabled directive with the PassengerHighPerformance directive. + +###### `php_value` and `php_flag` `php_value` sets the value of the directory, and `php_flag` uses a boolean to configure the directory. Further information can be found [here](http://php.net/manual/en/configuration.changes.php). -######`php_admin_value` and `php_admin_flag` +###### `php_admin_value` and `php_admin_flag` `php_admin_value` sets the value of the directory, and `php_admin_flag` uses a boolean to configure the directory. Further information can be found [here](http://php.net/manual/en/configuration.changes.php). -######`satisfy` - -Sets a `Satisfy` directive as per the [Apache Core documentation](http://httpd.apache.org/docs/2.2/mod/core.html#satisfy). **Deprecated:** This parameter is being deprecated due to a change in Apache. It only works with Apache 2.2 and lower. - -```puppet - apache::vhost { 'sample.example.net': - docroot => '/path/to/directory', - directories => [ - { path => '/path/to/directory', - satisfy => 'Any', - } - ], +###### `require` + + +Sets a `Require` directive as per the [Apache Authz documentation](https://httpd.apache.org/docs/current/mod/mod_authz_core.html#require). If no `require` is set, it will default to `Require all granted`. + +``` puppet +apache::vhost { 'sample.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/path/to/directory', + require => 'ip 10.17.42.23', } + ], +} ``` -######`sethandler` - -Sets a `SetHandler` directive as per the [Apache Core documentation](http://httpd.apache.org/docs/2.2/mod/core.html#sethandler). An example: - -```puppet - apache::vhost { 'sample.example.net': - docroot => '/path/to/directory', - directories => [ - { path => '/path/to/directory', - sethandler => 'None', - } - ], +When more complex sets of requirement are needed, apache >= 2.4 provides the use of [RequireAll](https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#requireall), [RequireNone](https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#requirenone) or [RequireAny](https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#requireany) directives. +Using the 'enforce' key, which only supports 'any','none','all' (other values are silently ignored), this could be established like: + +``` puppet +apache::vhost { 'sample.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/path/to/directory', + require => { + enforce => 'any', + requires => [ + 'ip 1.2.3.4', + 'not host host.example.com', + 'user xyz', + ], + }, + }, + ], +} +``` + +If `require` is set to `unmanaged` it will not be set at all. This is useful for complex authentication/authorization requirements which are handled in a custom fragment. + +``` puppet +apache::vhost { 'sample.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/path/to/directory', + require => 'unmanaged', } + ], +} +``` + + + +###### `satisfy` + +Sets a `Satisfy` directive per the [Apache Core documentation](https://httpd.apache.org/docs/2.2/mod/core.html#satisfy). **Deprecated:** This parameter is deprecated due to a change in Apache and only works with Apache 2.2 and lower. + +``` puppet +apache::vhost { 'sample.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/path/to/directory', + satisfy => 'Any', + } + ], +} ``` -######`rewrites` - -Creates URL [`rewrites`](#rewrites) rules in vhost directories. Expects an array of hashes, and the hash keys can be any of 'comment', 'rewrite_base', 'rewrite_cond', or 'rewrite_rule'. - -```puppet - apache::vhost { 'secure.example.net': - docroot => '/path/to/directory', - directories => [ - { path => '/path/to/directory', - rewrites => [ { comment => 'Permalink Rewrites', - rewrite_base => '/' - }, - { rewrite_rule => [ '^index\.php$ - [L]' ] - }, - { rewrite_cond => [ '%{REQUEST_FILENAME} !-f', - '%{REQUEST_FILENAME} !-d', - ], - rewrite_rule => [ '. /index.php [L]' ], - } - ], - }, - ], +###### `sethandler` + +Sets a `SetHandler` directive per the [Apache Core documentation](https://httpd.apache.org/docs/2.2/mod/core.html#sethandler). + +``` puppet +apache::vhost { 'sample.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/path/to/directory', + sethandler => 'None', } + ], +} +``` + +###### `set_output_filter` + +Sets a `SetOutputFilter` directive per the [Apache Core documentation](https://httpd.apache.org/docs/current/mod/core.html#setoutputfilter). + +``` puppet +apache::vhost{ 'filter.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/path/to/directory', + set_output_filter => puppetdb-strip-resource-params, + }, + ], +} ``` -***Note*** If you include rewrites in your directories make sure you are also including `apache::mod::rewrite`. You may also want to consider setting the rewrites using the `rewrites` parameter in `apache::vhost` rather than setting the rewrites in the vhost directories. - -######`shib_request_setting` - -Allows an valid content setting to be set or altered for the application request. This command takes two parameters, the name of the content setting, and the value to set it to.Check the Shibboleth [content setting documentation](https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPContentSettings) for valid settings. This key is disabled if `apache::mod::shib` is not defined. Check the [`mod_shib` documentation](https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig#NativeSPApacheConfig-Server/VirtualHostOptions) for more details. - -```puppet - apache::vhost { 'secure.example.net': - docroot => '/path/to/directory', - directories => [ - { path => '/path/to/directory', - shib_require_setting => 'requiresession 1', - shib_use_headers => 'On', - }, - ], - } +###### `rewrites` + +Creates URL [`rewrites`](#rewrites) rules in virtual host directories. Expects an array of hashes, and the hash keys can be any of 'comment', 'rewrite_base', 'rewrite_cond', or 'rewrite_rule'. + +``` puppet +apache::vhost { 'secure.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/path/to/directory', + rewrites => [ { comment => 'Permalink Rewrites', + rewrite_base => '/' + }, + { rewrite_rule => [ '^index\.php$ - [L]' ] + }, + { rewrite_cond => [ '%{REQUEST_FILENAME} !-f', + '%{REQUEST_FILENAME} !-d', + ], + rewrite_rule => [ '. /index.php [L]' ], + } + ], + }, + ], +} ``` -######`shib_use_headers` - -When set to 'On' this turns on the use of request headers to publish attributes to applications. Valid values for this key is 'On' or 'Off', and the default value is 'Off'. This key is disabled if `apache::mod::shib` is not defined. Check the [`mod_shib` documentation](https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig#NativeSPApacheConfig-Server/VirtualHostOptions) for more details. - -######`ssl_options` - -String or list of [SSLOptions](https://httpd.apache.org/docs/current/mod/mod_ssl.html#ssloptions), which configure SSL engine run-time options. This handler takes precedence over SSLOptions set in the parent block of the vhost. - -```puppet - apache::vhost { 'secure.example.net': - docroot => '/path/to/directory', - directories => [ - { path => '/path/to/directory', - ssl_options => '+ExportCertData', - }, - { path => '/path/to/different/dir', - ssl_options => [ '-StdEnvVars', '+ExportCertData'], - }, - ], - } +> **Note**: If you include rewrites in your directories, also include `apache::mod::rewrite` and consider setting the rewrites using the `rewrites` parameter in `apache::vhost` rather than setting the rewrites in the virtual host's directories. + +###### `shib_request_settings` + +Allows a valid content setting to be set or altered for the application request. This command takes two parameters: the name of the content setting, and the value to set it to. Check the Shibboleth [content setting documentation](https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPContentSettings) for valid settings. This key is disabled if `apache::mod::shib` is not defined. Check the [`mod_shib` documentation](https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig#NativeSPApacheConfig-Server/VirtualHostOptions) for more details. + +``` puppet +apache::vhost { 'secure.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/path/to/directory', + shib_request_settings => { 'requiresession' => 'On' }, + shib_use_headers => 'On', + }, + ], +} ``` -######`suphp` - -A hash containing the 'user' and 'group' keys for the [suPHP_UserGroup](http://www.suphp.org/DocumentationView.html?file=apache/CONFIG) setting. It must be used with `suphp_engine => on` in the vhost declaration, and can only be passed within `directories`. - -```puppet - apache::vhost { 'secure.example.net': - docroot => '/path/to/directory', - directories => [ - { path => '/path/to/directory', - suphp => - { user => 'myappuser', - group => 'myappgroup', - }, - }, - ], - } +###### `shib_use_headers` + +When set to 'On', this turns on the use of request headers to publish attributes to applications. Valid options for this key is 'On' or 'Off', and the default value is 'Off'. This key is disabled if `apache::mod::shib` is not defined. Check the [`mod_shib` documentation](https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig#NativeSPApacheConfig-Server/VirtualHostOptions) for more details. + +###### `ssl_options` + +String or list of [SSLOptions](https://httpd.apache.org/docs/current/mod/mod_ssl.html#ssloptions), which configure SSL engine run-time options. This handler takes precedence over SSLOptions set in the parent block of the virtual host. + +``` puppet +apache::vhost { 'secure.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/path/to/directory', + ssl_options => '+ExportCertData', + }, + { path => '/path/to/different/dir', + ssl_options => [ '-StdEnvVars', '+ExportCertData'], + }, + ], +} +``` + +###### `suphp` + +A hash containing the 'user' and 'group' keys for the [suPHP_UserGroup](http://www.suphp.org/DocumentationView.html?file=apache/CONFIG) setting. It must be used with `suphp_engine => on` in the virtual host declaration, and can only be passed within `directories`. + +``` puppet +apache::vhost { 'secure.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/path/to/directory', + suphp => { + user => 'myappuser', + group => 'myappgroup', + }, + }, + ], +} +``` +###### `additional_includes` + +Specifies paths to additional static, specific Apache configuration files in virtual host directories. Valid options: a array of string path. + +``` puppet +apache::vhost { 'sample.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/path/to/different/dir', + additional_includes => [ '/custom/path/includes', '/custom/path/another_includes', ], + }, + ], +} ``` -####SSL parameters for `apache::vhost` - -All of the SSL parameters for `::vhost` default to whatever is set in the base `apache` class. Use the below parameters to tweak individual SSL settings for specific vhosts. - -#####`ssl` - -Enables SSL for the virtual host. SSL vhosts only respond to HTTPS queries. Valid values are 'true' or 'false'. Defaults to 'false'. - -#####`ssl_ca` - -Specifies the SSL certificate authority. Defaults to 'undef'. - -#####`ssl_cert` - -Specifies the SSL certification. Defaults are based on your OS: '/etc/pki/tls/certs/localhost.crt' for RedHat, '/etc/ssl/certs/ssl-cert-snakeoil.pem' for Debian, and '/usr/local/etc/apache22/server.crt' for FreeBSD. - -#####`ssl_protocol` - -Specifies [SSLProtocol](http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslprotocol). Defaults to 'undef'. - -If you do not use this parameter, it uses the HTTPD default from ssl.conf.erb, 'all -SSLv2 -SSLv3'. - -#####`ssl_cipher` - -Specifies [SSLCipherSuite](http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslciphersuite). Defaults to 'undef'. - -If you do not use this parameter, it uses the HTTPD default from ssl.conf.erb, 'HIGH:MEDIUM:!aNULL:!MD5'. - -#####`ssl_honorcipherorder` - -Sets [SSLHonorCipherOrder](http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslhonorcipherorder), which is used to prefer the server's cipher preference order. Defaults to 'On' in the base `apache` config. - -#####`ssl_certs_dir` - -Specifies the location of the SSL certification directory. Defaults to '/etc/ssl/certs' on Debian, '/etc/pki/tls/certs' on RedHat, and '/usr/local/etc/apache22' on FreeBSD. - -#####`ssl_chain` - -Specifies the SSL chain. Defaults to 'undef'. (This default works out of the box, but it must be updated in the base `apache` class with your specific certificate information before being used in production.) - -#####`ssl_crl` - -Specifies the certificate revocation list to use. Defaults to 'undef'. (This default works out of the box but must be updated in the base `apache` class with your specific certificate information before being used in production.) - -#####`ssl_crl_path` - -Specifies the location of the certificate revocation list. Defaults to 'undef'. (This default works out of the box but must be updated in the base `apache` class with your specific certificate information before being used in production.) - -#####`ssl_crl_check` - -Sets the certificate revocation check level via the [SSLCARevocationCheck directive](http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcarevocationcheck), defaults to 'undef'. This default works out of the box but must be specified when using CRLs in production. Only applicable to Apache 2.4 or higher; the value is ignored on older versions. - -#####`ssl_key` - -Specifies the SSL key. Defaults are based on your operating system: '/etc/pki/tls/private/localhost.key' for RedHat, '/etc/ssl/private/ssl-cert-snakeoil.key' for Debian, and '/usr/local/etc/apache22/server.key' for FreeBSD. (This default works out of the box but must be updated in the base `apache` class with your specific certificate information before being used in production.) - -#####`ssl_verify_client` - -Sets the [SSLVerifyClient](http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslverifyclient) directive, which sets the certificate verification level for client authentication. Valid values are: 'none', 'optional', 'require', and 'optional_no_ca'. Defaults to 'undef'. - -```puppet - apache::vhost { 'sample.example.net': - … - ssl_verify_client => 'optional', - } +#### SSL parameters for `apache::vhost` + +All of the SSL parameters for `::vhost` default to whatever is set in the base `apache` class. Use the below parameters to tweak individual SSL settings for specific virtual hosts. + +##### `ssl` + +Enables SSL for the virtual host. SSL virtual hosts only respond to HTTPS queries. Valid options: Boolean. Default: false. + +##### `ssl_ca` + +Specifies the SSL certificate authority to be used to verify client certificates used for authentication. You must also set `ssl_verify_client` to use this. + +Default: `undef`. + +##### `ssl_cert` + +Specifies the SSL certification. Defaults are based on your OS: '/etc/pki/tls/certs/localhost.crt' for RedHat, '/etc/ssl/certs/ssl-cert-snakeoil.pem' for Debian, '/usr/local/etc/apache22/server.crt' for FreeBSD, and '/etc/ssl/apache2/server.crt' on Gentoo. + +##### `ssl_protocol` + +Specifies [SSLProtocol](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslprotocol). Expects an array or space separated string of accepted protocols. Defaults: 'all', '-SSLv2', '-SSLv3'. + +##### `ssl_cipher` + +Specifies [SSLCipherSuite](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslciphersuite). Default: 'HIGH:MEDIUM:!aNULL:!MD5'. + +##### `ssl_honorcipherorder` + +Sets [SSLHonorCipherOrder](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslhonorcipherorder), to cause Apache to use the server's preferred order of ciphers rather than the client's preferred order. Default: true. In addition to true/false Boolean values, will also accept case-insensitive Strings 'on' or 'off'. + +##### `ssl_certs_dir` + +Specifies the location of the SSL certification directory to verify client certs. Will not be used unless `ssl_verify_client` is also set (see below). + +Default: undef + +##### `ssl_chain` + +Specifies the SSL chain. Default: undef. This default works out of the box, but it must be updated in the base `apache` class with your specific certificate information before being used in production. + +##### `ssl_crl` + +Specifies the certificate revocation list to use. Default: undef. (This default works out of the box but must be updated in the base `apache` class with your specific certificate information before being used in production.) + +##### `ssl_crl_path` + +Specifies the location of the certificate revocation list to verify certificates for client authentication with. (This default works out of the box but must be updated in the base `apache` class with your specific certificate information before being used in production.) + +Default: `undef`. + +##### `ssl_crl_check` + +Sets the certificate revocation check level via the [SSLCARevocationCheck directive](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcarevocationcheck) for ssl client authentication. The default works out of the box but must be specified when using CRLs in production. Only applicable to Apache 2.4 or higher; the value is ignored on older versions. + +Default: `undef`. + +##### `ssl_key` + +Specifies the SSL key. Defaults are based on your operating system: '/etc/pki/tls/private/localhost.key' for RedHat, '/etc/ssl/private/ssl-cert-snakeoil.key' for Debian, '/usr/local/etc/apache22/server.key' for FreeBSD, and '/etc/ssl/apache2/server.key' on Gentoo. (This default works out of the box but must be updated in the base `apache` class with your specific certificate information before being used in production.) + +##### `ssl_verify_client` + +Sets the [SSLVerifyClient](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslverifyclient) directive, which sets the certificate verification level for client authentication. Valid options are: 'none', 'optional', 'require', and 'optional_no_ca'. Default: undef. + +``` puppet +apache::vhost { 'sample.example.net': + … + ssl_verify_client => 'optional', +} ``` -#####`ssl_verify_depth` - -Sets the [SSLVerifyDepth](http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslverifydepth) directive, which specifies the maximum depth of CA certificates in client certificate verification. Defaults to 'undef'. - -```puppet - apache::vhost { 'sample.example.net': - … - ssl_verify_depth => 1, - } +##### `ssl_verify_depth` + +Sets the [SSLVerifyDepth](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslverifydepth) directive, which specifies the maximum depth of CA certificates in client certificate verification. You must set `ssl_verify_client` for it to take effect. + +Default: `undef` + +``` puppet +apache::vhost { 'sample.example.net': + … + ssl_verify_client => 'require', + ssl_verify_depth => 1, +} ``` - -#####`ssl_options` - -Sets the [SSLOptions](http://httpd.apache.org/docs/current/mod/mod_ssl.html#ssloptions) directive, which configures various SSL engine run-time options. This is the global setting for the given vhost and can be a string or an array. Defaults to 'undef'. +##### `ssl_proxy_protocol` + +Sets the [SSLProxyProtocol](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxyprotocol) directive, which controls the SSL protocol flavors mod_ssl should use when establishing its server environment for proxy. It will only connect to servers using one of the provided protocols. Default: undef. + + +##### `ssl_proxy_verify` + +Sets the [SSLProxyVerify](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxyverify) directive, which configures certificate verification of the remote server when a proxy is configured to forward requests to a remote SSL server. Default: undef. + +##### `ssl_proxy_machine_cert` + +Sets the [SSLProxyMachineCertificateFile](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxymachinecertificatefile) directive, which specifies an all-in-one file where you keep the certs and keys used for this server to authenticate itself to remote servers. This file should be a concatenation of the PEM-encoded certificate files in order of preference. Default: undef. + +``` puppet +apache::vhost { 'sample.example.net': + … + ssl_proxy_machine_cert => '/etc/httpd/ssl/client_certificate.pem', +} +``` + +##### `ssl_proxy_check_peer_cn` + +Sets the [SSLProxyCheckPeerCN](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxycheckpeercn) directive, which specifies whether the remote server certificate's CN field is compared against the hostname of the request URL. Valid options: 'on', 'off'. Default: undef. + +##### `ssl_proxy_check_peer_name` + +Sets the [SSLProxyCheckPeerName](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxycheckpeername) directive, which specifies whether the remote server certificate's CN field is compared against the hostname of the request URL. Valid options: 'on', 'off'. Default: undef. + +##### `ssl_proxy_check_peer_expire` + +Sets the [SSLProxyCheckPeerExpire](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxycheckpeerexpire) directive, which specifies whether the remote server certificate is checked for expiration or not. Valid options: 'on', 'off'. Default: undef. + +##### `ssl_options` + +Sets the [SSLOptions](https://httpd.apache.org/docs/current/mod/mod_ssl.html#ssloptions) directive, which configures various SSL engine run-time options. This is the global setting for the given virtual host and can be a string or an array. Default: undef. A string: -```puppet - apache::vhost { 'sample.example.net': - … - ssl_options => '+ExportCertData', - } +``` puppet +apache::vhost { 'sample.example.net': + … + ssl_options => '+ExportCertData', +} ``` An array: -```puppet - apache::vhost { 'sample.example.net': - … - ssl_options => [ '+StrictRequire', '+ExportCertData' ], - } +``` puppet +apache::vhost { 'sample.example.net': + … + ssl_options => [ '+StrictRequire', '+ExportCertData' ], +} ``` -#####`ssl_proxyengine` - -Specifies whether or not to use [SSLProxyEngine](http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxyengine). Valid values are 'true' and 'false'. Defaults to 'false'. - -####Defined Type: FastCGI Server - -This type is intended for use with mod_fastcgi. It allows you to define one or more external FastCGI servers to handle specific file types. +##### `ssl_openssl_conf_cmd` + +Sets the [SSLOpenSSLConfCmd](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslopensslconfcmd) directive, which provides direct configuration of OpenSSL parameters. Default: undef. + +##### `ssl_proxyengine` + +Specifies whether or not to use [SSLProxyEngine](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxyengine). Valid options: Boolean. Default: true. + +##### `ssl_stapling` + +Specifies whether or not to use [SSLUseStapling](http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslusestapling). Valid options: Boolean or undef. Default: undef, meaning use what is set globally. + +This parameter only applies to Apache 2.4 or higher and is ignored on older versions. + +##### `ssl_stapling_timeout` + +Can be used to set the [SSLStaplingResponderTimeout](http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslstaplingrespondertimeout) directive. No default. + +This parameter only applies to Apache 2.4 or higher and is ignored on older versions. + +##### `ssl_stapling_return_errors` + +Can be used to set the [SSLStaplingReturnResponderErrors](http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslstaplingreturnrespondererrors) directive. No default. + +This parameter only applies to Apache 2.4 or higher and is ignored on older versions. + +#### Defined type: FastCGI Server + +This type is intended for use with mod\_fastcgi. It allows you to define one or more external FastCGI servers to handle specific file types. + +** Note ** If using Ubuntu 10.04+, you'll need to manually enable the multiverse repository. Ex: -```puppet +``` puppet apache::fastcgi::server { 'php': - host => '127.0.0.1:9000', - timeout => 15, - flush => false, - faux_path => '/var/www/php.fcgi', - fcgi_alias => '/php.fcgi', - file_type => 'application/x-httpd-php' + host => '127.0.0.1:9000', + timeout => 15, + flush => false, + faux_path => '/var/www/php.fcgi', + fcgi_alias => '/php.fcgi', + file_type => 'application/x-httpd-php', + pass_header => '' } ``` Within your virtual host, you can then configure the specified file type to be handled by the fastcgi server specified above. -```puppet +``` puppet apache::vhost { 'www': ... custom_fragment => 'AddType application/x-httpd-php .php' @@ -2116,398 +3897,207 @@ } ``` -#####`host` +##### `host` The hostname or IP address and TCP port number (1-65535) of the FastCGI server. -#####`timeout` +It is also possible to pass a unix socket: + +``` puppet +apache::fastcgi::server { 'php': + host => '/var/run/fcgi.sock', +} +``` + +##### `timeout` The number of seconds of FastCGI application inactivity allowed before the request is aborted and the event is logged (at the error LogLevel). The inactivity timer applies only as long as a connection is pending with the FastCGI application. If a request is queued to an application, but the application doesn't respond (by writing and flushing) within this period, the request is aborted. If communication is complete with the application but incomplete with the client (the response is buffered), the timeout does not apply. -#####`flush` - -Force a write to the client as data is received from the application. By default, mod_fastcgi buffers data in order to free the application as quickly as possible. - -#####`faux_path` +##### `flush` + +Force a write to the client as data is received from the application. By default, mod\_fastcgi buffers data in order to free the application as quickly as possible. + +##### `faux_path` `faux_path` does not have to exist in the local filesystem. URIs that Apache resolves to this filename are handled by this external FastCGI application. -#####`alias` +##### `alias` A unique alias. This is used internally to link the action with the FastCGI server. -#####`file_type` +##### `file_type` The MIME-type of the file to be processed by the FastCGI server. -###Virtual Host Examples - -The apache module allows you to set up pretty much any configuration of virtual host you might need. This section addresses some common configurations, but look at the [Tests section](https://github.com/puppetlabs/puppetlabs-apache/tree/master/tests) for even more examples. - -Configure a vhost with a server administrator - -```puppet - apache::vhost { 'third.example.com': - port => '80', - docroot => '/var/www/third', - serveradmin => 'admin@example.com', - } -``` - -- - - - -Set up a vhost with aliased servers - -```puppet - apache::vhost { 'sixth.example.com': - serveraliases => [ - 'sixth.example.org', - 'sixth.example.net', - ], - port => '80', - docroot => '/var/www/fifth', - } -``` - -- - - - -Configure a vhost with a cgi-bin - -```puppet - apache::vhost { 'eleventh.example.com': - port => '80', - docroot => '/var/www/eleventh', - scriptalias => '/usr/lib/cgi-bin', - } -``` - -- - - - -Set up a vhost with a rack configuration - -```puppet - apache::vhost { 'fifteenth.example.com': - port => '80', - docroot => '/var/www/fifteenth', - rack_base_uris => ['/rackapp1', '/rackapp2'], - } -``` - -- - - - -Set up a mix of SSL and non-SSL vhosts at the same domain - -```puppet - #The non-ssl vhost - apache::vhost { 'first.example.com non-ssl': - servername => 'first.example.com', - port => '80', - docroot => '/var/www/first', - } - - #The SSL vhost at the same domain - apache::vhost { 'first.example.com ssl': - servername => 'first.example.com', - port => '443', - docroot => '/var/www/first', - ssl => true, - } -``` - -- - - - -Configure a vhost to redirect non-SSL connections to SSL - -```puppet - apache::vhost { 'sixteenth.example.com non-ssl': - servername => 'sixteenth.example.com', - port => '80', - docroot => '/var/www/sixteenth', - redirect_status => 'permanent', - redirect_dest => 'https://sixteenth.example.com/' - } - apache::vhost { 'sixteenth.example.com ssl': - servername => 'sixteenth.example.com', - port => '443', - docroot => '/var/www/sixteenth', - ssl => true, - } -``` - -- - - - -Set up IP-based vhosts on any listen port and have them respond to requests on specific IP addresses. In this example, we set listening on ports 80 and 81. This is required because the example vhosts are not declared with a port parameter. - -```puppet - apache::listen { '80': } - apache::listen { '81': } -``` - -Then we set up the IP-based vhosts - -```puppet - apache::vhost { 'first.example.com': - ip => '10.0.0.10', - docroot => '/var/www/first', - ip_based => true, - } - apache::vhost { 'second.example.com': - ip => '10.0.0.11', - docroot => '/var/www/second', - ip_based => true, - } -``` - -- - - - -Configure a mix of name-based and IP-based vhosts. First, we add two IP-based vhosts on 10.0.0.10, one SSL and one non-SSL - -```puppet - apache::vhost { 'The first IP-based vhost, non-ssl': - servername => 'first.example.com', - ip => '10.0.0.10', - port => '80', - ip_based => true, - docroot => '/var/www/first', - } - apache::vhost { 'The first IP-based vhost, ssl': - servername => 'first.example.com', - ip => '10.0.0.10', - port => '443', - ip_based => true, - docroot => '/var/www/first-ssl', - ssl => true, - } -``` - -Then, we add two name-based vhosts listening on 10.0.0.20 - -```puppet - apache::vhost { 'second.example.com': - ip => '10.0.0.20', - port => '80', - docroot => '/var/www/second', - } - apache::vhost { 'third.example.com': - ip => '10.0.0.20', - port => '80', - docroot => '/var/www/third', - } -``` - -If you want to add two name-based vhosts so that they answer on either 10.0.0.10 or 10.0.0.20, you **MUST** declare `add_listen => 'false'` to disable the otherwise automatic 'Listen 80', as it conflicts with the preceding IP-based vhosts. - -```puppet - apache::vhost { 'fourth.example.com': - port => '80', - docroot => '/var/www/fourth', - add_listen => false, - } - apache::vhost { 'fifth.example.com': - port => '80', - docroot => '/var/www/fifth', - add_listen => false, - } +##### `pass_header` + +The name of an HTTP Request Header to be passed in the request environment. This option makes available the contents of headers which are normally not available (e.g. Authorization) to a CGI environment. + +#### Defined type: `apache::vhost::custom` + +The `apache::vhost::custom` defined type is a thin wrapper around the `apache::custom_config` defined type, and simply overrides some of its default settings specific to the virtual host directory in Apache. + +**Parameters within `apache::vhost::custom`**: + +##### `content` + +Sets the configuration file's content. + +##### `ensure` + +Specifies if the virtual host file is present or absent. Valid options: 'absent', 'present'. Default: 'present'. + +##### `priority` + +Sets the relative load order for Apache HTTPD VirtualHost configuration files. Default: '25'. + +##### `verify_config` + +Specifies whether to validate the configuration file before notifying the Apache service. Valid options: Boolean. Default: true. + + +### Private defined types + +#### Defined type: `apache::peruser::multiplexer` + +This defined type checks if an Apache module has a class. If it does, it includes that class. If it does not, it passes the module name to the [`apache::mod`][] defined type. + +#### Defined type: `apache::peruser::multiplexer` + +Enables the [`Peruser`][] module for FreeBSD only. + +#### Defined type: `apache::peruser::processor` + +Enables the [`Peruser`][] module for FreeBSD only. + +#### Defined type: `apache::security::file_link` + +Links the `activated_rules` from [`apache::mod::security`][] to the respective CRS rules on disk. + +### Templates + +The Apache module relies heavily on templates to enable the [`apache::vhost`][] and [`apache::mod`][] defined types. These templates are built based on [Facter][] facts specific to your operating system. Unless explicitly called out, most templates are not meant for configuration. + +## Limitations + +### Ubuntu 10.04 + +The [`apache::vhost::WSGIImportScript`][] parameter creates a statement inside the virtual host that is unsupported on older versions of Apache, causing it to fail. This will be remedied in a future refactoring. + +### Ubuntu 16.04 +The [`apache::mod::suphp`][] class is untested since repositories are missing compatible packages. + +### RHEL/CentOS 5 + +The [`apache::mod::passenger`][] and [`apache::mod::proxy_html`][] classes are untested since repositories are missing compatible packages. + +### RHEL/CentOS 6 + +The [`apache::mod::passenger`][] class is not installing as the the EL6 repository is missing compatible packages. + +### RHEL/CentOS 7 + +The [`apache::mod::passenger`][] and [`apache::mod::proxy_html`][] classes are untested as the EL7 repository is missing compatible packages, which also blocks us from testing the [`apache::vhost`][] defined type's [`rack_base_uris`][] parameter. + +### General + +This module is CI tested against both [open source Puppet][] and [Puppet Enterprise][] on: + +- CentOS 5 and 6 +- Ubuntu 12.04 and 14.04 +- Debian 7 +- RHEL 5, 6, and 7 + +This module also provides functions for other distributions and operating systems, such as FreeBSD, Gentoo, and Amazon Linux, but is not formally tested on them and are subject to regressions. + +### Ubuntu 10.04 + +The [`apache::vhost::wsgi_import_script`][] parameter creates a statement inside the virtual host that is unsupported on older versions of Apache, causing it to fail. This will be remedied in a future refactoring. + +### RHEL/CentOS +The [`apache::mod::auth_cas`][], [`apache::mod::passenger`][], [`apache::mod::proxy_html`][] and [`apache::mod::shib`][] classes are not functional on RH/CentOS without providing dependency packages from extra repositories. + +See their respective documentation above for related repositories and packages. + +### SELinux and custom paths + +If [SELinux][] is in [enforcing mode][] and you want to use custom paths for `logroot`, `mod_dir`, `vhost_dir`, and `docroot`, you need to manage the files' context yourself. + +You can do this with Puppet: + +``` puppet +exec { 'set_apache_defaults': + command => 'semanage fcontext -a -t httpd_sys_content_t "/custom/path(/.*)?"', + path => '/bin:/usr/bin/:/sbin:/usr/sbin', + require => Package['policycoreutils-python'], +} + +package { 'policycoreutils-python': + ensure => installed, +} + +exec { 'restorecon_apache': + command => 'restorecon -Rv /apache_spec', + path => '/bin:/usr/bin/:/sbin:/usr/sbin', + before => Class['Apache::Service'], + require => Class['apache'], +} + +class { 'apache': } + +host { 'test.server': + ip => '127.0.0.1', +} + +file { '/custom/path': + ensure => directory, +} + +file { '/custom/path/include': + ensure => present, + content => '#additional_includes', +} + +apache::vhost { 'test.server': + docroot => '/custom/path', + additional_includes => '/custom/path/include', +} ``` -###Load Balancing - -####Defined Type: `apache::balancer` - -`apache::balancer` creates an Apache balancer cluster. Each balancer cluster needs one or more balancer members, which are declared with [`apache::balancermember`](#defined-type-apachebalancermember). - -One `apache::balancer` defined resource should be defined for each Apache load balanced set of servers. The `apache::balancermember` resources for all balancer members can be exported and collected on a single Apache load balancer server using exported resources. - -**Parameters within `apache::balancer`:** - -#####`name` - -Sets the balancer cluster's title. This parameter also sets the title of the conf.d file. - -#####`proxy_set` - -Configures key-value pairs as [ProxySet](http://httpd.apache.org/docs/current/mod/mod_proxy.html#proxyset) lines. Accepts a hash, and defaults to '{}'. - -#####`collect_exported` - -Determines whether or not to use exported resources. Valid values 'true' and 'false', defaults to 'true'. - -If you statically declare all of your backend servers, you should set this to 'false' to rely on existing declared balancer member resources. Also make sure to use `apache::balancermember` with array arguments. - -If you wish to dynamically declare your backend servers via [exported resources](http://docs.puppetlabs.com/guides/exported_resources.html) collected on a central node, you must set this parameter to 'true' in order to collect the exported balancer member resources that were exported by the balancer member nodes. - -If you choose not to use exported resources, all balancer members will be configured in a single Puppet run. If you are using exported resources, Puppet has to run on the balanced nodes, then run on the balancer. - -####Defined Type: `apache::balancermember` - -Defines members of [mod_proxy_balancer](http://httpd.apache.org/docs/current/mod/mod_proxy_balancer.html), which sets up a balancer member inside a listening service configuration block in etc/apache/apache.cfg on the load balancer. - -**Parameters within `apache::balancermember`:** - -#####`name` - -Sets the title of the resource. This name also sets the name of the concat fragment. - -#####`balancer_cluster` - -Sets the Apache service's instance name. This must match the name of a declared `apache::balancer` resource. Required. - -#####`url` - -Specifies the URL used to contact the balancer member server. Defaults to 'http://${::fqdn}/'. - -#####`options` - -An array of [options](http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#balancermember) to be specified after the URL. Accepts any key-value pairs available to [ProxyPass](http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypass). - -####Examples - -To load balance with exported resources, export the `balancermember` from the balancer member - -```puppet - @@apache::balancermember { "${::fqdn}-puppet00": - balancer_cluster => 'puppet00', - url => "ajp://${::fqdn}:8009" - options => ['ping=5', 'disablereuse=on', 'retry=5', 'ttl=120'], - } -``` - -Then, on the proxy server, create the balancer cluster - -```puppet - apache::balancer { 'puppet00': } -``` - -To load balance without exported resources, declare the following on the proxy - -```puppet - apache::balancer { 'puppet00': } - apache::balancermember { "${::fqdn}-puppet00": - balancer_cluster => 'puppet00', - url => "ajp://${::fqdn}:8009" - options => ['ping=5', 'disablereuse=on', 'retry=5', 'ttl=120'], - } -``` - -Then declare `apache::balancer` and `apache::balancermember` on the proxy server. - -If you need to use ProxySet in the balancer config - -```puppet - apache::balancer { 'puppet01': - proxy_set => {'stickysession' => 'JSESSIONID'}, - } +You need to set the contexts using `semanage fcontext` instead of `chcon` because Puppet's `file` resources reset the values' context in the database if the resource doesn't specify it. + +### FreeBSD + +In order to use this module on FreeBSD, you _must_ use apache24-2.4.12 (www/apache24) or newer. + +## Development + +### Contributing + +[Puppet Labs][] modules on the [Puppet Forge][] are open projects, and community contributions are essential for keeping them great. We can’t access the huge number of platforms and myriad hardware, software, and deployment configurations that Puppet is intended to serve. + +We want to make it as easy as possible to contribute changes so our modules work in your environment, but we also need contributors to follow a few guidelines to help us maintain and improve the modules' quality. + +For more information, please read the complete [module contribution guide][]. + +### Running tests + +This project contains tests for both [rspec-puppet][] and [beaker-rspec][] to verify functionality. For detailed information on using these tools, please see their respective documentation. + +#### Testing quickstart: Ruby > 1.8.7 + ``` - -##Reference - -###Classes - -####Public Classes - -* [`apache`](#class-apache): Guides the basic setup of Apache. -* `apache::dev`: Installs Apache development libraries. (*Note:* On FreeBSD, you must declare `apache::package` or `apache` before `apache::dev`.) -* [`apache::mod::[name]`](#classes-apachemodname): Enables specific Apache HTTPD modules. - -####Private Classes - -* `apache::confd::no_accf`: Creates the no-accf.conf configuration file in conf.d, required by FreeBSD's Apache 2.4. -* `apache::default_confd_files`: Includes conf.d files for FreeBSD. -* `apache::default_mods`: Installs the Apache modules required to run the default configuration. -* `apache::package`: Installs and configures basic Apache packages. -* `apache::params`: Manages Apache parameters. -* `apache::service`: Manages the Apache daemon. - -###Defined Types - -####Public Defined Types - -* `apache::balancer`: Creates an Apache balancer cluster. -* `apache::balancermember`: Defines members of [mod_proxy_balancer](http://httpd.apache.org/docs/current/mod/mod_proxy_balancer.html). -* `apache::listen`: Based on the title, controls which ports Apache binds to for listening. Adds [Listen](http://httpd.apache.org/docs/current/bind.html) directives to ports.conf in the Apache HTTPD configuration directory. Titles take the form '<port>', '<ipv4>:<port>', or '<ipv6>:<port>'. -* `apache::mod`: Used to enable arbitrary Apache HTTPD modules for which there is no specific `apache::mod::[name]` class. -* `apache::namevirtualhost`: Enables name-based hosting of a virtual host. Adds all [NameVirtualHost](http://httpd.apache.org/docs/current/vhosts/name-based.html) directives to the `ports.conf` file in the Apache HTTPD configuration directory. Titles take the form '\*', '*:<port>', '\_default_:<port>, '<ip>', or '<ip>:<port>'. -* `apache::vhost`: Allows specialized configurations for virtual hosts that have requirements outside the defaults. - -####Private Defined Types - -* `apache::peruser::multiplexer`: Enables the [Peruser](http://www.freebsd.org/cgi/url.cgi?ports/www/apache22-peruser-mpm/pkg-descr) module for FreeBSD only. -* `apache::peruser::processor`: Enables the [Peruser](http://www.freebsd.org/cgi/url.cgi?ports/www/apache22-peruser-mpm/pkg-descr) module for FreeBSD only. -* `apache::security::file_link`: Links the activated_rules from apache::mod::security to the respective CRS rules on disk. - -###Templates - -The Apache module relies heavily on templates to enable the `vhost` and `apache::mod` defined types. These templates are built based on Facter facts around your operating system. Unless explicitly called out, most templates are not meant for configuration. - -##Limitations - -###Ubuntu 10.04 - -The `apache::vhost::WSGIImportScript` parameter creates a statement inside the VirtualHost which is unsupported on older versions of Apache, causing this to fail. This will be remedied in a future refactoring. - -###RHEL/CentOS 5 - -The `apache::mod::passenger` and `apache::mod::proxy_html` classes are untested since repositories are missing compatible packages. - -###RHEL/CentOS 7 - -The `apache::mod::passenger` class is untested as the repository does not have packages for EL7 yet. The fact that passenger packages aren't available also makes us unable to test the `rack_base_uri` parameter in `apache::vhost`. - -###General - -This module is CI tested on Centos 5 & 6, Ubuntu 12.04 & 14.04, Debian 7, and RHEL 5, 6 & 7 platforms against both the OSS and Enterprise version of Puppet. - -The module contains support for other distributions and operating systems, such as FreeBSD and Amazon Linux, but is not formally tested on those and regressions can occur. - -###SELinux and Custom Paths - -If you are running with SELinux in enforcing mode and want to use custom paths for your `logroot`, `mod_dir`, `vhost_dir`, and `docroot`, you need to manage the context for the files yourself. - -Something along the lines of: - -```puppet - exec { 'set_apache_defaults': - command => 'semanage fcontext -a -t httpd_sys_content_t "/custom/path(/.*)?"', - path => '/bin:/usr/bin/:/sbin:/usr/sbin', - require => Package['policycoreutils-python'], - } - package { 'policycoreutils-python': ensure => installed } - exec { 'restorecon_apache': - command => 'restorecon -Rv /apache_spec', - path => '/bin:/usr/bin/:/sbin:/usr/sbin', - before => Service['httpd'], - require => Class['apache'], - } - class { 'apache': } - host { 'test.server': ip => '127.0.0.1' } - file { '/custom/path': ensure => directory, } - file { '/custom/path/include': ensure => present, content => '#additional_includes' } - apache::vhost { 'test.server': - docroot => '/custom/path', - additional_includes => '/custom/path/include', - } +gem install bundler +bundle install +bundle exec rake spec +bundle exec rspec spec/acceptance +RS_DEBUG=yes bundle exec rspec spec/acceptance ``` -You need to set the contexts using `semanage fcontext` not `chcon` because `file {...}` resources reset the context to the values in the database if the resource isn't specifying the context. - -##Development - -###Contributing - -Puppet Labs modules on the Puppet Forge are open projects, and community contributions are essential for keeping them great. We can’t access the huge number of platforms and myriad of hardware, software, and deployment configurations that Puppet is intended to serve. - -We want to keep it as easy as possible to contribute changes so that our modules work in your environment. There are a few guidelines that we need contributors to follow so that we can have a chance of keeping on top of things. - -Read the complete module [contribution guide](https://docs.puppetlabs.com/forge/contributing.html) - -###Running tests - -This project contains tests for both [rspec-puppet](http://rspec-puppet.com/) and [beaker-rspec](https://github.com/puppetlabs/beaker-rspec) to verify functionality. For in-depth information please see their respective documentation. - -Quickstart: - - gem install bundler - bundle install - bundle exec rake spec - bundle exec rspec spec/acceptance - RS_DEBUG=yes bundle exec rspec spec/acceptance +#### Testing quickstart: Ruby = 1.8.7 + +``` +gem install bundler +bundle install --without system_tests +bundle exec rake spec +```
--- a/modules/apache/README.passenger.md Sun Dec 29 15:31:28 2019 +0000 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,279 +0,0 @@ -# Passenger - -Just enabling the Passenger module is insufficient for the use of Passenger in -production. Passenger should be tunable to better fit the environment in which -it is run while being aware of the resources it required. - -To this end the Apache passenger module has been modified to apply system wide -Passenger tuning declarations to `passenger.conf`. Declarations specific to a -virtual host should be passed through when defining a `vhost` (e.g. -`rack_base_uris` parameter on the `apache::vhost` type, check `README.md`). - -Also, general apache module loading parameters can be supplied to enable using -a customized passenger module in place of a default-package-based version of -the module. - -# Operating system support and Passenger versions - -The most important configuration directive for the Apache Passenger module is -`PassengerRoot`. Its value depends on the Passenger version used (2.x, 3.x or -4.x) and on the operating system package from which the Apache Passenger module -is installed. - -The following table summarises the current *default versions* and -`PassengerRoot` settings for the operating systems supported by -puppetlabs-apache: - -OS | Passenger version | `PassengerRoot` ----------------- | ------------------ | ---------------- -Debian 7 | 3.0.13 | /usr -Debian 8 | 4.0.53 | /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini -Ubuntu 12.04 | 2.2.11 | /usr -Ubuntu 14.04 | 4.0.37 | /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini -RHEL with EPEL6 | 3.0.21 | /usr/lib/ruby/gems/1.8/gems/passenger-3.0.21 - -As mentioned in `README.md` there are no compatible packages available for -RHEL/CentOS 5 or RHEL/CentOS 7. - -## Configuration files and locations on RHEL/CentOS - -Notice two important points: - -1. The Passenger version packaged in the EPEL repositories may change over time. -2. The value of `PassengerRoot` depends on the Passenger version installed. - -To prevent the puppetlabs-apache module from having to keep up with these -package versions the Passenger configuration files installed by the -packages are left untouched by this module. All configuration is placed in an -extra configuration file managed by puppetlabs-apache. - -This means '/etc/httpd/conf.d/passenger.conf' is installed by the -`mod_passenger` package and contains correct values for `PassengerRoot` and -`PassengerRuby`. Puppet will ignore this file. Additional configuration -directives as described in the remainder of this document are placed in -'/etc/httpd/conf.d/passenger_extra.conf', managed by Puppet. - -This pertains *only* to RHEL/CentOS, *not* Debian and Ubuntu. - -## Third-party and custom Passenger packages and versions - -The Passenger version distributed by the default OS packages may be too old to -be useful. Newer versions may be installed via Gems, from source or from -third-party OS packages. - -Most notably the Passenger developers officially provide Debian packages for a -variety of Debian and Ubuntu releases in the [Passenger APT -repository](https://oss-binaries.phusionpassenger.com/apt/passenger). Read more -about [installing these packages in the offical user -guide](http://www.modrails.com/documentation/Users%20guide%20Apache.html#install_on_debian_ubuntu). - -If you install custom Passenger packages and newer version make sure to set the -directives `PassengerRoot`, `PassengerRuby` and/or `PassengerDefaultRuby` -correctly, or Passenger and Apache will fail to function properly. - -For Passenger 4.x packages on Debian and Ubuntu the `PassengerRoot` directive -should almost universally be set to -`/usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini`. - -# Parameters for `apache::mod::passenger` - -The following class parameters configure Passenger in a global, server-wide -context. - -Example: - -```puppet -class { 'apache::mod::passenger': - passenger_root => '/usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini', - passenger_default_ruby => '/usr/bin/ruby1.9.3', - passenger_high_performance => 'on', - rails_autodetect => 'off', - mod_lib_path => '/usr/lib/apache2/custom_modules', -} -``` - -The general form is using the all lower-case version of the configuration -directive, with underscores instead of CamelCase. - -## Parameters used with passenger.conf - -If you pass a default value to `apache::mod::passenger` it will be ignored and -not passed through to the configuration file. - -### passenger_root - -The location to the Phusion Passenger root directory. This configuration option -is essential to Phusion Passenger, and allows Phusion Passenger to locate its -own data files. - -The default depends on the Passenger version and the means of installation. See -the above section on operating system support, versions and packages for more -information. - -http://www.modrails.com/documentation/Users%20guide%20Apache.html#_passengerroot_lt_directory_gt - -### passenger_default_ruby - -This option specifies the default Ruby interpreter to use for web apps as well -as for all sorts of internal Phusion Passenger helper scripts, e.g. the one -used by PassengerPreStart. - -This directive was introduced in Passenger 4.0.0 and will not work in versions -< 4.x. Do not set this parameter if your Passenger version is older than 4.0.0. - -Defaults to `undef` for all operating systems except Ubuntu 14.04, where it is -set to '/usr/bin/ruby'. - -http://www.modrails.com/documentation/Users%20guide%20Apache.html#PassengerDefaultRuby - -### passenger_ruby - -This directive is the same as `passenger_default_ruby` for Passenger versions -< 4.x and must be used instead of `passenger_default_ruby` for such versions. - -It makes no sense to set `PassengerRuby` for Passenger >= 4.x. That -directive should only be used to override the value of `PassengerDefaultRuby` -on a non-global context, i.e. in `<VirtualHost>`, `<Directory>`, `<Location>` -and so on. - -Defaults to `/usr/bin/ruby` for all supported operating systems except Ubuntu -14.04, where it is set to `undef`. - -http://www.modrails.com/documentation/Users%20guide%20Apache.html#PassengerRuby - -### passenger_high_performance - -Default is `off`. When turned `on` Passenger runs in a higher performance mode -that can be less compatible with other Apache modules. - -http://www.modrails.com/documentation/Users%20guide%20Apache.html#PassengerHighPerformance - -### passenger_max_pool_size - -Sets the maximum number of Passenger application processes that may -simultaneously run. The default value is 6. - -http://www.modrails.com/documentation/Users%20guide%20Apache.html#_passengermaxpoolsize_lt_integer_gt - -### passenger_pool_idle_time - -The maximum number of seconds a Passenger Application process will be allowed -to remain idle before being shut down. The default value is 300. - -http://www.modrails.com/documentation/Users%20guide%20Apache.html#PassengerPoolIdleTime - -### passenger_max_requests - -The maximum number of request a Passenger application will process before being -restarted. The default value is 0, which indicates that a process will only -shut down if the Pool Idle Time (see above) expires. - -http://www.modrails.com/documentation/Users%20guide%20Apache.html#PassengerMaxRequests - -### passenger_stat_throttle_rate - -Sets how often Passenger performs file system checks, at most once every _x_ -seconds. Default is 0, which means the checks are performed with every request. - -http://www.modrails.com/documentation/Users%20guide%20Apache.html#_passengerstatthrottlerate_lt_integer_gt - -### rack_autodetect - -Should Passenger automatically detect if the document root of a virtual host is -a Rack application. Not set by default (`undef`). Note that this directive has -been removed in Passenger 4.0.0 and `PassengerEnabled` should be used instead. -Use this directive only on Passenger < 4.x. - -http://www.modrails.com/documentation/Users%20guide%20Apache.html#_rackautodetect_lt_on_off_gt - -### rails_autodetect - -Should Passenger automatically detect if the document root of a virtual host is -a Rails application. Not set by default (`undef`). Note that this directive -has been removed in Passenger 4.0.0 and `PassengerEnabled` should be used -instead. Use this directive only on Passenger < 4.x. - -http://www.modrails.com/documentation/Users%20guide%20Apache.html#_railsautodetect_lt_on_off_gt - -### passenger_use_global_queue - -Allows toggling of PassengerUseGlobalQueue. NOTE: PassengerUseGlobalQueue is -the default in Passenger 4.x and the versions >= 4.x have disabled this -configuration option altogether. Use with caution. - -## Parameters used to load the module - -Unlike the tuning parameters specified above, the following parameters are only -used when loading customized passenger modules. - -### mod_package - -Allows overriding the default package name used for the passenger module -package. - -### mod_package_ensure - -Allows overriding the package installation setting used by puppet when -installing the passenger module. The default is 'present'. - -### mod_id - -Allows overriding the value used by apache to identify the passenger module. -The default is 'passenger_module'. - -### mod_lib_path - -Allows overriding the directory path used by apache when loading the passenger -module. The default is the value of `$apache::params::lib_path`. - -### mod_lib - -Allows overriding the library file name used by apache when loading the -passenger module. The default is 'mod_passenger.so'. - -### mod_path - -Allows overriding the full path to the library file used by apache when loading -the passenger module. The default is the concatenation of the `mod_lib_path` -and `mod_lib` parameters. - -# Dependencies - -RedHat-based systems will need to configure additional package repositories in -order to install Passenger, specifically: - -* [Extra Packages for Enterprise Linux](https://fedoraproject.org/wiki/EPEL) -* [Phusion Passenger](http://passenger.stealthymonkeys.com) - -Configuration of these repositories is beyond the scope of this module and is -left to the user. - -# Attribution - -The Passenger tuning parameters for the `apache::mod::passenger` Puppet class -was modified by Aaron Hicks (hicksa@landcareresearch.co.nz) for work on the -NeSI Project and the Tuakiri New Zealand Access Federation as a fork from the -PuppetLabs Apache module on GitHub. - -* https://github.com/puppetlabs/puppetlabs-apache -* https://github.com/nesi/puppetlabs-apache -* http://www.nesi.org.nz// -* https://tuakiri.ac.nz/confluence/display/Tuakiri/Home - -# Copyright and License - -Copyright (C) 2012 [Puppet Labs](https://www.puppetlabs.com/) Inc - -Puppet Labs can be contacted at: info@puppetlabs.com - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License.
--- a/modules/apache/Rakefile Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/Rakefile Sun Dec 29 11:00:05 2019 -0500 @@ -1,11 +1,39 @@ +require 'puppet_blacksmith/rake_tasks' +require 'puppet-lint/tasks/puppet-lint' require 'puppetlabs_spec_helper/rake_tasks' -require 'puppet-lint/tasks/puppet-lint' -PuppetLint.configuration.fail_on_warnings = true PuppetLint.configuration.send('relative') -PuppetLint.configuration.send('disable_80chars') -PuppetLint.configuration.send('disable_class_inherits_from_params_class') PuppetLint.configuration.send('disable_documentation') PuppetLint.configuration.send('disable_single_quote_string_with_variables') PuppetLint.configuration.send('disable_only_variable_string') -PuppetLint.configuration.ignore_paths = ["spec/**/*.pp", "pkg/**/*.pp"] + +desc 'Generate pooler nodesets' +task :gen_nodeset do + require 'beaker-hostgenerator' + require 'securerandom' + require 'fileutils' + + agent_target = ENV['TEST_TARGET'] + if ! agent_target + STDERR.puts 'TEST_TARGET environment variable is not set' + STDERR.puts 'setting to default value of "redhat-64default."' + agent_target = 'redhat-64default.' + end + + master_target = ENV['MASTER_TEST_TARGET'] + if ! master_target + STDERR.puts 'MASTER_TEST_TARGET environment variable is not set' + STDERR.puts 'setting to default value of "redhat7-64mdcl"' + master_target = 'redhat7-64mdcl' + end + + targets = "#{master_target}-#{agent_target}" + cli = BeakerHostGenerator::CLI.new([targets]) + nodeset_dir = "tmp/nodesets" + nodeset = "#{nodeset_dir}/#{targets}-#{SecureRandom.uuid}.yaml" + FileUtils.mkdir_p(nodeset_dir) + File.open(nodeset, 'w') do |fh| + fh.print(cli.execute) + end + puts nodeset +end
--- a/modules/apache/checksums.json Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/checksums.json Sun Dec 29 11:00:05 2019 -0500 @@ -1,286 +1,336 @@ { - "CHANGELOG.md": "3c34aa1eaa9b4685d0ef393bd6fa5a7d", - "CONTRIBUTING.md": "e2b8e8e433fc76b3798b7fe435f49375", - "Gemfile": "bbb8d1178f386bc23c151e2779a73314", - "LICENSE": "b3f8a01d8699078d82e8c3c992307517", - "README.md": "ba64fd805d97ebaf6ae5b9908b127ac7", - "README.passenger.md": "8ad3822671735c941a1d5eed15286346", - "Rakefile": "ed3db0e49f5fcb381a19542c08ec473f", + "CHANGELOG.md": "b4510f2d8d9a3404bbe506b5ef3bbe50", + "CONTRIBUTING.md": "b78f71c1104f00538d50ad2775f58e95", + "Gemfile": "5dfe3b49d93073ee777b00804836bb8e", + "LICENSE": "3b83ef96387f14655fc854ddc3c6bd57", + "NOTICE": "b7f979f1e3cd132677e1cd7762547e6b", + "README.md": "416afb3860e796c589a57319b7bd61c0", + "Rakefile": "3a104cbf874d68f98be0c43522d54a27", + "examples/apache.pp": "41e97262421ea5734fac16a338701a78", + "examples/dev.pp": "8da0d50d9d06834dd06329b8945f06d5", + "examples/init.pp": "d27415f33028c26d4031d30305eec5e0", + "examples/mod_load_params.pp": "e8d1c1b1b96d560c8288c51a76bffc87", + "examples/mods.pp": "78a25c9e226265353eabefd3ddfd4218", + "examples/mods_custom.pp": "bc9e6959c282984cf9cdd93869c89499", + "examples/php.pp": "afa0871b94040e3ae91fce9c375fb725", + "examples/vhost.pp": "2e9880fd36401c2f0b083054e7c69f3c", + "examples/vhost_directories.pp": "95aa446a2fccf9f3561581a5d71c61a7", + "examples/vhost_filter.pp": "62c5af7868af9887b7d71769c319c1e5", + "examples/vhost_ip_based.pp": "7a4d4c1c00147c45e4534f58d2fbf4ed", + "examples/vhost_proxypass.pp": "2f0bd33b34a48554adcdf20d6d31a4c2", + "examples/vhost_ssl.pp": "ddd3c45964df56837d6c051a7d692378", + "examples/vhosts_without_listen.pp": "226afb3e87129a56fc9add21b120feb2", "files/httpd": "295f5e924afe6f752d29327e73fe6d0a", + "lib/facter/apache_version.rb": "babb22b1d567021995b4b5fa9328047b", "lib/puppet/parser/functions/bool2httpd.rb": "05d5deeb6e0c31acee7c55b249ec8e06", + "lib/puppet/parser/functions/enclose_ipv6.rb": "581bc163291824909d1700909db96512", + "lib/puppet/parser/functions/validate_apache_log_level.rb": "d75bc4ef17ff5c9a1f94dd3948e733d1", "lib/puppet/provider/a2mod/a2mod.rb": "d986d8e8373f3f31c97359381c180628", "lib/puppet/provider/a2mod/gentoo.rb": "2492d446adbb68f678e86a75eb7ff3bd", "lib/puppet/provider/a2mod/modfix.rb": "b689a1c83c9ccd8590399c67f3e588e5", "lib/puppet/provider/a2mod/redhat.rb": "c39b80e75e7d0666def31c2a6cdedb0b", "lib/puppet/provider/a2mod.rb": "03ed73d680787dd126ea37a03be0b236", "lib/puppet/type/a2mod.rb": "9042ccc045bfeecca28bebb834114f05", - "manifests/balancer.pp": "c2d55400bccc57be122545fefc73f41b", - "manifests/balancermember.pp": "8f44f65124330b7e9b49a7100f86fe6d", + "manifests/balancer.pp": "b444ff1415ba0bd6c8ec1497bcc9cfb3", + "manifests/balancermember.pp": "d74ab23d74fa198853b13ad837df925c", "manifests/confd/no_accf.pp": "406d0ca41c3b90f83740ca218dc3f484", - "manifests/custom_config.pp": "ea53275ebfa6e8953e7805cac36a8a62", + "manifests/custom_config.pp": "c5df4d455ff918f39e6341784457bca9", "manifests/default_confd_files.pp": "86fdbe5773abb7c2da26db096973865c", "manifests/default_mods/load.pp": "bc0b3b65edd1ba6178c09672352f9bce", - "manifests/default_mods.pp": "aec2420ad9e709cf5908bb62173ac794", - "manifests/dev.pp": "43773feed67d5779892d5e39085b8a00", - "manifests/fastcgi/server.pp": "a47073f4447baef318c823f93b5f59ee", - "manifests/init.pp": "e51bed76070d8d44d32a144c4e6e09cd", - "manifests/listen.pp": "f7e224cba3b8021f90511af4f43d8b1f", + "manifests/default_mods.pp": "e4a7aa787443fce2e76c37e8fec99012", + "manifests/dev.pp": "8a7ead42f991e5dfdd364ba1aa1304e0", + "manifests/fastcgi/server.pp": "f177293f02a2878b43a863e8ab3015db", + "manifests/init.pp": "e76413e0c82c2ae13b658bcd97f31c5a", + "manifests/listen.pp": "6e44a9f49376cefb5694d52be5bc5a88", "manifests/mod/actions.pp": "ec2a5d1cf54790204750f9b67938d230", - "manifests/mod/alias.pp": "d3df09abfb57c33bf6ca4d421ac6d220", + "manifests/mod/alias.pp": "1ef0d98a941bd796d428297b74acc8c4", "manifests/mod/auth_basic.pp": "dffef6ff10145393cb78fcaa27220c53", - "manifests/mod/auth_cas.pp": "80f548698f7309cd8254847ddd0bb3cf", - "manifests/mod/auth_kerb.pp": "08d536cb13281db3b9ed9a966ad431fd", - "manifests/mod/authnz_ldap.pp": "e3f91908be35306a488b44c55608b2a0", - "manifests/mod/autoindex.pp": "05112ccb06dc218f9a7b937767a6ea2d", + "manifests/mod/auth_cas.pp": "73dcf3f9ba2421a271f6c21bcae2fcbb", + "manifests/mod/auth_kerb.pp": "8759cab3dc12d6ba4cc12fcdbb699418", + "manifests/mod/auth_mellon.pp": "5bfbc604dd79923bdb65ecab02353059", + "manifests/mod/authn_core.pp": "4db773ddbc0d875230085782d4521951", + "manifests/mod/authn_dbd.pp": "8f03863a483184ca53b9bc3a45b2297f", + "manifests/mod/authn_file.pp": "eeb11513490beee901574746faaeabdf", + "manifests/mod/authnz_ldap.pp": "41b00baeb26144b889f4f0be4601dae5", + "manifests/mod/authz_default.pp": "b7c94cfa4e008155fffd241d35834064", + "manifests/mod/authz_user.pp": "d446c90c44304594206bd2a0112be625", + "manifests/mod/autoindex.pp": "3b50dc082dba420c3d564309601fd419", "manifests/mod/cache.pp": "b56d68b9401ba3e02a1f2fe55cdfbcca", - "manifests/mod/cgi.pp": "558a0350d1e8634a706543e0c6e28687", - "manifests/mod/cgid.pp": "bafc08448218bbb76c85b9ec2de05a98", + "manifests/mod/cgi.pp": "32d6da37e010b5abe19b1a3be87a6d44", + "manifests/mod/cgid.pp": "fb9ae9b5012d41e22cb85c0b50e17361", + "manifests/mod/cluster.pp": "3d86d95713aea6107ff9e056d1b1698f", "manifests/mod/dav.pp": "9df80d36dd609be9032a8260aa9d10c1", - "manifests/mod/dav_fs.pp": "4528673b6e8d0af6935d9d630028b9f0", - "manifests/mod/dav_svn.pp": "f021fe8048deaa06759cd0b96b450363", - "manifests/mod/deflate.pp": "3dc2dbb0dfde703f47d1dc4993ef5b94", + "manifests/mod/dav_fs.pp": "9ad2359d64b0b6f219bd8a338917d114", + "manifests/mod/dav_svn.pp": "abc1ba954033b0b0187c079f310eb0e2", + "manifests/mod/dbd.pp": "4471dbd9fd67d0db885d4ba2a47a194a", + "manifests/mod/deflate.pp": "20231a22aba12eb905f1d7f1853e383e", "manifests/mod/dev.pp": "42673bab60b6fc0f3aa6e2357ec0a27c", - "manifests/mod/dir.pp": "8e577c570ba5e835c4f82232a1c01a4e", - "manifests/mod/disk_cache.pp": "f4e8aee7c670ddc3c15b71b07a1aba9b", - "manifests/mod/event.pp": "2866f06cd572b3612580f1cb01c09445", - "manifests/mod/expires.pp": "6252f817125e784dfd08b5dc37e2ccec", - "manifests/mod/fastcgi.pp": "237ff6ebc17c35ee2e3c82d2e19cd442", - "manifests/mod/fcgid.pp": "61bec2b414dd7e13315c06ff637699fc", + "manifests/mod/dir.pp": "c7327a2a0ff02bdab2f5421359d6f300", + "manifests/mod/disk_cache.pp": "da18cbefced9bb32fc009e999c5b76e2", + "manifests/mod/dumpio.pp": "755f6072ef3130fa670022f26da7e429", + "manifests/mod/env.pp": "2a0321180a59161565b2b5f1b79d6b15", + "manifests/mod/event.pp": "a82a7ab979cc351eb660576bdc91d0e8", + "manifests/mod/expires.pp": "6f12edcf6863958af832db73b56e5f08", + "manifests/mod/ext_filter.pp": "df12ff3935ffa64f32bf897e433fc0ce", + "manifests/mod/fastcgi.pp": "96a3fcf0508a7eb8c9601eac329622eb", + "manifests/mod/fcgid.pp": "96e0a5f09c2d1ba21b2209a6e21b6847", "manifests/mod/filter.pp": "b0039f3ae932b1204994ef2180dd76d2", + "manifests/mod/geoip.pp": "41762c637ab45dac05e564d1b3d03c3e", "manifests/mod/headers.pp": "ef3de538a0a4c9406236faf43eb89710", "manifests/mod/include.pp": "a3b66eda88e38d90825c16b834bacd8d", - "manifests/mod/info.pp": "bad325232ff8038449dcafc11ff37ca1", - "manifests/mod/itk.pp": "ae340c38395df1471fa0402909c168fa", - "manifests/mod/ldap.pp": "367f13080f78b3e8527172cbb8a2fd4a", - "manifests/mod/mime.pp": "9d13abceb29f36c2f6c3a5a71a77561f", - "manifests/mod/mime_magic.pp": "481e016b74b0649bfdcbb32104a62054", - "manifests/mod/negotiation.pp": "6860ed514001b9f3f6945c78d250fd32", - "manifests/mod/nss.pp": "9d1573a9af62cc17cb9b8e322cf2a2b7", - "manifests/mod/pagespeed.pp": "2638c14081f8065bc8940b8d47782cc3", - "manifests/mod/passenger.pp": "937ca95e90c7cb121a5cf12e67056a17", - "manifests/mod/perl.pp": "0bc488e1ac33e4e8987e0b07aa909682", - "manifests/mod/peruser.pp": "cf54a3ee68df1335d55afe5cfd61fb5f", - "manifests/mod/php.pp": "628b672c8a28d1ebd43bedde63a5dfd3", - "manifests/mod/prefork.pp": "e7dd7fef1871eff6effd8a853c74eca6", - "manifests/mod/proxy.pp": "39e224390d43ffe082ff60fba2b97fc4", + "manifests/mod/info.pp": "c3e815ed9912bb9147805f7274508489", + "manifests/mod/itk.pp": "f631157ebdff68b6fc2bb6dbd5b8e8c4", + "manifests/mod/ldap.pp": "3fdd5ed6f1db898fc2499ed0ece0abe1", + "manifests/mod/mime.pp": "24fe99c65367a3f606441605a2ff26dd", + "manifests/mod/mime_magic.pp": "d31702cee9007c2e65c8d3ccbed1fda3", + "manifests/mod/negotiation.pp": "35fb1e9fa643054271804e215bb47299", + "manifests/mod/nss.pp": "3cc69b59bba579181b0ceb1dfd2976d0", + "manifests/mod/pagespeed.pp": "1fcf4c30084bd1e4fa3006b4d3265c1a", + "manifests/mod/passenger.pp": "55c68abd56d7838bbd6d9cb48bc941bb", + "manifests/mod/perl.pp": "b8180ca0e1e7f8d60030321f52c28d6d", + "manifests/mod/peruser.pp": "13761222709094653bca7bad4435fcdb", + "manifests/mod/php.pp": "64737f2ea2ad8532aaf515b713e9cac7", + "manifests/mod/prefork.pp": "3deff89f43a1f55dda643ac66e3fc4dc", + "manifests/mod/proxy.pp": "a65065f0c7705b7b75b1dd6fc2222e27", "manifests/mod/proxy_ajp.pp": "073e2406aea7822750d4c21f02d8ac80", - "manifests/mod/proxy_balancer.pp": "6d16440ba6bed5427b331b6c6abf4063", - "manifests/mod/proxy_connect.pp": "859998974f8f1a301a2412b971f1cad8", - "manifests/mod/proxy_html.pp": "9bc2520986f76ae093103cffe3825438", + "manifests/mod/proxy_balancer.pp": "a13221d222df646e84910cabd2902dee", + "manifests/mod/proxy_connect.pp": "7cd9b4b61ec6feb020f753ee74910a48", + "manifests/mod/proxy_fcgi.pp": "8c7fd559419b159e27218a17463d850d", + "manifests/mod/proxy_html.pp": "5ce01879add843832f756962dceec845", "manifests/mod/proxy_http.pp": "0db1b26f8b4036b0d46ba86b7eaac561", - "manifests/mod/python.pp": "15f03d79e45737fdf0afca9665706b88", - "manifests/mod/reqtimeout.pp": "aee3d869e6ca6eed18071c8d2aa97aff", + "manifests/mod/proxy_wstunnel.pp": "88ee88d6d56a70f0000e690f80f64acb", + "manifests/mod/python.pp": "6f65b22271cf356832fe7a1949163861", + "manifests/mod/remoteip.pp": "9ad1d5712477f11ae2643f209bb08ce3", + "manifests/mod/reqtimeout.pp": "17b245b5d14f3f7b8c1d5fa07e5c159e", "manifests/mod/rewrite.pp": "292f2d6ce2078fa9df7f686105ea7b95", - "manifests/mod/rpaf.pp": "4844d717d6577aee8a788a7fbdc5e8dd", - "manifests/mod/security.pp": "9289d90560550a265d290a6fa17a1d76", - "manifests/mod/setenvif.pp": "b2ae43541bf1df5374187339e50a081f", - "manifests/mod/shib.pp": "3e2d3b5bf864fd292fa30f7c98d449f6", - "manifests/mod/speling.pp": "fa89a82933d30d2ebfe11e3ad9966bd1", - "manifests/mod/ssl.pp": "770b92e241c874ffc5ad19a4d96ecf14", - "manifests/mod/status.pp": "0b24de931fd8d54b2db0e3d16f0d0d8c", + "manifests/mod/rpaf.pp": "54991f51a06e2b4171956e6ce1caf3a3", + "manifests/mod/security.pp": "eaae214a25fcfa9fc9e4db4d2b88a37d", + "manifests/mod/setenvif.pp": "fa3b3e5f3a7e029f9db5b66ae499c6c8", + "manifests/mod/shib.pp": "8b75f8818fe9dc5728a478fc27962447", + "manifests/mod/socache_shmcb.pp": "c94ae23ab8cce744acad2f7e33dbfa9c", + "manifests/mod/speling.pp": "b6971e10caf22837e410b94910b66b1a", + "manifests/mod/ssl.pp": "a6c6ed342ef96db622671ed99ae0fe0d", + "manifests/mod/status.pp": "2e54208b8e669a7768b8bc4c2ca216a1", "manifests/mod/suexec.pp": "2a8671856a0ece597e9b57867dc35e76", - "manifests/mod/suphp.pp": "6905059571fa21b7de957fd90540acff", - "manifests/mod/userdir.pp": "a2cd9d2ee4c778054af445c98d5bb8d4", + "manifests/mod/suphp.pp": "5a7390ef0a0ceaa2d7e684bcb6300587", + "manifests/mod/userdir.pp": "bb20504fc72d66b8cf80bb270db7bb66", "manifests/mod/version.pp": "6cb31057ebffa796f95642cc95f9499d", "manifests/mod/vhost_alias.pp": "ee1225a748daaf50aca39a6d93fb8470", - "manifests/mod/worker.pp": "eb95ede796d15697481e049277e67a49", - "manifests/mod/wsgi.pp": "510facba62320aa6b697cdb50e4599ac", + "manifests/mod/worker.pp": "41137580c48b89f2795c1295d87962c0", + "manifests/mod/wsgi.pp": "186a34169367a2e64af4faf3036e3af3", "manifests/mod/xsendfile.pp": "fba06f05a19c466654aca5ecaa705bf0", - "manifests/mod.pp": "000ae8575c37f89540c6ae5f6584bc6b", - "manifests/mpm.pp": "f39fe763d839347a0795788ac62dd370", - "manifests/namevirtualhost.pp": "67618d40112e4ddc1b46f64af2a5e875", - "manifests/package.pp": "579269b2d02fdbd3bdb215f99531305d", - "manifests/params.pp": "6e907df88f37870fb6eecec7b7053304", + "manifests/mod.pp": "0986292ef7477c30f6d07209f0591bdf", + "manifests/mpm.pp": "d4bfe77df34110cb253557104b2e6310", + "manifests/namevirtualhost.pp": "5ad54a441ff26a55cc536069d8fad238", + "manifests/package.pp": "ebd1e1e815ef744ebd4e9d8a6c94a07a", + "manifests/params.pp": "87ee0d41960947ec394b03e0c6396ad6", "manifests/peruser/multiplexer.pp": "0ea75341b7a93e55bcfb431a93b1a6c9", "manifests/peruser/processor.pp": "62f0ad5ed2ec36dadc7f40ad2a9e1bb9", "manifests/php.pp": "9c9d07e12bf5d112b0b54f5bd69046fc", "manifests/proxy.pp": "7c8515b88406922e148322ee15044b29", "manifests/python.pp": "ddef4cd73850fdc2dc126d4579c30adf", - "manifests/security/rule_link.pp": "4635131018b0c5cd5f57ecea9f708b65", - "manifests/service.pp": "3aab22a66b618fe53ee4266723f9377c", + "manifests/security/rule_link.pp": "9c879ecfd7534347ccc8cf3ea77fa859", + "manifests/service.pp": "8e51ebf5af2e943030aec043face1bac", "manifests/ssl.pp": "173f3d6a7fd2b5f4100c4ff03d84e13b", - "manifests/version.pp": "20d981c681384653f8c4f5a93c3013e8", - "manifests/vhost.pp": "67573125636aa5d9dfa443aa2baa8346", - "metadata.json": "e62a98601e555a4986322dd98da11981", - "spec/acceptance/apache_parameters_spec.rb": "2bf2a24853b723af816d1543b57ec390", - "spec/acceptance/apache_ssl_spec.rb": "9813a93162e56c80b9eb6c286084437a", - "spec/acceptance/basic_spec.rb": "e9ee3089384d2db23cc5226891b180ac", - "spec/acceptance/class_spec.rb": "55a14f0a728efe8bff4bc1d2d5c85267", - "spec/acceptance/custom_config_spec.rb": "7982e71cd9a786536cb55fef618ac857", - "spec/acceptance/default_mods_spec.rb": "e1e92a645ae200adffed64d16e478cf0", - "spec/acceptance/itk_spec.rb": "45401fe10b565ee9bf86900346a51a85", - "spec/acceptance/mod_dav_svn_spec.rb": "921cddd8b1f7f506859aaaae6cfd2c8a", - "spec/acceptance/mod_deflate_spec.rb": "2b68e9d30e933bbfa2946ef3c136f135", - "spec/acceptance/mod_fcgid_spec.rb": "514cfb3b6bc81ddd0417271be8925956", - "spec/acceptance/mod_mime_spec.rb": "1b2d4eedd42220ba8d40578dfc5cfb85", - "spec/acceptance/mod_negotiation_spec.rb": "b1f46074c5803ba8b73ab69d2c3477e5", - "spec/acceptance/mod_pagespeed_spec.rb": "ddb0219655955277dc343856fe72dff0", - "spec/acceptance/mod_passenger_spec.rb": "521ed9b0e3112efe7fd248678ed5433a", - "spec/acceptance/mod_php_spec.rb": "9bb6491963075c94e4adaafc84804a6d", - "spec/acceptance/mod_proxy_html_spec.rb": "6ca7794b7ea73b5fa3a74f2a45215b7d", - "spec/acceptance/mod_security_spec.rb": "a0b520040b23cd7591535469dc46b4a9", - "spec/acceptance/mod_suphp_spec.rb": "90e5172eec59c0598bd2442edd92cbb0", - "spec/acceptance/nodesets/centos-59-x64.yml": "57eb3e471b9042a8ea40978c467f8151", - "spec/acceptance/nodesets/centos-64-x64-pe.yml": "ec075d95760df3d4702abea1ce0a829b", - "spec/acceptance/nodesets/centos-64-x64.yml": "d65958bdf25fb31eb4838fd984b555df", - "spec/acceptance/nodesets/centos-65-x64.yml": "3e5c36e6aa5a690229e720f4048bb8af", - "spec/acceptance/nodesets/centos-70-x64.yml": "0ae796256280ca157abc98f7cb492ea4", - "spec/acceptance/nodesets/debian-607-x64.yml": "52f42f3b8fc507a5fc825977d62665a3", - "spec/acceptance/nodesets/debian-70rc1-x64.yml": "717aa92150ebe3fca718807c7c93126f", - "spec/acceptance/nodesets/debian-73-i386.yml": "40aeb7ceab29148bb98a1e2bd51aba86", - "spec/acceptance/nodesets/debian-73-x64.yml": "df78f357e1bd0f7f9818d552eeb35026", - "spec/acceptance/nodesets/default.yml": "d65958bdf25fb31eb4838fd984b555df", - "spec/acceptance/nodesets/fedora-18-x64.yml": "9c907e4416a5fd487ff30a672a6b1c9e", - "spec/acceptance/nodesets/ubuntu-server-10044-x64.yml": "75e86400b7889888dc0781c0ae1a1297", - "spec/acceptance/nodesets/ubuntu-server-12042-x64.yml": "d30d73e34cd50b043c7d14e305955269", - "spec/acceptance/nodesets/ubuntu-server-1310-x64.yml": "9deb39279e104d765179b471c6ebb3a2", - "spec/acceptance/nodesets/ubuntu-server-1404-x64.yml": "5f0aed10098ac5b78e4217bb27c7aaf0", - "spec/acceptance/prefork_worker_spec.rb": "671a76b1d0112286ec48b0f570640942", - "spec/acceptance/service_spec.rb": "24ce3caa9990b2f06ac98c7c438e1d5c", - "spec/acceptance/unsupported_spec.rb": "ecb65438d469b70dd7c611414f535771", - "spec/acceptance/version.rb": "fd5b1d11ef1bb78203c3a3d293f6a9d2", - "spec/acceptance/vhost_spec.rb": "b37ae2fc06a68bbf4954ee26efb85550", - "spec/classes/apache_spec.rb": "df8569225b35290bceaf00ebad5853e2", - "spec/classes/dev_spec.rb": "8a59736729227d62b88887ba86ced334", - "spec/classes/mod/alias_spec.rb": "bd4c64dbd15a97c22acde624c699cc1f", - "spec/classes/mod/auth_cas_spec.rb": "34af1e2489fe7f805c760c40b2bc3f5b", - "spec/classes/mod/auth_kerb_spec.rb": "81c36d1383f9948c53e0b23b0b49659e", - "spec/classes/mod/authnz_ldap_spec.rb": "ce2f5fb517d4cc760c913fe131b1550f", - "spec/classes/mod/dav_svn_spec.rb": "683bdd809215d06cd99e3be91c6dd181", - "spec/classes/mod/deflate_spec.rb": "a1ec387446c169659c757727bc7eea9b", - "spec/classes/mod/dev_spec.rb": "7af29e847f7afc3493ebfddb0f55e220", - "spec/classes/mod/dir_spec.rb": "ab631f1b2e0032df355dfc409bde8e78", - "spec/classes/mod/event_spec.rb": "9b0e975494cb761303ceba0e02c67f5a", - "spec/classes/mod/fastcgi_spec.rb": "76ac8328da6c2fe1e126d8dcdcdb5519", - "spec/classes/mod/fcgid_spec.rb": "1bd48e8387ca095082ceaa8f61ea6acb", - "spec/classes/mod/info_spec.rb": "ec117599e1808bd6199872c34ea0288a", - "spec/classes/mod/itk_spec.rb": "437d4e4e776e082db051c99cb05a1058", - "spec/classes/mod/mime_magic_spec.rb": "8291c37b89f9d50f58fa94ab9cbb1bfe", - "spec/classes/mod/mime_spec.rb": "5e527739b595f9b0638ce384648c3187", - "spec/classes/mod/negotiation_spec.rb": "f1b10fe931b96f72f5d0eaf86354fce9", - "spec/classes/mod/pagespeed_spec.rb": "482d0dc3ebf002155d3c728d2043bcac", - "spec/classes/mod/passenger_spec.rb": "8354b9783e8b4abd263ce29ab0afcfca", - "spec/classes/mod/perl_spec.rb": "0e563ccf36864616f1f577533b0b6110", - "spec/classes/mod/peruser_spec.rb": "2992e95775cb5e1302e70eb6df1e593c", - "spec/classes/mod/php_spec.rb": "f18c77c5a136ee1b73cd72930887f0c0", - "spec/classes/mod/prefork_spec.rb": "bf9a3564b32d6b8b1772339e7e1add20", - "spec/classes/mod/proxy_connect_spec.rb": "2d58c91c1a6867b11b8ae6588b6e18c9", - "spec/classes/mod/proxy_html_spec.rb": "0c148ecf366bb5ebd13e865cd9f16f79", - "spec/classes/mod/python_spec.rb": "30e69012295e6d25685838959add60cc", - "spec/classes/mod/reqtimeout_spec.rb": "cf68b961d1ce38b2f14023d78ce28c4e", - "spec/classes/mod/rpaf_spec.rb": "eb3840c8b2fa74547dfce0a9bdae6303", - "spec/classes/mod/security_spec.rb": "a6c7526a69306c1993376e9e0646354f", - "spec/classes/mod/shib_spec.rb": "18107e156dd4682f59ddcc33c0dfc0d7", - "spec/classes/mod/speling_spec.rb": "4727fbb92f074e0cf3911e6cffe3322f", - "spec/classes/mod/ssl_spec.rb": "7cedfc9cce8e456041ce154a27e628e1", - "spec/classes/mod/status_spec.rb": "1c7520050c8bed47492acd51588be52d", - "spec/classes/mod/suphp_spec.rb": "0c4d625a64124e7c9c14ea2b68dc7ebe", - "spec/classes/mod/worker_spec.rb": "b6bf734f060e1f499425a43b0aea7a4d", - "spec/classes/mod/wsgi_spec.rb": "5f42c20c907952cf7adcf90a1c41226b", - "spec/classes/params_spec.rb": "da381f36fd0367d5f7982e1caa5b639a", - "spec/classes/service_spec.rb": "1117ba6a253ea66913ce883b8df371fb", - "spec/defines/balancermember_spec.rb": "6071ddc9a56be6ecccfade6e233fb34b", - "spec/defines/custom_config_spec.rb": "d99514f77523a4ae3f4ccef12cb612b8", - "spec/defines/fastcgi_server_spec.rb": "9b9490ddb6451a19e0f6e96b72e71e0b", - "spec/defines/mod_spec.rb": "92e8255861a40e5dd18545cefcb0d09a", + "manifests/version.pp": "3388b1978b04cba63ed7fc8e2ec3f692", + "manifests/vhost/custom.pp": "421081f6c4f33e1aca07ff789e53345e", + "manifests/vhost.pp": "da0c608533e3010de53a42a09748c633", + "manifests/vhosts.pp": "d5cd9e6b701b7b2948c011546bc55497", + "metadata.json": "6d849e74421ef619c2d202e1fb5a05e3", + "spec/acceptance/apache_parameters_spec.rb": "5b95e67d474cc8a132c45f6e91714037", + "spec/acceptance/apache_ssl_spec.rb": "c57e800714173f00a1bba07c13f7c10e", + "spec/acceptance/class_spec.rb": "9d77ee23b734dd48ecea4353dee3d616", + "spec/acceptance/custom_config_spec.rb": "61e03d814d0671d194dd40e6b1ad5c9b", + "spec/acceptance/default_mods_spec.rb": "2481bfa99dd34e15f2b4c7eed194635f", + "spec/acceptance/itk_spec.rb": "812c855013c08ebb13e642dc5199b41a", + "spec/acceptance/mod_dav_svn_spec.rb": "e792a6d585026dd7bded38e62c8786f6", + "spec/acceptance/mod_deflate_spec.rb": "dd39bfb069e0233bf134caaeb1dc6fe6", + "spec/acceptance/mod_fcgid_spec.rb": "ef0e3368ea14247c05ff43217b5856ee", + "spec/acceptance/mod_mime_spec.rb": "0869792d98c1b2577f02d97c92f1765e", + "spec/acceptance/mod_negotiation_spec.rb": "017f6b0cc1496c25aa9b8a33ef8dbbb3", + "spec/acceptance/mod_pagespeed_spec.rb": "67042ee98dd08596130eee7e5b4296d6", + "spec/acceptance/mod_passenger_spec.rb": "a66264ef73ad6c5396a06ab9b5444c7c", + "spec/acceptance/mod_php_spec.rb": "98bc1ff97a36de86d5a1b800b2afd7a6", + "spec/acceptance/mod_proxy_html_spec.rb": "34478fc2f12a23cd5a95d424f85da150", + "spec/acceptance/mod_security_spec.rb": "c783d44cf3ccba2fa6a3c14de0e486a0", + "spec/acceptance/mod_suphp_spec.rb": "f5c1f21e4c5323b81afc354c82e7ceb9", + "spec/acceptance/nodesets/centos-7-x64.yml": "a713f3abd3657f0ae2878829badd23cd", + "spec/acceptance/nodesets/debian-8-x64.yml": "d2d2977900989f30086ad251a14a1f39", + "spec/acceptance/nodesets/default.yml": "b42da5a1ea0c964567ba7495574b8808", + "spec/acceptance/nodesets/docker/centos-7.yml": "8a3892807bdd62306ae4774f41ba11ae", + "spec/acceptance/nodesets/docker/debian-8.yml": "ac8e871d1068c96de5e85a89daaec6df", + "spec/acceptance/nodesets/docker/ubuntu-14.04.yml": "dc42ee922a96908d85b8f0f08203ce58", + "spec/acceptance/nodesets/suse.yml": "eff62186e4de2ffed45a72a375380338", + "spec/acceptance/prefork_worker_spec.rb": "1570eefe61d667a1b43824adc0b2bb78", + "spec/acceptance/service_spec.rb": "341f157cb33fa48d5166d2274ad3bc65", + "spec/acceptance/version.rb": "6a1f2db3e369f3dc2b5bd76f4921891a", + "spec/acceptance/vhost_spec.rb": "69a14b4e593fa9ecfdccda1ab23b453a", + "spec/acceptance/vhosts_spec.rb": "c9635037681d569a053da6eb7ae5f4f4", + "spec/classes/apache_spec.rb": "fe0d844ef6cb3bad10e2d935ea16e737", + "spec/classes/dev_spec.rb": "6bc9ff7cffb77aac52c5bd3acc157d2d", + "spec/classes/mod/alias_spec.rb": "e62706d9925b0dc1821db78d01986a7e", + "spec/classes/mod/auth_cas_spec.rb": "46a7ba3fe31d3fc6175b8dce5105326e", + "spec/classes/mod/auth_kerb_spec.rb": "a32949cf0f8f93786b58589b102b1fe0", + "spec/classes/mod/auth_mellon_spec.rb": "81d3ea4b7567718ca810b625fd36d231", + "spec/classes/mod/authn_dbd_spec.rb": "8c794faaa5244e16f432c76679cb12d7", + "spec/classes/mod/authnz_ldap_spec.rb": "bef6980f85489c5fd7388511cb65b644", + "spec/classes/mod/cluster_spec.rb": "c1d01cc4a4f9ce10d692294019791e2f", + "spec/classes/mod/dav_svn_spec.rb": "6b3c4123a067e249f6c78c5b0cbcbcc7", + "spec/classes/mod/deflate_spec.rb": "adf6e41357fefe4ff1128e8fea4d3057", + "spec/classes/mod/dev_spec.rb": "1a30ef5fb18073fd2bf6f7923ff9c57f", + "spec/classes/mod/dir_spec.rb": "9e25507c094cb3b2fe6eb1106668b484", + "spec/classes/mod/disk_cache_spec.rb": "e821fa50ace7ab3398c43b16034748e9", + "spec/classes/mod/dumpio_spec.rb": "689d167b05e669c29709fc36940e7b05", + "spec/classes/mod/event_spec.rb": "46a304c796ac3928be0a67bec1f46b4f", + "spec/classes/mod/expires_spec.rb": "0d27e3438627f2ad34abacf582fb8b0b", + "spec/classes/mod/ext_filter_spec.rb": "7af18fdf1376f17e68dc99e5627ba067", + "spec/classes/mod/fastcgi_spec.rb": "59f7ea857b0fa614e8808270c529300f", + "spec/classes/mod/fcgid_spec.rb": "bda06cc347a8da8d7c7374add2654248", + "spec/classes/mod/info_spec.rb": "d51c6a9e6ae4d944488a43c8c15b95c0", + "spec/classes/mod/itk_spec.rb": "622f23a1346383846cbc98e38388034d", + "spec/classes/mod/ldap_spec.rb": "12863d495558fbe9f6cb7a50ab37688c", + "spec/classes/mod/mime_magic_spec.rb": "259304a80e92e4ba15e7cd719fe25c17", + "spec/classes/mod/mime_spec.rb": "d946fb96659b67bf7117ad7ed4b25cce", + "spec/classes/mod/negotiation_spec.rb": "44d50f7e6ef8c6388baa4c7cfc07be43", + "spec/classes/mod/pagespeed_spec.rb": "56bd7d82920cb734ea8139c9fed97de7", + "spec/classes/mod/passenger_spec.rb": "a7cb67b8f93b462dc9a1bf29ad7f2436", + "spec/classes/mod/perl_spec.rb": "1daa227f563ac19ff8dcdea0d0005ec4", + "spec/classes/mod/peruser_spec.rb": "c379ce85a997789856b12c27957bf994", + "spec/classes/mod/php_spec.rb": "2cc1a1d5d097be26eef3139b4e8eafaf", + "spec/classes/mod/prefork_spec.rb": "d82f0f25691ba019b912cd000dbb845f", + "spec/classes/mod/proxy_balancer_spec.rb": "c0bd0c3ebf39d7c66120b3837551f6b1", + "spec/classes/mod/proxy_connect_spec.rb": "baef920356c839b698c2adb865e79b5f", + "spec/classes/mod/proxy_html_spec.rb": "c6fc0e6b0cbcd3d5f9e65d533366ee32", + "spec/classes/mod/proxy_wstunnel.rb": "69bcef5e88aeb115290d8428186c80ec", + "spec/classes/mod/python_spec.rb": "5ca2dd0829b7baa1022c551b66548b20", + "spec/classes/mod/remoteip_spec.rb": "f9bf0bc64fef6d570f7b798ceef0d598", + "spec/classes/mod/reqtimeout_spec.rb": "2af2919e8253100fbc2e001d30a5cd15", + "spec/classes/mod/rpaf_spec.rb": "5c4725a4bcab9339d7309765390aaed1", + "spec/classes/mod/security_spec.rb": "adabc64a0a847c9f448c3282a4de1b94", + "spec/classes/mod/shib_spec.rb": "b4ec345e387f8d7186048f5d286bb71d", + "spec/classes/mod/speling_spec.rb": "96919b9fbd1e894fcfd649044c3dafb5", + "spec/classes/mod/ssl_spec.rb": "54219eac9b409a833a57ecfdce66a196", + "spec/classes/mod/status_spec.rb": "1eeaf906baf6ca82bf24c4e23494c71c", + "spec/classes/mod/suphp_spec.rb": "cc7c02c42e985aa133f9d868e14d9435", + "spec/classes/mod/worker_spec.rb": "c326e36fbcfe9f0c59dc1db389a33926", + "spec/classes/mod/wsgi_spec.rb": "5c76026d8f08ac7d17d7b34f089979a3", + "spec/classes/params_spec.rb": "adbd9f0dee677ea9439b9ce0d620894f", + "spec/classes/service_spec.rb": "d23f6cd3eac018e368e0ba32cbf95f11", + "spec/classes/vhosts_spec.rb": "9baf23eb534e944a1bd593e72dd3050e", + "spec/defines/balancer_spec.rb": "8793815eb22b5190977b154fcd97e85e", + "spec/defines/balancermember_spec.rb": "e93ded8b51cc1d73e52f453880b3576e", + "spec/defines/custom_config_spec.rb": "a7e3392933cabc8ed6bb57deaebb36d9", + "spec/defines/fastcgi_server_spec.rb": "8e167c1525cb9a7473efdde01efe0ca3", + "spec/defines/mod_spec.rb": "a10e5b2570419737c03cd0f6347cc985", "spec/defines/modsec_link_spec.rb": "3421b21f8234637dd1c32ebcf89e44c3", - "spec/defines/vhost_spec.rb": "1886dc77e76861625ad5bf4d612fb72b", - "spec/spec.opts": "a600ded995d948e393fbe2320ba8e51c", - "spec/spec_helper.rb": "eb7ec6afb39e2282e62f2ebf69712707", - "spec/spec_helper_acceptance.rb": "5fd137b203cd262fbf03a4c2091d6d47", - "spec/unit/provider/a2mod/gentoo_spec.rb": "8cf6574e75a4a7e8ff5a92d75a8d7ea8", - "spec/unit/puppet/parser/functions/bool2httpd_spec.rb": "3c47a968139400e5b81af8650f2d0e21", + "spec/defines/vhost_custom_spec.rb": "d5596a7a0c239d4c0ed8bebbb6a124ab", + "spec/defines/vhost_spec.rb": "b9fc940b93fa4bde6e6d1ce1ef91d234", + "spec/fixtures/files/negotiation.conf": "9c11872e26327ec880749b5dfdea25d6", + "spec/fixtures/files/spec": "e964ecac35c35baa9b4c57dac4ff5b3e", + "spec/fixtures/templates/negotiation.conf.erb": "c838e612ce6f82a5efd12871ad562011", + "spec/spec_helper.rb": "b2db3bc02b4ac2fd5142a6621c641b07", + "spec/spec_helper_acceptance.rb": "5153bae117687363a0cf889739c2f834", + "spec/spec_helper_local.rb": "1b6ccd9b2f6946b81560239881774e94", + "spec/unit/apache_version_spec.rb": "c9d7b8ab46fb21d370702f02088281a2", + "spec/unit/provider/a2mod/gentoo_spec.rb": "02f7510cbf4945c5e1094ebcb967c8e0", + "spec/unit/puppet/parser/functions/bool2httpd_spec.rb": "0c9bca53eb43b5fc888126514b2a174c", + "spec/unit/puppet/parser/functions/enclose_ipv6_spec.rb": "0145a78254ea716e5e7600d9464318a8", + "spec/unit/puppet/parser/functions/validate_apache_log_level.rb": "8f558fd81d1655e9ab20896152eca512", "templates/confd/no-accf.conf.erb": "a614f28c4b54370e4fa88403dfe93eb0", - "templates/fastcgi/server.erb": "482ce7a72a08f21e3592e584178d5917", - "templates/httpd.conf.erb": "fd1fb6c9300a37deece420e8a2cfd8bd", + "templates/fastcgi/server.erb": "30cdd04393bdb4f68678d00e2930721b", + "templates/httpd.conf.erb": "5a8eacfe858789a1e2059cd0452b6b01", "templates/listen.erb": "6286aa08f9e28caee54b1e1ee031b9d6", - "templates/mod/alias.conf.erb": "611b6952119607244ae4fb723e2c0612", - "templates/mod/auth_cas.conf.erb": "74595985c3b0f9df1aaa0ad5dd7a7906", - "templates/mod/authnz_ldap.conf.erb": "12c9a1482694ddad3143e5eef03fb531", + "templates/mod/alias.conf.erb": "370e9d394dd462d3ebc0dd345ab68f6f", + "templates/mod/auth_cas.conf.erb": "35e1291a5fa05067d7623c02bafb0ada", + "templates/mod/auth_mellon.conf.erb": "4e17d22a8f1bc312e976e8513199c945", + "templates/mod/authn_dbd.conf.erb": "7a84f5d3b3a4b92a88fe052b13376f8e", + "templates/mod/authnz_ldap.conf.erb": "d648a09c5625a7da5715f03526f2fefd", "templates/mod/autoindex.conf.erb": "2421a3c6df32c7e38c2a7a22afdf5728", "templates/mod/cgid.conf.erb": "f8ce27d60bc495bab16de2696ebb2fd0", + "templates/mod/cluster.conf.erb": "1b12d0b30352527474986eba1973b9b1", "templates/mod/dav_fs.conf.erb": "10c1131168e35319e22b3fbfe51aebfd", "templates/mod/deflate.conf.erb": "e866ecf2bfe8e42ea984267f569723db", "templates/mod/dir.conf.erb": "2485da78a2506c14bf51dde38dd03360", - "templates/mod/disk_cache.conf.erb": "7d3e7a5ee3bd7b6a839924b06a60667f", - "templates/mod/event.conf.erb": "469ef574b0ae1728203002a52f3d5a3b", - "templates/mod/fastcgi.conf.erb": "ab125b9bfdc494b621eec41587bf6101", + "templates/mod/disk_cache.conf.erb": "48d1b54ec1dedea7f68451bc0774790e", + "templates/mod/dumpio.conf.erb": "260a03d5f5b450095a5374690fbb34b2", + "templates/mod/event.conf.erb": "5e4095242d8e5dd99fe0823cfa2f1434", + "templates/mod/expires.conf.erb": "7a77f8b1d50c53ee77a6cb798c51a2b9", + "templates/mod/ext_filter.conf.erb": "4e4e4143ab402a9f9d51301b1a192202", + "templates/mod/fastcgi.conf.erb": "2404caa7d91dea083fc4f8b6f18acd24", "templates/mod/fcgid.conf.erb": "1780c7808bb3811deaf0007c890df4dc", - "templates/mod/info.conf.erb": "dd434aca2b3693c425a2c252a2c39f46", + "templates/mod/geoip.conf.erb": "93b95f44ec733ee8231be82381e02782", + "templates/mod/info.conf.erb": "c8580f35594e8f76da9c961def618739", "templates/mod/itk.conf.erb": "eff84b78e4f2f8c5c3a2e9fc4b8aad16", - "templates/mod/ldap.conf.erb": "57a006daca5fdacc094a872f9f0a4535", + "templates/mod/ldap.conf.erb": "03ef6f461e4778342e6b94b8b4f3cd3a", "templates/mod/load.erb": "01132434e6101080c41548b0ba7e57d8", - "templates/mod/mime.conf.erb": "8f953519790a5900369fb656054cae35", - "templates/mod/mime_magic.conf.erb": "db7ac6bbf365d016852744d339c12d16", + "templates/mod/mime.conf.erb": "2fa5a10d06ff979de1d5d2544586ab45", + "templates/mod/mime_magic.conf.erb": "067c3180b4216439b039822114144e78", "templates/mod/mpm_event.conf.erb": "80097a19d063a4f973465d9ef5c0c0bf", "templates/mod/negotiation.conf.erb": "a2f0fb40cd038cb17bedc2b84d9f48ea", - "templates/mod/nss.conf.erb": "688c134cb37159a92cf85010ea3c67e6", - "templates/mod/pagespeed.conf.erb": "0d1ba456a798d1404205b7fbdee3294e", - "templates/mod/passenger.conf.erb": "206040d2d8009bfcb650e6833a29433e", + "templates/mod/nss.conf.erb": "03a7a3721b19706e00df00e457c5df69", + "templates/mod/pagespeed.conf.erb": "d1d8dfb00e528aab10a24518c7f148a6", + "templates/mod/passenger.conf.erb": "81512838f2fb7f01bf7fd674f023d086", "templates/mod/peruser.conf.erb": "c4f4054aee899249ea6fef5a9e5c14ff", - "templates/mod/php5.conf.erb": "e92f4b41e71318d35f44859b71999887", + "templates/mod/php.conf.erb": "c535da6adea16bdcb0586260eedf8c93", "templates/mod/prefork.conf.erb": "f9ec5a7eaea78a19b04fa69f8acd8a84", - "templates/mod/proxy.conf.erb": "7eef34af57278ea572b267cff9fb6631", + "templates/mod/proxy.conf.erb": "33a6a57edd324ba56e879a7b077ecf08", + "templates/mod/proxy_balancer.conf.erb": "a9f8d51a2a7169e5fd0c8415a3f9c662", "templates/mod/proxy_html.conf.erb": "69c9ce9b7f24e1337065f1ce26b057a0", + "templates/mod/remoteip.conf.erb": "ad58e174410e3ff46ff93d4ad1e7b8a0", "templates/mod/reqtimeout.conf.erb": "314ef068b786ae5afded290a8b6eab15", "templates/mod/rpaf.conf.erb": "5447539c083ae54f3a9e93c1ac8c988b", - "templates/mod/security.conf.erb": "1bd891bb3ed76e493a48c06b53a468f5", - "templates/mod/security_crs.conf.erb": "0533f947d1d418774213bc9eb0444358", + "templates/mod/security.conf.erb": "e309716298ed8709df5496c27d47fe36", + "templates/mod/security_crs.conf.erb": "5c7bc134c0675d75b66a5c8faaf11eb6", "templates/mod/setenvif.conf.erb": "c7ede4173da1915b7ec088201f030c28", - "templates/mod/ssl.conf.erb": "201c794f0ba123a83dc684a3b24a80d5", - "templates/mod/status.conf.erb": "9e959900ac58c8de34783886efeebce7", + "templates/mod/ssl.conf.erb": "6f9557964b967bb6715d1f19f266367a", + "templates/mod/status.conf.erb": "574ecc6f74e8b75d84710a44c4260210", "templates/mod/suphp.conf.erb": "05bb7b3ea23976b032ce405bfd4edd18", - "templates/mod/userdir.conf.erb": "aca41a30ff76f6645eddc5093e697c15", - "templates/mod/worker.conf.erb": "a590811ec67bb7c8a3d3dcf7b442e226", + "templates/mod/userdir.conf.erb": "b555d16697b030d34ad18d41d4084c4c", + "templates/mod/worker.conf.erb": "dc4c7049af7312f5e82b3e72e8fccdfd", "templates/mod/wsgi.conf.erb": "9a416fa3b71be0795679069809686300", "templates/namevirtualhost.erb": "fbfca19a639e18e6c477e191344ac8ae", "templates/ports_header.erb": "afe35cb5747574b700ebaa0f0b3a626e", - "templates/vhost/_access_log.erb": "a0c804cb6fc03e5c573f9bfbcf73d9c6", + "templates/vhost/_access_log.erb": "522414033856b19a50a7ebb1c729438a", "templates/vhost/_action.erb": "a004dfcac2e63cef65cf8aa0e270b636", - "templates/vhost/_additional_includes.erb": "630083ded68174663e79eadf0491c0a8", + "templates/vhost/_additional_includes.erb": "10e9c0056e962c49459839a1576b082e", "templates/vhost/_aliases.erb": "6412f695e911feac18986da38f290dae", "templates/vhost/_allow_encoded_slashes.erb": "37dee0b6fe9287342a10b533955dff81", - "templates/vhost/_block.erb": "cab4365316621b4e06cd1258abeb1d23", + "templates/vhost/_auth_cas.erb": "96fb19c558e7e187fe9160f00f39061c", + "templates/vhost/_auth_kerb.erb": "3d0de0c3066440dffcbc75215174705b", + "templates/vhost/_block.erb": "8fa2f970222dbc0a38898b5a0ab80411", "templates/vhost/_charsets.erb": "d152b6a7815e9edc0fe9bf9acbe2f1ec", - "templates/vhost/_custom_fragment.erb": "67a4475275ec9208e6421b047b9ed7f4", - "templates/vhost/_directories.erb": "cb84af33f7b145cc7d71d003d3e7d56e", - "templates/vhost/_docroot.erb": "1cd82546a85458b1e117ca24f06d4691", + "templates/vhost/_custom_fragment.erb": "325ff48cefc06db035daa3491c391a88", + "templates/vhost/_directories.erb": "f981420e239cc4a615ccb9a7852b37f4", + "templates/vhost/_docroot.erb": "65d882a3c9d6b6bdd2f9b771f378035a", "templates/vhost/_error_document.erb": "81d3007c1301a5c5f244c082cfee9de2", "templates/vhost/_fallbackresource.erb": "e6c103bee7f6f76b10f244fc9fd1cd3b", - "templates/vhost/_fastcgi.erb": "d07c41eae32671b38b5dba14724c14cc", + "templates/vhost/_fastcgi.erb": "e6d743e11b776e155dc4f80c602fb7e1", "templates/vhost/_file_footer.erb": "e27b2525783e590ca1820f1e2118285d", - "templates/vhost/_file_header.erb": "9502d6f3c9cc29c66c08ef94eb27f9fb", + "templates/vhost/_file_header.erb": "7c3c04eb4ac67403604113e2628696cf", + "templates/vhost/_filters.erb": "597b9de5ae210af9182a1c95172115e7", "templates/vhost/_header.erb": "9eb9d4075f288183d8224ddec5b2f126", "templates/vhost/_itk.erb": "8bf90b9855a9277f7a665b10f6c57fe9", + "templates/vhost/_jk_mounts.erb": "ce997ee7b5602af04062cd5f785da345", + "templates/vhost/_keepalive_options.erb": "16876858bac1e55b13545866b0428d90", "templates/vhost/_logging.erb": "5bc4cbb1bc8a292acc0ba0420f96ca4e", - "templates/vhost/_passenger.erb": "02bd1d5c7d221f6b0afb19f45f169425", - "templates/vhost/_php.erb": "0be13b20951791db0f09c328e13b7eaf", + "templates/vhost/_passenger.erb": "54089ef42f49bf8285d2d5ccdcba0699", + "templates/vhost/_passenger_base_uris.erb": "c8d7f4da1434078e856c72671942dcd8", + "templates/vhost/_php.erb": "a16a9f3e146ce463481205e083d4bf79", "templates/vhost/_php_admin.erb": "107a57e9e7b3f86d1abcf743f672a292", - "templates/vhost/_proxy.erb": "9035baf04289a809176f0e9097093459", + "templates/vhost/_proxy.erb": "18b9bbb791d248179a08eb36ab895e12", "templates/vhost/_rack.erb": "ebe187c1bdc81eec9c8e0d9026120b18", - "templates/vhost/_redirect.erb": "639e170cafa9e703ab38797c8fc3030b", + "templates/vhost/_redirect.erb": "2d40ece74203cc00b861a058db91962c", "templates/vhost/_requestheader.erb": "db1b0cdda069ae809b5b83b0871ef991", - "templates/vhost/_rewrite.erb": "dd1aa56817f88b876d673cc9af5c3f21", + "templates/vhost/_require.erb": "8a90d4c632b65ae1d89c66220f73ee80", + "templates/vhost/_rewrite.erb": "b7858eac95352744196006b57d4091df", "templates/vhost/_scriptalias.erb": "98713f33cca15b22c749bd35ea9a7b41", - "templates/vhost/_security.erb": "58cd0f606e104be456dea0b5d52212e8", + "templates/vhost/_security.erb": "0ade536a9d25342e7128996add04be56", "templates/vhost/_serveralias.erb": "95fed45853629924467aefc271d5b396", "templates/vhost/_serversignature.erb": "9bf5a458783ab459e5043e1cdf671fa7", - "templates/vhost/_setenv.erb": "818f65d2936be12a24e59079e28f8f47", - "templates/vhost/_ssl.erb": "af6a1e1b3811a59e19ca11856511d032", + "templates/vhost/_setenv.erb": "6e6a7efb1b168da9673c9e6d00eadec5", + "templates/vhost/_ssl.erb": "92444768ba2ea36ee0cbc3c690b6a154", + "templates/vhost/_sslproxy.erb": "c327d73e1669bde19a64e53109d4b57e", "templates/vhost/_suexec.erb": "f2b3f9b9ff8fbac4e468e02cd824675a", "templates/vhost/_suphp.erb": "a1c4a5e4461adbfce870df0abd158b59", - "templates/vhost/_wsgi.erb": "c4ea9a97580489edc6b589ac46816462", - "tests/apache.pp": "819cf9116ffd349e6757e1926d11ca2f", - "tests/dev.pp": "9f5727f69f536538f8d840fad0852308", - "tests/init.pp": "4eac4a7ef68499854c54a78879e25535", - "tests/mod_load_params.pp": "5981af4d625a906fce1cedeb3f70cb90", - "tests/mods.pp": "0085911ba562b7e56ad8d793099c9240", - "tests/mods_custom.pp": "9afd068edce0538b5c55a3bc19f9c24a", - "tests/php.pp": "60e7939034d531dd6b95af35338bcbe7", - "tests/vhost.pp": "e505171a071ff2454a27696e4fac7375", - "tests/vhost_directories.pp": "b4e6b5a596e5bae122233652b9a33e32", - "tests/vhost_ip_based.pp": "7d9f7b6976de7488ab6ff0a6e647fc73", - "tests/vhost_proxypass.pp": "59b87f88943aa809578288e26b41aade", - "tests/vhost_ssl.pp": "9f3716bc15a9a6760f1d6cc3bf8ce8ac", - "tests/vhosts_without_listen.pp": "a6692104056a56517b4365bcc816e7f4" + "templates/vhost/_wsgi.erb": "8ae86dff3014767479a71441b0e6536e" } \ No newline at end of file
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/examples/apache.pp Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,6 @@ +include ::apache +include ::apache::mod::php +include ::apache::mod::cgi +include ::apache::mod::userdir +include ::apache::mod::disk_cache +include ::apache::mod::proxy_http
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/examples/dev.pp Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,1 @@ +include ::apache::mod::dev
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/examples/init.pp Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,1 @@ +include ::apache
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/examples/mod_load_params.pp Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,11 @@ +# Tests the path and identifier parameters for the apache::mod class + +# Base class for clarity: +class { '::apache': } + + +# Exaple parameter usage: +apache::mod { 'testmod': + path => '/usr/some/path/mod_testmod.so', + id => 'testmod_custom_name', +}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/examples/mods.pp Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,9 @@ +## Default mods + +# Base class. Declares default vhost on port 80 and default ssl +# vhost on port 443 listening on all interfaces and serving +# $apache::docroot, and declaring our default set of modules. +class { '::apache': + default_mods => true, +} +
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/examples/mods_custom.pp Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,16 @@ +## custom mods + +# Base class. Declares default vhost on port 80 and default ssl +# vhost on port 443 listening on all interfaces and serving +# $apache::docroot, and declaring a custom set of modules. +class { '::apache': + default_mods => [ + 'info', + 'alias', + 'mime', + 'env', + 'setenv', + 'expires', + ], +} +
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/examples/php.pp Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,4 @@ +class { '::apache': + mpm_module => 'prefork', +} +include ::apache::mod::php
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/examples/vhost.pp Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,261 @@ +## Default vhosts, and custom vhosts +# NB: Please see the other vhost_*.pp example files for further +# examples. + +# Base class. Declares default vhost on port 80 and default ssl +# vhost on port 443 listening on all interfaces and serving +# $apache::docroot +class { '::apache': } + +# Most basic vhost +apache::vhost { 'first.example.com': + port => '80', + docroot => '/var/www/first', +} + +# Vhost with different docroot owner/group/mode +apache::vhost { 'second.example.com': + port => '80', + docroot => '/var/www/second', + docroot_owner => 'third', + docroot_group => 'third', + docroot_mode => '0770', +} + +# Vhost with serveradmin +apache::vhost { 'third.example.com': + port => '80', + docroot => '/var/www/third', + serveradmin => 'admin@example.com', +} + +# Vhost with ssl (uses default ssl certs) +apache::vhost { 'ssl.example.com': + port => '443', + docroot => '/var/www/ssl', + ssl => true, +} + +# Vhost with ssl and specific ssl certs +apache::vhost { 'fourth.example.com': + port => '443', + docroot => '/var/www/fourth', + ssl => true, + ssl_cert => '/etc/ssl/fourth.example.com.cert', + ssl_key => '/etc/ssl/fourth.example.com.key', +} + +# Vhost with english title and servername parameter +apache::vhost { 'The fifth vhost': + servername => 'fifth.example.com', + port => '80', + docroot => '/var/www/fifth', +} + +# Vhost with server aliases +apache::vhost { 'sixth.example.com': + serveraliases => [ + 'sixth.example.org', + 'sixth.example.net', + ], + port => '80', + docroot => '/var/www/fifth', +} + +# Vhost with alternate options +apache::vhost { 'seventh.example.com': + port => '80', + docroot => '/var/www/seventh', + options => [ + 'Indexes', + 'MultiViews', + ], +} + +# Vhost with AllowOverride for .htaccess +apache::vhost { 'eighth.example.com': + port => '80', + docroot => '/var/www/eighth', + override => 'All', +} + +# Vhost with access and error logs disabled +apache::vhost { 'ninth.example.com': + port => '80', + docroot => '/var/www/ninth', + access_log => false, + error_log => false, +} + +# Vhost with custom access and error logs and logroot +apache::vhost { 'tenth.example.com': + port => '80', + docroot => '/var/www/tenth', + access_log_file => 'tenth_vhost.log', + error_log_file => 'tenth_vhost_error.log', + logroot => '/var/log', +} + +# Vhost with a cgi-bin +apache::vhost { 'eleventh.example.com': + port => '80', + docroot => '/var/www/eleventh', + scriptalias => '/usr/lib/cgi-bin', +} + +# Vhost with a proxypass configuration +apache::vhost { 'twelfth.example.com': + port => '80', + docroot => '/var/www/twelfth', + proxy_dest => 'http://internal.example.com:8080/twelfth', + no_proxy_uris => ['/login','/logout'], +} + +# Vhost to redirect /login and /logout +apache::vhost { 'thirteenth.example.com': + port => '80', + docroot => '/var/www/thirteenth', + redirect_source => [ + '/login', + '/logout', + ], + redirect_dest => [ + 'http://10.0.0.10/login', + 'http://10.0.0.10/logout', + ], +} + +# Vhost to permamently redirect +apache::vhost { 'fourteenth.example.com': + port => '80', + docroot => '/var/www/fourteenth', + redirect_source => '/blog', + redirect_dest => 'http://blog.example.com', + redirect_status => 'permanent', +} + +# Vhost with a rack configuration +apache::vhost { 'fifteenth.example.com': + port => '80', + docroot => '/var/www/fifteenth', + rack_base_uris => ['/rackapp1', '/rackapp2'], +} + + +# Vhost to redirect non-ssl to ssl +apache::vhost { 'sixteenth.example.com non-ssl': + servername => 'sixteenth.example.com', + port => '80', + docroot => '/var/www/sixteenth', + rewrites => [ + { + comment => 'redirect non-SSL traffic to SSL site', + rewrite_cond => ['%{HTTPS} off'], + rewrite_rule => ['(.*) https://%{HTTP_HOST}%{REQUEST_URI}'], + } + ], +} + +# Rewrite a URL to lower case +apache::vhost { 'sixteenth.example.com non-ssl': + servername => 'sixteenth.example.com', + port => '80', + docroot => '/var/www/sixteenth', + rewrites => [ + { comment => 'Rewrite to lower case', + rewrite_cond => ['%{REQUEST_URI} [A-Z]'], + rewrite_map => ['lc int:tolower'], + rewrite_rule => ['(.*) ${lc:$1} [R=301,L]'], + } + ], +} + +apache::vhost { 'sixteenth.example.com ssl': + servername => 'sixteenth.example.com', + port => '443', + docroot => '/var/www/sixteenth', + ssl => true, +} + +# Vhost to redirect non-ssl to ssl using old rewrite method +apache::vhost { 'sixteenth.example.com non-ssl old rewrite': + servername => 'sixteenth.example.com', + port => '80', + docroot => '/var/www/sixteenth', + rewrite_cond => '%{HTTPS} off', + rewrite_rule => '(.*) https://%{HTTP_HOST}%{REQUEST_URI}', +} +apache::vhost { 'sixteenth.example.com ssl old rewrite': + servername => 'sixteenth.example.com', + port => '443', + docroot => '/var/www/sixteenth', + ssl => true, +} + +# Vhost to block repository files +apache::vhost { 'seventeenth.example.com': + port => '80', + docroot => '/var/www/seventeenth', + block => 'scm', +} + +# Vhost with special environment variables +apache::vhost { 'eighteenth.example.com': + port => '80', + docroot => '/var/www/eighteenth', + setenv => ['SPECIAL_PATH /foo/bin','KILROY was_here'], +} + +apache::vhost { 'nineteenth.example.com': + port => '80', + docroot => '/var/www/nineteenth', + setenvif => 'Host "^([^\.]*)\.website\.com$" CLIENT_NAME=$1', +} + +# Vhost with additional include files +apache::vhost { 'twentyieth.example.com': + port => '80', + docroot => '/var/www/twelfth', + additional_includes => ['/tmp/proxy_group_a','/tmp/proxy_group_b'], +} + +# Vhost with alias for subdomain mapped to same named directory +# http://example.com.loc => /var/www/example.com +apache::vhost { 'subdomain.loc': + vhost_name => '*', + port => '80', + virtual_docroot => '/var/www/%-2+', + docroot => '/var/www', + serveraliases => ['*.loc',], +} + +# Vhost with SSLProtocol,SSLCipherSuite, SSLHonorCipherOrder +apache::vhost { 'securedomain.com': + priority => '10', + vhost_name => 'www.securedomain.com', + port => '443', + docroot => '/var/www/secure', + ssl => true, + ssl_cert => '/etc/ssl/securedomain.cert', + ssl_key => '/etc/ssl/securedomain.key', + ssl_chain => '/etc/ssl/securedomain.crt', + ssl_protocol => '-ALL +TLSv1', + ssl_cipher => 'ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM', + ssl_honorcipherorder => 'On', + add_listen => false, +} + +# Vhost with access log environment variables writing control +apache::vhost { 'twentyfirst.example.com': + port => '80', + docroot => '/var/www/twentyfirst', + access_log_env_var => 'admin', +} + +# Vhost with a passenger_base configuration +apache::vhost { 'twentysecond.example.com': + port => '80', + docroot => '/var/www/twentysecond', + rack_base_uris => ['/passengerapp1', '/passengerapp2'], +} +
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/examples/vhost_directories.pp Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,44 @@ +# Base class. Declares default vhost on port 80 and default ssl +# vhost on port 443 listening on all interfaces and serving +# $apache::docroot +class { '::apache': } + +# Example from README adapted. +apache::vhost { 'readme.example.net': + docroot => '/var/www/readme', + directories => [ + { + 'path' => '/var/www/readme', + 'ServerTokens' => 'prod' , + }, + { + 'path' => '/usr/share/empty', + 'allow' => 'from all', + }, + ], +} + +# location test +apache::vhost { 'location.example.net': + docroot => '/var/www/location', + directories => [ + { + 'path' => '/location', + 'provider' => 'location', + 'ServerTokens' => 'prod' + }, + ], +} + +# files test, curedly disable access to accidental backup files. +apache::vhost { 'files.example.net': + docroot => '/var/www/files', + directories => [ + { + 'path' => '(\.swp|\.bak|~)$', + 'provider' => 'filesmatch', + 'deny' => 'from all' + }, + ], +} +
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/examples/vhost_filter.pp Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,17 @@ +# Base class. Declares default vhost on port 80 with filters. +class { '::apache': } + +# Example from README adapted. +apache::vhost { 'readme.example.net': + docroot => '/var/www/html', + filters => [ + 'FilterDeclare COMPRESS', + 'FilterProvider COMPRESS DEFLATE resp=Content-Type $text/html', + 'FilterProvider COMPRESS DEFLATE resp=Content-Type $text/css', + 'FilterProvider COMPRESS DEFLATE resp=Content-Type $text/plain', + 'FilterProvider COMPRESS DEFLATE resp=Content-Type $text/xml', + 'FilterChain COMPRESS', + 'FilterProtocol COMPRESS DEFLATE change=yes;byteranges=no', + ], +} +
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/examples/vhost_ip_based.pp Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,25 @@ +## IP-based vhosts on any listen port +# IP-based vhosts respond to requests on specific IP addresses. + +# Base class. Turn off the default vhosts; we will be declaring +# all vhosts below. +class { '::apache': + default_vhost => false, +} + +# Listen on port 80 and 81; required because the following vhosts +# are not declared with a port parameter. +apache::listen { '80': } +apache::listen { '81': } + +# IP-based vhosts +apache::vhost { 'first.example.com': + ip => '10.0.0.10', + docroot => '/var/www/first', + ip_based => true, +} +apache::vhost { 'second.example.com': + ip => '10.0.0.11', + docroot => '/var/www/second', + ip_based => true, +}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/examples/vhost_proxypass.pp Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,66 @@ +## vhost with proxyPass directive +# NB: Please see the other vhost_*.pp example files for further +# examples. + +# Base class. Declares default vhost on port 80 and default ssl +# vhost on port 443 listening on all interfaces and serving +# $apache::docroot +class { '::apache': } + +# Most basic vhost with proxy_pass +apache::vhost { 'first.example.com': + port => 80, + docroot => '/var/www/first', + proxy_pass => [ + { + 'path' => '/first', + 'url' => 'http://localhost:8080/first' + }, + ], +} + +# vhost with proxy_pass and parameters +apache::vhost { 'second.example.com': + port => 80, + docroot => '/var/www/second', + proxy_pass => [ + { + 'path' => '/second', + 'url' => 'http://localhost:8080/second', + 'params' => { + 'retry' => '0', + 'timeout' => '5', + } + }, + ], +} + +# vhost with proxy_pass and keywords +apache::vhost { 'third.example.com': + port => 80, + docroot => '/var/www/third', + proxy_pass => [ + { + 'path' => '/third', + 'url' => 'http://localhost:8080/third', + 'keywords' => ['noquery', 'interpolate'] + }, + ], +} + +# vhost with proxy_pass, parameters and keywords +apache::vhost { 'fourth.example.com': + port => 80, + docroot => '/var/www/fourth', + proxy_pass => [ + { + 'path' => '/fourth', + 'url' => 'http://localhost:8080/fourth', + 'params' => { + 'retry' => '0', + 'timeout' => '5', + }, + 'keywords' => ['noquery', 'interpolate'] + }, + ], +}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/examples/vhost_ssl.pp Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,23 @@ +## SSL-enabled vhosts +# SSL-enabled vhosts respond only to HTTPS queries. + +# Base class. Turn off the default vhosts; we will be declaring +# all vhosts below. +class { '::apache': + default_vhost => false, +} + +# Non-ssl vhost +apache::vhost { 'first.example.com non-ssl': + servername => 'first.example.com', + port => '80', + docroot => '/var/www/first', +} + +# SSL vhost at the same domain +apache::vhost { 'first.example.com ssl': + servername => 'first.example.com', + port => '443', + docroot => '/var/www/first', + ssl => true, +}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/examples/vhosts_without_listen.pp Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,53 @@ +## Declare ip-based and name-based vhosts +# Mixing Name-based vhost with IP-specific vhosts requires `add_listen => +# 'false'` on the non-IP vhosts + +# Base class. Turn off the default vhosts; we will be declaring +# all vhosts below. +class { '::apache': + default_vhost => false, +} + + +# Add two an IP-based vhost on 10.0.0.10, ssl and non-ssl +apache::vhost { 'The first IP-based vhost, non-ssl': + servername => 'first.example.com', + ip => '10.0.0.10', + port => '80', + ip_based => true, + docroot => '/var/www/first', +} +apache::vhost { 'The first IP-based vhost, ssl': + servername => 'first.example.com', + ip => '10.0.0.10', + port => '443', + ip_based => true, + docroot => '/var/www/first-ssl', + ssl => true, +} + +# Two name-based vhost listening on 10.0.0.20 +apache::vhost { 'second.example.com': + ip => '10.0.0.20', + port => '80', + docroot => '/var/www/second', +} +apache::vhost { 'third.example.com': + ip => '10.0.0.20', + port => '80', + docroot => '/var/www/third', +} + +# Two name-based vhosts without IPs specified, so that they will answer on either 10.0.0.10 or 10.0.0.20 . It is requried to declare +# `add_listen => 'false'` to disable declaring "Listen 80" which will conflict +# with the IP-based preceeding vhosts. +apache::vhost { 'fourth.example.com': + port => '80', + docroot => '/var/www/fourth', + add_listen => false, +} +apache::vhost { 'fifth.example.com': + port => '80', + docroot => '/var/www/fifth', + add_listen => false, +}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/lib/facter/apache_version.rb Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,13 @@ +Facter.add(:apache_version) do + setcode do + if Facter::Util::Resolution.which('apachectl') + apache_version = Facter::Util::Resolution.exec('apachectl -v 2>&1') + Facter.debug "Matching apachectl '#{apache_version}'" + %r{^Server version: Apache\/(\d+.\d+(.\d+)?)}.match(apache_version)[1] + elsif Facter::Util::Resolution.which('apache2ctl') + apache_version = Facter::Util::Resolution.exec('apache2ctl -v 2>&1') + Facter.debug "Matching apache2ctl '#{apache_version}'" + %r{^Server version: Apache\/(\d+.\d+(.\d+)?)}.match(apache_version)[1] + end + end +end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/lib/puppet/parser/functions/enclose_ipv6.rb Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,45 @@ +# +# enclose_ipv6.rb +# + +module Puppet::Parser::Functions + newfunction(:enclose_ipv6, :type => :rvalue, :doc => <<-EOS +Takes an array of ip addresses and encloses the ipv6 addresses with square brackets. + EOS + ) do |arguments| + + require 'ipaddr' + + rescuable_exceptions = [ ArgumentError ] + if defined?(IPAddr::InvalidAddressError) + rescuable_exceptions << IPAddr::InvalidAddressError + end + + if (arguments.size != 1) then + raise(Puppet::ParseError, "enclose_ipv6(): Wrong number of arguments "+ + "given #{arguments.size} for 1") + end + unless arguments[0].is_a?(String) or arguments[0].is_a?(Array) then + raise(Puppet::ParseError, "enclose_ipv6(): Wrong argument type "+ + "given #{arguments[0].class} expected String or Array") + end + + input = [arguments[0]].flatten.compact + result = [] + + input.each do |val| + unless val == '*' + begin + ip = IPAddr.new(val) + rescue *rescuable_exceptions + raise(Puppet::ParseError, "enclose_ipv6(): Wrong argument "+ + "given #{val} is not an ip address.") + end + val = "[#{ip.to_s}]" if ip.ipv6? + end + result << val + end + + return result.uniq + end +end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/lib/puppet/parser/functions/validate_apache_log_level.rb Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,27 @@ +module Puppet::Parser::Functions + newfunction(:validate_apache_log_level, :doc => <<-'ENDHEREDOC') do |args| + Perform simple validation of a string against the list of known log + levels as per http://httpd.apache.org/docs/current/mod/core.html#loglevel + validate_apache_loglevel('info') + + Modules maybe specified with their own levels like these: + validate_apache_loglevel('warn ssl:info') + validate_apache_loglevel('warn mod_ssl.c:info') + validate_apache_loglevel('warn ssl_module:info') + + Expected to be used from the main or vhost. + + Might be used from directory too later as apaceh supports that + + ENDHEREDOC + if (args.size != 1) then + raise Puppet::ParseError, ("validate_apache_loglevel(): wrong number of arguments (#{args.length}; must be 1)") + end + + log_level = args[0] + msg = "Log level '${log_level}' is not one of the supported Apache HTTP Server log levels." + + raise Puppet::ParseError, (msg) unless log_level =~ Regexp.compile('(emerg|alert|crit|error|warn|notice|info|debug|trace[1-8])') + + end +end
--- a/modules/apache/manifests/balancer.pp Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/manifests/balancer.pp Sun Dec 29 11:00:05 2019 -0500 @@ -23,6 +23,10 @@ # Hash, default empty. If given, each key-value pair will be used as a ProxySet # line in the configuration. # +# [*target*] +# String, default undef. If given, path to the file the balancer definition will +# be written. +# # [*collect_exported*] # Boolean, default 'true'. True means 'collect exported @@balancermember # resources' (for the case when every balancermember node exports itself), @@ -41,21 +45,34 @@ define apache::balancer ( $proxy_set = {}, $collect_exported = true, + $target = undef, ) { include ::apache::mod::proxy_balancer - $target = "${::apache::params::confd_dir}/balancer_${name}.conf" + if versioncmp($apache::mod::proxy_balancer::apache_version, '2.4') >= 0 { + $lbmethod = $proxy_set['lbmethod'] ? { + undef => 'byrequests', + default => $proxy_set['lbmethod'], + } + ensure_resource('apache::mod', "lbmethod_${lbmethod}") + } - concat { $target: + if $target { + $_target = $target + } else { + $_target = "${::apache::confd_dir}/balancer_${name}.conf" + } + + concat { "apache_balancer_${name}": owner => '0', group => '0', - mode => '0644', - notify => Service['httpd'], + path => $_target, + mode => $::apache::file_mode, + notify => Class['Apache::Service'], } concat::fragment { "00-${name}-header": - ensure => present, - target => $target, + target => "apache_balancer_${name}", order => '01', content => "<Proxy balancer://${name}>\n", } @@ -67,15 +84,13 @@ # concat fragments. We don't have to do anything about them. concat::fragment { "01-${name}-proxyset": - ensure => present, - target => $target, + target => "apache_balancer_${name}", order => '19', content => inline_template("<% @proxy_set.keys.sort.each do |key| %> Proxyset <%= key %>=<%= @proxy_set[key] %>\n<% end %>"), } concat::fragment { "01-${name}-footer": - ensure => present, - target => $target, + target => "apache_balancer_${name}", order => '20', content => "</Proxy>\n", }
--- a/modules/apache/manifests/balancermember.pp Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/manifests/balancermember.pp Sun Dec 29 11:00:05 2019 -0500 @@ -46,8 +46,7 @@ ) { concat::fragment { "BalancerMember ${name}": - ensure => present, - target => "${::apache::params::confd_dir}/balancer_${balancer_cluster}.conf", + target => "apache_balancer_${balancer_cluster}", content => inline_template(" BalancerMember ${url} <%= @options.join ' ' %>\n"), } }
--- a/modules/apache/manifests/custom_config.pp Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/manifests/custom_config.pp Sun Dec 29 11:00:05 2019 -0500 @@ -7,6 +7,7 @@ $source = undef, $verify_command = $::apache::params::verify_command, $verify_config = true, + $filename = undef, ) { if $content and $source { @@ -23,25 +24,29 @@ validate_bool($verify_config) - if $priority { - $priority_prefix = "${priority}-" + if $filename { + $_filename = $filename } else { - $priority_prefix = '' + if $priority { + $priority_prefix = "${priority}-" + } else { + $priority_prefix = '' + } + + ## Apache include does not always work with spaces in the filename + $filename_middle = regsubst($name, ' ', '_', 'G') + $_filename = "${priority_prefix}${filename_middle}.conf" } - ## Apache include does not always work with spaces in the filename - $filename_middle = regsubst($name, ' ', '_', 'G') - $filename = "${priority_prefix}${filename_middle}.conf" - if ! $verify_config or $ensure == 'absent' { - $notifies = Service['httpd'] + $notifies = Class['Apache::Service'] } else { $notifies = undef } file { "apache_${name}": ensure => $ensure, - path => "${confdir}/${filename}", + path => "${confdir}/${_filename}", content => $content, source => $source, require => Package['httpd'], @@ -49,16 +54,17 @@ } if $ensure == 'present' and $verify_config { - exec { "service notify for ${name}": + exec { "syntax verification for ${name}": command => $verify_command, subscribe => File["apache_${name}"], refreshonly => true, - notify => Service['httpd'], + notify => Class['Apache::Service'], before => Exec["remove ${name} if invalid"], + require => Anchor['::apache::modules_set_up'], } exec { "remove ${name} if invalid": - command => "/bin/rm ${confdir}/${filename}", + command => "/bin/rm ${confdir}/${_filename}", unless => $verify_command, subscribe => File["apache_${name}"], refreshonly => true,
--- a/modules/apache/manifests/default_mods.pp Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/manifests/default_mods.pp Sun Dec 29 11:00:05 2019 -0500 @@ -1,7 +1,8 @@ class apache::default_mods ( $all = true, $mods = undef, - $apache_version = $::apache::apache_version + $apache_version = $::apache::apache_version, + $use_systemd = $::apache::use_systemd, ) { # These are modules required to run the default configuration. # They are not configurable at this time, so we just include @@ -12,8 +13,10 @@ if versioncmp($apache_version, '2.4') >= 0 { # Lets fork it # Do not try to load mod_systemd on RHEL/CentOS 6 SCL. - if ( !($::osfamily == 'redhat' and versioncmp($::operatingsystemrelease, '7.0') == -1) and !($::operatingsystem == 'Amazon' and versioncmp($::operatingsystemrelease, '2014.09') <= 0 ) ) { - ::apache::mod { 'systemd': } + if ( !($::osfamily == 'redhat' and versioncmp($::operatingsystemrelease, '7.0') == -1) and !($::operatingsystem == 'Amazon') ) { + if ($use_systemd) { + ::apache::mod { 'systemd': } + } } ::apache::mod { 'unixd': } } @@ -22,22 +25,32 @@ ::apache::mod { 'log_config': } ::apache::mod { 'unixd': } } + 'Suse': { + ::apache::mod { 'log_config': } + } default: {} } - ::apache::mod { 'authz_host': } - + case $::osfamily { + 'gentoo': {} + default: { + ::apache::mod { 'authz_host': } + } + } # The rest of the modules only get loaded if we want all modules enabled if $all { case $::osfamily { 'debian': { + include ::apache::mod::authn_core include ::apache::mod::reqtimeout - if versioncmp($apache_version, '2.4') >= 0 { - ::apache::mod { 'authn_core': } + if versioncmp($apache_version, '2.4') < 0 { + ::apache::mod { 'authn_alias': } } } 'redhat': { include ::apache::mod::actions + include ::apache::mod::authn_core include ::apache::mod::cache + include ::apache::mod::ext_filter include ::apache::mod::mime include ::apache::mod::mime_magic include ::apache::mod::rewrite @@ -51,22 +64,19 @@ ::apache::mod { 'authz_dbm': } ::apache::mod { 'authz_owner': } ::apache::mod { 'expires': } - ::apache::mod { 'ext_filter': } ::apache::mod { 'include': } ::apache::mod { 'logio': } ::apache::mod { 'substitute': } ::apache::mod { 'usertrack': } - if versioncmp($apache_version, '2.4') >= 0 { - ::apache::mod { 'authn_core': } - } - else { + if versioncmp($apache_version, '2.4') < 0 { ::apache::mod { 'authn_alias': } ::apache::mod { 'authn_default': } } } 'freebsd': { include ::apache::mod::actions + include ::apache::mod::authn_core include ::apache::mod::cache include ::apache::mod::disk_cache include ::apache::mod::headers @@ -84,7 +94,6 @@ ::apache::mod { 'auth_digest': } ::apache::mod { 'auth_form': } ::apache::mod { 'authn_anon': } - ::apache::mod { 'authn_core': } ::apache::mod { 'authn_dbm': } ::apache::mod { 'authn_socache': } ::apache::mod { 'authz_dbd': } @@ -114,6 +123,7 @@ } } include ::apache::mod::alias + include ::apache::mod::authn_file include ::apache::mod::autoindex include ::apache::mod::dav include ::apache::mod::dav_fs @@ -123,7 +133,6 @@ include ::apache::mod::negotiation include ::apache::mod::setenvif ::apache::mod { 'auth_basic': } - ::apache::mod { 'authn_file': } if versioncmp($apache_version, '2.4') >= 0 { # filter is needed by mod_deflate @@ -137,12 +146,13 @@ # lots of stuff seems to break without access_compat ::apache::mod { 'access_compat': } } else { - ::apache::mod { 'authz_default': } + include ::apache::mod::authz_default } + include ::apache::mod::authz_user + ::apache::mod { 'authz_groupfile': } - ::apache::mod { 'authz_user': } - ::apache::mod { 'env': } + include ::apache::mod::env } elsif $mods { ::apache::default_mods::load { $mods: } @@ -153,7 +163,7 @@ } # filter is needed by mod_deflate - ::apache::mod { 'filter': } + include ::apache::mod::filter } } else { if versioncmp($apache_version, '2.4') >= 0 { @@ -163,7 +173,7 @@ } # filter is needed by mod_deflate - ::apache::mod { 'filter': } + include ::apache::mod::filter } } }
--- a/modules/apache/manifests/dev.pp Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/manifests/dev.pp Sun Dec 29 11:00:05 2019 -0500 @@ -1,11 +1,14 @@ class apache::dev { - if $::osfamily == 'FreeBSD' and !defined(Class['apache::package']) { - fail('apache::dev requires apache::package; please include apache or apache::package class first') + + if ! defined(Class['apache']) { + fail('You must include the apache base class before using any apache defined resources') } - include ::apache::params - $packages = $::apache::params::dev_packages - package { $packages: - ensure => present, - require => Package['httpd'], + + $packages = $::apache::dev_packages + if $packages { # FreeBSD doesn't have dev packages to install + package { $packages: + ensure => present, + require => Package['httpd'], + } } }
--- a/modules/apache/manifests/fastcgi/server.pp Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/manifests/fastcgi/server.pp Sun Dec 29 11:00:05 2019 -0500 @@ -4,18 +4,23 @@ $flush = false, $faux_path = "/var/www/${name}.fcgi", $fcgi_alias = "/${name}.fcgi", - $file_type = 'application/x-httpd-php' + $file_type = 'application/x-httpd-php', + $pass_header = undef, ) { - include apache::mod::fastcgi + include ::apache::mod::fastcgi Apache::Mod['fastcgi'] -> Apache::Fastcgi::Server[$title] + if is_absolute_path($host) { + $socket = $host + } + file { "fastcgi-pool-${name}.conf": ensure => present, path => "${::apache::confd_dir}/fastcgi-pool-${name}.conf", owner => 'root', group => $::apache::params::root_group, - mode => '0644', + mode => $::apache::file_mode, content => template('apache/fastcgi/server.erb'), require => Exec["mkdir ${::apache::confd_dir}"], before => File[$::apache::confd_dir],
--- a/modules/apache/manifests/init.pp Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/manifests/init.pp Sun Dec 29 11:00:05 2019 -0500 @@ -17,6 +17,7 @@ $service_name = $::apache::params::service_name, $default_mods = true, $default_vhost = true, + $default_charset = undef, $default_confd_files = true, $default_ssl_vhost = false, $default_ssl_cert = $::apache::params::default_ssl_cert, @@ -26,10 +27,13 @@ $default_ssl_crl_path = undef, $default_ssl_crl = undef, $default_ssl_crl_check = undef, + $default_type = 'none', + $dev_packages = $::apache::params::dev_packages, $ip = undef, $service_enable = true, $service_manage = true, $service_ensure = 'running', + $service_restart = undef, $purge_configs = true, $purge_vhost_dir = undef, $purge_vdir = false, @@ -43,22 +47,28 @@ $confd_dir = $::apache::params::confd_dir, $vhost_dir = $::apache::params::vhost_dir, $vhost_enable_dir = $::apache::params::vhost_enable_dir, + $vhost_include_pattern = $::apache::params::vhost_include_pattern, $mod_dir = $::apache::params::mod_dir, $mod_enable_dir = $::apache::params::mod_enable_dir, $mpm_module = $::apache::params::mpm_module, + $lib_path = $::apache::params::lib_path, $conf_template = $::apache::params::conf_template, $servername = $::apache::params::servername, + $pidfile = $::apache::params::pidfile, + $rewrite_lock = undef, $manage_user = true, $manage_group = true, $user = $::apache::params::user, $group = $::apache::params::group, $keepalive = $::apache::params::keepalive, $keepalive_timeout = $::apache::params::keepalive_timeout, - $max_keepalive_requests = $apache::params::max_keepalive_requests, + $max_keepalive_requests = $::apache::params::max_keepalive_requests, + $limitreqfieldsize = '8190', $logroot = $::apache::params::logroot, $logroot_mode = $::apache::params::logroot_mode, $log_level = $::apache::params::log_level, $log_formats = {}, + $ssl_file = $::apache::params::ssl_file, $ports_file = $::apache::params::ports_file, $docroot = $::apache::params::docroot, $apache_version = $::apache::version::default, @@ -68,6 +78,14 @@ $allow_encoded_slashes = undef, $package_ensure = 'installed', $use_optional_includes = $::apache::params::use_optional_includes, + $use_systemd = $::apache::params::use_systemd, + $mime_types_additional = $::apache::params::mime_types_additional, + $file_mode = $::apache::params::file_mode, + $root_directory_options = $::apache::params::root_directory_options, + $root_directory_secured = false, + $error_log = $::apache::params::error_log, + $scriptalias = $::apache::params::scriptalias, + $access_log_file = $::apache::params::access_log_file, ) inherits ::apache::params { validate_bool($default_vhost) validate_bool($default_ssl_vhost) @@ -76,13 +94,14 @@ validate_bool($service_enable) validate_bool($service_manage) validate_bool($use_optional_includes) + validate_bool($root_directory_secured) $valid_mpms_re = $apache_version ? { '2.4' => '(event|itk|peruser|prefork|worker)', default => '(event|itk|prefork|worker)' } - if $mpm_module { + if $mpm_module and $mpm_module != 'false' { # lint:ignore:quoted_booleans validate_re($mpm_module, $valid_mpms_re) } @@ -118,20 +137,18 @@ if $manage_group { group { $group: ensure => present, - require => Package['httpd'] + require => Package['httpd'], } } - $valid_log_level_re = '(emerg|alert|crit|error|warn|notice|info|debug)' - - validate_re($log_level, $valid_log_level_re, - "Log level '${log_level}' is not one of the supported Apache HTTP Server log levels.") + validate_apache_log_level($log_level) class { '::apache::service': - service_name => $service_name, - service_enable => $service_enable, - service_manage => $service_manage, - service_ensure => $service_ensure, + service_name => $service_name, + service_enable => $service_enable, + service_manage => $service_manage, + service_ensure => $service_ensure, + service_restart => $service_restart, } # Deprecated backwards-compatibility @@ -161,6 +178,7 @@ ensure => directory, recurse => true, purge => $purge_confd, + force => $purge_confd, notify => Class['Apache::Service'], require => Package['httpd'], } @@ -178,6 +196,7 @@ purge => $purge_mod_dir, notify => Class['Apache::Service'], require => Package['httpd'], + before => Anchor['::apache::modules_set_up'], } } @@ -230,40 +249,45 @@ } concat { $ports_file: + ensure => present, owner => 'root', group => $::apache::params::root_group, - mode => '0644', + mode => $::apache::file_mode, notify => Class['Apache::Service'], require => Package['httpd'], } concat::fragment { 'Apache ports header': - ensure => present, target => $ports_file, - content => template('apache/ports_header.erb') + content => template('apache/ports_header.erb'), } if $::apache::conf_dir and $::apache::params::conf_file { - case $::osfamily { - 'debian': { - $pidfile = "\${APACHE_PID_FILE}" - $error_log = 'error.log' - $scriptalias = '/usr/lib/cgi-bin' - $access_log_file = 'access.log' + if $::osfamily == 'gentoo' { + $error_documents_path = '/usr/share/apache2/error' + if is_array($default_mods) { + if versioncmp($apache_version, '2.4') >= 0 { + if defined('apache::mod::ssl') { + ::portage::makeconf { 'apache2_modules': + content => concat($default_mods, [ 'authz_core', 'socache_shmcb' ]), + } + } else { + ::portage::makeconf { 'apache2_modules': + content => concat($default_mods, 'authz_core'), + } + } + } else { + ::portage::makeconf { 'apache2_modules': + content => $default_mods, + } + } } - 'redhat': { - $pidfile = 'run/httpd.pid' - $error_log = 'error_log' - $scriptalias = '/var/www/cgi-bin' - $access_log_file = 'access_log' - } - 'freebsd': { - $pidfile = '/var/run/httpd.pid' - $error_log = 'httpd-error.log' - $scriptalias = '/usr/local/www/apache24/cgi-bin' - $access_log_file = 'httpd-access.log' - } - default: { - fail("Unsupported osfamily ${::osfamily}") + + file { [ + '/etc/apache2/modules.d/.keep_www-servers_apache-2', + '/etc/apache2/vhosts.d/.keep_www-servers_apache-2', + ]: + ensure => absent, + require => Package['httpd'], } } @@ -272,6 +296,10 @@ default => false } + if $rewrite_lock { + validate_absolute_path($rewrite_lock) + } + # Template uses: # - $pidfile # - $user @@ -293,11 +321,13 @@ # - $server_tokens # - $server_signature # - $trace_enable + # - $rewrite_lock + # - $root_directory_secured file { "${::apache::conf_dir}/${::apache::params::conf_file}": ensure => file, content => template($conf_template), notify => Class['Apache::Service'], - require => Package['httpd'], + require => [Package['httpd'], Concat[$ports_file]], } # preserve back-wards compatibility to the times when default_mods was @@ -313,10 +343,10 @@ } } class { '::apache::default_confd_files': - all => $default_confd_files + all => $default_confd_files, } - if $mpm_module { - class { "::apache::mod::${mpm_module}": } + if $mpm_module and $mpm_module != 'false' { # lint:ignore:quoted_booleans + include "::apache::mod::${mpm_module}" } $default_vhost_ensure = $default_vhost ? { @@ -330,7 +360,7 @@ ::apache::vhost { 'default': ensure => $default_vhost_ensure, - port => 80, + port => '80', docroot => $docroot, scriptalias => $scriptalias, serveradmin => $serveradmin, @@ -338,6 +368,7 @@ priority => '15', ip => $ip, logroot_mode => $logroot_mode, + manage_docroot => $default_vhost, } $ssl_access_log_file = $::osfamily ? { 'freebsd' => $access_log_file, @@ -345,7 +376,7 @@ } ::apache::vhost { 'default-ssl': ensure => $default_ssl_vhost_ensure, - port => 443, + port => '443', ssl => true, docroot => $docroot, scriptalias => $scriptalias, @@ -354,6 +385,11 @@ priority => '15', ip => $ip, logroot_mode => $logroot_mode, + manage_docroot => $default_ssl_vhost, } } + + # This anchor can be used as a reference point for things that need to happen *after* + # all modules have been put in place. + anchor { '::apache::modules_set_up': } }
--- a/modules/apache/manifests/listen.pp Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/manifests/listen.pp Sun Dec 29 11:00:05 2019 -0500 @@ -3,7 +3,6 @@ # Template uses: $listen_addr_port concat::fragment { "Listen ${listen_addr_port}": - ensure => present, target => $::apache::ports_file, content => template('apache/listen.erb'), }
--- a/modules/apache/manifests/mod.pp Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/manifests/mod.pp Sun Dec 29 11:00:05 2019 -0500 @@ -2,7 +2,7 @@ $package = undef, $package_ensure = 'present', $lib = undef, - $lib_path = $::apache::params::lib_path, + $lib_path = $::apache::lib_path, $id = undef, $path = undef, $loadfile_name = undef, @@ -50,7 +50,12 @@ if $package { $_package = $package } elsif has_key($mod_packages, $mod) { # 2.6 compatibility hack - $_package = $mod_packages[$mod] + if ($::apache::apache_version == '2.4' and $::operatingsystem =~ /^[Aa]mazon$/) { + # On amazon linux we need to prefix our package name with mod24 instead of mod to support apache 2.4 + $_package = regsubst($mod_packages[$mod],'^(mod_)?(.*)','mod24_\2') + } else { + $_package = $mod_packages[$mod] + } } else { $_package = undef } @@ -64,7 +69,10 @@ File[$_loadfile_name], File["${::apache::conf_dir}/${::apache::params::conf_file}"] ], - default => File[$_loadfile_name], + default => [ + File[$_loadfile_name], + File[$::apache::confd_dir], + ], } # if there are any packages, they should be installed before the associated conf file Package[$_package] -> File<| title == "${mod}.conf" |> @@ -73,6 +81,7 @@ ensure => $package_ensure, require => Package['httpd'], before => $package_before, + notify => Class['apache::service'], } } @@ -81,7 +90,7 @@ path => "${mod_dir}/${_loadfile_name}", owner => 'root', group => $::apache::params::root_group, - mode => '0644', + mode => $::apache::file_mode, content => template('apache/mod/load.erb'), require => [ Package['httpd'], @@ -99,7 +108,7 @@ target => "${mod_dir}/${_loadfile_name}", owner => 'root', group => $::apache::params::root_group, - mode => '0644', + mode => $::apache::file_mode, require => [ File[$_loadfile_name], Exec["mkdir ${enable_dir}"], @@ -117,7 +126,42 @@ target => "${mod_dir}/${mod}.conf", owner => 'root', group => $::apache::params::root_group, - mode => '0644', + mode => $::apache::file_mode, + require => [ + File["${mod}.conf"], + Exec["mkdir ${enable_dir}"], + ], + before => File[$enable_dir], + notify => Class['apache::service'], + } + } + } elsif $::osfamily == 'Suse' { + $enable_dir = $::apache::mod_enable_dir + file{ "${_loadfile_name} symlink": + ensure => link, + path => "${enable_dir}/${_loadfile_name}", + target => "${mod_dir}/${_loadfile_name}", + owner => 'root', + group => $::apache::params::root_group, + mode => $::apache::file_mode, + require => [ + File[$_loadfile_name], + Exec["mkdir ${enable_dir}"], + ], + before => File[$enable_dir], + notify => Class['apache::service'], + } + # Each module may have a .conf file as well, which should be + # defined in the class apache::mod::module + # Some modules do not require this file. + if defined(File["${mod}.conf"]) { + file{ "${mod}.conf symlink": + ensure => link, + path => "${enable_dir}/${mod}.conf", + target => "${mod_dir}/${mod}.conf", + owner => 'root', + group => $::apache::params::root_group, + mode => $::apache::file_mode, require => [ File["${mod}.conf"], Exec["mkdir ${enable_dir}"], @@ -127,4 +171,6 @@ } } } + + Apache::Mod[$name] -> Anchor['::apache::modules_set_up'] }
--- a/modules/apache/manifests/mod/alias.pp Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/manifests/mod/alias.pp Sun Dec 29 11:00:05 2019 -0500 @@ -1,24 +1,23 @@ class apache::mod::alias( - $apache_version = $apache::apache_version -) { - $ver24 = versioncmp($apache_version, '2.4') >= 0 + $apache_version = undef, + $icons_options = 'Indexes MultiViews', + # set icons_path to false to disable the alias + $icons_path = $::apache::params::alias_icons_path, +) inherits ::apache::params { + include ::apache + $_apache_version = pick($apache_version, $apache::apache_version) + apache::mod { 'alias': } - $icons_path = $::osfamily ? { - 'debian' => '/usr/share/apache2/icons', - 'redhat' => $ver24 ? { - true => '/usr/share/httpd/icons', - default => '/var/www/icons', - }, - 'freebsd' => '/usr/local/www/apache24/icons', - } - apache::mod { 'alias': } - # Template uses $icons_path - file { 'alias.conf': - ensure => file, - path => "${::apache::mod_dir}/alias.conf", - content => template('apache/mod/alias.conf.erb'), - require => Exec["mkdir ${::apache::mod_dir}"], - before => File[$::apache::mod_dir], - notify => Class['apache::service'], + # Template uses $icons_path, $_apache_version + if $icons_path { + file { 'alias.conf': + ensure => file, + path => "${::apache::mod_dir}/alias.conf", + mode => $::apache::file_mode, + content => template('apache/mod/alias.conf.erb'), + require => Exec["mkdir ${::apache::mod_dir}"], + before => File[$::apache::mod_dir], + notify => Class['apache::service'], + } } }
--- a/modules/apache/manifests/mod/auth_cas.pp Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/manifests/mod/auth_cas.pp Sun Dec 29 11:00:05 2019 -0500 @@ -1,22 +1,29 @@ class apache::mod::auth_cas ( $cas_login_url, $cas_validate_url, - $cas_cookie_path = $::apache::params::cas_cookie_path, - $cas_version = 2, - $cas_debug = 'Off', - $cas_validate_depth = undef, - $cas_certificate_path = undef, - $cas_proxy_validate_url = undef, - $cas_root_proxied_as = undef, - $cas_cookie_entropy = undef, - $cas_timeout = undef, - $cas_idle_timeout = undef, - $cas_cache_clean_interval = undef, - $cas_cookie_domain = undef, - $cas_cookie_http_only = undef, - $cas_authoritative = undef, - $suppress_warning = false, -) { + $cas_cookie_path = $::apache::params::cas_cookie_path, + $cas_cookie_path_mode = '0750', + $cas_version = 2, + $cas_debug = 'Off', + $cas_validate_server = undef, + $cas_validate_depth = undef, + $cas_certificate_path = undef, + $cas_proxy_validate_url = undef, + $cas_root_proxied_as = undef, + $cas_cookie_entropy = undef, + $cas_timeout = undef, + $cas_idle_timeout = undef, + $cas_cache_clean_interval = undef, + $cas_cookie_domain = undef, + $cas_cookie_http_only = undef, + $cas_authoritative = undef, + $cas_validate_saml = undef, + $cas_sso_enabled = undef, + $cas_attribute_prefix = undef, + $cas_attribute_delimiter = undef, + $cas_scrub_request_headers = undef, + $suppress_warning = false, +) inherits ::apache::params { validate_string($cas_login_url, $cas_validate_url, $cas_cookie_path) @@ -24,12 +31,13 @@ warning('RedHat distributions do not have Apache mod_auth_cas in their default package repositories.') } + include ::apache ::apache::mod { 'auth_cas': } file { $cas_cookie_path: ensure => directory, before => File['auth_cas.conf'], - mode => '0750', + mode => $cas_cookie_path_mode, owner => $apache::user, group => $apache::group, } @@ -39,10 +47,11 @@ file { 'auth_cas.conf': ensure => file, path => "${::apache::mod_dir}/auth_cas.conf", + mode => $::apache::file_mode, content => template('apache/mod/auth_cas.conf.erb'), require => [ Exec["mkdir ${::apache::mod_dir}"], ], before => File[$::apache::mod_dir], - notify => Service['httpd'], + notify => Class['Apache::Service'], } }
--- a/modules/apache/manifests/mod/auth_kerb.pp Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/manifests/mod/auth_kerb.pp Sun Dec 29 11:00:05 2019 -0500 @@ -1,4 +1,6 @@ class apache::mod::auth_kerb { + include ::apache + include ::apache::mod::authn_core ::apache::mod { 'auth_kerb': } }
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/manifests/mod/auth_mellon.pp Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,26 @@ +class apache::mod::auth_mellon ( + $mellon_cache_size = $::apache::params::mellon_cache_size, + $mellon_lock_file = $::apache::params::mellon_lock_file, + $mellon_post_directory = $::apache::params::mellon_post_directory, + $mellon_cache_entry_size = undef, + $mellon_post_ttl = undef, + $mellon_post_size = undef, + $mellon_post_count = undef +) inherits ::apache::params { + + include ::apache + ::apache::mod { 'auth_mellon': } + + # Template uses + # - All variables beginning with mellon_ + file { 'auth_mellon.conf': + ensure => file, + path => "${::apache::mod_dir}/auth_mellon.conf", + mode => $::apache::file_mode, + content => template('apache/mod/auth_mellon.conf.erb'), + require => [ Exec["mkdir ${::apache::mod_dir}"], ], + before => File[$::apache::mod_dir], + notify => Class['Apache::Service'], + } + +}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/manifests/mod/authn_core.pp Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,7 @@ +class apache::mod::authn_core( + $apache_version = $::apache::apache_version +) { + if versioncmp($apache_version, '2.4') >= 0 { + ::apache::mod { 'authn_core': } + } +}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/manifests/mod/authn_dbd.pp Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,30 @@ +class apache::mod::authn_dbd ( + $authn_dbd_params, + $authn_dbd_dbdriver = 'mysql', + $authn_dbd_query = undef, + $authn_dbd_min = '4', + $authn_dbd_max = '20', + $authn_dbd_keep = '8', + $authn_dbd_exptime = '300', + $authn_dbd_alias = undef, +) inherits ::apache::params { + include ::apache + include ::apache::mod::dbd + ::apache::mod { 'authn_dbd': } + + if $authn_dbd_alias { + include ::apache::mod::authn_core + } + + # Template uses + # - All variables beginning with authn_dbd + file { 'authn_dbd.conf': + ensure => file, + path => "${::apache::mod_dir}/authn_dbd.conf", + mode => $::apache::file_mode, + content => template('apache/mod/authn_dbd.conf.erb'), + require => [ Exec["mkdir ${::apache::mod_dir}"], ], + before => File[$::apache::mod_dir], + notify => Class['Apache::Service'], + } +}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/manifests/mod/authn_file.pp Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,3 @@ +class apache::mod::authn_file { + ::apache::mod { 'authn_file': } +}
--- a/modules/apache/manifests/mod/authnz_ldap.pp Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/manifests/mod/authnz_ldap.pp Sun Dec 29 11:00:05 2019 -0500 @@ -1,19 +1,34 @@ +# lint:ignore:variable_is_lowercase required for compatibility class apache::mod::authnz_ldap ( - $verifyServerCert = true, + $verify_server_cert = true, + $verifyServerCert = undef, + $package_name = undef, ) { + include ::apache include '::apache::mod::ldap' - ::apache::mod { 'authnz_ldap': } + ::apache::mod { 'authnz_ldap': + package => $package_name, + } - validate_bool($verifyServerCert) + if $verifyServerCert { + warning('Class[\'apache::mod::authnz_ldap\'] parameter verifyServerCert is deprecated in favor of verify_server_cert') + $_verify_server_cert = $verifyServerCert + } else { + $_verify_server_cert = $verify_server_cert + } + + validate_bool($_verify_server_cert) # Template uses: - # - $verifyServerCert + # - $_verify_server_cert file { 'authnz_ldap.conf': ensure => file, path => "${::apache::mod_dir}/authnz_ldap.conf", + mode => $::apache::file_mode, content => template('apache/mod/authnz_ldap.conf.erb'), require => Exec["mkdir ${::apache::mod_dir}"], before => File[$::apache::mod_dir], notify => Class['apache::service'], } } +# lint:endignore
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/manifests/mod/authz_default.pp Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,9 @@ +class apache::mod::authz_default( + $apache_version = $::apache::apache_version +) { + if versioncmp($apache_version, '2.4') >= 0 { + warning('apache::mod::authz_default has been removed in Apache 2.4') + } else { + ::apache::mod { 'authz_default': } + } +}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/manifests/mod/authz_user.pp Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,3 @@ +class apache::mod::authz_user { + ::apache::mod { 'authz_user': } +}
--- a/modules/apache/manifests/mod/autoindex.pp Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/manifests/mod/autoindex.pp Sun Dec 29 11:00:05 2019 -0500 @@ -1,9 +1,11 @@ class apache::mod::autoindex { + include ::apache ::apache::mod { 'autoindex': } # Template uses no variables file { 'autoindex.conf': ensure => file, path => "${::apache::mod_dir}/autoindex.conf", + mode => $::apache::file_mode, content => template('apache/mod/autoindex.conf.erb'), require => Exec["mkdir ${::apache::mod_dir}"], before => File[$::apache::mod_dir],
--- a/modules/apache/manifests/mod/cgi.pp Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/manifests/mod/cgi.pp Sun Dec 29 11:00:05 2019 -0500 @@ -6,5 +6,12 @@ } } - ::apache::mod { 'cgi': } + if $::osfamily == 'Suse' { + ::apache::mod { 'cgi': + lib_path => '/usr/lib64/apache2-prefork', + } + } else { + ::apache::mod { 'cgi': } + } + }
--- a/modules/apache/manifests/mod/cgid.pp Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/manifests/mod/cgid.pp Sun Dec 29 11:00:05 2019 -0500 @@ -1,8 +1,13 @@ class apache::mod::cgid { + include ::apache case $::osfamily { 'FreeBSD': {} default: { - Class['::apache::mod::worker'] -> Class['::apache::mod::cgid'] + if defined(Class['::apache::mod::event']) { + Class['::apache::mod::event'] -> Class['::apache::mod::cgid'] + } else { + Class['::apache::mod::worker'] -> Class['::apache::mod::cgid'] + } } } @@ -13,12 +18,21 @@ 'freebsd' => 'cgisock', default => undef, } - ::apache::mod { 'cgid': } + + if $::osfamily == 'Suse' { + ::apache::mod { 'cgid': + lib_path => '/usr/lib64/apache2-worker', + } + } else { + ::apache::mod { 'cgid': } + } + if $cgisock_path { # Template uses $cgisock_path file { 'cgid.conf': ensure => file, path => "${::apache::mod_dir}/cgid.conf", + mode => $::apache::file_mode, content => template('apache/mod/cgid.conf.erb'), require => Exec["mkdir ${::apache::mod_dir}"], before => File[$::apache::mod_dir],
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/manifests/mod/cluster.pp Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,38 @@ +class apache::mod::cluster ( + $allowed_network, + $balancer_name, + $ip, + $version, + $enable_mcpm_receive = true, + $port = '6666', + $keep_alive_timeout = 60, + $manager_allowed_network = '127.0.0.1', + $max_keep_alive_requests = 0, + $server_advertise = true, +) { + + include ::apache + + ::apache::mod { 'proxy': } + ::apache::mod { 'proxy_ajp': } + ::apache::mod { 'manager': } + ::apache::mod { 'proxy_cluster': } + ::apache::mod { 'advertise': } + + if (versioncmp($version, '1.3.0') >= 0 ) { + ::apache::mod { 'cluster_slotmem': } + } else { + ::apache::mod { 'slotmem': } + } + + file {'cluster.conf': + ensure => file, + path => "${::apache::mod_dir}/cluster.conf", + mode => $::apache::file_mode, + content => template('apache/mod/cluster.conf.erb'), + require => Exec["mkdir ${::apache::mod_dir}"], + before => File[$::apache::mod_dir], + notify => Class['apache::service'], + } + +}
--- a/modules/apache/manifests/mod/dav_fs.pp Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/manifests/mod/dav_fs.pp Sun Dec 29 11:00:05 2019 -0500 @@ -1,4 +1,5 @@ class apache::mod::dav_fs { + include ::apache $dav_lock = $::osfamily ? { 'debian' => "\${APACHE_LOCK_DIR}/DAVLock", 'freebsd' => '/usr/local/var/DavLock', @@ -12,6 +13,7 @@ file { 'dav_fs.conf': ensure => file, path => "${::apache::mod_dir}/dav_fs.conf", + mode => $::apache::file_mode, content => template('apache/mod/dav_fs.conf.erb'), require => Exec["mkdir ${::apache::mod_dir}"], before => File[$::apache::mod_dir],
--- a/modules/apache/manifests/mod/dav_svn.pp Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/manifests/mod/dav_svn.pp Sun Dec 29 11:00:05 2019 -0500 @@ -2,10 +2,18 @@ $authz_svn_enabled = false, ) { Class['::apache::mod::dav'] -> Class['::apache::mod::dav_svn'] + include ::apache include ::apache::mod::dav + if($::operatingsystem == 'SLES' and $::operatingsystemmajrelease < '12'){ + package { 'subversion-server': + ensure => 'installed', + provider => 'zypper', + } + } + ::apache::mod { 'dav_svn': } - if $::osfamily == 'Debian' and ($::operatingsystemmajrelease != '6' and $::operatingsystemmajrelease != '10.04' and $::operatingsystemrelease != '10.04') { + if $::osfamily == 'Debian' and ($::operatingsystemmajrelease != '6' and $::operatingsystemmajrelease != '10.04' and $::operatingsystemrelease != '10.04' and $::operatingsystemmajrelease != '16.04') { $loadfile_name = undef } else { $loadfile_name = 'dav_svn_authz_svn.load'
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/manifests/mod/dbd.pp Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,3 @@ +class apache::mod::dbd { + ::apache::mod { 'dbd': } +}
--- a/modules/apache/manifests/mod/deflate.pp Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/manifests/mod/deflate.pp Sun Dec 29 11:00:05 2019 -0500 @@ -3,19 +3,22 @@ 'text/html text/plain text/xml', 'text/css', 'application/x-javascript application/javascript application/ecmascript', - 'application/rss+xml' + 'application/rss+xml', + 'application/json', ], $notes = { 'Input' => 'instream', 'Output' => 'outstream', - 'Ratio' => 'ratio' + 'Ratio' => 'ratio', } ) { + include ::apache ::apache::mod { 'deflate': } file { 'deflate.conf': ensure => file, path => "${::apache::mod_dir}/deflate.conf", + mode => $::apache::file_mode, content => template('apache/mod/deflate.conf.erb'), require => Exec["mkdir ${::apache::mod_dir}"], before => File[$::apache::mod_dir],
--- a/modules/apache/manifests/mod/dir.pp Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/manifests/mod/dir.pp Sun Dec 29 11:00:05 2019 -0500 @@ -6,6 +6,7 @@ $indexes = ['index.html','index.html.var','index.cgi','index.pl','index.php','index.xhtml'], ) { validate_array($indexes) + include ::apache ::apache::mod { 'dir': } # Template uses @@ -13,6 +14,7 @@ file { 'dir.conf': ensure => file, path => "${::apache::mod_dir}/dir.conf", + mode => $::apache::file_mode, content => template('apache/mod/dir.conf.erb'), require => Exec["mkdir ${::apache::mod_dir}"], before => File[$::apache::mod_dir],
--- a/modules/apache/manifests/mod/disk_cache.pp Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/manifests/mod/disk_cache.pp Sun Dec 29 11:00:05 2019 -0500 @@ -1,27 +1,39 @@ -class apache::mod::disk_cache { - $cache_root = $::osfamily ? { - 'debian' => '/var/cache/apache2/mod_disk_cache', - 'redhat' => '/var/cache/mod_proxy', - 'freebsd' => '/var/cache/mod_disk_cache', +class apache::mod::disk_cache ( + $cache_root = undef, +) { + include ::apache + if $cache_root { + $_cache_root = $cache_root + } + elsif versioncmp($::apache::apache_version, '2.4') >= 0 { + $_cache_root = $::osfamily ? { + 'debian' => '/var/cache/apache2/mod_cache_disk', + 'redhat' => '/var/cache/httpd/proxy', + 'freebsd' => '/var/cache/mod_cache_disk', + } + } + else { + $_cache_root = $::osfamily ? { + 'debian' => '/var/cache/apache2/mod_disk_cache', + 'redhat' => '/var/cache/mod_proxy', + 'freebsd' => '/var/cache/mod_disk_cache', + } } - $mod_name = $::osfamily ? { - 'FreeBSD' => 'cache_disk', - default => 'disk_cache', + if versioncmp($::apache::apache_version, '2.4') >= 0 { + apache::mod { 'cache_disk': } + } + else { + apache::mod { 'disk_cache': } } - if $::osfamily != 'FreeBSD' { - # FIXME: investigate why disk_cache was dependent on proxy - # NOTE: on FreeBSD disk_cache is compiled by default but proxy is not - Class['::apache::mod::proxy'] -> Class['::apache::mod::disk_cache'] - } Class['::apache::mod::cache'] -> Class['::apache::mod::disk_cache'] - apache::mod { $mod_name: } - # Template uses $cache_proxy + # Template uses $_cache_root file { 'disk_cache.conf': ensure => file, path => "${::apache::mod_dir}/disk_cache.conf", + mode => $::apache::file_mode, content => template('apache/mod/disk_cache.conf.erb'), require => Exec["mkdir ${::apache::mod_dir}"], before => File[$::apache::mod_dir],
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/manifests/mod/dumpio.pp Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,20 @@ +class apache::mod::dumpio( + $dump_io_input = 'Off', + $dump_io_output = 'Off', +) { + include ::apache + validate_re(downcase($dump_io_input), '^(on|off)$', "${dump_io_input} is not supported for dump_io_input. Allowed values are 'On' and 'Off'.") + validate_re(downcase($dump_io_output), '^(on|off)$', "${dump_io_output} is not supported for dump_io_output. Allowed values are 'On' and 'Off'.") + + ::apache::mod { 'dumpio': } + file{'dumpio.conf': + ensure => file, + path => "${::apache::mod_dir}/dumpio.conf", + mode => $::apache::file_mode, + content => template('apache/mod/dumpio.conf.erb'), + require => Exec["mkdir ${::apache::mod_dir}"], + before => File[$::apache::mod_dir], + notify => Class['apache::service'], + } + +}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/manifests/mod/env.pp Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,3 @@ +class apache::mod::env { + ::apache::mod { 'env': } +}
--- a/modules/apache/manifests/mod/event.pp Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/manifests/mod/event.pp Sun Dec 29 11:00:05 2019 -0500 @@ -1,17 +1,21 @@ class apache::mod::event ( $startservers = '2', $maxclients = '150', + $maxrequestworkers = undef, $minsparethreads = '25', $maxsparethreads = '75', $threadsperchild = '25', $maxrequestsperchild = '0', + $maxconnectionsperchild = undef, $serverlimit = '25', - $apache_version = $::apache::apache_version, + $apache_version = undef, $threadlimit = '64', $listenbacklog = '511', - $maxrequestworkers = '256', - $maxconnectionsperchild = '0', ) { + include ::apache + + $_apache_version = pick($apache_version, $apache::apache_version) + if defined(Class['apache::mod::itk']) { fail('May not include both apache::mod::event and apache::mod::itk on the same node') } @@ -27,7 +31,7 @@ File { owner => 'root', group => $::apache::params::root_group, - mode => '0644', + mode => $::apache::file_mode, } # Template uses: @@ -40,6 +44,7 @@ # - $serverlimit file { "${::apache::mod_dir}/event.conf": ensure => file, + mode => $::apache::file_mode, content => template('apache/mod/event.conf.erb'), require => Exec["mkdir ${::apache::mod_dir}"], before => File[$::apache::mod_dir], @@ -48,15 +53,20 @@ case $::osfamily { 'redhat': { - if versioncmp($apache_version, '2.4') >= 0 { + if versioncmp($_apache_version, '2.4') >= 0 { apache::mpm{ 'event': - apache_version => $apache_version, + apache_version => $_apache_version, } } } 'debian','freebsd' : { apache::mpm{ 'event': - apache_version => $apache_version, + apache_version => $_apache_version, + } + } + 'gentoo': { + ::portage::makeconf { 'apache2_mpms': + content => 'event', } } default: {
--- a/modules/apache/manifests/mod/expires.pp Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/manifests/mod/expires.pp Sun Dec 29 11:00:05 2019 -0500 @@ -1,3 +1,22 @@ -class apache::mod::expires { +class apache::mod::expires ( + $expires_active = true, + $expires_default = undef, + $expires_by_type = undef, +) { + include ::apache ::apache::mod { 'expires': } + + # Template uses + # $expires_active + # $expires_default + # $expires_by_type + file { 'expires.conf': + ensure => file, + path => "${::apache::mod_dir}/expires.conf", + mode => $::apache::file_mode, + content => template('apache/mod/expires.conf.erb'), + require => Exec["mkdir ${::apache::mod_dir}"], + before => File[$::apache::mod_dir], + notify => Class['apache::service'], + } }
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/manifests/mod/ext_filter.pp Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,25 @@ +class apache::mod::ext_filter( + $ext_filter_define = undef +) { + include ::apache + if $ext_filter_define { + validate_hash($ext_filter_define) + } + + ::apache::mod { 'ext_filter': } + + # Template uses + # -$ext_filter_define + + if $ext_filter_define { + file { 'ext_filter.conf': + ensure => file, + path => "${::apache::mod_dir}/ext_filter.conf", + mode => $::apache::file_mode, + content => template('apache/mod/ext_filter.conf.erb'), + require => [ Exec["mkdir ${::apache::mod_dir}"], ], + before => File[$::apache::mod_dir], + notify => Class['Apache::Service'], + } + } +}
--- a/modules/apache/manifests/mod/fastcgi.pp Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/manifests/mod/fastcgi.pp Sun Dec 29 11:00:05 2019 -0500 @@ -1,4 +1,5 @@ class apache::mod::fastcgi { + include ::apache # Debian specifies it's fastcgi lib path, but RedHat uses the default value # with no config file @@ -14,6 +15,7 @@ file { 'fastcgi.conf': ensure => file, path => "${::apache::mod_dir}/fastcgi.conf", + mode => $::apache::file_mode, content => template('apache/mod/fastcgi.conf.erb'), require => Exec["mkdir ${::apache::mod_dir}"], before => File[$::apache::mod_dir],
--- a/modules/apache/manifests/mod/fcgid.pp Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/manifests/mod/fcgid.pp Sun Dec 29 11:00:05 2019 -0500 @@ -1,21 +1,25 @@ class apache::mod::fcgid( $options = {}, ) { - if $::osfamily == 'RedHat' and $::operatingsystemmajrelease == '7' { + include ::apache + if ($::osfamily == 'RedHat' and $::operatingsystemmajrelease == '7') or $::osfamily == 'FreeBSD' { $loadfile_name = 'unixd_fcgid.load' + $conf_name = 'unixd_fcgid.conf' } else { $loadfile_name = undef + $conf_name = 'fcgid.conf' } ::apache::mod { 'fcgid': - loadfile_name => $loadfile_name + loadfile_name => $loadfile_name, } # Template uses: # - $options - file { 'fcgid.conf': + file { $conf_name: ensure => file, - path => "${::apache::mod_dir}/fcgid.conf", + path => "${::apache::mod_dir}/${conf_name}", + mode => $::apache::file_mode, content => template('apache/mod/fcgid.conf.erb'), require => Exec["mkdir ${::apache::mod_dir}"], before => File[$::apache::mod_dir],
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/manifests/mod/geoip.pp Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,33 @@ +class apache::mod::geoip ( + $enable = false, + $db_file = '/usr/share/GeoIP/GeoIP.dat', + $flag = 'Standard', + $output = 'All', + $enable_utf8 = undef, + $scan_proxy_headers = undef, + $scan_proxy_header_field = undef, + $use_last_xforwarededfor_ip = undef, +) { + include ::apache + ::apache::mod { 'geoip': } + + # Template uses: + # - enable + # - db_file + # - flag + # - output + # - enable_utf8 + # - scan_proxy_headers + # - scan_proxy_header_field + # - use_last_xforwarededfor_ip + file { 'geoip.conf': + ensure => file, + path => "${::apache::mod_dir}/geoip.conf", + mode => $::apache::file_mode, + content => template('apache/mod/geoip.conf.erb'), + require => Exec["mkdir ${::apache::mod_dir}"], + before => File[$::apache::mod_dir], + notify => Class['apache::service'], + } + +}
--- a/modules/apache/manifests/mod/info.pp Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/manifests/mod/info.pp Sun Dec 29 11:00:05 2019 -0500 @@ -1,15 +1,30 @@ class apache::mod::info ( $allow_from = ['127.0.0.1','::1'], - $apache_version = $::apache::apache_version, + $apache_version = undef, $restrict_access = true, + $info_path = '/server-info', ){ - apache::mod { 'info': } - # Template uses - # $allow_from - # $apache_version + include ::apache + $_apache_version = pick($apache_version, $apache::apache_version) + + if $::osfamily == 'Suse' { + if defined(Class['::apache::mod::worker']){ + $suse_path = '/usr/lib64/apache2-worker' + } else { + $suse_path = '/usr/lib64/apache2-prefork' + } + ::apache::mod { 'info': + lib_path => $suse_path, + } + } else { + ::apache::mod { 'info': } + } + + # Template uses $allow_from, $_apache_version file { 'info.conf': ensure => file, path => "${::apache::mod_dir}/info.conf", + mode => $::apache::file_mode, content => template('apache/mod/info.conf.erb'), require => Exec["mkdir ${::apache::mod_dir}"], before => File[$::apache::mod_dir],
--- a/modules/apache/manifests/mod/itk.pp Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/manifests/mod/itk.pp Sun Dec 29 11:00:05 2019 -0500 @@ -5,18 +5,33 @@ $serverlimit = '256', $maxclients = '256', $maxrequestsperchild = '4000', - $apache_version = $::apache::apache_version, + $apache_version = undef, ) { + include ::apache + + $_apache_version = pick($apache_version, $apache::apache_version) + if defined(Class['apache::mod::event']) { fail('May not include both apache::mod::itk and apache::mod::event on the same node') } if defined(Class['apache::mod::peruser']) { fail('May not include both apache::mod::itk and apache::mod::peruser on the same node') } - if versioncmp($apache_version, '2.4') < 0 { + if versioncmp($_apache_version, '2.4') < 0 { if defined(Class['apache::mod::prefork']) { fail('May not include both apache::mod::itk and apache::mod::prefork on the same node') } + } else { + # prefork is a requirement for itk in 2.4; except on FreeBSD and Gentoo, which are special + if $::osfamily =~ /^(FreeBSD|Gentoo)/ { + if defined(Class['apache::mod::prefork']) { + fail('May not include both apache::mod::itk and apache::mod::prefork on the same node') + } + } else { + if ! defined(Class['apache::mod::prefork']) { + include ::apache::mod::prefork + } + } } if defined(Class['apache::mod::worker']) { fail('May not include both apache::mod::itk and apache::mod::worker on the same node') @@ -24,7 +39,7 @@ File { owner => 'root', group => $::apache::params::root_group, - mode => '0644', + mode => $::apache::file_mode, } # Template uses: @@ -36,6 +51,7 @@ # - $maxrequestsperchild file { "${::apache::mod_dir}/itk.conf": ensure => file, + mode => $::apache::file_mode, content => template('apache/mod/itk.conf.erb'), require => Exec["mkdir ${::apache::mod_dir}"], before => File[$::apache::mod_dir], @@ -43,9 +59,34 @@ } case $::osfamily { + 'redhat': { + package { 'httpd-itk': + ensure => present, + } + if versioncmp($_apache_version, '2.4') >= 0 { + ::apache::mpm{ 'itk': + apache_version => $_apache_version, + } + } + else { + file_line { '/etc/sysconfig/httpd itk enable': + ensure => present, + path => '/etc/sysconfig/httpd', + line => 'HTTPD=/usr/sbin/httpd.itk', + match => '#?HTTPD=/usr/sbin/httpd.itk', + require => Package['httpd'], + notify => Class['apache::service'], + } + } + } 'debian', 'freebsd': { apache::mpm{ 'itk': - apache_version => $apache_version, + apache_version => $_apache_version, + } + } + 'gentoo': { + ::portage::makeconf { 'apache2_mpms': + content => 'itk', } } default: {
--- a/modules/apache/manifests/mod/ldap.pp Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/manifests/mod/ldap.pp Sun Dec 29 11:00:05 2019 -0500 @@ -1,11 +1,27 @@ class apache::mod::ldap ( - $apache_version = $::apache::apache_version, + $apache_version = undef, + $package_name = undef, + $ldap_trusted_global_cert_file = undef, + $ldap_trusted_global_cert_type = 'CA_BASE64', + $ldap_shared_cache_size = undef, + $ldap_cache_entries = undef, + $ldap_cache_ttl = undef, + $ldap_opcache_entries = undef, + $ldap_opcache_ttl = undef, ){ - ::apache::mod { 'ldap': } - # Template uses $apache_version + include ::apache + $_apache_version = pick($apache_version, $apache::apache_version) + if ($ldap_trusted_global_cert_file) { + validate_string($ldap_trusted_global_cert_type) + } + ::apache::mod { 'ldap': + package => $package_name, + } + # Template uses $_apache_version file { 'ldap.conf': ensure => file, path => "${::apache::mod_dir}/ldap.conf", + mode => $::apache::file_mode, content => template('apache/mod/ldap.conf.erb'), require => Exec["mkdir ${::apache::mod_dir}"], before => File[$::apache::mod_dir],
--- a/modules/apache/manifests/mod/mime.pp Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/manifests/mod/mime.pp Sun Dec 29 11:00:05 2019 -0500 @@ -1,12 +1,16 @@ class apache::mod::mime ( $mime_support_package = $::apache::params::mime_support_package, $mime_types_config = $::apache::params::mime_types_config, -) { + $mime_types_additional = undef, +) inherits ::apache::params { + include ::apache + $_mime_types_additional = pick($mime_types_additional, $apache::mime_types_additional) apache::mod { 'mime': } - # Template uses $mime_types_config + # Template uses $_mime_types_config file { 'mime.conf': ensure => file, path => "${::apache::mod_dir}/mime.conf", + mode => $::apache::file_mode, content => template('apache/mod/mime.conf.erb'), require => Exec["mkdir ${::apache::mod_dir}"], before => File[$::apache::mod_dir],
--- a/modules/apache/manifests/mod/mime_magic.pp Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/manifests/mod/mime_magic.pp Sun Dec 29 11:00:05 2019 -0500 @@ -1,11 +1,14 @@ class apache::mod::mime_magic ( - $magic_file = "${::apache::conf_dir}/magic" + $magic_file = undef, ) { + include ::apache + $_magic_file = pick($magic_file, "${::apache::conf_dir}/magic") apache::mod { 'mime_magic': } # Template uses $magic_file file { 'mime_magic.conf': ensure => file, path => "${::apache::mod_dir}/mime_magic.conf", + mode => $::apache::file_mode, content => template('apache/mod/mime_magic.conf.erb'), require => Exec["mkdir ${::apache::mod_dir}"], before => File[$::apache::mod_dir],
--- a/modules/apache/manifests/mod/negotiation.pp Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/manifests/mod/negotiation.pp Sun Dec 29 11:00:05 2019 -0500 @@ -5,6 +5,7 @@ 'no', 'pl', 'pt', 'pt-BR', 'ru', 'sv', 'zh-CN', 'zh-TW' ], ) { + include ::apache if !is_array($force_language_priority) and !is_string($force_language_priority) { fail('force_languague_priority must be a string or array of strings') } @@ -16,6 +17,7 @@ # Template uses no variables file { 'negotiation.conf': ensure => file, + mode => $::apache::file_mode, path => "${::apache::mod_dir}/negotiation.conf", content => template('apache/mod/negotiation.conf.erb'), require => Exec["mkdir ${::apache::mod_dir}"],
--- a/modules/apache/manifests/mod/nss.pp Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/manifests/mod/nss.pp Sun Dec 29 11:00:05 2019 -0500 @@ -1,8 +1,10 @@ class apache::mod::nss ( $transfer_log = "${::apache::params::logroot}/access.log", $error_log = "${::apache::params::logroot}/error.log", - $passwd_file = undef + $passwd_file = undef, + $port = 8443, ) { + include ::apache include ::apache::mod::mime apache::mod { 'nss': } @@ -17,6 +19,7 @@ file { 'nss.conf': ensure => file, path => "${::apache::mod_dir}/nss.conf", + mode => $::apache::file_mode, content => template('apache/mod/nss.conf.erb'), require => Exec["mkdir ${::apache::mod_dir}"], before => File[$::apache::mod_dir],
--- a/modules/apache/manifests/mod/pagespeed.pp Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/manifests/mod/pagespeed.pp Sun Dec 29 11:00:05 2019 -0500 @@ -32,21 +32,26 @@ $allow_pagespeed_message = [], $message_buffer_size = 100000, $additional_configuration = {}, - $apache_version = $::apache::apache_version, + $apache_version = undef, + $package_ensure = undef, ){ - - $_lib = $::apache::apache_version ? { + include ::apache + $_apache_version = pick($apache_version, $apache::apache_version) + $_lib = $_apache_version ? { '2.4' => 'mod_pagespeed_ap24.so', default => undef } apache::mod { 'pagespeed': - lib => $_lib, + lib => $_lib, + package_ensure => $package_ensure, } + # Template uses $_apache_version file { 'pagespeed.conf': ensure => file, path => "${::apache::mod_dir}/pagespeed.conf", + mode => $::apache::file_mode, content => template('apache/mod/pagespeed.conf.erb'), require => Exec["mkdir ${::apache::mod_dir}"], before => File[$::apache::mod_dir],
--- a/modules/apache/manifests/mod/passenger.pp Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/manifests/mod/passenger.pp Sun Dec 29 11:00:05 2019 -0500 @@ -1,42 +1,45 @@ class apache::mod::passenger ( - $passenger_conf_file = $::apache::params::passenger_conf_file, - $passenger_conf_package_file = $::apache::params::passenger_conf_package_file, - $passenger_high_performance = undef, - $passenger_pool_idle_time = undef, - $passenger_max_requests = undef, - $passenger_stat_throttle_rate = undef, - $rack_autodetect = undef, - $rails_autodetect = undef, - $passenger_root = $::apache::params::passenger_root, - $passenger_ruby = $::apache::params::passenger_ruby, - $passenger_default_ruby = $::apache::params::passenger_default_ruby, - $passenger_max_pool_size = undef, - $passenger_use_global_queue = undef, - $mod_package = undef, - $mod_package_ensure = undef, - $mod_lib = undef, - $mod_lib_path = undef, - $mod_id = undef, - $mod_path = undef, -) { + $passenger_conf_file = $::apache::params::passenger_conf_file, + $passenger_conf_package_file = $::apache::params::passenger_conf_package_file, + $passenger_high_performance = undef, + $passenger_pool_idle_time = undef, + $passenger_max_request_queue_size = undef, + $passenger_max_requests = undef, + $passenger_spawn_method = undef, + $passenger_stat_throttle_rate = undef, + $rack_autodetect = undef, + $rails_autodetect = undef, + $passenger_root = $::apache::params::passenger_root, + $passenger_ruby = $::apache::params::passenger_ruby, + $passenger_default_ruby = $::apache::params::passenger_default_ruby, + $passenger_max_pool_size = undef, + $passenger_min_instances = undef, + $passenger_max_instances_per_app = undef, + $passenger_use_global_queue = undef, + $passenger_app_env = undef, + $passenger_log_file = undef, + $passenger_log_level = undef, + $passenger_data_buffer_dir = undef, + $manage_repo = true, + $mod_package = undef, + $mod_package_ensure = undef, + $mod_lib = undef, + $mod_lib_path = undef, + $mod_id = undef, + $mod_path = undef, +) inherits ::apache::params { + include ::apache + if $passenger_spawn_method { + validate_re($passenger_spawn_method, '(^smart$|^direct$|^smart-lv2$|^conservative$)', "${passenger_spawn_method} is not permitted for passenger_spawn_method. Allowed values are 'smart', 'direct', 'smart-lv2', or 'conservative'.") + } + if $passenger_log_file { + validate_absolute_path($passenger_log_file) + } + # Managed by the package, but declare it to avoid purging if $passenger_conf_package_file { file { 'passenger_package.conf': - path => "${::apache::mod_dir}/${passenger_conf_package_file}", - } - } else { - # Remove passenger_extra.conf left over from before Passenger support was - # reworked for Debian. This is a temporary fix for users running this - # module from master after release 1.0.1 It will be removed in two - # releases from now. - $passenger_package_conf_ensure = $::osfamily ? { - 'Debian' => 'absent', - default => undef, - } - - file { 'passenger_package.conf': - ensure => $passenger_package_conf_ensure, - path => "${::apache::mod_dir}/passenger_extra.conf", + path => "${::apache::confd_dir}/${passenger_conf_package_file}", } } @@ -53,15 +56,39 @@ $_lib_path = $mod_lib_path } - $_id = $mod_id - $_path = $mod_path - ::apache::mod { 'passenger': - package => $_package, - package_ensure => $_package_ensure, - lib => $_lib, - lib_path => $_lib_path, - id => $_id, - path => $_path, + if $::osfamily == 'RedHat' and $manage_repo { + if $::operatingsystem == 'Amazon' { + $baseurl = 'https://oss-binaries.phusionpassenger.com/yum/passenger/el/6Server/$basearch' + } else { + $baseurl = 'https://oss-binaries.phusionpassenger.com/yum/passenger/el/$releasever/$basearch' + } + + yumrepo { 'passenger': + ensure => 'present', + baseurl => $baseurl, + descr => 'passenger', + enabled => '1', + gpgcheck => '0', + gpgkey => 'https://packagecloud.io/gpg.key', + repo_gpgcheck => '1', + sslcacert => '/etc/pki/tls/certs/ca-bundle.crt', + sslverify => '1', + before => Apache::Mod['passenger'], + } + } + + unless ($::operatingsystem == 'SLES') { + $_id = $mod_id + $_path = $mod_path + ::apache::mod { 'passenger': + package => $_package, + package_ensure => $_package_ensure, + lib => $_lib, + lib_path => $_lib_path, + id => $_id, + path => $_path, + loadfile_name => 'zpassenger.load', + } } # Template uses: @@ -69,10 +96,17 @@ # - $passenger_ruby # - $passenger_default_ruby # - $passenger_max_pool_size + # - $passenger_min_instances + # - $passenger_max_instances_per_app # - $passenger_high_performance # - $passenger_max_requests + # - $passenger_spawn_method # - $passenger_stat_throttle_rate # - $passenger_use_global_queue + # - $passenger_log_file + # - $passenger_log_level + # - $passenger_app_env + # - $passenger_data_buffer_dir # - $rack_autodetect # - $rails_autodetect file { 'passenger.conf':
--- a/modules/apache/manifests/mod/perl.pp Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/manifests/mod/perl.pp Sun Dec 29 11:00:05 2019 -0500 @@ -1,3 +1,4 @@ class apache::mod::perl { + include ::apache ::apache::mod { 'perl': } }
--- a/modules/apache/manifests/mod/peruser.pp Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/manifests/mod/peruser.pp Sun Dec 29 11:00:05 2019 -0500 @@ -8,12 +8,18 @@ $expiretimeout = '120', $keepalive = 'Off', ) { - + include ::apache case $::osfamily { 'freebsd' : { fail("Unsupported osfamily ${::osfamily}") } default: { + if $::osfamily == 'gentoo' { + ::portage::makeconf { 'apache2_mpms': + content => 'peruser', + } + } + if defined(Class['apache::mod::event']) { fail('May not include both apache::mod::peruser and apache::mod::event on the same node') } @@ -29,7 +35,7 @@ File { owner => 'root', group => $::apache::params::root_group, - mode => '0644', + mode => $::apache::file_mode, } $mod_dir = $::apache::mod_dir @@ -46,6 +52,7 @@ # - $mod_dir file { "${::apache::mod_dir}/peruser.conf": ensure => file, + mode => $::apache::file_mode, content => template('apache/mod/peruser.conf.erb'), require => Exec["mkdir ${::apache::mod_dir}"], before => File[$::apache::mod_dir],
--- a/modules/apache/manifests/mod/php.pp Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/manifests/mod/php.pp Sun Dec 29 11:00:05 2019 -0500 @@ -4,25 +4,28 @@ $path = undef, $extensions = ['.php'], $content = undef, - $template = 'apache/mod/php5.conf.erb', + $template = 'apache/mod/php.conf.erb', $source = undef, $root_group = $::apache::params::root_group, + $php_version = $::apache::params::php_version, ) inherits apache::params { + include ::apache + $mod = "php${php_version}" if defined(Class['::apache::mod::prefork']) { - Class['::apache::mod::prefork']->File['php5.conf'] + Class['::apache::mod::prefork']->File["${mod}.conf"] } elsif defined(Class['::apache::mod::itk']) { - Class['::apache::mod::itk']->File['php5.conf'] + Class['::apache::mod::itk']->File["${mod}.conf"] } else { fail('apache::mod::php requires apache::mod::prefork or apache::mod::itk; please enable mpm_module => \'prefork\' or mpm_module => \'itk\' on Class[\'apache\']') } validate_array($extensions) - if $source and ($content or $template != 'apache/mod/php5.conf.erb') { + if $source and ($content or $template != 'apache/mod/php.conf.erb') { warning('source and content or template parameters are provided. source parameter will be used') - } elsif $content and $template != 'apache/mod/php5.conf.erb' { + } elsif $content and $template != 'apache/mod/php.conf.erb' { warning('content and template parameters are provided. content parameter will be used') } @@ -34,23 +37,52 @@ default => undef, } - ::apache::mod { 'php5': - package => $package_name, - package_ensure => $package_ensure, - path => $path, + # Determine if we have a package + $mod_packages = $::apache::params::mod_packages + if $package_name { + $_package_name = $package_name + } elsif has_key($mod_packages, $mod) { # 2.6 compatibility hack + $_package_name = $mod_packages[$mod] + } elsif has_key($mod_packages, 'phpXXX') { # 2.6 compatibility hack + $_package_name = regsubst($mod_packages['phpXXX'], 'XXX', $php_version) + } else { + $_package_name = undef } + $_lib = "libphp${php_version}.so" + $_php_major = regsubst($php_version, '^(\d+)\..*$', '\1') + + if $::operatingsystem == 'SLES' { + ::apache::mod { $mod: + package => $_package_name, + package_ensure => $package_ensure, + lib => 'mod_php5.so', + id => "php${_php_major}_module", + path => "${::apache::lib_path}/mod_php5.so", + } + } else { + ::apache::mod { $mod: + package => $_package_name, + package_ensure => $package_ensure, + lib => $_lib, + id => "php${_php_major}_module", + path => $path, + } + + } + + include ::apache::mod::mime include ::apache::mod::dir Class['::apache::mod::mime'] -> Class['::apache::mod::dir'] -> Class['::apache::mod::php'] # Template uses $extensions - file { 'php5.conf': + file { "${mod}.conf": ensure => file, - path => "${::apache::mod_dir}/php5.conf", + path => "${::apache::mod_dir}/${mod}.conf", owner => 'root', group => $root_group, - mode => '0644', + mode => $::apache::file_mode, content => $manage_content, source => $source, require => [
--- a/modules/apache/manifests/mod/prefork.pp Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/manifests/mod/prefork.pp Sun Dec 29 11:00:05 2019 -0500 @@ -5,12 +5,14 @@ $serverlimit = '256', $maxclients = '256', $maxrequestsperchild = '4000', - $apache_version = $::apache::apache_version, + $apache_version = undef, ) { + include ::apache + $_apache_version = pick($apache_version, $apache::apache_version) if defined(Class['apache::mod::event']) { fail('May not include both apache::mod::prefork and apache::mod::event on the same node') } - if versioncmp($apache_version, '2.4') < 0 { + if versioncmp($_apache_version, '2.4') < 0 { if defined(Class['apache::mod::itk']) { fail('May not include both apache::mod::prefork and apache::mod::itk on the same node') } @@ -24,7 +26,7 @@ File { owner => 'root', group => $::apache::params::root_group, - mode => '0644', + mode => $::apache::file_mode, } # Template uses: @@ -44,9 +46,9 @@ case $::osfamily { 'redhat': { - if versioncmp($apache_version, '2.4') >= 0 { + if versioncmp($_apache_version, '2.4') >= 0 { ::apache::mpm{ 'prefork': - apache_version => $apache_version, + apache_version => $_apache_version, } } else { @@ -60,9 +62,20 @@ } } } - 'debian', 'freebsd' : { + 'debian', 'freebsd': { + ::apache::mpm{ 'prefork': + apache_version => $_apache_version, + } + } + 'Suse': { ::apache::mpm{ 'prefork': apache_version => $apache_version, + lib_path => '/usr/lib64/apache2-prefork', + } + } + 'gentoo': { + ::portage::makeconf { 'apache2_mpms': + content => 'prefork', } } default: {
--- a/modules/apache/manifests/mod/proxy.pp Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/manifests/mod/proxy.pp Sun Dec 29 11:00:05 2019 -0500 @@ -1,13 +1,20 @@ class apache::mod::proxy ( $proxy_requests = 'Off', - $allow_from = undef, - $apache_version = $::apache::apache_version, + $allow_from = undef, + $apache_version = undef, + $package_name = undef, + $proxy_via = 'On', ) { - ::apache::mod { 'proxy': } - # Template uses $proxy_requests, $apache_version + include ::apache + $_apache_version = pick($apache_version, $apache::apache_version) + ::apache::mod { 'proxy': + package => $package_name, + } + # Template uses $proxy_requests, $_apache_version file { 'proxy.conf': ensure => file, path => "${::apache::mod_dir}/proxy.conf", + mode => $::apache::file_mode, content => template('apache/mod/proxy.conf.erb'), require => Exec["mkdir ${::apache::mod_dir}"], before => File[$::apache::mod_dir],
--- a/modules/apache/manifests/mod/proxy_balancer.pp Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/manifests/mod/proxy_balancer.pp Sun Dec 29 11:00:05 2019 -0500 @@ -1,10 +1,32 @@ -class apache::mod::proxy_balancer { +class apache::mod::proxy_balancer( + $manager = false, + $manager_path = '/balancer-manager', + $allow_from = ['127.0.0.1','::1'], + $apache_version = $::apache::apache_version, +) { + validate_bool($manager) + validate_string($manager_path) + validate_array($allow_from) include ::apache::mod::proxy include ::apache::mod::proxy_http + if versioncmp($apache_version, '2.4') >= 0 { + ::apache::mod { 'slotmem_shm': } + } Class['::apache::mod::proxy'] -> Class['::apache::mod::proxy_balancer'] Class['::apache::mod::proxy_http'] -> Class['::apache::mod::proxy_balancer'] ::apache::mod { 'proxy_balancer': } - + if $manager { + include ::apache::mod::status + file { 'proxy_balancer.conf': + ensure => file, + path => "${::apache::mod_dir}/proxy_balancer.conf", + mode => $::apache::file_mode, + content => template('apache/mod/proxy_balancer.conf.erb'), + require => Exec["mkdir ${::apache::mod_dir}"], + before => File[$::apache::mod_dir], + notify => Class['apache::service'], + } + } }
--- a/modules/apache/manifests/mod/proxy_connect.pp Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/manifests/mod/proxy_connect.pp Sun Dec 29 11:00:05 2019 -0500 @@ -1,7 +1,9 @@ class apache::mod::proxy_connect ( - $apache_version = $::apache::apache_version, + $apache_version = undef, ) { - if versioncmp($apache_version, '2.4') >= 0 { + include ::apache + $_apache_version = pick($apache_version, $apache::apache_version) + if versioncmp($_apache_version, '2.2') >= 0 { Class['::apache::mod::proxy'] -> Class['::apache::mod::proxy_connect'] ::apache::mod { 'proxy_connect': } }
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/manifests/mod/proxy_fcgi.pp Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,4 @@ +class apache::mod::proxy_fcgi { + Class['::apache::mod::proxy'] -> Class['::apache::mod::proxy_fcgi'] + ::apache::mod { 'proxy_fcgi': } +}
--- a/modules/apache/manifests/mod/proxy_html.pp Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/manifests/mod/proxy_html.pp Sun Dec 29 11:00:05 2019 -0500 @@ -1,10 +1,11 @@ class apache::mod::proxy_html { + include ::apache Class['::apache::mod::proxy'] -> Class['::apache::mod::proxy_html'] Class['::apache::mod::proxy_http'] -> Class['::apache::mod::proxy_html'] # Add libxml2 case $::osfamily { - /RedHat|FreeBSD/: { + /RedHat|FreeBSD|Gentoo/: { ::apache::mod { 'xml2enc': } $loadfiles = undef } @@ -18,6 +19,9 @@ '10' => ['/usr/lib/libxml2.so.2'], default => ["/usr/lib/${gnu_path}-linux-gnu/libxml2.so.2"], } + if versioncmp($::apache::apache_version, '2.4') >= 0 { + ::apache::mod { 'xml2enc': } + } } } @@ -29,6 +33,7 @@ file { 'proxy_html.conf': ensure => file, path => "${::apache::mod_dir}/proxy_html.conf", + mode => $::apache::file_mode, content => template('apache/mod/proxy_html.conf.erb'), require => Exec["mkdir ${::apache::mod_dir}"], before => File[$::apache::mod_dir],
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/manifests/mod/proxy_wstunnel.pp Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,5 @@ +class apache::mod::proxy_wstunnel { + include ::apache, ::apache::mod::proxy + Class['::apache::mod::proxy'] -> Class['::apache::mod::proxy_wstunnel'] + ::apache::mod { 'proxy_wstunnel': } +}
--- a/modules/apache/manifests/mod/python.pp Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/manifests/mod/python.pp Sun Dec 29 11:00:05 2019 -0500 @@ -1,4 +1,5 @@ class apache::mod::python { + include ::apache ::apache::mod { 'python': } }
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/manifests/mod/remoteip.pp Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,30 @@ +class apache::mod::remoteip ( + $header = 'X-Forwarded-For', + $proxy_ips = [ '127.0.0.1' ], + $proxies_header = undef, + $trusted_proxy_ips = undef, + $apache_version = undef, +) { + include ::apache + $_apache_version = pick($apache_version, $apache::apache_version) + if versioncmp($_apache_version, '2.4') < 0 { + fail('mod_remoteip is only available in Apache 2.4') + } + + ::apache::mod { 'remoteip': } + + # Template uses: + # - $header + # - $proxy_ips + # - $proxies_header + # - $trusted_proxy_ips + file { 'remoteip.conf': + ensure => file, + path => "${::apache::mod_dir}/remoteip.conf", + mode => $::apache::file_mode, + content => template('apache/mod/remoteip.conf.erb'), + require => Exec["mkdir ${::apache::mod_dir}"], + before => File[$::apache::mod_dir], + notify => Service['httpd'], + } +}
--- a/modules/apache/manifests/mod/reqtimeout.pp Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/manifests/mod/reqtimeout.pp Sun Dec 29 11:00:05 2019 -0500 @@ -1,6 +1,7 @@ class apache::mod::reqtimeout ( $timeouts = ['header=20-40,minrate=500', 'body=10,minrate=500'] ){ + include ::apache ::apache::mod { 'reqtimeout': } # Template uses no variables file { 'reqtimeout.conf':
--- a/modules/apache/manifests/mod/rpaf.pp Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/manifests/mod/rpaf.pp Sun Dec 29 11:00:05 2019 -0500 @@ -1,8 +1,10 @@ class apache::mod::rpaf ( $sethostname = true, $proxy_ips = [ '127.0.0.1' ], - $header = 'X-Forwarded-For' + $header = 'X-Forwarded-For', + $template = 'apache/mod/rpaf.conf.erb' ) { + include ::apache ::apache::mod { 'rpaf': } # Template uses: @@ -12,7 +14,8 @@ file { 'rpaf.conf': ensure => file, path => "${::apache::mod_dir}/rpaf.conf", - content => template('apache/mod/rpaf.conf.erb'), + mode => $::apache::file_mode, + content => template($template), require => Exec["mkdir ${::apache::mod_dir}"], before => File[$::apache::mod_dir], notify => Class['apache::service'],
--- a/modules/apache/manifests/mod/security.pp Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/manifests/mod/security.pp Sun Dec 29 11:00:05 2019 -0500 @@ -1,22 +1,51 @@ class apache::mod::security ( - $crs_package = $::apache::params::modsec_crs_package, - $activated_rules = $::apache::params::modsec_default_rules, - $modsec_dir = $::apache::params::modsec_dir, - $allowed_methods = 'GET HEAD POST OPTIONS', - $content_types = 'application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf', - $restricted_extensions = '.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/', - $restricted_headers = '/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/', -){ + $logroot = $::apache::params::logroot, + $crs_package = $::apache::params::modsec_crs_package, + $activated_rules = $::apache::params::modsec_default_rules, + $modsec_dir = $::apache::params::modsec_dir, + $modsec_secruleengine = $::apache::params::modsec_secruleengine, + $audit_log_relevant_status = '^(?:5|4(?!04))', + $audit_log_parts = $::apache::params::modsec_audit_log_parts, + $secpcrematchlimit = $::apache::params::secpcrematchlimit, + $secpcrematchlimitrecursion = $::apache::params::secpcrematchlimitrecursion, + $allowed_methods = 'GET HEAD POST OPTIONS', + $content_types = 'application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf', + $restricted_extensions = '.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/', + $restricted_headers = '/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/', + $secdefaultaction = 'deny', + $anomaly_score_blocking = 'off', + $inbound_anomaly_threshold = '5', + $outbound_anomaly_threshold = '4', + $critical_anomaly_score = '5', + $error_anomaly_score = '4', + $warning_anomaly_score = '3', + $notice_anomaly_score = '2', + $secrequestmaxnumargs = '255', + $secrequestbodylimit = '13107200', + $secrequestbodynofileslimit = '131072', + $secrequestbodyinmemorylimit = '131072', +) inherits ::apache::params { + include ::apache + + $_secdefaultaction = $secdefaultaction ? { + /log/ => $secdefaultaction, # it has log or nolog,auditlog or log,noauditlog + default => "${secdefaultaction},log", + } if $::osfamily == 'FreeBSD' { fail('FreeBSD is not currently supported') } + if ($::osfamily == 'Suse' and $::operatingsystemrelease < '11') { + fail('SLES 10 is not currently supported.') + } + ::apache::mod { 'security': id => 'security2_module', lib => 'mod_security2.so', } + ::apache::mod { 'unique_id_module': id => 'unique_id_module', lib => 'mod_unique_id.so', @@ -25,15 +54,26 @@ if $crs_package { package { $crs_package: ensure => 'latest', - before => File['security.conf'], + before => [ + File[$::apache::confd_dir], + File[$modsec_dir], + ], } } # Template uses: + # - logroot # - $modsec_dir + # - $audit_log_parts + # - secpcrematchlimit + # - secpcrematchlimitrecursion + # - secrequestbodylimit + # - secrequestbodynofileslimit + # - secrequestbodyinmemorylimit file { 'security.conf': ensure => file, content => template('apache/mod/security.conf.erb'), + mode => $::apache::file_mode, path => "${::apache::mod_dir}/security.conf", owner => $::apache::params::user, group => $::apache::params::group, @@ -44,12 +84,13 @@ file { $modsec_dir: ensure => directory, - owner => $::apache::params::user, - group => $::apache::params::group, - mode => '0555', + owner => 'root', + group => 'root', + mode => '0755', purge => true, force => true, recurse => true, + require => Package['httpd'], } file { "${modsec_dir}/activated_rules": @@ -63,6 +104,20 @@ notify => Class['apache::service'], } + # Template uses: + # - $_secdefaultaction + # - $critical_anomaly_score + # - $error_anomaly_score + # - $warning_anomaly_score + # - $notice_anomaly_score + # - $inbound_anomaly_threshold + # - $outbound_anomaly_threshold + # - $anomaly_score_blocking + # - $allowed_methods + # - $content_types + # - $restricted_extensions + # - $restricted_headers + # - $secrequestmaxnumargs file { "${modsec_dir}/security_crs.conf": ensure => file, content => template('apache/mod/security_crs.conf.erb'), @@ -70,6 +125,6 @@ notify => Class['apache::service'], } - apache::security::rule_link { $activated_rules: } + unless $::operatingsystem == 'SLES' { apache::security::rule_link { $activated_rules: } } }
--- a/modules/apache/manifests/mod/setenvif.pp Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/manifests/mod/setenvif.pp Sun Dec 29 11:00:05 2019 -0500 @@ -1,9 +1,11 @@ class apache::mod::setenvif { + include ::apache ::apache::mod { 'setenvif': } # Template uses no variables file { 'setenvif.conf': ensure => file, path => "${::apache::mod_dir}/setenvif.conf", + mode => $::apache::file_mode, content => template('apache/mod/setenvif.conf.erb'), require => Exec["mkdir ${::apache::mod_dir}"], before => File[$::apache::mod_dir],
--- a/modules/apache/manifests/mod/shib.pp Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/manifests/mod/shib.pp Sun Dec 29 11:00:05 2019 -0500 @@ -1,7 +1,10 @@ class apache::mod::shib ( $suppress_warning = false, + $mod_full_path = undef, + $package_name = undef, + $mod_lib = undef, ) { - + include ::apache if $::osfamily == 'RedHat' and ! $suppress_warning { warning('RedHat distributions do not have Apache mod_shib in their default package repositories.') } @@ -9,7 +12,9 @@ $mod_shib = 'shib2' apache::mod {$mod_shib: - id => 'mod_shib', + id => 'mod_shib', + path => $mod_full_path, + package => $package_name, + lib => $mod_lib, } - -} \ No newline at end of file +}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/manifests/mod/socache_shmcb.pp Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,3 @@ +class apache::mod::socache_shmcb { + ::apache::mod { 'socache_shmcb': } +} \ No newline at end of file
--- a/modules/apache/manifests/mod/speling.pp Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/manifests/mod/speling.pp Sun Dec 29 11:00:05 2019 -0500 @@ -1,3 +1,4 @@ class apache::mod::speling { + include ::apache ::apache::mod { 'speling': } }
--- a/modules/apache/manifests/mod/ssl.pp Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/manifests/mod/ssl.pp Sun Dec 29 11:00:05 2019 -0500 @@ -1,59 +1,126 @@ class apache::mod::ssl ( - $ssl_compression = false, - $ssl_options = [ 'StdEnvVars' ], - $ssl_cipher = 'HIGH:MEDIUM:!aNULL:!MD5', - $ssl_protocol = [ 'all', '-SSLv2', '-SSLv3' ], - $ssl_pass_phrase_dialog = 'builtin', - $ssl_random_seed_bytes = '512', - $apache_version = $::apache::apache_version, - $package_name = undef, + $ssl_compression = false, + $ssl_cryptodevice = 'builtin', + $ssl_options = [ 'StdEnvVars' ], + $ssl_openssl_conf_cmd = undef, + $ssl_cipher = 'HIGH:MEDIUM:!aNULL:!MD5:!RC4', + $ssl_honorcipherorder = true, + $ssl_protocol = [ 'all', '-SSLv2', '-SSLv3' ], + $ssl_pass_phrase_dialog = 'builtin', + $ssl_random_seed_bytes = '512', + $ssl_sessioncachetimeout = '300', + $ssl_stapling = false, + $ssl_stapling_return_errors = undef, + $ssl_mutex = undef, + $apache_version = undef, + $package_name = undef, ) { + include ::apache + include ::apache::mod::mime + $_apache_version = pick($apache_version, $apache::apache_version) + if $ssl_mutex { + $_ssl_mutex = $ssl_mutex + } else { + case $::osfamily { + 'debian': { + if versioncmp($_apache_version, '2.4') >= 0 { + $_ssl_mutex = 'default' + } elsif $::operatingsystem == 'Ubuntu' and $::operatingsystemrelease == '10.04' { + $_ssl_mutex = 'file:/var/run/apache2/ssl_mutex' + } else { + $_ssl_mutex = "file:\${APACHE_RUN_DIR}/ssl_mutex" + } + } + 'redhat': { + $_ssl_mutex = 'default' + } + 'freebsd': { + $_ssl_mutex = 'default' + } + 'gentoo': { + $_ssl_mutex = 'default' + } + 'Suse': { + $_ssl_mutex = 'default' + } + default: { + fail("Unsupported osfamily ${::osfamily}, please explicitly pass in \$ssl_mutex") + } + } + } + + validate_bool($ssl_compression) + + if is_bool($ssl_honorcipherorder) { + $_ssl_honorcipherorder = $ssl_honorcipherorder + } else { + $_ssl_honorcipherorder = $ssl_honorcipherorder ? { + 'on' => true, + 'off' => false, + default => true, + } + } + $session_cache = $::osfamily ? { 'debian' => "\${APACHE_RUN_DIR}/ssl_scache(512000)", 'redhat' => '/var/cache/mod_ssl/scache(512000)', 'freebsd' => '/var/run/ssl_scache(512000)', + 'gentoo' => '/var/run/ssl_scache(512000)', + 'Suse' => '/var/lib/apache2/ssl_scache(512000)' + } + + validate_bool($ssl_stapling) + + if $ssl_stapling_return_errors != undef { + validate_bool($ssl_stapling_return_errors) } - case $::osfamily { - 'debian': { - if versioncmp($apache_version, '2.4') >= 0 { - $ssl_mutex = 'default' - } elsif $::operatingsystem == 'Ubuntu' and $::operatingsystemrelease == '10.04' { - $ssl_mutex = 'file:/var/run/apache2/ssl_mutex' - } else { - $ssl_mutex = "file:\${APACHE_RUN_DIR}/ssl_mutex" - } + $stapling_cache = $::osfamily ? { + 'debian' => "\${APACHE_RUN_DIR}/ocsp(32768)", + 'redhat' => '/run/httpd/ssl_stapling(32768)', + 'freebsd' => '/var/run/ssl_stapling(32768)', + 'gentoo' => '/var/run/ssl_stapling(32768)', + 'Suse' => '/var/lib/apache2/ssl_stapling(32768)', + } + + if $::osfamily == 'Suse' { + if defined(Class['::apache::mod::worker']){ + $suse_path = '/usr/lib64/apache2-worker' + } else { + $suse_path = '/usr/lib64/apache2-worker' } - 'redhat': { - $ssl_mutex = 'default' + ::apache::mod { 'ssl': + package => $package_name, + lib_path => $suse_path, } - 'freebsd': { - $ssl_mutex = 'default' - } - default: { - fail("Unsupported osfamily ${::osfamily}") + } else { + ::apache::mod { 'ssl': + package => $package_name, } } - ::apache::mod { 'ssl': - package => $package_name, - } - - if versioncmp($apache_version, '2.4') >= 0 { - ::apache::mod { 'socache_shmcb': } + if versioncmp($_apache_version, '2.4') >= 0 { + include ::apache::mod::socache_shmcb } # Template uses # # $ssl_compression + # $ssl_cryptodevice + # $ssl_cipher + # $ssl_honorcipherorder # $ssl_options - # $session_cache, + # $ssl_openssl_conf_cmd + # $session_cache + # $stapling_cache # $ssl_mutex - # $apache_version - # + # $ssl_random_seed_bytes + # $ssl_sessioncachetimeout + # $_apache_version file { 'ssl.conf': ensure => file, - path => "${::apache::mod_dir}/ssl.conf", + path => $::apache::ssl_file, + mode => $::apache::file_mode, content => template('apache/mod/ssl.conf.erb'), require => Exec["mkdir ${::apache::mod_dir}"], before => File[$::apache::mod_dir],
--- a/modules/apache/manifests/mod/status.pp Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/manifests/mod/status.pp Sun Dec 29 11:00:05 2019 -0500 @@ -11,7 +11,7 @@ # values are 'On' or 'Off'. Defaults to 'On'. # - $status_path is the path assigned to the Location directive which # defines the URL to access the server status. Defaults to '/server-status'. -# +# # Actions: # - Enable and configure Apache mod_status # @@ -28,16 +28,19 @@ class apache::mod::status ( $allow_from = ['127.0.0.1','::1'], $extended_status = 'On', - $apache_version = $::apache::apache_version, + $apache_version = undef, $status_path = '/server-status', -){ +) inherits ::apache::params { + include ::apache + $_apache_version = pick($apache_version, $apache::apache_version) validate_array($allow_from) validate_re(downcase($extended_status), '^(on|off)$', "${extended_status} is not supported for extended_status. Allowed values are 'On' and 'Off'.") ::apache::mod { 'status': } - # Template uses $allow_from, $extended_status, $apache_version, $status_path + # Template uses $allow_from, $extended_status, $_apache_version, $status_path file { 'status.conf': ensure => file, path => "${::apache::mod_dir}/status.conf", + mode => $::apache::file_mode, content => template('apache/mod/status.conf.erb'), require => Exec["mkdir ${::apache::mod_dir}"], before => File[$::apache::mod_dir],
--- a/modules/apache/manifests/mod/suphp.pp Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/manifests/mod/suphp.pp Sun Dec 29 11:00:05 2019 -0500 @@ -1,10 +1,12 @@ class apache::mod::suphp ( ){ + include ::apache ::apache::mod { 'suphp': } file {'suphp.conf': ensure => file, path => "${::apache::mod_dir}/suphp.conf", + mode => $::apache::file_mode, content => template('apache/mod/suphp.conf.erb'), require => Exec["mkdir ${::apache::mod_dir}"], before => File[$::apache::mod_dir],
--- a/modules/apache/manifests/mod/userdir.pp Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/manifests/mod/userdir.pp Sun Dec 29 11:00:05 2019 -0500 @@ -2,14 +2,19 @@ $home = '/home', $dir = 'public_html', $disable_root = true, - $apache_version = $::apache::apache_version, + $apache_version = undef, + $options = [ 'MultiViews', 'Indexes', 'SymLinksIfOwnerMatch', 'IncludesNoExec' ], ) { + include ::apache + $_apache_version = pick($apache_version, $apache::apache_version) + ::apache::mod { 'userdir': } - # Template uses $home, $dir, $disable_root, $apache_version + # Template uses $home, $dir, $disable_root, $_apache_version file { 'userdir.conf': ensure => file, path => "${::apache::mod_dir}/userdir.conf", + mode => $::apache::file_mode, content => template('apache/mod/userdir.conf.erb'), require => Exec["mkdir ${::apache::mod_dir}"], before => File[$::apache::mod_dir],
--- a/modules/apache/manifests/mod/worker.pp Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/manifests/mod/worker.pp Sun Dec 29 11:00:05 2019 -0500 @@ -1,3 +1,57 @@ +# == Class: apache::mod::worker +# +# +# === Parameters +# +# [*startservers*] +# (optional) The number of child server processes created on startup +# Defaults is '2' +# +# [*maxclients*] +# (optional) The max number of simultaneous requests that will be served. +# This is the old name and is still supported. The new name is +# MaxRequestWorkers as of 2.3.13. +# Default is '150' +# +# [*minsparethreads*] +# (optional) Minimum number of idle threads to handle request spikes. +# Default is '25' +# +# [*maxsparethreads*] +# (optional) Maximum number of idle threads. +# Default is '75' +# +# [*threadsperchild*] +# (optional) The number of threads created by each child process. +# Default is '25' +# +# [*maxrequestsperchild*] +# (optional) Limit on the number of connectiojns an individual child server +# process will handle. This is the old name and is still supported. The new +# name is MaxConnectionsPerChild as of 2.3.9+. +# Default is '0' +# +# [*serverlimit*] +# (optional) With worker, use this directive only if your MaxRequestWorkers +# and ThreadsPerChild settings require more than 16 server processes +# (default). Do not set the value of this directive any higher than the +# number of server processes required by what you may want for +# MaxRequestWorkers and ThreadsPerChild. +# Default is '25' +# +# [*threadlimit*] +# (optional) This directive sets the maximum configured value for +# ThreadsPerChild for the lifetime of the Apache httpd process. +# Default is '64' +# +# [*listenbacklog*] +# (optional) Maximum length of the queue of pending connections. +# Defaults is '511' +# +# [*apache_version*] +# (optional) +# Default is $::apache::apache_version +# class apache::mod::worker ( $startservers = '2', $maxclients = '150', @@ -7,8 +61,12 @@ $maxrequestsperchild = '0', $serverlimit = '25', $threadlimit = '64', - $apache_version = $::apache::apache_version, + $listenbacklog = '511', + $apache_version = undef, ) { + include ::apache + $_apache_version = pick($apache_version, $apache::apache_version) + if defined(Class['apache::mod::event']) { fail('May not include both apache::mod::worker and apache::mod::event on the same node') } @@ -24,7 +82,7 @@ File { owner => 'root', group => $::apache::params::root_group, - mode => '0644', + mode => $::apache::file_mode, } # Template uses: @@ -36,6 +94,7 @@ # - $maxrequestsperchild # - $serverlimit # - $threadLimit + # - $listenbacklog file { "${::apache::mod_dir}/worker.conf": ensure => file, content => template('apache/mod/worker.conf.erb'), @@ -46,9 +105,10 @@ case $::osfamily { 'redhat': { - if versioncmp($apache_version, '2.4') >= 0 { + + if versioncmp($_apache_version, '2.4') >= 0 { ::apache::mpm{ 'worker': - apache_version => $apache_version, + apache_version => $_apache_version, } } else { @@ -62,9 +122,22 @@ } } } + 'debian', 'freebsd': { ::apache::mpm{ 'worker': + apache_version => $_apache_version, + } + } + 'Suse': { + ::apache::mpm { 'worker': apache_version => $apache_version, + lib_path => '/usr/lib64/apache2-worker', + } + } + + 'gentoo': { + ::portage::makeconf { 'apache2_mpms': + content => 'worker', } } default: {
--- a/modules/apache/manifests/mod/wsgi.pp Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/manifests/mod/wsgi.pp Sun Dec 29 11:00:05 2019 -0500 @@ -4,8 +4,8 @@ $wsgi_python_home = undef, $package_name = undef, $mod_path = undef, -){ - +) inherits ::apache::params { + include ::apache if ($package_name != undef and $mod_path == undef) or ($package_name == undef and $mod_path != undef) { fail('apache::mod::wsgi - both package_name and mod_path must be specified!') } @@ -14,7 +14,7 @@ if $mod_path =~ /\// { $_mod_path = $mod_path } else { - $_mod_path = "${::apache::params::lib_path}/${mod_path}" + $_mod_path = "${::apache::lib_path}/${mod_path}" } ::apache::mod { 'wsgi': package => $package_name, @@ -32,6 +32,7 @@ file {'wsgi.conf': ensure => file, path => "${::apache::mod_dir}/wsgi.conf", + mode => $::apache::file_mode, content => template('apache/mod/wsgi.conf.erb'), require => Exec["mkdir ${::apache::mod_dir}"], before => File[$::apache::mod_dir],
--- a/modules/apache/manifests/mpm.pp Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/manifests/mpm.pp Sun Dec 29 11:00:05 2019 -0500 @@ -1,5 +1,5 @@ define apache::mpm ( - $lib_path = $::apache::params::lib_path, + $lib_path = $::apache::lib_path, $apache_version = $::apache::apache_version, ) { if ! defined(Class['apache']) { @@ -13,22 +13,36 @@ $_path = "${lib_path}/${_lib}" $_id = "mpm_${mpm}_module" - if versioncmp($apache_version, '2.4') >= 0 and - (($::osfamily != 'FreeBSD') or - ($::osfamily == 'FreeBSD' and $mpm == 'itk')) { - - file { "${mod_dir}/${mpm}.load": - ensure => file, - path => "${mod_dir}/${mpm}.load", - content => "LoadModule ${_id} ${_path}\n", - require => [ - Package['httpd'], - Exec["mkdir ${mod_dir}"], - ], - before => File[$mod_dir], - notify => Class['apache::service'], + if $::osfamily == 'Suse' { + #mpms on Suse 12 don't use .so libraries so create a placeholder load file + if versioncmp($apache_version, '2.4') >= 0 { + file { "${mod_dir}/${mpm}.load": + ensure => file, + path => "${mod_dir}/${mpm}.load", + content => '', + require => [ + Package['httpd'], + Exec["mkdir ${mod_dir}"], + ], + before => File[$mod_dir], + notify => Class['apache::service'], + } } - } + } else { + if versioncmp($apache_version, '2.4') >= 0 { + file { "${mod_dir}/${mpm}.load": + ensure => file, + path => "${mod_dir}/${mpm}.load", + content => "LoadModule ${_id} ${_path}\n", + require => [ + Package['httpd'], + Exec["mkdir ${mod_dir}"], + ], + before => File[$mod_dir], + notify => Class['apache::service'], + } + } + } case $::osfamily { 'debian': { @@ -50,27 +64,83 @@ } if $mpm == 'itk' { - file { "${lib_path}/mod_mpm_itk.so": - ensure => link, - target => "${lib_path}/mpm_itk.so" - } + file { "${lib_path}/mod_mpm_itk.so": + ensure => link, + target => "${lib_path}/mpm_itk.so", + require => Package['httpd'], + before => Class['apache::service'], + } } } - if versioncmp($apache_version, '2.4') < 0 { - package { "apache2-mpm-${mpm}": + if $mpm == 'itk' and $::operatingsystem == 'Ubuntu' and $::operatingsystemrelease == '14.04' { + # workaround https://bugs.launchpad.net/ubuntu/+source/mpm-itk/+bug/1286882 + exec { + '/usr/sbin/a2dismod mpm_event': + onlyif => '/usr/bin/test -e /etc/apache2/mods-enabled/mpm_event.load', + require => Package['httpd'], + before => Package['apache2-mpm-itk'], + } + } + + if $mpm == 'itk' and $::operatingsystem == 'Ubuntu' and $::operatingsystemrelease == '16.04' { + $packagename = 'libapache2-mpm-itk' + } else { + $packagename = "apache2-mpm-${mpm}" + } + + if versioncmp($apache_version, '2.4') < 0 or $mpm == 'itk' { + package { $packagename: ensure => present, } + if $::apache::mod_enable_dir { + Package[$packagename] { + before => File[$::apache::mod_enable_dir], + } + } } } 'freebsd': { class { '::apache::package': - mpm_module => $mpm + mpm_module => $mpm, } } + 'gentoo': { + # so we don't fail + } 'redhat': { # so we don't fail } + 'Suse': { + file { "${::apache::mod_enable_dir}/${mpm}.conf": + ensure => link, + target => "${::apache::mod_dir}/${mpm}.conf", + require => Exec["mkdir ${::apache::mod_enable_dir}"], + before => File[$::apache::mod_enable_dir], + notify => Class['apache::service'], + } + + if versioncmp($apache_version, '2.4') >= 0 { + file { "${::apache::mod_enable_dir}/${mpm}.load": + ensure => link, + target => "${::apache::mod_dir}/${mpm}.load", + require => Exec["mkdir ${::apache::mod_enable_dir}"], + before => File[$::apache::mod_enable_dir], + notify => Class['apache::service'], + } + + if $mpm == 'itk' { + file { "${lib_path}/mod_mpm_itk.so": + ensure => link, + target => "${lib_path}/mpm_itk.so", + } + } + } + + package { "apache2-${mpm}": + ensure => present, + } + } default: { fail("Unsupported osfamily ${::osfamily}") }
--- a/modules/apache/manifests/namevirtualhost.pp Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/manifests/namevirtualhost.pp Sun Dec 29 11:00:05 2019 -0500 @@ -3,7 +3,6 @@ # Template uses: $addr_port concat::fragment { "NameVirtualHost ${addr_port}": - ensure => present, target => $::apache::ports_file, content => template('apache/namevirtualhost.erb'), }
--- a/modules/apache/manifests/package.pp Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/manifests/package.pp Sun Dec 29 11:00:05 2019 -0500 @@ -2,58 +2,36 @@ $ensure = 'present', $mpm_module = $::apache::params::mpm_module, ) inherits ::apache::params { + + # The base class must be included first because it is used by parameter defaults + if ! defined(Class['apache']) { + fail('You must include the apache base class before using any apache defined resources') + } + case $::osfamily { 'FreeBSD': { case $mpm_module { 'prefork': { - $set = 'MPM_PREFORK' - $unset = 'MPM_WORKER MPM_EVENT' } 'worker': { - $set = 'MPM_WORKER' - $unset = 'MPM_PERFORK MPM_EVENT' } 'event': { - $set = 'MPM_EVENT' - $unset = 'MPM_PERFORK MPM_WORKER' } 'itk': { - $set = undef - $unset = undef package { 'www/mod_mpm_itk': ensure => installed, } } default: { fail("MPM module ${mpm_module} not supported on FreeBSD") } } - - # Configure ports to have apache build options set correctly - if $set { - file_line { 'apache SET options in /etc/make.conf': - ensure => $ensure, - path => '/etc/make.conf', - line => "apache24_SET_FORCE=${set}", - match => '^apache24_SET_FORCE=.*', - before => Package['httpd'], - } - file_line { 'apache UNSET options in /etc/make.conf': - ensure => $ensure, - path => '/etc/make.conf', - line => "apache24_UNSET_FORCE=${unset}", - match => '^apache24_UNSET_FORCE=.*', - before => Package['httpd'], - } - } - $apache_package = $::apache::params::apache_name } default: { - $apache_package = $::apache::params::apache_name } } package { 'httpd': ensure => $ensure, - name => $apache_package, + name => $::apache::apache_name, notify => Class['Apache::Service'], } }
--- a/modules/apache/manifests/params.pp Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/manifests/params.pp Sun Dec 29 11:00:05 2019 -0500 @@ -29,12 +29,37 @@ $log_level = 'warn' $use_optional_includes = false - if $::operatingsystem == 'Ubuntu' and $::lsbdistrelease == '10.04' { + # Default mime types settings + $mime_types_additional = { + 'AddHandler' => { 'type-map' => 'var', }, + 'AddType' => { 'text/html' => '.shtml', }, + 'AddOutputFilter' => { 'INCLUDES' => '.shtml', }, + } + + # should we use systemd module? + $use_systemd = true + + # Default mode for files + $file_mode = '0644' + + # Default options for / directory + $root_directory_options = ['FollowSymLinks'] + + $vhost_include_pattern = '*' + + $modsec_audit_log_parts = 'ABIJDEFHZ' + + # no client certs should be trusted for auth by default. + $ssl_certs_dir = undef + + if ($::operatingsystem == 'Ubuntu' and $::lsbdistrelease == '10.04') or ($::operatingsystem == 'SLES') { $verify_command = '/usr/sbin/apache2ctl -t' + } elsif $::operatingsystem == 'FreeBSD' { + $verify_command = '/usr/local/sbin/apachectl -t' } else { $verify_command = '/usr/sbin/apachectl -t' } - if $::osfamily == 'RedHat' or $::operatingsystem == 'amazon' { + if $::osfamily == 'RedHat' or $::operatingsystem =~ /^[Aa]mazon$/ { $user = 'apache' $group = 'apache' $root_group = 'root' @@ -44,12 +69,17 @@ $server_root = '/etc/httpd' $conf_dir = "${httpd_dir}/conf" $confd_dir = "${httpd_dir}/conf.d" - $mod_dir = "${httpd_dir}/conf.d" + $mod_dir = $::apache::version::distrelease ? { + '7' => "${httpd_dir}/conf.modules.d", + default => "${httpd_dir}/conf.d", + } $mod_enable_dir = undef $vhost_dir = "${httpd_dir}/conf.d" $vhost_enable_dir = undef $conf_file = 'httpd.conf' + $ssl_file = "${confd_dir}/ssl.conf" $ports_file = "${conf_dir}/ports.conf" + $pidfile = 'run/httpd.pid' $logroot = '/var/log/httpd' $logroot_mode = undef $lib_path = 'modules' @@ -57,7 +87,6 @@ $dev_packages = 'httpd-devel' $default_ssl_cert = '/etc/pki/tls/certs/localhost.crt' $default_ssl_key = '/etc/pki/tls/private/localhost.key' - $ssl_certs_dir = '/etc/pki/tls/certs' $passenger_conf_file = 'passenger_extra.conf' $passenger_conf_package_file = 'passenger.conf' $passenger_root = undef @@ -66,27 +95,41 @@ $suphp_addhandler = 'php5-script' $suphp_engine = 'off' $suphp_configpath = undef - # NOTE: The module for Shibboleth is not available to RH/CentOS without an additional repository. http://wiki.aaf.edu.au/tech-info/sp-install-guide - # NOTE: The auth_cas module isn't available to RH/CentOS without enabling EPEL. + $php_version = '5' $mod_packages = { + # NOTE: The auth_cas module isn't available on RH/CentOS without providing dependency packages provided by EPEL. 'auth_cas' => 'mod_auth_cas', 'auth_kerb' => 'mod_auth_kerb', + 'auth_mellon' => 'mod_auth_mellon', 'authnz_ldap' => $::apache::version::distrelease ? { '7' => 'mod_ldap', default => 'mod_authz_ldap', }, 'fastcgi' => 'mod_fastcgi', 'fcgid' => 'mod_fcgid', + 'geoip' => 'mod_geoip', + 'ldap' => $::apache::version::distrelease ? { + '7' => 'mod_ldap', + default => undef, + }, 'pagespeed' => 'mod-pagespeed-stable', + # NOTE: The passenger module isn't available on RH/CentOS without + # providing dependency packages provided by EPEL and passenger + # repositories. See + # https://www.phusionpassenger.com/library/install/apache/install/oss/el7/ 'passenger' => 'mod_passenger', 'perl' => 'mod_perl', 'php5' => $::apache::version::distrelease ? { '5' => 'php53', default => 'php', }, + 'phpXXX' => 'php', 'proxy_html' => 'mod_proxy_html', 'python' => 'mod_python', 'security' => 'mod_security', + # NOTE: The module for Shibboleth is not available on RH/CentOS without + # providing dependency packages provided by Shibboleth's repositories. + # See http://wiki.aaf.edu.au/tech-info/sp-install-guide 'shibboleth' => 'shibboleth', 'ssl' => 'mod_ssl', 'wsgi' => 'mod_wsgi', @@ -97,8 +140,7 @@ 'shib2' => 'shibboleth', } $mod_libs = { - 'php5' => 'libphp5.so', - 'nss' => 'libmodnss.so', + 'nss' => 'libmodnss.so', } $conf_template = 'apache/httpd.conf.erb' $keepalive = 'Off' @@ -108,6 +150,10 @@ $mime_support_package = 'mailcap' $mime_types_config = '/etc/mime.types' $docroot = '/var/www/html' + $alias_icons_path = $::apache::version::distrelease ? { + '7' => '/usr/share/httpd/icons', + default => '/var/www/icons', + } $error_documents_path = $::apache::version::distrelease ? { '7' => '/usr/share/httpd/error', default => '/var/www/error' @@ -118,14 +164,19 @@ $wsgi_socket_prefix = undef } $cas_cookie_path = '/var/cache/mod_auth_cas/' + $mellon_lock_file = '/run/mod_auth_mellon/lock' + $mellon_cache_size = 100 + $mellon_post_directory = undef $modsec_crs_package = 'mod_security_crs' $modsec_crs_path = '/usr/lib/modsecurity.d' $modsec_dir = '/etc/httpd/modsecurity.d' + $secpcrematchlimit = 1500 + $secpcrematchlimitrecursion = 1500 + $modsec_secruleengine = 'On' $modsec_default_rules = [ 'base_rules/modsecurity_35_bad_robots.data', 'base_rules/modsecurity_35_scanners.data', 'base_rules/modsecurity_40_generic_attacks.data', - 'base_rules/modsecurity_41_sql_injection_attacks.data', 'base_rules/modsecurity_50_outbound.data', 'base_rules/modsecurity_50_outbound_malware.data', 'base_rules/modsecurity_crs_20_protocol_violations.conf', @@ -142,8 +193,11 @@ 'base_rules/modsecurity_crs_49_inbound_blocking.conf', 'base_rules/modsecurity_crs_50_outbound.conf', 'base_rules/modsecurity_crs_59_outbound_blocking.conf', - 'base_rules/modsecurity_crs_60_correlation.conf' + 'base_rules/modsecurity_crs_60_correlation.conf', ] + $error_log = 'error_log' + $scriptalias = '/var/www/cgi-bin' + $access_log_file = 'access_log' } elsif $::osfamily == 'Debian' { $user = 'www-data' $group = 'www-data' @@ -159,40 +213,57 @@ $vhost_dir = "${httpd_dir}/sites-available" $vhost_enable_dir = "${httpd_dir}/sites-enabled" $conf_file = 'apache2.conf' + $ssl_file = "${mod_dir}/ssl.conf" $ports_file = "${conf_dir}/ports.conf" + $pidfile = "\${APACHE_PID_FILE}" $logroot = '/var/log/apache2' $logroot_mode = undef $lib_path = '/usr/lib/apache2/modules' $mpm_module = 'worker' - $dev_packages = ['libaprutil1-dev', 'libapr1-dev', 'apache2-prefork-dev'] $default_ssl_cert = '/etc/ssl/certs/ssl-cert-snakeoil.pem' $default_ssl_key = '/etc/ssl/private/ssl-cert-snakeoil.key' - $ssl_certs_dir = '/etc/ssl/certs' $suphp_addhandler = 'x-httpd-php' $suphp_engine = 'off' $suphp_configpath = '/etc/php5/apache2' + if ($::operatingsystem == 'Ubuntu' and versioncmp($::operatingsystemrelease, '16.04') < 0) or ($::operatingsystem == 'Debian' and versioncmp($::operatingsystemrelease, '9') < 0) { + # Only the major version is used here + $php_version = '5' + } else { + # major.minor version used since Debian stretch and Ubuntu Xenial + $php_version = '7.0' + } $mod_packages = { 'auth_cas' => 'libapache2-mod-auth-cas', 'auth_kerb' => 'libapache2-mod-auth-kerb', + 'auth_mellon' => 'libapache2-mod-auth-mellon', 'dav_svn' => 'libapache2-svn', 'fastcgi' => 'libapache2-mod-fastcgi', 'fcgid' => 'libapache2-mod-fcgid', + 'geoip' => 'libapache2-mod-geoip', 'nss' => 'libapache2-mod-nss', 'pagespeed' => 'mod-pagespeed-stable', 'passenger' => 'libapache2-mod-passenger', 'perl' => 'libapache2-mod-perl2', - 'php5' => 'libapache2-mod-php5', + 'phpXXX' => 'libapache2-mod-phpXXX', 'proxy_html' => 'libapache2-mod-proxy-html', 'python' => 'libapache2-mod-python', 'rpaf' => 'libapache2-mod-rpaf', 'security' => 'libapache2-modsecurity', + 'shib2' => 'libapache2-mod-shib2', 'suphp' => 'libapache2-mod-suphp', 'wsgi' => 'libapache2-mod-wsgi', 'xsendfile' => 'libapache2-mod-xsendfile', - 'shib2' => 'libapache2-mod-shib2', + } + $error_log = 'error.log' + $scriptalias = '/usr/lib/cgi-bin' + $access_log_file = 'access.log' + if $::osfamily == 'Debian' and versioncmp($::operatingsystemrelease, '8') < 0 { + $shib2_lib = 'mod_shib_22.so' + } else { + $shib2_lib = 'mod_shib2.so' } $mod_libs = { - 'php5' => 'libphp5.so', + 'shib2' => $shib2_lib, } $conf_template = 'apache/httpd.conf.erb' $keepalive = 'Off' @@ -201,16 +272,25 @@ $fastcgi_lib_path = '/var/lib/apache2/fastcgi' $mime_support_package = 'mime-support' $mime_types_config = '/etc/mime.types' - $docroot = '/var/www' + if ($::operatingsystem == 'Ubuntu' and versioncmp($::operatingsystemrelease, '13.10') >= 0) or ($::operatingsystem == 'Debian' and versioncmp($::operatingsystemrelease, '8') >= 0) { + $docroot = '/var/www/html' + } else { + $docroot = '/var/www' + } $cas_cookie_path = '/var/cache/apache2/mod_auth_cas/' + $mellon_lock_file = undef + $mellon_cache_size = undef + $mellon_post_directory = '/var/cache/apache2/mod_auth_mellon/' $modsec_crs_package = 'modsecurity-crs' $modsec_crs_path = '/usr/share/modsecurity-crs' $modsec_dir = '/etc/modsecurity' + $secpcrematchlimit = 1500 + $secpcrematchlimitrecursion = 1500 + $modsec_secruleengine = 'On' $modsec_default_rules = [ 'base_rules/modsecurity_35_bad_robots.data', 'base_rules/modsecurity_35_scanners.data', 'base_rules/modsecurity_40_generic_attacks.data', - 'base_rules/modsecurity_41_sql_injection_attacks.data', 'base_rules/modsecurity_50_outbound.data', 'base_rules/modsecurity_50_outbound_malware.data', 'base_rules/modsecurity_crs_20_protocol_violations.conf', @@ -227,9 +307,15 @@ 'base_rules/modsecurity_crs_49_inbound_blocking.conf', 'base_rules/modsecurity_crs_50_outbound.conf', 'base_rules/modsecurity_crs_59_outbound_blocking.conf', - 'base_rules/modsecurity_crs_60_correlation.conf' + 'base_rules/modsecurity_crs_60_correlation.conf', ] + $alias_icons_path = '/usr/share/apache2/icons' $error_documents_path = '/usr/share/apache2/error' + if ($::operatingsystem == 'Ubuntu' and versioncmp($::operatingsystemrelease, '13.10') >= 0) or ($::operatingsystem == 'Debian' and versioncmp($::operatingsystemrelease, '8') >= 0) { + $dev_packages = ['libaprutil1-dev', 'libapr1-dev', 'apache2-dev'] + } else { + $dev_packages = ['libaprutil1-dev', 'libapr1-dev', 'apache2-prefork-dev'] + } # # Passenger-specific settings @@ -238,49 +324,14 @@ $passenger_conf_file = 'passenger.conf' $passenger_conf_package_file = undef - case $::operatingsystem { - 'Ubuntu': { - case $::lsbdistrelease { - '12.04': { - $passenger_root = '/usr' - $passenger_ruby = '/usr/bin/ruby' - $passenger_default_ruby = undef - } - '14.04': { - $passenger_root = '/usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini' - $passenger_ruby = undef - $passenger_default_ruby = '/usr/bin/ruby' - } - default: { - # The following settings may or may not work on Ubuntu releases not - # supported by this module. - $passenger_root = '/usr' - $passenger_ruby = '/usr/bin/ruby' - $passenger_default_ruby = undef - } - } - } - 'Debian': { - case $::lsbdistcodename { - 'wheezy': { - $passenger_root = '/usr' - $passenger_ruby = '/usr/bin/ruby' - $passenger_default_ruby = undef - } - 'jessie': { - $passenger_root = '/usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini' - $passenger_ruby = undef - $passenger_default_ruby = '/usr/bin/ruby' - } - default: { - # The following settings may or may not work on Debian releases not - # supported by this module. - $passenger_root = '/usr' - $passenger_ruby = '/usr/bin/ruby' - $passenger_default_ruby = undef - } - } - } + if ($::operatingsystem == 'Ubuntu' and versioncmp($::operatingsystemrelease, '14.04') < 0) or ($::operatingsystem == 'Debian' and versioncmp($::operatingsystemrelease, '8') < 0) { + $passenger_root = '/usr' + $passenger_ruby = '/usr/bin/ruby' + $passenger_default_ruby = undef + } else { + $passenger_root = '/usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini' + $passenger_ruby = undef + $passenger_default_ruby = '/usr/bin/ruby' } $wsgi_socket_prefix = undef } elsif $::osfamily == 'FreeBSD' { @@ -298,7 +349,9 @@ $vhost_dir = "${httpd_dir}/Vhosts" $vhost_enable_dir = undef $conf_file = 'httpd.conf' + $ssl_file = "${mod_dir}/ssl.conf" $ports_file = "${conf_dir}/ports.conf" + $pidfile = '/var/run/httpd.pid' $logroot = '/var/log/apache24' $logroot_mode = undef $lib_path = '/usr/local/libexec/apache24' @@ -306,15 +359,15 @@ $dev_packages = undef $default_ssl_cert = '/usr/local/etc/apache24/server.crt' $default_ssl_key = '/usr/local/etc/apache24/server.key' - $ssl_certs_dir = '/usr/local/etc/apache24' $passenger_conf_file = 'passenger.conf' $passenger_conf_package_file = undef - $passenger_root = '/usr/local/lib/ruby/gems/1.9/gems/passenger-4.0.10' - $passenger_ruby = '/usr/bin/ruby' + $passenger_root = '/usr/local/lib/ruby/gems/2.0/gems/passenger-4.0.58' + $passenger_ruby = '/usr/local/bin/ruby' $passenger_default_ruby = undef $suphp_addhandler = 'php5-script' $suphp_engine = 'off' $suphp_configpath = undef + $php_version = '5' $mod_packages = { # NOTE: I list here only modules that are not included in www/apache24 # NOTE: 'passenger' needs to enable APACHE_SUPPORT in make config @@ -325,7 +378,7 @@ 'fcgid' => 'www/mod_fcgid', 'passenger' => 'www/rubygem-passenger', 'perl' => 'www/mod_perl2', - 'php5' => 'www/mod_php5', + 'phpXXX' => 'www/mod_phpXXX', 'proxy_html' => 'www/mod_proxy_html', 'python' => 'www/mod_python3', 'wsgi' => 'www/mod_wsgi', @@ -335,7 +388,6 @@ 'shib2' => 'security/shibboleth2-sp', } $mod_libs = { - 'php5' => 'libphp5.so', } $conf_template = 'apache/httpd.conf.erb' $keepalive = 'Off' @@ -346,7 +398,166 @@ $mime_types_config = '/usr/local/etc/mime.types' $wsgi_socket_prefix = undef $docroot = '/usr/local/www/apache24/data' + $alias_icons_path = '/usr/local/www/apache24/icons' $error_documents_path = '/usr/local/www/apache24/error' + $error_log = 'httpd-error.log' + $scriptalias = '/usr/local/www/apache24/cgi-bin' + $access_log_file = 'httpd-access.log' + } elsif $::osfamily == 'Gentoo' { + $user = 'apache' + $group = 'apache' + $root_group = 'wheel' + $apache_name = 'www-servers/apache' + $service_name = 'apache2' + $httpd_dir = '/etc/apache2' + $server_root = '/var/www' + $conf_dir = $httpd_dir + $confd_dir = "${httpd_dir}/conf.d" + $mod_dir = "${httpd_dir}/modules.d" + $mod_enable_dir = undef + $vhost_dir = "${httpd_dir}/vhosts.d" + $vhost_enable_dir = undef + $conf_file = 'httpd.conf' + $ssl_file = "${mod_dir}/ssl.conf" + $ports_file = "${conf_dir}/ports.conf" + $logroot = '/var/log/apache2' + $logroot_mode = undef + $lib_path = '/usr/lib/apache2/modules' + $mpm_module = 'prefork' + $dev_packages = undef + $default_ssl_cert = '/etc/ssl/apache2/server.crt' + $default_ssl_key = '/etc/ssl/apache2/server.key' + $passenger_root = '/usr' + $passenger_ruby = '/usr/bin/ruby' + $passenger_conf_file = 'passenger.conf' + $passenger_conf_package_file = undef + $passenger_default_ruby = undef + $suphp_addhandler = 'x-httpd-php' + $suphp_engine = 'off' + $suphp_configpath = '/etc/php5/apache2' + $php_version = '5' + $mod_packages = { + # NOTE: I list here only modules that are not included in www-servers/apache + 'auth_kerb' => 'www-apache/mod_auth_kerb', + 'authnz_external' => 'www-apache/mod_authnz_external', + 'fcgid' => 'www-apache/mod_fcgid', + 'passenger' => 'www-apache/passenger', + 'perl' => 'www-apache/mod_perl', + 'phpXXX' => 'dev-lang/php', + 'proxy_html' => 'www-apache/mod_proxy_html', + 'proxy_fcgi' => 'www-apache/mod_proxy_fcgi', + 'python' => 'www-apache/mod_python', + 'wsgi' => 'www-apache/mod_wsgi', + 'dav_svn' => 'dev-vcs/subversion', + 'xsendfile' => 'www-apache/mod_xsendfile', + 'rpaf' => 'www-apache/mod_rpaf', + 'xml2enc' => 'www-apache/mod_xml2enc', + } + $mod_libs = { + } + $conf_template = 'apache/httpd.conf.erb' + $keepalive = 'Off' + $keepalive_timeout = 15 + $max_keepalive_requests = 100 + $fastcgi_lib_path = undef # TODO: revisit + $mime_support_package = 'app-misc/mime-types' + $mime_types_config = '/etc/mime.types' + $wsgi_socket_prefix = undef + $docroot = '/var/www/localhost/htdocs' + $alias_icons_path = '/usr/share/apache2/icons' + $error_documents_path = '/usr/share/apache2/error' + $pidfile = '/var/run/apache2.pid' + $error_log = 'error.log' + $scriptalias = '/var/www/localhost/cgi-bin' + $access_log_file = 'access.log' + } elsif $::osfamily == 'Suse' { + $user = 'wwwrun' + $group = 'wwwrun' + $root_group = 'root' + $apache_name = 'apache2' + $service_name = 'apache2' + $httpd_dir = '/etc/apache2' + $server_root = '/etc/apache2' + $conf_dir = $httpd_dir + $confd_dir = "${httpd_dir}/conf.d" + $mod_dir = "${httpd_dir}/mods-available" + $mod_enable_dir = "${httpd_dir}/mods-enabled" + $vhost_dir = "${httpd_dir}/sites-available" + $vhost_enable_dir = "${httpd_dir}/sites-enabled" + $conf_file = 'httpd.conf' + $ssl_file = "${mod_dir}/ssl.conf" + $ports_file = "${conf_dir}/ports.conf" + $pidfile = '/var/run/httpd2.pid' + $logroot = '/var/log/apache2' + $logroot_mode = undef + $lib_path = '/usr/lib64/apache2' #changes for some modules based on mpm + $mpm_module = 'prefork' + $default_ssl_cert = '/etc/apache2/ssl.crt/server.crt' + $default_ssl_key = '/etc/apache2/ssl.key/server.key' + $suphp_addhandler = 'x-httpd-php' + $suphp_engine = 'off' + $suphp_configpath = '/etc/php5/apache2' + $php_version = '5' + if $::operatingsystemrelease < '11' or $::operatingsystemrelease >= '12' { + $mod_packages = { + 'auth_kerb' => 'apache2-mod_auth_kerb', + 'perl' => 'apache2-mod_perl', + 'php5' => 'apache2-mod_php5', + 'python' => 'apache2-mod_python', + 'security' => 'apache2-mod_security2', + 'worker' => 'apache2-worker', + } + } else { + $mod_packages = { + 'auth_kerb' => 'apache2-mod_auth_kerb', + 'perl' => 'apache2-mod_perl', + 'php5' => 'apache2-mod_php53', + 'python' => 'apache2-mod_python', + 'security' => 'apache2-mod_security2', + } + } + $mod_libs = { + 'security' => '/usr/lib64/apache2/mod_security2.so', + 'php53' => '/usr/lib64/apache2/mod_php5.so', + } + $conf_template = 'apache/httpd.conf.erb' + $keepalive = 'Off' + $keepalive_timeout = 15 + $max_keepalive_requests = 100 + $fastcgi_lib_path = '/var/lib/apache2/fastcgi' + $mime_support_package = 'aaa_base' + $mime_types_config = '/etc/mime.types' + $docroot = '/srv/www' + $cas_cookie_path = '/var/cache/apache2/mod_auth_cas/' + $mellon_lock_file = undef + $mellon_cache_size = undef + $mellon_post_directory = undef + $alias_icons_path = '/usr/share/apache2/icons' + $error_documents_path = '/usr/share/apache2/error' + $dev_packages = ['libapr-util1-devel', 'libapr1-devel', 'libcurl-devel'] + $modsec_crs_package = undef + $modsec_crs_path = undef + $modsec_default_rules = undef + $modsec_dir = '/etc/apache2/modsecurity' + $secpcrematchlimit = 1500 + $secpcrematchlimitrecursion = 1500 + $modsec_secruleengine = 'On' + $error_log = 'error.log' + $scriptalias = '/usr/lib/cgi-bin' + $access_log_file = 'access.log' + + # + # Passenger-specific settings + # + + $passenger_conf_file = 'passenger.conf' + $passenger_conf_package_file = undef + + $passenger_root = '/usr/lib64/ruby/gems/1.8/gems/passenger-5.0.30' + $passenger_ruby = '/usr/bin/ruby' + $passenger_default_ruby = '/usr/bin/ruby' + $wsgi_socket_prefix = undef + } else { fail("Class['apache::params']: Unsupported osfamily: ${::osfamily}") }
--- a/modules/apache/manifests/security/rule_link.pp Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/manifests/security/rule_link.pp Sun Dec 29 11:00:05 2019 -0500 @@ -3,10 +3,15 @@ $parts = split($title, '/') $filename = $parts[-1] + $target = $title ? { + /^\// => $title, + default => "${::apache::params::modsec_crs_path}/${title}", + } + file { $filename: ensure => 'link', path => "${::apache::mod::security::modsec_dir}/activated_rules/${filename}", - target => "${::apache::params::modsec_crs_path}/${title}", + target => $target , require => File["${::apache::mod::security::modsec_dir}/activated_rules"], notify => Class['apache::service'], }
--- a/modules/apache/manifests/service.pp Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/manifests/service.pp Sun Dec 29 11:00:05 2019 -0500 @@ -21,6 +21,7 @@ $service_enable = true, $service_ensure = 'running', $service_manage = true, + $service_restart = undef ) { # The base class must be included first because parameter defaults depend on it if ! defined(Class['apache::params']) { @@ -37,11 +38,16 @@ $_service_ensure = undef } } + + $service_hasrestart = $service_restart == undef + if $service_manage { service { 'httpd': - ensure => $_service_ensure, - name => $service_name, - enable => $service_enable, + ensure => $_service_ensure, + name => $service_name, + enable => $service_enable, + restart => $service_restart, + hasrestart => $service_hasrestart, } } }
--- a/modules/apache/manifests/version.pp Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/manifests/version.pp Sun Dec 29 11:00:05 2019 -0500 @@ -3,7 +3,7 @@ # Try to automatically detect the version by OS # class apache::version { - # This will be 5 or 6 on RedHat, 6 or wheezy on Debian, 12 or quantal on Ubuntu, 3 on Amazon, etc. + # This will be 5 or 6 on RedHat, 6 or wheezy on Debian, 12 or quantal on Ubuntu, etc. $osr_array = split($::operatingsystemrelease,'[\/\.]') $distrelease = $osr_array[0] if ! $distrelease { @@ -12,7 +12,9 @@ case $::osfamily { 'RedHat': { - if ($::operatingsystem == 'Fedora' and versioncmp($distrelease, '18') >= 0) or ($::operatingsystem != 'Fedora' and versioncmp($distrelease, '7') >= 0) { + if ($::operatingsystem == 'Amazon') { + $default = '2.2' + } elsif ($::operatingsystem == 'Fedora' and versioncmp($distrelease, '18') >= 0) or ($::operatingsystem != 'Fedora' and versioncmp($distrelease, '7') >= 0) { $default = '2.4' } else { $default = '2.2' @@ -30,6 +32,16 @@ 'FreeBSD': { $default = '2.4' } + 'Gentoo': { + $default = '2.4' + } + 'Suse': { + if $::operatingsystem == 'SLES' and $::operatingsystemrelease >= '12' { + $default = '2.4' + } else { + $default = '2.2' + } + } default: { fail("Class['apache::version']: Unsupported osfamily: ${::osfamily}") }
--- a/modules/apache/manifests/vhost.pp Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/manifests/vhost.pp Sun Dec 29 11:00:05 2019 -0500 @@ -25,8 +25,18 @@ $ssl_honorcipherorder = undef, $ssl_verify_client = undef, $ssl_verify_depth = undef, + $ssl_proxy_verify = undef, + $ssl_proxy_check_peer_cn = undef, + $ssl_proxy_check_peer_name = undef, + $ssl_proxy_check_peer_expire = undef, + $ssl_proxy_machine_cert = undef, + $ssl_proxy_protocol = undef, $ssl_options = undef, + $ssl_openssl_conf_cmd = undef, $ssl_proxyengine = false, + $ssl_stapling = undef, + $ssl_stapling_timeout = undef, + $ssl_stapling_return_errors = undef, $priority = undef, $default_vhost = false, $servername = $name, @@ -38,6 +48,8 @@ $logroot = $::apache::logroot, $logroot_ensure = 'directory', $logroot_mode = undef, + $logroot_owner = undef, + $logroot_group = undef, $log_level = undef, $access_log = true, $access_log_file = false, @@ -52,12 +64,18 @@ $error_log_file = undef, $error_log_pipe = undef, $error_log_syslog = undef, + $modsec_audit_log = undef, + $modsec_audit_log_file = undef, + $modsec_audit_log_pipe = undef, $error_documents = [], $fallbackresource = undef, $scriptalias = undef, $scriptaliases = [], $proxy_dest = undef, + $proxy_dest_match = undef, + $proxy_dest_reverse_match = undef, $proxy_pass = undef, + $proxy_pass_match = undef, $suphp_addhandler = $::apache::params::suphp_addhandler, $suphp_engine = $::apache::params::suphp_engine, $suphp_configpath = $::apache::params::suphp_configpath, @@ -66,7 +84,10 @@ $php_admin_flags = {}, $php_admin_values = {}, $no_proxy_uris = [], + $no_proxy_uris_match = [], $proxy_preserve_host = false, + $proxy_add_headers = undef, + $proxy_error_override = false, $redirect_source = '/', $redirect_dest = undef, $redirect_status = undef, @@ -74,14 +95,18 @@ $redirectmatch_regexp = undef, $redirectmatch_dest = undef, $rack_base_uris = undef, + $passenger_base_uris = undef, $headers = undef, $request_headers = undef, + $filters = undef, $rewrites = undef, $rewrite_base = undef, $rewrite_rule = undef, $rewrite_cond = undef, + $rewrite_inherit = false, $setenv = [], $setenvif = [], + $setenvifnocase = [], $block = [], $ensure = 'present', $wsgi_application_group = undef, @@ -90,6 +115,7 @@ $wsgi_import_script = undef, $wsgi_import_script_options = undef, $wsgi_process_group = undef, + $wsgi_script_aliases_match = undef, $wsgi_script_aliases = undef, $wsgi_pass_authorization = undef, $wsgi_chunked_request = undef, @@ -99,27 +125,58 @@ $fastcgi_server = undef, $fastcgi_socket = undef, $fastcgi_dir = undef, + $fastcgi_idle_timeout = undef, $additional_includes = [], + $use_optional_includes = $::apache::use_optional_includes, $apache_version = $::apache::apache_version, $allow_encoded_slashes = undef, $suexec_user_group = undef, $passenger_app_root = undef, + $passenger_app_env = undef, $passenger_ruby = undef, $passenger_min_instances = undef, $passenger_start_timeout = undef, $passenger_pre_start = undef, + $passenger_user = undef, + $passenger_high_performance = undef, + $passenger_nodejs = undef, + $passenger_sticky_sessions = undef, + $passenger_startup_file = undef, $add_default_charset = undef, $modsec_disable_vhost = undef, $modsec_disable_ids = undef, $modsec_disable_ips = undef, + $modsec_disable_msgs = undef, + $modsec_disable_tags = undef, $modsec_body_limit = undef, + $jk_mounts = undef, + $auth_kerb = false, + $krb_method_negotiate = 'on', + $krb_method_k5passwd = 'on', + $krb_authoritative = 'on', + $krb_auth_realms = [], + $krb_5keytab = undef, + $krb_local_user_mapping = undef, + $krb_verify_kdc = 'on', + $krb_servicename = 'HTTP', + $krb_save_credentials = 'off', + $keepalive = undef, + $keepalive_timeout = undef, + $max_keepalive_requests = undef, + $cas_attribute_prefix = undef, + $cas_attribute_delimiter = undef, + $cas_scrub_request_headers = undef, + $cas_sso_enabled = undef, + $cas_login_url = undef, + $cas_validate_url = undef, + $cas_validate_saml = undef, ) { # The base class must be included first because it is used by parameter defaults if ! defined(Class['apache']) { fail('You must include the apache base class before using any apache defined resources') } - $apache_name = $::apache::params::apache_name + $apache_name = $::apache::apache_name validate_re($ensure, '^(present|absent)$', "${ensure} is not supported for ensure. @@ -130,18 +187,27 @@ validate_bool($ip_based) validate_bool($access_log) validate_bool($error_log) + if $modsec_audit_log != undef { + validate_bool($modsec_audit_log) + } validate_bool($ssl) validate_bool($default_vhost) validate_bool($ssl_proxyengine) + if $ssl_stapling != undef { + validate_bool($ssl_stapling) + } if $rewrites { validate_array($rewrites) - validate_hash($rewrites[0]) + unless empty($rewrites) { + $rewrites_flattened = delete_undef_values(flatten([$rewrites])) + validate_hash($rewrites_flattened[0]) + } } # Input validation begins if $suexec_user_group { - validate_re($suexec_user_group, '^\w+ \w+$', + validate_re($suexec_user_group, '^[\w-]+ [\w-]+$', "${suexec_user_group} is not supported for suexec_user_group. Must be 'user group'.") } @@ -151,6 +217,12 @@ Allowed values are 'on' and 'off'.") } + if $wsgi_chunked_request { + validate_re(downcase($wsgi_chunked_request), '^(on|off)$', + "${wsgi_chunked_request} is not supported for wsgi_chunked_request. + Allowed values are 'on' and 'off'.") + } + # Deprecated backwards-compatibility if $rewrite_base { warning('Apache::Vhost: parameter rewrite_base is deprecated in favor of rewrites') @@ -165,6 +237,9 @@ if $wsgi_script_aliases { validate_hash($wsgi_script_aliases) } + if $wsgi_script_aliases_match { + validate_hash($wsgi_script_aliases_match) + } if $wsgi_daemon_process_options { validate_hash($wsgi_daemon_process_options) } @@ -180,8 +255,7 @@ Allowed values are 'directory' and 'absent'.") if $log_level { - validate_re($log_level, '^(emerg|alert|crit|error|warn|notice|info|debug)$', - "Log level '${log_level}' is not one of the supported Apache HTTP Server log levels.") + validate_apache_log_level($log_level) } if $access_log_file and $access_log_pipe { @@ -192,6 +266,10 @@ fail("Apache::Vhost[${name}]: 'error_log_file' and 'error_log_pipe' cannot be defined at the same time") } + if $modsec_audit_log_file and $modsec_audit_log_pipe { + fail("Apache::Vhost[${name}]: 'modsec_audit_log_file' and 'modsec_audit_log_pipe' cannot be defined at the same time") + } + if $fallbackresource { validate_re($fallbackresource, '^/|disabled', 'Please make sure fallbackresource starts with a / (or is "disabled")') } @@ -204,6 +282,37 @@ validate_re($allow_encoded_slashes, '(^on$|^off$|^nodecode$)', "${allow_encoded_slashes} is not permitted for allow_encoded_slashes. Allowed values are 'on', 'off' or 'nodecode'.") } + validate_bool($auth_kerb) + + # Validate the docroot as a string if: + # - $manage_docroot is true + if $manage_docroot { + validate_string($docroot) + } + + if $ssl_proxy_verify { + validate_re($ssl_proxy_verify,'^(none|optional|require|optional_no_ca)$',"${ssl_proxy_verify} is not permitted for ssl_proxy_verify. Allowed values are 'none', 'optional', 'require' or 'optional_no_ca'.") + } + + if $ssl_proxy_check_peer_cn { + validate_re($ssl_proxy_check_peer_cn,'(^on$|^off$)',"${ssl_proxy_check_peer_cn} is not permitted for ssl_proxy_check_peer_cn. Allowed values are 'on' or 'off'.") + } + if $ssl_proxy_check_peer_name { + validate_re($ssl_proxy_check_peer_name,'(^on$|^off$)',"${ssl_proxy_check_peer_name} is not permitted for ssl_proxy_check_peer_name. Allowed values are 'on' or 'off'.") + } + + if $ssl_proxy_check_peer_expire { + validate_re($ssl_proxy_check_peer_expire,'(^on$|^off$)',"${ssl_proxy_check_peer_expire} is not permitted for ssl_proxy_check_peer_expire. Allowed values are 'on' or 'off'.") + } + + if $keepalive { + validate_re($keepalive,'(^on$|^off$)',"${keepalive} is not permitted for keepalive. Allowed values are 'on' or 'off'.") + } + + if $passenger_sticky_sessions { + validate_bool($passenger_sticky_sessions) + } + # Input validation ends if $ssl and $ensure == 'present' { @@ -212,6 +321,10 @@ include ::apache::mod::mime } + if $auth_kerb and $ensure == 'present' { + include ::apache::mod::auth_kerb + } + if $virtual_docroot { include ::apache::mod::vhost_alias } @@ -224,7 +337,7 @@ include ::apache::mod::suexec } - if $passenger_app_root or $passenger_ruby or $passenger_min_instances or $passenger_start_timeout or $passenger_pre_start { + if $passenger_app_root or $passenger_app_env or $passenger_ruby or $passenger_min_instances or $passenger_start_timeout or $passenger_pre_start or $passenger_user or $passenger_high_performance or $passenger_nodejs or $passenger_sticky_sessions or $passenger_startup_file { include ::apache::mod::passenger } @@ -244,7 +357,7 @@ # This ensures that the docroot exists # But enables it to be specified across multiple vhost resources - if ! defined(File[$docroot]) and $manage_docroot { + if $manage_docroot and $docroot and ! defined(File[$docroot]) { file { $docroot: ensure => directory, owner => $docroot_owner, @@ -259,6 +372,8 @@ if ! defined(File[$logroot]) { file { $logroot: ensure => $logroot_ensure, + owner => $logroot_owner, + group => $logroot_group, mode => $logroot_mode, require => Package['httpd'], before => Concat["${priority_real}${filename}.conf"], @@ -272,6 +387,9 @@ # Is apache::mod::shib enabled (or apache::mod['shib2']) $shibboleth_enabled = defined(Apache::Mod['shib2']) + # Is apache::mod::cas enabled (or apache::mod['cas']) + $cas_enabled = defined(Apache::Mod['auth_cas']) + if $access_log and !$access_logs { if $access_log_file { $_logs_dest = "${logroot}/${access_log_file}" @@ -310,13 +428,31 @@ } } + if $modsec_audit_log == false { + $modsec_audit_log_destination = undef + } elsif $modsec_audit_log_file { + $modsec_audit_log_destination = "${logroot}/${modsec_audit_log_file}" + } elsif $modsec_audit_log_pipe { + $modsec_audit_log_destination = $modsec_audit_log_pipe + } elsif $modsec_audit_log { + if $ssl { + $modsec_audit_log_destination = "${logroot}/${name}_security_ssl.log" + } else { + $modsec_audit_log_destination = "${logroot}/${name}_security.log" + } + } else { + $modsec_audit_log_destination = undef + } + + if $ip { + $_ip = enclose_ipv6($ip) if $port { - $listen_addr_port = "${ip}:${port}" - $nvh_addr_port = "${ip}:${port}" + $listen_addr_port = suffix(any2array($_ip),":${port}") + $nvh_addr_port = suffix(any2array($_ip),":${port}") } else { $listen_addr_port = undef - $nvh_addr_port = $ip + $nvh_addr_port = $_ip if ! $servername and ! $ip_based { fail("Apache::Vhost[${name}]: must pass 'ip' and/or 'port' parameters for name-based vhosts") } @@ -328,7 +464,7 @@ } else { $listen_addr_port = undef $nvh_addr_port = $name - if ! $servername { + if ! $servername and $servername != '' { fail("Apache::Vhost[${name}]: must pass 'ip' and/or 'port' parameters, and/or 'servername' parameter") } } @@ -337,13 +473,13 @@ if $ip and defined(Apache::Listen["${port}"]) { fail("Apache::Vhost[${name}]: Mixing IP and non-IP Listen directives is not possible; check the add_listen parameter of the apache::vhost define to disable this") } - if ! defined(Apache::Listen["${listen_addr_port}"]) and $listen_addr_port and $ensure == 'present' { - ::apache::listen { "${listen_addr_port}": } + if $listen_addr_port and $ensure == 'present' { + ensure_resource('apache::listen', $listen_addr_port) } } if ! $ip_based { - if ! defined(Apache::Namevirtualhost[$nvh_addr_port]) and $ensure == 'present' and (versioncmp($apache_version, '2.4') < 0) { - ::apache::namevirtualhost { $nvh_addr_port: } + if $ensure == 'present' and (versioncmp($apache_version, '2.4') < 0) { + ensure_resource('apache::namevirtualhost', $nvh_addr_port) } } @@ -355,14 +491,14 @@ } # Load mod_alias if needed and not yet loaded - if ($scriptalias or $scriptaliases != []) or ($redirect_source and $redirect_dest) { - if ! defined(Class['apache::mod::alias']) { + if ($scriptalias or $scriptaliases != []) or ($aliases and $aliases != []) or ($redirect_source and $redirect_dest) { + if ! defined(Class['apache::mod::alias']) and ($ensure == 'present') { include ::apache::mod::alias } } # Load mod_proxy if needed and not yet loaded - if ($proxy_dest or $proxy_pass) { + if ($proxy_dest or $proxy_pass or $proxy_pass_match or $proxy_dest_match) { if ! defined(Class['apache::mod::proxy']) { include ::apache::mod::proxy } @@ -378,6 +514,11 @@ } } + # Load mod_passenger if needed and not yet loaded + if $passenger_base_uris { + include ::apache::mod::passenger + } + # Load mod_fastci if needed and not yet loaded if $fastcgi_server and $fastcgi_socket { if ! defined(Class['apache::mod::fastcgi']) { @@ -392,7 +533,26 @@ } } - if ($setenv and ! empty($setenv)) or ($setenvif and ! empty($setenvif)) { + # Check if mod_filter is required to process $filters + if $filters { + if ! defined(Class['apache::mod::filter']) { + include ::apache::mod::filter + } + } + + # Check if mod_env is required and not yet loaded. + # create an expression to simplify the conditional check + $use_env_mod = $setenv and ! empty($setenv) + if ($use_env_mod) { + if ! defined(Class['apache::mod::env']) { + include ::apache::mod::env + } + } + # Check if mod_setenvif is required and not yet loaded. + # create an expression to simplify the conditional check + $use_setenvif_mod = ($setenvif and ! empty($setenvif)) or ($setenvifnocase and ! empty($setenvifnocase)) + + if ($use_setenvif_mod) { if ! defined(Class['apache::mod::setenvif']) { include ::apache::mod::setenvif } @@ -404,7 +564,7 @@ fail("Apache::Vhost[${name}]: 'directories' must be either a Hash or an Array of Hashes") } $_directories = $directories - } else { + } elsif $docroot { $_directory = { provider => 'directory', path => $docroot, @@ -425,6 +585,8 @@ } $_directories = [ merge($_directory, $_directory_version) ] + } else { + $_directories = undef } ## Create a global LocationMatch if locations aren't defined @@ -438,16 +600,38 @@ } } + if $modsec_disable_msgs { + if is_hash($modsec_disable_msgs) { + $_modsec_disable_msgs = $modsec_disable_msgs + } elsif is_array($modsec_disable_msgs) { + $_modsec_disable_msgs = { '.*' => $modsec_disable_msgs } + } else { + fail("Apache::Vhost[${name}]: 'modsec_disable_msgs' must be either a Hash of location/Msgs or an Array of Msgs") + } + } + + if $modsec_disable_tags { + if is_hash($modsec_disable_tags) { + $_modsec_disable_tags = $modsec_disable_tags + } elsif is_array($modsec_disable_tags) { + $_modsec_disable_tags = { '.*' => $modsec_disable_tags } + } else { + fail("Apache::Vhost[${name}]: 'modsec_disable_tags' must be either a Hash of location/Tags or an Array of Tags") + } + } + concat { "${priority_real}${filename}.conf": ensure => $ensure, - path => "${::apache::vhost_dir}/zzz-${priority_real}${filename}.conf", + path => "${::apache::vhost_dir}/${priority_real}${filename}.conf", owner => 'root', group => $::apache::params::root_group, - mode => '0644', + mode => $::apache::file_mode, order => 'numeric', require => Package['httpd'], notify => Class['apache::service'], } + # NOTE(pabelanger): This code is duplicated in ::apache::vhost::custom and + # needs to be converted into something generic. if $::apache::vhost_enable_dir { $vhost_enable_dir = $::apache::vhost_enable_dir $vhost_symlink_ensure = $ensure ? { @@ -460,7 +644,7 @@ target => "${::apache::vhost_dir}/${priority_real}${filename}.conf", owner => 'root', group => $::apache::params::root_group, - mode => '0644', + mode => $::apache::file_mode, require => Concat["${priority_real}${filename}.conf"], notify => Class['apache::service'], } @@ -479,10 +663,12 @@ # Template uses: # - $virtual_docroot # - $docroot - concat::fragment { "${name}-docroot": - target => "${priority_real}${filename}.conf", - order => 10, - content => template('apache/vhost/_docroot.erb'), + if $docroot { + concat::fragment { "${name}-docroot": + target => "${priority_real}${filename}.conf", + order => 10, + content => template('apache/vhost/_docroot.erb'), + } } # Template uses: @@ -617,14 +803,36 @@ } # Template uses: + # - $headers + if $headers and ! empty($headers) { + concat::fragment { "${name}-header": + target => "${priority_real}${filename}.conf", + order => 140, + content => template('apache/vhost/_header.erb'), + } + } + + # Template uses: + # - $request_headers + if $request_headers and ! empty($request_headers) { + concat::fragment { "${name}-requestheader": + target => "${priority_real}${filename}.conf", + order => 150, + content => template('apache/vhost/_requestheader.erb'), + } + } + + # Template uses: # - $proxy_dest # - $proxy_pass + # - $proxy_pass_match # - $proxy_preserve_host + # - $proxy_add_headers # - $no_proxy_uris - if $proxy_dest or $proxy_pass { + if $proxy_dest or $proxy_pass or $proxy_pass_match or $proxy_dest_match { concat::fragment { "${name}-proxy": target => "${priority_real}${filename}.conf", - order => 140, + order => 160, content => template('apache/vhost/_proxy.erb'), } } @@ -634,12 +842,22 @@ if $rack_base_uris { concat::fragment { "${name}-rack": target => "${priority_real}${filename}.conf", - order => 150, + order => 170, content => template('apache/vhost/_rack.erb'), } } # Template uses: + # - $passenger_base_uris + if $passenger_base_uris { + concat::fragment { "${name}-passenger_uris": + target => "${priority_real}${filename}.conf", + order => 175, + content => template('apache/vhost/_passenger_base_uris.erb'), + } + } + + # Template uses: # - $redirect_source # - $redirect_dest # - $redirect_status @@ -652,10 +870,10 @@ # - $redirectmatch_status_a # - $redirectmatch_regexp_a # - $redirectmatch_dest - if ($redirect_source and $redirect_dest) or ($redirectmatch_status and $redirectmatch_regexp and $redirectmatch_dest) { + if ($redirect_source and $redirect_dest) or ($redirectmatch_regexp and $redirectmatch_dest) { concat::fragment { "${name}-redirect": target => "${priority_real}${filename}.conf", - order => 160, + order => 180, content => template('apache/vhost/_redirect.erb'), } } @@ -665,10 +883,11 @@ # - $rewrite_base # - $rewrite_rule # - $rewrite_cond + # - $rewrite_map if $rewrites or $rewrite_rule { concat::fragment { "${name}-rewrite": target => "${priority_real}${filename}.conf", - order => 170, + order => 190, content => template('apache/vhost/_rewrite.erb'), } } @@ -676,10 +895,10 @@ # Template uses: # - $scriptaliases # - $scriptalias - if $scriptaliases and ! empty($scriptaliases) { + if ( $scriptalias or $scriptaliases != [] ) { concat::fragment { "${name}-scriptalias": target => "${priority_real}${filename}.conf", - order => 180, + order => 200, content => template('apache/vhost/_scriptalias.erb'), } } @@ -689,7 +908,7 @@ if $serveraliases and ! empty($serveraliases) { concat::fragment { "${name}-serveralias": target => "${priority_real}${filename}.conf", - order => 190, + order => 210, content => template('apache/vhost/_serveralias.erb'), } } @@ -697,10 +916,10 @@ # Template uses: # - $setenv # - $setenvif - if ($setenv and ! empty($setenv)) or ($setenvif and ! empty($setenvif)) { + if ($use_env_mod or $use_setenvif_mod) { concat::fragment { "${name}-setenv": target => "${priority_real}${filename}.conf", - order => 200, + order => 220, content => template('apache/vhost/_setenv.erb'), } } @@ -715,30 +934,63 @@ # - $ssl_crl_path # - $ssl_crl # - $ssl_crl_check - # - $ssl_proxyengine # - $ssl_protocol # - $ssl_cipher # - $ssl_honorcipherorder # - $ssl_verify_client # - $ssl_verify_depth # - $ssl_options + # - $ssl_openssl_conf_cmd + # - $ssl_stapling # - $apache_version if $ssl { concat::fragment { "${name}-ssl": target => "${priority_real}${filename}.conf", - order => 210, + order => 230, content => template('apache/vhost/_ssl.erb'), } } # Template uses: + # - $ssl_proxyengine + # - $ssl_proxy_verify + # - $ssl_proxy_check_peer_cn + # - $ssl_proxy_check_peer_name + # - $ssl_proxy_check_peer_expire + # - $ssl_proxy_machine_cert + # - $ssl_proxy_protocol + if $ssl_proxyengine { + concat::fragment { "${name}-sslproxy": + target => "${priority_real}${filename}.conf", + order => 230, + content => template('apache/vhost/_sslproxy.erb'), + } + } + + # Template uses: + # - $auth_kerb + # - $krb_method_negotiate + # - $krb_method_k5passwd + # - $krb_authoritative + # - $krb_auth_realms + # - $krb_5keytab + # - $krb_local_user_mapping + if $auth_kerb { + concat::fragment { "${name}-auth_kerb": + target => "${priority_real}${filename}.conf", + order => 230, + content => template('apache/vhost/_auth_kerb.erb'), + } + } + + # Template uses: # - $suphp_engine # - $suphp_addhandler # - $suphp_configpath if $suphp_engine == 'on' { concat::fragment { "${name}-suphp": target => "${priority_real}${filename}.conf", - order => 220, + order => 240, content => template('apache/vhost/_suphp.erb'), } } @@ -749,7 +1001,7 @@ if ($php_values and ! empty($php_values)) or ($php_flags and ! empty($php_flags)) { concat::fragment { "${name}-php": target => "${priority_real}${filename}.conf", - order => 220, + order => 240, content => template('apache/vhost/_php.erb'), } } @@ -760,32 +1012,12 @@ if ($php_admin_values and ! empty($php_admin_values)) or ($php_admin_flags and ! empty($php_admin_flags)) { concat::fragment { "${name}-php_admin": target => "${priority_real}${filename}.conf", - order => 230, + order => 250, content => template('apache/vhost/_php_admin.erb'), } } # Template uses: - # - $headers - if $headers and ! empty($headers) { - concat::fragment { "${name}-header": - target => "${priority_real}${filename}.conf", - order => 240, - content => template('apache/vhost/_header.erb'), - } - } - - # Template uses: - # - $request_headers - if $request_headers and ! empty($request_headers) { - concat::fragment { "${name}-requestheader": - target => "${priority_real}${filename}.conf", - order => 250, - content => template('apache/vhost/_requestheader.erb'), - } - } - - # Template uses: # - $wsgi_application_group # - $wsgi_daemon_process # - $wsgi_daemon_process_options @@ -816,6 +1048,7 @@ # - $fastcgi_server # - $fastcgi_socket # - $fastcgi_dir + # - $fastcgi_idle_timeout # - $apache_version if $fastcgi_server or $fastcgi_dir { concat::fragment { "${name}-fastcgi": @@ -837,11 +1070,16 @@ # Template uses: # - $passenger_app_root + # - $passenger_app_env # - $passenger_ruby # - $passenger_min_instances # - $passenger_start_timeout # - $passenger_pre_start - if $passenger_app_root or $passenger_ruby or $passenger_min_instances or $passenger_start_timeout or $passenger_pre_start { + # - $passenger_user + # - $passenger_nodejs + # - $passenger_sticky_sessions + # - $passenger_startup_file + if $passenger_app_root or $passenger_app_env or $passenger_ruby or $passenger_min_instances or $passenger_start_timeout or $passenger_pre_start or $passenger_user or $passenger_nodejs or $passenger_sticky_sessions or $passenger_startup_file{ concat::fragment { "${name}-passenger": target => "${priority_real}${filename}.conf", order => 300, @@ -863,12 +1101,57 @@ # - $modsec_disable_vhost # - $modsec_disable_ids # - $modsec_disable_ips + # - $modsec_disable_msgs + # - $modsec_disable_tags # - $modsec_body_limit - if $modsec_disable_vhost or $modsec_disable_ids or $modsec_disable_ips { + # - $modsec_audit_log_destination + if $modsec_disable_vhost or $modsec_disable_ids or $modsec_disable_ips or $modsec_disable_msgs or $modsec_disable_tags or $modsec_audit_log_destination { concat::fragment { "${name}-security": target => "${priority_real}${filename}.conf", order => 320, - content => template('apache/vhost/_security.erb') + content => template('apache/vhost/_security.erb'), + } + } + + # Template uses: + # - $filters + if $filters and ! empty($filters) { + concat::fragment { "${name}-filters": + target => "${priority_real}${filename}.conf", + order => 330, + content => template('apache/vhost/_filters.erb'), + } + } + + # Template uses: + # - $jk_mounts + if $jk_mounts and ! empty($jk_mounts) { + concat::fragment { "${name}-jk_mounts": + target => "${priority_real}${filename}.conf", + order => 340, + content => template('apache/vhost/_jk_mounts.erb'), + } + } + + # Template uses: + # - $keepalive + # - $keepalive_timeout + # - $max_keepalive_requests + if $keepalive or $keepalive_timeout or $max_keepalive_requests { + concat::fragment { "${name}-keepalive_options": + target => "${priority_real}${filename}.conf", + order => 350, + content => template('apache/vhost/_keepalive_options.erb'), + } + } + + # Template uses: + # - $cas_* + if $cas_enabled { + concat::fragment { "${name}-auth_cas": + target => "${priority_real}${filename}.conf", + order => 350, + content => template('apache/vhost/_auth_cas.erb'), } }
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/manifests/vhost/custom.pp Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,40 @@ +# See README.md for usage information +define apache::vhost::custom( + $content, + $ensure = 'present', + $priority = '25', + $verify_config = true, +) { + include ::apache + + ## Apache include does not always work with spaces in the filename + $filename = regsubst($name, ' ', '_', 'G') + + ::apache::custom_config { $filename: + ensure => $ensure, + confdir => $::apache::vhost_dir, + content => $content, + priority => $priority, + verify_config => $verify_config, + } + + # NOTE(pabelanger): This code is duplicated in ::apache::vhost and needs to + # converted into something generic. + if $::apache::vhost_enable_dir { + $vhost_symlink_ensure = $ensure ? { + present => link, + default => $ensure, + } + + file { "${priority}-${filename}.conf symlink": + ensure => $vhost_symlink_ensure, + path => "${::apache::vhost_enable_dir}/${priority}-${filename}.conf", + target => "${::apache::vhost_dir}/${priority}-${filename}.conf", + owner => 'root', + group => $::apache::params::root_group, + mode => $::apache::file_mode, + require => Apache::Custom_config[$filename], + notify => Class['apache::service'], + } + } +}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/manifests/vhosts.pp Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,6 @@ +class apache::vhosts ( + $vhosts = {}, +) { + include ::apache + create_resources('apache::vhost', $vhosts) +}
--- a/modules/apache/metadata.json Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/metadata.json Sun Dec 29 11:00:05 2019 -0500 @@ -1,12 +1,23 @@ { "name": "puppetlabs-apache", - "version": "1.3.0", + "version": "1.11.1", "author": "puppetlabs", "summary": "Installs, configures, and manages Apache virtual hosts, web services, and modules.", "license": "Apache-2.0", "source": "git://github.com/puppetlabs/puppetlabs-apache.git", "project_page": "https://github.com/puppetlabs/puppetlabs-apache", "issues_url": "https://tickets.puppetlabs.com/browse/MODULES", + "dependencies": [ + { + "name": "puppetlabs/stdlib", + "version_requirement": ">= 4.2.0 < 5.0.0" + }, + { + "name": "puppetlabs/concat", + "version_requirement": ">= 1.1.1 < 3.0.0" + } + ], + "data_provider": null, "operatingsystem_support": [ { "operatingsystem": "RedHat", @@ -43,7 +54,15 @@ "operatingsystem": "Debian", "operatingsystemrelease": [ "6", - "7" + "7", + "8" + ] + }, + { + "operatingsystem": "SLES", + "operatingsystemrelease": [ + "11 SP1", + "12" ] }, { @@ -51,23 +70,16 @@ "operatingsystemrelease": [ "10.04", "12.04", - "14.04" + "14.04", + "16.04" ] } ], "requirements": [ { - "name": "pe", - "version_requirement": "3.x" - }, - { "name": "puppet", - "version_requirement": "3.x" + "version_requirement": ">= 3.0.0 < 5.0.0" } ], - "description": "Module for Apache configuration", - "dependencies": [ - {"name":"puppetlabs/stdlib","version_requirement":">= 2.4.0"}, - {"name":"puppetlabs/concat","version_requirement":">= 1.1.1"} - ] + "description": "Module for Apache configuration" }
--- a/modules/apache/spec/acceptance/apache_parameters_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/acceptance/apache_parameters_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -1,7 +1,7 @@ require 'spec_helper_acceptance' require_relative './version.rb' -describe 'apache parameters', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do +describe 'apache parameters' do # Currently this test only does something on FreeBSD. describe 'default_confd_files => false' do @@ -55,7 +55,11 @@ describe service($service_name) do it { is_expected.to be_running } - it { is_expected.to be_enabled } + if (fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '8') + pending 'Should be enabled - Bug 760616 on Debian 8' + else + it { is_expected.to be_enabled } + end end end @@ -72,7 +76,11 @@ describe service($service_name) do it { is_expected.not_to be_running } - it { is_expected.not_to be_enabled } + if (fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '8') + pending 'Should be enabled - Bug 760616 on Debian 8' + else + it { is_expected.not_to be_enabled } + end end end @@ -90,7 +98,11 @@ describe service($service_name) do it { is_expected.not_to be_running } - it { is_expected.not_to be_enabled } + if (fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '8') + pending 'Should be enabled - Bug 760616 on Debian 8' + else + it { is_expected.not_to be_enabled } + end end end @@ -354,11 +366,25 @@ end end + describe 'limitrequestfieldsize' do + describe 'setup' do + it 'applies cleanly' do + pp = "class { 'apache': limitreqfieldsize => '16830' }" + apply_manifest(pp, :catch_failures => true) + end + end + + describe file($conf_file) do + it { is_expected.to be_file } + it { is_expected.to contain 'LimitRequestFieldSize 16830' } + end + end + describe 'logging' do describe 'setup' do it 'applies cleanly' do pp = <<-EOS - if $::osfamily == 'RedHat' and $::selinux { + if $::osfamily == 'RedHat' and "$::selinux" == "true" { $semanage_package = $::operatingsystemmajrelease ? { '5' => 'policycoreutils', default => 'policycoreutils-python',
--- a/modules/apache/spec/acceptance/apache_ssl_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/acceptance/apache_ssl_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -1,14 +1,7 @@ require 'spec_helper_acceptance' require_relative './version.rb' -case fact('osfamily') -when 'RedHat' - vhostd = '/etc/httpd/conf.d' -when 'Debian' - vhostd = '/etc/apache2/sites-available' -end - -describe 'apache ssl', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do +describe 'apache ssl' do describe 'ssl parameters' do it 'runs without error' do @@ -26,18 +19,19 @@ } EOS apply_manifest(pp, :catch_failures => true) + apply_manifest(pp, :catch_changes => true) end - describe file("#{vhostd}/15-default-ssl.conf") do + describe file("#{$vhost_dir}/15-default-ssl.conf") do it { is_expected.to be_file } it { is_expected.to contain 'SSLCertificateFile "/tmp/ssl_cert"' } it { is_expected.to contain 'SSLCertificateKeyFile "/tmp/ssl_key"' } it { is_expected.to contain 'SSLCertificateChainFile "/tmp/ssl_chain"' } - it { is_expected.to contain 'SSLCACertificateFile "/tmp/ssl_ca"' } - it { is_expected.to contain 'SSLCARevocationPath "/tmp/ssl_crl_path"' } - it { is_expected.to contain 'SSLCARevocationFile "/tmp/ssl_crl"' } + it { is_expected.not_to contain 'SSLCACertificateFile "/tmp/ssl_ca"' } + it { is_expected.not_to contain 'SSLCARevocationPath "/tmp/ssl_crl_path"' } + it { is_expected.not_to contain 'SSLCARevocationFile "/tmp/ssl_crl"' } if $apache_version == '2.4' - it { is_expected.to contain 'SSLCARevocationCheck "chain"' } + it { is_expected.not_to contain 'SSLCARevocationCheck "chain"' } else it { is_expected.not_to contain 'SSLCARevocationCheck' } end @@ -69,17 +63,20 @@ ssl_verify_depth => 'test', ssl_options => ['test', 'test1'], ssl_proxyengine => true, + ssl_proxy_protocol => 'TLSv1.2', } EOS apply_manifest(pp, :catch_failures => true) + apply_manifest(pp, :catch_changes => true) end - describe file("#{vhostd}/25-test_ssl.conf") do + describe file("#{$vhost_dir}/25-test_ssl.conf") do it { is_expected.to be_file } it { is_expected.to contain 'SSLCertificateFile "/tmp/ssl_cert"' } it { is_expected.to contain 'SSLCertificateKeyFile "/tmp/ssl_key"' } it { is_expected.to contain 'SSLCertificateChainFile "/tmp/ssl_chain"' } it { is_expected.to contain 'SSLCACertificateFile "/tmp/ssl_ca"' } + it { is_expected.to contain 'SSLCACertificatePath "/tmp"' } it { is_expected.to contain 'SSLCARevocationPath "/tmp/ssl_crl_path"' } it { is_expected.to contain 'SSLCARevocationFile "/tmp/ssl_crl"' } it { is_expected.to contain 'SSLProxyEngine On' } @@ -97,4 +94,63 @@ end end + describe 'vhost ssl ssl_ca only' do + it 'runs without error' do + pp = <<-EOS + class { 'apache': + service_ensure => stopped, + } + + apache::vhost { 'test_ssl_ca_only': + docroot => '/tmp/test', + ssl => true, + ssl_cert => '/tmp/ssl_cert', + ssl_key => '/tmp/ssl_key', + ssl_ca => '/tmp/ssl_ca', + ssl_verify_client => 'test', + } + EOS + apply_manifest(pp, :catch_failures => true) + apply_manifest(pp, :catch_changes => true) + end + + describe file("#{$vhost_dir}/25-test_ssl_ca_only.conf") do + it { is_expected.to be_file } + it { is_expected.to contain 'SSLCertificateFile "/tmp/ssl_cert"' } + it { is_expected.to contain 'SSLCertificateKeyFile "/tmp/ssl_key"' } + it { is_expected.to contain 'SSLCACertificateFile "/tmp/ssl_ca"' } + it { is_expected.not_to contain 'SSLCACertificatePath' } + end + end + + describe 'vhost ssl ssl_certs_dir' do + it 'runs without error' do + pp = <<-EOS + class { 'apache': + service_ensure => stopped, + } + + apache::vhost { 'test_ssl_certs_dir_only': + docroot => '/tmp/test', + ssl => true, + ssl_cert => '/tmp/ssl_cert', + ssl_key => '/tmp/ssl_key', + ssl_certs_dir => '/tmp', + ssl_verify_client => 'test', + } + EOS + apply_manifest(pp, :catch_failures => true) + apply_manifest(pp, :catch_changes => true) + end + + describe file("#{$vhost_dir}/25-test_ssl_certs_dir_only.conf") do + it { is_expected.to be_file } + it { is_expected.to contain 'SSLCertificateFile "/tmp/ssl_cert"' } + it { is_expected.to contain 'SSLCertificateKeyFile "/tmp/ssl_key"' } + it { is_expected.to contain 'SSLCACertificatePath "/tmp"' } + it { is_expected.to contain 'SSLVerifyClient test' } + it { is_expected.not_to contain 'SSLCACertificateFile' } + end + end + end
--- a/modules/apache/spec/acceptance/basic_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,12 +0,0 @@ -require 'spec_helper_acceptance' - -describe 'disable selinux:', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do - it "because otherwise apache won't work" do - apply_manifest(%{ - exec { "setenforce 0": - path => "/bin:/sbin:/usr/bin:/usr/sbin", - onlyif => "which setenforce && getenforce | grep Enforcing", - } - }, :catch_failures => true) - end -end
--- a/modules/apache/spec/acceptance/class_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/acceptance/class_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -1,35 +1,36 @@ require 'spec_helper_acceptance' +require_relative './version.rb' + +describe 'apache class' do + context 'default parameters' do + let(:pp) { "class { 'apache': }" } + + it_behaves_like "a idempotent resource" -describe 'apache class', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do - case fact('osfamily') - when 'RedHat' - package_name = 'httpd' - service_name = 'httpd' - when 'Debian' - package_name = 'apache2' - service_name = 'apache2' - when 'FreeBSD' - package_name = 'apache24' - service_name = 'apache24' - end + describe 'apache_version fact' do + before :all do + apply_manifest("include apache", :catch_failures => true) + version_check_pp = <<-EOS + notice("apache_version = >${apache_version}<") + EOS + @result = apply_manifest(version_check_pp, :catch_failures => true) + end - context 'default parameters' do - it 'should work with no errors' do - pp = <<-EOS - class { 'apache': } - EOS - - # Run it twice and test for idempotency - apply_manifest(pp, :catch_failures => true) - expect(apply_manifest(pp, :catch_failures => true).exit_code).to be_zero + it { + expect(@result.output).to match(/apache_version = >#{$apache_version}.*</) + } end - describe package(package_name) do + describe package($package_name) do it { is_expected.to be_installed } end - describe service(service_name) do - it { is_expected.to be_enabled } + describe service($service_name) do + if (fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '8') + pending 'Should be enabled - Bug 760616 on Debian 8' + else + it { should be_enabled } + end it { is_expected.to be_running } end @@ -40,45 +41,48 @@ context 'custom site/mod dir parameters' do # Using puppet_apply as a helper - it 'should work with no errors' do - pp = <<-EOS - if $::osfamily == 'RedHat' and $::selinux { - $semanage_package = $::operatingsystemmajrelease ? { - '5' => 'policycoreutils', - default => 'policycoreutils-python', - } + let(:pp) do + <<-EOS + if $::osfamily == 'RedHat' and "$::selinux" == "true" { + $semanage_package = $::operatingsystemmajrelease ? { + '5' => 'policycoreutils', + default => 'policycoreutils-python', + } - package { $semanage_package: ensure => installed } - exec { 'set_apache_defaults': - command => 'semanage fcontext -a -t httpd_sys_content_t "/apache_spec(/.*)?"', - path => '/bin:/usr/bin/:/sbin:/usr/sbin', - subscribe => Package[$semanage_package], - refreshonly => true, + package { $semanage_package: ensure => installed } + exec { 'set_apache_defaults': + command => 'semanage fcontext -a -t httpd_sys_content_t "/apache_spec(/.*)?"', + path => '/bin:/usr/bin/:/sbin:/usr/sbin', + subscribe => Package[$semanage_package], + refreshonly => true, + } + exec { 'restorecon_apache': + command => 'restorecon -Rv /apache_spec', + path => '/bin:/usr/bin/:/sbin:/usr/sbin', + before => Service['httpd'], + require => Class['apache'], + subscribe => Exec['set_apache_defaults'], + refreshonly => true, + } } - exec { 'restorecon_apache': - command => 'restorecon -Rv /apache_spec', - path => '/bin:/usr/bin/:/sbin:/usr/sbin', - before => Service['httpd'], - require => Class['apache'], - subscribe => Exec['set_apache_defaults'], - refreshonly => true, + file { '/apache_spec': ensure => directory, } + file { '/apache_spec/apache_custom': ensure => directory, } + class { 'apache': + mod_dir => '/apache_spec/apache_custom/mods', + vhost_dir => '/apache_spec/apache_custom/vhosts', } - } - file { '/apache_spec': ensure => directory, } - file { '/apache_spec/apache_custom': ensure => directory, } - class { 'apache': - mod_dir => '/apache_spec/apache_custom/mods', - vhost_dir => '/apache_spec/apache_custom/vhosts', - } EOS - - # Run it twice and test for idempotency - apply_manifest(pp, :catch_failures => true) - apply_manifest(pp, :catch_changes => true) end - describe service(service_name) do - it { is_expected.to be_enabled } + # Run it twice and test for idempotency + it_behaves_like "a idempotent resource" + + describe service($service_name) do + if (fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '8') + pending 'Should be enabled - Bug 760616 on Debian 8' + else + it { should be_enabled } + end it { is_expected.to be_running } end end
--- a/modules/apache/spec/acceptance/custom_config_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/acceptance/custom_config_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -1,7 +1,7 @@ require 'spec_helper_acceptance' require_relative './version.rb' -describe 'apache::custom_config define', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do +describe 'apache::custom_config define' do context 'invalid config' do it 'should not add the config' do pp = <<-EOS @@ -36,6 +36,24 @@ end end + context 'with a custom filename' do + it 'should store content in the described file' do + pp = <<-EOS + class { 'apache': } + apache::custom_config { 'filename_test': + filename => 'custom_filename', + content => '# just another comment', + } + EOS + + apply_manifest(pp, :catch_failures => true) + end + + describe file("#{$confd_dir}/custom_filename") do + it { is_expected.to contain '# just another comment' } + end + end + describe 'custom_config without priority prefix' do it 'applies cleanly' do pp = <<-EOS @@ -52,4 +70,25 @@ it { is_expected.to be_file } end end + + describe 'custom_config only applied after configs are written' do + it 'applies in the right order' do + pp = <<-EOS + class { 'apache': } + + apache::custom_config { 'ordering_test': + content => '# just a comment', + } + + # Try to wedge the apache::custom_config call between when httpd.conf is written and + # ports.conf is written. This should trigger a dependency cycle + File["#{$conf_file}"] -> Apache::Custom_config['ordering_test'] -> Concat["#{$ports_file}"] + EOS + expect(apply_manifest(pp, :expect_failures => true).stderr).to match(/Found 1 dependency cycle/i) + end + + describe file("#{$confd_dir}/25-ordering_test.conf") do + it { is_expected.not_to be_file } + end + end end
--- a/modules/apache/spec/acceptance/default_mods_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/acceptance/default_mods_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -1,72 +1,68 @@ require 'spec_helper_acceptance' +require_relative './version.rb' -case fact('osfamily') -when 'RedHat' - mod_dir = '/etc/httpd/conf.d' - servicename = 'httpd' -when 'Debian' - mod_dir = '/etc/apache2/mods-available' - servicename = 'apache2' -when 'FreeBSD' - mod_dir = '/usr/local/etc/apache24/Modules' - servicename = 'apache24' -end - -describe 'apache::default_mods class', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do +describe 'apache::default_mods class' do describe 'no default mods' do # Using puppet_apply as a helper - it 'should apply with no errors' do - pp = <<-EOS + let(:pp) do + <<-EOS class { 'apache': default_mods => false, } EOS - - # Run it twice and test for idempotency - apply_manifest(pp, :catch_failures => true) - expect(apply_manifest(pp, :catch_failures => true).exit_code).to be_zero end - describe service(servicename) do + # Run it twice and test for idempotency + it_behaves_like "a idempotent resource" + describe service($service_name) do it { is_expected.to be_running } end end - describe 'no default mods and failing' do - # Using puppet_apply as a helper - it 'should apply with errors' do - pp = <<-EOS - class { 'apache': - default_mods => false, - } - apache::vhost { 'defaults.example.com': - docroot => '/var/www/defaults', - aliases => { - alias => '/css', - path => '/var/www/css', - }, - setenv => 'TEST1 one', - } - EOS + unless (fact('operatingsystem') == 'SLES' && fact('operatingsystemmajrelease') == '12') + describe 'no default mods and failing' do + before :all do + pp = <<-PP + include apache::params + class { 'apache': default_mods => false, service_ensure => stopped, } + PP + apply_manifest(pp) + end + # Using puppet_apply as a helper + it 'should apply with errors' do + pp = <<-EOS + class { 'apache': + default_mods => false, + } + apache::vhost { 'defaults.example.com': + docroot => '#{$doc_root}/defaults', + aliases => { + alias => '/css', + path => '#{$doc_root}/css', + }, + directories => [ + { + 'path' => "#{$doc_root}/admin", + 'auth_basic_fake' => 'demo demopass', + } + ], + setenv => 'TEST1 one', + } + EOS - apply_manifest(pp, { :expect_failures => true }) - end + apply_manifest(pp, { :expect_failures => true }) + end + end - # Are these the same? - describe service(servicename) do + describe service($service_name) do it { is_expected.not_to be_running } end - describe "service #{servicename}" do - it 'should not be running' do - shell("pidof #{servicename}", {:acceptable_exit_codes => 1}) - end - end end describe 'alternative default mods' do # Using puppet_apply as a helper - it 'should apply with no errors' do - pp = <<-EOS + let(:pp) do + <<-EOS class { 'apache': default_mods => [ 'info', @@ -77,43 +73,38 @@ ], } apache::vhost { 'defaults.example.com': - docroot => '/var/www/defaults', + docroot => '#{$doc_root}/defaults', aliases => { alias => '/css', - path => '/var/www/css', + path => '#{$doc_root}/css', }, setenv => 'TEST1 one', } EOS + end + it_behaves_like "a idempotent resource" - apply_manifest(pp, :catch_failures => true) - shell('sleep 10') - expect(apply_manifest(pp, :catch_failures => true).exit_code).to be_zero - end - - describe service(servicename) do + describe service($service_name) do it { is_expected.to be_running } end end describe 'change loadfile name' do - it 'should apply with no errors' do - pp = <<-EOS + let(:pp) do + <<-EOS class { 'apache': default_mods => false } - ::apache::mod { 'auth_basic': + ::apache::mod { 'auth_basic': loadfile_name => 'zz_auth_basic.load', } EOS - # Run it twice and test for idempotency - apply_manifest(pp, :catch_failures => true) - expect(apply_manifest(pp, :catch_failures => true).exit_code).to be_zero end - - describe service(servicename) do + # Run it twice and test for idempotency + it_behaves_like "a idempotent resource" + describe service($service_name) do it { is_expected.to be_running } end - describe file("#{mod_dir}/zz_auth_basic.load") do + describe file("#{$mod_dir}/zz_auth_basic.load") do it { is_expected.to be_file } end end
--- a/modules/apache/spec/acceptance/itk_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/acceptance/itk_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -3,31 +3,58 @@ case fact('osfamily') when 'Debian' service_name = 'apache2' + majrelease = fact('operatingsystemmajrelease') + if ['6', '7', '10.04', '12.04'].include?(majrelease) + variant = :itk_only + else + variant = :prefork + end +when 'RedHat' + unless fact('operatingsystemmajrelease') == '5' + service_name = 'httpd' + majrelease = fact('operatingsystemmajrelease') + if ['6'].include?(majrelease) + variant = :itk_only + else + variant = :prefork + end + end when 'FreeBSD' service_name = 'apache24' -else - # Not implemented yet - service_name = :skip + majrelease = fact('operatingsystemmajrelease') + variant = :prefork end -describe 'apache::mod::itk class', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) or service_name.equal? :skip do +describe 'apache::mod::itk class', :if => service_name do describe 'running puppet code' do # Using puppet_apply as a helper - it 'should work with no errors' do - pp = <<-EOS - class { 'apache': - mpm_module => 'itk', - } - EOS - - # Run it twice and test for idempotency - apply_manifest(pp, :catch_failures => true) - expect(apply_manifest(pp, :catch_failures => true).exit_code).to be_zero + let(:pp) do + case variant + when :prefork + <<-EOS + class { 'apache': + mpm_module => 'prefork', + } + class { 'apache::mod::itk': } + EOS + when :itk_only + <<-EOS + class { 'apache': + mpm_module => 'itk', + } + EOS + end end + # Run it twice and test for idempotency + it_behaves_like "a idempotent resource" end describe service(service_name) do it { is_expected.to be_running } - it { is_expected.to be_enabled } + if (fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '8') + pending 'Should be enabled - Bug 760616 on Debian 8' + else + it { should be_enabled } + end end end
--- a/modules/apache/spec/acceptance/mod_dav_svn_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/acceptance/mod_dav_svn_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -1,22 +1,15 @@ require 'spec_helper_acceptance' +require_relative './version.rb' -describe 'apache::mod::dav_svn class', :unless => (fact('operatingsystem') == 'OracleLinux' and fact('operatingsystemmajrelease') == '7') do +describe 'apache::mod::dav_svn class', :unless => (fact('operatingsystem') == 'OracleLinux' and fact('operatingsystemmajrelease') == '7') || (fact('operatingsystem') == 'SLES' and fact('operatingsystemmajorrelease') < '11') do case fact('osfamily') when 'Debian' - mod_dir = '/etc/apache2/mods-available' - service_name = 'apache2' - if fact('operatingsystemmajrelease') == '6' or fact('operatingsystemmajrelease') == '10.04' or fact('operatingsystemrelease') == '10.04' + if fact('operatingsystemmajrelease') == '6' or fact('operatingsystemmajrelease') == '10.04' or fact('operatingsystemrelease') == '10.04' or fact('operatingsystemmajrelease') == '16.04' authz_svn_load_file = 'dav_svn_authz_svn.load' else authz_svn_load_file = 'authz_svn.load' end - when 'RedHat' - mod_dir = '/etc/httpd/conf.d' - service_name = 'httpd' - authz_svn_load_file = 'dav_svn_authz_svn.load' - when 'FreeBSD' - mod_dir = '/usr/local/etc/apache24/Modules' - service_name = 'apache24' + else authz_svn_load_file = 'dav_svn_authz_svn.load' end @@ -29,12 +22,16 @@ apply_manifest(pp, :catch_failures => true) end - describe service(service_name) do - it { is_expected.to be_enabled } + describe service($service_name) do + if (fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '8') + pending 'Should be enabled - Bug 760616 on Debian 8' + else + it { should be_enabled } + end it { is_expected.to be_running } end - describe file("#{mod_dir}/dav_svn.load") do + describe file("#{$mod_dir}/dav_svn.load") do it { is_expected.to contain "LoadModule dav_svn_module" } end end @@ -50,12 +47,16 @@ apply_manifest(pp, :catch_failures => true) end - describe service(service_name) do - it { is_expected.to be_enabled } + describe service($service_name) do + if (fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '8') + pending 'Should be enabled - Bug 760616 on Debian 8' + else + it { should be_enabled } + end it { is_expected.to be_running } end - describe file("#{mod_dir}/#{authz_svn_load_file}") do + describe file("#{$mod_dir}/#{authz_svn_load_file}") do it { is_expected.to contain "LoadModule authz_svn_module" } end end
--- a/modules/apache/spec/acceptance/mod_deflate_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/acceptance/mod_deflate_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -1,18 +1,7 @@ require 'spec_helper_acceptance' +require_relative './version.rb' describe 'apache::mod::deflate class' do - case fact('osfamily') - when 'Debian' - mod_dir = '/etc/apache2/mods-available' - service_name = 'apache2' - when 'RedHat' - mod_dir = '/etc/httpd/conf.d' - service_name = 'httpd' - when 'FreeBSD' - mod_dir = '/usr/local/etc/apache24/Modules' - service_name = 'apache24' - end - context "default deflate config" do it 'succeeds in puppeting deflate' do pp= <<-EOS @@ -22,12 +11,16 @@ apply_manifest(pp, :catch_failures => true) end - describe service(service_name) do - it { is_expected.to be_enabled } + describe service($service_name) do + if (fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '8') + pending 'Should be enabled - Bug 760616 on Debian 8' + else + it { should be_enabled } + end it { is_expected.to be_running } end - describe file("#{mod_dir}/deflate.conf") do + describe file("#{$mod_dir}/deflate.conf") do it { is_expected.to contain "AddOutputFilterByType DEFLATE text/html text/plain text/xml" } it { is_expected.to contain "AddOutputFilterByType DEFLATE text/css" } it { is_expected.to contain "AddOutputFilterByType DEFLATE application/x-javascript application/javascript application/ecmascript" }
--- a/modules/apache/spec/acceptance/mod_fcgid_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/acceptance/mod_fcgid_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -1,7 +1,7 @@ require 'spec_helper_acceptance' -describe 'apache::mod::fcgid class', :unless => (UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) or (fact('operatingsystem') == 'OracleLinux' and fact('operatingsystemmajrelease') == '7')) do - context "default fcgid config", :if => (fact('osfamily') == 'RedHat' and fact('operatingsystemmajrelease') != '5') do +describe 'apache::mod::fcgid class', :if => ((fact('osfamily') == 'RedHat' and fact('operatingsystemmajrelease') != '5') and !(fact('operatingsystem') == 'OracleLinux' and fact('operatingsystemmajrelease') == '7')) do + context "default fcgid config" do it 'succeeds in puppeting fcgid' do pp = <<-EOS class { 'epel': } # mod_fcgid lives in epel
--- a/modules/apache/spec/acceptance/mod_mime_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/acceptance/mod_mime_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -1,18 +1,7 @@ require 'spec_helper_acceptance' +require_relative './version.rb' -describe 'apache::mod::mime class', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do - case fact('osfamily') - when 'Debian' - mod_dir = '/etc/apache2/mods-available' - service_name = 'apache2' - when 'RedHat' - mod_dir = '/etc/httpd/conf.d' - service_name = 'httpd' - when 'FreeBSD' - mod_dir = '/usr/local/etc/apache24/Modules' - service_name = 'apache24' - end - +describe 'apache::mod::mime class' do context "default mime config" do it 'succeeds in puppeting mime' do pp= <<-EOS @@ -22,13 +11,20 @@ apply_manifest(pp, :catch_failures => true) end - describe service(service_name) do - it { is_expected.to be_enabled } + describe service($service_name) do + if (fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '8') + pending 'Should be enabled - Bug 760616 on Debian 8' + else + it { should be_enabled } + end it { is_expected.to be_running } end - describe file("#{mod_dir}/mime.conf") do + describe file("#{$mod_dir}/mime.conf") do it { is_expected.to contain "AddType application/x-compress .Z" } + it { is_expected.to contain "AddHandler type-map var\n" } + it { is_expected.to contain "AddType text/html .shtml\n" } + it { is_expected.to contain "AddOutputFilter INCLUDES .shtml\n" } end end end
--- a/modules/apache/spec/acceptance/mod_negotiation_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/acceptance/mod_negotiation_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -1,21 +1,7 @@ require 'spec_helper_acceptance' +require_relative './version.rb' -describe 'apache::mod::negotiation class', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do - case fact('osfamily') - when 'Debian' - vhost_dir = '/etc/apache2/sites-enabled' - mod_dir = '/etc/apache2/mods-available' - service_name = 'apache2' - when 'RedHat' - vhost_dir = '/etc/httpd/conf.d' - mod_dir = '/etc/httpd/conf.d' - service_name = 'httpd' - when 'FreeBSD' - vhost_dir = '/usr/local/etc/apache24/Vhosts' - mod_dir = '/usr/local/etc/apache24/Modules' - service_name = 'apache24' - end - +describe 'apache::mod::negotiation class' do context "default negotiation config" do it 'succeeds in puppeting negotiation' do pp= <<-EOS @@ -25,13 +11,17 @@ apply_manifest(pp, :catch_failures => true) end - describe file("#{mod_dir}/negotiation.conf") do + describe file("#{$mod_dir}/negotiation.conf") do it { should contain "LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt pt-BR ru sv zh-CN zh-TW ForceLanguagePriority Prefer Fallback" } end - describe service(service_name) do - it { should be_enabled } + describe service($service_name) do + if (fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '8') + pending 'Should be enabled - Bug 760616 on Debian 8' + else + it { should be_enabled } + end it { should be_running } end end @@ -47,12 +37,16 @@ apply_manifest(pp, :catch_failures => true) end - describe file("#{mod_dir}/negotiation.conf") do + describe file("#{$mod_dir}/negotiation.conf") do it { should contain "ForceLanguagePriority Prefer" } end - describe service(service_name) do - it { should be_enabled } + describe service($service_name) do + if (fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '8') + pending 'Should be enabled - Bug 760616 on Debian 8' + else + it { should be_enabled } + end it { should be_running } end end @@ -68,12 +62,16 @@ apply_manifest(pp, :catch_failures => true) end - describe file("#{mod_dir}/negotiation.conf") do + describe file("#{$mod_dir}/negotiation.conf") do it { should contain "LanguagePriority en es" } end - describe service(service_name) do - it { should be_enabled } + describe service($service_name) do + if (fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '8') + pending 'Should be enabled - Bug 760616 on Debian 8' + else + it { should be_enabled } + end it { should be_running } end end
--- a/modules/apache/spec/acceptance/mod_pagespeed_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/acceptance/mod_pagespeed_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -1,21 +1,13 @@ require 'spec_helper_acceptance' +require_relative './version.rb' -describe 'apache::mod::pagespeed class', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do - case fact('osfamily') - when 'Debian' - vhost_dir = '/etc/apache2/sites-enabled' - mod_dir = '/etc/apache2/mods-available' - service_name = 'apache2' - when 'RedHat' - vhost_dir = '/etc/httpd/conf.d' - mod_dir = '/etc/httpd/conf.d' - service_name = 'httpd' - when 'FreeBSD' - vhost_dir = '/usr/local/etc/apache24/Vhosts' - mod_dir = '/usr/local/etc/apache24/Modules' - service_name = 'apache24' - end - +# Don't run this test on Debian < 8 or Ubuntu < 12, because Debian doesn't like +# updating packages and Pagespeed doesn't like old packages. +describe 'apache::mod::pagespeed class', :unless => + ((fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') < '8') or + (fact('operatingsystem') == 'Ubuntu' && fact('operatingsystemmajrelease') < '12') or + (fact('osfamily') == 'RedHat' && fact('operatingsystemmajrelease') < '6') or + (fact('operatingsystem') == 'SLES' )) do context "default pagespeed config" do it 'succeeds in puppeting pagespeed' do pp= <<-EOS @@ -30,12 +22,12 @@ repos => 'main', include_src => false, before => Class['apache'], - } + } } elsif $::osfamily == 'RedHat' { yumrepo { 'mod-pagespeed': baseurl => "http://dl.google.com/linux/mod-pagespeed/rpm/stable/$::architecture", enabled => 1, - gpgcheck => 1, + gpgcheck => 0, gpgkey => 'https://dl-ssl.google.com/linux/linux_signing_key.pub', before => Class['apache'], } @@ -51,10 +43,10 @@ } apache::vhost { 'pagespeed.example.com': port => '80', - docroot => '/var/www/pagespeed', + docroot => '#{$doc_root}/pagespeed', } host { 'pagespeed.example.com': ip => '127.0.0.1', } - file { '/var/www/pagespeed/index.html': + file { '#{$doc_root}/pagespeed/index.html': ensure => file, content => "<html>\n<!-- comment -->\n<body>\n<p>Hello World!</p>\n</body>\n</html>", } @@ -62,12 +54,16 @@ apply_manifest(pp, :catch_failures => true) end - describe service(service_name) do - it { is_expected.to be_enabled } + describe service($service_name) do + if (fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '8') + pending 'Should be enabled - Bug 760616 on Debian 8' + else + it { should be_enabled } + end it { is_expected.to be_running } end - describe file("#{mod_dir}/pagespeed.conf") do + describe file("#{$mod_dir}/pagespeed.conf") do it { is_expected.to contain "AddOutputFilterByType MOD_PAGESPEED_OUTPUT_FILTER text/html" } it { is_expected.to contain "ModPagespeedEnableFilters remove_comments" } it { is_expected.to contain "ModPagespeedDisableFilters extend_cache" }
--- a/modules/apache/spec/acceptance/mod_passenger_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/acceptance/mod_passenger_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -1,12 +1,14 @@ require 'spec_helper_acceptance' +require_relative './version.rb' -describe 'apache::mod::passenger class', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do +describe 'apache::mod::passenger class' do + pending 'This cannot run in the same test run as apache::vhost with passenger + as the passenger.conf file is not yet managed by puppet and will be wiped out + between tests and not replaced' case fact('osfamily') when 'Debian' - service_name = 'apache2' - mod_dir = '/etc/apache2/mods-available/' - conf_file = "#{mod_dir}passenger.conf" - load_file = "#{mod_dir}passenger.load" + conf_file = "#{$mod_dir}/passenger.conf" + load_file = "#{$mod_dir}/zpassenger.load" case fact('operatingsystem') when 'Ubuntu' @@ -21,6 +23,10 @@ passenger_root = '/usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini' passenger_ruby = '/usr/bin/ruby' passenger_default_ruby = '/usr/bin/ruby' + when '16.04' + passenger_root = '/usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini' + passenger_ruby = '/usr/bin/ruby' + passenger_default_ruby = '/usr/bin/ruby' else # This may or may not work on Ubuntu releases other than the above passenger_root = '/usr' @@ -46,43 +52,37 @@ rackapp_user = 'www-data' rackapp_group = 'www-data' when 'RedHat' - service_name = 'httpd' - mod_dir = '/etc/httpd/conf.d/' - conf_file = "#{mod_dir}passenger.conf" - load_file = "#{mod_dir}passenger.load" + conf_file = "#{$mod_dir}/passenger.conf" + load_file = "#{$mod_dir}/zpassenger.load" # sometimes installs as 3.0.12, sometimes as 3.0.19 - so just check for the stable part - passenger_root = '/usr/lib/ruby/gems/1.8/gems/passenger-3.0.1' + passenger_root = '/usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini' passenger_ruby = '/usr/bin/ruby' - passenger_tempdir = '/var/run/rubygem-passenger' passenger_module_path = 'modules/mod_passenger.so' rackapp_user = 'apache' rackapp_group = 'apache' end pp_rackapp = <<-EOS - /* a simple ruby rack 'hellow world' app */ - file { '/var/www/passenger': - ensure => directory, - owner => '#{rackapp_user}', - group => '#{rackapp_group}', - require => Class['apache::mod::passenger'], - } - file { '/var/www/passenger/config.ru': - ensure => file, - owner => '#{rackapp_user}', - group => '#{rackapp_group}', - content => "app = proc { |env| [200, { \\"Content-Type\\" => \\"text/html\\" }, [\\"hello <b>world</b>\\"]] }\\nrun app", - require => File['/var/www/passenger'] , - } - apache::vhost { 'passenger.example.com': - port => '80', - docroot => '/var/www/passenger/public', - docroot_group => '#{rackapp_group}' , - docroot_owner => '#{rackapp_user}' , - custom_fragment => "PassengerRuby #{passenger_ruby}\\nRailsEnv development" , - require => File['/var/www/passenger/config.ru'] , - } - host { 'passenger.example.com': ip => '127.0.0.1', } + /* a simple ruby rack 'hello world' app */ + file { '/var/www/passenger': + ensure => directory, + owner => '#{rackapp_user}', + group => '#{rackapp_group}', + } + file { '/var/www/passenger/config.ru': + ensure => file, + owner => '#{rackapp_user}', + group => '#{rackapp_group}', + content => "app = proc { |env| [200, { \\"Content-Type\\" => \\"text/html\\" }, [\\"hello <b>world</b>\\"]] }\\nrun app", + } + apache::vhost { 'passenger.example.com': + port => '80', + docroot => '/var/www/passenger/public', + docroot_group => '#{rackapp_group}', + docroot_owner => '#{rackapp_user}', + require => File['/var/www/passenger/config.ru'], + } + host { 'passenger.example.com': ip => '127.0.0.1', } EOS case fact('osfamily') @@ -98,8 +98,12 @@ apply_manifest(pp, :catch_failures => true) end - describe service(service_name) do - it { is_expected.to be_enabled } + describe service($service_name) do + if (fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '8') + pending 'Should be enabled - Bug 760616 on Debian 8' + else + it { should be_enabled } + end it { is_expected.to be_running } end @@ -118,6 +122,9 @@ when '14.04' it { is_expected.to contain "PassengerDefaultRuby \"#{passenger_ruby}\"" } it { is_expected.not_to contain "/PassengerRuby/" } + when '16.04' + it { is_expected.to contain "PassengerDefaultRuby \"#{passenger_ruby}\"" } + it { is_expected.not_to contain "/PassengerRuby/" } else # This may or may not work on Ubuntu releases other than the above it { is_expected.to contain "PassengerRuby \"#{passenger_ruby}\"" } @@ -152,7 +159,8 @@ # passenger-memory-stats output on newer Debian/Ubuntu verions do not contain # these two lines unless ((fact('operatingsystem') == 'Ubuntu' && fact('operatingsystemrelease') == '14.04') or - (fact('operatingsystem') == 'Debian' && fact('operatingsystemrelease') == '8.0')) + (fact('operatingsystem') == 'Ubuntu' && fact('operatingsystemrelease') == '16.04') or + (fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '8')) expect(r.stdout).to match(/### Processes: [0-9]+/) expect(r.stdout).to match(/### Total private dirty RSS: [0-9\.]+ MB/) end @@ -169,7 +177,9 @@ shell("PATH=/usr/bin:$PATH /usr/sbin/passenger-status") do |r| # spacing may vary expect(r.stdout).to match(/[\-]+ General information [\-]+/) - if fact('operatingsystem') == 'Ubuntu' && fact('operatingsystemrelease') == '14.04' + if fact('operatingsystem') == 'Ubuntu' && fact('operatingsystemrelease') == '14.04' or + (fact('operatingsystem') == 'Ubuntu' && fact('operatingsystemrelease') == '16.04') or + fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '8' expect(r.stdout).to match(/Max pool size[ ]+: [0-9]+/) expect(r.stdout).to match(/Processes[ ]+: [0-9]+/) expect(r.stdout).to match(/Requests in top-level queue[ ]+: [0-9]+/) @@ -194,115 +204,5 @@ end end - - when 'RedHat' - # no fedora 18 passenger package yet, and rhel5 packages only exist for ruby 1.8.5 - unless (fact('operatingsystem') == 'Fedora' and fact('operatingsystemrelease').to_f >= 18) or (fact('osfamily') == 'RedHat' and fact('operatingsystemmajrelease') == '5' and fact('rubyversion') != '1.8.5') - - if fact('osfamily') == 'RedHat' and fact('operatingsystemmajrelease') == '7' - pending('test passenger - RHEL7 packages don\'t exist') - else - context "default passenger config" do - it 'succeeds in puppeting passenger' do - pp = <<-EOS - /* EPEL and passenger repositories */ - class { 'epel': } - exec { 'passenger.repo GPG key': - command => '/usr/bin/curl -o /etc/yum.repos.d/RPM-GPG-KEY-stealthymonkeys.asc http://passenger.stealthymonkeys.com/RPM-GPG-KEY-stealthymonkeys.asc', - creates => '/etc/yum.repos.d/RPM-GPG-KEY-stealthymonkeys.asc', - } - file { 'passenger.repo GPG key': - ensure => file, - path => '/etc/yum.repos.d/RPM-GPG-KEY-stealthymonkeys.asc', - require => Exec['passenger.repo GPG key'], - } - epel::rpm_gpg_key { 'passenger.stealthymonkeys.com': - path => '/etc/yum.repos.d/RPM-GPG-KEY-stealthymonkeys.asc', - require => [ - Class['epel'], - File['passenger.repo GPG key'], - ] - } - $releasever_string = $operatingsystem ? { - 'Scientific' => '6', - default => '$releasever', - } - yumrepo { 'passenger': - baseurl => "http://passenger.stealthymonkeys.com/rhel/${releasever_string}/\\$basearch" , - descr => "Red Hat Enterprise ${releasever_string} - Phusion Passenger", - enabled => 1, - gpgcheck => 1, - gpgkey => 'http://passenger.stealthymonkeys.com/RPM-GPG-KEY-stealthymonkeys.asc', - mirrorlist => 'http://passenger.stealthymonkeys.com/rhel/mirrors', - require => [ - Epel::Rpm_gpg_key['passenger.stealthymonkeys.com'], - ], - } - /* apache and mod_passenger */ - class { 'apache': - require => [ - Class['epel'], - ], - } - class { 'apache::mod::passenger': - require => [ - Yumrepo['passenger'] - ], - } - #{pp_rackapp} - EOS - apply_manifest(pp, :catch_failures => true) - end - - describe service(service_name) do - it { is_expected.to be_enabled } - it { is_expected.to be_running } - end - - describe file(conf_file) do - it { is_expected.to contain "PassengerRoot #{passenger_root}" } - it { is_expected.to contain "PassengerRuby #{passenger_ruby}" } - it { is_expected.to contain "PassengerTempDir #{passenger_tempdir}" } - end - - describe file(load_file) do - it { is_expected.to contain "LoadModule passenger_module #{passenger_module_path}" } - end - - it 'should output status via passenger-memory-stats' do - shell("/usr/bin/passenger-memory-stats", :pty => true) do |r| - expect(r.stdout).to match(/Apache processes/) - expect(r.stdout).to match(/Nginx processes/) - expect(r.stdout).to match(/Passenger processes/) - expect(r.stdout).to match(/### Processes: [0-9]+/) - expect(r.stdout).to match(/### Total private dirty RSS: [0-9\.]+ MB/) - - expect(r.exit_code).to eq(0) - end - end - - it 'should output status via passenger-status' do - shell("PASSENGER_TMPDIR=/var/run/rubygem-passenger /usr/bin/passenger-status") do |r| - # spacing may vary - r.stdout.should =~ /[\-]+ General information [\-]+/ - r.stdout.should =~ /max[ ]+= [0-9]+/ - r.stdout.should =~ /count[ ]+= [0-9]+/ - r.stdout.should =~ /active[ ]+= [0-9]+/ - r.stdout.should =~ /inactive[ ]+= [0-9]+/ - r.stdout.should =~ /Waiting on global queue: [0-9]+/ - - r.exit_code.should == 0 - end - end - - it 'should answer to passenger.example.com' do - shell("/usr/bin/curl passenger.example.com:80") do |r| - r.stdout.should =~ /^hello <b>world<\/b>$/ - r.exit_code.should == 0 - end - end - end - end - end end end
--- a/modules/apache/spec/acceptance/mod_php_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/acceptance/mod_php_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -1,139 +1,152 @@ require 'spec_helper_acceptance' +require_relative './version.rb' -describe 'apache::mod::php class', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do - case fact('osfamily') - when 'Debian' - vhost_dir = '/etc/apache2/sites-enabled' - mod_dir = '/etc/apache2/mods-available' - service_name = 'apache2' - when 'RedHat' - vhost_dir = '/etc/httpd/conf.d' - mod_dir = '/etc/httpd/conf.d' - service_name = 'httpd' - when 'FreeBSD' - vhost_dir = '/usr/local/etc/apache24/Vhosts' - mod_dir = '/usr/local/etc/apache24/Modules' - service_name = 'apache24' - end +unless (fact('operatingsystem') == 'SLES' && fact('operatingsystemmajrelease') == '12') + describe 'apache::mod::php class' do + context "default php config" do + it 'succeeds in puppeting php' do + pp= <<-EOS + class { 'apache': + mpm_module => 'prefork', + } + class { 'apache::mod::php': } + apache::vhost { 'php.example.com': + port => '80', + docroot => '#{$doc_root}/php', + } + host { 'php.example.com': ip => '127.0.0.1', } + file { '#{$doc_root}/php/index.php': + ensure => file, + content => "<?php phpinfo(); ?>\\n", + } + EOS + apply_manifest(pp, :catch_failures => true) + end - context "default php config" do - it 'succeeds in puppeting php' do - pp= <<-EOS - class { 'apache': - mpm_module => 'prefork', - } - class { 'apache::mod::php': } - apache::vhost { 'php.example.com': - port => '80', - docroot => '/var/www/php', - } - host { 'php.example.com': ip => '127.0.0.1', } - file { '/var/www/php/index.php': - ensure => file, - content => "<?php phpinfo(); ?>\\n", - } - EOS - apply_manifest(pp, :catch_failures => true) - end + describe service($service_name) do + if (fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '8') + pending 'Should be enabled - Bug 760616 on Debian 8' + else + it { should be_enabled } + end + it { is_expected.to be_running } + end - describe service(service_name) do - it { is_expected.to be_enabled } - it { is_expected.to be_running } - end + if (fact('operatingsystem') == 'Ubuntu' && fact('operatingsystemmajrelease') == '16.04') + describe file("#{$mod_dir}/php7.0.conf") do + it { is_expected.to contain "DirectoryIndex index.php" } + end + else + describe file("#{$mod_dir}/php5.conf") do + it { is_expected.to contain "DirectoryIndex index.php" } + end + end - describe file("#{mod_dir}/php5.conf") do - it { is_expected.to contain "DirectoryIndex index.php" } - end - - it 'should answer to php.example.com' do - shell("/usr/bin/curl php.example.com:80") do |r| - expect(r.stdout).to match(/PHP Version/) - expect(r.exit_code).to eq(0) + it 'should answer to php.example.com' do + shell("/usr/bin/curl php.example.com:80") do |r| + expect(r.stdout).to match(/PHP Version/) + expect(r.exit_code).to eq(0) + end end end - end - context "custom extensions, php_flag, php_value, php_admin_flag, and php_admin_value" do - it 'succeeds in puppeting php' do - pp= <<-EOS - class { 'apache': - mpm_module => 'prefork', - } - class { 'apache::mod::php': - extensions => ['.php','.php5'], - } - apache::vhost { 'php.example.com': - port => '80', - docroot => '/var/www/php', - php_values => { 'include_path' => '.:/usr/share/pear:/usr/bin/php', }, - php_flags => { 'display_errors' => 'on', }, - php_admin_values => { 'open_basedir' => '/var/www/php/:/usr/share/pear/', }, - php_admin_flags => { 'engine' => 'on', }, - } - host { 'php.example.com': ip => '127.0.0.1', } - file { '/var/www/php/index.php5': - ensure => file, - content => "<?php phpinfo(); ?>\\n", - } - EOS - apply_manifest(pp, :catch_failures => true) - end + context "custom extensions, php_flag, php_value, php_admin_flag, and php_admin_value" do + it 'succeeds in puppeting php' do + pp= <<-EOS + class { 'apache': + mpm_module => 'prefork', + } + class { 'apache::mod::php': + extensions => ['.php','.php5'], + } + apache::vhost { 'php.example.com': + port => '80', + docroot => '#{$doc_root}/php', + php_values => { 'include_path' => '.:/usr/share/pear:/usr/bin/php', }, + php_flags => { 'display_errors' => 'on', }, + php_admin_values => { 'open_basedir' => '/var/www/php/:/usr/share/pear/', }, + php_admin_flags => { 'engine' => 'on', }, + } + host { 'php.example.com': ip => '127.0.0.1', } + file { '#{$doc_root}/php/index.php5': + ensure => file, + content => "<?php phpinfo(); ?>\\n", + } + EOS + apply_manifest(pp, :catch_failures => true) + end - describe service(service_name) do - it { is_expected.to be_enabled } - it { is_expected.to be_running } - end + describe service($service_name) do + if (fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '8') + pending 'Should be enabled - Bug 760616 on Debian 8' + else + it { should be_enabled } + end + it { is_expected.to be_running } + end - describe file("#{vhost_dir}/25-php.example.com.conf") do - it { is_expected.to contain " php_flag display_errors on" } - it { is_expected.to contain " php_value include_path .:/usr/share/pear:/usr/bin/php" } - it { is_expected.to contain " php_admin_flag engine on" } - it { is_expected.to contain " php_admin_value open_basedir /var/www/php/:/usr/share/pear/" } + describe file("#{$vhost_dir}/25-php.example.com.conf") do + it { is_expected.to contain " php_flag display_errors on" } + it { is_expected.to contain " php_value include_path \".:/usr/share/pear:/usr/bin/php\"" } + it { is_expected.to contain " php_admin_flag engine on" } + it { is_expected.to contain " php_admin_value open_basedir /var/www/php/:/usr/share/pear/" } + end + + it 'should answer to php.example.com' do + shell("/usr/bin/curl php.example.com:80") do |r| + expect(r.stdout).to match(/\/usr\/share\/pear\//) + expect(r.exit_code).to eq(0) + end + end end - it 'should answer to php.example.com' do - shell("/usr/bin/curl php.example.com:80") do |r| - expect(r.stdout).to match(/\/usr\/share\/pear\//) - expect(r.exit_code).to eq(0) + context "provide custom config file" do + it 'succeeds in puppeting php' do + pp= <<-EOS + class {'apache': + mpm_module => 'prefork', + } + class {'apache::mod::php': + content => '# somecontent', + } + EOS + apply_manifest(pp, :catch_failures => true) end - end - end - - context "provide custom config file" do - it 'succeeds in puppeting php' do - pp= <<-EOS - class {'apache': - mpm_module => 'prefork', - } - class {'apache::mod::php': - content => '# somecontent', - } - EOS - apply_manifest(pp, :catch_failures => true) + if (fact('operatingsystem') == 'Ubuntu' && fact('operatingsystemmajrelease') == '16.04') + describe file("#{$mod_dir}/php7.0.conf") do + it { should contain "# somecontent" } + end + else + describe file("#{$mod_dir}/php5.conf") do + it { should contain "# somecontent" } + end + end end - describe file("#{mod_dir}/php5.conf") do - it { should contain "# somecontent" } - end - end + context "provide content and template config file" do + it 'succeeds in puppeting php' do + pp= <<-EOS + class {'apache': + mpm_module => 'prefork', + } + class {'apache::mod::php': + content => '# somecontent', + template => 'apache/mod/php5.conf.erb', + } + EOS + apply_manifest(pp, :catch_failures => true) + end - context "provide content and template config file" do - it 'succeeds in puppeting php' do - pp= <<-EOS - class {'apache': - mpm_module => 'prefork', - } - class {'apache::mod::php': - content => '# somecontent', - template => 'apache/mod/php5.conf.erb', - } - EOS - apply_manifest(pp, :catch_failures => true) + if (fact('operatingsystem') == 'Ubuntu' && fact('operatingsystemmajrelease') == '16.04') + describe file("#{$mod_dir}/php7.0.conf") do + it { should contain "# somecontent" } + end + else + describe file("#{$mod_dir}/php5.conf") do + it { should contain "# somecontent" } + end + end end - describe file("#{mod_dir}/php5.conf") do - it { should contain "# somecontent" } - end end - end
--- a/modules/apache/spec/acceptance/mod_proxy_html_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/acceptance/mod_proxy_html_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -1,15 +1,8 @@ require 'spec_helper_acceptance' +require_relative './version.rb' -describe 'apache::mod::proxy_html class', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do - case fact('osfamily') - when 'Debian' - service_name = 'apache2' - when 'RedHat' - service_name = 'httpd' - when 'FreeBSD' - service_name = 'apache24' - end - +# Don't run proxy_html tests on RHEL7 because the yum repos are missing packages required by it. +describe 'apache::mod::proxy_html class', :unless => (fact('osfamily') == 'RedHat' and fact('operatingsystemmajrelease') == '7') do context "default proxy_html config" do if fact('osfamily') == 'RedHat' and fact('operatingsystemmajrelease') =~ /(5|6)/ it 'adds epel' do @@ -31,8 +24,12 @@ apply_manifest(pp, :catch_failures => true) end - describe service(service_name) do - it { is_expected.to be_enabled } + describe service($service_name) do + if (fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '8') + pending 'Should be enabled - Bug 760616 on Debian 8' + else + it { should be_enabled } + end it { is_expected.to be_running } end end
--- a/modules/apache/spec/acceptance/mod_security_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/acceptance/mod_security_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -1,23 +1,25 @@ require 'spec_helper_acceptance' +require_relative './version.rb' -describe 'apache::mod::security class', :unless => (UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) or (fact('osfamily') == 'Debian' and (fact('lsbdistcodename') == 'squeeze' or fact('lsbdistcodename') == 'lucid' or fact('lsbdistcodename') == 'precise'))) do - case fact('osfamily') - when 'Debian' - mod_dir = '/etc/apache2/mods-available' - service_name = 'apache2' - package_name = 'apache2' - when 'RedHat' - mod_dir = '/etc/httpd/conf.d' - service_name = 'httpd' - package_name = 'httpd' - end - +describe 'apache::mod::security class', :unless => (fact('osfamily') == 'Debian' and (fact('lsbdistcodename') == 'squeeze' or fact('lsbdistcodename') == 'lucid' or fact('lsbdistcodename') == 'precise' or fact('lsbdistcodename') == 'wheezy')) || (fact('operatingsystem') == 'SLES' and fact('operatingsystemrelease') < '11') do context "default mod_security config" do if fact('osfamily') == 'RedHat' and fact('operatingsystemmajrelease') =~ /(5|6)/ it 'adds epel' do pp = "class { 'epel': }" apply_manifest(pp, :catch_failures => true) end + elsif fact('osfamily') == 'RedHat' and fact('operatingsystemmajrelease') == '7' + it 'changes obsoletes, per PUP-4497' do + pp = <<-EOS + ini_setting { 'obsoletes': + path => '/etc/yum.conf', + section => 'main', + setting => 'obsoletes', + value => '0', + } + EOS + apply_manifest(pp, :catch_failures => true) + end end it 'succeeds in puppeting mod_security' do @@ -27,38 +29,51 @@ class { 'apache::mod::security': } apache::vhost { 'modsec.example.com': port => '80', - docroot => '/var/www/html', + docroot => '#{$doc_root}/html', } - file { '/var/www/html/index.html': + file { '#{$doc_root}/html/index.html': ensure => file, content => 'Index page', } EOS apply_manifest(pp, :catch_failures => true) + + #Need to add a short sleep here because on RHEL6 the service takes a bit longer to init + if fact('osfamily') == 'RedHat' and fact('operatingsystemmajrelease') =~ /(5|6)/ + sleep 5 + end end - describe service(service_name) do - it { is_expected.to be_enabled } + describe service($service_name) do + if (fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '8') + pending 'Should be enabled - Bug 760616 on Debian 8' + else + it { should be_enabled } + end it { is_expected.to be_running } end - describe package(package_name) do + describe package($package_name) do it { is_expected.to be_installed } end - describe file("#{mod_dir}/security.conf") do + describe file("#{$mod_dir}/security.conf") do it { is_expected.to contain "mod_security2.c" } end - it 'should return index page' do - shell('/usr/bin/curl -A beaker modsec.example.com:80') do |r| - expect(r.stdout).to match(/Index page/) - expect(r.exit_code).to eq(0) + describe 'should be listening on port 80' do + it 'should return index page' do + shell('/usr/bin/curl -A beaker modsec.example.com:80') do |r| + expect(r.stdout).to match(/Index page/) + expect(r.exit_code).to eq(0) + end end - end - it 'should block query with SQL' do - shell '/usr/bin/curl -A beaker -f modsec.example.com:80?SELECT%20*FROM%20mysql.users', :acceptable_exit_codes => [22] + unless fact('operatingsystem') == 'SLES' + it 'should block query with SQL' do + shell '/usr/bin/curl -A beaker -f modsec.example.com:80?SELECT%20*FROM%20mysql.users', :acceptable_exit_codes => [22] + end + end end end #default mod_security config @@ -71,9 +86,9 @@ class { 'apache::mod::security': } apache::vhost { 'modsec.example.com': port => '80', - docroot => '/var/www/html', + docroot => '#{$doc_root}/html', } - file { '/var/www/html/index.html': + file { '#{$doc_root}/html/index.html': ensure => file, content => 'Index page', } @@ -81,17 +96,23 @@ apply_manifest(pp, :catch_failures => true) end - describe service(service_name) do - it { is_expected.to be_enabled } + describe service($service_name) do + if (fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '8') + pending 'Should be enabled - Bug 760616 on Debian 8' + else + it { should be_enabled } + end it { is_expected.to be_running } end - describe file("#{mod_dir}/security.conf") do + describe file("#{$mod_dir}/security.conf") do it { is_expected.to contain "mod_security2.c" } end - it 'should block query with SQL' do - shell '/usr/bin/curl -A beaker -f modsec.example.com:80?SELECT%20*FROM%20mysql.users', :acceptable_exit_codes => [22] + unless fact('operatingsystem') == 'SLES' + it 'should block query with SQL' do + shell '/usr/bin/curl -A beaker -f modsec.example.com:80?SELECT%20*FROM%20mysql.users', :acceptable_exit_codes => [22] + end end it 'should disable mod_security per vhost' do @@ -100,7 +121,7 @@ class { 'apache::mod::security': } apache::vhost { 'modsec.example.com': port => '80', - docroot => '/var/www/html', + docroot => '#{$doc_root}/html', modsec_disable_vhost => true, } EOS @@ -123,9 +144,9 @@ class { 'apache::mod::security': } apache::vhost { 'modsec.example.com': port => '80', - docroot => '/var/www/html', + docroot => '#{$doc_root}/html', } - file { '/var/www/html/index.html': + file { '#{$doc_root}/html/index.html': ensure => file, content => 'Index page', } @@ -133,17 +154,23 @@ apply_manifest(pp, :catch_failures => true) end - describe service(service_name) do - it { is_expected.to be_enabled } + describe service($service_name) do + if (fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '8') + pending 'Should be enabled - Bug 760616 on Debian 8' + else + it { should be_enabled } + end it { is_expected.to be_running } end - describe file("#{mod_dir}/security.conf") do + describe file("#{$mod_dir}/security.conf") do it { is_expected.to contain "mod_security2.c" } end - it 'should block query with SQL' do - shell '/usr/bin/curl -A beaker -f modsec.example.com:80?SELECT%20*FROM%20mysql.users', :acceptable_exit_codes => [22] + unless fact('operatingsystem') == 'SLES' + it 'should block query with SQL' do + shell '/usr/bin/curl -A beaker -f modsec.example.com:80?SELECT%20*FROM%20mysql.users', :acceptable_exit_codes => [22] + end end it 'should disable mod_security per vhost' do @@ -152,7 +179,7 @@ class { 'apache::mod::security': } apache::vhost { 'modsec.example.com': port => '80', - docroot => '/var/www/html', + docroot => '#{$doc_root}/html', modsec_disable_ips => [ '127.0.0.1' ], } EOS @@ -175,13 +202,13 @@ class { 'apache::mod::security': } apache::vhost { 'modsec.example.com': port => '80', - docroot => '/var/www/html', + docroot => '#{$doc_root}/html', } - file { '/var/www/html/index.html': + file { '#{$doc_root}/html/index.html': ensure => file, content => 'Index page', } - file { '/var/www/html/index2.html': + file { '#{$doc_root}/html/index2.html': ensure => file, content => 'Page 2', } @@ -189,17 +216,23 @@ apply_manifest(pp, :catch_failures => true) end - describe service(service_name) do - it { is_expected.to be_enabled } + describe service($service_name) do + if (fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '8') + pending 'Should be enabled - Bug 760616 on Debian 8' + else + it { should be_enabled } + end it { is_expected.to be_running } end - describe file("#{mod_dir}/security.conf") do + describe file("#{$mod_dir}/security.conf") do it { is_expected.to contain "mod_security2.c" } end - it 'should block query with SQL' do - shell '/usr/bin/curl -A beaker -f modsec.example.com:80?SELECT%20*FROM%20mysql.users', :acceptable_exit_codes => [22] + unless fact('operatingsystem') == 'SLES' + it 'should block query with SQL' do + shell '/usr/bin/curl -A beaker -f modsec.example.com:80?SELECT%20*FROM%20mysql.users', :acceptable_exit_codes => [22] + end end it 'should disable mod_security per vhost' do @@ -208,7 +241,7 @@ class { 'apache::mod::security': } apache::vhost { 'modsec.example.com': port => '80', - docroot => '/var/www/html', + docroot => '#{$doc_root}/html', modsec_disable_ids => [ '950007' ], } EOS @@ -224,5 +257,130 @@ end #mod_security should allow disabling by id + context "mod_security should allow disabling by msg" do + it 'succeeds in puppeting mod_security' do + pp= <<-EOS + host { 'modsec.example.com': ip => '127.0.0.1', } + class { 'apache': } + class { 'apache::mod::security': } + apache::vhost { 'modsec.example.com': + port => '80', + docroot => '#{$doc_root}/html', + } + file { '#{$doc_root}/html/index.html': + ensure => file, + content => 'Index page', + } + file { '#{$doc_root}/html/index2.html': + ensure => file, + content => 'Page 2', + } + EOS + apply_manifest(pp, :catch_failures => true) + end + + describe service($service_name) do + if (fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '8') + pending 'Should be enabled - Bug 760616 on Debian 8' + else + it { should be_enabled } + end + it { is_expected.to be_running } + end + + describe file("#{$mod_dir}/security.conf") do + it { is_expected.to contain "mod_security2.c" } + end + + unless fact('operatingsystem') == 'SLES' + it 'should block query with SQL' do + shell '/usr/bin/curl -A beaker -f modsec.example.com:80?SELECT%20*FROM%20mysql.users', :acceptable_exit_codes => [22] + end + end + + it 'should disable mod_security per vhost' do + pp= <<-EOS + class { 'apache': } + class { 'apache::mod::security': } + apache::vhost { 'modsec.example.com': + port => '80', + docroot => '#{$doc_root}/html', + modsec_disable_msgs => [ 'Blind SQL Injection Attack' ], + } + EOS + apply_manifest(pp, :catch_failures => true) + end + + it 'should return index page' do + shell('/usr/bin/curl -A beaker -f modsec.example.com:80?SELECT%20*FROM%20mysql.users') do |r| + expect(r.stdout).to match(/Index page/) + expect(r.exit_code).to eq(0) + end + end + + end #mod_security should allow disabling by msg + + context "mod_security should allow disabling by tag" do + it 'succeeds in puppeting mod_security' do + pp= <<-EOS + host { 'modsec.example.com': ip => '127.0.0.1', } + class { 'apache': } + class { 'apache::mod::security': } + apache::vhost { 'modsec.example.com': + port => '80', + docroot => '#{$doc_root}/html', + } + file { '#{$doc_root}/html/index.html': + ensure => file, + content => 'Index page', + } + file { '#{$doc_root}/html/index2.html': + ensure => file, + content => 'Page 2', + } + EOS + apply_manifest(pp, :catch_failures => true) + end + + describe service($service_name) do + if (fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '8') + pending 'Should be enabled - Bug 760616 on Debian 8' + else + it { should be_enabled } + end + it { is_expected.to be_running } + end + + describe file("#{$mod_dir}/security.conf") do + it { is_expected.to contain "mod_security2.c" } + end + + unless fact('operatingsystem') == 'SLES' + it 'should block query with SQL' do + shell '/usr/bin/curl -A beaker -f modsec.example.com:80?SELECT%20*FROM%20mysql.users', :acceptable_exit_codes => [22] + end + end + + it 'should disable mod_security per vhost' do + pp= <<-EOS + class { 'apache': } + class { 'apache::mod::security': } + apache::vhost { 'modsec.example.com': + port => '80', + docroot => '#{$doc_root}/html', + modsec_disable_tags => [ 'WEB_ATTACK/SQL_INJECTION' ], + } + EOS + apply_manifest(pp, :catch_failures => true) + end + + it 'should return index page' do + shell('/usr/bin/curl -A beaker -f modsec.example.com:80?SELECT%20*FROM%20mysql.users') do |r| + expect(r.stdout).to match(/Index page/) + expect(r.exit_code).to eq(0) + end + end + + end #mod_security should allow disabling by tag end #apache::mod::security class
--- a/modules/apache/spec/acceptance/mod_suphp_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/acceptance/mod_suphp_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -1,45 +1,57 @@ require 'spec_helper_acceptance' -describe 'apache::mod::suphp class', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do - case fact('osfamily') - when 'Debian' - context "default suphp config" do - it 'succeeds in puppeting suphp' do - pp = <<-EOS - class { 'apache': - mpm_module => 'prefork', - } - class { 'apache::mod::php': } - class { 'apache::mod::suphp': } - apache::vhost { 'suphp.example.com': - port => '80', - docroot => '/var/www/suphp', - } - host { 'suphp.example.com': ip => '127.0.0.1', } - file { '/var/www/suphp/index.php': - ensure => file, - owner => 'daemon', - group => 'daemon', - content => "<?php echo get_current_user(); ?>\\n", - } - EOS - apply_manifest(pp, :catch_failures => true) +describe 'apache::mod::suphp class', :if => (fact('operatingsystem') == 'Ubuntu' and fact('operatingsystemmajrelease') != '16.04') do + context "default suphp config" do + it 'succeeds in puppeting suphp' do + pp = <<-EOS +class { 'apache': + mpm_module => 'prefork', +} +host { 'suphp.example.com': ip => '127.0.0.1', } +apache::vhost { 'suphp.example.com': + port => '80', + docroot => '/var/www/suphp', +} +file { '/var/www/suphp/index.php': + ensure => file, + owner => 'daemon', + group => 'daemon', + content => "<?php echo get_current_user(); ?>\\n", + require => File['/var/www/suphp'], + before => Class['apache::mod::php'], +} +class { 'apache::mod::php': } +class { 'apache::mod::suphp': } + EOS + apply_manifest(pp, :catch_failures => true) + end + + describe service('apache2') do + if (fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '8') + pending 'Should be enabled - Bug 760616 on Debian 8' + else + it { should be_enabled } end - - describe service('apache2') do - it { is_expected.to be_enabled } - it { is_expected.to be_running } - end + it { is_expected.to be_running } + end - it 'should answer to suphp.example.com' do - shell("/bin/sleep 10") - shell("/usr/bin/curl suphp.example.com:80") do |r| - expect(r.stdout).to match(/^daemon$/) - expect(r.exit_code).to eq(0) + it 'should answer to suphp.example.com' do + timeout = 0 + loop do + r = shell('curl suphp.example.com:80') + timeout += 1 + break if r.stdout =~ /^daemon$/ + if timeout > 40 + expect(timeout < 40).to be true + break end + sleep(1) + end + shell("/usr/bin/curl suphp.example.com:80") do |r| + expect(r.stdout).to match(/^daemon$/) + expect(r.exit_code).to eq(0) end end - when 'RedHat' - # Not implemented yet + end end
--- a/modules/apache/spec/acceptance/nodesets/centos-59-x64.yml Sun Dec 29 15:31:28 2019 +0000 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,10 +0,0 @@ -HOSTS: - centos-59-x64: - roles: - - master - platform: el-5-x86_64 - box : centos-59-x64-vbox4210-nocm - box_url : http://puppet-vagrant-boxes.puppetlabs.com/centos-59-x64-vbox4210-nocm.box - hypervisor : vagrant -CONFIG: - type: git
--- a/modules/apache/spec/acceptance/nodesets/centos-64-x64-pe.yml Sun Dec 29 15:31:28 2019 +0000 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,12 +0,0 @@ -HOSTS: - centos-64-x64: - roles: - - master - - database - - dashboard - platform: el-6-x86_64 - box : centos-64-x64-vbox4210-nocm - box_url : http://puppet-vagrant-boxes.puppetlabs.com/centos-64-x64-vbox4210-nocm.box - hypervisor : vagrant -CONFIG: - type: pe
--- a/modules/apache/spec/acceptance/nodesets/centos-64-x64.yml Sun Dec 29 15:31:28 2019 +0000 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,11 +0,0 @@ -HOSTS: - centos-64-x64: - roles: - - master - platform: el-6-x86_64 - box : centos-64-x64-vbox4210-nocm - box_url : http://puppet-vagrant-boxes.puppetlabs.com/centos-64-x64-vbox4210-nocm.box - hypervisor : vagrant -CONFIG: - log_level: debug - type: git
--- a/modules/apache/spec/acceptance/nodesets/centos-65-x64.yml Sun Dec 29 15:31:28 2019 +0000 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,10 +0,0 @@ -HOSTS: - centos-65-x64: - roles: - - master - platform: el-6-x86_64 - box : centos-65-x64-vbox436-nocm - box_url : http://puppet-vagrant-boxes.puppetlabs.com/centos-65-x64-virtualbox-nocm.box - hypervisor : vagrant -CONFIG: - type: foss
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/spec/acceptance/nodesets/centos-7-x64.yml Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,10 @@ +HOSTS: + centos-7-x64: + roles: + - agent + - default + platform: el-7-x86_64 + hypervisor: vagrant + box: puppetlabs/centos-7.2-64-nocm +CONFIG: + type: foss
--- a/modules/apache/spec/acceptance/nodesets/centos-70-x64.yml Sun Dec 29 15:31:28 2019 +0000 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,11 +0,0 @@ -HOSTS: - centos-70-x64: - roles: - - master - platform: el-7-x86_64 - box : puppetlabs/centos-7.0-64-nocm - box_url : https://vagrantcloud.com/puppetlabs/boxes/centos-7.0-64-nocm - hypervisor : vagrant -CONFIG: - log_level: verbose - type: foss
--- a/modules/apache/spec/acceptance/nodesets/debian-607-x64.yml Sun Dec 29 15:31:28 2019 +0000 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,11 +0,0 @@ -HOSTS: - debian-607-x64: - roles: - - master - platform: debian-6-amd64 - box : debian-607-x64-vbox4210-nocm - box_url : http://puppet-vagrant-boxes.puppetlabs.com/debian-607-x64-vbox4210-nocm.box - hypervisor : vagrant -CONFIG: - log_level: debug - type: git
--- a/modules/apache/spec/acceptance/nodesets/debian-70rc1-x64.yml Sun Dec 29 15:31:28 2019 +0000 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,11 +0,0 @@ -HOSTS: - debian-70rc1-x64: - roles: - - master - platform: debian-7-amd64 - box : debian-70rc1-x64-vbox4210-nocm - box_url : http://puppet-vagrant-boxes.puppetlabs.com/debian-70rc1-x64-vbox4210-nocm.box - hypervisor : vagrant -CONFIG: - log_level: debug - type: git
--- a/modules/apache/spec/acceptance/nodesets/debian-73-i386.yml Sun Dec 29 15:31:28 2019 +0000 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,11 +0,0 @@ -HOSTS: - debian-73-i386: - roles: - - master - platform: debian-7-i386 - box : debian-73-i386-virtualbox-nocm - box_url : http://puppet-vagrant-boxes.puppetlabs.com/debian-73-i386-virtualbox-nocm.box - hypervisor : vagrant -CONFIG: - log_level: debug - type: git
--- a/modules/apache/spec/acceptance/nodesets/debian-73-x64.yml Sun Dec 29 15:31:28 2019 +0000 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,11 +0,0 @@ -HOSTS: - debian-73-x64: - roles: - - master - platform: debian-7-amd64 - box : debian-73-x64-virtualbox-nocm - box_url : http://puppet-vagrant-boxes.puppetlabs.com/debian-73-x64-virtualbox-nocm.box - hypervisor : vagrant -CONFIG: - log_level: debug - type: git
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/spec/acceptance/nodesets/debian-8-x64.yml Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,10 @@ +HOSTS: + debian-8-x64: + roles: + - agent + - default + platform: debian-8-amd64 + hypervisor: vagrant + box: puppetlabs/debian-8.2-64-nocm +CONFIG: + type: foss
--- a/modules/apache/spec/acceptance/nodesets/default.yml Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/acceptance/nodesets/default.yml Sun Dec 29 11:00:05 2019 -0500 @@ -1,11 +1,10 @@ HOSTS: - centos-64-x64: + ubuntu-1404-x64: roles: - - master - platform: el-6-x86_64 - box : centos-64-x64-vbox4210-nocm - box_url : http://puppet-vagrant-boxes.puppetlabs.com/centos-64-x64-vbox4210-nocm.box - hypervisor : vagrant + - agent + - default + platform: ubuntu-14.04-amd64 + hypervisor: vagrant + box: puppetlabs/ubuntu-14.04-64-nocm CONFIG: - log_level: debug - type: git + type: foss
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/spec/acceptance/nodesets/docker/centos-7.yml Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,12 @@ +HOSTS: + centos-7-x64: + platform: el-7-x86_64 + hypervisor: docker + image: centos:7 + docker_preserve_image: true + docker_cmd: '["/usr/sbin/init"]' + # install various tools required to get the image up to usable levels + docker_image_commands: + - 'yum install -y crontabs tar wget openssl sysvinit-tools iproute which initscripts' +CONFIG: + trace_limit: 200
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/spec/acceptance/nodesets/docker/debian-8.yml Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,11 @@ +HOSTS: + debian-8-x64: + platform: debian-8-amd64 + hypervisor: docker + image: debian:8 + docker_preserve_image: true + docker_cmd: '["/sbin/init"]' + docker_image_commands: + - 'apt-get update && apt-get install -y net-tools wget locales strace lsof && echo "en_US.UTF-8 UTF-8" > /etc/locale.gen && locale-gen' +CONFIG: + trace_limit: 200
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/spec/acceptance/nodesets/docker/ubuntu-14.04.yml Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,12 @@ +HOSTS: + ubuntu-1404-x64: + platform: ubuntu-14.04-amd64 + hypervisor: docker + image: ubuntu:14.04 + docker_preserve_image: true + docker_cmd: '["/sbin/init"]' + docker_image_commands: + # ensure that upstart is booting correctly in the container + - 'rm /usr/sbin/policy-rc.d && rm /sbin/initctl && dpkg-divert --rename --remove /sbin/initctl && apt-get update && apt-get install -y net-tools wget && locale-gen en_US.UTF-8' +CONFIG: + trace_limit: 200
--- a/modules/apache/spec/acceptance/nodesets/fedora-18-x64.yml Sun Dec 29 15:31:28 2019 +0000 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,11 +0,0 @@ -HOSTS: - fedora-18-x64: - roles: - - master - platform: fedora-18-x86_64 - box : fedora-18-x64-vbox4210-nocm - box_url : http://puppet-vagrant-boxes.puppetlabs.com/fedora-18-x64-vbox4210-nocm.box - hypervisor : vagrant -CONFIG: - log_level: debug - type: git
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/spec/acceptance/nodesets/suse.yml Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,25 @@ +--- +HOSTS: + sles-11-x86_64-agent: + roles: + - agent + - default + platform: sles-11-x86_64 + template: sles-11-x86_64 + hypervisor: virtualbox + redhat-7-x86_64-master: + roles: + - master + - dashboard + - database + - agent + platform: el-7-x86_64 + template: redhat-7-x86_64 + hypervisor: virtualbox +CONFIG: + nfs_server: none + consoleport: 443 + datastore: instance0 + folder: Delivery/Quality Assurance/Enterprise/Dynamic + resourcepool: delivery/Quality Assurance/Enterprise/Dynamic + pooling_api: http://vcloud.delivery.puppetlabs.net/
--- a/modules/apache/spec/acceptance/nodesets/ubuntu-server-10044-x64.yml Sun Dec 29 15:31:28 2019 +0000 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,10 +0,0 @@ -HOSTS: - ubuntu-server-10044-x64: - roles: - - master - platform: ubuntu-10.04-amd64 - box : ubuntu-server-10044-x64-vbox4210-nocm - box_url : http://puppet-vagrant-boxes.puppetlabs.com/ubuntu-server-10044-x64-vbox4210-nocm.box - hypervisor : vagrant -CONFIG: - type: foss
--- a/modules/apache/spec/acceptance/nodesets/ubuntu-server-12042-x64.yml Sun Dec 29 15:31:28 2019 +0000 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,10 +0,0 @@ -HOSTS: - ubuntu-server-12042-x64: - roles: - - master - platform: ubuntu-12.04-amd64 - box : ubuntu-server-12042-x64-vbox4210-nocm - box_url : http://puppet-vagrant-boxes.puppetlabs.com/ubuntu-server-12042-x64-vbox4210-nocm.box - hypervisor : vagrant -CONFIG: - type: foss
--- a/modules/apache/spec/acceptance/nodesets/ubuntu-server-1310-x64.yml Sun Dec 29 15:31:28 2019 +0000 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,11 +0,0 @@ -HOSTS: - ubuntu-server-1310-x64: - roles: - - master - platform: ubuntu-13.10-amd64 - box : ubuntu-server-1310-x64-vbox4210-nocm - box_url : http://puppet-vagrant-boxes.puppetlabs.com/ubuntu-1310-x64-virtualbox-nocm.box - hypervisor : vagrant -CONFIG: - log_level : debug - type: git
--- a/modules/apache/spec/acceptance/nodesets/ubuntu-server-1404-x64.yml Sun Dec 29 15:31:28 2019 +0000 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,11 +0,0 @@ -HOSTS: - ubuntu-server-1404-x64: - roles: - - master - platform: ubuntu-14.04-amd64 - box : puppetlabs/ubuntu-14.04-64-nocm - box_url : https://vagrantcloud.com/puppetlabs/ubuntu-14.04-64-nocm - hypervisor : vagrant -CONFIG: - log_level : debug - type: git
--- a/modules/apache/spec/acceptance/prefork_worker_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/acceptance/prefork_worker_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -1,13 +1,5 @@ require 'spec_helper_acceptance' - -case fact('osfamily') -when 'RedHat' - servicename = 'httpd' -when 'Debian' - servicename = 'apache2' -when 'FreeBSD' - servicename = 'apache24' -end +require_relative './version.rb' case fact('osfamily') when 'FreeBSD' @@ -27,53 +19,62 @@ end end - describe service(servicename) do + describe service($service_name) do it { is_expected.to be_running } - it { is_expected.to be_enabled } + if (fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '8') + pending 'Should be enabled - Bug 760616 on Debian 8' + else + it { should be_enabled } + end end end end -describe 'apache::mod::worker class', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do +describe 'apache::mod::worker class' do describe 'running puppet code' do # Using puppet_apply as a helper - it 'should work with no errors' do - pp = <<-EOS + let(:pp) do + <<-EOS class { 'apache': mpm_module => 'worker', } EOS + end - # Run it twice and test for idempotency - apply_manifest(pp, :catch_failures => true) - expect(apply_manifest(pp, :catch_failures => true).exit_code).to be_zero - end + # Run it twice and test for idempotency + it_behaves_like "a idempotent resource" end - describe service(servicename) do + describe service($service_name) do it { is_expected.to be_running } - it { is_expected.to be_enabled } + if (fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '8') + pending 'Should be enabled - Bug 760616 on Debian 8' + else + it { should be_enabled } + end end end -describe 'apache::mod::prefork class', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do +describe 'apache::mod::prefork class' do describe 'running puppet code' do # Using puppet_apply as a helper - it 'should work with no errors' do - pp = <<-EOS + let(:pp) do + <<-EOS class { 'apache': mpm_module => 'prefork', } EOS + end + # Run it twice and test for idempotency + it_behaves_like "a idempotent resource" + end - # Run it twice and test for idempotency - apply_manifest(pp, :catch_failures => true) - expect(apply_manifest(pp, :catch_failures => true).exit_code).to be_zero + describe service($service_name) do + it { is_expected.to be_running } + if (fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '8') + pending 'Should be enabled - Bug 760616 on Debian 8' + else + it { should be_enabled } end end - - describe service(servicename) do - it { is_expected.to be_running } - it { is_expected.to be_enabled } - end end
--- a/modules/apache/spec/acceptance/service_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/acceptance/service_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -1,19 +1,18 @@ require 'spec_helper_acceptance' -describe 'apache::service class', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do +describe 'apache::service class' do describe 'adding dependencies in between the base class and service class' do - it 'should work with no errors' do - pp = <<-EOS - class { 'apache': } - file { '/tmp/test': - require => Class['apache'], - notify => Class['apache::service'], - } + let(:pp) do + <<-EOS + class { 'apache': } + file { '/tmp/test': + require => Class['apache'], + notify => Class['apache::service'], + } EOS + end - # Run it twice and test for idempotency - apply_manifest(pp, :catch_failures => true) - expect(apply_manifest(pp, :catch_failures => true).exit_code).to be_zero - end + # Run it twice and test for idempotency + it_behaves_like "a idempotent resource" end end
--- a/modules/apache/spec/acceptance/unsupported_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,13 +0,0 @@ -require 'spec_helper_acceptance' - -describe 'unsupported distributions and OSes', :if => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do - it 'should fail' do - pp = <<-EOS - class { 'apache': } - apache::vhost { 'test.lan': - docroot => '/var/www', - } - EOS - expect(apply_manifest(pp, :expect_failures => true).stderr).to match(/unsupported/i) - end -end
--- a/modules/apache/spec/acceptance/version.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/acceptance/version.rb Sun Dec 29 11:00:05 2019 -0500 @@ -5,12 +5,12 @@ case _osfamily when 'RedHat' $confd_dir = '/etc/httpd/conf.d' - $mod_dir = '/etc/httpd/conf.d' $conf_file = '/etc/httpd/conf/httpd.conf' $ports_file = '/etc/httpd/conf/ports.conf' $vhost_dir = '/etc/httpd/conf.d' $vhost = '/etc/httpd/conf.d/15-default.conf' $run_dir = '/var/run/httpd' + $doc_root = '/var/www' $service_name = 'httpd' $package_name = 'httpd' $error_log = 'error_log' @@ -19,8 +19,10 @@ if (_operatingsystem == 'Fedora' and _operatingsystemrelease >= 18) or (_operatingsystem != 'Fedora' and _operatingsystemrelease >= 7) $apache_version = '2.4' + $mod_dir = '/etc/httpd/conf.modules.d' else $apache_version = '2.2' + $mod_dir = '/etc/httpd/conf.d' end when 'Debian' $confd_dir = '/etc/apache2/conf.d' @@ -30,6 +32,7 @@ $vhost = '/etc/apache2/sites-available/15-default.conf' $vhost_dir = '/etc/apache2/sites-enabled' $run_dir = '/var/run/apache2' + $doc_root = '/var/www' $service_name = 'apache2' $package_name = 'apache2' $error_log = 'error.log' @@ -51,12 +54,43 @@ $vhost = '/usr/local/etc/apache24/Vhosts/15-default.conf' $vhost_dir = '/usr/local/etc/apache24/Vhosts' $run_dir = '/var/run/apache24' + $doc_root = '/var/www' $service_name = 'apache24' $package_name = 'apache24' $error_log = 'http-error.log' $apache_version = '2.2' +when 'Gentoo' + $confd_dir = '/etc/apache2/conf.d' + $mod_dir = '/etc/apache2/modules.d' + $conf_file = '/etc/apache2/httpd.conf' + $ports_file = '/etc/apache2/ports.conf' + $vhost = '/etc/apache2/vhosts.d/15-default.conf' + $vhost_dir = '/etc/apache2/vhosts.d' + $run_dir = '/var/run/apache2' + $doc_root = '/var/www' + $service_name = 'apache2' + $package_name = 'www-servers/apache' + $error_log = 'http-error.log' + + $apache_version = '2.4' +when 'Suse' + $confd_dir = '/etc/apache2/conf.d' + $mod_dir = '/etc/apache2/mods-available' + $conf_file = '/etc/apache2/httpd.conf' + $ports_file = '/etc/apache2/ports.conf' + $vhost = '/etc/apache2/sites-available/15-default.conf' + $vhost_dir = '/etc/apache2/sites-available' + $run_dir = '/var/run/apache2' + $doc_root = '/srv/www' + $service_name = 'apache2' + $package_name = 'apache2' + $error_log = 'error.log' + if _operatingsystemrelease < 12 + $apache_version = '2.2' + else + $apache_version = '2.4' + end else $apache_version = '0' end -
--- a/modules/apache/spec/acceptance/vhost_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/acceptance/vhost_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -1,15 +1,20 @@ require 'spec_helper_acceptance' require_relative './version.rb' -describe 'apache::vhost define', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do +describe 'apache::vhost define' do context 'no default vhosts' do it 'should create no default vhosts' do pp = <<-EOS class { 'apache': default_vhost => false, default_ssl_vhost => false, - service_ensure => stopped + service_ensure => stopped, } + if ($::osfamily == 'Suse') { + exec { '/usr/bin/gensslcert': + require => Class['apache'], + } + } EOS apply_manifest(pp, :catch_failures => true) @@ -72,7 +77,7 @@ it 'should configure an apache vhost' do pp = <<-EOS class { 'apache': } - file { '#{$run_dir}': + file { '/var/www': ensure => 'directory', recurse => true, } @@ -80,7 +85,7 @@ apache::vhost { 'first.example.com': port => '80', docroot => '/var/www/first', - require => File['#{$run_dir}'], + require => File['/var/www'], } EOS apply_manifest(pp, :catch_failures => true) @@ -103,6 +108,7 @@ { 'path' => '/foo', 'url' => 'http://backend-foo/'}, ], proxy_preserve_host => true, + proxy_error_override => true, } EOS apply_manifest(pp, :catch_failures => true) @@ -113,10 +119,42 @@ it { is_expected.to contain "ServerName proxy.example.com" } it { is_expected.to contain "ProxyPass" } it { is_expected.to contain "ProxyPreserveHost On" } + it { is_expected.to contain "ProxyErrorOverride On" } + it { is_expected.not_to contain "ProxyAddHeaders" } it { is_expected.not_to contain "<Proxy \*>" } end end + unless (fact('operatingsystem') == 'SLES' and fact('operatingsystemmajorrelease') <= '10') + context 'new proxy vhost on port 80' do + it 'should configure an apache proxy vhost' do + pp = <<-EOS + class { 'apache': } + apache::vhost { 'proxy.example.com': + port => '80', + docroot => '#{$docroot}/proxy', + proxy_pass_match => [ + { 'path' => '/foo', 'url' => 'http://backend-foo/'}, + ], + proxy_preserve_host => true, + proxy_error_override => true, + } + EOS + apply_manifest(pp, :catch_failures => true) + end + + describe file("#{$vhost_dir}/25-proxy.example.com.conf") do + it { is_expected.to contain '<VirtualHost \*:80>' } + it { is_expected.to contain "ServerName proxy.example.com" } + it { is_expected.to contain "ProxyPassMatch /foo http://backend-foo/" } + it { is_expected.to contain "ProxyPreserveHost On" } + it { is_expected.to contain "ProxyErrorOverride On" } + it { is_expected.not_to contain "ProxyAddHeaders" } + it { is_expected.not_to contain "<Proxy \*>" } + end + end + end + context 'new vhost on port 80' do it 'should configure two apache vhosts' do pp = <<-EOS @@ -144,7 +182,11 @@ end describe service($service_name) do - it { is_expected.to be_enabled } + if (fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '8') + pending 'Should be enabled - Bug 760616 on Debian 8' + else + it { should be_enabled } + end it { is_expected.to be_running } end @@ -161,13 +203,118 @@ end end + context 'new vhost with multiple IP addresses on port 80' do + it 'should configure one apache vhost with 2 ip addresses' do + pp = <<-EOS + class { 'apache': + default_vhost => false, + } + apache::vhost { 'example.com': + port => '80', + ip => ['127.0.0.1','127.0.0.2'], + ip_based => true, + docroot => '/var/www/html', + } + host { 'host1.example.com': ip => '127.0.0.1', } + host { 'host2.example.com': ip => '127.0.0.2', } + file { '/var/www/html/index.html': + ensure => file, + content => "Hello from vhost\\n", + } + EOS + apply_manifest(pp, :catch_failures => true) + end + + describe service($service_name) do + if (fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '8') + pending 'Should be enabled - Bug 760616 on Debian 8' + else + it { should be_enabled } + end + it { is_expected.to be_running } + end + + describe file("#{$vhost_dir}/25-example.com.conf") do + it { is_expected.to contain '<VirtualHost 127.0.0.1:80 127.0.0.2:80>' } + it { is_expected.to contain "ServerName example.com" } + end + + describe file($ports_file) do + it { is_expected.to be_file } + it { is_expected.to contain 'Listen 127.0.0.1:80' } + it { is_expected.to contain 'Listen 127.0.0.2:80' } + it { is_expected.not_to contain 'NameVirtualHost 127.0.0.1:80' } + it { is_expected.not_to contain 'NameVirtualHost 127.0.0.2:80' } + end + + it 'should answer to host1.example.com' do + shell("/usr/bin/curl host1.example.com:80", {:acceptable_exit_codes => 0}) do |r| + expect(r.stdout).to eq("Hello from vhost\n") + end + end + + it 'should answer to host2.example.com' do + shell("/usr/bin/curl host2.example.com:80", {:acceptable_exit_codes => 0}) do |r| + expect(r.stdout).to eq("Hello from vhost\n") + end + end + end + + context 'new vhost with IPv6 address on port 80', :ipv6 do + it 'should configure one apache vhost with an ipv6 address' do + pp = <<-EOS + class { 'apache': + default_vhost => false, + } + apache::vhost { 'example.com': + port => '80', + ip => '::1', + ip_based => true, + docroot => '/var/www/html', + } + host { 'ipv6.example.com': ip => '::1', } + file { '/var/www/html/index.html': + ensure => file, + content => "Hello from vhost\\n", + } + EOS + apply_manifest(pp, :catch_failures => true) + end + + describe service($service_name) do + if (fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '8') + pending 'Should be enabled - Bug 760616 on Debian 8' + else + it { should be_enabled } + end + it { is_expected.to be_running } + end + + describe file("#{$vhost_dir}/25-example.com.conf") do + it { is_expected.to contain '<VirtualHost [::1]:80>' } + it { is_expected.to contain "ServerName example.com" } + end + + describe file($ports_file) do + it { is_expected.to be_file } + it { is_expected.to contain 'Listen [::1]:80' } + it { is_expected.not_to contain 'NameVirtualHost [::1]:80' } + end + + it 'should answer to ipv6.example.com' do + shell("/usr/bin/curl ipv6.example.com:80", {:acceptable_exit_codes => 0}) do |r| + expect(r.stdout).to eq("Hello from vhost\n") + end + end + end + context 'apache_directories' do describe 'readme example, adapted' do it 'should configure a vhost with Files' do pp = <<-EOS class { 'apache': } - if versioncmp($apache::apache_version, '2.4') >= 0 { + if versioncmp($apache_version, '2.4') >= 0 { $_files_match_directory = { 'path' => '(\.swp|\.bak|~)$', 'provider' => 'filesmatch', 'require' => 'all denied', } } else { $_files_match_directory = { 'path' => '(\.swp|\.bak|~)$', 'provider' => 'filesmatch', 'deny' => 'from all', } @@ -196,7 +343,11 @@ end describe service($service_name) do - it { is_expected.to be_enabled } + if (fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '8') + pending 'Should be enabled - Bug 760616 on Debian 8' + else + it { should be_enabled } + end it { is_expected.to be_running } end @@ -211,7 +362,7 @@ pp = <<-EOS class { 'apache': } - if versioncmp($apache::apache_version, '2.4') >= 0 { + if versioncmp($apache_version, '2.4') >= 0 { $_files_match_directory = { 'path' => 'private.html$', 'provider' => 'filesmatch', 'require' => 'all denied' } } else { $_files_match_directory = [ @@ -254,7 +405,11 @@ end describe service($service_name) do - it { is_expected.to be_enabled } + if (fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '8') + pending 'Should be enabled - Bug 760616 on Debian 8' + else + it { should be_enabled } + end it { is_expected.to be_running } end @@ -288,7 +443,11 @@ end describe service($service_name) do - it { is_expected.to be_enabled } + if (fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '8') + pending 'Should be enabled - Bug 760616 on Debian 8' + else + it { should be_enabled } + end it { is_expected.to be_running } end @@ -362,7 +521,11 @@ end describe service($service_name) do - it { should be_enabled } + if (fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '8') + pending 'Should be enabled - Bug 760616 on Debian 8' + else + it { should be_enabled } + end it { should be_running } end @@ -379,8 +542,8 @@ case fact('lsbdistcodename') when 'precise', 'wheezy' - context 'vhost fallbackresouce example' do - it 'should configure a vhost with Fallbackresource' do + context 'vhost FallbackResource example' do + it 'should configure a vhost with FallbackResource' do pp = <<-EOS class { 'apache': } apache::vhost { 'fallback.example.net': @@ -397,7 +560,11 @@ end describe service($service_name) do - it { is_expected.to be_enabled } + if (fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '8') + pending 'Should be enabled - Bug 760616 on Debian 8' + else + it { should be_enabled } + end it { is_expected.to be_running } end @@ -438,7 +605,11 @@ end describe service($service_name) do - it { is_expected.to be_enabled } + if (fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '8') + pending 'Should be enabled - Bug 760616 on Debian 8' + else + it { should be_enabled } + end it { is_expected.to be_running } end @@ -484,7 +655,11 @@ end describe service($service_name) do - it { is_expected.to be_enabled } + if (fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '8') + pending 'Should be enabled - Bug 760616 on Debian 8' + else + it { should be_enabled } + end it { is_expected.to be_running } end @@ -496,6 +671,53 @@ end end + unless (fact('operatingsystem') == 'SLES' and fact('operatingsystemmajorrelease') <= '10') + context 'proxy_pass_match for alternative vhost' do + it 'should configure a local vhost and a proxy vhost' do + apply_manifest(%{ + class { 'apache': default_vhost => false, } + apache::vhost { 'localhost': + docroot => '/var/www/local', + ip => '127.0.0.1', + port => '8888', + } + apache::listen { '*:80': } + apache::vhost { 'proxy.example.com': + docroot => '/var/www', + port => '80', + add_listen => false, + proxy_pass_match => { + 'path' => '/', + 'url' => 'http://localhost:8888/subdir/', + }, + } + host { 'proxy.example.com': ip => '127.0.0.1', } + file { ['/var/www/local', '/var/www/local/subdir']: ensure => directory, } + file { '/var/www/local/subdir/index.html': + ensure => file, + content => "Hello from localhost\\n", + } + }, :catch_failures => true) + end + + describe service($service_name) do + if (fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '8') + pending 'Should be enabled - Bug 760616 on Debian 8' + else + it { should be_enabled } + end + it { is_expected.to be_running } + end + + it 'should get a response from the back end' do + shell("/usr/bin/curl --max-redirs 0 proxy.example.com:80") do |r| + expect(r.stdout).to eq("Hello from localhost\n") + expect(r.exit_code).to eq(0) + end + end + end + end + describe 'ip_based' do it 'applies cleanly' do pp = <<-EOS @@ -514,6 +736,34 @@ it { is_expected.to be_file } it { is_expected.not_to contain 'NameVirtualHost test.server' } end + describe file("#{$vhost_dir}/25-test.server.conf") do + it { is_expected.to be_file } + it { is_expected.to contain "ServerName test.server" } + end + end + + describe 'ip_based and no servername' do + it 'applies cleanly' do + pp = <<-EOS + class { 'apache': } + host { 'test.server': ip => '127.0.0.1' } + apache::vhost { 'test.server': + docroot => '/tmp', + ip_based => true, + servername => '', + } + EOS + apply_manifest(pp, :catch_failures => true) + end + + describe file($ports_file) do + it { is_expected.to be_file } + it { is_expected.not_to contain 'NameVirtualHost test.server' } + end + describe file("#{$vhost_dir}/25-test.server.conf") do + it { is_expected.to be_file } + it { is_expected.not_to contain "ServerName" } + end end describe 'add_listen' do @@ -581,7 +831,11 @@ it { is_expected.to be_file } if fact('osfamily') == 'RedHat' and fact('operatingsystemmajrelease') == '7' it { is_expected.not_to contain 'NameVirtualHost test.server' } - elsif fact('operatingsystem') == 'Ubuntu' and fact('operatingsystemrelease') =~ /(14\.04|13\.10)/ + elsif fact('operatingsystem') == 'Ubuntu' and fact('operatingsystemrelease') =~ /(14\.04|13\.10|16\.04)/ + it { is_expected.not_to contain 'NameVirtualHost test.server' } + elsif fact('operatingsystem') == 'Debian' and fact('operatingsystemmajrelease') == '8' + it { is_expected.not_to contain 'NameVirtualHost test.server' } + elsif fact('operatingsystem') == 'SLES' and fact('operatingsystemrelease') >= '12' it { is_expected.not_to contain 'NameVirtualHost test.server' } else it { is_expected.to contain 'NameVirtualHost test.server' } @@ -846,7 +1100,7 @@ describe file("#{$vhost_dir}/25-test.server.conf") do it { is_expected.to be_file } - it { is_expected.to contain 'ProxyPass / test2/' } + it { is_expected.to contain 'ProxyPass / test2/' } end end @@ -860,7 +1114,7 @@ action => 'php-fastcgi', } EOS - pp = pp + "\nclass { 'apache::mod::actions': }" if fact('osfamily') == 'Debian' + pp = pp + "\nclass { 'apache::mod::actions': }" if fact('osfamily') == 'Debian' || fact('osfamily') == 'Suse' apply_manifest(pp, :catch_failures => true) end @@ -893,6 +1147,25 @@ end end + describe 'rack_base_uris' do + unless fact('osfamily') == 'RedHat' or fact('operatingsystem') == 'SLES' + it 'applies cleanly' do + test = lambda do + pp = <<-EOS + class { 'apache': } + host { 'test.server': ip => '127.0.0.1' } + apache::vhost { 'test.server': + docroot => '/tmp', + rack_base_uris => ['/test'], + } + EOS + apply_manifest(pp, :catch_failures => true) + end + test.call + end + end + end + describe 'no_proxy_uris' do it 'applies cleanly' do pp = <<-EOS @@ -909,8 +1182,8 @@ describe file("#{$vhost_dir}/25-test.server.conf") do it { is_expected.to be_file } - it { is_expected.to contain 'ProxyPass / http://test2/' } it { is_expected.to contain 'ProxyPass http://test2/test !' } + it { is_expected.to contain 'ProxyPass / http://test2/' } end end @@ -935,40 +1208,6 @@ end end - # Passenger isn't even in EPEL on el-5 - if default['platform'] !~ /^el-5/ - if fact('osfamily') == 'RedHat' and fact('operatingsystemmajrelease') == '7' - pending('Since we don\'t have passenger on RHEL7 rack_base_uris tests will fail') - else - describe 'rack_base_uris' do - if fact('osfamily') == 'RedHat' - it 'adds epel' do - pp = "class { 'epel': }" - apply_manifest(pp, :catch_failures => true) - end - end - - it 'applies cleanly' do - pp = <<-EOS - class { 'apache': } - host { 'test.server': ip => '127.0.0.1' } - apache::vhost { 'test.server': - docroot => '/tmp', - rack_base_uris => ['/test'], - } - EOS - apply_manifest(pp, :catch_failures => true) - end - - describe file("#{$vhost_dir}/25-test.server.conf") do - it { is_expected.to be_file } - it { is_expected.to contain 'RackBaseURI /test' } - end - end - end - end - - describe 'request_headers' do it 'applies cleanly' do pp = <<-EOS @@ -999,6 +1238,7 @@ { comment => 'test', rewrite_cond => '%{HTTP_USER_AGENT} ^Lynx/ [OR]', rewrite_rule => ['^index\.html$ welcome.html'], + rewrite_map => ['lc int:tolower'], } ], } @@ -1011,6 +1251,7 @@ it { is_expected.to contain '#test' } it { is_expected.to contain 'RewriteCond %{HTTP_USER_AGENT} ^Lynx/ [OR]' } it { is_expected.to contain 'RewriteRule ^index.html$ welcome.html' } + it { is_expected.to contain 'RewriteMap lc int:tolower' } end end @@ -1092,59 +1333,65 @@ describe file("#{$vhost_dir}/25-test.server.conf") do it { is_expected.to be_file } - it { is_expected.to contain '<DirectoryMatch .*\.(svn|git|bzr)/.*>' } + it { is_expected.to contain '<DirectoryMatch .*\.(svn|git|bzr|hg|ht)/.*>' } end end describe 'wsgi' do - it 'import_script applies cleanly' do - pp = <<-EOS - class { 'apache': } - class { 'apache::mod::wsgi': } - host { 'test.server': ip => '127.0.0.1' } - apache::vhost { 'test.server': - docroot => '/tmp', - wsgi_application_group => '%{GLOBAL}', - wsgi_daemon_process => 'wsgi', - wsgi_daemon_process_options => {processes => '2'}, - wsgi_process_group => 'nobody', - wsgi_script_aliases => { '/test' => '/test1' }, - wsgi_pass_authorization => 'On', - } - EOS - apply_manifest(pp, :catch_failures => true) + context 'on lucid', :if => fact('lsbdistcodename') == 'lucid' do + it 'import_script applies cleanly' do + pp = <<-EOS + class { 'apache': } + class { 'apache::mod::wsgi': } + host { 'test.server': ip => '127.0.0.1' } + apache::vhost { 'test.server': + docroot => '/tmp', + wsgi_application_group => '%{GLOBAL}', + wsgi_daemon_process => 'wsgi', + wsgi_daemon_process_options => {processes => '2'}, + wsgi_process_group => 'nobody', + wsgi_script_aliases => { '/test' => '/test1' }, + wsgi_script_aliases_match => { '/test/([^/*])' => '/test1' }, + wsgi_pass_authorization => 'On', + } + EOS + apply_manifest(pp, :catch_failures => true) + end end - it 'import_script applies cleanly', :unless => (fact('lsbdistcodename') == 'lucid' or UNSUPPORTED_PLATFORMS.include?(fact('osfamily'))) do - pp = <<-EOS - class { 'apache': } - class { 'apache::mod::wsgi': } - host { 'test.server': ip => '127.0.0.1' } - apache::vhost { 'test.server': - docroot => '/tmp', - wsgi_application_group => '%{GLOBAL}', - wsgi_daemon_process => 'wsgi', - wsgi_daemon_process_options => {processes => '2'}, - wsgi_import_script => '/test1', - wsgi_import_script_options => { application-group => '%{GLOBAL}', process-group => 'wsgi' }, - wsgi_process_group => 'nobody', - wsgi_script_aliases => { '/test' => '/test1' }, - wsgi_pass_authorization => 'On', - wsgi_chunked_request => 'On', - } - EOS - apply_manifest(pp, :catch_failures => true) - end + context 'on everything but lucid', :unless => (fact('lsbdistcodename') == 'lucid' or fact('operatingsystem') == 'SLES') do + it 'import_script applies cleanly' do + pp = <<-EOS + class { 'apache': } + class { 'apache::mod::wsgi': } + host { 'test.server': ip => '127.0.0.1' } + apache::vhost { 'test.server': + docroot => '/tmp', + wsgi_application_group => '%{GLOBAL}', + wsgi_daemon_process => 'wsgi', + wsgi_daemon_process_options => {processes => '2'}, + wsgi_import_script => '/test1', + wsgi_import_script_options => { application-group => '%{GLOBAL}', process-group => 'wsgi' }, + wsgi_process_group => 'nobody', + wsgi_script_aliases => { '/test' => '/test1' }, + wsgi_script_aliases_match => { '/test/([^/*])' => '/test1' }, + wsgi_pass_authorization => 'On', + wsgi_chunked_request => 'On', + } + EOS + apply_manifest(pp, :catch_failures => true) + end - describe file("#{$vhost_dir}/25-test.server.conf"), :unless => (fact('lsbdistcodename') == 'lucid' or UNSUPPORTED_PLATFORMS.include?(fact('osfamily'))) do - it { is_expected.to be_file } - it { is_expected.to contain 'WSGIApplicationGroup %{GLOBAL}' } - it { is_expected.to contain 'WSGIDaemonProcess wsgi processes=2' } - it { is_expected.to contain 'WSGIImportScript /test1 application-group=%{GLOBAL} process-group=wsgi' } - it { is_expected.to contain 'WSGIProcessGroup nobody' } - it { is_expected.to contain 'WSGIScriptAlias /test "/test1"' } - it { is_expected.to contain 'WSGIPassAuthorization On' } - it { is_expected.to contain 'WSGIChunkedRequest On' } + describe file("#{$vhost_dir}/25-test.server.conf") do + it { is_expected.to be_file } + it { is_expected.to contain 'WSGIApplicationGroup %{GLOBAL}' } + it { is_expected.to contain 'WSGIDaemonProcess wsgi processes=2' } + it { is_expected.to contain 'WSGIImportScript /test1 application-group=%{GLOBAL} process-group=wsgi' } + it { is_expected.to contain 'WSGIProcessGroup nobody' } + it { is_expected.to contain 'WSGIScriptAlias /test "/test1"' } + it { is_expected.to contain 'WSGIPassAuthorization On' } + it { is_expected.to contain 'WSGIChunkedRequest On' } + end end end @@ -1186,11 +1433,55 @@ end end - # So what does this work on? - if default['platform'] !~ /^(debian-(6|7)|el-(5|6|7))/ + # Limit testing to Debian, since Centos does not have fastcgi package. + case fact('osfamily') + when 'Debian' describe 'fastcgi' do it 'applies cleanly' do pp = <<-EOS + $_os = $::operatingsystem + + if $_os == 'Ubuntu' { + $_location = "http://archive.ubuntu.com/ubuntu/" + $_security_location = "http://archive.ubuntu.com/ubuntu/" + $_release = $::lsbdistcodename + $_release_security = "${_release}-security" + $_repos = "main universe multiverse" + } else { + $_location = "http://httpredir.debian.org/debian/" + $_security_location = "http://security.debian.org/" + $_release = $::lsbdistcodename + $_release_security = "${_release}/updates" + $_repos = "main contrib non-free" + } + + include ::apt + apt::source { "${_os}_${_release}": + location => $_location, + release => $_release, + repos => $_repos, + include_src => false, + } + + apt::source { "${_os}_${_release}-updates": + location => $_location, + release => "${_release}-updates", + repos => $_repos, + include_src => false, + } + + apt::source { "${_os}_${_release}-security": + location => $_security_location, + release => $_release_security, + repos => $_repos, + include_src => false, + } + EOS + + #apt-get update may not run clean here. Should be OK. + apply_manifest(pp, :catch_failures => false) + + pp2 = <<-EOS class { 'apache': } class { 'apache::mod::fastcgi': } host { 'test.server': ip => '127.0.0.1' } @@ -1201,7 +1492,7 @@ fastcgi_dir => '/tmp/fast', } EOS - apply_manifest(pp, :catch_failures => true) + apply_manifest(pp2, :catch_failures => true, :acceptable_exit_codes => [0, 2]) end describe file("#{$vhost_dir}/25-test.server.conf") do @@ -1215,7 +1506,7 @@ describe 'additional_includes' do it 'applies cleanly' do pp = <<-EOS - if $::osfamily == 'RedHat' and $::selinux { + if $::osfamily == 'RedHat' and "$::selinux" == "true" { $semanage_package = $::operatingsystemmajrelease ? { '5' => 'policycoreutils', default => 'policycoreutils-python', @@ -1267,4 +1558,33 @@ it { is_expected.to be_file } end end + + describe 'SSLProtocol directive' do + it 'applies cleanly' do + pp = <<-EOS + class { 'apache': } + apache::vhost { 'test.server': + docroot => '/tmp', + ssl => true, + ssl_protocol => ['All', '-SSLv2'], + } + apache::vhost { 'test2.server': + docroot => '/tmp', + ssl => true, + ssl_protocol => 'All -SSLv2', + } + EOS + apply_manifest(pp, :catch_failures => true) + end + + describe file("#{$vhost_dir}/25-test.server.conf") do + it { is_expected.to be_file } + it { is_expected.to contain 'SSLProtocol *All -SSLv2' } + end + + describe file("#{$vhost_dir}/25-test2.server.conf") do + it { is_expected.to be_file } + it { is_expected.to contain 'SSLProtocol *All -SSLv2' } + end + end end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/spec/acceptance/vhosts_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,32 @@ +require 'spec_helper_acceptance' +require_relative './version.rb' + +describe 'apache::vhosts class' do + context 'custom vhosts defined via class apache::vhosts' do + it 'should create custom vhost config files' do + pp = <<-EOS + class { 'apache::vhosts': + vhosts => { + 'custom_vhost_1' => { + 'docroot' => '/var/www/custom_vhost_1', + 'port' => '81', + }, + 'custom_vhost_2' => { + 'docroot' => '/var/www/custom_vhost_2', + 'port' => '82', + }, + }, + } + EOS + apply_manifest(pp, :catch_failures => true) + end + + describe file("#{$vhost_dir}/25-custom_vhost_1.conf") do + it { is_expected.to contain '<VirtualHost \*:81>' } + end + + describe file("#{$vhost_dir}/25-custom_vhost_2.conf") do + it { is_expected.to contain '<VirtualHost \*:82>' } + end + end +end
--- a/modules/apache/spec/classes/apache_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/classes/apache_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -110,6 +110,14 @@ it { is_expected.to contain_file("/etc/apache2/apache2.conf").with_content %r{^AllowEncodedSlashes nodecode$} } end + context "when specifying default character set" do + let :params do + { :default_charset => 'none' } + end + + it { is_expected.to contain_file("/etc/apache2/apache2.conf").with_content %r{^AddDefaultCharset none$} } + end + # Assert that both load files and conf files are placed and symlinked for these mods [ 'alias', @@ -141,6 +149,40 @@ ) } end + describe "Check default type" do + context "with Apache version < 2.4" do + let :params do + { + :apache_version => '2.2', + } + end + + context "when default_type => 'none'" do + let :params do + { :default_type => 'none' } + end + + it { is_expected.to contain_file("/etc/apache2/apache2.conf").with_content %r{^DefaultType none$} } + end + context "when default_type => 'text/plain'" do + let :params do + { :default_type => 'text/plain' } + end + + it { is_expected.to contain_file("/etc/apache2/apache2.conf").with_content %r{^DefaultType text/plain$} } + end + end + + context "with Apache version >= 2.4" do + let :params do + { + :apache_version => '2.4', + } + end + it { is_expected.to contain_file("/etc/apache2/apache2.conf").without_content %r{^DefaultType [.]*$} } + end + end + describe "Don't create user resource" do context "when parameter manage_user is false" do let :params do @@ -176,6 +218,35 @@ end end + describe "Override existing LogFormats" do + context "When parameter log_formats is a hash" do + let :params do + { :log_formats => { + 'common' => "%v %h %l %u %t \"%r\" %>s %b", + 'combined' => "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" + } } + end + + it { is_expected.to contain_file("/etc/apache2/apache2.conf").with_content %r{^LogFormat "%v %h %l %u %t \"%r\" %>s %b" common\n} } + it { is_expected.to contain_file("/etc/apache2/apache2.conf").without_content %r{^LogFormat "%h %l %u %t \"%r\" %>s %b \"%\{Referer\}i\" \"%\{User-agent\}i\"" combined\n} } + it { is_expected.to contain_file("/etc/apache2/apache2.conf").with_content %r{^LogFormat "%v %h %l %u %t \"%r\" %>s %b" common\n} } + it { is_expected.to contain_file("/etc/apache2/apache2.conf").with_content %r{^LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%\{Referer\}i\" \"%\{User-agent\}i\"" combined\n} } + it { is_expected.to contain_file("/etc/apache2/apache2.conf").without_content %r{^LogFormat "%h %l %u %t \"%r\" %>s %b \"%\{Referer\}i\" \"%\{User-agent\}i\"" combined\n} } + end + end + + context "8" do + let :facts do + super().merge({ + :lsbdistcodename => 'jessie', + :operatingsystemrelease => '8' + }) + end + it { is_expected.to contain_file("/var/www/html").with( + 'ensure' => 'directory' + ) + } + end context "on Ubuntu" do let :facts do super().merge({ @@ -183,6 +254,18 @@ }) end + context "14.04" do + let :facts do + super().merge({ + :lsbdistrelease => '14.04', + :operatingsystemrelease => '14.04' + }) + end + it { is_expected.to contain_file("/var/www/html").with( + 'ensure' => 'directory' + ) + } + end context "13.10" do let :facts do super().merge({ @@ -329,6 +412,37 @@ it { is_expected.to contain_file("/etc/httpd/conf/httpd.conf").with_content %r{^IncludeOptional "/etc/httpd/conf\.d/\*\.conf"$} } end + context "with Apache version < 2.4" do + let :params do + { + :apache_version => '2.2', + :rewrite_lock => '/var/lock/subsys/rewrite-lock' + } + end + + it { is_expected.to contain_file("/etc/httpd/conf/httpd.conf").with_content %r{^RewriteLock /var/lock/subsys/rewrite-lock$} } + end + + context "with Apache version < 2.4" do + let :params do + { + :apache_version => '2.2' + } + end + + it { is_expected.to contain_file("/etc/httpd/conf/httpd.conf").without_content %r{^RewriteLock [.]*$} } + end + + context "with Apache version >= 2.4" do + let :params do + { + :apache_version => '2.4', + :rewrite_lock => '/var/lock/subsys/rewrite-lock' + } + end + it { is_expected.to contain_file("/etc/httpd/conf/httpd.conf").without_content %r{^RewriteLock [.]*$} } + end + context "when specifying slash encoding behaviour" do let :params do { :allow_encoded_slashes => 'nodecode' } @@ -337,6 +451,46 @@ it { is_expected.to contain_file("/etc/httpd/conf/httpd.conf").with_content %r{^AllowEncodedSlashes nodecode$} } end + context "when specifying default character set" do + let :params do + { :default_charset => 'none' } + end + + it { is_expected.to contain_file("/etc/httpd/conf/httpd.conf").with_content %r{^AddDefaultCharset none$} } + end + + context "with Apache version < 2.4" do + let :params do + { + :apache_version => '2.2', + } + end + + context "when default_type => 'none'" do + let :params do + { :default_type => 'none' } + end + + it { is_expected.to contain_file("/etc/httpd/conf/httpd.conf").with_content %r{^DefaultType none$} } + end + context "when default_type => 'text/plain'" do + let :params do + { :default_type => 'text/plain' } + end + + it { is_expected.to contain_file("/etc/httpd/conf/httpd.conf").with_content %r{^DefaultType text/plain$} } + end + end + + context "with Apache version >= 2.4" do + let :params do + { + :apache_version => '2.4', + } + end + it { is_expected.to contain_file("/etc/httpd/conf/httpd.conf").without_content %r{^DefaultType [.]*$} } + end + it { is_expected.to contain_file("/etc/httpd/conf/httpd.conf").with_content %r{^Include "/etc/httpd/site\.d/\*"$} } it { is_expected.to contain_file("/etc/httpd/conf/httpd.conf").with_content %r{^Include "/etc/httpd/mod\.d/\*\.conf"$} } it { is_expected.to contain_file("/etc/httpd/conf/httpd.conf").with_content %r{^Include "/etc/httpd/mod\.d/\*\.load"$} } @@ -350,7 +504,7 @@ it { is_expected.to contain_file("/opt/rh/root/etc/httpd/conf/httpd.conf").with( 'ensure' => 'file', 'notify' => 'Class[Apache::Service]', - 'require' => 'Package[httpd]' + 'require' => ['Package[httpd]', 'Concat[/etc/httpd/conf/ports.conf]'], ) } end @@ -405,7 +559,7 @@ let :params do { :mpm_module => 'breakme' } end - it { expect { subject }.to raise_error Puppet::Error, /does not match/ } + it { expect { catalogue }.to raise_error Puppet::Error, /does not match/ } end end @@ -479,7 +633,7 @@ end it "should fail" do expect do - subject + catalogue end.to raise_error(Puppet::Error, /"foo" does not match/) end end @@ -578,6 +732,7 @@ # Assert that load files are placed for these mods, but no conf file. [ 'auth_basic', + 'authn_core', 'authn_file', 'authz_groupfile', 'authz_host', @@ -613,6 +768,48 @@ ) } end end + context "on a Gentoo OS" do + let :facts do + { + :id => 'root', + :kernel => 'Linux', + :osfamily => 'Gentoo', + :operatingsystem => 'Gentoo', + :operatingsystemrelease => '3.16.1-gentoo', + :concat_basedir => '/dne', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin', + :is_pe => false, + } + end + it { is_expected.to contain_class("apache::params") } + it { is_expected.to contain_user("apache") } + it { is_expected.to contain_group("apache") } + it { is_expected.to contain_class("apache::service") } + it { is_expected.to contain_file("/var/www/localhost/htdocs").with( + 'ensure' => 'directory' + ) + } + it { is_expected.to contain_file("/etc/apache2/vhosts.d").with( + 'ensure' => 'directory', + 'recurse' => 'true', + 'purge' => 'true', + 'notify' => 'Class[Apache::Service]', + 'require' => 'Package[httpd]' + ) } + it { is_expected.to contain_file("/etc/apache2/modules.d").with( + 'ensure' => 'directory', + 'recurse' => 'true', + 'purge' => 'true', + 'notify' => 'Class[Apache::Service]', + 'require' => 'Package[httpd]' + ) } + it { is_expected.to contain_concat("/etc/apache2/ports.conf").with( + 'owner' => 'root', + 'group' => 'wheel', + 'mode' => '0644', + 'notify' => 'Class[Apache::Service]' + ) } + end context 'on all OSes' do let :facts do { @@ -638,9 +835,43 @@ ) } end + context 'with a custom file_mode parameter' do + let :params do { + :file_mode => '0640' + } + end + it { is_expected.to contain_concat("/etc/httpd/conf/ports.conf").with( + 'mode' => '0640', + ) + } + end + context 'with a custom root_directory_options parameter' do + let :params do { + :root_directory_options => ['-Indexes', '-FollowSymLinks'] + } + end + it { is_expected.to contain_file("/etc/httpd/conf/httpd.conf").with_content %r{Options -Indexes -FollowSymLinks} } + end + context 'with a custom root_directory_secured parameter and Apache < 2.4' do + let :params do { + :apache_version => '2.2', + :root_directory_secured => true + } + end + it { is_expected.to contain_file("/etc/httpd/conf/httpd.conf").with_content %r{Options FollowSymLinks\n\s+AllowOverride None\n\s+Order deny,allow\n\s+Deny from all} } + end + context 'with a custom root_directory_secured parameter and Apache >= 2.4' do + let :params do { + :apache_version => '2.4', + :root_directory_secured => true + } + end + it { is_expected.to contain_file("/etc/httpd/conf/httpd.conf").with_content %r{Options FollowSymLinks\n\s+AllowOverride None\n\s+Require all denied} } + end context 'default vhost defaults' do it { is_expected.to contain_apache__vhost('default').with_ensure('present') } it { is_expected.to contain_apache__vhost('default-ssl').with_ensure('absent') } + it { is_expected.to contain_file("/etc/httpd/conf/httpd.conf").with_content %r{Options FollowSymLinks} } end context 'without default non-ssl vhost' do let :params do { @@ -648,6 +879,7 @@ } end it { is_expected.to contain_apache__vhost('default').with_ensure('absent') } + it { is_expected.not_to contain_file('/var/www/html') } end context 'with default ssl vhost' do let :params do { @@ -655,6 +887,7 @@ } end it { is_expected.to contain_apache__vhost('default-ssl').with_ensure('present') } + it { is_expected.to contain_file('/var/www/html') } end end context 'with unsupported osfamily' do @@ -668,7 +901,7 @@ it do expect { - should compile + catalogue }.to raise_error(Puppet::Error, /Unsupported osfamily/) end end
--- a/modules/apache/spec/classes/dev_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/classes/dev_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -1,6 +1,9 @@ require 'spec_helper' describe 'apache::dev', :type => :class do + let(:pre_condition) {[ + 'include apache' + ]} context "on a Debian OS" do let :facts do { @@ -9,6 +12,10 @@ :operatingsystem => 'Debian', :operatingsystemrelease => '6', :is_pe => false, + :concat_basedir => '/foo', + :id => 'root', + :path => '/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin', + :kernel => 'Linux' } end it { is_expected.to contain_class("apache::params") } @@ -16,6 +23,23 @@ it { is_expected.to contain_package("libapr1-dev") } it { is_expected.to contain_package("apache2-prefork-dev") } end + context "on an Ubuntu 14 OS" do + let :facts do + { + :lsbdistrelease => '14.04', + :lsbdistcodename => 'trusty', + :osfamily => 'Debian', + :operatingsystem => 'Ubuntu', + :operatingsystemrelease => '14.04', + :is_pe => false, + :concat_basedir => '/foo', + :id => 'root', + :path => '/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin', + :kernel => 'Linux' + } + end + it { is_expected.to contain_package("apache2-dev") } + end context "on a RedHat OS" do let :facts do { @@ -23,21 +47,41 @@ :operatingsystem => 'RedHat', :operatingsystemrelease => '6', :is_pe => false, + :concat_basedir => '/foo', + :id => 'root', + :path => '/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin', + :kernel => 'Linux' } end it { is_expected.to contain_class("apache::params") } it { is_expected.to contain_package("httpd-devel") } end context "on a FreeBSD OS" do - let :pre_condition do - 'include apache::package' - end let :facts do { :osfamily => 'FreeBSD', :operatingsystem => 'FreeBSD', :operatingsystemrelease => '9', :is_pe => false, + :concat_basedir => '/foo', + :id => 'root', + :path => '/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin', + :kernel => 'FreeBSD' + } + end + it { is_expected.to contain_class("apache::params") } + end + context "on a Gentoo OS" do + let :facts do + { + :osfamily => 'Gentoo', + :operatingsystem => 'Gentoo', + :operatingsystemrelease => '3.16.1-gentoo', + :is_pe => false, + :concat_basedir => '/foo', + :id => 'root', + :path => '/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin', + :kernel => 'Linux' } end it { is_expected.to contain_class("apache::params") }
--- a/modules/apache/spec/classes/mod/alias_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/classes/mod/alias_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -1,72 +1,97 @@ require 'spec_helper' describe 'apache::mod::alias', :type => :class do - let :pre_condition do - 'include apache' - end - context "on a Debian OS", :compile do - let :facts do - { - :id => 'root', - :kernel => 'Linux', - :lsbdistcodename => 'squeeze', - :osfamily => 'Debian', - :operatingsystem => 'Debian', - :operatingsystemrelease => '6', - :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - :concat_basedir => '/dne', - :is_pe => false, - } + it_behaves_like "a mod class, without including apache" + + context "default configuration with parameters" do + context "on a Debian OS", :compile do + let :facts do + { + :id => 'root', + :kernel => 'Linux', + :lsbdistcodename => 'squeeze', + :osfamily => 'Debian', + :operatingsystem => 'Debian', + :operatingsystemrelease => '6', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :concat_basedir => '/dne', + :is_pe => false, + } + end + it { is_expected.to contain_apache__mod("alias") } + it { is_expected.to contain_file("alias.conf").with(:content => /Alias \/icons\/ "\/usr\/share\/apache2\/icons\/"/) } end - it { is_expected.to contain_apache__mod("alias") } - it { is_expected.to contain_file("alias.conf").with(:content => /Alias \/icons\/ "\/usr\/share\/apache2\/icons\/"/) } - end - context "on a RedHat 6-based OS", :compile do - let :facts do - { - :id => 'root', - :kernel => 'Linux', - :osfamily => 'RedHat', - :operatingsystem => 'RedHat', - :operatingsystemrelease => '6', - :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - :concat_basedir => '/dne', - :is_pe => false, - } + context "on a RedHat 6-based OS", :compile do + let :facts do + { + :id => 'root', + :kernel => 'Linux', + :osfamily => 'RedHat', + :operatingsystem => 'RedHat', + :operatingsystemrelease => '6', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :concat_basedir => '/dne', + :is_pe => false, + } + end + it { is_expected.to contain_apache__mod("alias") } + it { is_expected.to contain_file("alias.conf").with(:content => /Alias \/icons\/ "\/var\/www\/icons\/"/) } end - it { is_expected.to contain_apache__mod("alias") } - it { is_expected.to contain_file("alias.conf").with(:content => /Alias \/icons\/ "\/var\/www\/icons\/"/) } - end - context "on a RedHat 7-based OS", :compile do - let :facts do - { - :id => 'root', - :kernel => 'Linux', - :osfamily => 'RedHat', - :operatingsystem => 'RedHat', - :operatingsystemrelease => '7', - :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - :concat_basedir => '/dne', - :is_pe => false, - } + context "on a RedHat 7-based OS", :compile do + let :facts do + { + :id => 'root', + :kernel => 'Linux', + :osfamily => 'RedHat', + :operatingsystem => 'RedHat', + :operatingsystemrelease => '7', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :concat_basedir => '/dne', + :is_pe => false, + } + end + it { is_expected.to contain_apache__mod("alias") } + it { is_expected.to contain_file("alias.conf").with(:content => /Alias \/icons\/ "\/usr\/share\/httpd\/icons\/"/) } end - it { is_expected.to contain_apache__mod("alias") } - it { is_expected.to contain_file("alias.conf").with(:content => /Alias \/icons\/ "\/usr\/share\/httpd\/icons\/"/) } - end - context "on a FreeBSD OS", :compile do - let :facts do - { - :id => 'root', - :kernel => 'FreeBSD', - :osfamily => 'FreeBSD', - :operatingsystem => 'FreeBSD', - :operatingsystemrelease => '10', - :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - :concat_basedir => '/dne', - :is_pe => false, - } + context "with icons options", :compile do + let :pre_condition do + 'class { apache: default_mods => false }' + end + let :facts do + { + :id => 'root', + :kernel => 'Linux', + :osfamily => 'RedHat', + :operatingsystem => 'RedHat', + :operatingsystemrelease => '7', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :concat_basedir => '/dne', + :is_pe => false, + } + end + let :params do + { + 'icons_options' => 'foo' + } + end + it { is_expected.to contain_apache__mod("alias") } + it { is_expected.to contain_file("alias.conf").with(:content => /Options foo/) } end - it { is_expected.to contain_apache__mod("alias") } - it { is_expected.to contain_file("alias.conf").with(:content => /Alias \/icons\/ "\/usr\/local\/www\/apache24\/icons\/"/) } + context "on a FreeBSD OS", :compile do + let :facts do + { + :id => 'root', + :kernel => 'FreeBSD', + :osfamily => 'FreeBSD', + :operatingsystem => 'FreeBSD', + :operatingsystemrelease => '10', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :concat_basedir => '/dne', + :is_pe => false, + } + end + it { is_expected.to contain_apache__mod("alias") } + it { is_expected.to contain_file("alias.conf").with(:content => /Alias \/icons\/ "\/usr\/local\/www\/apache24\/icons\/"/) } + end end end
--- a/modules/apache/spec/classes/mod/auth_cas_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/classes/mod/auth_cas_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -1,54 +1,64 @@ require 'spec_helper' describe 'apache::mod::auth_cas', :type => :class do - let :params do - { - :cas_login_url => 'https://cas.example.com/login', - :cas_validate_url => 'https://cas.example.com/validate', - } - end + context "default params" do + let :params do + { + :cas_login_url => 'https://cas.example.com/login', + :cas_validate_url => 'https://cas.example.com/validate', + :cas_cookie_path => '/var/cache/apache2/mod_auth_cas/' + } + end - let :pre_condition do - 'include ::apache' + it_behaves_like "a mod class, without including apache" end - context "on a Debian OS", :compile do - let :facts do + context "default configuration with parameters" do + let :params do { - :id => 'root', - :kernel => 'Linux', - :lsbdistcodename => 'squeeze', - :osfamily => 'Debian', - :operatingsystem => 'Debian', - :operatingsystemrelease => '6', - :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - :concat_basedir => '/dne', - :is_pe => false, + :cas_login_url => 'https://cas.example.com/login', + :cas_validate_url => 'https://cas.example.com/validate', } end - it { is_expected.to contain_class("apache::params") } - it { is_expected.to contain_apache__mod("auth_cas") } - it { is_expected.to contain_package("libapache2-mod-auth-cas") } - it { is_expected.to contain_file("auth_cas.conf").with_path('/etc/apache2/mods-available/auth_cas.conf') } - it { is_expected.to contain_file("/var/cache/apache2/mod_auth_cas/").with_owner('www-data') } - end - context "on a RedHat OS", :compile do - let :facts do - { - :id => 'root', - :kernel => 'Linux', - :osfamily => 'RedHat', - :operatingsystem => 'RedHat', - :operatingsystemrelease => '6', - :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - :concat_basedir => '/dne', - :is_pe => false, - } + + context "on a Debian OS", :compile do + let :facts do + { + :id => 'root', + :kernel => 'Linux', + :lsbdistcodename => 'squeeze', + :osfamily => 'Debian', + :operatingsystem => 'Debian', + :operatingsystemrelease => '6', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :concat_basedir => '/dne', + :is_pe => false, + } + end + it { is_expected.to contain_class("apache::params") } + it { is_expected.to contain_apache__mod("auth_cas") } + it { is_expected.to contain_package("libapache2-mod-auth-cas") } + it { is_expected.to contain_file("auth_cas.conf").with_path('/etc/apache2/mods-available/auth_cas.conf') } + it { is_expected.to contain_file("/var/cache/apache2/mod_auth_cas/").with_owner('www-data') } end - it { is_expected.to contain_class("apache::params") } - it { is_expected.to contain_apache__mod("auth_cas") } - it { is_expected.to contain_package("mod_auth_cas") } - it { is_expected.to contain_file("auth_cas.conf").with_path('/etc/httpd/conf.d/auth_cas.conf') } - it { is_expected.to contain_file("/var/cache/mod_auth_cas/").with_owner('apache') } + context "on a RedHat OS", :compile do + let :facts do + { + :id => 'root', + :kernel => 'Linux', + :osfamily => 'RedHat', + :operatingsystem => 'RedHat', + :operatingsystemrelease => '6', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :concat_basedir => '/dne', + :is_pe => false, + } + end + it { is_expected.to contain_class("apache::params") } + it { is_expected.to contain_apache__mod("auth_cas") } + it { is_expected.to contain_package("mod_auth_cas") } + it { is_expected.to contain_file("auth_cas.conf").with_path('/etc/httpd/conf.d/auth_cas.conf') } + it { is_expected.to contain_file("/var/cache/mod_auth_cas/").with_owner('apache') } + end end end
--- a/modules/apache/spec/classes/mod/auth_kerb_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/classes/mod/auth_kerb_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -1,59 +1,77 @@ require 'spec_helper' describe 'apache::mod::auth_kerb', :type => :class do - let :pre_condition do - 'include apache' - end - context "on a Debian OS", :compile do - let :facts do - { - :id => 'root', - :kernel => 'Linux', - :lsbdistcodename => 'squeeze', - :osfamily => 'Debian', - :operatingsystem => 'Debian', - :operatingsystemrelease => '6', - :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - :concat_basedir => '/dne', - :is_pe => false, - } + it_behaves_like "a mod class, without including apache" + + context "default configuration with parameters" do + context "on a Debian OS", :compile do + let :facts do + { + :id => 'root', + :kernel => 'Linux', + :lsbdistcodename => 'squeeze', + :osfamily => 'Debian', + :operatingsystem => 'Debian', + :operatingsystemrelease => '6', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :concat_basedir => '/dne', + :is_pe => false, + } + end + it { is_expected.to contain_class("apache::params") } + it { is_expected.to contain_apache__mod("auth_kerb") } + it { is_expected.to contain_package("libapache2-mod-auth-kerb") } end - it { is_expected.to contain_class("apache::params") } - it { is_expected.to contain_apache__mod("auth_kerb") } - it { is_expected.to contain_package("libapache2-mod-auth-kerb") } - end - context "on a RedHat OS", :compile do - let :facts do - { - :id => 'root', - :kernel => 'Linux', - :osfamily => 'RedHat', - :operatingsystem => 'RedHat', - :operatingsystemrelease => '6', - :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - :concat_basedir => '/dne', - :is_pe => false, - } + context "on a RedHat OS", :compile do + let :facts do + { + :id => 'root', + :kernel => 'Linux', + :osfamily => 'RedHat', + :operatingsystem => 'RedHat', + :operatingsystemrelease => '6', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :concat_basedir => '/dne', + :is_pe => false, + } + end + it { is_expected.to contain_class("apache::params") } + it { is_expected.to contain_apache__mod("auth_kerb") } + it { is_expected.to contain_package("mod_auth_kerb") } end - it { is_expected.to contain_class("apache::params") } - it { is_expected.to contain_apache__mod("auth_kerb") } - it { is_expected.to contain_package("mod_auth_kerb") } - end - context "on a FreeBSD OS", :compile do - let :facts do - { - :id => 'root', - :kernel => 'FreeBSD', - :osfamily => 'FreeBSD', - :operatingsystem => 'FreeBSD', - :operatingsystemrelease => '9', - :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - :concat_basedir => '/dne', - :is_pe => false, - } + context "on a FreeBSD OS", :compile do + let :facts do + { + :id => 'root', + :kernel => 'FreeBSD', + :osfamily => 'FreeBSD', + :operatingsystem => 'FreeBSD', + :operatingsystemrelease => '9', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :concat_basedir => '/dne', + :is_pe => false, + } + end + it { is_expected.to contain_class("apache::params") } + it { is_expected.to contain_apache__mod("auth_kerb") } + it { is_expected.to contain_package("www/mod_auth_kerb2") } end - it { is_expected.to contain_class("apache::params") } - it { is_expected.to contain_apache__mod("auth_kerb") } - it { is_expected.to contain_package("www/mod_auth_kerb2") } + context "on a Gentoo OS", :compile do + let :facts do + { + :id => 'root', + :kernel => 'Linux', + :osfamily => 'Gentoo', + :operatingsystem => 'Gentoo', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin', + :operatingsystemrelease => '3.16.1-gentoo', + :concat_basedir => '/dne', + :is_pe => false, + } + end + it { is_expected.to contain_class("apache::params") } + it { is_expected.to contain_apache__mod("auth_kerb") } + it { is_expected.to contain_package("www-apache/mod_auth_kerb") } + end end end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/spec/classes/mod/auth_mellon_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,90 @@ +require 'spec_helper' + +describe 'apache::mod::auth_mellon', :type => :class do + it_behaves_like "a mod class, without including apache" + + context "default configuration with parameters" do + context "on a Debian OS" do + let :facts do + { + :osfamily => 'Debian', + :operatingsystemrelease => '6', + :concat_basedir => '/dne', + :lsbdistcodename => 'squeeze', + :operatingsystem => 'Debian', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :fqdn => 'test.example.com', + :is_pe => false, + } + end + describe 'with no parameters' do + it { should contain_apache__mod('auth_mellon') } + it { should contain_package('libapache2-mod-auth-mellon') } + it { should contain_file('auth_mellon.conf').with_path('/etc/apache2/mods-available/auth_mellon.conf') } + it { should contain_file('auth_mellon.conf').with_content("MellonPostDirectory \"\/var\/cache\/apache2\/mod_auth_mellon\/\"\n") } + end + describe 'with parameters' do + let :params do + { :mellon_cache_size => '200', + :mellon_cache_entry_size => '2010', + :mellon_lock_file => '/tmp/junk', + :mellon_post_directory => '/tmp/post', + :mellon_post_ttl => '5', + :mellon_post_size => '8', + :mellon_post_count => '10' + } + end + it { should contain_file('auth_mellon.conf').with_content(/^MellonCacheSize\s+200$/) } + it { should contain_file('auth_mellon.conf').with_content(/^MellonCacheEntrySize\s+2010$/) } + it { should contain_file('auth_mellon.conf').with_content(/^MellonLockFile\s+"\/tmp\/junk"$/) } + it { should contain_file('auth_mellon.conf').with_content(/^MellonPostDirectory\s+"\/tmp\/post"$/) } + it { should contain_file('auth_mellon.conf').with_content(/^MellonPostTTL\s+5$/) } + it { should contain_file('auth_mellon.conf').with_content(/^MellonPostSize\s+8$/) } + it { should contain_file('auth_mellon.conf').with_content(/^MellonPostCount\s+10$/) } + end + + end + context "on a RedHat OS" do + let :facts do + { + :osfamily => 'RedHat', + :operatingsystemrelease => '6', + :concat_basedir => '/dne', + :operatingsystem => 'RedHat', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :fqdn => 'test.example.com', + :is_pe => false, + } + end + describe 'with no parameters' do + it { should contain_apache__mod('auth_mellon') } + it { should contain_package('mod_auth_mellon') } + it { should contain_file('auth_mellon.conf').with_path('/etc/httpd/conf.d/auth_mellon.conf') } + it { should contain_file('auth_mellon.conf').with_content("MellonCacheSize 100\nMellonLockFile \"/run/mod_auth_mellon/lock\"\n") } + end + describe 'with parameters' do + let :params do + { :mellon_cache_size => '200', + :mellon_cache_entry_size => '2010', + :mellon_lock_file => '/tmp/junk', + :mellon_post_directory => '/tmp/post', + :mellon_post_ttl => '5', + :mellon_post_size => '8', + :mellon_post_count => '10' + } + end + it { should contain_file('auth_mellon.conf').with_content(/^MellonCacheSize\s+200$/) } + it { should contain_file('auth_mellon.conf').with_content(/^MellonCacheEntrySize\s+2010$/) } + it { should contain_file('auth_mellon.conf').with_content(/^MellonLockFile\s+"\/tmp\/junk"$/) } + it { should contain_file('auth_mellon.conf').with_content(/^MellonPostDirectory\s+"\/tmp\/post"$/) } + it { should contain_file('auth_mellon.conf').with_content(/^MellonPostTTL\s+5$/) } + it { should contain_file('auth_mellon.conf').with_content(/^MellonPostSize\s+8$/) } + it { should contain_file('auth_mellon.conf').with_content(/^MellonPostCount\s+10$/) } + end + end + end +end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/spec/classes/mod/authn_dbd_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,62 @@ +require 'spec_helper' + +describe 'apache::mod::authn_dbd', :type => :class do + context "default params" do + let :params do + { + :authn_dbd_params => 'host=db_host port=3306 user=apache password=###### dbname=apache_auth', + } + end + + it_behaves_like "a mod class, without including apache" + end + + context "default configuration with parameters" do + let :params do + { + :authn_dbd_params => 'host=db_host port=3306 user=apache password=###### dbname=apache_auth', + :authn_dbd_alias => 'db_authn', + :authn_dbd_query => 'SELECT password FROM authn WHERE username = %s' + } + end + + context "on a Debian OS", :compile do + let :facts do + { + :id => 'root', + :kernel => 'Linux', + :lsbdistcodename => 'squeeze', + :osfamily => 'Debian', + :operatingsystem => 'Debian', + :operatingsystemrelease => '6', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :concat_basedir => '/dne', + :is_pe => false, + } + end + it { is_expected.to contain_class("apache::params") } + it { is_expected.to contain_apache__mod("authn_dbd") } + it { is_expected.to contain_apache__mod("dbd") } + it { is_expected.to contain_file("authn_dbd.conf").with_path('/etc/apache2/mods-available/authn_dbd.conf') } + end + + context "on a RedHat OS", :compile do + let :facts do + { + :id => 'root', + :kernel => 'Linux', + :osfamily => 'RedHat', + :operatingsystem => 'RedHat', + :operatingsystemrelease => '6', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :concat_basedir => '/dne', + :is_pe => false, + } + end + it { is_expected.to contain_class("apache::params") } + it { is_expected.to contain_apache__mod("authn_dbd") } + it { is_expected.to contain_apache__mod("dbd") } + it { is_expected.to contain_file("authn_dbd.conf").with_path('/etc/httpd/conf.d/authn_dbd.conf') } + end + end +end
--- a/modules/apache/spec/classes/mod/authnz_ldap_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/classes/mod/authnz_ldap_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -1,78 +1,76 @@ require 'spec_helper' describe 'apache::mod::authnz_ldap', :type => :class do - let :pre_condition do - 'include apache' - end + it_behaves_like "a mod class, without including apache" - context "on a Debian OS" do - let :facts do - { - :lsbdistcodename => 'squeeze', - :osfamily => 'Debian', - :operatingsystemrelease => '6', - :concat_basedir => '/dne', - :id => 'root', - :kernel => 'Linux', - :operatingsystem => 'Debian', - :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - :is_pe => false, - } - end - it { is_expected.to contain_class("apache::params") } - it { is_expected.to contain_class("apache::mod::ldap") } - it { is_expected.to contain_apache__mod('authnz_ldap') } + context "default configuration with parameters" do + context "on a Debian OS" do + let :facts do + { + :lsbdistcodename => 'squeeze', + :osfamily => 'Debian', + :operatingsystemrelease => '6', + :concat_basedir => '/dne', + :id => 'root', + :kernel => 'Linux', + :operatingsystem => 'Debian', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :is_pe => false, + } + end + it { is_expected.to contain_class("apache::params") } + it { is_expected.to contain_class("apache::mod::ldap") } + it { is_expected.to contain_apache__mod('authnz_ldap') } - context 'default verifyServerCert' do - it { is_expected.to contain_file('authnz_ldap.conf').with_content(/^LDAPVerifyServerCert On$/) } - end + context 'default verify_server_cert' do + it { is_expected.to contain_file('authnz_ldap.conf').with_content(/^LDAPVerifyServerCert On$/) } + end - context 'verifyServerCert = false' do - let(:params) { { :verifyServerCert => false } } - it { is_expected.to contain_file('authnz_ldap.conf').with_content(/^LDAPVerifyServerCert Off$/) } - end + context 'verify_server_cert = false' do + let(:params) { { :verify_server_cert => false } } + it { is_expected.to contain_file('authnz_ldap.conf').with_content(/^LDAPVerifyServerCert Off$/) } + end - context 'verifyServerCert = wrong' do - let(:params) { { :verifyServerCert => 'wrong' } } - it 'should raise an error' do - expect { is_expected.to raise_error Puppet::Error } + context 'verify_server_cert = wrong' do + let(:params) { { :verify_server_cert => 'wrong' } } + it 'should raise an error' do + expect { is_expected.to raise_error Puppet::Error } + end end - end - end #Debian + end #Debian - context "on a RedHat OS" do - let :facts do - { - :osfamily => 'RedHat', - :operatingsystemrelease => '6', - :concat_basedir => '/dne', - :id => 'root', - :kernel => 'Linux', - :operatingsystem => 'RedHat', - :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - :is_pe => false, - } - end - it { is_expected.to contain_class("apache::params") } - it { is_expected.to contain_class("apache::mod::ldap") } - it { is_expected.to contain_apache__mod('authnz_ldap') } + context "on a RedHat OS" do + let :facts do + { + :osfamily => 'RedHat', + :operatingsystemrelease => '6', + :concat_basedir => '/dne', + :id => 'root', + :kernel => 'Linux', + :operatingsystem => 'RedHat', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :is_pe => false, + } + end + it { is_expected.to contain_class("apache::params") } + it { is_expected.to contain_class("apache::mod::ldap") } + it { is_expected.to contain_apache__mod('authnz_ldap') } - context 'default verifyServerCert' do - it { is_expected.to contain_file('authnz_ldap.conf').with_content(/^LDAPVerifyServerCert On$/) } - end + context 'default verify_server_cert' do + it { is_expected.to contain_file('authnz_ldap.conf').with_content(/^LDAPVerifyServerCert On$/) } + end - context 'verifyServerCert = false' do - let(:params) { { :verifyServerCert => false } } - it { is_expected.to contain_file('authnz_ldap.conf').with_content(/^LDAPVerifyServerCert Off$/) } - end + context 'verify_server_cert = false' do + let(:params) { { :verify_server_cert => false } } + it { is_expected.to contain_file('authnz_ldap.conf').with_content(/^LDAPVerifyServerCert Off$/) } + end - context 'verifyServerCert = wrong' do - let(:params) { { :verifyServerCert => 'wrong' } } - it 'should raise an error' do - expect { is_expected.to raise_error Puppet::Error } + context 'verify_server_cert = wrong' do + let(:params) { { :verify_server_cert => 'wrong' } } + it 'should raise an error' do + expect { is_expected.to raise_error Puppet::Error } + end end - end - end # Redhat - + end # Redhat + end end -
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/spec/classes/mod/cluster_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,105 @@ +require 'spec_helper' + +describe 'apache::mod::cluster', :type => :class do + context 'on a RedHat OS Release 7 with mod version = 1.3.0' do + let :facts do + { + :osfamily => 'RedHat', + :operatingsystemrelease => '7', + :concat_basedir => '/dne', + :operatingsystem => 'RedHat', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :is_pe => false, + } + end + + let(:params) { + { + :allowed_network => '172.17.0', + :balancer_name => 'mycluster', + :ip => '172.17.0.1', + :version => '1.3.0' + } + } + + it { is_expected.to contain_class("apache") } + it { is_expected.to contain_apache__mod('proxy') } + it { is_expected.to contain_apache__mod('proxy_ajp') } + it { is_expected.to contain_apache__mod('manager') } + it { is_expected.to contain_apache__mod('proxy_cluster') } + it { is_expected.to contain_apache__mod('advertise') } + it { is_expected.to contain_apache__mod('cluster_slotmem') } + + it { is_expected.to contain_file('cluster.conf') } + end + + context 'on a RedHat OS Release 7 with mod version > 1.3.0' do + let :facts do + { + :osfamily => 'RedHat', + :operatingsystemrelease => '7', + :concat_basedir => '/dne', + :operatingsystem => 'RedHat', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :is_pe => false, + } + end + + let(:params) { + { + :allowed_network => '172.17.0', + :balancer_name => 'mycluster', + :ip => '172.17.0.1', + :version => '1.3.1' + } + } + + it { is_expected.to contain_class('apache') } + it { is_expected.to contain_apache__mod('proxy') } + it { is_expected.to contain_apache__mod('proxy_ajp') } + it { is_expected.to contain_apache__mod('manager') } + it { is_expected.to contain_apache__mod('proxy_cluster') } + it { is_expected.to contain_apache__mod('advertise') } + it { is_expected.to contain_apache__mod('cluster_slotmem') } + + it { is_expected.to contain_file('cluster.conf') } + end + + context 'on a RedHat OS Release 6 with mod version < 1.3.0' do + let :facts do + { + :osfamily => 'RedHat', + :operatingsystemrelease => '6', + :concat_basedir => '/dne', + :operatingsystem => 'RedHat', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :is_pe => false, + } + end + + let(:params) { + { + :allowed_network => '172.17.0', + :balancer_name => 'mycluster', + :ip => '172.17.0.1', + :version => '1.2.0' + } + } + + it { is_expected.to contain_class('apache') } + it { is_expected.to contain_apache__mod('proxy') } + it { is_expected.to contain_apache__mod('proxy_ajp') } + it { is_expected.to contain_apache__mod('manager') } + it { is_expected.to contain_apache__mod('proxy_cluster') } + it { is_expected.to contain_apache__mod('advertise') } + it { is_expected.to contain_apache__mod('slotmem') } + + it { is_expected.to contain_file('cluster.conf') } + end +end
--- a/modules/apache/spec/classes/mod/dav_svn_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/classes/mod/dav_svn_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -1,62 +1,80 @@ require 'spec_helper' describe 'apache::mod::dav_svn', :type => :class do - let :pre_condition do - 'include apache' - end - context "on a Debian OS" do - let :facts do - { - :lsbdistcodename => 'squeeze', - :osfamily => 'Debian', - :operatingsystemrelease => '6', - :operatingsystemmajrelease => '6', - :concat_basedir => '/dne', - :operatingsystem => 'Debian', - :id => 'root', - :kernel => 'Linux', - :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - :is_pe => false, - } + it_behaves_like "a mod class, without including apache" + + context "default configuration with parameters" do + context "on a Debian OS" do + let :facts do + { + :lsbdistcodename => 'squeeze', + :osfamily => 'Debian', + :operatingsystemrelease => '6', + :operatingsystemmajrelease => '6', + :concat_basedir => '/dne', + :operatingsystem => 'Debian', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :is_pe => false, + } + end + it { is_expected.to contain_class("apache::params") } + it { is_expected.to contain_apache__mod('dav_svn') } + it { is_expected.to contain_package("libapache2-svn") } end - it { is_expected.to contain_class("apache::params") } - it { is_expected.to contain_apache__mod('dav_svn') } - it { is_expected.to contain_package("libapache2-svn") } - end - context "on a RedHat OS" do - let :facts do - { - :osfamily => 'RedHat', - :operatingsystemrelease => '6', - :operatingsystemmajrelease => '6', - :concat_basedir => '/dne', - :operatingsystem => 'RedHat', - :id => 'root', - :kernel => 'Linux', - :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - :is_pe => false, - } + context "on a RedHat OS" do + let :facts do + { + :osfamily => 'RedHat', + :operatingsystemrelease => '6', + :operatingsystemmajrelease => '6', + :concat_basedir => '/dne', + :operatingsystem => 'RedHat', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :is_pe => false, + } + end + it { is_expected.to contain_class("apache::params") } + it { is_expected.to contain_apache__mod('dav_svn') } + it { is_expected.to contain_package("mod_dav_svn") } end - it { is_expected.to contain_class("apache::params") } - it { is_expected.to contain_apache__mod('dav_svn') } - it { is_expected.to contain_package("mod_dav_svn") } - end - context "on a FreeBSD OS" do - let :facts do - { - :osfamily => 'FreeBSD', - :operatingsystemrelease => '9', - :operatingsystemmajrelease => '9', - :concat_basedir => '/dne', - :operatingsystem => 'FreeBSD', - :id => 'root', - :kernel => 'Linux', - :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - :is_pe => false, - } + context "on a FreeBSD OS" do + let :facts do + { + :osfamily => 'FreeBSD', + :operatingsystemrelease => '9', + :operatingsystemmajrelease => '9', + :concat_basedir => '/dne', + :operatingsystem => 'FreeBSD', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :is_pe => false, + } + end + it { is_expected.to contain_class("apache::params") } + it { is_expected.to contain_apache__mod('dav_svn') } + it { is_expected.to contain_package("devel/subversion") } end - it { is_expected.to contain_class("apache::params") } - it { is_expected.to contain_apache__mod('dav_svn') } - it { is_expected.to contain_package("devel/subversion") } + context "on a Gentoo OS", :compile do + let :facts do + { + :id => 'root', + :operatingsystemrelease => '3.16.1-gentoo', + :concat_basedir => '/dne', + :kernel => 'Linux', + :osfamily => 'Gentoo', + :operatingsystem => 'Gentoo', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin', + :is_pe => false, + } + end + it { is_expected.to contain_class("apache::params") } + it { is_expected.to contain_apache__mod('dav_svn') } + it { is_expected.to contain_package("dev-vcs/subversion") } + end end end
--- a/modules/apache/spec/classes/mod/deflate_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/classes/mod/deflate_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -16,88 +16,112 @@ end describe 'apache::mod::deflate', :type => :class do - let :pre_condition do - 'class { "apache": - default_mods => false, - } - class { "apache::mod::deflate": - types => [ "text/html", "text/css" ], - notes => { - "Input" => "instream", - "Ratio" => "ratio", + it_behaves_like "a mod class, without including apache" + + context "default configuration with parameters" do + let :pre_condition do + 'class { "apache::mod::deflate": + types => [ "text/html", "text/css" ], + notes => { + "Input" => "instream", + "Ratio" => "ratio", + } } - } - ' - end + ' + end - context "On a Debian OS with default params" do - let :facts do - { - :id => 'root', - :lsbdistcodename => 'squeeze', - :kernel => 'Linux', - :osfamily => 'Debian', - :operatingsystem => 'Debian', - :operatingsystemrelease => '6', - :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - :concat_basedir => '/dne', - :is_pe => false, - } + context "On a Debian OS with default params" do + let :facts do + { + :id => 'root', + :lsbdistcodename => 'squeeze', + :kernel => 'Linux', + :osfamily => 'Debian', + :operatingsystem => 'Debian', + :operatingsystemrelease => '6', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :concat_basedir => '/dne', + :is_pe => false, + } + end + + # Load the more generic tests for this context + general_deflate_specs() + + it { is_expected.to contain_file("deflate.conf").with({ + :ensure => 'file', + :path => '/etc/apache2/mods-available/deflate.conf', + } ) } + it { is_expected.to contain_file("deflate.conf symlink").with({ + :ensure => 'link', + :path => '/etc/apache2/mods-enabled/deflate.conf', + } ) } end - # Load the more generic tests for this context - general_deflate_specs() - - it { is_expected.to contain_file("deflate.conf").with({ - :ensure => 'file', - :path => '/etc/apache2/mods-available/deflate.conf', - } ) } - it { is_expected.to contain_file("deflate.conf symlink").with({ - :ensure => 'link', - :path => '/etc/apache2/mods-enabled/deflate.conf', - } ) } - end + context "on a RedHat OS with default params" do + let :facts do + { + :id => 'root', + :kernel => 'Linux', + :osfamily => 'RedHat', + :operatingsystem => 'RedHat', + :operatingsystemrelease => '6', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :concat_basedir => '/dne', + :is_pe => false, + } + end - context "on a RedHat OS with default params" do - let :facts do - { - :id => 'root', - :kernel => 'Linux', - :osfamily => 'RedHat', - :operatingsystem => 'RedHat', - :operatingsystemrelease => '6', - :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - :concat_basedir => '/dne', - :is_pe => false, - } + # Load the more generic tests for this context + general_deflate_specs() + + it { is_expected.to contain_file("deflate.conf").with_path("/etc/httpd/conf.d/deflate.conf") } end - # Load the more generic tests for this context - general_deflate_specs() - - it { is_expected.to contain_file("deflate.conf").with_path("/etc/httpd/conf.d/deflate.conf") } - end + context "On a FreeBSD OS with default params" do + let :facts do + { + :id => 'root', + :kernel => 'FreeBSD', + :osfamily => 'FreeBSD', + :operatingsystem => 'FreeBSD', + :operatingsystemrelease => '9', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :concat_basedir => '/dne', + :is_pe => false, + } + end - context "On a FreeBSD OS with default params" do - let :facts do - { - :id => 'root', - :kernel => 'FreeBSD', - :osfamily => 'FreeBSD', - :operatingsystem => 'FreeBSD', - :operatingsystemrelease => '9', - :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - :concat_basedir => '/dne', - :is_pe => false, - } + # Load the more generic tests for this context + general_deflate_specs() + + it { is_expected.to contain_file("deflate.conf").with({ + :ensure => 'file', + :path => '/usr/local/etc/apache24/Modules/deflate.conf', + } ) } end - # Load the more generic tests for this context - general_deflate_specs() + context "On a Gentoo OS with default params" do + let :facts do + { + :id => 'root', + :kernel => 'Linux', + :osfamily => 'Gentoo', + :operatingsystem => 'Gentoo', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin', + :operatingsystemrelease => '3.16.1-gentoo', + :concat_basedir => '/dne', + :is_pe => false, + } + end - it { is_expected.to contain_file("deflate.conf").with({ - :ensure => 'file', - :path => '/usr/local/etc/apache24/Modules/deflate.conf', - } ) } + # Load the more generic tests for this context + general_deflate_specs() + + it { is_expected.to contain_file("deflate.conf").with({ + :ensure => 'file', + :path => '/etc/apache2/modules.d/deflate.conf', + } ) } + end end end
--- a/modules/apache/spec/classes/mod/dev_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/classes/mod/dev_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -1,16 +1,17 @@ require 'spec_helper' describe 'apache::mod::dev', :type => :class do + let(:pre_condition) {[ + 'include apache' + ]} + + it_behaves_like "a mod class, without including apache" + [ - ['RedHat', '6', 'Santiago'], - ['Debian', '6', 'squeeze'], - ['FreeBSD', '9', 'FreeBSD'], - ].each do |osfamily, operatingsystemrelease, lsbdistcodename| - if osfamily == 'FreeBSD' - let :pre_condition do - 'include apache::package' - end - end + ['RedHat', '6', 'Santiago', 'Linux'], + ['Debian', '6', 'squeeze', 'Linux'], + ['FreeBSD', '9', 'FreeBSD', 'FreeBSD'], + ].each do |osfamily, operatingsystemrelease, lsbdistcodename, kernel| context "on a #{osfamily} OS" do let :facts do { @@ -19,6 +20,10 @@ :operatingsystem => osfamily, :operatingsystemrelease => operatingsystemrelease, :is_pe => false, + :concat_basedir => '/foo', + :id => 'root', + :path => '/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin', + :kernel => kernel } end it { is_expected.to contain_class('apache::dev') }
--- a/modules/apache/spec/classes/mod/dir_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/classes/mod/dir_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -1,106 +1,137 @@ require 'spec_helper' describe 'apache::mod::dir', :type => :class do - let :pre_condition do - 'class { "apache": - default_mods => false, - }' - end - context "on a Debian OS" do - let :facts do - { - :osfamily => 'Debian', - :operatingsystemrelease => '6', - :concat_basedir => '/dne', - :operatingsystem => 'Debian', - :id => 'root', - :kernel => 'Linux', - :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - :lsbdistcodename => 'squeeze', - :is_pe => false, - } - end - context "passing no parameters" do - it { is_expected.to contain_class("apache::params") } - it { is_expected.to contain_apache__mod('dir') } - it { is_expected.to contain_file('dir.conf').with_content(/^DirectoryIndex /) } - it { is_expected.to contain_file('dir.conf').with_content(/ index\.html /) } - it { is_expected.to contain_file('dir.conf').with_content(/ index\.html\.var /) } - it { is_expected.to contain_file('dir.conf').with_content(/ index\.cgi /) } - it { is_expected.to contain_file('dir.conf').with_content(/ index\.pl /) } - it { is_expected.to contain_file('dir.conf').with_content(/ index\.php /) } - it { is_expected.to contain_file('dir.conf').with_content(/ index\.xhtml$/) } - end - context "passing indexes => ['example.txt','fearsome.aspx']" do - let :params do - {:indexes => ['example.txt','fearsome.aspx']} + it_behaves_like "a mod class, without including apache" + + context "default configuration with parameters" do + context "on a Debian OS" do + let :facts do + { + :osfamily => 'Debian', + :operatingsystemrelease => '6', + :concat_basedir => '/dne', + :operatingsystem => 'Debian', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :lsbdistcodename => 'squeeze', + :is_pe => false, + } end - it { is_expected.to contain_file('dir.conf').with_content(/ example\.txt /) } - it { is_expected.to contain_file('dir.conf').with_content(/ fearsome\.aspx$/) } + context "passing no parameters" do + it { is_expected.to contain_class("apache::params") } + it { is_expected.to contain_apache__mod('dir') } + it { is_expected.to contain_file('dir.conf').with_content(/^DirectoryIndex /) } + it { is_expected.to contain_file('dir.conf').with_content(/ index\.html /) } + it { is_expected.to contain_file('dir.conf').with_content(/ index\.html\.var /) } + it { is_expected.to contain_file('dir.conf').with_content(/ index\.cgi /) } + it { is_expected.to contain_file('dir.conf').with_content(/ index\.pl /) } + it { is_expected.to contain_file('dir.conf').with_content(/ index\.php /) } + it { is_expected.to contain_file('dir.conf').with_content(/ index\.xhtml$/) } + end + context "passing indexes => ['example.txt','fearsome.aspx']" do + let :params do + {:indexes => ['example.txt','fearsome.aspx']} + end + it { is_expected.to contain_file('dir.conf').with_content(/ example\.txt /) } + it { is_expected.to contain_file('dir.conf').with_content(/ fearsome\.aspx$/) } + end end - end - context "on a RedHat OS" do - let :facts do - { - :osfamily => 'RedHat', - :operatingsystemrelease => '6', - :concat_basedir => '/dne', - :operatingsystem => 'Redhat', - :id => 'root', - :kernel => 'Linux', - :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - :is_pe => false, - } - end - context "passing no parameters" do - it { is_expected.to contain_class("apache::params") } - it { is_expected.to contain_apache__mod('dir') } - it { is_expected.to contain_file('dir.conf').with_content(/^DirectoryIndex /) } - it { is_expected.to contain_file('dir.conf').with_content(/ index\.html /) } - it { is_expected.to contain_file('dir.conf').with_content(/ index\.html\.var /) } - it { is_expected.to contain_file('dir.conf').with_content(/ index\.cgi /) } - it { is_expected.to contain_file('dir.conf').with_content(/ index\.pl /) } - it { is_expected.to contain_file('dir.conf').with_content(/ index\.php /) } - it { is_expected.to contain_file('dir.conf').with_content(/ index\.xhtml$/) } - end - context "passing indexes => ['example.txt','fearsome.aspx']" do - let :params do - {:indexes => ['example.txt','fearsome.aspx']} + context "on a RedHat OS" do + let :facts do + { + :osfamily => 'RedHat', + :operatingsystemrelease => '6', + :concat_basedir => '/dne', + :operatingsystem => 'Redhat', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :is_pe => false, + } end - it { is_expected.to contain_file('dir.conf').with_content(/ example\.txt /) } - it { is_expected.to contain_file('dir.conf').with_content(/ fearsome\.aspx$/) } + context "passing no parameters" do + it { is_expected.to contain_class("apache::params") } + it { is_expected.to contain_apache__mod('dir') } + it { is_expected.to contain_file('dir.conf').with_content(/^DirectoryIndex /) } + it { is_expected.to contain_file('dir.conf').with_content(/ index\.html /) } + it { is_expected.to contain_file('dir.conf').with_content(/ index\.html\.var /) } + it { is_expected.to contain_file('dir.conf').with_content(/ index\.cgi /) } + it { is_expected.to contain_file('dir.conf').with_content(/ index\.pl /) } + it { is_expected.to contain_file('dir.conf').with_content(/ index\.php /) } + it { is_expected.to contain_file('dir.conf').with_content(/ index\.xhtml$/) } + end + context "passing indexes => ['example.txt','fearsome.aspx']" do + let :params do + {:indexes => ['example.txt','fearsome.aspx']} + end + it { is_expected.to contain_file('dir.conf').with_content(/ example\.txt /) } + it { is_expected.to contain_file('dir.conf').with_content(/ fearsome\.aspx$/) } + end end - end - context "on a FreeBSD OS" do - let :facts do - { - :osfamily => 'FreeBSD', - :operatingsystemrelease => '9', - :concat_basedir => '/dne', - :operatingsystem => 'FreeBSD', - :id => 'root', - :kernel => 'FreeBSD', - :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - :is_pe => false, - } + context "on a FreeBSD OS" do + let :facts do + { + :osfamily => 'FreeBSD', + :operatingsystemrelease => '9', + :concat_basedir => '/dne', + :operatingsystem => 'FreeBSD', + :id => 'root', + :kernel => 'FreeBSD', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :is_pe => false, + } + end + context "passing no parameters" do + it { is_expected.to contain_class("apache::params") } + it { is_expected.to contain_apache__mod('dir') } + it { is_expected.to contain_file('dir.conf').with_content(/^DirectoryIndex /) } + it { is_expected.to contain_file('dir.conf').with_content(/ index\.html /) } + it { is_expected.to contain_file('dir.conf').with_content(/ index\.html\.var /) } + it { is_expected.to contain_file('dir.conf').with_content(/ index\.cgi /) } + it { is_expected.to contain_file('dir.conf').with_content(/ index\.pl /) } + it { is_expected.to contain_file('dir.conf').with_content(/ index\.php /) } + it { is_expected.to contain_file('dir.conf').with_content(/ index\.xhtml$/) } + end + context "passing indexes => ['example.txt','fearsome.aspx']" do + let :params do + {:indexes => ['example.txt','fearsome.aspx']} + end + it { is_expected.to contain_file('dir.conf').with_content(/ example\.txt /) } + it { is_expected.to contain_file('dir.conf').with_content(/ fearsome\.aspx$/) } + end end - context "passing no parameters" do - it { is_expected.to contain_class("apache::params") } - it { is_expected.to contain_apache__mod('dir') } - it { is_expected.to contain_file('dir.conf').with_content(/^DirectoryIndex /) } - it { is_expected.to contain_file('dir.conf').with_content(/ index\.html /) } - it { is_expected.to contain_file('dir.conf').with_content(/ index\.html\.var /) } - it { is_expected.to contain_file('dir.conf').with_content(/ index\.cgi /) } - it { is_expected.to contain_file('dir.conf').with_content(/ index\.pl /) } - it { is_expected.to contain_file('dir.conf').with_content(/ index\.php /) } - it { is_expected.to contain_file('dir.conf').with_content(/ index\.xhtml$/) } - end - context "passing indexes => ['example.txt','fearsome.aspx']" do - let :params do - {:indexes => ['example.txt','fearsome.aspx']} + context "on a Gentoo OS" do + let :facts do + { + :osfamily => 'Gentoo', + :operatingsystem => 'Gentoo', + :operatingsystemrelease => '3.16.1-gentoo', + :concat_basedir => '/dne', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin', + :is_pe => false, + } end - it { is_expected.to contain_file('dir.conf').with_content(/ example\.txt /) } - it { is_expected.to contain_file('dir.conf').with_content(/ fearsome\.aspx$/) } + context "passing no parameters" do + it { is_expected.to contain_class("apache::params") } + it { is_expected.to contain_apache__mod('dir') } + it { is_expected.to contain_file('dir.conf').with_content(/^DirectoryIndex /) } + it { is_expected.to contain_file('dir.conf').with_content(/ index\.html /) } + it { is_expected.to contain_file('dir.conf').with_content(/ index\.html\.var /) } + it { is_expected.to contain_file('dir.conf').with_content(/ index\.cgi /) } + it { is_expected.to contain_file('dir.conf').with_content(/ index\.pl /) } + it { is_expected.to contain_file('dir.conf').with_content(/ index\.php /) } + it { is_expected.to contain_file('dir.conf').with_content(/ index\.xhtml$/) } + end + context "passing indexes => ['example.txt','fearsome.aspx']" do + let :params do + {:indexes => ['example.txt','fearsome.aspx']} + end + it { is_expected.to contain_file('dir.conf').with_content(/ example\.txt /) } + it { is_expected.to contain_file('dir.conf').with_content(/ fearsome\.aspx$/) } + end end end end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/spec/classes/mod/disk_cache_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,125 @@ +require 'spec_helper' + +describe 'apache::mod::disk_cache', :type => :class do + context "on a Debian OS" do + let :facts do + { + :id => 'root', + :kernel => 'Linux', + :lsbdistcodename => 'squeeze', + :osfamily => 'Debian', + :operatingsystem => 'Debian', + :operatingsystemrelease => '6', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :concat_basedir => '/dne', + :is_pe => false, + } + end + context "with Apache version < 2.4" do + let :pre_condition do + 'class{ "apache": + apache_version => "2.2", + default_mods => ["cache"], + mod_dir => "/tmp/junk", + }' + end + it { should compile } + it { should contain_class('apache::mod::disk_cache') } + it { is_expected.to contain_apache__mod("disk_cache") } + it { is_expected.to contain_file("disk_cache.conf").with(:content => /CacheEnable disk \/\nCacheRoot \"\/var\/cache\/apache2\/mod_disk_cache\"\nCacheDirLevels 2\nCacheDirLength 1/) } + end + context "with Apache version >= 2.4" do + let :pre_condition do + 'class{ "apache": + apache_version => "2.4", + default_mods => ["cache"], + mod_dir => "/tmp/junk", + }' + end + it { should compile } + it { should contain_class('apache::mod::disk_cache') } + it { should contain_class('apache::mod::cache').that_comes_before('Class[Apache::Mod::Disk_cache]') } + it { is_expected.to contain_apache__mod("cache_disk") } + it { is_expected.to contain_file("disk_cache.conf").with(:content => /CacheEnable disk \/\nCacheRoot \"\/var\/cache\/apache2\/mod_cache_disk\"\nCacheDirLevels 2\nCacheDirLength 1/) } + end + end + + context "on a RedHat 6-based OS" do + let :facts do + { + :id => 'root', + :kernel => 'Linux', + :osfamily => 'RedHat', + :operatingsystem => 'RedHat', + :operatingsystemrelease => '6', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :concat_basedir => '/dne', + :is_pe => false, + } + end + context "with Apache version < 2.4" do + let :pre_condition do + 'class{ "apache": + apache_version => "2.2", + default_mods => ["cache"], + mod_dir => "/tmp/junk", + }' + end + it { is_expected.to contain_apache__mod("disk_cache") } + it { is_expected.to contain_file("disk_cache.conf").with(:content => /CacheEnable disk \/\nCacheRoot \"\/var\/cache\/mod_proxy\"\nCacheDirLevels 2\nCacheDirLength 1/) } + end + context "with Apache version >= 2.4" do + let :pre_condition do + 'class{ "apache": + apache_version => "2.4", + default_mods => ["cache"], + mod_dir => "/tmp/junk", + }' + end + it { is_expected.to contain_apache__mod("cache_disk") } + it { is_expected.to contain_file("disk_cache.conf").with(:content => /CacheEnable disk \/\nCacheRoot \"\/var\/cache\/httpd\/proxy\"\nCacheDirLevels 2\nCacheDirLength 1/) } + end + end + context "on a FreeBSD OS" do + let :facts do + { + :id => 'root', + :kernel => 'FreeBSD', + :osfamily => 'FreeBSD', + :operatingsystem => 'FreeBSD', + :operatingsystemrelease => '10', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :concat_basedir => '/dne', + :is_pe => false, + } + end + context "with Apache version < 2.4" do + let :pre_condition do + 'class{ "apache": + apache_version => "2.2", + default_mods => ["cache"], + mod_dir => "/tmp/junk", + }' + end + it { should compile } + it { should contain_class('apache::mod::disk_cache') } + it { should contain_class('apache::mod::cache').that_comes_before('Class[Apache::Mod::Disk_cache]') } + it { is_expected.to contain_apache__mod("disk_cache") } + it { is_expected.to contain_file("disk_cache.conf").with(:content => /CacheEnable disk \/\nCacheRoot \"\/var\/cache\/mod_disk_cache\"\nCacheDirLevels 2\nCacheDirLength 1/) } + end + context "with Apache version >= 2.4" do + let :pre_condition do + 'class{ "apache": + apache_version => "2.4", + default_mods => ["cache"], + mod_dir => "/tmp/junk", + }' + end + it { should compile } + it { should contain_class('apache::mod::disk_cache') } + it { should contain_class('apache::mod::cache').that_comes_before('Class[Apache::Mod::Disk_cache]') } + it { is_expected.to contain_apache__mod("cache_disk") } + it { is_expected.to contain_file("disk_cache.conf").with(:content => /CacheEnable disk \/\nCacheRoot \"\/var\/cache\/mod_cache_disk\"\nCacheDirLevels 2\nCacheDirLength 1/) } + end + end +end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/spec/classes/mod/dumpio_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,51 @@ +require 'spec_helper' + +describe 'apache::mod::dumpio', :type => :class do + context "on a Debian OS" do + let :pre_condition do + 'class{"apache": + default_mods => false, + mod_dir => "/tmp/junk", + }' + end + let :facts do + { + :lsbdistcodename => 'squeeze', + :osfamily => 'Debian', + :operatingsystemrelease => '6', + :operatingsystemmajrelease => '6', + :concat_basedir => '/dne', + :operatingsystem => 'Debian', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :is_pe => false, + } + end + context "default configuration fore parameters" do + it { should compile } + it { should contain_class('apache::mod::dumpio') } + it { should contain_file("dumpio.conf").with_path("/tmp/junk/dumpio.conf") } + it { should contain_file("dumpio.conf").with_content(/^\s*DumpIOInput\s+"Off"$/)} + it { should contain_file("dumpio.conf").with_content(/^\s*DumpIOOutput\s+"Off"$/)} + end + context "with dumpio_input set to On" do + let :params do + { + :dump_io_input => 'On', + } + end + it { should contain_file("dumpio.conf").with_content(/^\s*DumpIOInput\s+"On"$/)} + it { should contain_file("dumpio.conf").with_content(/^\s*DumpIOOutput\s+"Off"$/)} + end + context "with dumpio_ouput set to On" do + let :params do + { + :dump_io_output => 'On', + } + end + it { should contain_file("dumpio.conf").with_content(/^\s*DumpIOInput\s+"Off"$/)} + it { should contain_file("dumpio.conf").with_content(/^\s*DumpIOOutput\s+"On"$/)} + end + end +end
--- a/modules/apache/spec/classes/mod/event_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/classes/mod/event_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -21,6 +21,23 @@ it { is_expected.not_to contain_apache__mod('event') } it { is_expected.to contain_file("/usr/local/etc/apache24/Modules/event.conf").with_ensure('file') } end + context "on a Gentoo OS" do + let :facts do + { + :osfamily => 'Gentoo', + :operatingsystem => 'Gentoo', + :operatingsystemrelease => '3.16.1-gentoo', + :concat_basedir => '/dne', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin', + :is_pe => false, + } + end + it { is_expected.to contain_class("apache::params") } + it { is_expected.not_to contain_apache__mod('event') } + it { is_expected.to contain_file("/etc/apache2/modules.d/event.conf").with_ensure('file') } + end context "on a Debian OS" do let :facts do { @@ -42,7 +59,7 @@ it { is_expected.to contain_file("/etc/apache2/mods-available/event.conf").with_ensure('file') } it { is_expected.to contain_file("/etc/apache2/mods-enabled/event.conf").with_ensure('link') } - context "Test mpm_event params" do + context "Test mpm_event new params" do let :params do { :serverlimit => '0', @@ -58,7 +75,37 @@ :maxconnectionsperchild => '10', } end - + + it { is_expected.to contain_file("/etc/apache2/mods-available/event.conf").with_ensure('file').with_content(/^\s*ServerLimit\s*0/) } + it { is_expected.to contain_file("/etc/apache2/mods-available/event.conf").with_ensure('file').with_content(/^\s*StartServers\s*1/) } + it { is_expected.to contain_file("/etc/apache2/mods-available/event.conf").with_ensure('file').without_content(/^\s*MaxClients/) } + it { is_expected.to contain_file("/etc/apache2/mods-available/event.conf").with_ensure('file').with_content(/^\s*MinSpareThreads\s*3/) } + it { is_expected.to contain_file("/etc/apache2/mods-available/event.conf").with_ensure('file').with_content(/^\s*MaxSpareThreads\s*4/) } + it { is_expected.to contain_file("/etc/apache2/mods-available/event.conf").with_ensure('file').with_content(/^\s*ThreadsPerChild\s*5/) } + it { is_expected.to contain_file("/etc/apache2/mods-available/event.conf").with_ensure('file').without_content(/^\s*MaxRequestsPerChild/) } + it { is_expected.to contain_file("/etc/apache2/mods-available/event.conf").with_ensure('file').with_content(/^\s*ThreadLimit\s*7/) } + it { is_expected.to contain_file("/etc/apache2/mods-available/event.conf").with_ensure('file').with_content(/^\s*ListenBacklog\s*8/) } + it { is_expected.to contain_file("/etc/apache2/mods-available/event.conf").with_ensure('file').with_content(/^\s*MaxRequestWorkers\s*9/) } + it { is_expected.to contain_file("/etc/apache2/mods-available/event.conf").with_ensure('file').with_content(/^\s*MaxConnectionsPerChild\s*10/) } + end + + context "Test mpm_event old style params" do + let :params do + { + :serverlimit => '0', + :startservers => '1', + :maxclients => '2', + :minsparethreads => '3', + :maxsparethreads => '4', + :threadsperchild => '5', + :maxrequestsperchild => '6', + :threadlimit => '7', + :listenbacklog => '8', + :maxrequestworkers => :undef, + :maxconnectionsperchild => :undef, + } + end + it { is_expected.to contain_file("/etc/apache2/mods-available/event.conf").with_ensure('file').with_content(/^\s*ServerLimit\s*0/) } it { is_expected.to contain_file("/etc/apache2/mods-available/event.conf").with_ensure('file').with_content(/^\s*StartServers\s*1/) } it { is_expected.to contain_file("/etc/apache2/mods-available/event.conf").with_ensure('file').with_content(/^\s*MaxClients\s*2/) } @@ -68,8 +115,38 @@ it { is_expected.to contain_file("/etc/apache2/mods-available/event.conf").with_ensure('file').with_content(/^\s*MaxRequestsPerChild\s*6/) } it { is_expected.to contain_file("/etc/apache2/mods-available/event.conf").with_ensure('file').with_content(/^\s*ThreadLimit\s*7/) } it { is_expected.to contain_file("/etc/apache2/mods-available/event.conf").with_ensure('file').with_content(/^\s*ListenBacklog\s*8/) } - it { is_expected.to contain_file("/etc/apache2/mods-available/event.conf").with_ensure('file').with_content(/^\s*MaxRequestWorkers\s*9/) } - it { is_expected.to contain_file("/etc/apache2/mods-available/event.conf").with_ensure('file').with_content(/^\s*MaxConnectionsPerChild\s*10/) } + it { is_expected.to contain_file("/etc/apache2/mods-available/event.conf").with_ensure('file').without_content(/^\s*MaxRequestWorkers/) } + it { is_expected.to contain_file("/etc/apache2/mods-available/event.conf").with_ensure('file').without_content(/^\s*MaxConnectionsPerChild/) } + end + + context "Test mpm_event false params" do + let :params do + { + :serverlimit => false, + :startservers => false, + :maxclients => false, + :minsparethreads => false, + :maxsparethreads => false, + :threadsperchild => false, + :maxrequestsperchild => false, + :threadlimit => false, + :listenbacklog => false, + :maxrequestworkers => false, + :maxconnectionsperchild => false, + } + end + + it { is_expected.to contain_file("/etc/apache2/mods-available/event.conf").with_ensure('file').without_content(/^\s*ServerLimit/) } + it { is_expected.to contain_file("/etc/apache2/mods-available/event.conf").with_ensure('file').without_content(/^\s*StartServers/) } + it { is_expected.to contain_file("/etc/apache2/mods-available/event.conf").with_ensure('file').without_content(/^\s*MaxClients/) } + it { is_expected.to contain_file("/etc/apache2/mods-available/event.conf").with_ensure('file').without_content(/^\s*MinSpareThreads/) } + it { is_expected.to contain_file("/etc/apache2/mods-available/event.conf").with_ensure('file').without_content(/^\s*MaxSpareThreads/) } + it { is_expected.to contain_file("/etc/apache2/mods-available/event.conf").with_ensure('file').without_content(/^\s*ThreadsPerChild/) } + it { is_expected.to contain_file("/etc/apache2/mods-available/event.conf").with_ensure('file').without_content(/^\s*MaxRequestsPerChild/) } + it { is_expected.to contain_file("/etc/apache2/mods-available/event.conf").with_ensure('file').without_content(/^\s*ThreadLimit/) } + it { is_expected.to contain_file("/etc/apache2/mods-available/event.conf").with_ensure('file').without_content(/^\s*ListenBacklog/) } + it { is_expected.to contain_file("/etc/apache2/mods-available/event.conf").with_ensure('file').without_content(/^\s*MaxRequestWorkers/) } + it { is_expected.to contain_file("/etc/apache2/mods-available/event.conf").with_ensure('file').without_content(/^\s*MaxConnectionsPerChild/) } end context "with Apache version < 2.4" do
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/spec/classes/mod/expires_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,83 @@ +require 'spec_helper' + +describe 'apache::mod::expires', :type => :class do + it_behaves_like "a mod class, without including apache" + + context "with expires active", :compile do + let :facts do + { + :id => 'root', + :kernel => 'Linux', + :lsbdistcodename => 'squeeze', + :osfamily => 'Debian', + :operatingsystem => 'Debian', + :operatingsystemrelease => '6', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :concat_basedir => '/dne', + :is_pe => false, + } + end + it { is_expected.to contain_apache__mod("expires") } + it { is_expected.to contain_file("expires.conf").with(:content => /ExpiresActive On\n/) } + end + context "with expires default", :compile do + let :pre_condition do + 'class { apache: default_mods => false }' + end + let :facts do + { + :id => 'root', + :kernel => 'Linux', + :osfamily => 'RedHat', + :operatingsystem => 'RedHat', + :operatingsystemrelease => '7', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :concat_basedir => '/dne', + :is_pe => false, + } + end + let :params do + { + 'expires_default' => 'access plus 1 month' + } + end + it { is_expected.to contain_apache__mod("expires") } + it { is_expected.to contain_file("expires.conf").with_content( + "ExpiresActive On\n" \ + "ExpiresDefault \"access plus 1 month\"\n" + ) + } + end + context "with expires by type", :compile do + let :pre_condition do + 'class { apache: default_mods => false }' + end + let :facts do + { + :id => 'root', + :kernel => 'Linux', + :osfamily => 'RedHat', + :operatingsystem => 'RedHat', + :operatingsystemrelease => '7', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :concat_basedir => '/dne', + :is_pe => false, + } + end + let :params do + { + 'expires_by_type' => [ + { 'text/json' => 'mod plus 1 day' }, + { 'text/html' => 'access plus 1 year' }, + ] + } + end + it { is_expected.to contain_apache__mod("expires") } + it { is_expected.to contain_file("expires.conf").with_content( + "ExpiresActive On\n" \ + "ExpiresByType text/json \"mod plus 1 day\"\n" \ + "ExpiresByType text/html \"access plus 1 year\"\n" + ) + } + end +end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/spec/classes/mod/ext_filter_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,64 @@ +require 'spec_helper' + +describe 'apache::mod::ext_filter', :type => :class do + it_behaves_like "a mod class, without including apache" + context "on a Debian OS" do + let :facts do + { + :osfamily => 'Debian', + :operatingsystemrelease => '6', + :concat_basedir => '/dne', + :lsbdistcodename => 'squeeze', + :operatingsystem => 'Debian', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :fqdn => 'test.example.com', + :is_pe => false, + } + end + describe 'with no parameters' do + it { is_expected.to contain_apache__mod('ext_filter') } + it { is_expected.not_to contain_file('ext_filter.conf') } + end + describe 'with parameters' do + let :params do + { :ext_filter_define => {'filtA' => 'input=A output=B', + 'filtB' => 'input=C cmd="C"' }, + } + end + it { is_expected.to contain_file('ext_filter.conf').with_content(/^ExtFilterDefine\s+filtA\s+input=A output=B$/) } + it { is_expected.to contain_file('ext_filter.conf').with_content(/^ExtFilterDefine\s+filtB\s+input=C cmd="C"$/) } + end + + end + context "on a RedHat OS" do + let :facts do + { + :osfamily => 'RedHat', + :operatingsystemrelease => '6', + :concat_basedir => '/dne', + :operatingsystem => 'RedHat', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :fqdn => 'test.example.com', + :is_pe => false, + } + end + describe 'with no parameters' do + it { is_expected.to contain_apache__mod('ext_filter') } + it { is_expected.not_to contain_file('ext_filter.conf') } + end + describe 'with parameters' do + let :params do + { :ext_filter_define => {'filtA' => 'input=A output=B', + 'filtB' => 'input=C cmd="C"' }, + } + end + it { is_expected.to contain_file('ext_filter.conf').with_path('/etc/httpd/conf.d/ext_filter.conf') } + it { is_expected.to contain_file('ext_filter.conf').with_content(/^ExtFilterDefine\s+filtA\s+input=A output=B$/) } + it { is_expected.to contain_file('ext_filter.conf').with_content(/^ExtFilterDefine\s+filtB\s+input=C cmd="C"$/) } + end + end +end
--- a/modules/apache/spec/classes/mod/fastcgi_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/classes/mod/fastcgi_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -1,9 +1,7 @@ require 'spec_helper' describe 'apache::mod::fastcgi', :type => :class do - let :pre_condition do - 'include apache' - end + it_behaves_like "a mod class, without including apache" context "on a Debian OS" do let :facts do {
--- a/modules/apache/spec/classes/mod/fcgid_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/classes/mod/fcgid_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -1,9 +1,7 @@ require 'spec_helper' describe 'apache::mod::fcgid', :type => :class do - let :pre_condition do - 'include apache' - end + it_behaves_like "a mod class, without including apache" context "on a Debian OS" do let :facts do @@ -17,15 +15,17 @@ :id => 'root', :kernel => 'Linux', :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - :is_pe => false, + :is_pe => false, } end it { is_expected.to contain_class("apache::params") } - it { is_expected.to contain_apache__mod('fcgid') } + it { is_expected.to contain_apache__mod('fcgid').with({ + 'loadfile_name' => nil + }) } it { is_expected.to contain_package("libapache2-mod-fcgid") } end - context "on a RedHat OS" do + context "on a RHEL6" do let :facts do { :osfamily => 'RedHat', @@ -36,13 +36,15 @@ :id => 'root', :kernel => 'Linux', :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - :is_pe => false, + :is_pe => false, } end describe 'without parameters' do it { is_expected.to contain_class("apache::params") } - it { is_expected.to contain_apache__mod('fcgid') } + it { is_expected.to contain_apache__mod('fcgid').with({ + 'loadfile_name' => nil + }) } it { is_expected.to contain_package("mod_fcgid") } end @@ -57,7 +59,7 @@ } end it 'should contain the correct config' do - content = subject.resource('file', 'fcgid.conf').send(:parameters)[:content] + content = catalogue.resource('file', 'fcgid.conf').send(:parameters)[:content] expect(content.split("\n").reject { |c| c =~ /(^#|^$)/ }).to eq([ '<IfModule mod_fcgid.c>', ' AddHandler fcgid-script .fcgi', @@ -81,7 +83,7 @@ :id => 'root', :kernel => 'Linux', :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - :is_pe => false, + :is_pe => false, } end @@ -89,8 +91,7 @@ it { is_expected.to contain_class("apache::params") } it { is_expected.to contain_apache__mod('fcgid').with({ 'loadfile_name' => 'unixd_fcgid.load' - }) - } + }) } it { is_expected.to contain_package("mod_fcgid") } end end @@ -99,19 +100,42 @@ let :facts do { :osfamily => 'FreeBSD', - :operatingsystemrelease => '9', - :operatingsystemmajrelease => '9', + :operatingsystemrelease => '10', + :operatingsystemmajrelease => '10', :concat_basedir => '/dne', :operatingsystem => 'FreeBSD', :id => 'root', :kernel => 'FreeBSD', :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - :is_pe => false, + :is_pe => false, } end it { is_expected.to contain_class("apache::params") } - it { is_expected.to contain_apache__mod('fcgid') } + it { is_expected.to contain_apache__mod('fcgid').with({ + 'loadfile_name' => 'unixd_fcgid.load' + }) } it { is_expected.to contain_package("www/mod_fcgid") } end + + context "on a Gentoo OS" do + let :facts do + { + :osfamily => 'Gentoo', + :operatingsystem => 'Gentoo', + :operatingsystemrelease => '3.16.1-gentoo', + :concat_basedir => '/dne', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin', + :is_pe => false, + } + end + + it { is_expected.to contain_class("apache::params") } + it { is_expected.to contain_apache__mod('fcgid').with({ + 'loadfile_name' => nil, + }) } + it { is_expected.to contain_package("www-apache/mod_fcgid") } + end end
--- a/modules/apache/spec/classes/mod/info_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/classes/mod/info_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -1,3 +1,5 @@ +require 'spec_helper' + # This function is called inside the OS specific contexts def general_info_specs_22 it { is_expected.to contain_apache__mod('info') } @@ -119,9 +121,7 @@ end describe 'apache::mod::info', :type => :class do - let :pre_condition do - "class { 'apache': default_mods => false, }" - end + it_behaves_like "a mod class, without including apache" context 'On a Debian OS' do let :facts do @@ -197,4 +197,26 @@ } ) } end + context 'on a Gentoo OS' do + let :facts do + { + :osfamily => 'Gentoo', + :operatingsystem => 'Gentoo', + :operatingsystemrelease => '3.16.1-gentoo', + :concat_basedir => '/dne', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin', + :is_pe => false, + } + end + + # Load the more generic tests for this context + general_info_specs_24() + + it { is_expected.to contain_file('info.conf').with({ + :ensure => 'file', + :path => '/etc/apache2/modules.d/info.conf', + } ) } + end end
--- a/modules/apache/spec/classes/mod/itk_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/classes/mod/itk_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -37,6 +37,10 @@ end context "with Apache version >= 2.4" do + let :pre_condition do + 'class { "apache": mpm_module => prefork, }' + end + let :params do { :apache_version => '2.4', @@ -51,7 +55,60 @@ it { is_expected.to contain_file("/etc/apache2/mods-enabled/itk.load").with_ensure('link') } end end + context "on a RedHat OS" do + let :facts do + { + :osfamily => 'RedHat', + :operatingsystemrelease => '6', + :concat_basedir => '/dne', + :operatingsystem => 'RedHat', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :is_pe => false, + } + end + it { is_expected.to contain_class("apache::params") } + it { is_expected.not_to contain_apache__mod('itk') } + it { is_expected.to contain_file("/etc/httpd/conf.d/itk.conf").with_ensure('file') } + it { is_expected.to contain_package("httpd-itk") } + + context "with Apache version < 2.4" do + let :params do + { + :apache_version => '2.2', + } + end + + it { is_expected.to contain_file_line("/etc/sysconfig/httpd itk enable").with({ + 'require' => 'Package[httpd]', + }) + } + end + + context "with Apache version >= 2.4" do + let :pre_condition do + 'class { "apache": mpm_module => prefork, }' + end + + let :params do + { + :apache_version => '2.4', + } + end + + it { is_expected.to contain_file("/etc/httpd/conf.d/itk.load").with({ + 'ensure' => 'file', + 'content' => "LoadModule mpm_itk_module modules/mod_mpm_itk.so\n" + }) + } + end + end context "on a FreeBSD OS" do + let :pre_condition do + 'class { "apache": mpm_module => false, }' + end + let :facts do { :osfamily => 'FreeBSD',
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/spec/classes/mod/ldap_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,86 @@ +require 'spec_helper' + +describe 'apache::mod::ldap', :type => :class do + it_behaves_like "a mod class, without including apache" + + context "on a Debian OS" do + let :facts do + { + :lsbdistcodename => 'squeeze', + :osfamily => 'Debian', + :operatingsystemrelease => '6', + :concat_basedir => '/dne', + :id => 'root', + :kernel => 'Linux', + :operatingsystem => 'Debian', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :is_pe => false, + } + end + it { is_expected.to contain_class("apache::params") } + it { is_expected.to contain_class("apache::mod::ldap") } + it { is_expected.to contain_apache__mod('ldap') } + + context 'default ldap_trusted_global_cert_file' do + it { is_expected.to contain_file('ldap.conf').without_content(/^LDAPTrustedGlobalCert/) } + end + + context 'ldap_trusted_global_cert_file param' do + let(:params) { { :ldap_trusted_global_cert_file => 'ca.pem' } } + it { is_expected.to contain_file('ldap.conf').with_content(/^LDAPTrustedGlobalCert CA_BASE64 ca\.pem$/) } + end + + context 'set multiple ldap params' do + let(:params) {{ + :ldap_trusted_global_cert_file => 'ca.pem', + :ldap_trusted_global_cert_type => 'CA_DER', + :ldap_shared_cache_size => '500000', + :ldap_cache_entries => '1024', + :ldap_cache_ttl => '600', + :ldap_opcache_entries => '1024', + :ldap_opcache_ttl => '600' + }} + it { is_expected.to contain_file('ldap.conf').with_content(/^LDAPTrustedGlobalCert CA_DER ca\.pem$/) } + it { is_expected.to contain_file('ldap.conf').with_content(/^LDAPSharedCacheSize 500000$/) } + it { is_expected.to contain_file('ldap.conf').with_content(/^LDAPCacheEntries 1024$/) } + it { is_expected.to contain_file('ldap.conf').with_content(/^LDAPCacheTTL 600$/) } + it { is_expected.to contain_file('ldap.conf').with_content(/^LDAPOpCacheEntries 1024$/) } + it { is_expected.to contain_file('ldap.conf').with_content(/^LDAPOpCacheTTL 600$/) } + end + end #Debian + + context "on a RedHat OS" do + let :facts do + { + :osfamily => 'RedHat', + :operatingsystemrelease => '6', + :concat_basedir => '/dne', + :id => 'root', + :kernel => 'Linux', + :operatingsystem => 'RedHat', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :is_pe => false, + } + end + it { is_expected.to contain_class("apache::params") } + it { is_expected.to contain_class("apache::mod::ldap") } + it { is_expected.to contain_apache__mod('ldap') } + + context 'default ldap_trusted_global_cert_file' do + it { is_expected.to contain_file('ldap.conf').without_content(/^LDAPTrustedGlobalCert/) } + end + + context 'ldap_trusted_global_cert_file param' do + let(:params) { { :ldap_trusted_global_cert_file => 'ca.pem' } } + it { is_expected.to contain_file('ldap.conf').with_content(/^LDAPTrustedGlobalCert CA_BASE64 ca\.pem$/) } + end + + context 'ldap_trusted_global_cert_file and ldap_trusted_global_cert_type params' do + let(:params) {{ + :ldap_trusted_global_cert_file => 'ca.pem', + :ldap_trusted_global_cert_type => 'CA_DER' + }} + it { is_expected.to contain_file('ldap.conf').with_content(/^LDAPTrustedGlobalCert CA_DER ca\.pem$/) } + end + end # Redhat +end
--- a/modules/apache/spec/classes/mod/mime_magic_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/classes/mod/mime_magic_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -6,9 +6,7 @@ end describe 'apache::mod::mime_magic', :type => :class do - let :pre_condition do - 'include apache' - end + it_behaves_like "a mod class, without including apache" context "On a Debian OS with default params" do let :facts do
--- a/modules/apache/spec/classes/mod/mime_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/classes/mod/mime_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -6,9 +6,7 @@ end describe 'apache::mod::mime', :type => :class do - let :pre_condition do - 'include apache' - end + it_behaves_like "a mod class, without including apache" context "On a Debian OS with default params", :compile do let :facts do
--- a/modules/apache/spec/classes/mod/negotiation_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/classes/mod/negotiation_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -1,8 +1,8 @@ require 'spec_helper' describe 'apache::mod::negotiation', :type => :class do + it_behaves_like "a mod class, without including apache" describe "OS independent tests" do - let :facts do { :osfamily => 'Debian', @@ -18,9 +18,6 @@ end context "default params" do - let :pre_condition do - 'class {"::apache": }' - end it { should contain_class("apache") } it do should contain_file('negotiation.conf').with( { @@ -33,9 +30,6 @@ end context 'with force_language_priority parameter' do - let :pre_condition do - 'class {"::apache": default_mods => ["negotiation"]}' - end let :params do { :force_language_priority => 'Prefer' } end @@ -48,9 +42,6 @@ end context 'with language_priority parameter' do - let :pre_condition do - 'class {"::apache": default_mods => ["negotiation"]}' - end let :params do { :language_priority => [ 'en', 'es' ] } end
--- a/modules/apache/spec/classes/mod/pagespeed_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/classes/mod/pagespeed_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -1,9 +1,6 @@ require 'spec_helper' describe 'apache::mod::pagespeed', :type => :class do - let :pre_condition do - 'include apache' - end context "on a Debian OS" do let :facts do { @@ -21,7 +18,16 @@ it { is_expected.to contain_class("apache::params") } it { is_expected.to contain_apache__mod('pagespeed') } it { is_expected.to contain_package("mod-pagespeed-stable") } - it { is_expected.to contain_file('pagespeed.conf') } + + context "when setting additional_configuration to a Hash" do + let :params do { :additional_configuration => { 'Key' => 'Value' } } end + it { is_expected.to contain_file('pagespeed.conf').with_content /Key Value/ } + end + + context "when setting additional_configuration to an Array" do + let :params do { :additional_configuration => [ 'Key Value' ] } end + it { is_expected.to contain_file('pagespeed.conf').with_content /Key Value/ } + end end context "on a RedHat OS" do
--- a/modules/apache/spec/classes/mod/passenger_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/classes/mod/passenger_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -1,9 +1,7 @@ require 'spec_helper' describe 'apache::mod::passenger', :type => :class do - let :pre_condition do - 'include apache' - end + it_behaves_like "a mod class, without including apache" context "on a Debian OS" do let :facts do { @@ -14,7 +12,6 @@ :lsbdistcodename => 'squeeze', :operatingsystem => 'Debian', :id => 'root', - :kernel => 'Linux', :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', :is_pe => false, } @@ -22,13 +19,12 @@ it { is_expected.to contain_class("apache::params") } it { is_expected.to contain_apache__mod('passenger') } it { is_expected.to contain_package("libapache2-mod-passenger") } - it { is_expected.to contain_file('passenger.load').with({ - 'path' => '/etc/apache2/mods-available/passenger.load', + it { is_expected.to contain_file('zpassenger.load').with({ + 'path' => '/etc/apache2/mods-available/zpassenger.load', }) } it { is_expected.to contain_file('passenger.conf').with({ 'path' => '/etc/apache2/mods-available/passenger.conf', }) } - it { is_expected.to contain_file('passenger_package.conf').with_ensure('absent') } describe "with passenger_root => '/usr/lib/example'" do let :params do { :passenger_root => '/usr/lib/example' } @@ -59,12 +55,31 @@ end it { is_expected.to contain_file('passenger.conf').with_content(/^ PassengerPoolIdleTime 1200$/) } end + describe "with passenger_max_request_queue_size => 100" do + let :params do + { :passenger_max_request_queue_size => 100 } + end + it { is_expected.to contain_file('passenger.conf').with_content(/^ PassengerMaxRequestQueueSize 100$/) } + end + describe "with passenger_max_requests => 20" do let :params do { :passenger_max_requests => 20 } end it { is_expected.to contain_file('passenger.conf').with_content(/^ PassengerMaxRequests 20$/) } end + describe "with passenger_spawn_method => bogus" do + let :params do + { :passenger_spawn_method => 'bogus' } + end + it { is_expected.to raise_error(Puppet::Error, /not permitted for passenger_spawn_method/) } + end + describe "with passenger_spawn_method => direct" do + let :params do + { :passenger_spawn_method => 'direct' } + end + it { is_expected.to contain_file('passenger.conf').with_content(/^ PassengerSpawnMethod direct$/) } + end describe "with passenger_stat_throttle_rate => 10" do let :params do { :passenger_stat_throttle_rate => 10 } @@ -77,6 +92,18 @@ end it { is_expected.to contain_file('passenger.conf').with_content(/^ PassengerMaxPoolSize 16$/) } end + describe "with passenger_min_instances => 5" do + let :params do + { :passenger_min_instances => 5 } + end + it { is_expected.to contain_file('passenger.conf').with_content(/^ PassengerMinInstances 5$/) } + end + describe "with passenger_max_instances_per_app => 8" do + let :params do + { :passenger_max_instances_per_app => 8 } + end + it { is_expected.to contain_file('passenger.conf').with_content(/^ PassengerMaxInstancesPerApp 8$/) } + end describe "with rack_autodetect => on" do let :params do { :rack_autodetect => 'on' } @@ -95,29 +122,47 @@ end it { is_expected.to contain_file('passenger.conf').with_content(/^ PassengerUseGlobalQueue on$/) } end + describe "with passenger_app_env => 'foo'" do + let :params do + { :passenger_app_env => 'foo' } + end + it { is_expected.to contain_file('passenger.conf').with_content(/^ PassengerAppEnv foo$/) } + end + describe "with passenger_log_file => '/var/log/apache2/passenger.log'" do + let :params do + { :passenger_log_file => '/var/log/apache2/passenger.log' } + end + it { is_expected.to contain_file('passenger.conf').with_content(%r{^ PassengerLogFile /var/log/apache2/passenger.log$}) } + end + describe "with passenger_log_level => 3" do + let :params do + { :passenger_log_level => 3 } + end + it { is_expected.to contain_file('passenger.conf').with_content(%r{^ PassengerLogLevel 3$}) } + end describe "with mod_path => '/usr/lib/foo/mod_foo.so'" do let :params do { :mod_path => '/usr/lib/foo/mod_foo.so' } end - it { is_expected.to contain_file('passenger.load').with_content(/^LoadModule passenger_module \/usr\/lib\/foo\/mod_foo\.so$/) } + it { is_expected.to contain_file('zpassenger.load').with_content(/^LoadModule passenger_module \/usr\/lib\/foo\/mod_foo\.so$/) } end describe "with mod_lib_path => '/usr/lib/foo'" do let :params do { :mod_lib_path => '/usr/lib/foo' } end - it { is_expected.to contain_file('passenger.load').with_content(/^LoadModule passenger_module \/usr\/lib\/foo\/mod_passenger\.so$/) } + it { is_expected.to contain_file('zpassenger.load').with_content(/^LoadModule passenger_module \/usr\/lib\/foo\/mod_passenger\.so$/) } end describe "with mod_lib => 'mod_foo.so'" do let :params do { :mod_lib => 'mod_foo.so' } end - it { is_expected.to contain_file('passenger.load').with_content(/^LoadModule passenger_module \/usr\/lib\/apache2\/modules\/mod_foo\.so$/) } + it { is_expected.to contain_file('zpassenger.load').with_content(/^LoadModule passenger_module \/usr\/lib\/apache2\/modules\/mod_foo\.so$/) } end describe "with mod_id => 'mod_foo'" do let :params do { :mod_id => 'mod_foo' } end - it { is_expected.to contain_file('passenger.load').with_content(/^LoadModule mod_foo \/usr\/lib\/apache2\/modules\/mod_passenger\.so$/) } + it { is_expected.to contain_file('zpassenger.load').with_content(/^LoadModule mod_foo \/usr\/lib\/apache2\/modules\/mod_passenger\.so$/) } end context "with Ubuntu 12.04 defaults" do @@ -202,10 +247,9 @@ end context "on a RedHat OS" do - let :facts do + let :rh_facts do { :osfamily => 'RedHat', - :operatingsystemrelease => '6', :concat_basedir => '/dne', :operatingsystem => 'RedHat', :id => 'root', @@ -214,30 +258,46 @@ :is_pe => false, } end - it { is_expected.to contain_class("apache::params") } - it { is_expected.to contain_apache__mod('passenger') } - it { is_expected.to contain_package("mod_passenger") } - it { is_expected.to contain_file('passenger_package.conf').with({ - 'path' => '/etc/httpd/conf.d/passenger.conf', - }) } - it { is_expected.to contain_file('passenger_package.conf').without_content } - it { is_expected.to contain_file('passenger_package.conf').without_source } - it { is_expected.to contain_file('passenger.load').with({ - 'path' => '/etc/httpd/conf.d/passenger.load', - }) } - it { is_expected.to contain_file('passenger.conf').without_content(/PassengerRoot/) } - it { is_expected.to contain_file('passenger.conf').without_content(/PassengerRuby/) } - describe "with passenger_root => '/usr/lib/example'" do - let :params do - { :passenger_root => '/usr/lib/example' } + + context "on EL6" do + let(:facts) { rh_facts.merge(:operatingsystemrelease => '6') } + + it { is_expected.to contain_class("apache::params") } + it { is_expected.to contain_apache__mod('passenger') } + it { is_expected.to contain_package("mod_passenger") } + it { is_expected.to contain_file('passenger_package.conf').with({ + 'path' => '/etc/httpd/conf.d/passenger.conf', + }) } + it { is_expected.to contain_file('passenger_package.conf').without_content } + it { is_expected.to contain_file('passenger_package.conf').without_source } + it { is_expected.to contain_file('zpassenger.load').with({ + 'path' => '/etc/httpd/conf.d/zpassenger.load', + }) } + it { is_expected.to contain_file('passenger.conf').without_content(/PassengerRoot/) } + it { is_expected.to contain_file('passenger.conf').without_content(/PassengerRuby/) } + describe "with passenger_root => '/usr/lib/example'" do + let :params do + { :passenger_root => '/usr/lib/example' } + end + it { is_expected.to contain_file('passenger.conf').with_content(/^ PassengerRoot "\/usr\/lib\/example"$/) } end - it { is_expected.to contain_file('passenger.conf').with_content(/^ PassengerRoot "\/usr\/lib\/example"$/) } + describe "with passenger_ruby => /usr/lib/example/ruby" do + let :params do + { :passenger_ruby => '/usr/lib/example/ruby' } + end + it { is_expected.to contain_file('passenger.conf').with_content(/^ PassengerRuby "\/usr\/lib\/example\/ruby"$/) } + end end - describe "with passenger_ruby => /usr/lib/example/ruby" do - let :params do - { :passenger_ruby => '/usr/lib/example/ruby' } - end - it { is_expected.to contain_file('passenger.conf').with_content(/^ PassengerRuby "\/usr\/lib\/example\/ruby"$/) } + + context "on EL7" do + let(:facts) { rh_facts.merge(:operatingsystemrelease => '7') } + + it { is_expected.to contain_file('passenger_package.conf').with({ + 'path' => '/etc/httpd/conf.d/passenger.conf', + }) } + it { is_expected.to contain_file('zpassenger.load').with({ + 'path' => '/etc/httpd/conf.modules.d/zpassenger.load', + }) } end end context "on a FreeBSD OS" do @@ -257,4 +317,21 @@ it { is_expected.to contain_apache__mod('passenger') } it { is_expected.to contain_package("www/rubygem-passenger") } end + context "on a Gentoo OS" do + let :facts do + { + :osfamily => 'Gentoo', + :operatingsystem => 'Gentoo', + :operatingsystemrelease => '3.16.1-gentoo', + :concat_basedir => '/dne', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin', + :is_pe => false, + } + end + it { is_expected.to contain_class("apache::params") } + it { is_expected.to contain_apache__mod('passenger') } + it { is_expected.to contain_package("www-apache/passenger") } + end end
--- a/modules/apache/spec/classes/mod/perl_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/classes/mod/perl_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -1,9 +1,7 @@ require 'spec_helper' describe 'apache::mod::perl', :type => :class do - let :pre_condition do - 'include apache' - end + it_behaves_like "a mod class, without including apache" context "on a Debian OS" do let :facts do { @@ -56,4 +54,21 @@ it { is_expected.to contain_apache__mod('perl') } it { is_expected.to contain_package("www/mod_perl2") } end + context "on a Gentoo OS" do + let :facts do + { + :osfamily => 'Gentoo', + :operatingsystemrelease => '3.16.1-gentoo', + :concat_basedir => '/dne', + :operatingsystem => 'Gentoo', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin', + :is_pe => false, + } + end + it { is_expected.to contain_class("apache::params") } + it { is_expected.to contain_apache__mod('perl') } + it { is_expected.to contain_package("www-apache/mod_perl") } + end end
--- a/modules/apache/spec/classes/mod/peruser_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/classes/mod/peruser_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -19,8 +19,25 @@ end it do expect { - should compile + catalogue }.to raise_error(Puppet::Error, /Unsupported osfamily FreeBSD/) end end + context "on a Gentoo OS" do + let :facts do + { + :osfamily => 'Gentoo', + :operatingsystem => 'Gentoo', + :operatingsystemrelease => '3.16.1-gentoo', + :concat_basedir => '/dne', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin', + :is_pe => false, + } + end + it { is_expected.to contain_class("apache::params") } + it { is_expected.not_to contain_apache__mod('peruser') } + it { is_expected.to contain_file("/etc/apache2/modules.d/peruser.conf").with_ensure('file') } + end end
--- a/modules/apache/spec/classes/mod/php_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/classes/mod/php_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -39,6 +39,32 @@ :content => "LoadModule php5_module /usr/lib/apache2/modules/libphp5.so\n" ) } end + context "on jessie" do + let :pre_condition do + 'class { "apache": mpm_module => prefork, }' + end + let(:facts) { super().merge({ + :operatingsystemrelease => '8', + :lsbdistcodename => 'jessie', + }) } + it { is_expected.to contain_file("php5.load").with( + :content => "LoadModule php5_module /usr/lib/apache2/modules/libphp5.so\n" + ) } + end + context "on stretch" do + let :pre_condition do + 'class { "apache": mpm_module => prefork, }' + end + let(:facts) { super().merge({ + :operatingsystemrelease => '9', + :lsbdistcodename => 'stretch', + }) } + it { is_expected.to contain_apache__mod('php7.0') } + it { is_expected.to contain_package("libapache2-mod-php7.0") } + it { is_expected.to contain_file("php7.0.load").with( + :content => "LoadModule php7_module /usr/lib/apache2/modules/libphp7.0.so\n" + ) } + end end describe "on a RedHat OS" do let :facts do @@ -88,7 +114,7 @@ let :params do { :extensions => ['.php','.php5']} end - it { is_expected.to contain_file("php5.conf").with_content(/AddHandler php5-script .php .php5\n/) } + it { is_expected.to contain_file("php5.conf").with_content(Regexp.new(Regexp.escape('<FilesMatch ".+(\.php|\.php5)$">'))) } end context "with specific version" do let :pre_condition do @@ -117,9 +143,13 @@ let :pre_condition do 'class { "apache": mpm_module => itk, }' end - it 'should raise an error' do - expect { expect(subject).to contain_class("apache::mod::itk") }.to raise_error Puppet::Error, /Unsupported osfamily RedHat/ - end + it { is_expected.to contain_class("apache::params") } + it { is_expected.to contain_class("apache::mod::itk") } + it { is_expected.to contain_apache__mod('php5') } + it { is_expected.to contain_package("php") } + it { is_expected.to contain_file("php5.load").with( + :content => "LoadModule php5_module modules/libphp5.so\n" + ) } end end describe "on a FreeBSD OS" do @@ -155,6 +185,39 @@ it { is_expected.to contain_file('php5.load') } end end + describe "on a Gentoo OS" do + let :facts do + { + :osfamily => 'Gentoo', + :operatingsystem => 'Gentoo', + :operatingsystemrelease => '3.16.1-gentoo', + :concat_basedir => '/dne', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin', + :is_pe => false, + } + end + context "with mpm_module => prefork" do + let :pre_condition do + 'class { "apache": mpm_module => prefork, }' + end + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_apache__mod('php5') } + it { is_expected.to contain_package("dev-lang/php") } + it { is_expected.to contain_file('php5.load') } + end + context "with mpm_module => itk" do + let :pre_condition do + 'class { "apache": mpm_module => itk, }' + end + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_class('apache::mod::itk') } + it { is_expected.to contain_apache__mod('php5') } + it { is_expected.to contain_package("dev-lang/php") } + it { is_expected.to contain_file('php5.load') } + end + end describe "OS independent tests" do let :facts do { @@ -185,7 +248,7 @@ 'class { "apache": mpm_module => prefork, }' end let :params do - { :template => 'apache/mod/php5.conf.erb' } + { :template => 'apache/mod/php.conf.erb' } end it { should contain_file('php5.conf').with( :content => /^# PHP is an HTML-embedded scripting language which attempts to make it/
--- a/modules/apache/spec/classes/mod/prefork_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/classes/mod/prefork_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -114,4 +114,21 @@ it { is_expected.not_to contain_apache__mod('prefork') } it { is_expected.to contain_file("/usr/local/etc/apache24/Modules/prefork.conf").with_ensure('file') } end + context "on a Gentoo OS" do + let :facts do + { + :osfamily => 'Gentoo', + :operatingsystem => 'Gentoo', + :operatingsystemrelease => '3.16.1-gentoo', + :concat_basedir => '/dne', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin', + :is_pe => false, + } + end + it { is_expected.to contain_class("apache::params") } + it { is_expected.not_to contain_apache__mod('prefork') } + it { is_expected.to contain_file("/etc/apache2/modules.d/prefork.conf").with_ensure('file') } + end end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/spec/classes/mod/proxy_balancer_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,95 @@ +require 'spec_helper' + +# Helper function for testing the contents of `proxy_balancer.conf` +def balancer_manager_conf_spec(allow_from, manager_path) + it do + is_expected.to contain_file("proxy_balancer.conf").with_content( + "<Location #{manager_path}>\n"\ + " SetHandler balancer-manager\n"\ + " Require ip #{Array(allow_from).join(' ')}\n"\ + "</Location>\n" + ) + end +end + +describe 'apache::mod::proxy_balancer', :type => :class do + let :pre_condition do + [ + 'include apache::mod::proxy', + ] + end + it_behaves_like "a mod class, without including apache" + + context "default configuration with default parameters" do + context "on a Debian OS" do + let :facts do + { + :osfamily => 'Debian', + :operatingsystemrelease => '8', + :concat_basedir => '/dne', + :lsbdistcodename => 'jessie', + :operatingsystem => 'Debian', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :is_pe => false, + } + end + + it { is_expected.to contain_apache__mod("proxy_balancer") } + + it { is_expected.to_not contain_file("proxy_balancer.conf") } + it { is_expected.to_not contain_file("proxy_balancer.conf symlink") } + + end + + context "on a RedHat OS" do + let :facts do + { + :osfamily => 'RedHat', + :operatingsystemrelease => '6', + :concat_basedir => '/dne', + :operatingsystem => 'RedHat', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :is_pe => false, + } + end + + it { is_expected.to contain_apache__mod("proxy_balancer") } + + it { is_expected.to_not contain_file("proxy_balancer.conf") } + it { is_expected.to_not contain_file("proxy_balancer.conf symlink") } + + end + end + + context "default configuration with custom parameters $manager => true, $allow_from => ['10.10.10.10','11.11.11.11'], $status_path => '/custom-manager'" do + context "on a Debian OS" do + let :facts do + { + :osfamily => 'Debian', + :operatingsystemrelease => '8', + :concat_basedir => '/dne', + :lsbdistcodename => 'jessie', + :operatingsystem => 'Debian', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :is_pe => false, + } + end + let :params do + { + :manager => true, + :allow_from => ['10.10.10.10','11.11.11.11'], + :manager_path => '/custom-manager', + } + end + + balancer_manager_conf_spec(["10.10.10.10", "11.11.11.11"], "/custom-manager") + + end + end +end
--- a/modules/apache/spec/classes/mod/proxy_connect_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/classes/mod/proxy_connect_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -3,10 +3,10 @@ describe 'apache::mod::proxy_connect', :type => :class do let :pre_condition do [ - 'include apache', 'include apache::mod::proxy', ] end + it_behaves_like "a mod class, without including apache" context 'on a Debian OS' do let :facts do { @@ -19,7 +19,21 @@ :is_pe => false, } end - context 'with Apache version < 2.4' do + context 'with Apache version < 2.2' do + let :facts do + super().merge({ + :operatingsystemrelease => '7.0', + :lsbdistcodename => 'wheezy', + }) + end + let :params do + { + :apache_version => '2.1', + } + end + it { is_expected.not_to contain_apache__mod('proxy_connect') } + end + context 'with Apache version = 2.2' do let :facts do super().merge({ :operatingsystemrelease => '7.0', @@ -31,7 +45,7 @@ :apache_version => '2.2', } end - it { is_expected.not_to contain_apache__mod('proxy_connect') } + it { is_expected.to contain_apache__mod('proxy_connect') } end context 'with Apache version >= 2.4' do let :facts do
--- a/modules/apache/spec/classes/mod/proxy_html_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/classes/mod/proxy_html_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -3,11 +3,11 @@ describe 'apache::mod::proxy_html', :type => :class do let :pre_condition do [ - 'include apache', 'include apache::mod::proxy', 'include apache::mod::proxy_http', ] end + it_behaves_like "a mod class, without including apache" context "on a Debian OS" do shared_examples "debian" do |loadfiles| it { is_expected.to contain_class("apache::params") } @@ -25,16 +25,36 @@ :kernel => 'Linux', :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', :hardwaremodel => 'i386', - :is_pe => false, + :is_pe => false, } end context "on squeeze" do let(:facts) { super().merge({ :operatingsystemrelease => '6' }) } it_behaves_like "debian", ['/usr/lib/libxml2.so.2'] + it { is_expected.to_not contain_apache__mod('xml2enc') } end context "on wheezy" do let(:facts) { super().merge({ :operatingsystemrelease => '7' }) } + it { is_expected.to_not contain_apache__mod('xml2enc') } + context "i386" do + let(:facts) { super().merge({ + :hardwaremodel => 'i686', + :architecture => 'i386' + })} + it_behaves_like "debian", ["/usr/lib/i386-linux-gnu/libxml2.so.2"] + end + context "x64" do + let(:facts) { super().merge({ + :hardwaremodel => 'x86_64', + :architecture => 'amd64' + })} + it_behaves_like "debian", ["/usr/lib/x86_64-linux-gnu/libxml2.so.2"] + end + end + context "on jessie" do + let(:facts) { super().merge({ :operatingsystemrelease => '8' }) } + it { is_expected.to contain_apache__mod('xml2enc').with(:loadfiles => nil) } context "i386" do let(:facts) { super().merge({ :hardwaremodel => 'i686', @@ -67,6 +87,7 @@ it { is_expected.to contain_class("apache::params") } it { is_expected.to contain_apache__mod('proxy_html').with(:loadfiles => nil) } it { is_expected.to contain_package("mod_proxy_html") } + it { is_expected.to contain_apache__mod('xml2enc').with(:loadfiles => nil) } end context "on a FreeBSD OS", :compile do let :facts do @@ -83,6 +104,25 @@ end it { is_expected.to contain_class("apache::params") } it { is_expected.to contain_apache__mod('proxy_html').with(:loadfiles => nil) } + it { is_expected.to contain_apache__mod('xml2enc').with(:loadfiles => nil) } it { is_expected.to contain_package("www/mod_proxy_html") } end + context "on a Gentoo OS", :compile do + let :facts do + { + :osfamily => 'Gentoo', + :operatingsystem => 'Gentoo', + :operatingsystemrelease => '3.16.1-gentoo', + :concat_basedir => '/dne', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin', + :is_pe => false, + } + end + it { is_expected.to contain_class("apache::params") } + it { is_expected.to contain_apache__mod('proxy_html').with(:loadfiles => nil) } + it { is_expected.to contain_apache__mod('xml2enc').with(:loadfiles => nil) } + it { is_expected.to contain_package("www-apache/mod_proxy_html") } + end end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/spec/classes/mod/proxy_wstunnel.rb Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,5 @@ +require 'spec_helper' + +describe 'apache::mod::proxy_wstunnel', :type => :class do + it_behaves_like "a mod class, without including apache" +end
--- a/modules/apache/spec/classes/mod/python_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/classes/mod/python_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -1,9 +1,8 @@ require 'spec_helper' describe 'apache::mod::python', :type => :class do - let :pre_condition do - 'include apache' - end + it_behaves_like "a mod class, without including apache" + context "on a Debian OS" do let :facts do { @@ -56,4 +55,21 @@ it { is_expected.to contain_apache__mod("python") } it { is_expected.to contain_package("www/mod_python3") } end + context "on a Gentoo OS" do + let :facts do + { + :osfamily => 'Gentoo', + :operatingsystem => 'Gentoo', + :operatingsystemrelease => '3.16.1-gentoo', + :concat_basedir => '/dne', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin', + :is_pe => false, + } + end + it { is_expected.to contain_class("apache::params") } + it { is_expected.to contain_apache__mod("python") } + it { is_expected.to contain_package("www-apache/mod_python") } + end end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/spec/classes/mod/remoteip_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,48 @@ +require 'spec_helper' + +describe 'apache::mod::remoteip', :type => :class do + context "on a Debian OS" do + let :facts do + { + :osfamily => 'Debian', + :operatingsystemrelease => '8', + :concat_basedir => '/dne', + :lsbdistcodename => 'jessie', + :operatingsystem => 'Debian', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + } + end + let :params do + { :apache_version => '2.4' } + end + it { is_expected.to contain_class("apache::params") } + it { is_expected.to contain_apache__mod('remoteip') } + it { is_expected.to contain_file('remoteip.conf').with({ + 'path' => '/etc/apache2/mods-available/remoteip.conf', + }) } + + describe "with header X-Forwarded-For" do + let :params do + { :header => 'X-Forwarded-For' } + end + it { is_expected.to contain_file('remoteip.conf').with_content(/^RemoteIPHeader X-Forwarded-For$/) } + end + describe "with proxy_ips => [ 10.42.17.8, 10.42.18.99 ]" do + let :params do + { :proxy_ips => [ '10.42.17.8', '10.42.18.99' ] } + end + it { is_expected.to contain_file('remoteip.conf').with_content(/^RemoteIPInternalProxy 10.42.17.8$/) } + it { is_expected.to contain_file('remoteip.conf').with_content(/^RemoteIPInternalProxy 10.42.18.99$/) } + end + describe "with Apache version < 2.4" do + let :params do + { :apache_version => '2.2' } + end + it 'should fail' do + expect { catalogue }.to raise_error(Puppet::Error, /mod_remoteip is only available in Apache 2.4/) + end + end + end +end
--- a/modules/apache/spec/classes/mod/reqtimeout_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/classes/mod/reqtimeout_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -1,11 +1,7 @@ require 'spec_helper' describe 'apache::mod::reqtimeout', :type => :class do - let :pre_condition do - 'class { "apache": - default_mods => false, - }' - end + it_behaves_like "a mod class, without including apache" context "on a Debian OS" do let :facts do { @@ -112,4 +108,39 @@ it { is_expected.to contain_file('reqtimeout.conf').with_content(/^RequestReadTimeout header=20-60,minrate=600$/) } end end + context "on a Gentoo OS" do + let :facts do + { + :osfamily => 'Gentoo', + :operatingsystem => 'Gentoo', + :operatingsystemrelease => '3.16.1-gentoo', + :concat_basedir => '/dne', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin', + :is_pe => false, + } + end + context "passing no parameters" do + it { is_expected.to contain_class("apache::params") } + it { is_expected.to contain_apache__mod('reqtimeout') } + it { is_expected.to contain_file('reqtimeout.conf').with_content(/^RequestReadTimeout header=20-40,minrate=500\nRequestReadTimeout body=10,minrate=500$/) } + end + context "passing timeouts => ['header=20-60,minrate=600', 'body=60,minrate=600']" do + let :params do + {:timeouts => ['header=20-60,minrate=600', 'body=60,minrate=600']} + end + it { is_expected.to contain_class("apache::params") } + it { is_expected.to contain_apache__mod('reqtimeout') } + it { is_expected.to contain_file('reqtimeout.conf').with_content(/^RequestReadTimeout header=20-60,minrate=600\nRequestReadTimeout body=60,minrate=600$/) } + end + context "passing timeouts => 'header=20-60,minrate=600'" do + let :params do + {:timeouts => 'header=20-60,minrate=600'} + end + it { is_expected.to contain_class("apache::params") } + it { is_expected.to contain_apache__mod('reqtimeout') } + it { is_expected.to contain_file('reqtimeout.conf').with_content(/^RequestReadTimeout header=20-60,minrate=600$/) } + end + end end
--- a/modules/apache/spec/classes/mod/rpaf_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/classes/mod/rpaf_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -1,11 +1,7 @@ require 'spec_helper' describe 'apache::mod::rpaf', :type => :class do - let :pre_condition do - [ - 'include apache', - ] - end + it_behaves_like "a mod class, without including apache" context "on a Debian OS" do let :facts do { @@ -87,4 +83,44 @@ it { is_expected.to contain_file('rpaf.conf').with_content(/^RPAFheader X-Real-IP$/) } end end + context "on a Gentoo OS" do + let :facts do + { + :osfamily => 'Gentoo', + :operatingsystem => 'Gentoo', + :operatingsystemrelease => '3.16.1-gentoo', + :concat_basedir => '/dne', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin', + :is_pe => false, + } + end + it { is_expected.to contain_class("apache::params") } + it { is_expected.to contain_apache__mod('rpaf') } + it { is_expected.to contain_package("www-apache/mod_rpaf") } + it { is_expected.to contain_file('rpaf.conf').with({ + 'path' => '/etc/apache2/modules.d/rpaf.conf', + }) } + it { is_expected.to contain_file('rpaf.conf').with_content(/^RPAFenable On$/) } + + describe "with sethostname => true" do + let :params do + { :sethostname => 'true' } + end + it { is_expected.to contain_file('rpaf.conf').with_content(/^RPAFsethostname On$/) } + end + describe "with proxy_ips => [ 10.42.17.8, 10.42.18.99 ]" do + let :params do + { :proxy_ips => [ '10.42.17.8', '10.42.18.99' ] } + end + it { is_expected.to contain_file('rpaf.conf').with_content(/^RPAFproxy_ips 10.42.17.8 10.42.18.99$/) } + end + describe "with header => X-Real-IP" do + let :params do + { :header => 'X-Real-IP' } + end + it { is_expected.to contain_file('rpaf.conf').with_content(/^RPAFheader X-Real-IP$/) } + end + end end
--- a/modules/apache/spec/classes/mod/security_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/classes/mod/security_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -1,10 +1,8 @@ + require 'spec_helper' describe 'apache::mod::security', :type => :class do - let :pre_condition do - 'include apache' - end - + it_behaves_like "a mod class, without including apache" context "on RedHat based systems" do let :facts do { @@ -28,13 +26,20 @@ ) } it { should contain_package('mod_security_crs') } it { should contain_file('security.conf').with( - :path => '/etc/httpd/conf.d/security.conf' + :path => '/etc/httpd/conf.modules.d/security.conf' ) } + it { should contain_file('security.conf') + .with_content(%r{^\s+SecAuditLogRelevantStatus "\^\(\?:5\|4\(\?!04\)\)"$}) + .with_content(%r{^\s+SecAuditLogParts ABIJDEFHZ$}) + .with_content(%r{^\s+SecDebugLog /var/log/httpd/modsec_debug.log$}) + .with_content(%r{^\s+SecAuditLog /var/log/httpd/modsec_audit.log$}) + } it { should contain_file('/etc/httpd/modsecurity.d').with( :ensure => 'directory', - :path => '/etc/httpd/modsecurity.d', - :owner => 'apache', - :group => 'apache' + :path => '/etc/httpd/modsecurity.d', + :owner => 'root', + :group => 'root', + :mode => '0755', ) } it { should contain_file('/etc/httpd/modsecurity.d/activated_rules').with( :ensure => 'directory', @@ -46,6 +51,30 @@ :path => '/etc/httpd/modsecurity.d/security_crs.conf' ) } it { should contain_apache__security__rule_link('base_rules/modsecurity_35_bad_robots.data') } + it { should contain_file('modsecurity_35_bad_robots.data').with( + :path => '/etc/httpd/modsecurity.d/activated_rules/modsecurity_35_bad_robots.data', + :target => '/usr/lib/modsecurity.d/base_rules/modsecurity_35_bad_robots.data', + ) } + + describe 'with parameters' do + let :params do + { + :activated_rules => [ + '/tmp/foo/bar.conf', + ], + :audit_log_relevant_status => "^(?:5|4(?!01|04))", + :audit_log_parts => "ABCDZ", + :secdefaultaction => "deny,status:406,nolog,auditlog", + } + end + it { should contain_file('security.conf').with_content %r{^\s+SecAuditLogRelevantStatus "\^\(\?:5\|4\(\?!01\|04\)\)"$} } + it { should contain_file('security.conf').with_content %r{^\s+SecAuditLogParts ABCDZ$} } + it { should contain_file('/etc/httpd/modsecurity.d/security_crs.conf').with_content %r{^\s*SecDefaultAction "phase:2,deny,status:406,nolog,auditlog"$} } + it { should contain_file('bar.conf').with( + :path => '/etc/httpd/modsecurity.d/activated_rules/bar.conf', + :target => '/tmp/foo/bar.conf', + ) } + end end context "on Debian based systems" do @@ -74,11 +103,18 @@ it { should contain_file('security.conf').with( :path => '/etc/apache2/mods-available/security.conf' ) } + it { should contain_file('security.conf') + .with_content(%r{^\s+SecAuditLogRelevantStatus "\^\(\?:5\|4\(\?!04\)\)"$}) + .with_content(%r{^\s+SecAuditLogParts ABIJDEFHZ$}) + .with_content(%r{^\s+SecDebugLog /var/log/apache2/modsec_debug.log$}) + .with_content(%r{^\s+SecAuditLog /var/log/apache2/modsec_audit.log$}) + } it { should contain_file('/etc/modsecurity').with( :ensure => 'directory', - :path => '/etc/modsecurity', - :owner => 'www-data', - :group => 'www-data' + :path => '/etc/modsecurity', + :owner => 'root', + :group => 'root', + :mode => '0755', ) } it { should contain_file('/etc/modsecurity/activated_rules').with( :ensure => 'directory', @@ -90,6 +126,30 @@ :path => '/etc/modsecurity/security_crs.conf' ) } it { should contain_apache__security__rule_link('base_rules/modsecurity_35_bad_robots.data') } + it { should contain_file('modsecurity_35_bad_robots.data').with( + :path => '/etc/modsecurity/activated_rules/modsecurity_35_bad_robots.data', + :target => '/usr/share/modsecurity-crs/base_rules/modsecurity_35_bad_robots.data', + ) } + + describe 'with parameters' do + let :params do + { + :activated_rules => [ + '/tmp/foo/bar.conf', + ], + :audit_log_relevant_status => "^(?:5|4(?!01|04))", + :audit_log_parts => "ABCDZ", + :secdefaultaction => "deny,status:406,nolog,auditlog", + } + end + it { should contain_file('security.conf').with_content %r{^\s+SecAuditLogRelevantStatus "\^\(\?:5\|4\(\?!01\|04\)\)"$} } + it { should contain_file('security.conf').with_content %r{^\s+SecAuditLogParts ABCDZ$} } + it { should contain_file('/etc/modsecurity/security_crs.conf').with_content %r{^\s*SecDefaultAction "phase:2,deny,status:406,nolog,auditlog"$} } + it { should contain_file('bar.conf').with( + :path => '/etc/modsecurity/activated_rules/bar.conf', + :target => '/tmp/foo/bar.conf', + ) } + end end end
--- a/modules/apache/spec/classes/mod/shib_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/classes/mod/shib_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -1,7 +1,7 @@ +require 'spec_helper' + describe 'apache::mod::shib', :type => :class do - let :pre_condition do - 'include apache' - end + it_behaves_like "a mod class, without including apache" context "on a Debian OS" do let :facts do {
--- a/modules/apache/spec/classes/mod/speling_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/classes/mod/speling_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -1,9 +1,7 @@ require 'spec_helper' describe 'apache::mod::speling', :type => :class do - let :pre_condition do - 'include apache' - end + it_behaves_like "a mod class, without including apache" context "on a Debian OS" do let :facts do {
--- a/modules/apache/spec/classes/mod/ssl_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/classes/mod/ssl_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -1,9 +1,7 @@ require 'spec_helper' describe 'apache::mod::ssl', :type => :class do - let :pre_condition do - 'include apache' - end + it_behaves_like "a mod class, without including apache" context 'on an unsupported OS' do let :facts do { @@ -17,7 +15,7 @@ :is_pe => false, } end - it { expect { subject }.to raise_error(Puppet::Error, /Unsupported osfamily:/) } + it { expect { catalogue }.to raise_error(Puppet::Error, /Unsupported osfamily:/) } end context 'on a RedHat OS' do @@ -83,6 +81,39 @@ it { is_expected.to contain_apache__mod('ssl') } end + context 'on a Gentoo OS' do + let :facts do + { + :osfamily => 'Gentoo', + :operatingsystem => 'Gentoo', + :operatingsystemrelease => '3.16.1-gentoo', + :concat_basedir => '/dne', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin', + :is_pe => false, + } + end + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_apache__mod('ssl') } + end + + context 'on a Suse OS' do + let :facts do + { + :osfamily => 'Suse', + :operatingsystem => 'SLES', + :operatingsystemrelease => '12', + :concat_basedir => '/dne', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin', + :is_pe => false, + } + end + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_apache__mod('ssl') } + end # Template config doesn't vary by distro context "on all distros" do let :facts do @@ -102,6 +133,72 @@ it { is_expected.to contain_file('ssl.conf').with_content(/^ SSLPassPhraseDialog builtin$/)} end + context "with Apache version < 2.4" do + let :params do + { + :apache_version => '2.2', + } + end + context 'ssl_compression with default value' do + it { is_expected.not_to contain_file('ssl.conf').with_content(/^ SSLCompression Off$/)} + end + + context 'setting ssl_compression to true' do + let :params do + { + :ssl_compression => true, + } + end + it { is_expected.not_to contain_file('ssl.conf').with_content(/^ SSLCompression On$/)} + end + context 'setting ssl_stapling to true' do + let :params do + { + :ssl_stapling => true, + } + end + it { is_expected.not_to contain_file('ssl.conf').with_content(/^ SSLUseStapling/)} + end + end + context "with Apache version >= 2.4" do + let :params do + { + :apache_version => '2.4', + } + end + context 'ssl_compression with default value' do + it { is_expected.not_to contain_file('ssl.conf').with_content(/^ SSLCompression Off$/)} + end + + context 'setting ssl_compression to true' do + let :params do + { + :apache_version => '2.4', + :ssl_compression => true, + } + end + it { is_expected.to contain_file('ssl.conf').with_content(/^ SSLCompression On$/)} + end + context 'setting ssl_stapling to true' do + let :params do + { + :apache_version => '2.4', + :ssl_stapling => true, + } + end + it { is_expected.to contain_file('ssl.conf').with_content(/^ SSLUseStapling On$/)} + end + context 'setting ssl_stapling_return_errors to true' do + let :params do + { + :apache_version => '2.4', + :ssl_stapling_return_errors => true, + } + end + it { is_expected.to contain_file('ssl.conf').with_content(/^ SSLStaplingReturnResponderErrors On$/)} + end + end + context 'setting ssl_pass_phrase_dialog' do let :params do { @@ -120,5 +217,22 @@ it { is_expected.to contain_file('ssl.conf').with_content(%r{^ SSLRandomSeed startup file:/dev/urandom 1024$})} end + context 'setting ssl_openssl_conf_cmd' do + let :params do + { + :ssl_openssl_conf_cmd => 'DHParameters "foo.pem"', + } + end + it { is_expected.to contain_file('ssl.conf').with_content(/^\s+SSLOpenSSLConfCmd DHParameters "foo.pem"$/)} + end + + context 'setting ssl_mutex' do + let :params do + { + :ssl_mutex => 'posixsem', + } + end + it { is_expected.to contain_file('ssl.conf').with_content(%r{^ SSLMutex posixsem$})} + end end end
--- a/modules/apache/spec/classes/mod/status_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/classes/mod/status_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -21,139 +21,63 @@ end describe 'apache::mod::status', :type => :class do - let :pre_condition do - 'include apache' - end - - context "on a Debian OS with default params" do - let :facts do - { - :osfamily => 'Debian', - :operatingsystemrelease => '6', - :concat_basedir => '/dne', - :lsbdistcodename => 'squeeze', - :operatingsystem => 'Debian', - :id => 'root', - :kernel => 'Linux', - :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - :is_pe => false, - } - end - - it { is_expected.to contain_apache__mod("status") } - - status_conf_spec(["127.0.0.1", "::1"], "On", "/server-status") + it_behaves_like "a mod class, without including apache" + + context "default configuration with parameters" do + context "on a Debian OS with default params" do + let :facts do + { + :osfamily => 'Debian', + :operatingsystemrelease => '6', + :concat_basedir => '/dne', + :lsbdistcodename => 'squeeze', + :operatingsystem => 'Debian', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :is_pe => false, + } + end - it { is_expected.to contain_file("status.conf").with({ - :ensure => 'file', - :path => '/etc/apache2/mods-available/status.conf', - } ) } + it { is_expected.to contain_apache__mod("status") } - it { is_expected.to contain_file("status.conf symlink").with({ - :ensure => 'link', - :path => '/etc/apache2/mods-enabled/status.conf', - } ) } - - end + status_conf_spec(["127.0.0.1", "::1"], "On", "/server-status") - context "on a RedHat OS with default params" do - let :facts do - { - :osfamily => 'RedHat', - :operatingsystemrelease => '6', - :concat_basedir => '/dne', - :operatingsystem => 'RedHat', - :id => 'root', - :kernel => 'Linux', - :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - :is_pe => false, - } + it { is_expected.to contain_file("status.conf").with({ + :ensure => 'file', + :path => '/etc/apache2/mods-available/status.conf', + } ) } + + it { is_expected.to contain_file("status.conf symlink").with({ + :ensure => 'link', + :path => '/etc/apache2/mods-enabled/status.conf', + } ) } + end - it { is_expected.to contain_apache__mod("status") } - - status_conf_spec(["127.0.0.1", "::1"], "On", "/server-status") - - it { is_expected.to contain_file("status.conf").with_path("/etc/httpd/conf.d/status.conf") } - - end + context "on a RedHat OS with default params" do + let :facts do + { + :osfamily => 'RedHat', + :operatingsystemrelease => '6', + :concat_basedir => '/dne', + :operatingsystem => 'RedHat', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :is_pe => false, + } + end - context "with custom parameters $allow_from => ['10.10.10.10','11.11.11.11'], $extended_status => 'Off', $status_path => '/custom-status'" do - let :facts do - { - :osfamily => 'Debian', - :operatingsystemrelease => '6', - :concat_basedir => '/dne', - :lsbdistcodename => 'squeeze', - :operatingsystem => 'Debian', - :id => 'root', - :kernel => 'Linux', - :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - :is_pe => false, - } - end - let :params do - { - :allow_from => ['10.10.10.10','11.11.11.11'], - :extended_status => 'Off', - :status_path => '/custom-status', - } + it { is_expected.to contain_apache__mod("status") } + + status_conf_spec(["127.0.0.1", "::1"], "On", "/server-status") + + it { is_expected.to contain_file("status.conf").with_path("/etc/httpd/conf.d/status.conf") } + end - status_conf_spec(["10.10.10.10", "11.11.11.11"], "Off", "/custom-status") - - end - - context "with valid parameter type $allow_from => ['10.10.10.10']" do - let :facts do - { - :osfamily => 'Debian', - :operatingsystemrelease => '6', - :concat_basedir => '/dne', - :lsbdistcodename => 'squeeze', - :operatingsystem => 'Debian', - :id => 'root', - :kernel => 'Linux', - :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - :is_pe => false, - } - end - let :params do - { :allow_from => ['10.10.10.10'] } - end - it 'should expect to succeed array validation' do - expect { - is_expected.to contain_file("status.conf") - }.not_to raise_error() - end - end - - context "with invalid parameter type $allow_from => '10.10.10.10'" do - let :facts do - { - :osfamily => 'Debian', - :operatingsystemrelease => '6', - :concat_basedir => '/dne', - :operatingsystem => 'Debian', - :id => 'root', - :kernel => 'Linux', - :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - :is_pe => false, - } - end - let :params do - { :allow_from => '10.10.10.10' } - end - it 'should expect to fail array validation' do - expect { - is_expected.to contain_file("status.conf") - }.to raise_error(Puppet::Error) - end - end - - # Only On or Off are valid options - ['On', 'Off'].each do |valid_param| - context "with valid value $extended_status => '#{valid_param}'" do + context "with custom parameters $allow_from => ['10.10.10.10','11.11.11.11'], $extended_status => 'Off', $status_path => '/custom-status'" do let :facts do { :osfamily => 'Debian', @@ -168,18 +92,42 @@ } end let :params do - { :extended_status => valid_param } + { + :allow_from => ['10.10.10.10','11.11.11.11'], + :extended_status => 'Off', + :status_path => '/custom-status', + } end - it 'should expect to succeed regular expression validation' do + + status_conf_spec(["10.10.10.10", "11.11.11.11"], "Off", "/custom-status") + + end + + context "with valid parameter type $allow_from => ['10.10.10.10']" do + let :facts do + { + :osfamily => 'Debian', + :operatingsystemrelease => '6', + :concat_basedir => '/dne', + :lsbdistcodename => 'squeeze', + :operatingsystem => 'Debian', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :is_pe => false, + } + end + let :params do + { :allow_from => ['10.10.10.10'] } + end + it 'should expect to succeed array validation' do expect { is_expected.to contain_file("status.conf") }.not_to raise_error() end end - end - ['Yes', 'No'].each do |invalid_param| - context "with invalid value $extended_status => '#{invalid_param}'" do + context "with invalid parameter type $allow_from => '10.10.10.10'" do let :facts do { :osfamily => 'Debian', @@ -193,14 +141,65 @@ } end let :params do - { :extended_status => invalid_param } + { :allow_from => '10.10.10.10' } end - it 'should expect to fail regular expression validation' do + it 'should expect to fail array validation' do expect { is_expected.to contain_file("status.conf") }.to raise_error(Puppet::Error) end end - end + # Only On or Off are valid options + ['On', 'Off'].each do |valid_param| + context "with valid value $extended_status => '#{valid_param}'" do + let :facts do + { + :osfamily => 'Debian', + :operatingsystemrelease => '6', + :concat_basedir => '/dne', + :lsbdistcodename => 'squeeze', + :operatingsystem => 'Debian', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :is_pe => false, + } + end + let :params do + { :extended_status => valid_param } + end + it 'should expect to succeed regular expression validation' do + expect { + is_expected.to contain_file("status.conf") + }.not_to raise_error() + end + end + end + + ['Yes', 'No'].each do |invalid_param| + context "with invalid value $extended_status => '#{invalid_param}'" do + let :facts do + { + :osfamily => 'Debian', + :operatingsystemrelease => '6', + :concat_basedir => '/dne', + :operatingsystem => 'Debian', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :is_pe => false, + } + end + let :params do + { :extended_status => invalid_param } + end + it 'should expect to fail regular expression validation' do + expect { + is_expected.to contain_file("status.conf") + }.to raise_error(Puppet::Error) + end + end + end + end end
--- a/modules/apache/spec/classes/mod/suphp_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/classes/mod/suphp_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -1,9 +1,7 @@ require 'spec_helper' describe 'apache::mod::suphp', :type => :class do - let :pre_condition do - 'include apache' - end + it_behaves_like "a mod class, without including apache" context "on a Debian OS" do let :facts do {
--- a/modules/apache/spec/classes/mod/worker_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/classes/mod/worker_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -114,6 +114,23 @@ it { is_expected.not_to contain_apache__mod('worker') } it { is_expected.to contain_file("/usr/local/etc/apache24/Modules/worker.conf").with_ensure('file') } end + context "on a Gentoo OS" do + let :facts do + { + :osfamily => 'Gentoo', + :operatingsystem => 'Gentoo', + :operatingsystemrelease => '3.16.1-gentoo', + :concat_basedir => '/dne', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin', + :is_pe => false, + } + end + it { is_expected.to contain_class("apache::params") } + it { is_expected.not_to contain_apache__mod('worker') } + it { is_expected.to contain_file("/etc/apache2/modules.d/worker.conf").with_ensure('file') } + end # Template config doesn't vary by distro context "on all distros" do @@ -140,6 +157,7 @@ it { should contain_file('/etc/httpd/conf.d/worker.conf').with(:content => /^\s+ThreadsPerChild\s+25$/) } it { should contain_file('/etc/httpd/conf.d/worker.conf').with(:content => /^\s+MaxRequestsPerChild\s+0$/) } it { should contain_file('/etc/httpd/conf.d/worker.conf').with(:content => /^\s+ThreadLimit\s+64$/) } + it { should contain_file("/etc/httpd/conf.d/worker.conf").with(:content => /^\s*ListenBacklog\s*511/) } end context 'setting params' do @@ -152,7 +170,8 @@ :maxsparethreads => 14, :threadsperchild => 15, :maxrequestsperchild => 16, - :threadlimit => 17 + :threadlimit => 17, + :listenbacklog => 8, } end it { should contain_file('/etc/httpd/conf.d/worker.conf').with(:content => /^<IfModule mpm_worker_module>$/) } @@ -164,6 +183,7 @@ it { should contain_file('/etc/httpd/conf.d/worker.conf').with(:content => /^\s+ThreadsPerChild\s+15$/) } it { should contain_file('/etc/httpd/conf.d/worker.conf').with(:content => /^\s+MaxRequestsPerChild\s+16$/) } it { should contain_file('/etc/httpd/conf.d/worker.conf').with(:content => /^\s+ThreadLimit\s+17$/) } + it { should contain_file("/etc/httpd/conf.d/worker.conf").with(:content => /^\s*ListenBacklog\s*8/) } end end end
--- a/modules/apache/spec/classes/mod/wsgi_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/classes/mod/wsgi_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -1,9 +1,7 @@ require 'spec_helper' describe 'apache::mod::wsgi', :type => :class do - let :pre_condition do - 'include apache' - end + it_behaves_like "a mod class, without including apache" context "on a Debian OS" do let :facts do { @@ -93,7 +91,7 @@ :mod_path => '/foo/bar/baz', } end - it { expect { subject }.to raise_error Puppet::Error, /apache::mod::wsgi - both package_name and mod_path must be specified!/ } + it { expect { catalogue }.to raise_error Puppet::Error, /apache::mod::wsgi - both package_name and mod_path must be specified!/ } end describe "with mod_path but no package_name" do let :params do @@ -101,7 +99,7 @@ :package_name => '/foo/bar/baz', } end - it { expect { subject }.to raise_error Puppet::Error, /apache::mod::wsgi - both package_name and mod_path must be specified!/ } + it { expect { catalogue }.to raise_error Puppet::Error, /apache::mod::wsgi - both package_name and mod_path must be specified!/ } end end context "on a FreeBSD OS" do @@ -124,4 +122,24 @@ } it { is_expected.to contain_package("www/mod_wsgi") } end + context "on a Gentoo OS" do + let :facts do + { + :osfamily => 'Gentoo', + :operatingsystem => 'Gentoo', + :operatingsystemrelease => '3.16.1-gentoo', + :concat_basedir => '/dne', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin', + :is_pe => false, + } + end + it { is_expected.to contain_class("apache::params") } + it { is_expected.to contain_class('apache::mod::wsgi').with( + 'wsgi_socket_prefix' => nil + ) + } + it { is_expected.to contain_package("www-apache/mod_wsgi") } + end end
--- a/modules/apache/spec/classes/params_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/classes/params_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -15,13 +15,8 @@ :is_pe => false, } end - it { is_expected.to contain_apache__params } - # There are 4 resources in this class currently - # there should not be any more resources because it is a params class - # The resources are class[apache::version], class[apache::params], class[main], class[settings], stage[main] - it "Should not contain any resources" do - expect(subject.resources.size).to eq(5) - end + it { is_expected.to compile.with_all_deps } + it { is_expected.to have_resource_count(0) } end end
--- a/modules/apache/spec/classes/service_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/classes/service_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -57,7 +57,7 @@ let (:params) {{ :service_enable => 'not-a-boolean' }} it 'should fail' do - expect { subject }.to raise_error(Puppet::Error, /is not a boolean/) + expect { catalogue }.to raise_error(Puppet::Error, /is not a boolean/) end end @@ -65,7 +65,7 @@ let (:params) {{ :service_manage => 'not-a-boolean' }} it 'should fail' do - expect { subject }.to raise_error(Puppet::Error, /is not a boolean/) + expect { catalogue }.to raise_error(Puppet::Error, /is not a boolean/) end end @@ -91,10 +91,22 @@ let (:params) {{ :service_ensure => 'UNDEF' }} it { is_expected.to contain_service("httpd").without_ensure } end + + context "with $service_restart unset" do + it { is_expected.to contain_service("httpd").without_restart } + end + + context "with $service_restart => '/usr/sbin/apachectl graceful'" do + let (:params) {{ :service_restart => '/usr/sbin/apachectl graceful' }} + it { is_expected.to contain_service("httpd").with( + 'restart' => '/usr/sbin/apachectl graceful' + ) + } + end end - context "on a RedHat 5 OS" do + context "on a RedHat 5 OS, do not manage service" do let :facts do { :osfamily => 'RedHat', @@ -107,12 +119,14 @@ :is_pe => false, } end - it { is_expected.to contain_service("httpd").with( - 'name' => 'httpd', - 'ensure' => 'running', - 'enable' => 'true' - ) - } + let(:params) do + { + 'service_ensure' => 'running', + 'service_name' => 'httpd', + 'service_manage' => false + } + end + it { is_expected.not_to contain_service('httpd') } end context "on a FreeBSD 5 OS" do @@ -136,29 +150,24 @@ } end - context "on a RedHat 5 OS, do not manage service" do + context "on a Gentoo OS" do let :facts do { - :osfamily => 'RedHat', - :operatingsystemrelease => '5', + :osfamily => 'Gentoo', + :operatingsystem => 'Gentoo', + :operatingsystemrelease => '3.16.1-gentoo', :concat_basedir => '/dne', - :operatingsystem => 'RedHat', :id => 'root', :kernel => 'Linux', - :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin', :is_pe => false, } end - let(:params) do - { - 'service_ensure' => 'running', - 'service_name' => 'httpd', - 'service_manage' => false - } - end - it 'should not manage the httpd service' do - subject.should_not contain_service('httpd') - end + it { is_expected.to contain_service("httpd").with( + 'name' => 'apache2', + 'ensure' => 'running', + 'enable' => 'true' + ) + } end - end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/spec/classes/vhosts_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,35 @@ +require 'spec_helper' + +describe 'apache::vhosts', :type => :class do + context 'on all OSes' do + let :facts do + { + :id => 'root', + :kernel => 'Linux', + :osfamily => 'RedHat', + :operatingsystem => 'RedHat', + :operatingsystemrelease => '6', + :concat_basedir => '/dne', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :is_pe => false, + } + end + context 'with custom vhosts parameter' do + let :params do { + :vhosts => { + 'custom_vhost_1' => { + 'docroot' => '/var/www/custom_vhost_1', + 'port' => '81', + }, + 'custom_vhost_2' => { + 'docroot' => '/var/www/custom_vhost_2', + 'port' => '82', + }, + }, + } + end + it { is_expected.to contain_apache__vhost('custom_vhost_1') } + it { is_expected.to contain_apache__vhost('custom_vhost_2') } + end + end +end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/spec/defines/balancer_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,72 @@ +require 'spec_helper' + +describe 'apache::balancer', :type => :define do + let :title do + 'myapp' + end + let :facts do + { + :osfamily => 'Debian', + :operatingsystem => 'Debian', + :operatingsystemrelease => '6', + :lsbdistcodename => 'squeeze', + :id => 'root', + :concat_basedir => '/dne', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :kernel => 'Linux', + :is_pe => false, + } + end + describe 'apache pre_condition with defaults' do + let :pre_condition do + 'include apache' + end + describe "accept a target parameter and use it" do + let :params do + { + :target => '/tmp/myapp.conf' + } + end + it { should contain_concat('apache_balancer_myapp').with({ + :path => "/tmp/myapp.conf", + })} + it { should_not contain_apache__mod('slotmem_shm') } + it { should_not contain_apache__mod('lbmethod_byrequests') } + end + context "on jessie" do + let(:facts) { super().merge({ + :operatingsystemrelease => '8', + :lsbdistcodename => 'jessie', + }) } + it { should contain_apache__mod('slotmem_shm') } + it { should contain_apache__mod('lbmethod_byrequests') } + end + end + describe 'apache pre_condition with conf_dir set' do + let :pre_condition do + 'class{"apache": + confd_dir => "/junk/path" + }' + end + it { should contain_concat('apache_balancer_myapp').with({ + :path => "/junk/path/balancer_myapp.conf", + })} + end + + describe 'with lbmethod and with apache::mod::proxy_balancer::apache_version set' do + let :pre_condition do + 'class{"apache::mod::proxy_balancer": + apache_version => "2.4" + }' + end + let :params do + { + :proxy_set => { + 'lbmethod' => 'bytraffic', + }, + } + end + it { should contain_apache__mod('slotmem_shm') } + it { should contain_apache__mod('lbmethod_bytraffic') } + end +end
--- a/modules/apache/spec/defines/balancermember_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/defines/balancermember_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -2,21 +2,7 @@ describe 'apache::balancermember', :type => :define do let :pre_condition do - 'include apache - apache::balancer {"balancer":} - apache::balancer {"balancer-external":} - apache::balancermember {"http://127.0.0.1:8080-external": url => "http://127.0.0.1:8080/", balancer_cluster => "balancer-external"} - ' - end - let :title do - 'http://127.0.0.1:8080/' - end - let :params do - { - :options => [], - :url => 'http://127.0.0.1:8080/', - :balancer_cluster => 'balancer-internal' - } + 'include apache' end let :facts do { @@ -32,6 +18,44 @@ } end describe "allows multiple balancermembers with the same url" do + let :pre_condition do + 'include apache + apache::balancer {"balancer":} + apache::balancer {"balancer-external":} + apache::balancermember {"http://127.0.0.1:8080-external": url => "http://127.0.0.1:8080/", balancer_cluster => "balancer-external"} + ' + end + let :title do + 'http://127.0.0.1:8080/' + end + let :params do + { + :options => [], + :url => 'http://127.0.0.1:8080/', + :balancer_cluster => 'balancer-internal' + } + end it { should contain_concat__fragment('BalancerMember http://127.0.0.1:8080/') } end + describe "allows balancermember with a different target" do + let :pre_condition do + 'include apache + apache::balancer {"balancername": target => "/etc/apache/balancer.conf"} + apache::balancermember {"http://127.0.0.1:8080-external": url => "http://127.0.0.1:8080/", balancer_cluster => "balancername"} + ' + end + let :title do + 'http://127.0.0.1:8080/' + end + let :params do + { + :options => [], + :url => 'http://127.0.0.1:8080/', + :balancer_cluster => 'balancername' + } + end + it { should contain_concat__fragment('BalancerMember http://127.0.0.1:8080/').with({ + :target => "apache_balancer_balancername", + })} + end end
--- a/modules/apache/spec/defines/custom_config_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/defines/custom_config_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -26,11 +26,11 @@ 'content' => '# Test', } end - it { is_expected.to contain_exec("service notify for rspec").with({ + it { is_expected.to contain_exec("syntax verification for rspec").with({ 'refreshonly' => 'true', 'subscribe' => 'File[apache_rspec]', 'command' => '/usr/sbin/apachectl -t', - 'notify' => 'Service[httpd]', + 'notify' => 'Class[Apache::Service]', 'before' => 'Exec[remove rspec if invalid]', }) } @@ -56,7 +56,7 @@ 'verify_command' => '/bin/true', } end - it { is_expected.to contain_exec("service notify for rspec").with({ + it { is_expected.to contain_exec("syntax verification for rspec").with({ 'command' => '/bin/true', }) } @@ -80,10 +80,10 @@ 'verify_config' => false, } end - it { is_expected.to_not contain_exec('service notify for rspec') } + it { is_expected.to_not contain_exec('syntax verification for rspec') } it { is_expected.to_not contain_exec('remove rspec if invalid') } it { is_expected.to contain_file('apache_rspec').with({ - 'notify' => 'Service[httpd]' + 'notify' => 'Class[Apache::Service]' }) } end @@ -93,7 +93,7 @@ 'ensure' => 'absent' } end - it { is_expected.to_not contain_exec('service notify for rspec') } + it { is_expected.to_not contain_exec('syntax verification for rspec') } it { is_expected.to_not contain_exec('remove rspec if invalid') } it { is_expected.to contain_file('apache_rspec').with({ 'ensure' => 'absent', @@ -110,14 +110,14 @@ end it do expect { - should compile + catalogue }.to raise_error(Puppet::Error, /Only one of \$content and \$source can be specified\./) end end context 'neither content nor source' do it do expect { - should compile + catalogue }.to raise_error(Puppet::Error, /One of \$content and \$source must be specified\./) end end @@ -130,7 +130,7 @@ end it do expect { - should compile + catalogue }.to raise_error(Puppet::Error, /is not supported for ensure/) end end
--- a/modules/apache/spec/defines/fastcgi_server_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/defines/fastcgi_server_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -72,6 +72,27 @@ :path => "/usr/local/etc/apache24/Includes/fastcgi-pool-#{title}.conf" ) } end + context "on Gentoo systems" do + let :default_facts do + { + :osfamily => 'Gentoo', + :operatingsystem => 'Gentoo', + :operatingsystemrelease => '3.16.1-gentoo', + :concat_basedir => '/dne', + :kernel => 'Linux', + :id => 'root', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin', + :is_pe => false, + } + end + let :facts do default_facts end + it { should contain_class("apache") } + it { should contain_class("apache::mod::fastcgi") } + it { should contain_file("fastcgi-pool-#{title}.conf").with( + :ensure => 'present', + :path => "/etc/apache2/conf.d/fastcgi-pool-#{title}.conf" + ) } + end end describe 'os-independent items' do let :facts do @@ -87,7 +108,7 @@ :is_pe => false, } end - describe ".conf content" do + describe ".conf content using TCP communication" do let :params do { :host => '127.0.0.1:9001', @@ -95,11 +116,33 @@ :flush => true, :faux_path => '/var/www/php-www.fcgi', :fcgi_alias => '/php-www.fcgi', + :file_type => 'application/x-httpd-php', + :pass_header => 'Authorization' + } + end + let :expected do +'FastCGIExternalServer /var/www/php-www.fcgi -idle-timeout 30 -flush -host 127.0.0.1:9001 -pass-header Authorization +Alias /php-www.fcgi /var/www/php-www.fcgi +Action application/x-httpd-php /php-www.fcgi +' + end + it do + should contain_file("fastcgi-pool-www.conf").with_content(expected) + end + end + describe ".conf content using socket communication" do + let :params do + { + :host => '/var/run/fcgi.sock', + :timeout => 30, + :flush => true, + :faux_path => '/var/www/php-www.fcgi', + :fcgi_alias => '/php-www.fcgi', :file_type => 'application/x-httpd-php' } end let :expected do -'FastCGIExternalServer /var/www/php-www.fcgi -idle-timeout 30 -flush -host 127.0.0.1:9001 +'FastCGIExternalServer /var/www/php-www.fcgi -idle-timeout 30 -flush -socket /var/run/fcgi.sock Alias /php-www.fcgi /var/www/php-www.fcgi Action application/x-httpd-php /php-www.fcgi ' @@ -108,5 +151,6 @@ should contain_file("fastcgi-pool-www.conf").with_content(expected) end end + end end
--- a/modules/apache/spec/defines/mod_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/defines/mod_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -34,6 +34,20 @@ end end + describe "with file_mode set" do + let :pre_condition do + "class {'::apache': file_mode => '0640'}" + end + let :title do + 'spec_m' + end + it "should manage the module load file" do + is_expected.to contain_file('spec_m.load').with({ + :mode => '0640', + } ) + end + end + describe "with shibboleth module and package param passed" do # name/title for the apache::mod define let :title do @@ -118,4 +132,35 @@ end end end + + context "on a Gentoo osfamily" do + let :facts do + { + :osfamily => 'Gentoo', + :operatingsystem => 'Gentoo', + :operatingsystemrelease => '3.16.1-gentoo', + :concat_basedir => '/dne', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin', + :is_pe => false, + } + end + + describe "for non-special modules" do + let :title do + 'spec_m' + end + it { is_expected.to contain_class("apache::params") } + it "should manage the module load file" do + is_expected.to contain_file('spec_m.load').with({ + :path => '/etc/apache2/modules.d/spec_m.load', + :content => "LoadModule spec_m_module /usr/lib/apache2/modules/mod_spec_m.so\n", + :owner => 'root', + :group => 'wheel', + :mode => '0644', + } ) + end + end + end end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/spec/defines/vhost_custom_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,99 @@ +require 'spec_helper' + +describe 'apache::vhost::custom', :type => :define do + let :title do + 'rspec.example.com' + end + let :default_params do + { + :content => 'foobar' + } + end + describe 'os-dependent items' do + context "on RedHat based systems" do + let :default_facts do + { + :osfamily => 'RedHat', + :operatingsystemrelease => '6', + :operatingsystem => 'RedHat', + :concat_basedir => '/dne', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :is_pe => false, + } + end + let :params do default_params end + let :facts do default_facts end + end + context "on Debian based systems" do + let :default_facts do + { + :osfamily => 'Debian', + :operatingsystemrelease => '6', + :lsbdistcodename => 'squeeze', + :operatingsystem => 'Debian', + :concat_basedir => '/dne', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :is_pe => false, + } + end + let :params do default_params end + let :facts do default_facts end + it { is_expected.to contain_file("apache_rspec.example.com").with( + :ensure => 'present', + :content => 'foobar', + :path => '/etc/apache2/sites-available/25-rspec.example.com.conf', + ) } + it { is_expected.to contain_file("25-rspec.example.com.conf symlink").with( + :ensure => 'link', + :path => '/etc/apache2/sites-enabled/25-rspec.example.com.conf', + :target => '/etc/apache2/sites-available/25-rspec.example.com.conf' + ) } + end + context "on FreeBSD systems" do + let :default_facts do + { + :osfamily => 'FreeBSD', + :operatingsystemrelease => '9', + :operatingsystem => 'FreeBSD', + :concat_basedir => '/dne', + :id => 'root', + :kernel => 'FreeBSD', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :is_pe => false, + } + end + let :params do default_params end + let :facts do default_facts end + it { is_expected.to contain_file("apache_rspec.example.com").with( + :ensure => 'present', + :content => 'foobar', + :path => '/usr/local/etc/apache24/Vhosts/25-rspec.example.com.conf', + ) } + end + context "on Gentoo systems" do + let :default_facts do + { + :osfamily => 'Gentoo', + :operatingsystem => 'Gentoo', + :operatingsystemrelease => '3.16.1-gentoo', + :concat_basedir => '/dne', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin', + :is_pe => false, + } + end + let :params do default_params end + let :facts do default_facts end + it { is_expected.to contain_file("apache_rspec.example.com").with( + :ensure => 'present', + :content => 'foobar', + :path => '/etc/apache2/vhosts.d/25-rspec.example.com.conf', + ) } + end + end +end
--- a/modules/apache/spec/defines/vhost_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/defines/vhost_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -50,7 +50,7 @@ let :facts do default_facts end it { is_expected.to contain_class("apache") } it { is_expected.to contain_class("apache::params") } - it { is_expected.to contain_file("25-rspec.example.com.conf").with( + it { is_expected.to contain_concat("25-rspec.example.com.conf").with( :ensure => 'present', :path => '/etc/apache2/sites-available/25-rspec.example.com.conf' ) } @@ -77,11 +77,33 @@ let :facts do default_facts end it { is_expected.to contain_class("apache") } it { is_expected.to contain_class("apache::params") } - it { is_expected.to contain_file("25-rspec.example.com.conf").with( + it { is_expected.to contain_concat("25-rspec.example.com.conf").with( :ensure => 'present', :path => '/usr/local/etc/apache24/Vhosts/25-rspec.example.com.conf' ) } end + context "on Gentoo systems" do + let :default_facts do + { + :osfamily => 'Gentoo', + :operatingsystem => 'Gentoo', + :operatingsystemrelease => '3.16.1-gentoo', + :concat_basedir => '/dne', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin', + :is_pe => false, + } + end + let :params do default_params end + let :facts do default_facts end + it { is_expected.to contain_class("apache") } + it { is_expected.to contain_class("apache::params") } + it { is_expected.to contain_concat("25-rspec.example.com.conf").with( + :ensure => 'present', + :path => '/etc/apache2/vhosts.d/25-rspec.example.com.conf' + ) } + end end describe 'os-independent items' do let :facts do @@ -131,7 +153,14 @@ 'ssl_verify_client' => 'optional', 'ssl_verify_depth' => '3', 'ssl_options' => '+ExportCertData', + 'ssl_openssl_conf_cmd' => 'DHParameters "foo.pem"', + 'ssl_proxy_verify' => 'require', + 'ssl_proxy_check_peer_cn' => 'on', + 'ssl_proxy_check_peer_name' => 'on', + 'ssl_proxy_check_peer_expire' => 'on', 'ssl_proxyengine' => true, + 'ssl_proxy_protocol' => 'TLSv1.2', + 'priority' => '30', 'default_vhost' => true, 'servername' => 'example.com', @@ -143,22 +172,87 @@ 'logroot' => '/var/www/logs', 'logroot_ensure' => 'directory', 'logroot_mode' => '0600', + 'logroot_owner' => 'root', + 'logroot_group' => 'root', 'log_level' => 'crit', 'access_log' => false, 'access_log_file' => 'httpd_access_log', - 'access_log_pipe' => '', 'access_log_syslog' => true, 'access_log_format' => '%h %l %u %t \"%r\" %>s %b', 'access_log_env_var' => '', 'aliases' => '/image', - 'directories' => { - 'path' => '/var/www/files', - 'provider' => 'files', - 'deny' => 'from all' - }, + 'directories' => [ + { + 'path' => '/var/www/files', + 'provider' => 'files', + 'require' => [ 'valid-user', 'all denied', ], + }, + { + 'path' => '/var/www/files', + 'provider' => 'files', + 'additional_includes' => [ '/custom/path/includes', '/custom/path/another_includes', ], + }, + { + 'path' => '/var/www/files', + 'provider' => 'files', + 'require' => 'all granted', + }, + { + 'path' => '/var/www/files', + 'provider' => 'files', + 'require' => + { + 'enforce' => 'all', + 'requires' => ['all-valid1', 'all-valid2'], + }, + }, + { + 'path' => '/var/www/files', + 'provider' => 'files', + 'require' => + { + 'enforce' => 'none', + 'requires' => ['none-valid1', 'none-valid2'], + }, + }, + { + 'path' => '/var/www/files', + 'provider' => 'files', + 'require' => + { + 'enforce' => 'any', + 'requires' => ['any-valid1', 'any-valid2'], + }, + }, + { + 'path' => '*', + 'provider' => 'proxy', + }, + { 'path' => '/var/www/files/indexed_directory', + 'directoryindex' => 'disabled', + 'options' => ['Indexes','FollowSymLinks','MultiViews'], + 'index_options' => ['FancyIndexing'], + 'index_style_sheet' => '/styles/style.css', + }, + { 'path' => '/var/www/files/output_filtered', + 'set_output_filter' => 'output_filter', + }, + { 'path' => '/var/www/files', + 'provider' => 'location', + 'limit' => [ + { 'methods' => 'GET HEAD', + 'require' => ['valid-user'] + }, + ], + }, + { 'path' => '/var/www/dav', + 'dav' => 'filesystem', + 'dav_depth_infinity' => true, + 'dav_min_timeout' => '600', + }, + ], 'error_log' => false, 'error_log_file' => 'httpd_error_log', - 'error_log_pipe' => '', 'error_log_syslog' => true, 'error_documents' => 'true', 'fallbackresource' => '/index.php', @@ -176,13 +270,40 @@ 'proxy_dest' => '/', 'proxy_pass' => [ { + 'path' => '/a', + 'url' => 'http://backend-a/', + 'keywords' => ['noquery', 'interpolate'], + 'no_proxy_uris' => ['/a/foo', '/a/bar'], + 'no_proxy_uris_match' => ['/a/foomatch'], + 'reverse_cookies' => [ + { + 'path' => '/a', + 'url' => 'http://backend-a/', + }, + { + 'domain' => 'foo', + 'url' => 'http://foo', + } + ], + 'params' => { + 'retry' => '0', + 'timeout' => '5' + }, + 'setenv' => ['proxy-nokeepalive 1','force-proxy-request-1.0 1'], + } + ], + 'proxy_pass_match' => [ + { 'path' => '/a', 'url' => 'http://backend-a/', 'keywords' => ['noquery', 'interpolate'], + 'no_proxy_uris' => ['/a/foo', '/a/bar'], + 'no_proxy_uris_match' => ['/a/foomatch'], 'params' => { 'retry' => '0', 'timeout' => '5' - } + }, + 'setenv' => ['proxy-nokeepalive 1','force-proxy-request-1.0 1'], } ], 'suphp_addhandler' => 'foo', @@ -191,7 +312,10 @@ 'php_admin_flags' => ['foo', 'bar'], 'php_admin_values' => ['true', 'false'], 'no_proxy_uris' => '/foo', + 'no_proxy_uris_match' => '/foomatch', 'proxy_preserve_host' => true, + 'proxy_add_headers' => true, + 'proxy_error_override' => true, 'redirect_source' => '/bar', 'redirect_dest' => '/', 'redirect_status' => 'temp', @@ -199,6 +323,7 @@ 'redirectmatch_regexp' => ['\.git$'], 'redirectmatch_dest' => ['http://www.example.com'], 'rack_base_uris' => ['/rackapp1'], + 'passenger_base_uris' => ['/passengerapp1'], 'headers' => 'Set X-Robots-Tag "noindex, noarchive, nosnippet"', 'request_headers' => ['append MirrorID "mirror 12"'], 'rewrites' => [ @@ -206,11 +331,22 @@ 'rewrite_rule' => ['^index\.html$ welcome.html'] } ], + 'filters' => [ + 'FilterDeclare COMPRESS', + 'FilterProvider COMPRESS DEFLATE resp=Content-Type $text/html', + 'FilterProvider COMPRESS DEFLATE resp=Content-Type $text/css', + 'FilterProvider COMPRESS DEFLATE resp=Content-Type $text/plain', + 'FilterProvider COMPRESS DEFLATE resp=Content-Type $text/xml', + 'FilterChain COMPRESS', + 'FilterProtocol COMPRESS DEFLATE change=yes;byteranges=no', + ], 'rewrite_base' => '/', 'rewrite_rule' => '^index\.html$ welcome.html', 'rewrite_cond' => '%{HTTP_USER_AGENT} ^MSIE', + 'rewrite_inherit' => true, 'setenv' => ['FOO=/bin/true'], 'setenvif' => 'Request_URI "\.gif$" object_is_image=gif', + 'setenvifnocase' => 'REMOTE_ADDR ^127.0.0.1 localhost=true', 'block' => 'scm', 'wsgi_application_group' => '%{GLOBAL}', 'wsgi_daemon_process' => 'wsgi', @@ -228,6 +364,9 @@ 'wsgi_script_aliases' => { '/' => '/var/www/demo.wsgi' }, + 'wsgi_script_aliases_match' => { + '^/test/(^[/*)' => '/var/www/demo.wsgi' + }, 'wsgi_pass_authorization' => 'On', 'custom_fragment' => '#custom string', 'itk' => { @@ -239,22 +378,44 @@ 'fastcgi_server' => 'localhost', 'fastcgi_socket' => '/tmp/fastcgi.socket', 'fastcgi_dir' => '/tmp', + 'fastcgi_idle_timeout' => '120', 'additional_includes' => '/custom/path/includes', 'apache_version' => '2.4', + 'use_optional_includes' => true, 'suexec_user_group' => 'root root', 'allow_encoded_slashes' => 'nodecode', 'passenger_app_root' => '/usr/share/myapp', + 'passenger_app_env' => 'test', 'passenger_ruby' => '/usr/bin/ruby1.9.1', 'passenger_min_instances' => '1', 'passenger_start_timeout' => '600', 'passenger_pre_start' => 'http://localhost/myapp', + 'passenger_high_performance' => true, + 'passenger_user' => 'sandbox', + 'passenger_nodejs' => '/usr/bin/node', + 'passenger_sticky_sessions' => true, + 'passenger_startup_file' => 'bin/www', 'add_default_charset' => 'UTF-8', + 'jk_mounts' => [ + { 'mount' => '/*', 'worker' => 'tcnode1', }, + { 'unmount' => '/*.jpg', 'worker' => 'tcnode1', }, + ], + 'auth_kerb' => true, + 'krb_method_negotiate' => 'off', + 'krb_method_k5passwd' => 'off', + 'krb_authoritative' => 'off', + 'krb_auth_realms' => ['EXAMPLE.ORG','EXAMPLE.NET'], + 'krb_5keytab' => '/tmp/keytab5', + 'krb_local_user_mapping' => 'off', + 'keepalive' => 'on', + 'keepalive_timeout' => '100', + 'max_keepalive_requests' => '1000', } end let :facts do { :osfamily => 'RedHat', - :operatingsystemrelease => '6', + :operatingsystemrelease => '7', :concat_basedir => '/dne', :operatingsystem => 'RedHat', :id => 'root', @@ -268,6 +429,12 @@ it { is_expected.to compile } it { is_expected.to_not contain_file('/var/www/foo') } it { is_expected.to contain_class('apache::mod::ssl') } + it { is_expected.to contain_file('ssl.conf').with( + :content => /^\s+SSLHonorCipherOrder On$/ ) } + it { is_expected.to contain_file('ssl.conf').with( + :content => /^\s+SSLPassPhraseDialog builtin$/ ) } + it { is_expected.to contain_file('ssl.conf').with( + :content => /^\s+SSLSessionCacheTimeout 300$/ ) } it { is_expected.to contain_class('apache::mod::mime') } it { is_expected.to contain_class('apache::mod::vhost_alias') } it { is_expected.to contain_class('apache::mod::wsgi') } @@ -286,6 +453,8 @@ it { is_expected.to contain_class('apache::mod::passenger') } it { is_expected.to contain_class('apache::mod::fastcgi') } it { is_expected.to contain_class('apache::mod::headers') } + it { is_expected.to contain_class('apache::mod::filter') } + it { is_expected.to contain_class('apache::mod::env') } it { is_expected.to contain_class('apache::mod::setenvif') } it { is_expected.to contain_concat('30-rspec.example.com.conf').with({ 'owner' => 'root', @@ -305,6 +474,62 @@ it { is_expected.to contain_concat__fragment('rspec.example.com-itk') } it { is_expected.to contain_concat__fragment('rspec.example.com-fallbackresource') } it { is_expected.to contain_concat__fragment('rspec.example.com-directories') } + it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + :content => /^\s+<Proxy "\*">$/ ) } + it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + :content => /^\s+Include\s'\/custom\/path\/includes'$/ ) } + it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + :content => /^\s+Include\s'\/custom\/path\/another_includes'$/ ) } + it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + :content => /^\s+Require valid-user$/ ) } + it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + :content => /^\s+Require all denied$/ ) } + it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + :content => /^\s+Require all granted$/ ) } + it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + :content => /^\s+<RequireAll>$/ ) } + it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + :content => /^\s+<\/RequireAll>$/ ) } + it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + :content => /^\s+Require all-valid1$/ ) } + it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + :content => /^\s+Require all-valid2$/ ) } + it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + :content => /^\s+<RequireNone>$/ ) } + it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + :content => /^\s+<\/RequireNone>$/ ) } + it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + :content => /^\s+Require none-valid1$/ ) } + it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + :content => /^\s+Require none-valid2$/ ) } + it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + :content => /^\s+<RequireAny>$/ ) } + it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + :content => /^\s+<\/RequireAny>$/ ) } + it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + :content => /^\s+Require any-valid1$/ ) } + it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + :content => /^\s+Require any-valid2$/ ) } + it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + :content => /^\s+Options\sIndexes\sFollowSymLinks\sMultiViews$/ ) } + it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + :content => /^\s+IndexOptions\sFancyIndexing$/ ) } + it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + :content => /^\s+IndexStyleSheet\s'\/styles\/style\.css'$/ ) } + it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + :content => /^\s+DirectoryIndex\sdisabled$/ ) } + it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + :content => /^\s+SetOutputFilter\soutput_filter$/ ) } + it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + :content => /^\s+<Limit GET HEAD>$/ ) } + it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + :content => /\s+<Limit GET HEAD>\s*Require valid-user\s*<\/Limit>/m ) } + it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + :content => /^\s+Dav\sfilesystem$/ ) } + it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + :content => /^\s+DavDepthInfinity\sOn$/ ) } + it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + :content => /^\s+DavMinTimeout\s600$/ ) } it { is_expected.to contain_concat__fragment('rspec.example.com-additional_includes') } it { is_expected.to contain_concat__fragment('rspec.example.com-logging') } it { is_expected.to contain_concat__fragment('rspec.example.com-serversignature') } @@ -317,17 +542,51 @@ it { is_expected.to contain_concat__fragment('rspec.example.com-proxy').with_content( /timeout=5/) } it { is_expected.to contain_concat__fragment('rspec.example.com-proxy').with_content( + /SetEnv force-proxy-request-1.0 1/) } + it { is_expected.to contain_concat__fragment('rspec.example.com-proxy').with_content( + /SetEnv proxy-nokeepalive 1/) } + it { is_expected.to contain_concat__fragment('rspec.example.com-proxy').with_content( /noquery interpolate/) } + it { is_expected.to contain_concat__fragment('rspec.example.com-proxy').with_content( + /ProxyPreserveHost On/) } + it { is_expected.to contain_concat__fragment('rspec.example.com-proxy').with_content( + /ProxyAddHeaders On/) } + it { is_expected.to contain_concat__fragment('rspec.example.com-proxy').with_content( + /ProxyPassReverseCookiePath\s+\/a\s+http:\/\//) } + it { is_expected.to contain_concat__fragment('rspec.example.com-proxy').with_content( + /ProxyPassReverseCookieDomain\s+foo\s+http:\/\/foo/) } it { is_expected.to contain_concat__fragment('rspec.example.com-rack') } it { is_expected.to contain_concat__fragment('rspec.example.com-redirect') } it { is_expected.to contain_concat__fragment('rspec.example.com-rewrite') } + it { is_expected.to contain_concat__fragment('rspec.example.com-rewrite').with( + :content => /^\s+RewriteOptions Inherit$/ ) } it { is_expected.to contain_concat__fragment('rspec.example.com-scriptalias') } it { is_expected.to contain_concat__fragment('rspec.example.com-serveralias') } - it { is_expected.to contain_concat__fragment('rspec.example.com-setenv') } + it { is_expected.to contain_concat__fragment('rspec.example.com-setenv').with_content( + %r{SetEnv FOO=/bin/true}) } + it { is_expected.to contain_concat__fragment('rspec.example.com-setenv').with_content( + %r{SetEnvIf Request_URI "\\.gif\$" object_is_image=gif}) } + it { is_expected.to contain_concat__fragment('rspec.example.com-setenv').with_content( + %r{SetEnvIfNoCase REMOTE_ADDR \^127.0.0.1 localhost=true}) } it { is_expected.to contain_concat__fragment('rspec.example.com-ssl') } + it { is_expected.to contain_concat__fragment('rspec.example.com-ssl').with( + :content => /^\s+SSLOpenSSLConfCmd\s+DHParameters "foo.pem"$/ ) } + it { is_expected.to contain_concat__fragment('rspec.example.com-sslproxy') } + it { is_expected.to contain_concat__fragment('rspec.example.com-sslproxy').with( + :content => /^\s+SSLProxyEngine On$/ ) } + it { is_expected.to contain_concat__fragment('rspec.example.com-sslproxy').with( + :content => /^\s+SSLProxyCheckPeerCN\s+on$/ ) } + it { is_expected.to contain_concat__fragment('rspec.example.com-sslproxy').with( + :content => /^\s+SSLProxyCheckPeerName\s+on$/ ) } + it { is_expected.to contain_concat__fragment('rspec.example.com-sslproxy').with( + :content => /^\s+SSLProxyCheckPeerExpire\s+on$/ ) } + it { is_expected.to contain_concat__fragment('rspec.example.com-sslproxy').with( + :content => /^\s+SSLProxyProtocol\s+TLSv1.2$/ ) } it { is_expected.to contain_concat__fragment('rspec.example.com-suphp') } it { is_expected.to contain_concat__fragment('rspec.example.com-php_admin') } it { is_expected.to contain_concat__fragment('rspec.example.com-header') } + it { is_expected.to contain_concat__fragment('rspec.example.com-filters').with( + :content => /^\s+FilterDeclare COMPRESS$/ ) } it { is_expected.to contain_concat__fragment('rspec.example.com-requestheader') } it { is_expected.to contain_concat__fragment('rspec.example.com-wsgi') } it { is_expected.to contain_concat__fragment('rspec.example.com-custom_fragment') } @@ -336,7 +595,196 @@ it { is_expected.to contain_concat__fragment('rspec.example.com-allow_encoded_slashes') } it { is_expected.to contain_concat__fragment('rspec.example.com-passenger') } it { is_expected.to contain_concat__fragment('rspec.example.com-charsets') } + it { is_expected.to_not contain_concat__fragment('rspec.example.com-security') } it { is_expected.to contain_concat__fragment('rspec.example.com-file_footer') } + it { is_expected.to contain_concat__fragment('rspec.example.com-jk_mounts').with( + :content => /^\s+JkMount\s+\/\*\s+tcnode1$/)} + it { is_expected.to contain_concat__fragment('rspec.example.com-jk_mounts').with( + :content => /^\s+JkUnMount\s+\/\*\.jpg\s+tcnode1$/)} + it { is_expected.to contain_concat__fragment('rspec.example.com-auth_kerb').with( + :content => /^\s+KrbMethodNegotiate\soff$/)} + it { is_expected.to contain_concat__fragment('rspec.example.com-auth_kerb').with( + :content => /^\s+KrbAuthoritative\soff$/)} + it { is_expected.to contain_concat__fragment('rspec.example.com-auth_kerb').with( + :content => /^\s+KrbAuthRealms\sEXAMPLE.ORG\sEXAMPLE.NET$/)} + it { is_expected.to contain_concat__fragment('rspec.example.com-auth_kerb').with( + :content => /^\s+Krb5Keytab\s\/tmp\/keytab5$/)} + it { is_expected.to contain_concat__fragment('rspec.example.com-auth_kerb').with( + :content => /^\s+KrbLocalUserMapping\soff$/)} + it { is_expected.to contain_concat__fragment('rspec.example.com-auth_kerb').with( + :content => /^\s+KrbServiceName\sHTTP$/)} + it { is_expected.to contain_concat__fragment('rspec.example.com-auth_kerb').with( + :content => /^\s+KrbSaveCredentials\soff$/)} + it { is_expected.to contain_concat__fragment('rspec.example.com-auth_kerb').with( + :content => /^\s+KrbVerifyKDC\son$/)} + it { is_expected.to contain_concat__fragment('rspec.example.com-keepalive_options').with( + :content => /^\s+KeepAlive\son$/)} + it { is_expected.to contain_concat__fragment('rspec.example.com-keepalive_options').with( + :content => /^\s+KeepAliveTimeout\s100$/)} + it { is_expected.to contain_concat__fragment('rspec.example.com-keepalive_options').with( + :content => /^\s+MaxKeepAliveRequests\s1000$/)} + end + context 'vhost with multiple ip addresses' do + let :params do + { + 'port' => '80', + 'ip' => ['127.0.0.1','::1'], + 'ip_based' => true, + 'servername' => 'example.com', + 'docroot' => '/var/www/html', + 'add_listen' => true, + 'ensure' => 'present' + } + end + let :facts do + { + :osfamily => 'RedHat', + :operatingsystemrelease => '7', + :concat_basedir => '/dne', + :operatingsystem => 'RedHat', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :kernelversion => '3.6.2', + :is_pe => false, + } + end + + it { is_expected.to compile } + it { is_expected.to contain_concat__fragment('rspec.example.com-apache-header').with( + :content => /[.\/m]*<VirtualHost 127.0.0.1:80 \[::1\]:80>[.\/m]*$/ ) } + it { is_expected.to contain_concat__fragment('Listen 127.0.0.1:80') } + it { is_expected.to contain_concat__fragment('Listen [::1]:80') } + it { is_expected.to_not contain_concat__fragment('NameVirtualHost 127.0.0.1:80') } + it { is_expected.to_not contain_concat__fragment('NameVirtualHost [::1]:80') } + end + + context 'vhost with ipv6 address' do + let :params do + { + 'port' => '80', + 'ip' => '::1', + 'ip_based' => true, + 'servername' => 'example.com', + 'docroot' => '/var/www/html', + 'add_listen' => true, + 'ensure' => 'present' + } + end + let :facts do + { + :osfamily => 'RedHat', + :operatingsystemrelease => '7', + :concat_basedir => '/dne', + :operatingsystem => 'RedHat', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :kernelversion => '3.6.2', + :is_pe => false, + } + end + + it { is_expected.to compile } + it { is_expected.to contain_concat__fragment('rspec.example.com-apache-header').with( + :content => /[.\/m]*<VirtualHost \[::1\]:80>[.\/m]*$/ ) } + it { is_expected.to contain_concat__fragment('Listen [::1]:80') } + it { is_expected.to_not contain_concat__fragment('NameVirtualHost [::1]:80') } + end + + context 'vhost with wildcard ip address' do + let :params do + { + 'port' => '80', + 'ip' => '*', + 'ip_based' => true, + 'servername' => 'example.com', + 'docroot' => '/var/www/html', + 'add_listen' => true, + 'ensure' => 'present' + } + end + let :facts do + { + :osfamily => 'RedHat', + :operatingsystemrelease => '7', + :concat_basedir => '/dne', + :operatingsystem => 'RedHat', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :kernelversion => '3.6.2', + :is_pe => false, + } + end + + it { is_expected.to compile } + it { is_expected.to contain_concat__fragment('rspec.example.com-apache-header').with( + :content => /[.\/m]*<VirtualHost \*:80>[.\/m]*$/ ) } + it { is_expected.to contain_concat__fragment('Listen *:80') } + it { is_expected.to_not contain_concat__fragment('NameVirtualHost *:80') } + end + + context 'modsec_audit_log' do + let :params do + { + 'docroot' => '/rspec/docroot', + 'modsec_audit_log' => true, + } + end + it { is_expected.to compile } + it { is_expected.to contain_concat__fragment('rspec.example.com-security').with( + :content => /^\s*SecAuditLog "\/var\/log\/apache2\/rspec\.example\.com_security\.log"$/ ) } + end + context 'modsec_audit_log_file' do + let :params do + { + 'docroot' => '/rspec/docroot', + 'modsec_audit_log_file' => 'foo.log', + } + end + it { is_expected.to compile } + it { is_expected.to contain_concat__fragment('rspec.example.com-security').with( + :content => /\s*SecAuditLog "\/var\/log\/apache2\/foo.log"$/ ) } + end + context 'set only aliases' do + let :params do + { + 'docroot' => '/rspec/docroot', + 'aliases' => [ + { + 'alias' => '/alias', + 'path' => '/rspec/docroot', + }, + ] + } + end + it { is_expected.to contain_class('apache::mod::alias')} + end + context 'proxy_pass_match' do + let :params do + { + 'docroot' => '/rspec/docroot', + 'proxy_pass_match' => [ + { + 'path' => '.*', + 'url' => 'http://backend-a/', + 'params' => { 'timeout' => 300 }, + } + ], + } + end + it { is_expected.to contain_concat__fragment('rspec.example.com-proxy').with_content( + /ProxyPassMatch .* http:\/\/backend-a\/ timeout=300/).with_content(/## Proxy rules/) } + end + context 'proxy_dest_match' do + let :params do + { + 'docroot' => '/rspec/docroot', + 'proxy_dest_match' => '/' + } + end + it { is_expected.to contain_concat__fragment('rspec.example.com-proxy').with_content(/## Proxy rules/) } end context 'not everything can be set together...' do let :params do @@ -348,6 +796,23 @@ 'manage_docroot' => true, 'logroot' => '/tmp/logroot', 'logroot_ensure' => 'absent', + 'directories' => [ + { + 'path' => '/var/www/files', + 'provider' => 'files', + 'allow' => [ 'from 127.0.0.1', 'from 127.0.0.2', ], + 'deny' => [ 'from 127.0.0.3', 'from 127.0.0.4', ], + 'satisfy' => 'any', + }, + { + 'path' => '/var/www/foo', + 'provider' => 'files', + 'allow' => 'from 127.0.0.5', + 'deny' => 'from all', + 'order' => 'deny,allow', + }, + ], + } end let :facts do @@ -372,7 +837,7 @@ it { is_expected.to_not contain_class('apache::mod::passenger') } it { is_expected.to_not contain_class('apache::mod::suexec') } it { is_expected.to_not contain_class('apache::mod::rewrite') } - it { is_expected.to contain_class('apache::mod::alias') } + it { is_expected.to_not contain_class('apache::mod::alias') } it { is_expected.to_not contain_class('apache::mod::proxy') } it { is_expected.to_not contain_class('apache::mod::proxy_http') } it { is_expected.to_not contain_class('apache::mod::passenger') } @@ -392,6 +857,22 @@ it { is_expected.to_not contain_concat__fragment('rspec.example.com-itk') } it { is_expected.to_not contain_concat__fragment('rspec.example.com-fallbackresource') } it { is_expected.to contain_concat__fragment('rspec.example.com-directories') } + it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + :content => /^\s+Allow from 127\.0\.0\.1$/ ) } + it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + :content => /^\s+Allow from 127\.0\.0\.2$/ ) } + it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + :content => /^\s+Allow from 127\.0\.0\.5$/ ) } + it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + :content => /^\s+Deny from 127\.0\.0\.3$/ ) } + it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + :content => /^\s+Deny from 127\.0\.0\.4$/ ) } + it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + :content => /^\s+Deny from all$/ ) } + it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + :content => /^\s+Satisfy any$/ ) } + it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + :content => /^\s+Order deny,allow$/ ) } it { is_expected.to_not contain_concat__fragment('rspec.example.com-additional_includes') } it { is_expected.to contain_concat__fragment('rspec.example.com-logging') } it { is_expected.to contain_concat__fragment('rspec.example.com-serversignature') } @@ -407,6 +888,7 @@ it { is_expected.to_not contain_concat__fragment('rspec.example.com-serveralias') } it { is_expected.to_not contain_concat__fragment('rspec.example.com-setenv') } it { is_expected.to_not contain_concat__fragment('rspec.example.com-ssl') } + it { is_expected.to_not contain_concat__fragment('rspec.example.com-sslproxy') } it { is_expected.to_not contain_concat__fragment('rspec.example.com-suphp') } it { is_expected.to_not contain_concat__fragment('rspec.example.com-php_admin') } it { is_expected.to_not contain_concat__fragment('rspec.example.com-header') } @@ -416,8 +898,44 @@ it { is_expected.to_not contain_concat__fragment('rspec.example.com-fastcgi') } it { is_expected.to_not contain_concat__fragment('rspec.example.com-suexec') } it { is_expected.to_not contain_concat__fragment('rspec.example.com-charsets') } + it { is_expected.to_not contain_concat__fragment('rspec.example.com-limits') } it { is_expected.to contain_concat__fragment('rspec.example.com-file_footer') } end + context 'when not setting nor managing the docroot' do + let :params do + { + 'docroot' => false, + 'manage_docroot' => false, + } + end + it { is_expected.to compile } + it { is_expected.not_to contain_concat__fragment('rspec.example.com-docroot') } + end + context 'ssl_proxyengine without ssl' do + let :params do + { + 'docroot' => '/rspec/docroot', + 'ssl' => false, + 'ssl_proxyengine' => true, + } + end + it { is_expected.to compile } + it { is_expected.not_to contain_concat__fragment('rspec.example.com-ssl') } + it { is_expected.to contain_concat__fragment('rspec.example.com-sslproxy') } + end + context 'ssl_proxy_protocol without ssl_proxyengine' do + let :params do + { + 'docroot' => '/rspec/docroot', + 'ssl' => true, + 'ssl_proxyengine' => false, + 'ssl_proxy_protocol' => 'TLSv1.2', + } + end + it { is_expected.to compile } + it { is_expected.to contain_concat__fragment('rspec.example.com-ssl') } + it { is_expected.not_to contain_concat__fragment('rspec.example.com-sslproxy') } + end end describe 'access logs' do let :facts do @@ -478,6 +996,18 @@ end end # access logs describe 'validation' do + let :default_facts do + { + :osfamily => 'RedHat', + :operatingsystemrelease => '6', + :concat_basedir => '/dne', + :operatingsystem => 'RedHat', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :is_pe => false, + } + end context 'bad ensure' do let :params do { @@ -578,6 +1108,16 @@ let :facts do default_facts end it { expect { is_expected.to compile }.to raise_error } end + context 'empty rewrites' do + let :params do + { + 'docroot' => '/rspec/docroot', + 'rewrites' => [], + } + end + let :facts do default_facts end + it { is_expected.to compile } + end context 'bad suexec_user_group' do let :params do { @@ -700,5 +1240,72 @@ let :facts do default_facts end it { expect { is_expected.to compile }.to raise_error } end + context 'default of require all granted' do + let :params do + { + 'docroot' => '/var/www/foo', + 'directories' => [ + { + 'path' => '/var/www/foo/files', + 'provider' => 'files', + }, + ], + + } + end + let :facts do + { + :osfamily => 'RedHat', + :operatingsystemrelease => '7', + :concat_basedir => '/dne', + :operatingsystem => 'RedHat', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :kernelversion => '3.19.2', + :is_pe => false, + } + end + + it { is_expected.to compile } + it { is_expected.to contain_concat('25-rspec.example.com.conf') } + it { is_expected.to contain_concat__fragment('rspec.example.com-directories') } + it { is_expected.to contain_concat__fragment('rspec.example.com-directories').with( + :content => /^\s+Require all granted$/ ) } + end + context 'require unmanaged' do + let :params do + { + 'docroot' => '/var/www/foo', + 'directories' => [ + { + 'path' => '/var/www/foo', + 'require' => 'unmanaged', + }, + ], + + } + end + let :facts do + { + :osfamily => 'RedHat', + :operatingsystemrelease => '7', + :concat_basedir => '/dne', + :operatingsystem => 'RedHat', + :id => 'root', + :kernel => 'Linux', + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :kernelversion => '3.19.2', + :is_pe => false, + } + end + + it { is_expected.to compile } + it { is_expected.to contain_concat('25-rspec.example.com.conf') } + it { is_expected.to contain_concat__fragment('rspec.example.com-directories') } + it { is_expected.to_not contain_concat__fragment('rspec.example.com-directories').with( + :content => /^\s+Require all granted$/ ) + } + end end end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/spec/fixtures/files/negotiation.conf Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,4 @@ +# This is a file only for spec testing + +LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt pt-BR ru sv zh-CN zh-TW +ForceLanguagePriority Prefer Fallback
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/spec/fixtures/files/spec Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,1 @@ +# This is a file only for spec testing
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/spec/fixtures/templates/negotiation.conf.erb Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,4 @@ +# This is a template only for spec testing + +LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt pt-BR ru sv zh-CN zh-TW +ForceLanguagePriority Prefer Fallback
--- a/modules/apache/spec/spec.opts Sun Dec 29 15:31:28 2019 +0000 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,6 +0,0 @@ ---format -s ---colour ---loadby -mtime ---backtrace
--- a/modules/apache/spec/spec_helper.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/spec_helper.rb Sun Dec 29 11:00:05 2019 -0500 @@ -1,25 +1,8 @@ +#This file is generated by ModuleSync, do not edit. require 'puppetlabs_spec_helper/module_spec_helper' -RSpec.configure do |c| - c.treat_symbols_as_metadata_keys_with_true_values = true - - c.before :each do - # Ensure that we don't accidentally cache facts and environment - # between test cases. - Facter::Util::Loader.any_instance.stubs(:load_all) - Facter.clear - Facter.clear_messages - - # Store any environment variables away to be restored later - @old_env = {} - ENV.each_key {|k| @old_env[k] = ENV[k]} - - if ENV['STRICT_VARIABLES'] == 'yes' - Puppet.settings[:strict_variables]=true - end - end +# put local configuration and setup into spec_helper_local +begin + require 'spec_helper_local' +rescue LoadError end - -shared_examples :compile, :compile => true do - it { should compile.with_all_deps } -end
--- a/modules/apache/spec/spec_helper_acceptance.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/spec_helper_acceptance.rb Sun Dec 29 11:00:05 2019 -0500 @@ -1,47 +1,82 @@ require 'beaker-rspec/spec_helper' require 'beaker-rspec/helpers/serverspec' - - -unless ENV['RS_PROVISION'] == 'no' - # This will install the latest available package on el and deb based - # systems fail on windows and osx, and install via gem on other *nixes - foss_opts = { :default_action => 'gem_install' } - - if default.is_pe?; then install_pe; else install_puppet( foss_opts ); end +require 'beaker/puppet_install_helper' - hosts.each do |host| - if host['platform'] =~ /debian/ - on host, 'echo \'export PATH=/var/lib/gems/1.8/bin/:${PATH}\' >> ~/.bashrc' - end - - on host, "mkdir -p #{host['distmoduledir']}" - end -end - -UNSUPPORTED_PLATFORMS = ['Suse','windows','AIX','Solaris'] +run_puppet_install_helper RSpec.configure do |c| + c.filter_run :focus => true + c.run_all_when_everything_filtered = true + # apache on Ubuntu 10.04 and 12.04 doesn't like IPv6 VirtualHosts, so we skip ipv6 tests on those systems + if fact('operatingsystem') == 'Ubuntu' and (fact('operatingsystemrelease') == '10.04' or fact('operatingsystemrelease') == '12.04') + c.filter_run_excluding :ipv6 => true + end + # Project root proj_root = File.expand_path(File.join(File.dirname(__FILE__), '..')) # Readable test descriptions c.formatter = :documentation + # detect the situation where PUP-5016 is triggered and skip the idempotency tests in that case + # also note how fact('puppetversion') is not available because of PUP-4359 + if fact('osfamily') == 'Debian' && fact('operatingsystemmajrelease') == '8' && shell('puppet --version').stdout =~ /^4\.2/ + c.filter_run_excluding :skip_pup_5016 => true + end + # Configure all nodes in nodeset c.before :suite do + # net-tools required for netstat utility being used by be_listening + if fact('osfamily') == 'RedHat' && fact('operatingsystemmajrelease') == '7' + pp = <<-EOS + package { 'net-tools': ensure => installed } + EOS + + apply_manifest_on(agents, pp, :catch_failures => false) + end + + if fact('osfamily') == 'Debian' + # Make sure snake-oil certs are installed. + shell 'apt-get install -y ssl-cert' + end + # Install module and dependencies hosts.each do |host| copy_module_to(host, :source => proj_root, :module_name => 'apache') + + on host, puppet('module','install','puppetlabs-stdlib') + on host, puppet('module','install','puppetlabs-concat') + # Required for mod_passenger tests. if fact('osfamily') == 'RedHat' - on host, puppet('module','install','stahnma/epel'), { :acceptable_exit_codes => [0,1] } + on host, puppet('module','install','stahnma/epel') + on host, puppet('module','install','puppetlabs/inifile') + #we need epel installed, so we can get plugins, wsgi, mime ... + pp = <<-EOS + class { 'epel': } + EOS + + apply_manifest_on(host, pp, :catch_failures => true) end + # Required for manifest to make mod_pagespeed repository available if fact('osfamily') == 'Debian' - on host, puppet('module','install','puppetlabs-apt'), { :acceptable_exit_codes => [0,1] } + on host, puppet('module','install','puppetlabs-apt','-v','2.4.0') end - on host, puppet('module','install','puppetlabs-stdlib'), { :acceptable_exit_codes => [0,1] } - on host, puppet('module','install','puppetlabs-concat', '--version 1.1.1', '--force'), { :acceptable_exit_codes => [0,1] } + + # Make sure selinux is disabled so the tests work. + on host, puppet('apply', '-e', + %{"exec { 'setenforce 0': path => '/bin:/sbin:/usr/bin:/usr/sbin', onlyif => 'which setenforce && getenforce | grep Enforcing', }"}) end end end + +shared_examples "a idempotent resource" do + it 'should apply with no errors' do + apply_manifest(pp, :catch_failures => true) + end + + it 'should apply a second time without changes', :skip_pup_5016 do + apply_manifest(pp, :catch_changes => true) + end +end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/spec/spec_helper_local.rb Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,39 @@ +RSpec.configure do |c| + c.before :each do + # Ensure that we don't accidentally cache facts and environment + # between test cases. + Facter::Util::Loader.any_instance.stubs(:load_all) + Facter.clear + Facter.clear_messages + end +end + +RSpec.configure do |config| + config.filter_run focus: true + config.run_all_when_everything_filtered = true + #as soon as psh is updated, the following line can be removed + config.mock_with :rspec +end + +shared_examples :compile, :compile => true do + it { should compile.with_all_deps } +end + +shared_examples 'a mod class, without including apache' do + let :facts do + { + :id => 'root', + :lsbdistcodename => 'squeeze', + :kernel => 'Linux', + :osfamily => 'Debian', + :operatingsystem => 'Debian', + :operatingsystemrelease => '6', + :operatingsystemmajrelease => nil, + :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + :concat_basedir => '/dne', + :is_pe => false, + :hardwaremodel => 'x86_64', + } + end + it { should compile.with_all_deps } +end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/spec/unit/apache_version_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,33 @@ +require 'spec_helper' + +describe Facter::Util::Fact do + before do + Facter.clear + end + + describe 'apache_version' do + context 'with value' do + before :each do + expect(Facter::Util::Resolution).to receive(:which).with('apachectl') { true } + expect(Facter::Util::Resolution).to receive(:exec).with('apachectl -v 2>&1') {'Server version: Apache/2.4.16 (Unix) + Server built: Jul 31 2015 15:53:26'} + end + it do + expect(Facter.fact(:apache_version).value).to eq('2.4.16') + end + end + end + + describe 'apache_version with empty OS' do + context 'with value' do + before :each do + expect(Facter::Util::Resolution).to receive(:which).with('apachectl') { true } + expect(Facter::Util::Resolution).to receive(:exec).with('apachectl -v 2>&1') {'Server version: Apache/2.4.6 () + Server built: Nov 21 2015 05:34:59' } + end + it do + expect(Facter.fact(:apache_version).value).to eq('2.4.6') + end + end + end +end
--- a/modules/apache/spec/unit/provider/a2mod/gentoo_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/unit/provider/a2mod/gentoo_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -1,5 +1,3 @@ -#!/usr/bin/env rspec - require 'spec_helper' provider_class = Puppet::Type.type(:a2mod).provider(:gentoo) @@ -17,19 +15,19 @@ describe "when fetching modules" do before do - @filetype = mock() + @filetype = double() end it "should return a sorted array of the defined parameters" do - @filetype.expects(:read).returns(%Q{APACHE2_OPTS="-D FOO -D BAR -D BAZ"\n}) - provider_class.expects(:filetype).returns(@filetype) + expect(@filetype).to receive(:read) { %Q{APACHE2_OPTS="-D FOO -D BAR -D BAZ"\n} } + expect(provider_class).to receive(:filetype) { @filetype } expect(provider_class.modules).to eq(%w{bar baz foo}) end it "should cache the module list" do - @filetype.expects(:read).once.returns(%Q{APACHE2_OPTS="-D FOO -D BAR -D BAZ"\n}) - provider_class.expects(:filetype).once.returns(@filetype) + expect(@filetype).to receive(:read).once { %Q{APACHE2_OPTS="-D FOO -D BAR -D BAZ"\n} } + expect(provider_class).to receive(:filetype).once { @filetype } 2.times { expect(provider_class.modules).to eq(%w{bar baz foo}) } end @@ -44,121 +42,121 @@ describe "when prefetching" do it "should match providers to resources" do - provider = mock("ssl_provider", :name => "ssl") - resource = mock("ssl_resource") + provider = double("ssl_provider", :name => "ssl") + resource = double("ssl_resource") resource.expects(:provider=).with(provider) - provider_class.expects(:instances).returns([provider]) + expect(provider_class).to receive(:instances) { [provider] } provider_class.prefetch("ssl" => resource) end end describe "when flushing" do before :each do - @filetype = mock() - @filetype.stubs(:backup) - provider_class.expects(:filetype).at_least_once.returns(@filetype) + @filetype = double() + allow(@filetype).to receive(:backup) + allow(provider_class).to receive(:filetype).at_least(:once) { @filetype } - @info = mock() - @info.stubs(:[]).with(:name).returns("info") - @info.stubs(:provider=) + @info = double() + allow(@info).to receive(:[]).with(:name) { "info" } + allow(@info).to receive(:provider=) - @mpm = mock() - @mpm.stubs(:[]).with(:name).returns("mpm") - @mpm.stubs(:provider=) + @mpm = double() + allow(@mpm).to receive(:[]).with(:name) { "mpm" } + allow(@mpm).to receive(:provider=) - @ssl = mock() - @ssl.stubs(:[]).with(:name).returns("ssl") - @ssl.stubs(:provider=) + @ssl = double() + allow(@ssl).to receive(:[]).with(:name) { "ssl" } + allow(@ssl).to receive(:provider=) end it "should add modules whose ensure is present" do - @filetype.expects(:read).at_least_once.returns(%Q{APACHE2_OPTS=""}) - @filetype.expects(:write).with(%Q{APACHE2_OPTS="-D INFO"}) + expect(@filetype).to receive(:read).at_least(:once) { %Q{APACHE2_OPTS=""} } + expect(@filetype).to receive(:write).with(%Q{APACHE2_OPTS="-D INFO"}) - @info.stubs(:should).with(:ensure).returns(:present) + allow(@info).to receive(:should).with(:ensure) { :present } provider_class.prefetch("info" => @info) provider_class.flush end it "should remove modules whose ensure is present" do - @filetype.expects(:read).at_least_once.returns(%Q{APACHE2_OPTS="-D INFO"}) - @filetype.expects(:write).with(%Q{APACHE2_OPTS=""}) + expect(@filetype).to receive(:read).at_least(:once) { %Q{APACHE2_OPTS="-D INFO"} } + expect(@filetype).to receive(:write).with(%Q{APACHE2_OPTS=""}) - @info.stubs(:should).with(:ensure).returns(:absent) - @info.stubs(:provider=) + allow(@info).to receive(:should).with(:ensure) { :absent } + allow(@info).to receive(:provider=) provider_class.prefetch("info" => @info) provider_class.flush end it "should not modify providers without resources" do - @filetype.expects(:read).at_least_once.returns(%Q{APACHE2_OPTS="-D INFO -D MPM"}) - @filetype.expects(:write).with(%Q{APACHE2_OPTS="-D MPM -D SSL"}) + expect(@filetype).to receive(:read).at_least(:once) { %Q{APACHE2_OPTS="-D INFO -D MPM"} } + expect(@filetype).to receive(:write).with(%Q{APACHE2_OPTS="-D MPM -D SSL"}) - @info.stubs(:should).with(:ensure).returns(:absent) + allow(@info).to receive(:should).with(:ensure) { :absent } provider_class.prefetch("info" => @info) - @ssl.stubs(:should).with(:ensure).returns(:present) + allow(@ssl).to receive(:should).with(:ensure) { :present } provider_class.prefetch("ssl" => @ssl) provider_class.flush end it "should write the modules in sorted order" do - @filetype.expects(:read).at_least_once.returns(%Q{APACHE2_OPTS=""}) - @filetype.expects(:write).with(%Q{APACHE2_OPTS="-D INFO -D MPM -D SSL"}) + expect(@filetype).to receive(:read).at_least(:once) { %Q{APACHE2_OPTS=""} } + expect(@filetype).to receive(:write).with(%Q{APACHE2_OPTS="-D INFO -D MPM -D SSL"}) - @mpm.stubs(:should).with(:ensure).returns(:present) + allow(@mpm).to receive(:should).with(:ensure) { :present } provider_class.prefetch("mpm" => @mpm) - @info.stubs(:should).with(:ensure).returns(:present) + allow(@info).to receive(:should).with(:ensure) { :present } provider_class.prefetch("info" => @info) - @ssl.stubs(:should).with(:ensure).returns(:present) + allow(@ssl).to receive(:should).with(:ensure) { :present } provider_class.prefetch("ssl" => @ssl) provider_class.flush end it "should write the records back once" do - @filetype.expects(:read).at_least_once.returns(%Q{APACHE2_OPTS=""}) - @filetype.expects(:write).once.with(%Q{APACHE2_OPTS="-D INFO -D SSL"}) + expect(@filetype).to receive(:read).at_least(:once) { %Q{APACHE2_OPTS=""} } + expect(@filetype).to receive(:write).once.with(%Q{APACHE2_OPTS="-D INFO -D SSL"}) - @info.stubs(:should).with(:ensure).returns(:present) + allow(@info).to receive(:should).with(:ensure) { :present } provider_class.prefetch("info" => @info) - @ssl.stubs(:should).with(:ensure).returns(:present) + allow(@ssl).to receive(:should).with(:ensure) { :present } provider_class.prefetch("ssl" => @ssl) provider_class.flush end it "should only modify the line containing APACHE2_OPTS" do - @filetype.expects(:read).at_least_once.returns(%Q{# Comment\nAPACHE2_OPTS=""\n# Another comment}) - @filetype.expects(:write).once.with(%Q{# Comment\nAPACHE2_OPTS="-D INFO"\n# Another comment}) + expect(@filetype).to receive(:read).at_least(:once) { %Q{# Comment\nAPACHE2_OPTS=""\n# Another comment} } + expect(@filetype).to receive(:write).once.with(%Q{# Comment\nAPACHE2_OPTS="-D INFO"\n# Another comment}) - @info.stubs(:should).with(:ensure).returns(:present) + allow(@info).to receive(:should).with(:ensure) { :present } provider_class.prefetch("info" => @info) provider_class.flush end it "should restore any arbitrary arguments" do - @filetype.expects(:read).at_least_once.returns(%Q{APACHE2_OPTS="-Y -D MPM -X"}) - @filetype.expects(:write).once.with(%Q{APACHE2_OPTS="-Y -X -D INFO -D MPM"}) + expect(@filetype).to receive(:read).at_least(:once) { %Q{APACHE2_OPTS="-Y -D MPM -X"} } + expect(@filetype).to receive(:write).once.with(%Q{APACHE2_OPTS="-Y -X -D INFO -D MPM"}) - @info.stubs(:should).with(:ensure).returns(:present) + allow(@info).to receive(:should).with(:ensure) { :present } provider_class.prefetch("info" => @info) provider_class.flush end it "should backup the file once if changes were made" do - @filetype.expects(:read).at_least_once.returns(%Q{APACHE2_OPTS=""}) - @filetype.expects(:write).once.with(%Q{APACHE2_OPTS="-D INFO -D SSL"}) + expect(@filetype).to receive(:read).at_least(:once) { %Q{APACHE2_OPTS=""} } + expect(@filetype).to receive(:write).once.with(%Q{APACHE2_OPTS="-D INFO -D SSL"}) - @info.stubs(:should).with(:ensure).returns(:present) + allow(@info).to receive(:should).with(:ensure) { :present } provider_class.prefetch("info" => @info) - @ssl.stubs(:should).with(:ensure).returns(:present) + allow(@ssl).to receive(:should).with(:ensure) { :present } provider_class.prefetch("ssl" => @ssl) @filetype.unstub(:backup) @@ -167,13 +165,13 @@ end it "should not write the file or run backups if no changes were made" do - @filetype.expects(:read).at_least_once.returns(%Q{APACHE2_OPTS="-X -D INFO -D SSL -Y"}) - @filetype.expects(:write).never + expect(@filetype).to receive(:read).at_least(:once) { %Q{APACHE2_OPTS="-X -D INFO -D SSL -Y"} } + expect(@filetype).to receive(:write).never - @info.stubs(:should).with(:ensure).returns(:present) + allow(@info).to receive(:should).with(:ensure) { :present } provider_class.prefetch("info" => @info) - @ssl.stubs(:should).with(:ensure).returns(:present) + allow(@ssl).to receive(:should).with(:ensure) { :present } provider_class.prefetch("ssl" => @ssl) @filetype.unstub(:backup)
--- a/modules/apache/spec/unit/puppet/parser/functions/bool2httpd_spec.rb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/spec/unit/puppet/parser/functions/bool2httpd_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -1,4 +1,3 @@ -#! /usr/bin/env ruby -S rspec require 'spec_helper' describe "the bool2httpd function" do
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/spec/unit/puppet/parser/functions/enclose_ipv6_spec.rb Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,69 @@ +#! /usr/bin/env ruby -S rspec +require 'spec_helper' + +describe "the enclose_ipv6 function" do + let(:scope) { PuppetlabsSpec::PuppetInternals.scope } + + it "should exist" do + expect(Puppet::Parser::Functions.function("enclose_ipv6")).to eq("function_enclose_ipv6") + end + + it "should raise a ParseError if there is less than 1 arguments" do + expect { scope.function_enclose_ipv6([]) }.to( raise_error(Puppet::ParseError) ) + end + + it "should raise a ParseError if there is more than 1 arguments" do + expect { scope.function_enclose_ipv6(['argument1','argument2']) }.to( raise_error(Puppet::ParseError) ) + end + + it "should raise a ParseError when given garbage" do + expect { scope.function_enclose_ipv6(['garbage']) }.to( raise_error(Puppet::ParseError) ) + end + + it "should raise a ParseError when given something else than a string or an array" do + expect { scope.function_enclose_ipv6([['1' => '127.0.0.1']]) }.to( raise_error(Puppet::ParseError) ) + end + + it "should not raise a ParseError when given a single ip string" do + expect { scope.function_enclose_ipv6(['127.0.0.1']) }.to_not raise_error + end + + it "should not raise a ParseError when given * as ip string" do + expect { scope.function_enclose_ipv6(['*']) }.to_not raise_error + end + + it "should not raise a ParseError when given an array of ip strings" do + expect { scope.function_enclose_ipv6([['127.0.0.1','fe80::1']]) }.to_not raise_error + end + + it "should not raise a ParseError when given differently notations of ip addresses" do + expect { scope.function_enclose_ipv6([['127.0.0.1','fe80::1','[fe80::1]']]) }.to_not raise_error + end + + it "should raise a ParseError when given a wrong ipv4 address" do + expect { scope.function_enclose_ipv6(['127..0.0.1']) }.to( raise_error(Puppet::ParseError) ) + end + + it "should raise a ParseError when given a ipv4 address with square brackets" do + expect { scope.function_enclose_ipv6(['[127.0.0.1]']) }.to( raise_error(Puppet::ParseError) ) + end + + it "should raise a ParseError when given a wrong ipv6 address" do + expect { scope.function_enclose_ipv6(['fe80:::1']) }.to( raise_error(Puppet::ParseError) ) + end + + it "should embrace ipv6 adresses within an array of ip addresses" do + result = scope.function_enclose_ipv6([['127.0.0.1','fe80::1','[fe80::2]']]) + expect(result).to(eq(['127.0.0.1','[fe80::1]','[fe80::2]'])) + end + + it "should embrace a single ipv6 adresse" do + result = scope.function_enclose_ipv6(['fe80::1']) + expect(result).to(eq(['[fe80::1]'])) + end + + it "should not embrace a single ipv4 adresse" do + result = scope.function_enclose_ipv6(['127.0.0.1']) + expect(result).to(eq(['127.0.0.1'])) + end +end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/spec/unit/puppet/parser/functions/validate_apache_log_level.rb Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,39 @@ +#! /usr/bin/env ruby -S rspec +require 'spec_helper' + +describe "the validate_apache_log_level function" do + let(:scope) { PuppetlabsSpec::PuppetInternals.scope } + + it "should exist" do + expect(Puppet::Parser::Functions.function("validate_apache_log_level")).to eq("function_validate_apache_log_level") + end + + it "should raise a ParseError if there is less than 1 arguments" do + expect { scope.function_validate_apache_log_level([]) }.to( raise_error(Puppet::ParseError) ) + end + + it "should raise a ParseError when given garbage" do + expect { scope.function_validate_apache_log_level(['garbage']) }.to( raise_error(Puppet::ParseError) ) + end + + it "should not raise a ParseError when given a plain log level" do + expect { scope.function_validate_apache_log_level(['info']) }.to_not raise_error + end + + it "should not raise a ParseError when given a log level and module log level" do + expect { scope.function_validate_apache_log_level(['warn ssl:info']) }.to_not raise_error + end + + it "should not raise a ParseError when given a log level and module log level" do + expect { scope.function_validate_apache_log_level(['warn mod_ssl.c:info']) }.to_not raise_error + end + + it "should not raise a ParseError when given a log level and module log level" do + expect { scope.function_validate_apache_log_level(['warn ssl_module:info']) }.to_not raise_error + end + + it "should not raise a ParseError when given a trace level" do + expect { scope.function_validate_apache_log_level(['trace4']) }.to_not raise_error + end + +end
--- a/modules/apache/templates/fastcgi/server.erb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/templates/fastcgi/server.erb Sun Dec 29 11:00:05 2019 -0500 @@ -1,3 +1,22 @@ -FastCGIExternalServer <%= @faux_path %> -idle-timeout <%= @timeout %> <%= if @flush then '-flush' end %> -host <%= @host %> +<% + timeout = " -idle-timeout #{@timeout}" + flush = "" + if @flush + flush = " -flush" + end + if @socket + host_or_socket = " -socket #{@socket}" + else + host_or_socket = " -host #{@host}" + end + + pass_header = "" + if @pass_header and ! @pass_header.empty? + pass_header = " -pass-header #{@pass_header}" + end + + options = timeout + flush + host_or_socket + pass_header +-%> +FastCGIExternalServer <%= @faux_path %><%= options %> Alias <%= @fcgi_alias %> <%= @faux_path %> Action <%= @file_type %> <%= @fcgi_alias %>
--- a/modules/apache/templates/httpd.conf.erb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/templates/httpd.conf.erb Sun Dec 29 11:00:05 2019 -0500 @@ -10,6 +10,11 @@ KeepAlive <%= @keepalive %> MaxKeepAliveRequests <%= @max_keepalive_requests %> KeepAliveTimeout <%= @keepalive_timeout %> +LimitRequestFieldSize <%= @limitreqfieldsize %> + +<%- if @rewrite_lock and scope.function_versioncmp([@apache_version, '2.2']) <= 0 -%> +RewriteLock <%= @rewrite_lock %> +<%- end -%> User <%= @user %> Group <%= @group %> @@ -26,13 +31,31 @@ </FilesMatch> <Directory /> - Options FollowSymLinks + Options <%= Array(@root_directory_options).join(' ') %> AllowOverride None +<%- if @root_directory_secured -%> +<%- if scope.function_versioncmp([@apache_version, '2.4']) >= 0 -%> + Require all denied +<%- else -%> + Order deny,allow + Deny from all +<%- end -%> +<%- end -%> </Directory> -DefaultType none +<% if @default_charset -%> +AddDefaultCharset <%= @default_charset %> +<% end -%> + +<%- if scope.function_versioncmp([@apache_version, '2.4']) < 0 -%> +DefaultType <%= @default_type %> +<%- end -%> HostnameLookups Off +<%- if /^[|\/]/.match(@error_log) || /^syslog:/.match(@error_log) -%> +ErrorLog "<%= @error_log %>" +<%- else -%> ErrorLog "<%= @logroot %>/<%= @error_log %>" +<%- end -%> LogLevel <%= @log_level %> EnableSendfile <%= @sendfile %> <%- if @allow_encoded_slashes -%> @@ -54,10 +77,21 @@ <% end -%> Include "<%= @ports_file %>" +<% unless @log_formats.has_key?('combined') -%> LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined +<% end -%> +<% unless @log_formats.has_key?('common') -%> LogFormat "%h %l %u %t \"%r\" %>s %b" common +<% end -%> +<% unless @log_formats.has_key?('referer') -%> LogFormat "%{Referer}i -> %U" referer +<% end -%> +<% unless @log_formats.has_key?('agent') -%> LogFormat "%{User-agent}i" agent +<% end -%> +<% unless @log_formats.has_key?('forwarded') -%> +LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-agent}i\"" forwarded +<% end -%> <% if @log_formats and !@log_formats.empty? -%> <%- @log_formats.sort.each do |nickname,format| -%> LogFormat "<%= format -%>" <%= nickname %> @@ -71,9 +105,9 @@ <%- end -%> <% if @vhost_load_dir != @confd_dir -%> <%- if scope.function_versioncmp([@apache_version, '2.4']) >= 0 -%> -IncludeOptional "<%= @vhost_load_dir %>/*" +IncludeOptional "<%= @vhost_load_dir %>/<%= @vhost_include_pattern %>" <%- else -%> -Include "<%= @vhost_load_dir %>/*" +Include "<%= @vhost_load_dir %>/<%= @vhost_include_pattern %>" <%- end -%> <% end -%>
--- a/modules/apache/templates/mod/alias.conf.erb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/templates/mod/alias.conf.erb Sun Dec 29 11:00:05 2019 -0500 @@ -1,9 +1,9 @@ <IfModule alias_module> Alias /icons/ "<%= @icons_path %>/" <Directory "<%= @icons_path %>"> - Options Indexes MultiViews + Options <%= @icons_options %> AllowOverride None -<%- if scope.function_versioncmp([@apache_version, '2.4']) >= 0 -%> +<%- if scope.function_versioncmp([@_apache_version, '2.4']) >= 0 -%> Require all granted <%- else -%> Order allow,deny
--- a/modules/apache/templates/mod/auth_cas.conf.erb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/templates/mod/auth_cas.conf.erb Sun Dec 29 11:00:05 2019 -0500 @@ -11,6 +11,9 @@ <% if @cas_proxy_validate_url -%> CASProxyValidateURL <%= @cas_proxy_validate_url %> <% end -%> +<% if @cas_validate_server -%> +CASValidateServer <%= @cas_validate_server %> +<% end -%> <% if @cas_validate_depth -%> CASValidateDepth <%= @cas_validate_depth %> <% end -%> @@ -38,3 +41,18 @@ <% if @cas_authoritative -%> CASAuthoritative <%= @cas_authoritative %> <% end -%> +<%- if @cas_sso_enabled -%> +CASSSOEnabled On +<%- end -%> +<%- if @cas_validate_saml -%> +CASValidateSAML On +<%- end -%> +<%- if @cas_attribute_prefix -%> +CASAttributePrefix <%= @cas_attribute_prefix %> +<%- end -%> +<%- if @cas_attribute_delimiter -%> +CASAttributeDelimiter <%= @cas_attribute_delimiter %> +<%- end -%> +<%- if @cas_scrub_request_headers -%> +CASAttributeDelimiter On +<%- end -%>
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/templates/mod/auth_mellon.conf.erb Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,21 @@ +<%- if @mellon_cache_size -%> +MellonCacheSize <%= @mellon_cache_size %> +<%- end -%> +<%- if @mellon_cache_entry_size -%> +MellonCacheEntrySize <%= @mellon_cache_entry_size %> +<%- end -%> +<%- if @mellon_lock_file -%> +MellonLockFile "<%= @mellon_lock_file %>" +<%- end -%> +<%- if @mellon_post_directory -%> +MellonPostDirectory "<%= @mellon_post_directory %>" +<%- end -%> +<%- if @mellon_post_ttl -%> +MellonPostTTL <%= @mellon_post_ttl %> +<%- end -%> +<%- if @mellon_post_size -%> +MellonPostSize <%= @mellon_post_size %> +<%- end -%> +<%- if @mellon_post_count -%> +MellonPostCount <%= @mellon_post_count %> +<%- end -%>
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/templates/mod/authn_dbd.conf.erb Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,17 @@ +#Database Management +DBDriver <%= @authn_dbd_dbdriver %> + +#Connection string: database name and login credentials +DBDParams "<%= @authn_dbd_params %>" + +#Parameters for Connection Pool Management +DBDMin <%= @authn_dbd_min %> +DBDMax <%= @authn_dbd_max %> +DBDKeep <%= @authn_dbd_keep %> +DBDExptime <%= @authn_dbd_exptime %> + +<%- if @authn_dbd_alias -%> +<AuthnProviderAlias dbd <%= @authn_dbd_alias %>> + AuthDBDUserPWQuery "<%= @authn_dbd_query %>" +</AuthnProviderAlias> +<%- end -%>
--- a/modules/apache/templates/mod/authnz_ldap.conf.erb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/templates/mod/authnz_ldap.conf.erb Sun Dec 29 11:00:05 2019 -0500 @@ -1,4 +1,4 @@ -<% if @verifyServerCert == true -%> +<% if @_verify_server_cert == true -%> LDAPVerifyServerCert On <% else -%> LDAPVerifyServerCert Off
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/templates/mod/cluster.conf.erb Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,23 @@ +Listen <%= @ip %>:<%= @port %> +<VirtualHost <%= @ip %>:<%= @port %>> + <Location /> + Order deny,allow + Deny from all + Allow from <%= @allowed_network %> + </Location> + + KeepAliveTimeout <%= @keep_alive_timeout %> + MaxKeepAliveRequests <%= @max_keep_alive_requests %> + EnableMCPMReceive <%= scope.function_bool2httpd([@enable_mcpm_receive]) %> + + ManagerBalancerName <%= @balancer_name %> + ServerAdvertise <%= scope.function_bool2httpd([@server_advertise]) %> + + <Location /mod_cluster_manager> + SetHandler mod_cluster-manager + Order deny,allow + Deny from all + Allow from <%= @manager_allowed_network %> + </Location> + +</VirtualHost>
--- a/modules/apache/templates/mod/disk_cache.conf.erb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/templates/mod/disk_cache.conf.erb Sun Dec 29 11:00:05 2019 -0500 @@ -1,8 +1,4 @@ -<IfModule mod_proxy.c> - <IfModule mod_disk_cache.c> - CacheEnable disk / - CacheRoot "<%= @cache_root %>" - CacheDirLevels 2 - CacheDirLength 1 - </IfModule> -</IfModule> +CacheEnable disk / +CacheRoot "<%= @_cache_root %>" +CacheDirLevels 2 +CacheDirLength 1
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/templates/mod/dumpio.conf.erb Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,3 @@ +# https://httpd.apache.org/docs/2.4/mod/mod_dumpio.html +DumpIOInput "<%= @dump_io_input %>" +DumpIOOutput "<%= @dump_io_output %>"
--- a/modules/apache/templates/mod/event.conf.erb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/templates/mod/event.conf.erb Sun Dec 29 11:00:05 2019 -0500 @@ -1,13 +1,33 @@ <IfModule mpm_event_module> + <%- if @serverlimit -%> ServerLimit <%= @serverlimit %> + <%- end -%> + <%- if @startservers -%> StartServers <%= @startservers %> + <%- end -%> + <%- if @maxrequestworkers -%> + MaxRequestWorkers <%= @maxrequestworkers %> + <%- elsif @maxclients -%> MaxClients <%= @maxclients %> + <%- end -%> + <%- if @minsparethreads -%> MinSpareThreads <%= @minsparethreads %> + <%- end -%> + <%- if @maxsparethreads -%> MaxSpareThreads <%= @maxsparethreads %> + <%- end -%> + <%- if @threadsperchild -%> ThreadsPerChild <%= @threadsperchild %> + <%- end -%> + <%- if @maxconnectionsperchild -%> + MaxConnectionsPerChild <%= @maxconnectionsperchild %> + <%- elsif @maxrequestsperchild -%> MaxRequestsPerChild <%= @maxrequestsperchild %> + <%- end -%> + <%- if @threadlimit -%> ThreadLimit <%= @threadlimit %> + <%- end -%> + <%- if @listenbacklog -%> ListenBacklog <%= @listenbacklog %> - MaxRequestWorkers <%= @maxrequestworkers %> - MaxConnectionsPerChild <%= @maxconnectionsperchild %> + <%- end -%> </IfModule>
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/templates/mod/expires.conf.erb Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,11 @@ +ExpiresActive <%= scope.function_bool2httpd([@expires_active]) %> +<%- if ! @expires_default.nil? and ! @expires_default.empty? -%> +ExpiresDefault "<%= @expires_default %>" +<%- end -%> +<%- if ! @expires_by_type.nil? and ! @expires_by_type.empty? -%> +<%- [@expires_by_type].flatten.each do |line| -%> +<%- line.map do |type, seconds| -%> +ExpiresByType <%= type %> "<%= seconds -%>" +<%- end -%> +<%- end -%> +<%- end -%>
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/templates/mod/ext_filter.conf.erb Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,6 @@ +# mod_ext_filter definitions +<%- if @ext_filter_define.length >= 1 -%> +<%- @ext_filter_define.keys.sort.each do |name| -%> +ExtFilterDefine <%= name %> <%= @ext_filter_define[name] %> +<%- end -%> +<%- end -%>
--- a/modules/apache/templates/mod/fastcgi.conf.erb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/templates/mod/fastcgi.conf.erb Sun Dec 29 11:00:05 2019 -0500 @@ -1,6 +1,8 @@ # The Fastcgi Apache module configuration file is being # managed by Puppet and changes will be overwritten. <IfModule mod_fastcgi.c> - AddHandler fastcgi-script .fcgi + <FilesMatch ".+(\.fcgi)$"> + SetHandler fastcgi-script + </FilesMatch> FastCgiIpcDir "<%= @fastcgi_lib_path %>" </IfModule>
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/templates/mod/geoip.conf.erb Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,25 @@ +GeoIPEnable <%= scope.function_bool2httpd([@enable]) %> + +<%- if @db_file and ! [ false, 'false', '' ].include?(@db_file) -%> + <%- if @db_file.kind_of?(Array) -%> + <%- Array(@db_file).each do |file| -%> +GeoIPDBFile <%= file %> <%= @flag %> + <%- end -%> + <%- else -%> +GeoIPDBFile <%= @db_file %> <%= @flag %> + <%- end -%> +<%- end -%> +GeoIPOutput <%= @output %> +<% if ! @enable_utf8.nil? -%> +GeoIPEnableUTF8 <%= scope.function_bool2httpd([@enable_utf8]) %> +<% end -%> +<% if ! @scan_proxy_headers.nil? -%> +GeoIPScanProxyHeaders <%= scope.function_bool2httpd([@scan_proxy_headers]) %> +<% end -%> +<% if ! @scan_proxy_header_field.nil? -%> +GeoIPScanProxyHeaderField <%= @scan_proxy_header_field %> +<% end -%> +<% if ! @use_last_xforwarededfor_ip.nil? -%> +GeoIPUseLastXForwardedForIP <%= scope.function_bool2httpd([@use_last_xforwarededfor_ip]) %> +<% end -%> +
--- a/modules/apache/templates/mod/info.conf.erb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/templates/mod/info.conf.erb Sun Dec 29 11:00:05 2019 -0500 @@ -1,7 +1,7 @@ -<Location /server-info> +<Location <%= @info_path %>> SetHandler server-info <%- if @restrict_access -%> - <%- if scope.function_versioncmp([@apache_version, '2.4']) >= 0 -%> + <%- if scope.function_versioncmp([@_apache_version, '2.4']) >= 0 -%> Require ip <%= Array(@allow_from).join(" ") %> <%- else -%> Order deny,allow
--- a/modules/apache/templates/mod/ldap.conf.erb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/templates/mod/ldap.conf.erb Sun Dec 29 11:00:05 2019 -0500 @@ -1,6 +1,6 @@ <Location /ldap-status> SetHandler ldap-status - <%- if scope.function_versioncmp([@apache_version, '2.4']) >= 0 -%> + <%- if scope.function_versioncmp([@_apache_version, '2.4']) >= 0 -%> Require ip 127.0.0.1 ::1 <%- else -%> Order deny,allow @@ -9,3 +9,21 @@ Satisfy all <%- end -%> </Location> +<% if @ldap_trusted_global_cert_file -%> +LDAPTrustedGlobalCert <%= @ldap_trusted_global_cert_type %> <%= @ldap_trusted_global_cert_file %> +<% end -%> +<%- if @ldap_shared_cache_size -%> +LDAPSharedCacheSize <%= @ldap_shared_cache_size %> +<%- end -%> +<%- if @ldap_cache_entries -%> +LDAPCacheEntries <%= @ldap_cache_entries %> +<%- end -%> +<%- if @ldap_cache_ttl -%> +LDAPCacheTTL <%= @ldap_cache_ttl %> +<%- end -%> +<%- if @ldap_opcache_entries -%> +LDAPOpCacheEntries <%= @ldap_opcache_entries %> +<%- end -%> +<%- if @ldap_opcache_ttl -%> +LDAPOpCacheTTL <%= @ldap_opcache_ttl %> +<%- end -%>
--- a/modules/apache/templates/mod/mime.conf.erb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/templates/mod/mime.conf.erb Sun Dec 29 11:00:05 2019 -0500 @@ -31,6 +31,8 @@ AddLanguage zh-CN .zh-cn AddLanguage zh-TW .zh-tw -AddHandler type-map var -AddType text/html .shtml -AddOutputFilter INCLUDES .shtml +<%- @_mime_types_additional.sort.each do |add_mime, config| -%> + <%- config.each do |type, extension| %> +<%= add_mime %> <%= type %> <%= extension%> + <%- end -%> +<% end %>
--- a/modules/apache/templates/mod/mime_magic.conf.erb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/templates/mod/mime_magic.conf.erb Sun Dec 29 11:00:05 2019 -0500 @@ -1,1 +1,1 @@ -MIMEMagicFile "<%= @magic_file %>" +MIMEMagicFile "<%= @_magic_file %>"
--- a/modules/apache/templates/mod/nss.conf.erb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/templates/mod/nss.conf.erb Sun Dec 29 11:00:05 2019 -0500 @@ -17,7 +17,7 @@ # Note: Configurations that use IPv6 but not IPv4-mapped addresses need two # Listen directives: "Listen [::]:8443" and "Listen 0.0.0.0:443" # -Listen 8443 +Listen <%= @port %> ## ## SSL Global Context @@ -84,7 +84,7 @@ ## SSL Virtual Host Context ## -<VirtualHost _default_:8443> +<VirtualHost _default_:<%= @port %>> # General setup for the virtual host #DocumentRoot "/etc/httpd/htdocs" @@ -121,9 +121,9 @@ # with the maximum specified protocol and downgrading as necessary to the # minimum specified protocol that can be used between two processes. # Since all protocol ranges are completely inclusive, and no protocol in the -# middle of a range may be excluded, the entry "NSSProtocol SSLv3,TLSv1.1" -# is identical to the entry "NSSProtocol SSLv3,TLSv1.0,TLSv1.1". -NSSProtocol SSLv3,TLSv1.0,TLSv1.1 +# middle of a range may be excluded, the entry "NSSProtocol TLSv1.0,TLSv1.2" +# is identical to the entry "NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2". +NSSProtocol TLSv1.0,TLSv1.1 # SSL Certificate Nickname: # The nickname of the RSA server certificate you are going to use.
--- a/modules/apache/templates/mod/pagespeed.conf.erb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/templates/mod/pagespeed.conf.erb Sun Dec 29 11:00:05 2019 -0500 @@ -7,7 +7,7 @@ <% end -%> ModPagespeedFileCachePath "<%= @cache_path %>" ModPagespeedLogDir "<%= @log_dir %>" - + <% @memcache_servers.each do |server| -%> ModPagespeedMemcachedServers <%= server %> <% end -%> @@ -17,7 +17,7 @@ <% @disable_filters.each do |filter| -%> ModPagespeedDisableFilters <%= filter %> <% end -%> - + <% @enable_filters.each do |filter| -%> ModPagespeedEnableFilters <%= filter %> <% end -%> @@ -61,7 +61,7 @@ # statistics. This might be appropriate in an experimental setup or # if the Apache server is protected by a reverse proxy that will # filter URLs in some fashion. - <%- if scope.function_versioncmp([@apache_version, '2.4']) >= 0 -%> + <%- if scope.function_versioncmp([@_apache_version, '2.4']) >= 0 -%> Require ip 127.0.0.1 ::1 <%= Array(@allow_view_stats).join(" ") %> <%- else -%> Order allow,deny @@ -72,7 +72,7 @@ ModPagespeedStatisticsLogging <%= @statistics_logging %> <Location /pagespeed_console> - <%- if scope.function_versioncmp([@apache_version, '2.4']) >= 0 -%> + <%- if scope.function_versioncmp([@_apache_version, '2.4']) >= 0 -%> Require ip 127.0.0.1 ::1 <%= Array(@allow_pagespeed_console).join(" ") %> <%- else -%> Order allow,deny @@ -84,7 +84,7 @@ ModPagespeedMessageBufferSize <%= @message_buffer_size %> <Location /mod_pagespeed_message> - <%- if scope.function_versioncmp([@apache_version, '2.4']) >= 0 -%> + <%- if scope.function_versioncmp([@_apache_version, '2.4']) >= 0 -%> Require ip 127.0.0.1 ::1 <%= Array(@allow_pagespeed_message).join(" ") %> <%- else -%> Order allow,deny @@ -93,6 +93,10 @@ SetHandler mod_pagespeed_message </Location> +<% if @additional_configuration.is_a? Array -%> +<%= @additional_configuration.join("\n") %> +<% else -%> <% @additional_configuration.each_pair do |key, value| -%> <%= key %> <%= value %> <% end -%> +<% end -%>
--- a/modules/apache/templates/mod/passenger.conf.erb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/templates/mod/passenger.conf.erb Sun Dec 29 11:00:05 2019 -0500 @@ -16,12 +16,24 @@ <%- if @passenger_max_pool_size -%> PassengerMaxPoolSize <%= @passenger_max_pool_size %> <%- end -%> + <%- if @passenger_min_instances -%> + PassengerMinInstances <%= @passenger_min_instances %> + <%- end -%> + <%- if @passenger_max_instances_per_app -%> + PassengerMaxInstancesPerApp <%= @passenger_max_instances_per_app %> + <%- end -%> <%- if @passenger_pool_idle_time -%> PassengerPoolIdleTime <%= @passenger_pool_idle_time %> <%- end -%> + <%- if @passenger_max_request_queue_size -%> + PassengerMaxRequestQueueSize <%= @passenger_max_request_queue_size %> + <%- end -%> <%- if @passenger_max_requests -%> PassengerMaxRequests <%= @passenger_max_requests %> <%- end -%> + <%- if @passenger_spawn_method -%> + PassengerSpawnMethod <%= @passenger_spawn_method %> + <%- end -%> <%- if @passenger_stat_throttle_rate -%> PassengerStatThrottleRate <%= @passenger_stat_throttle_rate %> <%- end -%> @@ -34,4 +46,16 @@ <%- if @passenger_use_global_queue -%> PassengerUseGlobalQueue <%= @passenger_use_global_queue %> <%- end -%> + <%- if @passenger_app_env -%> + PassengerAppEnv <%= @passenger_app_env %> + <%- end -%> + <%- if @passenger_log_file -%> + PassengerLogFile <%= @passenger_log_file %> + <%- end -%> + <%- if @passenger_log_level -%> + PassengerLogLevel <%= @passenger_log_level %> + <%- end -%> + <%- if @passenger_data_buffer_dir -%> + PassengerDataBufferDir <%= @passenger_data_buffer_dir %> + <%- end -%> </IfModule>
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/templates/mod/php.conf.erb Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,23 @@ +# +# PHP is an HTML-embedded scripting language which attempts to make it +# easy for developers to write dynamically generated webpages. +# + +# +# Cause the PHP interpreter to handle files with a .php extension. +# +<FilesMatch ".+(<%= @extensions.flatten.compact.collect { |s| Regexp.escape(s) }.join('|') %>)$"> + SetHandler application/x-httpd-php +</FilesMatch> + +# +# Add index.php to the list of files that will be served as directory +# indexes. +# +DirectoryIndex index.php + +# +# Uncomment the following line to allow PHP to pretty-print .phps +# files as PHP source code: +# +#AddType application/x-httpd-php-source .phps
--- a/modules/apache/templates/mod/php5.conf.erb Sun Dec 29 15:31:28 2019 +0000 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,30 +0,0 @@ -# -# PHP is an HTML-embedded scripting language which attempts to make it -# easy for developers to write dynamically generated webpages. -# -#<IfModule prefork.c> -# LoadModule php5_module modules/libphp5.so -#</IfModule> -#<IfModule worker.c> -# # Use of the "ZTS" build with worker is experimental, and no shared -# # modules are supported. -# LoadModule php5_module modules/libphp5-zts.so -#</IfModule> - -# -# Cause the PHP interpreter to handle files with a .php extension. -# -AddHandler php5-script <%= @extensions.flatten.compact.join(' ') %> -AddType text/html .php - -# -# Add index.php to the list of files that will be served as directory -# indexes. -# -DirectoryIndex index.php - -# -# Uncomment the following line to allow PHP to pretty-print .phps -# files as PHP source code: -# -#AddType application/x-httpd-php-source .phps
--- a/modules/apache/templates/mod/proxy.conf.erb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/templates/mod/proxy.conf.erb Sun Dec 29 11:00:05 2019 -0500 @@ -10,7 +10,7 @@ <% if @proxy_requests != 'Off' or ( @allow_from and ! @allow_from.empty? ) -%> <Proxy *> - <%- if scope.function_versioncmp([@apache_version, '2.4']) >= 0 -%> + <%- if scope.function_versioncmp([@_apache_version, '2.4']) >= 0 -%> Require ip <%= Array(@allow_from).join(" ") %> <%- else -%> Order deny,allow @@ -23,5 +23,5 @@ # Enable/disable the handling of HTTP/1.1 "Via:" headers. # ("Full" adds the server version; "Block" removes all outgoing Via: headers) # Set to one of: Off | On | Full | Block - ProxyVia On + ProxyVia <%= @proxy_via %> </IfModule>
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/templates/mod/proxy_balancer.conf.erb Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,10 @@ +<Location <%= @manager_path %>> + SetHandler balancer-manager + <%- if scope.function_versioncmp([@apache_version, '2.4']) >= 0 -%> + Require ip <%= Array(@allow_from).join(" ") %> + <%- else -%> + Order deny,allow + Deny from all + Allow from <%= Array(@allow_from).join(" ") %> + <%- end -%> +</Location>
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/templates/mod/remoteip.conf.erb Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,23 @@ +# Declare the header field which should be parsed for useragent IP addresses +RemoteIPHeader <%= @header %> + +<%- if @proxy_ips -%> +# Declare client intranet IP addresses trusted to present +# the RemoteIPHeader value +<%- [@proxy_ips].flatten.each do |proxy| -%> +RemoteIPInternalProxy <%= proxy %> +<%- end -%> +<%- end -%> + +<%- if @proxies_header -%> +# Declare the header field which will record all intermediate IP addresses +RemoteIPProxiesHeader <%= @proxies_header %> +<%- end -%> + +<%- if @trusted_proxy_ips -%> +# Declare client intranet IP addresses trusted to present +# the RemoteIPHeader value + <%- [@trusted_proxy_ips].flatten.each do |proxy| -%> +RemoteIPTrustedProxy <%= proxy %> + <%- end -%> +<%- end -%>
--- a/modules/apache/templates/mod/security.conf.erb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/templates/mod/security.conf.erb Sun Dec 29 11:00:05 2019 -0500 @@ -1,21 +1,12 @@ <IfModule mod_security2.c> - # ModSecurity Core Rules Set configuration -<%- if scope.function_versioncmp([scope.lookupvar('::apache::apache_version'), '2.4']) >= 0 -%> - IncludeOptional <%= @modsec_dir %>/*.conf - IncludeOptional <%= @modsec_dir %>/activated_rules/*.conf -<%- else -%> - Include <%= @modsec_dir %>/*.conf - Include <%= @modsec_dir %>/activated_rules/*.conf -<%- end -%> - # Default recommended configuration - SecRuleEngine On + SecRuleEngine <%= @modsec_secruleengine %> SecRequestBodyAccess On SecRule REQUEST_HEADERS:Content-Type "text/xml" \ "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML" - SecRequestBodyLimit 13107200 - SecRequestBodyNoFilesLimit 131072 - SecRequestBodyInMemoryLimit 131072 + SecRequestBodyLimit <%= @secrequestbodylimit %> + SecRequestBodyNoFilesLimit <%= @secrequestbodynofileslimit %> + SecRequestBodyInMemoryLimit <%= @secrequestbodyinmemorylimit %> SecRequestBodyLimitAction Reject SecRule REQBODY_ERROR "!@eq 0" \ "id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2" @@ -34,11 +25,14 @@ IH %{MULTIPART_INVALID_HEADER_FOLDING}, \ FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'" + SecRule &REQUEST_HEADERS:Proxy "@gt 0" "id:1000005,log,deny,msg:'httpoxy denied'" + + SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \ "id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'" - SecPcreMatchLimit 1000 - SecPcreMatchLimitRecursion 1000 + SecPcreMatchLimit <%= @secpcrematchlimit %> + SecPcreMatchLimitRecursion <%= @secpcrematchlimitrecursion %> SecRule TX:/^MSC_/ "!@streq 0" \ "id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'" @@ -49,20 +43,38 @@ SecResponseBodyLimitAction ProcessPartial SecDebugLogLevel 0 SecAuditEngine RelevantOnly - SecAuditLogRelevantStatus "^(?:5|4(?!04))" - SecAuditLogParts ABIJDEFHZ + SecAuditLogRelevantStatus "<%= @audit_log_relevant_status %>" + SecAuditLogParts <%= @audit_log_parts %> SecAuditLogType Serial SecArgumentSeparator & SecCookieFormat 0 <%- if scope.lookupvar('::osfamily') == 'Debian' -%> - SecDebugLog /var/log/apache2/modsec_debug.log - SecAuditLog /var/log/apache2/modsec_audit.log + SecDebugLog <%= @logroot %>/modsec_debug.log + SecAuditLog <%= @logroot %>/modsec_audit.log SecTmpDir /var/cache/modsecurity SecDataDir /var/cache/modsecurity + SecUploadDir /var/cache/modsecurity +<%- elsif scope.lookupvar('::osfamily') == 'Suse' -%> + SecDebugLog /var/log/apache2/modsec_debug.log + SecAuditLog /var/log/apache2/modsec_audit.log + SecTmpDir /var/lib/mod_security + SecDataDir /var/lib/mod_security + SecUploadDir /var/lib/mod_security <% else -%> - SecDebugLog /var/log/httpd/modsec_debug.log - SecAuditLog /var/log/httpd/modsec_audit.log + SecDebugLog <%= @logroot %>/modsec_debug.log + SecAuditLog <%= @logroot %>/modsec_audit.log SecTmpDir /var/lib/mod_security SecDataDir /var/lib/mod_security + SecUploadDir /var/lib/mod_security <% end -%> + SecUploadKeepFiles Off + + # ModSecurity Core Rules Set configuration +<%- if scope.function_versioncmp([scope.lookupvar('::apache::apache_version'), '2.4']) >= 0 -%> + IncludeOptional <%= @modsec_dir %>/*.conf + IncludeOptional <%= @modsec_dir %>/activated_rules/*.conf +<%- else -%> + Include <%= @modsec_dir %>/*.conf + Include <%= @modsec_dir %>/activated_rules/*.conf +<%- end -%> </IfModule>
--- a/modules/apache/templates/mod/security_crs.conf.erb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/templates/mod/security_crs.conf.erb Sun Dec 29 11:00:05 2019 -0500 @@ -1,20 +1,20 @@ # --------------------------------------------------------------- -# Core ModSecurity Rule Set ver.2.2.6 +# Core ModSecurity Rule Set ver.2.2.9 # Copyright (C) 2006-2012 Trustwave All rights reserved. # -# The OWASP ModSecurity Core Rule Set is distributed under +# The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENCE file for full details. # --------------------------------------------------------------- # -# -- [[ Recommended Base Configuration ]] ------------------------------------------------- +# -- [[ Recommended Base Configuration ]] ------------------------------------------------- # # The configuration directives/settings in this file are used to control # the OWASP ModSecurity CRS. These settings do **NOT** configure the main # ModSecurity settings such as: -# +# # - SecRuleEngine # - SecRequestBodyAccess # - SecAuditEngine @@ -23,7 +23,7 @@ # You should use the modsecurity.conf-recommended file that comes with the # ModSecurity source code archive. # -# Ref: http://mod-security.svn.sourceforge.net/viewvc/mod-security/m2/trunk/modsecurity.conf-recommended +# Ref: https://github.com/SpiderLabs/ModSecurity/blob/master/modsecurity.conf-recommended # @@ -34,9 +34,9 @@ # # - Producer: ModSecurity for Apache/2.7.0-rc1 (http://www.modsecurity.org/); OWASP_CRS/2.2.4. # -# Ref: https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#SecComponentSignature +# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecComponentSignature # -SecComponentSignature "OWASP_CRS/2.2.6" +SecComponentSignature "OWASP_CRS/2.2.9" # @@ -51,7 +51,7 @@ # -- [[ Collaborative Detection Mode ]] -- # This is a "delayed blocking" mode of operation where each matching rule will inherit # the "pass" action and will only contribute to anomaly scores. Transactional blocking -# can be applied +# can be applied # # -- [[ Alert Logging Control ]] -- # You have three options - @@ -61,10 +61,10 @@ # - To log *only* to the Apache error_log file use: "log,noauditlog" # # Ref: http://blog.spiderlabs.com/2010/11/advanced-topic-of-the-week-traditional-vs-anomaly-scoring-detection-modes.html -# Ref: https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#SecDefaultAction +# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecDefaultAction # -SecDefaultAction "phase:1,deny,log" - +SecDefaultAction "phase:1,<%= @_secdefaultaction -%>" +SecDefaultAction "phase:2,<%= @_secdefaultaction -%>" # # -- [[ Collaborative Detection Severity Levels ]] ---------------------------------------- @@ -89,16 +89,16 @@ "id:'900001', \ phase:1, \ t:none, \ - setvar:tx.critical_anomaly_score=5, \ - setvar:tx.error_anomaly_score=4, \ - setvar:tx.warning_anomaly_score=3, \ - setvar:tx.notice_anomaly_score=2, \ + setvar:tx.critical_anomaly_score=<%= @critical_anomaly_score -%>, \ + setvar:tx.error_anomaly_score=<%= @error_anomaly_score -%>, \ + setvar:tx.warning_anomaly_score=<%= @warning_anomaly_score -%>, \ + setvar:tx.notice_anomaly_score=<%= @notice_anomaly_score -%>, \ nolog, \ pass" # -# -- [[ Collaborative Detection Scoring Threshold Levels ]] ------------------------------ +# -- [[ Collaborative Detection Scoring Initialization and Threshold Levels ]] ------------------------------ # # These variables are used in macro expansion in the 49 inbound blocking and 59 # outbound blocking files. @@ -107,18 +107,23 @@ # operators. If you have an earlier version, edit the 49/59 files directly to # set the appropriate anomaly score levels. # -# You should set the score to the proper threshold you would prefer. If set to "5" -# it will work similarly to previous Mod CRS rules and will create an event in the error_log -# file if there are any rules that match. If you would like to lessen the number of events -# generated in the error_log file, you should increase the anomaly score threshold to -# something like "20". This would only generate an event in the error_log file if -# there are multiple lower severity rule matches or if any 1 higher severity item matches. +# You should set the score level (rule 900003) to the proper threshold you +# would prefer. If set to "5" it will work similarly to previous Mod CRS rules +# and will create an event in the error_log file if there are any rules that +# match. If you would like to lessen the number of events generated in the +# error_log file, you should increase the anomaly score threshold to something +# like "20". This would only generate an event in the error_log file if there +# are multiple lower severity rule matches or if any 1 higher severity item matches. # SecAction \ "id:'900002', \ phase:1, \ t:none, \ - setvar:tx.inbound_anomaly_score_level=5, \ + setvar:tx.anomaly_score=0, \ + setvar:tx.sql_injection_score=0, \ + setvar:tx.xss_score=0, \ + setvar:tx.inbound_anomaly_score=0, \ + setvar:tx.outbound_anomaly_score=0, \ nolog, \ pass" @@ -127,12 +132,13 @@ "id:'900003', \ phase:1, \ t:none, \ - setvar:tx.outbound_anomaly_score_level=4, \ + setvar:tx.inbound_anomaly_score_level=<%= @inbound_anomaly_threshold -%>, \ + setvar:tx.outbound_anomaly_score_level=<%= @outbound_anomaly_threshold -%>, \ nolog, \ pass" -# +# # -- [[ Collaborative Detection Blocking ]] ----------------------------------------------- # # This is a collaborative detection mode where each rule will increment an overall @@ -143,11 +149,11 @@ # # If you want to use anomaly scoring mode, then uncomment this line. # -#SecAction \ +SecAction \ "id:'900004', \ phase:1, \ t:none, \ - setvar:tx.anomaly_score_blocking=on, \ + setvar:tx.anomaly_score_blocking=<%= @anomaly_score_blocking -%>, \ nolog, \ pass" @@ -156,7 +162,7 @@ # -- [[ GeoIP Database ]] ----------------------------------------------------------------- # # There are some rulesets that need to inspect the GEO data of the REMOTE_ADDR data. -# +# # You must first download the MaxMind GeoIP Lite City DB - # # http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz @@ -193,19 +199,19 @@ # -- [[ HTTP Policy Settings ]] ---------------------------------------------------------- # # Set the following policy settings here and they will be propagated to the 23 rules -# file (modsecurity_common_23_request_limits.conf) by using macro expansion. +# file (modsecurity_common_23_request_limits.conf) by using macro expansion. # If you run into false positives, you can adjust the settings here. # # Only the max number of args is uncommented by default as there are a high rate # of false positives. Uncomment the items you wish to set. -# +# # # -- Maximum number of arguments in request limited SecAction \ "id:'900006', \ phase:1, \ t:none, \ - setvar:tx.max_num_args=255, \ + setvar:tx.max_num_args=<%= @secrequestmaxnumargs %>, \ nolog, \ pass" @@ -262,7 +268,7 @@ # # Set the following policy settings here and they will be propagated to the 30 rules -# file (modsecurity_crs_30_http_policy.conf) by using macro expansion. +# file (modsecurity_crs_30_http_policy.conf) by using macro expansion. # If you run into false positves, you can adjust the settings here. # SecAction \ @@ -284,7 +290,7 @@ # The purpose of these settings is to send CSP response headers to # Mozilla FireFox users so that you can enforce how dynamic content # is used. CSP usage helps to prevent XSS attacks against your users. -# +# # Reference Link: # # https://developer.mozilla.org/en/Security/CSP @@ -292,7 +298,7 @@ # Uncomment this SecAction line if you want use CSP enforcement. # You need to set the appropriate directives and settings for your site/domain and # and activate the CSP file in the experimental_rules directory. -# +# # Ref: http://blog.spiderlabs.com/2011/04/modsecurity-advanced-topic-of-the-week-integrating-content-security-policy-csp.html # #SecAction \ @@ -320,7 +326,7 @@ "id:'900014', \ phase:1, \ t:none, \ - setvar:'tx.brute_force_protected_urls=/login.jsp /partner_login.php', \ + setvar:'tx.brute_force_protected_urls=#/login.jsp# #/partner_login.php#', \ setvar:'tx.brute_force_burst_time_slice=60', \ setvar:'tx.brute_force_counter_threshold=10', \ setvar:'tx.brute_force_block_timeout=300', \ @@ -337,7 +343,7 @@ # - Request Threshold: request # threshold to trigger a burst # - Block Period: temporary block timeout # -#SecAction \ +SecAction \ "id:'900015', \ phase:1, \ t:none, \ @@ -424,5 +430,7 @@ t:none, \ initcol:global=global, \ initcol:ip=%{remote_addr}_%{tx.ua_hash}, \ + setvar:tx.real_ip=%{remote_addr}, \ nolog, \ pass" +
--- a/modules/apache/templates/mod/ssl.conf.erb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/templates/mod/ssl.conf.erb Sun Dec 29 11:00:05 2019 -0500 @@ -9,20 +9,30 @@ SSLPassPhraseDialog <%= @ssl_pass_phrase_dialog %> SSLSessionCache "shmcb:<%= @session_cache %>" - SSLSessionCacheTimeout 300 -<% if @ssl_compression -%> - SSLCompression On + SSLSessionCacheTimeout <%= @ssl_sessioncachetimeout %> + <%- if scope.function_versioncmp([@_apache_version, '2.4']) >= 0 -%> + Mutex <%= @_ssl_mutex %> + <%- if @ssl_compression -%> + SSLCompression <%= scope.function_bool2httpd([@ssl_compression]) %> + <%- end -%> + <%- else -%> + SSLMutex <%= @_ssl_mutex %> + <%- end -%> + SSLCryptoDevice <%= @ssl_cryptodevice %> + SSLHonorCipherOrder <%= scope.function_bool2httpd([@_ssl_honorcipherorder]) %> +<% if scope.function_versioncmp([@_apache_version, '2.4']) >= 0 -%> + SSLUseStapling <%= scope.function_bool2httpd([@ssl_stapling]) %> + <%- if not @ssl_stapling_return_errors.nil? -%> + SSLStaplingReturnResponderErrors <%= scope.function_bool2httpd([@ssl_stapling_return_errors]) %> + <%- end -%> + SSLStaplingCache "shmcb:<%= @stapling_cache %>" <% end -%> - <% if scope.function_versioncmp([@apache_version, '2.4']) >= 0 -%> - Mutex <%= @ssl_mutex %> - <% else -%> - SSLMutex <%= @ssl_mutex %> - <% end -%> - SSLCryptoDevice builtin - SSLHonorCipherOrder On SSLCipherSuite <%= @ssl_cipher %> SSLProtocol <%= @ssl_protocol.compact.join(' ') %> <% if @ssl_options -%> SSLOptions <%= @ssl_options.compact.join(' ') %> <% end -%> +<%- if @ssl_openssl_conf_cmd -%> + SSLOpenSSLConfCmd <%= @ssl_openssl_conf_cmd %> +<%- end -%> </IfModule>
--- a/modules/apache/templates/mod/status.conf.erb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/templates/mod/status.conf.erb Sun Dec 29 11:00:05 2019 -0500 @@ -1,6 +1,6 @@ <Location <%= @status_path %>> SetHandler server-status - <%- if scope.function_versioncmp([@apache_version, '2.4']) >= 0 -%> + <%- if scope.function_versioncmp([@_apache_version, '2.4']) >= 0 -%> Require ip <%= Array(@allow_from).join(" ") %> <%- else -%> Order deny,allow
--- a/modules/apache/templates/mod/userdir.conf.erb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/templates/mod/userdir.conf.erb Sun Dec 29 11:00:05 2019 -0500 @@ -2,22 +2,22 @@ <% if @disable_root -%> UserDir disabled root <% end -%> - UserDir <%= @dir %> + UserDir <%= @home %>/*/<%= @dir %> <Directory "<%= @home %>/*/<%= @dir %>"> AllowOverride FileInfo AuthConfig Limit Indexes - Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec + Options <%= @options.join(' ') %> <Limit GET POST OPTIONS> - <%- if scope.function_versioncmp([@apache_version, '2.4']) >= 0 -%> - Require all denied + <%- if scope.function_versioncmp([@_apache_version, '2.4']) >= 0 -%> + Require all granted <%- else -%> Order allow,deny Allow from all <%- end -%> </Limit> <LimitExcept GET POST OPTIONS> - <%- if scope.function_versioncmp([@apache_version, '2.4']) >= 0 -%> - Require all denied + <%- if scope.function_versioncmp([@_apache_version, '2.4']) >= 0 -%> + Require all granted <%- else -%> Order allow,deny Allow from all
--- a/modules/apache/templates/mod/worker.conf.erb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/templates/mod/worker.conf.erb Sun Dec 29 11:00:05 2019 -0500 @@ -1,10 +1,11 @@ <IfModule mpm_worker_module> ServerLimit <%= @serverlimit %> StartServers <%= @startservers %> + ThreadLimit <%= @threadlimit %> MaxClients <%= @maxclients %> MinSpareThreads <%= @minsparethreads %> MaxSpareThreads <%= @maxsparethreads %> ThreadsPerChild <%= @threadsperchild %> MaxRequestsPerChild <%= @maxrequestsperchild %> - ThreadLimit <%= @threadlimit %> + ListenBacklog <%= @listenbacklog %> </IfModule>
--- a/modules/apache/templates/vhost/_access_log.erb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/templates/vhost/_access_log.erb Sun Dec 29 11:00:05 2019 -0500 @@ -10,7 +10,7 @@ <% destination = "#{@logroot}/#{log['file']}" -%> <% end -%> <% elsif log['syslog'] -%> -<% destination = "syslog" -%> +<% destination = log['syslog'] -%> <% elsif log['pipe'] -%> <% destination = log['pipe'] -%> <% else -%>
--- a/modules/apache/templates/vhost/_additional_includes.erb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/templates/vhost/_additional_includes.erb Sun Dec 29 11:00:05 2019 -0500 @@ -2,9 +2,8 @@ ## Load additional static includes <%- if scope.function_versioncmp([@apache_version, '2.4']) >= 0 && @use_optional_includes -%> -IncludeOptional "<%= include %>" + IncludeOptional "<%= include %>" <%- else -%> -Include "<%= include %>" + Include "<%= include %>" <%- end -%> - <% end -%>
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/templates/vhost/_auth_cas.erb Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,65 @@ +<% if @cas_enabled -%> + <%- if @cas_cookie_path -%> + CASCookiePath <%= @cas_cookie_path %> + <%- end -%> + <%- if @cas_login_url -%> + CASLoginURL <%= @cas_login_url %> + <%- end -%> + <%- if @cas_validate_url -%> + CASValidateURL <%= @cas_validate_url %> + <%- end -%> + <%- if @cas_version -%> + CASVersion <%= @cas_version %> + <%- end -%> + <%- if @cas_debug -%> + CASDebug <%= @cas_debug %> + <%- end -%> + <%- if @cas_certificate_path -%> + CASCertificatePath <%= @cas_certificate_path %> + <%- end -%> + <%- if @cas_proxy_validate_url -%> + CASProxyValidateURL <%= @cas_proxy_validate_url %> + <%- end -%> + <%- if @cas_validate_depth -%> + CASValidateDepth <%= @cas_validate_depth %> + <%- end -%> + <%- if @cas_root_proxied_as -%> + CASRootProxiedAs <%= @cas_root_proxied_as %> + <%- end -%> + <%- if @cas_cookie_entropy -%> + CASCookieEntropy <%= @cas_cookie_entropy %> + <%- end -%> + <%- if @cas_timeout -%> + CASTimeout <%= @cas_timeout %> + <%- end -%> + <%- if @cas_idle_timeout -%> + CASIdleTimeout <%= @cas_idle_timeout %> + <%- end -%> + <%- if @cas_cache_clean_interval -%> + CASCacheCleanInterval <%= @cas_cache_clean_interval %> + <%- end -%> + <%- if @cas_cookie_domain -%> + CASCookieDomain <%= @cas_cookie_domain %> + <%- end -%> + <%- if @cas_cookie_http_only -%> + CASCookieHttpOnly <%= @cas_cookie_http_only %> + <%- end -%> + <%- if @cas_authoritative -%> + CASAuthoritative <%= @cas_authoritative %> + <%- end -%> + <%- if @cas_sso_enabled -%> + CASSSOEnabled On + <%- end -%> + <%- if @cas_validate_saml -%> + CASValidateSAML On + <%- end -%> + <%- if @cas_attribute_prefix -%> + CASAttributePrefix <%= @cas_attribute_prefix %> + <%- end -%> + <%- if @cas_attribute_delimiter -%> + CASAttributeDelimiter <%= @cas_attribute_delimiter %> + <%- end -%> + <%- if @cas_scrub_request_headers -%> + CASAttributeDelimiter On + <%- end -%> +<%- end -%>
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/templates/vhost/_auth_kerb.erb Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,32 @@ +<% if @auth_kerb -%> + + ## Kerberos directives + <%- if @krb_method_negotiate -%> + KrbMethodNegotiate <%= @krb_method_negotiate %> + <%- end -%> + <%- if @krb_method_k5passwd -%> + KrbMethodK5Passwd <%= @krb_method_k5passwd %> + <%- end -%> + <%- if @krb_authoritative -%> + KrbAuthoritative <%= @krb_authoritative %> + <%- end -%> + <%- if @krb_auth_realms and @krb_auth_realms.length >= 1 -%> + KrbAuthRealms <%= @krb_auth_realms.join(' ') %> + <%- end -%> + <%- if @krb_5keytab -%> + Krb5Keytab <%= @krb_5keytab %> + <%- end -%> + <%- if @krb_local_user_mapping -%> + KrbLocalUserMapping <%= @krb_local_user_mapping %> + <%- end -%> + <%- if @krb_verify_kdc -%> + KrbVerifyKDC <%= @krb_verify_kdc %> + <%- end -%> + <%- if @krb_servicename -%> + KrbServiceName <%= @krb_servicename %> + <%- end -%> + <%- if @krb_save_credentials -%> + KrbSaveCredentials <%= @krb_save_credentials -%> + <%- end -%> + +<% end -%>
--- a/modules/apache/templates/vhost/_block.erb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/templates/vhost/_block.erb Sun Dec 29 11:00:05 2019 -0500 @@ -3,7 +3,7 @@ ## Block access statements <% if @block.include? 'scm' -%> # Block access to SCM directories. - <DirectoryMatch .*\.(svn|git|bzr)/.*> + <DirectoryMatch .*\.(svn|git|bzr|hg|ht)/.*> <%- if scope.function_versioncmp([@apache_version, '2.4']) >= 0 -%> Require all denied <%- else -%>
--- a/modules/apache/templates/vhost/_custom_fragment.erb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/templates/vhost/_custom_fragment.erb Sun Dec 29 11:00:05 2019 -0500 @@ -1,5 +1,5 @@ <% if @custom_fragment -%> ## Custom fragment -<%= @custom_fragment %> + <%= @custom_fragment %> <% end -%>
--- a/modules/apache/templates/vhost/_directories.erb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/templates/vhost/_directories.erb Sun Dec 29 11:00:05 2019 -0500 @@ -1,9 +1,24 @@ <% if @_directories and ! @_directories.empty? -%> + <%- scope.setvar('_template_scope', {}) -%> ## Directories, there should at least be a declaration for <%= @docroot %> <%- [@_directories].flatten.compact.each do |directory| -%> + <%- if scope.function_versioncmp([@apache_version, '2.4']) >= 0 -%> + <%- if directory['allow'] and ! [ false, 'false', '' ].include?(directory['allow']) -%> + <%- scope.function_warning(["Apache::Vhost: Using allow is deprecated in your Apache version"]) -%> + <%- end -%> + <%- if directory['deny'] and ! [ false, 'false', '' ].include?(directory['deny']) -%> + <%- scope.function_warning(["Apache::Vhost: Using deny is deprecated in your Apache version"]) -%> + <%- end -%> + <%- if directory['order'] and ! [ false, 'false', '' ].include?(directory['order']) -%> + <%- scope.function_warning(["Apache::Vhost: Using order is deprecated in your Apache version"]) -%> + <%- end -%> + <%- if directory['satisfy'] and ! [ false, 'false', '' ].include?(directory['satisfy']) -%> + <%- scope.function_warning(["Apache::Vhost: Using satisfy is deprecated in your Apache version"]) -%> + <%- end -%> + <%- end -%> <%- if directory['path'] and directory['path'] != '' -%> - <%- if directory['provider'] and directory['provider'].match('(directory|location|files)') -%> + <%- if directory['provider'] and directory['provider'].match('(directory|location|files|proxy)') -%> <%- if /^(.*)match$/ =~ directory['provider'] -%> <%- provider = $1.capitalize + 'Match' -%> <%- else -%> @@ -20,6 +35,9 @@ Header <%= header %> <%- end -%> <%- end -%> + <%- if ! directory['geoip_enable'].nil? -%> + GeoIPEnable <%= scope.function_bool2httpd([directory['geoip_enable']]) %> + <%- end -%> <%- if directory['options'] -%> Options <%= Array(directory['options']).join(' ') %> <%- end -%> @@ -30,55 +48,30 @@ <%- if directory['index_order_default'] -%> IndexOrderDefault <%= Array(directory['index_order_default']).join(' ') %> <%- end -%> + <%- if directory['index_style_sheet'] -%> + IndexStyleSheet '<%= directory['index_style_sheet'] %>' + <%- end -%> <%- if directory['allow_override'] -%> AllowOverride <%= Array(directory['allow_override']).join(' ') %> <%- elsif provider == 'Directory' -%> AllowOverride None <%- end -%> <%- end -%> - <%- if scope.function_versioncmp([@apache_version, '2.4']) >= 0 -%> - <%- if directory['require'] and directory['require'] != '' -%> - Require <%= Array(directory['require']).join(' ') %> - <%- end -%> - <%- if directory['auth_require'] -%> - Require <%= directory['auth_require'] %> - <%- end -%> - <%- if !(directory['require'] and directory['require'] != '') && !(directory['auth_require']) -%> - Require all granted - <%- end -%> - <%- else -%> - <%- if directory['auth_require'] -%> - Require <%= directory['auth_require'] %> - <%- end -%> - <%- if directory['order'] and directory['order'] != '' -%> - Order <%= Array(directory['order']).join(',') %> - <%- else -%> - Order allow,deny - <%- end -%> - <%- if directory['deny'] and directory['deny'] != '' -%> - Deny <%= directory['deny'] %> - <%- end -%> - <%- if directory['allow'] and ! [ false, 'false', '' ].include?(directory['allow']) -%> - <%- if directory['allow'].kind_of?(Array) -%> - <%- Array(directory['allow']).each do |access| -%> - Allow <%= access %> - <%- end -%> - <%- else -%> - Allow <%= directory['allow'] %> - <%- end -%> - <%- elsif [ 'from all', 'from All' ].include?(directory['deny']) -%> - <%- elsif ! directory['deny'] and [ false, 'false', '' ].include?(directory['allow']) -%> - Deny from all - <%- else -%> - Allow from all - <%- end -%> - <%- if directory['satisfy'] and directory['satisfy'] != '' -%> - Satisfy <%= directory['satisfy'] %> + <%- scope.lookupvar('_template_scope')[:item] = directory -%> +<%= scope.function_template(["apache/vhost/_require.erb"]) -%> + <%- if directory['limit'] && directory['limit'] != '' -%> + <%- Array(directory['limit']).each do |lim| -%> + <Limit <%= lim['methods'] %>> + <%- scope.lookupvar('_template_scope')[:item] = lim -%> + <%= scope.function_template(["apache/vhost/_require.erb"]) -%> + </Limit> <%- end -%> <%- end -%> <%- if directory['addhandlers'] and ! directory['addhandlers'].empty? -%> <%- [directory['addhandlers']].flatten.compact.each do |addhandler| -%> - AddHandler <%= addhandler['handler'] %> <%= Array(addhandler['extensions']).join(' ') %> + <FilesMatch ".+(<%= Array(addhandler['extensions']).collect { |s| Regexp.escape(s) }.join('|') %>)$"> + SetHandler <%= addhandler['handler'] %> + </FilesMatch> <%- end -%> <%- end -%> <%- if directory['sethandler'] and directory['sethandler'] != '' -%> @@ -112,11 +105,25 @@ <%- if directory['directoryindex'] and directory['directoryindex'] != '' -%> DirectoryIndex <%= directory['directoryindex'] %> <%- end -%> + <%- if directory['additional_includes'] and ! directory['additional_includes'].empty? -%> + <%- directory['additional_includes'].each do |include| -%> + Include '<%= "#{include}" %>' + <%- end -%> + <%- end -%> <%- if directory['error_documents'] and ! directory['error_documents'].empty? -%> <%- [directory['error_documents']].flatten.compact.each do |error_document| -%> ErrorDocument <%= error_document['error_code'] %> <%= error_document['document'] %> <%- end -%> <%- end -%> + <%- if directory['dav'] -%> + Dav <%= directory['dav'] %> + <%- if directory['dav_depth_infinity'] -%> + DavDepthInfinity <%= scope.function_bool2httpd([directory['dav_depth_infinity']]) %> + <%- end -%> + <%- if directory['dav_min_timeout'] -%> + DavMinTimeout <%= directory['dav_min_timeout'] %> + <%- end -%> + <%- end -%> <%- if directory['auth_type'] -%> AuthType <%= directory['auth_type'] %> <%- end -%> @@ -156,6 +163,29 @@ <%- if directory['auth_group_file'] -%> AuthGroupFile <%= directory['auth_group_file'] %> <%- end -%> + <%- if directory['auth_merging'] -%> + AuthMerging <%= directory['auth_merging'] %> + <%- end -%> + <%- if directory['auth_ldap_url'] -%> + AuthLDAPURL <%= directory['auth_ldap_url'] %> + <%- end -%> + <%- if directory['auth_ldap_bind_dn'] -%> + AuthLDAPBindDN <%= directory['auth_ldap_bind_dn'] %> + <%- end -%> + <%- if directory['auth_ldap_bind_password'] -%> + AuthLDAPBindPassword <%= directory['auth_ldap_bind_password'] %> + <%- end -%> + <%- if directory['auth_ldap_group_attribute'] -%> + <%- Array(directory['auth_ldap_group_attribute']).each do |groupattr| -%> + AuthLDAPGroupAttribute <%= groupattr %> + <%- end -%> + <%- end -%> + <%- if directory['auth_ldap_group_attribute_is_dn'] == 'off' -%> + AuthLDAPGroupAttributeIsDN Off + <%- end -%> + <%- if directory['auth_ldap_group_attribute_is_dn'] == 'on' -%> + AuthLDAPGroupAttributeIsDN On + <%- end -%> <%- if directory['fallbackresource'] -%> FallbackResource <%= directory['fallbackresource'] %> <%- end -%> @@ -170,6 +200,9 @@ ExpiresByType <%= rule %> <%- end -%> <%- end -%> + <%- if directory['ext_filter_options'] -%> + ExtFilterOptions <%= directory['ext_filter_options'] %> + <%- end -%> <%- if directory['force_type'] -%> ForceType <%= directory['force_type'] %> <%- end -%> @@ -211,6 +244,9 @@ SetEnv <%= setenv %> <%- end -%> <%- end -%> + <%- if directory['set_output_filter'] -%> + SetOutputFilter <%= directory['set_output_filter'] %> + <%- end -%> <%- if @shibboleth_enabled -%> <%- if directory['shib_require_session'] and ! directory['shib_require_session'].empty? -%> ShibRequireSession <%= directory['shib_require_session'] %> @@ -224,6 +260,63 @@ ShibUseHeaders <%= directory['shib_use_headers'] %> <%- end -%> <%- end -%> + <%- if @cas_enabled -%> + <%- if directory['cas_scope'] -%> + CASScope <%= directory['cas_scope'] %> + <%- end -%> + <%- if directory['cas_renew'] -%> + CASRenew <%= directory['cas_renew'] %> + <%- end -%> + <%- if directory['cas_gateway'] -%> + CASGateway <%= directory['cas_gateway'] %> + <%- end -%> + <%- if directory['cas_cookie'] -%> + CASCookie <%= directory['cas_cookie'] %> + <%- end -%> + <%- if directory['cas_secure_cookie'] -%> + CASSecureCookie <%= directory['cas_secure_cookie'] %> + <%- end -%> + <%- if directory['cas_gateway_cookie'] -%> + CASGatewayCookie <%= directory['cas_gateway_cookie'] %> + <%- end -%> + <%- if directory['cas_authn_header'] -%> + CASAuthNHeader <%= directory['cas_authn_header'] %> + <%- end -%> + <%- end -%> + <%- if directory['mellon_enable'] -%> + MellonEnable "<%= directory['mellon_enable'] %>" + <%- if directory['mellon_endpoint_path'] -%> + MellonEndpointPath "<%= directory['mellon_endpoint_path'] %>" + <%- end -%> + <%- if directory['mellon_sp_private_key_file'] -%> + MellonSPPrivateKeyFile "<%= directory['mellon_sp_private_key_file'] %>" + <%- end -%> + <%- if directory['mellon_sp_cert_file'] -%> + MellonSPCertFile "<%= directory['mellon_sp_cert_file'] %>" + <%- end -%> + <%- if directory['mellon_sp_metadata_file'] -%> + MellonSPMetadataFile "<%= directory['mellon_sp_metadata_file'] %>" + <%- end -%> + <%- if directory['mellon_idp_metadata_file'] -%> + MellonIDPMetadataFile "<%= directory['mellon_idp_metadata_file'] %>" + <%- end -%> + <%- if directory['mellon_set_env_no_prefix'] -%> + <%- directory['mellon_set_env_no_prefix'].each do |key, value| -%> + MellonSetEnvNoPrefix "<%= key %>" "<%= value %>" + <%- end -%> + <%- end -%> + <%- if directory['mellon_user'] -%> + MellonUser "<%= directory['mellon_user'] %>" + <%- end -%> + <%- if directory['mellon_saml_response_dump'] -%> + MellonSamlResponseDump "<%= directory['mellon_saml_response_dump'] %>" + <%- end -%> + <%- if directory['mellon_cond'] -%> + <%- Array(directory['mellon_cond']).each do |cond| -%> + MellonCond <%= cond %> + <%- end -%> + <%- end -%> + <%- end -%> <%- if directory['custom_fragment'] -%> <%= directory['custom_fragment'] %> <%- end -%>
--- a/modules/apache/templates/vhost/_docroot.erb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/templates/vhost/_docroot.erb Sun Dec 29 11:00:05 2019 -0500 @@ -2,6 +2,6 @@ ## Vhost docroot <% if @virtual_docroot -%> VirtualDocumentRoot "<%= @virtual_docroot %>" -<% else -%> +<% elsif @docroot -%> DocumentRoot "<%= @docroot %>" <% end -%>
--- a/modules/apache/templates/vhost/_fastcgi.erb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/templates/vhost/_fastcgi.erb Sun Dec 29 11:00:05 2019 -0500 @@ -1,6 +1,7 @@ <% if @fastcgi_server -%> - FastCgiExternalServer <%= @fastcgi_server %> -socket <%= @fastcgi_socket %> + FastCgiExternalServer <%= @fastcgi_server %> -socket <%= @fastcgi_socket -%> +<% unless @fastcgi_idle_timeout.nil? %> -idle-timeout <%= @fastcgi_idle_timeout %><% end %> <% end -%> <% if @fastcgi_dir -%>
--- a/modules/apache/templates/vhost/_file_header.erb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/templates/vhost/_file_header.erb Sun Dec 29 11:00:05 2019 -0500 @@ -3,8 +3,10 @@ # Managed by Puppet # ************************************ -<VirtualHost <%= @nvh_addr_port %>> +<VirtualHost <%= [@nvh_addr_port].flatten.compact.join(' ') %>> +<% if @servername and not @servername.empty? -%> ServerName <%= @servername %> +<% end -%> <% if @serveradmin -%> ServerAdmin <%= @serveradmin %> <% end -%>
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/templates/vhost/_filters.erb Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,10 @@ +<% if @filters and ! @filters.empty? -%> + + ## Filter module rules + ## as per http://httpd.apache.org/docs/2.2/mod/mod_filter.html + <%- Array(@filters).each do |filter| -%> + <%- if filter != '' -%> + <%= filter %> + <%- end -%> + <%- end -%> +<% end -%>
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/templates/vhost/_jk_mounts.erb Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,12 @@ +<% if @jk_mounts and not @jk_mounts.empty? -%> + + <%- @jk_mounts.each do |jk| -%> + <%- if jk.is_a?(Hash) -%> + <%- if jk.has_key?('mount') and jk.has_key?('worker') -%> + JkMount <%= jk['mount'] %> <%= jk['worker'] %> + <%- elsif jk.has_key?('unmount') and jk.has_key?('worker') -%> + JkUnMount <%= jk['unmount'] %> <%= jk['worker'] %> + <%- end -%> + <%- end -%> + <%- end -%> +<% end -%>
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/templates/vhost/_keepalive_options.erb Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,9 @@ +<%- if @keepalive -%> + KeepAlive <%= @keepalive %> +<%- end -%> +<%- if @keepalive_timeout -%> + KeepAliveTimeout <%= @keepalive_timeout %> +<%- end -%> +<%- if @max_keepalive_requests -%> + MaxKeepAliveRequests <%= @max_keepalive_requests %> +<%- end -%>
--- a/modules/apache/templates/vhost/_passenger.erb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/templates/vhost/_passenger.erb Sun Dec 29 11:00:05 2019 -0500 @@ -1,6 +1,9 @@ <% if @passenger_app_root -%> PassengerAppRoot <%= @passenger_app_root %> <% end -%> +<% if @passenger_app_env -%> + PassengerAppEnv <%= @passenger_app_env %> +<% end -%> <% if @passenger_ruby -%> PassengerRuby <%= @passenger_ruby %> <% end -%> @@ -13,3 +16,18 @@ <% if @passenger_pre_start -%> PassengerPreStart <%= @passenger_pre_start %> <% end -%> +<% if @passenger_user -%> + PassengerUser <%= @passenger_user %> +<% end -%> +<% if @passenger_high_performance -%> + PassengerHighPerformance <%= scope.function_bool2httpd([@passenger_high_performance]) %> +<% end -%> +<% if @passenger_nodejs -%> + PassengerNodejs <%= @passenger_nodejs -%> +<% end -%> +<% if @passenger_sticky_sessions -%> + PassengerStickySessions <%= scope.function_bool2httpd([@passenger_sticky_sessions]) %> +<% end -%> +<% if @passenger_startup_file -%> + PassengerStartupFile <%= @passenger_startup_file -%> +<% end -%>
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/templates/vhost/_passenger_base_uris.erb Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,7 @@ +<% if @passenger_base_uris -%> + + ## Enable passenger base uris +<% Array(@passenger_base_uris).each do |uri| -%> + PassengerBaseURI <%= uri %> +<% end -%> +<% end -%>
--- a/modules/apache/templates/vhost/_php.erb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/templates/vhost/_php.erb Sun Dec 29 11:00:05 2019 -0500 @@ -1,6 +1,10 @@ <% if @php_values and not @php_values.empty? -%> <%- @php_values.sort.each do |key,value| -%> + <%- if value.is_a? String -%> + php_value <%= key %> "<%= value %>" + <%- else -%> php_value <%= key %> <%= value %> + <%- end -%> <%- end -%> <% end -%> <% if @php_flags and not @php_flags.empty? -%> @@ -9,4 +13,4 @@ <%- if flag =~ /true|yes|on|1/i then flag = 'on' else flag = 'off' end -%> php_flag <%= key %> <%= flag %> <%- end -%> -<% end -%> \ No newline at end of file +<% end -%>
--- a/modules/apache/templates/vhost/_proxy.erb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/templates/vhost/_proxy.erb Sun Dec 29 11:00:05 2019 -0500 @@ -1,35 +1,98 @@ -<% if @proxy_dest or @proxy_pass -%> +<% if @proxy_dest or @proxy_pass or @proxy_pass_match or @proxy_dest_match -%> ## Proxy rules ProxyRequests Off <%- end -%> <% if @proxy_preserve_host -%> ProxyPreserveHost On +<% else -%> + ProxyPreserveHost Off +<%- end -%> +<%- if defined?(@proxy_add_headers) -%> + <%- if @proxy_add_headers -%> + ProxyAddHeaders On + <%- else -%> + ProxyAddHeaders Off + <%- end -%> +<%- end -%> +<% if @proxy_error_override -%> + ProxyErrorOverride On <%- end -%> <%- [@proxy_pass].flatten.compact.each do |proxy| -%> + <%- Array(proxy['no_proxy_uris']).each do |uri| -%> + ProxyPass <%= uri %> ! + <%- end -%> + <%- Array(proxy['no_proxy_uris_match']).each do |uri| -%> + ProxyPassMatch <%= uri %> ! + <%- end -%> ProxyPass <%= proxy['path'] %> <%= proxy['url'] -%> <%- if proxy['params'] -%> - <%- proxy['params'].each_pair do |key, value| -%> <%= key %>=<%= value -%> + <%- proxy['params'].keys.sort.each do |key| -%> <%= key %>=<%= proxy['params'][key] -%> <%- end -%> <%- end -%> <%- if proxy['keywords'] %> <%= proxy['keywords'].join(' ') -%> <%- end %> - <Location <%= proxy['path']%>> + <%- if not proxy['reverse_cookies'].nil? -%> + <%- Array(proxy['reverse_cookies']).each do |reverse_cookies| -%> + <%- if reverse_cookies['path'] -%> + ProxyPassReverseCookiePath <%= reverse_cookies['path'] %> <%= reverse_cookies['url'] %> + <%- end -%> + <%- if reverse_cookies['domain'] -%> + ProxyPassReverseCookieDomain <%= reverse_cookies['domain'] %> <%= reverse_cookies['url'] %> + <%- end -%> + <%- end -%> + <%- end -%> <%- if proxy['reverse_urls'].nil? -%> - ProxyPassReverse <%= proxy['url'] %> + ProxyPassReverse <%= proxy['path'] %> <%= proxy['url'] %> <%- else -%> <%- Array(proxy['reverse_urls']).each do |reverse_url| -%> - ProxyPassReverse <%= reverse_url %> + ProxyPassReverse <%= proxy['path'] %> <%= reverse_url %> + <%- end -%> + <%- end -%> + <%- if proxy['setenv'] -%> + <%- Array(proxy['setenv']).each do |setenv_var| -%> + SetEnv <%= setenv_var %> <%- end -%> <%- end -%> - </Location> +<% end -%> +<% [@proxy_pass_match].flatten.compact.each do |proxy| %> + <%- Array(proxy['no_proxy_uris']).each do |uri| -%> + ProxyPass <%= uri %> ! + <%- end -%> + <%- Array(proxy['no_proxy_uris_match']).each do |uri| -%> + ProxyPassMatch <%= uri %> ! + <%- end -%> + ProxyPassMatch <%= proxy['path'] %> <%= proxy['url'] -%> + <%- if proxy['params'] -%> + <%- proxy['params'].keys.sort.each do |key| -%> <%= key %>=<%= proxy['params'][key] -%> + <%- end -%> + <%- end -%> + <%- if proxy['keywords'] %> <%= proxy['keywords'].join(' ') -%> + <%- end %> + <%- if proxy['reverse_urls'].nil? -%> + ProxyPassReverse <%= proxy['path'] %> <%= proxy['url'] %> + <%- else -%> + <%- Array(proxy['reverse_urls']).each do |reverse_url| -%> + ProxyPassReverse <%= proxy['path'] %> <%= reverse_url %> + <%- end -%> + <%- end -%> + <%- if proxy['setenv'] -%> + <%- Array(proxy['setenv']).each do |setenv_var| -%> + SetEnv <%= setenv_var %> + <%- end -%> + <%- end -%> <% end -%> <% if @proxy_dest -%> <%- Array(@no_proxy_uris).each do |uri| -%> ProxyPass <%= uri %> ! <% end -%> - ProxyPass / <%= @proxy_dest %>/ - <Location /> - ProxyPassReverse <%= @proxy_dest %>/ - </Location> + ProxyPass / <%= @proxy_dest %>/ + ProxyPassReverse / <%= @proxy_dest %>/ <% end -%> +<% if @proxy_dest_match -%> +<%- Array(@no_proxy_uris_match).each do |uri| -%> + ProxyPassMatch <%= uri %> ! +<% end -%> + ProxyPassMatch / <%= @proxy_dest_match %>/ + ProxyPassReverse / <%= @proxy_dest_reverse_match %>/ +<% end -%>
--- a/modules/apache/templates/vhost/_redirect.erb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/templates/vhost/_redirect.erb Sun Dec 29 11:00:05 2019 -0500 @@ -22,4 +22,14 @@ <% @redirectmatch_dest_a[i] ||= @redirectmatch_dest_a[0] -%> RedirectMatch <%= "#{@redirectmatch_status_a[i]} " %> <%= @redirectmatch_regexp_a[i] %> <%= @redirectmatch_dest_a[i] %> <%- end -%> +<%- elsif @redirectmatch_regexp and @redirectmatch_dest -%> +<% @redirectmatch_regexp_a = Array(@redirectmatch_regexp) -%> +<% @redirectmatch_dest_a = Array(@redirectmatch_dest) -%> + + ## RedirectMatch rules + <%- @redirectmatch_regexp_a.each_with_index do |status, i| -%> +<% @redirectmatch_regexp_a[i] ||= @redirectmatch_regexp_a[0] -%> +<% @redirectmatch_dest_a[i] ||= @redirectmatch_dest_a[0] -%> + RedirectMatch <%= @redirectmatch_regexp_a[i] %> <%= @redirectmatch_dest_a[i] %> + <%- end -%> <% end -%>
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/templates/vhost/_require.erb Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,62 @@ +<%- _item = scope.lookupvar('_template_scope')[:item] -%> +<%- if scope.function_versioncmp([@apache_version, '2.4']) >= 0 -%> + <%- if _item['require'] && _item['require'] != '' && _item['require'] !~ /unmanaged/i -%> + <%- if _item['require'].is_a?(Hash) -%> + <%- case _item['require']['enforce'].downcase -%> + <%- when 'all','none','any' then -%> + <Require<%= _item['require']['enforce'].capitalize %>> + <%- Array(_item['require']['requires']).each do |req| -%> + Require <%= req.strip %> + <%- end -%> + </Require<%= _item['require']['enforce'].capitalize %>> + <%- else -%> + <%- scope.function_warning(["Apache::Vhost: Require can only overwritten with all, none or any."]) -%> + <%- end -%> + <%- else -%> + <%- Array(_item['require']).each do |req| -%> + Require <%= req %> + <%- end -%> + <%- end -%> + <%- end -%> + <%- if _item['auth_require'] -%> + Require <%= _item['auth_require'] %> + <%- end -%> + <%- if !(_item['require'] && _item['require'] != '') && _item['require'] !~ /unmanaged/i && !(_item['auth_require']) -%> + Require all granted + <%- end -%> +<%- else -%> + <%- if _item['auth_require'] -%> + Require <%= _item['auth_require'] %> + <%- end -%> + <%- if _item['order'] and _item['order'] != '' -%> + Order <%= Array(_item['order']).join(',') %> + <%- else -%> + Order allow,deny + <%- end -%> + <%- if _item['deny'] and ! [ false, 'false', '' ].include?(_item['deny']) -%> + <%- if _item['deny'].kind_of?(Array) -%> + <%- Array(_item['deny']).each do |restrict| -%> + Deny <%= restrict %> + <%- end -%> + <%- else -%> + Deny <%= _item['deny'] %> + <%- end -%> + <%- end -%> + <%- if _item['allow'] and ! [ false, 'false', '' ].include?(_item['allow']) -%> + <%- if _item['allow'].kind_of?(Array) -%> + <%- Array(_item['allow']).each do |access| -%> + Allow <%= access %> + <%- end -%> + <%- else -%> + Allow <%= _item['allow'] %> + <%- end -%> + <%- elsif [ 'from all', 'from All' ].include?(_item['deny']) -%> + <%- elsif ! _item['deny'] and [ false, 'false', '' ].include?(_item['allow']) -%> + Deny from all + <%- else -%> + Allow from all + <%- end -%> + <%- if _item['satisfy'] and _item['satisfy'] != '' -%> + Satisfy <%= _item['satisfy'] %> + <%- end -%> +<%- end -%>
--- a/modules/apache/templates/vhost/_rewrite.erb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/templates/vhost/_rewrite.erb Sun Dec 29 11:00:05 2019 -0500 @@ -1,6 +1,9 @@ <%- if @rewrites -%> ## Rewrite rules RewriteEngine On + <%- if @rewrite_inherit -%> + RewriteOptions Inherit + <%- end -%> <%- if @rewrite_base -%> RewriteBase <%= @rewrite_base %> <%- end -%> @@ -19,6 +22,13 @@ <%- end -%> <%- end -%> <%- end -%> + <%- if rewrite_details['rewrite_map'] -%> + <%- Array(rewrite_details['rewrite_map']).each do |commands| -%> + <%- Array(commands).each do |command| -%> + RewriteMap <%= command %> + <%- end -%> + <%- end -%> + <%- end -%> <%- Array(rewrite_details['rewrite_rule']).each do |commands| -%> <%- Array(commands).each do |command| -%> RewriteRule <%= command %>
--- a/modules/apache/templates/vhost/_security.erb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/templates/vhost/_security.erb Sun Dec 29 11:00:05 2019 -0500 @@ -1,6 +1,10 @@ +<IfModule mod_security2.c> <% if @modsec_disable_vhost -%> SecRuleEngine Off <% end -%> +<% if @modsec_audit_log_destination -%> + SecAuditLog "<%= @modsec_audit_log_destination %>" +<% end -%> <% if @_modsec_disable_ids.is_a?(Hash) -%> <% @_modsec_disable_ids.each do |location,rules| -%> <LocationMatch <%= location %>> @@ -15,6 +19,25 @@ SecRule REMOTE_ADDR "<%= ips %>" "nolog,allow,id:1234123455" SecAction "phase:2,pass,nolog,id:1234123456" <% end -%> +<% if @_modsec_disable_msgs.is_a?(Hash) -%> +<% @_modsec_disable_msgs.each do |location,rules| -%> + <LocationMatch <%= location %>> +<% Array(rules).each do |rule| -%> + SecRuleRemoveByMsg "<%= rule %>" +<% end -%> + </LocationMatch> +<% end -%> +<% end -%> +<% if @_modsec_disable_tags.is_a?(Hash) -%> +<% @_modsec_disable_tags.each do |location,rules| -%> + <LocationMatch <%= location %>> +<% Array(rules).each do |rule| -%> + SecRuleRemoveByTag "<%= rule %>" +<% end -%> + </LocationMatch> +<% end -%> +<% end -%> <% if @modsec_body_limit -%> SecRequestBodyLimit <%= @modsec_body_limit %> <% end -%> +</IfModule>
--- a/modules/apache/templates/vhost/_setenv.erb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/templates/vhost/_setenv.erb Sun Dec 29 11:00:05 2019 -0500 @@ -10,3 +10,8 @@ SetEnvIf <%= envifvar %> <%- end -%> <% end -%> +<% if @setenvifnocase and ! @setenvifnocase.empty? -%> + <%- Array(@setenvifnocase).each do |envifncvar| -%> + SetEnvIfNoCase <%= envifncvar %> + <%- end -%> +<% end -%>
--- a/modules/apache/templates/vhost/_ssl.erb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/templates/vhost/_ssl.erb Sun Dec 29 11:00:05 2019 -0500 @@ -7,6 +7,17 @@ <%- if @ssl_chain -%> SSLCertificateChainFile "<%= @ssl_chain %>" <%- end -%> + <%- if @ssl_protocol -%> + SSLProtocol <%= [@ssl_protocol].flatten.compact.join(' ') %> + <%- end -%> + <%- if @ssl_cipher -%> + SSLCipherSuite <%= @ssl_cipher %> + <%- end -%> + <%- if @ssl_honorcipherorder -%> + SSLHonorCipherOrder <%= @ssl_honorcipherorder %> + <%- end -%> + <%- if @ssl_verify_client -%> + SSLVerifyClient <%= @ssl_verify_client %> <%- if @ssl_certs_dir && @ssl_certs_dir != '' -%> SSLCACertificatePath "<%= @ssl_certs_dir %>" <%- end -%> @@ -19,28 +30,26 @@ <%- if @ssl_crl -%> SSLCARevocationFile "<%= @ssl_crl %>" <%- end -%> + <%- if @ssl_verify_depth -%> + SSLVerifyDepth <%= @ssl_verify_depth %> + <%- end -%> <%- if @ssl_crl_check && scope.function_versioncmp([@apache_version, '2.4']) >= 0 -%> SSLCARevocationCheck "<%= @ssl_crl_check %>" <%- end -%> - <%- if @ssl_proxyengine -%> - SSLProxyEngine On - <%- end -%> - <%- if @ssl_protocol -%> - SSLProtocol <%= @ssl_protocol %> - <%- end -%> - <%- if @ssl_cipher -%> - SSLCipherSuite <%= @ssl_cipher %> - <%- end -%> - <%- if @ssl_honorcipherorder -%> - SSLHonorCipherOrder <%= @ssl_honorcipherorder %> - <%- end -%> - <%- if @ssl_verify_client -%> - SSLVerifyClient <%= @ssl_verify_client %> - <%- end -%> - <%- if @ssl_verify_depth -%> - SSLVerifyDepth <%= @ssl_verify_depth %> <%- end -%> <%- if @ssl_options -%> SSLOptions <%= Array(@ssl_options).join(' ') %> <%- end -%> + <%- if @ssl_openssl_conf_cmd -%> + SSLOpenSSLConfCmd <%= @ssl_openssl_conf_cmd %> + <%- end -%> + <%- if (not @ssl_stapling.nil?) && (scope.function_versioncmp([@apache_version, '2.4']) >= 0) -%> + SSLUseStapling <%= scope.function_bool2httpd([@ssl_stapling]) %> + <%- end -%> + <%- if @ssl_stapling_timeout && scope.function_versioncmp([@apache_version, '2.4']) >= 0 -%> + SSLStaplingResponderTimeout <%= @ssl_stapling_timeout %> + <%- end -%> + <%- if (not @ssl_stapling_return_errors.nil?) && (scope.function_versioncmp([@apache_version, '2.4']) >= 0) -%> + SSLStaplingReturnResponderErrors <%= scope.function_bool2httpd([@ssl_stapling_return_errors]) %> + <%- end -%> <% end -%>
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/apache/templates/vhost/_sslproxy.erb Sun Dec 29 11:00:05 2019 -0500 @@ -0,0 +1,23 @@ +<% if @ssl_proxyengine -%> + + # SSL Proxy directives + SSLProxyEngine On + <%- if @ssl_proxy_verify -%> + SSLProxyVerify <%= @ssl_proxy_verify %> + <%- end -%> + <%- if @ssl_proxy_check_peer_cn -%> + SSLProxyCheckPeerCN <%= @ssl_proxy_check_peer_cn %> + <%- end -%> + <%- if @ssl_proxy_check_peer_name -%> + SSLProxyCheckPeerName <%= @ssl_proxy_check_peer_name %> + <%- end -%> + <%- if @ssl_proxy_check_peer_expire -%> + SSLProxyCheckPeerExpire <%= @ssl_proxy_check_peer_expire %> + <%- end -%> + <%- if @ssl_proxy_machine_cert -%> + SSLProxyMachineCertificateFile "<%= @ssl_proxy_machine_cert %>" + <%- end -%> + <%- if @ssl_proxy_protocol -%> + SSLProxyProtocol <%= [@ssl_proxy_protocol].flatten.compact.join(' ') %> + <%- end -%> +<% end -%>
--- a/modules/apache/templates/vhost/_wsgi.erb Sun Dec 29 15:31:28 2019 +0000 +++ b/modules/apache/templates/vhost/_wsgi.erb Sun Dec 29 11:00:05 2019 -0500 @@ -12,6 +12,13 @@ <% if @wsgi_process_group -%> WSGIProcessGroup <%= @wsgi_process_group %> <% end -%> +<% if @wsgi_script_aliases_match and ! @wsgi_script_aliases_match.empty? -%> + <%- @wsgi_script_aliases_match.keys.sort.each do |key| -%> + <%- if key != '' and @wsgi_script_aliases_match[key] != ''-%> + WSGIScriptAliasMatch <%= key %> "<%= @wsgi_script_aliases_match[key] %>" + <%- end -%> + <%- end -%> +<% end -%> <% if @wsgi_script_aliases and ! @wsgi_script_aliases.empty? -%> <%- @wsgi_script_aliases.keys.sort.each do |key| -%> <%- if key != '' and @wsgi_script_aliases[key] != ''-%>
--- a/modules/apache/tests/apache.pp Sun Dec 29 15:31:28 2019 +0000 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,6 +0,0 @@ -include apache -include apache::mod::php -include apache::mod::cgi -include apache::mod::userdir -include apache::mod::disk_cache -include apache::mod::proxy_http
--- a/modules/apache/tests/dev.pp Sun Dec 29 15:31:28 2019 +0000 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,1 +0,0 @@ -include apache::mod::dev
--- a/modules/apache/tests/init.pp Sun Dec 29 15:31:28 2019 +0000 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,1 +0,0 @@ -include apache
--- a/modules/apache/tests/mod_load_params.pp Sun Dec 29 15:31:28 2019 +0000 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,11 +0,0 @@ -# Tests the path and identifier parameters for the apache::mod class - -# Base class for clarity: -class { 'apache': } - - -# Exaple parameter usage: -apache::mod { 'testmod': - path => '/usr/some/path/mod_testmod.so', - id => 'testmod_custom_name', -}
--- a/modules/apache/tests/mods.pp Sun Dec 29 15:31:28 2019 +0000 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,9 +0,0 @@ -## Default mods - -# Base class. Declares default vhost on port 80 and default ssl -# vhost on port 443 listening on all interfaces and serving -# $apache::docroot, and declaring our default set of modules. -class { 'apache': - default_mods => true, -} -
--- a/modules/apache/tests/mods_custom.pp Sun Dec 29 15:31:28 2019 +0000 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,16 +0,0 @@ -## custom mods - -# Base class. Declares default vhost on port 80 and default ssl -# vhost on port 443 listening on all interfaces and serving -# $apache::docroot, and declaring a custom set of modules. -class { 'apache': - default_mods => [ - 'info', - 'alias', - 'mime', - 'env', - 'setenv', - 'expires', - ], -} -
--- a/modules/apache/tests/php.pp Sun Dec 29 15:31:28 2019 +0000 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,4 +0,0 @@ -class { 'apache': - mpm_module => 'prefork', -} -include apache::mod::php
--- a/modules/apache/tests/vhost.pp Sun Dec 29 15:31:28 2019 +0000 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,238 +0,0 @@ -## Default vhosts, and custom vhosts -# NB: Please see the other vhost_*.pp example files for further -# examples. - -# Base class. Declares default vhost on port 80 and default ssl -# vhost on port 443 listening on all interfaces and serving -# $apache::docroot -class { 'apache': } - -# Most basic vhost -apache::vhost { 'first.example.com': - port => '80', - docroot => '/var/www/first', -} - -# Vhost with different docroot owner/group/mode -apache::vhost { 'second.example.com': - port => '80', - docroot => '/var/www/second', - docroot_owner => 'third', - docroot_group => 'third', - docroot_mode => '0770', -} - -# Vhost with serveradmin -apache::vhost { 'third.example.com': - port => '80', - docroot => '/var/www/third', - serveradmin => 'admin@example.com', -} - -# Vhost with ssl (uses default ssl certs) -apache::vhost { 'ssl.example.com': - port => '443', - docroot => '/var/www/ssl', - ssl => true, -} - -# Vhost with ssl and specific ssl certs -apache::vhost { 'fourth.example.com': - port => '443', - docroot => '/var/www/fourth', - ssl => true, - ssl_cert => '/etc/ssl/fourth.example.com.cert', - ssl_key => '/etc/ssl/fourth.example.com.key', -} - -# Vhost with english title and servername parameter -apache::vhost { 'The fifth vhost': - servername => 'fifth.example.com', - port => '80', - docroot => '/var/www/fifth', -} - -# Vhost with server aliases -apache::vhost { 'sixth.example.com': - serveraliases => [ - 'sixth.example.org', - 'sixth.example.net', - ], - port => '80', - docroot => '/var/www/fifth', -} - -# Vhost with alternate options -apache::vhost { 'seventh.example.com': - port => '80', - docroot => '/var/www/seventh', - options => [ - 'Indexes', - 'MultiViews', - ], -} - -# Vhost with AllowOverride for .htaccess -apache::vhost { 'eighth.example.com': - port => '80', - docroot => '/var/www/eighth', - override => 'All', -} - -# Vhost with access and error logs disabled -apache::vhost { 'ninth.example.com': - port => '80', - docroot => '/var/www/ninth', - access_log => false, - error_log => false, -} - -# Vhost with custom access and error logs and logroot -apache::vhost { 'tenth.example.com': - port => '80', - docroot => '/var/www/tenth', - access_log_file => 'tenth_vhost.log', - error_log_file => 'tenth_vhost_error.log', - logroot => '/var/log', -} - -# Vhost with a cgi-bin -apache::vhost { 'eleventh.example.com': - port => '80', - docroot => '/var/www/eleventh', - scriptalias => '/usr/lib/cgi-bin', -} - -# Vhost with a proxypass configuration -apache::vhost { 'twelfth.example.com': - port => '80', - docroot => '/var/www/twelfth', - proxy_dest => 'http://internal.example.com:8080/twelfth', - no_proxy_uris => ['/login','/logout'], -} - -# Vhost to redirect /login and /logout -apache::vhost { 'thirteenth.example.com': - port => '80', - docroot => '/var/www/thirteenth', - redirect_source => [ - '/login', - '/logout', - ], - redirect_dest => [ - 'http://10.0.0.10/login', - 'http://10.0.0.10/logout', - ], -} - -# Vhost to permamently redirect -apache::vhost { 'fourteenth.example.com': - port => '80', - docroot => '/var/www/fourteenth', - redirect_source => '/blog', - redirect_dest => 'http://blog.example.com', - redirect_status => 'permanent', -} - -# Vhost with a rack configuration -apache::vhost { 'fifteenth.example.com': - port => '80', - docroot => '/var/www/fifteenth', - rack_base_uris => ['/rackapp1', '/rackapp2'], -} - -# Vhost to redirect non-ssl to ssl -apache::vhost { 'sixteenth.example.com non-ssl': - servername => 'sixteenth.example.com', - port => '80', - docroot => '/var/www/sixteenth', - rewrites => [ - { - comment => 'redirect non-SSL traffic to SSL site', - rewrite_cond => ['%{HTTPS} off'], - rewrite_rule => ['(.*) https://%{HTTPS_HOST}%{REQUEST_URI}'], - } - ] -} -apache::vhost { 'sixteenth.example.com ssl': - servername => 'sixteenth.example.com', - port => '443', - docroot => '/var/www/sixteenth', - ssl => true, -} - -# Vhost to redirect non-ssl to ssl using old rewrite method -apache::vhost { 'sixteenth.example.com non-ssl old rewrite': - servername => 'sixteenth.example.com', - port => '80', - docroot => '/var/www/sixteenth', - rewrite_cond => '%{HTTPS} off', - rewrite_rule => '(.*) https://%{HTTPS_HOST}%{REQUEST_URI}', -} -apache::vhost { 'sixteenth.example.com ssl old rewrite': - servername => 'sixteenth.example.com', - port => '443', - docroot => '/var/www/sixteenth', - ssl => true, -} - -# Vhost to block repository files -apache::vhost { 'seventeenth.example.com': - port => '80', - docroot => '/var/www/seventeenth', - block => 'scm', -} - -# Vhost with special environment variables -apache::vhost { 'eighteenth.example.com': - port => '80', - docroot => '/var/www/eighteenth', - setenv => ['SPECIAL_PATH /foo/bin','KILROY was_here'], -} - -apache::vhost { 'nineteenth.example.com': - port => '80', - docroot => '/var/www/nineteenth', - setenvif => 'Host "^([^\.]*)\.website\.com$" CLIENT_NAME=$1', -} - -# Vhost with additional include files -apache::vhost { 'twentyieth.example.com': - port => '80', - docroot => '/var/www/twelfth', - additional_includes => ['/tmp/proxy_group_a','/tmp/proxy_group_b'], -} - -# Vhost with alias for subdomain mapped to same named directory -# http://example.com.loc => /var/www/example.com -apache::vhost { 'subdomain.loc': - vhost_name => '*', - port => '80', - virtual_docroot => '/var/www/%-2+', - docroot => '/var/www', - serveraliases => ['*.loc',], -} - -# Vhost with SSLProtocol,SSLCipherSuite, SSLHonorCipherOrder -apache::vhost { 'securedomain.com': - priority => '10', - vhost_name => 'www.securedomain.com', - port => '443', - docroot => '/var/www/secure', - ssl => true, - ssl_cert => '/etc/ssl/securedomain.cert', - ssl_key => '/etc/ssl/securedomain.key', - ssl_chain => '/etc/ssl/securedomain.crt', - ssl_protocol => '-ALL +SSLv3 +TLSv1', - ssl_cipher => 'ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM', - ssl_honorcipherorder => 'On', - add_listen => false, -} - -# Vhost with access log environment variables writing control -apache::vhost { 'twentyfirst.example.com': - port => '80', - docroot => '/var/www/twentyfirst', - access_log_env_var => 'admin', -} -
--- a/modules/apache/tests/vhost_directories.pp Sun Dec 29 15:31:28 2019 +0000 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,44 +0,0 @@ -# Base class. Declares default vhost on port 80 and default ssl -# vhost on port 443 listening on all interfaces and serving -# $apache::docroot -class { 'apache': } - -# Example from README adapted. -apache::vhost { 'readme.example.net': - docroot => '/var/www/readme', - directories => [ - { - 'path' => '/var/www/readme', - 'ServerTokens' => 'prod' , - }, - { - 'path' => '/usr/share/empty', - 'allow' => 'from all', - }, - ], -} - -# location test -apache::vhost { 'location.example.net': - docroot => '/var/www/location', - directories => [ - { - 'path' => '/location', - 'provider' => 'location', - 'ServerTokens' => 'prod' - }, - ], -} - -# files test, curedly disable access to accidental backup files. -apache::vhost { 'files.example.net': - docroot => '/var/www/files', - directories => [ - { - 'path' => '(\.swp|\.bak|~)$', - 'provider' => 'filesmatch', - 'deny' => 'from all' - }, - ], -} -
--- a/modules/apache/tests/vhost_ip_based.pp Sun Dec 29 15:31:28 2019 +0000 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,25 +0,0 @@ -## IP-based vhosts on any listen port -# IP-based vhosts respond to requests on specific IP addresses. - -# Base class. Turn off the default vhosts; we will be declaring -# all vhosts below. -class { 'apache': - default_vhost => false, -} - -# Listen on port 80 and 81; required because the following vhosts -# are not declared with a port parameter. -apache::listen { '80': } -apache::listen { '81': } - -# IP-based vhosts -apache::vhost { 'first.example.com': - ip => '10.0.0.10', - docroot => '/var/www/first', - ip_based => true, -} -apache::vhost { 'second.example.com': - ip => '10.0.0.11', - docroot => '/var/www/second', - ip_based => true, -}
--- a/modules/apache/tests/vhost_proxypass.pp Sun Dec 29 15:31:28 2019 +0000 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,66 +0,0 @@ -## vhost with proxyPass directive -# NB: Please see the other vhost_*.pp example files for further -# examples. - -# Base class. Declares default vhost on port 80 and default ssl -# vhost on port 443 listening on all interfaces and serving -# $apache::docroot -class { 'apache': } - -# Most basic vhost with proxy_pass -apache::vhost { 'first.example.com': - port => 80, - docroot => '/var/www/first', - proxy_pass => [ - { - 'path' => '/first', - 'url' => 'http://localhost:8080/first' - }, - ], -} - -# vhost with proxy_pass and parameters -apache::vhost { 'second.example.com': - port => 80, - docroot => '/var/www/second', - proxy_pass => [ - { - 'path' => '/second', - 'url' => 'http://localhost:8080/second', - 'params' => { - 'retry' => '0', - 'timeout' => '5' - } - }, - ], -} - -# vhost with proxy_pass and keywords -apache::vhost { 'third.example.com': - port => 80, - docroot => '/var/www/third', - proxy_pass => [ - { - 'path' => '/third', - 'url' => 'http://localhost:8080/third', - 'keywords' => ['noquery', 'interpolate'] - }, - ], -} - -# vhost with proxy_pass, parameters and keywords -apache::vhost { 'fourth.example.com': - port => 80, - docroot => '/var/www/fourth', - proxy_pass => [ - { - 'path' => '/fourth', - 'url' => 'http://localhost:8080/fourth', - 'params' => { - 'retry' => '0', - 'timeout' => '5' - }, - 'keywords' => ['noquery', 'interpolate'] - }, - ], -}
--- a/modules/apache/tests/vhost_ssl.pp Sun Dec 29 15:31:28 2019 +0000 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,23 +0,0 @@ -## SSL-enabled vhosts -# SSL-enabled vhosts respond only to HTTPS queries. - -# Base class. Turn off the default vhosts; we will be declaring -# all vhosts below. -class { 'apache': - default_vhost => false, -} - -# Non-ssl vhost -apache::vhost { 'first.example.com non-ssl': - servername => 'first.example.com', - port => '80', - docroot => '/var/www/first', -} - -# SSL vhost at the same domain -apache::vhost { 'first.example.com ssl': - servername => 'first.example.com', - port => '443', - docroot => '/var/www/first', - ssl => true, -}
--- a/modules/apache/tests/vhosts_without_listen.pp Sun Dec 29 15:31:28 2019 +0000 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,53 +0,0 @@ -## Declare ip-based and name-based vhosts -# Mixing Name-based vhost with IP-specific vhosts requires `add_listen => -# 'false'` on the non-IP vhosts - -# Base class. Turn off the default vhosts; we will be declaring -# all vhosts below. -class { 'apache': - default_vhost => false, -} - - -# Add two an IP-based vhost on 10.0.0.10, ssl and non-ssl -apache::vhost { 'The first IP-based vhost, non-ssl': - servername => 'first.example.com', - ip => '10.0.0.10', - port => '80', - ip_based => true, - docroot => '/var/www/first', -} -apache::vhost { 'The first IP-based vhost, ssl': - servername => 'first.example.com', - ip => '10.0.0.10', - port => '443', - ip_based => true, - docroot => '/var/www/first-ssl', - ssl => true, -} - -# Two name-based vhost listening on 10.0.0.20 -apache::vhost { 'second.example.com': - ip => '10.0.0.20', - port => '80', - docroot => '/var/www/second', -} -apache::vhost { 'third.example.com': - ip => '10.0.0.20', - port => '80', - docroot => '/var/www/third', -} - -# Two name-based vhosts without IPs specified, so that they will answer on either 10.0.0.10 or 10.0.0.20 . It is requried to declare -# `add_listen => 'false'` to disable declaring "Listen 80" which will conflict -# with the IP-based preceeding vhosts. -apache::vhost { 'fourth.example.com': - port => '80', - docroot => '/var/www/fourth', - add_listen => false, -} -apache::vhost { 'fifth.example.com': - port => '80', - docroot => '/var/www/fifth', - add_listen => false, -}