changeset 281:af7df930a670
Add 4-to-6 proxy and mod_remoteip setup
Includes adding a separate fragment for the proxy (defaults to
the main fragment) for sites like Dev where duplicate WSGIDaemon
definitions cause errors.
author | IBBoard <dev@ibboard.co.uk> |
---|---|
date | Sat, 15 Feb 2020 19:07:11 +0000 |
parents | 8f33f0bddd39 |
children | 6668c0708887 |
files | manifests/templates.pp modules/website/manifests/http.pp modules/website/manifests/https.pp modules/website/manifests/https/multitld.pp modules/website/manifests/https/redir.pp modules/website/manifests/init.pp |
diffstat | 6 files changed, 113 insertions(+), 1 deletions(-) [+] |
--- a/manifests/templates.pp Sat Feb 15 15:10:28 2020 +0000
+++ b/manifests/templates.pp Sat Feb 15 19:07:11 2020 +0000
@@ -703,6 +703,7 @@
 priority => 1,
 letsencrypt_name => 'dev.ibboard.co.uk',
 custom_fragment => template("privat/apache/dev.fragment"),
+ proxy_fragment => template("privat/apache/dev-proxy.fragment"),
 force_no_index => false,
 }
 }
--- a/modules/website/manifests/http.pp Sat Feb 15 15:10:28 2020 +0000
+++ b/modules/website/manifests/http.pp Sat Feb 15 19:07:11 2020 +0000
@@ -4,7 +4,8 @@
 $docroot_group = 'root',
 $serveraliases = [],
 $ensure = 'present',
- $custom_fragment = undef
+ $custom_fragment = undef,
+ Optional[String] $proxy_fragment = $custom_fragment,
 ) {
 if ! defined(Class['website']) {
 fail('You must include the website base class before using any website defined resources')
@@ -32,4 +33,22 @@
 serveraliases => $serveraliases,
 ensure => $ensure,
 }
+
+ if ($website::proxy_6to4_ip != undef) {
+ apache::vhost { "$name-PROXY":
+ ip => $website::proxy_6to4_ip,
+ port => '80',
+ docroot => $siteroot,
+ docroot_owner => $docroot_owner,
+ docroot_group => $docroot_group,
+ docroot_mode => '2775',
+ custom_fragment => "RemoteIPProxyProtocol On
+$proxy_fragment",
+ logroot => '/var/log/apache/',
+ access_log_file => "access_${logpart}.log",
+ access_log_format => "%a %l %u %t \\\"%r\\\" %>s %b \\\"%{Referer}i\\\" \\\"%{User-agent}i\\\" %{Host}i",
+ serveraliases => $serveraliases,
+ ensure => $ensure,
+ }
+ }
 }
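Review bot: The `"$name-PROXY"` vhost in the second hunk sets no `servername`, so if apache::vhost falls back to the resource title (as puppetlabs-apache's does) its ServerName becomes `<name>-PROXY`, and because every site's PROXY vhost shares `$website::proxy_6to4_ip:80`, name-based selection then rests on `serveraliases` alone; the https.pp PROXY vhost sets `servername => $name,` and this one should too. The same omission is in the `"$name-PROXY"` 443 vhost in redir.pp. Note also that `RemoteIPProxyProtocol On` makes this vhost take the client address from whatever PROXY header arrives on that IP, so the `%a` it logs is only as trustworthy as the firewall restriction to `$proxy_upstream` in init.pp; a comment on the `custom_fragment` line such as `# PROXY header is trusted: reachability of proxy_6to4_ip must stay limited to proxy_upstream (see init.pp)` would spare the next maintainer a surprise. The enclosing define continues outside the hunk.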
--- a/modules/website/manifests/https.pp Sat Feb 15 15:10:28 2020 +0000
+++ b/modules/website/manifests/https.pp Sat Feb 15 19:07:11 2020 +0000
@@ -13,6 +13,7 @@
 $serveraliases = [],
 $ensure = 'present',
 $custom_fragment = '',
+ Optional[String] $proxy_fragment = $custom_fragment,
 $force_no_www = true,
 $force_no_index = true,
 $lockdown_requests = true,
@@ -161,6 +162,7 @@
 
 apache::vhost { "${name}-80":
 servername => $name,
+ ip => $ip,
 port => 80,
 docroot => $siteroot,
 redirect_status => 'permanent',
@@ -171,4 +173,45 @@
 access_log_format => "%h %l %u %t \\\"%r\\\" %>s %b \\\"%{Referer}i\\\" \\\"%{User-agent}i\\\" %{Host}i",
 error_log_file => "error_${logpart}_nossl.log",
 }
+
+ if ($website::proxy_6to4_ip != undef) {
+ apache::vhost { "$name-PROXY":
+ servername => $name,
+ ip => $website::proxy_6to4_ip,
+ port => '443',
+ priority => $priority,
+ docroot => $siteroot,
+ docroot_owner => $owner,
+ docroot_group => $group,
+ docroot_mode => '2775',
+ custom_fragment => "RemoteIPProxyProtocol On
+$custom_conf2
+$proxy_fragment",
+ logroot => '/var/log/apache/',
+ access_log_file => "access_${logpart}.log",
+ access_log_format => "%a %l %u %t \\\"%r\\\" %>s %b \\\"%{Referer}i\\\" \\\"%{User-agent}i\\\" %{Host}i",
+ error_log_file => "error_${logpart}.log",
+ serveraliases => $serveraliases,
+ ssl => true,
+ ssl_cert => $sslcert,
+ ssl_key => $sslkey,
+ ssl_chain => $ssl_chain,
+ ensure => $ensure,
+ }
+
+ apache::vhost { "${name}-80-PROXY":
+ servername => $name,
+ ip => $website::proxy_6to4_ip,
+ port => 80,
+ docroot => $siteroot,
+ redirect_status => 'permanent',
+ redirect_dest => "https://$name/",
+ serveraliases => $serveraliases,
+ custom_fragment => "RemoteIPProxyProtocol On",
+ logroot => '/var/log/apache/',
+ access_log_file => "access_${logpart}_nossl.log",
+ access_log_format => "%a %l %u %t \\\"%r\\\" %>s %b \\\"%{Referer}i\\\" \\\"%{User-agent}i\\\" %{Host}i",
+ error_log_file => "error_${logpart}_nossl.log",
+ }
+ }
 }
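Review bot: In the third hunk the two new resource titles are written inconsistently, `"$name-PROXY"` unbraced beside `"${name}-80-PROXY"`, and `port => '443'` is a quoted string where the sibling vhost uses `port => 80`; `apache::vhost { "${name}-PROXY":` and `port => 443,` would match the surrounding code and keep puppet-lint quiet. The same mixed forms appear in the PROXY vhosts of http.pp and redir.pp. Because Apache applies `RemoteIPProxyProtocol` per listening IP:port rather than per name-based vhost, every vhost on `$website::proxy_6to4_ip` has to agree on it (they all do here, and connections without a PROXY header are then refused); that constraint is worth a comment above the `if ($website::proxy_6to4_ip != undef)` block so a later site does not silently break the others. The enclosing define continues outside the hunk.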
--- a/modules/website/manifests/https/multitld.pp Sat Feb 15 15:10:28 2020 +0000
+++ b/modules/website/manifests/https/multitld.pp Sat Feb 15 19:07:11 2020 +0000
@@ -10,6 +10,7 @@
 Optional[String] $docroot_owner = undef,
 Optional[String] $docroot_group = undef,
 Optional[String] $custom_fragment = undef,
+ Optional[String] $proxy_fragment = $custom_fragment,
 Optional[Boolean] $force_no_index = undef,
 Optional[Boolean] $force_no_www = undef,
 Optional[Boolean] $csp = true,
@@ -43,6 +44,7 @@
 ssl_ca_chain => $ssl_ca_chain,
 letsencrypt_name => $letsencrypt_name,
 custom_fragment => $custom_fragment,
+ proxy_fragment => $proxy_fragment,
 force_no_index => $force_no_index,
 force_no_www => $force_no_www,
 csp => $csp,
--- a/modules/website/manifests/https/redir.pp Sat Feb 15 15:10:28 2020 +0000
+++ b/modules/website/manifests/https/redir.pp Sat Feb 15 19:07:11 2020 +0000
@@ -126,6 +126,7 @@
 
 apache::vhost { "${name}-80":
 servername => $name,
+ ip => $ip,
 port => 80,
 docroot => $siteroot,
 docroot_owner => $owner,
@@ -138,4 +139,47 @@
 access_log_format => "%h %l %u %t \\\"%r\\\" %>s %b \\\"%{Referer}i\\\" \\\"%{User-agent}i\\\" %{Host}i",
 error_log_file => "error_${logpart}${log_extra}_nossl.log",
 }
+
+
+ if ($website::proxy_6to4_ip != undef) {
+ apache::vhost { "$name-PROXY":
+ ip => $website::proxy_6to4_ip,
+ port => '443',
+ docroot => $siteroot,
+ docroot_owner => $owner,
+ docroot_group => $group,
+ docroot_mode => '2775',
+ redirect_status => 'permanent',
+ redirect_dest => $redir,
+ custom_fragment => "RemoteIPProxyProtocol On
+$custom_conf",
+ logroot => '/var/log/apache/',
+ access_log_file => "access_${logpart}${log_extra}.log",
+ access_log_format => "%a %l %u %t \\\"%r\\\" %>s %b \\\"%{Referer}i\\\" \\\"%{User-agent}i\\\" %{Host}i",
+ error_log_file => "error_${logpart}${log_extra}.log",
+ serveraliases => $serveraliases,
+ ssl => true,
+ ssl_cert => $sslcert,
+ ssl_key => $sslkey,
+ ssl_chain => $ssl_chain,
+ ensure => $ensure,
+ }
+
+ apache::vhost { "${name}-80-PROXY":
+ servername => $name,
+ ip => $website::proxy_6to4_ip,
+ port => 80,
+ docroot => $siteroot,
+ docroot_owner => $owner,
+ docroot_group => $group,
+ redirect_status => 'permanent',
+ redirect_dest => $redir,
+ serveraliases => $serveraliases,
+ custom_fragment => "RemoteIPProxyProtocol On",
+ logroot => '/var/log/apache/',
+ access_log_file => "access_${logpart}${log_extra}_nossl.log",
+ access_log_format => "%a %l %u %t \\\"%r\\\" %>s %b \\\"%{Referer}i\\\" \\\"%{User-agent}i\\\" %{Host}i",
+ error_log_file => "error_${logpart}${log_extra}_nossl.log",
+ }
+ }
 }
--- a/modules/website/manifests/init.pp Sat Feb 15 15:10:28 2020 +0000
+++ b/modules/website/manifests/init.pp Sat Feb 15 19:07:11 2020 +0000
@@ -130,6 +130,9 @@
 context => "/files/etc/sysconfig/network-scripts/ifcfg-eth0",
 changes => "set IPV6ADDR_SECONDARIES $proxy_6to4_ip",
 }
+
+ apache::mod { "remoteip": }
+
 $proxy_upstream.each |String $upstream_addr| {
 firewall { "100 limit PROXY protocol to upstream $upstream_addr":
 source => $upstream_addr,
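Review bot: `apache::mod { "remoteip": }` is declared here with no guard, whereas every vhost that uses it in this changeset is wrapped in `if ($website::proxy_6to4_ip != undef)`; unless the block this hunk sits in (its start is outside the hunk) is already conditional on the same value, the module is loaded on hosts that have no proxy IP at all. The trust boundary also deserves a comment: once `RemoteIPProxyProtocol On` is set, mod_remoteip takes the client address from the PROXY header of any connection that reaches `$proxy_6to4_ip`, so the firewall rules below, keyed on `source => $upstream_addr`, are the only thing keeping the `%a` in the access logs and any IP-based allow rules honest. Suggested above the `apache::mod` line: `# mod_remoteip trusts the PROXY header: the firewall rules below must stay the only route to $proxy_6to4_ip`. The firewall resource is cut off by the end of the hunk.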