changeset 469:e0147f345e65

Rework main vs proxy fragments and redirects. This ensures our site for IPv4 proxy users has the same config while avoiding redefining any per-site WSGI pools etc. Redirects and logging were reworked to avoid redirecting users that we're only going to block anyway.
author IBBoard <dev@ibboard.co.uk>
date Sun, 12 May 2024 19:49:42 +0100
parents 8a3c3eb60fdd
children f68d7f7c080b
files manifests/templates.pp modules/website/manifests/https.pp modules/website/manifests/https/multitld.pp
diffstat 3 files changed, 19 insertions(+), 18 deletions(-) [+]
--- a/manifests/templates.pp	Sat Apr 06 19:01:04 2024 +0100
+++ b/manifests/templates.pp	Sun May 12 19:49:42 2024 +0100
@@ -920,7 +920,7 @@
 		priority => 1,
 		letsencrypt_name => 'dev.ibboard.co.uk',
 		custom_fragment => template("privat/apache/dev.fragment"),
-		proxy_fragment => template("privat/apache/dev-proxy.fragment"),
+		non_proxy_fragment => template("privat/apache/dev-nonproxy.fragment"),
 		force_no_index => false,
 	}
 }
--- a/modules/website/manifests/https.pp	Sat Apr 06 19:01:04 2024 +0100
+++ b/modules/website/manifests/https.pp	Sun May 12 19:49:42 2024 +0100
@@ -14,7 +14,7 @@
     $serveraliases      = [],
     $ensure             = 'present',
     $custom_fragment    = '',
-    Optional[String] $proxy_fragment  = $custom_fragment,
+    Optional[String] $non_proxy_fragment  = '',
     $force_no_www       = true,
     $force_no_index     = true,
     $lockdown_requests  = true,
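Review bot: The renamed `$non_proxy_fragment` parameter has no comment saying which vhosts receive it, and the rename inverts the old default, where the proxy fragment fell back to `$custom_fragment`. Judging by the later hunks, `$non_proxy_fragment` is prepended only on the direct port-443 vhost, while the 4-to-6 proxy vhost gets `$custom_conf` alone (presumably built from `$custom_fragment`; that code is outside the diff). Any access restriction a caller places in the non-proxy fragment therefore does not cover proxied IPv4 users. I would add a comment above the parameter such as `# Applied only to the direct (non-proxy) HTTPS vhost; rules that must also cover proxied clients belong in $custom_fragment`. The parameter list starts and ends outside this hunk.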
@@ -140,6 +140,12 @@
     $group = $docroot_group
   }
 
+  $redir_fragment = "RemoteIPProxyProtocol On
+# Filter before we redirect to HTTPS
+Include conf.custom/filter-core.conf
+Redirect permanent / https://$name/"
+
+
   apache::vhost { $name:
     ip              => $ip,
     port            => 443,
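Review bot: The comment `# Filter before we redirect to HTTPS` in `$redir_fragment` relies on the order of lines in the fragment, but Apache processes directives by module hook, not by file order. mod_alias resolves `Redirect` during URL translation, which happens before authorization is checked, so if `conf.custom/filter-core.conf` blocks with `Require`-style rules a filtered client would most likely still get the 301. mod_rewrite rules in server context normally run ahead of mod_alias, so a rewrite-based filter should behave as intended. That file is not in this changeset, so this needs confirming, for example by checking the status a known-blocked request receives on port 80. I would reword the comment to record the dependency, e.g. `# filter-core.conf must act before mod_alias handles the Redirect (line order alone does not guarantee this)`, and write `https://${name}/` to match the `${logpart}` style used elsewhere in the file.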
@@ -148,7 +154,7 @@
     docroot_owner   => $owner,
     docroot_group   => $group,
     docroot_mode    => '2775',
-    custom_fragment => $custom_conf,
+    custom_fragment => "$non_proxy_fragment\n$custom_conf",
     logroot         => '/var/log/apache/',
     access_log_file => "access_${logpart}.log",
     access_log_format => "%h %l %u %t \\\"%r\\\" %>s %b \\\"%{Referer}i\\\" \\\"%{User-agent}i\\\" %{Host}i %D",
@@ -166,13 +172,12 @@
     ip => $ip,
     port => 80,
     docroot => $siteroot,
-    redirect_status => 'permanent',
-    redirect_dest => "https://$name/",
     serveraliases   => $serveraliases,
+    custom_fragment => $redir_fragment,
     logroot         => '/var/log/apache/',
-    access_log_file => "access_${logpart}_nossl.log",
+    access_log_file => "access_${logpart}_80.log",
     access_log_format => "%h %l %u %t \\\"%r\\\" %>s %b \\\"%{Referer}i\\\" \\\"%{User-agent}i\\\" %{Host}i",
-    error_log_file  => "error_${logpart}_nossl.log",
+    error_log_file  => "error_${logpart}_80.log",
   }
 
   if ($proxy_4to6_ip != undef) {
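Review bot: Passing `$redir_fragment` to the `$ip` port-80 vhost at `custom_fragment => $redir_fragment,` switches on `RemoteIPProxyProtocol On` for the direct listener, which had no PROXY protocol setting before this change. mod_remoteip enables the protocol per address and port: connections that arrive without a PROXY header are aborted, and a peer that does send one supplies the client address Apache then uses. The IP-based rules in `filter-core.conf` and the port-80 logs would therefore be working from a value the peer controls. Unless `$ip:80` is reachable only through the proxy (not visible here), I would drop the first line from `$redir_fragment` and add it back only on the proxied vhost in the later `$proxy_4to6_ip` hunk, e.g. `custom_fragment => "RemoteIPProxyProtocol On\n${redir_fragment}",`. This resource's body starts outside the hunk.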
@@ -185,12 +190,10 @@
       docroot_owner   => $owner,
       docroot_group   => $group,
       docroot_mode    => '2775',
-      custom_fragment => "RemoteIPProxyProtocol On
-$custom_conf2
-$proxy_fragment",
+      custom_fragment => "RemoteIPProxyProtocol On\n$custom_conf",
       logroot         => '/var/log/apache/',
       access_log_file => "access_${logpart}.log",
-      access_log_format => "%a %l %u %t \\\"%r\\\" %>s %b \\\"%{Referer}i\\\" \\\"%{User-agent}i\\\" %{Host}i",
+      access_log_format => "%a %l %u %t \\\"%r\\\" %>s %b \\\"%{Referer}i\\\" \\\"%{User-agent}i\\\" %{Host}i %D",
       error_log_file  => "error_${logpart}.log",
       serveraliases   => $serveraliases,
       ssl             => true,
@@ -205,14 +208,12 @@
       ip => $proxy_4to6_ip,
       port => 80,
       docroot => $siteroot,
-      redirect_status => 'permanent',
-      redirect_dest => "https://$name/",
       serveraliases   => $serveraliases,
-      custom_fragment => "RemoteIPProxyProtocol On",
+      custom_fragment => $redir_fragment,
       logroot         => '/var/log/apache/',
-      access_log_file => "access_${logpart}_nossl.log",
+      access_log_file => "access_${logpart}_80.log",
       access_log_format => "%a %l %u %t \\\"%r\\\" %>s %b \\\"%{Referer}i\\\" \\\"%{User-agent}i\\\" %{Host}i",
-      error_log_file  => "error_${logpart}_nossl.log",
+      error_log_file  => "error_${logpart}_80.log",
     }
   }
 }
--- a/modules/website/manifests/https/multitld.pp	Sat Apr 06 19:01:04 2024 +0100
+++ b/modules/website/manifests/https/multitld.pp	Sun May 12 19:49:42 2024 +0100
@@ -11,7 +11,7 @@
   Optional[String] $docroot_owner   = undef,
   Optional[String] $docroot_group   = undef,
   Optional[String] $custom_fragment = undef,
-  Optional[String] $proxy_fragment  = $custom_fragment,
+  Optional[String] $non_proxy_fragment  = undef,
   Optional[Boolean] $force_no_index = undef,
   Optional[Boolean] $force_no_www   = undef,
   Optional[Boolean] $csp            = true,
@@ -46,7 +46,7 @@
     ssl_ca_chain    => $ssl_ca_chain,
     letsencrypt_name => $letsencrypt_name,
     custom_fragment => $custom_fragment,
-    proxy_fragment  => $proxy_fragment,
+    non_proxy_fragment  => $non_proxy_fragment,
     force_no_index  => $force_no_index,
     force_no_www    => $force_no_www,
     csp             => $csp,