diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile new file mode 100644 index 0000000000..12ed4ff109 --- /dev/null +++ b/.devcontainer/Dockerfile @@ -0,0 +1,6 @@ +FROM puppet/pdk:latest + +# [Optional] Uncomment this section to install additional packages. +# RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \ +# && apt-get -y install --no-install-recommends + diff --git a/.devcontainer/README.md b/.devcontainer/README.md new file mode 100644 index 0000000000..a719361689 --- /dev/null +++ b/.devcontainer/README.md @@ -0,0 +1,38 @@ +# devcontainer + + +For format details, see https://aka.ms/devcontainer.json. + +For config options, see the README at: +https://github.com/microsoft/vscode-dev-containers/tree/v0.140.1/containers/puppet + +``` json +{ + "name": "Puppet Development Kit (Community)", + "dockerFile": "Dockerfile", + + // Set *default* container specific settings.json values on container create. + "settings": { + "terminal.integrated.profiles.linux": { + "bash": { + "path": "bash", + } + } + }, + + // Add the IDs of extensions you want installed when the container is created. + "extensions": [ + "puppet.puppet-vscode", + "rebornix.Ruby" + ], + + // Use 'forwardPorts' to make a list of ports inside the container available locally. + "forwardPorts": [], + + // Use 'postCreateCommand' to run commands after the container is created. + "postCreateCommand": "pdk --version", +} +``` + + + diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json new file mode 100644 index 0000000000..cdd65d220a --- /dev/null +++ b/.devcontainer/devcontainer.json @@ -0,0 +1,17 @@ +{ + "name": "Puppet Development Kit (Community)", + "dockerFile": "Dockerfile", + + "settings": { + "terminal.integrated.profiles.linux": { + "bash": { + "path": "bash" + } + } + }, + + "extensions": [ + "puppet.puppet-vscode", + "rebornix.Ruby" + ] +} diff --git a/.fixtures.yml b/.fixtures.yml index b5f76c03ac..68ef109e1b 100644 --- a/.fixtures.yml +++ b/.fixtures.yml @@ -1,6 +1,13 @@ +--- fixtures: repositories: - stdlib: "git://github.com/puppetlabs/puppetlabs-stdlib.git" - concat: "git://github.com/puppetlabs/puppetlabs-concat.git" + concat: "https://github.com/puppetlabs/puppetlabs-concat.git" + facts: 'https://github.com/puppetlabs/puppetlabs-facts.git' + portage: "https://github.com/gentoo/puppet-portage.git" + provision: 'https://github.com/puppetlabs/provision.git' + puppet_agent: 'https://github.com/puppetlabs/puppetlabs-puppet_agent.git' + stdlib: "https://github.com/puppetlabs/puppetlabs-stdlib.git" + yumrepo_core: "https://github.com/puppetlabs/puppetlabs-yumrepo_core.git" symlinks: apache: "#{source_dir}" + site_apache: "#{source_dir}/spec/fixtures/site_apache" diff --git a/.geppetto-rc.json b/.geppetto-rc.json new file mode 100644 index 0000000000..7df2329891 --- /dev/null +++ b/.geppetto-rc.json @@ -0,0 +1,9 @@ +{ + "excludes": [ + "**/contrib/**", + "**/examples/**", + "**/tests/**", + "**/spec/**", + "**/pkg/**" + ] +} diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000000..9032a014a0 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,5 @@ +*.rb eol=lf +*.erb eol=lf +*.pp eol=lf +*.sh eol=lf +*.epp eol=lf diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md new file mode 100644 index 0000000000..e3a97007e3 --- /dev/null +++ b/.github/pull_request_template.md @@ -0,0 +1,15 @@ +## Summary +Provide a detailed description of all the changes present in this pull request. + +## Additional Context +Add any additional context about the problem here. +- [ ] Root cause and the steps to reproduce. (If applicable) +- [ ] Thought process behind the implementation. + +## Related Issues (if any) +Mention any related issues or pull requests. + +## Checklist +- [ ] 🟢 Spec tests. +- [ ] 🟢 Acceptance tests. +- [ ] Manually verified. (For example `puppet apply`) \ No newline at end of file diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml new file mode 100644 index 0000000000..93cd3406b7 --- /dev/null +++ b/.github/workflows/ci.yml @@ -0,0 +1,21 @@ +name: "ci" + +on: + pull_request: + branches: + - "main" + workflow_dispatch: + +jobs: + Spec: + uses: "puppetlabs/cat-github-actions/.github/workflows/module_ci.yml@main" + with: + runs_on: "ubuntu-24.04" + secrets: "inherit" + + Acceptance: + needs: Spec + uses: "puppetlabs/cat-github-actions/.github/workflows/module_acceptance.yml@main" + with: + runs_on: "ubuntu-24.04" + secrets: "inherit" diff --git a/.github/workflows/mend.yml b/.github/workflows/mend.yml new file mode 100644 index 0000000000..b4100a5af0 --- /dev/null +++ b/.github/workflows/mend.yml @@ -0,0 +1,15 @@ +name: "mend" + +on: + pull_request: + branches: + - "main" + schedule: + - cron: "0 0 * * *" + workflow_dispatch: + +jobs: + + mend: + uses: "puppetlabs/cat-github-actions/.github/workflows/mend_ruby.yml@main" + secrets: "inherit" diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml new file mode 100644 index 0000000000..dddcf87b3b --- /dev/null +++ b/.github/workflows/nightly.yml @@ -0,0 +1,21 @@ +name: "nightly" + +on: + schedule: + - cron: "0 0 * * *" + workflow_dispatch: + +jobs: + Spec: + uses: "puppetlabs/cat-github-actions/.github/workflows/module_ci.yml@main" + with: + runs_on: "ubuntu-24.04" + secrets: "inherit" + + Acceptance: + needs: Spec + uses: "puppetlabs/cat-github-actions/.github/workflows/module_acceptance.yml@main" + with: + runs_on: "ubuntu-24.04" + secrets: "inherit" + diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 0000000000..4b3b80fc80 --- /dev/null +++ b/.github/workflows/release.yml @@ -0,0 +1,9 @@ +name: "Publish module" + +on: + workflow_dispatch: + +jobs: + release: + uses: "puppetlabs/cat-github-actions/.github/workflows/module_release.yml@main" + secrets: "inherit" diff --git a/.github/workflows/release_prep.yml b/.github/workflows/release_prep.yml new file mode 100644 index 0000000000..bb0b7acce1 --- /dev/null +++ b/.github/workflows/release_prep.yml @@ -0,0 +1,15 @@ +name: "Release Prep" + +on: + workflow_dispatch: + inputs: + version: + description: "Module version to be released. Must be a valid semver string. (1.2.3)" + required: true + +jobs: + release_prep: + uses: "puppetlabs/cat-github-actions/.github/workflows/module_release_prep.yml@main" + with: + version: "${{ github.event.inputs.version }}" + secrets: "inherit" diff --git a/.github_changelog_generator b/.github_changelog_generator new file mode 100644 index 0000000000..e69de29bb2 diff --git a/.gitignore b/.gitignore index e41102bd82..2803e566b5 100644 --- a/.gitignore +++ b/.gitignore @@ -1,6 +1,35 @@ -.pkg -Gemfile.lock -vendor -spec/fixtures -.rspec_system -.bundle +.git/ +.*.sw[op] +.metadata +.yardoc +.yardwarns +*.iml +/.bundle/ +/.idea/ +/.vagrant/ +/coverage/ +/bin/ +/doc/ +/Gemfile.local +/Gemfile.lock +/junit/ +/log/ +/pkg/ +/spec/fixtures/manifests/ +/spec/fixtures/modules/* +/tmp/ +/vendor/ +/.vendor/ +/convert_report.txt +/update_report.txt +.DS_Store +.project +.envrc +/inventory.yaml +/spec/fixtures/litmus_inventory.yaml +.resource_types +.modules +.task_cache.json +.plan_cache.json +.rerun.json +bolt-debug.log diff --git a/.gitpod.Dockerfile b/.gitpod.Dockerfile new file mode 100644 index 0000000000..0814c5e61f --- /dev/null +++ b/.gitpod.Dockerfile @@ -0,0 +1,18 @@ +FROM gitpod/workspace-full +RUN sudo wget https://apt.puppet.com/puppet-tools-release-bionic.deb && \ + wget https://apt.puppetlabs.com/puppet6-release-bionic.deb && \ + sudo dpkg -i puppet6-release-bionic.deb && \ + sudo dpkg -i puppet-tools-release-bionic.deb && \ + sudo apt-get update && \ + sudo apt-get install -y pdk zsh puppet-agent && \ + sudo apt-get clean && \ + sudo rm -rf /var/lib/apt/lists/* +RUN sudo usermod -s $(which zsh) gitpod && \ + sh -c "$(curl -fsSL https://raw.github.com/ohmyzsh/ohmyzsh/master/tools/install.sh)" && \ + echo "plugins=(git gitignore github gem pip bundler python ruby docker docker-compose)" >> /home/gitpod/.zshrc && \ + echo 'PATH="$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/opt/puppetlabs/bin:/opt/puppetlabs/puppet/bin"' >> /home/gitpod/.zshrc && \ + sudo /opt/puppetlabs/puppet/bin/gem install puppet-debugger hub -N && \ + mkdir -p /home/gitpod/.config/puppet && \ + /opt/puppetlabs/puppet/bin/ruby -r yaml -e "puts ({'disabled' => true}).to_yaml" > /home/gitpod/.config/puppet/analytics.yml +RUN rm -f puppet6-release-bionic.deb puppet-tools-release-bionic.deb +ENTRYPOINT /usr/bin/zsh diff --git a/.gitpod.yml b/.gitpod.yml new file mode 100644 index 0000000000..9d89d9faa2 --- /dev/null +++ b/.gitpod.yml @@ -0,0 +1,9 @@ +image: + file: .gitpod.Dockerfile + +tasks: + - init: pdk bundle install + +vscode: + extensions: + - puppet.puppet-vscode@1.2.0:f5iEPbmOj6FoFTOV6q8LTg== diff --git a/.pdkignore b/.pdkignore new file mode 100644 index 0000000000..84684be63f --- /dev/null +++ b/.pdkignore @@ -0,0 +1,51 @@ +.git/ +.*.sw[op] +.metadata +.yardoc +.yardwarns +*.iml +/.bundle/ +/.idea/ +/.vagrant/ +/coverage/ +/bin/ +/doc/ +/Gemfile.local +/Gemfile.lock +/junit/ +/log/ +/pkg/ +/spec/fixtures/manifests/ +/spec/fixtures/modules/* +/tmp/ +/vendor/ +/.vendor/ +/convert_report.txt +/update_report.txt +.DS_Store +.project +.envrc +/inventory.yaml +/spec/fixtures/litmus_inventory.yaml +.resource_types +.modules +.task_cache.json +.plan_cache.json +.rerun.json +bolt-debug.log +/.fixtures.yml +/Gemfile +/.gitattributes +/.github/ +/.gitignore +/.pdkignore +/.puppet-lint.rc +/Rakefile +/rakelib/ +/.rspec +/..yml +/.yardopts +/spec/ +/.vscode/ +/.sync.yml +/.devcontainer/ diff --git a/.puppet-lint.rc b/.puppet-lint.rc new file mode 100644 index 0000000000..1a73fe3400 --- /dev/null +++ b/.puppet-lint.rc @@ -0,0 +1,3 @@ +--relative +--no-anchor_resource-check +--no-140chars-check diff --git a/.rspec b/.rspec new file mode 100644 index 0000000000..16f9cdb013 --- /dev/null +++ b/.rspec @@ -0,0 +1,2 @@ +--color +--format documentation diff --git a/.rubocop.yml b/.rubocop.yml new file mode 100644 index 0000000000..439ea84ee8 --- /dev/null +++ b/.rubocop.yml @@ -0,0 +1,731 @@ +--- +require: +- rubocop-performance +- rubocop-rspec +AllCops: + NewCops: enable + DisplayCopNames: true + TargetRubyVersion: '2.6' + Include: + - "**/*.rb" + Exclude: + - bin/* + - ".vendor/**/*" + - "**/Gemfile" + - "**/Rakefile" + - pkg/**/* + - spec/fixtures/**/* + - vendor/**/* + - "**/Puppetfile" + - "**/Vagrantfile" + - "**/Guardfile" +inherit_from: ".rubocop_todo.yml" +Layout/LineLength: + Description: People have wide screens, use them. + Max: 200 +RSpec/BeforeAfterAll: + Description: Beware of using after(:all) as it may cause state to leak between tests. + A necessary evil in acceptance testing. + Exclude: + - spec/acceptance/**/*.rb +RSpec/HookArgument: + Description: Prefer explicit :each argument, matching existing module's style + EnforcedStyle: each +RSpec/DescribeSymbol: + Exclude: + - spec/unit/facter/**/*.rb +Style/BlockDelimiters: + Description: Prefer braces for chaining. Mostly an aesthetical choice. Better to + be consistent then. + EnforcedStyle: braces_for_chaining +Style/ClassAndModuleChildren: + Description: Compact style reduces the required amount of indentation. + EnforcedStyle: compact +Style/EmptyElse: + Description: Enforce against empty else clauses, but allow `nil` for clarity. + EnforcedStyle: empty +Style/FormatString: + Description: Following the main puppet project's style, prefer the % format format. + EnforcedStyle: percent +Style/FormatStringToken: + Description: Following the main puppet project's style, prefer the simpler template + tokens over annotated ones. + EnforcedStyle: template +Style/Lambda: + Description: Prefer the keyword for easier discoverability. + EnforcedStyle: literal +Style/RegexpLiteral: + Description: Community preference. See https://github.com/voxpupuli/modulesync_config/issues/168 + EnforcedStyle: percent_r +Style/TernaryParentheses: + Description: Checks for use of parentheses around ternary conditions. Enforce parentheses + on complex expressions for better readability, but seriously consider breaking + it up. + EnforcedStyle: require_parentheses_when_complex +Style/TrailingCommaInArguments: + Description: Prefer always trailing comma on multiline argument lists. This makes + diffs, and re-ordering nicer. + EnforcedStyleForMultiline: comma +Style/TrailingCommaInArrayLiteral: + Description: Prefer always trailing comma on multiline literals. This makes diffs, + and re-ordering nicer. + EnforcedStyleForMultiline: comma +Style/SymbolArray: + Description: Using percent style obscures symbolic intent of array's contents. + EnforcedStyle: brackets +RSpec/MessageSpies: + EnforcedStyle: receive +Style/Documentation: + Exclude: + - lib/puppet/parser/functions/**/* + - spec/**/* +Style/WordArray: + EnforcedStyle: brackets +Performance/AncestorsInclude: + Enabled: true +Performance/BigDecimalWithNumericArgument: + Enabled: true +Performance/BlockGivenWithExplicitBlock: + Enabled: true +Performance/CaseWhenSplat: + Enabled: true +Performance/ConstantRegexp: + Enabled: true +Performance/MethodObjectAsBlock: + Enabled: true +Performance/RedundantSortBlock: + Enabled: true +Performance/RedundantStringChars: + Enabled: true +Performance/ReverseFirst: + Enabled: true +Performance/SortReverse: + Enabled: true +Performance/Squeeze: + Enabled: true +Performance/StringInclude: + Enabled: true +Performance/Sum: + Enabled: true +Style/CollectionMethods: + Enabled: true +Style/MethodCalledOnDoEndBlock: + Enabled: true +Style/StringMethods: + Enabled: true +Bundler/GemFilename: + Enabled: false +Bundler/InsecureProtocolSource: + Enabled: false +Capybara/CurrentPathExpectation: + Enabled: false +Capybara/VisibilityMatcher: + Enabled: false +Gemspec/DuplicatedAssignment: + Enabled: false +Gemspec/OrderedDependencies: + Enabled: false +Gemspec/RequiredRubyVersion: + Enabled: false +Gemspec/RubyVersionGlobalsUsage: + Enabled: false +Layout/ArgumentAlignment: + Enabled: false +Layout/BeginEndAlignment: + Enabled: false +Layout/ClosingHeredocIndentation: + Enabled: false +Layout/EmptyComment: + Enabled: false +Layout/EmptyLineAfterGuardClause: + Enabled: false +Layout/EmptyLinesAroundArguments: + Enabled: false +Layout/EmptyLinesAroundAttributeAccessor: + Enabled: false +Layout/EndOfLine: + Enabled: false +Layout/FirstArgumentIndentation: + Enabled: false +Layout/HashAlignment: + Enabled: false +Layout/HeredocIndentation: + Enabled: false +Layout/LeadingEmptyLines: + Enabled: false +Layout/SpaceAroundMethodCallOperator: + Enabled: false +Layout/SpaceInsideArrayLiteralBrackets: + Enabled: false +Layout/SpaceInsideReferenceBrackets: + Enabled: false +Lint/BigDecimalNew: + Enabled: false +Lint/BooleanSymbol: + Enabled: false +Lint/ConstantDefinitionInBlock: + Enabled: false +Lint/DeprecatedOpenSSLConstant: + Enabled: false +Lint/DisjunctiveAssignmentInConstructor: + Enabled: false +Lint/DuplicateElsifCondition: + Enabled: false +Lint/DuplicateRequire: + Enabled: false +Lint/DuplicateRescueException: + Enabled: false +Lint/EmptyConditionalBody: + Enabled: false +Lint/EmptyFile: + Enabled: false +Lint/ErbNewArguments: + Enabled: false +Lint/FloatComparison: + Enabled: false +Lint/HashCompareByIdentity: + Enabled: false +Lint/IdentityComparison: + Enabled: false +Lint/InterpolationCheck: + Enabled: false +Lint/MissingCopEnableDirective: + Enabled: false +Lint/MixedRegexpCaptureTypes: + Enabled: false +Lint/NestedPercentLiteral: + Enabled: false +Lint/NonDeterministicRequireOrder: + Enabled: false +Lint/OrderedMagicComments: + Enabled: false +Lint/OutOfRangeRegexpRef: + Enabled: false +Lint/RaiseException: + Enabled: false +Lint/RedundantCopEnableDirective: + Enabled: false +Lint/RedundantRequireStatement: + Enabled: false +Lint/RedundantSafeNavigation: + Enabled: false +Lint/RedundantWithIndex: + Enabled: false +Lint/RedundantWithObject: + Enabled: false +Lint/RegexpAsCondition: + Enabled: false +Lint/ReturnInVoidContext: + Enabled: false +Lint/SafeNavigationConsistency: + Enabled: false +Lint/SafeNavigationWithEmpty: + Enabled: false +Lint/SelfAssignment: + Enabled: false +Lint/SendWithMixinArgument: + Enabled: false +Lint/ShadowedArgument: + Enabled: false +Lint/StructNewOverride: + Enabled: false +Lint/ToJSON: + Enabled: false +Lint/TopLevelReturnWithArgument: + Enabled: false +Lint/TrailingCommaInAttributeDeclaration: + Enabled: false +Lint/UnreachableLoop: + Enabled: false +Lint/UriEscapeUnescape: + Enabled: false +Lint/UriRegexp: + Enabled: false +Lint/UselessMethodDefinition: + Enabled: false +Lint/UselessTimes: + Enabled: false +Metrics/AbcSize: + Enabled: false +Metrics/BlockLength: + Enabled: false +Metrics/BlockNesting: + Enabled: false +Metrics/ClassLength: + Enabled: false +Metrics/CyclomaticComplexity: + Enabled: false +Metrics/MethodLength: + Enabled: false +Metrics/ModuleLength: + Enabled: false +Metrics/ParameterLists: + Enabled: false +Metrics/PerceivedComplexity: + Enabled: false +Migration/DepartmentName: + Enabled: false +Naming/AccessorMethodName: + Enabled: false +Naming/BlockParameterName: + Enabled: false +Naming/HeredocDelimiterCase: + Enabled: false +Naming/HeredocDelimiterNaming: + Enabled: false +Naming/MemoizedInstanceVariableName: + Enabled: false +Naming/MethodParameterName: + Enabled: false +Naming/RescuedExceptionsVariableName: + Enabled: false +Naming/VariableNumber: + Enabled: false +Performance/BindCall: + Enabled: false +Performance/DeletePrefix: + Enabled: false +Performance/DeleteSuffix: + Enabled: false +Performance/InefficientHashSearch: + Enabled: false +Performance/UnfreezeString: + Enabled: false +Performance/UriDefaultParser: + Enabled: false +RSpec/Be: + Enabled: false +RSpec/Capybara/FeatureMethods: + Enabled: false +RSpec/ContainExactly: + Enabled: false +RSpec/ContextMethod: + Enabled: false +RSpec/ContextWording: + Enabled: false +RSpec/DescribeClass: + Enabled: false +RSpec/EmptyHook: + Enabled: false +RSpec/EmptyLineAfterExample: + Enabled: false +RSpec/EmptyLineAfterExampleGroup: + Enabled: false +RSpec/EmptyLineAfterHook: + Enabled: false +RSpec/ExampleLength: + Enabled: false +RSpec/ExampleWithoutDescription: + Enabled: false +RSpec/ExpectChange: + Enabled: false +RSpec/ExpectInHook: + Enabled: false +RSpec/FactoryBot/AttributeDefinedStatically: + Enabled: false +RSpec/FactoryBot/CreateList: + Enabled: false +RSpec/FactoryBot/FactoryClassName: + Enabled: false +RSpec/HooksBeforeExamples: + Enabled: false +RSpec/ImplicitBlockExpectation: + Enabled: false +RSpec/ImplicitSubject: + Enabled: false +RSpec/LeakyConstantDeclaration: + Enabled: false +RSpec/LetBeforeExamples: + Enabled: false +RSpec/MatchArray: + Enabled: false +RSpec/MissingExampleGroupArgument: + Enabled: false +RSpec/MultipleExpectations: + Enabled: false +RSpec/MultipleMemoizedHelpers: + Enabled: false +RSpec/MultipleSubjects: + Enabled: false +RSpec/NestedGroups: + Enabled: false +RSpec/PredicateMatcher: + Enabled: false +RSpec/ReceiveCounts: + Enabled: false +RSpec/ReceiveNever: + Enabled: false +RSpec/RepeatedExampleGroupBody: + Enabled: false +RSpec/RepeatedExampleGroupDescription: + Enabled: false +RSpec/RepeatedIncludeExample: + Enabled: false +RSpec/ReturnFromStub: + Enabled: false +RSpec/SharedExamples: + Enabled: false +RSpec/StubbedMock: + Enabled: false +RSpec/UnspecifiedException: + Enabled: false +RSpec/VariableDefinition: + Enabled: false +RSpec/VoidExpect: + Enabled: false +RSpec/Yield: + Enabled: false +Security/Open: + Enabled: false +Style/AccessModifierDeclarations: + Enabled: false +Style/AccessorGrouping: + Enabled: false +Style/BisectedAttrAccessor: + Enabled: false +Style/CaseLikeIf: + Enabled: false +Style/ClassEqualityComparison: + Enabled: false +Style/ColonMethodDefinition: + Enabled: false +Style/CombinableLoops: + Enabled: false +Style/CommentedKeyword: + Enabled: false +Style/Dir: + Enabled: false +Style/DoubleCopDisableDirective: + Enabled: false +Style/EmptyBlockParameter: + Enabled: false +Style/EmptyLambdaParameter: + Enabled: false +Style/Encoding: + Enabled: false +Style/EvalWithLocation: + Enabled: false +Style/ExpandPathArguments: + Enabled: false +Style/ExplicitBlockArgument: + Enabled: false +Style/ExponentialNotation: + Enabled: false +Style/FloatDivision: + Enabled: false +Style/FrozenStringLiteralComment: + Enabled: false +Style/GlobalStdStream: + Enabled: false +Style/HashAsLastArrayItem: + Enabled: false +Style/HashLikeCase: + Enabled: false +Style/HashTransformKeys: + Enabled: false +Style/HashTransformValues: + Enabled: false +Style/IfUnlessModifier: + Enabled: false +Style/KeywordParametersOrder: + Enabled: false +Style/MinMax: + Enabled: false +Style/MixinUsage: + Enabled: false +Style/MultilineWhenThen: + Enabled: false +Style/NegatedUnless: + Enabled: false +Style/NumericPredicate: + Enabled: false +Style/OptionalBooleanParameter: + Enabled: false +Style/OrAssignment: + Enabled: false +Style/RandomWithOffset: + Enabled: false +Style/RedundantAssignment: + Enabled: false +Style/RedundantCondition: + Enabled: false +Style/RedundantConditional: + Enabled: false +Style/RedundantFetchBlock: + Enabled: false +Style/RedundantFileExtensionInRequire: + Enabled: false +Style/RedundantRegexpCharacterClass: + Enabled: false +Style/RedundantRegexpEscape: + Enabled: false +Style/RedundantSelfAssignment: + Enabled: false +Style/RedundantSort: + Enabled: false +Style/RescueStandardError: + Enabled: false +Style/SingleArgumentDig: + Enabled: false +Style/SlicingWithRange: + Enabled: false +Style/SoleNestedConditional: + Enabled: false +Style/StderrPuts: + Enabled: false +Style/StringConcatenation: + Enabled: false +Style/Strip: + Enabled: false +Style/SymbolProc: + Enabled: false +Style/TrailingBodyOnClass: + Enabled: false +Style/TrailingBodyOnMethodDefinition: + Enabled: false +Style/TrailingBodyOnModule: + Enabled: false +Style/TrailingCommaInHashLiteral: + Enabled: false +Style/TrailingMethodEndStatement: + Enabled: false +Style/UnpackFirst: + Enabled: false +Capybara/MatchStyle: + Enabled: false +Capybara/NegationMatcher: + Enabled: false +Capybara/SpecificActions: + Enabled: false +Capybara/SpecificFinders: + Enabled: false +Capybara/SpecificMatcher: + Enabled: false +Gemspec/DeprecatedAttributeAssignment: + Enabled: false +Gemspec/DevelopmentDependencies: + Enabled: false +Gemspec/RequireMFA: + Enabled: false +Layout/LineContinuationLeadingSpace: + Enabled: false +Layout/LineContinuationSpacing: + Enabled: false +Layout/LineEndStringConcatenationIndentation: + Enabled: false +Layout/SpaceBeforeBrackets: + Enabled: false +Lint/AmbiguousAssignment: + Enabled: false +Lint/AmbiguousOperatorPrecedence: + Enabled: false +Lint/AmbiguousRange: + Enabled: false +Lint/ConstantOverwrittenInRescue: + Enabled: false +Lint/DeprecatedConstants: + Enabled: false +Lint/DuplicateBranch: + Enabled: false +Lint/DuplicateMagicComment: + Enabled: false +Lint/DuplicateMatchPattern: + Enabled: false +Lint/DuplicateRegexpCharacterClassElement: + Enabled: false +Lint/EmptyBlock: + Enabled: false +Lint/EmptyClass: + Enabled: false +Lint/EmptyInPattern: + Enabled: false +Lint/IncompatibleIoSelectWithFiberScheduler: + Enabled: false +Lint/LambdaWithoutLiteralBlock: + Enabled: false +Lint/NoReturnInBeginEndBlocks: + Enabled: false +Lint/NonAtomicFileOperation: + Enabled: false +Lint/NumberedParameterAssignment: + Enabled: false +Lint/OrAssignmentToConstant: + Enabled: false +Lint/RedundantDirGlobSort: + Enabled: false +Lint/RefinementImportMethods: + Enabled: false +Lint/RequireRangeParentheses: + Enabled: false +Lint/RequireRelativeSelfPath: + Enabled: false +Lint/SymbolConversion: + Enabled: false +Lint/ToEnumArguments: + Enabled: false +Lint/TripleQuotes: + Enabled: false +Lint/UnexpectedBlockArity: + Enabled: false +Lint/UnmodifiedReduceAccumulator: + Enabled: false +Lint/UselessRescue: + Enabled: false +Lint/UselessRuby2Keywords: + Enabled: false +Metrics/CollectionLiteralLength: + Enabled: false +Naming/BlockForwarding: + Enabled: false +Performance/CollectionLiteralInLoop: + Enabled: false +Performance/ConcurrentMonotonicTime: + Enabled: false +Performance/MapCompact: + Enabled: false +Performance/RedundantEqualityComparisonBlock: + Enabled: false +Performance/RedundantSplitRegexpArgument: + Enabled: false +Performance/StringIdentifierArgument: + Enabled: false +RSpec/BeEq: + Enabled: false +RSpec/BeNil: + Enabled: false +RSpec/ChangeByZero: + Enabled: false +RSpec/ClassCheck: + Enabled: false +RSpec/DuplicatedMetadata: + Enabled: false +RSpec/ExcessiveDocstringSpacing: + Enabled: false +RSpec/FactoryBot/ConsistentParenthesesStyle: + Enabled: false +RSpec/FactoryBot/FactoryNameStyle: + Enabled: false +RSpec/FactoryBot/SyntaxMethods: + Enabled: false +RSpec/IdenticalEqualityAssertion: + Enabled: false +RSpec/NoExpectationExample: + Enabled: false +RSpec/PendingWithoutReason: + Enabled: false +RSpec/Rails/AvoidSetupHook: + Enabled: false +RSpec/Rails/HaveHttpStatus: + Enabled: false +RSpec/Rails/InferredSpecType: + Enabled: false +RSpec/Rails/MinitestAssertions: + Enabled: false +RSpec/Rails/TravelAround: + Enabled: false +RSpec/RedundantAround: + Enabled: false +RSpec/SkipBlockInsideExample: + Enabled: false +RSpec/SortMetadata: + Enabled: false +RSpec/SubjectDeclaration: + Enabled: false +RSpec/VerifiedDoubleReference: + Enabled: false +Security/CompoundHash: + Enabled: false +Security/IoMethods: + Enabled: false +Style/ArgumentsForwarding: + Enabled: false +Style/ArrayIntersect: + Enabled: false +Style/CollectionCompact: + Enabled: false +Style/ComparableClamp: + Enabled: false +Style/ConcatArrayLiterals: + Enabled: false +Style/DataInheritance: + Enabled: false +Style/DirEmpty: + Enabled: false +Style/DocumentDynamicEvalDefinition: + Enabled: false +Style/EmptyHeredoc: + Enabled: false +Style/EndlessMethod: + Enabled: false +Style/EnvHome: + Enabled: false +Style/FetchEnvVar: + Enabled: false +Style/FileEmpty: + Enabled: false +Style/FileRead: + Enabled: false +Style/FileWrite: + Enabled: false +Style/HashConversion: + Enabled: false +Style/HashExcept: + Enabled: false +Style/IfWithBooleanLiteralBranches: + Enabled: false +Style/InPatternThen: + Enabled: false +Style/MagicCommentFormat: + Enabled: false +Style/MapCompactWithConditionalBlock: + Enabled: false +Style/MapToHash: + Enabled: false +Style/MapToSet: + Enabled: false +Style/MinMaxComparison: + Enabled: false +Style/MultilineInPatternThen: + Enabled: false +Style/NegatedIfElseCondition: + Enabled: false +Style/NestedFileDirname: + Enabled: false +Style/NilLambda: + Enabled: false +Style/NumberedParameters: + Enabled: false +Style/NumberedParametersLimit: + Enabled: false +Style/ObjectThen: + Enabled: false +Style/OpenStructUse: + Enabled: false +Style/OperatorMethodCall: + Enabled: false +Style/QuotedSymbols: + Enabled: false +Style/RedundantArgument: + Enabled: false +Style/RedundantConstantBase: + Enabled: false +Style/RedundantDoubleSplatHashBraces: + Enabled: false +Style/RedundantEach: + Enabled: false +Style/RedundantHeredocDelimiterQuotes: + Enabled: false +Style/RedundantInitialize: + Enabled: false +Style/RedundantLineContinuation: + Enabled: false +Style/RedundantSelfAssignmentBranch: + Enabled: false +Style/RedundantStringEscape: + Enabled: false +Style/SelectByRegexp: + Enabled: false +Style/StringChars: + Enabled: false +Style/SwapValues: + Enabled: false diff --git a/.rubocop_todo.yml b/.rubocop_todo.yml new file mode 100644 index 0000000000..f2945682f6 --- /dev/null +++ b/.rubocop_todo.yml @@ -0,0 +1,35 @@ +# This configuration was generated by +# `rubocop --auto-gen-config` +# on 2023-11-28 08:35:58 UTC using RuboCop version 1.48.1. +# The point is for the user to remove these configuration records +# one by one as the offenses are removed from the code base. +# Note that changes in the inspected code, or installation of new +# versions of RuboCop, may require this file to be generated again. + +# Offense count: 9 +# Configuration parameters: CountAsOne. +RSpec/ExampleLength: + Max: 43 + +# Offense count: 6 +# Configuration parameters: Include, CustomTransform, IgnoreMethods, SpecSuffixOnly. +# Include: **/*_spec*rb*, **/spec/**/* +RSpec/FilePath: + Exclude: + - 'spec/classes/mod/lbmethod_bybusyness.rb' + - 'spec/classes/mod/lbmethod_byrequests.rb' + - 'spec/classes/mod/lbmethod_bytraffic.rb' + - 'spec/classes/mod/lbmethod_heartbeat.rb' + - 'spec/classes/mod/lookup_identity.rb' + - 'spec/classes/mod/proxy_wstunnel.rb' + +# Offense count: 290 +# Configuration parameters: EnforcedStyle, IgnoreSharedExamples. +# SupportedStyles: always, named_only +RSpec/NamedSubject: + Enabled: false + +# Offense count: 8 +RSpec/RepeatedExample: + Exclude: + - 'spec/classes/apache_spec.rb' diff --git a/.sync.yml b/.sync.yml new file mode 100644 index 0000000000..02b5c19ca4 --- /dev/null +++ b/.sync.yml @@ -0,0 +1,34 @@ +--- +".gitlab-ci.yml": + delete: true +".rubocop.yml": + include_todos: true +appveyor.yml: + delete: true + +spec/spec_helper.rb: + mock_with: ":rspec" + coverage_report: true +.gitpod.Dockerfile: + unmanaged: false +.gitpod.yml: + unmanaged: false +.github/workflows/auto_release.yml: + unmanaged: false +.github/workflows/ci.yml: + unmanaged: true +.github/workflows/nightly.yml: + unmanaged: true +.github/workflows/release.yml: + unmanaged: false +Rakefile: + changelog_max_issues: 500 + extras: + "FastGettext.default_text_domain = 'default-text-domain'" +.travis.yml: + delete: true +changelog_since_tag: "3.2.0" +Rakefile: + extra_disabled_lint_checks: + - anchor_resource + - 140chars diff --git a/.travis.yml b/.travis.yml deleted file mode 100644 index b885627bfb..0000000000 --- a/.travis.yml +++ /dev/null @@ -1,39 +0,0 @@ ---- -branches: - only: - - master -language: ruby -bundler_args: --without development -script: "bundle exec rake spec SPEC_OPTS='--format documentation'" -after_success: - - git clone -q git://github.com/puppetlabs/ghpublisher.git .forge-releng - - .forge-releng/publish -rvm: - - 1.8.7 - - 1.9.3 - - 2.0.0 -env: - matrix: - - PUPPET_GEM_VERSION="~> 2.7.0" FACTER_GEM_VERSION="~> 1.6.0" - - PUPPET_GEM_VERSION="~> 2.7.0" FACTER_GEM_VERSION="~> 1.7.0" - - PUPPET_GEM_VERSION="~> 3.0" - global: - - PUBLISHER_LOGIN=puppetlabs - - secure: |- - MO4pB4bqBQJjm2yFHf3Mgho+y0Qv4GmMxTMhzI02tGy1V0HMtruZbR7EBN0i - n2CiR7V9V0mNR7/ymzDMF9yVBcgqyXMsp/C6u992Dd0U63ZwFpbRWkxuAeEY - ioupWBkiczjVEo+sxn+gVOnx28pcH/X8kDWbr6wFOMIjO03K66Y= -matrix: - exclude: - - rvm: 1.9.3 - env: PUPPET_GEM_VERSION="~> 2.7.0" FACTER_GEM_VERSION="~> 1.6.0" - - rvm: 1.9.3 - env: PUPPET_GEM_VERSION="~> 2.7.0" FACTER_GEM_VERSION="~> 1.7.0" - - rvm: 2.0.0 - env: PUPPET_GEM_VERSION="~> 2.7.0" FACTER_GEM_VERSION="~> 1.6.0" - - rvm: 2.0.0 - env: PUPPET_GEM_VERSION="~> 2.7.0" FACTER_GEM_VERSION="~> 1.7.0" - - rvm: 1.8.7 - env: PUPPET_GEM_VERSION="~> 3.2.0" -notifications: - email: false diff --git a/.vscode/extensions.json b/.vscode/extensions.json new file mode 100644 index 0000000000..6da8d472f8 --- /dev/null +++ b/.vscode/extensions.json @@ -0,0 +1,6 @@ +{ + "recommendations": [ + "puppet.puppet-vscode", + "Shopify.ruby-lsp" + ] +} diff --git a/.yardopts b/.yardopts new file mode 100644 index 0000000000..29c933bcf1 --- /dev/null +++ b/.yardopts @@ -0,0 +1 @@ +--markup markdown diff --git a/CHANGELOG.md b/CHANGELOG.md index c4686ab21e..083cf00f1d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,133 +1,1895 @@ -## 2013-09-06 Release 0.9.0 -### Summary: -This release adds more parameters to the base apache class and apache defined -resource to make the module more flexible. It also adds or enhances SuPHP, -WSGI, and Passenger mod support, and support for the ITK mpm module. - -### Backwards-incompatible Changes: -- Remove many default mods that are not normally needed. -- Remove `rewrite_base` `apache::vhost` parameter; did not work anyway. -- Specify dependencies on stdlib >=2.4.0 (this was already the case, but -making explicit) -- Deprecate `a2mod` in favor of the `apache::mod::*` classes and `apache::mod` -defined resource. - -### Features: -- `apache` class - - Add `httpd_dir` parameter to change the location of the configuration - files. - - Add `logroot` parameter to change the logroot - - Add `ports_file` parameter to changes the `ports.conf` file location - - Add `keepalive` parameter to enable persistent connections - - Add `keepalive_timeout` parameter to change the timeout - - Update `default_mods` to be able to take an array of mods to enable. -- `apache::vhost` - - Add `wsgi_daemon_process`, `wsgi_daemon_process_options`, - `wsgi_process_group`, and `wsgi_script_aliases` parameters for per-vhost - WSGI configuration. - - Add `access_log_syslog` parameter to enable syslogging. - - Add `error_log_syslog` parameter to enable syslogging of errors. - - Add `directories` hash parameter. Please see README for documentation. - - Add `sslproxyengine` parameter to enable SSLProxyEngine - - Add `suphp_addhandler`, `suphp_engine`, and `suphp_configpath` for - configuring SuPHP. - - Add `custom_fragment` parameter to allow for arbitrary apache - configuration injection. (Feature pull requests are prefered over using - this, but it is available in a pinch.) -- Add `apache::mod::suphp` class for configuring SuPHP. -- Add `apache::mod::itk` class for configuring ITK mpm module. -- Update `apache::mod::wsgi` class for global WSGI configuration with -`wsgi_socket_prefix` and `wsgi_python_home` parameters. -- Add README.passenger.md to document the `apache::mod::passenger` usage. -Added `passenger_high_performance`, `passenger_pool_idle_time`, -`passenger_max_requests`, `passenger_stat_throttle_rate`, `rack_autodetect`, -and `rails_autodetect` parameters. -- Separate the httpd service resource into a new `apache::service` class for -dependency chaining of `Class['apache'] -> ~> -Class['apache::service']` -- Added `apache::mod::proxy_balancer` class for `apache::balancer` - -### Bugfixes: -- Change dependency to puppetlabs-concat -- Fix ruby 1.9 bug for `a2mod` -- Change servername to be `$::hostname` if there is no `$::fqdn` -- Make `/etc/ssl/certs` the default ssl certs directory for RedHat non-5. -- Make `php` the default php package for RedHat non-5. -- Made `aliases` able to take a single alias hash instead of requiring an -array. - -## 2013-07-26 Release 0.8.1 -### Bugfixes: -- Update `apache::mpm_module` detection for worker/prefork -- Update `apache::mod::cgi` and `apache::mod::cgid` detection for -worker/prefork - -## 2013-07-16 Release 0.8.0 -### Features: -- Add `servername` parameter to `apache` class -- Add `proxy_set` parameter to `apache::balancer` define - -### Bugfixes: -- Fix ordering for multiple `apache::balancer` clusters -- Fix symlinking for sites-available on Debian-based OSs -- Fix dependency ordering for recursive confdir management -- Fix `apache::mod::*` to notify the service on config change -- Documentation updates - -## 2013-07-09 Release 0.7.0 -### Changes: -- Essentially rewrite the module -- too many to list -- `apache::vhost` has many abilities -- see README.md for details -- `apache::mod::*` classes provide httpd mod-loading capabilities -- `apache` base class is much more configurable - -### Bugfixes: -- Many. And many more to come - -## 2013-03-2 Release 0.6.0 -- update travis tests (add more supported versions) -- add access log_parameter -- make purging of vhost dir configurable - -## 2012-08-24 Release 0.4.0 -### Changes: -- `include apache` is now required when using `apache::mod::*` - -### Bugfixes: -- Fix syntax for validate_re -- Fix formatting in vhost template -- Fix spec tests such that they pass - - 2012-05-08 Puppet Labs - 0.0.4 - e62e362 Fix broken tests for ssl, vhost, vhost::* - 42c6363 Changes to match style guide and pass puppet-lint without error - 42bc8ba changed name => path for file resources in order to name namevar by it's name - 72e13de One end too much - 0739641 style guide fixes: 'true' <> true, $operatingsystem needs to be $::operatingsystem, etc. - 273f94d fix tests - a35ede5 (#13860) Make a2enmod/a2dismo commands optional - 98d774e (#13860) Autorequire Package['httpd'] - 05fcec5 (#13073) Add missing puppet spec tests - 541afda (#6899) Remove virtual a2mod definition - 976cb69 (#13072) Move mod python and wsgi package names to params - 323915a (#13060) Add .gitignore to repo - fdf40af (#13060) Remove pkg directory from source tree - fd90015 Add LICENSE file and update the ModuleFile - d3d0d23 Re-enable local php class - d7516c7 Make management of firewalls configurable for vhosts - 60f83ba Explicitly lookup scope of apache_name in templates. - f4d287f (#12581) Add explicit ordering for vdir directory - 88a2ac6 (#11706) puppetlabs-apache depends on puppetlabs-firewall - a776a8b (#11071) Fix to work with latest firewall module - 2b79e8b (#11070) Add support for Scientific Linux - 405b3e9 Fix for a2mod - 57b9048 Commit apache::vhost::redirect Manifest - 8862d01 Commit apache::vhost::proxy Manifest - d5c1fd0 Commit apache::mod::wsgi Manifest - a825ac7 Commit apache::mod::python Manifest - b77062f Commit Templates - 9a51b4a Vhost File Declarations - 6cf7312 Defaults for Parameters - 6a5b11a Ensure installed - f672e46 a2mod fix - 8a56ee9 add pthon support to apache + +# Changelog + +All notable changes to this project will be documented in this file. + +The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org). + +## [v12.3.1](https://github.com/puppetlabs/puppetlabs-apache/tree/v12.3.1) - 2025-03-31 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/v12.3.0...v12.3.1) + +### Fixed + +- Install mod_http2 on EL if required [#2593](https://github.com/puppetlabs/puppetlabs-apache/pull/2593) ([ekohl](https://github.com/ekohl)) + +## [v12.3.0](https://github.com/puppetlabs/puppetlabs-apache/tree/v12.3.0) - 2025-03-05 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/v12.2.0...v12.3.0) + +### Added + +- Allow configuring RemoteIPProxyProtocol at VHost level [#2582](https://github.com/puppetlabs/puppetlabs-apache/pull/2582) ([smortex](https://github.com/smortex)) +- (CAT-2100) Add Debian 12 support [#2572](https://github.com/puppetlabs/puppetlabs-apache/pull/2572) ([shubhamshinde360](https://github.com/shubhamshinde360)) +- Feature: Allow to set the verbosity of the debug [#2523](https://github.com/puppetlabs/puppetlabs-apache/pull/2523) ([JGodin-C2C](https://github.com/JGodin-C2C)) + +### Fixed + +- (CAT-2158) Upgrade rexml to address CVE-2024-49761 [#2579](https://github.com/puppetlabs/puppetlabs-apache/pull/2579) ([amitkarsale](https://github.com/amitkarsale)) +- Update types/oidcsettings UserInfoRefreshInterval to allow Integers again [#2578](https://github.com/puppetlabs/puppetlabs-apache/pull/2578) ([gcoxmoz](https://github.com/gcoxmoz)) + +### Other + +- Fix mod_headers load for headers in directory #2590 [#2591](https://github.com/puppetlabs/puppetlabs-apache/pull/2591) ([uoe-pjackson](https://github.com/uoe-pjackson)) +- Adding ModSecurity parameter for audit log format. [#2583](https://github.com/puppetlabs/puppetlabs-apache/pull/2583) ([Tamerz](https://github.com/Tamerz)) + +## [v12.2.0](https://github.com/puppetlabs/puppetlabs-apache/tree/v12.2.0) - 2024-10-23 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/v12.1.0...v12.2.0) + +### Added + +- Update config parameters to match latest OIDC release and fix typos. … [#2569](https://github.com/puppetlabs/puppetlabs-apache/pull/2569) ([uoe-pjackson](https://github.com/uoe-pjackson)) +- add XForwardedHeaders for oidc_settings [#2541](https://github.com/puppetlabs/puppetlabs-apache/pull/2541) ([trefzer](https://github.com/trefzer)) +- Added cache_disk [#2521](https://github.com/puppetlabs/puppetlabs-apache/pull/2521) ([dploeger](https://github.com/dploeger)) + +### Fixed + +- Fix apache2-mod_php7 not found for SLES-15 [#2568](https://github.com/puppetlabs/puppetlabs-apache/pull/2568) ([Harvey2504](https://github.com/Harvey2504)) +- Add missing brackets for function call [#2540](https://github.com/puppetlabs/puppetlabs-apache/pull/2540) ([gerlingsm](https://github.com/gerlingsm)) + +## [v12.1.0](https://github.com/puppetlabs/puppetlabs-apache/tree/v12.1.0) - 2024-04-03 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/v12.0.3...v12.1.0) + +### Added + +- vhost: Allow customizing show_diff [#2536](https://github.com/puppetlabs/puppetlabs-apache/pull/2536) ([kajinamit](https://github.com/kajinamit)) + +### Fixed + +- Stop managing mime support package on Debian [#2526](https://github.com/puppetlabs/puppetlabs-apache/pull/2526) ([jcharaoui](https://github.com/jcharaoui)) + +## [v12.0.3](https://github.com/puppetlabs/puppetlabs-apache/tree/v12.0.3) - 2024-03-02 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/v12.0.2...v12.0.3) + +### Fixed + +- Fix `mod_auth_openidc` parameters [#2525](https://github.com/puppetlabs/puppetlabs-apache/pull/2525) ([smortex](https://github.com/smortex)) + +## [v12.0.2](https://github.com/puppetlabs/puppetlabs-apache/tree/v12.0.2) - 2024-01-10 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/v12.0.1...v12.0.2) + +### Fixed + +- Correct handling of $serveraliases as string [#2518](https://github.com/puppetlabs/puppetlabs-apache/pull/2518) ([ekohl](https://github.com/ekohl)) + +## [v12.0.1](https://github.com/puppetlabs/puppetlabs-apache/tree/v12.0.1) - 2024-01-03 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/v12.0.0...v12.0.1) + +### Fixed + +- Fix use_canonical_name directive [#2515](https://github.com/puppetlabs/puppetlabs-apache/pull/2515) ([pebtron](https://github.com/pebtron)) +- Fix extra newline at end of headers [#2514](https://github.com/puppetlabs/puppetlabs-apache/pull/2514) ([smortex](https://github.com/smortex)) + +## [v12.0.0](https://github.com/puppetlabs/puppetlabs-apache/tree/v12.0.0) - 2024-01-01 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/v11.1.0...v12.0.0) + +### Changed + +- Drop EoL Debian 9 and older code [#2479](https://github.com/puppetlabs/puppetlabs-apache/pull/2479) ([bastelfreak](https://github.com/bastelfreak)) + +### Added + +- `apache::vhost::directories`: switch default from `undef` to empty array [#2507](https://github.com/puppetlabs/puppetlabs-apache/pull/2507) ([bastelfreak](https://github.com/bastelfreak)) +- Add `AllowOverrideList` support [#2486](https://github.com/puppetlabs/puppetlabs-apache/pull/2486) ([yakatz](https://github.com/yakatz)) + +### Fixed + +- Remove useless notice [#2494](https://github.com/puppetlabs/puppetlabs-apache/pull/2494) ([smortex](https://github.com/smortex)) + +## [v11.1.0](https://github.com/puppetlabs/puppetlabs-apache/tree/v11.1.0) - 2023-09-25 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/v11.0.0...v11.1.0) + +### Added + +- (CAT-1450) - Added new parameters for passenger mod [#2471](https://github.com/puppetlabs/puppetlabs-apache/pull/2471) ([Ramesh7](https://github.com/Ramesh7)) + +### Fixed + +- (CAT-1451) - Fixing nil check fix for SSL config [#2473](https://github.com/puppetlabs/puppetlabs-apache/pull/2473) ([Ramesh7](https://github.com/Ramesh7)) + +## [v11.0.0](https://github.com/puppetlabs/puppetlabs-apache/tree/v11.0.0) - 2023-09-23 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/v10.1.1...v11.0.0) + +### Changed + +- (CAT-1449) - Remove deprecated parameters for scriptaliases & passenger [#2470](https://github.com/puppetlabs/puppetlabs-apache/pull/2470) ([Ramesh7](https://github.com/Ramesh7)) +- Remove deprecated classes [#2466](https://github.com/puppetlabs/puppetlabs-apache/pull/2466) ([ekohl](https://github.com/ekohl)) +- Remove deprecated parameters from mod::userdir [#2465](https://github.com/puppetlabs/puppetlabs-apache/pull/2465) ([ekohl](https://github.com/ekohl)) +- (CAT-1424)-Removal of redhat/scientific/oraclelinux 6 for apache module [#2462](https://github.com/puppetlabs/puppetlabs-apache/pull/2462) ([praj1001](https://github.com/praj1001)) + +### Added + +- (CAT-1417) Nested require support for authz_core mod [#2460](https://github.com/puppetlabs/puppetlabs-apache/pull/2460) ([Ramesh7](https://github.com/Ramesh7)) +- Simplify data types and array handling [#2457](https://github.com/puppetlabs/puppetlabs-apache/pull/2457) ([ekohl](https://github.com/ekohl)) +- CAT-1285 - RHEL-8 mode security CRS fix [#2452](https://github.com/puppetlabs/puppetlabs-apache/pull/2452) ([Ramesh7](https://github.com/Ramesh7)) +- (CAT-1283) - Enable forensic module [#2442](https://github.com/puppetlabs/puppetlabs-apache/pull/2442) ([Ramesh7](https://github.com/Ramesh7)) +- (CAT-1281) - Support to add cipher with respective ssl protocol [#2440](https://github.com/puppetlabs/puppetlabs-apache/pull/2440) ([Ramesh7](https://github.com/Ramesh7)) +- feat: add Debian12 Compability [#2439](https://github.com/puppetlabs/puppetlabs-apache/pull/2439) ([Robnarok](https://github.com/Robnarok)) +- Add MellonSetEnv support [#2423](https://github.com/puppetlabs/puppetlabs-apache/pull/2423) ([](https://github.com/)) +- Add the missing mod_authnz_ldap parameters [#2404](https://github.com/puppetlabs/puppetlabs-apache/pull/2404) ([chutzimir](https://github.com/chutzimir)) + +### Fixed + +- (CAT-1308) Making mod list more restrictive and minor improvements in documentation for default mods override [#2459](https://github.com/puppetlabs/puppetlabs-apache/pull/2459) ([Ramesh7](https://github.com/Ramesh7)) +- (CAT-1346) erb_to_epp conversion for mod directory [#2453](https://github.com/puppetlabs/puppetlabs-apache/pull/2453) ([praj1001](https://github.com/praj1001)) +- (CAT-1348)-Conversion of erb to epp templates except mod or vhost dir… [#2449](https://github.com/puppetlabs/puppetlabs-apache/pull/2449) ([praj1001](https://github.com/praj1001)) +- Raise Puppet lower bound to >= 7.9.0 [#2444](https://github.com/puppetlabs/puppetlabs-apache/pull/2444) ([ekohl](https://github.com/ekohl)) +- (CAT-1261)-update_SUSE_repo_name [#2437](https://github.com/puppetlabs/puppetlabs-apache/pull/2437) ([praj1001](https://github.com/praj1001)) +- Add required package for kerberos auth on jammy [#2403](https://github.com/puppetlabs/puppetlabs-apache/pull/2403) ([chrisongthb](https://github.com/chrisongthb)) +- strickter loglevel syntax verification [#2397](https://github.com/puppetlabs/puppetlabs-apache/pull/2397) ([igt-marcin-wasilewski](https://github.com/igt-marcin-wasilewski)) + +## [v10.1.1](https://github.com/puppetlabs/puppetlabs-apache/tree/v10.1.1) - 2023-06-30 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/v10.1.0...v10.1.1) + +### Added + +- Add mod_proxy_http2 support [#2393](https://github.com/puppetlabs/puppetlabs-apache/pull/2393) ([ekohl](https://github.com/ekohl)) + +### Fixed + +- puppetlabs/concat: Allow 9.x [#2426](https://github.com/puppetlabs/puppetlabs-apache/pull/2426) ([bastelfreak](https://github.com/bastelfreak)) +- fix ssl_ciphers array behavior [#2421](https://github.com/puppetlabs/puppetlabs-apache/pull/2421) ([SimonHoenscheid](https://github.com/SimonHoenscheid)) + +## [v10.1.0](https://github.com/puppetlabs/puppetlabs-apache/tree/v10.1.0) - 2023-06-15 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/v10.0.0...v10.1.0) + +### Added + +- (CONT-577) - allow deferred function for password/secret [#2419](https://github.com/puppetlabs/puppetlabs-apache/pull/2419) ([Ramesh7](https://github.com/Ramesh7)) +- use a dedicated Enum type for On/Off and accept lower case too [#2415](https://github.com/puppetlabs/puppetlabs-apache/pull/2415) ([evgeni](https://github.com/evgeni)) +- pdksync - (MAINT) - Allow Stdlib 9.x [#2413](https://github.com/puppetlabs/puppetlabs-apache/pull/2413) ([LukasAud](https://github.com/LukasAud)) + +### Fixed + +- Remove has_key usage [#2408](https://github.com/puppetlabs/puppetlabs-apache/pull/2408) ([evgeni](https://github.com/evgeni)) + +## [v10.0.0](https://github.com/puppetlabs/puppetlabs-apache/tree/v10.0.0) - 2023-04-21 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/v9.1.3...v10.0.0) + +### Changed + +- (CONT-772) Puppet 8 support / Drop Puppet 6 [#2405](https://github.com/puppetlabs/puppetlabs-apache/pull/2405) ([LukasAud](https://github.com/LukasAud)) + +## [v9.1.3](https://github.com/puppetlabs/puppetlabs-apache/tree/v9.1.3) - 2023-04-20 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/v9.1.2...v9.1.3) + +### Fixed + +- #2391 Allow Sensitive type in addition to String type [#2392](https://github.com/puppetlabs/puppetlabs-apache/pull/2392) ([dpavlotzky](https://github.com/dpavlotzky)) + +## [v9.1.2](https://github.com/puppetlabs/puppetlabs-apache/tree/v9.1.2) - 2023-02-10 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/v9.1.1...v9.1.2) + +### Fixed + +- (BUGFIX) Update to ensure correct facter comparisons [#2387](https://github.com/puppetlabs/puppetlabs-apache/pull/2387) ([david22swan](https://github.com/david22swan)) +- Fixes mod::proxy allow_from parameter inconsistency #2352 [#2385](https://github.com/puppetlabs/puppetlabs-apache/pull/2385) ([pebtron](https://github.com/pebtron)) +- Fix example code for apache::vhost::php_values [#2384](https://github.com/puppetlabs/puppetlabs-apache/pull/2384) ([gcoxmoz](https://github.com/gcoxmoz)) +- Suppress bad Directory comment when DocumentRoot is not set [#2368](https://github.com/puppetlabs/puppetlabs-apache/pull/2368) ([gcoxmoz](https://github.com/gcoxmoz)) +- fix rewrite rules being ignored [#2330](https://github.com/puppetlabs/puppetlabs-apache/pull/2330) ([trefzer](https://github.com/trefzer)) + +## [v9.1.1](https://github.com/puppetlabs/puppetlabs-apache/tree/v9.1.1) - 2023-02-03 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/v9.1.0...v9.1.1) + +### Fixed + +- (BugFix) Update OS Family comparison to correctly match [#2381](https://github.com/puppetlabs/puppetlabs-apache/pull/2381) ([david22swan](https://github.com/david22swan)) +- Adding mod_version module to be activated by default [#2380](https://github.com/puppetlabs/puppetlabs-apache/pull/2380) ([Q-Storm](https://github.com/Q-Storm)) + +## [v9.1.0](https://github.com/puppetlabs/puppetlabs-apache/tree/v9.1.0) - 2023-01-31 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/v9.0.1...v9.1.0) + +### Added + +- vhost: Make ProxyAddHeaders configureable [#2365](https://github.com/puppetlabs/puppetlabs-apache/pull/2365) ([bastelfreak](https://github.com/bastelfreak)) + +### Fixed + +- (#2374) Suse: Switch modsec_default_rules to array [#2375](https://github.com/puppetlabs/puppetlabs-apache/pull/2375) ([bastelfreak](https://github.com/bastelfreak)) +- security{,_crs}.conf: switch to structured facts [#2373](https://github.com/puppetlabs/puppetlabs-apache/pull/2373) ([bastelfreak](https://github.com/bastelfreak)) +- Simplify templates by reusing bool2httpd [#2366](https://github.com/puppetlabs/puppetlabs-apache/pull/2366) ([ekohl](https://github.com/ekohl)) +- Simplify templates by reusing methods [#2344](https://github.com/puppetlabs/puppetlabs-apache/pull/2344) ([ekohl](https://github.com/ekohl)) + +## [v9.0.1](https://github.com/puppetlabs/puppetlabs-apache/tree/v9.0.1) - 2022-12-22 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/v9.0.0...v9.0.1) + +### Fixed + +- (CONT-406) Fix for RHEL 7 compatibility [#2362](https://github.com/puppetlabs/puppetlabs-apache/pull/2362) ([david22swan](https://github.com/david22swan)) + +## [v9.0.0](https://github.com/puppetlabs/puppetlabs-apache/tree/v9.0.0) - 2022-12-15 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/v8.6.0...v9.0.0) + +### Changed + +- (GH-2291) Further refine types [#2359](https://github.com/puppetlabs/puppetlabs-apache/pull/2359) ([david22swan](https://github.com/david22swan)) +- Drop deprecated a2mod type/providers [#2350](https://github.com/puppetlabs/puppetlabs-apache/pull/2350) ([bastelfreak](https://github.com/bastelfreak)) +- Drop Apache 2.2 support [#2329](https://github.com/puppetlabs/puppetlabs-apache/pull/2329) ([ekohl](https://github.com/ekohl)) + +## [v8.6.0](https://github.com/puppetlabs/puppetlabs-apache/tree/v8.6.0) - 2022-12-14 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/v8.5.0...v8.6.0) + +### Added + +- Parameterize SecRequestBodyLimitAction and SecResponseBodyLimitAction [#2353](https://github.com/puppetlabs/puppetlabs-apache/pull/2353) ([Vincevrp](https://github.com/Vincevrp)) + +### Fixed + +- fix mod_proxy_html on FreeBSD [#2355](https://github.com/puppetlabs/puppetlabs-apache/pull/2355) ([fraenki](https://github.com/fraenki)) +- disable::mpm_event: Fix module deactivation [#2349](https://github.com/puppetlabs/puppetlabs-apache/pull/2349) ([bastelfreak](https://github.com/bastelfreak)) + +## [v8.5.0](https://github.com/puppetlabs/puppetlabs-apache/tree/v8.5.0) - 2022-12-06 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/v8.4.0...v8.5.0) + +### Added + +- add LimitRequestLine parameter [#2345](https://github.com/puppetlabs/puppetlabs-apache/pull/2345) ([stefan-ahrefs](https://github.com/stefan-ahrefs)) + +### Fixed + +- remove _module from apache::mod::unique_id name. [#2339](https://github.com/puppetlabs/puppetlabs-apache/pull/2339) ([mdklapwijk](https://github.com/mdklapwijk)) + +## [v8.4.0](https://github.com/puppetlabs/puppetlabs-apache/tree/v8.4.0) - 2022-11-15 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/v8.3.0...v8.4.0) + +### Added + +- add maxrequestworkers parameter for mpm_worker module [#2331](https://github.com/puppetlabs/puppetlabs-apache/pull/2331) ([trefzer](https://github.com/trefzer)) +- support lbmethod modules [#2268](https://github.com/puppetlabs/puppetlabs-apache/pull/2268) ([xorpaul](https://github.com/xorpaul)) + +### Fixed + +- Declare minimum Puppet version to be 6.24.0 [#2342](https://github.com/puppetlabs/puppetlabs-apache/pull/2342) ([ekohl](https://github.com/ekohl)) +- Fix RedHat + PHP 8 libphp file [#2333](https://github.com/puppetlabs/puppetlabs-apache/pull/2333) ([polatsinan](https://github.com/polatsinan)) + +## [v8.3.0](https://github.com/puppetlabs/puppetlabs-apache/tree/v8.3.0) - 2022-10-28 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/v8.2.1...v8.3.0) + +### Added + +- Automatically enable mod_http2 if needed [#2337](https://github.com/puppetlabs/puppetlabs-apache/pull/2337) ([ekohl](https://github.com/ekohl)) +- Update EL8+ and Debian SSL defaults [#2336](https://github.com/puppetlabs/puppetlabs-apache/pull/2336) ([ekohl](https://github.com/ekohl)) +- Support setting SSLProxyCipherSuite on mod_ssl [#2335](https://github.com/puppetlabs/puppetlabs-apache/pull/2335) ([ekohl](https://github.com/ekohl)) + +### Fixed + +- Make serveradmin an optional parameter and use it [#2338](https://github.com/puppetlabs/puppetlabs-apache/pull/2338) ([ekohl](https://github.com/ekohl)) +- pdksync - (CONT-189) Remove support for RedHat6 / OracleLinux6 / Scientific6 [#2326](https://github.com/puppetlabs/puppetlabs-apache/pull/2326) ([david22swan](https://github.com/david22swan)) +- pdksync - (CONT-130) Dropping Support for Debian 9 [#2322](https://github.com/puppetlabs/puppetlabs-apache/pull/2322) ([jordanbreen28](https://github.com/jordanbreen28)) +- fix directory empty options if an empty array is being used [#2312](https://github.com/puppetlabs/puppetlabs-apache/pull/2312) ([bovy89](https://github.com/bovy89)) + +## [v8.2.1](https://github.com/puppetlabs/puppetlabs-apache/tree/v8.2.1) - 2022-09-27 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/v8.2.0...v8.2.1) + +### Fixed + +- (maint) Codebase Hardening [#2313](https://github.com/puppetlabs/puppetlabs-apache/pull/2313) ([david22swan](https://github.com/david22swan)) + +## [v8.2.0](https://github.com/puppetlabs/puppetlabs-apache/tree/v8.2.0) - 2022-09-13 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/v8.1.0...v8.2.0) + +### Added + +- Allow RewriteInherit with empty rewrites [#2301](https://github.com/puppetlabs/puppetlabs-apache/pull/2301) ([martin-koerner](https://github.com/martin-koerner)) +- Add support for all proxy schemes, not just https:// [#2289](https://github.com/puppetlabs/puppetlabs-apache/pull/2289) ([canth1](https://github.com/canth1)) +- Parameterize CRS DOS protection [#2280](https://github.com/puppetlabs/puppetlabs-apache/pull/2280) ([Vincevrp](https://github.com/Vincevrp)) +- Allow multiple scopes for Scope in Apache::OIDCSettings [#2265](https://github.com/puppetlabs/puppetlabs-apache/pull/2265) ([jjackzhn](https://github.com/jjackzhn)) + +### Fixed + +- (maint) Add variable manage_vhost_enable_dir [#2309](https://github.com/puppetlabs/puppetlabs-apache/pull/2309) ([david22swan](https://github.com/david22swan)) +- Simplify the logic in _require.erb [#2303](https://github.com/puppetlabs/puppetlabs-apache/pull/2303) ([ekohl](https://github.com/ekohl)) +- Fix deprecation warning about performing a regex comparison on a hash [#2293](https://github.com/puppetlabs/puppetlabs-apache/pull/2293) ([smokris](https://github.com/smokris)) + +## [v8.1.0](https://github.com/puppetlabs/puppetlabs-apache/tree/v8.1.0) - 2022-08-18 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/v8.0.0...v8.1.0) + +### Added + +- Manage DNF module for mod_auth_openidc [#2283](https://github.com/puppetlabs/puppetlabs-apache/pull/2283) ([ekohl](https://github.com/ekohl)) +- pdksync - (GH-cat-11) Certify Support for Ubuntu 22.04 [#2276](https://github.com/puppetlabs/puppetlabs-apache/pull/2276) ([david22swan](https://github.com/david22swan)) + +### Fixed + +- Allow integers for timeouts [#2294](https://github.com/puppetlabs/puppetlabs-apache/pull/2294) ([traylenator](https://github.com/traylenator)) +- Allow setting icons_path to false so no alias will be set for it [#2292](https://github.com/puppetlabs/puppetlabs-apache/pull/2292) ([Zarne](https://github.com/Zarne)) +- fix duplicate definition of auth_basic-mod [#2287](https://github.com/puppetlabs/puppetlabs-apache/pull/2287) ([sircubbi](https://github.com/sircubbi)) +- Allow custom_config to have a string priority again [#2284](https://github.com/puppetlabs/puppetlabs-apache/pull/2284) ([martin-koerner](https://github.com/martin-koerner)) +- Remove auth_kerb and nss from Debian Bullseye [#2281](https://github.com/puppetlabs/puppetlabs-apache/pull/2281) ([ekohl](https://github.com/ekohl)) + +## [v8.0.0](https://github.com/puppetlabs/puppetlabs-apache/tree/v8.0.0) - 2022-08-09 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/v7.0.0...v8.0.0) + +### Changed + +- Drop mod_fastcgi support [#2267](https://github.com/puppetlabs/puppetlabs-apache/pull/2267) ([ekohl](https://github.com/ekohl)) +- Drop suphp support [#2263](https://github.com/puppetlabs/puppetlabs-apache/pull/2263) ([ekohl](https://github.com/ekohl)) +- Use a stricter data type on apache::vhost::aliases [#2253](https://github.com/puppetlabs/puppetlabs-apache/pull/2253) ([ekohl](https://github.com/ekohl)) +- Narrow down Datatypes [#2245](https://github.com/puppetlabs/puppetlabs-apache/pull/2245) ([cocker-cc](https://github.com/cocker-cc)) +- (GH-cat-9) Update module to match current syntax standard [#2235](https://github.com/puppetlabs/puppetlabs-apache/pull/2235) ([david22swan](https://github.com/david22swan)) +- Drop Apache 2.0 compatibility code [#2226](https://github.com/puppetlabs/puppetlabs-apache/pull/2226) ([ekohl](https://github.com/ekohl)) +- (GH-iac-334) Remove code specific to unsupported OSs [#2223](https://github.com/puppetlabs/puppetlabs-apache/pull/2223) ([david22swan](https://github.com/david22swan)) +- Remove warnings and plans to change vhost default naming [#2202](https://github.com/puppetlabs/puppetlabs-apache/pull/2202) ([ekohl](https://github.com/ekohl)) +- Update modsec crs config and template [#2197](https://github.com/puppetlabs/puppetlabs-apache/pull/2197) ([henkworks](https://github.com/henkworks)) + +### Added + +- Allow overriding CRS allowed HTTP methods per vhost [#2274](https://github.com/puppetlabs/puppetlabs-apache/pull/2274) ([Vincevrp](https://github.com/Vincevrp)) +- Allow overriding CRS anomaly threshold per vhost [#2273](https://github.com/puppetlabs/puppetlabs-apache/pull/2273) ([Vincevrp](https://github.com/Vincevrp)) +- Allow configuring SecRequestBodyAccess and SecResponseBodyAccess [#2272](https://github.com/puppetlabs/puppetlabs-apache/pull/2272) ([Vincevrp](https://github.com/Vincevrp)) +- Allow configuring CRS paranoia level [#2270](https://github.com/puppetlabs/puppetlabs-apache/pull/2270) ([Vincevrp](https://github.com/Vincevrp)) +- Automatically include modules used in vhost directories [#2255](https://github.com/puppetlabs/puppetlabs-apache/pull/2255) ([ekohl](https://github.com/ekohl)) +- Clean up includes and templates in vhost.pp [#2254](https://github.com/puppetlabs/puppetlabs-apache/pull/2254) ([ekohl](https://github.com/ekohl)) +- pdksync - (GH-cat-12) Add Support for Redhat 9 [#2239](https://github.com/puppetlabs/puppetlabs-apache/pull/2239) ([david22swan](https://github.com/david22swan)) +- Add support for PassengerPreloadBundler [#2233](https://github.com/puppetlabs/puppetlabs-apache/pull/2233) ([smortex](https://github.com/smortex)) +- apache::vhost ProxyPassMatch in Location containers [#2222](https://github.com/puppetlabs/puppetlabs-apache/pull/2222) ([skylar2-uw](https://github.com/skylar2-uw)) +- Allow additional settings for GSSAPI in Vhost [#2215](https://github.com/puppetlabs/puppetlabs-apache/pull/2215) ([tuxmea](https://github.com/tuxmea)) +- mod_auth_gssapi: Add support for every configuration directive [#2214](https://github.com/puppetlabs/puppetlabs-apache/pull/2214) ([canth1](https://github.com/canth1)) +- mod_auth_gssapi: Add support for `GssapiBasicAuth`. [#2212](https://github.com/puppetlabs/puppetlabs-apache/pull/2212) ([olifre](https://github.com/olifre)) +- pdksync - (IAC-1753) - Add Support for AlmaLinux 8 [#2200](https://github.com/puppetlabs/puppetlabs-apache/pull/2200) ([david22swan](https://github.com/david22swan)) +- Add support for setting UserDir in Virual Hosts [#2192](https://github.com/puppetlabs/puppetlabs-apache/pull/2192) ([smortex](https://github.com/smortex)) +- Add an apache::vhost::proxy define [#2169](https://github.com/puppetlabs/puppetlabs-apache/pull/2169) ([wbclark](https://github.com/wbclark)) + +### Fixed + +- Disable mod_php on EL9 [#2277](https://github.com/puppetlabs/puppetlabs-apache/pull/2277) ([ekohl](https://github.com/ekohl)) +- Allow vhosts to have a string priority again [#2275](https://github.com/puppetlabs/puppetlabs-apache/pull/2275) ([ekohl](https://github.com/ekohl)) +- Remove duplicate SecDefaultAction in CRS template [#2271](https://github.com/puppetlabs/puppetlabs-apache/pull/2271) ([Vincevrp](https://github.com/Vincevrp)) +- Better data types on apache::vhost parameters [#2252](https://github.com/puppetlabs/puppetlabs-apache/pull/2252) ([ekohl](https://github.com/ekohl)) +- Update $timeout to `Variant[Integer,String]` [#2242](https://github.com/puppetlabs/puppetlabs-apache/pull/2242) ([david22swan](https://github.com/david22swan)) +- Let limitreqfieldsize and limitreqfields be integers [#2240](https://github.com/puppetlabs/puppetlabs-apache/pull/2240) ([traylenator](https://github.com/traylenator)) +- Drop support for Fedora < 18 [#2238](https://github.com/puppetlabs/puppetlabs-apache/pull/2238) ([ekohl](https://github.com/ekohl)) +- Restructure MPM disabling [#2227](https://github.com/puppetlabs/puppetlabs-apache/pull/2227) ([ekohl](https://github.com/ekohl)) +- pdksync - (GH-iac-334) Remove Support for Ubuntu 16.04 [#2220](https://github.com/puppetlabs/puppetlabs-apache/pull/2220) ([david22swan](https://github.com/david22swan)) +- Drop Apache 2.2 support with Gentoo [#2216](https://github.com/puppetlabs/puppetlabs-apache/pull/2216) ([ekohl](https://github.com/ekohl)) +- pdksync - (IAC-1787) Remove Support for CentOS 6 [#2213](https://github.com/puppetlabs/puppetlabs-apache/pull/2213) ([david22swan](https://github.com/david22swan)) + +## [v7.0.0](https://github.com/puppetlabs/puppetlabs-apache/tree/v7.0.0) - 2021-10-11 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/v6.5.1...v7.0.0) + +### Changed + +- Drop Debian < 8 and Ubuntu < 14.04 code [#2189](https://github.com/puppetlabs/puppetlabs-apache/pull/2189) ([ekohl](https://github.com/ekohl)) +- Drop support and compatibility for Debian < 9 and Ubuntu < 16.04 [#2123](https://github.com/puppetlabs/puppetlabs-apache/pull/2123) ([ekohl](https://github.com/ekohl)) + +### Added + +- pdksync - (IAC-1751) - Add Support for Rocky 8 [#2196](https://github.com/puppetlabs/puppetlabs-apache/pull/2196) ([david22swan](https://github.com/david22swan)) +- Allow `docroot` with `mod_vhost_alias` `virtual_docroot` [#2195](https://github.com/puppetlabs/puppetlabs-apache/pull/2195) ([yakatz](https://github.com/yakatz)) + +### Fixed + +- Restore Ubuntu 14.04 support in suphp [#2193](https://github.com/puppetlabs/puppetlabs-apache/pull/2193) ([ekohl](https://github.com/ekohl)) +- add double quote on scope parameter [#2191](https://github.com/puppetlabs/puppetlabs-apache/pull/2191) ([aba-rechsteiner](https://github.com/aba-rechsteiner)) +- Debian 11: fix typo in `versioncmp()` / set default php to 7.4 [#2186](https://github.com/puppetlabs/puppetlabs-apache/pull/2186) ([bastelfreak](https://github.com/bastelfreak)) + +## [v6.5.1](https://github.com/puppetlabs/puppetlabs-apache/tree/v6.5.1) - 2021-08-25 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/v6.5.0...v6.5.1) + +### Fixed + +- (maint) Allow stdlib 8.0.0 [#2184](https://github.com/puppetlabs/puppetlabs-apache/pull/2184) ([smortex](https://github.com/smortex)) + +## [v6.5.0](https://github.com/puppetlabs/puppetlabs-apache/tree/v6.5.0) - 2021-08-24 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/v6.4.0...v6.5.0) + +### Added + +- pdksync - (IAC-1709) - Add Support for Debian 11 [#2180](https://github.com/puppetlabs/puppetlabs-apache/pull/2180) ([david22swan](https://github.com/david22swan)) + +## [v6.4.0](https://github.com/puppetlabs/puppetlabs-apache/tree/v6.4.0) - 2021-08-02 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/v6.3.1...v6.4.0) + +### Added + +- (MODULES-11075) Improve future version handling for RHEL [#2174](https://github.com/puppetlabs/puppetlabs-apache/pull/2174) ([mwhahaha](https://github.com/mwhahaha)) +- Allow custom userdir directives [#2164](https://github.com/puppetlabs/puppetlabs-apache/pull/2164) ([hunner](https://github.com/hunner)) +- Add feature to reload apache service when content of ssl files has changed [#2157](https://github.com/puppetlabs/puppetlabs-apache/pull/2157) ([timdeluxe](https://github.com/timdeluxe)) + +## [v6.3.1](https://github.com/puppetlabs/puppetlabs-apache/tree/v6.3.1) - 2021-07-22 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/v6.3.0...v6.3.1) + +### Fixed + +- (MODULES-10899) Load php module with the right libphp file [#2166](https://github.com/puppetlabs/puppetlabs-apache/pull/2166) ([sheenaajay](https://github.com/sheenaajay)) +- (maint) Fix puppet-strings docs on apache::vhost [#2165](https://github.com/puppetlabs/puppetlabs-apache/pull/2165) ([ekohl](https://github.com/ekohl)) + +## [v6.3.0](https://github.com/puppetlabs/puppetlabs-apache/tree/v6.3.0) - 2021-06-22 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/kps_ssl_reload_and_cache_disk_combined_tag...v6.3.0) + +### Fixed + +- Update the default version of Apache for Amazon Linux 2 [#2158](https://github.com/puppetlabs/puppetlabs-apache/pull/2158) ([turnopil](https://github.com/turnopil)) +- Only warn about servername logging if relevant [#2154](https://github.com/puppetlabs/puppetlabs-apache/pull/2154) ([ekohl](https://github.com/ekohl)) + +## [kps_ssl_reload_and_cache_disk_combined_tag](https://github.com/puppetlabs/puppetlabs-apache/tree/kps_ssl_reload_and_cache_disk_combined_tag) - 2021-06-14 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/v6.2.0...kps_ssl_reload_and_cache_disk_combined_tag) + +### Added + +- The default disk_cache.conf.erb caches everything. [#2142](https://github.com/puppetlabs/puppetlabs-apache/pull/2142) ([Pawa2NR](https://github.com/Pawa2NR)) + +## [v6.2.0](https://github.com/puppetlabs/puppetlabs-apache/tree/v6.2.0) - 2021-05-24 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/v6.1.0...v6.2.0) + +### Added + +- (MODULES-11068) Allow apache::vhost ssl_honorcipherorder to take boolean parameter [#2152](https://github.com/puppetlabs/puppetlabs-apache/pull/2152) ([davidc](https://github.com/davidc)) + +## [v6.1.0](https://github.com/puppetlabs/puppetlabs-apache/tree/v6.1.0) - 2021-05-17 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/v6.0.1...v6.1.0) + +### Added + +- support for uri for severname with use_servername_for_filenames [#2150](https://github.com/puppetlabs/puppetlabs-apache/pull/2150) ([Zarne](https://github.com/Zarne)) +- (MODULES-11061) mod_security custom rule functionality [#2145](https://github.com/puppetlabs/puppetlabs-apache/pull/2145) ([k2patel](https://github.com/k2patel)) + +## [v6.0.1](https://github.com/puppetlabs/puppetlabs-apache/tree/v6.0.1) - 2021-05-10 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/v6.0.0...v6.0.1) + +### Fixed + +- Fix HEADER* and README* wildcards in IndexIgnore [#2138](https://github.com/puppetlabs/puppetlabs-apache/pull/2138) ([keto](https://github.com/keto)) +- Fix dav_svn for Debian 10 [#2135](https://github.com/puppetlabs/puppetlabs-apache/pull/2135) ([martijndegouw](https://github.com/martijndegouw)) + +## [v6.0.0](https://github.com/puppetlabs/puppetlabs-apache/tree/v6.0.0) - 2021-03-02 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/v5.10.0...v6.0.0) + +### Changed + +- pdksync - (MAINT) Remove SLES 11 support [#2132](https://github.com/puppetlabs/puppetlabs-apache/pull/2132) ([sanfrancrisko](https://github.com/sanfrancrisko)) +- pdksync - Remove Puppet 5 from testing and bump minimal version to 6.0.0 [#2125](https://github.com/puppetlabs/puppetlabs-apache/pull/2125) ([carabasdaniel](https://github.com/carabasdaniel)) + +## [v5.10.0](https://github.com/puppetlabs/puppetlabs-apache/tree/v5.10.0) - 2021-02-17 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/v5.9.0...v5.10.0) + +### Added + +- (IAC-1186) Add $use_port_for_filenames parameter [#2122](https://github.com/puppetlabs/puppetlabs-apache/pull/2122) ([smortex](https://github.com/smortex)) + +### Fixed + +- (MODULES-10899) Handle PHP8 MOD package naming convention changes [#2121](https://github.com/puppetlabs/puppetlabs-apache/pull/2121) ([sanfrancrisko](https://github.com/sanfrancrisko)) + +## [v5.9.0](https://github.com/puppetlabs/puppetlabs-apache/tree/v5.9.0) - 2021-01-25 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/v5.8.0...v5.9.0) + +### Added + +- Add ssl_user_name vhost parameter [#2093](https://github.com/puppetlabs/puppetlabs-apache/pull/2093) ([bodgit](https://github.com/bodgit)) +- Add support for mod_md [#2090](https://github.com/puppetlabs/puppetlabs-apache/pull/2090) ([smortex](https://github.com/smortex)) + +### Fixed + +- (FIX) Correct PHP packages on Ubuntu 16.04 [#2111](https://github.com/puppetlabs/puppetlabs-apache/pull/2111) ([ekohl](https://github.com/ekohl)) + +## [v5.8.0](https://github.com/puppetlabs/puppetlabs-apache/tree/v5.8.0) - 2020-12-07 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/v5.7.0...v5.8.0) + +### Added + +- (MODULES-10887) Set `use_servername_for_filenames` for defaults [#2103](https://github.com/puppetlabs/puppetlabs-apache/pull/2103) ([towo](https://github.com/towo)) +- pdksync - (feat) Add support for Puppet 7 [#2101](https://github.com/puppetlabs/puppetlabs-apache/pull/2101) ([daianamezdrea](https://github.com/daianamezdrea)) +- (feat) Add support for apreq2 MOD on Debian 9, 10 [#2085](https://github.com/puppetlabs/puppetlabs-apache/pull/2085) ([TigerKriika](https://github.com/TigerKriika)) + +### Fixed + +- (fix) Convert unnecessary multi line warnings to single lines [#2104](https://github.com/puppetlabs/puppetlabs-apache/pull/2104) ([rj667](https://github.com/rj667)) +- Fix bool2httpd function call for older ruby versions [#2102](https://github.com/puppetlabs/puppetlabs-apache/pull/2102) ([carabasdaniel](https://github.com/carabasdaniel)) + +## [v5.7.0](https://github.com/puppetlabs/puppetlabs-apache/tree/v5.7.0) - 2020-11-24 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/v5.6.0...v5.7.0) + +### Added + +- Add cas_cookie_path in vhosts [#2089](https://github.com/puppetlabs/puppetlabs-apache/pull/2089) ([yakatz](https://github.com/yakatz)) +- (IAC-1186) Add new $use_servername_for_filenames parameter [#2086](https://github.com/puppetlabs/puppetlabs-apache/pull/2086) ([sanfrancrisko](https://github.com/sanfrancrisko)) +- Allow relative paths in oidc_redirect_uri [#2082](https://github.com/puppetlabs/puppetlabs-apache/pull/2082) ([sanfrancrisko](https://github.com/sanfrancrisko)) +- Improve SSLVerify options [#2081](https://github.com/puppetlabs/puppetlabs-apache/pull/2081) ([bovy89](https://github.com/bovy89)) +- Change icon path [#2079](https://github.com/puppetlabs/puppetlabs-apache/pull/2079) ([yakatz](https://github.com/yakatz)) +- Support mod_auth_gssapi parameters [#2078](https://github.com/puppetlabs/puppetlabs-apache/pull/2078) ([traylenator](https://github.com/traylenator)) +- Add ssl_proxy_machine_cert_chain param to vhost class [#2072](https://github.com/puppetlabs/puppetlabs-apache/pull/2072) ([AbelNavarro](https://github.com/AbelNavarro)) + +### Fixed + +- Use Ruby 2.7 compatible string matching [#2074](https://github.com/puppetlabs/puppetlabs-apache/pull/2074) ([sanfrancrisko](https://github.com/sanfrancrisko)) + +## [v5.6.0](https://github.com/puppetlabs/puppetlabs-apache/tree/v5.6.0) - 2020-10-05 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/v5.5.0...v5.6.0) + +### Added + +- Configure default shared lib path for mod_wsgi on RHEL8 [#2063](https://github.com/puppetlabs/puppetlabs-apache/pull/2063) ([nbarrientos](https://github.com/nbarrientos)) +- Various enhancements to apache::mod::passenger [#2058](https://github.com/puppetlabs/puppetlabs-apache/pull/2058) ([smortex](https://github.com/smortex)) + +### Fixed + +- make apache::mod::fcgid redhat 8 compatible [#2071](https://github.com/puppetlabs/puppetlabs-apache/pull/2071) ([creativefre](https://github.com/creativefre)) +- pdksync - (feat) - Removal of inappropriate terminology [#2062](https://github.com/puppetlabs/puppetlabs-apache/pull/2062) ([pmcmaw](https://github.com/pmcmaw)) +- Use Ruby 2.7 compatible string matching [#2060](https://github.com/puppetlabs/puppetlabs-apache/pull/2060) ([ekohl](https://github.com/ekohl)) +- Use python3-mod_wsgi instead of mod_wsgi on CentOS8 [#2052](https://github.com/puppetlabs/puppetlabs-apache/pull/2052) ([kajinamit](https://github.com/kajinamit)) + +## [v5.5.0](https://github.com/puppetlabs/puppetlabs-apache/tree/v5.5.0) - 2020-07-03 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/v5.4.0...v5.5.0) + +### Added + +- Allow IPv6 CIDRs for proxy_protocol_exceptions in mod remoteip [#2033](https://github.com/puppetlabs/puppetlabs-apache/pull/2033) ([thechristschn](https://github.com/thechristschn)) +- (IAC-746) - Add ubuntu 20.04 support [#2032](https://github.com/puppetlabs/puppetlabs-apache/pull/2032) ([david22swan](https://github.com/david22swan)) +- Replace legacy `bool2httpd()` function with shim [#2025](https://github.com/puppetlabs/puppetlabs-apache/pull/2025) ([alexjfisher](https://github.com/alexjfisher)) +- Tidy up `pw_hash` function [#2024](https://github.com/puppetlabs/puppetlabs-apache/pull/2024) ([alexjfisher](https://github.com/alexjfisher)) +- Replace validate_apache_loglevel() with data type [#2023](https://github.com/puppetlabs/puppetlabs-apache/pull/2023) ([alexjfisher](https://github.com/alexjfisher)) +- Add ProxyIOBufferSize option [#2014](https://github.com/puppetlabs/puppetlabs-apache/pull/2014) ([jplindquist](https://github.com/jplindquist)) +- Add support for SetInputFilter directive [#2007](https://github.com/puppetlabs/puppetlabs-apache/pull/2007) ([HoucemEddine](https://github.com/HoucemEddine)) +- [MODULES-10530] Add request limiting directives on virtual host level [#1996](https://github.com/puppetlabs/puppetlabs-apache/pull/1996) ([aursu](https://github.com/aursu)) +- [MODULES-10528] Add ErrorLogFormat directive on virtual host level [#1995](https://github.com/puppetlabs/puppetlabs-apache/pull/1995) ([aursu](https://github.com/aursu)) +- Add template variables and parameters for ModSecurity Audit Logs [#1988](https://github.com/puppetlabs/puppetlabs-apache/pull/1988) ([jplindquist](https://github.com/jplindquist)) +- (MODULES-10432) Add mod_auth_openidc support [#1987](https://github.com/puppetlabs/puppetlabs-apache/pull/1987) ([asieraguado](https://github.com/asieraguado)) + +### Fixed + +- (MODULES-10712) Fix mod_ldap on RH/CentOS 5 and 6 [#2041](https://github.com/puppetlabs/puppetlabs-apache/pull/2041) ([h-haaks](https://github.com/h-haaks)) +- Update mod_dir, alias_icons_path, error_documents_path for CentOS 8 [#2038](https://github.com/puppetlabs/puppetlabs-apache/pull/2038) ([initrd](https://github.com/initrd)) +- Ensure switching of thread module works on Debian 10 / Ubuntu 20.04 [#2034](https://github.com/puppetlabs/puppetlabs-apache/pull/2034) ([tuxmea](https://github.com/tuxmea)) +- MODULES-10586 Centos 8: wrong package used to install mod_authnz_ldap [#2021](https://github.com/puppetlabs/puppetlabs-apache/pull/2021) ([farebers](https://github.com/farebers)) +- Re-add package for fcgid on debian/ubuntu machines [#2006](https://github.com/puppetlabs/puppetlabs-apache/pull/2006) ([vStone](https://github.com/vStone)) +- Use ldap_trusted_mode in conditional [#1999](https://github.com/puppetlabs/puppetlabs-apache/pull/1999) ([dacron](https://github.com/dacron)) +- Typo in oidcsettings.pp [#1997](https://github.com/puppetlabs/puppetlabs-apache/pull/1997) ([asieraguado](https://github.com/asieraguado)) +- Fix proxy_html Module to work on Debian 10 [#1994](https://github.com/puppetlabs/puppetlabs-apache/pull/1994) ([buchstabensalat](https://github.com/buchstabensalat)) +- (MODULES-10360) Fix icon paths for RedHat systems [#1991](https://github.com/puppetlabs/puppetlabs-apache/pull/1991) ([2and3makes23](https://github.com/2and3makes23)) +- SSLProxyEngine on has to be set before any Proxydirective using it [#1989](https://github.com/puppetlabs/puppetlabs-apache/pull/1989) ([zivis](https://github.com/zivis)) + +## [v5.4.0](https://github.com/puppetlabs/puppetlabs-apache/tree/v5.4.0) - 2020-01-23 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/v5.3.0...v5.4.0) + +### Added + +- Add an apache::vhost::fragment define [#1980](https://github.com/puppetlabs/puppetlabs-apache/pull/1980) ([ekohl](https://github.com/ekohl)) + +### Fixed + +- (MODULES-10391) ssl_protocol includes SSLv2 and SSLv3 on all platforms [#1990](https://github.com/puppetlabs/puppetlabs-apache/pull/1990) ([legooolas](https://github.com/legooolas)) + +## [v5.3.0](https://github.com/puppetlabs/puppetlabs-apache/tree/v5.3.0) - 2019-12-11 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/v5.2.0...v5.3.0) + +### Added + +- (FM-8672) - Addition of Support for CentOS 8 [#1977](https://github.com/puppetlabs/puppetlabs-apache/pull/1977) ([david22swan](https://github.com/david22swan)) +- (MODULES-9948) Allow switching of thread modules [#1961](https://github.com/puppetlabs/puppetlabs-apache/pull/1961) ([tuxmea](https://github.com/tuxmea)) + +### Fixed + +- Fix newline being added before proxy params [#1984](https://github.com/puppetlabs/puppetlabs-apache/pull/1984) ([oxc](https://github.com/oxc)) +- When using mod jk, we expect the libapache2-mod-jk package to be installed [#1979](https://github.com/puppetlabs/puppetlabs-apache/pull/1979) ([tuxmea](https://github.com/tuxmea)) +- move unless into manage_security_corerules [#1976](https://github.com/puppetlabs/puppetlabs-apache/pull/1976) ([SimonHoenscheid](https://github.com/SimonHoenscheid)) +- Change mod_proxy's ProxyTimeout to follow Apache's global timeout [#1975](https://github.com/puppetlabs/puppetlabs-apache/pull/1975) ([gcoxmoz](https://github.com/gcoxmoz)) +- (FM-8721) fix php version and ssl error on redhat8 [#1973](https://github.com/puppetlabs/puppetlabs-apache/pull/1973) ([sheenaajay](https://github.com/sheenaajay)) + +## [v5.2.0](https://github.com/puppetlabs/puppetlabs-apache/tree/v5.2.0) - 2019-11-01 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/v5.1.0...v5.2.0) + +### Added + +- Add parameter version for mod security [#1953](https://github.com/puppetlabs/puppetlabs-apache/pull/1953) ([tuxmea](https://github.com/tuxmea)) +- add possibility to define variables inside VirtualHost definition [#1947](https://github.com/puppetlabs/puppetlabs-apache/pull/1947) ([trefzer](https://github.com/trefzer)) + +### Fixed + +- (FM-8662) Correction in manifests/mod/ssl.pp for SLES 11 [#1963](https://github.com/puppetlabs/puppetlabs-apache/pull/1963) ([sanfrancrisko](https://github.com/sanfrancrisko)) +- always quote ExpiresDefault in vhost::directories [#1958](https://github.com/puppetlabs/puppetlabs-apache/pull/1958) ([evgeni](https://github.com/evgeni)) +- MODULES-9904 Fix lbmethod module load order [#1956](https://github.com/puppetlabs/puppetlabs-apache/pull/1956) ([optiz0r](https://github.com/optiz0r)) +- Add owner, group, file_mode and show_diff to apache::custom_config [#1942](https://github.com/puppetlabs/puppetlabs-apache/pull/1942) ([treydock](https://github.com/treydock)) +- Add shibboleth support for Debian 10 [#1939](https://github.com/puppetlabs/puppetlabs-apache/pull/1939) ([fabbks](https://github.com/fabbks)) + +## [v5.1.0](https://github.com/puppetlabs/puppetlabs-apache/tree/v5.1.0) - 2019-09-13 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/v5.0.0...v5.1.0) + +### Added + +- (FM-8393) add support on Debian 10 [#1945](https://github.com/puppetlabs/puppetlabs-apache/pull/1945) ([ThoughtCrhyme](https://github.com/ThoughtCrhyme)) +- FM-8140 Add Redhat 8 support [#1941](https://github.com/puppetlabs/puppetlabs-apache/pull/1941) ([sheenaajay](https://github.com/sheenaajay)) +- (FM-8214) converted to use litmus [#1938](https://github.com/puppetlabs/puppetlabs-apache/pull/1938) ([tphoney](https://github.com/tphoney)) +- (MODULES-9668 ) Please make ProxyRequests setting in vhost.pp configurable [#1935](https://github.com/puppetlabs/puppetlabs-apache/pull/1935) ([aukesj](https://github.com/aukesj)) +- Added unmanaged_path and custom_fragment options to userdir [#1931](https://github.com/puppetlabs/puppetlabs-apache/pull/1931) ([GeorgeCox](https://github.com/GeorgeCox)) +- Add LDAP parameters to httpd.conf [#1930](https://github.com/puppetlabs/puppetlabs-apache/pull/1930) ([daveseff](https://github.com/daveseff)) +- Add LDAPReferrals configuration parameter [#1928](https://github.com/puppetlabs/puppetlabs-apache/pull/1928) ([HT43-bqxFqB](https://github.com/HT43-bqxFqB)) + +### Fixed + +- (MODULES-9104) Add file_mode to config files. [#1922](https://github.com/puppetlabs/puppetlabs-apache/pull/1922) ([stevegarn](https://github.com/stevegarn)) +- (bugfix) Add default package name for mod_ldap [#1913](https://github.com/puppetlabs/puppetlabs-apache/pull/1913) ([turnopil](https://github.com/turnopil)) +- Remove event mpm when using prefork, worker or itk [#1905](https://github.com/puppetlabs/puppetlabs-apache/pull/1905) ([tuxmea](https://github.com/tuxmea)) + +## [v5.0.0](https://github.com/puppetlabs/puppetlabs-apache/tree/v5.0.0) - 2019-05-20 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/4.1.0...v5.0.0) + +### Changed + +- pdksync - (MODULES-8444) - Raise lower Puppet bound [#1908](https://github.com/puppetlabs/puppetlabs-apache/pull/1908) ([david22swan](https://github.com/david22swan)) + +### Added + +- (FM-7923) Implement Puppet Strings [#1916](https://github.com/puppetlabs/puppetlabs-apache/pull/1916) ([eimlav](https://github.com/eimlav)) +- Define SCL package name for mod_ldap [#1893](https://github.com/puppetlabs/puppetlabs-apache/pull/1893) ([treydock](https://github.com/treydock)) + +### Fixed + +- (MODULES-9014) Improve SSLSessionTickets handling [#1923](https://github.com/puppetlabs/puppetlabs-apache/pull/1923) ([FredL69](https://github.com/FredL69)) +- (MODULES-8931) Fix stahnma/epel failures [#1914](https://github.com/puppetlabs/puppetlabs-apache/pull/1914) ([eimlav](https://github.com/eimlav)) +- Fix wsgi_daemon_process to support hash data type [#1884](https://github.com/puppetlabs/puppetlabs-apache/pull/1884) ([mdechiaro](https://github.com/mdechiaro)) + +## [4.1.0](https://github.com/puppetlabs/puppetlabs-apache/tree/4.1.0) - 2019-04-05 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/4.0.0...4.1.0) + +### Added + +- (MODULES-7196) Allow setting CASRootProxiedAs per virtualhost (replaces #1857) [#1900](https://github.com/puppetlabs/puppetlabs-apache/pull/1900) ([Lavinia-Dan](https://github.com/Lavinia-Dan)) +- (feat) - Amazon Linux 2 compatibility added [#1898](https://github.com/puppetlabs/puppetlabs-apache/pull/1898) ([david22swan](https://github.com/david22swan)) +- (MODULES-8731) Allow CIDRs for proxy_ips/internal_proxy in remoteip [#1891](https://github.com/puppetlabs/puppetlabs-apache/pull/1891) ([JAORMX](https://github.com/JAORMX)) +- Manage all mod_remoteip parameters supported by Apache [#1882](https://github.com/puppetlabs/puppetlabs-apache/pull/1882) ([johanfleury](https://github.com/johanfleury)) +- MODULES-8541 : Allow HostnameLookups to be modified [#1881](https://github.com/puppetlabs/puppetlabs-apache/pull/1881) ([k2patel](https://github.com/k2patel)) +- Add support for mod_http2 [#1867](https://github.com/puppetlabs/puppetlabs-apache/pull/1867) ([smortex](https://github.com/smortex)) +- Added code to paramertize the libphp prefix [#1852](https://github.com/puppetlabs/puppetlabs-apache/pull/1852) ([grahamuk2018](https://github.com/grahamuk2018)) +- Added WSGI Options WSGIApplicationGroup and WSGIPythonOptimize [#1847](https://github.com/puppetlabs/puppetlabs-apache/pull/1847) ([emetriqLikedeeler](https://github.com/emetriqLikedeeler)) + +### Fixed + +- (bugfix) set kernel for facter version test [#1895](https://github.com/puppetlabs/puppetlabs-apache/pull/1895) ([tphoney](https://github.com/tphoney)) +- (MODULES-5990) - Managing conf_enabled [#1875](https://github.com/puppetlabs/puppetlabs-apache/pull/1875) ([david22swan](https://github.com/david22swan)) + +## [4.0.0](https://github.com/puppetlabs/puppetlabs-apache/tree/4.0.0) - 2019-01-10 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/3.5.0...4.0.0) + +### Changed + +- default server_tokens to prod - more secure default [#1746](https://github.com/puppetlabs/puppetlabs-apache/pull/1746) ([juju4](https://github.com/juju4)) + +### Added + +- (Modules 8141/Modules 8379) - Addition of support for SLES 15 [#1862](https://github.com/puppetlabs/puppetlabs-apache/pull/1862) ([david22swan](https://github.com/david22swan)) + +### Fixed + +- (MODULES-5990) - conf-enabled defaulted to undef [#1869](https://github.com/puppetlabs/puppetlabs-apache/pull/1869) ([david22swan](https://github.com/david22swan)) +- pdksync - (FM-7655) Fix rubygems-update for ruby < 2.3 [#1866](https://github.com/puppetlabs/puppetlabs-apache/pull/1866) ([tphoney](https://github.com/tphoney)) + +## [3.5.0](https://github.com/puppetlabs/puppetlabs-apache/tree/3.5.0) - 2018-12-17 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/3.4.0...3.5.0) + +### Added + +- (MODULES-5990) Addition of 'IncludeOptional conf-enabled/*.conf' to apache2.conf' on Debian Family OS [#1851](https://github.com/puppetlabs/puppetlabs-apache/pull/1851) ([david22swan](https://github.com/david22swan)) +- (MODULES-8107) - Support added for Ubuntu 18.04. [#1850](https://github.com/puppetlabs/puppetlabs-apache/pull/1850) ([david22swan](https://github.com/david22swan)) +- (MODULES-8108) - Support added for Debian 9 [#1849](https://github.com/puppetlabs/puppetlabs-apache/pull/1849) ([david22swan](https://github.com/david22swan)) +- Add option to add comments to the header of a vhost file [#1841](https://github.com/puppetlabs/puppetlabs-apache/pull/1841) ([jovandeginste](https://github.com/jovandeginste)) +- SCL support for httpd and php7.1 [#1822](https://github.com/puppetlabs/puppetlabs-apache/pull/1822) ([mmoll](https://github.com/mmoll)) + +### Fixed + +- (FM-7605) - Disabling conf_enabled on Ubuntu 18.04 by default as it conflicts with Shibboleth causing errors with apache2. [#1856](https://github.com/puppetlabs/puppetlabs-apache/pull/1856) ([david22swan](https://github.com/david22swan)) +- (MODULES-8429) Update GPG key for phusion passenger [#1848](https://github.com/puppetlabs/puppetlabs-apache/pull/1848) ([abottchen](https://github.com/abottchen)) +- Fix default vhost priority in readme [#1843](https://github.com/puppetlabs/puppetlabs-apache/pull/1843) ([HT43-bqxFqB](https://github.com/HT43-bqxFqB)) +- fix apache::mod::jk example typo and add link for more info [#1812](https://github.com/puppetlabs/puppetlabs-apache/pull/1812) ([xorpaul](https://github.com/xorpaul)) +- MODULES-7379: Fixing syntax by adding newline [#1803](https://github.com/puppetlabs/puppetlabs-apache/pull/1803) ([wimvr](https://github.com/wimvr)) +- ensure mpm_event is disabled under debian 9 if mpm itk is used [#1766](https://github.com/puppetlabs/puppetlabs-apache/pull/1766) ([zivis](https://github.com/zivis)) + +## [3.4.0](https://github.com/puppetlabs/puppetlabs-apache/tree/3.4.0) - 2018-09-28 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/3.3.0...3.4.0) + +### Added + +- pdksync - (FM-7392) - Puppet 6 Testing Changes [#1838](https://github.com/puppetlabs/puppetlabs-apache/pull/1838) ([pmcmaw](https://github.com/pmcmaw)) +- pdksync - (MODULES-6805) metadata.json shows support for puppet 6 [#1836](https://github.com/puppetlabs/puppetlabs-apache/pull/1836) ([tphoney](https://github.com/tphoney)) + +### Fixed + +- Fix "audit_log_relevant_status" typo in README.md [#1830](https://github.com/puppetlabs/puppetlabs-apache/pull/1830) ([smokris](https://github.com/smokris)) + +## [3.3.0](https://github.com/puppetlabs/puppetlabs-apache/tree/3.3.0) - 2018-09-12 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/3.2.0...3.3.0) + +### Added + +- pdksync - (MODULES-7705) - Bumping stdlib dependency from < 5.0.0 to < 6.0.0 [#1821](https://github.com/puppetlabs/puppetlabs-apache/pull/1821) ([pmcmaw](https://github.com/pmcmaw)) +- Add support for ProxyTimeout [#1805](https://github.com/puppetlabs/puppetlabs-apache/pull/1805) ([agoodno](https://github.com/agoodno)) +- Rework passenger VHost and Directories [#1778](https://github.com/puppetlabs/puppetlabs-apache/pull/1778) ([smortex](https://github.com/smortex)) + +### Fixed + +- MODULES-7575 reverse sort the aliases [#1808](https://github.com/puppetlabs/puppetlabs-apache/pull/1808) ([k2patel](https://github.com/k2patel)) + +## [3.2.0](https://github.com/puppetlabs/puppetlabs-apache/tree/3.2.0) - 2018-06-29 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/3.1.0...3.2.0) + +### Added + +- (MODULES-7343) - Allow overrides by adding mod_libs in apache class [#1800](https://github.com/puppetlabs/puppetlabs-apache/pull/1800) ([karelyatin](https://github.com/karelyatin)) +- Allow `apache::mod::passenger::passenger_pre_start` to accept multiple URIs [#1776](https://github.com/puppetlabs/puppetlabs-apache/pull/1776) ([smortex](https://github.com/smortex)) + +### Fixed + +- fixes for OpenSUSE ans SLES [#1783](https://github.com/puppetlabs/puppetlabs-apache/pull/1783) ([tuxmea](https://github.com/tuxmea)) + +## [3.1.0](https://github.com/puppetlabs/puppetlabs-apache/tree/3.1.0) - 2018-03-22 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/3.0.0...3.1.0) + +### Added + +- Allow overriding passenger_group in apache::vhost [#1769](https://github.com/puppetlabs/puppetlabs-apache/pull/1769) ([smortex](https://github.com/smortex)) + +## [3.0.0](https://github.com/puppetlabs/puppetlabs-apache/tree/3.0.0) - 2018-02-20 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/2.3.1...3.0.0) + +## [2.3.1](https://github.com/puppetlabs/puppetlabs-apache/tree/2.3.1) - 2018-02-02 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/2.3.0...2.3.1) + +### Added + +- Add LimitRequestFields parameter in main configuration [#1742](https://github.com/puppetlabs/puppetlabs-apache/pull/1742) ([geekix](https://github.com/geekix)) +- Add enable capabilities to itk [#1687](https://github.com/puppetlabs/puppetlabs-apache/pull/1687) ([edestecd](https://github.com/edestecd)) +- updated log formats to include client ip [#1686](https://github.com/puppetlabs/puppetlabs-apache/pull/1686) ([tenajsystems](https://github.com/tenajsystems)) +- MODULES-5452 - add $options to `balancer` type [#1668](https://github.com/puppetlabs/puppetlabs-apache/pull/1668) ([cedef](https://github.com/cedef)) +- [Modules 5385] Include support for Apache 2.4 mod_authz_host directives in apache::mod::status [#1667](https://github.com/puppetlabs/puppetlabs-apache/pull/1667) ([EmersonPrado](https://github.com/EmersonPrado)) +- Expose loadfile_name option to mod::python class [#1663](https://github.com/puppetlabs/puppetlabs-apache/pull/1663) ([traylenator](https://github.com/traylenator)) +- Add ShibCompatValidUser option to vhost config [#1657](https://github.com/puppetlabs/puppetlabs-apache/pull/1657) ([mdechiaro](https://github.com/mdechiaro)) + +### Fixed + +- Fix typos [#1728](https://github.com/puppetlabs/puppetlabs-apache/pull/1728) ([hfm](https://github.com/hfm)) +- [MODULES-5644] Package name is libapache2-mpm-itk for Debian 9 [#1724](https://github.com/puppetlabs/puppetlabs-apache/pull/1724) ([zivis](https://github.com/zivis)) +- Fix case of setting apache::mpm_module to false [#1720](https://github.com/puppetlabs/puppetlabs-apache/pull/1720) ([edestecd](https://github.com/edestecd)) +- remoteip: Notify apache::service instead of service['httpd'] [#1684](https://github.com/puppetlabs/puppetlabs-apache/pull/1684) ([sergiik](https://github.com/sergiik)) + +## [2.3.0](https://github.com/puppetlabs/puppetlabs-apache/tree/2.3.0) - 2017-10-11 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/2.2.0...2.3.0) + +## [2.2.0](https://github.com/puppetlabs/puppetlabs-apache/tree/2.2.0) - 2017-10-05 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/2.1.0...2.2.0) + +### Added + +- (MODULES-2062) updates prefork.conf params for apache 2.4 [#1685](https://github.com/puppetlabs/puppetlabs-apache/pull/1685) ([eputnam](https://github.com/eputnam)) +- MODULES-5426 : Add support for all mod_passenger server config settings [#1665](https://github.com/puppetlabs/puppetlabs-apache/pull/1665) ([dacat](https://github.com/dacat)) + +### Fixed + +- Wsgi inclusion [#1702](https://github.com/puppetlabs/puppetlabs-apache/pull/1702) ([willmeek](https://github.com/willmeek)) +- MODULES-5649 Do not install mod_fastcgi on el7 [#1701](https://github.com/puppetlabs/puppetlabs-apache/pull/1701) ([tphoney](https://github.com/tphoney)) + +## [2.1.0](https://github.com/puppetlabs/puppetlabs-apache/tree/2.1.0) - 2017-09-13 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/1.11.1...2.1.0) + +## [1.11.1](https://github.com/puppetlabs/puppetlabs-apache/tree/1.11.1) - 2017-09-13 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/2.0.0...1.11.1) + +### Added + +- [Modules 5519] Add port parameter in class mod::jk [#1679](https://github.com/puppetlabs/puppetlabs-apache/pull/1679) ([EmersonPrado](https://github.com/EmersonPrado)) +- (MODULES-3942) make sure mod_alias is loaded with redirectmatch [#1675](https://github.com/puppetlabs/puppetlabs-apache/pull/1675) ([eputnam](https://github.com/eputnam)) +- [Modules 5492] - Include treatment for absolute, relative and pipe paths for JkLogFile and JkShmFile for class mod::jk [#1671](https://github.com/puppetlabs/puppetlabs-apache/pull/1671) ([EmersonPrado](https://github.com/EmersonPrado)) +- Replace deprecated type checking with Puppet 4 types [#1670](https://github.com/puppetlabs/puppetlabs-apache/pull/1670) ([ekohl](https://github.com/ekohl)) +- [Modules 4746] Creates class for managing Apache mod_jk connector [#1630](https://github.com/puppetlabs/puppetlabs-apache/pull/1630) ([EmersonPrado](https://github.com/EmersonPrado)) +- Adds apache::mod::macro [#1590](https://github.com/puppetlabs/puppetlabs-apache/pull/1590) ([kyledecot](https://github.com/kyledecot)) + +### Fixed + +- Setup SSL/TLS client auth without overly broad trusts for client certificates [#1680](https://github.com/puppetlabs/puppetlabs-apache/pull/1680) ([epackorigan](https://github.com/epackorigan)) + +## [2.0.0](https://github.com/puppetlabs/puppetlabs-apache/tree/2.0.0) - 2017-07-26 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/1.11.0...2.0.0) + +### Changed + +- MODULES-4824: Update the version compatibility to >= 4.7.0 < 5.0.0 [#1628](https://github.com/puppetlabs/puppetlabs-apache/pull/1628) ([angrox](https://github.com/angrox)) +- Migrate to puppet4 datatypes [#1621](https://github.com/puppetlabs/puppetlabs-apache/pull/1621) ([bastelfreak](https://github.com/bastelfreak)) +- Set default keepalive to On [#1434](https://github.com/puppetlabs/puppetlabs-apache/pull/1434) ([sathieu](https://github.com/sathieu)) + +### Added + +- (MODULES-4933) Allow custom UserDir string [#1650](https://github.com/puppetlabs/puppetlabs-apache/pull/1650) ([hunner](https://github.com/hunner)) +- Add proxy_pass in directory template for location context [#1644](https://github.com/puppetlabs/puppetlabs-apache/pull/1644) ([toteva](https://github.com/toteva)) +- Don't install proxy_html package in ubuntu xenial [#1643](https://github.com/puppetlabs/puppetlabs-apache/pull/1643) ([amateo](https://github.com/amateo)) +- (MODULES-5121) Allow ssl.conf to have better defaults [#1636](https://github.com/puppetlabs/puppetlabs-apache/pull/1636) ([hunner](https://github.com/hunner)) +- MODULES-3838 Pass mod_packages through init.pp to allow overrides [#1631](https://github.com/puppetlabs/puppetlabs-apache/pull/1631) ([optiz0r](https://github.com/optiz0r)) +- MODULES-4946 Add HTTP protocol options support [#1629](https://github.com/puppetlabs/puppetlabs-apache/pull/1629) ([dspinellis](https://github.com/dspinellis)) +- Use enclose_ipv6 function from stdlib [#1624](https://github.com/puppetlabs/puppetlabs-apache/pull/1624) ([acritox](https://github.com/acritox)) +- (MODULES-4819) remove include_src parameter from vhost_spec [#1617](https://github.com/puppetlabs/puppetlabs-apache/pull/1617) ([eputnam](https://github.com/eputnam)) +- MODULES-4816 - new param for mod::security class [#1616](https://github.com/puppetlabs/puppetlabs-apache/pull/1616) ([cedef](https://github.com/cedef)) +- Add WSGIRestrictEmbedded to apache::mod::wsgi [#1614](https://github.com/puppetlabs/puppetlabs-apache/pull/1614) ([dsavineau](https://github.com/dsavineau)) +- Enable configuring CA file in ssl.conf [#1612](https://github.com/puppetlabs/puppetlabs-apache/pull/1612) ([JAORMX](https://github.com/JAORMX)) +- MODULES-4737 - Additional class params for mod ssl [#1611](https://github.com/puppetlabs/puppetlabs-apache/pull/1611) ([cedef](https://github.com/cedef)) +- Added supplementary_groups to the user resource [#1608](https://github.com/puppetlabs/puppetlabs-apache/pull/1608) ([chgarling](https://github.com/chgarling)) +- [msync] 786266 Implement puppet-module-gems, a45803 Remove metadata.json from locales config [#1606](https://github.com/puppetlabs/puppetlabs-apache/pull/1606) ([wilson208](https://github.com/wilson208)) +- Limit except support [#1605](https://github.com/puppetlabs/puppetlabs-apache/pull/1605) ([ffapitalle](https://github.com/ffapitalle)) +- (FM-6116) - Adding POT file for metadata.json [#1604](https://github.com/puppetlabs/puppetlabs-apache/pull/1604) ([pmcmaw](https://github.com/pmcmaw)) +- [MODULES-4528] Replace Puppet.version.to_f version comparison from spec_helper.rb [#1603](https://github.com/puppetlabs/puppetlabs-apache/pull/1603) ([wilson208](https://github.com/wilson208)) +- Add param for AllowOverride in the userdir.conf template [#1602](https://github.com/puppetlabs/puppetlabs-apache/pull/1602) ([dstepe](https://github.com/dstepe)) +- Modules-4500 Add optional "AdvertiseFrequency" directive in cluster.conf template [#1601](https://github.com/puppetlabs/puppetlabs-apache/pull/1601) ([EmersonPrado](https://github.com/EmersonPrado)) +- The base tag also needs link rewriting [#1599](https://github.com/puppetlabs/puppetlabs-apache/pull/1599) ([tobixen](https://github.com/tobixen)) +- MODULES-4391 add SSLProxyVerifyDepth and SSLProxyCACertificateFile directives [#1596](https://github.com/puppetlabs/puppetlabs-apache/pull/1596) ([hex2a](https://github.com/hex2a)) +- add parser function apache_pw_hash [#1592](https://github.com/puppetlabs/puppetlabs-apache/pull/1592) ([aptituz](https://github.com/aptituz)) +- Add mod_{authnz_pam,intercept_form_submit,lookup_identity} [#1588](https://github.com/puppetlabs/puppetlabs-apache/pull/1588) ([ekohl](https://github.com/ekohl)) +- Allow multiple ports per vhost [#1583](https://github.com/puppetlabs/puppetlabs-apache/pull/1583) ([tjikkun](https://github.com/tjikkun)) +- Feature/add charset [#1582](https://github.com/puppetlabs/puppetlabs-apache/pull/1582) ([harakiri406](https://github.com/harakiri406)) +- Add FileETag [#1581](https://github.com/puppetlabs/puppetlabs-apache/pull/1581) ([kuchosauronad0](https://github.com/kuchosauronad0)) +- (MODULES-4156) adds RequestHeader directive to vhost template #puppethack [#1573](https://github.com/puppetlabs/puppetlabs-apache/pull/1573) ([eputnam](https://github.com/eputnam)) +- add passenger_max_requests option per vhost [#1517](https://github.com/puppetlabs/puppetlabs-apache/pull/1517) ([pulecp](https://github.com/pulecp)) + +### Fixed + +- Ensure that ProxyPreserveHost is set even when ProxyPass (etc) are not. [#1639](https://github.com/puppetlabs/puppetlabs-apache/pull/1639) ([tpdownes](https://github.com/tpdownes)) +- When absolute path is specified for access_log_file/error_log_file, don't prepend logbase [#1633](https://github.com/puppetlabs/puppetlabs-apache/pull/1633) ([ca-asm](https://github.com/ca-asm)) +- Fix single quoted string [#1623](https://github.com/puppetlabs/puppetlabs-apache/pull/1623) ([lordbink](https://github.com/lordbink)) +- fixed apache group for SUSE/SLES Systems (checked for SLES11/12) [#1613](https://github.com/puppetlabs/puppetlabs-apache/pull/1613) ([pseiler](https://github.com/pseiler)) +- the wsgi_script_aliases need to support array type of value [#1609](https://github.com/puppetlabs/puppetlabs-apache/pull/1609) ([netman2k](https://github.com/netman2k)) +- Fix alignement in vhost.conf [#1607](https://github.com/puppetlabs/puppetlabs-apache/pull/1607) ([sathieu](https://github.com/sathieu)) +- [apache::mod::cgi] Fix: ordering constraint for mod_cgi [#1585](https://github.com/puppetlabs/puppetlabs-apache/pull/1585) ([punycode](https://github.com/punycode)) +- Fix vhost template [#1552](https://github.com/puppetlabs/puppetlabs-apache/pull/1552) ([iamspido](https://github.com/iamspido)) + +## [1.11.0](https://github.com/puppetlabs/puppetlabs-apache/tree/1.11.0) - 2016-12-19 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/1.10.0...1.11.0) + +### Added + +- (MODULES-4213) Adds spec test for rewrite_inherit [#1575](https://github.com/puppetlabs/puppetlabs-apache/pull/1575) ([bmjen](https://github.com/bmjen)) +- Add ability to set SSLStaplingReturnResponderErrors on server level [#1571](https://github.com/puppetlabs/puppetlabs-apache/pull/1571) ([tjikkun](https://github.com/tjikkun)) +- (MODULES-4213) Allow global rewrite rules inheritance in vhosts [#1569](https://github.com/puppetlabs/puppetlabs-apache/pull/1569) ([EmersonPrado](https://github.com/EmersonPrado)) +- mod_proxy_balancer manager [#1562](https://github.com/puppetlabs/puppetlabs-apache/pull/1562) ([sathieu](https://github.com/sathieu)) +- Add SSL stapling [#1561](https://github.com/puppetlabs/puppetlabs-apache/pull/1561) ([tjikkun](https://github.com/tjikkun)) +- ModSec debug logs to use apache logroot parameter [#1560](https://github.com/puppetlabs/puppetlabs-apache/pull/1560) ([scottmullaly](https://github.com/scottmullaly)) +- (MODULES-4049) SLES support [#1554](https://github.com/puppetlabs/puppetlabs-apache/pull/1554) ([eputnam](https://github.com/eputnam)) +- Validate wsgi_chunked_request parameter for vhost [#1553](https://github.com/puppetlabs/puppetlabs-apache/pull/1553) ([JAORMX](https://github.com/JAORMX)) +- (MODULES-4048) SLES 10 support [#1551](https://github.com/puppetlabs/puppetlabs-apache/pull/1551) ([eputnam](https://github.com/eputnam)) +- Support Passenger repo on Amazon Linux [#1549](https://github.com/puppetlabs/puppetlabs-apache/pull/1549) ([seefood](https://github.com/seefood)) +- Support parameter PassengerDataBufferDir [#1548](https://github.com/puppetlabs/puppetlabs-apache/pull/1548) ([seefood](https://github.com/seefood)) +- Allow user to specify alternative package and library names for shibboleth module [#1547](https://github.com/puppetlabs/puppetlabs-apache/pull/1547) ([tpdownes](https://github.com/tpdownes)) +- (FM-5739) removes mocha stubbing [#1540](https://github.com/puppetlabs/puppetlabs-apache/pull/1540) ([eputnam](https://github.com/eputnam)) +- Adding requirement for httpd package [#1539](https://github.com/puppetlabs/puppetlabs-apache/pull/1539) ([jplindquist](https://github.com/jplindquist)) +- Update modulesync_config [51f469d] [#1535](https://github.com/puppetlabs/puppetlabs-apache/pull/1535) ([DavidS](https://github.com/DavidS)) +- Allow the proxy_via setting to be configured [#1534](https://github.com/puppetlabs/puppetlabs-apache/pull/1534) ([bmjen](https://github.com/bmjen)) +- The meier move error log to params [#1533](https://github.com/puppetlabs/puppetlabs-apache/pull/1533) ([bmjen](https://github.com/bmjen)) +- Add path to shibboleth lib [#1532](https://github.com/puppetlabs/puppetlabs-apache/pull/1532) ([gvdb1967](https://github.com/gvdb1967)) +- Add rpaf.conf template parameter [#1531](https://github.com/puppetlabs/puppetlabs-apache/pull/1531) ([gvdb1967](https://github.com/gvdb1967)) +- (MODULES-3712) SLES 11 Support [#1528](https://github.com/puppetlabs/puppetlabs-apache/pull/1528) ([eputnam](https://github.com/eputnam)) +- Settings to control modcluster request size [#1527](https://github.com/puppetlabs/puppetlabs-apache/pull/1527) ([lexkastro](https://github.com/lexkastro)) +- Allow no_proxy_uris to be used within proxy_pass [#1524](https://github.com/puppetlabs/puppetlabs-apache/pull/1524) ([df7cb](https://github.com/df7cb)) +- Update modulesync_config [a3fe424] [#1519](https://github.com/puppetlabs/puppetlabs-apache/pull/1519) ([DavidS](https://github.com/DavidS)) +- Update modulesync_config [0d59329] [#1518](https://github.com/puppetlabs/puppetlabs-apache/pull/1518) ([DavidS](https://github.com/DavidS)) +- Add some more passenger params [#1510](https://github.com/puppetlabs/puppetlabs-apache/pull/1510) ([Reamer](https://github.com/Reamer)) +- MODULES-3682 - config of auth_dbd, include dbd, allow AuthnProviderAlias [#1508](https://github.com/puppetlabs/puppetlabs-apache/pull/1508) ([johndixon](https://github.com/johndixon)) +- mod_passenger: PassengerMaxInstancesPerApp option [#1503](https://github.com/puppetlabs/puppetlabs-apache/pull/1503) ([ygt-davidstirling](https://github.com/ygt-davidstirling)) +- add force option to confd file resource [#1502](https://github.com/puppetlabs/puppetlabs-apache/pull/1502) ([martinpfeifer](https://github.com/martinpfeifer)) +- Auto load Apache::Mod[slotmem_shm] and Apache::Mod[lbmethod_byrequest… [#1499](https://github.com/puppetlabs/puppetlabs-apache/pull/1499) ([sathieu](https://github.com/sathieu)) +- Allow to set SecAuditLog [#1490](https://github.com/puppetlabs/puppetlabs-apache/pull/1490) ([sathieu](https://github.com/sathieu)) +- Add wsgi script aliases match [#1485](https://github.com/puppetlabs/puppetlabs-apache/pull/1485) ([tphoney](https://github.com/tphoney)) +- Add cas_cookie_path_mode param [#1475](https://github.com/puppetlabs/puppetlabs-apache/pull/1475) ([edestecd](https://github.com/edestecd)) +- Added support for apache 2.4 on Amazon Linux [#1473](https://github.com/puppetlabs/puppetlabs-apache/pull/1473) ([lotjuh](https://github.com/lotjuh)) +- Add apache::mod::socache_shmcb so it can be included multiple times [#1471](https://github.com/puppetlabs/puppetlabs-apache/pull/1471) ([mpdude](https://github.com/mpdude)) +- Manage default root directory access rights [#1468](https://github.com/puppetlabs/puppetlabs-apache/pull/1468) ([smoeding](https://github.com/smoeding)) +- Add apache::mod::proxy_wstunnel and tests [#1465](https://github.com/puppetlabs/puppetlabs-apache/pull/1465) ([DavidS](https://github.com/DavidS)) +- Add apache::mod::proxy_wstunnel [#1462](https://github.com/puppetlabs/puppetlabs-apache/pull/1462) ([sathieu](https://github.com/sathieu)) +- add additional directories options for LDAP Auth [#1443](https://github.com/puppetlabs/puppetlabs-apache/pull/1443) ([zivis](https://github.com/zivis)) +- Update _block.erb [#1441](https://github.com/puppetlabs/puppetlabs-apache/pull/1441) ([jostmart](https://github.com/jostmart)) +- Support the newer mod_auth_cas config options [#1436](https://github.com/puppetlabs/puppetlabs-apache/pull/1436) ([pcfens](https://github.com/pcfens)) +- Wrap mod_security directives in an IfModule [#1423](https://github.com/puppetlabs/puppetlabs-apache/pull/1423) ([kimor79](https://github.com/kimor79)) + +### Fixed + +- Fix conditional in vhost ssl template [#1574](https://github.com/puppetlabs/puppetlabs-apache/pull/1574) ([bmjen](https://github.com/bmjen)) +- Avoid relative classname inclusion [#1566](https://github.com/puppetlabs/puppetlabs-apache/pull/1566) ([roidelapluie](https://github.com/roidelapluie)) +- custom facts shouldn't break structured facts [#1565](https://github.com/puppetlabs/puppetlabs-apache/pull/1565) ([igalic](https://github.com/igalic)) +- (#MODULES-3744) Process $crs_package before $modsec_dir [#1563](https://github.com/puppetlabs/puppetlabs-apache/pull/1563) ([EmersonPrado](https://github.com/EmersonPrado)) +- (MODULES-3972) fixes version errors and small fix for suse ssl [#1557](https://github.com/puppetlabs/puppetlabs-apache/pull/1557) ([eputnam](https://github.com/eputnam)) +- Don't fail if first element of is not an hash before flattening [#1555](https://github.com/puppetlabs/puppetlabs-apache/pull/1555) ([sathieu](https://github.com/sathieu)) +- [MODULES-3548] SLES 12 fix [#1545](https://github.com/puppetlabs/puppetlabs-apache/pull/1545) ([HelenCampbell](https://github.com/HelenCampbell)) +- Move ssl.conf to main conf directory on EL7 [#1543](https://github.com/puppetlabs/puppetlabs-apache/pull/1543) ([stbenjam](https://github.com/stbenjam)) +- Do not set ssl_certs_dir on FreeBSD [#1538](https://github.com/puppetlabs/puppetlabs-apache/pull/1538) ([smortex](https://github.com/smortex)) +- [MODULES-3882] Don't write empty servername for vhost to template [#1526](https://github.com/puppetlabs/puppetlabs-apache/pull/1526) ([JAORMX](https://github.com/JAORMX)) +- Bug - Port numbers must be quoted [#1525](https://github.com/puppetlabs/puppetlabs-apache/pull/1525) ([blackknight36](https://github.com/blackknight36)) +- Fixes spec tests for apache::mod::disk_cache [#1509](https://github.com/puppetlabs/puppetlabs-apache/pull/1509) ([gerhardsam](https://github.com/gerhardsam)) +- Httpoxy fix [#1506](https://github.com/puppetlabs/puppetlabs-apache/pull/1506) ([simonrondelez](https://github.com/simonrondelez)) +- Fix non breaking space (MODULES-3503) [#1489](https://github.com/puppetlabs/puppetlabs-apache/pull/1489) ([Jeoffreybauvin](https://github.com/Jeoffreybauvin)) +- Fix PassengerRoot under Debian stretch [#1478](https://github.com/puppetlabs/puppetlabs-apache/pull/1478) ([sathieu](https://github.com/sathieu)) +- variety of xenial fixes [#1477](https://github.com/puppetlabs/puppetlabs-apache/pull/1477) ([tphoney](https://github.com/tphoney)) +- fix and make 2.4 require docu more readable [#1466](https://github.com/puppetlabs/puppetlabs-apache/pull/1466) ([HT43-bqxFqB](https://github.com/HT43-bqxFqB)) +- apache::balancer now respects apache::confd_dir [#1463](https://github.com/puppetlabs/puppetlabs-apache/pull/1463) ([traylenator](https://github.com/traylenator)) + +## [1.10.0](https://github.com/puppetlabs/puppetlabs-apache/tree/1.10.0) - 2016-05-19 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/1.9.0...1.10.0) + +### Added + +- Remove duplicate shib2 hash element [#1458](https://github.com/puppetlabs/puppetlabs-apache/pull/1458) ([domcleal](https://github.com/domcleal)) +- mod_event: parameters can be unset [#1455](https://github.com/puppetlabs/puppetlabs-apache/pull/1455) ([timogoebel](https://github.com/timogoebel)) +- Set DAV parameters in a directory block [#1454](https://github.com/puppetlabs/puppetlabs-apache/pull/1454) ([jonnytdevops](https://github.com/jonnytdevops)) +- Add support for mod_cluster, an httpd-based load balancer. [#1453](https://github.com/puppetlabs/puppetlabs-apache/pull/1453) ([jonnytdevops](https://github.com/jonnytdevops)) +- Only set SSLCompression when it is set to true. [#1452](https://github.com/puppetlabs/puppetlabs-apache/pull/1452) ([buzzdeee](https://github.com/buzzdeee)) +- Add class apache::vhosts to create apache::vhost resources [#1450](https://github.com/puppetlabs/puppetlabs-apache/pull/1450) ([gerhardsam](https://github.com/gerhardsam)) +- Allow setting KeepAlive related options per vhost [#1447](https://github.com/puppetlabs/puppetlabs-apache/pull/1447) ([antaflos](https://github.com/antaflos)) + +### Fixed + +- Set actual path to apachectl on FreeBSD. [#1448](https://github.com/puppetlabs/puppetlabs-apache/pull/1448) ([smortex](https://github.com/smortex)) +- Revert "changed rpaf Configuration Directives: RPAF -> RPAF_" [#1446](https://github.com/puppetlabs/puppetlabs-apache/pull/1446) ([antaflos](https://github.com/antaflos)) +- mod_event: do not set parameters twice [#1445](https://github.com/puppetlabs/puppetlabs-apache/pull/1445) ([timogoebel](https://github.com/timogoebel)) +- setting options-hash in proxy_pass or proxy_match leads to syntax errors in Apache [#1444](https://github.com/puppetlabs/puppetlabs-apache/pull/1444) ([zivis](https://github.com/zivis)) +- Fixed trailing slash in lib_path on Suse [#1429](https://github.com/puppetlabs/puppetlabs-apache/pull/1429) ([OpenCoreCH](https://github.com/OpenCoreCH)) +- Add simple support + ProxyAddHeaders [#1427](https://github.com/puppetlabs/puppetlabs-apache/pull/1427) ([costela](https://github.com/costela)) + +## [1.9.0](https://github.com/puppetlabs/puppetlabs-apache/tree/1.9.0) - 2016-04-21 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/1.8.1...1.9.0) + +### Added + +- Expose verify_config in apache::vhost::custom [#1433](https://github.com/puppetlabs/puppetlabs-apache/pull/1433) ([cmurphy](https://github.com/cmurphy)) +- (MODULES-3140) explicitly rely on hasrestart if no restart command is… [#1432](https://github.com/puppetlabs/puppetlabs-apache/pull/1432) ([DavidS](https://github.com/DavidS)) +- (MODULES-3274) mod-info: specify the info_path [#1431](https://github.com/puppetlabs/puppetlabs-apache/pull/1431) ([DavidS](https://github.com/DavidS)) +- Update to newest modulesync_configs [9ca280f] [#1426](https://github.com/puppetlabs/puppetlabs-apache/pull/1426) ([DavidS](https://github.com/DavidS)) +- Allow for pagespeed mod to automatically be updated to the latest version [#1422](https://github.com/puppetlabs/puppetlabs-apache/pull/1422) ([lymichaels](https://github.com/lymichaels)) +- Allow package names to be specified for mod_proxy, mod_ldap, and mod_authnz_ldap [#1421](https://github.com/puppetlabs/puppetlabs-apache/pull/1421) ([MG2R](https://github.com/MG2R)) +- Add parameter passanger_log_level [#1420](https://github.com/puppetlabs/puppetlabs-apache/pull/1420) ([samuelb](https://github.com/samuelb)) +- add passenger_high_performance on the vhost level [#1419](https://github.com/puppetlabs/puppetlabs-apache/pull/1419) ([timogoebel](https://github.com/timogoebel)) +- Adding SSLProxyCheckPeerExpire support [#1418](https://github.com/puppetlabs/puppetlabs-apache/pull/1418) ([jasonhancock](https://github.com/jasonhancock)) +- (MODULES-3218) add auth_merging for directory enteries [#1412](https://github.com/puppetlabs/puppetlabs-apache/pull/1412) ([pyther](https://github.com/pyther)) +- MODULES-3212: add parallel_spec option [#1410](https://github.com/puppetlabs/puppetlabs-apache/pull/1410) ([jlambert121](https://github.com/jlambert121)) +- MODULES-1352 : Better support for Apache 2.4 style require directives implementation [#1408](https://github.com/puppetlabs/puppetlabs-apache/pull/1408) ([witjoh](https://github.com/witjoh)) +- Added vhost options SecRuleRemoveByTag and SecRuleRemoveByMsg [#1407](https://github.com/puppetlabs/puppetlabs-apache/pull/1407) ([FlatKey](https://github.com/FlatKey)) +- Configurability of Collaborative Detection Threshold Levels for OWASP Core Rule Set [#1405](https://github.com/puppetlabs/puppetlabs-apache/pull/1405) ([FlatKey](https://github.com/FlatKey)) +- Configurability of Collaborative Detection Severity Levels for OWASP Core Rule Set [#1404](https://github.com/puppetlabs/puppetlabs-apache/pull/1404) ([FlatKey](https://github.com/FlatKey)) +- Configurability of SecDefaultAction for OWASP Core Rule Set [#1403](https://github.com/puppetlabs/puppetlabs-apache/pull/1403) ([FlatKey](https://github.com/FlatKey)) +- MODULES-2179: Implement SetEnvIfNoCase [#1402](https://github.com/puppetlabs/puppetlabs-apache/pull/1402) ([jlambert121](https://github.com/jlambert121)) +- Load mod_xml2enc on Apache >= 2.4 on Debian [#1401](https://github.com/puppetlabs/puppetlabs-apache/pull/1401) ([sathieu](https://github.com/sathieu)) +- Take igalic's suggestion to use bool2httpd [#1400](https://github.com/puppetlabs/puppetlabs-apache/pull/1400) ([tpdownes](https://github.com/tpdownes)) +- Added vhost option fastcgi_idle_timeout [#1399](https://github.com/puppetlabs/puppetlabs-apache/pull/1399) ([michakrause](https://github.com/michakrause)) +- Move all ensure parameters from concat::fragment to concat [#1396](https://github.com/puppetlabs/puppetlabs-apache/pull/1396) ([domcleal](https://github.com/domcleal)) +- mod_ssl requires mod_mime for AddType directives [#1394](https://github.com/puppetlabs/puppetlabs-apache/pull/1394) ([sathieu](https://github.com/sathieu)) +- Allow configuring mod_security's SecAuditLogParts [#1392](https://github.com/puppetlabs/puppetlabs-apache/pull/1392) ([stig](https://github.com/stig)) +- (#3139) Add support for PassengerUser [#1391](https://github.com/puppetlabs/puppetlabs-apache/pull/1391) ([Reamer](https://github.com/Reamer)) +- add support for SSLProxyProtocol directive [#1390](https://github.com/puppetlabs/puppetlabs-apache/pull/1390) ([saimonn](https://github.com/saimonn)) +- Add mellon_sp_metadata_file parameter for directory entries [#1389](https://github.com/puppetlabs/puppetlabs-apache/pull/1389) ([jokajak](https://github.com/jokajak)) +- Manage mod dir before things that depend on mods [#1388](https://github.com/puppetlabs/puppetlabs-apache/pull/1388) ([cmurphy](https://github.com/cmurphy)) +- add support for fcgi [#1387](https://github.com/puppetlabs/puppetlabs-apache/pull/1387) ([mlhess](https://github.com/mlhess)) +- apache::balancer: Add a target parameter to write to a custom path [#1386](https://github.com/puppetlabs/puppetlabs-apache/pull/1386) ([roidelapluie](https://github.com/roidelapluie)) +- Add JkMount/JkUnmount directives to vhost [#1384](https://github.com/puppetlabs/puppetlabs-apache/pull/1384) ([smoeding](https://github.com/smoeding)) +- Remove SSLv3 [#1383](https://github.com/puppetlabs/puppetlabs-apache/pull/1383) ([ghoneycutt](https://github.com/ghoneycutt)) +- include apache, so parsing works [#1380](https://github.com/puppetlabs/puppetlabs-apache/pull/1380) ([tphoney](https://github.com/tphoney)) +- include apache, so parsing works. [#1377](https://github.com/puppetlabs/puppetlabs-apache/pull/1377) ([tphoney](https://github.com/tphoney)) +- mod/ssl: Add option to configure SSL mutex [#1371](https://github.com/puppetlabs/puppetlabs-apache/pull/1371) ([daenney](https://github.com/daenney)) +- support pass-header option in apache::fastcgi::server [#1370](https://github.com/puppetlabs/puppetlabs-apache/pull/1370) ([janschumann](https://github.com/janschumann)) +- Support socket communication option in apache::fastcgi::server [#1368](https://github.com/puppetlabs/puppetlabs-apache/pull/1368) ([janschumann](https://github.com/janschumann)) +- allow include in vhost directory [#1366](https://github.com/puppetlabs/puppetlabs-apache/pull/1366) ([Zarne](https://github.com/Zarne)) +- support Ubuntu xenial (16.04) [#1364](https://github.com/puppetlabs/puppetlabs-apache/pull/1364) ([mmoll](https://github.com/mmoll)) +- changed rpaf Configuration Directives: RPAF -> RPAF_ [#1361](https://github.com/puppetlabs/puppetlabs-apache/pull/1361) ([gvdb1967](https://github.com/gvdb1967)) +- (MODULES-2756) Adding include ::apache so mkdir exec works properly [#1236](https://github.com/puppetlabs/puppetlabs-apache/pull/1236) ([damonconway](https://github.com/damonconway)) + +### Fixed + +- fix incorrect use of .join() with newlines [#1425](https://github.com/puppetlabs/puppetlabs-apache/pull/1425) ([mpeter](https://github.com/mpeter)) +- SSLCompression directive only available with apache 2.4.3 [#1417](https://github.com/puppetlabs/puppetlabs-apache/pull/1417) ([Reamer](https://github.com/Reamer)) +- Fix in custom fact "apache_version" for OracleLinux. [#1416](https://github.com/puppetlabs/puppetlabs-apache/pull/1416) ([Reamer](https://github.com/Reamer)) +- MODULES-3211: fix broken strict_variable tests [#1414](https://github.com/puppetlabs/puppetlabs-apache/pull/1414) ([jonnytdevops](https://github.com/jonnytdevops)) +- MODULES-3211: fix broken strict_variable tests [#1409](https://github.com/puppetlabs/puppetlabs-apache/pull/1409) ([jlambert121](https://github.com/jlambert121)) +- Fix MODULES-3158 (any string interpreted as SSLCompression on) [#1398](https://github.com/puppetlabs/puppetlabs-apache/pull/1398) ([tpdownes](https://github.com/tpdownes)) +- Fix broken internal link for virtual hosts configuration [#1369](https://github.com/puppetlabs/puppetlabs-apache/pull/1369) ([gerhardsam](https://github.com/gerhardsam)) + +## [1.8.1](https://github.com/puppetlabs/puppetlabs-apache/tree/1.8.1) - 2016-02-08 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/1.8.0...1.8.1) + +### Added + +- allow status code on redirect match to be optional and not a requirement [#1355](https://github.com/puppetlabs/puppetlabs-apache/pull/1355) ([BigAl](https://github.com/BigAl)) +- Ldap parameters [#1352](https://github.com/puppetlabs/puppetlabs-apache/pull/1352) ([tphoney](https://github.com/tphoney)) +- Add apache_version fact [#1347](https://github.com/puppetlabs/puppetlabs-apache/pull/1347) ([jyaworski](https://github.com/jyaworski)) +- (FM-4049) update to modulesync_configs [#1343](https://github.com/puppetlabs/puppetlabs-apache/pull/1343) ([DavidS](https://github.com/DavidS)) +- Specify owning permissions for logroot directory [#1340](https://github.com/puppetlabs/puppetlabs-apache/pull/1340) ([SlavaValAl](https://github.com/SlavaValAl)) +- add file_mode to mod manifests [#1338](https://github.com/puppetlabs/puppetlabs-apache/pull/1338) ([timogoebel](https://github.com/timogoebel)) +- Added support for modsecurity parameter SecPcreMatchLimit and SecPcr… [#1296](https://github.com/puppetlabs/puppetlabs-apache/pull/1296) ([whotwagner](https://github.com/whotwagner)) + +### Fixed + +- Fix in custom fact "apache_version" for RHEL. [#1360](https://github.com/puppetlabs/puppetlabs-apache/pull/1360) ([BobVincentatNCRdotcom](https://github.com/BobVincentatNCRdotcom)) +- Fix passenger on redhat systems [#1354](https://github.com/puppetlabs/puppetlabs-apache/pull/1354) ([hunner](https://github.com/hunner)) +- ThreadLimit needs to be above MaxClients or it is ignored. https://bz… [#1351](https://github.com/puppetlabs/puppetlabs-apache/pull/1351) ([tphoney](https://github.com/tphoney)) +- Bugfix: require concat, not file [#1350](https://github.com/puppetlabs/puppetlabs-apache/pull/1350) ([BobVincentatNCRdotcom](https://github.com/BobVincentatNCRdotcom)) +- (MODULES-3018) Fixes apache to work correctly with concat. [#1348](https://github.com/puppetlabs/puppetlabs-apache/pull/1348) ([bmjen](https://github.com/bmjen)) +- Fix fcgid.conf on Debian [#1331](https://github.com/puppetlabs/puppetlabs-apache/pull/1331) ([sathieu](https://github.com/sathieu)) +- MODULES-2958 : correct CustomLog syslog entry [#1322](https://github.com/puppetlabs/puppetlabs-apache/pull/1322) ([BigAl](https://github.com/BigAl)) + +## [1.8.0](https://github.com/puppetlabs/puppetlabs-apache/tree/1.8.0) - 2016-01-25 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/1.7.1...1.8.0) + +### Added + +- add paramter to set config file permissions [#1333](https://github.com/puppetlabs/puppetlabs-apache/pull/1333) ([timogoebel](https://github.com/timogoebel)) +- (MODULES-2964) Enable PassengerMaxRequestQueueSize to be set [#1323](https://github.com/puppetlabs/puppetlabs-apache/pull/1323) ([traylenator](https://github.com/traylenator)) +- MODULES-2956: Enable options within location block on proxy_match [#1317](https://github.com/puppetlabs/puppetlabs-apache/pull/1317) ([jlambert121](https://github.com/jlambert121)) +- Support itk on redhat [#1316](https://github.com/puppetlabs/puppetlabs-apache/pull/1316) ([edestecd](https://github.com/edestecd)) +- SSLProxyVerify [#1311](https://github.com/puppetlabs/puppetlabs-apache/pull/1311) ([occelebi](https://github.com/occelebi)) +- Support the mod_proxy ProxPassReverseCookieDomain directive [#1309](https://github.com/puppetlabs/puppetlabs-apache/pull/1309) ([occelebi](https://github.com/occelebi)) +- Add X-Forwarded-For into log_formats defaults [#1308](https://github.com/puppetlabs/puppetlabs-apache/pull/1308) ([mpolenchuk](https://github.com/mpolenchuk)) +- Put headers and request headers before proxy [#1306](https://github.com/puppetlabs/puppetlabs-apache/pull/1306) ([quixoten](https://github.com/quixoten)) +- EL7 uses conf.modules.d directory for modules. [#1305](https://github.com/puppetlabs/puppetlabs-apache/pull/1305) ([jasonhancock](https://github.com/jasonhancock)) +- Support proxy provider for vhost directories. [#1304](https://github.com/puppetlabs/puppetlabs-apache/pull/1304) ([roidelapluie](https://github.com/roidelapluie)) + +### Fixed + +- MODULES-2990: Gentoo - fix module includes in portage::makeconf [#1337](https://github.com/puppetlabs/puppetlabs-apache/pull/1337) ([derdanne](https://github.com/derdanne)) +- fix vhosts listen to wildcard ip [#1335](https://github.com/puppetlabs/puppetlabs-apache/pull/1335) ([timogoebel](https://github.com/timogoebel)) +- fixing apache_parameters_spec.rb [#1330](https://github.com/puppetlabs/puppetlabs-apache/pull/1330) ([tphoney](https://github.com/tphoney)) +- a path is needed for ProxyPassReverse [#1327](https://github.com/puppetlabs/puppetlabs-apache/pull/1327) ([tphoney](https://github.com/tphoney)) +- Fixing error in Amazon $operatingsystem comparison [#1321](https://github.com/puppetlabs/puppetlabs-apache/pull/1321) ([ryno75](https://github.com/ryno75)) +- fix ordering of catalogue for redhat 7 [#1319](https://github.com/puppetlabs/puppetlabs-apache/pull/1319) ([tphoney](https://github.com/tphoney)) +- fix validation error when empty array is passed as rewrites parameter [#1301](https://github.com/puppetlabs/puppetlabs-apache/pull/1301) ([timogoebel](https://github.com/timogoebel)) +- Fix typo with versioncmp [#1299](https://github.com/puppetlabs/puppetlabs-apache/pull/1299) ([pabelanger](https://github.com/pabelanger)) +- enable setting LimitRequestFieldSize globally as it does not actually… [#1293](https://github.com/puppetlabs/puppetlabs-apache/pull/1293) ([KlavsKlavsen](https://github.com/KlavsKlavsen)) +- Fixes paths and packages for the shib2 module on Debian [#1292](https://github.com/puppetlabs/puppetlabs-apache/pull/1292) ([cholyoak](https://github.com/cholyoak)) +- Add ::apache::vhost::custom [#1271](https://github.com/puppetlabs/puppetlabs-apache/pull/1271) ([pabelanger](https://github.com/pabelanger)) + +## [1.7.1](https://github.com/puppetlabs/puppetlabs-apache/tree/1.7.1) - 2015-12-04 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/1.7.0...1.7.1) + +### Added + +- (MODULES-2682, FM-3919) Use more FilesMatch [#1280](https://github.com/puppetlabs/puppetlabs-apache/pull/1280) ([DavidS](https://github.com/DavidS)) +- (MODULES-2682) Update Apache Configuration to use FilesMatch instead … [#1277](https://github.com/puppetlabs/puppetlabs-apache/pull/1277) ([DavidS](https://github.com/DavidS)) +- (MODULES-2703) Allow mod pagespeed to take an array of lines as additional_configuration [#1276](https://github.com/puppetlabs/puppetlabs-apache/pull/1276) ([DavidS](https://github.com/DavidS)) +- add ability to overide file name generation in custom_config [#1270](https://github.com/puppetlabs/puppetlabs-apache/pull/1270) ([karmix](https://github.com/karmix)) +- (MODULES-2834) Support SSLProxyCheckPeerCN and SSLProxyCheckPeerName … [#1268](https://github.com/puppetlabs/puppetlabs-apache/pull/1268) ([traylenator](https://github.com/traylenator)) +- Leave require directive unmanaged [#1267](https://github.com/puppetlabs/puppetlabs-apache/pull/1267) ([robertvargason](https://github.com/robertvargason)) +- Added support for LDAPTrustedGlobalCert option to apache::mod::ldap [#1262](https://github.com/puppetlabs/puppetlabs-apache/pull/1262) ([lukebigum](https://github.com/lukebigum)) + +### Fixed + +- (MODULES-2200, MODULES-2865) fix ITK configuration on Ubuntu [#1288](https://github.com/puppetlabs/puppetlabs-apache/pull/1288) ([bmjen](https://github.com/bmjen)) +- (MODULES-2773) Duplicate Entries in Spec Files [#1278](https://github.com/puppetlabs/puppetlabs-apache/pull/1278) ([DavidS](https://github.com/DavidS)) +- (MODULES-2863) Set SSLProxy directives even if ssl is false [#1274](https://github.com/puppetlabs/puppetlabs-apache/pull/1274) ([ckaenzig](https://github.com/ckaenzig)) + +## [1.7.0](https://github.com/puppetlabs/puppetlabs-apache/tree/1.7.0) - 2015-11-17 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/1.6.0...1.7.0) + +### Added + +- Add support for changing mod_nss listen port (vol 2) [#1260](https://github.com/puppetlabs/puppetlabs-apache/pull/1260) ([rexcze-zz](https://github.com/rexcze-zz)) +- (MODULES-2811) Add missing helper lines to spec files [#1256](https://github.com/puppetlabs/puppetlabs-apache/pull/1256) ([alex-harvey-z3q](https://github.com/alex-harvey-z3q)) +- Add missing parameters in mod_auth_kerb [#1255](https://github.com/puppetlabs/puppetlabs-apache/pull/1255) ([olivierHa](https://github.com/olivierHa)) +- (MODULES-2764) Enclose IPv6 addresses in square brackets [#1248](https://github.com/puppetlabs/puppetlabs-apache/pull/1248) ([Benedikt1992](https://github.com/Benedikt1992)) +- (MODULES-2757) Adding if around ServerName in template [#1237](https://github.com/puppetlabs/puppetlabs-apache/pull/1237) ([damonconway](https://github.com/damonconway)) +- (MODULES-2651) Default document root update for Ubuntu 14.04 and Debian 8 [#1235](https://github.com/puppetlabs/puppetlabs-apache/pull/1235) ([abednarik](https://github.com/abednarik)) +- Update mime.conf.erb to support dynamic AddHandler AddType AddOutputF… [#1232](https://github.com/puppetlabs/puppetlabs-apache/pull/1232) ([prabin5](https://github.com/prabin5)) +- #2544 Allow multiple IP addresses per vhost [#1229](https://github.com/puppetlabs/puppetlabs-apache/pull/1229) ([Benedikt1992](https://github.com/Benedikt1992)) +- RewriteLock support [#1228](https://github.com/puppetlabs/puppetlabs-apache/pull/1228) ([wickedOne](https://github.com/wickedOne)) +- (MODULES-2120) Allow empty docroot [#1224](https://github.com/puppetlabs/puppetlabs-apache/pull/1224) ([DavidS](https://github.com/DavidS)) +- Add option to configure the include pattern for the vhost_enable dir [#1223](https://github.com/puppetlabs/puppetlabs-apache/pull/1223) ([DavidS](https://github.com/DavidS)) +- (MODULES-2120) Allow empty docroot [#1222](https://github.com/puppetlabs/puppetlabs-apache/pull/1222) ([yakatz](https://github.com/yakatz)) +- Install all modules before adding custom configs [#1221](https://github.com/puppetlabs/puppetlabs-apache/pull/1221) ([mpdude](https://github.com/mpdude)) +- (#2673) Adding dev_packages to apache class. Allows use of httpd24u-d… [#1218](https://github.com/puppetlabs/puppetlabs-apache/pull/1218) ([damonconway](https://github.com/damonconway)) +- Change SSLProtocol in apache::vhost to be space separated [#1216](https://github.com/puppetlabs/puppetlabs-apache/pull/1216) ([bmfurtado](https://github.com/bmfurtado)) +- (MODULES-2649) Allow SetOutputFilter to be set on a directory. [#1214](https://github.com/puppetlabs/puppetlabs-apache/pull/1214) ([traylenator](https://github.com/traylenator)) +- (MODULES-2647) Optinally set parameters for mod_ext_filter module [#1213](https://github.com/puppetlabs/puppetlabs-apache/pull/1213) ([traylenator](https://github.com/traylenator)) +- (MODULES-2622) add SecUploadDir parameter to support file uploads with mod_security [#1210](https://github.com/puppetlabs/puppetlabs-apache/pull/1210) ([jlambert121](https://github.com/jlambert121)) +- (MODULES-2616) Optionally set LimitRequestFieldSize on an apache::vhost [#1208](https://github.com/puppetlabs/puppetlabs-apache/pull/1208) ([traylenator](https://github.com/traylenator)) +- also install mod_authn_alias as default mod in debian for apache < 2.4 [#1205](https://github.com/puppetlabs/puppetlabs-apache/pull/1205) ([zivis](https://github.com/zivis)) +- Add an option to configure PassengerLogFile [#1194](https://github.com/puppetlabs/puppetlabs-apache/pull/1194) ([igalic](https://github.com/igalic)) +- (MODULES-2458) Support for mod_auth_mellon. [#1189](https://github.com/puppetlabs/puppetlabs-apache/pull/1189) ([traylenator](https://github.com/traylenator)) +- Client auth for reverse proxy [#1188](https://github.com/puppetlabs/puppetlabs-apache/pull/1188) ([holtwilkins](https://github.com/holtwilkins)) +- Add ListenBacklog for mod worker (MODULES-2432) [#1185](https://github.com/puppetlabs/puppetlabs-apache/pull/1185) ([mwhahaha](https://github.com/mwhahaha)) +- (MODULES-2419) - Add mod_auth_kerb parameters to vhost [#1183](https://github.com/puppetlabs/puppetlabs-apache/pull/1183) ([traylenator](https://github.com/traylenator)) +- Support the mod_proxy ProxyPassReverseCookiePath directive [#1180](https://github.com/puppetlabs/puppetlabs-apache/pull/1180) ([roidelapluie](https://github.com/roidelapluie)) +- Adding use_optional_includes parameter to vhost define. [#1162](https://github.com/puppetlabs/puppetlabs-apache/pull/1162) ([cropalato](https://github.com/cropalato)) +- Add support for user modifiable installation of mod_systemd and pidfile locations: [#1159](https://github.com/puppetlabs/puppetlabs-apache/pull/1159) ([vamegh](https://github.com/vamegh)) +- mod_passenger: Allow setting PassengerSpawnMethod [#1158](https://github.com/puppetlabs/puppetlabs-apache/pull/1158) ([wubr](https://github.com/wubr)) +- Feature/master/passengerbaseuri [#1152](https://github.com/puppetlabs/puppetlabs-apache/pull/1152) ([aronymous](https://github.com/aronymous)) + +### Fixed + +- (MODULES-2813) Fix deprecation warning in spec_helper.rb [#1258](https://github.com/puppetlabs/puppetlabs-apache/pull/1258) ([alex-harvey-z3q](https://github.com/alex-harvey-z3q)) +- (MODULES-2812) Fix deprecation warning in service_spec.rb [#1257](https://github.com/puppetlabs/puppetlabs-apache/pull/1257) ([alex-harvey-z3q](https://github.com/alex-harvey-z3q)) +- Fix typo about dynamic AddHandler/AddType [#1254](https://github.com/puppetlabs/puppetlabs-apache/pull/1254) ([olivierHa](https://github.com/olivierHa)) +- reduce constraints on regex to fix pe tests [#1231](https://github.com/puppetlabs/puppetlabs-apache/pull/1231) ([tphoney](https://github.com/tphoney)) +- Fix ordering issue with conf_file and ports_file [#1230](https://github.com/puppetlabs/puppetlabs-apache/pull/1230) ([MasonM](https://github.com/MasonM)) +- (MODULES-2655) Fix acceptance testing for SSLProtocol behaviour for real [#1226](https://github.com/puppetlabs/puppetlabs-apache/pull/1226) ([DavidS](https://github.com/DavidS)) +- Multiple fixes [#1225](https://github.com/puppetlabs/puppetlabs-apache/pull/1225) ([DavidS](https://github.com/DavidS)) +- Fix typo of MPM_PREFORK for FreeBSD package install [#1200](https://github.com/puppetlabs/puppetlabs-apache/pull/1200) ([edmundcraske](https://github.com/edmundcraske)) +- Deflate "application/json" by default [#1198](https://github.com/puppetlabs/puppetlabs-apache/pull/1198) ([leopoiroux](https://github.com/leopoiroux)) +- MODULES-2513 mod::ssl fails on SLES [#1195](https://github.com/puppetlabs/puppetlabs-apache/pull/1195) ([ngrossmann](https://github.com/ngrossmann)) +- Catch that mod_authz_default has been removed in Apache 2.4 [#1193](https://github.com/puppetlabs/puppetlabs-apache/pull/1193) ([mpdude](https://github.com/mpdude)) +- MODULES-2439 - ProxyPassMatch parameters were ending up on a newline [#1190](https://github.com/puppetlabs/puppetlabs-apache/pull/1190) ([underscorgan](https://github.com/underscorgan)) +- The purge_vhost_configs parameter is actually called purge_vhost_dir [#1184](https://github.com/puppetlabs/puppetlabs-apache/pull/1184) ([mpdude](https://github.com/mpdude)) +- corrects mod_cgid worker/event defaults [#1182](https://github.com/puppetlabs/puppetlabs-apache/pull/1182) ([bmjen](https://github.com/bmjen)) +- fixes conditional in vhost aliases [#1181](https://github.com/puppetlabs/puppetlabs-apache/pull/1181) ([bmjen](https://github.com/bmjen)) +- load unixd before fcgid on all operating systems (see #879) [#1178](https://github.com/puppetlabs/puppetlabs-apache/pull/1178) ([sethlyons](https://github.com/sethlyons)) +- Fix apache::mod::cgid so it can be used with the event MPM [#1175](https://github.com/puppetlabs/puppetlabs-apache/pull/1175) ([MasonM](https://github.com/MasonM)) +- Fix _proxy.erb for SetEnv within ProxyMatch. [#1156](https://github.com/puppetlabs/puppetlabs-apache/pull/1156) ([dconry](https://github.com/dconry)) +- mod::alias should be included when the aliases parameter is used [#1155](https://github.com/puppetlabs/puppetlabs-apache/pull/1155) ([pcfens](https://github.com/pcfens)) +- Fix: missing package for mod_geoip on Debian systems [#1148](https://github.com/puppetlabs/puppetlabs-apache/pull/1148) ([olivierHa](https://github.com/olivierHa)) + +## [1.6.0](https://github.com/puppetlabs/puppetlabs-apache/tree/1.6.0) - 2015-07-30 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/1.5.0...1.6.0) + +### Added + +- [#puppethack] Adding ability to enable/disable the secruleengine through a parameter [#1168](https://github.com/puppetlabs/puppetlabs-apache/pull/1168) ([igalic](https://github.com/igalic)) +- add possibility to set icons_path to false so no alias will be set for it [#1160](https://github.com/puppetlabs/puppetlabs-apache/pull/1160) ([tjikkun](https://github.com/tjikkun)) +- apache::vhost filter support [#1143](https://github.com/puppetlabs/puppetlabs-apache/pull/1143) ([BIAndrews](https://github.com/BIAndrews)) +- Add the ability to specify GeoIPScanProxyHeaderField for mod_geoip [#1128](https://github.com/puppetlabs/puppetlabs-apache/pull/1128) ([dgarbus](https://github.com/dgarbus)) +- Add ssl_openssl_conf_cmd param (apache::mod::ssl and apache::vhost) [#1127](https://github.com/puppetlabs/puppetlabs-apache/pull/1127) ([tmuellerleile](https://github.com/tmuellerleile)) + +### Fixed + +- fixes timing of mod_security tests for aio [#1165](https://github.com/puppetlabs/puppetlabs-apache/pull/1165) ([bmjen](https://github.com/bmjen)) +- Debian 7 acceptance test fix [#1161](https://github.com/puppetlabs/puppetlabs-apache/pull/1161) ([bmjen](https://github.com/bmjen)) +- Fix test condition for proxy directives. [#1145](https://github.com/puppetlabs/puppetlabs-apache/pull/1145) ([jonnytdevops](https://github.com/jonnytdevops)) + +## [1.5.0](https://github.com/puppetlabs/puppetlabs-apache/tree/1.5.0) - 2015-06-16 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/1.4.1...1.5.0) + +### Added + +- Add the helper to install puppet/pe/puppet-agent [#1140](https://github.com/puppetlabs/puppetlabs-apache/pull/1140) ([hunner](https://github.com/hunner)) +- Updated travisci file to remove allow_failures for Puppet 4 [#1135](https://github.com/puppetlabs/puppetlabs-apache/pull/1135) ([jonnytdevops](https://github.com/jonnytdevops)) +- Add changelog for 1.5.0 relesase [#1132](https://github.com/puppetlabs/puppetlabs-apache/pull/1132) ([hunner](https://github.com/hunner)) +- Support puppetlabs-concat 2.x [#1126](https://github.com/puppetlabs/puppetlabs-apache/pull/1126) ([domcleal](https://github.com/domcleal)) +- Added the ability to define the IndexStyleSheet setting for a directory [#1124](https://github.com/puppetlabs/puppetlabs-apache/pull/1124) ([genebean](https://github.com/genebean)) +- Add basic initial support for SLES 11 [#1121](https://github.com/puppetlabs/puppetlabs-apache/pull/1121) ([carroarmato0](https://github.com/carroarmato0)) +- Modulesync updates [#1117](https://github.com/puppetlabs/puppetlabs-apache/pull/1117) ([underscorgan](https://github.com/underscorgan)) +- MODULES-1968 - Update the template to warn if using deprecated options [#1113](https://github.com/puppetlabs/puppetlabs-apache/pull/1113) ([underscorgan](https://github.com/underscorgan)) +- check if ensure present before including alias module [#1102](https://github.com/puppetlabs/puppetlabs-apache/pull/1102) ([maneeshmp](https://github.com/maneeshmp)) + +### Fixed + +- Fixes acceptance tests [#1141](https://github.com/puppetlabs/puppetlabs-apache/pull/1141) ([bmjen](https://github.com/bmjen)) +- Incorrect date in the changelog [#1134](https://github.com/puppetlabs/puppetlabs-apache/pull/1134) ([underscorgan](https://github.com/underscorgan)) +- Do not offload overriding LogFormats to httpd [#1096](https://github.com/puppetlabs/puppetlabs-apache/pull/1096) ([igalic](https://github.com/igalic)) + +## [1.4.1](https://github.com/puppetlabs/puppetlabs-apache/tree/1.4.1) - 2015-04-28 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/1.4.0...1.4.1) + +### Added + +- (#1971) new $service_restart parameter to influence httpd. [#1107](https://github.com/puppetlabs/puppetlabs-apache/pull/1107) ([traylenator](https://github.com/traylenator)) +- unify log_level checking and allow trace1-8 levels [#1097](https://github.com/puppetlabs/puppetlabs-apache/pull/1097) ([mrgum](https://github.com/mrgum)) +- (BKR-147) add Gemfile setting for BEAKER_VERSION for puppet... [#1085](https://github.com/puppetlabs/puppetlabs-apache/pull/1085) ([anodelman](https://github.com/anodelman)) +- MODULES-1789 add initial mod_geoip support [#1083](https://github.com/puppetlabs/puppetlabs-apache/pull/1083) ([roman-mueller](https://github.com/roman-mueller)) +- Allow settings to be overridden as parameters to apache::mod::ssl [#1079](https://github.com/puppetlabs/puppetlabs-apache/pull/1079) ([roman-mueller](https://github.com/roman-mueller)) +- add section for FreeBSD limitations [#1078](https://github.com/puppetlabs/puppetlabs-apache/pull/1078) ([sethlyons](https://github.com/sethlyons)) +- Make Options directive configurable for mod userdir [#1077](https://github.com/puppetlabs/puppetlabs-apache/pull/1077) ([frenkel](https://github.com/frenkel)) +- allow acess to userdirs again [#1071](https://github.com/puppetlabs/puppetlabs-apache/pull/1071) ([niklas](https://github.com/niklas)) +- add parameters to configure expires globally [#1063](https://github.com/puppetlabs/puppetlabs-apache/pull/1063) ([igalic](https://github.com/igalic)) +- make $lib_path configurable [#1057](https://github.com/puppetlabs/puppetlabs-apache/pull/1057) ([fraenki](https://github.com/fraenki)) + +### Fixed + +- (MODULES-1874) Fix proxy_connect module on apache >= 2.2 [#1093](https://github.com/puppetlabs/puppetlabs-apache/pull/1093) ([ckaenzig](https://github.com/ckaenzig)) +- Fix remoteip unit test for rspec-puppet 2 [#1091](https://github.com/puppetlabs/puppetlabs-apache/pull/1091) ([cmurphy](https://github.com/cmurphy)) +- Fixed setting multiple env_var in a location block for proxy pass. [#1086](https://github.com/puppetlabs/puppetlabs-apache/pull/1086) ([btreecat](https://github.com/btreecat)) +- fix typo [#1082](https://github.com/puppetlabs/puppetlabs-apache/pull/1082) ([kgeis](https://github.com/kgeis)) +- Fixes/apache name [#1070](https://github.com/puppetlabs/puppetlabs-apache/pull/1070) ([stevenpost](https://github.com/stevenpost)) +- Remoteip module [#1065](https://github.com/puppetlabs/puppetlabs-apache/pull/1065) ([igalic](https://github.com/igalic)) + +## [1.4.0](https://github.com/puppetlabs/puppetlabs-apache/tree/1.4.0) - 2015-03-17 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/1.3.0...1.4.0) + +### Added + +- Give a lower priority to mod_passenger [#1072](https://github.com/puppetlabs/puppetlabs-apache/pull/1072) ([underscorgan](https://github.com/underscorgan)) +- Apache - mod_passenger: allow setting PassengerMinInstances [#1067](https://github.com/puppetlabs/puppetlabs-apache/pull/1067) ([stevenpost](https://github.com/stevenpost)) +- Apache: allow setting the default type [#1064](https://github.com/puppetlabs/puppetlabs-apache/pull/1064) ([stevenpost](https://github.com/stevenpost)) +- Allow setting environment variables inside the proxy locations [#1061](https://github.com/puppetlabs/puppetlabs-apache/pull/1061) ([stevenpost](https://github.com/stevenpost)) +- give a lower priority to mod_passenger [#1060](https://github.com/puppetlabs/puppetlabs-apache/pull/1060) ([stevenpost](https://github.com/stevenpost)) +- Added missing comma in the aliases example section [#1058](https://github.com/puppetlabs/puppetlabs-apache/pull/1058) ([jeremycline](https://github.com/jeremycline)) +- Adds the AddDefaultCharset option [#1053](https://github.com/puppetlabs/puppetlabs-apache/pull/1053) ([stevenpost](https://github.com/stevenpost)) +- add proper array support for require [#1047](https://github.com/puppetlabs/puppetlabs-apache/pull/1047) ([underscorgan](https://github.com/underscorgan)) +- make icons directorylisting configurable [#1046](https://github.com/puppetlabs/puppetlabs-apache/pull/1046) ([underscorgan](https://github.com/underscorgan)) +- Allow includes necessary for basic authentication [#1045](https://github.com/puppetlabs/puppetlabs-apache/pull/1045) ([underscorgan](https://github.com/underscorgan)) +- MODULES-1779 install package mod_ldap on CentOS 7 [#1038](https://github.com/puppetlabs/puppetlabs-apache/pull/1038) ([roman-mueller](https://github.com/roman-mueller)) +- Add support for Passenger's PassengerAppEnv setting [#1034](https://github.com/puppetlabs/puppetlabs-apache/pull/1034) ([liff](https://github.com/liff)) +- MODULES-1622: Allow multiple Deny directives in a directory [#985](https://github.com/puppetlabs/puppetlabs-apache/pull/985) ([roman-mueller](https://github.com/roman-mueller)) +- MODULES-1581: Gentoo compatibility [#957](https://github.com/puppetlabs/puppetlabs-apache/pull/957) ([derdanne](https://github.com/derdanne)) + +### Fixed + +- Revert "Supersede ssl_random_seed_bytes with ssl_random_seeds option to ... [#1073](https://github.com/puppetlabs/puppetlabs-apache/pull/1073) ([underscorgan](https://github.com/underscorgan)) +- Apache: add support for the ProxyPassMatch directive [#1069](https://github.com/puppetlabs/puppetlabs-apache/pull/1069) ([stevenpost](https://github.com/stevenpost)) +- Remove Debian workaround as it broke Red Hat systems [#1062](https://github.com/puppetlabs/puppetlabs-apache/pull/1062) ([stevenpost](https://github.com/stevenpost)) +- Fix typo in fallbackresource [#1055](https://github.com/puppetlabs/puppetlabs-apache/pull/1055) ([jbx](https://github.com/jbx)) +- Ensure resources notify Apache::Service class [#1054](https://github.com/puppetlabs/puppetlabs-apache/pull/1054) ([butlern](https://github.com/butlern)) +- Style fix [#1052](https://github.com/puppetlabs/puppetlabs-apache/pull/1052) ([stevenpost](https://github.com/stevenpost)) +- Don't manage docroot when default vhosts are disabled [#1050](https://github.com/puppetlabs/puppetlabs-apache/pull/1050) ([underscorgan](https://github.com/underscorgan)) +- include mod_filter when needed instead of instantiating it [#1049](https://github.com/puppetlabs/puppetlabs-apache/pull/1049) ([sethlyons](https://github.com/sethlyons)) +- Corrected error in documentation for ssl_protocol and ssl_cipher. [#1044](https://github.com/puppetlabs/puppetlabs-apache/pull/1044) ([tdiscuit](https://github.com/tdiscuit)) +- Fixed vhost proxy_pass params documentation [#1043](https://github.com/puppetlabs/puppetlabs-apache/pull/1043) ([grafjo](https://github.com/grafjo)) +- (#1391) Correct Debian jessie mod_prefork dev package name [#1042](https://github.com/puppetlabs/puppetlabs-apache/pull/1042) ([sathieu](https://github.com/sathieu)) +- Fixes #880 - (MODULES-1391) Correct Ubuntu Trusty mod_prefork package name [#1041](https://github.com/puppetlabs/puppetlabs-apache/pull/1041) ([underscorgan](https://github.com/underscorgan)) +- Fixed default mpm_event config warning [#1039](https://github.com/puppetlabs/puppetlabs-apache/pull/1039) ([HT43-bqxFqB](https://github.com/HT43-bqxFqB)) +- MODULES-1784 check for deprecated options and fail when they are unsupported [#1036](https://github.com/puppetlabs/puppetlabs-apache/pull/1036) ([roman-mueller](https://github.com/roman-mueller)) +- fix bug in scriptalias code that keeps scriptalias from beeing included in default vhost [#1035](https://github.com/puppetlabs/puppetlabs-apache/pull/1035) ([haraldsk](https://github.com/haraldsk)) +- Fixed an order of operations issue in the test that caused some weird behavior when apache would delay or not restart and added a check with timeout to ensure proper wait [#1032](https://github.com/puppetlabs/puppetlabs-apache/pull/1032) ([cyberious](https://github.com/cyberious)) +- SuPHP acceptance fixes?, chasing the test bug that is timing [#1031](https://github.com/puppetlabs/puppetlabs-apache/pull/1031) ([cyberious](https://github.com/cyberious)) +- ssl.pp: Fixed indent. [#1026](https://github.com/puppetlabs/puppetlabs-apache/pull/1026) ([jpds-zz](https://github.com/jpds-zz)) +- our templates are horrible, we should fix it [#1025](https://github.com/puppetlabs/puppetlabs-apache/pull/1025) ([igalic](https://github.com/igalic)) + +## [1.3.0](https://github.com/puppetlabs/puppetlabs-apache/tree/1.3.0) - 2015-02-17 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/1.2.0...1.3.0) + +### Added + +- Concat started using a new fact [#1012](https://github.com/puppetlabs/puppetlabs-apache/pull/1012) ([underscorgan](https://github.com/underscorgan)) +- (MODULES-1719) Add parameter for SSLRandomSeed bytes [#1007](https://github.com/puppetlabs/puppetlabs-apache/pull/1007) ([hunner](https://github.com/hunner)) +- MODULES-1744: use bool2httpd for server_signature and trace_enable [#1006](https://github.com/puppetlabs/puppetlabs-apache/pull/1006) ([jlambert121](https://github.com/jlambert121)) +- ssl.pp: Allow setting of SSLRandomSeed option. [#1001](https://github.com/puppetlabs/puppetlabs-apache/pull/1001) ([jpds-zz](https://github.com/jpds-zz)) +- add configuration options to mod_security [#997](https://github.com/puppetlabs/puppetlabs-apache/pull/997) ([jlambert121](https://github.com/jlambert121)) +- MODULES-1696: ensure mod::setenvif is included if needed [#995](https://github.com/puppetlabs/puppetlabs-apache/pull/995) ([jlambert121](https://github.com/jlambert121)) +- MODULES-1680 - sort php_* hashes for idempotency [#994](https://github.com/puppetlabs/puppetlabs-apache/pull/994) ([underscorgan](https://github.com/underscorgan)) +- modules-1559 Apache module no service refresh [#993](https://github.com/puppetlabs/puppetlabs-apache/pull/993) ([tphoney](https://github.com/tphoney)) +- Add RewriteMap support [#990](https://github.com/puppetlabs/puppetlabs-apache/pull/990) ([soerenbe](https://github.com/soerenbe)) +- add passenger support for Debian/jessie [#976](https://github.com/puppetlabs/puppetlabs-apache/pull/976) ([mmoll](https://github.com/mmoll)) +- Add IntelliJ files to the ignore list [#970](https://github.com/puppetlabs/puppetlabs-apache/pull/970) ([cmurphy](https://github.com/cmurphy)) +- MODULES-1586: Set uid/gid when creating user/group resources [#962](https://github.com/puppetlabs/puppetlabs-apache/pull/962) ([rnelson0](https://github.com/rnelson0)) +- acceptance: add test for actual port [#959](https://github.com/puppetlabs/puppetlabs-apache/pull/959) ([DavidS](https://github.com/DavidS)) +- MODULES-1382: support multiple access log directives [#951](https://github.com/puppetlabs/puppetlabs-apache/pull/951) ([jlambert121](https://github.com/jlambert121)) +- add mod_security apache module [#948](https://github.com/puppetlabs/puppetlabs-apache/pull/948) ([jlambert121](https://github.com/jlambert121)) +- Add metadata summary per FM-1523 [#942](https://github.com/puppetlabs/puppetlabs-apache/pull/942) ([lrnrthr](https://github.com/lrnrthr)) +- Add configurable options for mpm_event [#939](https://github.com/puppetlabs/puppetlabs-apache/pull/939) ([stumped2](https://github.com/stumped2)) +- Add support for SSLPassPhraseDialog [#938](https://github.com/puppetlabs/puppetlabs-apache/pull/938) ([dteirney](https://github.com/dteirney)) +- Updated _directories.erb to add support for 'SetEnv' [#934](https://github.com/puppetlabs/puppetlabs-apache/pull/934) ([muresan](https://github.com/muresan)) +- 'allow_encoded_slashes' vhost parameter was omitted [#931](https://github.com/puppetlabs/puppetlabs-apache/pull/931) ([antoineco](https://github.com/antoineco)) +- Add $status_path parameter to change mod_status url [#930](https://github.com/puppetlabs/puppetlabs-apache/pull/930) ([atxulo](https://github.com/atxulo)) +- Add support for mod_auth_cas module configuration [#923](https://github.com/puppetlabs/puppetlabs-apache/pull/923) ([pcfens](https://github.com/pcfens)) +- Modules-1458 mod_wsgi package and module name/path [#915](https://github.com/puppetlabs/puppetlabs-apache/pull/915) ([jantman](https://github.com/jantman)) +- Implement php_value and php_flag [#906](https://github.com/puppetlabs/puppetlabs-apache/pull/906) ([jweisner](https://github.com/jweisner)) + +### Fixed + +- Fixup 928 - optionally omit priority [#1014](https://github.com/puppetlabs/puppetlabs-apache/pull/1014) ([underscorgan](https://github.com/underscorgan)) +- FM-2140 - Fix for suphp test [#1011](https://github.com/puppetlabs/puppetlabs-apache/pull/1011) ([underscorgan](https://github.com/underscorgan)) +- Fix for PR 845 [#1010](https://github.com/puppetlabs/puppetlabs-apache/pull/1010) ([underscorgan](https://github.com/underscorgan)) +- ssl_protocol expects a string, not an array. [#1009](https://github.com/puppetlabs/puppetlabs-apache/pull/1009) ([sathieu](https://github.com/sathieu)) +- Fix license for forge linting. [#1008](https://github.com/puppetlabs/puppetlabs-apache/pull/1008) ([big-samantha](https://github.com/big-samantha)) +- Symlinks on all distros [#1000](https://github.com/puppetlabs/puppetlabs-apache/pull/1000) ([HT43-bqxFqB](https://github.com/HT43-bqxFqB)) +- MODULES-1684: Specify mod_proxy_connect module for Apache >= 2.3.5 [#987](https://github.com/puppetlabs/puppetlabs-apache/pull/987) ([holser](https://github.com/holser)) +- fix versioncmp test in mod::alias [#984](https://github.com/puppetlabs/puppetlabs-apache/pull/984) ([jlambert121](https://github.com/jlambert121)) +- MODULES-1688: fix indenting in vhost/_directories.erb template [#980](https://github.com/puppetlabs/puppetlabs-apache/pull/980) ([jlambert121](https://github.com/jlambert121)) +- fix apache_version for Debian >7 [#975](https://github.com/puppetlabs/puppetlabs-apache/pull/975) ([mmoll](https://github.com/mmoll)) +- Strict variable fix [#974](https://github.com/puppetlabs/puppetlabs-apache/pull/974) ([underscorgan](https://github.com/underscorgan)) +- $::selinux is a bool, not a string [#971](https://github.com/puppetlabs/puppetlabs-apache/pull/971) ([underscorgan](https://github.com/underscorgan)) +- Even more mod_security test fixes [#969](https://github.com/puppetlabs/puppetlabs-apache/pull/969) ([underscorgan](https://github.com/underscorgan)) +- Paths should be different for all deb based OSes [#965](https://github.com/puppetlabs/puppetlabs-apache/pull/965) ([underscorgan](https://github.com/underscorgan)) +- Fixes version automatic detection for debian jessie; [#964](https://github.com/puppetlabs/puppetlabs-apache/pull/964) ([Zouuup](https://github.com/Zouuup)) +- Fix tests from #948 [#963](https://github.com/puppetlabs/puppetlabs-apache/pull/963) ([underscorgan](https://github.com/underscorgan)) +- Fix apache::mod::version title [#960](https://github.com/puppetlabs/puppetlabs-apache/pull/960) ([sathieu](https://github.com/sathieu)) +- Fix linting errors [#953](https://github.com/puppetlabs/puppetlabs-apache/pull/953) ([nibalizer](https://github.com/nibalizer)) +- Fix uninitialized variable lint [#947](https://github.com/puppetlabs/puppetlabs-apache/pull/947) ([justinstoller](https://github.com/justinstoller)) +- Modules 825 - apache2.4 - mod_itk dependency fix [#944](https://github.com/puppetlabs/puppetlabs-apache/pull/944) ([valeriominetti](https://github.com/valeriominetti)) +- MODULES-1384 - idempotency for wsgi_script_aliases [#936](https://github.com/puppetlabs/puppetlabs-apache/pull/936) ([underscorgan](https://github.com/underscorgan)) +- MODULES-1403 - fix doc bug [#935](https://github.com/puppetlabs/puppetlabs-apache/pull/935) ([underscorgan](https://github.com/underscorgan)) + +## [1.2.0](https://github.com/puppetlabs/puppetlabs-apache/tree/1.2.0) - 2014-11-11 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/1.1.1...1.2.0) + +### Added + +- Poodle [#917](https://github.com/puppetlabs/puppetlabs-apache/pull/917) ([igalic](https://github.com/igalic)) +- Support parameters along with proxy_pass now w/ tests [#914](https://github.com/puppetlabs/puppetlabs-apache/pull/914) ([tfhartmann](https://github.com/tfhartmann)) +- Add params to proxy_pass in vhost [#910](https://github.com/puppetlabs/puppetlabs-apache/pull/910) ([mkobel](https://github.com/mkobel)) +- allow disabling default vhosts under 2.4 [#909](https://github.com/puppetlabs/puppetlabs-apache/pull/909) ([igalic](https://github.com/igalic)) +- MODULES-1446: mod_version is now builtin [#908](https://github.com/puppetlabs/puppetlabs-apache/pull/908) ([igalic](https://github.com/igalic)) +- Allow specifying all alias directives in `aliases` [#901](https://github.com/puppetlabs/puppetlabs-apache/pull/901) ([antaflos](https://github.com/antaflos)) +- Add parameter for AddDefaultCharset virtual host directive [#898](https://github.com/puppetlabs/puppetlabs-apache/pull/898) ([domcleal](https://github.com/domcleal)) +- Add Passenger related parameters to vhost [#894](https://github.com/puppetlabs/puppetlabs-apache/pull/894) ([domcleal](https://github.com/domcleal)) +- (#1423) Added the WSGIChunkedRequest directive to vhost [#890](https://github.com/puppetlabs/puppetlabs-apache/pull/890) ([retr0h](https://github.com/retr0h)) +- Remove deprecated concat::setup class [#884](https://github.com/puppetlabs/puppetlabs-apache/pull/884) ([blkperl](https://github.com/blkperl)) +- Modules 1396 redirect match rules do not work in the apache module [#881](https://github.com/puppetlabs/puppetlabs-apache/pull/881) ([Matoch](https://github.com/Matoch)) +- Need fcgid to load after unixd on RHEL7 [#879](https://github.com/puppetlabs/puppetlabs-apache/pull/879) ([underscorgan](https://github.com/underscorgan)) +- Add support to set SSLCARevocationCheck on Apache 2.4 [#866](https://github.com/puppetlabs/puppetlabs-apache/pull/866) ([domcleal](https://github.com/domcleal)) +- (PUP-3242) Setting up mod_shib [#850](https://github.com/puppetlabs/puppetlabs-apache/pull/850) ([Aethylred](https://github.com/Aethylred)) +- force class definition checks to use absolute scope [#833](https://github.com/puppetlabs/puppetlabs-apache/pull/833) ([GeoffWilliams](https://github.com/GeoffWilliams)) +- Added missing syntax highlight to 1st apache::mod::php example [#832](https://github.com/puppetlabs/puppetlabs-apache/pull/832) ([thatgraemeguy](https://github.com/thatgraemeguy)) +- Allow multiple balancermember with the same url [#830](https://github.com/puppetlabs/puppetlabs-apache/pull/830) ([roidelapluie](https://github.com/roidelapluie)) +- add sort to LogFormats to ensure consistency between runs [#829](https://github.com/puppetlabs/puppetlabs-apache/pull/829) ([tjikkun](https://github.com/tjikkun)) +- Add missing kernel fact [#827](https://github.com/puppetlabs/puppetlabs-apache/pull/827) ([underscorgan](https://github.com/underscorgan)) +- Add --relative flag [#826](https://github.com/puppetlabs/puppetlabs-apache/pull/826) ([underscorgan](https://github.com/underscorgan)) +- Convert apache::vhost to use concat fragments. [#825](https://github.com/puppetlabs/puppetlabs-apache/pull/825) ([underscorgan](https://github.com/underscorgan)) +- Finish SCL support for RHEL/CentOS 6 [#821](https://github.com/puppetlabs/puppetlabs-apache/pull/821) ([smerrill](https://github.com/smerrill)) +- Allow overriding the detected $apache_name. [#819](https://github.com/puppetlabs/puppetlabs-apache/pull/819) ([smerrill](https://github.com/smerrill)) +- Allow other manifests to define ::apache::mod{ 'ssl': }. [#818](https://github.com/puppetlabs/puppetlabs-apache/pull/818) ([smerrill](https://github.com/smerrill)) +- Call @proxy_set insteat of proxy_set in inline_template [#816](https://github.com/puppetlabs/puppetlabs-apache/pull/816) ([roidelapluie](https://github.com/roidelapluie)) +- Call install_* methods only once in spec_helper_acceptance [#815](https://github.com/puppetlabs/puppetlabs-apache/pull/815) ([justinstoller](https://github.com/justinstoller)) +- Add a validate_string check for custom_fragment. [#812](https://github.com/puppetlabs/puppetlabs-apache/pull/812) ([underscorgan](https://github.com/underscorgan)) +- ssl mutex directory needs to be set for Debian [#810](https://github.com/puppetlabs/puppetlabs-apache/pull/810) ([jtreminio](https://github.com/jtreminio)) +- Support itk with mod php [#808](https://github.com/puppetlabs/puppetlabs-apache/pull/808) ([corvus-ch](https://github.com/corvus-ch)) +- Exposed $logroot_mode in init.pp [#807](https://github.com/puppetlabs/puppetlabs-apache/pull/807) ([Ginja](https://github.com/Ginja)) +- introduce flag to manage the docroot [#802](https://github.com/puppetlabs/puppetlabs-apache/pull/802) ([igalic](https://github.com/igalic)) +- Add authn_core mod to ubuntu trusty defaults [#800](https://github.com/puppetlabs/puppetlabs-apache/pull/800) ([jestallin](https://github.com/jestallin)) +- Allow to set multiple ProxyPassReverse directives [#793](https://github.com/puppetlabs/puppetlabs-apache/pull/793) ([roidelapluie](https://github.com/roidelapluie)) +- configure timeouts for apache::mod::reqtimeout [#792](https://github.com/puppetlabs/puppetlabs-apache/pull/792) ([roidelapluie](https://github.com/roidelapluie)) +- Add deflate params: types, notes [#785](https://github.com/puppetlabs/puppetlabs-apache/pull/785) ([JCotton1123](https://github.com/JCotton1123)) +- Add regex validation to wsgi_pass_authorization [#775](https://github.com/puppetlabs/puppetlabs-apache/pull/775) ([ekohl](https://github.com/ekohl)) +- Add options to mod info [#717](https://github.com/puppetlabs/puppetlabs-apache/pull/717) ([genebean](https://github.com/genebean)) + +### Fixed + +- Update the test to match the fix from yesterday [#924](https://github.com/puppetlabs/puppetlabs-apache/pull/924) ([underscorgan](https://github.com/underscorgan)) +- Fixes indentation of versioncmp [#922](https://github.com/puppetlabs/puppetlabs-apache/pull/922) ([saz](https://github.com/saz)) +- Relying on missing fact [#921](https://github.com/puppetlabs/puppetlabs-apache/pull/921) ([underscorgan](https://github.com/underscorgan)) +- wsgi_chunked_request doesn't work on lucid [#919](https://github.com/puppetlabs/puppetlabs-apache/pull/919) ([underscorgan](https://github.com/underscorgan)) +- (MODULES-1457) apache::vhost: SSLCACertificatePath can't be unset [#913](https://github.com/puppetlabs/puppetlabs-apache/pull/913) ([vinzent](https://github.com/vinzent)) +- passenger concat needs to be wrapped in a check [#912](https://github.com/puppetlabs/puppetlabs-apache/pull/912) ([pdxfixit](https://github.com/pdxfixit)) +- Fix authnz_ldap package name on el7 [#911](https://github.com/puppetlabs/puppetlabs-apache/pull/911) ([mcanevet](https://github.com/mcanevet)) +- Fix misleading error message [#893](https://github.com/puppetlabs/puppetlabs-apache/pull/893) ([DavidS](https://github.com/DavidS)) +- Fix Shib setting rules. [#888](https://github.com/puppetlabs/puppetlabs-apache/pull/888) ([halfninja](https://github.com/halfninja)) +- ScriptAlias needs to come before Alias. [#882](https://github.com/puppetlabs/puppetlabs-apache/pull/882) ([daveseff](https://github.com/daveseff)) +- Fix vhost and mod_passenger tests on deb7 [#876](https://github.com/puppetlabs/puppetlabs-apache/pull/876) ([underscorgan](https://github.com/underscorgan)) +- Fix dav_svn for debian 6 [#874](https://github.com/puppetlabs/puppetlabs-apache/pull/874) ([underscorgan](https://github.com/underscorgan)) +- Fix custom_config check for ubuntu precise. [#873](https://github.com/puppetlabs/puppetlabs-apache/pull/873) ([underscorgan](https://github.com/underscorgan)) +- Revert "Fix duplicate declarations when puppet manages logroot for vhost... [#869](https://github.com/puppetlabs/puppetlabs-apache/pull/869) ([underscorgan](https://github.com/underscorgan)) +- (FM-1913) fix passenger tests on EL derivatives [#861](https://github.com/puppetlabs/puppetlabs-apache/pull/861) ([justinstoller](https://github.com/justinstoller)) +- Change $port to interpolated string "${port}" to fix "Cannot use Fixnu... [#856](https://github.com/puppetlabs/puppetlabs-apache/pull/856) ([misterdorm](https://github.com/misterdorm)) +- Modules-1294 Fix Auth_Require bug with directories [#855](https://github.com/puppetlabs/puppetlabs-apache/pull/855) ([cyberious](https://github.com/cyberious)) +- Fix correct type for php_admin and sort hash [#851](https://github.com/puppetlabs/puppetlabs-apache/pull/851) ([olivierHa](https://github.com/olivierHa)) +- Revert "strict_variables fix" -- accidentally merged onto 1.1.x [#847](https://github.com/puppetlabs/puppetlabs-apache/pull/847) ([igalic](https://github.com/igalic)) +- Fix issue with puppet_module_install, removed and using updated method f... [#846](https://github.com/puppetlabs/puppetlabs-apache/pull/846) ([cyberious](https://github.com/cyberious)) +- Fix formatting of sethandler description [#842](https://github.com/puppetlabs/puppetlabs-apache/pull/842) ([antaflos](https://github.com/antaflos)) +- Fix some Puppet Lint errors [#840](https://github.com/puppetlabs/puppetlabs-apache/pull/840) ([baurmatt](https://github.com/baurmatt)) +- Ensure that mod packages are installed before conf [#837](https://github.com/puppetlabs/puppetlabs-apache/pull/837) ([bodepd](https://github.com/bodepd)) +- Add defined type for handling custom configs [#836](https://github.com/puppetlabs/puppetlabs-apache/pull/836) ([underscorgan](https://github.com/underscorgan)) +- Typefix [#828](https://github.com/puppetlabs/puppetlabs-apache/pull/828) ([setola](https://github.com/setola)) +- Fix dependency loop in vhost [#820](https://github.com/puppetlabs/puppetlabs-apache/pull/820) ([underscorgan](https://github.com/underscorgan)) +- Fixing warning in rake validate [#809](https://github.com/puppetlabs/puppetlabs-apache/pull/809) ([underscorgan](https://github.com/underscorgan)) +- fix for #802: when !manage_docroot, don't require it [#806](https://github.com/puppetlabs/puppetlabs-apache/pull/806) ([igalic](https://github.com/igalic)) +- Fix strict variables [#804](https://github.com/puppetlabs/puppetlabs-apache/pull/804) ([hunner](https://github.com/hunner)) +- Changes $alias to $fcgi_alias to prevent Puppet complaining about using that name [#781](https://github.com/puppetlabs/puppetlabs-apache/pull/781) ([jtreminio](https://github.com/jtreminio)) + +## [1.1.1](https://github.com/puppetlabs/puppetlabs-apache/tree/1.1.1) - 2014-07-18 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/1.1.0...1.1.1) + +## [1.1.0](https://github.com/puppetlabs/puppetlabs-apache/tree/1.1.0) - 2014-07-09 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/1.0.1...1.1.0) + +### Added + +- Allow ssl_certs_dir to be unset. [#787](https://github.com/puppetlabs/puppetlabs-apache/pull/787) ([tdb](https://github.com/tdb)) +- Add param to ctrl purging of vhost dir [#786](https://github.com/puppetlabs/puppetlabs-apache/pull/786) ([JCotton1123](https://github.com/JCotton1123)) +- Adds @ to faux_path template variable [#780](https://github.com/puppetlabs/puppetlabs-apache/pull/780) ([jtreminio](https://github.com/jtreminio)) +- Start synchronizing module files [#774](https://github.com/puppetlabs/puppetlabs-apache/pull/774) ([cmurphy](https://github.com/cmurphy)) +- Add DeflateFilterNote directives [#761](https://github.com/puppetlabs/puppetlabs-apache/pull/761) ([bodgit](https://github.com/bodgit)) +- add logroot_mode parameter [#760](https://github.com/puppetlabs/puppetlabs-apache/pull/760) ([nbeernink](https://github.com/nbeernink)) +- MODULES-957: Add more Apache 2.4 conditional blocks to configuration templates [#756](https://github.com/puppetlabs/puppetlabs-apache/pull/756) ([pcfens](https://github.com/pcfens)) +- MODULES-1065: Add ThreadLimit to mod::worker [#755](https://github.com/puppetlabs/puppetlabs-apache/pull/755) ([jlambert121](https://github.com/jlambert121)) +- Add the Satisfy parameter to the directory fragment. [#752](https://github.com/puppetlabs/puppetlabs-apache/pull/752) ([Arakmar](https://github.com/Arakmar)) +- Add package parameters to the dav_svn mod. [#750](https://github.com/puppetlabs/puppetlabs-apache/pull/750) ([Arakmar](https://github.com/Arakmar)) +- Provide configuration file for php module [#744](https://github.com/puppetlabs/puppetlabs-apache/pull/744) ([amateo](https://github.com/amateo)) +- MODULES-956 Added loadfile_name parameter to apache::mod. [#737](https://github.com/puppetlabs/puppetlabs-apache/pull/737) ([underscorgan](https://github.com/underscorgan)) +- Add a nodeset for Ubuntu 14.04. [#719](https://github.com/puppetlabs/puppetlabs-apache/pull/719) ([underscorgan](https://github.com/underscorgan)) +- Add fcgid options [#716](https://github.com/puppetlabs/puppetlabs-apache/pull/716) ([ekohl](https://github.com/ekohl)) +- Add specs for #689 [#715](https://github.com/puppetlabs/puppetlabs-apache/pull/715) ([hunner](https://github.com/hunner)) +- Use access_compat on 2.4, and update pagespeed to load the correct modul... [#714](https://github.com/puppetlabs/puppetlabs-apache/pull/714) ([underscorgan](https://github.com/underscorgan)) +- Add suexec support [#712](https://github.com/puppetlabs/puppetlabs-apache/pull/712) ([ekohl](https://github.com/ekohl)) +- Configure Passenger in separate .conf file on Debian so PassengerRoot isn't lost [#711](https://github.com/puppetlabs/puppetlabs-apache/pull/711) ([GregSutcliffe](https://github.com/GregSutcliffe)) +- Don't include the NameVirtualHost directives in apache >= 2.4, and add t... [#708](https://github.com/puppetlabs/puppetlabs-apache/pull/708) ([underscorgan](https://github.com/underscorgan)) +- Add fastcgi external server defined type [#704](https://github.com/puppetlabs/puppetlabs-apache/pull/704) ([JCotton1123](https://github.com/JCotton1123)) +- turning MaxKeepAliveRequests into a variable [#703](https://github.com/puppetlabs/puppetlabs-apache/pull/703) ([attachmentgenie](https://github.com/attachmentgenie)) +- add docroot_mode parameter to vhost [#697](https://github.com/puppetlabs/puppetlabs-apache/pull/697) ([ckaenzig](https://github.com/ckaenzig)) +- Added support for SVN authentication (mod_authz_svn) [#696](https://github.com/puppetlabs/puppetlabs-apache/pull/696) ([baurmatt](https://github.com/baurmatt)) +- Added WSGIPassAuthorization option to vhost. [#694](https://github.com/puppetlabs/puppetlabs-apache/pull/694) ([Conzar](https://github.com/Conzar)) +- Allow Apache service not to be managed by Puppet [#690](https://github.com/puppetlabs/puppetlabs-apache/pull/690) ([arnoudj](https://github.com/arnoudj)) +- ssl tweaks [#688](https://github.com/puppetlabs/puppetlabs-apache/pull/688) ([sdague](https://github.com/sdague)) +- Enable overriding mod-level parameters for apache::mod::passenger [#687](https://github.com/puppetlabs/puppetlabs-apache/pull/687) ([jonoterc](https://github.com/jonoterc)) +- Add extra parameters to mod::php [#684](https://github.com/puppetlabs/puppetlabs-apache/pull/684) ([nbeernink](https://github.com/nbeernink)) +- A first stab at extending LogFormats [#682](https://github.com/puppetlabs/puppetlabs-apache/pull/682) ([igalic](https://github.com/igalic)) +- Add support for mod_speling [#652](https://github.com/puppetlabs/puppetlabs-apache/pull/652) ([rchouinard](https://github.com/rchouinard)) +- Add support for Google's mod_pagespeed [#650](https://github.com/puppetlabs/puppetlabs-apache/pull/650) ([pcfens](https://github.com/pcfens)) +- Add support for SetHandler directive [#604](https://github.com/puppetlabs/puppetlabs-apache/pull/604) ([bodgit](https://github.com/bodgit)) + +### Fixed + +- Fix passenger repo on Scientific linux [#749](https://github.com/puppetlabs/puppetlabs-apache/pull/749) ([hunner](https://github.com/hunner)) +- Mod pagespeed fix [#740](https://github.com/puppetlabs/puppetlabs-apache/pull/740) ([underscorgan](https://github.com/underscorgan)) +- Mod rewrite duplicate error [#739](https://github.com/puppetlabs/puppetlabs-apache/pull/739) ([xavierleune](https://github.com/xavierleune)) +- Fix lib path for Ubuntu 10.04. [#727](https://github.com/puppetlabs/puppetlabs-apache/pull/727) ([underscorgan](https://github.com/underscorgan)) +- Fix module usage with strict_variables [#721](https://github.com/puppetlabs/puppetlabs-apache/pull/721) ([mcanevet](https://github.com/mcanevet)) +- Fix platform for centos-6.5 [#710](https://github.com/puppetlabs/puppetlabs-apache/pull/710) ([ekohl](https://github.com/ekohl)) +- order proxy_set option so it doesn't change between runs [#701](https://github.com/puppetlabs/puppetlabs-apache/pull/701) ([tjikkun](https://github.com/tjikkun)) +- fix missing comma in sample config [#683](https://github.com/puppetlabs/puppetlabs-apache/pull/683) ([sdague](https://github.com/sdague)) +- fix missing ensure on concat::fragment resources [#681](https://github.com/puppetlabs/puppetlabs-apache/pull/681) ([jfroche](https://github.com/jfroche)) +- mod_proxy_html failing in Debian [#673](https://github.com/puppetlabs/puppetlabs-apache/pull/673) ([carlossg](https://github.com/carlossg)) +- Apache version in Ubuntu 13.10 is 2.4 [#672](https://github.com/puppetlabs/puppetlabs-apache/pull/672) ([carlossg](https://github.com/carlossg)) +- lint fixes [#671](https://github.com/puppetlabs/puppetlabs-apache/pull/671) ([carlossg](https://github.com/carlossg)) +- Include mod wsgi when wsgi_daemon_process is given [#664](https://github.com/puppetlabs/puppetlabs-apache/pull/664) ([ekohl](https://github.com/ekohl)) +- apache::mod::mime does not compile due to wrong file dependency [#627](https://github.com/puppetlabs/puppetlabs-apache/pull/627) ([carlossg](https://github.com/carlossg)) + +## [1.0.1](https://github.com/puppetlabs/puppetlabs-apache/tree/1.0.1) - 2014-03-04 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/1.0.0...1.0.1) + +### Fixed + +- Replace the symlink with the actual file to resolve a PMT issue. [#665](https://github.com/puppetlabs/puppetlabs-apache/pull/665) ([apenney](https://github.com/apenney)) + +## [1.0.0](https://github.com/puppetlabs/puppetlabs-apache/tree/1.0.0) - 2014-03-03 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/0.11.0...1.0.0) + +### Changed + +- Metadata [#661](https://github.com/puppetlabs/puppetlabs-apache/pull/661) ([apenney](https://github.com/apenney)) +- Apache2.4 support [#552](https://github.com/puppetlabs/puppetlabs-apache/pull/552) ([scottasmith](https://github.com/scottasmith)) + +### Added + +- Modifying hierarchy of the Version/Params to fix AWS AMI [#651](https://github.com/puppetlabs/puppetlabs-apache/pull/651) ([jrnt30](https://github.com/jrnt30)) +- Windows, Suse, Solaris, and AIX are not supported. [#644](https://github.com/puppetlabs/puppetlabs-apache/pull/644) ([hunner](https://github.com/hunner)) +- Add rewrite_base functionality to rewrites [#631](https://github.com/puppetlabs/puppetlabs-apache/pull/631) ([hunner](https://github.com/hunner)) +- Array/Hash mutating operations deprecated [#625](https://github.com/puppetlabs/puppetlabs-apache/pull/625) ([domcleal](https://github.com/domcleal)) +- Create user/group instead of using existing ones [#619](https://github.com/puppetlabs/puppetlabs-apache/pull/619) ([hunner](https://github.com/hunner)) +- Allow custom gemsource [#617](https://github.com/puppetlabs/puppetlabs-apache/pull/617) ([hunner](https://github.com/hunner)) +- Ensure socache_shmcb is enabled on all Apache 2.4 OSes [#612](https://github.com/puppetlabs/puppetlabs-apache/pull/612) ([domcleal](https://github.com/domcleal)) +- Add WSGIApplicationGroup and WSGIImportScript directives [#606](https://github.com/puppetlabs/puppetlabs-apache/pull/606) ([bodgit](https://github.com/bodgit)) + +### Fixed + +- Add in missing fields to work around a Puppet bug. [#663](https://github.com/puppetlabs/puppetlabs-apache/pull/663) ([apenney](https://github.com/apenney)) +- Adds "Release Notes/Known Bugs" to Changelog, updates file format to markdown, standardizes the format of previous entries [#660](https://github.com/puppetlabs/puppetlabs-apache/pull/660) ([lrnrthr](https://github.com/lrnrthr)) +- Checking the stderr wasn't specified correctly [#646](https://github.com/puppetlabs/puppetlabs-apache/pull/646) ([hunner](https://github.com/hunner)) +- Fix WSGI import_script and mod_ssl issues on Lucid [#645](https://github.com/puppetlabs/puppetlabs-apache/pull/645) ([hunner](https://github.com/hunner)) +- The vagrant user doesn't exist on non-vagrant machines [#616](https://github.com/puppetlabs/puppetlabs-apache/pull/616) ([hunner](https://github.com/hunner)) +- Lint fixes [#614](https://github.com/puppetlabs/puppetlabs-apache/pull/614) ([justinstoller](https://github.com/justinstoller)) +- Proxy pass reverse fix [#613](https://github.com/puppetlabs/puppetlabs-apache/pull/613) ([dteirney](https://github.com/dteirney)) +- templates/vhost/_proxy.erb misconfigures ProxyPassReverse [#602](https://github.com/puppetlabs/puppetlabs-apache/pull/602) ([jrwilk01](https://github.com/jrwilk01)) +- Added in mod_actions to the repo so it may be used. [#591](https://github.com/puppetlabs/puppetlabs-apache/pull/591) ([typhonius](https://github.com/typhonius)) + +## [0.11.0](https://github.com/puppetlabs/puppetlabs-apache/tree/0.11.0) - 2014-02-05 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/0.10.0...0.11.0) + +### Added + +- Implement *Match methods for directory providers [#597](https://github.com/puppetlabs/puppetlabs-apache/pull/597) ([scottasmith](https://github.com/scottasmith)) +- allow AuthGroupFile directive for vhosts [#589](https://github.com/puppetlabs/puppetlabs-apache/pull/589) ([doc75](https://github.com/doc75)) +- Support Header directives in vhost context [#575](https://github.com/puppetlabs/puppetlabs-apache/pull/575) ([antaflos](https://github.com/antaflos)) +- quote paths for windows compatability [#567](https://github.com/puppetlabs/puppetlabs-apache/pull/567) ([jlambert121](https://github.com/jlambert121)) +- Update alias.pp to let users of Amazon Linux use the module [#545](https://github.com/puppetlabs/puppetlabs-apache/pull/545) ([mattboston](https://github.com/mattboston)) +- Update init.pp to allow for support for Amazon Linux [#544](https://github.com/puppetlabs/puppetlabs-apache/pull/544) ([mattboston](https://github.com/mattboston)) +- Added support for mod_include [#543](https://github.com/puppetlabs/puppetlabs-apache/pull/543) ([derJD](https://github.com/derJD)) +- Pass this through to directories. [#539](https://github.com/puppetlabs/puppetlabs-apache/pull/539) ([apenney](https://github.com/apenney)) +- Support environment variable control for CustomLog [#527](https://github.com/puppetlabs/puppetlabs-apache/pull/527) ([chieping](https://github.com/chieping)) +- added redirectmatch support [#521](https://github.com/puppetlabs/puppetlabs-apache/pull/521) ([pablokbs](https://github.com/pablokbs)) +- Convert spec tests to beaker [#518](https://github.com/puppetlabs/puppetlabs-apache/pull/518) ([hunner](https://github.com/hunner)) +- Setting up the ability to do multiple rewrites and conditions. Allowing ... [#517](https://github.com/puppetlabs/puppetlabs-apache/pull/517) ([amvapor](https://github.com/amvapor)) +- Support php_admin_(flag|value)s [#481](https://github.com/puppetlabs/puppetlabs-apache/pull/481) ([igalic](https://github.com/igalic)) + +### Fixed + +- Fix typos in templates/vhost/_itk.erb [#601](https://github.com/puppetlabs/puppetlabs-apache/pull/601) ([hunner](https://github.com/hunner)) +- Change serveradmin default to undef [#599](https://github.com/puppetlabs/puppetlabs-apache/pull/599) ([hunner](https://github.com/hunner)) +- Delete this key, mistakenly added. [#582](https://github.com/puppetlabs/puppetlabs-apache/pull/582) ([apenney](https://github.com/apenney)) +- fix puppet-lint errors [#571](https://github.com/puppetlabs/puppetlabs-apache/pull/571) ([robbyt](https://github.com/robbyt)) +- Don't purge mods-available dir when separate enable dir is used [#561](https://github.com/puppetlabs/puppetlabs-apache/pull/561) ([domcleal](https://github.com/domcleal)) +- Fix the servername used in log file name [#547](https://github.com/puppetlabs/puppetlabs-apache/pull/547) ([xcompass](https://github.com/xcompass)) +- make sure that directories are actually a Hash [#536](https://github.com/puppetlabs/puppetlabs-apache/pull/536) ([igalic](https://github.com/igalic)) +- Fix rspec-puppet deprecation warnings [#534](https://github.com/puppetlabs/puppetlabs-apache/pull/534) ([blkperl](https://github.com/blkperl)) +- Fix $ports_file reference in Namevirtualhost. [#532](https://github.com/puppetlabs/puppetlabs-apache/pull/532) ([apenney](https://github.com/apenney)) + +## [0.10.0](https://github.com/puppetlabs/puppetlabs-apache/tree/0.10.0) - 2013-12-05 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/0.9.0...0.10.0) + +### Added + +- Make LogLevel configurable for server [#516](https://github.com/puppetlabs/puppetlabs-apache/pull/516) ([antaflos](https://github.com/antaflos)) +- Make LogLevel configurable for vhost [#513](https://github.com/puppetlabs/puppetlabs-apache/pull/513) ([antaflos](https://github.com/antaflos)) +- Add ability to pass ip (instead of wildcard) in default vhost files [#509](https://github.com/puppetlabs/puppetlabs-apache/pull/509) ([tampakrap](https://github.com/tampakrap)) +- add parameter for TraceEnable [#508](https://github.com/puppetlabs/puppetlabs-apache/pull/508) ([mmoll](https://github.com/mmoll)) +- Add support for ScriptAliasMatch directives [#502](https://github.com/puppetlabs/puppetlabs-apache/pull/502) ([antaflos](https://github.com/antaflos)) +- Remove eronous duplication of ForceType [#501](https://github.com/puppetlabs/puppetlabs-apache/pull/501) ([igalic](https://github.com/igalic)) +- Add support for overriding ErrorDocument [#498](https://github.com/puppetlabs/puppetlabs-apache/pull/498) ([igalic](https://github.com/igalic)) +- Add suPHP_UserGroup directive to directory context [#497](https://github.com/puppetlabs/puppetlabs-apache/pull/497) ([igalic](https://github.com/igalic)) +- Working mod_authnz_ldap support on Debian/Ubuntu [#496](https://github.com/puppetlabs/puppetlabs-apache/pull/496) ([antaflos](https://github.com/antaflos)) +- Set SSLOptions StdEnvVars in server context [#490](https://github.com/puppetlabs/puppetlabs-apache/pull/490) ([igalic](https://github.com/igalic)) +- Mod rpaf support (with FreeBSD support) [#471](https://github.com/puppetlabs/puppetlabs-apache/pull/471) ([ptomulik](https://github.com/ptomulik)) +- Don't listen on port or set NameVirtualHost for non-existent vhost [#470](https://github.com/puppetlabs/puppetlabs-apache/pull/470) ([antaflos](https://github.com/antaflos)) +- Adding support for another mod_wsgi parameter [#458](https://github.com/puppetlabs/puppetlabs-apache/pull/458) ([ksexton](https://github.com/ksexton)) +- Add ability to include additional external configurations in vhost [#457](https://github.com/puppetlabs/puppetlabs-apache/pull/457) ([alnewkirk](https://github.com/alnewkirk)) +- Add new params to apache::mod::mime class [#447](https://github.com/puppetlabs/puppetlabs-apache/pull/447) ([ptomulik](https://github.com/ptomulik)) +- Add Allow and ExtendedStatus support to mod_status (rebase of #419) [#446](https://github.com/puppetlabs/puppetlabs-apache/pull/446) ([dbeckham](https://github.com/dbeckham)) +- Allow apache::mod to specify module id and path [#445](https://github.com/puppetlabs/puppetlabs-apache/pull/445) ([ptomulik](https://github.com/ptomulik)) +- added $server_root parameter [#443](https://github.com/puppetlabs/puppetlabs-apache/pull/443) ([ptomulik](https://github.com/ptomulik)) +- More vhost directives, only add AllowOverride default for directory container [#438](https://github.com/puppetlabs/puppetlabs-apache/pull/438) ([TrevorBramble](https://github.com/TrevorBramble)) +- Peruser event [#437](https://github.com/puppetlabs/puppetlabs-apache/pull/437) ([ptomulik](https://github.com/ptomulik)) +- Added $service_name parameter [#436](https://github.com/puppetlabs/puppetlabs-apache/pull/436) ([ptomulik](https://github.com/ptomulik)) +- add $root_group parameter [#435](https://github.com/puppetlabs/puppetlabs-apache/pull/435) ([ptomulik](https://github.com/ptomulik)) +- ensure default vhost config files are removed when false [#433](https://github.com/puppetlabs/puppetlabs-apache/pull/433) ([jlambert121](https://github.com/jlambert121)) +- allow allow_from to be set for mod_status [#432](https://github.com/puppetlabs/puppetlabs-apache/pull/432) ([jlambert121](https://github.com/jlambert121)) +- Add support for nss module [#426](https://github.com/puppetlabs/puppetlabs-apache/pull/426) ([jonathanunderwood](https://github.com/jonathanunderwood)) +- satisfy mod_php inter-module dependencies [#422](https://github.com/puppetlabs/puppetlabs-apache/pull/422) ([igalic](https://github.com/igalic)) +- Remove AllowOverride header for non-directories [#420](https://github.com/puppetlabs/puppetlabs-apache/pull/420) ([mvschaik](https://github.com/mvschaik)) +- Don't set `Allow from all` by default for apache::vhost::directories [#416](https://github.com/puppetlabs/puppetlabs-apache/pull/416) ([RPDiep](https://github.com/RPDiep)) +- Enable support for mod_authnz_ldap [#404](https://github.com/puppetlabs/puppetlabs-apache/pull/404) ([jlambert121](https://github.com/jlambert121)) +- FM-103: Add metadata.json to all modules. [#401](https://github.com/puppetlabs/puppetlabs-apache/pull/401) ([apenney](https://github.com/apenney)) +- Add basic support for mod_proxy_ajp [#398](https://github.com/puppetlabs/puppetlabs-apache/pull/398) ([croddy](https://github.com/croddy)) +- (#368) Add scriptaliases parameter for multiple script aliases [#394](https://github.com/puppetlabs/puppetlabs-apache/pull/394) ([jlambert121](https://github.com/jlambert121)) +- Add SSLVerifyClient, SSLVerifyDepth, SSLOptions to vhost configuration [#391](https://github.com/puppetlabs/puppetlabs-apache/pull/391) ([mwhahaha](https://github.com/mwhahaha)) +- mod_fastcgi [#390](https://github.com/puppetlabs/puppetlabs-apache/pull/390) ([jlambert121](https://github.com/jlambert121)) +- Add support for DirectoryIndex tag. [#389](https://github.com/puppetlabs/puppetlabs-apache/pull/389) ([arnoudj](https://github.com/arnoudj)) +- Added passenger_use_global_queue option [#388](https://github.com/puppetlabs/puppetlabs-apache/pull/388) ([xorpaul](https://github.com/xorpaul)) +- Ability to define service_enable and service_ensure independently [#387](https://github.com/puppetlabs/puppetlabs-apache/pull/387) ([xorpaul](https://github.com/xorpaul)) +- Support FallbackResource (httpd >= 2.2.16) [#383](https://github.com/puppetlabs/puppetlabs-apache/pull/383) ([igalic](https://github.com/igalic)) +- Added a parameter that allow to precise package ensure [#382](https://github.com/puppetlabs/puppetlabs-apache/pull/382) ([godp1301](https://github.com/godp1301)) +- Added 2 parameters to control the creation of user and group resources [#381](https://github.com/puppetlabs/puppetlabs-apache/pull/381) ([slamont](https://github.com/slamont)) +- Remove vhost symlink if ensure != present. [#380](https://github.com/puppetlabs/puppetlabs-apache/pull/380) ([pataquets](https://github.com/pataquets)) +- Added apache::mod::mime to support SSL module. [#379](https://github.com/puppetlabs/puppetlabs-apache/pull/379) ([blewa](https://github.com/blewa)) +- SSLProtocol, SSLCipherSuite, SSLHonorCipherOrder support in the SSL section [#378](https://github.com/puppetlabs/puppetlabs-apache/pull/378) ([AlexRRR](https://github.com/AlexRRR)) +- Add 'Timeout' core directive. [#367](https://github.com/puppetlabs/puppetlabs-apache/pull/367) ([pataquets](https://github.com/pataquets)) +- Add conditional directive to alias_module template. [#366](https://github.com/puppetlabs/puppetlabs-apache/pull/366) ([pataquets](https://github.com/pataquets)) +- Convert sendfile param to string from bool. [#365](https://github.com/puppetlabs/puppetlabs-apache/pull/365) ([razorsedge](https://github.com/razorsedge)) +- Add support for DirectoryIndex tag described here: [#359](https://github.com/puppetlabs/puppetlabs-apache/pull/359) ([faisal-memon](https://github.com/faisal-memon)) +- Enable support for mod_authnz_ldap [#356](https://github.com/puppetlabs/puppetlabs-apache/pull/356) ([jbartko](https://github.com/jbartko)) +- apache::mod::expires class for easy including [#352](https://github.com/puppetlabs/puppetlabs-apache/pull/352) ([kitchen](https://github.com/kitchen)) +- Remove default block [#345](https://github.com/puppetlabs/puppetlabs-apache/pull/345) ([igalic](https://github.com/igalic)) +- Add configuration options for ServerTokens and ServerSignature [#344](https://github.com/puppetlabs/puppetlabs-apache/pull/344) ([xstasi](https://github.com/xstasi)) +- Support for FreeBSD and few other features (reworked PR #264). [#342](https://github.com/puppetlabs/puppetlabs-apache/pull/342) ([ptomulik](https://github.com/ptomulik)) +- Allow specifying "ensure" parameter in apache::mod::php [#338](https://github.com/puppetlabs/puppetlabs-apache/pull/338) ([MasonM](https://github.com/MasonM)) +- allow to choose the mpm_event mod from the init.pp [#323](https://github.com/puppetlabs/puppetlabs-apache/pull/323) ([mhellmic](https://github.com/mhellmic)) +- adopt a more stable proxy configuration [#306](https://github.com/puppetlabs/puppetlabs-apache/pull/306) ([igalic](https://github.com/igalic)) + +### Fixed + +- No implicit entry for ScriptAlias path [#488](https://github.com/puppetlabs/puppetlabs-apache/pull/488) ([antaflos](https://github.com/antaflos)) +- Add support for AliasMatch directives [#483](https://github.com/puppetlabs/puppetlabs-apache/pull/483) ([antaflos](https://github.com/antaflos)) +- Fix directory fragment not setting AllowOverride [#455](https://github.com/puppetlabs/puppetlabs-apache/pull/455) ([Aethylred](https://github.com/Aethylred)) +- Revert unnecessary `$default_ssl_vhost` validation change. [#453](https://github.com/puppetlabs/puppetlabs-apache/pull/453) ([dbeckham](https://github.com/dbeckham)) +- Workaround for apxs-loaded modules [#444](https://github.com/puppetlabs/puppetlabs-apache/pull/444) ([ptomulik](https://github.com/ptomulik)) +- vhost directories fix [#434](https://github.com/puppetlabs/puppetlabs-apache/pull/434) ([kgeis](https://github.com/kgeis)) +- Checked that Package declaration has not been defined yet. Fixes #424 [#425](https://github.com/puppetlabs/puppetlabs-apache/pull/425) ([jtreminio](https://github.com/jtreminio)) +- Correct broken mime_magic config for Debian - Squashed commit for #418 [#421](https://github.com/puppetlabs/puppetlabs-apache/pull/421) ([dbeckham](https://github.com/dbeckham)) +- default_mods now pulls in mod_rewrite correctly [#415](https://github.com/puppetlabs/puppetlabs-apache/pull/415) ([justinclayton](https://github.com/justinclayton)) +- Calling apache::mod::rewrite instead of Apache::Mod class directly. Fixe... [#412](https://github.com/puppetlabs/puppetlabs-apache/pull/412) ([jtreminio](https://github.com/jtreminio)) +- Correct incorrect expects and init race condition [#405](https://github.com/puppetlabs/puppetlabs-apache/pull/405) ([hunner](https://github.com/hunner)) +- Fix for https://github.com/puppetlabs/puppetlabs-apache/issues/248 [#392](https://github.com/puppetlabs/puppetlabs-apache/pull/392) ([greglarkin](https://github.com/greglarkin)) +- EL5 and EL6 both use /etc/pki/tls/certs. [#384](https://github.com/puppetlabs/puppetlabs-apache/pull/384) ([razorsedge](https://github.com/razorsedge)) +- Fix invalid variable name in itk mod [#362](https://github.com/puppetlabs/puppetlabs-apache/pull/362) ([blkperl](https://github.com/blkperl)) +- Fix for issue #358. Including apache::mod::proxy and apache::mod::proxy_h... [#360](https://github.com/puppetlabs/puppetlabs-apache/pull/360) ([bmurtagh](https://github.com/bmurtagh)) +- fix exception types in some specs [#350](https://github.com/puppetlabs/puppetlabs-apache/pull/350) ([ptomulik](https://github.com/ptomulik)) + +## [0.9.0](https://github.com/puppetlabs/puppetlabs-apache/tree/0.9.0) - 2013-09-06 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/0.8.1...0.9.0) + +### Added + +- Add header support to the apache::vhost::directories parameter [#334](https://github.com/puppetlabs/puppetlabs-apache/pull/334) ([hunner](https://github.com/hunner)) +- Support all kinds of httpd directories. [#331](https://github.com/puppetlabs/puppetlabs-apache/pull/331) ([igalic](https://github.com/igalic)) +- Add wsgi_daemon_process_options parameter to vhost [#330](https://github.com/puppetlabs/puppetlabs-apache/pull/330) ([blkperl](https://github.com/blkperl)) +- Add deprecation warning for a2mod [#329](https://github.com/puppetlabs/puppetlabs-apache/pull/329) ([blkperl](https://github.com/blkperl)) +- Add syslog support for vhosts [#324](https://github.com/puppetlabs/puppetlabs-apache/pull/324) ([mkoderer](https://github.com/mkoderer)) +- Add suphp mod [#322](https://github.com/puppetlabs/puppetlabs-apache/pull/322) ([blkperl](https://github.com/blkperl)) +- Service class [#321](https://github.com/puppetlabs/puppetlabs-apache/pull/321) ([hunner](https://github.com/hunner)) +- remove servername_real [#320](https://github.com/puppetlabs/puppetlabs-apache/pull/320) ([kitchen](https://github.com/kitchen)) +- Add WSGI params to apache::vhost [#319](https://github.com/puppetlabs/puppetlabs-apache/pull/319) ([blkperl](https://github.com/blkperl)) +- Add WSGIPythonHome param to apache::mod::wsgi [#318](https://github.com/puppetlabs/puppetlabs-apache/pull/318) ([blkperl](https://github.com/blkperl)) +- Add build status png [#316](https://github.com/puppetlabs/puppetlabs-apache/pull/316) ([blkperl](https://github.com/blkperl)) +- make default mods configurable [#314](https://github.com/puppetlabs/puppetlabs-apache/pull/314) ([igalic](https://github.com/igalic)) +- Add KeepAliveTimeout parameter [#313](https://github.com/puppetlabs/puppetlabs-apache/pull/313) ([jjtorroglosa](https://github.com/jjtorroglosa)) +- if facter can not determine the fqdn, use the hostname fact [#308](https://github.com/puppetlabs/puppetlabs-apache/pull/308) ([jonmosco](https://github.com/jonmosco)) +- Add stuff to use ITK on Debian [#304](https://github.com/puppetlabs/puppetlabs-apache/pull/304) ([kumy](https://github.com/kumy)) +- Allow configuration of WSGISocketPrefix [#296](https://github.com/puppetlabs/puppetlabs-apache/pull/296) ([stdietrich](https://github.com/stdietrich)) +- Add the custom_fragement to the directories hash [#290](https://github.com/puppetlabs/puppetlabs-apache/pull/290) ([booo](https://github.com/booo)) +- Auth [#289](https://github.com/puppetlabs/puppetlabs-apache/pull/289) ([booo](https://github.com/booo)) +- Update apache::params for Amazon Linux [#288](https://github.com/puppetlabs/puppetlabs-apache/pull/288) ([hunner](https://github.com/hunner)) +- Add `httpd_dir` parameter to the base class for custom builds [#287](https://github.com/puppetlabs/puppetlabs-apache/pull/287) ([hunner](https://github.com/hunner)) +- Add KeepAlive parameter [#280](https://github.com/puppetlabs/puppetlabs-apache/pull/280) ([thegriglat](https://github.com/thegriglat)) +- (#272) Add parameter sslproxyengine to vhost.pp [#273](https://github.com/puppetlabs/puppetlabs-apache/pull/273) ([mattthias](https://github.com/mattthias)) +- Add auth_basic_file and auth_basic_name support to vhost directories [#240](https://github.com/puppetlabs/puppetlabs-apache/pull/240) ([ezheidtmann](https://github.com/ezheidtmann)) +- Passenger tuning with the apache::mod::passenger class [#146](https://github.com/puppetlabs/puppetlabs-apache/pull/146) ([Aethylred](https://github.com/Aethylred)) + +### Fixed + +- Fixed failing itk system spec on RedHat [#351](https://github.com/puppetlabs/puppetlabs-apache/pull/351) ([ptomulik](https://github.com/ptomulik)) +- Fix failing itk system spec on RedHat [#349](https://github.com/puppetlabs/puppetlabs-apache/pull/349) ([blkperl](https://github.com/blkperl)) +- Fix apache::default_mods loading [#348](https://github.com/puppetlabs/puppetlabs-apache/pull/348) ([hunner](https://github.com/hunner)) +- Fix hash ordering on 1.8.7 for #330 [#335](https://github.com/puppetlabs/puppetlabs-apache/pull/335) ([hunner](https://github.com/hunner)) +- Fix parameters that take hash or array of hashes [#327](https://github.com/puppetlabs/puppetlabs-apache/pull/327) ([hunner](https://github.com/hunner)) +- Fix a2mod ruby19 bug [#315](https://github.com/puppetlabs/puppetlabs-apache/pull/315) ([blkperl](https://github.com/blkperl)) +- Fix stdlib requirements [#311](https://github.com/puppetlabs/puppetlabs-apache/pull/311) ([hunner](https://github.com/hunner)) +- The * needs to be escaped for grep to pass [#309](https://github.com/puppetlabs/puppetlabs-apache/pull/309) ([hunner](https://github.com/hunner)) +- Fix rewrite_base [#307](https://github.com/puppetlabs/puppetlabs-apache/pull/307) ([ekohl](https://github.com/ekohl)) +- Fixes Issue #291 - created apache::mod::proxy_balancer [#292](https://github.com/puppetlabs/puppetlabs-apache/pull/292) ([benhocker](https://github.com/benhocker)) +- (#278) Ports file attempted to be created before Apache installed [#279](https://github.com/puppetlabs/puppetlabs-apache/pull/279) ([jtreminio](https://github.com/jtreminio)) + +## [0.8.1](https://github.com/puppetlabs/puppetlabs-apache/tree/0.8.1) - 2013-07-26 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/0.8.0...0.8.1) + +### Added + +- Use a more specific match for changing worker/prefork [#263](https://github.com/puppetlabs/puppetlabs-apache/pull/263) ([hunner](https://github.com/hunner)) + +## [0.8.0](https://github.com/puppetlabs/puppetlabs-apache/tree/0.8.0) - 2013-07-17 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/0.7.0...0.8.0) + +### Added + +- make directories examples real puppet DSL [#253](https://github.com/puppetlabs/puppetlabs-apache/pull/253) ([richardc](https://github.com/richardc)) +- add proxy_set option to balancer [#252](https://github.com/puppetlabs/puppetlabs-apache/pull/252) ([tjikkun](https://github.com/tjikkun)) +- Add severname parameter to httpd.conf [#251](https://github.com/puppetlabs/puppetlabs-apache/pull/251) ([blkperl](https://github.com/blkperl)) +- make fragment names unique to support multiple balancerclusters [#249](https://github.com/puppetlabs/puppetlabs-apache/pull/249) ([tjikkun](https://github.com/tjikkun)) + +### Fixed + +- Issue 230 specifiy that: The apache::mod::* classes that have .conf file [#250](https://github.com/puppetlabs/puppetlabs-apache/pull/250) ([gehel](https://github.com/gehel)) +- Sites symlinks [#235](https://github.com/puppetlabs/puppetlabs-apache/pull/235) ([hunner](https://github.com/hunner)) + +## [0.7.0](https://github.com/puppetlabs/puppetlabs-apache/tree/0.7.0) - 2013-07-09 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/0.6.0...0.7.0) + +### Changed + +- Refactor module [#182](https://github.com/puppetlabs/puppetlabs-apache/pull/182) ([hunner](https://github.com/hunner)) + +### Added + +- Added an 'h' in a typo on default_ssl_vost [#243](https://github.com/puppetlabs/puppetlabs-apache/pull/243) ([Wesseldr](https://github.com/Wesseldr)) +- Add balancermember define [#238](https://github.com/puppetlabs/puppetlabs-apache/pull/238) ([tjikkun](https://github.com/tjikkun)) +- Updating for puppet lint [#236](https://github.com/puppetlabs/puppetlabs-apache/pull/236) ([hunner](https://github.com/hunner)) +- Add posibility to set VirtualDocumentRoot [#234](https://github.com/puppetlabs/puppetlabs-apache/pull/234) ([hunner](https://github.com/hunner)) +- Remove firewall resource [#229](https://github.com/puppetlabs/puppetlabs-apache/pull/229) ([hunner](https://github.com/hunner)) +- Add @ to cgisock_path [#227](https://github.com/puppetlabs/puppetlabs-apache/pull/227) ([hunner](https://github.com/hunner)) +- Adding extra vhost rspec-server tests [#226](https://github.com/puppetlabs/puppetlabs-apache/pull/226) ([hunner](https://github.com/hunner)) +- Support for mod_xsendfile [#224](https://github.com/puppetlabs/puppetlabs-apache/pull/224) ([bmurtagh](https://github.com/bmurtagh)) +- Adding rspec-system tests for apache::vhost [#217](https://github.com/puppetlabs/puppetlabs-apache/pull/217) ([hunner](https://github.com/hunner)) +- Remove array key assignment [#215](https://github.com/puppetlabs/puppetlabs-apache/pull/215) ([hunner](https://github.com/hunner)) +- Adding support for mod_dav_svn [#214](https://github.com/puppetlabs/puppetlabs-apache/pull/214) ([hunner](https://github.com/hunner)) +- Add vhost Alias and Directory declarations [#212](https://github.com/puppetlabs/puppetlabs-apache/pull/212) ([Aethylred](https://github.com/Aethylred)) +- This allows an override of the default DirectoryIndex directive [#211](https://github.com/puppetlabs/puppetlabs-apache/pull/211) ([Aethylred](https://github.com/Aethylred)) +- Move user and group into class parameters. [#210](https://github.com/puppetlabs/puppetlabs-apache/pull/210) ([sfozz](https://github.com/sfozz)) +- Add $conf_template in order to override the default template. [#200](https://github.com/puppetlabs/puppetlabs-apache/pull/200) ([apenney](https://github.com/apenney)) +- Add proxy_pass parameter [#193](https://github.com/puppetlabs/puppetlabs-apache/pull/193) ([tjikkun](https://github.com/tjikkun)) +- Move 'ServerLimit' line in worker.erb [#191](https://github.com/puppetlabs/puppetlabs-apache/pull/191) ([trlinkin](https://github.com/trlinkin)) +- Add Validation and rspec tests for $error_log [#186](https://github.com/puppetlabs/puppetlabs-apache/pull/186) ([trlinkin](https://github.com/trlinkin)) +- Refactor vhost logformat [#184](https://github.com/puppetlabs/puppetlabs-apache/pull/184) ([trlinkin](https://github.com/trlinkin)) +- Add a2mod instances method on Debian [#133](https://github.com/puppetlabs/puppetlabs-apache/pull/133) ([hunner](https://github.com/hunner)) +- Added apache::mod::rewrite class. [#128](https://github.com/puppetlabs/puppetlabs-apache/pull/128) ([Stubbs](https://github.com/Stubbs)) +- Added apache::mod::shib to configure Shibboleth Service Providers [#96](https://github.com/puppetlabs/puppetlabs-apache/pull/96) ([Aethylred](https://github.com/Aethylred)) + +### Fixed + +- Fix directories template fragment [#233](https://github.com/puppetlabs/puppetlabs-apache/pull/233) ([hunner](https://github.com/hunner)) +- Update apache::mod::php's error message to be correct [#232](https://github.com/puppetlabs/puppetlabs-apache/pull/232) ([hunner](https://github.com/hunner)) +- Incorrect php .so [#225](https://github.com/puppetlabs/puppetlabs-apache/pull/225) ([hunner](https://github.com/hunner)) +- Only 0 (no changes) and 2 (successful) are valid exit codes [#222](https://github.com/puppetlabs/puppetlabs-apache/pull/222) ([hunner](https://github.com/hunner)) +- fix variables for latest puppet [#208](https://github.com/puppetlabs/puppetlabs-apache/pull/208) ([pronix](https://github.com/pronix)) +- Unable to use proxy because of the default deny all [#203](https://github.com/puppetlabs/puppetlabs-apache/pull/203) ([gregswift](https://github.com/gregswift)) +- Fix mod::prefork dependencies [#188](https://github.com/puppetlabs/puppetlabs-apache/pull/188) ([nanliu](https://github.com/nanliu)) + +## [0.6.0](https://github.com/puppetlabs/puppetlabs-apache/tree/0.6.0) - 2013-03-28 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/0.5.0-rc1...0.6.0) + +### Added + +- Restrict the versions and add 3.1 [#159](https://github.com/puppetlabs/puppetlabs-apache/pull/159) ([richardc](https://github.com/richardc)) +- Enable puppet 3.0.1 in travis.yml [#143](https://github.com/puppetlabs/puppetlabs-apache/pull/143) ([blkperl](https://github.com/blkperl)) +- Add parameter for purging vdir [#139](https://github.com/puppetlabs/puppetlabs-apache/pull/139) ([mjanser](https://github.com/mjanser)) + +## [0.5.0-rc1](https://github.com/puppetlabs/puppetlabs-apache/tree/0.5.0-rc1) - 2012-12-01 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/0.4.0...0.5.0-rc1) + +### Added + +- Passenger support [#112](https://github.com/puppetlabs/puppetlabs-apache/pull/112) ([antaflos](https://github.com/antaflos)) +- Accept service_enable parameter to install without running at boot [#108](https://github.com/puppetlabs/puppetlabs-apache/pull/108) ([rwstauner](https://github.com/rwstauner)) +- Ability to enable/disable "EnableSendFile" from base class call. [#105](https://github.com/puppetlabs/puppetlabs-apache/pull/105) ([obokaman-com](https://github.com/obokaman-com)) +- Include apache::params in apache::mod::php [#102](https://github.com/puppetlabs/puppetlabs-apache/pull/102) ([reidmv](https://github.com/reidmv)) +- Allow overriding servername in apache::vhost::redirect [#101](https://github.com/puppetlabs/puppetlabs-apache/pull/101) ([cdelston](https://github.com/cdelston)) +- Added rspec tests for apache::mod define [#100](https://github.com/puppetlabs/puppetlabs-apache/pull/100) ([knowshan](https://github.com/knowshan)) +- Allow custom library paths and module identifier names [#97](https://github.com/puppetlabs/puppetlabs-apache/pull/97) ([knowshan](https://github.com/knowshan)) + +### Fixed + +- ssl_path is not set for vhost-proxy [#106](https://github.com/puppetlabs/puppetlabs-apache/pull/106) ([carlossg](https://github.com/carlossg)) +- `$servername` is ignored by `apache::vhost::proxy` [#95](https://github.com/puppetlabs/puppetlabs-apache/pull/95) ([hunner](https://github.com/hunner)) +- servername is ignored by apache::vhost::proxy [#94](https://github.com/puppetlabs/puppetlabs-apache/pull/94) ([cyberwolf](https://github.com/cyberwolf)) + +## [0.4.0](https://github.com/puppetlabs/puppetlabs-apache/tree/0.4.0) - 2012-08-24 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/0.3.0...0.4.0) + +### Fixed + +- Fix vhost template [#88](https://github.com/puppetlabs/puppetlabs-apache/pull/88) ([hunner](https://github.com/hunner)) +- Fixed syntax of validate_re function. [#87](https://github.com/puppetlabs/puppetlabs-apache/pull/87) ([martasd](https://github.com/martasd)) +- Fixed formatting in vhost template. [#86](https://github.com/puppetlabs/puppetlabs-apache/pull/86) ([martasd](https://github.com/martasd)) +- Fix failing spec tests [#83](https://github.com/puppetlabs/puppetlabs-apache/pull/83) ([hunner](https://github.com/hunner)) + +## [0.3.0](https://github.com/puppetlabs/puppetlabs-apache/tree/0.3.0) - 2012-08-22 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/0.2.2...0.3.0) + +### Added + +- Update reference to deprecated apache::php [#85](https://github.com/puppetlabs/puppetlabs-apache/pull/85) ([philsturgeon](https://github.com/philsturgeon)) +- (#16064) Make config files RedHat-compatible [#84](https://github.com/puppetlabs/puppetlabs-apache/pull/84) ([hakamadare](https://github.com/hakamadare)) +- Add dependency for package httpd before creating mod.d [#80](https://github.com/puppetlabs/puppetlabs-apache/pull/80) ([hunner](https://github.com/hunner)) +- Docroot owner [#79](https://github.com/puppetlabs/puppetlabs-apache/pull/79) ([hunner](https://github.com/hunner)) +- Add ssl mod [#78](https://github.com/puppetlabs/puppetlabs-apache/pull/78) ([hunner](https://github.com/hunner)) + +## [0.2.2](https://github.com/puppetlabs/puppetlabs-apache/tree/0.2.2) - 2012-08-15 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/0.2.1...0.2.2) + +### Added + +- Remove apache::mod::mem_cache from apache::mod::default [#76](https://github.com/puppetlabs/puppetlabs-apache/pull/76) ([hunner](https://github.com/hunner)) + +## [0.2.1](https://github.com/puppetlabs/puppetlabs-apache/tree/0.2.1) - 2012-08-15 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/0.2.0...0.2.1) + +### Added + +- Remove apache::mod::file_cache from apache::mod::default [#75](https://github.com/puppetlabs/puppetlabs-apache/pull/75) ([hunner](https://github.com/hunner)) +- mod.pp: we should make sure the package is present before enabling the module [#73](https://github.com/puppetlabs/puppetlabs-apache/pull/73) ([wulff](https://github.com/wulff)) + +### Fixed + +- mod.pp: we should make sure the package is present before enabling the module [#74](https://github.com/puppetlabs/puppetlabs-apache/pull/74) ([hunner](https://github.com/hunner)) + +## [0.2.0](https://github.com/puppetlabs/puppetlabs-apache/tree/0.2.0) - 2012-08-13 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/0.1.2...0.2.0) + +### Added + +- Add server_admin parameter to the apache base class [#71](https://github.com/puppetlabs/puppetlabs-apache/pull/71) ([hunner](https://github.com/hunner)) +- Add apache::mod::proxy_html [#70](https://github.com/puppetlabs/puppetlabs-apache/pull/70) ([hunner](https://github.com/hunner)) +- Add mod templates [#69](https://github.com/puppetlabs/puppetlabs-apache/pull/69) ([hunner](https://github.com/hunner)) +- Add mod lib parameter [#68](https://github.com/puppetlabs/puppetlabs-apache/pull/68) ([hunner](https://github.com/hunner)) +- Split the userdir module out of the default list and template UserDir [#66](https://github.com/puppetlabs/puppetlabs-apache/pull/66) ([hunner](https://github.com/hunner)) + +### Fixed + +- Bugfix: apache::mod::auth_basic is a class [#67](https://github.com/puppetlabs/puppetlabs-apache/pull/67) ([hunner](https://github.com/hunner)) + +## [0.1.2](https://github.com/puppetlabs/puppetlabs-apache/tree/0.1.2) - 2012-08-09 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/0.1.1...0.1.2) + +### Added + +- Adding template for httpd.conf and default mods [#62](https://github.com/puppetlabs/puppetlabs-apache/pull/62) ([hunner](https://github.com/hunner)) + +## [0.1.1](https://github.com/puppetlabs/puppetlabs-apache/tree/0.1.1) - 2012-08-07 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/0.1.0...0.1.1) + +### Added + +- Ensure proxy mods are loaded by vhost::proxy [#61](https://github.com/puppetlabs/puppetlabs-apache/pull/61) ([hunner](https://github.com/hunner)) +- Use $osfamily instead of $operatingsystem [#59](https://github.com/puppetlabs/puppetlabs-apache/pull/59) ([hunner](https://github.com/hunner)) + +## [0.1.0](https://github.com/puppetlabs/puppetlabs-apache/tree/0.1.0) - 2012-08-07 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/0.0.4...0.1.0) + +### Added + +- Make the serveradmin vhost parameter optional [#55](https://github.com/puppetlabs/puppetlabs-apache/pull/55) ([inkblot](https://github.com/inkblot)) +- Modified vhost type to use ensure_resource [#54](https://github.com/puppetlabs/puppetlabs-apache/pull/54) ([jtopjian](https://github.com/jtopjian)) +- Addition of mod_auth_kerb mod, params & tests [#49](https://github.com/puppetlabs/puppetlabs-apache/pull/49) ([bendylan](https://github.com/bendylan)) +- Amazon Linux support [#48](https://github.com/puppetlabs/puppetlabs-apache/pull/48) ([EricKnecht](https://github.com/EricKnecht)) +- Added to enable the user to specify the status of the vhost. [#47](https://github.com/puppetlabs/puppetlabs-apache/pull/47) ([martasd](https://github.com/martasd)) +- Add no_proxy_uris param to apache::vhost::proxy [#46](https://github.com/puppetlabs/puppetlabs-apache/pull/46) ([sorenisanerd](https://github.com/sorenisanerd)) +- Changed to match parameter name 'mod_python_package' [#44](https://github.com/puppetlabs/puppetlabs-apache/pull/44) ([argybarg](https://github.com/argybarg)) +- Add Listen statement to vhost template [#41](https://github.com/puppetlabs/puppetlabs-apache/pull/41) ([glarizza](https://github.com/glarizza)) +- virtualhost logroot location [#32](https://github.com/puppetlabs/puppetlabs-apache/pull/32) ([akumria](https://github.com/akumria)) +- (#15008) enable AllowOverride setting in vhost [#30](https://github.com/puppetlabs/puppetlabs-apache/pull/30) ([hakamadare](https://github.com/hakamadare)) +- (#11816) Added gentoo a2mod provider. [#8](https://github.com/puppetlabs/puppetlabs-apache/pull/8) ([adrienthebo](https://github.com/adrienthebo)) + +### Fixed + +- Remove single quoted variable declaration [#42](https://github.com/puppetlabs/puppetlabs-apache/pull/42) ([glarizza](https://github.com/glarizza)) +- Syntax fixes [#35](https://github.com/puppetlabs/puppetlabs-apache/pull/35) ([akumria](https://github.com/akumria)) +- Fix Modulefile & CHANGELOG [#28](https://github.com/puppetlabs/puppetlabs-apache/pull/28) ([ryanycoleman](https://github.com/ryanycoleman)) + +## [0.0.4](https://github.com/puppetlabs/puppetlabs-apache/tree/0.0.4) - 2012-05-08 + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-apache/compare/35721a3f352531f53264fb08f2d4a7f7bab11712...0.0.4) diff --git a/CODEOWNERS b/CODEOWNERS new file mode 100644 index 0000000000..08a57dbb42 --- /dev/null +++ b/CODEOWNERS @@ -0,0 +1,2 @@ +# Setting ownership to the modules team +* @puppetlabs/modules @bastelfreak @ekohl @smortex diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 5f0dbf14a5..e7a3a7c3fe 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -1,292 +1,3 @@ -Checklist (and a short version for the impatient) -================================================= +# Contributing to Puppet modules - * Commits: - - - Make commits of logical units. - - - Check for unnecessary whitespace with "git diff --check" before - committing. - - - Commit using Unix line endings (check the settings around "crlf" in - git-config(1)). - - - Do not check in commented out code or unneeded files. - - - The first line of the commit message should be a short - description (50 characters is the soft limit, excluding ticket - number(s)), and should skip the full stop. - - - Associated the Redmine ticket in the message. The first line - should include the ticket number in the form "(#XXXX) Rest of - message". - - - The body should provide a meaningful commit message, which: - - - uses the imperative, present tense: "change", not "changed" or - "changes". - - - includes motivation for the change, and contrasts its - implementation with the previous behavior. - - - Make sure that you have tests for the bug you are fixing, or - feature you are adding. - - - Make sure the test suite passes after your commit (rake spec unit). - - * Submission: - - * Pre-requisites: - - - Make sure you have a [Redmine account](http://projects.puppetlabs.com) - - - Sign the [Contributor License Agreement](https://projects.puppetlabs.com/contributor_licenses/sign) - - - [Create a ticket](http://projects.puppetlabs.com/projects/modules/issues/new), or [watch the ticket](http://projects.puppetlabs.com/projects/modules/issues) you are patching for. - - * Preferred method: - - - Fork the repository on GitHub. - - - Push your changes to a topic branch in your fork of the - repository. (the format ticket/1234-short_description_of_change is - usually preferred for this project). - - - Submit a pull request to the repository in the puppetlabs - organization. - -The long version -================ - - 0. Decide what to base your work on. - - In general, you should always base your work on the oldest - branch that your change is relevant to. - - - A bug fix should be based on the current stable series. If the - bug is not present in the current stable release, then base it on - `master`. - - - A new feature should be based on `master`. - - - Security fixes should be based on the current maintenance series - (that is, the previous stable series). If the security issue - was not present in the maintenance series, then it should be - based on the current stable series if it was introduced there, - or on `master` if it is not yet present in a stable release. - - 1. Make separate commits for logically separate changes. - - Please break your commits down into logically consistent units - which include new or changed tests relevent to the rest of the - change. The goal of doing this is to make the diff easier to - read for whoever is reviewing your code. In general, the easier - your diff is to read, the more likely someone will be happy to - review it and get it into the code base. - - If you're going to refactor a piece of code, please do so as a - separate commit from your feature or bug fix changes. - - We also really appreciate changes that include tests to make - sure the bug isn't re-introduced, and that the feature isn't - accidentally broken. - - Describe the technical detail of the change(s). If your - description starts to get too long, that's a good sign that you - probably need to split up your commit into more finely grained - pieces. - - Commits which plainly describe the things which help - reviewers check the patch and future developers understand the - code are much more likely to be merged in with a minimum of - bike-shedding or requested changes. Ideally, the commit message - would include information, and be in a form suitable for - inclusion in the release notes for the version of Puppet that - includes them. - - Please also check that you are not introducing any trailing - whitespaces or other "whitespace errors". You can do this by - running "git diff --check" on your changes before you commit. - - 2. Sign the Contributor License Agreement - - Before we can accept your changes, we do need a signed Puppet - Labs Contributor License Agreement (CLA). - - You can access the CLA via the - [Contributor License Agreement link](https://projects.puppetlabs.com/contributor_licenses/sign) - in the top menu bar of our Redmine instance. Once you've signed - the CLA, a badge will show up next to your name on the - [Puppet Project Overview Page](http://projects.puppetlabs.com/projects/modules?jump=welcome), - and your name will be listed under "Contributor License Signers" - section. - - If you have any questions about the CLA, please feel free to - contact Puppet Labs via email at cla-submissions@puppetlabs.com. - - 3. Sending your patches - - We accept multiple ways of submitting your changes for - inclusion. They are listed below in order of preference. - - Please keep in mind that any method that involves sending email - to the mailing list directly requires you to be subscribed to - the mailing list, and that your first post to the list will be - held in a moderation queue. - - * GitHub Pull Requests - - To submit your changes via a GitHub pull request, we _highly_ - recommend that you have them on a topic branch, instead of - directly on "master" or one of the release, or RC branches. - It makes things much easier to keep track of, especially if - you decide to work on another thing before your first change - is merged in. - - GitHub has some pretty good - [general documentation](http://help.github.com/) on using - their site. They also have documentation on - [creating pull requests](http://help.github.com/send-pull-requests/). - - In general, after pushing your topic branch up to your - repository on GitHub, you'll switch to the branch in the - GitHub UI and click "Pull Request" towards the top of the page - in order to open a pull request. - - You'll want to make sure that you have the appropriate - destination branch in the repository under the puppetlabs - organization. This should be the same branch that you based - your changes off of. - - * Other pull requests - - If you already have a publicly accessible version of the - repository hosted elsewhere, and don't wish to or cannot use - GitHub, you can submit your change by requesting that we pull - the changes from your repository by sending an email to the - puppet-dev Google Groups mailing list. - - `git-request-pull(1)` provides a handy way to generate the text - for the email requesting that we pull your changes (and does - some helpful sanity checks in the process). - - * Mailing patches to the mailing list - - If neither of the previous methods works for you, then you can - also mail the patches inline to the puppet-dev Google Group - using either `rake mail_patches`, or by using - `git-format-patch(1)`, and `git-send-email(1)` directly. - - `rake mail_patches` handles setting the appropriate flags to - `git-format-patch(1)` and `git-send-email(1)` for you, but - doesn't allow adding any commentary between the '---', and the - diffstat in the resulting email. It also requires that you - have created your topic branch in the form - `//`. - - If you decide to use `git-format-patch(1)` and - `git-send-email(1)` directly, please be sure to use the - following flags for `git-format-patch(1)`: -C -M -s -n - --subject-prefix='PATCH/puppet' - - * Attaching patches to Redmine - - As a method of last resort you can also directly attach the - output of `git-format-patch(1)`, or `git-diff(1)` to a Redmine - ticket. - - If you are generating the diff outside of Git, please be sure - to generate a unified diff. - - 4. Update the related Redmine ticket. - - If there's a Redmine ticket associated with the change you - submitted, then you should update the ticket to include the - location of your branch, and change the status to "In Topic - Branch Pending Merge", along with any other commentary you may - wish to make. - -How to track the status of your change after it's been submitted -================================================================ - -Shortly after opening a pull request on GitHub, there should be an -automatic message sent to the puppet-dev Google Groups mailing list -notifying people of this. This notification is used to let the Puppet -development community know about your requested change to give them a -chance to review, test, and comment on the change(s). - -If you submitted your change via manually sending a pull request or -mailing the patches, then we keep track of these using -[patchwork](https://patchwork.puppetlabs.com). When code is merged -into the project it is automatically removed from patchwork, and the -Redmine ticket is manually updated with the commit SHA1. In addition, -the ticket status must be updated by the person who merges the topic -branch to a status of "Merged - Pending Release" - -We do our best to comment on or merge submitted changes within a week. -However, if there hasn't been any commentary on the pull request or -mailed patches, and it hasn't been merged in after a week, then feel -free to ask for an update by replying on the mailing list to the -automatic notification or mailed patches. It probably wasn't -intentional, and probably just slipped through the cracks. - -Additional Resources -==================== - -* [Getting additional help](http://projects.puppetlabs.com/projects/puppet/wiki/Getting_Help) - -* [Writing tests](http://projects.puppetlabs.com/projects/puppet/wiki/Development_Writing_Tests) - -* [Bug tracker (Redmine)](http://projects.puppetlabs.com/projects/modules) - -* [Patchwork](https://patchwork.puppetlabs.com) - -* [Contributor License Agreement](https://projects.puppetlabs.com/contributor_licenses/sign) - -* [General GitHub documentation](http://help.github.com/) - -* [GitHub pull request documentation](http://help.github.com/send-pull-requests/) - -If you have commit access to the repository -=========================================== - -Even if you have commit access to the repository, you'll still need to -go through the process above, and have someone else review and merge -in your changes. The rule is that all changes must be reviewed by a -developer on the project (that didn't write the code) to ensure that -all changes go through a code review process. - -Having someone other than the author of the topic branch recorded as -performing the merge is the record that they performed the code -review. - - * Merging topic branches - - When merging code from a topic branch into the integration branch - (Ex: master, 2.7.x, 1.6.x, etc.), there should always be a merge - commit. You can accomplish this by always providing the `--no-ff` - flag to `git merge`. - - git merge --no-ff --log ticket/1234-fix-something-broken - - The reason for always forcing this merge commit is that it - provides a consistent way to look up what changes & commits were - in a topic branch, whether that topic branch had one, or 500 - commits. For example, if the merge commit had an abbreviated - SHA-1 of `coffeebad`, then you could use the following `git log` - invocation to show you which commits it brought in: - - git log coffeebad^1..coffeebad^2 - - The following would show you which changes were made on the topic - branch: - - git diff coffeebad^1...coffeebad^2 - - Because we _always_ merge the topic branch into the integration - branch the first parent (`^1`) of a merge commit will be the most - recent commit on the integration branch from just before we merged - in the topic, and the second parent (`^2`) will always be the most - recent commit that was made in the topic branch. This also serves - as the record of who performed the code review, as mentioned - above. +Check out our [Contributing to Supported Modules Blog Post](https://puppetlabs.github.io/iac/docs/contributing_to_a_module.html) to find all the information that you will need. diff --git a/Gemfile b/Gemfile index 7c8ea9e2ce..539f0765d1 100644 --- a/Gemfile +++ b/Gemfile @@ -1,26 +1,78 @@ -source 'https://rubygems.org' - -group :development, :test do - gem 'rake', :require => false - gem 'rspec-puppet', :require => false - gem 'puppetlabs_spec_helper', :require => false - gem 'serverspec', :require => false - gem 'rspec-system', :require => false - gem 'rspec-system-puppet', :require => false - gem 'rspec-system-serverspec', :require => false - gem 'puppet-lint', :require => false +source ENV['GEM_SOURCE'] || 'https://rubygems.org' + +def location_for(place_or_version, fake_version = nil) + git_url_regex = %r{\A(?(https?|git)[:@][^#]*)(#(?.*))?} + file_url_regex = %r{\Afile:\/\/(?.*)} + + if place_or_version && (git_url = place_or_version.match(git_url_regex)) + [fake_version, { git: git_url[:url], branch: git_url[:branch], require: false }].compact + elsif place_or_version && (file_url = place_or_version.match(file_url_regex)) + ['>= 0', { path: File.expand_path(file_url[:path]), require: false }] + else + [place_or_version, { require: false }] + end end -if facterversion = ENV['FACTER_GEM_VERSION'] - gem 'facter', facterversion, :require => false -else - gem 'facter', :require => false +group :development do + gem "json", '= 2.1.0', require: false if Gem::Requirement.create(['>= 2.5.0', '< 2.7.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup)) + gem "json", '= 2.3.0', require: false if Gem::Requirement.create(['>= 2.7.0', '< 3.0.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup)) + gem "json", '= 2.5.1', require: false if Gem::Requirement.create(['>= 3.0.0', '< 3.0.5']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup)) + gem "json", '= 2.6.1', require: false if Gem::Requirement.create(['>= 3.1.0', '< 3.1.3']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup)) + gem "json", '= 2.6.3', require: false if Gem::Requirement.create(['>= 3.2.0', '< 4.0.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup)) + gem "racc", '~> 1.4.0', require: false if Gem::Requirement.create(['>= 2.7.0', '< 3.0.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup)) + gem "deep_merge", '~> 1.2.2', require: false + gem "voxpupuli-puppet-lint-plugins", '~> 5.0', require: false + gem "facterdb", '~> 1.18', require: false + gem "metadata-json-lint", '~> 4.0', require: false + gem "rspec-puppet-facts", '~> 2.0', require: false + gem "dependency_checker", '~> 1.0.0', require: false + gem "parallel_tests", '= 3.12.1', require: false + gem "pry", '~> 0.10', require: false + gem "simplecov-console", '~> 0.9', require: false + gem "puppet-debugger", '~> 1.0', require: false + gem "rubocop", '~> 1.50.0', require: false + gem "rubocop-performance", '= 1.16.0', require: false + gem "rubocop-rspec", '= 2.19.0', require: false + gem "rb-readline", '= 0.5.5', require: false, platforms: [:mswin, :mingw, :x64_mingw] + gem "rexml", '>= 3.3.9', require: false +end +group :development, :release_prep do + gem "puppet-strings", '~> 4.0', require: false + gem "puppetlabs_spec_helper", '~> 7.0', require: false end +group :system_tests do + gem "puppet_litmus", '~> 1.0', require: false, platforms: [:ruby, :x64_mingw] + gem "CFPropertyList", '< 3.0.7', require: false, platforms: [:mswin, :mingw, :x64_mingw] + gem "serverspec", '~> 2.41', require: false +end + +puppet_version = ENV['PUPPET_GEM_VERSION'] +facter_version = ENV['FACTER_GEM_VERSION'] +hiera_version = ENV['HIERA_GEM_VERSION'] + +gems = {} -if puppetversion = ENV['PUPPET_GEM_VERSION'] - gem 'puppet', puppetversion, :require => false -else - gem 'puppet', :require => false +gems['puppet'] = location_for(puppet_version) + +# If facter or hiera versions have been specified via the environment +# variables + +gems['facter'] = location_for(facter_version) if facter_version +gems['hiera'] = location_for(hiera_version) if hiera_version + +gems.each do |gem_name, gem_params| + gem gem_name, *gem_params end -# vim:ft=ruby +# Evaluate Gemfile.local and ~/.gemfile if they exist +extra_gemfiles = [ + "#{__FILE__}.local", + File.join(Dir.home, '.gemfile'), +] + +extra_gemfiles.each do |gemfile| + if File.file?(gemfile) && File.readable?(gemfile) + eval(File.read(gemfile), binding) + end +end +# vim: syntax=ruby diff --git a/HISTORY.md b/HISTORY.md new file mode 100644 index 0000000000..3d6897f091 --- /dev/null +++ b/HISTORY.md @@ -0,0 +1,1091 @@ +## 3.2.0 +### Summary +This is a clean release to prepare for several planned backwards incompatible changes. + +#### Changed +- Parameter `passenger_pre_start` has been moved outside of ``. +- Apache version fact has been enabled on FreeBSD. +- Parameter `ssl_proxyengine` has had it's default changed to false. + +#### Added +- Parameter `passenger_group` can now be set in `apache::vhost`. +- Multiple `passenger_pre_start` URIs can now be set at once. +- Manifest `mod::auth_gssapi` has been added to allow the deployment of authorisation with kerberos, through GSSAPI. + +#### Removed +- Scientific 5 and Debian 7 are no longer supported on Apache. + +## Supported Release [3.1.0] +### Summary +This release includes the module being converted using version 1.4.1 of the PDK. It also includes a couple of additional parameters added. + +#### Added +- Module has been pdk converted with version 1.4.1 ([MODULES-6331](https://tickets.puppet.com/browse/MODULES-6331)) +- Parameter `ssl_cert` to provide a SSLCertificateFile option for use with SSL, optional of type String. +- Parameter `ssl_key` to provide a SSLCertificateKey option for use with SSL, optional of type String. + +#### Fixed +- Documentation updates. +- Updates to the Japanese translation based on documentation update. + +## Supported Release [3.0.0] +### Summary +This major release changes the default value of `keepalive` to `On`. It also includes many other features and bugfixes. + +#### Changed +- Default `apache::keepalive` from `Off` to `On`. + +#### Added +- Class `apache::mod::data` +- Function `apache::apache_pw_hash` function (puppet 4 port of `apache_pw_hash()`) +- Function `apache::bool2httpd` function (puppet 4 port of `bool2httpd()`) +- Function `apache::validate_apache_log_level` function (puppet 4 port of `validate_apache_log_level()`) +- Parameter `apache::balancer::options` for additional directives. +- Parameter `apache::limitreqfields` setting the LimitRequestFields directive to 100. +- Parameter `apache::use_canonical_name` to control how httpd uses self-referential URLs. +- Parameter `apache::mod::disk_cache::cache_ignore_headers` to ignore cache headers. +- Parameter `apache::mod::itk::enablecapabilities` to manage ITK capabilities. +- Parameter `apache::mod::ldap::ldap_trusted_mode` to manage trusted mode. +- Parameters for `apache::mod::passenger`: + - `passenger_allow_encoded_slashes` + - `passenger_app_group_name` + - `passenger_app_root` + - `passenger_app_type` + - `passenger_base_uri` + - `passenger_buffer_response` + - `passenger_buffer_upload` + - `passenger_concurrency_model` + - `passenger_debug_log_file` + - `passenger_debugger` + - `passenger_default_group` + - `passenger_default_user` + - `passenger_disable_security_update_check` + - `passenger_enabled` + - `passenger_error_override` + - `passenger_file_descriptor_log_file` + - `passenger_fly_with` + - `passenger_force_max_concurrent_requests_per_process` + - `passenger_friendly_error_pages` + - `passenger_group` + - `passenger_installed_version` + - `passenger_instance_registry_dir` + - `passenger_load_shell_envvars` + - `passenger_lve_min_uid` + - `passenger_max_instances` + - `passenger_max_preloader_idle_time` + - `passenger_max_request_time` + - `passenger_memory_limit` + - `passenger_meteor_app_settings` + - `passenger_nodejs` + - `passenger_pre_start` + - `passenger_python` + - `passenger_resist_deployment_errors` + - `passenger_resolve_symlinks_in_document_root` + - `passenger_response_buffer_high_watermark` + - `passenger_restart_dir` + - `passenger_rolling_restarts` + - `passenger_security_update_check_proxy` + - `passenger_show_version_in_header` + - `passenger_socket_backlog` + - `passenger_start_timeout` + - `passenger_startup_file` + - `passenger_sticky_sessions` + - `passenger_sticky_sessions_cookie_name` + - `passenger_thread_count` + - `passenger_user` + - `passenger_user_switching` + - `rack_auto_detect` + - `rack_base_uri` + - `rack_env` + - `rails_allow_mod_rewrite` + - `rails_app_spawner_idle_time` + - `rails_auto_detect` + - `rails_base_uri` + - `rails_default_user` + - `rails_env` + - `rails_framework_spawner_idle_time` + - `rails_ruby` + - `rails_spawn_method` + - `rails_user_switching` + - `wsgi_auto_detect` +- Parameter `apache::mod::prefork::listenbacklog` to set the listen backlog to 511. +- Parameter `apache::mod::python::loadfile_name` to workaround python.load filename conflicts. +- Parameter `apache::mod::ssl::ssl_cert` to manage the client auth cert. +- Parameter `apache::mod::ssl::ssl_key` to manage the client auth key. +- Parameter `apache::mod::status::requires` as an alternative to `apache::mod::status::allow_from` +- Parameter `apache::vhost::ssl_proxy_cipher_suite` to manage that directive. +- Parameter `apache::vhost::shib_compat_valid_user` to manage that directive. +- Parameter `apache::vhost::use_canonical_name` to manage that directive. +- Parameter value `mellon_session_length` for `apache::vhost::directories` + +### Fixed +- `apache_version` is confined to just Linux to avoid erroring on AIX. +- Parameter `apache::mod::jk::workers_file_content` docs typo of "mantain" instead of maintain. +- Deduplicate `apache::mod::ldap` managing `File['ldap.conf']` to avoid resource conflicts. +- ITK package name on Debian 9 +- Dav_svn package for SLES +- Log client IP instead of loadbalancer IP when behind a loadbalancer. +- `apache::mod::remoteip` now notifies the `Class['apache::service']` class instead of `Service['httpd']` to avoid restarting the service when `apache::service_manage` is false. +- `apache::vhost::cas_scrub_request_headers` actually manages the directive. + +## Supported Release [2.3.1] +### Summary +This release fixes CVE-2018-6508 which is a potential arbitrary code execution via tasks. + +### Fixed +- Fix init task for arbitrary remote code + +## Supported Release [2.3.0] +### Summary +This is a feature release. It includes a task that will reload the apache service. + +#### Added +- Add a task that allows the reloading of the Apache service. + +## Supported Release [2.2.0] +### Summary +This is a maintainence and feature release. It will include updates to translations in Japanese, some maintainence and adding `PassengerSpawnMethod` to vhost. + +#### Added +- `PassengerSpawnMethod` added to `vhost`. + +#### Changed +- Improve version match fact for `apache_version` +- Update to prefork.conf params for Apache 2.4 +- Updates to `CONTRIBUTING.md` +- Do not install mod_fastcgi on el7 +- Include mod_wsgi when using wsgi options + +## Supported Release [2.1.0] +### Summary +This is a feature release including a security patch (CVE-2017-2299) + +#### Added +- `apache::mod::jk` class for managing the mod_jk connector +- `apache_pw_hash` function +- the ProxyPass directive in location contexts +- more Puppet 4 type validation +- `apache::mod::macro` class for managing mod_macro + +#### Changed +- $ssl_certs_dir default to `undef` for all platorms +- $ssl_verify_client must now be set to use any of the following: `$ssl_certs_dir`, `$ssl_ca`, `$ssl_crl_path`, `$ssl_crl`, `$ssl_verify_depth`, `$ssl_crl_check` + +#### Fixed +- issue where mod_alias was not being loaded when RedirectMatch* directives were being used ([MODULES-3942](https://tickets.puppet.com/browse/MODULES-3942)) +- issue with `$directories` parameter in `apache::vhost` +- issue in UserDir template where the UserDir path did not match the Directory path +- **Issue where the $ssl_certs_dir default set Apache to implicitly trust all client certificates that were issued by any CA in that directory** + +#### Removed +- support for EOL platforms: Ubuntu 10.04, 12.04 and Debian 6 (Squeeze) + +## Supported Release [2.0.0] +### Summary +Major release **removing Puppet 3 support** and other backwards-incompatible changes. + +#### Added +- support for FileETag directive configurable with the `file_e_tag` parameter +- ability to configure multiple ports per vhost +- RequestHeader directive to vhost template ([MODULES-4156](https://tickets.puppet.com/browse/MODULES-4156)) +- customizability for AllowOverride directive in userdir.conf ([MODULES-4516](https://tickets.puppet.com/browse/MODULES-4516)) +- AdvertiseFrequency directive for cluster.conf ([MODULES-4500](https://tickets.puppet.com/browse/MODULES-4500)) +- `ssl_proxy_protocol` and `ssl_sessioncache` parameters for mod::ssl ([MODULES-4737](https://tickets.puppet.com/browse/MODULES-4737)) +- SSLCACertificateFile directive in ssl.conf configurable with `ssl_ca` parameter +- mod::authnz_pam +- mod::intercept_form_submit +- mod::lookup_identity +- Suse compatibility for mod::proxy_html +- support for AddCharset directive configurable with `add_charset` parameter +- support for SSLProxyVerifyDepth and SSLProxyCACertificateFile directives configurable with `ssl_proxy_verify_depth` and `ssl_proxy_ca_cert` respectively +- `manage_security_crs` parameter for mod::security +- support for LimitExcept directive configurable with `limit_except` parameter +- support for WSGIRestrictEmbedded directive configurable with `wsgi_restrict_embedded` parameter +- support for custom UserDir path ([MODULES-4933](https://tickets.puppet.com/browse/MODULES-4933)) +- support for PassengerMaxRequests directive configurable with `passenger_max_requests` +- option to override module package names with `mod_packages` parameter ([MODULES-3838](https://tickets.puppet.com/browse/MODULES-3838)) + +#### Removed +- enclose_ipv6 as it was added to puppetlabs-stdlib +- deprecated `$verifyServerCert` parameter from the `apache::mod::authnz_ldap` class ([MODULES-4445](https://tickets.puppet.com/browse/MODULES-4445)) + +#### Changed +- `keepalive` default to 'On' from 'Off' +- Puppet version compatibility to ">= 4.7.0 < 6.0.0" +- puppetlabs-stdlib dependency to ">= 4.12.0 < 5.0.0" +- `ssl_cipher` to explicitly disable 3DES because of Sweet32 + +#### Fixed +- various issues in the vhost template +- use of deprecated `include_src` parameter in vhost_spec +- management of ssl.conf on RedHat systems +- various SLES/Suse params +- mod::cgi ordering for FreeBSD +- issue where ProxyPreserveHost could not be set without other Proxy* directives +- the module attempting to install proxy_html on Ubuntu Xenial and Debian Stretch + +## Supported Release [1.11.1] +#### Summary +This is a security patch release (CVE-2017-2299). These changes are also in version 2.1.0 and higher. + +#### Changed +- $ssl_certs_dir default to `undef` for all platorms +- $ssl_verify_client must now be set to use any of the following: `$ssl_certs_dir`, `$ssl_ca`, `$ssl_crl_path`, `$ssl_crl`, `$ssl_verify_depth`, `$ssl_crl_check` + +#### Fixed +- **Issue where the $ssl_certs_dir default set Apache to implicitly trust all client certificates that were issued by any CA in that directory** ([MODULES-5471](https://tickets.puppet.com/browse/MODULES-5471)) + +## Supported Release [1.11.0] +### Summary +This release adds SLES12 Support and many more features and bugfixes. + +#### Features +- (MODULES-4049) Adds SLES 12 Support +- Adds additional directories options for LDAP Auth + - `auth_ldap_url` + - `auth_ldap_bind_dn` + - `auth_ldap_bind_password` + - `auth_ldap_group_attribute` + - `auth_ldap_group_attribute_is_dn` +- Allows `mod_event` parameters to be unset +- Allows management of default root directory access rights +- Adds class `apache::vhosts` to create apache::vhost resources +- Adds class `apache::mod::proxy_wstunnel` +- Adds class `apache::mod::dumpio` +- Adds class `apache::mod::socache_shmcb` +- Adds class `apache::mod::authn_dbd` +- Adds support for apache 2.4 on Amazon Linux +- Support the newer `mod_auth_cas` config options +- Adds `wsgi_script_aliases_match` parameter to `apache::vhost` +- Allow to override all SecDefaultAction attributes +- Add audit_log_relevant_status parameter to apache::mod::security +- Allow absolute path to $apache::mod::security::activated_rules +- Allow setting SecAuditLog +- Adds `passenger_max_instances_per_app` to `mod::passenger` +- Allow the proxy_via setting to be configured +- Allow no_proxy_uris to be used within proxy_pass +- Add rpaf.conf template parameter to `mod::rpaf` +- Allow user to specify alternative package and library names for shibboleth module +- Allows configuration of shibboleth lib path +- Adds parameter `passenger_data_buffer_dir` to `mod::passenger` +- Adds SSL stapling +- Allows use of `balance_manager` with `mod_proxy_balancer` +- Raises lower bound of `stdlib` dependency to version 4.2 +- Adds support for Passenger repo on Amazon Linux +- Add ability to set SSLStaplingReturnResponderErrors on server level +- (MODULES-4213) Allow global rewrite rules inheritance in vhosts +- Moves `mod_env` to its own class and load it when required + +#### Bugfixes +- Deny access to .ht and .hg, which are created by mercurial hg. +- Instead of failing, include apache::mod::prefork in manifests/mod/itk.pp instead. +- Only set SSLCompression when it is set to true. +- Remove duplicate shib2 hash element +- (MODULES-3388) Include mpm_module classes instead of class declaration +- Updates `apache::balancer` to respect `apache::confd_dir` +- Wrap mod_security directives in an IfModule +- Fixes to various mods for Ubuntu Xenial +- Fix /etc/modsecurity perms to match package +- Fix PassengerRoot under Debian stretch +- (MODULES-3476) Updates regex in apache_version custom fact to work with EL5 +- Dont sql_injection_attacks.data +- Add force option to confd file resource to purge directory without warnings +- Patch httpoxy through mod_security +- Fixes config ordering of IncludeOptional +- Fixes bug where port numbers were unquoted +- Fixes bug where empty servername for vhost were written to template +- Auto-load `slotmem_shm` and `lbmethod_byrequests` with `proxy_balancer` on 2.4 +- Simplify MPM setup on FreeBSD +- Adds requirement for httpd package +- Do not set ssl_certs_dir on FreeBSD +- Fixes bug that produces a duplicate `Listen 443` after a package update on EL7 +- Fixes bug where custom facts break structured facts +- Avoid relative classname inclusion +- Fixes a failure in `vhost` if the first element of `$rewrites` is not a hash +- (MODULES-3744) Process $crs_package before $modsec_dir +- (MODULES-1491) Adds `::apache` include to mods that need it + +## Supported Release [1.10.0] +#### Summary +This release fixes backwards compatibility bugs introduced in 1.9.0. Also includes a new mod class and a new vhost feature. + +#### Features +- Allow setting KeepAlive related options per vhost + - `apache::vhost::keepalive` + - `apache::vhost::keepalive_timeout` + - `apache::vhost::max_keepalive_requests` +- Adds new class `apache::mod::cluster` + +#### Bugfixes +- MODULES-2890: Allow php_version != 5 +- MODULES-2890: mod::php: Explicit test on jessie +- MODULES-2890: Fix PHP on Debian stretch and Ubuntu Xenial +- MODULES-2890: Fix mod_php SetHandler and cleanup +- Fixed trailing slash in lib_path on Suse +- Revert "MODULES-2956: Enable options within location block on proxy_match". Bug introduced in release 1.9.0. +- Revert "changed rpaf Configuration Directives: RPAF -> RPAF_". Bug introduced in release 1.9.0. +- Set actual path to apachectl on FreeBSD. Fixes snippets verification. + +## Supported Release [1.9.0] [DELETED] +#### Features +- Added `apache_version` fact +- Added `apache::balancer::target` attribute +- Added `apache::fastcgi::server::pass_header` attribute +- Added ability for `apache::fastcgi::server::host` using sockets +- Added `apache::root_directory_options` attribute +- Added for `apache::mod::ldap`: + - `ldap_shared_cache_size` + - `ldap_cache_entries` + - `ldap_cache_ttl` + - `ldap_opcache_entries` + - `ldap_opcache_ttl` +- Added `apache::mod::pagespeed::package_ensure` attribute +- Added `apache::mod::passenger` attributes: + - `passenger_log_level` + - `manage_repo` +- Added upstream repo for `apache::mod::passenger` +- Added `apache::mod::proxy_fcgi` class +- Added `apache::mod::security` attributes: + - `audit_log_parts` + - `secpcrematchlimit` + - `secpcrematchlimitrecursion` + - `secdefaultaction` + - `anomaly_score_blocking` + - `inbound_anomaly_threshold` + - `outbound_anomaly_threshold` +- Added `apache::mod::ssl` attributes: + - `ssl_mutex` + - `apache_version` +- Added ubuntu 16.04 support +- Added `apache::mod::authnz_ldap::package_name` attribute +- Added `apache::mod::ldap::package_name` attribute +- Added `apache::mod::proxy::package_name` attribute +- Added `apache::vhost` attributes: + - `ssl_proxy_check_peen_expire` + - `ssl_proxy_protocol` + - `logroot_owner` + - `logroot_group` + - `setenvifnocase` + - `passenger_user` + - `passenger_high_performance` + - `jk_mounts` + - `fastcgi_idle_timeout` + - `modsec_disable_msgs` + - `modsec_disable_tags` +- Added ability for 2.4-style `RequireAll|RequireNone|RequireAny` directory permissions +- Added ability for includes in vhost directory +- Added directory values: + - `AuthMerging` + - `MellonSPMetadataFile` +- Adds Configurability of Collaborative Detection Severity Levels for OWASP Core Rule Set to `apache::mod::security` class + - `critical_anomaly_score` + - `error_anomaly_score` + - `warning_anomaly_score` + - `notice_anomaly_score` +- Adds ability to configure `info_path` in `apache::mod::info` class +- Adds ability to configure `verify_config` in `apache::vhost::custom` + +#### Bugfixes +- Fixed apache mod setup for event/worker failing syntax +- Fixed concat deprecation warnings +- Fixed pagespeed mod +- Fixed service restart on mod update +- Fixed mod dir purging to happen after package installs +- Fixed various `apache::mod::*` file modes +- Fixed `apache::mod::authnz_ldap` parameter `verifyServerCert` to be `verify_server_cert` +- Fixed loadfile name in `apache::mod::fcgid` +- Fixed `apache::mod::remoteip` to fail on apache < 2.4 (because it is not available) +- Fixed `apache::mod::ssl::ssl_honorcipherorder` interpolation +- Lint fixes +- Strict variable fixes +- Fixed `apache::vhost` attribute `redirectmatch_status` to be optional +- Fixed SSLv3 on by default in mod\_nss +- Fixed mod\_rpaf directive names in template +- Fixed mod\_worker needing MaxClients with ThreadLimit +- Fixed quoting on vhost php\_value +- Fixed xml2enc for proxy\_html on debian +- Fixed a problem where the apache service restarts too fast + +## Supported Release [1.8.1] +### Summary +This release includes bug fixes and a documentation update. + +#### Bugfixes +- Fixes a bug that occurs when using the module in combination with puppetlabs-concat 2.x. +- Fixes a bug where passenger.conf was vulnerable to purging. +- Removes the pin of the concat module dependency. + +## Supported Release [1.8.0] +### Summary +This release includes a lot of bug fixes and feature updates, including support for Debian 8, as well as many test improvements. + +#### Features +- Debian 8 Support. +- Added the 'file_mode' property to allow a custom permission setting for config files. +- Enable 'PassengerMaxRequestQueueSize' to be set for mod_passenger. +- MODULES-2956: Enable options within location block on proxy_match. +- Support itk on redhat. +- Support the mod_ssl SSLProxyVerify directive. +- Support ProxPassReverseCookieDomain directive (mod_proxy). +- Support proxy provider for vhost directories. +- Added new 'apache::vhost::custom' resource. + +#### Bugfixes +- Fixed ProxyPassReverse configuration. +- Fixed error in Amazon operatingsystem detection. +- Fixed mod_security catalog ordering issues for RedHat 7. +- Fixed paths and packages for the shib2 apache module on Debian pre Jessie. +- Fixed EL7 directory path for apache modules. +- Fixed validation error when empty array is passed for the rewrites parameter. +- Idempotency fixes with regards to '::apache::mod_enable_dir'. +- ITK fixes. +- (MODULES-2865) fix $mpm_module logic for 'false'. +- Set SSLProxy directives even if ssl is false, due to issue with RewriteRules and ProxyPass directives. +- Enable setting LimitRequestFieldSize globally, and remove it from vhost. + +#### Improvements +- apache::mod::php now uses FilesMatch to configure the php handler. This is following the recommended upstream configuration guidelines (http://php.net/manual/en/install.unix.apache2.php#example-20) and distribution's default config (e.g.: http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/vivid/php5/vivid/view/head:/debian/php5.conf). It avoids inadvertently exposing the PHP handler to executing uploads with names like 'file.php.jpg', but might impact setups with unusual requirements. +- Improved compatibility for Gentoo. +- Vhosts can now be supplied with a wildcard listen value. +- Numerous test improvements. +- Removed workarounds for https://bz.apache.org/bugzilla/show_bug.cgi?id=38864 as the issues have been fixed in Apache. +- Documentation updates. +- Ensureed order of ProxyPass and ProxyPassMatch parameters. +- Ensure that ProxyPreserveHost is set to off mode explicitly if not set in manifest. +- Put headers and request headers before proxy with regards to template generation. +- Added X-Forwarded-For into log_formats defaults. +- (MODULES-2703) Allow mod pagespeed to take an array of lines as additional_configuration. + +## Supported Release [1.7.1] +###Summary + +Small release for support of newer PE versions. This increments the version of PE in the metadata.json file. + +## Supported Release [1.7.0] +### Summary +This release includes many new features and bugfixes. There are test, documentation and misc improvements. + +#### Features +- allow groups with - like vhost-users +- ability to enable/disable the secruleengine through a parameter +- add mod_auth_kerb parameters to vhost +- client auth for reverse proxy +- support for mod_auth_mellon +- change SSLProtocol in apache::vhost to be space separated +- RewriteLock support + +#### Bugfixes +- fix apache::mod::cgid so it can be used with the event MPM +- load unixd before fcgid on all operating systems +- fixes conditional in vhost aliases +- corrects mod_cgid worker/event defaults +- ProxyPassMatch parameters were ending up on a newline +- catch that mod_authz_default has been removed in Apache 2.4 +- mod::ssl fails on SLES +- fix typo of MPM_PREFORK for FreeBSD package install +- install all modules before adding custom configs +- fix acceptance testing for SSLProtocol behaviour for real +- fix ordering issue with conf_file and ports_file + +#### Known Issues +- mod_passenger is having issues installing on Redhat/Centos 6, This is due to package dependency issues. + +#### Improvements +- added docs for forcetype directive +- removes ruby 1.8.7 from the travisci test matrix +- readme reorganisation, minor fixups +- support the mod_proxy ProxyPassReverseCookiePath directive +- the purge_vhost_configs parameter is actually called purge_vhost_dir +- add ListenBacklog for mod worker +- deflate application/json by default +- install mod_authn_alias as default mod in debian for apache < 2.4 +- optionally set LimitRequestFieldSize on an apache::vhost +- add SecUploadDir parameter to support file uploads with mod_security +- optionally set parameters for mod_ext_filter module +- allow SetOutputFilter to be set on a directory +- RC4 is deprecated +- allow empty docroot +- add option to configure the include pattern for the vhost_enable dir +- allow multiple IP addresses per vhost +- default document root update for Ubuntu 14.04 and Debian 8 + +## Supported Release [1.6.0] +### Summary +This release includes a couple of new features, along with test and documentation updates, and support for the latest AIO puppet builds. + +#### Features +- Add `scan_proxy_header_field` parameter to `apache::mod::geoip` +- Add `ssl_openssl_conf_cmd` parameter to `apache::vhost` and `apache::mod::ssl` +- Add `filters` parameter to `apache::vhost` + +#### Bugfixes +- Test updates +- Do not use systemd on Amazon Linux +- Add missing docs for `timeout` parameter (MODULES-2148) + +## Supported Release [1.5.0] +### Summary +This release primarily adds Suse compatibility. It also adds a handful of other +parameters for greater configuration control. + +#### Features +- Add `apache::lib_path` parameter +- Add `apache::service_restart` parameter +- Add `apache::vhost::geoip_enable` parameter +- Add `apache::mod::geoip` class +- Add `apache::mod::remoteip` class +- Add parameters to `apache::mod::expires` class +- Add `index_style_sheet` handling to `apache::vhost::directories` +- Add some compatibility for SLES 11 +- Add `apache::mod::ssl::ssl_sessioncachetimeout` parameter +- Add `apache::mod::ssl::ssl_cryptodevice` parameter +- Add `apache::mod::ssl::ssl_honorcipherorder` parameter +- Add `apache::mod::userdir::options` parameter + +#### Bugfixes +- Document `apache::user` parameter +- Document `apache::group` parameter +- Fix apache::dev on FreeBSD +- Fix proxy\_connect on apache >= 2.2 +- Validate log levels better +- Fix `apache::apache_name` for package and vhost +- Fix Debian Jessie mod\_prefork package name +- Fix alias module being declared even when vhost is absent +- Fix proxy\_pass\_match handling in vhost's proxy template +- Fix userdir access permissions +- Fix issue where the module was trying to use systemd on Amazon Linux. + +## Supported Release [1.4.1] + +This release corrects a metadata issue that has been present since release 1.2.0. The refactoring of `apache::vhost` to use `puppetlabs-concat` requires a version of concat newer than the version required in PE. If you are using PE 3.3.0 or earlier you will need to use version 1.1.1 or earlier of the `puppetlabs-apache` module. + +## Supported Release [1.4.0] +###Summary + +This release fixes the issue where the docroot was still managed even if the default vhosts were disabled and has many other features and bugfixes including improved support for 'deny' and 'require' as arrays in the 'directories' parameter under `apache::vhost` + +#### Features +- New parameters to `apache` + - `default_charset` + - `default_type` +- New parameters to `apache::vhost` + - `proxy_error_override` + - `passenger_app_env` (MODULES-1776) + - `proxy_dest_match` + - `proxy_dest_reverse_match` + - `proxy_pass_match` + - `no_proxy_uris_match` +- New parameters to `apache::mod::passenger` + - `passenger_app_env` + - `passenger_min_instances` +- New parameter to `apache::mod::alias` + - `icons_options` +- New classes added under `apache::mod::*` + - `authn_file` + - `authz_default` + - `authz_user` +- Added support for 'deny' as an array in 'directories' under `apache::vhost` +- Added support for RewriteMap +- Improved support for FreeBSD. (Note: If using apache < 2.4.12, see the discussion [here](https://github.com/puppetlabs/puppetlabs-apache/pull/1030)) +- Added check for deprecated options in directories and fail when they are unsupported +- Added gentoo compatibility +- Added proper array support for `require` in the `directories` parameter in `apache::vhost` +- Added support for `setenv` inside proxy locations + +### Bugfixes +- Fix issue in `apache::vhost` that was preventing the scriptalias fragment from being included (MODULES-1784) +- Install required `mod_ldap` package for EL7 (MODULES-1779) +- Change default value of `maxrequestworkers` in `apache::mod::event` to be a multiple of the default `ThreadsPerChild` of 25. +- Use the correct `mod_prefork` package name for trusty and jessie +- Don't manage docroot when default vhosts are disabled +- Ensure resources notify `Class['Apache::Service']` instead of `Service['httpd']` (MODULES-1829) +- Change the loadfile name for `mod_passenger` so `mod_proxy` will load by default before `mod_passenger` +- Remove old Debian work-around that removed `passenger_extra.conf` + +## Supported Release [1.3.0] +### Summary + +This release has many new features and bugfixes, including the ability to optionally not trigger service restarts on config changes. + +#### Features +- New parameters - `apache` + - `service_manage` + - `use_optional_includes` +- New parameters - `apache::service` + - `service_manage` +- New parameters - `apache::vhost` + - `access_logs` + - `php_flags` + - `php_values` + - `modsec_disable_vhost` + - `modsec_disable_ids` + - `modsec_disable_ips` + - `modsec_body_limit` +- Improved FreeBSD support +- Add ability to omit priority prefix if `$priority` is set to false +- Add `apache::security::rule_link` define +- Improvements to `apache::mod::*` + - Add `apache::mod::auth_cas` class + - Add `threadlimit`, `listenbacklog`, `maxrequestworkers`, `maxconnectionsperchild` parameters to `apache::mod::event` + - Add `apache::mod::filter` class + - Add `root_group` to `apache::mod::php` + - Add `apache::mod::proxy_connect` class + - Add `apache::mod::security` class + - Add `ssl_pass_phrase_dialog` and `ssl_random_seed_bytes` parameters to `apache::mod::ssl` (MODULES-1719) + - Add `status_path` parameter to `apache::mod::status` + - Add `apache_version` parameter to `apache::mod::version` + - Add `package_name` and `mod_path` parameters to `apache::mod::wsgi` (MODULES-1458) +- Improved SCL support + - Add support for specifying the docroot +- Updated `_directories.erb` to add support for SetEnv +- Support multiple access log directives (MODULES-1382) +- Add passenger support for Debian Jessie +- Add support for not having puppet restart the apache service (MODULES-1559) + +#### Bugfixes +- For apache 2.4 `mod_itk` requires `mod_prefork` (MODULES-825) +- Allow SSLCACertificatePath to be unset in `apache::vhost` (MODULES-1457) +- Load fcgid after unixd on RHEL7 +- Allow disabling default vhost for Apache 2.4 +- Test fixes +- `mod_version` is now built-in (MODULES-1446) +- Sort LogFormats for idempotency +- `allow_encoded_slashes` was omitted from `apache::vhost` +- Fix documentation bug (MODULES-1403, MODULES-1510) +- Sort `wsgi_script_aliases` for idempotency (MODULES-1384) +- lint fixes +- Fix automatic version detection for Debian Jessie +- Fix error docs and icons path for RHEL7-based systems (MODULES-1554) +- Sort php_* hashes for idempotency (MODULES-1680) +- Ensure `mod::setenvif` is included if needed (MODULES-1696) +- Fix indentation in `vhost/_directories.erb` template (MODULES-1688) +- Create symlinks on all distros if `vhost_enable_dir` is specified + +## Supported Release [1.2.0] +### Summary + +This release features many improvements and bugfixes, including several new defines, a reworking of apache::vhost for more extensibility, and many new parameters for more customization. This release also includes improved support for strict variables and the future parser. + +#### Features +- Convert apache::vhost to use concat for easier extensions +- Test improvements +- Synchronize files with modulesync +- Strict variable and future parser support +- Added apache::custom_config defined type to allow validation of configs before they are created +- Added bool2httpd function to convert true/false to apache 'On' and 'Off'. Intended for internal use in the module. +- Improved SCL support + - allow overriding of the mod_ssl package name +- Add support for reverse_urls/ProxyPassReverse in apache::vhost +- Add satisfy directive in apache::vhost::directories +- Add apache::fastcgi::server defined type +- New parameters - apache + - allow_encoded_slashes + - apache_name + - conf_dir + - default_ssl_crl_check + - docroot + - logroot_mode + - purge_vhost_dir +- New parameters - apache::vhost + - add_default_charset + - allow_encoded_slashes + - logroot_ensure + - logroot_mode + - manage_docroot + - passenger_app_root + - passenger_min_instances + - passenger_pre_start + - passenger_ruby + - passenger_start_timeout + - proxy_preserve_host + - proxy_requests + - redirectmatch_dest + - ssl_crl_check + - wsgi_chunked_request + - wsgi_pass_authorization +- Add support for ScriptAlias and ScriptAliasMatch in the apache::vhost::aliases parameter +- Add support for rewrites in the apache::vhost::directories parameter +- If the service_ensure parameter in apache::service is set to anything other than true, false, running, or stopped, ensure will not be passed to the service resource, allowing for the service to not be managed by puppet +- Turn of SSLv3 by default +- Improvements to apache::mod* + - Add restrict_access parameter to apache::mod::info + - Add force_language_priority and language_priority parameters to apache::mod::negotiation + - Add threadlimit parameter to apache::mod::worker + - Add content, template, and source parameters to apache::mod::php + - Add mod_authz_svn support via the authz_svn_enabled parameter in apache::mod::dav_svn + - Add loadfile_name parameter to apache::mod + - Add apache::mod::deflate class + - Add options parameter to apache::mod::fcgid + - Add timeouts parameter to apache::mod::reqtimeout + - Add apache::mod::shib + - Add apache_version parameter to apache::mod::ldap + - Add magic_file parameter to apache::mod::mime_magic + - Add apache_version parameter to apache::mod::pagespeed + - Add passenger_default_ruby parameter to apache::mod::passenger + - Add content, template, and source parameters to apache::mod::php + - Add apache_version parameter to apache::mod::proxy + - Add loadfiles parameter to apache::mod::proxy_html + - Add ssl_protocol and package_name parameters to apache::mod::ssl + - Add apache_version parameter to apache::mod::status + - Add apache_version parameter to apache::mod::userdir + - Add apache::mod::version class + +#### Bugfixes +- Set osfamily defaults for wsgi_socket_prefix +- Support multiple balancermembers with the same url +- Validate apache::vhost::custom_fragment +- Add support for itk with mod_php +- Allow apache::vhost::ssl_certs_dir to not be set +- Improved passenger support for Debian +- Improved 2.4 support without mod_access_compat +- Support for more than one 'Allow from'-directive in _directories.erb +- Don't load systemd on Amazon linux based on CentOS6 with apache 2.4 +- Fix missing newline in ModPagespeed filter and memcached servers directive +- Use interpolated strings instead of numbers where required by future parser +- Make auth_require take precedence over default with apache 2.4 +- Lint fixes +- Set default for php_admin_flags and php_admin_values to be empty hash instead of empty array +- Correct typo in mod::pagespeed +- spec_helper fixes +- Install mod packages before dealing with the configuration +- Use absolute scope to check class definition in apache::mod::php +- Fix dependency loop in apache::vhost +- Properly scope variables in the inline template in apache::balancer +- Documentation clarification, typos, and formatting +- Set apache::mod::ssl::ssl_mutex to default for debian on apache >= 2.4 +- Strict variables fixes +- Add authn_core mode to Ubuntu trusty defaults +- Keep default loadfile for authz_svn on Debian +- Remove '.conf' from the site-include regexp for better Ubuntu/Debian support +- Load unixd before fcgid for EL7 +- Fix RedirectMatch rules +- Fix misleading error message in apache::version + +#### Known Bugs +* By default, the version of Apache that ships with Ubuntu 10.04 does not work with `wsgi_import_script`. +* SLES is unsupported. + +## Supported Release [1.1.1] +### Summary + +This release merely updates metadata.json so the module can be uninstalled and +upgraded via the puppet module command. + +## Supported Release [1.1.0] + +### Summary + +This release primarily focuses on extending the httpd 2.4 support, tested +through adding RHEL7 and Ubuntu 14.04 support. It also includes Passenger +4 support, as well as several new modules and important bugfixes. + +#### Features + +- Add support for RHEL7 and Ubuntu 14.04 +- More complete apache24 support +- Passenger 4 support +- Add support for max_keepalive_requests and log_formats parameters +- Add mod_pagespeed support +- Add mod_speling support +- Added several parameters for mod_passenger +- Added ssl_cipher parameter to apache::mod::ssl +- Improved examples in documentation +- Added docroot_mode, action, and suexec_user_group parameters to apache::vhost +- Add support for custom extensions for mod_php +- Improve proxy_html support for Debian + +#### Bugfixes + +- Remove NameVirtualHost directive for apache >= 2.4 +- Order proxy_set option so it doesn't change between runs +- Fix inverted SSL compression +- Fix missing ensure on concat::fragment resources +- Fix bad dependencies in apache::mod and apache::mod::mime + +#### Known Bugs +* By default, the version of Apache that ships with Ubuntu 10.04 does not work with `wsgi_import_script`. +* SLES is unsupported. + +## Supported Release [1.0.1] +### Summary + +This is a supported release. This release removes a testing symlink that can +cause trouble on systems where /var is on a seperate filesystem from the +modulepath. + +#### Features +#### Bugfixes +#### Known Bugs +* By default, the version of Apache that ships with Ubuntu 10.04 does not work with `wsgi_import_script`. +* SLES is unsupported. + +## Supported Release [1.0.0] +### Summary + +This is a supported release. This release introduces Apache 2.4 support for +Debian and RHEL based osfamilies. + +#### Features + +- Add apache24 support +- Add rewrite_base functionality to rewrites +- Updated README documentation +- Add WSGIApplicationGroup and WSGIImportScript directives + +#### Bugfixes + +- Replace mutating hashes with merge() for Puppet 3.5 +- Fix WSGI import_script and mod_ssl issues on Lucid + +#### Known Bugs +* By default, the version of Apache that ships with Ubuntu 10.04 does not work with `wsgi_import_script`. +* SLES is unsupported. + +--- + +## Supported Release [0.11.0] +### Summary: + +This release adds preliminary support for Windows compatibility and multiple rewrite support. + +#### Backwards-incompatible Changes: + +- The rewrite_rule parameter is deprecated in favor of the new rewrite parameter + and will be removed in a future release. + +#### Features: + +- add Match directive +- quote paths for windows compatibility +- add auth_group_file option to README.md +- allow AuthGroupFile directive for vhosts +- Support Header directives in vhost context +- Don't purge mods-available dir when separate enable dir is used +- Fix the servername used in log file name +- Added support for mod_include +- Remove index parameters. +- Support environment variable control for CustomLog +- added redirectmatch support +- Setting up the ability to do multiple rewrites and conditions. +- Convert spec tests to beaker. +- Support php_admin_(flag|value)s + +#### Bugfixes: + +- directories are either a Hash or an Array of Hashes +- Configure Passenger in separate .conf file on RH so PassengerRoot isn't lost +- (docs) Update list of `apache::mod::[name]` classes +- (docs) Fix apache::namevirtualhost example call style +- Fix $ports_file reference in apache::listen. +- Fix $ports_file reference in Namevirtualhost. + + +## Supported Release [0.10.0] +### Summary: + +This release adds FreeBSD osfamily support and various other improvements to some mods. + +#### Features: + +- Add suPHP_UserGroup directive to directory context +- Add support for ScriptAliasMatch directives +- Set SSLOptions StdEnvVars in server context +- No implicit entry for ScriptAlias path +- Add support for overriding ErrorDocument +- Add support for AliasMatch directives +- Disable default "allow from all" in vhost-directories +- Add WSGIPythonPath as an optional parameter to mod_wsgi. +- Add mod_rpaf support +- Add directives: IndexOptions, IndexOrderDefault +- Add ability to include additional external configurations in vhost +- need to use the provider variable not the provider key value from the directory hash for matches +- Support for FreeBSD and few other features +- Add new params to apache::mod::mime class +- Allow apache::mod to specify module id and path +- added $server_root parameter +- Add Allow and ExtendedStatus support to mod_status +- Expand vhost/_directories.pp directive support +- Add initial support for nss module (no directives in vhost template yet) +- added peruser and event mpms +- added $service_name parameter +- add parameter for TraceEnable +- Make LogLevel configurable for server and vhost +- Add documentation about $ip +- Add ability to pass ip (instead of wildcard) in default vhost files + +#### Bugfixes: + +- Don't listen on port or set NameVirtualHost for non-existent vhost +- only apply Directory defaults when provider is a directory +- Working mod_authnz_ldap support on Debian/Ubuntu + +## Supported Release [0.9.0] +### Summary: +This release adds more parameters to the base apache class and apache defined +resource to make the module more flexible. It also adds or enhances SuPHP, +WSGI, and Passenger mod support, and support for the ITK mpm module. + +#### Backwards-incompatible Changes: +- Remove many default mods that are not normally needed. +- Remove `rewrite_base` `apache::vhost` parameter; did not work anyway. +- Specify dependencies on stdlib >=2.4.0 (this was already the case, but +making explicit) +- Deprecate `a2mod` in favor of the `apache::mod::*` classes and `apache::mod` +defined resource. + +#### Features: +- `apache` class + - Add `httpd_dir` parameter to change the location of the configuration + files. + - Add `logroot` parameter to change the logroot + - Add `ports_file` parameter to changes the `ports.conf` file location + - Add `keepalive` parameter to enable persistent connections + - Add `keepalive_timeout` parameter to change the timeout + - Update `default_mods` to be able to take an array of mods to enable. +- `apache::vhost` + - Add `wsgi_daemon_process`, `wsgi_daemon_process_options`, + `wsgi_process_group`, and `wsgi_script_aliases` parameters for per-vhost + WSGI configuration. + - Add `access_log_syslog` parameter to enable syslogging. + - Add `error_log_syslog` parameter to enable syslogging of errors. + - Add `directories` hash parameter. Please see README for documentation. + - Add `sslproxyengine` parameter to enable SSLProxyEngine + - Add `suphp_addhandler`, `suphp_engine`, and `suphp_configpath` for + configuring SuPHP. + - Add `custom_fragment` parameter to allow for arbitrary apache + configuration injection. (Feature pull requests are prefered over using + this, but it is available in a pinch.) +- Add `apache::mod::suphp` class for configuring SuPHP. +- Add `apache::mod::itk` class for configuring ITK mpm module. +- Update `apache::mod::wsgi` class for global WSGI configuration with +`wsgi_socket_prefix` and `wsgi_python_home` parameters. +- Add README.passenger.md to document the `apache::mod::passenger` usage. +Added `passenger_high_performance`, `passenger_pool_idle_time`, +`passenger_max_requests`, `passenger_stat_throttle_rate`, `rack_autodetect`, +and `rails_autodetect` parameters. +- Separate the httpd service resource into a new `apache::service` class for +dependency chaining of `Class['apache'] -> ~> +Class['apache::service']` +- Added `apache::mod::proxy_balancer` class for `apache::balancer` + +#### Bugfixes: +- Change dependency to puppetlabs-concat +- Fix ruby 1.9 bug for `a2mod` +- Change servername to be `$::hostname` if there is no `$::fqdn` +- Make `/etc/ssl/certs` the default ssl certs directory for RedHat non-5. +- Make `php` the default php package for RedHat non-5. +- Made `aliases` able to take a single alias hash instead of requiring an +array. + +## Supported Release [0.8.1] +#### Bugfixes: +- Update `apache::mpm_module` detection for worker/prefork +- Update `apache::mod::cgi` and `apache::mod::cgid` detection for +worker/prefork + +## Supported Release [0.8.0] +#### Features: +- Add `servername` parameter to `apache` class +- Add `proxy_set` parameter to `apache::balancer` define + +#### Bugfixes: +- Fix ordering for multiple `apache::balancer` clusters +- Fix symlinking for sites-available on Debian-based OSs +- Fix dependency ordering for recursive confdir management +- Fix `apache::mod::*` to notify the service on config change +- Documentation updates + +## Supported Release [0.7.0] +#### Changes: +- Essentially rewrite the module -- too many to list +- `apache::vhost` has many abilities -- see README.md for details +- `apache::mod::*` classes provide httpd mod-loading capabilities +- `apache` base class is much more configurable + +#### Bugfixes: +- Many. And many more to come + +## Supported Release [0.6.0] +- update travis tests (add more supported versions) +- add access log_parameter +- make purging of vhost dir configurable + +## Supported Release [0.4.0] +#### Changes: +- `include apache` is now required when using `apache::mod::*` + +#### Bugfixes: +- Fix syntax for validate_re +- Fix formatting in vhost template +- Fix spec tests such that they pass + +## Supported Release [0.0.4] +* e62e362 Fix broken tests for ssl, vhost, vhost::* +* 42c6363 Changes to match style guide and pass puppet-lint without error +* 42bc8ba changed name => path for file resources in order to name namevar by it's name +* 72e13de One end too much +* 0739641 style guide fixes: 'true' <> true, $operatingsystem needs to be $::operatingsystem, etc. +* 273f94d fix tests +* a35ede5 (#13860) Make a2enmod/a2dismo commands optional +* 98d774e (#13860) Autorequire Package['httpd'] +* 05fcec5 (#13073) Add missing puppet spec tests +* 541afda (#6899) Remove virtual a2mod definition +* 976cb69 (#13072) Move mod python and wsgi package names to params +* 323915a (#13060) Add .gitignore to repo +* fdf40af (#13060) Remove pkg directory from source tree +* fd90015 Add LICENSE file and update the ModuleFile +* d3d0d23 Re-enable local php class +* d7516c7 Make management of firewalls configurable for vhosts +* 60f83ba Explicitly lookup scope of apache_name in templates. +* f4d287f (#12581) Add explicit ordering for vdir directory +* 88a2ac6 (#11706) puppetlabs-apache depends on puppetlabs-firewall +* a776a8b (#11071) Fix to work with latest firewall module +* 2b79e8b (#11070) Add support for Scientific Linux +* 405b3e9 Fix for a2mod +* 57b9048 Commit apache::vhost::redirect Manifest +* 8862d01 Commit apache::vhost::proxy Manifest +* d5c1fd0 Commit apache::mod::wsgi Manifest +* a825ac7 Commit apache::mod::python Manifest +* b77062f Commit Templates +* 9a51b4a Vhost File Declarations +* 6cf7312 Defaults for Parameters +* 6a5b11a Ensure installed +* f672e46 a2mod fix +* 8a56ee9 add pthon support to apache + +[3.2.0]:https://github.com/puppetlabs/puppetlabs-apache/compare/3.1.0...3.2.0 +[3.1.0]:https://github.com/puppetlabs/puppetlabs-apache/compare/3.0.0...3.1.0 +[3.0.0]:https://github.com/puppetlabs/puppetlabs-apache/compare/2.3.1...3.0.0 +[2.3.1]:https://github.com/puppetlabs/puppetlabs-apache/compare/2.3.0...2.3.1 +[2.3.0]:https://github.com/puppetlabs/puppetlabs-apache/compare/2.2.0...2.3.0 +[2.2.0]:https://github.com/puppetlabs/puppetlabs-apache/compare/2.1.0...2.2.0 +[2.1.0]:https://github.com/puppetlabs/puppetlabs-apache/compare/2.0.0...2.1.0 +[2.0.0]:https://github.com/puppetlabs/puppetlabs-apache/compare/1.11.0...2.0.0 +[1.11.1]:https://github.com/puppetlabs/puppetlabs-apache/compare/1.11.0...1.11.1 +[1.11.0]:https://github.com/puppetlabs/puppetlabs-apache/compare/1.10.0...1.11.0 +[1.10.0]:https://github.com/puppetlabs/puppetlabs-apache/compare/1.9.0...1.10.0 +[1.9.0]:https://github.com/puppetlabs/puppetlabs-apache/compare/1.8.1...1.9.0 +[1.8.1]:https://github.com/puppetlabs/puppetlabs-apache/compare/1.8.0...1.8.1 +[1.8.0]:https://github.com/puppetlabs/puppetlabs-apache/compare/1.7.1...1.8.0 +[1.7.1]:https://github.com/puppetlabs/puppetlabs-apache/compare/1.7.0...1.7.1 +[1.7.0]:https://github.com/puppetlabs/puppetlabs-apache/compare/1.6.0...1.7.0 +[1.6.0]:https://github.com/puppetlabs/puppetlabs-apache/compare/1.5.0...1.6.0 +[1.5.0]:https://github.com/puppetlabs/puppetlabs-apache/compare/1.4.1...1.5.0 +[1.4.1]:https://github.com/puppetlabs/puppetlabs-apache/compare/1.4.0...1.4.1 +[1.4.0]:https://github.com/puppetlabs/puppetlabs-apache/compare/1.3.0...1.4.0 +[1.3.0]:https://github.com/puppetlabs/puppetlabs-apache/compare/1.2.0...1.3.0 +[1.2.0]:https://github.com/puppetlabs/puppetlabs-apache/compare/1.1.1...1.2.0 +[1.1.1]:https://github.com/puppetlabs/puppetlabs-apache/compare/1.1.0...1.1.1 +[1.1.0]:https://github.com/puppetlabs/puppetlabs-apache/compare/1.0.1...1.1.0 +[1.0.1]:https://github.com/puppetlabs/puppetlabs-apache/compare/1.0.0...1.0.1 +[1.0.0]:https://github.com/puppetlabs/puppetlabs-apache/compare/0.11.0...1.0.0 +[0.11.0]:https://github.com/puppetlabs/puppetlabs-apache/compare/1.10.0...0.11.0 +[0.10.0]:https://github.com/puppetlabs/puppetlabs-apache/compare/1.9.0...0.10.0 +[0.9.0]:https://github.com/puppetlabs/puppetlabs-apache/compare/1.8.1...0.9.0 +[0.8.1]:https://github.com/puppetlabs/puppetlabs-apache/compare/0.8.0...0.8.1 +[0.8.0]:https://github.com/puppetlabs/puppetlabs-apache/compare/0.7.0...0.8.0 +[0.7.0]:https://github.com/puppetlabs/puppetlabs-apache/compare/0.6.0...0.7.0 +[0.6.0]:https://github.com/puppetlabs/puppetlabs-apache/compare/0.5.0-rc1...0.6.0 +[0.5.0-rc1]:https://github.com/puppetlabs/puppetlabs-apache/compare/0.4.0...0.5.0-rc1 +[0.4.0]:https://github.com/puppetlabs/puppetlabs-apache/compare/0.3.0...0.4.0 +[0.0.4]:https://github.com/puppetlabs/puppetlabs-apache/commits/0.0.4 diff --git a/LICENSE b/LICENSE index 8961ce8a6d..d645695673 100644 --- a/LICENSE +++ b/LICENSE @@ -1,15 +1,202 @@ -Copyright (C) 2012 Puppet Labs Inc -Puppet Labs can be contacted at: info@puppetlabs.com + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - http://www.apache.org/licenses/LICENSE-2.0 + 1. Definitions. -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/Modulefile b/Modulefile deleted file mode 100644 index 800ccf5504..0000000000 --- a/Modulefile +++ /dev/null @@ -1,12 +0,0 @@ -name 'puppetlabs-apache' -version '0.9.0' -source 'git://github.com/puppetlabs/puppetlabs-apache.git' -author 'puppetlabs' -license 'Apache 2.0' -summary 'Puppet module for Apache' -description 'Module for Apache configuration' -project_page 'https://github.com/puppetlabs/puppetlabs-apache' - -## Add dependencies, if any: -dependency 'puppetlabs/stdlib', '>= 2.4.0' -dependency 'puppetlabs/concat', '>= 1.0.0' diff --git a/NOTICE b/NOTICE new file mode 100644 index 0000000000..0bd06041e4 --- /dev/null +++ b/NOTICE @@ -0,0 +1,15 @@ +Puppet Module - puppetlabs-apache + +Copyright 2018 Puppet, Inc. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. \ No newline at end of file diff --git a/README.md b/README.md index fcf48d2406..703fe1a34b 100644 --- a/README.md +++ b/README.md @@ -1,1268 +1,936 @@ -#apache - -[![Build Status](https://travis-ci.org/puppetlabs/puppetlabs-apache.png?branch=master)](https://travis-ci.org/puppetlabs/puppetlabs-apache) - -####Table of Contents - -1. [Overview - What is the Apache module?](#overview) -2. [Module Description - What does the module do?](#module-description) -3. [Setup - The basics of getting started with Apache](#setup) - * [Beginning with Apache - Installation](#beginning-with-apache) - * [Configure a Virtual Host - Basic options for getting started](#configure-a-virtual-host) -4. [Usage - The classes, defined types, and their parameters available for configuration](#usage) - * [Classes and Defined Types](#classes-and-defined-types) - * [Class: apache](#class-apache) - * [Classes: apache::mod::*](#classes-apachemodname) - * [Defined Type: apache::vhost](#defined-type-apachevhost) - * [Virtual Host Examples - Demonstrations of some configuration options](#virtual-host-examples) -5. [Implementation - An under-the-hood peek at what the module is doing](#implementation) - * [Classes and Defined Types](#classes-and-defined-types) - * [Templates](#templates) -6. [Limitations - OS compatibility, etc.](#limitations) -7. [Development - Guide for contributing to the module](#development) -8. [Release Notes - Notes on the most recent updates to the module](#release-notes) - -##Overview - -The Apache module allows you to set up virtual hosts and manage web services with minimal effort. - -##Module Description - -Apache is a widely-used web server, and this module provides a simplified way of creating configurations to manage your infrastructure. This includes the ability to configure and manage a range of different virtual host setups, as well as a streamlined way to install and configure Apache modules. - -##Setup - -**What Apache affects:** - -* configuration files and directories (created and written to) - * **NOTE**: Configurations that are *not* managed by Puppet will be purged. -* package/service/configuration files for Apache -* Apache modules -* virtual hosts -* listened-to ports - -###Beginning with Apache - -To install Apache with the default parameters - -```puppet - class { 'apache': } +# apache + +[Module description]: #module-description + +[Setup]: #setup +[Beginning with Apache]: #beginning-with-apache + +[Usage]: #usage +[Configuring virtual hosts]: #configuring-virtual-hosts +[Configuring virtual hosts with SSL]: #configuring-virtual-hosts-with-ssl +[Configuring virtual host port and address bindings]: #configuring-virtual-host-port-and-address-bindings +[Configuring virtual hosts for apps and processors]: #configuring-virtual-hosts-for-apps-and-processors +[Configuring IP-based virtual hosts]: #configuring-ip-based-virtual-hosts +[Installing Apache modules]: #installing-apache-modules +[Installing arbitrary modules]: #installing-arbitrary-modules +[Installing specific modules]: #installing-specific-modules +[Load balancing examples]: #load-balancing-examples +[apache affects]: #what-the-apache-module-affects + +[Reference]: #reference + +[Limitations]: #limitations + +[License]: #license + +[Development]: #development + +[`AddDefaultCharset`]: https://httpd.apache.org/docs/current/mod/core.html#adddefaultcharset +[`add_listen`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#add_listen +[`Alias`]: https://httpd.apache.org/docs/current/mod/mod_alias.html#alias +[`AliasMatch`]: https://httpd.apache.org/docs/current/mod/mod_alias.html#aliasmatch +[aliased servers]: https://httpd.apache.org/docs/current/urlmapping.html +[`AllowEncodedSlashes`]: https://httpd.apache.org/docs/current/mod/core.html#allowencodedslashes +[`apache`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#apache +[`apache::balancer`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#apachebalancer +[`apache::balancermember`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#apachebalancermember +[`apache::mod`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#apachemod +[`apache::mod::`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#public-classes +[`apache::mod::alias`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#apachemodalias +[`apache::mod::auth_cas`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#apachemodauth_cas +[`apache::mod::auth_mellon`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#apachemodauth_mellon +[`apache::mod::authn_dbd`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#apachemodauthn_dbd +[`apache::mod::authnz_ldap`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#apachemodauthnz_ldap +[`apache::mod::authz_core`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#apachemodauthz_core +[`apache::mod::cluster`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#apachemodcluster +[`apache::mod::data]: https://forge.puppet.com/modules/puppetlabs/apache/reference#apachemoddata +[`apache::mod::disk_cache`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#apachemoddisk_cache +[`apache::mod::dumpio`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#apachemoddumpio +[`apache::mod::event`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#apachemodevent +[`apache::mod::ext_filter`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#apachemodext_filter +[`apache::mod::geoip`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#apachemodgeoip +[`apache::mod::http2`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#apachemodhttp2 +[`apache::mod::itk`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#apachemoditk +[`apache::mod::jk`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#apachemodjk +[`apache::mod::ldap`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#apachemodldap +[`apache::mod::passenger`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#apachemodpassenger +[`apache::mod::peruser`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#apachemodperuser +[`apache::mod::prefork`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#apachemodprefork +[`apache::mod::proxy`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#apachemodproxy +[`apache::mod::proxy_balancer`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#apachemodproxybalancer +[`apache::mod::proxy_fcgi`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#apachemodproxy_fcgi +[`apache::mod::proxy_html`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#apachemodproxy_html +[`apache::mod::python`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#apachemodpython +[`apache::mod::security`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#apachemodsecurity +[`apache::mod::shib`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#apachemodshib +[`apache::mod::ssl`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#apachemodssl +[`apache::mod::status`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#apachemodstatus +[`apache::mod::userdir`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#apachemoduserdir +[`apache::mod::worker`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#apachemodworker +[`apache::mod::wsgi`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#apachemodwsgi +[`apache::params`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#private-classes +[`apache::version`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#private-classes +[`apache::vhost`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#apachevhost +[`apache::vhost::custom`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#apachevhostcustom +[Apache HTTP Server]: https://httpd.apache.org +[Apache modules]: https://httpd.apache.org/docs/current/mod/ +[array]: https://docs.puppet.com/puppet/latest/lang_data_array.html + +[audit log]: https://github.com/SpiderLabs/ModSecurity/wiki/ModSecurity-2-Data-Formats#audit-log + +[beaker-rspec]: https://github.com/puppetlabs/beaker-rspec + +[certificate revocation list]: https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcarevocationfile +[certificate revocation list path]: https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcarevocationpath +[common gateway interface]: https://httpd.apache.org/docs/current/howto/cgi.html +[`conf_dir`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#conf_dir +[custom error documents]: https://httpd.apache.org/docs/current/custom-error.html +[`custom_fragment`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#custom_fragment + +[`default_mods`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#default_mods +[`default_ssl_crl`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#default_ssl_crl +[`default_ssl_crl_path`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#default_ssl_crl_path +[`default_ssl_vhost`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#default_ssl_vhost +[`dev_packages`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#dev_packages +[`directories`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#directories +[`DirectoryIndex`]: https://httpd.apache.org/docs/current/mod/mod_dir.html#directoryindex +[`docroot`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#docroot +[`docroot_owner`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#docroot_owner +[`docroot_group`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#docroot_group +[`DocumentRoot`]: https://httpd.apache.org/docs/current/mod/core.html#documentroot + +[`EnableSendfile`]: https://httpd.apache.org/docs/current/mod/core.html#enablesendfile +[enforcing mode]: http://selinuxproject.org/page/Guide/Mode +[`ensure`]: https://docs.puppet.com/latest/type.html#package-attribute-ensure +[`error_log_file`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#error_log_file +[`error_log_syslog`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#error_log_syslog +[`error_log_pipe`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#error_log_pipe +[`ExpiresByType`]: https://httpd.apache.org/docs/current/mod/mod_expires.html#expiresbytype +[exported resources]: https://puppet.com/docs/puppet/latest/lang_exported.html +[`ExtendedStatus`]: https://httpd.apache.org/docs/current/mod/core.html#extendedstatus + +[Facter]: http://docs.puppet.com/facter/ +[FallbackResource]: https://httpd.apache.org/docs/current/mod/mod_dir.html#fallbackresource +[`fallbackresource`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#fallbackresource +[`FileETag`]: https://httpd.apache.org/docs/current/mod/core.html#fileetag +[filter rules]: https://httpd.apache.org/docs/current/filter.html +[`filters`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#filters +[`ForceType`]: https://httpd.apache.org/docs/current/mod/core.html#forcetype + +[GeoIPScanProxyHeaders]: http://dev.maxmind.com/geoip/legacy/mod_geoip2/#Proxy-Related_Directives +[`gentoo/puppet-portage`]: https://github.com/gentoo/puppet-portage + +[Hash]: https://docs.puppet.com/puppet/latest/lang_data_hash.html +[`HttpProtocolOptions`]: http://httpd.apache.org/docs/current/mod/core.html#httpprotocoloptions + +[CAT Team]: https://puppetlabs.github.io/content-and-tooling-team/ +[`IncludeOptional`]: https://httpd.apache.org/docs/current/mod/core.html#includeoptional +[`Include`]: https://httpd.apache.org/docs/current/mod/core.html#include +[interval syntax]: https://httpd.apache.org/docs/current/mod/mod_expires.html#AltSyn +[`ip`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#ip +[`ip_based`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#ip_based +[IP-based virtual hosts]: https://httpd.apache.org/docs/current/vhosts/ip-based.html + +[`limitreqfieldsize`]: https://httpd.apache.org/docs/current/mod/core.html#limitrequestfieldsize +[`limitreqfields`]: http://httpd.apache.org/docs/current/mod/core.html#limitrequestfields + +[`lib`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#lib +[`lib_path`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#lib_path +[`Listen`]: https://httpd.apache.org/docs/current/bind.html +[`ListenBackLog`]: https://httpd.apache.org/docs/current/mod/mpm_common.html#listenbacklog +[`LoadFile`]: https://httpd.apache.org/docs/current/mod/mod_so.html#loadfile +[`LogFormat`]: https://httpd.apache.org/docs/current/mod/mod_log_config.html#logformat +[`logroot`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#logroot +[Log security]: https://httpd.apache.org/docs/current/logs.html#security + +[`manage_docroot`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#manage_docroot +[`manage_user`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#manage_user +[`manage_group`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#manage_group +[`supplementary_groups`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#supplementary_groups +[`MaxConnectionsPerChild`]: https://httpd.apache.org/docs/current/mod/mpm_common.html#maxconnectionsperchild +[`max_keepalive_requests`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#max_keepalive_requests +[`MaxRequestWorkers`]: https://httpd.apache.org/docs/current/mod/mpm_common.html#maxrequestworkers +[`MaxSpareThreads`]: https://httpd.apache.org/docs/current/mod/mpm_common.html#maxsparethreads +[MIME `content-type`]: https://www.iana.org/assignments/media-types/media-types.xhtml +[`MinSpareThreads`]: https://httpd.apache.org/docs/current/mod/mpm_common.html#minsparethreads +[`mod_alias`]: https://httpd.apache.org/docs/current/mod/mod_alias.html +[`mod_auth_cas`]: https://github.com/Jasig/mod_auth_cas +[`mod_auth_kerb`]: http://modauthkerb.sourceforge.net/configure.html +[`mod_auth_gssapi`]: https://github.com/modauthgssapi/mod_auth_gssapi +[`mod_authnz_external`]: https://github.com/phokz/mod-auth-external +[`mod_auth_dbd`]: http://httpd.apache.org/docs/current/mod/mod_authn_dbd.html +[`mod_auth_mellon`]: https://github.com/UNINETT/mod_auth_mellon +[`mod_authz_core`]: https://httpd.apache.org/docs/current/mod/mod_authz_core.html +[`mod_dbd`]: http://httpd.apache.org/docs/current/mod/mod_dbd.html +[`mod_disk_cache`]: https://httpd.apache.org/docs/2.2/mod/mod_disk_cache.html +[`mod_dumpio`]: https://httpd.apache.org/docs/2.4/mod/mod_dumpio.html +[`mod_env`]: http://httpd.apache.org/docs/current/mod/mod_env.html +[`mod_expires`]: https://httpd.apache.org/docs/current/mod/mod_expires.html +[`mod_ext_filter`]: https://httpd.apache.org/docs/current/mod/mod_ext_filter.html +[`mod_fcgid`]: https://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html +[`mod_geoip`]: http://dev.maxmind.com/geoip/legacy/mod_geoip2/ +[`mod_http2`]: https://httpd.apache.org/docs/current/mod/mod_http2.html +[`mod_info`]: https://httpd.apache.org/docs/current/mod/mod_info.html +[`mod_ldap`]: https://httpd.apache.org/docs/2.2/mod/mod_ldap.html +[`mod_mpm_event`]: https://httpd.apache.org/docs/current/mod/event.html +[`mod_negotiation`]: https://httpd.apache.org/docs/current/mod/mod_negotiation.html +[`mod_pagespeed`]: https://developers.google.com/speed/pagespeed/module/?hl=en +[`mod_passenger`]: https://www.phusionpassenger.com/library/config/apache/reference/ +[`mod_php`]: http://php.net/manual/en/book.apache.php +[`mod_proxy`]: https://httpd.apache.org/docs/current/mod/mod_proxy.html +[`mod_proxy_balancer`]: https://httpd.apache.org/docs/current/mod/mod_proxy_balancer.html +[`mod_reqtimeout`]: https://httpd.apache.org/docs/current/mod/mod_reqtimeout.html +[`mod_python`]: http://modpython.org/ +[`mod_rewrite`]: https://httpd.apache.org/docs/current/mod/mod_rewrite.html +[`mod_security`]: https://www.modsecurity.org/ +[`mod_ssl`]: https://httpd.apache.org/docs/current/mod/mod_ssl.html +[`mod_status`]: https://httpd.apache.org/docs/current/mod/mod_status.html +[`mod_version`]: https://httpd.apache.org/docs/current/mod/mod_version.html +[`mod_wsgi`]: https://modwsgi.readthedocs.org/en/latest/ +[module contribution guide]: https://docs.puppet.com/forge/contributing.html +[`mpm_module`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#mpm_module +[multi-processing module]: https://httpd.apache.org/docs/current/mpm.html + +[name-based virtual hosts]: https://httpd.apache.org/docs/current/vhosts/name-based.html +[`no_proxy_uris`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#no_proxy_uris + +[open source Puppet]: https://docs.puppet.com/puppet/ +[`Options`]: https://httpd.apache.org/docs/current/mod/core.html#options + +[`path`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#path +[`Peruser`]: https://www.freebsd.org/cgi/url.cgi?ports/www/apache22-peruser-mpm/pkg-descr +[`port`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#port-3 +[`priority`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#priority +[`proxy_dest`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#proxy_dest +[`proxy_dest_match`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#proxy_dest_match +[`proxy_pass`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#proxy_pass +[`ProxyPass`]: https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypass +[`proxy_set`]: https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxyset +[Puppet Enterprise]: https://docs.puppet.com/pe/ +[Puppet Forge]: https://forge.puppet.com +[Puppet]: https://puppet.com +[Puppet module]: https://docs.puppet.com/puppet/latest/modules_fundamentals.html +[Puppet module's code]: https://github.com/puppetlabs/puppetlabs-apache/blob/main/manifests/default_mods.pp +[`purge_configs`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#purge_configs +[`purge_vhost_dir`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#purge_vhost_dir +[Python]: https://www.python.org/ + +[Rack]: http://rack.github.io/ +[`rack_base_uri`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#rack_base_uri +[RFC 2616]: https://www.ietf.org/rfc/rfc2616.txt +[`RequestReadTimeout`]: https://httpd.apache.org/docs/current/mod/mod_reqtimeout.html#requestreadtimeout +[rspec-puppet]: http://rspec-puppet.com/ + +[`ScriptAlias`]: https://httpd.apache.org/docs/current/mod/mod_alias.html#scriptalias +[`ScriptAliasMatch`]: https://httpd.apache.org/docs/current/mod/mod_alias.html#scriptaliasmatch +[`scriptalias`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#scriptalias +[SELinux]: http://selinuxproject.org/ +[`ServerAdmin`]: https://httpd.apache.org/docs/current/mod/core.html#serveradmin +[`serveraliases`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#serveraliases +[`ServerLimit`]: https://httpd.apache.org/docs/current/mod/mpm_common.html#serverlimit +[`ServerName`]: https://httpd.apache.org/docs/current/mod/core.html#servername +[`ServerRoot`]: https://httpd.apache.org/docs/current/mod/core.html#serverroot +[`ServerTokens`]: https://httpd.apache.org/docs/current/mod/core.html#servertokens +[`ServerSignature`]: https://httpd.apache.org/docs/current/mod/core.html#serversignature +[Service attribute restart]: http://docs.puppet.com/latest/type.html#service-attribute-restart +[`SSLCARevocationCheck`]: https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcarevocationcheck +[SSL certificate key file]: https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcertificatekeyfile +[SSL chain]: https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcertificatechainfile +[SSL encryption]: https://httpd.apache.org/docs/current/ssl/index.html +[`ssl`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#ssl +[`ssl_cert`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#ssl_cert +[`ssl_compression`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#ssl_compression +[`ssl_cipher`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#ssl_compression +[`ssl_key`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#ssl_key +[`StartServers`]: https://httpd.apache.org/docs/current/mod/mpm_common.html#startservers +[supported operating system]: https://forge.puppet.com/supported#puppet-supported-modules-compatibility-matrix + +[`ThreadLimit`]: https://httpd.apache.org/docs/current/mod/mpm_common.html#threadlimit +[`ThreadsPerChild`]: https://httpd.apache.org/docs/current/mod/mpm_common.html#threadsperchild +[`TimeOut`]: https://httpd.apache.org/docs/current/mod/core.html#timeout +[template]: http://docs.puppet.com/puppet/latest/reference/lang_template.html +[`TraceEnable`]: https://httpd.apache.org/docs/current/mod/core.html#traceenable + +[`UseCanonicalName`]: https://httpd.apache.org/docs/current/mod/core.html#usecanonicalname + +[`verify_config`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#verify_config +[`vhost`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#apachevhost +[`vhost_dir`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#vhost_dir +[`virtual_docroot`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#virtual_docroot + +[Web Server Gateway Interface]: https://www.python.org/dev/peps/pep-3333/#abstract +[`WSGIRestrictEmbedded`]: http://modwsgi.readthedocs.io/en/develop/configuration-directives/WSGIRestrictEmbedded.html +[`WSGIPythonPath`]: http://modwsgi.readthedocs.org/en/develop/configuration-directives/WSGIPythonPath.html +[`WSGIPythonHome`]: http://modwsgi.readthedocs.org/en/develop/configuration-directives/WSGIPythonHome.html +[`WSGIApplicationGroup`]: https://modwsgi.readthedocs.io/en/develop/configuration-directives/WSGIApplicationGroup.html +[`WSGIPythonOptimize`]: https://modwsgi.readthedocs.io/en/develop/configuration-directives/WSGIPythonOptimize.html + +#### Table of Contents + +1. [Module description - What is the apache module, and what does it do?][Module description] +2. [Setup - The basics of getting started with apache][Setup] + - [What the apache module affects][apache affects] + - [Beginning with Apache - Installation][Beginning with Apache] +3. [Usage - The classes and defined types available for configuration][Usage] + - [Configuring virtual hosts - Examples to help get started][Configuring virtual hosts] + - [Load balancing with exported and non-exported resources][Load balancing examples] +4. [Reference - An under-the-hood peek at what the module is doing and how][Reference] +5. [Limitations - OS compatibility, etc.][Limitations] +6. [License][License] +7. [Development - Guide for contributing to the module][Development] + + +## Module description + +[Apache HTTP Server][] (also called Apache HTTPD, or simply Apache) is a widely used web server. This [Puppet module][] simplifies the task of creating configurations to manage Apache servers in your infrastructure. It can configure and manage a range of virtual host setups and provides a streamlined way to install and configure [Apache modules][]. + + +## Setup + + +### What the apache module affects: + +- Configuration files and directories (created and written to) + - **WARNING**: Configurations *not* managed by Puppet will be purged. +- Package/service/configuration files for Apache +- Apache modules +- Virtual hosts +- Listened-to ports +- `/etc/make.conf` on FreeBSD and Gentoo + +On Gentoo, this module depends on the [`gentoo/puppet-portage`][] Puppet module. Note that while several options apply or enable certain features and settings for Gentoo, it is not a [supported operating system][] for this module. + +> **Warning**: This module modifies Apache configuration files and directories and purges any configuration not managed by Puppet. Apache configuration should be managed by Puppet, as unmanaged configuration files can cause unexpected failures. +> +>To temporarily disable full Puppet management, set the [`purge_configs`][] parameter in the [`apache`][] class declaration to false. We recommend this only as a temporary means of saving and relocating customized configurations. + + +### Beginning with Apache + +To have Puppet install Apache with the default parameters, declare the [`apache`][] class: + +``` puppet +class { 'apache': } +``` + +When you declare this class with the default options, the module: + +- Installs the appropriate Apache software package and [required Apache modules][`default_mods`] for your operating system. +- Places the required configuration files in a directory, with the [default location][`conf_dir`] Depends on operating system. +- Configures the server with a default virtual host and standard port (80) and address ('\*') bindings. +- Creates a document root directory Depends on operating system, typically `/var/www`. +- Starts the Apache service. + +Apache defaults depend on your operating system. These defaults work in testing environments but are not suggested for production. We recommend customizing the class's parameters to suit your site. + +For instance, this declaration installs Apache without the apache module's [default virtual host configuration][Configuring virtual hosts], allowing you to customize all Apache virtual hosts: + +``` puppet +class { 'apache': + default_vhost => false, +} ``` -The defaults are determined by your operating system (e.g. Debian systems have one set of defaults, RedHat systems have another). These defaults will work well in a testing environment, but are not suggested for production. To establish customized parameters +> **Note**: When `default_vhost` is set to `false`, you have to add at least one `apache::vhost` resource or Apache will not start. To establish a default virtual host, either set the `default_vhost` in the `apache` class or use the [`apache::vhost`][] defined type. You can also configure additional specific virtual hosts with the [`apache::vhost`][] defined type. -```puppet - class { 'apache': - default_mods => false, - } -``` + +## Usage -###Configure a virtual host + +### Configuring virtual hosts -Declaring the `apache` class will create a default virtual host by setting up a vhost on port 80, listening on all interfaces and serving `$apache::docroot`. +The default [`apache`][] class sets up a virtual host on port 80, listening on all interfaces and serving the [`docroot`][] parameter's default directory of `/var/www`. -```puppet - class { 'apache': } -``` -To configure a very basic, name-based virtual host +To configure basic [name-based virtual hosts][], specify the [`port`][] and [`docroot`][] parameters in the [`apache::vhost`][] defined type: -```puppet - apache::vhost { 'first.example.com': - port => '80', - docroot => '/var/www/first', - } +``` puppet +apache::vhost { 'vhost.example.com': + port => 80, + docroot => '/var/www/vhost', +} ``` -*Note:* The default priority is 15. If nothing matches this priority, the alphabetically first name-based vhost will be used. This is also true if you pass a higher priority and no names match anything else. +See the [`apache::vhost`][] defined type's reference for a list of all virtual host parameters. -A slightly more complicated example, which moves the docroot owner/group - -```puppet - apache::vhost { 'second.example.com': - port => '80', - docroot => '/var/www/second', - docroot_owner => 'third', - docroot_group => 'third', - } -``` +> **Note**: Apache processes virtual hosts in alphabetical order, and server administrators can prioritize Apache's virtual host processing by prefixing a virtual host's configuration file name with a number. The [`apache::vhost`][] defined type applies a default [`priority`][] of 25, which Puppet interprets by prefixing the virtual host's file name with `25-`. This means that if multiple sites have the same priority, or if you disable priority numbers by setting the `priority` parameter's value to false, Apache still processes virtual hosts in alphabetical order. -To set up a virtual host with SSL and default SSL certificates +To configure user and group ownership for `docroot`, use the [`docroot_owner`][] and [`docroot_group`][] parameters: -```puppet - apache::vhost { 'ssl.example.com': - port => '443', - docroot => '/var/www/ssl', - ssl => true, - } +``` puppet +apache::vhost { 'user.example.com': + port => 80, + docroot => '/var/www/user', + docroot_owner => 'www-data', + docroot_group => 'www-data', +} ``` -To set up a virtual host with SSL and specific SSL certificates - -```puppet - apache::vhost { 'fourth.example.com': - port => '443', - docroot => '/var/www/fourth', - ssl => true, - ssl_cert => '/etc/ssl/fourth.example.com.cert', - ssl_key => '/etc/ssl/fourth.example.com.key', - } -``` +#### Configuring virtual hosts with SSL -To set up a virtual host with wildcard alias for subdomain mapped to same named directory -`http://examle.com.loc => /var/www/example.com` +To configure a virtual host to use [SSL encryption][] and default SSL certificates, set the [`ssl`][] parameter. You must also specify the [`port`][] parameter, typically with a value of 443, to accommodate HTTPS requests: -```puppet - apache::vhost { 'subdomain.loc': - vhost_name => '*', - port => '80', - virtual_docroot' => '/var/www/%-2+', - docroot => '/var/www', - serveraliases => ['*.loc',], - } +``` puppet +apache::vhost { 'ssl.example.com': + port => 443, + docroot => '/var/www/ssl', + ssl => true, +} ``` -To set up a virtual host with suPHP +To configure a virtual host to use SSL and specific SSL certificates, use the paths to the certificate and key in the [`ssl_cert`][] and [`ssl_key`][] parameters, respectively: -```puppet - apache::vhost { 'suphp.example.com': - port => '80', - docroot => '/home/appuser/myphpapp', - suphp_addhandler => 'x-httpd-php', - suphp_engine => 'on', - suphp_configpath => '/etc/php5/apache2', - } +``` puppet +apache::vhost { 'cert.example.com': + port => 443, + docroot => '/var/www/cert', + ssl => true, + ssl_cert => '/etc/ssl/fourth.example.com.cert', + ssl_key => '/etc/ssl/fourth.example.com.key', +} ``` -To set up a virtual host with WSGI - -```puppet - apache::vhost { 'wsgi.example.com': - port => '80', - docroot => '/var/www/pythonapp', - wsgi_daemon_process => 'wsgi', - wsgi_daemon_process_options => - { processes => '2', threads => '15', display-name => '%{GROUP}' }, - wsgi_process_group => 'wsgi', - wsgi_script_aliases => { '/' => '/var/www/demo.wsgi' }, - } -``` +To configure a mix of SSL and unencrypted virtual hosts at the same domain, declare them with separate [`apache::vhost`][] defined types: -Starting 2.2.16, httpd supports [FallbackResource](https://httpd.apache.org/docs/2.2/mod/mod_dir.html#fallbackresource) which is a simple replace for common RewriteRules: +``` puppet +# The non-ssl virtual host +apache::vhost { 'mix.example.com non-ssl': + servername => 'mix.example.com', + port => 80, + docroot => '/var/www/mix', +} -```puppet - apache::vhost { 'wordpress.example.com': - port => '80', - docroot => '/var/www/wordpress', - fallbackresource => '/index.php', - } +# The SSL virtual host at the same domain +apache::vhost { 'mix.example.com ssl': + servername => 'mix.example.com', + port => 443, + docroot => '/var/www/mix', + ssl => true, +} ``` -Please note that the `disabled` argument to FallbackResource is only supported since 2.2.24. - -To see a list of all virtual host parameters, [please go here](#defined-type-apachevhost). To see an extensive list of virtual host examples [please look here](#virtual-host-examples). - -##Usage - -###Classes and Defined Types - -This module modifies Apache configuration files and directories and will purge any configuration not managed by Puppet. Configuration of Apache should be managed by Puppet, as non-puppet configuration files can cause unexpected failures. - -It is possible to temporarily disable full Puppet management by setting the `purge_configs` parameter within the base `apache` class to 'false'. This option should only be used as a temporary means of saving and relocating customized configurations. - -####Class: `apache` - -The Apache module's primary class, `apache`, guides the basic setup of Apache on your system. - -You may establish a default vhost in this class, the `vhost` class, or both. You may add additional vhost configurations for specific virtual hosts using a declaration of the `vhost` type. - -**Parameters within `apache`:** +To configure a virtual host to redirect unencrypted connections to SSL, declare them with separate [`apache::vhost`][] defined types and redirect unencrypted requests to the virtual host with SSL enabled: -#####`default_mods` - -Sets up Apache with default settings based on your OS. Defaults to 'true', set to 'false' for customized configuration. - -#####`default_vhost` - -Sets up a default virtual host. Defaults to 'true', set to 'false' to set up [customized virtual hosts](#configure-a-virtual-host). - -#####`default_ssl_vhost` - -Sets up a default SSL virtual host. Defaults to 'false'. +``` puppet +apache::vhost { 'redirect.example.com non-ssl': + servername => 'redirect.example.com', + port => 80, + docroot => '/var/www/redirect', + redirect_status => 'permanent', + redirect_dest => 'https://redirect.example.com/' +} -```puppet - apache::vhost { 'default-ssl': - port => 443, - ssl => true, - docroot => $docroot, - scriptalias => $scriptalias, - serveradmin => $serveradmin, - access_log_file => "ssl_${access_log_file}", - } +apache::vhost { 'redirect.example.com ssl': + servername => 'redirect.example.com', + port => 443, + docroot => '/var/www/redirect', + ssl => true, +} ``` -SSL vhosts only respond to HTTPS queries. - -#####`default_ssl_cert` - -The default SSL certification, which is automatically set based on your operating system (`/etc/pki/tls/certs/localhost.crt` for RedHat, `/etc/ssl/certs/ssl-cert-snakeoil.pem` for Debian). This default will work out of the box but must be updated with your specific certificate information before being used in production. - -#####`default_ssl_key` - -The default SSL key, which is automatically set based on your operating system (`/etc/pki/tls/private/localhost.key` for RedHat, `/etc/ssl/private/ssl-cert-snakeoil.key` for Debian). This default will work out of the box but must be updated with your specific certificate information before being used in production. - -#####`default_ssl_chain` - -The default SSL chain, which is automatically set to 'undef'. This default will work out of the box but must be updated with your specific certificate information before being used in production. - -#####`default_ssl_ca` - -The default certificate authority, which is automatically set to 'undef'. This default will work out of the box but must be updated with your specific certificate information before being used in production. - -#####`default_ssl_crl_path` - -The default certificate revocation list path, which is automatically set to 'undef'. This default will work out of the box but must be updated with your specific certificate information before being used in production. - -#####`default_ssl_crl` - -The default certificate revocation list to use, which is automatically set to 'undef'. This default will work out of the box but must be updated with your specific certificate information before being used in production. - -#####`service_enable` - -Determines whether the 'httpd' service is enabled when the machine is booted. Defaults to 'true'. - -#####`service_ensure` - -Determines whether the service should be running. Can be set to 'undef' which is useful when you want to let the service be managed by some other application like pacemaker. Defaults to 'running'. - -#####`purge_configs` - -Removes all other apache configs and vhosts, which is automatically set to true. Setting this to false is a stopgap measure to allow the apache module to coexist with existing or otherwise managed configuration. It is recommended that you move your configuration entirely to resources within this module. - -#####`serveradmin` - -Sets the server administrator. Defaults to 'root@localhost'. - -#####`servername` - -Sets the servername. Defaults to fqdn provided by facter. - -#####`sendfile` - -Makes Apache use the Linux kernel 'sendfile' to serve static files. Defaults to 'On'. - -#####`error_documents` - -Enables custom error documents. Defaults to 'false'. - -#####`httpd_dir` - -Changes the base location of the configuration directories used for the service. This is useful for specially repackaged HTTPD builds but may have unintended consequences when used in combination with the default distribution packages. Default is based on your OS. - -#####`confd_dir` - -Changes the location of the configuration directory your custom configuration files are placed in. Default is based on your OS. - -#####`vhost_dir` - -Changes the location of the configuration directory your virtual host configuration files are placed in. Default is based on your OS. - -#####`mod_dir` - -Changes the location of the configuration directory your Apache modules configuration files are placed in. Default is based on your OS. - -#####`mpm_module` - -Configures which mpm module is loaded and configured for the httpd process by the `apache::mod::prefork`, `apache::mod::worker` and `apache::mod::itk` classes. Must be set to `false` to explicitly declare `apache::mod::worker`, `apache::mod::worker` or `apache::mod::itk` classes with parameters. Valid values are `worker`, `prefork`, `itk` (Debian), or the boolean `false`. Defaults to `prefork` on RedHat and `worker` on Debian. - -#####`conf_template` - -Setting this allows you to override the template used for the main apache configuration file. This is a potentially risky thing to do as this module has been built around the concept of a minimal configuration file with most of the configuration coming in the form of conf.d/ entries. Defaults to 'apache/httpd.conf.erb'. - -#####`keepalive` +#### Configuring virtual host port and address bindings -Setting this allows you to enable persistent connections. +Virtual hosts listen on all IP addresses ('\*') by default. To configure the virtual host to listen on a specific IP address, use the [`ip`][] parameter: -#####`keepalive_timeout` - -Amount of time the server will wait for subsequent requests on a persistent connection. Defaults to '15'. - -#####`logroot` - -Changes the location of the directory Apache log files are placed in. Defaut is based on your OS. - -#####`ports_file` - -Changes the name of the file containing Apache ports configuration. Default is `${conf_dir}/ports.conf`. - -#####`server_tokens` - -Controls how much information Apache sends to the browser about itself and the operating system. See Apache documentation for 'ServerTokens'. Defaults to 'OS'. - -#####`server_signature` - -Allows the configuration of a trailing footer line under server-generated documents. See Apache documentation for 'ServerSignature'. Defaults to 'On'. - -#####`manage_user` - -Setting this to false will avoid the user resource to be created by this module. This is useful when you already have a user created in another puppet module and that you want to used it to run apache. Without this, it would result in a duplicate resource error. - -#####`manage_group` - -Setting this to false will avoid the group resource to be created by this module. This is useful when you already have a group created in another puppet module and that you want to used it for apache. Without this, it would result in a duplicate resource error. - -#####`package_ensure` - -Allow control over the package ensure statement. This is useful if you want to make sure apache is always at the latest version or whether it is only installed. - -####Class: `apache::default_mods` - -Installs default Apache modules based on what OS you are running - -```puppet - class { 'apache::default_mods': } +``` puppet +apache::vhost { 'ip.example.com': + ip => '127.0.0.1', + port => 80, + docroot => '/var/www/ip', +} ``` -####Defined Type: `apache::mod` - -Used to enable arbitrary Apache httpd modules for which there is no specific `apache::mod::[name]` class. The `apache::mod` defined type will also install the required packages to enable the module, if any. +You can also configure more than one IP address per virtual host by using an array of IP addresses for the [`ip`][] parameter: -```puppet - apache::mod { 'rewrite': } - apache::mod { 'ldap': } +``` puppet +apache::vhost { 'ip.example.com': + ip => ['127.0.0.1','169.254.1.1'], + port => 80, + docroot => '/var/www/ip', +} ``` -####Classes: `apache::mod::[name]` - -There are many `apache::mod::[name]` classes within this module that can be declared using `include`: - -* `alias` -* `auth_basic` -* `auth_kerb` -* `autoindex` -* `cache` -* `cgi` -* `cgid` -* `dav` -* `dav_fs` -* `deflate` -* `dir`* -* `disk_cache` -* `fcgid` -* `info` -* `ldap` -* `mime` -* `mime_magic` -* `mpm_event` -* `negotiation` -* `passenger`* -* `perl` -* `php` (requires [`mpm_module`](#mpm_module) set to `prefork`) -* `prefork`* -* `proxy`* -* `proxy_ajp` -* `proxy_html` -* `proxy_http` -* `python` -* `reqtimeout` -* `setenvif` -* `ssl`* (see [apache::mod::ssl](#class-apachemodssl) below) -* `status` -* `suphp` -* `userdir`* -* `worker`* -* `wsgi` (see [apache::mod::wsgi](#class-apachemodwsgi) below) -* `xsendfile` - -Modules noted with a * indicate that the module has settings and, thus, a template that includes parameters. These parameters control the module's configuration. Most of the time, these parameters will not require any configuration or attention. - -The modules mentioned above, and other Apache modules that have templates, will cause template files to be dropped along with the mod install, and the module will not work without the template. Any mod without a template will install package but drop no files. - -####Class: `apache::mod::ssl` - -Installs Apache SSL capabilities and utilizes `ssl.conf.erb` template +You can configure multiple ports per virtual host by using an array of ports for the [`port`][] parameter: -```puppet - class { 'apache::mod::ssl': } +``` puppet +apache::vhost { 'ip.example.com': + ip => ['127.0.0.1'], + port => [80, 8080] + docroot => '/var/www/ip', +} ``` -To *use* SSL with a virtual host, you must either set the`default_ssl_vhost` parameter in `apache` to 'true' or set the `ssl` parameter in `apache::vhost` to 'true'. - -####Class: `apache::mod::wsgi` +To configure a virtual host with [aliased servers][], refer to the aliases using the [`serveraliases`][] parameter: -```puppet - class { 'apache::mod::wsgi': - wsgi_socket_prefix => "\${APACHE_RUN_DIR}WSGI", - wsgi_python_home => '/path/to/virtenv', - } +``` puppet +apache::vhost { 'aliases.example.com': + serveraliases => [ + 'aliases.example.org', + 'aliases.example.net', + ], + port => 80, + docroot => '/var/www/aliases', +} ``` -####Defined Type: `apache::vhost` - -The Apache module allows a lot of flexibility in the set up and configuration of virtual hosts. This flexibility is due, in part, to `vhost`'s setup as a defined resource type, which allows it to be evaluated multiple times with different parameters. - -The `vhost` defined type allows you to have specialized configurations for virtual hosts that have requirements outside of the defaults. You can set up a default vhost within the base `apache` class as well as set a customized vhost setup as default. Your customized vhost (priority 10) will be privileged over the base class vhost (15). -If you have a series of specific configurations and do not want a base `apache` class default vhost, make sure to set the base class default host to 'false'. +To set up a virtual host with a wildcard alias for the subdomain mapped to a directory of the same name, such as 'http://example.com.loc' mapped to `/var/www/example.com`, define the wildcard alias using the [`serveraliases`][] parameter and the document root with the [`virtual_docroot`][] parameter: -```puppet - class { 'apache': - default_vhost => false, - } +``` puppet +apache::vhost { 'subdomain.loc': + vhost_name => '*', + port => 80, + virtual_docroot => '/var/www/%-2+', + docroot => '/var/www', + serveraliases => ['*.loc',], +} ``` -**Parameters within `apache::vhost`:** - -The default values for each parameter will vary based on operating system and type of virtual host. - -#####`access_log` - -Specifies whether `*_access.log` directives should be configured. Valid values are 'true' and 'false'. Defaults to 'true'. - -#####`access_log_file` - -Points to the `*_access.log` file. Defaults to 'undef'. - -#####`access_log_pipe` - -Specifies a pipe to send access log messages to. Defaults to 'undef'. - -#####`access_log_syslog` - -Sends all access log messages to syslog. Defaults to 'undef'. - -#####`access_log_format` - -Specifies either a LogFormat nickname or custom format string for access log. Defaults to 'undef'. - -#####`add_listen` - -Determines whether the vhost creates a listen statement. The default value is 'true'. - -Setting `add_listen` to 'false' stops the vhost from creating a listen statement, and this is important when you combine vhosts that are not passed an `ip` parameter with vhosts that *are* passed the `ip` parameter. - -#####`aliases` +To configure a virtual host with [filter rules][], pass the filter directives as an [array][] using the [`filters`][] parameter: -Passes a list of hashes to the vhost to create `Alias` statements as per the [`mod_alias` documentation](http://httpd.apache.org/docs/current/mod/mod_alias.html). Each hash is expected to be of the form: - -```puppet -aliases => [ { alias => '/alias', path => '/path/to/directory' } ], +``` puppet +apache::vhost { 'subdomain.loc': + port => 80, + filters => [ + 'FilterDeclare COMPRESS', + 'FilterProvider COMPRESS DEFLATE resp=Content-Type $text/html', + 'FilterChain COMPRESS', + 'FilterProtocol COMPRESS DEFLATE change=yes;byteranges=no', + ], + docroot => '/var/www/html', +} ``` -For `Alias` to work, each will need a corresponding `` or `` block. - -**Note:** If `apache::mod::passenger` is loaded and `PassengerHighPerformance true` is set, then `Alias` may have issues honouring the `PassengerEnabled off` statement. See [this article](http://www.conandalton.net/2010/06/passengerenabled-off-not-working.html) for details. - -#####`block` - -Specifies the list of things Apache will block access to. The default is an empty set, '[]'. Currently, the only option is 'scm', which blocks web access to .svn, .git and .bzr directories. To add to this, please see the [Development](#development) section. - -#####`custom_fragment` - -Pass a string of custom configuration directives to be placed at the end of the vhost configuration. - -#####`default_vhost` - -Sets a given `apache::vhost` as the default to serve requests that do not match any other `apache::vhost` definitions. The default value is 'false'. - -#####`directories` - -Passes a list of hashes to the vhost to create `...` directive blocks as per the [Apache core documentation](http://httpd.apache.org/docs/2.2/mod/core.html#directory). The `path` key is required in these hashes. Usage will typically look like: - -```puppet - apache::vhost { 'sample.example.net': - docroot => '/path/to/directory', - directories => [ - { path => '/path/to/directory', => }, - { path => '/path/to/another/directory', => }, - ], - } +#### Configuring virtual hosts for apps and processors + +To configure a virtual host to use the [Web Server Gateway Interface][] (WSGI) for [Python][] applications, use the `wsgi` set of parameters: + +``` puppet +apache::vhost { 'wsgi.example.com': + port => 80, + docroot => '/var/www/pythonapp', + wsgi_application_group => '%{GLOBAL}', + wsgi_daemon_process => 'wsgi', + wsgi_daemon_process_options => { + processes => 2, + threads => 15, + display-name => '%{GROUP}', + }, + wsgi_import_script => '/var/www/demo.wsgi', + wsgi_import_script_options => { + process-group => 'wsgi', + application-group => '%{GLOBAL}', + }, + wsgi_process_group => 'wsgi', + wsgi_script_aliases => { '/' => '/var/www/demo.wsgi' }, +} ``` -*Note:* At least one directory should match `docroot` parameter, once you start declaring directories `apache::vhost` assumes that all required `` blocks will be declared. - -*Note:* If not defined a single default `` block will be created that matches the `docroot` parameter. - -The directives will be embedded within the `Directory` directive block, missing directives should be undefined and not be added, resulting in their default vaules in Apache. Currently this is the list of supported directives: - -######`addhandlers` +As of Apache 2.2.16, Apache supports [FallbackResource][], a simple replacement for common RewriteRules. You can set a FallbackResource using the [`fallbackresource`][] parameter: -Sets `AddHandler` directives as per the [Apache Core documentation](http://httpd.apache.org/docs/2.2/mod/mod_mime.html#addhandler). Accepts a list of hashes of the form `{ handler => 'handler-name', extensions => ['extension']}`. Note that `extensions` is a list of extenstions being handled by the handler. -An example: - -```puppet - apache::vhost { 'sample.example.net': - docroot => '/path/to/directory', - directories => [ { path => '/path/to/directory', - addhandlers => [ { handler => 'cgi-script', extensions => ['.cgi']} ], - } ], - } +``` puppet +apache::vhost { 'wordpress.example.com': + port => 80, + docroot => '/var/www/wordpress', + fallbackresource => '/index.php', +} ``` -######`allow` +> **Note**: The `fallbackresource` parameter only supports the 'disabled' value since Apache 2.2.24. -Sets an `Allow` directive as per the [Apache Core documentation](http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#allow). An example: +To configure a virtual host with a designated directory for [Common Gateway Interface][] (CGI) files, use the [`scriptalias`][] parameter to define the `cgi-bin` path: -```puppet - apache::vhost { 'sample.example.net': - docroot => '/path/to/directory', - directories => [ { path => '/path/to/directory', allow => 'from example.org' } ], - } +``` puppet +apache::vhost { 'cgi.example.com': + port => 80, + docroot => '/var/www/cgi', + scriptalias => '/usr/lib/cgi-bin', +} ``` -######`allow_override` - -Sets the usage of `.htaccess` files as per the [Apache core documentation](http://httpd.apache.org/docs/2.2/mod/core.html#allowoverride). Should accept in the form of a list or a string. An example: +To configure a virtual host for [Rack][], use the [`rack_base_uri`][] parameter: -```puppet - apache::vhost { 'sample.example.net': - docroot => '/path/to/directory', - directories => [ { path => '/path/to/directory', allow_override => ['AuthConfig', 'Indexes'] } ], - } +``` puppet +apache::vhost { 'rack.example.com': + port => 80, + docroot => '/var/www/rack', + rack_base_uri => ['/rackapp1', '/rackapp2'], +} ``` -######`deny` - -Sets an `Deny` directive as per the [Apache Core documentation](http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#deny). An example: - -```puppet - apache::vhost { 'sample.example.net': - docroot => '/path/to/directory', - directories => [ { path => '/path/to/directory', deny => 'from example.org' } ], - } -``` +#### Configuring IP-based virtual hosts -######`headers` +You can configure [IP-based virtual hosts][] to listen on any port and have them respond to requests on specific IP addresses. In this example, the server listens on ports 80 and 81, because the example virtual hosts are _not_ declared with a [`port`][] parameter: -Adds lines for `Header` directives as per the [Apache Header documentation](http://httpd.apache.org/docs/2.2/mod/mod_headers.html#header). An example: +``` puppet +apache::listen { '80': } -```puppet - apache::vhost { 'sample.example.net': - docroot => '/path/to/directory', - directories => { - path => '/path/to/directory', - headers => 'Set X-Robots-Tag "noindex, noarchive, nosnippet"', - }, - } +apache::listen { '81': } ``` -######`options` - -Lists the options for the given `` block - -```puppet - apache::vhost { 'sample.example.net': - docroot => '/path/to/directory', - directories => [ { path => '/path/to/directory', options => ['Indexes','FollowSymLinks','MultiViews'] }], - } -``` +Configure the IP-based virtual hosts with the [`ip_based`][] parameter: -######`order` -Sets the order of processing `Allow` and `Deny` statements as per [Apache core documentation](http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#order). An example: +``` puppet +apache::vhost { 'first.example.com': + ip => '10.0.0.10', + docroot => '/var/www/first', + ip_based => true, +} -```puppet - apache::vhost { 'sample.example.net': - docroot => '/path/to/directory', - directories => [ { path => '/path/to/directory', order => 'Allow,Deny' } ], - } +apache::vhost { 'second.example.com': + ip => '10.0.0.11', + docroot => '/var/www/second', + ip_based => true, +} ``` -######`auth_type` - -Sets the value for `AuthType` as per the [Apache AuthType -documentation](https://httpd.apache.org/docs/2.2/mod/core.html#authtype). - -######`auth_name` - -Sets the value for `AuthName` as per the [Apache AuthName -documentation](https://httpd.apache.org/docs/2.2/mod/core.html#authname). - -######`auth_digest_algorithm` - -Sets the value for `AuthDigestAlgorithm` as per the [Apache -AuthDigestAlgorithm -documentation](https://httpd.apache.org/docs/2.2/mod/mod_auth_digest.html#authdigestalgorithm) - -######`auth_digest_domain` - -Sets the value for `AuthDigestDomain` as per the [Apache AuthDigestDomain -documentation](https://httpd.apache.org/docs/2.2/mod/mod_auth_digest.html#authdigestdomain). - -######`auth_digest_nonce_lifetime` - -Sets the value for `AuthDigestNonceLifetime` as per the [Apache -AuthDigestNonceLifetime -documentation](https://httpd.apache.org/docs/2.2/mod/mod_auth_digest.html#authdigestnoncelifetime) +You can also configure a mix of IP- and [name-based virtual hosts][] in any combination of [SSL][SSL encryption] and unencrypted configurations. -######`auth_digest_provider` +In this example, we add two IP-based virtual hosts on an IP address (in this example, 10.0.0.10). One uses SSL and the other is unencrypted: -Sets the value for `AuthDigestProvider` as per the [Apache AuthDigestProvider -documentation](https://httpd.apache.org/docs/2.2/mod/mod_auth_digest.html#authdigestprovider). - -######`auth_digest_qop` - -Sets the value for `AuthDigestQop` as per the [Apache AuthDigestQop -documentation](https://httpd.apache.org/docs/2.2/mod/mod_auth_digest.html#authdigestqop). - -######`auth_digest_shmem_size` - -Sets the value for `AuthAuthDigestShmemSize` as per the [Apache AuthDigestShmemSize -documentation](https://httpd.apache.org/docs/2.2/mod/mod_auth_digest.html#authdigestshmemsize). - -######`auth_basic_authoritative` - -Sets the value for `AuthBasicAuthoritative` as per the [Apache -AuthBasicAuthoritative -documentation](https://httpd.apache.org/docs/2.2/mod/mod_auth_basic.html#authbasicauthoritative). - -######`auth_basic_fake` - -Sets the value for `AuthBasicFake` as per the [Apache AuthBasicFake -documentation](https://httpd.apache.org/docs/trunk/mod/mod_auth_basic.html#authbasicfake). - -######`auth_basic_provider` - -Sets the value for `AuthBasicProvider` as per the [Apache AuthBasicProvider -documentation](https://httpd.apache.org/docs/2.2/mod/mod_auth_basic.html#authbasicprovider). - -######`auth_user_file` - -Sets the value for `AuthUserFile` as per the [Apache AuthUserFile -documentation](https://httpd.apache.org/docs/2.2/mod/mod_authn_file.html#authuserfile). - -######`auth_require` - -Sets the value for `AuthName` as per the [Apache Require -documentation](https://httpd.apache.org/docs/2.2/mod/core.html#require) - - -######`passenger_enabled` - -Sets the value for the `PassengerEnabled` directory to `on` or `off` as per the [Passenger documentation](http://www.modrails.com/documentation/Users%20guide%20Apache.html#PassengerEnabled). +``` puppet +apache::vhost { 'The first IP-based virtual host, non-ssl': + servername => 'first.example.com', + ip => '10.0.0.10', + port => 80, + ip_based => true, + docroot => '/var/www/first', +} -```puppet - apache::vhost { 'sample.example.net': - docroot => '/path/to/directory', - directories => [ { path => '/path/to/directory', passenger_enabled => 'off' } ], - } +apache::vhost { 'The first IP-based vhost, ssl': + servername => 'first.example.com', + ip => '10.0.0.10', + port => 443, + ip_based => true, + docroot => '/var/www/first-ssl', + ssl => true, +} ``` -**Note:** This directive requires `apache::mod::passenger` to be active, Apache may not start with an unrecognised directive without it. - -**Note:** Be aware that there is an [issue](http://www.conandalton.net/2010/06/passengerenabled-off-not-working.html) using the `PassengerEnabled` directive with the `PassengerHighPerformance` directive. - -######`custom_fragment` - -Pass a string of custom configuration directives to be placed at the end of the -directory configuration. - -#####`directoryindex` - -Set a DirectoryIndex directive, to set the list of resources to look for, when the client requests an index of the directory by specifying a / at the end of the directory name.. - -#####`docroot` - -Provides the DocumentRoot directive, identifying the directory Apache serves files from. - -#####`docroot_group` - -Sets group access to the docroot directory. Defaults to 'root'. - -#####`docroot_owner` - -Sets individual user access to the docroot directory. Defaults to 'root'. - -#####`error_log` - -Specifies whether `*_error.log` directives should be configured. Defaults to 'true'. - -#####`error_log_file` - -Points to the `*_error.log` file. Defaults to 'undef'. - -#####`error_log_pipe` - -Specifies a pipe to send error log messages to. Defaults to 'undef'. - -#####`error_log_syslog` - -Sends all error log messages to syslog. Defaults to 'undef'. - -#####`ensure` - -Specifies if the vhost file is present or absent. - -#####`ip` - -The IP address the vhost listens on. Defaults to 'undef'. - -#####`ip_based` - -Enables an IP-based vhost. This parameter inhibits the creation of a NameVirtualHost directive, since those are used to funnel requests to name-based vhosts. Defaults to 'false'. - -#####`logroot` - -Specifies the location of the virtual host's logfiles. Defaults to `/var/log//`. +Next, we add two name-based virtual hosts listening on a second IP address (10.0.0.20): -#####`no_proxy_uris` - -Specifies URLs you do not want to proxy. This parameter is meant to be used in combination with `proxy_dest`. - -#####`options` - -Lists the options for the given virtual host +``` puppet +apache::vhost { 'second.example.com': + ip => '10.0.0.20', + port => 80, + docroot => '/var/www/second', +} -```puppet - apache::vhost { 'site.name.fdqn': - … - options => ['Indexes','FollowSymLinks','MultiViews'], - } +apache::vhost { 'third.example.com': + ip => '10.0.0.20', + port => 80, + docroot => '/var/www/third', +} ``` -#####`override` - -Sets the overrides for the given virtual host. Accepts an array of AllowOverride arguments. - -#####`port` - -Sets the port the host is configured on. - -#####`priority` - -Sets the relative load-order for Apache httpd VirtualHost configuration files. Defaults to '25'. - -If nothing matches the priority, the first name-based vhost will be used. Likewise, passing a higher priority will cause the alphabetically first name-based vhost to be used if no other names match. +To add name-based virtual hosts that answer on either 10.0.0.10 or 10.0.0.20, you **must** disable the Apache default `Listen 80`, as it conflicts with the preceding IP-based virtual hosts. To do this, set the [`add_listen`][] parameter to `false`: -*Note*: You should not need to use this parameter. However, if you do use it, be aware that the `default_vhost` parameter for `apache::vhost` passes a priority of '15'. - -#####`proxy_dest` - -Specifies the destination address of a proxypass configuration. Defaults to 'undef'. - -#####`proxy_pass` - -Specifies an array of path => uri for a proxypass configuration. Defaults to 'undef'. - -Example: +``` puppet +apache::vhost { 'fourth.example.com': + port => 80, + docroot => '/var/www/fourth', + add_listen => false, +} -```puppet -$proxy_pass = [ - { 'path' => '/a', 'url' => 'http://backend-a/' }, - { 'path' => '/b', 'url' => 'http://backend-b/' }, - { 'path' => '/c', 'url' => 'http://backend-a/c' } -] - -apache::vhost { 'site.name.fdqn': - … - proxy_pass => $proxy_pass, +apache::vhost { 'fifth.example.com': + port => 80, + docroot => '/var/www/fifth', + add_listen => false, } ``` -#####`rack_base_uris` +### Installing Apache modules -Specifies the resource identifiers for a rack configuration. The file paths specified will be listed as rack application roots for passenger/rack in the `_rack.erb` template. Defaults to 'undef'. +There are two ways to install [Apache modules][] using the Puppet apache module: -#####`redirect_dest` +- Use the [`apache::mod::`][] classes to [install specific Apache modules with parameters][Installing specific modules]. +- Use the [`apache::mod`][] defined type to [install arbitrary Apache modules][Installing arbitrary modules]. -Specifies the address to redirect to. Defaults to 'undef'. +#### Installing specific modules -#####`redirect_source` +The Puppet apache module supports installing many common [Apache modules][], often with parameterized configuration options. For a list of supported Apache modules, see the [`apache::mod::`][] class references. -Specifies the source items? that will redirect to the destination specified in `redirect_dest`. If more than one item for redirect is supplied, the source and destination must be the same length, and the items are order-dependent. +For example, you can install the `mod_ssl` Apache module with default settings by declaring the [`apache::mod::ssl`][] class: -```puppet - apache::vhost { 'site.name.fdqn': - … - redirect_source => ['/images','/downloads'], - redirect_dest => ['http://img.example.com/','http://downloads.example.com/'], - } +``` puppet +class { 'apache::mod::ssl': } ``` -#####`redirect_status` - -Specifies the status to append to the redirect. Defaults to 'undef'. - -```puppet - apache::vhost { 'site.name.fdqn': - … - redirect_status => ['temp','permanent'], - } -``` +[`apache::mod::ssl`][] has several parameterized options that you can set when declaring it. For instance, to enable `mod_ssl` with compression enabled, set the [`ssl_compression`][] parameter to true: -#####`request_headers` - -Specifies additional request headers. - -```puppet - apache::vhost { 'site.name.fdqn': - … - request_headers => [ - 'append MirrorID "mirror 12"', - 'unset MirrorID', - ], - } +``` puppet +class { 'apache::mod::ssl': + ssl_compression => true, +} ``` -#####`rewrite_base` - -Limits the `rewrite_rule` to the specified base URL. Defaults to 'undef'. - +You can pass the SSL Ciphers to override the default ciphers. ```puppet - apache::vhost { 'site.name.fdqn': - … - rewrite_rule => '^index\.html$ welcome.html', - rewrite_base => '/blog/', - } +class { 'apache::mod::ssl': + ssl_cipher => 'PROFILE=SYSTEM', +} ``` -The above example would limit the index.html -> welcome.html rewrite to only something inside of http://example.com/blog/. - -#####`rewrite_cond` - -Rewrites a URL via `rewrite_rule` based on the truth of specified conditions. For example - +You can also pass the different [`ssl_cipher`][] for different SSL protocols. This allows you to fine-tune the ciphers based on the specific SSL/TLS protocol version being used. ```puppet - apache::vhost { 'site.name.fdqn': - … - rewrite_cond => '%{HTTP_USER_AGENT} ^MSIE', - } +class { 'apache::mod::ssl': + ssl_cipher => { + 'TLSv1.1' => 'RSA:!EXP:!NULL:+HIGH:+MEDIUM' + }, +} ``` -will rewrite URLs only if the visitor is using IE. Defaults to 'undef'. +Note that some modules have prerequisites, which are documented in their references under [`apache::mod::`][]. -*Note*: At the moment, each vhost is limited to a single list of rewrite conditions. In the future, you will be able to specify multiple `rewrite_cond` and `rewrite_rules` per vhost, so that different conditions get different rewrites. +#### Installing arbitrary modules -#####`rewrite_rule` +You can pass the name of any module that your operating system's package manager can install to the [`apache::mod`][] defined type to install it. Unlike the specific-module classes, the [`apache::mod`][] defined type doesn't tailor the installation based on other installed modules or with specific parameters---Puppet only grabs and installs the module's package, leaving detailed configuration up to you. -Creates URL rewrite rules. Defaults to 'undef'. This parameter allows you to specify, for example, that anyone trying to access index.html will be served welcome.html. +For example, to install the [`mod_authnz_external`][] Apache module, declare the defined type with the 'mod_authnz_external' name: -```puppet - apache::vhost { 'site.name.fdqn': - … - rewrite_rule => '^index\.html$ welcome.html', - } +``` puppet +apache::mod { 'mod_authnz_external': } ``` -#####`scriptalias` - -Defines a directory of CGI scripts to be aliased to the path '/cgi-bin' - -#####`serveradmin` - -Specifies the email address Apache will display when it renders one of its error pages. - -#####`serveraliases` - -Sets the server aliases of the site. - -#####`servername` - -Sets the primary name of the virtual host. - -#####`setenv` - -Used by HTTPD to set environment variables for vhosts. Defaults to '[]'. - -#####`setenvif` - -Used by HTTPD to conditionally set environment variables for vhosts. Defaults to '[]'. +There are several optional parameters you can specify when defining Apache modules this way. See the [defined type's reference][`apache::mod`] for details. -#####`ssl` + +### Load balancing examples -Enables SSL for the virtual host. SSL vhosts only respond to HTTPS queries. Valid values are 'true' or 'false'. +Apache supports load balancing across groups of servers through the [`mod_proxy`][] Apache module. Puppet supports configuring Apache load balancing groups (also known as balancer clusters) through the [`apache::balancer`][] and [`apache::balancermember`][] defined types. -#####`ssl_ca` +To enable load balancing with [exported resources][], export the [`apache::balancermember`][] defined type from the load balancer member server: -Specifies the certificate authority. - -#####`ssl_cert` - -Specifies the SSL certification. - -#####`ssl_protocol` - -Specifies the SSL Protocol (SSLProtocol). - -#####`ssl_cipher` - -Specifies the SSLCipherSuite. - -#####`ssl_honorcipherorder` - -Sets SSLHonorCipherOrder directive, used to prefer the server's cipher preference order - -#####`ssl_certs_dir` - -Specifies the location of the SSL certification directory. Defaults to `/etc/ssl/certs` on Debian and `/etc/pki/tls/certs` on RedHat. - -#####`ssl_chain` - -Specifies the SSL chain. - -#####`ssl_crl` - -Specifies the certificate revocation list to use. - -#####`ssl_crl_path` - -Specifies the location of the certificate revocation list. - -#####`ssl_key` - -Specifies the SSL key. - -#####`ssl_verify_client` +``` puppet +@@apache::balancermember { "${::fqdn}-puppet00": + balancer_cluster => 'puppet00', + url => "ajp://${::fqdn}:8009", + options => ['ping=5', 'disablereuse=on', 'retry=5', 'ttl=120'], +} +``` -Sets `SSLVerifyClient` directives as per the [Apache Core documentation](http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslverifyclient). Defaults to undef. -An example: +Then, on the proxy server, create the load balancing group: -```puppet - apache::vhost { 'sample.example.net': - … - ssl_verify_client => 'optional', - } +``` puppet +apache::balancer { 'puppet00': } ``` -#####`ssl_verify_depth` +To enable load balancing without exporting resources, declare the following on the proxy server: -Sets `SSLVerifyDepth` directives as per the [Apache Core documentation](http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslverifydepth). Defaults to undef. -An example: +``` puppet +apache::balancer { 'puppet00': } -```puppet - apache::vhost { 'sample.example.net': - … - ssl_verify_depth => 1, - } +apache::balancermember { "${::fqdn}-puppet00": + balancer_cluster => 'puppet00', + url => "ajp://${::fqdn}:8009", + options => ['ping=5', 'disablereuse=on', 'retry=5', 'ttl=120'], +} ``` -#####`ssl_options` +Then declare the `apache::balancer` and `apache::balancermember` defined types on the proxy server. -Sets `SSLVerifyOptions` directives as per the [Apache Core documentation](http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#ssloptions). This is the global setting for the vhost and can be a string or an array. Defaults to undef. A single string example: +To use the [ProxySet](https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxyset) directive on the balancer, use the [`proxy_set`](#proxy_set) parameter of `apache::balancer`: -```puppet - apache::vhost { 'sample.example.net': - … - ssl_options => '+StdEnvVars', - } +``` puppet +apache::balancer { 'puppet01': + proxy_set => { + 'stickysession' => 'JSESSIONID', + 'lbmethod' => 'bytraffic', + }, +} ``` -An array of strings example: +Load balancing scheduler algorithms (`lbmethod`) are listed [in mod_proxy_balancer documentation](https://httpd.apache.org/docs/current/mod/mod_proxy_balancer.html). -```puppet - apache::vhost { 'sample.example.net': - … - ssl_options => [ '+StdEnvVars', '+ExportCertData' ], - } -``` + +## Reference -#####`sslproxyengine` +For information on classes, types and functions see the [REFERENCE.md](https://github.com/puppetlabs/puppetlabs-apache/blob/main/REFERENCE.md) -Specifies whether to use `SSLProxyEngine` or not. Defaults to `false`. +### Templates -#####`vhost_name` +The Apache module relies heavily on templates to enable the [`apache::vhost`][] and [`apache::mod`][] defined types. These templates are built based on [Facter][] facts that are specific to your operating system. Unless explicitly called out, most templates are not meant for configuration. -This parameter is for use with name-based virtual hosting. Defaults to '*'. +### Tasks -#####`itk` +The Apache module has a task that allows a user to reload the Apache config without restarting the service. Please refer to to the [PE documentation](https://puppet.com/docs/pe/2017.3/orchestrator/running_tasks.html) or [Bolt documentation](https://puppet.com/docs/bolt/latest/bolt.html) on how to execute a task. -Hash containing infos to configure itk as per the [ITK documentation](http://mpm-itk.sesse.net/). + +## Limitations -Keys could be: -* user + group -* assignuseridexpr -* assigngroupidexpr -* maxclientvhost -* nice -* limituidrange (Linux 3.5.0 or newer) -* limitgidrange (Linux 3.5.0 or newer) +For an extensive list of supported operating systems, see [metadata.json](https://github.com/puppetlabs/puppetlabs-apache/blob/main/metadata.json) -Usage will typically look like: +### FreeBSD -```puppet - apache::vhost { 'sample.example.net': - docroot => '/path/to/directory', - itk => { - user => 'someuser', - group => 'somegroup', - }, - } -``` +In order to use this module on FreeBSD, you _must_ use apache24-2.4.12 (www/apache24) or newer. -###Virtual Host Examples +### Gentoo -The Apache module allows you to set up pretty much any configuration of virtual host you might desire. This section will address some common configurations. Please see the [Tests section](https://github.com/puppetlabs/puppetlabs-apache/tree/master/tests) for even more examples. +On Gentoo, this module depends on the [`gentoo/puppet-portage`][] Puppet module. Although several options apply or enable certain features and settings for Gentoo, it is not a [supported operating system][] for this module. -Configure a vhost with a server administrator +### RHEL/CentOS -```puppet - apache::vhost { 'third.example.com': - port => '80', - docroot => '/var/www/third', - serveradmin => 'admin@example.com', - } -``` +The [`apache::mod::auth_cas`][], [`apache::mod::passenger`][], [`apache::mod::proxy_html`][] and [`apache::mod::shib`][] classes are not functional on RH/CentOS without providing dependency packages from extra repositories. -- - - +See their respective documentation below for related repositories and packages. -Set up a vhost with aliased servers +#### RHEL/CentOS 5 -```puppet - apache::vhost { 'sixth.example.com': - serveraliases => [ - 'sixth.example.org', - 'sixth.example.net', - ], - port => '80', - docroot => '/var/www/fifth', - } -``` +The [`apache::mod::passenger`][] and [`apache::mod::proxy_html`][] classes are untested because repositories are missing compatible packages. -- - - +#### RHEL/CentOS 6 -Configure a vhost with a cgi-bin +The [`apache::mod::passenger`][] class is not installing, because the EL6 repository is missing compatible packages. -```puppet - apache::vhost { 'eleventh.example.com': - port => '80', - docroot => '/var/www/eleventh', - scriptalias => '/usr/lib/cgi-bin', - } -``` +#### RHEL/CentOS 7 -- - - +The [`apache::mod::passenger`][] and [`apache::mod::proxy_html`][] classes are untested because the EL7 repository is missing compatible packages, which also blocks us from testing the [`apache::vhost`][] defined type's [`rack_base_uri`][] parameter. -Set up a vhost with a rack configuration +### SELinux and custom paths -```puppet - apache::vhost { 'fifteenth.example.com': - port => '80', - docroot => '/var/www/fifteenth', - rack_base_uris => ['/rackapp1', '/rackapp2'], - } -``` +If [SELinux][] is in [enforcing mode][] and you want to use custom paths for `logroot`, `mod_dir`, `vhost_dir`, and `docroot`, you need to manage the files' context yourself. -- - - +You can do this with Puppet: -Set up a mix of SSL and non-SSL vhosts at the same domain +``` puppet +exec { 'set_apache_defaults': + command => 'semanage fcontext -a -t httpd_sys_content_t "/custom/path(/.*)?"', + path => '/bin:/usr/bin/:/sbin:/usr/sbin', + require => Package['policycoreutils-python'], +} -```puppet - #The non-ssl vhost - apache::vhost { 'first.example.com non-ssl': - servername => 'first.example.com', - port => '80', - docroot => '/var/www/first', - } - - #The SSL vhost at the same domain - apache::vhost { 'first.example.com ssl': - servername => 'first.example.com', - port => '443', - docroot => '/var/www/first', - ssl => true, - } -``` +package { 'policycoreutils-python': + ensure => installed, +} -- - - +exec { 'restorecon_apache': + command => 'restorecon -Rv /apache_spec', + path => '/bin:/usr/bin/:/sbin:/usr/sbin', + before => Class['Apache::Service'], + require => Class['apache'], +} -Configure a vhost to redirect non-SSL connections to SSL +class { 'apache': } -```puppet - apache::vhost { 'sixteenth.example.com non-ssl': - servername => 'sixteenth.example.com', - port => '80', - docroot => '/var/www/sixteenth', - redirect_status => 'permanent' - redirect_dest => 'https://sixteenth.example.com/' - } - apache::vhost { 'sixteenth.example.com ssl': - servername => 'sixteenth.example.com', - port => '443', - docroot => '/var/www/sixteenth', - ssl => true, - } -``` +host { 'test.server': + ip => '127.0.0.1', +} -- - - +file { '/custom/path': + ensure => directory, +} -Set up IP-based vhosts on any listen port and have them respond to requests on specific IP addresses. In this example, we will set listening on ports 80 and 81. This is required because the example vhosts are not declared with a port parameter. +file { '/custom/path/include': + ensure => present, + content => '#additional_includes', +} -```puppet - apache::listen { '80': } - apache::listen { '81': } +apache::vhost { 'test.server': + docroot => '/custom/path', + additional_includes => '/custom/path/include', +} ``` -Then we will set up the IP-based vhosts - -```puppet - apache::vhost { 'first.example.com': - ip => '10.0.0.10', - docroot => '/var/www/first', - ip_based => true, - } - apache::vhost { 'second.example.com': - ip => '10.0.0.11', - docroot => '/var/www/second', - ip_based => true, - } -``` +**NOTE:** On RHEL 8, the SELinux packages contained in `policycoreutils-python` have been replaced by the `policycoreutils-python-utils` package. +See [here](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/considerations_in_adopting_rhel_8/index#selinux-python3_security) for more details. -- - - +You must set the contexts using `semanage fcontext` instead of `chcon` because Puppet's `file` resources reset the values' context in the database if the resource doesn't specify it. -Configure a mix of name-based and IP-based vhosts. First, we will add two IP-based vhosts on 10.0.0.10, one SSL and one non-SSL + +## Development -```puppet - apache::vhost { 'The first IP-based vhost, non-ssl': - servername => 'first.example.com', - ip => '10.0.0.10', - port => '80', - ip_based => true, - docroot => '/var/www/first', - } - apache::vhost { 'The first IP-based vhost, ssl': - servername => 'first.example.com', - ip => '10.0.0.10', - port => '443', - ip_based => true, - docroot => '/var/www/first-ssl', - ssl => true, - } -``` +### Testing -Then, we will add two name-based vhosts listening on 10.0.0.20 +To run the unit tests, install the necessary gems: -```puppet - apache::vhost { 'second.example.com': - ip => '10.0.0.20', - port => '80', - docroot => '/var/www/second', - } - apache::vhost { 'third.example.com': - ip => '10.0.0.20', - port => '80', - docroot => '/var/www/third', - } ``` - -If you want to add two name-based vhosts so that they will answer on either 10.0.0.10 or 10.0.0.20, you **MUST** declare `add_listen => 'false'` to disable the otherwise automatic 'Listen 80', as it will conflict with the preceding IP-based vhosts. - -```puppet - apache::vhost { 'fourth.example.com': - port => '80', - docroot => '/var/www/fourth', - add_listen => false, - } - apache::vhost { 'fifth.example.com': - port => '80', - docroot => '/var/www/fifth', - add_listen => false, - } +bundle install ``` -##Implementation +And then execute the command: -###Classes and Defined Types - -####Class: `apache::dev` - -Installs Apache development libraries - -```puppet - class { 'apache::dev': } +``` +bundle exec rake parallel_spec ``` -####Defined Type: `apache::listen` - -Controls which ports Apache binds to for listening based on the title: +To check the code coverage, run: -```puppet - apache::listen { '80': } - apache::listen { '443': } +``` +COVERAGE=yes bundle exec rake parallel_spec ``` -Declaring this defined type will add all `Listen` directives to the `ports.conf` file in the Apache httpd configuration directory. `apache::listen` titles should always take the form of: ``, `:`, or `[]:` - -Apache httpd requires that `Listen` directives must be added for every port. The `apache::vhost` defined type will automatically add `Listen` directives unless the `apache::vhost` is passed `add_listen => false`. -####Defined Type: `apache::namevirtualhost` -Enables named-based hosting of a virtual host +Acceptance tests for this module leverage [puppet_litmus](https://github.com/puppetlabs/puppet_litmus). +To run the acceptance tests follow the instructions [here](https://puppetlabs.github.io/litmus/Running-acceptance-tests.html). You can also find a tutorial and walkthrough of using Litmus and the PDK on [YouTube](https://www.youtube.com/watch?v=FYfR7ZEGHoE). -```puppet - class { 'apache::namevirtualhost`: } -``` + +## License -Declaring this defined type will add all `NameVirtualHost` directives to the `ports.conf` file in the Apache https configuration directory. `apache::namevirtualhost` titles should always take the form of: `*`, `*:`, `_default_:`, ``, or `:`. +This codebase is licensed under the Apache2.0 licensing, however due to the nature of the codebase the open source dependencies may also use a combination of [AGPL](https://opensource.org/license/agpl-v3/), [BSD-2](https://opensource.org/license/bsd-2-clause/), [BSD-3](https://opensource.org/license/bsd-3-clause/), [GPL2.0](https://opensource.org/license/gpl-2-0/), [LGPL](https://opensource.org/license/lgpl-3-0/), [MIT](https://opensource.org/license/mit/) and [MPL](https://opensource.org/license/mpl-2-0/) Licensing. -####Defined Type: `apache::balancermember` +### Development Support +If you run into an issue with this module, or if you would like to request a feature, please [file a ticket](https://github.com/puppetlabs/puppetlabs-apache/issues). +Every Monday the Puppet IA Content Team has [office hours](https://puppet.com/community/office-hours) in the [Puppet Community Slack](http://slack.puppet.com/), alternating between an EMEA friendly time (1300 UTC) and an Americas friendly time (0900 Pacific, 1700 UTC). -Define members of a proxy_balancer set (mod_proxy_balancer). Very useful when using exported resources. +If you have problems getting this module up and running, please [contact Support](http://puppetlabs.com/services/customer-support). -On every app server you can export a balancermember like this: +If you submit a change to this module, be sure to regenerate the reference documentation as follows: -```puppet - @@apache::balancermember { "${::fqdn}-puppet00": - balancer_cluster => 'puppet00', - url => "ajp://${::fqdn}:8009" - options => ['ping=5', 'disablereuse=on', 'retry=5', 'ttl=120'], - } +```bash +puppet strings generate --format markdown --out REFERENCE.md ``` -And on the proxy itself you create the balancer cluster using the defined type apache::balancer: +### Apache MOD Test & Support Lifecycle +#### Adding Support for a new Apache MOD +Support for new [Apache Modules] can be added under the [`apache::mod`] namespace. +Acceptance tests should be added for each new [Apache Module][Apache Modules] added. +Ideally, the acceptance tests should run on all compatible platforms that this module is supported on (see `metdata.json`), however there are cases when a more niche module is difficult to set up and install on a particular Linux distro. +This could be for one or more of the following reasons: +- Package not available in default repositories of distro +- Package dependencies not available in default repositories of distro +- Package (and/or its dependencies) are only available in a specific version of an OS +In these cases, it is possible to exclude a module from a test platform using a specific tag, defined above the class declaration: ```puppet - apache::balancer { 'puppet00': } +# @note Unsupported platforms: OS: ver, ver; OS: ver, ver, ver; OS: all +class apache::mod::foobar { +... +} ``` - -If you need to use ProxySet in the balncer config you can do as so: - +For example: ```puppet - apache::balancer { 'puppet01': - proxy_set => {'stickysession' => 'JSESSIONID'}, - } +# @note Unsupported platforms: RedHat: 5, 6; Ubuntu: 14.04; SLES: all; Scientific: 11 SP1 +class apache::mod::actions { +... +} ``` - -###Templates - -The Apache module relies heavily on templates to enable the `vhost` and `apache::mod` defined types. These templates are built based on Facter facts around your operating system. Unless explicitly called out, most templates are not meant for configuration. - -##Limitations - -This has been tested on Ubuntu Precise, Debian Wheezy, and CentOS 5.8. - -##Development - -### Overview - -Puppet Labs modules on the Puppet Forge are open projects, and community contributions are essential for keeping them great. We can’t access the huge number of platforms and myriad of hardware, software, and deployment configurations that Puppet is intended to serve. - -We want to keep it as easy as possible to contribute changes so that our modules work in your environment. There are a few guidelines that we need contributors to follow so that we can have a chance of keeping on top of things. - -You can read the complete module contribution guide [on the Puppet Labs wiki.](http://projects.puppetlabs.com/projects/module-site/wiki/Module_contributing) - -### Running tests - -This project contains tests for both [rspec-puppet](http://rspec-puppet.com/) and [rspec-system](https://github.com/puppetlabs/rspec-system) to verify functionality. For in-depth information please see their respective documentation. - -Quickstart: - - gem install bundler - bundle install - bundle exec rake spec - bundle exec rake spec:system - -##Copyright and License - -Copyright (C) 2012 [Puppet Labs](https://www.puppetlabs.com/) Inc - -Puppet Labs can be contacted at: info@puppetlabs.com - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. +Please be aware of the following format guidelines for the tag: +- All OS/Version declarations must be preceded with `@note Unsupported platforms:` +- The tag must be declared ABOVE the class declaration (i.e. not as footer at the bottom of the file) +- Each OS/Version declaration must be separated by semicolons (`;`) +- Each version must be separated by a comma (`,`) +- Versions CANNOT be declared in ranges (e.g. `RedHat:5-7`), they should be explicitly declared (e.g. `RedHat:5,6,7`) +- However, to declare all versions of an OS as unsupported, use the word `all` (e.g. `SLES:all`) +- OSs with word characters as part of their versions are acceptable (e.g. `Scientific: 11 SP1, 11 SP2, 12, 13`) +- Spaces are permitted between OS/Version declarations and version numbers within a declaration +- Refer to the `operatingsystem_support` values in the `metadata.json` to find the acceptable OS name and version syntax: + - E.g. `OracleLinux` OR `oraclelinux`, not: `Oracle` or `OraLinux` + - E.g. `RedHat` OR `redhat`, not: `Red Hat Enterprise Linux`, `RHEL`, or `Red Hat` + +If the tag is incorrectly formatted, a warning will be printed out at the end of the test run, indicating what tag(s) could not be parsed. +This will not halt the execution of other tests. + +Once the class is tagged, it is possible to exclude a test for that particular [Apache MOD][Apache Modules] using RSpec's filtering and a helper method: +```ruby +describe 'auth_oidc', if: mod_supported_on_platform('apache::mod::auth_openidc') do +``` +The `mod_supported_on_platform` helper method takes the [Apache Module][Apache Modules] class definition as defined in the manifests under `manifest/mod`. + +This functionality can be disabled by setting the `DISABLE_MOD_TEST_EXCLUSION` environment variable. +When set, all exclusions will be ignored. +#### Test Support Lifecycle +The puppetlabs-apache module supports a large number of compatible platforms and [Apache Modules][Apache modules]. +As a result, Apache Module tests can fail because a package or package dependency has been removed from a Linux distribution repository. +The [CAT Team][CAT Team] will try to resolve these issues and keep instructions updated, but due to limited resources this won’t always be possible. +In these cases, we will exclude test(s) from certain platforms. +As always, we welcome help from our community members, and the CAT(Content & Tooling) team is here to assist and answer questions. diff --git a/README.passenger.md b/README.passenger.md deleted file mode 100644 index 4b36149dc2..0000000000 --- a/README.passenger.md +++ /dev/null @@ -1,93 +0,0 @@ -# Passenger - -Just enabling the Passenger module is insufficient for the use of Passenger in production. Passenger should be tunable to better fit the environment in which it is run while being aware of the resources it required. - -To this end the Apache passenger module has been modified to apply system wide Passenger tuning declarations to `passenger.conf`. Declarations specific to a virtual host should be passed through when defining a `vhost` (e.g. `rack_base_uris' parameter on the `apache::vhost` class, check `README.md`). - -# Parameters for `apache::mod::passenger` - -The following declarations are supported and can be passed to `apache::mod::passenger` as parameters, for example: - -``` -class {'apache::mod::passenger': - passenger_high_performance => 'on', - rails_autodetect => 'off', -} -``` - -The general form is using the all lower case version of the declaration. - -If you pass a default value to `apache::mod::passenger` it will be ignored and not passed through to the configuration file. - -## passenger_high_performance - -Default is `off`, when turned `on` Passenger runs in a higher performance mode that can be less compatible with other Apache modules. - -http://www.modrails.com/documentation/Users%20guide%20Apache.html#PassengerHighPerformance - -## passenger_max_pool_size - -Set's the maximum number of Passenger application processes that may simultaneously run. The default value is 6. - -http://www.modrails.com/documentation/Users%20guide%20Apache.html#_passengermaxpoolsize_lt_integer_gt - -## passenger_pool_idle_time - -The maximum number of seconds a Passenger Application process will be allowed to remain idle before being shut down. The default value is 300. - -http://www.modrails.com/documentation/Users%20guide%20Apache.html#PassengerPoolIdleTime - -## passenger_max_requests - -The maximum number of request a Passenger application will process before being restarted. The default value is 0, which indicates that a process will only shut down if the Pool Idle Time (see above) expires. - -http://www.modrails.com/documentation/Users%20guide%20Apache.html#PassengerMaxRequests - -## passenger_stat_throttle_rate - -Sets how often Passenger performs file system checks, at most once every _x_ seconds. Default is 0, which means the checks are performed with every request. - -http://www.modrails.com/documentation/Users%20guide%20Apache.html#_passengerstatthrottlerate_lt_integer_gt - -## rack_auto_detect - -Should Passenger automatically detect if the document root of a virtual host is a Rack application. The default is `on` - -http://www.modrails.com/documentation/Users%20guide%20Apache.html#_rackautodetect_lt_on_off_gt - -## rails_auto_detect - -Should Passenger automatically detect if the document root of a virtual host is a Rails application. The default is on. - -http://www.modrails.com/documentation/Users%20guide%20Apache.html#_railsautodetect_lt_on_off_gt - -## passenger_use_global_queue - -Allows toggling of PassengerUseGlobalQueue. NOTE: PassengerUseGlobalQueue is the default in Passenger 4.x and the versions >= 4.x have disabled this configuration option altogether. Use with caution. - -# Attribution - -The Passenger tuning parameters for the `apache::mod::puppet` Puppet class was modified by Aaron Hicks (hicksa@landcareresearch.co.nz) for work on the NeSI Project and the Tuakiri New Zealand Access Federation as a fork from the PuppetLabs Apache module on GitHub. - -* https://github.com/puppetlabs/puppetlabs-apache -* https://github.com/nesi/puppetlabs-apache -* http://www.nesi.org.nz// -* https://tuakiri.ac.nz/confluence/display/Tuakiri/Home - -# Copyright and License - -Copyright (C) 2012 [Puppet Labs](https://www.puppetlabs.com/) Inc - -Puppet Labs can be contacted at: info@puppetlabs.com - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. diff --git a/REFERENCE.md b/REFERENCE.md new file mode 100644 index 0000000000..76106a38a1 --- /dev/null +++ b/REFERENCE.md @@ -0,0 +1,11849 @@ +# Reference + + + +## Table of Contents + +### Classes + +#### Public Classes + +* [`apache`](#apache): Guides the basic setup and installation of Apache on your system. +* [`apache::dev`](#apache--dev): Installs Apache development libraries. +* [`apache::mod::actions`](#apache--mod--actions): Installs Apache mod_actions +* [`apache::mod::alias`](#apache--mod--alias): Installs and configures `mod_alias`. +* [`apache::mod::apreq2`](#apache--mod--apreq2): Installs `mod_apreq2`. +* [`apache::mod::auth_basic`](#apache--mod--auth_basic): Installs `mod_auth_basic` +* [`apache::mod::auth_cas`](#apache--mod--auth_cas): Installs and configures `mod_auth_cas`. +* [`apache::mod::auth_gssapi`](#apache--mod--auth_gssapi): Installs `mod_auth_gsappi`. +* [`apache::mod::auth_kerb`](#apache--mod--auth_kerb): Installs `mod_auth_kerb` +* [`apache::mod::auth_mellon`](#apache--mod--auth_mellon): Installs and configures `mod_auth_mellon`. +* [`apache::mod::auth_openidc`](#apache--mod--auth_openidc): Installs and configures `mod_auth_openidc`. +* [`apache::mod::authn_core`](#apache--mod--authn_core): Installs `mod_authn_core`. +* [`apache::mod::authn_dbd`](#apache--mod--authn_dbd): Installs `mod_authn_dbd`. +* [`apache::mod::authn_file`](#apache--mod--authn_file): Installs `mod_authn_file`. +* [`apache::mod::authnz_ldap`](#apache--mod--authnz_ldap): Installs `mod_authnz_ldap`. +* [`apache::mod::authnz_pam`](#apache--mod--authnz_pam): Installs `mod_authnz_pam`. +* [`apache::mod::authz_core`](#apache--mod--authz_core): Installs `mod_authz_core`. +* [`apache::mod::authz_groupfile`](#apache--mod--authz_groupfile): Installs `mod_authz_groupfile` +* [`apache::mod::authz_user`](#apache--mod--authz_user): Installs `mod_authz_user` +* [`apache::mod::autoindex`](#apache--mod--autoindex): Installs `mod_autoindex` +* [`apache::mod::cache`](#apache--mod--cache): Installs `mod_cache` +* [`apache::mod::cache_disk`](#apache--mod--cache_disk): Installs and configures `mod_cache_disk`. +* [`apache::mod::cgi`](#apache--mod--cgi): Installs `mod_cgi`. +* [`apache::mod::cgid`](#apache--mod--cgid): Installs `mod_cgid`. +* [`apache::mod::cluster`](#apache--mod--cluster): Installs `mod_cluster`. +* [`apache::mod::data`](#apache--mod--data): Installs and configures `mod_data`. +* [`apache::mod::dav`](#apache--mod--dav): Installs `mod_dav`. +* [`apache::mod::dav_fs`](#apache--mod--dav_fs): Installs `mod_dav_fs`. +* [`apache::mod::dav_svn`](#apache--mod--dav_svn): Installs and configures `mod_dav_svn`. +* [`apache::mod::dbd`](#apache--mod--dbd): Installs `mod_dbd`. +* [`apache::mod::deflate`](#apache--mod--deflate): Installs and configures `mod_deflate`. +* [`apache::mod::dir`](#apache--mod--dir): Installs and configures `mod_dir`. +* [`apache::mod::disk_cache`](#apache--mod--disk_cache): Installs and configures `mod_disk_cache`. +* [`apache::mod::dumpio`](#apache--mod--dumpio): Installs and configures `mod_dumpio`. +* [`apache::mod::env`](#apache--mod--env): Installs `mod_env`. +* [`apache::mod::event`](#apache--mod--event): Installs and configures `mod_event`. +* [`apache::mod::expires`](#apache--mod--expires): Installs and configures `mod_expires`. +* [`apache::mod::ext_filter`](#apache--mod--ext_filter): Installs and configures `mod_ext_filter`. +* [`apache::mod::fcgid`](#apache--mod--fcgid): Installs and configures `mod_fcgid`. +* [`apache::mod::filter`](#apache--mod--filter): Installs `mod_filter`. +* [`apache::mod::geoip`](#apache--mod--geoip): Installs and configures `mod_geoip`. +* [`apache::mod::headers`](#apache--mod--headers): Installs and configures `mod_headers`. +* [`apache::mod::http2`](#apache--mod--http2): Installs and configures `mod_http2`. +* [`apache::mod::include`](#apache--mod--include): Installs `mod_include`. +* [`apache::mod::info`](#apache--mod--info): Installs and configures `mod_info`. +* [`apache::mod::intercept_form_submit`](#apache--mod--intercept_form_submit): Installs `mod_intercept_form_submit`. +* [`apache::mod::itk`](#apache--mod--itk): Installs MPM `mod_itk`. +* [`apache::mod::jk`](#apache--mod--jk): Installs `mod_jk`. +* [`apache::mod::lbmethod_bybusyness`](#apache--mod--lbmethod_bybusyness): Installs `lbmethod_bybusyness`. +* [`apache::mod::lbmethod_byrequests`](#apache--mod--lbmethod_byrequests): Installs `lbmethod_byrequests`. +* [`apache::mod::lbmethod_bytraffic`](#apache--mod--lbmethod_bytraffic): Installs `lbmethod_bytraffic`. +* [`apache::mod::lbmethod_heartbeat`](#apache--mod--lbmethod_heartbeat): Installs `lbmethod_heartbeat`. +* [`apache::mod::ldap`](#apache--mod--ldap): Installs and configures `mod_ldap`. +* [`apache::mod::log_forensic`](#apache--mod--log_forensic): Installs `mod_log_forensic` +* [`apache::mod::lookup_identity`](#apache--mod--lookup_identity): Installs `mod_lookup_identity` +* [`apache::mod::macro`](#apache--mod--macro): Installs `mod_macro`. +* [`apache::mod::md`](#apache--mod--md): Installs and configures `mod_md`. +* [`apache::mod::mime`](#apache--mod--mime): Installs and configures `mod_mime`. +* [`apache::mod::mime_magic`](#apache--mod--mime_magic): Installs and configures `mod_mime_magic`. +* [`apache::mod::negotiation`](#apache--mod--negotiation): Installs and configures `mod_negotiation`. +* [`apache::mod::nss`](#apache--mod--nss): Installs and configures `mod_nss`. +* [`apache::mod::pagespeed`](#apache--mod--pagespeed): Installs and manages mod_pagespeed, which is a Google module that rewrites web pages to reduce latency and bandwidth. + +This module does *not* manage the software repositories needed to automatically install the +mod-pagespeed-stable package. The module does however require that the package be installed, +or be installable using the system's default package provider. You should ensure that this +pre-requisite is met or declaring `apache::mod::pagespeed` will cause the puppet run to fail. +* [`apache::mod::passenger`](#apache--mod--passenger): Installs `mod_pasenger`. +> **Note**: This module support Passenger 4.0.0 and higher. +* [`apache::mod::perl`](#apache--mod--perl): Installs `mod_perl`. +* [`apache::mod::peruser`](#apache--mod--peruser): Installs `mod_peruser`. +* [`apache::mod::php`](#apache--mod--php): Installs `mod_php`. +* [`apache::mod::prefork`](#apache--mod--prefork): Installs and configures MPM `prefork`. +* [`apache::mod::proxy`](#apache--mod--proxy): Installs and configures `mod_proxy`. +* [`apache::mod::proxy_ajp`](#apache--mod--proxy_ajp): Installs `mod_proxy_ajp`. +* [`apache::mod::proxy_balancer`](#apache--mod--proxy_balancer): Installs and configures `mod_proxy_balancer`. +* [`apache::mod::proxy_connect`](#apache--mod--proxy_connect): Installs `mod_proxy_connect`. +* [`apache::mod::proxy_fcgi`](#apache--mod--proxy_fcgi): Installs `mod_proxy_fcgi`. +* [`apache::mod::proxy_html`](#apache--mod--proxy_html): Installs `mod_proxy_html`. +* [`apache::mod::proxy_http`](#apache--mod--proxy_http): Installs `mod_proxy_http`. +* [`apache::mod::proxy_http2`](#apache--mod--proxy_http2): Installs `mod_proxy_http2`. +* [`apache::mod::proxy_wstunnel`](#apache--mod--proxy_wstunnel): Installs `mod_proxy_wstunnel`. +* [`apache::mod::python`](#apache--mod--python): Installs and configures `mod_python`. +* [`apache::mod::remoteip`](#apache--mod--remoteip): Installs and configures `mod_remoteip`. +* [`apache::mod::reqtimeout`](#apache--mod--reqtimeout): Installs and configures `mod_reqtimeout`. +* [`apache::mod::rewrite`](#apache--mod--rewrite): Installs `mod_rewrite`. +* [`apache::mod::rpaf`](#apache--mod--rpaf): Installs and configures `mod_rpaf`. +* [`apache::mod::security`](#apache--mod--security): Installs and configures `mod_security`. +* [`apache::mod::setenvif`](#apache--mod--setenvif): Installs `mod_setenvif`. +* [`apache::mod::shib`](#apache--mod--shib): Installs and configures `mod_shib`. +* [`apache::mod::socache_shmcb`](#apache--mod--socache_shmcb): Installs `mod_socache_shmcb`. +* [`apache::mod::speling`](#apache--mod--speling): Installs `mod_spelling`. +* [`apache::mod::ssl`](#apache--mod--ssl): Installs `mod_ssl`. +* [`apache::mod::status`](#apache--mod--status): Installs and configures `mod_status`. +* [`apache::mod::suexec`](#apache--mod--suexec): Installs `mod_suexec`. +* [`apache::mod::userdir`](#apache--mod--userdir): Installs and configures `mod_userdir`. +* [`apache::mod::version`](#apache--mod--version): Installs `mod_version`. +* [`apache::mod::vhost_alias`](#apache--mod--vhost_alias): Installs Apache `mod_vhost_alias`. +* [`apache::mod::watchdog`](#apache--mod--watchdog): Installs and configures `mod_watchdog`. +* [`apache::mod::worker`](#apache--mod--worker): Installs and manages the MPM `worker`. +* [`apache::mod::wsgi`](#apache--mod--wsgi): Installs and configures `mod_wsgi`. +* [`apache::mod::xsendfile`](#apache--mod--xsendfile): Installs `mod_xsendfile`. +* [`apache::mpm::disable_mpm_event`](#apache--mpm--disable_mpm_event): disable Apache-Module event +* [`apache::mpm::disable_mpm_prefork`](#apache--mpm--disable_mpm_prefork): disable Apache-Module prefork +* [`apache::mpm::disable_mpm_worker`](#apache--mpm--disable_mpm_worker): disable Apache-Module worker +* [`apache::vhosts`](#apache--vhosts): Creates `apache::vhost` defined types. + +#### Private Classes + +* `apache::confd::no_accf`: Manages the `no-accf.conf` file. +* `apache::default_confd_files`: Helper for setting up default conf.d files. +* `apache::default_mods`: Installs and congfigures default mods for Apache +* `apache::mod::ssl::reload`: Manages the puppet_ssl folder for ssl file copies, which is needed to track changes for reloading service on changes +* `apache::package`: Installs an Apache MPM. +* `apache::params`: This class manages Apache parameters +* `apache::service`: Installs and configures Apache service. +* `apache::version`: Try to automatically detect the version by OS + +### Defined types + +#### Public Defined types + +* [`apache::balancer`](#apache--balancer): This type will create an apache balancer cluster file inside the conf.d +directory. +* [`apache::balancermember`](#apache--balancermember): Defines members of `mod_proxy_balancer` +* [`apache::custom_config`](#apache--custom_config): Adds a custom configuration file to the Apache server's `conf.d` directory. +* [`apache::fastcgi::server`](#apache--fastcgi--server): Defines one or more external FastCGI servers to handle specific file types. Use this +defined type with `mod_fastcgi`. +* [`apache::listen`](#apache--listen): Adds `Listen` directives to `ports.conf` that define the +Apache server's or a virtual host's listening address and port. +* [`apache::mod`](#apache--mod): Installs packages for an Apache module that doesn't have a corresponding +`apache::mod::` class. +* [`apache::namevirtualhost`](#apache--namevirtualhost): Enables name-based virtual hosts +* [`apache::vhost`](#apache--vhost): Allows specialised configurations for virtual hosts that possess requirements +outside of the defaults. +* [`apache::vhost::custom`](#apache--vhost--custom): A wrapper around the `apache::custom_config` defined type. +* [`apache::vhost::fragment`](#apache--vhost--fragment): Define a fragment within a vhost +* [`apache::vhost::proxy`](#apache--vhost--proxy): Configure a reverse proxy for a vhost + +#### Private Defined types + +* `apache::default_mods::load`: Helper used by `apache::default_mods` +* `apache::mpm`: Enables the use of Apache MPMs. +* `apache::peruser::multiplexer`: Checks if an Apache module has a class. +* `apache::peruser::processor`: Enables the `Peruser` module for FreeBSD only. +* `apache::security::rule_link`: Links the activated_rules from `apache::mod::security` to the respective CRS rules on disk. + +### Functions + +* [`apache::apache_pw_hash`](#apache--apache_pw_hash): DEPRECATED. Use the function [`apache::pw_hash`](#apachepw_hash) instead. +* [`apache::authz_core_config`](#apache--authz_core_config): Function to generate the authz_core configuration directives. +* [`apache::bool2httpd`](#apache--bool2httpd): Transform a supposed boolean to On or Off. Passes all other values through. +* [`apache::pw_hash`](#apache--pw_hash): Hashes a password in a format suitable for htpasswd files read by apache. +* [`apache_pw_hash`](#apache_pw_hash): DEPRECATED. Use the namespaced function [`apache::pw_hash`](#apachepw_hash) instead. +* [`bool2httpd`](#bool2httpd): DEPRECATED. Use the namespaced function [`apache::bool2httpd`](#apachebool2httpd) instead. + +### Data types + +* [`Apache::LogLevel`](#Apache--LogLevel): A string that conforms to the Apache `LogLevel` syntax. +* [`Apache::ModProxyProtocol`](#Apache--ModProxyProtocol): Supported protocols / schemes by mod_proxy +* [`Apache::OIDCSettings`](#Apache--OIDCSettings): https://github.com/zmartzone/mod_auth_openidc/blob/master/auth_openidc.conf +* [`Apache::OnOff`](#Apache--OnOff): A string that is accepted in Apache config to turn something on or off +* [`Apache::ServerTokens`](#Apache--ServerTokens): A string that conforms to the Apache `ServerTokens` syntax. +* [`Apache::Vhost::Priority`](#Apache--Vhost--Priority): The priority on vhost +* [`Apache::Vhost::ProxyPass`](#Apache--Vhost--ProxyPass): Struct representing reverse proxy configuration for an Apache vhost, used by the Apache::Vhost::Proxy defined resource type. + +### Tasks + +* [`init`](#init): Allows you to perform apache service functions + +## Classes + +### `apache` + +When this class is declared with the default options, Puppet: +- Installs the appropriate Apache software package and [required Apache modules](#default_mods) for your operating system. +- Places the required configuration files in a directory, with the [default location](#conf_dir) determined by your operating system. +- Configures the server with a default virtual host and standard port (`80`) and address (`\*`) bindings. +- Creates a document root directory determined by your operating system, typically `/var/www`. +- Starts the Apache service. + +If an ldaps:// URL is specified, the mode becomes SSL and the setting of LDAPTrustedMode is ignored. + +#### Examples + +##### + +```puppet +class { 'apache': } +``` + +#### Parameters + +The following parameters are available in the `apache` class: + +* [`allow_encoded_slashes`](#-apache--allow_encoded_slashes) +* [`conf_dir`](#-apache--conf_dir) +* [`conf_template`](#-apache--conf_template) +* [`confd_dir`](#-apache--confd_dir) +* [`default_charset`](#-apache--default_charset) +* [`default_confd_files`](#-apache--default_confd_files) +* [`default_mods`](#-apache--default_mods) +* [`default_ssl_ca`](#-apache--default_ssl_ca) +* [`default_ssl_cert`](#-apache--default_ssl_cert) +* [`default_ssl_chain`](#-apache--default_ssl_chain) +* [`default_ssl_crl`](#-apache--default_ssl_crl) +* [`default_ssl_crl_path`](#-apache--default_ssl_crl_path) +* [`default_ssl_crl_check`](#-apache--default_ssl_crl_check) +* [`default_ssl_key`](#-apache--default_ssl_key) +* [`default_ssl_reload_on_change`](#-apache--default_ssl_reload_on_change) +* [`default_ssl_vhost`](#-apache--default_ssl_vhost) +* [`default_vhost`](#-apache--default_vhost) +* [`dev_packages`](#-apache--dev_packages) +* [`docroot`](#-apache--docroot) +* [`error_documents`](#-apache--error_documents) +* [`group`](#-apache--group) +* [`httpd_dir`](#-apache--httpd_dir) +* [`http_protocol_options`](#-apache--http_protocol_options) +* [`keepalive`](#-apache--keepalive) +* [`keepalive_timeout`](#-apache--keepalive_timeout) +* [`max_keepalive_requests`](#-apache--max_keepalive_requests) +* [`hostname_lookups`](#-apache--hostname_lookups) +* [`ldap_trusted_mode`](#-apache--ldap_trusted_mode) +* [`ldap_verify_server_cert`](#-apache--ldap_verify_server_cert) +* [`lib_path`](#-apache--lib_path) +* [`log_level`](#-apache--log_level) +* [`log_formats`](#-apache--log_formats) +* [`logroot`](#-apache--logroot) +* [`logroot_mode`](#-apache--logroot_mode) +* [`manage_group`](#-apache--manage_group) +* [`supplementary_groups`](#-apache--supplementary_groups) +* [`manage_user`](#-apache--manage_user) +* [`mod_dir`](#-apache--mod_dir) +* [`mod_libs`](#-apache--mod_libs) +* [`mod_packages`](#-apache--mod_packages) +* [`mpm_module`](#-apache--mpm_module) +* [`package_ensure`](#-apache--package_ensure) +* [`pidfile`](#-apache--pidfile) +* [`ports_file`](#-apache--ports_file) +* [`protocols`](#-apache--protocols) +* [`protocols_honor_order`](#-apache--protocols_honor_order) +* [`purge_configs`](#-apache--purge_configs) +* [`purge_vhost_dir`](#-apache--purge_vhost_dir) +* [`sendfile`](#-apache--sendfile) +* [`serveradmin`](#-apache--serveradmin) +* [`servername`](#-apache--servername) +* [`server_root`](#-apache--server_root) +* [`server_signature`](#-apache--server_signature) +* [`server_tokens`](#-apache--server_tokens) +* [`service_enable`](#-apache--service_enable) +* [`service_ensure`](#-apache--service_ensure) +* [`service_name`](#-apache--service_name) +* [`service_manage`](#-apache--service_manage) +* [`service_restart`](#-apache--service_restart) +* [`timeout`](#-apache--timeout) +* [`trace_enable`](#-apache--trace_enable) +* [`use_canonical_name`](#-apache--use_canonical_name) +* [`use_systemd`](#-apache--use_systemd) +* [`file_mode`](#-apache--file_mode) +* [`root_directory_options`](#-apache--root_directory_options) +* [`root_directory_secured`](#-apache--root_directory_secured) +* [`vhost_dir`](#-apache--vhost_dir) +* [`vhost_include_pattern`](#-apache--vhost_include_pattern) +* [`user`](#-apache--user) +* [`apache_name`](#-apache--apache_name) +* [`error_log`](#-apache--error_log) +* [`scriptalias`](#-apache--scriptalias) +* [`access_log_file`](#-apache--access_log_file) +* [`limitreqfields`](#-apache--limitreqfields) +* [`limitreqfieldsize`](#-apache--limitreqfieldsize) +* [`limitreqline`](#-apache--limitreqline) +* [`ip`](#-apache--ip) +* [`conf_enabled`](#-apache--conf_enabled) +* [`vhost_enable_dir`](#-apache--vhost_enable_dir) +* [`manage_vhost_enable_dir`](#-apache--manage_vhost_enable_dir) +* [`mod_enable_dir`](#-apache--mod_enable_dir) +* [`ssl_file`](#-apache--ssl_file) +* [`file_e_tag`](#-apache--file_e_tag) +* [`use_optional_includes`](#-apache--use_optional_includes) +* [`mime_types_additional`](#-apache--mime_types_additional) + +##### `allow_encoded_slashes` + +Data type: `Optional[Variant[Apache::OnOff, Enum['nodecode']]]` + +Sets the server default for the `AllowEncodedSlashes` declaration, which modifies the +responses to URLs containing '\' and '/' characters. If not specified, this parameter omits +the declaration from the server's configuration and uses Apache's default setting of 'off'. + +Default value: `undef` + +##### `conf_dir` + +Data type: `Stdlib::Absolutepath` + +Sets the directory where the Apache server's main configuration file is located. + +Default value: `$apache::params::conf_dir` + +##### `conf_template` + +Data type: `String` + +Defines the template used for the main Apache configuration file. Modifying this +parameter is potentially risky, as the apache module is designed to use a minimal +configuration file customized by `conf.d` entries. + +Default value: `$apache::params::conf_template` + +##### `confd_dir` + +Data type: `Stdlib::Absolutepath` + +Sets the location of the Apache server's custom configuration directory. + +Default value: `$apache::params::confd_dir` + +##### `default_charset` + +Data type: `Optional[String]` + +Used as the `AddDefaultCharset` directive in the main configuration file. + +Default value: `undef` + +##### `default_confd_files` + +Data type: `Boolean` + +Determines whether Puppet generates a default set of includable Apache configuration files +in the directory defined by the `confd_dir` parameter. These configuration files +correspond to what is typically installed with the Apache package on the server's +operating system. + +Default value: `true` + +##### `default_mods` + +Data type: `Variant[Array[String[1]], Boolean]` + +Determines whether to configure and enable a set of default Apache modules depending on +your operating system.
+If `false`, Puppet includes only the Apache modules required to make the HTTP daemon work +on your operating system, and you can declare any other modules separately using the +`apache::mod::` class or `apache::mod` defined type.
+If `true`, Puppet installs additional modules, depending on the operating system and +the value of the `mpm_module` parameter. Because these lists of +modules can change frequently, consult the Puppet module's code for up-to-date lists.
+If this parameter contains an array, Puppet instead enables all passed Apache modules. + +Default value: `true` + +##### `default_ssl_ca` + +Data type: `Optional[Stdlib::Absolutepath]` + +Sets the default certificate authority for the Apache server.
+Although the default value results in a functioning Apache server, you **must** update +this parameter with your certificate authority information before deploying this server in +a production environment. + +Default value: `undef` + +##### `default_ssl_cert` + +Data type: `Stdlib::Absolutepath` + +Sets the SSL encryption certificate location.
+Although the default value results in a functioning Apache server, you **must** update this +parameter with your certificate location before deploying this server in a production environment. + +Default value: `$apache::params::default_ssl_cert` + +##### `default_ssl_chain` + +Data type: `Optional[Stdlib::Absolutepath]` + +Sets the default SSL chain location.
+Although this default value results in a functioning Apache server, you **must** update +this parameter with your SSL chain before deploying this server in a production environment. + +Default value: `undef` + +##### `default_ssl_crl` + +Data type: `Optional[Stdlib::Absolutepath]` + +Sets the path of the default certificate revocation list (CRL) file to use.
+Although this default value results in a functioning Apache server, you **must** update +this parameter with the CRL file path before deploying this server in a production +environment. You can use this parameter with or in place of the `default_ssl_crl_path`. + +Default value: `undef` + +##### `default_ssl_crl_path` + +Data type: `Optional[Stdlib::Absolutepath]` + +Sets the server's certificate revocation list path, which contains your CRLs.
+Although this default value results in a functioning Apache server, you **must** update +this parameter with the CRL file path before deploying this server in a production environment. + +Default value: `undef` + +##### `default_ssl_crl_check` + +Data type: `Optional[String]` + +Sets the default certificate revocation check level via the `SSLCARevocationCheck` directive. +This parameter applies only to Apache 2.4 or higher and is ignored on older versions.
+Although this default value results in a functioning Apache server, you **must** specify +this parameter when using certificate revocation lists in a production environment. + +Default value: `undef` + +##### `default_ssl_key` + +Data type: `Stdlib::Absolutepath` + +Sets the SSL certificate key file location. +Although the default values result in a functioning Apache server, you **must** update +this parameter with your SSL key's location before deploying this server in a production +environment. + +Default value: `$apache::params::default_ssl_key` + +##### `default_ssl_reload_on_change` + +Data type: `Boolean` + +Enable reloading of apache if the content of ssl files have changed. + +Default value: `false` + +##### `default_ssl_vhost` + +Data type: `Boolean` + +Configures a default SSL virtual host. +If `true`, Puppet automatically configures the following virtual host using the +`apache::vhost` defined type: +```puppet +apache::vhost { 'default-ssl': + port => 443, + ssl => true, + docroot => $docroot, + scriptalias => $scriptalias, + serveradmin => $serveradmin, + access_log_file => "ssl_${access_log_file}", +} +``` +**Note**: SSL virtual hosts only respond to HTTPS queries. + +Default value: `false` + +##### `default_vhost` + +Data type: `Boolean` + +Configures a default virtual host when the class is declared.
+To configure customized virtual hosts, set this parameter's +value to `false`.
+> **Note**: Apache will not start without at least one virtual host. If you set this +to `false` you must configure a virtual host elsewhere. + +Default value: `true` + +##### `dev_packages` + +Data type: `Optional[Variant[Array, String]]` + +Configures a specific dev package to use.
+For example, using httpd 2.4 from the IUS yum repo:
+``` puppet +include ::apache::dev +class { 'apache': + apache_name => 'httpd24u', + dev_packages => 'httpd24u-devel', +} +``` + +Default value: `$apache::params::dev_packages` + +##### `docroot` + +Data type: `Stdlib::Absolutepath` + +Sets the default `DocumentRoot` location. + +Default value: `$apache::params::docroot` + +##### `error_documents` + +Data type: `Boolean` + +Determines whether to enable [custom error documents](https://httpd.apache.org/docs/current/custom-error.html) on the Apache server. + +Default value: `false` + +##### `group` + +Data type: `String` + +Sets the group ID that owns any Apache processes spawned to answer requests.
+By default, Puppet attempts to manage this group as a resource under the `apache` +class, determining the group based on the operating system as detected by the +`apache::params` class. To prevent the group resource from being created and use a group +created by another Puppet module, set the `manage_group` parameter's value to `false`.
+> **Note**: Modifying this parameter only changes the group ID that Apache uses to spawn +child processes to access resources. It does not change the user that owns the parent server +process. + +Default value: `$apache::params::group` + +##### `httpd_dir` + +Data type: `Stdlib::Absolutepath` + +Sets the Apache server's base configuration directory. This is useful for specially +repackaged Apache server builds but might have unintended consequences when combined +with the default distribution packages. + +Default value: `$apache::params::httpd_dir` + +##### `http_protocol_options` + +Data type: `Optional[String]` + +Specifies the strictness of HTTP protocol checks.
+Valid options: any sequence of the following alternative values: `Strict` or `Unsafe`, +`RegisteredMethods` or `LenientMethods`, and `Allow0.9` or `Require1.0`. + +Default value: `$apache::params::http_protocol_options` + +##### `keepalive` + +Data type: `Apache::OnOff` + +Determines whether to enable persistent HTTP connections with the `KeepAlive` directive. +If you set this to `On`, use the `keepalive_timeout` and `max_keepalive_requests` parameters +to set relevant options.
+ +Default value: `$apache::params::keepalive` + +##### `keepalive_timeout` + +Data type: `Integer` + +Sets the `KeepAliveTimeout` directive, which determines the amount of time the Apache +server waits for subsequent requests on a persistent HTTP connection. This parameter is +only relevant if the `keepalive` parameter is enabled. + +Default value: `$apache::params::keepalive_timeout` + +##### `max_keepalive_requests` + +Data type: `Integer` + +Limits the number of requests allowed per connection when the `keepalive` parameter is enabled. + +Default value: `$apache::params::max_keepalive_requests` + +##### `hostname_lookups` + +Data type: `Variant[Apache::OnOff, Enum['Double', 'double']]` + +This directive enables DNS lookups so that host names can be logged and passed to +CGIs/SSIs in REMOTE_HOST.
+> **Note**: If enabled, it impacts performance significantly. + +Default value: `$apache::params::hostname_lookups` + +##### `ldap_trusted_mode` + +Data type: `Optional[String]` + +The following modes are supported: + + NONE - no encryption + SSL - ldaps:// encryption on default port 636 + TLS - STARTTLS encryption on default port 389 +Not all LDAP toolkits support all the above modes. An error message will be logged at +runtime if a mode is not supported, and the connection to the LDAP server will fail. + +Default value: `undef` + +##### `ldap_verify_server_cert` + +Data type: `Optional[Apache::OnOff]` + +Specifies whether to force the verification of a server certificate when establishing an SSL +connection to the LDAP server. +On|Off + +Default value: `undef` + +##### `lib_path` + +Data type: `String` + +Specifies the location whereApache module files are stored.
+> **Note**: Do not configure this parameter manually without special reason. + +Default value: `$apache::params::lib_path` + +##### `log_level` + +Data type: `Apache::LogLevel` + +Configures the apache [LogLevel](https://httpd.apache.org/docs/current/mod/core.html#loglevel) directive +which adjusts the verbosity of the messages recorded in the error logs. + +Default value: `$apache::params::log_level` + +##### `log_formats` + +Data type: `Hash` + +Define additional `LogFormat` directives. Values: A hash, such as: +``` puppet +$log_formats = { vhost_common => '%v %h %l %u %t \"%r\" %>s %b' } +``` + There are a number of predefined `LogFormats` in the `httpd.conf` that Puppet creates: +``` httpd + LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined + LogFormat "%h %l %u %t \"%r\" %>s %b" common + LogFormat "%{Referer}i -> %U" referer + LogFormat "%{User-agent}i" agent + LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-agent}i\"" forwarded +``` +If your `log_formats` parameter contains one of those, it will be overwritten with **your** definition. + +Default value: `{}` + +##### `logroot` + +Data type: `Stdlib::Absolutepath` + +Changes the directory of Apache log files for the virtual host. + +Default value: `$apache::params::logroot` + +##### `logroot_mode` + +Data type: `Optional[Stdlib::Filemode]` + +Overrides the default `logroot` directory's mode.
+> **Note**: Do _not_ grant write access to the directory where the logs are stored +without being aware of the consequences. See the [Apache documentation](https://httpd.apache.org/docs/current/logs.html#security) +for details. + +Default value: `$apache::params::logroot_mode` + +##### `manage_group` + +Data type: `Boolean` + +When `false`, stops Puppet from creating the group resource.
+If you have a group created from another Puppet module that you want to use to run Apache, +set this to `false`. Without this parameter, attempting to use a previously established +group results in a duplicate resource error. + +Default value: `true` + +##### `supplementary_groups` + +Data type: `Array` + +A list of groups to which the user belongs. These groups are in addition to the primary group.
+Notice: This option only has an effect when `manage_user` is set to true. + +Default value: `[]` + +##### `manage_user` + +Data type: `Boolean` + +When `false`, stops Puppet from creating the user resource.
+This is for instances when you have a user, created from another Puppet module, you want +to use to run Apache. Without this parameter, attempting to use a previously established +user would result in a duplicate resource error. + +Default value: `true` + +##### `mod_dir` + +Data type: `Stdlib::Absolutepath` + +Sets where Puppet places configuration files for your Apache modules. + +Default value: `$apache::params::mod_dir` + +##### `mod_libs` + +Data type: `Hash` + +Allows the user to override default module library names. +```puppet +include apache::params +class { 'apache': + mod_libs => merge($::apache::params::mod_libs, { + 'wsgi' => 'mod_wsgi_python3.so', + }) +} +``` + +Default value: `$apache::params::mod_libs` + +##### `mod_packages` + +Data type: `Hash` + +Allows the user to override default module package names. +```puppet +include apache::params +class { 'apache': + mod_packages => merge($::apache::params::mod_packages, { + 'auth_kerb' => 'httpd24-mod_auth_kerb', + }) +} +``` + +Default value: `$apache::params::mod_packages` + +##### `mpm_module` + +Data type: `Variant[Boolean, Enum['event', 'itk', 'peruser', 'prefork', 'worker']]` + +Determines which [multi-processing module](https://httpd.apache.org/docs/current/mpm.html) (MPM) is loaded and configured for the +HTTPD process. Valid values are: `event`, `itk`, `peruser`, `prefork`, `worker` or `false`.
+You must set this to `false` to explicitly declare the following classes with custom parameters: +- `apache::mod::event` +- `apache::mod::itk` +- `apache::mod::peruser` +- `apache::mod::prefork` +- `apache::mod::worker` + +Default value: `$apache::params::mpm_module` + +##### `package_ensure` + +Data type: `String` + +Controls the `package` resource's `ensure` attribute. Valid values are: `absent`, `installed` +(or equivalent `present`), or a version string. + +Default value: `'installed'` + +##### `pidfile` + +Data type: `String` + +Allows settting a custom location for the pid file. Useful if using a custom-built Apache rpm. + +Default value: `$apache::params::pidfile` + +##### `ports_file` + +Data type: `Stdlib::Absolutepath` + +Sets the path to the file containing Apache ports configuration. + +Default value: `$apache::params::ports_file` + +##### `protocols` + +Data type: `Array[Enum['h2', 'h2c', 'http/1.1']]` + +Sets the [Protocols](https://httpd.apache.org/docs/current/en/mod/core.html#protocols) +directive, which lists available protocols for the server. + +Default value: `[]` + +##### `protocols_honor_order` + +Data type: `Optional[Boolean]` + +Sets the [ProtocolsHonorOrder](https://httpd.apache.org/docs/current/en/mod/core.html#protocolshonororder) +directive which determines whether the order of Protocols sets precedence during negotiation. + +Default value: `undef` + +##### `purge_configs` + +Data type: `Boolean` + +Removes all other Apache configs and virtual hosts.
+Setting this to `false` is a stopgap measure to allow the apache module to coexist with +existing or unmanaged configurations. We recommend moving your configuration to resources +within this module. For virtual host configurations, see `purge_vhost_dir`. + +Default value: `true` + +##### `purge_vhost_dir` + +Data type: `Optional[Boolean]` + +If the `vhost_dir` parameter's value differs from the `confd_dir` parameter's, this parameter +determines whether Puppet removes any configurations inside `vhost_dir` that are _not_ managed +by Puppet.
+Setting `purge_vhost_dir` to `false` is a stopgap measure to allow the apache module to +coexist with existing or otherwise unmanaged configurations within `vhost_dir`. + +Default value: `undef` + +##### `sendfile` + +Data type: `Apache::OnOff` + +Forces Apache to use the Linux kernel's `sendfile` support to serve static files, via the +`EnableSendfile` directive. + +Default value: `'On'` + +##### `serveradmin` + +Data type: `Optional[String[1]]` + +Sets the Apache server administrator's contact information via Apache's `ServerAdmin` directive. + +Default value: `undef` + +##### `servername` + +Data type: `Optional[String]` + +Sets the Apache server name via Apache's `ServerName` directive. +Setting to `false` will not set ServerName at all. + +Default value: `$apache::params::servername` + +##### `server_root` + +Data type: `Stdlib::Absolutepath` + +Sets the Apache server's root directory via Apache's `ServerRoot` directive. + +Default value: `$apache::params::server_root` + +##### `server_signature` + +Data type: `Variant[Apache::OnOff, String]` + +Configures a trailing footer line to display at the bottom of server-generated documents, +such as error documents and output of certain Apache modules, via Apache's `ServerSignature` +directive. Valid values are: `On` or `Off`. + +Default value: `'On'` + +##### `server_tokens` + +Data type: `Apache::ServerTokens` + +Controls how much information Apache sends to the browser about itself and the operating +system, via Apache's `ServerTokens` directive. + +Default value: `'Prod'` + +##### `service_enable` + +Data type: `Boolean` + +Determines whether Puppet enables the Apache HTTPD service when the system is booted. + +Default value: `true` + +##### `service_ensure` + +Data type: `Variant[Stdlib::Ensure::Service, Boolean]` + +Determines whether Puppet should make sure the service is running. +Valid values are: `true` (or `running`) or `false` (or `stopped`).
+The `false` or `stopped` values set the 'httpd' service resource's `ensure` parameter +to `false`, which is useful when you want to let the service be managed by another +application, such as Pacemaker.
+ +Default value: `'running'` + +##### `service_name` + +Data type: `String` + +Sets the name of the Apache service. + +Default value: `$apache::params::service_name` + +##### `service_manage` + +Data type: `Boolean` + +Determines whether Puppet manages the HTTPD service's state. + +Default value: `true` + +##### `service_restart` + +Data type: `Optional[String]` + +Determines whether Puppet should use a specific command to restart the HTTPD service. +Values: a command to restart the Apache service. + +Default value: `undef` + +##### `timeout` + +Data type: `Integer[0]` + +Sets Apache's `TimeOut` directive, which defines the number of seconds Apache waits for +certain events before failing a request. + +Default value: `60` + +##### `trace_enable` + +Data type: `Variant[Apache::OnOff, Enum['extended']]` + +Controls how Apache handles `TRACE` requests (per RFC 2616) via the `TraceEnable` directive. + +Default value: `'On'` + +##### `use_canonical_name` + +Data type: `Optional[Variant[Apache::OnOff, Enum['DNS', 'dns']]]` + +Controls Apache's `UseCanonicalName` directive which controls how Apache handles +self-referential URLs. If not specified, this parameter omits the declaration from the +server's configuration and uses Apache's default setting of 'off'. + +Default value: `undef` + +##### `use_systemd` + +Data type: `Boolean` + +Controls whether the systemd module should be installed on Centos 7 servers, this is +especially useful if using custom-built RPMs. + +Default value: `$apache::params::use_systemd` + +##### `file_mode` + +Data type: `Stdlib::Filemode` + +Sets the desired permissions mode for config files. +Valid values are: a string, with permissions mode in symbolic or numeric notation. + +Default value: `$apache::params::file_mode` + +##### `root_directory_options` + +Data type: `Array` + +Array of the desired options for the `/` directory in httpd.conf. + +Default value: `$apache::params::root_directory_options` + +##### `root_directory_secured` + +Data type: `Boolean` + +Sets the default access policy for the `/` directory in httpd.conf. A value of `false` +allows access to all resources that are missing a more specific access policy. A value of +`true` denies access to all resources by default. If `true`, more specific rules must be +used to allow access to these resources (for example, in a directory block using the +`directories` parameter). + +Default value: `false` + +##### `vhost_dir` + +Data type: `Stdlib::Absolutepath` + +Changes your virtual host configuration files' location. + +Default value: `$apache::params::vhost_dir` + +##### `vhost_include_pattern` + +Data type: `String` + +Defines the pattern for files included from the `vhost_dir`. +If set to a value like `[^.#]\*.conf[^~]` to make sure that files accidentally created in +this directory (such as files created by version control systems or editor backups) are +*not* included in your server configuration.
+Some operating systems use a value of `*.conf`. By default, this module creates configuration +files ending in `.conf`. + +Default value: `$apache::params::vhost_include_pattern` + +##### `user` + +Data type: `String` + +Changes the user that Apache uses to answer requests. Apache's parent process continues +to run as root, but child processes access resources as the user defined by this parameter. +To prevent Puppet from managing the user, set the `manage_user` parameter to `false`. + +Default value: `$apache::params::user` + +##### `apache_name` + +Data type: `String` + +The name of the Apache package to install. If you are using a non-standard Apache package +you might need to override the default setting.
+For CentOS/RHEL Software Collections (SCL), you can also use `apache::version::scl_httpd_version`. + +Default value: `$apache::params::apache_name` + +##### `error_log` + +Data type: `String` + +The name of the error log file for the main server instance. If the string starts with +`/`, `|`, or `syslog`: the full path is set. Otherwise, the filename is prefixed with +`$logroot`. + +Default value: `$apache::params::error_log` + +##### `scriptalias` + +Data type: `String` + +Directory to use for global script alias + +Default value: `$apache::params::scriptalias` + +##### `access_log_file` + +Data type: `String` + +The name of the access log file for the main server instance. + +Default value: `$apache::params::access_log_file` + +##### `limitreqfields` + +Data type: `Integer` + +The `limitreqfields` parameter sets the maximum number of request header fields in +an HTTP request. This directive gives the server administrator greater control over +abnormal client request behavior, which may be useful for avoiding some forms of +denial-of-service attacks. The value should be increased if normal clients see an error +response from the server that indicates too many fields were sent in the request. + +Default value: `100` + +##### `limitreqfieldsize` + +Data type: `Integer` + +The `limitreqfieldsize` parameter sets the maximum ammount of _bytes_ that will +be allowed within a request header. + +Default value: `8190` + +##### `limitreqline` + +Data type: `Optional[Integer]` + +The 'limitreqline' parameter sets the limit on the allowed size of a client's HTTP request-line + +Default value: `undef` + +##### `ip` + +Data type: `Optional[String]` + +Specifies the ip address + +Default value: `undef` + +##### `conf_enabled` + +Data type: `Optional[Stdlib::Absolutepath]` + +Whether the additional config files in `/etc/apache2/conf-enabled` should be managed. + +Default value: `$apache::params::conf_enabled` + +##### `vhost_enable_dir` + +Data type: `Optional[Stdlib::Absolutepath]` + +Set's the vhost definitions which will be stored in sites-availible and if +they will be symlinked to and from sites-enabled. + +Default value: `$apache::params::vhost_enable_dir` + +##### `manage_vhost_enable_dir` + +Data type: `Boolean` + +Overides the vhost_enable_dir inherited parameters and allows it to be disabled + +Default value: `true` + +##### `mod_enable_dir` + +Data type: `Optional[Stdlib::Absolutepath]` + +Set's whether the mods-enabled directory should be managed. + +Default value: `$apache::params::mod_enable_dir` + +##### `ssl_file` + +Data type: `Optional[String]` + +This parameter allows you to set an ssl.conf file to be managed in order to implement +an SSL Certificate. + +Default value: `undef` + +##### `file_e_tag` + +Data type: `Optional[String]` + +Sets the server default for the `FileETag` declaration, which modifies the response header +field for static files. + +Default value: `undef` + +##### `use_optional_includes` + +Data type: `Boolean` + +Specifies whether Apache uses the `IncludeOptional` directive instead of `Include` for +`additional_includes` in Apache 2.4 or newer. + +Default value: `$apache::params::use_optional_includes` + +##### `mime_types_additional` + +Data type: `Hash` + +Specifies any idditional Internet media (mime) types that you wish to be configured. + +Default value: `$apache::params::mime_types_additional` + +### `apache::dev` + +The libraries installed depends on the `dev_packages` parameter of the `apache::params` +class, based on your operating system: +- **Debian** : `libaprutil1-dev`, `libapr1-dev`; `apache2-dev` +- **FreeBSD**: `undef`; on FreeBSD, you must declare the `apache::package` or `apache` classes before declaring `apache::dev`. +- **Gentoo**: `undef`. +- **Red Hat**: `httpd-devel`. + +### `apache::mod::actions` + +Installs Apache mod_actions + +* **See also** + * https://httpd.apache.org/docs/current/mod/mod_actions.html + * for additional documentation. + +### `apache::mod::alias` + +Installs and configures `mod_alias`. + +* **See also** + * https://httpd.apache.org/docs/current/mod/mod_alias.html + * for additional documentation. + +#### Parameters + +The following parameters are available in the `apache::mod::alias` class: + +* [`icons_options`](#-apache--mod--alias--icons_options) +* [`icons_path`](#-apache--mod--alias--icons_path) +* [`icons_prefix`](#-apache--mod--alias--icons_prefix) + +##### `icons_options` + +Data type: `String` + +Disables directory listings for the icons directory, via Apache [Options](https://httpd.apache.org/docs/current/mod/core.html#options) +directive. + +Default value: `'Indexes MultiViews'` + +##### `icons_path` + +Data type: `Variant[Boolean, Stdlib::Absolutepath]` + +Sets the local path for an /icons/ Alias. Default depends on operating system: +- Debian: /usr/share/apache2/icons +- FreeBSD: /usr/local/www/apache24/icons +- Gentoo: /var/www/icons +- Red Hat: /var/www/icons, except on Apache 2.4, where it's /usr/share/httpd/icons +Set to 'false' to disable the alias + +Default value: `$apache::params::alias_icons_path` + +##### `icons_prefix` + +Data type: `String` + +Change the alias for /icons/. + +Default value: `$apache::params::icons_prefix` + +### `apache::mod::apreq2` + +Installs `mod_apreq2`. + +* **Note** Unsupported platforms: CentOS: all; OracleLinux: all; RedHat: all; Scientific: all; SLES: all; Ubuntu: all + +* **See also** + * http://httpd.apache.org/apreq/docs/libapreq2/group__mod__apreq2.html + * for additional documentation. + +### `apache::mod::auth_basic` + +Installs `mod_auth_basic` + +* **See also** + * https://httpd.apache.org/docs/current/mod/mod_auth_basic.html + * for additional documentation. + +### `apache::mod::auth_cas` + +Installs and configures `mod_auth_cas`. + +* **Note** The auth_cas module isn't available on RH/CentOS without providing dependency packages provided by EPEL. + +* **See also** + * https://github.com/apereo/mod_auth_cas + * for additional documentation. + +#### Parameters + +The following parameters are available in the `apache::mod::auth_cas` class: + +* [`cas_login_url`](#-apache--mod--auth_cas--cas_login_url) +* [`cas_validate_url`](#-apache--mod--auth_cas--cas_validate_url) +* [`cas_cookie_path`](#-apache--mod--auth_cas--cas_cookie_path) +* [`cas_cookie_path_mode`](#-apache--mod--auth_cas--cas_cookie_path_mode) +* [`cas_version`](#-apache--mod--auth_cas--cas_version) +* [`cas_debug`](#-apache--mod--auth_cas--cas_debug) +* [`cas_validate_server`](#-apache--mod--auth_cas--cas_validate_server) +* [`cas_validate_depth`](#-apache--mod--auth_cas--cas_validate_depth) +* [`cas_certificate_path`](#-apache--mod--auth_cas--cas_certificate_path) +* [`cas_proxy_validate_url`](#-apache--mod--auth_cas--cas_proxy_validate_url) +* [`cas_root_proxied_as`](#-apache--mod--auth_cas--cas_root_proxied_as) +* [`cas_cookie_entropy`](#-apache--mod--auth_cas--cas_cookie_entropy) +* [`cas_timeout`](#-apache--mod--auth_cas--cas_timeout) +* [`cas_idle_timeout`](#-apache--mod--auth_cas--cas_idle_timeout) +* [`cas_cache_clean_interval`](#-apache--mod--auth_cas--cas_cache_clean_interval) +* [`cas_cookie_domain`](#-apache--mod--auth_cas--cas_cookie_domain) +* [`cas_cookie_http_only`](#-apache--mod--auth_cas--cas_cookie_http_only) +* [`cas_authoritative`](#-apache--mod--auth_cas--cas_authoritative) +* [`cas_validate_saml`](#-apache--mod--auth_cas--cas_validate_saml) +* [`cas_sso_enabled`](#-apache--mod--auth_cas--cas_sso_enabled) +* [`cas_attribute_prefix`](#-apache--mod--auth_cas--cas_attribute_prefix) +* [`cas_attribute_delimiter`](#-apache--mod--auth_cas--cas_attribute_delimiter) +* [`cas_scrub_request_headers`](#-apache--mod--auth_cas--cas_scrub_request_headers) +* [`suppress_warning`](#-apache--mod--auth_cas--suppress_warning) + +##### `cas_login_url` + +Data type: `String` + +Sets the URL to which the module redirects users when they attempt to access a +CAS-protected resource and don't have an active session. + +##### `cas_validate_url` + +Data type: `String` + +Sets the URL to use when validating a client-presented ticket in an HTTP query string. + +##### `cas_cookie_path` + +Data type: `String` + +Sets the location where information on the current session should be stored. This should +be writable by the web server only. + +Default value: `$apache::params::cas_cookie_path` + +##### `cas_cookie_path_mode` + +Data type: `Stdlib::Filemode` + +The mode of cas_cookie_path. + +Default value: `'0750'` + +##### `cas_version` + +Data type: `Integer` + +The version of the CAS protocol to adhere to. + +Default value: `2` + +##### `cas_debug` + +Data type: `String` + +Whether to enable or disable debug mode. + +Default value: `'Off'` + +##### `cas_validate_server` + +Data type: `Optional[String]` + +Whether to validate the presented certificate. This has been deprecated and +removed from Version 1.1-RC1 onward. + +Default value: `undef` + +##### `cas_validate_depth` + +Data type: `Optional[String]` + +The maximum depth for chained certificate validation. + +Default value: `undef` + +##### `cas_certificate_path` + +Data type: `Optional[String]` + +The path leading to the certificate + +Default value: `undef` + +##### `cas_proxy_validate_url` + +Data type: `Optional[String]` + +The URL to use when performing a proxy validation. + +Default value: `undef` + +##### `cas_root_proxied_as` + +Data type: `Optional[String]` + +Sets the URL end users see when access to this Apache server is proxied per vhost. +This URL should not include a trailing slash. + +Default value: `undef` + +##### `cas_cookie_entropy` + +Data type: `Optional[String]` + +When creating a local session, this many random bytes are used to create a unique +session identifier. + +Default value: `undef` + +##### `cas_timeout` + +Data type: `Optional[Integer[0]]` + +The hard limit, in seconds, for a mod_auth_cas session. + +Default value: `undef` + +##### `cas_idle_timeout` + +Data type: `Optional[Integer[0]]` + +The limit, in seconds, of how long a mod_auth_cas session can be idle. + +Default value: `undef` + +##### `cas_cache_clean_interval` + +Data type: `Optional[String]` + +The minimum amount of time that must pass inbetween cache cleanings. + +Default value: `undef` + +##### `cas_cookie_domain` + +Data type: `Optional[String]` + +The value for the 'Domain=' parameter in the Set-Cookie header. + +Default value: `undef` + +##### `cas_cookie_http_only` + +Data type: `Optional[String]` + +Setting this flag prevents the mod_auth_cas cookies from being accessed by +client side Javascript. + +Default value: `undef` + +##### `cas_authoritative` + +Data type: `Optional[String]` + +Determines whether an optional authorization directive is authoritative and thus binding. + +Default value: `undef` + +##### `cas_validate_saml` + +Data type: `Optional[String]` + +Parse response from CAS server for SAML. + +Default value: `undef` + +##### `cas_sso_enabled` + +Data type: `Optional[String]` + +Enables experimental support for single sign out (may mangle POST data). + +Default value: `undef` + +##### `cas_attribute_prefix` + +Data type: `Optional[String]` + +Adds a header with the value of this header being the attribute values when SAML +validation is enabled. + +Default value: `undef` + +##### `cas_attribute_delimiter` + +Data type: `Optional[String]` + +Sets the delimiter between attribute values in the header created by `cas_attribute_prefix`. + +Default value: `undef` + +##### `cas_scrub_request_headers` + +Data type: `Optional[String]` + +Remove inbound request headers that may have special meaning within mod_auth_cas. + +Default value: `undef` + +##### `suppress_warning` + +Data type: `Boolean` + +Suppress warning about being on RedHat (mod_auth_cas package is now available in epel-testing repo). + +Default value: `false` + +### `apache::mod::auth_gssapi` + +Installs `mod_auth_gsappi`. + +* **See also** + * https://github.com/modauthgssapi/mod_auth_gssapi + * for additional documentation. + +### `apache::mod::auth_kerb` + +Installs `mod_auth_kerb` + +* **See also** + * http://modauthkerb.sourceforge.net + * for additional documentation. + +### `apache::mod::auth_mellon` + +Installs and configures `mod_auth_mellon`. + +* **See also** + * https://github.com/Uninett/mod_auth_mellon + * for additional documentation. + +#### Parameters + +The following parameters are available in the `apache::mod::auth_mellon` class: + +* [`mellon_cache_size`](#-apache--mod--auth_mellon--mellon_cache_size) +* [`mellon_lock_file`](#-apache--mod--auth_mellon--mellon_lock_file) +* [`mellon_post_directory`](#-apache--mod--auth_mellon--mellon_post_directory) +* [`mellon_cache_entry_size`](#-apache--mod--auth_mellon--mellon_cache_entry_size) +* [`mellon_post_ttl`](#-apache--mod--auth_mellon--mellon_post_ttl) +* [`mellon_post_size`](#-apache--mod--auth_mellon--mellon_post_size) +* [`mellon_post_count`](#-apache--mod--auth_mellon--mellon_post_count) + +##### `mellon_cache_size` + +Data type: `Optional[Integer]` + +Maximum number of sessions which can be active at once. + +Default value: `$apache::params::mellon_cache_size` + +##### `mellon_lock_file` + +Data type: `Optional[Stdlib::Absolutepath]` + +Full path to a file used for synchronizing access to the session data. + +Default value: `$apache::params::mellon_lock_file` + +##### `mellon_post_directory` + +Data type: `Optional[Stdlib::Absolutepath]` + +Full path of a directory where POST requests are saved during authentication. + +Default value: `$apache::params::mellon_post_directory` + +##### `mellon_cache_entry_size` + +Data type: `Optional[Integer]` + +Maximum size for a single session entry in bytes. + +Default value: `undef` + +##### `mellon_post_ttl` + +Data type: `Optional[Integer]` + +Delay in seconds before a saved POST request can be flushed. + +Default value: `undef` + +##### `mellon_post_size` + +Data type: `Optional[Integer]` + +Maximum size for saved POST requests. + +Default value: `undef` + +##### `mellon_post_count` + +Data type: `Optional[Integer]` + +Maximum amount of saved POST requests. + +Default value: `undef` + +### `apache::mod::auth_openidc` + +Installs and configures `mod_auth_openidc`. + +* **Note** Unsupported platforms: OracleLinux: 6; RedHat: 6; Scientific: 6; SLES: all + +* **See also** + * https://github.com/zmartzone/mod_auth_openidc + * for additional documentation. + +#### Parameters + +The following parameters are available in the `apache::mod::auth_openidc` class: + +* [`manage_dnf_module`](#-apache--mod--auth_openidc--manage_dnf_module) +* [`dnf_module_ensure`](#-apache--mod--auth_openidc--dnf_module_ensure) +* [`dnf_module_name`](#-apache--mod--auth_openidc--dnf_module_name) + +##### `manage_dnf_module` + +Data type: `Boolean` + +Whether to manage the DNF module + +Default value: `$facts['os']['family'] == 'RedHat' and $facts['os']['release']['major'] == '8'` + +##### `dnf_module_ensure` + +Data type: `String[1]` + +The DNF module name to ensure. Only relevant if manage_dnf_module is set to true. + +Default value: `'present'` + +##### `dnf_module_name` + +Data type: `String[1]` + +The DNF module name to manage. Only relevant if manage_dnf_module is set to true. + +Default value: `'mod_auth_openidc'` + +### `apache::mod::authn_core` + +Installs `mod_authn_core`. + +* **See also** + * https://httpd.apache.org/docs/current/mod/mod_authn_core.html + * for additional documentation. + +### `apache::mod::authn_dbd` + +Installs `mod_authn_dbd`. + +* **See also** + * https://httpd.apache.org/docs/current/mod/mod_authn_dbd.html + * for additional documentation. + +#### Parameters + +The following parameters are available in the `apache::mod::authn_dbd` class: + +* [`authn_dbd_params`](#-apache--mod--authn_dbd--authn_dbd_params) +* [`authn_dbd_dbdriver`](#-apache--mod--authn_dbd--authn_dbd_dbdriver) +* [`authn_dbd_query`](#-apache--mod--authn_dbd--authn_dbd_query) +* [`authn_dbd_min`](#-apache--mod--authn_dbd--authn_dbd_min) +* [`authn_dbd_max`](#-apache--mod--authn_dbd--authn_dbd_max) +* [`authn_dbd_keep`](#-apache--mod--authn_dbd--authn_dbd_keep) +* [`authn_dbd_exptime`](#-apache--mod--authn_dbd--authn_dbd_exptime) +* [`authn_dbd_alias`](#-apache--mod--authn_dbd--authn_dbd_alias) + +##### `authn_dbd_params` + +Data type: `Optional[String]` + +The params needed for the mod to function. + +##### `authn_dbd_dbdriver` + +Data type: `String` + +Selects an apr_dbd driver by name. + +Default value: `'mysql'` + +##### `authn_dbd_query` + +Data type: `Optional[String]` + + + +Default value: `undef` + +##### `authn_dbd_min` + +Data type: `Integer` + +Set the minimum number of connections per process. + +Default value: `4` + +##### `authn_dbd_max` + +Data type: `Integer` + +Set the maximum number of connections per process. + +Default value: `20` + +##### `authn_dbd_keep` + +Data type: `Integer` + +Set the maximum number of connections per process to be sustained. + +Default value: `8` + +##### `authn_dbd_exptime` + +Data type: `Integer` + +Set the time to keep idle connections alive when the number of +connections specified in DBDKeep has been exceeded. + +Default value: `300` + +##### `authn_dbd_alias` + +Data type: `Optional[String]` + +Sets an alias for `AuthnProvider. + +Default value: `undef` + +### `apache::mod::authn_file` + +Installs `mod_authn_file`. + +* **See also** + * https://httpd.apache.org/docs/2.4/mod/mod_authn_file.html + * for additional documentation. + +### `apache::mod::authnz_ldap` + +Installs `mod_authnz_ldap`. + +* **Note** Unsupported platforms: RedHat: 6, 8, 9; CentOS: 6, 8; OracleLinux: 6, 8; Ubuntu: all; Debian: all; SLES: all + +* **See also** + * https://httpd.apache.org/docs/current/mod/mod_authnz_ldap.html + * for additional documentation. + +#### Parameters + +The following parameters are available in the `apache::mod::authnz_ldap` class: + +* [`verify_server_cert`](#-apache--mod--authnz_ldap--verify_server_cert) +* [`package_name`](#-apache--mod--authnz_ldap--package_name) + +##### `verify_server_cert` + +Data type: `Boolean` + +Whether to force te verification of a server cert or not. + +Default value: `true` + +##### `package_name` + +Data type: `Optional[String]` + +The name of the ldap package. + +Default value: `undef` + +### `apache::mod::authnz_pam` + +Installs `mod_authnz_pam`. + +* **See also** + * https://www.adelton.com/apache/mod_authnz_pam + * for additional documentation. + +### `apache::mod::authz_core` + +Installs `mod_authz_core`. + +* **See also** + * https://httpd.apache.org/docs/current/mod/mod_authz_core.html + * for additional documentation. + +### `apache::mod::authz_groupfile` + +Installs `mod_authz_groupfile` + +* **See also** + * https://httpd.apache.org/docs/current/mod/mod_authz_groupfile.html + * for additional documentation. + +### `apache::mod::authz_user` + +Installs `mod_authz_user` + +* **See also** + * https://httpd.apache.org/docs/current/mod/mod_authz_user.html + * for additional documentation. + +### `apache::mod::autoindex` + +Installs `mod_autoindex` + +* **See also** + * https://httpd.apache.org/docs/current/mod/mod_autoindex.html + * for additional documentation. + +#### Parameters + +The following parameters are available in the `apache::mod::autoindex` class: + +* [`icons_prefix`](#-apache--mod--autoindex--icons_prefix) + +##### `icons_prefix` + +Data type: `String` + +Change the alias for /icons/. + +Default value: `$apache::params::icons_prefix` + +### `apache::mod::cache` + +Installs `mod_cache` + +* **See also** + * https://httpd.apache.org/docs/current/mod/mod_cache.html + * for additional documentation. + +#### Parameters + +The following parameters are available in the `apache::mod::cache` class: + +* [`cache_ignore_headers`](#-apache--mod--cache--cache_ignore_headers) +* [`cache_default_expire`](#-apache--mod--cache--cache_default_expire) +* [`cache_max_expire`](#-apache--mod--cache--cache_max_expire) +* [`cache_ignore_no_lastmod`](#-apache--mod--cache--cache_ignore_no_lastmod) +* [`cache_header`](#-apache--mod--cache--cache_header) +* [`cache_lock`](#-apache--mod--cache--cache_lock) +* [`cache_ignore_cache_control`](#-apache--mod--cache--cache_ignore_cache_control) + +##### `cache_ignore_headers` + +Data type: `Array[String[1]]` + +Specifies HTTP header(s) that should not be stored in the cache. + +Default value: `[]` + +##### `cache_default_expire` + +Data type: `Optional[Integer]` + +The default duration to cache a document when no expiry date is specified. + +Default value: `undef` + +##### `cache_max_expire` + +Data type: `Optional[Integer]` + +The maximum time in seconds to cache a document + +Default value: `undef` + +##### `cache_ignore_no_lastmod` + +Data type: `Optional[Apache::OnOff]` + +Ignore the fact that a response has no Last Modified header. + +Default value: `undef` + +##### `cache_header` + +Data type: `Optional[Apache::OnOff]` + +Add an X-Cache header to the response. + +Default value: `undef` + +##### `cache_lock` + +Data type: `Optional[Apache::OnOff]` + +Enable the thundering herd lock. + +Default value: `undef` + +##### `cache_ignore_cache_control` + +Data type: `Optional[Apache::OnOff]` + +Ignore request to not serve cached content to client + +Default value: `undef` + +### `apache::mod::cache_disk` + +Installs and configures `mod_cache_disk`. + +* **See also** + * https://httpd.apache.org/docs/2.4/mod/mod_cache_disk.html + +#### Parameters + +The following parameters are available in the `apache::mod::cache_disk` class: + +* [`cache_root`](#-apache--mod--cache_disk--cache_root) +* [`cache_enable`](#-apache--mod--cache_disk--cache_enable) +* [`cache_dir_length`](#-apache--mod--cache_disk--cache_dir_length) +* [`cache_dir_levels`](#-apache--mod--cache_disk--cache_dir_levels) +* [`cache_max_filesize`](#-apache--mod--cache_disk--cache_max_filesize) +* [`cache_ignore_headers`](#-apache--mod--cache_disk--cache_ignore_headers) +* [`configuration_file_name`](#-apache--mod--cache_disk--configuration_file_name) + +##### `cache_root` + +Data type: `Optional[Stdlib::Absolutepath]` + +Defines the name of the directory on the disk to contain cache files. +Default depends on the Apache version and operating system: +- Debian: /var/cache/apache2/mod_cache_disk +- FreeBSD: /var/cache/mod_cache_disk +- Red Hat: /var/cache/httpd/proxy + +Default value: `undef` + +##### `cache_enable` + +Data type: `Array[String]` + +Defines an array of directories to cache, the default is none + +Default value: `[]` + +##### `cache_dir_length` + +Data type: `Optional[Integer]` + +The number of characters in subdirectory names + +Default value: `undef` + +##### `cache_dir_levels` + +Data type: `Optional[Integer]` + +The number of levels of subdirectories in the cache. + +Default value: `undef` + +##### `cache_max_filesize` + +Data type: `Optional[Integer]` + +The maximum size (in bytes) of a document to be placed in the cache + +Default value: `undef` + +##### `cache_ignore_headers` + +Data type: `Optional[String]` + +DEPRECATED Ignore request to not serve cached content to client (included for compatibility reasons to support disk_cache) + +Default value: `undef` + +##### `configuration_file_name` + +Data type: `Optional[String]` + +DEPRECATED Name of module configuration file (used for the compatibility layer for disk_cache) + +Default value: `undef` + +### `apache::mod::cgi` + +Installs `mod_cgi`. + +* **See also** + * https://httpd.apache.org/docs/current/mod/mod_cgi.html + * for additional documentation. + +### `apache::mod::cgid` + +Installs `mod_cgid`. + +* **See also** + * https://httpd.apache.org/docs/current/mod/mod_cgid.html + +### `apache::mod::cluster` + +Installs `mod_cluster`. + +* **Note** There is no official package available for mod_cluster, so you must make it available outside of the apache module. +Binaries can be found [here](https://modcluster.io/). + +* **See also** + * https://modcluster.io/ + * for additional documentation. + +#### Examples + +##### + +```puppet +class { '::apache::mod::cluster': + ip => '172.17.0.1', + allowed_network => '172.17.0.', + balancer_name => 'mycluster', + version => '1.3.1' +} +``` + +#### Parameters + +The following parameters are available in the `apache::mod::cluster` class: + +* [`allowed_network`](#-apache--mod--cluster--allowed_network) +* [`balancer_name`](#-apache--mod--cluster--balancer_name) +* [`ip`](#-apache--mod--cluster--ip) +* [`version`](#-apache--mod--cluster--version) +* [`enable_mcpm_receive`](#-apache--mod--cluster--enable_mcpm_receive) +* [`port`](#-apache--mod--cluster--port) +* [`keep_alive_timeout`](#-apache--mod--cluster--keep_alive_timeout) +* [`manager_allowed_network`](#-apache--mod--cluster--manager_allowed_network) +* [`max_keep_alive_requests`](#-apache--mod--cluster--max_keep_alive_requests) +* [`server_advertise`](#-apache--mod--cluster--server_advertise) +* [`advertise_frequency`](#-apache--mod--cluster--advertise_frequency) + +##### `allowed_network` + +Data type: `String` + +Balanced members network. + +##### `balancer_name` + +Data type: `String` + +Name of balancer. + +##### `ip` + +Data type: `Stdlib::IP::Address` + +Specifies the IP address to listen to. + +##### `version` + +Data type: `String` + +Specifies the mod_cluster version. Version 1.3.0 or greater is required for httpd 2.4. + +##### `enable_mcpm_receive` + +Data type: `Boolean` + +Whether MCPM should be enabled. + +Default value: `true` + +##### `port` + +Data type: `Stdlib::Port` + +mod_cluster listen port. + +Default value: `6666` + +##### `keep_alive_timeout` + +Data type: `Integer` + +Specifies how long Apache should wait for a request, in seconds. + +Default value: `60` + +##### `manager_allowed_network` + +Data type: `Stdlib::IP::Address` + +Whether to allow the network to access the mod_cluster_manager. + +Default value: `'127.0.0.1'` + +##### `max_keep_alive_requests` + +Data type: `Integer` + +Maximum number of requests kept alive. + +Default value: `0` + +##### `server_advertise` + +Data type: `Boolean` + +Whether the server should advertise. + +Default value: `true` + +##### `advertise_frequency` + +Data type: `Optional[String]` + +Sets the interval between advertise messages in seconds. + +Default value: `undef` + +### `apache::mod::data` + +Installs and configures `mod_data`. + +* **See also** + * https://httpd.apache.org/docs/current/mod/mod_data.html + * for additional documentation. + +### `apache::mod::dav` + +Installs `mod_dav`. + +* **See also** + * https://httpd.apache.org/docs/current/mod/mod_dav.html + * for additional documentation. + +### `apache::mod::dav_fs` + +Installs `mod_dav_fs`. + +* **See also** + * https://httpd.apache.org/docs/current/mod/mod_dav_fs.html + * for additional documentation. + +### `apache::mod::dav_svn` + +Installs and configures `mod_dav_svn`. + +* **See also** + * https://httpd.apache.org/docs/current/mod/mod_dav_svn.html + * for additional documentation. + +#### Parameters + +The following parameters are available in the `apache::mod::dav_svn` class: + +* [`authz_svn_enabled`](#-apache--mod--dav_svn--authz_svn_enabled) + +##### `authz_svn_enabled` + +Data type: `Boolean` + +Specifies whether to install Apache mod_authz_svn + +Default value: `false` + +### `apache::mod::dbd` + +Installs `mod_dbd`. + +* **See also** + * https://httpd.apache.org/docs/current/mod/mod_dbd.html + * for additional documentation. + +### `apache::mod::deflate` + +Installs and configures `mod_deflate`. + +* **See also** + * https://httpd.apache.org/docs/current/mod/mod_deflate.html + * for additional documentation. + +#### Parameters + +The following parameters are available in the `apache::mod::deflate` class: + +* [`types`](#-apache--mod--deflate--types) +* [`notes`](#-apache--mod--deflate--notes) + +##### `types` + +Data type: `Array[String]` + +An array of MIME types to be deflated. See https://www.iana.org/assignments/media-types/media-types.xhtml. + +Default value: + +```puppet +[ + 'text/html text/plain text/xml', + 'text/css', + 'application/x-javascript application/javascript application/ecmascript', + 'application/rss+xml', + 'application/json', + ] +``` + +##### `notes` + +Data type: `Hash` + +A Hash where the key represents the type and the value represents the note name. + +Default value: + +```puppet +{ + 'Input' => 'instream', + 'Output' => 'outstream', + 'Ratio' => 'ratio', + } +``` + +### `apache::mod::dir` + +Installs and configures `mod_dir`. + +* **TODO** This sets the global DirectoryIndex directive, so it may be necessary to consider being able to modify the apache::vhost to declare +DirectoryIndex statements in a vhost configuration + +* **See also** + * https://httpd.apache.org/docs/current/mod/mod_dir.html + * for additional documentation. + +#### Parameters + +The following parameters are available in the `apache::mod::dir` class: + +* [`dir`](#-apache--mod--dir--dir) +* [`indexes`](#-apache--mod--dir--indexes) + +##### `dir` + +Data type: `String` + + + +Default value: `'public_html'` + +##### `indexes` + +Data type: `Array[String]` + +Provides a string for the DirectoryIndex directive + +Default value: + +```puppet +[ + 'index.html', + 'index.html.var', + 'index.cgi', + 'index.pl', + 'index.php', + 'index.xhtml', + ] +``` + +### `apache::mod::disk_cache` + +Installs and configures `mod_disk_cache`. + +* **Note** Apache 2.2, mod_disk_cache installed. On Apache 2.4, mod_cache_disk installed. +This class is deprecated, use mode_cache_disk instead + +* **See also** + * https://httpd.apache.org/docs/2.4/mod/mod_cache_disk.html + * for additional documentation on version 2.4. + +#### Parameters + +The following parameters are available in the `apache::mod::disk_cache` class: + +* [`cache_root`](#-apache--mod--disk_cache--cache_root) +* [`cache_ignore_headers`](#-apache--mod--disk_cache--cache_ignore_headers) +* [`default_cache_enable`](#-apache--mod--disk_cache--default_cache_enable) + +##### `cache_root` + +Data type: `Optional[Stdlib::Absolutepath]` + +Defines the name of the directory on the disk to contain cache files. +Default depends on the Apache version and operating system: +- Debian: /var/cache/apache2/mod_cache_disk +- FreeBSD: /var/cache/mod_cache_disk + +Default value: `undef` + +##### `cache_ignore_headers` + +Data type: `Optional[String]` + +Specifies HTTP header(s) that should not be stored in the cache. + +Default value: `undef` + +##### `default_cache_enable` + +Data type: `Boolean` + +Default value is true, which enables "CacheEnable disk /" in disk_cache.conf for the webserver. This would cache +every request to apache by default for every vhost. If set to false the default cache all behaviour is supressed. +You can then control this behaviour in individual vhosts by explicitly defining CacheEnable. + +Default value: `true` + +### `apache::mod::dumpio` + +Installs and configures `mod_dumpio`. + +* **See also** + * https://httpd.apache.org/docs/current/mod/mod_dumpio.html + * for additional documentation. + +#### Examples + +##### + +```puppet +class{'apache': + default_mods => false, + log_level => 'dumpio:trace7', +} +class{'apache::mod::dumpio': + dump_io_input => 'On', + dump_io_output => 'Off', +} +``` + +#### Parameters + +The following parameters are available in the `apache::mod::dumpio` class: + +* [`dump_io_input`](#-apache--mod--dumpio--dump_io_input) +* [`dump_io_output`](#-apache--mod--dumpio--dump_io_output) + +##### `dump_io_input` + +Data type: `Apache::OnOff` + +Dump all input data to the error log + +Default value: `'Off'` + +##### `dump_io_output` + +Data type: `Apache::OnOff` + +Dump all output data to the error log + +Default value: `'Off'` + +### `apache::mod::env` + +Installs `mod_env`. + +* **See also** + * https://httpd.apache.org/docs/current/mod/mod_env.html + * for additional documentation. + +### `apache::mod::event` + +Installs and configures `mod_event`. + +* **Note** You cannot include apache::mod::event with apache::mod::itk, apache::mod::peruser, apache::mod::prefork, or +apache::mod::worker on the same server. + +* **See also** + * https://httpd.apache.org/docs/current/mod/event.html + * for additional documentation. + +#### Parameters + +The following parameters are available in the `apache::mod::event` class: + +* [`startservers`](#-apache--mod--event--startservers) +* [`maxrequestworkers`](#-apache--mod--event--maxrequestworkers) +* [`minsparethreads`](#-apache--mod--event--minsparethreads) +* [`maxsparethreads`](#-apache--mod--event--maxsparethreads) +* [`threadsperchild`](#-apache--mod--event--threadsperchild) +* [`maxconnectionsperchild`](#-apache--mod--event--maxconnectionsperchild) +* [`serverlimit`](#-apache--mod--event--serverlimit) +* [`threadlimit`](#-apache--mod--event--threadlimit) +* [`listenbacklog`](#-apache--mod--event--listenbacklog) + +##### `startservers` + +Data type: `Variant[Integer, Boolean]` + +Sets the number of child server processes created at startup, via the module's `StartServers` directive. Setting this to `false` +removes the parameter. + +Default value: `2` + +##### `maxrequestworkers` + +Data type: `Optional[Variant[Integer, Boolean]]` + +Sets the maximum number of connections Apache can simultaneously process, via the module's `MaxRequestWorkers` directive. Setting +these to `false` removes the parameters. + +Default value: `undef` + +##### `minsparethreads` + +Data type: `Variant[Integer, Boolean]` + +Sets the minimum number of idle threads, via the `MinSpareThreads` directive. Setting this to `false` removes the parameters. + +Default value: `25` + +##### `maxsparethreads` + +Data type: `Variant[Integer, Boolean]` + +Sets the maximum number of idle threads, via the `MaxSpareThreads` directive. Setting this to `false` removes the parameters. + +Default value: `75` + +##### `threadsperchild` + +Data type: `Variant[Integer, Boolean]` + +Number of threads created by each child process. + +Default value: `25` + +##### `maxconnectionsperchild` + +Data type: `Optional[Variant[Integer, Boolean]]` + +Limit on the number of connections that an individual child server will handle during its life. + +Default value: `undef` + +##### `serverlimit` + +Data type: `Variant[Integer, Boolean]` + +Limits the configurable number of processes via the `ServerLimit` directive. Setting this to `false` removes the parameter. + +Default value: `25` + +##### `threadlimit` + +Data type: `Variant[Integer, Boolean]` + +Limits the number of event threads via the module's `ThreadLimit` directive. Setting this to `false` removes the parameter. + +Default value: `64` + +##### `listenbacklog` + +Data type: `Variant[Integer, Boolean]` + +Sets the maximum length of the pending connections queue via the module's `ListenBackLog` directive. Setting this to `false` removes +the parameter. + +Default value: `511` + +### `apache::mod::expires` + +Installs and configures `mod_expires`. + +* **See also** + * https://httpd.apache.org/docs/current/mod/mod_expires.html + * for additional documentation. + +#### Parameters + +The following parameters are available in the `apache::mod::expires` class: + +* [`expires_active`](#-apache--mod--expires--expires_active) +* [`expires_default`](#-apache--mod--expires--expires_default) +* [`expires_by_type`](#-apache--mod--expires--expires_by_type) + +##### `expires_active` + +Data type: `Boolean` + +Enables generation of Expires headers. + +Default value: `true` + +##### `expires_default` + +Data type: `Optional[String]` + +Specifies the default algorithm for calculating expiration time using ExpiresByType syntax or interval syntax. + +Default value: `undef` + +##### `expires_by_type` + +Data type: `Optional[Array[Hash]]` + +Describes a set of [MIME content-types](https://www.iana.org/assignments/media-types/media-types.xhtml) and their expiration +times. This should be used as an array of Hashes, with each Hash's key a valid MIME content-type (i.e. 'text/json') and its +value following valid interval syntax. + +Default value: `undef` + +### `apache::mod::ext_filter` + +Installs and configures `mod_ext_filter`. + +* **See also** + * https://httpd.apache.org/docs/current/mod/mod_ext_filter.html + * for additional documentation. + +#### Examples + +##### + +```puppet +class { 'apache::mod::ext_filter': + ext_filter_define => { + 'slowdown' => 'mode=output cmd=/bin/cat preservescontentlength', + 'puppetdb-strip' => 'mode=output outtype=application/json cmd="pdb-resource-filter"', + }, +} +``` + +#### Parameters + +The following parameters are available in the `apache::mod::ext_filter` class: + +* [`ext_filter_define`](#-apache--mod--ext_filter--ext_filter_define) + +##### `ext_filter_define` + +Data type: `Optional[Hash]` + +Hash of filter names and their parameters. + +Default value: `undef` + +### `apache::mod::fcgid` + +loaded first; Puppet will not automatically enable it if you set the fcgiwrapper parameter in apache::vhost. + include apache::mod::fcgid + + apache::vhost { 'example.org': + docroot => '/var/www/html', + directories => { + path => '/var/www/html', + fcgiwrapper => { + command => '/usr/local/bin/fcgiwrapper', + } + }, + } + +* **See also** + * https://httpd.apache.org/docs/current/mod/mod_fcgid.html + * for additional documentation. + +#### Examples + +##### The class does not individually parameterize all available options. Instead, configure mod_fcgid using the options hash. + +```puppet +class { 'apache::mod::fcgid': + options => { + 'FcgidIPCDir' => '/var/run/fcgidsock', + 'SharememPath' => '/var/run/fcgid_shm', + 'AddHandler' => 'fcgid-script .fcgi', + }, +} +``` + +##### If you include apache::mod::fcgid, you can set the [FcgidWrapper][] per directory, per virtual host. The module must be + +```puppet + +``` + +#### Parameters + +The following parameters are available in the `apache::mod::fcgid` class: + +* [`options`](#-apache--mod--fcgid--options) + +##### `options` + +Data type: `Hash` + +A hash used to parameterize the availible options: +expires_active + Enables generation of Expires headers. +expires_default + Default algorithm for calculating expiration time. +expires_by_type + Value of the Expires header configured by MIME type. + +Default value: `{}` + +### `apache::mod::filter` + +Installs `mod_filter`. + +* **See also** + * https://httpd.apache.org/docs/current/mod/mod_filter.html + * for additional documentation. + +### `apache::mod::geoip` + +Installs and configures `mod_geoip`. + +* **See also** + * https://dev.maxmind.com/geoip/legacy/mod_geoip2 + * for additional documentation. + +#### Parameters + +The following parameters are available in the `apache::mod::geoip` class: + +* [`enable`](#-apache--mod--geoip--enable) +* [`db_file`](#-apache--mod--geoip--db_file) +* [`flag`](#-apache--mod--geoip--flag) +* [`output`](#-apache--mod--geoip--output) +* [`enable_utf8`](#-apache--mod--geoip--enable_utf8) +* [`scan_proxy_headers`](#-apache--mod--geoip--scan_proxy_headers) +* [`scan_proxy_header_field`](#-apache--mod--geoip--scan_proxy_header_field) +* [`use_last_xforwarededfor_ip`](#-apache--mod--geoip--use_last_xforwarededfor_ip) + +##### `enable` + +Data type: `Boolean` + +Toggles whether to enable geoip. + +Default value: `false` + +##### `db_file` + +Data type: `Stdlib::Absolutepath` + +Path to database for GeoIP to use. + +Default value: `'/usr/share/GeoIP/GeoIP.dat'` + +##### `flag` + +Data type: `String` + +Caching directive to use. Values: 'CheckCache', 'IndexCache', 'MemoryCache', 'Standard'. + +Default value: `'Standard'` + +##### `output` + +Data type: `String` + +Output variable locations. Values: 'All', 'Env', 'Request', 'Notes'. + +Default value: `'All'` + +##### `enable_utf8` + +Data type: `Optional[String]` + +Changes the output from ISO88591 (Latin1) to UTF8. + +Default value: `undef` + +##### `scan_proxy_headers` + +Data type: `Optional[String]` + +Enables the GeoIPScanProxyHeaders option. + +Default value: `undef` + +##### `scan_proxy_header_field` + +Data type: `Optional[String]` + +Specifies the header mod_geoip uses to determine the client's IP address. + +Default value: `undef` + +##### `use_last_xforwarededfor_ip` + +Data type: `Optional[String]` + +Determines whether to use the first or last IP address for the client's IP in a comma-separated list of IP addresses is found. + +Default value: `undef` + +### `apache::mod::headers` + +Installs and configures `mod_headers`. + +* **See also** + * https://httpd.apache.org/docs/current/mod/mod_headers.html + * for additional documentation. + +### `apache::mod::http2` + +Installs and configures `mod_http2`. + +* **See also** + * https://httpd.apache.org/docs/current/mod/mod_http2.html + * for additional documentation. + +#### Parameters + +The following parameters are available in the `apache::mod::http2` class: + +* [`h2_copy_files`](#-apache--mod--http2--h2_copy_files) +* [`h2_direct`](#-apache--mod--http2--h2_direct) +* [`h2_early_hints`](#-apache--mod--http2--h2_early_hints) +* [`h2_max_session_streams`](#-apache--mod--http2--h2_max_session_streams) +* [`h2_max_worker_idle_seconds`](#-apache--mod--http2--h2_max_worker_idle_seconds) +* [`h2_max_workers`](#-apache--mod--http2--h2_max_workers) +* [`h2_min_workers`](#-apache--mod--http2--h2_min_workers) +* [`h2_modern_tls_only`](#-apache--mod--http2--h2_modern_tls_only) +* [`h2_push`](#-apache--mod--http2--h2_push) +* [`h2_push_diary_size`](#-apache--mod--http2--h2_push_diary_size) +* [`h2_push_priority`](#-apache--mod--http2--h2_push_priority) +* [`h2_push_resource`](#-apache--mod--http2--h2_push_resource) +* [`h2_serialize_headers`](#-apache--mod--http2--h2_serialize_headers) +* [`h2_stream_max_mem_size`](#-apache--mod--http2--h2_stream_max_mem_size) +* [`h2_tls_cool_down_secs`](#-apache--mod--http2--h2_tls_cool_down_secs) +* [`h2_tls_warm_up_size`](#-apache--mod--http2--h2_tls_warm_up_size) +* [`h2_upgrade`](#-apache--mod--http2--h2_upgrade) +* [`h2_window_size`](#-apache--mod--http2--h2_window_size) + +##### `h2_copy_files` + +Data type: `Optional[Boolean]` + +Determine file handling in responses. + +Default value: `undef` + +##### `h2_direct` + +Data type: `Optional[Boolean]` + +H2 Direct Protocol Switch. + +Default value: `undef` + +##### `h2_early_hints` + +Data type: `Optional[Boolean]` + +Determine sending of 103 status codes. + +Default value: `undef` + +##### `h2_max_session_streams` + +Data type: `Optional[Integer]` + +Sets maximum number of active streams per HTTP/2 session. + +Default value: `undef` + +##### `h2_max_worker_idle_seconds` + +Data type: `Optional[Integer]` + +Sets maximum number of seconds h2 workers remain idle until shut down. + +Default value: `undef` + +##### `h2_max_workers` + +Data type: `Optional[Integer]` + +Sets maximum number of worker threads to use per child process. + +Default value: `undef` + +##### `h2_min_workers` + +Data type: `Optional[Integer]` + +Sets minimal number of worker threads to use per child process. + +Default value: `undef` + +##### `h2_modern_tls_only` + +Data type: `Optional[Boolean]` + +Toggles the security checks on HTTP/2 connections in TLS mode + +Default value: `undef` + +##### `h2_push` + +Data type: `Optional[Boolean]` + +Toggles the usage of the HTTP/2 server push protocol feature. + +Default value: `undef` + +##### `h2_push_diary_size` + +Data type: `Optional[Integer]` + +Sets maximum number of HTTP/2 server pushes that are remembered per HTTP/2 connection. + +Default value: `undef` + +##### `h2_push_priority` + +Data type: `Array[String]` + +Require HTTP/2 connections to be "modern TLS" only + +Default value: `[]` + +##### `h2_push_resource` + +Data type: `Array[String]` + +When added to a directory/location, HTTP/2 PUSHes will be attempted for all paths added +via this directive + +Default value: `[]` + +##### `h2_serialize_headers` + +Data type: `Optional[Boolean]` + +Toggles if HTTP/2 requests shall be serialized in HTTP/1.1 format for processing by httpd +core or if received binary data shall be passed into the request_recs directly. + +Default value: `undef` + +##### `h2_stream_max_mem_size` + +Data type: `Optional[Integer]` + +Sets the maximum number of outgoing data bytes buffered in memory for an active streams. + +Default value: `undef` + +##### `h2_tls_cool_down_secs` + +Data type: `Optional[Integer]` + +Sets the number of seconds of idle time on a TLS connection before the TLS write size falls +back to small (~1300 bytes) length. + +Default value: `undef` + +##### `h2_tls_warm_up_size` + +Data type: `Optional[Integer]` + +Sets the number of bytes to be sent in small TLS records (~1300 bytes) until doing maximum +sized writes (16k) on https: HTTP/2 connections. + +Default value: `undef` + +##### `h2_upgrade` + +Data type: `Optional[Boolean]` + +Toggles the usage of the HTTP/1.1 Upgrade method for switching to HTTP/2. + +Default value: `undef` + +##### `h2_window_size` + +Data type: `Optional[Integer]` + +Sets the size of the window that is used for flow control from client to server and limits +the amount of data the server has to buffer. + +Default value: `undef` + +### `apache::mod::include` + +Installs `mod_include`. + +* **See also** + * https://httpd.apache.org/docs/current/mod/mod_include.html + * for additional documentation. + +### `apache::mod::info` + +Installs and configures `mod_info`. + +* **See also** + * https://httpd.apache.org/docs/current/mod/mod_info.html + * for additional documentation. + +#### Parameters + +The following parameters are available in the `apache::mod::info` class: + +* [`allow_from`](#-apache--mod--info--allow_from) +* [`restrict_access`](#-apache--mod--info--restrict_access) +* [`info_path`](#-apache--mod--info--info_path) + +##### `allow_from` + +Data type: `Array[Stdlib::IP::Address]` + +Allowlist of IPv4 or IPv6 addresses or ranges that can access the info path. + +Default value: `['127.0.0.1', '::1']` + +##### `restrict_access` + +Data type: `Boolean` + +Toggles whether to restrict access to info path. If `false`, the `allow_from` allowlist is ignored and any IP address can +access the info path. + +Default value: `true` + +##### `info_path` + +Data type: `Stdlib::Unixpath` + +Path on server to file containing server configuration information. + +Default value: `'/server-info'` + +### `apache::mod::intercept_form_submit` + +Installs `mod_intercept_form_submit`. + +* **See also** + * https://www.adelton.com/apache/mod_intercept_form_submit + * for additional documentation. + +### `apache::mod::itk` + +Installs MPM `mod_itk`. + +* **Note** Unsupported platforms: CentOS: 8; RedHat: 8, 9; SLES: all + +* **See also** + * http://mpm-itk.sesse.net + * for additional documentation. + +#### Parameters + +The following parameters are available in the `apache::mod::itk` class: + +* [`startservers`](#-apache--mod--itk--startservers) +* [`minspareservers`](#-apache--mod--itk--minspareservers) +* [`maxspareservers`](#-apache--mod--itk--maxspareservers) +* [`serverlimit`](#-apache--mod--itk--serverlimit) +* [`maxclients`](#-apache--mod--itk--maxclients) +* [`maxrequestsperchild`](#-apache--mod--itk--maxrequestsperchild) +* [`enablecapabilities`](#-apache--mod--itk--enablecapabilities) + +##### `startservers` + +Data type: `Integer` + +Number of child server processes created on startup. + +Default value: `8` + +##### `minspareservers` + +Data type: `Integer` + +Minimum number of idle child server processes. + +Default value: `5` + +##### `maxspareservers` + +Data type: `Integer` + +Maximum number of idle child server processes. + +Default value: `20` + +##### `serverlimit` + +Data type: `Integer` + +Maximum configured value for `MaxRequestWorkers` for the lifetime of the Apache httpd process. + +Default value: `256` + +##### `maxclients` + +Data type: `Integer` + +Limit on the number of simultaneous requests that will be served. + +Default value: `256` + +##### `maxrequestsperchild` + +Data type: `Integer` + +Limit on the number of connections that an individual child server process will handle. + +Default value: `4000` + +##### `enablecapabilities` + +Data type: `Optional[Variant[Boolean, String]]` + +Drop most root capabilities in the parent process, and instead run as the user given by the User/Group directives with some extra +capabilities (in particular setuid). Somewhat more secure, but can cause problems when serving from filesystems that do not honor +capabilities, such as NFS. + +Default value: `undef` + +### `apache::mod::jk` + +Installs `mod_jk`. + +* **Note** shm_file and log_file +Depending on how these files are specified, the class creates their final path differently: + +Relative path: prepends supplied path with logroot (see below) +Absolute path or pipe: uses supplied path as-is + +``` +shm_file => 'shm_file' +# Ends up in +$shm_path = '/var/log/httpd/shm_file' + +shm_file => '/run/shm_file' +# Ends up in +$shm_path = '/run/shm_file' + +shm_file => '"|rotatelogs /var/log/httpd/mod_jk.log.%Y%m%d 86400 -180"' +# Ends up in +$shm_path = '"|rotatelogs /var/log/httpd/mod_jk.log.%Y%m%d 86400 -180"' +``` + +* **See also** + * https://tomcat.apache.org/connectors-doc/reference/apache.html + * for additional documentation. + +#### Examples + +##### + +```puppet +class { '::apache::mod::jk': + ip => '192.168.2.15', + workers_file => 'conf/workers.properties', + mount_file => 'conf/uriworkermap.properties', + shm_file => 'run/jk.shm', + shm_size => '50M', + workers_file_content => { + + }, +} +``` + +#### Parameters + +The following parameters are available in the `apache::mod::jk` class: + +* [`ip`](#-apache--mod--jk--ip) +* [`port`](#-apache--mod--jk--port) +* [`add_listen`](#-apache--mod--jk--add_listen) +* [`workers_file`](#-apache--mod--jk--workers_file) +* [`worker_property`](#-apache--mod--jk--worker_property) +* [`logroot`](#-apache--mod--jk--logroot) +* [`shm_file`](#-apache--mod--jk--shm_file) +* [`shm_size`](#-apache--mod--jk--shm_size) +* [`mount_file`](#-apache--mod--jk--mount_file) +* [`mount_file_reload`](#-apache--mod--jk--mount_file_reload) +* [`mount`](#-apache--mod--jk--mount) +* [`un_mount`](#-apache--mod--jk--un_mount) +* [`auto_alias`](#-apache--mod--jk--auto_alias) +* [`mount_copy`](#-apache--mod--jk--mount_copy) +* [`worker_indicator`](#-apache--mod--jk--worker_indicator) +* [`watchdog_interval`](#-apache--mod--jk--watchdog_interval) +* [`log_file`](#-apache--mod--jk--log_file) +* [`log_level`](#-apache--mod--jk--log_level) +* [`log_stamp_format`](#-apache--mod--jk--log_stamp_format) +* [`request_log_format`](#-apache--mod--jk--request_log_format) +* [`extract_ssl`](#-apache--mod--jk--extract_ssl) +* [`https_indicator`](#-apache--mod--jk--https_indicator) +* [`sslprotocol_indicator`](#-apache--mod--jk--sslprotocol_indicator) +* [`certs_indicator`](#-apache--mod--jk--certs_indicator) +* [`cipher_indicator`](#-apache--mod--jk--cipher_indicator) +* [`certchain_prefix`](#-apache--mod--jk--certchain_prefix) +* [`session_indicator`](#-apache--mod--jk--session_indicator) +* [`keysize_indicator`](#-apache--mod--jk--keysize_indicator) +* [`local_name_indicator`](#-apache--mod--jk--local_name_indicator) +* [`ignore_cl_indicator`](#-apache--mod--jk--ignore_cl_indicator) +* [`local_addr_indicator`](#-apache--mod--jk--local_addr_indicator) +* [`local_port_indicator`](#-apache--mod--jk--local_port_indicator) +* [`remote_host_indicator`](#-apache--mod--jk--remote_host_indicator) +* [`remote_addr_indicator`](#-apache--mod--jk--remote_addr_indicator) +* [`remote_port_indicator`](#-apache--mod--jk--remote_port_indicator) +* [`remote_user_indicator`](#-apache--mod--jk--remote_user_indicator) +* [`auth_type_indicator`](#-apache--mod--jk--auth_type_indicator) +* [`options`](#-apache--mod--jk--options) +* [`env_var`](#-apache--mod--jk--env_var) +* [`strip_session`](#-apache--mod--jk--strip_session) +* [`location_list`](#-apache--mod--jk--location_list) +* [`workers_file_content`](#-apache--mod--jk--workers_file_content) +* [`mount_file_content`](#-apache--mod--jk--mount_file_content) + +##### `ip` + +Data type: `Optional[Stdlib::IP::Address]` + +IP for binding to mod_jk. Useful when the binding address is not the primary network interface IP. + +Default value: `undef` + +##### `port` + +Data type: `Stdlib::Port` + +Port for binding to mod_jk. Useful when something else, like a reverse proxy or cache, is receiving requests at port 80, then +needs to forward them to Apache at a different port. + +Default value: `80` + +##### `add_listen` + +Data type: `Boolean` + +Defines if a Listen directive according to parameters ip and port (see below), so that Apache listens to the IP/port combination +and redirect to mod_jk. Useful when another Listen directive, like Listen *: or Listen , can conflict with the one +necessary for mod_jk binding. + +Default value: `true` + +##### `workers_file` + +Data type: `Optional[String]` + +The name of a worker file for the Tomcat servlet containers. + +Default value: `undef` + +##### `worker_property` + +Data type: `Hash` + +Enables setting worker properties inside Apache configuration file. + +Default value: `{}` + +##### `logroot` + +Data type: `Optional[Stdlib::Absolutepath]` + +The base directory for shm_file and log_file is determined by the logroot parameter. If unspecified, defaults to +apache::params::logroot. The default logroot is sane enough therefore it is not recommended to override it. + +Default value: `undef` + +##### `shm_file` + +Data type: `String` + +Shared memory file name. + +Default value: `'jk-runtime-status'` + +##### `shm_size` + +Data type: `Optional[String]` + +Size of the shared memory file name. + +Default value: `undef` + +##### `mount_file` + +Data type: `Optional[String]` + +File containing multiple mappings from a context to a Tomcat worker. + +Default value: `undef` + +##### `mount_file_reload` + +Data type: `Optional[String]` + +This directive configures the reload check interval in seconds. + +Default value: `undef` + +##### `mount` + +Data type: `Hash` + +A mount point from a context to a Tomcat worker. + +Default value: `{}` + +##### `un_mount` + +Data type: `Hash` + +An exclusion mount point from a context to a Tomcat worker. + +Default value: `{}` + +##### `auto_alias` + +Data type: `Optional[String]` + +Automatically Alias webapp context directories into the Apache document space + +Default value: `undef` + +##### `mount_copy` + +Data type: `Optional[String]` + +If this directive is set to "On" in some virtual server, the mounts from the global server will be copied +to this virtual server, more precisely all mounts defined by JkMount or JkUnMount. + +Default value: `undef` + +##### `worker_indicator` + +Data type: `Optional[String]` + +Name of the Apache environment variable that can be used to set worker names in combination with SetHandler +jakarta-servlet. + +Default value: `undef` + +##### `watchdog_interval` + +Data type: `Optional[Integer]` + +This directive configures the watchdog thread interval in seconds. + +Default value: `undef` + +##### `log_file` + +Data type: `String` + +Full or server relative path to the mod_jk log file. + +Default value: `'mod_jk.log'` + +##### `log_level` + +Data type: `Optional[String]` + +The mod_jk log level, can be debug, info, warn error or trace. + +Default value: `undef` + +##### `log_stamp_format` + +Data type: `Optional[String]` + +The mod_jk date log format, using an extended strftime syntax. + +Default value: `undef` + +##### `request_log_format` + +Data type: `Optional[String]` + +Request log format string. + +Default value: `undef` + +##### `extract_ssl` + +Data type: `Optional[String]` + +Turns on SSL processing and information gathering by mod_jk. + +Default value: `undef` + +##### `https_indicator` + +Data type: `Optional[String]` + +Name of the Apache environment variable that contains SSL indication. + +Default value: `undef` + +##### `sslprotocol_indicator` + +Data type: `Optional[String]` + +Name of the Apache environment variable that contains the SSL protocol name. + +Default value: `undef` + +##### `certs_indicator` + +Data type: `Optional[String]` + +Name of the Apache environment variable that contains SSL client certificates. + +Default value: `undef` + +##### `cipher_indicator` + +Data type: `Optional[String]` + +Name of the Apache environment variable that contains SSL client cipher. + +Default value: `undef` + +##### `certchain_prefix` + +Data type: `Optional[String]` + +Name of the Apache environment (prefix) that contains SSL client chain certificates. + +Default value: `undef` + +##### `session_indicator` + +Data type: `Optional[String]` + +Name of the Apache environment variable that contains SSL session. + +Default value: `undef` + +##### `keysize_indicator` + +Data type: `Optional[String]` + +Name of the Apache environment variable that contains SSL key size in use. + +Default value: `undef` + +##### `local_name_indicator` + +Data type: `Optional[String]` + +Name of the Apache environment variable which can be used to overwrite the forwarded local name. + +Default value: `undef` + +##### `ignore_cl_indicator` + +Data type: `Optional[String]` + +Name of the Apache environment variable which forces to ignore an existing Content-Length request header. + +Default value: `undef` + +##### `local_addr_indicator` + +Data type: `Optional[String]` + +Name of the Apache environment variable which can be used to overwrite the forwarded local IP address. + +Default value: `undef` + +##### `local_port_indicator` + +Data type: `Optional[String]` + +Name of the Apache environment variable which can be used to overwrite the forwarded local port. + +Default value: `undef` + +##### `remote_host_indicator` + +Data type: `Optional[String]` + +Name of the Apache environment variable which can be used to overwrite the forwarded remote (client) host name. + +Default value: `undef` + +##### `remote_addr_indicator` + +Data type: `Optional[String]` + +Name of the Apache environment variable which can be used to overwrite the forwarded remote (client) IP address. + +Default value: `undef` + +##### `remote_port_indicator` + +Data type: `Optional[String]` + +Name of the Apache environment variable which can be used to overwrite the forwarded remote (client) IP address. + +Default value: `undef` + +##### `remote_user_indicator` + +Data type: `Optional[String]` + +Name of the Apache environment variable which can be used to overwrite the forwarded user name. + +Default value: `undef` + +##### `auth_type_indicator` + +Data type: `Optional[String]` + +Name of the Apache environment variable which can be used to overwrite the forwarded authentication type. + +Default value: `undef` + +##### `options` + +Data type: `Array` + +Set one of more options to configure the mod_jk module. + +Default value: `[]` + +##### `env_var` + +Data type: `Hash` + +Adds a name and an optional default value of environment variable that should be sent to servlet-engine as a request attribute. + +Default value: `{}` + +##### `strip_session` + +Data type: `Optional[String]` + +If this directive is set to On in some virtual server, the session IDs ;jsessionid=... will be removed for URLs which are not +forwarded but instead are handled by the local server. + +Default value: `undef` + +##### `location_list` + +Data type: `Array` + +Global locations for mod_jk are defined in array location_list. +Each array item is a hash with quoted* property name as key and value as value itself. +You can define a comment in a special 'comment' key + +Example: + + # Configures jkstatus + JkMount status + Order deny,allow + Deny from all + Allow from 127.0.0.1 + + +Is defined as: +location_list = [ + { + 'Location' => '/jkstatus/', + 'Comment' => 'Configures jkstatus', + 'JkMount' => 'status', + 'Order' => 'deny,allow', + 'Deny from' => 'all', + 'Allow from' => '127.0.0.1', + }, +] +* Keys must be quoted to allow arbitrary case and/or multi-word keys +(BTW, note the case of 'Location' and 'Comment' keys) + +Default value: `[]` + +##### `workers_file_content` + +Data type: `Hash` + +Each directive has the format worker..=. This maps as a hash of hashes, where the outer hash specifies +workers, and each inner hash specifies each worker properties and values. Plus, there are two global directives, 'worker.list' and +'worker.maintain' For example, the workers file below should be parameterized as follows: + +Worker file: +``` +worker.list = status +worker.list = some_name,other_name + +worker.maintain = 60 + +# Optional comment +worker.some_name.type=ajp13 +worker.some_name.socket_keepalive=true + +# I just like comments +worker.other_name.type=ajp12 (why would you?) +worker.other_name.socket_keepalive=false +``` + +Puppet file: +``` +$workers_file_content = { + worker_lists => ['status', 'some_name, other_name'], + worker_maintain => 60, + some_name => { + comment => 'Optional comment', + type => 'ajp13', + socket_keepalive => 'true', + }, + other_name => { + comment => 'I just like comments', + type => 'ajp12', + socket_keepalive => 'false', + }, +} +``` + +Default value: `{}` + +##### `mount_file_content` + +Data type: `Hash` + +Each directive has the format = . This maps as a hash of hashes, where the outer hash specifies workers, and +each inner hash contains two items: +- uri_list-an array with URIs to be mapped to the worker +- comment-an optional string with a comment for the worker. For example, the mount file below should be parameterized as Figure 2: + +Worker file: +``` +# Worker 1 +/context_1/ = worker_1 +/context_1/* = worker_1 + +# Worker 2 +/ = worker_2 +/context_2/ = worker_2 +/context_2/* = worker_2 +``` + +Puppet file: +``` +$mount_file_content = { + worker_1 => { + uri_list => ['/context_1/', '/context_1/*'], + comment => 'Worker 1', + }, + worker_2 => { + uri_list => ['/context_2/', '/context_2/*'], + comment => 'Worker 2', + }, +}, +``` + +Default value: `{}` + +### `apache::mod::lbmethod_bybusyness` + +Installs `lbmethod_bybusyness`. + +* **See also** + * https://httpd.apache.org/docs/2.4/mod/mod_lbmethod_bybusyness.html + * for additional documentation. + +#### Parameters + +The following parameters are available in the `apache::mod::lbmethod_bybusyness` class: + +* [`apache_version`](#-apache--mod--lbmethod_bybusyness--apache_version) + +##### `apache_version` + +Data type: `Optional[String]` + +Version of Apache to install module on. + +Default value: `$apache::apache_version` + +### `apache::mod::lbmethod_byrequests` + +Installs `lbmethod_byrequests`. + +* **See also** + * https://httpd.apache.org/docs/2.4/mod/mod_lbmethod_byrequests.html + * for additional documentation. + +#### Parameters + +The following parameters are available in the `apache::mod::lbmethod_byrequests` class: + +* [`apache_version`](#-apache--mod--lbmethod_byrequests--apache_version) + +##### `apache_version` + +Data type: `Optional[String]` + +Version of Apache to install module on. + +Default value: `$apache::apache_version` + +### `apache::mod::lbmethod_bytraffic` + +Installs `lbmethod_bytraffic`. + +* **See also** + * https://httpd.apache.org/docs/2.4/mod/mod_lbmethod_bytraffic.html + * for additional documentation. + +#### Parameters + +The following parameters are available in the `apache::mod::lbmethod_bytraffic` class: + +* [`apache_version`](#-apache--mod--lbmethod_bytraffic--apache_version) + +##### `apache_version` + +Data type: `Optional[String]` + +Version of Apache to install module on. + +Default value: `$apache::apache_version` + +### `apache::mod::lbmethod_heartbeat` + +Installs `lbmethod_heartbeat`. + +* **See also** + * https://httpd.apache.org/docs/2.4/mod/mod_lbmethod_heartbeat.html + * for additional documentation. + +#### Parameters + +The following parameters are available in the `apache::mod::lbmethod_heartbeat` class: + +* [`apache_version`](#-apache--mod--lbmethod_heartbeat--apache_version) + +##### `apache_version` + +Data type: `Optional[String]` + +Version of Apache to install module on. + +Default value: `$apache::apache_version` + +### `apache::mod::ldap` + +Installs and configures `mod_ldap`. + +* **Note** Unsupported platforms: CentOS: 8; RedHat: 8, 9 + +* **See also** + * https://httpd.apache.org/docs/current/mod/mod_ldap.html + * for additional documentation. + +#### Examples + +##### + +```puppet +class { 'apache::mod::ldap': + ldap_trusted_global_cert_file => '/etc/pki/tls/certs/ldap-trust.crt', + ldap_trusted_global_cert_type => 'CA_DER', + ldap_trusted_mode => 'TLS', + ldap_shared_cache_size => 500000, + ldap_cache_entries => 1024, + ldap_cache_ttl => 600, + ldap_opcache_entries => 1024, + ldap_opcache_ttl => 600, +} +``` + +#### Parameters + +The following parameters are available in the `apache::mod::ldap` class: + +* [`package_name`](#-apache--mod--ldap--package_name) +* [`ldap_trusted_global_cert_file`](#-apache--mod--ldap--ldap_trusted_global_cert_file) +* [`ldap_trusted_global_cert_type`](#-apache--mod--ldap--ldap_trusted_global_cert_type) +* [`ldap_shared_cache_size`](#-apache--mod--ldap--ldap_shared_cache_size) +* [`ldap_cache_entries`](#-apache--mod--ldap--ldap_cache_entries) +* [`ldap_cache_ttl`](#-apache--mod--ldap--ldap_cache_ttl) +* [`ldap_opcache_entries`](#-apache--mod--ldap--ldap_opcache_entries) +* [`ldap_opcache_ttl`](#-apache--mod--ldap--ldap_opcache_ttl) +* [`ldap_trusted_mode`](#-apache--mod--ldap--ldap_trusted_mode) +* [`ldap_path`](#-apache--mod--ldap--ldap_path) + +##### `package_name` + +Data type: `Optional[String]` + +Specifies the custom package name. + +Default value: `undef` + +##### `ldap_trusted_global_cert_file` + +Data type: `Optional[String]` + +Sets the file or database containing global trusted Certificate Authority or global client certificates. + +Default value: `undef` + +##### `ldap_trusted_global_cert_type` + +Data type: `String` + +Sets the certificate parameter of the global trusted Certificate Authority or global client certificates. + +Default value: `'CA_BASE64'` + +##### `ldap_shared_cache_size` + +Data type: `Optional[Integer]` + +Size in bytes of the shared-memory cache + +Default value: `undef` + +##### `ldap_cache_entries` + +Data type: `Optional[Integer]` + +Maximum number of entries in the primary LDAP cache + +Default value: `undef` + +##### `ldap_cache_ttl` + +Data type: `Optional[Integer]` + +Time that cached items remain valid (in seconds). + +Default value: `undef` + +##### `ldap_opcache_entries` + +Data type: `Optional[Integer]` + +Number of entries used to cache LDAP compare operations + +Default value: `undef` + +##### `ldap_opcache_ttl` + +Data type: `Optional[Integer]` + +Time that entries in the operation cache remain valid (in seconds). + +Default value: `undef` + +##### `ldap_trusted_mode` + +Data type: `Optional[String]` + +Specifies the SSL/TLS mode to be used when connecting to an LDAP server. + +Default value: `undef` + +##### `ldap_path` + +Data type: `String` + +The server location of the ldap status page. + +Default value: `'/ldap-status'` + +### `apache::mod::log_forensic` + +Installs `mod_log_forensic` + +* **See also** + * https://httpd.apache.org/docs/current/mod/mod_log_forensic.html + * for additional documentation. + +### `apache::mod::lookup_identity` + +Installs `mod_lookup_identity` + +* **See also** + * https://www.adelton.com/apache/mod_lookup_identity + * for additional documentation. + +### `apache::mod::macro` + +Installs `mod_macro`. + +* **See also** + * https://httpd.apache.org/docs/current/mod/mod_macro.html + * for additional documentation. + +### `apache::mod::md` + +Installs and configures `mod_md`. + +* **Note** Unsupported platforms: CentOS: 6, 7; OracleLinux: all; RedHat: 6, 7; Scientific: all; SLES: all; Ubuntu: 18 + +* **See also** + * https://httpd.apache.org/docs/current/mod/mod_md.html + * for additional documentation. + +#### Parameters + +The following parameters are available in the `apache::mod::md` class: + +* [`md_activation_delay`](#-apache--mod--md--md_activation_delay) +* [`md_base_server`](#-apache--mod--md--md_base_server) +* [`md_ca_challenges`](#-apache--mod--md--md_ca_challenges) +* [`md_certificate_agreement`](#-apache--mod--md--md_certificate_agreement) +* [`md_certificate_authority`](#-apache--mod--md--md_certificate_authority) +* [`md_certificate_check`](#-apache--mod--md--md_certificate_check) +* [`md_certificate_monitor`](#-apache--mod--md--md_certificate_monitor) +* [`md_certificate_protocol`](#-apache--mod--md--md_certificate_protocol) +* [`md_certificate_status`](#-apache--mod--md--md_certificate_status) +* [`md_challenge_dns01`](#-apache--mod--md--md_challenge_dns01) +* [`md_contact_email`](#-apache--mod--md--md_contact_email) +* [`md_http_proxy`](#-apache--mod--md--md_http_proxy) +* [`md_members`](#-apache--mod--md--md_members) +* [`md_message_cmd`](#-apache--mod--md--md_message_cmd) +* [`md_must_staple`](#-apache--mod--md--md_must_staple) +* [`md_notify_cmd`](#-apache--mod--md--md_notify_cmd) +* [`md_port_map`](#-apache--mod--md--md_port_map) +* [`md_private_keys`](#-apache--mod--md--md_private_keys) +* [`md_renew_mode`](#-apache--mod--md--md_renew_mode) +* [`md_renew_window`](#-apache--mod--md--md_renew_window) +* [`md_require_https`](#-apache--mod--md--md_require_https) +* [`md_server_status`](#-apache--mod--md--md_server_status) +* [`md_staple_others`](#-apache--mod--md--md_staple_others) +* [`md_stapling`](#-apache--mod--md--md_stapling) +* [`md_stapling_keep_response`](#-apache--mod--md--md_stapling_keep_response) +* [`md_stapling_renew_window`](#-apache--mod--md--md_stapling_renew_window) +* [`md_store_dir`](#-apache--mod--md--md_store_dir) +* [`md_warn_window`](#-apache--mod--md--md_warn_window) + +##### `md_activation_delay` + +Data type: `Optional[String]` + +- + +Default value: `undef` + +##### `md_base_server` + +Data type: `Optional[Apache::OnOff]` + +Control if base server may be managed or only virtual hosts. + +Default value: `undef` + +##### `md_ca_challenges` + +Data type: `Optional[Array[Enum['dns-01', 'http-01', 'tls-alpn-01']]]` + +Type of ACME challenge used to prove domain ownership. + +Default value: `undef` + +##### `md_certificate_agreement` + +Data type: `Optional[Enum['accepted']]` + +You confirm that you accepted the Terms of Service of the Certificate +Authority. + +Default value: `undef` + +##### `md_certificate_authority` + +Data type: `Optional[Stdlib::HTTPUrl]` + +The URL of the ACME Certificate Authority service. + +Default value: `undef` + +##### `md_certificate_check` + +Data type: `Optional[String]` + +- + +Default value: `undef` + +##### `md_certificate_monitor` + +Data type: `Optional[String]` + +The URL of a certificate log monitor. + +Default value: `undef` + +##### `md_certificate_protocol` + +Data type: `Optional[Enum['ACME']]` + +The protocol to use with the Certificate Authority. + +Default value: `undef` + +##### `md_certificate_status` + +Data type: `Optional[Apache::OnOff]` + +Exposes public certificate information in JSON. + +Default value: `undef` + +##### `md_challenge_dns01` + +Data type: `Optional[Stdlib::Absolutepath]` + +Define a program to be called when the `dns-01` challenge needs to be +setup/torn down. + +Default value: `undef` + +##### `md_contact_email` + +Data type: `Optional[String]` + +The ACME protocol requires you to give a contact url when you sign up. + +Default value: `undef` + +##### `md_http_proxy` + +Data type: `Optional[Stdlib::HTTPUrl]` + +Define a proxy for outgoing connections. + +Default value: `undef` + +##### `md_members` + +Data type: `Optional[Enum['auto', 'manual']]` + +Control if the alias domain names are automatically added. + +Default value: `undef` + +##### `md_message_cmd` + +Data type: `Optional[Stdlib::Absolutepath]` + +Handle events for Manage Domains. + +Default value: `undef` + +##### `md_must_staple` + +Data type: `Optional[Apache::OnOff]` + +Control if new certificates carry the OCSP Must Staple flag. + +Default value: `undef` + +##### `md_notify_cmd` + +Data type: `Optional[Stdlib::Absolutepath]` + +Run a program when a Managed Domain is ready. + +Default value: `undef` + +##### `md_port_map` + +Data type: `Optional[String]` + +Map external to internal ports for domain ownership verification. + +Default value: `undef` + +##### `md_private_keys` + +Data type: `Optional[String]` + +Set type and size of the private keys generated. + +Default value: `undef` + +##### `md_renew_mode` + +Data type: `Optional[Enum['always', 'auto', 'manual']]` + +Controls if certificates shall be renewed. + +Default value: `undef` + +##### `md_renew_window` + +Data type: `Optional[String]` + +Control when a certificate will be renewed. + +Default value: `undef` + +##### `md_require_https` + +Data type: `Optional[Enum['off', 'permanent', 'temporary']]` + +Redirects http: traffic to https: for Managed Domains. +An http: Virtual Host must nevertheless be setup for that domain. + +Default value: `undef` + +##### `md_server_status` + +Data type: `Optional[Apache::OnOff]` + +Control if Managed Domain information is added to server-status. + +Default value: `undef` + +##### `md_staple_others` + +Data type: `Optional[Apache::OnOff]` + +Enable stapling for certificates not managed by mod_md. + +Default value: `undef` + +##### `md_stapling` + +Data type: `Optional[Apache::OnOff]` + +Enable stapling for all or a particular MDomain. + +Default value: `undef` + +##### `md_stapling_keep_response` + +Data type: `Optional[String]` + +Controls when old responses should be removed. + +Default value: `undef` + +##### `md_stapling_renew_window` + +Data type: `Optional[String]` + +Control when the stapling responses will be renewed. + +Default value: `undef` + +##### `md_store_dir` + +Data type: `Optional[Stdlib::Absolutepath]` + +Path on the local file system to store the Managed Domains data. + +Default value: `undef` + +##### `md_warn_window` + +Data type: `Optional[String]` + +Define the time window when you want to be warned about an expiring +certificate. + +Default value: `undef` + +### `apache::mod::mime` + +Installs and configures `mod_mime`. + +* **See also** + * https://httpd.apache.org/docs/current/mod/mod_mime.html + * for additional documentation. + +#### Parameters + +The following parameters are available in the `apache::mod::mime` class: + +* [`mime_support_package`](#-apache--mod--mime--mime_support_package) +* [`mime_types_config`](#-apache--mod--mime--mime_types_config) +* [`mime_types_additional`](#-apache--mod--mime--mime_types_additional) + +##### `mime_support_package` + +Data type: `Optional[String]` + +Name of the MIME package to be installed. + +Default value: `$apache::params::mime_support_package` + +##### `mime_types_config` + +Data type: `String` + +The location of the mime.types file. + +Default value: `$apache::params::mime_types_config` + +##### `mime_types_additional` + +Data type: `Optional[Hash]` + +List of additional MIME types to include. + +Default value: `undef` + +### `apache::mod::mime_magic` + +Installs and configures `mod_mime_magic`. + +* **See also** + * https://httpd.apache.org/docs/current/mod/mod_mime_magic.html + * for additional documentation. + +#### Parameters + +The following parameters are available in the `apache::mod::mime_magic` class: + +* [`magic_file`](#-apache--mod--mime_magic--magic_file) + +##### `magic_file` + +Data type: `Optional[String]` + +Enable MIME-type determination based on file contents using the specified magic file. + +Default value: `undef` + +### `apache::mod::negotiation` + +Installs and configures `mod_negotiation`. + +* **See also** + * [https://httpd.apache.org/docs/current/mod/mod_negotiation.html + * for additional documentation. + +#### Parameters + +The following parameters are available in the `apache::mod::negotiation` class: + +* [`force_language_priority`](#-apache--mod--negotiation--force_language_priority) +* [`language_priority`](#-apache--mod--negotiation--language_priority) + +##### `force_language_priority` + +Data type: `Variant[Array[String], String]` + +Action to take if a single acceptable document is not found. + +Default value: `'Prefer Fallback'` + +##### `language_priority` + +Data type: `Variant[Array[String], String]` + +The precedence of language variants for cases where the client does not express a preference. + +Default value: + +```puppet +['en', 'ca', 'cs', 'da', 'de', 'el', 'eo', 'es', 'et', + 'fr', 'he', 'hr', 'it', 'ja', 'ko', 'ltz', 'nl', 'nn', + 'no', 'pl', 'pt', 'pt-BR', 'ru', 'sv', 'zh-CN', + 'zh-TW'] +``` + +### `apache::mod::nss` + +Installs and configures `mod_nss`. + +* **See also** + * https://pagure.io/mod_nss + * for additional documentation. + +#### Parameters + +The following parameters are available in the `apache::mod::nss` class: + +* [`transfer_log`](#-apache--mod--nss--transfer_log) +* [`error_log`](#-apache--mod--nss--error_log) +* [`passwd_file`](#-apache--mod--nss--passwd_file) +* [`port`](#-apache--mod--nss--port) + +##### `transfer_log` + +Data type: `Stdlib::Absolutepath` + +Path to `access.log`. + +Default value: `"${apache::params::logroot}/access.log"` + +##### `error_log` + +Data type: `Stdlib::Absolutepath` + +Path to `error.log` + +Default value: `"${apache::params::logroot}/error.log"` + +##### `passwd_file` + +Data type: `Optional[String]` + +Path to file containing token passwords used for NSSPassPhraseDialog. + +Default value: `undef` + +##### `port` + +Data type: `Stdlib::Port` + +Sets the SSL port that should be used by mod_nss. + +Default value: `8443` + +### `apache::mod::pagespeed` + +Installs and manages mod_pagespeed, which is a Google module that rewrites web pages to reduce latency and bandwidth. + +This module does *not* manage the software repositories needed to automatically install the +mod-pagespeed-stable package. The module does however require that the package be installed, +or be installable using the system's default package provider. You should ensure that this +pre-requisite is met or declaring `apache::mod::pagespeed` will cause the puppet run to fail. + +* **Note** Verify that your system is compatible with the latest Google Pagespeed requirements. + +Although this apache module requires the mod-pagespeed-stable package, Puppet does not manage the software repositories required to +automatically install the package. If you declare this class when the package is either not installed or not available to your +package manager, your Puppet run will fail. + +* **See also** + * https://developers.google.com/speed/pagespeed/module/ + * for additional documentation. + +#### Examples + +##### + +```puppet +class { 'apache::mod::pagespeed': + inherit_vhost_config => 'on', + filter_xhtml => false, + cache_path => '/var/cache/mod_pagespeed/', + log_dir => '/var/log/pagespeed', + memache_servers => [], + rewrite_level => 'CoreFilters', + disable_filters => [], + enable_filters => [], + forbid_filters => [], + rewrite_deadline_per_flush_ms => 10, + additional_domains => undef, + file_cache_size_kb => 102400, + file_cache_clean_interval_ms => 3600000, + lru_cache_per_process => 1024, + lru_cache_byte_limit => 16384, + css_flatten_max_bytes => 2048, + css_inline_max_bytes => 2048, + css_image_inline_max_bytes => 2048, + image_inline_max_bytes => 2048, + js_inline_max_bytes => 2048, + css_outline_min_bytes => 3000, + js_outline_min_bytes => 3000, + inode_limit => 500000, + image_max_rewrites_at_once => 8, + num_rewrite_threads => 4, + num_expensive_rewrite_threads => 4, + collect_statistics => 'on', + statistics_logging => 'on', + allow_view_stats => [], + allow_pagespeed_console => [], + allow_pagespeed_message => [], + message_buffer_size => 100000, + additional_configuration => { } +} +``` + +#### Parameters + +The following parameters are available in the `apache::mod::pagespeed` class: + +* [`inherit_vhost_config`](#-apache--mod--pagespeed--inherit_vhost_config) +* [`filter_xhtml`](#-apache--mod--pagespeed--filter_xhtml) +* [`cache_path`](#-apache--mod--pagespeed--cache_path) +* [`log_dir`](#-apache--mod--pagespeed--log_dir) +* [`memcache_servers`](#-apache--mod--pagespeed--memcache_servers) +* [`rewrite_level`](#-apache--mod--pagespeed--rewrite_level) +* [`disable_filters`](#-apache--mod--pagespeed--disable_filters) +* [`enable_filters`](#-apache--mod--pagespeed--enable_filters) +* [`forbid_filters`](#-apache--mod--pagespeed--forbid_filters) +* [`rewrite_deadline_per_flush_ms`](#-apache--mod--pagespeed--rewrite_deadline_per_flush_ms) +* [`additional_domains`](#-apache--mod--pagespeed--additional_domains) +* [`file_cache_size_kb`](#-apache--mod--pagespeed--file_cache_size_kb) +* [`file_cache_clean_interval_ms`](#-apache--mod--pagespeed--file_cache_clean_interval_ms) +* [`lru_cache_per_process`](#-apache--mod--pagespeed--lru_cache_per_process) +* [`lru_cache_byte_limit`](#-apache--mod--pagespeed--lru_cache_byte_limit) +* [`css_flatten_max_bytes`](#-apache--mod--pagespeed--css_flatten_max_bytes) +* [`css_inline_max_bytes`](#-apache--mod--pagespeed--css_inline_max_bytes) +* [`css_image_inline_max_bytes`](#-apache--mod--pagespeed--css_image_inline_max_bytes) +* [`image_inline_max_bytes`](#-apache--mod--pagespeed--image_inline_max_bytes) +* [`js_inline_max_bytes`](#-apache--mod--pagespeed--js_inline_max_bytes) +* [`css_outline_min_bytes`](#-apache--mod--pagespeed--css_outline_min_bytes) +* [`js_outline_min_bytes`](#-apache--mod--pagespeed--js_outline_min_bytes) +* [`inode_limit`](#-apache--mod--pagespeed--inode_limit) +* [`image_max_rewrites_at_once`](#-apache--mod--pagespeed--image_max_rewrites_at_once) +* [`num_rewrite_threads`](#-apache--mod--pagespeed--num_rewrite_threads) +* [`num_expensive_rewrite_threads`](#-apache--mod--pagespeed--num_expensive_rewrite_threads) +* [`collect_statistics`](#-apache--mod--pagespeed--collect_statistics) +* [`statistics_logging`](#-apache--mod--pagespeed--statistics_logging) +* [`allow_view_stats`](#-apache--mod--pagespeed--allow_view_stats) +* [`allow_pagespeed_console`](#-apache--mod--pagespeed--allow_pagespeed_console) +* [`allow_pagespeed_message`](#-apache--mod--pagespeed--allow_pagespeed_message) +* [`message_buffer_size`](#-apache--mod--pagespeed--message_buffer_size) +* [`additional_configuration`](#-apache--mod--pagespeed--additional_configuration) +* [`package_ensure`](#-apache--mod--pagespeed--package_ensure) + +##### `inherit_vhost_config` + +Data type: `String` + +Whether or not to inherit the vhost config + +Default value: `'on'` + +##### `filter_xhtml` + +Data type: `Boolean` + +Whether to filter by xhtml + +Default value: `false` + +##### `cache_path` + +Data type: `Stdlib::Absolutepath` + +Where to cache any files + +Default value: `'/var/cache/mod_pagespeed/'` + +##### `log_dir` + +Data type: `Stdlib::Absolutepath` + +The log directory + +Default value: `'/var/log/pagespeed'` + +##### `memcache_servers` + +Data type: `Array` + + + +Default value: `[]` + +##### `rewrite_level` + +Data type: `String` + +The inbuilt filter level to be used. +Can be `PassThrough`, `CoreFilters` or `OptimizeForBandwidth`. + +Default value: `'CoreFilters'` + +##### `disable_filters` + +Data type: `Array` + +An array of filters that you wish to disable + +Default value: `[]` + +##### `enable_filters` + +Data type: `Array` + +An array of filters that you wish to enable + +Default value: `[]` + +##### `forbid_filters` + +Data type: `Array` + +An array of filters that you wish to forbid + +Default value: `[]` + +##### `rewrite_deadline_per_flush_ms` + +Data type: `Integer` + +How long to wait after attempting to rewrite an uncache/expired resource. + +Default value: `10` + +##### `additional_domains` + +Data type: `Optional[String]` + +Any additional domains that PageSpeed should optimize resources from. + +Default value: `undef` + +##### `file_cache_size_kb` + +Data type: `Integer` + +The maximum size of the cache + +Default value: `102400` + +##### `file_cache_clean_interval_ms` + +Data type: `Integer` + +The interval between which the cache is cleaned + +Default value: `3600000` + +##### `lru_cache_per_process` + +Data type: `Integer` + +The amount of memory dedcated to each process + +Default value: `1024` + +##### `lru_cache_byte_limit` + +Data type: `Integer` + +How large a cache entry the cache will accept + +Default value: `16384` + +##### `css_flatten_max_bytes` + +Data type: `Integer` + +The maximum size in bytes of the flattened CSS + +Default value: `2048` + +##### `css_inline_max_bytes` + +Data type: `Integer` + +The maximum size in bytes of any image that will be inlined into CSS + +Default value: `2048` + +##### `css_image_inline_max_bytes` + +Data type: `Integer` + +The maximum size in bytes of any image that will be inlined into an HTML file + +Default value: `2048` + +##### `image_inline_max_bytes` + +Data type: `Integer` + +The maximum size in bytes of any inlined CSS file + +Default value: `2048` + +##### `js_inline_max_bytes` + +Data type: `Integer` + +The maximum size in bytes of any inlined JavaScript file + +Default value: `2048` + +##### `css_outline_min_bytes` + +Data type: `Integer` + +The minimum size in bytes for a CSS file to qualify as an outline + +Default value: `3000` + +##### `js_outline_min_bytes` + +Data type: `Integer` + +The minimum size in bytes for a JavaScript file to qualify as an outline + +Default value: `3000` + +##### `inode_limit` + +Data type: `Integer` + +The file cache inode limit + +Default value: `500000` + +##### `image_max_rewrites_at_once` + +Data type: `Integer` + +The maximum number of images to optimize concurrently + +Default value: `8` + +##### `num_rewrite_threads` + +Data type: `Integer` + +The amount of threads to use for rewrite at one time +These threads are used for short, latency-sensitive work. + +Default value: `4` + +##### `num_expensive_rewrite_threads` + +Data type: `Integer` + +The amount of threads to use for rewrite at one time +These threads are used for full optimization. + +Default value: `4` + +##### `collect_statistics` + +Data type: `String` + +Whether to collect cross-process statistics + +Default value: `'on'` + +##### `statistics_logging` + +Data type: `String` + +Whether graphs should be drawn from collected statistics + +Default value: `'on'` + +##### `allow_view_stats` + +Data type: `Array` + +What sources should be allowed to view the resultant graph + +Default value: `[]` + +##### `allow_pagespeed_console` + +Data type: `Array` + +What sources to draw the graphs from + +Default value: `[]` + +##### `allow_pagespeed_message` + +Data type: `Array` + + + +Default value: `[]` + +##### `message_buffer_size` + +Data type: `Integer` + +The amount of bytes to allocate as a buffer to hold recent log messages + +Default value: `100000` + +##### `additional_configuration` + +Data type: `Variant[Array, Hash]` + +Any additional configuration no included as it's own option + +Default value: `{}` + +##### `package_ensure` + +Data type: `Optional[String]` + + + +Default value: `undef` + +### `apache::mod::passenger` + +The current set of server configurations settings were taken directly from the Passenger Reference. To enable deprecation warnings +and removal failure messages, set the passenger_installed_version to the version number installed on the server. + +Change Log: + - As of 08/13/2017 there are 84 available/deprecated/removed settings. + - Around 08/20/2017 UnionStation was discontinued options were removed. + - As of 08/20/2017 there are 77 available/deprecated/removed settings. + +* **Note** In Passenger source code you can strip out what are all the available options by looking in + - src/apache2_module/Configuration.cpp + - src/apache2_module/ConfigurationCommands.cpp +There are also several undocumented settings. + +* **See also** + * https://www.phusionpassenger.com/docs/references/config_reference/apache/ + * for additional documentation. + +#### Parameters + +The following parameters are available in the `apache::mod::passenger` class: + +* [`manage_repo`](#-apache--mod--passenger--manage_repo) +* [`mod_id`](#-apache--mod--passenger--mod_id) +* [`mod_lib`](#-apache--mod--passenger--mod_lib) +* [`mod_lib_path`](#-apache--mod--passenger--mod_lib_path) +* [`mod_package`](#-apache--mod--passenger--mod_package) +* [`mod_package_ensure`](#-apache--mod--passenger--mod_package_ensure) +* [`mod_path`](#-apache--mod--passenger--mod_path) +* [`passenger_admin_panel_url`](#-apache--mod--passenger--passenger_admin_panel_url) +* [`passenger_admin_panel_auth_type`](#-apache--mod--passenger--passenger_admin_panel_auth_type) +* [`passenger_admin_panel_username`](#-apache--mod--passenger--passenger_admin_panel_username) +* [`passenger_admin_panel_password`](#-apache--mod--passenger--passenger_admin_panel_password) +* [`passenger_allow_encoded_slashes`](#-apache--mod--passenger--passenger_allow_encoded_slashes) +* [`passenger_anonymous_telemetry_proxy`](#-apache--mod--passenger--passenger_anonymous_telemetry_proxy) +* [`passenger_app_env`](#-apache--mod--passenger--passenger_app_env) +* [`passenger_app_group_name`](#-apache--mod--passenger--passenger_app_group_name) +* [`passenger_app_log_file`](#-apache--mod--passenger--passenger_app_log_file) +* [`passenger_app_root`](#-apache--mod--passenger--passenger_app_root) +* [`passenger_app_type`](#-apache--mod--passenger--passenger_app_type) +* [`passenger_base_uri`](#-apache--mod--passenger--passenger_base_uri) +* [`passenger_buffer_response`](#-apache--mod--passenger--passenger_buffer_response) +* [`passenger_buffer_upload`](#-apache--mod--passenger--passenger_buffer_upload) +* [`passenger_concurrency_model`](#-apache--mod--passenger--passenger_concurrency_model) +* [`passenger_conf_file`](#-apache--mod--passenger--passenger_conf_file) +* [`passenger_conf_package_file`](#-apache--mod--passenger--passenger_conf_package_file) +* [`passenger_data_buffer_dir`](#-apache--mod--passenger--passenger_data_buffer_dir) +* [`passenger_debug_log_file`](#-apache--mod--passenger--passenger_debug_log_file) +* [`passenger_debugger`](#-apache--mod--passenger--passenger_debugger) +* [`passenger_default_group`](#-apache--mod--passenger--passenger_default_group) +* [`passenger_default_ruby`](#-apache--mod--passenger--passenger_default_ruby) +* [`passenger_default_user`](#-apache--mod--passenger--passenger_default_user) +* [`passenger_disable_anonymous_telemetry`](#-apache--mod--passenger--passenger_disable_anonymous_telemetry) +* [`passenger_disable_log_prefix`](#-apache--mod--passenger--passenger_disable_log_prefix) +* [`passenger_disable_security_update_check`](#-apache--mod--passenger--passenger_disable_security_update_check) +* [`passenger_enabled`](#-apache--mod--passenger--passenger_enabled) +* [`passenger_dump_config_manifest`](#-apache--mod--passenger--passenger_dump_config_manifest) +* [`passenger_error_override`](#-apache--mod--passenger--passenger_error_override) +* [`passenger_file_descriptor_log_file`](#-apache--mod--passenger--passenger_file_descriptor_log_file) +* [`passenger_fly_with`](#-apache--mod--passenger--passenger_fly_with) +* [`passenger_force_max_concurrent_requests_per_process`](#-apache--mod--passenger--passenger_force_max_concurrent_requests_per_process) +* [`passenger_friendly_error_pages`](#-apache--mod--passenger--passenger_friendly_error_pages) +* [`passenger_group`](#-apache--mod--passenger--passenger_group) +* [`passenger_high_performance`](#-apache--mod--passenger--passenger_high_performance) +* [`passenger_installed_version`](#-apache--mod--passenger--passenger_installed_version) +* [`passenger_instance_registry_dir`](#-apache--mod--passenger--passenger_instance_registry_dir) +* [`passenger_load_shell_envvars`](#-apache--mod--passenger--passenger_load_shell_envvars) +* [`passenger_preload_bundler`](#-apache--mod--passenger--passenger_preload_bundler) +* [`passenger_log_file`](#-apache--mod--passenger--passenger_log_file) +* [`passenger_log_level`](#-apache--mod--passenger--passenger_log_level) +* [`passenger_lve_min_uid`](#-apache--mod--passenger--passenger_lve_min_uid) +* [`passenger_max_instances`](#-apache--mod--passenger--passenger_max_instances) +* [`passenger_max_instances_per_app`](#-apache--mod--passenger--passenger_max_instances_per_app) +* [`passenger_max_pool_size`](#-apache--mod--passenger--passenger_max_pool_size) +* [`passenger_max_preloader_idle_time`](#-apache--mod--passenger--passenger_max_preloader_idle_time) +* [`passenger_max_request_queue_size`](#-apache--mod--passenger--passenger_max_request_queue_size) +* [`passenger_max_request_time`](#-apache--mod--passenger--passenger_max_request_time) +* [`passenger_max_requests`](#-apache--mod--passenger--passenger_max_requests) +* [`passenger_max_request_queue_time`](#-apache--mod--passenger--passenger_max_request_queue_time) +* [`passenger_memory_limit`](#-apache--mod--passenger--passenger_memory_limit) +* [`passenger_meteor_app_settings`](#-apache--mod--passenger--passenger_meteor_app_settings) +* [`passenger_min_instances`](#-apache--mod--passenger--passenger_min_instances) +* [`passenger_nodejs`](#-apache--mod--passenger--passenger_nodejs) +* [`passenger_pool_idle_time`](#-apache--mod--passenger--passenger_pool_idle_time) +* [`passenger_pre_start`](#-apache--mod--passenger--passenger_pre_start) +* [`passenger_python`](#-apache--mod--passenger--passenger_python) +* [`passenger_resist_deployment_errors`](#-apache--mod--passenger--passenger_resist_deployment_errors) +* [`passenger_resolve_symlinks_in_document_root`](#-apache--mod--passenger--passenger_resolve_symlinks_in_document_root) +* [`passenger_response_buffer_high_watermark`](#-apache--mod--passenger--passenger_response_buffer_high_watermark) +* [`passenger_restart_dir`](#-apache--mod--passenger--passenger_restart_dir) +* [`passenger_rolling_restarts`](#-apache--mod--passenger--passenger_rolling_restarts) +* [`passenger_root`](#-apache--mod--passenger--passenger_root) +* [`passenger_ruby`](#-apache--mod--passenger--passenger_ruby) +* [`passenger_security_update_check_proxy`](#-apache--mod--passenger--passenger_security_update_check_proxy) +* [`passenger_show_version_in_header`](#-apache--mod--passenger--passenger_show_version_in_header) +* [`passenger_socket_backlog`](#-apache--mod--passenger--passenger_socket_backlog) +* [`passenger_spawn_dir`](#-apache--mod--passenger--passenger_spawn_dir) +* [`passenger_spawn_method`](#-apache--mod--passenger--passenger_spawn_method) +* [`passenger_start_timeout`](#-apache--mod--passenger--passenger_start_timeout) +* [`passenger_startup_file`](#-apache--mod--passenger--passenger_startup_file) +* [`passenger_stat_throttle_rate`](#-apache--mod--passenger--passenger_stat_throttle_rate) +* [`passenger_sticky_sessions`](#-apache--mod--passenger--passenger_sticky_sessions) +* [`passenger_sticky_sessions_cookie_name`](#-apache--mod--passenger--passenger_sticky_sessions_cookie_name) +* [`passenger_sticky_sessions_cookie_attributes`](#-apache--mod--passenger--passenger_sticky_sessions_cookie_attributes) +* [`passenger_thread_count`](#-apache--mod--passenger--passenger_thread_count) +* [`passenger_use_global_queue`](#-apache--mod--passenger--passenger_use_global_queue) +* [`passenger_user`](#-apache--mod--passenger--passenger_user) +* [`passenger_user_switching`](#-apache--mod--passenger--passenger_user_switching) +* [`rack_env`](#-apache--mod--passenger--rack_env) +* [`rails_env`](#-apache--mod--passenger--rails_env) +* [`rails_framework_spawner_idle_time`](#-apache--mod--passenger--rails_framework_spawner_idle_time) + +##### `manage_repo` + +Data type: `Boolean` + +Toggle whether to manage yum repo if on a RedHat node. + +Default value: `true` + +##### `mod_id` + +Data type: `Optional[String]` + +Specifies the package id. + +Default value: `undef` + +##### `mod_lib` + +Data type: `Optional[String]` + +Defines the module's shared object name. Do not configure manually without special reason. + +Default value: `undef` + +##### `mod_lib_path` + +Data type: `Optional[String]` + +Specifies a path to the module's libraries. Do not manually set this parameter without special reason. The `path` parameter overrides +this value. + +Default value: `undef` + +##### `mod_package` + +Data type: `Optional[String]` + +Name of the module package to install. + +Default value: `undef` + +##### `mod_package_ensure` + +Data type: `Optional[String]` + +Determines whether Puppet ensures the module should be installed. + +Default value: `undef` + +##### `mod_path` + +Data type: `Optional[String]` + +Specifies a path to the module. Do not manually set this parameter without a special reason. + +Default value: `undef` + +##### `passenger_admin_panel_url` + +Data type: `Optional[String]` + +Specifies a Fuse Panel URL that the Passenger to to enable monitoring, administering, analysis and troubleshooting of this Passenger instance and apps. + +Default value: `undef` + +##### `passenger_admin_panel_auth_type` + +Data type: `Optional[Enum['basic']]` + +Specifies the authentication type to use for the Fuse Panel. Currently it support only basic type of authentiction. +Ref : https://www.phusionpassenger.com/library/config/apache/reference/#passengeradminpanelauthtype + +Default value: `undef` + +##### `passenger_admin_panel_username` + +Data type: `Optional[String]` + +The username that Passenger should use when connecting to the Fuse Panel with basic authentication. + +Default value: `undef` + +##### `passenger_admin_panel_password` + +Data type: `Optional[String]` + +The password that Passenger should use when connecting to the Fuse Panel with basic authentication. + +Default value: `undef` + +##### `passenger_allow_encoded_slashes` + +Data type: `Optional[Apache::OnOff]` + +Toggle whether URLs with encoded slashes (%2f) can be used (by default Apache does not support this). + +Default value: `undef` + +##### `passenger_anonymous_telemetry_proxy` + +Data type: `Optional[String]` + +Set an intermediate proxy for the Passenger anonymous telemetry reporting. + +Default value: `undef` + +##### `passenger_app_env` + +Data type: `Optional[String]` + +This option sets, for the current application, the value of the following environment variables: +- RAILS_ENV +- RACK_ENV +- WSGI_ENV +- NODE_ENV +- PASSENGER_APP_ENV + +Default value: `undef` + +##### `passenger_app_group_name` + +Data type: `Optional[String]` + +Sets the name of the application group that the current application should belong to. + +Default value: `undef` + +##### `passenger_app_log_file` + +Data type: `Optional[String]` + +File path to application specifile log file. By default passenger will write all application log messages to the Passenger log file. + +Default value: `undef` + +##### `passenger_app_root` + +Data type: `Optional[String]` + +Path to the application root which allows access independent from the DocumentRoot. + +Default value: `undef` + +##### `passenger_app_type` + +Data type: `Optional[String]` + +Specifies the type of the application. If you set this option, then you must also set PassengerAppRoot, otherwise Passenger will +not properly recognize your application. + +Default value: `undef` + +##### `passenger_base_uri` + +Data type: `Optional[String]` + +Used to specify that the given URI is an distinct application that should be served by Passenger. + +Default value: `undef` + +##### `passenger_buffer_response` + +Data type: `Optional[Apache::OnOff]` + +Toggle whether application-generated responses are buffered by Apache. Buffering will happen in memory. + +Default value: `undef` + +##### `passenger_buffer_upload` + +Data type: `Optional[Apache::OnOff]` + +Toggle whether HTTP client request bodies are buffered before they are sent to the application. + +Default value: `undef` + +##### `passenger_concurrency_model` + +Data type: `Optional[String]` + +Specifies the I/O concurrency model that should be used for Ruby application processes. + +Default value: `undef` + +##### `passenger_conf_file` + +Data type: `String` + + + +Default value: `$apache::params::passenger_conf_file` + +##### `passenger_conf_package_file` + +Data type: `Optional[String]` + + + +Default value: `$apache::params::passenger_conf_package_file` + +##### `passenger_data_buffer_dir` + +Data type: `Optional[Stdlib::Absolutepath]` + +Specifies the directory in which to store data buffers. + +Default value: `undef` + +##### `passenger_debug_log_file` + +Data type: `Optional[String]` + + + +Default value: `undef` + +##### `passenger_debugger` + +Data type: `Optional[Apache::OnOff]` + +Turns support for Ruby application debugging on or off. + +Default value: `undef` + +##### `passenger_default_group` + +Data type: `Optional[String]` + +Allows you to specify the group that applications must run as, if user switching fails or is disabled. + +Default value: `undef` + +##### `passenger_default_ruby` + +Data type: `Optional[String]` + +File path to desired ruby interpreter to use by default. + +Default value: `$apache::params::passenger_default_ruby` + +##### `passenger_default_user` + +Data type: `Optional[String]` + +Allows you to specify the user that applications must run as, if user switching fails or is disabled. + +Default value: `undef` + +##### `passenger_disable_anonymous_telemetry` + +Data type: `Optional[Boolean]` + +Whether or not to disable the Passenger anonymous telemetry reporting. + +Default value: `undef` + +##### `passenger_disable_log_prefix` + +Data type: `Optional[Boolean]` + +Whether to stop Passenger from prefixing logs when they are written to a log file. + +Default value: `undef` + +##### `passenger_disable_security_update_check` + +Data type: `Optional[Apache::OnOff]` + +Allows disabling the Passenger security update check, a daily check with https://securitycheck.phusionpassenger.com for important +security updates that might be available. + +Default value: `undef` + +##### `passenger_enabled` + +Data type: `Optional[Apache::OnOff]` + +Toggles whether Passenger should be enabled for that particular context. + +Default value: `undef` + +##### `passenger_dump_config_manifest` + +Data type: `Optional[String]` + +Dumps the configuration manifest to the given file. + +Default value: `undef` + +##### `passenger_error_override` + +Data type: `Optional[Apache::OnOff]` + +Toggles whether Apache will intercept and handle responses with HTTP status codes of 400 and higher. + +Default value: `undef` + +##### `passenger_file_descriptor_log_file` + +Data type: `Optional[String]` + +Log file descriptor debug tracing messages to the given file. + +Default value: `undef` + +##### `passenger_fly_with` + +Data type: `Optional[String]` + +Enables the Flying Passenger mode, and configures Apache to connect to the Flying Passenger daemon that's listening on the +given socket filename. + +Default value: `undef` + +##### `passenger_force_max_concurrent_requests_per_process` + +Data type: `Optional[Variant[Integer, String]]` + +Use this option to tell Passenger how many concurrent requests the application can handle per process. + +Default value: `undef` + +##### `passenger_friendly_error_pages` + +Data type: `Optional[Apache::OnOff]` + +Toggles whether Passenger should display friendly error pages whenever an application fails to start. + +Default value: `undef` + +##### `passenger_group` + +Data type: `Optional[String]` + +Allows you to override that behavior and explicitly set a group to run the web application as, regardless of the ownership of the +startup file. + +Default value: `undef` + +##### `passenger_high_performance` + +Data type: `Optional[Apache::OnOff]` + +Toggles whether to enable PassengerHighPerformance which will make Passenger will be a little faster, in return for reduced +compatibility with other Apache modules. + +Default value: `undef` + +##### `passenger_installed_version` + +Data type: `Optional[String]` + + + +Default value: `undef` + +##### `passenger_instance_registry_dir` + +Data type: `Optional[String]` + +Specifies the directory that Passenger should use for registering its current instance. + +Default value: `undef` + +##### `passenger_load_shell_envvars` + +Data type: `Optional[Apache::OnOff]` + +Enables or disables the loading of shell environment variables before spawning the application. + +Default value: `undef` + +##### `passenger_preload_bundler` + +Data type: `Optional[Boolean]` + +Enables or disables loading bundler before loading your Ruby app. + +Default value: `undef` + +##### `passenger_log_file` + +Data type: `Optional[Stdlib::Absolutepath]` + +File path to log file. By default Passenger log messages are written to the Apache global error log. + +Default value: `undef` + +##### `passenger_log_level` + +Data type: `Optional[Integer]` + +Specifies how much information Passenger should log to its log file. A higher log level value means that more +information will be logged. + +Default value: `undef` + +##### `passenger_lve_min_uid` + +Data type: `Optional[Integer]` + +When using Passenger on a LVE-enabled kernel, a security check (enter) is run for spawning application processes. This options +tells the check to only allow processes with UIDs equal to, or higher than, the specified value. + +Default value: `undef` + +##### `passenger_max_instances` + +Data type: `Optional[Integer]` + +The maximum number of application processes that may simultaneously exist for an application. + +Default value: `undef` + +##### `passenger_max_instances_per_app` + +Data type: `Optional[Integer]` + +The maximum number of application processes that may simultaneously exist for a single application. + +Default value: `undef` + +##### `passenger_max_pool_size` + +Data type: `Optional[Integer]` + +The maximum number of application processes that may simultaneously exist. + +Default value: `undef` + +##### `passenger_max_preloader_idle_time` + +Data type: `Optional[Integer]` + +Set the preloader's idle timeout, in seconds. A value of 0 means that it should never idle timeout. + +Default value: `undef` + +##### `passenger_max_request_queue_size` + +Data type: `Optional[Integer]` + +Specifies the maximum size for the queue of all incoming requests. + +Default value: `undef` + +##### `passenger_max_request_time` + +Data type: `Optional[Integer]` + +The maximum amount of time, in seconds, that an application process may take to process a request. + +Default value: `undef` + +##### `passenger_max_requests` + +Data type: `Optional[Integer]` + +The maximum number of requests an application process will process. + +Default value: `undef` + +##### `passenger_max_request_queue_time` + +Data type: `Optional[Integer]` + +The maximum amount of time, in seconds, that a request may be queued before Passenger will return an error. +This option specifies the maximum time a request may spend in that queue. If a request in the queue reaches this specified limit, then Passenger will send a "504 Gateway Timeout" error for that request. + +Default value: `undef` + +##### `passenger_memory_limit` + +Data type: `Optional[Integer]` + +The maximum amount of memory that an application process may use, in megabytes. + +Default value: `undef` + +##### `passenger_meteor_app_settings` + +Data type: `Optional[String]` + +When using a Meteor application in non-bundled mode, use this option to specify a JSON file with settings for the application. + +Default value: `undef` + +##### `passenger_min_instances` + +Data type: `Optional[Integer]` + +Specifies the minimum number of application processes that should exist for a given application. + +Default value: `undef` + +##### `passenger_nodejs` + +Data type: `Optional[String]` + +Specifies the Node.js command to use for serving Node.js web applications. + +Default value: `undef` + +##### `passenger_pool_idle_time` + +Data type: `Optional[Integer]` + +The maximum number of seconds that an application process may be idle. + +Default value: `undef` + +##### `passenger_pre_start` + +Data type: `Optional[Variant[String, Array[String]]]` + +URL of the web application you want to pre-start. + +Default value: `undef` + +##### `passenger_python` + +Data type: `Optional[String]` + +Specifies the Python interpreter to use for serving Python web applications. + +Default value: `undef` + +##### `passenger_resist_deployment_errors` + +Data type: `Optional[Apache::OnOff]` + +Enables or disables resistance against deployment errors. + +Default value: `undef` + +##### `passenger_resolve_symlinks_in_document_root` + +Data type: `Optional[Apache::OnOff]` + +This option is no longer available in version 5.2.0. Switch to PassengerAppRoot if you are setting the application root via a +document root containing symlinks. + +Default value: `undef` + +##### `passenger_response_buffer_high_watermark` + +Data type: `Optional[Variant[Integer, String]]` + +Configures the maximum size of the real-time disk-backed response buffering system. + +Default value: `undef` + +##### `passenger_restart_dir` + +Data type: `Optional[String]` + +Path to directory containing restart.txt file. Can be either absolute or relative. + +Default value: `undef` + +##### `passenger_rolling_restarts` + +Data type: `Optional[Apache::OnOff]` + +Enables or disables support for zero-downtime application restarts through restart.txt. + +Default value: `undef` + +##### `passenger_root` + +Data type: `Optional[String]` + +Refers to the location to the Passenger root directory, or to a location configuration file. + +Default value: `$apache::params::passenger_root` + +##### `passenger_ruby` + +Data type: `Optional[String]` + +Specifies the Ruby interpreter to use for serving Ruby web applications. + +Default value: `$apache::params::passenger_ruby` + +##### `passenger_security_update_check_proxy` + +Data type: `Optional[String]` + +Allows use of an intermediate proxy for the Passenger security update check. + +Default value: `undef` + +##### `passenger_show_version_in_header` + +Data type: `Optional[Apache::OnOff]` + +Toggle whether Passenger will output its version number in the X-Powered-By header in all Passenger-served requests: + +Default value: `undef` + +##### `passenger_socket_backlog` + +Data type: `Optional[Variant[Integer, String]]` + +This option can be raised if Apache manages to overflow the backlog queue. + +Default value: `undef` + +##### `passenger_spawn_dir` + +Data type: `Optional[String]` + +The directory in which Passenger will record progress during startup + +Default value: `undef` + +##### `passenger_spawn_method` + +Data type: `Optional[Enum['smart', 'direct', 'smart-lv2', 'conservative']]` + +Controls whether Passenger spawns applications directly, or using a prefork copy-on-write mechanism. + +Default value: `undef` + +##### `passenger_start_timeout` + +Data type: `Optional[Integer]` + +Specifies a timeout for the startup of application processes. + +Default value: `undef` + +##### `passenger_startup_file` + +Data type: `Optional[String]` + +Specifies the startup file that Passenger should use when loading the application. + +Default value: `undef` + +##### `passenger_stat_throttle_rate` + +Data type: `Optional[Integer]` + +Setting this option to a value of x means that certain filesystem checks will be performed at most once every x seconds. + +Default value: `undef` + +##### `passenger_sticky_sessions` + +Data type: `Optional[Apache::OnOff]` + +Toggles whether all requests that a client sends will be routed to the same originating application process, whenever possible. + +Default value: `undef` + +##### `passenger_sticky_sessions_cookie_name` + +Data type: `Optional[String]` + +Sets the name of the sticky sessions cookie. + +Default value: `undef` + +##### `passenger_sticky_sessions_cookie_attributes` + +Data type: `Optional[String]` + +Sets the attributes of the sticky sessions cookie. + +Default value: `undef` + +##### `passenger_thread_count` + +Data type: `Optional[Integer]` + +Specifies the number of threads that Passenger should spawn per Ruby application process. + +Default value: `undef` + +##### `passenger_use_global_queue` + +Data type: `Optional[String]` + +N/A. + +Default value: `undef` + +##### `passenger_user` + +Data type: `Optional[String]` + +Allows you to override that behavior and explicitly set a user to run the web application as, regardless of the ownership of the +startup file. + +Default value: `undef` + +##### `passenger_user_switching` + +Data type: `Optional[Apache::OnOff]` + +Toggles whether to attempt to enable user account sandboxing, also known as user switching. + +Default value: `undef` + +##### `rack_env` + +Data type: `Optional[String]` + +Alias for PassengerAppEnv. + +Default value: `undef` + +##### `rails_env` + +Data type: `Optional[String]` + +Alias for PassengerAppEnv. + +Default value: `undef` + +##### `rails_framework_spawner_idle_time` + +Data type: `Optional[String]` + +This option is no longer available in version 4.0.0. There is no alternative because framework spawning has been removed +altogether. You should use smart spawning instead. + +Default value: `undef` + +### `apache::mod::perl` + +Installs `mod_perl`. + +* **See also** + * https://perl.apache.org + * for additional documentation. + +### `apache::mod::peruser` + +Installs `mod_peruser`. + +#### Parameters + +The following parameters are available in the `apache::mod::peruser` class: + +* [`minspareprocessors`](#-apache--mod--peruser--minspareprocessors) +* [`minprocessors`](#-apache--mod--peruser--minprocessors) +* [`maxprocessors`](#-apache--mod--peruser--maxprocessors) +* [`maxclients`](#-apache--mod--peruser--maxclients) +* [`maxrequestsperchild`](#-apache--mod--peruser--maxrequestsperchild) +* [`idletimeout`](#-apache--mod--peruser--idletimeout) +* [`expiretimeout`](#-apache--mod--peruser--expiretimeout) +* [`keepalive`](#-apache--mod--peruser--keepalive) + +##### `minspareprocessors` + +Data type: `Integer` + + + +Default value: `2` + +##### `minprocessors` + +Data type: `Integer` + +The minimum amount of processors + +Default value: `2` + +##### `maxprocessors` + +Data type: `Integer` + +The maximum amount of processors + +Default value: `10` + +##### `maxclients` + +Data type: `Integer` + +The maximum amount of clients + +Default value: `150` + +##### `maxrequestsperchild` + +Data type: `Integer` + +The maximum amount of requests per child + +Default value: `1000` + +##### `idletimeout` + +Data type: `Integer` + + + +Default value: `120` + +##### `expiretimeout` + +Data type: `Integer` + + + +Default value: `120` + +##### `keepalive` + +Data type: `Apache::OnOff` + + + +Default value: `'Off'` + +### `apache::mod::php` + +Installs `mod_php`. + +* **Note** Unsupported platforms: RedHat: 9 + +#### Parameters + +The following parameters are available in the `apache::mod::php` class: + +* [`package_name`](#-apache--mod--php--package_name) +* [`package_ensure`](#-apache--mod--php--package_ensure) +* [`path`](#-apache--mod--php--path) +* [`extensions`](#-apache--mod--php--extensions) +* [`content`](#-apache--mod--php--content) +* [`template`](#-apache--mod--php--template) +* [`source`](#-apache--mod--php--source) +* [`root_group`](#-apache--mod--php--root_group) +* [`php_version`](#-apache--mod--php--php_version) +* [`libphp_prefix`](#-apache--mod--php--libphp_prefix) + +##### `package_name` + +Data type: `Optional[String]` + +The package name + +Default value: `undef` + +##### `package_ensure` + +Data type: `String` + +Whether the package is `present` or `absent` + +Default value: `'present'` + +##### `path` + +Data type: `Optional[String]` + + + +Default value: `undef` + +##### `extensions` + +Data type: `Array` + + + +Default value: `['.php']` + +##### `content` + +Data type: `Optional[String]` + + + +Default value: `undef` + +##### `template` + +Data type: `String` + + + +Default value: `'apache/mod/php.conf.erb'` + +##### `source` + +Data type: `Optional[String]` + + + +Default value: `undef` + +##### `root_group` + +Data type: `Optional[String]` + +UNIX group of the root user + +Default value: `$apache::params::root_group` + +##### `php_version` + +Data type: `Optional[String]` + +The php version. This is a required parameter, but optional allows showing a clear error message + +Default value: `$apache::params::php_version` + +##### `libphp_prefix` + +Data type: `String` + + + +Default value: `'libphp'` + +### `apache::mod::prefork` + +Installs and configures MPM `prefork`. + +* **See also** + * https://httpd.apache.org/docs/current/mod/prefork.html + * for additional documentation. + +#### Parameters + +The following parameters are available in the `apache::mod::prefork` class: + +* [`startservers`](#-apache--mod--prefork--startservers) +* [`minspareservers`](#-apache--mod--prefork--minspareservers) +* [`maxspareservers`](#-apache--mod--prefork--maxspareservers) +* [`serverlimit`](#-apache--mod--prefork--serverlimit) +* [`maxclients`](#-apache--mod--prefork--maxclients) +* [`maxrequestworkers`](#-apache--mod--prefork--maxrequestworkers) +* [`maxrequestsperchild`](#-apache--mod--prefork--maxrequestsperchild) +* [`maxconnectionsperchild`](#-apache--mod--prefork--maxconnectionsperchild) +* [`listenbacklog`](#-apache--mod--prefork--listenbacklog) + +##### `startservers` + +Data type: `Integer` + +Number of child server processes created at startup. + +Default value: `8` + +##### `minspareservers` + +Data type: `Integer` + +Minimum number of idle child server processes. + +Default value: `5` + +##### `maxspareservers` + +Data type: `Integer` + +Maximum number of idle child server processes. + +Default value: `20` + +##### `serverlimit` + +Data type: `Integer` + +Upper limit on configurable number of processes. + +Default value: `256` + +##### `maxclients` + +Data type: `Integer` + +Old alias for MaxRequestWorkers. + +Default value: `256` + +##### `maxrequestworkers` + +Data type: `Optional[Integer]` + +Maximum number of connections that will be processed simultaneously. + +Default value: `undef` + +##### `maxrequestsperchild` + +Data type: `Integer` + +Old alias for MaxConnectionsPerChild. + +Default value: `4000` + +##### `maxconnectionsperchild` + +Data type: `Optional[Integer]` + +Limit on the number of connections that an individual child server will handle during its life. + +Default value: `undef` + +##### `listenbacklog` + +Data type: `Integer` + +Maximum length of the queue of pending connections. + +Default value: `511` + +### `apache::mod::proxy` + +Installs and configures `mod_proxy`. + +* **See also** + * https://httpd.apache.org/docs/current/mod/mod_proxy.html + * for additional documentation. + +#### Parameters + +The following parameters are available in the `apache::mod::proxy` class: + +* [`proxy_requests`](#-apache--mod--proxy--proxy_requests) +* [`allow_from`](#-apache--mod--proxy--allow_from) +* [`package_name`](#-apache--mod--proxy--package_name) +* [`proxy_via`](#-apache--mod--proxy--proxy_via) +* [`proxy_timeout`](#-apache--mod--proxy--proxy_timeout) +* [`proxy_iobuffersize`](#-apache--mod--proxy--proxy_iobuffersize) + +##### `proxy_requests` + +Data type: `String` + +Enables forward (standard) proxy requests. + +Default value: `'Off'` + +##### `allow_from` + +Data type: `Optional[Variant[Stdlib::IP::Address, Array[Stdlib::IP::Address]]]` + +IP address or list of IPs allowed to access proxy. + +Default value: `undef` + +##### `package_name` + +Data type: `Optional[String]` + +Name of the proxy package to install. + +Default value: `undef` + +##### `proxy_via` + +Data type: `String` + +Set local IP address for outgoing proxy connections. + +Default value: `'On'` + +##### `proxy_timeout` + +Data type: `Optional[Integer[0]]` + +Network timeout for proxied requests. + +Default value: `undef` + +##### `proxy_iobuffersize` + +Data type: `Optional[String]` + +Set the size of internal data throughput buffer + +Default value: `undef` + +### `apache::mod::proxy_ajp` + +Installs `mod_proxy_ajp`. + +* **See also** + * https://httpd.apache.org/docs/current/mod/mod_proxy_ajp.html + * for additional documentation. + +### `apache::mod::proxy_balancer` + +Installs and configures `mod_proxy_balancer`. + +* **See also** + * https://httpd.apache.org/docs/current/mod/mod_proxy_balancer.html + * for additional documentation. + +#### Parameters + +The following parameters are available in the `apache::mod::proxy_balancer` class: + +* [`manager`](#-apache--mod--proxy_balancer--manager) +* [`manager_path`](#-apache--mod--proxy_balancer--manager_path) +* [`allow_from`](#-apache--mod--proxy_balancer--allow_from) + +##### `manager` + +Data type: `Boolean` + +Toggle whether to enable balancer manager support. + +Default value: `false` + +##### `manager_path` + +Data type: `Stdlib::Unixpath` + +Server relative path to balancer manager. + +Default value: `'/balancer-manager'` + +##### `allow_from` + +Data type: `Array[Stdlib::IP::Address]` + +List of IPs from which the balancer manager can be accessed. + +Default value: `['127.0.0.1', '::1']` + +### `apache::mod::proxy_connect` + +Installs `mod_proxy_connect`. + +* **See also** + * https://httpd.apache.org/docs/current/mod/mod_proxy_connect.html + * for additional documentation. + +### `apache::mod::proxy_fcgi` + +Installs `mod_proxy_fcgi`. + +* **See also** + * https://httpd.apache.org/docs/current/mod/mod_proxy_fcgi.html + * for additional documentation. + +### `apache::mod::proxy_html` + +Installs `mod_proxy_html`. + +* **See also** + * https://httpd.apache.org/docs/current/mod/mod_proxy_html.html + * for additional documentation. + +### `apache::mod::proxy_http` + +Installs `mod_proxy_http`. + +* **See also** + * https://httpd.apache.org/docs/current/mod/mod_proxy_http.html + * for additional documentation. + +### `apache::mod::proxy_http2` + +Installs `mod_proxy_http2`. + +* **See also** + * https://httpd.apache.org/docs/current/mod/mod_proxy_http2.html + * for additional documentation. + +### `apache::mod::proxy_wstunnel` + +Installs `mod_proxy_wstunnel`. + +* **See also** + * https://httpd.apache.org/docs/current/mod/mod_proxy_wstunnel.html + * for additional documentation. + +### `apache::mod::python` + +Installs and configures `mod_python`. + +* **See also** + * https://github.com/grisha/mod_python + * for additional documentation. + +#### Parameters + +The following parameters are available in the `apache::mod::python` class: + +* [`loadfile_name`](#-apache--mod--python--loadfile_name) + +##### `loadfile_name` + +Data type: `Optional[String]` + +Sets the name of the configuration file that is used to load the python module. + +Default value: `undef` + +### `apache::mod::remoteip` + +Installs and configures `mod_remoteip`. + +* **See also** + * https://httpd.apache.org/docs/current/mod/mod_remoteip.html + * https://httpd.apache.org/docs/current/mod/mod_remoteip.html + * for additional documentation. + +#### Parameters + +The following parameters are available in the `apache::mod::remoteip` class: + +* [`header`](#-apache--mod--remoteip--header) +* [`internal_proxy`](#-apache--mod--remoteip--internal_proxy) +* [`proxy_ips`](#-apache--mod--remoteip--proxy_ips) +* [`internal_proxy_list`](#-apache--mod--remoteip--internal_proxy_list) +* [`proxies_header`](#-apache--mod--remoteip--proxies_header) +* [`proxy_protocol`](#-apache--mod--remoteip--proxy_protocol) +* [`proxy_protocol_exceptions`](#-apache--mod--remoteip--proxy_protocol_exceptions) +* [`trusted_proxy`](#-apache--mod--remoteip--trusted_proxy) +* [`trusted_proxy_ips`](#-apache--mod--remoteip--trusted_proxy_ips) +* [`trusted_proxy_list`](#-apache--mod--remoteip--trusted_proxy_list) + +##### `header` + +Data type: `String` + +The header field in which `mod_remoteip` will look for the useragent IP. + +Default value: `'X-Forwarded-For'` + +##### `internal_proxy` + +Data type: `Optional[Array[Stdlib::Host]]` + +A list of IP addresses, IP blocks or hostname that are trusted to set a +valid value inside specified header. Unlike the `$trusted_proxy_ips` +parameter, any IP address (including private addresses) presented by these +proxies will trusted by `mod_remoteip`. + +Default value: `undef` + +##### `proxy_ips` + +Data type: `Optional[Array[Stdlib::Host]]` + +*Deprecated*: use `$internal_proxy` instead. + +Default value: `undef` + +##### `internal_proxy_list` + +Data type: `Optional[Stdlib::Absolutepath]` + +The path to a file containing a list of IP addresses, IP blocks or hostname +that are trusted to set a valid value inside the specified header. See +`$internal_proxy` for details. + +Default value: `undef` + +##### `proxies_header` + +Data type: `Optional[String]` + +A header into which `mod_remoteip` will collect a list of all of the +intermediate client IP addresses trusted to resolve the useragent IP of the +request (e.g. `X-Forwarded-By`). + +Default value: `undef` + +##### `proxy_protocol` + +Data type: `Boolean` + +Wether or not to enable the PROXY protocol header handling. If enabled +upstream clients must set the header every time they open a connection. + +Default value: `false` + +##### `proxy_protocol_exceptions` + +Data type: `Optional[Array[Stdlib::Host]]` + +A list of IP address or IP blocks that are not required to use the PROXY +protocol. + +Default value: `undef` + +##### `trusted_proxy` + +Data type: `Optional[Array[Stdlib::Host]]` + +A list of IP addresses, IP blocks or hostname that are trusted to set a +valid value inside the specified header. Unlike the `$proxy_ips` parameter, +any private IP presented by these proxies will be disgarded by +`mod_remoteip`. + +Default value: `undef` + +##### `trusted_proxy_ips` + +Data type: `Optional[Array[Stdlib::Host]]` + +*Deprecated*: use `$trusted_proxy` instead. + +Default value: `undef` + +##### `trusted_proxy_list` + +Data type: `Optional[Stdlib::Absolutepath]` + +The path to a file containing a list of IP addresses, IP blocks or hostname +that are trusted to set a valid value inside the specified header. See +`$trusted_proxy` for details. + +Default value: `undef` + +### `apache::mod::reqtimeout` + +Installs and configures `mod_reqtimeout`. + +* **See also** + * https://httpd.apache.org/docs/current/mod/mod_reqtimeout.html + * for additional documentation. + +#### Parameters + +The following parameters are available in the `apache::mod::reqtimeout` class: + +* [`timeouts`](#-apache--mod--reqtimeout--timeouts) + +##### `timeouts` + +Data type: `Variant[Array[String], String]` + +List of timeouts and data rates for receiving requests. + +Default value: `['header=20-40,minrate=500', 'body=10,minrate=500']` + +### `apache::mod::rewrite` + +Installs `mod_rewrite`. + +* **See also** + * https://httpd.apache.org/docs/current/mod/mod_rewrite.html + * for additional documentation. + +### `apache::mod::rpaf` + +Installs and configures `mod_rpaf`. + +* **See also** + * https://github.com/gnif/mod_rpaf + * for additional documentation. + +#### Parameters + +The following parameters are available in the `apache::mod::rpaf` class: + +* [`sethostname`](#-apache--mod--rpaf--sethostname) +* [`proxy_ips`](#-apache--mod--rpaf--proxy_ips) +* [`header`](#-apache--mod--rpaf--header) +* [`template`](#-apache--mod--rpaf--template) + +##### `sethostname` + +Data type: `Variant[Boolean, String]` + +Toggles whether to update vhost name so ServerName and ServerAlias work. + +Default value: `true` + +##### `proxy_ips` + +Data type: `Array[Stdlib::IP::Address]` + +List of IPs & bitmasked subnets to adjust requests for + +Default value: `['127.0.0.1']` + +##### `header` + +Data type: `String` + +Header to use for the real IP address. + +Default value: `'X-Forwarded-For'` + +##### `template` + +Data type: `String` + +Path to template to use for configuring mod_rpaf. + +Default value: `'apache/mod/rpaf.conf.epp'` + +### `apache::mod::security` + +Installs and configures `mod_security`. + +* **See also** + * https://github.com/SpiderLabs/ModSecurity/wiki + * for additional documentation. + * https://coreruleset.org/docs/ + * for addional documentation + +#### Parameters + +The following parameters are available in the `apache::mod::security` class: + +* [`version`](#-apache--mod--security--version) +* [`logroot`](#-apache--mod--security--logroot) +* [`crs_package`](#-apache--mod--security--crs_package) +* [`activated_rules`](#-apache--mod--security--activated_rules) +* [`custom_rules`](#-apache--mod--security--custom_rules) +* [`custom_rules_set`](#-apache--mod--security--custom_rules_set) +* [`modsec_dir`](#-apache--mod--security--modsec_dir) +* [`modsec_secruleengine`](#-apache--mod--security--modsec_secruleengine) +* [`debug_log_level`](#-apache--mod--security--debug_log_level) +* [`audit_log_relevant_status`](#-apache--mod--security--audit_log_relevant_status) +* [`audit_log_parts`](#-apache--mod--security--audit_log_parts) +* [`audit_log_type`](#-apache--mod--security--audit_log_type) +* [`audit_log_format`](#-apache--mod--security--audit_log_format) +* [`audit_log_storage_dir`](#-apache--mod--security--audit_log_storage_dir) +* [`secpcrematchlimit`](#-apache--mod--security--secpcrematchlimit) +* [`secpcrematchlimitrecursion`](#-apache--mod--security--secpcrematchlimitrecursion) +* [`allowed_methods`](#-apache--mod--security--allowed_methods) +* [`content_types`](#-apache--mod--security--content_types) +* [`restricted_extensions`](#-apache--mod--security--restricted_extensions) +* [`restricted_headers`](#-apache--mod--security--restricted_headers) +* [`secdefaultaction`](#-apache--mod--security--secdefaultaction) +* [`inbound_anomaly_threshold`](#-apache--mod--security--inbound_anomaly_threshold) +* [`outbound_anomaly_threshold`](#-apache--mod--security--outbound_anomaly_threshold) +* [`critical_anomaly_score`](#-apache--mod--security--critical_anomaly_score) +* [`error_anomaly_score`](#-apache--mod--security--error_anomaly_score) +* [`warning_anomaly_score`](#-apache--mod--security--warning_anomaly_score) +* [`notice_anomaly_score`](#-apache--mod--security--notice_anomaly_score) +* [`paranoia_level`](#-apache--mod--security--paranoia_level) +* [`executing_paranoia_level`](#-apache--mod--security--executing_paranoia_level) +* [`secrequestmaxnumargs`](#-apache--mod--security--secrequestmaxnumargs) +* [`secrequestbodylimit`](#-apache--mod--security--secrequestbodylimit) +* [`secrequestbodynofileslimit`](#-apache--mod--security--secrequestbodynofileslimit) +* [`secrequestbodyinmemorylimit`](#-apache--mod--security--secrequestbodyinmemorylimit) +* [`secrequestbodyaccess`](#-apache--mod--security--secrequestbodyaccess) +* [`secrequestbodylimitaction`](#-apache--mod--security--secrequestbodylimitaction) +* [`secresponsebodyaccess`](#-apache--mod--security--secresponsebodyaccess) +* [`secresponsebodylimitaction`](#-apache--mod--security--secresponsebodylimitaction) +* [`manage_security_crs`](#-apache--mod--security--manage_security_crs) +* [`enable_dos_protection`](#-apache--mod--security--enable_dos_protection) +* [`dos_burst_time_slice`](#-apache--mod--security--dos_burst_time_slice) +* [`dos_counter_threshold`](#-apache--mod--security--dos_counter_threshold) +* [`dos_block_timeout`](#-apache--mod--security--dos_block_timeout) + +##### `version` + +Data type: `Integer` + +Manage mod_security or mod_security2 + +Default value: `$apache::params::modsec_version` + +##### `logroot` + +Data type: `Stdlib::Absolutepath` + +Configures the location of audit and debug logs. + +Default value: `$apache::params::logroot` + +##### `crs_package` + +Data type: `Optional[String]` + +Name of package that installs CRS rules. + +Default value: `$apache::params::modsec_crs_package` + +##### `activated_rules` + +Data type: `Array[String]` + +An array of rules from the modsec_crs_path or absolute to activate via symlinks. + +Default value: `$apache::params::modsec_default_rules` + +##### `custom_rules` + +Data type: `Boolean` + + + +Default value: `$apache::params::modsec_custom_rules` + +##### `custom_rules_set` + +Data type: `Optional[Array[String]]` + + + +Default value: `$apache::params::modsec_custom_rules_set` + +##### `modsec_dir` + +Data type: `Stdlib::Absolutepath` + +Defines the path where Puppet installs the modsec configuration and activated rules links. + +Default value: `$apache::params::modsec_dir` + +##### `modsec_secruleengine` + +Data type: `String` + +Configures the rules engine. + +Default value: `$apache::params::modsec_secruleengine` + +##### `debug_log_level` + +Data type: `Integer[0, 9]` + +Configures the debug log level. + +Default value: `0` + +##### `audit_log_relevant_status` + +Data type: `String` + +Configures which response status code is to be considered relevant for the purpose of audit logging. + +Default value: `'^(?:5|4(?!04))'` + +##### `audit_log_parts` + +Data type: `String` + +Defines which parts of each transaction are going to be recorded in the audit log. Each part is assigned a single letter; when a +letter appears in the list then the equivalent part will be recorded. + +Default value: `$apache::params::modsec_audit_log_parts` + +##### `audit_log_type` + +Data type: `String` + +Defines the type of audit logging mechanism to be used. + +Default value: `$apache::params::modsec_audit_log_type` + +##### `audit_log_format` + +Data type: `Enum['Native', 'JSON']` + +Defines what format the logs should be written in. + +Default value: `'Native'` + +##### `audit_log_storage_dir` + +Data type: `Optional[Stdlib::Absolutepath]` + +Defines the directory where concurrent audit log entries are to be stored. This directive is only needed when concurrent audit logging is used. + +Default value: `undef` + +##### `secpcrematchlimit` + +Data type: `Integer` + +Sets the match limit in the PCRE library. + +Default value: `$apache::params::secpcrematchlimit` + +##### `secpcrematchlimitrecursion` + +Data type: `Integer` + +Sets the match limit recursion in the PCRE library. + +Default value: `$apache::params::secpcrematchlimitrecursion` + +##### `allowed_methods` + +Data type: `String` + +A space-separated list of allowed HTTP methods. + +Default value: `'GET HEAD POST OPTIONS'` + +##### `content_types` + +Data type: `String` + +A list of one or more allowed MIME types. + +Default value: `'application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf'` + +##### `restricted_extensions` + +Data type: `String` + +A space-sparated list of prohibited file extensions. + +Default value: `'.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'` + +##### `restricted_headers` + +Data type: `String` + +A list of restricted headers separated by slashes and spaces. + +Default value: `'/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/'` + +##### `secdefaultaction` + +Data type: `String` + +Defines the default list of actions, which will be inherited by the rules in the same configuration context. + +Default value: `'deny'` + +##### `inbound_anomaly_threshold` + +Data type: `Integer` + +Sets the scoring threshold level of the inbound blocking rules for the Collaborative Detection Mode in the OWASP ModSecurity Core Rule Set. + +Default value: `5` + +##### `outbound_anomaly_threshold` + +Data type: `Integer` + +Sets the scoring threshold level of the outbound blocking rules for the Collaborative Detection Mode in the OWASP ModSecurity Core Rule Set. + +Default value: `4` + +##### `critical_anomaly_score` + +Data type: `Integer` + +Sets the Anomaly Score for rules assigned with a critical severity. + +Default value: `5` + +##### `error_anomaly_score` + +Data type: `Integer` + +Sets the Anomaly Score for rules assigned with a error severity. + +Default value: `4` + +##### `warning_anomaly_score` + +Data type: `Integer` + +Sets the Anomaly Score for rules assigned with a warning severity. + +Default value: `3` + +##### `notice_anomaly_score` + +Data type: `Integer` + +Sets the Anomaly Score for rules assigned with a notice severity. + +Default value: `2` + +##### `paranoia_level` + +Data type: `Integer[1,4]` + +Sets the paranoia level in the OWASP ModSecurity Core Rule Set. + +Default value: `1` + +##### `executing_paranoia_level` + +Data type: `Integer[1,4]` + +Sets the executing paranoia level in the OWASP ModSecurity Core Rule Set. +The default is equal to, and cannot be lower than, $paranoia_level. + +Default value: `$paranoia_level` + +##### `secrequestmaxnumargs` + +Data type: `Integer` + +Sets the maximum number of arguments in the request. + +Default value: `255` + +##### `secrequestbodylimit` + +Data type: `Integer` + +Sets the maximum request body size ModSecurity will accept for buffering. + +Default value: `13107200` + +##### `secrequestbodynofileslimit` + +Data type: `Integer` + +Configures the maximum request body size ModSecurity will accept for buffering, excluding the size of any files being transported +in the request. + +Default value: `131072` + +##### `secrequestbodyinmemorylimit` + +Data type: `Integer` + +Configures the maximum request body size that ModSecurity will store in memory. + +Default value: `131072` + +##### `secrequestbodyaccess` + +Data type: `Apache::OnOff` + +Toggle SecRequestBodyAccess On or Off + +Default value: `'On'` + +##### `secrequestbodylimitaction` + +Data type: `Enum['Reject', 'ProcessPartial']` + +Controls what happens once a request body limit, configured with +SecRequestBodyLimit, is encountered + +Default value: `'Reject'` + +##### `secresponsebodyaccess` + +Data type: `Apache::OnOff` + +Toggle SecResponseBodyAccess On or Off + +Default value: `'Off'` + +##### `secresponsebodylimitaction` + +Data type: `Enum['Reject', 'ProcessPartial']` + +Controls what happens once a response body limit, configured with +SecResponseBodyLimitAction, is encountered. + +Default value: `'ProcessPartial'` + +##### `manage_security_crs` + +Data type: `Boolean` + +Toggles whether to manage ModSecurity Core Rule Set + +Default value: `true` + +##### `enable_dos_protection` + +Data type: `Boolean` + +Toggles the optional OWASP ModSecurity Core Rule Set DOS protection rule +(rule id 900700) + +Default value: `true` + +##### `dos_burst_time_slice` + +Data type: `Integer[1, default]` + +Configures time in which a burst is measured for the OWASP ModSecurity Core Rule Set DOS protection rule +(rule id 900700) + +Default value: `60` + +##### `dos_counter_threshold` + +Data type: `Integer[1, default]` + +Configures the amount of requests that can be made within dos_burst_time_slice before it is considered a burst in +the OWASP ModSecurity Core Rule Set DOS protection rule (rule id 900700) + +Default value: `100` + +##### `dos_block_timeout` + +Data type: `Integer[1, default]` + +Configures how long the client should be blocked when the dos_counter_threshold is exceeded in the OWASP +ModSecurity Core Rule Set DOS protection rule (rule id 900700) + +Default value: `600` + +### `apache::mod::setenvif` + +Installs `mod_setenvif`. + +* **See also** + * https://httpd.apache.org/docs/current/mod/mod_setenvif.html + * for additional documentation. + +### `apache::mod::shib` + +This class installs and configures only the Apache components of a web application that consumes Shibboleth SSO identities. You +can manage the Shibboleth configuration manually, with Puppet, or using a [Shibboleth Puppet Module](https://github.com/aethylred/puppet-shibboleth). + +* **Note** The Shibboleth module isn't available on RH/CentOS without providing dependency packages provided by Shibboleth's repositories. +See the [Shibboleth Service Provider Installation Guide](http://wiki.aaf.edu.au/tech-info/sp-install-guide). + +* **See also** + * https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig + * for additional documentation. + +#### Parameters + +The following parameters are available in the `apache::mod::shib` class: + +* [`suppress_warning`](#-apache--mod--shib--suppress_warning) +* [`mod_full_path`](#-apache--mod--shib--mod_full_path) +* [`package_name`](#-apache--mod--shib--package_name) +* [`mod_lib`](#-apache--mod--shib--mod_lib) + +##### `suppress_warning` + +Data type: `Boolean` + +Toggles whether to trigger warning on RedHat nodes. + +Default value: `false` + +##### `mod_full_path` + +Data type: `Optional[Stdlib::Absolutepath]` + +Specifies a path to the module. Do not manually set this parameter without a special reason. + +Default value: `undef` + +##### `package_name` + +Data type: `Optional[String]` + +Name of the Shibboleth package to be installed. + +Default value: `undef` + +##### `mod_lib` + +Data type: `Optional[String]` + +Specifies a path to the module's libraries. Do not manually set this parameter without special reason. The `path` parameter +overrides this value. + +Default value: `undef` + +### `apache::mod::socache_shmcb` + +Installs `mod_socache_shmcb`. + +* **See also** + * https://httpd.apache.org/docs/current/mod/mod_socache_shmcb.html + * for additional documentation. + +### `apache::mod::speling` + +Installs `mod_spelling`. + +* **See also** + * https://httpd.apache.org/docs/current/mod/mod_speling.html + * for additional documentation. + +### `apache::mod::ssl` + +On most operating systems, the ssl.conf is placed in the module configuration directory. On Red Hat based operating systems, this +file is placed in /etc/httpd/conf.d, the same location in which the RPM stores the configuration. + +To use SSL with a virtual host, you must either set the default_ssl_vhost parameter in ::apache to true or the ssl parameter in +apache::vhost to true. + +* **See also** + * https://httpd.apache.org/docs/current/mod/mod_ssl.html + * for additional documentation. + +#### Parameters + +The following parameters are available in the `apache::mod::ssl` class: + +* [`ssl_compression`](#-apache--mod--ssl--ssl_compression) +* [`ssl_sessiontickets`](#-apache--mod--ssl--ssl_sessiontickets) +* [`ssl_cryptodevice`](#-apache--mod--ssl--ssl_cryptodevice) +* [`ssl_options`](#-apache--mod--ssl--ssl_options) +* [`ssl_openssl_conf_cmd`](#-apache--mod--ssl--ssl_openssl_conf_cmd) +* [`ssl_cert`](#-apache--mod--ssl--ssl_cert) +* [`ssl_key`](#-apache--mod--ssl--ssl_key) +* [`ssl_ca`](#-apache--mod--ssl--ssl_ca) +* [`ssl_cipher`](#-apache--mod--ssl--ssl_cipher) +* [`ssl_honorcipherorder`](#-apache--mod--ssl--ssl_honorcipherorder) +* [`ssl_protocol`](#-apache--mod--ssl--ssl_protocol) +* [`ssl_proxy_protocol`](#-apache--mod--ssl--ssl_proxy_protocol) +* [`ssl_proxy_cipher_suite`](#-apache--mod--ssl--ssl_proxy_cipher_suite) +* [`ssl_pass_phrase_dialog`](#-apache--mod--ssl--ssl_pass_phrase_dialog) +* [`ssl_random_seed_bytes`](#-apache--mod--ssl--ssl_random_seed_bytes) +* [`ssl_sessioncache`](#-apache--mod--ssl--ssl_sessioncache) +* [`ssl_sessioncachetimeout`](#-apache--mod--ssl--ssl_sessioncachetimeout) +* [`ssl_stapling`](#-apache--mod--ssl--ssl_stapling) +* [`stapling_cache`](#-apache--mod--ssl--stapling_cache) +* [`ssl_stapling_return_errors`](#-apache--mod--ssl--ssl_stapling_return_errors) +* [`ssl_mutex`](#-apache--mod--ssl--ssl_mutex) +* [`ssl_reload_on_change`](#-apache--mod--ssl--ssl_reload_on_change) +* [`package_name`](#-apache--mod--ssl--package_name) + +##### `ssl_compression` + +Data type: `Boolean` + +Enable compression on the SSL level. + +Default value: `false` + +##### `ssl_sessiontickets` + +Data type: `Optional[Boolean]` + +Enable or disable use of TLS session tickets + +Default value: `undef` + +##### `ssl_cryptodevice` + +Data type: `String` + +Enable use of a cryptographic hardware accelerator. + +Default value: `'builtin'` + +##### `ssl_options` + +Data type: `Array[String]` + +Configure various SSL engine run-time options. + +Default value: `['StdEnvVars']` + +##### `ssl_openssl_conf_cmd` + +Data type: `Optional[String]` + +Configure OpenSSL parameters through its SSL_CONF API. + +Default value: `undef` + +##### `ssl_cert` + +Data type: `Optional[Stdlib::Absolutepath]` + +Path to server PEM-encoded X.509 certificate data file. + +Default value: `undef` + +##### `ssl_key` + +Data type: `Optional[Stdlib::Absolutepath]` + +Path to server PEM-encoded private key file + +Default value: `undef` + +##### `ssl_ca` + +Data type: `Optional[Stdlib::Absolutepath]` + +File of concatenated PEM-encoded CA Certificates for Client Auth. + +Default value: `undef` + +##### `ssl_cipher` + +Data type: `Variant[String[1], Hash[String[1], String[1]]]` + +Cipher Suite available for negotiation in SSL handshake. + +Default value: `$apache::params::ssl_cipher` + +##### `ssl_honorcipherorder` + +Data type: `Variant[Boolean, Apache::OnOff]` + +Option to prefer the server's cipher preference order. + +Default value: `true` + +##### `ssl_protocol` + +Data type: `Array[String]` + +Configure usable SSL/TLS protocol versions. +Default based on the OS: +- RedHat 8: [ 'all' ]. +- Other Platforms: [ 'all', '-SSLv2', '-SSLv3' ]. + +Default value: `$apache::params::ssl_protocol` + +##### `ssl_proxy_protocol` + +Data type: `Array` + +Configure usable SSL protocol flavors for proxy usage. + +Default value: `[]` + +##### `ssl_proxy_cipher_suite` + +Data type: `Optional[String[1]]` + +Configure usable SSL ciphers for proxy usage. Equivalent to ssl_cipher but for proxy connections. + +Default value: `$apache::params::ssl_proxy_cipher_suite` + +##### `ssl_pass_phrase_dialog` + +Data type: `String` + +Type of pass phrase dialog for encrypted private keys. + +Default value: `'builtin'` + +##### `ssl_random_seed_bytes` + +Data type: `Integer` + +Pseudo Random Number Generator (PRNG) seeding source. + +Default value: `512` + +##### `ssl_sessioncache` + +Data type: `String` + +Configures the storage type of the global/inter-process SSL Session Cache + +Default value: `$apache::params::ssl_sessioncache` + +##### `ssl_sessioncachetimeout` + +Data type: `Integer` + +Number of seconds before an SSL session expires in the Session Cache. + +Default value: `300` + +##### `ssl_stapling` + +Data type: `Boolean` + +Enable stapling of OCSP responses in the TLS handshake. + +Default value: `false` + +##### `stapling_cache` + +Data type: `Optional[String]` + +Configures the cache used to store OCSP responses which get included in +the TLS handshake if SSLUseStapling is enabled. + +Default value: `undef` + +##### `ssl_stapling_return_errors` + +Data type: `Optional[Boolean]` + +Pass stapling related OCSP errors on to client. + +Default value: `undef` + +##### `ssl_mutex` + +Data type: `String` + +Configures mutex mechanism and lock file directory for all or specified mutexes. + +Default value: `'default'` + +##### `ssl_reload_on_change` + +Data type: `Boolean` + +Enable reloading of apache if the content of ssl files have changed. It only affects ssl files configured here and not vhost ones. + +Default value: `false` + +##### `package_name` + +Data type: `Optional[String]` + +Name of ssl package to install. + +Default value: `undef` + +### `apache::mod::status` + +Installs and configures `mod_status`. + +* **See also** + * http://httpd.apache.org/docs/current/mod/mod_status.html + * for additional documentation. + +#### Examples + +##### + +```puppet +# Simple usage allowing access from localhost and a private subnet +class { 'apache::mod::status': + requires => 'ip 127.0.0.1 ::1 10.10.10.10/24', +} +``` + +#### Parameters + +The following parameters are available in the `apache::mod::status` class: + +* [`requires`](#-apache--mod--status--requires) +* [`extended_status`](#-apache--mod--status--extended_status) +* [`status_path`](#-apache--mod--status--status_path) + +##### `requires` + +Data type: `Optional[Variant[String, Array, Hash]]` + +A Variant type that can be: +- String with: + - '' or 'unmanaged' - Host auth control done elsewhere + - 'ip ' - Allowed IPs/ranges + - 'host ' - Allowed names/domains + - 'all [granted|denied]' +- Array of strings with ip or host as above +- Hash with following keys: + - 'requires' - Value => Array as above + - 'enforce' - Value => String 'Any', 'All' or 'None' + This encloses "Require" directives in "" block + Optional - If unspecified, "Require" directives follow current flow + +Default value: `undef` + +##### `extended_status` + +Data type: `Apache::OnOff` + +Determines whether to track extended status information for each request, via the ExtendedStatus directive. + +Default value: `'On'` + +##### `status_path` + +Data type: `String` + +Path assigned to the Location directive which defines the URL to access the server status. + +Default value: `'/server-status'` + +### `apache::mod::suexec` + +Installs `mod_suexec`. + +* **See also** + * https://httpd.apache.org/docs/current/mod/mod_suexec.html + * for additional documentation. + +### `apache::mod::userdir` + +Installs and configures `mod_userdir`. + +* **See also** + * https://httpd.apache.org/docs/current/mod/mod_userdir.html + * for additional documentation. + +#### Parameters + +The following parameters are available in the `apache::mod::userdir` class: + +* [`userdir`](#-apache--mod--userdir--userdir) +* [`disable_root`](#-apache--mod--userdir--disable_root) +* [`path`](#-apache--mod--userdir--path) +* [`overrides`](#-apache--mod--userdir--overrides) +* [`options`](#-apache--mod--userdir--options) +* [`unmanaged_path`](#-apache--mod--userdir--unmanaged_path) +* [`custom_fragment`](#-apache--mod--userdir--custom_fragment) + +##### `userdir` + +Data type: `Optional[String[1]]` + +Path or directory name to be used as the UserDir. + +Default value: `undef` + +##### `disable_root` + +Data type: `Boolean` + +Toggles whether to allow use of root directory. + +Default value: `true` + +##### `path` + +Data type: `String` + +Path to directory or pattern from which to find user-specific directories. + +Default value: `'/home/*/public_html'` + +##### `overrides` + +Data type: `Array[String]` + +Array of directives that are allowed in .htaccess files. + +Default value: `['FileInfo', 'AuthConfig', 'Limit', 'Indexes']` + +##### `options` + +Data type: `Array[String]` + +Configures what features are available in a particular directory. + +Default value: `['MultiViews', 'Indexes', 'SymLinksIfOwnerMatch', 'IncludesNoExec']` + +##### `unmanaged_path` + +Data type: `Boolean` + +Toggles whether to manage path in userdir.conf + +Default value: `false` + +##### `custom_fragment` + +Data type: `Optional[String]` + +Custom configuration to be added to userdir.conf + +Default value: `undef` + +### `apache::mod::version` + +Installs `mod_version`. + +* **See also** + * https://httpd.apache.org/docs/current/mod/mod_version.html + * for additional documentation. + +### `apache::mod::vhost_alias` + +Installs Apache `mod_vhost_alias`. + +* **See also** + * https://httpd.apache.org/docs/current/mod/mod_vhost_alias.html + * for additional documentation. + +### `apache::mod::watchdog` + +Installs and configures `mod_watchdog`. + +* **See also** + * https://httpd.apache.org/docs/current/mod/mod_watchdog.html + * for additional documentation. + +#### Parameters + +The following parameters are available in the `apache::mod::watchdog` class: + +* [`watchdog_interval`](#-apache--mod--watchdog--watchdog_interval) + +##### `watchdog_interval` + +Data type: `Optional[Integer]` + +Sets the interval at which the watchdog_step hook runs. + +Default value: `undef` + +### `apache::mod::worker` + +Installs and manages the MPM `worker`. + +* **See also** + * https://httpd.apache.org/docs/current/mod/worker.html + * for additional documentation. + +#### Parameters + +The following parameters are available in the `apache::mod::worker` class: + +* [`startservers`](#-apache--mod--worker--startservers) +* [`minsparethreads`](#-apache--mod--worker--minsparethreads) +* [`maxsparethreads`](#-apache--mod--worker--maxsparethreads) +* [`threadsperchild`](#-apache--mod--worker--threadsperchild) +* [`maxrequestsperchild`](#-apache--mod--worker--maxrequestsperchild) +* [`serverlimit`](#-apache--mod--worker--serverlimit) +* [`threadlimit`](#-apache--mod--worker--threadlimit) +* [`listenbacklog`](#-apache--mod--worker--listenbacklog) +* [`maxrequestworkers`](#-apache--mod--worker--maxrequestworkers) + +##### `startservers` + +Data type: `Integer` + +The number of child server processes created on startup + +Default value: `2` + +##### `minsparethreads` + +Data type: `Integer` + +Minimum number of idle threads to handle request spikes. + +Default value: `25` + +##### `maxsparethreads` + +Data type: `Integer` + +Maximum number of idle threads. + +Default value: `75` + +##### `threadsperchild` + +Data type: `Integer` + +The number of threads created by each child process. + +Default value: `25` + +##### `maxrequestsperchild` + +Data type: `Integer` + +Limit on the number of connectiojns an individual child server +process will handle. This is the old name and is still supported. The new +name is MaxConnectionsPerChild as of 2.3.9+. + +Default value: `0` + +##### `serverlimit` + +Data type: `Integer` + +With worker, use this directive only if your MaxRequestWorkers +and ThreadsPerChild settings require more than 16 server processes +(default). Do not set the value of this directive any higher than the +number of server processes required by what you may want for +MaxRequestWorkers and ThreadsPerChild. + +Default value: `25` + +##### `threadlimit` + +Data type: `Integer` + +This directive sets the maximum configured value for +ThreadsPerChild for the lifetime of the Apache httpd process. + +Default value: `64` + +##### `listenbacklog` + +Data type: `Integer` + +Maximum length of the queue of pending connections. + +Default value: `511` + +##### `maxrequestworkers` + +Data type: `Integer` + +Maximum number of connections that will be processed simultaneously + +Default value: `150` + +### `apache::mod::wsgi` + +Installs and configures `mod_wsgi`. + +* **Note** Unsupported platforms: SLES: all; RedHat: all; CentOS: all; OracleLinux: all; Scientific: all + +* **See also** + * https://github.com/GrahamDumpleton/mod_wsgi + * for additional documentation. + +#### Parameters + +The following parameters are available in the `apache::mod::wsgi` class: + +* [`wsgi_restrict_embedded`](#-apache--mod--wsgi--wsgi_restrict_embedded) +* [`wsgi_socket_prefix`](#-apache--mod--wsgi--wsgi_socket_prefix) +* [`wsgi_python_path`](#-apache--mod--wsgi--wsgi_python_path) +* [`wsgi_python_home`](#-apache--mod--wsgi--wsgi_python_home) +* [`wsgi_python_optimize`](#-apache--mod--wsgi--wsgi_python_optimize) +* [`wsgi_application_group`](#-apache--mod--wsgi--wsgi_application_group) +* [`package_name`](#-apache--mod--wsgi--package_name) +* [`mod_path`](#-apache--mod--wsgi--mod_path) + +##### `wsgi_restrict_embedded` + +Data type: `Optional[String]` + +Enable restrictions on use of embedded mode. + +Default value: `undef` + +##### `wsgi_socket_prefix` + +Data type: `Optional[String]` + +Configure directory to use for daemon sockets. + +Default value: `$apache::params::wsgi_socket_prefix` + +##### `wsgi_python_path` + +Data type: `Optional[Stdlib::Absolutepath]` + +Additional directories to search for Python modules. + +Default value: `undef` + +##### `wsgi_python_home` + +Data type: `Optional[Stdlib::Absolutepath]` + +Absolute path to Python prefix/exec_prefix directories. + +Default value: `undef` + +##### `wsgi_python_optimize` + +Data type: `Optional[Integer]` + +Enables basic Python optimisation features. + +Default value: `undef` + +##### `wsgi_application_group` + +Data type: `Optional[String]` + +Sets which application group WSGI application belongs to. + +Default value: `undef` + +##### `package_name` + +Data type: `Optional[String]` + +Names of package that installs mod_wsgi. + +Default value: `undef` + +##### `mod_path` + +Data type: `Optional[String]` + +Defines the path to the mod_wsgi shared object (.so) file. + +Default value: `undef` + +### `apache::mod::xsendfile` + +Installs `mod_xsendfile`. + +* **See also** + * https://tn123.org/mod_xsendfile/ + * for additional documentation. + +### `apache::mpm::disable_mpm_event` + +disable Apache-Module event + +### `apache::mpm::disable_mpm_prefork` + +disable Apache-Module prefork + +### `apache::mpm::disable_mpm_worker` + +disable Apache-Module worker + +### `apache::vhosts` + +host parameters or Configuring virtual hosts in the README section. + +* **Note** See the `apache::vhost` defined type's reference for a list of all virtual + +#### Examples + +##### To create a [name-based virtual host](https://httpd.apache.org/docs/current/vhosts/name-based.html) `custom_vhost_1` + +```puppet +class { 'apache::vhosts': + vhosts => { + 'custom_vhost_1' => { + 'docroot' => '/var/www/custom_vhost_1', + 'port' => 81, + }, + }, +} +``` + +#### Parameters + +The following parameters are available in the `apache::vhosts` class: + +* [`vhosts`](#-apache--vhosts--vhosts) + +##### `vhosts` + +Data type: `Hash` + +A hash, where the key represents the name and the value represents a hash of +`apache::vhost` defined type's parameters. + +Default value: `{}` + +## Defined types + +### `apache::balancer` + +Each balancer cluster needs one or more balancer members (that can +be declared with the apache::balancermember defined resource type). Using +storeconfigs, you can export the apache::balancermember resources on all +balancer members, and then collect them on a single apache load balancer +server. + +* **Note** Currently requires the puppetlabs/concat module on the Puppet Forge and uses +storeconfigs on the Puppet Server to export/collect resources from all +balancer members. + +#### Examples + +##### + +```puppet +apache::balancer { 'puppet00': } +``` + +#### Parameters + +The following parameters are available in the `apache::balancer` defined type: + +* [`name`](#-apache--balancer--name) +* [`proxy_set`](#-apache--balancer--proxy_set) +* [`target`](#-apache--balancer--target) +* [`collect_exported`](#-apache--balancer--collect_exported) +* [`options`](#-apache--balancer--options) + +##### `name` + +The namevar of the defined resource type is the balancer clusters name.
+This name is also used in the name of the conf.d file + +##### `proxy_set` + +Data type: `Hash` + +Configures key-value pairs to be used as a ProxySet lines in the configuration. + +Default value: `{}` + +##### `target` + +Data type: `Optional[String]` + +The path to the file the balancer definition will be written in. + +Default value: `undef` + +##### `collect_exported` + +Data type: `Boolean` + +Determines whether to use exported resources.
+If you statically declare all of your backend servers, set this parameter to false to rely +on existing, declared balancer member resources. Also, use apache::balancermember with array +arguments.
+To dynamically declare backend servers via exported resources collected on a central node, +set this parameter to true to collect the balancer member resources exported by the balancer +member nodes.
+If you don't use exported resources, a single Puppet run configures all balancer members. If +you use exported resources, Puppet has to run on the balanced nodes first, then run on the +balancer. + +Default value: `true` + +##### `options` + +Data type: `Array[Pattern[/=/]]` + +Specifies an array of [options](https://httpd.apache.org/docs/current/mod/mod_proxy.html#balancermember) +after the balancer URL, and accepts any key-value pairs available to `ProxyPass`. + +Default value: `[]` + +### `apache::balancermember` + +Sets up a balancer member inside a listening service configuration block in +the load balancer's `apache.cfg`. + +This type will setup a balancer member inside a listening service +configuration block in /etc/apache/apache.cfg on the load balancer. +Currently it only has the ability to specify the instance name, url and an +array of options. More features can be added as needed. The best way to +implement this is to export this resource for all apache balancer member +servers, and then collect them on the main apache load balancer. + +* **Note** Currently requires the puppetlabs/concat module on the Puppet Forge and +uses storeconfigs on the Puppet Server to export/collect resources +from all balancer members. + +#### Examples + +##### + +```puppet +@@apache::balancermember { 'apache': + balancer_cluster => 'puppet00', + url => "ajp://${::fqdn}:8009" + options => ['ping=5', 'disablereuse=on', 'retry=5', 'ttl=120'], +} +``` + +#### Parameters + +The following parameters are available in the `apache::balancermember` defined type: + +* [`name`](#-apache--balancermember--name) +* [`balancer_cluster`](#-apache--balancermember--balancer_cluster) +* [`url`](#-apache--balancermember--url) +* [`options`](#-apache--balancermember--options) + +##### `name` + +The title of the resource is arbitrary and only utilized in the concat +fragment name. + +##### `balancer_cluster` + +Data type: `String` + +The apache service's instance name (or, the title of the apache::balancer +resource). This must match up with a declared apache::balancer resource. + +##### `url` + +Data type: `Apache::ModProxyProtocol` + +The url used to contact the balancer member server. + +Default value: `"http://${$facts['networking']['fqdn']}/"` + +##### `options` + +Data type: `Array` + +Specifies an array of [options](https://httpd.apache.org/docs/current/mod/mod_proxy.html#balancermember) +after the URL, and accepts any key-value pairs available to `ProxyPass`. + +Default value: `[]` + +### `apache::custom_config` + +If the file is invalid and this defined type's `verify_config` parameter's value is +`true`, Puppet throws an error during a Puppet run. + +#### Parameters + +The following parameters are available in the `apache::custom_config` defined type: + +* [`ensure`](#-apache--custom_config--ensure) +* [`confdir`](#-apache--custom_config--confdir) +* [`content`](#-apache--custom_config--content) +* [`filename`](#-apache--custom_config--filename) +* [`priority`](#-apache--custom_config--priority) +* [`source`](#-apache--custom_config--source) +* [`verify_command`](#-apache--custom_config--verify_command) +* [`verify_config`](#-apache--custom_config--verify_config) +* [`owner`](#-apache--custom_config--owner) +* [`group`](#-apache--custom_config--group) +* [`file_mode`](#-apache--custom_config--file_mode) +* [`show_diff`](#-apache--custom_config--show_diff) + +##### `ensure` + +Data type: `Enum['absent', 'present']` + +Specifies whether the configuration file should be present. + +Default value: `'present'` + +##### `confdir` + +Data type: `Stdlib::Absolutepath` + +Sets the directory in which Puppet places configuration files. + +Default value: `$apache::confd_dir` + +##### `content` + +Data type: `Optional[Variant[Sensitive, String]]` + +Sets the configuration file's content. The `content` and `source` parameters are exclusive +of each other. + +Default value: `undef` + +##### `filename` + +Data type: `Optional[String]` + +Sets the name of the file under `confdir` in which Puppet stores the configuration. + +Default value: `undef` + +##### `priority` + +Data type: `Apache::Vhost::Priority` + +Sets the configuration file's priority by prefixing its filename with this parameter's +numeric value, as Apache processes configuration files in alphanumeric order.
+To omit the priority prefix in the configuration file's name, set this parameter to `false`. + +Default value: `25` + +##### `source` + +Data type: `Optional[String]` + +Points to the configuration file's source. The `content` and `source` parameters are +exclusive of each other. + +Default value: `undef` + +##### `verify_command` + +Data type: `Variant[String, Array[String], Array[Array[String]]]` + +Specifies the command Puppet uses to verify the configuration file. Use a fully qualified +command.
+This parameter is used only if the `verify_config` parameter's value is `true`. If the +`verify_command` fails, the Puppet run deletes the configuration file and raises an error, +but does not notify the Apache service. +Command can be passed through as either a String, i.e. `'/usr/sbin/apache2ctl -t'` +An array, i.e. `['/usr/sbin/apache2ctl', '-t']` +Or an array of arrays with each one having to pass succesfully, i.e. `[['/usr/sbin/apache2ctl', '-t'], '/usr/sbin/apache2ctl -t']` + +Default value: `$apache::params::verify_command` + +##### `verify_config` + +Data type: `Boolean` + +Specifies whether to validate the configuration file before notifying the Apache service. + +Default value: `true` + +##### `owner` + +Data type: `Optional[String]` + +File owner of configuration file + +Default value: `undef` + +##### `group` + +Data type: `Optional[String]` + +File group of configuration file + +Default value: `undef` + +##### `file_mode` + +Data type: `Optional[Stdlib::Filemode]` + +File mode of configuration file + +Default value: `undef` + +##### `show_diff` + +Data type: `Boolean` + +show_diff property for configuration file resource + +Default value: `true` + +### `apache::fastcgi::server` + +Defines one or more external FastCGI servers to handle specific file types. Use this +defined type with `mod_fastcgi`. + +#### Parameters + +The following parameters are available in the `apache::fastcgi::server` defined type: + +* [`host`](#-apache--fastcgi--server--host) +* [`timeout`](#-apache--fastcgi--server--timeout) +* [`flush`](#-apache--fastcgi--server--flush) +* [`faux_path`](#-apache--fastcgi--server--faux_path) +* [`fcgi_alias`](#-apache--fastcgi--server--fcgi_alias) +* [`file_type`](#-apache--fastcgi--server--file_type) +* [`pass_header`](#-apache--fastcgi--server--pass_header) + +##### `host` + +Data type: `String` + +Determines the FastCGI's hostname or IP address and TCP port number (1-65535). + +Default value: `'127.0.0.1:9000'` + +##### `timeout` + +Data type: `Integer` + +Sets the number of seconds a [FastCGI](http://www.fastcgi.com/) application can be inactive before aborting the +request and logging the event at the error LogLevel. The inactivity timer applies only as +long as a connection is pending with the FastCGI application. If a request is queued to an +application, but the application doesn't respond by writing and flushing within this period, +the request is aborted. If communication is complete with the application but incomplete with +the client (the response is buffered), the timeout does not apply. + +Default value: `15` + +##### `flush` + +Data type: `Boolean` + +Forces `mod_fastcgi` to write to the client as data is received from the +application. By default, `mod_fastcgi` buffers data in order to free the application +as quickly as possible. + +Default value: `false` + +##### `faux_path` + +Data type: `Stdlib::Absolutepath` + +Apache has FastCGI handle URIs that resolve to this filename. The path set in this +parameter does not have to exist in the local filesystem. + +Default value: `"/var/www/${name}.fcgi"` + +##### `fcgi_alias` + +Data type: `Stdlib::Unixpath` + +Internally links actions with the FastCGI server. This alias must be unique. + +Default value: `"/${name}.fcgi"` + +##### `file_type` + +Data type: `String` + +Sets the MIME `content-type` of the file to be processed by the FastCGI server. + +Default value: `'application/x-httpd-php'` + +##### `pass_header` + +Data type: `Optional[String]` + +Sets a header for the server + +Default value: `undef` + +### `apache::listen` + +The `apache::vhost` class uses this defined type, and titles take the form +``, `:`, or `:`. + +### `apache::mod` + +Checks for or places the module's default configuration files in the Apache server's +`module` and `enable` directories. The default locations depend on your operating system. + +#### Parameters + +The following parameters are available in the `apache::mod` defined type: + +* [`package`](#-apache--mod--package) +* [`package_ensure`](#-apache--mod--package_ensure) +* [`lib`](#-apache--mod--lib) +* [`lib_path`](#-apache--mod--lib_path) +* [`loadfile_name`](#-apache--mod--loadfile_name) +* [`id`](#-apache--mod--id) +* [`loadfiles`](#-apache--mod--loadfiles) +* [`path`](#-apache--mod--path) + +##### `package` + +Data type: `Optional[String]` + +**Required**.
+Names the package Puppet uses to install the Apache module. + +Default value: `undef` + +##### `package_ensure` + +Data type: `String` + +Determines whether Puppet ensures the Apache module should be installed. + +Default value: `'present'` + +##### `lib` + +Data type: `Optional[String]` + +Defines the module's shared object name. Do not configure manually without special reason. + +Default value: `undef` + +##### `lib_path` + +Data type: `String` + +Specifies a path to the module's libraries. Do not manually set this parameter +without special reason. The `path` parameter overrides this value. + +Default value: `$apache::lib_path` + +##### `loadfile_name` + +Data type: `Optional[String]` + +Sets the filename for the module's `LoadFile` directive, which can also set +the module load order as Apache processes them in alphanumeric order. + +Default value: `undef` + +##### `id` + +Data type: `Optional[String]` + +Specifies the package id + +Default value: `undef` + +##### `loadfiles` + +Data type: `Optional[Array]` + +Specifies an array of `LoadFile` directives. + +Default value: `undef` + +##### `path` + +Data type: `Optional[String]` + +Specifies a path to the module. Do not manually set this parameter without a special reason. + +Default value: `undef` + +### `apache::namevirtualhost` + +Adds all related directives to the `ports.conf` file in the Apache HTTPD configuration +directory. Titles can take the forms `\*`, `\*:\`, `\_default\_:\`, +`\`, or `\:\`. + +### `apache::vhost` + +The apache module allows a lot of flexibility in the setup and configuration of virtual hosts. +This flexibility is due, in part, to `vhost` being a defined resource type, which allows Apache +to evaluate it multiple times with different parameters.
+The `apache::vhost` defined type allows you to have specialized configurations for virtual hosts +that have requirements outside the defaults. You can set up a default virtual host within +the base `::apache` class, as well as set a customized virtual host as the default. +Customized virtual hosts have a lower numeric `priority` than the base class's, causing +Apache to process the customized virtual host first.
+The `apache::vhost` defined type uses `concat::fragment` to build the configuration file. To +inject custom fragments for pieces of the configuration that the defined type doesn't +inherently support, add a custom fragment.
+For the custom fragment's `order` parameter, the `apache::vhost` defined type uses multiples +of 10, so any `order` that isn't a multiple of 10 should work.
+> **Note:** When creating an `apache::vhost`, it cannot be named `default` or `default-ssl`, +because vhosts with these titles are always managed by the module. This means that you cannot +override `Apache::Vhost['default']` or `Apache::Vhost['default-ssl]` resources. An optional +workaround is to create a vhost named something else, such as `my default`, and ensure that the +`default` and `default_ssl` vhosts are set to `false`: + +#### Examples + +##### + +```puppet +class { 'apache': + default_vhost => false, + default_ssl_vhost => false, +} +``` + +#### Parameters + +The following parameters are available in the `apache::vhost` defined type: + +* [`access_log`](#-apache--vhost--access_log) +* [`access_log_env_var`](#-apache--vhost--access_log_env_var) +* [`access_log_file`](#-apache--vhost--access_log_file) +* [`access_log_format`](#-apache--vhost--access_log_format) +* [`access_log_pipe`](#-apache--vhost--access_log_pipe) +* [`access_log_syslog`](#-apache--vhost--access_log_syslog) +* [`access_logs`](#-apache--vhost--access_logs) +* [`add_default_charset`](#-apache--vhost--add_default_charset) +* [`add_listen`](#-apache--vhost--add_listen) +* [`use_optional_includes`](#-apache--vhost--use_optional_includes) +* [`aliases`](#-apache--vhost--aliases) +* [`allow_encoded_slashes`](#-apache--vhost--allow_encoded_slashes) +* [`block`](#-apache--vhost--block) +* [`cas_attribute_prefix`](#-apache--vhost--cas_attribute_prefix) +* [`cas_attribute_delimiter`](#-apache--vhost--cas_attribute_delimiter) +* [`cas_login_url`](#-apache--vhost--cas_login_url) +* [`cas_root_proxied_as`](#-apache--vhost--cas_root_proxied_as) +* [`cas_scrub_request_headers`](#-apache--vhost--cas_scrub_request_headers) +* [`cas_sso_enabled`](#-apache--vhost--cas_sso_enabled) +* [`cas_validate_saml`](#-apache--vhost--cas_validate_saml) +* [`cas_validate_url`](#-apache--vhost--cas_validate_url) +* [`cas_cookie_path`](#-apache--vhost--cas_cookie_path) +* [`comment`](#-apache--vhost--comment) +* [`default_vhost`](#-apache--vhost--default_vhost) +* [`directoryindex`](#-apache--vhost--directoryindex) +* [`docroot`](#-apache--vhost--docroot) +* [`docroot_group`](#-apache--vhost--docroot_group) +* [`docroot_owner`](#-apache--vhost--docroot_owner) +* [`docroot_mode`](#-apache--vhost--docroot_mode) +* [`manage_docroot`](#-apache--vhost--manage_docroot) +* [`error_log`](#-apache--vhost--error_log) +* [`error_log_file`](#-apache--vhost--error_log_file) +* [`error_log_pipe`](#-apache--vhost--error_log_pipe) +* [`error_log_syslog`](#-apache--vhost--error_log_syslog) +* [`error_log_format`](#-apache--vhost--error_log_format) +* [`error_documents`](#-apache--vhost--error_documents) +* [`ensure`](#-apache--vhost--ensure) +* [`show_diff`](#-apache--vhost--show_diff) +* [`fallbackresource`](#-apache--vhost--fallbackresource) +* [`filters`](#-apache--vhost--filters) +* [`h2_copy_files`](#-apache--vhost--h2_copy_files) +* [`h2_direct`](#-apache--vhost--h2_direct) +* [`h2_early_hints`](#-apache--vhost--h2_early_hints) +* [`h2_max_session_streams`](#-apache--vhost--h2_max_session_streams) +* [`h2_modern_tls_only`](#-apache--vhost--h2_modern_tls_only) +* [`h2_push`](#-apache--vhost--h2_push) +* [`h2_push_diary_size`](#-apache--vhost--h2_push_diary_size) +* [`h2_push_priority`](#-apache--vhost--h2_push_priority) +* [`h2_push_resource`](#-apache--vhost--h2_push_resource) +* [`h2_serialize_headers`](#-apache--vhost--h2_serialize_headers) +* [`h2_stream_max_mem_size`](#-apache--vhost--h2_stream_max_mem_size) +* [`h2_tls_cool_down_secs`](#-apache--vhost--h2_tls_cool_down_secs) +* [`h2_tls_warm_up_size`](#-apache--vhost--h2_tls_warm_up_size) +* [`h2_upgrade`](#-apache--vhost--h2_upgrade) +* [`h2_window_size`](#-apache--vhost--h2_window_size) +* [`ip`](#-apache--vhost--ip) +* [`ip_based`](#-apache--vhost--ip_based) +* [`itk`](#-apache--vhost--itk) +* [`action`](#-apache--vhost--action) +* [`jk_mounts`](#-apache--vhost--jk_mounts) +* [`http_protocol_options`](#-apache--vhost--http_protocol_options) +* [`keepalive`](#-apache--vhost--keepalive) +* [`keepalive_timeout`](#-apache--vhost--keepalive_timeout) +* [`max_keepalive_requests`](#-apache--vhost--max_keepalive_requests) +* [`auth_kerb`](#-apache--vhost--auth_kerb) +* [`krb_method_negotiate`](#-apache--vhost--krb_method_negotiate) +* [`krb_method_k5passwd`](#-apache--vhost--krb_method_k5passwd) +* [`krb_authoritative`](#-apache--vhost--krb_authoritative) +* [`krb_auth_realms`](#-apache--vhost--krb_auth_realms) +* [`krb_5keytab`](#-apache--vhost--krb_5keytab) +* [`krb_local_user_mapping`](#-apache--vhost--krb_local_user_mapping) +* [`krb_verify_kdc`](#-apache--vhost--krb_verify_kdc) +* [`krb_servicename`](#-apache--vhost--krb_servicename) +* [`krb_save_credentials`](#-apache--vhost--krb_save_credentials) +* [`logroot`](#-apache--vhost--logroot) +* [`logroot_ensure`](#-apache--vhost--logroot_ensure) +* [`logroot_mode`](#-apache--vhost--logroot_mode) +* [`logroot_owner`](#-apache--vhost--logroot_owner) +* [`logroot_group`](#-apache--vhost--logroot_group) +* [`log_level`](#-apache--vhost--log_level) +* [`modsec_body_limit`](#-apache--vhost--modsec_body_limit) +* [`modsec_disable_vhost`](#-apache--vhost--modsec_disable_vhost) +* [`modsec_disable_ids`](#-apache--vhost--modsec_disable_ids) +* [`modsec_disable_ips`](#-apache--vhost--modsec_disable_ips) +* [`modsec_disable_msgs`](#-apache--vhost--modsec_disable_msgs) +* [`modsec_disable_tags`](#-apache--vhost--modsec_disable_tags) +* [`modsec_audit_log_file`](#-apache--vhost--modsec_audit_log_file) +* [`modsec_audit_log_pipe`](#-apache--vhost--modsec_audit_log_pipe) +* [`modsec_audit_log`](#-apache--vhost--modsec_audit_log) +* [`modsec_inbound_anomaly_threshold`](#-apache--vhost--modsec_inbound_anomaly_threshold) +* [`modsec_outbound_anomaly_threshold`](#-apache--vhost--modsec_outbound_anomaly_threshold) +* [`modsec_allowed_methods`](#-apache--vhost--modsec_allowed_methods) +* [`no_proxy_uris`](#-apache--vhost--no_proxy_uris) +* [`no_proxy_uris_match`](#-apache--vhost--no_proxy_uris_match) +* [`proxy_preserve_host`](#-apache--vhost--proxy_preserve_host) +* [`proxy_add_headers`](#-apache--vhost--proxy_add_headers) +* [`proxy_error_override`](#-apache--vhost--proxy_error_override) +* [`options`](#-apache--vhost--options) +* [`override`](#-apache--vhost--override) +* [`passenger_enabled`](#-apache--vhost--passenger_enabled) +* [`passenger_base_uri`](#-apache--vhost--passenger_base_uri) +* [`passenger_ruby`](#-apache--vhost--passenger_ruby) +* [`passenger_python`](#-apache--vhost--passenger_python) +* [`passenger_nodejs`](#-apache--vhost--passenger_nodejs) +* [`passenger_meteor_app_settings`](#-apache--vhost--passenger_meteor_app_settings) +* [`passenger_app_env`](#-apache--vhost--passenger_app_env) +* [`passenger_app_root`](#-apache--vhost--passenger_app_root) +* [`passenger_app_group_name`](#-apache--vhost--passenger_app_group_name) +* [`passenger_app_start_command`](#-apache--vhost--passenger_app_start_command) +* [`passenger_app_type`](#-apache--vhost--passenger_app_type) +* [`passenger_startup_file`](#-apache--vhost--passenger_startup_file) +* [`passenger_restart_dir`](#-apache--vhost--passenger_restart_dir) +* [`passenger_spawn_method`](#-apache--vhost--passenger_spawn_method) +* [`passenger_load_shell_envvars`](#-apache--vhost--passenger_load_shell_envvars) +* [`passenger_preload_bundler`](#-apache--vhost--passenger_preload_bundler) +* [`passenger_rolling_restarts`](#-apache--vhost--passenger_rolling_restarts) +* [`passenger_resist_deployment_errors`](#-apache--vhost--passenger_resist_deployment_errors) +* [`passenger_user`](#-apache--vhost--passenger_user) +* [`passenger_group`](#-apache--vhost--passenger_group) +* [`passenger_friendly_error_pages`](#-apache--vhost--passenger_friendly_error_pages) +* [`passenger_min_instances`](#-apache--vhost--passenger_min_instances) +* [`passenger_max_instances`](#-apache--vhost--passenger_max_instances) +* [`passenger_max_preloader_idle_time`](#-apache--vhost--passenger_max_preloader_idle_time) +* [`passenger_force_max_concurrent_requests_per_process`](#-apache--vhost--passenger_force_max_concurrent_requests_per_process) +* [`passenger_start_timeout`](#-apache--vhost--passenger_start_timeout) +* [`passenger_concurrency_model`](#-apache--vhost--passenger_concurrency_model) +* [`passenger_thread_count`](#-apache--vhost--passenger_thread_count) +* [`passenger_max_requests`](#-apache--vhost--passenger_max_requests) +* [`passenger_max_request_time`](#-apache--vhost--passenger_max_request_time) +* [`passenger_memory_limit`](#-apache--vhost--passenger_memory_limit) +* [`passenger_stat_throttle_rate`](#-apache--vhost--passenger_stat_throttle_rate) +* [`passenger_pre_start`](#-apache--vhost--passenger_pre_start) +* [`passenger_high_performance`](#-apache--vhost--passenger_high_performance) +* [`passenger_buffer_upload`](#-apache--vhost--passenger_buffer_upload) +* [`passenger_buffer_response`](#-apache--vhost--passenger_buffer_response) +* [`passenger_error_override`](#-apache--vhost--passenger_error_override) +* [`passenger_max_request_queue_size`](#-apache--vhost--passenger_max_request_queue_size) +* [`passenger_max_request_queue_time`](#-apache--vhost--passenger_max_request_queue_time) +* [`passenger_sticky_sessions`](#-apache--vhost--passenger_sticky_sessions) +* [`passenger_sticky_sessions_cookie_name`](#-apache--vhost--passenger_sticky_sessions_cookie_name) +* [`passenger_sticky_sessions_cookie_attributes`](#-apache--vhost--passenger_sticky_sessions_cookie_attributes) +* [`passenger_allow_encoded_slashes`](#-apache--vhost--passenger_allow_encoded_slashes) +* [`passenger_app_log_file`](#-apache--vhost--passenger_app_log_file) +* [`passenger_debugger`](#-apache--vhost--passenger_debugger) +* [`passenger_lve_min_uid`](#-apache--vhost--passenger_lve_min_uid) +* [`passenger_dump_config_manifest`](#-apache--vhost--passenger_dump_config_manifest) +* [`passenger_admin_panel_url`](#-apache--vhost--passenger_admin_panel_url) +* [`passenger_admin_panel_auth_type`](#-apache--vhost--passenger_admin_panel_auth_type) +* [`passenger_admin_panel_username`](#-apache--vhost--passenger_admin_panel_username) +* [`passenger_admin_panel_password`](#-apache--vhost--passenger_admin_panel_password) +* [`php_values`](#-apache--vhost--php_values) +* [`php_flags`](#-apache--vhost--php_flags) +* [`php_admin_values`](#-apache--vhost--php_admin_values) +* [`php_admin_flags`](#-apache--vhost--php_admin_flags) +* [`port`](#-apache--vhost--port) +* [`priority`](#-apache--vhost--priority) +* [`protocols`](#-apache--vhost--protocols) +* [`protocols_honor_order`](#-apache--vhost--protocols_honor_order) +* [`proxy_dest`](#-apache--vhost--proxy_dest) +* [`proxy_pass`](#-apache--vhost--proxy_pass) +* [`proxy_dest_match`](#-apache--vhost--proxy_dest_match) +* [`proxy_dest_reverse_match`](#-apache--vhost--proxy_dest_reverse_match) +* [`proxy_pass_match`](#-apache--vhost--proxy_pass_match) +* [`redirect_dest`](#-apache--vhost--redirect_dest) +* [`redirect_source`](#-apache--vhost--redirect_source) +* [`redirect_status`](#-apache--vhost--redirect_status) +* [`redirectmatch_regexp`](#-apache--vhost--redirectmatch_regexp) +* [`redirectmatch_status`](#-apache--vhost--redirectmatch_status) +* [`redirectmatch_dest`](#-apache--vhost--redirectmatch_dest) +* [`request_headers`](#-apache--vhost--request_headers) +* [`rewrites`](#-apache--vhost--rewrites) +* [`rewrite_base`](#-apache--vhost--rewrite_base) +* [`rewrite_rule`](#-apache--vhost--rewrite_rule) +* [`rewrite_cond`](#-apache--vhost--rewrite_cond) +* [`rewrite_inherit`](#-apache--vhost--rewrite_inherit) +* [`scriptalias`](#-apache--vhost--scriptalias) +* [`serveradmin`](#-apache--vhost--serveradmin) +* [`serveraliases`](#-apache--vhost--serveraliases) +* [`servername`](#-apache--vhost--servername) +* [`setenv`](#-apache--vhost--setenv) +* [`setenvif`](#-apache--vhost--setenvif) +* [`setenvifnocase`](#-apache--vhost--setenvifnocase) +* [`suexec_user_group`](#-apache--vhost--suexec_user_group) +* [`vhost_name`](#-apache--vhost--vhost_name) +* [`virtual_docroot`](#-apache--vhost--virtual_docroot) +* [`virtual_use_default_docroot`](#-apache--vhost--virtual_use_default_docroot) +* [`wsgi_daemon_process`](#-apache--vhost--wsgi_daemon_process) +* [`wsgi_daemon_process_options`](#-apache--vhost--wsgi_daemon_process_options) +* [`wsgi_application_group`](#-apache--vhost--wsgi_application_group) +* [`wsgi_import_script`](#-apache--vhost--wsgi_import_script) +* [`wsgi_import_script_options`](#-apache--vhost--wsgi_import_script_options) +* [`wsgi_chunked_request`](#-apache--vhost--wsgi_chunked_request) +* [`wsgi_process_group`](#-apache--vhost--wsgi_process_group) +* [`wsgi_script_aliases`](#-apache--vhost--wsgi_script_aliases) +* [`wsgi_script_aliases_match`](#-apache--vhost--wsgi_script_aliases_match) +* [`wsgi_pass_authorization`](#-apache--vhost--wsgi_pass_authorization) +* [`directories`](#-apache--vhost--directories) +* [`custom_fragment`](#-apache--vhost--custom_fragment) +* [`headers`](#-apache--vhost--headers) +* [`shib_compat_valid_user`](#-apache--vhost--shib_compat_valid_user) +* [`ssl_options`](#-apache--vhost--ssl_options) +* [`additional_includes`](#-apache--vhost--additional_includes) +* [`ssl`](#-apache--vhost--ssl) +* [`ssl_ca`](#-apache--vhost--ssl_ca) +* [`ssl_cert`](#-apache--vhost--ssl_cert) +* [`ssl_protocol`](#-apache--vhost--ssl_protocol) +* [`ssl_cipher`](#-apache--vhost--ssl_cipher) +* [`ssl_honorcipherorder`](#-apache--vhost--ssl_honorcipherorder) +* [`ssl_certs_dir`](#-apache--vhost--ssl_certs_dir) +* [`ssl_chain`](#-apache--vhost--ssl_chain) +* [`ssl_crl`](#-apache--vhost--ssl_crl) +* [`ssl_crl_path`](#-apache--vhost--ssl_crl_path) +* [`ssl_crl_check`](#-apache--vhost--ssl_crl_check) +* [`ssl_key`](#-apache--vhost--ssl_key) +* [`ssl_verify_client`](#-apache--vhost--ssl_verify_client) +* [`ssl_verify_depth`](#-apache--vhost--ssl_verify_depth) +* [`ssl_proxy_protocol`](#-apache--vhost--ssl_proxy_protocol) +* [`ssl_proxy_verify`](#-apache--vhost--ssl_proxy_verify) +* [`ssl_proxy_verify_depth`](#-apache--vhost--ssl_proxy_verify_depth) +* [`ssl_proxy_cipher_suite`](#-apache--vhost--ssl_proxy_cipher_suite) +* [`ssl_proxy_ca_cert`](#-apache--vhost--ssl_proxy_ca_cert) +* [`ssl_proxy_machine_cert`](#-apache--vhost--ssl_proxy_machine_cert) +* [`ssl_proxy_machine_cert_chain`](#-apache--vhost--ssl_proxy_machine_cert_chain) +* [`ssl_proxy_check_peer_cn`](#-apache--vhost--ssl_proxy_check_peer_cn) +* [`ssl_proxy_check_peer_name`](#-apache--vhost--ssl_proxy_check_peer_name) +* [`ssl_proxy_check_peer_expire`](#-apache--vhost--ssl_proxy_check_peer_expire) +* [`ssl_openssl_conf_cmd`](#-apache--vhost--ssl_openssl_conf_cmd) +* [`ssl_proxyengine`](#-apache--vhost--ssl_proxyengine) +* [`ssl_stapling`](#-apache--vhost--ssl_stapling) +* [`ssl_stapling_timeout`](#-apache--vhost--ssl_stapling_timeout) +* [`ssl_stapling_return_errors`](#-apache--vhost--ssl_stapling_return_errors) +* [`ssl_user_name`](#-apache--vhost--ssl_user_name) +* [`ssl_reload_on_change`](#-apache--vhost--ssl_reload_on_change) +* [`use_canonical_name`](#-apache--vhost--use_canonical_name) +* [`define`](#-apache--vhost--define) +* [`auth_oidc`](#-apache--vhost--auth_oidc) +* [`oidc_settings`](#-apache--vhost--oidc_settings) +* [`limitreqfields`](#-apache--vhost--limitreqfields) +* [`limitreqfieldsize`](#-apache--vhost--limitreqfieldsize) +* [`limitreqline`](#-apache--vhost--limitreqline) +* [`limitreqbody`](#-apache--vhost--limitreqbody) +* [`use_servername_for_filenames`](#-apache--vhost--use_servername_for_filenames) +* [`use_port_for_filenames`](#-apache--vhost--use_port_for_filenames) +* [`mdomain`](#-apache--vhost--mdomain) +* [`proxy_requests`](#-apache--vhost--proxy_requests) +* [`userdir`](#-apache--vhost--userdir) +* [`proxy_protocol`](#-apache--vhost--proxy_protocol) +* [`proxy_protocol_exceptions`](#-apache--vhost--proxy_protocol_exceptions) + +##### `access_log` + +Data type: `Boolean` + +Determines whether to configure `*_access.log` directives (`*_file`, `*_pipe`, or `*_syslog`). + +Default value: `true` + +##### `access_log_env_var` + +Data type: `Optional[Variant[Boolean, String]]` + +Specifies that only requests with particular environment variables be logged. + +Default value: `undef` + +##### `access_log_file` + +Data type: `Optional[String[1]]` + +Sets the filename of the `*_access.log` placed in `logroot`. Given a virtual host ---for +instance, example.com--- it defaults to 'example.com_ssl.log' for +[SSL-encrypted](https://httpd.apache.org/docs/current/ssl/index.html) virtual hosts and +`example.com_access.log` for unencrypted virtual hosts. + +Default value: `undef` + +##### `access_log_format` + +Data type: `Optional[String[1]]` + +Specifies the use of either a `LogFormat` nickname or a custom-formatted string for the +access log. + +Default value: `undef` + +##### `access_log_pipe` + +Data type: `Optional[String[1]]` + +Specifies a pipe where Apache sends access log messages. + +Default value: `undef` + +##### `access_log_syslog` + +Data type: `Optional[Variant[String, Boolean]]` + +Sends all access log messages to syslog. + +Default value: `undef` + +##### `access_logs` + +Data type: `Optional[Array[Hash]]` + +Allows you to give a hash that specifies the state of each of the `access_log_*` +directives shown above, i.e. `access_log_pipe` and `access_log_syslog`. + +Default value: `undef` + +##### `add_default_charset` + +Data type: `Optional[String]` + +Sets a default media charset value for the `AddDefaultCharset` directive, which is +added to `text/plain` and `text/html` responses. + +Default value: `undef` + +##### `add_listen` + +Data type: `Boolean` + +Determines whether the virtual host creates a `Listen` statement.
+Setting `add_listen` to `false` prevents the virtual host from creating a `Listen` +statement. This is important when combining virtual hosts that aren't passed an `ip` +parameter with those that are. + +Default value: `true` + +##### `use_optional_includes` + +Data type: `Boolean` + +Specifies whether Apache uses the `IncludeOptional` directive instead of `Include` for +`additional_includes` in Apache 2.4 or newer. + +Default value: `$apache::use_optional_includes` + +##### `aliases` + +Data type: `Array[Hash[String[1], String[1]]]` + +Passes a list of [hashes][hash] to the virtual host to create `Alias`, `AliasMatch`, +`ScriptAlias` or `ScriptAliasMatch` directives as per the `mod_alias` documentation.
+For example: +``` puppet +aliases => [ + { aliasmatch => '^/image/(.*)\.jpg$', + path => '/files/jpg.images/$1.jpg', + }, + { alias => '/image', + path => '/ftp/pub/image', + }, + { scriptaliasmatch => '^/cgi-bin(.*)', + path => '/usr/local/share/cgi-bin$1', + }, + { scriptalias => '/nagios/cgi-bin/', + path => '/usr/lib/nagios/cgi-bin/', + }, + { alias => '/nagios', + path => '/usr/share/nagios/html', + }, +], +``` +For the `alias`, `aliasmatch`, `scriptalias` and `scriptaliasmatch` keys to work, each needs +a corresponding context, such as `` or +``. Puppet creates the directives in the order specified in +the `aliases` parameter. As described in the `mod_alias` documentation, add more specific +`alias`, `aliasmatch`, `scriptalias` or `scriptaliasmatch` parameters before the more +general ones to avoid shadowing.
+If `apache::mod::passenger` is loaded and `PassengerHighPerformance` is `true`, the `Alias` +directive might not be able to honor the `PassengerEnabled => off` statement. See +[this article](http://www.conandalton.net/2010/06/passengerenabled-off-not-working.html) for details. + +Default value: `[]` + +##### `allow_encoded_slashes` + +Data type: `Optional[Variant[Apache::OnOff, Enum['nodecode']]]` + +Sets the `AllowEncodedSlashes` declaration for the virtual host, overriding the server +default. This modifies the virtual host responses to URLs with `\` and `/` characters. The +default setting omits the declaration from the server configuration and selects the +Apache default setting of `Off`. + +Default value: `undef` + +##### `block` + +Data type: `Variant[Array[String], String]` + +Specifies the list of things to which Apache blocks access. Valid options are: `scm` (which +blocks web access to `.svn`), `.git`, and `.bzr` directories. + +Default value: `[]` + +##### `cas_attribute_prefix` + +Data type: `Optional[String]` + +Adds a header with the value of this header being the attribute values when SAML +validation is enabled. + +Default value: `undef` + +##### `cas_attribute_delimiter` + +Data type: `Optional[String]` + +Sets the delimiter between attribute values in the header created by `cas_attribute_prefix`. + +Default value: `undef` + +##### `cas_login_url` + +Data type: `Optional[String]` + +Sets the URL to which the module redirects users when they attempt to access a +CAS-protected resource and don't have an active session. + +Default value: `undef` + +##### `cas_root_proxied_as` + +Data type: `Optional[String]` + +Sets the URL end users see when access to this Apache server is proxied per vhost. +This URL should not include a trailing slash. + +Default value: `undef` + +##### `cas_scrub_request_headers` + +Data type: `Boolean` + +Remove inbound request headers that may have special meaning within mod_auth_cas. + +Default value: `false` + +##### `cas_sso_enabled` + +Data type: `Boolean` + +Enables experimental support for single sign out (may mangle POST data). + +Default value: `false` + +##### `cas_validate_saml` + +Data type: `Boolean` + +Parse response from CAS server for SAML. + +Default value: `false` + +##### `cas_validate_url` + +Data type: `Optional[String]` + +Sets the URL to use when validating a client-presented ticket in an HTTP query string. + +Default value: `undef` + +##### `cas_cookie_path` + +Data type: `Optional[String]` + +Sets the location where information on the current session should be stored. This should +be writable by the web server only. + +Default value: `undef` + +##### `comment` + +Data type: `Optional[Variant[String, Array[String]]]` + +Adds comments to the header of the configuration file. Pass as string or an array of strings. +For example: +``` puppet +comment => "Account number: 123B", +``` +Or: +``` puppet +comment => [ + "Customer: X", + "Frontend domain: x.example.org", +] +``` + +Default value: `undef` + +##### `default_vhost` + +Data type: `Boolean` + +Sets a given `apache::vhost` defined type as the default to serve requests that do not +match any other `apache::vhost` defined types. + +Default value: `false` + +##### `directoryindex` + +Data type: `Optional[String]` + +Sets the list of resources to look for when a client requests an index of the directory +by specifying a '/' at the end of the directory name. See the `DirectoryIndex` directive +documentation for details. + +Default value: `undef` + +##### `docroot` + +Data type: `Variant[Stdlib::Absolutepath, Boolean]` + +**Required**.
+Sets the `DocumentRoot` location, from which Apache serves files.
+If `docroot` and `manage_docroot` are both set to `false`, no `DocumentRoot` will be set +and the accompanying `` block will not be created. + +##### `docroot_group` + +Data type: `String` + +Sets group access to the `docroot` directory. + +Default value: `$apache::params::root_group` + +##### `docroot_owner` + +Data type: `String` + +Sets individual user access to the `docroot` directory. + +Default value: `'root'` + +##### `docroot_mode` + +Data type: `Optional[Stdlib::Filemode]` + +Sets access permissions for the `docroot` directory, in numeric notation. + +Default value: `undef` + +##### `manage_docroot` + +Data type: `Boolean` + +Determines whether Puppet manages the `docroot` directory. + +Default value: `true` + +##### `error_log` + +Data type: `Boolean` + +Specifies whether `*_error.log` directives should be configured. + +Default value: `true` + +##### `error_log_file` + +Data type: `Optional[String]` + +Points the virtual host's error logs to a `*_error.log` file. If this parameter is +undefined, Puppet checks for values in `error_log_pipe`, then `error_log_syslog`.
+If none of these parameters is set, given a virtual host `example.com`, Puppet defaults +to `$logroot/example.com_error_ssl.log` for SSL virtual hosts and +`$logroot/example.com_error.log` for non-SSL virtual hosts. + +Default value: `undef` + +##### `error_log_pipe` + +Data type: `Optional[String]` + +Specifies a pipe to send error log messages to.
+This parameter has no effect if the `error_log_file` parameter has a value. If neither +this parameter nor `error_log_file` has a value, Puppet then checks `error_log_syslog`. + +Default value: `undef` + +##### `error_log_syslog` + +Data type: `Optional[Variant[String, Boolean]]` + +Determines whether to send all error log messages to syslog. +This parameter has no effect if either of the `error_log_file` or `error_log_pipe` +parameters has a value. If none of these parameters has a value, given a virtual host +`example.com`, Puppet defaults to `$logroot/example.com_error_ssl.log` for SSL virtual +hosts and `$logroot/example.com_error.log` for non-SSL virtual hosts. + +Default value: `undef` + +##### `error_log_format` + +Data type: + +```puppet +Optional[ + Array[ + Variant[ + String, + Hash[String, Enum['connection', 'request']] + ] + ] + ] +``` + +Sets the [ErrorLogFormat](https://httpd.apache.org/docs/current/mod/core.html#errorlogformat) +format specification for error log entries inside virtual host +For example: +``` puppet +apache::vhost { 'site.name.fdqn': + ... + error_log_format => [ + '[%{uc}t] [%-m:%-l] [R:%L] [C:%{C}L] %7F: %E: %M', + { '[%{uc}t] [R:%L] Request %k on C:%{c}L pid:%P tid:%T' => 'request' }, + { "[%{uc}t] [R:%L] UA:'%+{User-Agent}i'" => 'request' }, + { "[%{uc}t] [R:%L] Referer:'%+{Referer}i'" => 'request' }, + { '[%{uc}t] [C:%{c}L] local\ %a remote\ %A' => 'connection' }, + ], +} +``` + +Default value: `undef` + +##### `error_documents` + +Data type: `Variant[Array[Hash], String]` + +A list of hashes which can be used to override the +[ErrorDocument](https://httpd.apache.org/docs/current/mod/core.html#errordocument) +settings for this virtual host.
+For example: +``` puppet +apache::vhost { 'sample.example.net': + error_documents => [ + { 'error_code' => '503', 'document' => '/service-unavail' }, + { 'error_code' => '407', 'document' => 'https://example.com/proxy/login' }, + ], +} +``` + +Default value: `[]` + +##### `ensure` + +Data type: `Enum['absent', 'present']` + +Specifies if the virtual host is present or absent.
+ +Default value: `'present'` + +##### `show_diff` + +Data type: `Boolean` + +Specifies whether to set the show_diff parameter for the file resource. + +Default value: `true` + +##### `fallbackresource` + +Data type: `Optional[Variant[Stdlib::Absolutepath, Enum['disabled']]]` + +Sets the [FallbackResource](https://httpd.apache.org/docs/current/mod/mod_dir.html#fallbackresource) +directive, which specifies an action to take for any URL that doesn't map to anything in +your filesystem and would otherwise return 'HTTP 404 (Not Found)'. Values must either begin +with a `/` or be `disabled`. + +Default value: `undef` + +##### `filters` + +Data type: `Array[String[1]]` + +[Filters](https://httpd.apache.org/docs/current/mod/mod_filter.html) enable smart, +context-sensitive configuration of output content filters. +``` puppet +apache::vhost { "$::fqdn": + filters => [ + 'FilterDeclare COMPRESS', + 'FilterProvider COMPRESS DEFLATE resp=Content-Type $text/html', + 'FilterChain COMPRESS', + 'FilterProtocol COMPRESS DEFLATE change=yes;byteranges=no', + ], +} +``` + +Default value: `[]` + +##### `h2_copy_files` + +Data type: `Optional[Boolean]` + +Sets the [H2CopyFiles](https://httpd.apache.org/docs/current/mod/mod_http2.html#h2copyfiles) +directive which influences how the requestion process pass files to the main connection. + +Default value: `undef` + +##### `h2_direct` + +Data type: `Optional[Boolean]` + +Sets the [H2Direct](https://httpd.apache.org/docs/current/mod/mod_http2.html#h2direct) +directive which toggles the usage of the HTTP/2 Direct Mode. + +Default value: `undef` + +##### `h2_early_hints` + +Data type: `Optional[Boolean]` + +Sets the [H2EarlyHints](https://httpd.apache.org/docs/current/mod/mod_http2.html#h2earlyhints) +directive which controls if HTTP status 103 interim responses are forwarded to +the client or not. + +Default value: `undef` + +##### `h2_max_session_streams` + +Data type: `Optional[Integer]` + +Sets the [H2MaxSessionStreams](https://httpd.apache.org/docs/current/mod/mod_http2.html#h2maxsessionstreams) +directive which sets the maximum number of active streams per HTTP/2 session +that the server allows. + +Default value: `undef` + +##### `h2_modern_tls_only` + +Data type: `Optional[Boolean]` + +Sets the [H2ModernTLSOnly](https://httpd.apache.org/docs/current/mod/mod_http2.html#h2moderntlsonly) +directive which toggles the security checks on HTTP/2 connections in TLS mode. + +Default value: `undef` + +##### `h2_push` + +Data type: `Optional[Boolean]` + +Sets the [H2Push](https://httpd.apache.org/docs/current/mod/mod_http2.html#h2push) +directive which toggles the usage of the HTTP/2 server push protocol feature. + +Default value: `undef` + +##### `h2_push_diary_size` + +Data type: `Optional[Integer]` + +Sets the [H2PushDiarySize](https://httpd.apache.org/docs/current/mod/mod_http2.html#h2pushdiarysize) +directive which toggles the maximum number of HTTP/2 server pushes that are +remembered per HTTP/2 connection. + +Default value: `undef` + +##### `h2_push_priority` + +Data type: `Array[String]` + +Sets the [H2PushPriority](https://httpd.apache.org/docs/current/mod/mod_http2.html#h2pushpriority) +directive which defines the priority handling of pushed responses based on the +content-type of the response. + +Default value: `[]` + +##### `h2_push_resource` + +Data type: `Array[String]` + +Sets the [H2PushResource](https://httpd.apache.org/docs/current/mod/mod_http2.html#h2pushresource) +directive which declares resources for early pushing to the client. + +Default value: `[]` + +##### `h2_serialize_headers` + +Data type: `Optional[Boolean]` + +Sets the [H2SerializeHeaders](https://httpd.apache.org/docs/current/mod/mod_http2.html#h2serializeheaders) +directive which toggles if HTTP/2 requests are serialized in HTTP/1.1 +format for processing by httpd core. + +Default value: `undef` + +##### `h2_stream_max_mem_size` + +Data type: `Optional[Integer]` + +Sets the [H2StreamMaxMemSize](https://httpd.apache.org/docs/current/mod/mod_http2.html#h2streammaxmemsize) +directive which sets the maximum number of outgoing data bytes buffered in +memory for an active stream. + +Default value: `undef` + +##### `h2_tls_cool_down_secs` + +Data type: `Optional[Integer]` + +Sets the [H2TLSCoolDownSecs](https://httpd.apache.org/docs/current/mod/mod_http2.html#h2tlscooldownsecs) +directive which sets the number of seconds of idle time on a TLS connection +before the TLS write size falls back to a small (~1300 bytes) length. + +Default value: `undef` + +##### `h2_tls_warm_up_size` + +Data type: `Optional[Integer]` + +Sets the [H2TLSWarmUpSize](https://httpd.apache.org/docs/current/mod/mod_http2.html#h2tlswarmupsize) +directive which sets the number of bytes to be sent in small TLS records (~1300 +bytes) until doing maximum sized writes (16k) on https: HTTP/2 connections. + +Default value: `undef` + +##### `h2_upgrade` + +Data type: `Optional[Boolean]` + +Sets the [H2Upgrade](https://httpd.apache.org/docs/current/mod/mod_http2.html#h2upgrade) +directive which toggles the usage of the HTTP/1.1 Upgrade method for switching +to HTTP/2. + +Default value: `undef` + +##### `h2_window_size` + +Data type: `Optional[Integer]` + +Sets the [H2WindowSize](https://httpd.apache.org/docs/current/mod/mod_http2.html#h2windowsize) +directive which sets the size of the window that is used for flow control from +client to server and limits the amount of data the server has to buffer. + +Default value: `undef` + +##### `ip` + +Data type: + +```puppet +Optional[ + Variant[ + Array[Variant[Stdlib::IP::Address, Enum['*']]], + Variant[Stdlib::IP::Address, Enum['*']] + ] + ] +``` + +Sets the IP address the virtual host listens on. By default, uses Apache's default behavior +of listening on all IPs. + +Default value: `undef` + +##### `ip_based` + +Data type: `Boolean` + +Enables an [IP-based](https://httpd.apache.org/docs/current/vhosts/ip-based.html) virtual +host. This parameter inhibits the creation of a NameVirtualHost directive, since those are +used to funnel requests to name-based virtual hosts. + +Default value: `false` + +##### `itk` + +Data type: `Optional[Hash]` + +Configures [ITK](http://mpm-itk.sesse.net/) in a hash.
+Usage typically looks something like: +``` puppet +apache::vhost { 'sample.example.net': + docroot => '/path/to/directory', + itk => { + user => 'someuser', + group => 'somegroup', + }, +} +``` +Valid values are: a hash, which can include the keys: +* `user` + `group` +* `assignuseridexpr` +* `assigngroupidexpr` +* `maxclientvhost` +* `nice` +* `limituidrange` (Linux 3.5.0 or newer) +* `limitgidrange` (Linux 3.5.0 or newer) + +Default value: `undef` + +##### `action` + +Data type: `Optional[String]` + +Specifies whether you wish to configure mod_actions action directive which will +activate cgi-script when triggered by a request. + +Default value: `undef` + +##### `jk_mounts` + +Data type: `Array[Hash]` + +Sets up a virtual host with `JkMount` and `JkUnMount` directives to handle the paths +for URL mapping between Tomcat and Apache.
+The parameter must be an array of hashes where each hash must contain the `worker` +and either the `mount` or `unmount` keys.
+Usage typically looks like: +``` puppet +apache::vhost { 'sample.example.net': + jk_mounts => [ + { mount => '/*', worker => 'tcnode1', }, + { unmount => '/*.jpg', worker => 'tcnode1', }, + ], +} +``` + +Default value: `[]` + +##### `http_protocol_options` + +Data type: `Optional[Pattern[/^((Strict|Unsafe)?\s*(\b(Registered|Lenient)Methods)?\s*(\b(Allow0\.9|Require1\.0))?)$/]]` + +Specifies the strictness of HTTP protocol checks. + +Default value: `undef` + +##### `keepalive` + +Data type: `Optional[Apache::OnOff]` + +Determines whether to enable persistent HTTP connections with the `KeepAlive` directive +for the virtual host. By default, the global, server-wide `KeepAlive` setting is in effect.
+Use the `keepalive_timeout` and `max_keepalive_requests` parameters to set relevant options +for the virtual host. + +Default value: `undef` + +##### `keepalive_timeout` + +Data type: `Optional[Variant[Integer, String]]` + +Sets the `KeepAliveTimeout` directive for the virtual host, which determines the amount +of time to wait for subsequent requests on a persistent HTTP connection. By default, the +global, server-wide `KeepAlive` setting is in effect.
+This parameter is only relevant if either the global, server-wide `keepalive` parameter or +the per-vhost `keepalive` parameter is enabled. + +Default value: `undef` + +##### `max_keepalive_requests` + +Data type: `Optional[Variant[Integer, String]]` + +Limits the number of requests allowed per connection to the virtual host. By default, +the global, server-wide `KeepAlive` setting is in effect.
+This parameter is only relevant if either the global, server-wide `keepalive` parameter or +the per-vhost `keepalive` parameter is enabled. + +Default value: `undef` + +##### `auth_kerb` + +Data type: `Boolean` + +Enable `mod_auth_kerb` parameters for a virtual host.
+Usage typically looks like: +``` puppet +apache::vhost { 'sample.example.net': + auth_kerb => `true`, + krb_method_negotiate => 'on', + krb_auth_realms => ['EXAMPLE.ORG'], + krb_local_user_mapping => 'on', + directories => [ + { + path => '/var/www/html', + auth_name => 'Kerberos Login', + auth_type => 'Kerberos', + auth_require => 'valid-user', + }, + ], +} +``` + +Default value: `false` + +##### `krb_method_negotiate` + +Data type: `Apache::OnOff` + +Determines whether to use the Negotiate method. + +Default value: `'on'` + +##### `krb_method_k5passwd` + +Data type: `Apache::OnOff` + +Determines whether to use password-based authentication for Kerberos v5. + +Default value: `'on'` + +##### `krb_authoritative` + +Data type: `Apache::OnOff` + +If set to `off`, authentication controls can be passed on to another module. + +Default value: `'on'` + +##### `krb_auth_realms` + +Data type: `Array[String]` + +Specifies an array of Kerberos realms to use for authentication. + +Default value: `[]` + +##### `krb_5keytab` + +Data type: `Optional[String]` + +Specifies the Kerberos v5 keytab file's location. + +Default value: `undef` + +##### `krb_local_user_mapping` + +Data type: `Optional[Apache::OnOff]` + +Strips @REALM from usernames for further use. + +Default value: `undef` + +##### `krb_verify_kdc` + +Data type: `Apache::OnOff` + +This option can be used to disable the verification tickets against local keytab to prevent +KDC spoofing attacks. + +Default value: `'on'` + +##### `krb_servicename` + +Data type: `String` + +Specifies the service name that will be used by Apache for authentication. Corresponding +key of this name must be stored in the keytab. + +Default value: `'HTTP'` + +##### `krb_save_credentials` + +Data type: `Apache::OnOff` + +This option enables credential saving functionality. + +Default value: `'off'` + +##### `logroot` + +Data type: `Stdlib::Absolutepath` + +Specifies the location of the virtual host's logfiles. + +Default value: `$apache::logroot` + +##### `logroot_ensure` + +Data type: `Enum['directory', 'absent']` + +Determines whether or not to remove the logroot directory for a virtual host. + +Default value: `'directory'` + +##### `logroot_mode` + +Data type: `Optional[Stdlib::Filemode]` + +Overrides the mode the logroot directory is set to. Do *not* grant write access to the +directory the logs are stored in without being aware of the consequences; for more +information, see [Apache's log security documentation](https://httpd.apache.org/docs/2.4/logs.html#security). + +Default value: `undef` + +##### `logroot_owner` + +Data type: `Optional[String]` + +Sets individual user access to the logroot directory. + +Default value: `undef` + +##### `logroot_group` + +Data type: `Optional[String]` + +Sets group access to the `logroot` directory. + +Default value: `undef` + +##### `log_level` + +Data type: `Optional[Apache::LogLevel]` + +Specifies the verbosity of the error log. + +Default value: `undef` + +##### `modsec_body_limit` + +Data type: `Optional[String]` + +Configures the maximum request body size (in bytes) ModSecurity accepts for buffering. + +Default value: `undef` + +##### `modsec_disable_vhost` + +Data type: `Boolean` + +Disables `mod_security` on a virtual host. Only valid if `apache::mod::security` is included. + +Default value: `false` + +##### `modsec_disable_ids` + +Data type: `Optional[Variant[Hash, Array]]` + +Removes `mod_security` IDs from the virtual host.
+Also takes a hash allowing removal of an ID from a specific location. +``` puppet +apache::vhost { 'sample.example.net': + modsec_disable_ids => [ 90015, 90016 ], +} +``` + +``` puppet +apache::vhost { 'sample.example.net': + modsec_disable_ids => { '/location1' => [ 90015, 90016 ] }, +} +``` + +Default value: `undef` + +##### `modsec_disable_ips` + +Data type: `Array[String[1]]` + +Specifies an array of IP addresses to exclude from `mod_security` rule matching. + +Default value: `[]` + +##### `modsec_disable_msgs` + +Data type: `Optional[Variant[Hash, Array]]` + +Array of mod_security Msgs to remove from the virtual host. Also takes a hash allowing +removal of an Msg from a specific location. +``` puppet +apache::vhost { 'sample.example.net': + modsec_disable_msgs => ['Blind SQL Injection Attack', 'Session Fixation Attack'], +} +``` +``` puppet +apache::vhost { 'sample.example.net': + modsec_disable_msgs => { '/location1' => ['Blind SQL Injection Attack', 'Session Fixation Attack'] }, +} +``` + +Default value: `undef` + +##### `modsec_disable_tags` + +Data type: `Optional[Variant[Hash, Array]]` + +Array of mod_security Tags to remove from the virtual host. Also takes a hash allowing +removal of an Tag from a specific location. +``` puppet +apache::vhost { 'sample.example.net': + modsec_disable_tags => ['WEB_ATTACK/SQL_INJECTION', 'WEB_ATTACK/XSS'], +} +``` +``` puppet +apache::vhost { 'sample.example.net': + modsec_disable_tags => { '/location1' => ['WEB_ATTACK/SQL_INJECTION', 'WEB_ATTACK/XSS'] }, +} +``` + +Default value: `undef` + +##### `modsec_audit_log_file` + +Data type: `Optional[String]` + +If set, it is relative to `logroot`.
+One of the parameters that determines how to send `mod_security` audit +log ([SecAuditLog](https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#SecAuditLog)). +If none of those parameters are set, the global audit log is used +(`/var/log/httpd/modsec\_audit.log`; Debian and derivatives: `/var/log/apache2/modsec\_audit.log`; others: ). + +Default value: `undef` + +##### `modsec_audit_log_pipe` + +Data type: `Optional[String]` + +If `modsec_audit_log_pipe` is set, it should start with a pipe. Example +`|/path/to/mlogc /path/to/mlogc.conf`.
+One of the parameters that determines how to send `mod_security` audit +log ([SecAuditLog](https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#SecAuditLog)). +If none of those parameters are set, the global audit log is used +(`/var/log/httpd/modsec\_audit.log`; Debian and derivatives: `/var/log/apache2/modsec\_audit.log`; others: ). + +Default value: `undef` + +##### `modsec_audit_log` + +Data type: `Optional[Variant[String, Boolean]]` + +If `modsec_audit_log` is `true`, given a virtual host ---for instance, example.com--- it +defaults to `example.com\_security\_ssl.log` for SSL-encrypted virtual hosts +and `example.com\_security.log` for unencrypted virtual hosts.
+One of the parameters that determines how to send `mod_security` audit +log ([SecAuditLog](https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#SecAuditLog)).
+If none of those parameters are set, the global audit log is used +(`/var/log/httpd/modsec\_audit.log`; Debian and derivatives: `/var/log/apache2/modsec\_audit.log`; others: ). + +Default value: `undef` + +##### `modsec_inbound_anomaly_threshold` + +Data type: `Optional[Integer[1, default]]` + +Override the global scoring threshold level of the inbound blocking rules +for the Collaborative Detection Mode in the OWASP ModSecurity Core Rule +Set. + +Default value: `undef` + +##### `modsec_outbound_anomaly_threshold` + +Data type: `Optional[Integer[1, default]]` + +Override the global scoring threshold level of the outbound blocking rules +for the Collaborative Detection Mode in the OWASP ModSecurity Core Rule +Set. + +Default value: `undef` + +##### `modsec_allowed_methods` + +Data type: `Optional[String]` + +Override global allowed methods. A space-separated list of allowed HTTP methods. + +Default value: `undef` + +##### `no_proxy_uris` + +Data type: `Variant[Array[String], String]` + +Specifies URLs you do not want to proxy. This parameter is meant to be used in combination +with [`proxy_dest`](#proxy_dest). + +Default value: `[]` + +##### `no_proxy_uris_match` + +Data type: `Variant[Array[String], String]` + +This directive is equivalent to `no_proxy_uris`, but takes regular expressions. + +Default value: `[]` + +##### `proxy_preserve_host` + +Data type: `Boolean` + +Sets the [ProxyPreserveHost Directive](https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypreservehost).
+Setting this parameter to `true` enables the `Host:` line from an incoming request to be +proxied to the host instead of hostname. Setting it to `false` sets this directive to 'Off'. + +Default value: `false` + +##### `proxy_add_headers` + +Data type: `Optional[Variant[String, Boolean]]` + +Sets the [ProxyAddHeaders Directive](https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxyaddheaders).
+This parameter controlls whether proxy-related HTTP headers (X-Forwarded-For, +X-Forwarded-Host and X-Forwarded-Server) get sent to the backend server. + +Default value: `undef` + +##### `proxy_error_override` + +Data type: `Boolean` + +Sets the [ProxyErrorOverride Directive](https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxyerroroverride). +This directive controls whether Apache should override error pages for proxied content. + +Default value: `false` + +##### `options` + +Data type: `Array[String]` + +Sets the [`Options`](https://httpd.apache.org/docs/current/mod/core.html#options) for the specified virtual host. For example: +``` puppet +apache::vhost { 'site.name.fdqn': + ... + options => ['Indexes', 'FollowSymLinks', 'MultiViews'], +} +``` +> **Note**: If you use the `directories` parameter of `apache::vhost`, 'Options', +'Override', and 'DirectoryIndex' are ignored because they are parameters within `directories`. + +Default value: `['Indexes', 'FollowSymLinks', 'MultiViews']` + +##### `override` + +Data type: `Array[String]` + +Sets the overrides for the specified virtual host. Accepts an array of +[AllowOverride](https://httpd.apache.org/docs/current/mod/core.html#allowoverride) arguments. + +Default value: `['None']` + +##### `passenger_enabled` + +Data type: `Optional[Boolean]` + +Sets the value for the [PassengerEnabled](http://www.modrails.com/documentation/Users%20guide%20Apache.html#PassengerEnabled) +directive to `on` or `off`. Requires `apache::mod::passenger` to be included. +``` puppet +apache::vhost { 'sample.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/path/to/directory', + passenger_enabled => 'on', + }, + ], +} +``` +> **Note:** There is an [issue](http://www.conandalton.net/2010/06/passengerenabled-off-not-working.html) +using the PassengerEnabled directive with the PassengerHighPerformance directive. + +Default value: `undef` + +##### `passenger_base_uri` + +Data type: `Optional[String]` + +Sets [PassengerBaseURI](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerbase_rui), + to specify that the given URI is a distinct application served by Passenger. + +Default value: `undef` + +##### `passenger_ruby` + +Data type: `Optional[Stdlib::Absolutepath]` + +Sets [PassengerRuby](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerruby), +specifying the Ruby interpreter to use when serving the relevant web applications. + +Default value: `undef` + +##### `passenger_python` + +Data type: `Optional[Stdlib::Absolutepath]` + +Sets [PassengerPython](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerpython), +specifying the Python interpreter to use when serving the relevant web applications. + +Default value: `undef` + +##### `passenger_nodejs` + +Data type: `Optional[Stdlib::Absolutepath]` + +Sets the [`PassengerNodejs`](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengernodejs), +specifying Node.js command to use when serving the relevant web applications. + +Default value: `undef` + +##### `passenger_meteor_app_settings` + +Data type: `Optional[String]` + +Sets [PassengerMeteorAppSettings](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengermeteorappsettings), +specifying a JSON file with settings for the application when using a Meteor +application in non-bundled mode. + +Default value: `undef` + +##### `passenger_app_env` + +Data type: `Optional[String]` + +Sets [PassengerAppEnv](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerappenv), +the environment for the Passenger application. If not specified, defaults to the global +setting or 'production'. + +Default value: `undef` + +##### `passenger_app_root` + +Data type: `Optional[Stdlib::Absolutepath]` + +Sets [PassengerRoot](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerapproot), +the location of the Passenger application root if different from the DocumentRoot. + +Default value: `undef` + +##### `passenger_app_group_name` + +Data type: `Optional[String]` + +Sets [PassengerAppGroupName](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerappgroupname), + the name of the application group that the current application should belong to. + +Default value: `undef` + +##### `passenger_app_start_command` + +Data type: `Optional[String]` + +Sets [PassengerAppStartCommand](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerappstartcommand), + how Passenger should start your app on a specific port. + +Default value: `undef` + +##### `passenger_app_type` + +Data type: `Optional[Enum['meteor', 'node', 'rack', 'wsgi']]` + +Sets [PassengerAppType](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerapptype), + to force Passenger to recognize the application as a specific type. + +Default value: `undef` + +##### `passenger_startup_file` + +Data type: `Optional[String]` + +Sets the [PassengerStartupFile](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerstartupfile), +path. This path is relative to the application root. + +Default value: `undef` + +##### `passenger_restart_dir` + +Data type: `Optional[String]` + +Sets the [PassengerRestartDir](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerrestartdir), + to customize the directory in which `restart.txt` is searched for. + +Default value: `undef` + +##### `passenger_spawn_method` + +Data type: `Optional[Enum['direct', 'smart']]` + +Sets [PassengerSpawnMethod](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerspawnmethod), +whether Passenger spawns applications directly, or using a prefork copy-on-write mechanism. + +Default value: `undef` + +##### `passenger_load_shell_envvars` + +Data type: `Optional[Boolean]` + +Sets [PassengerLoadShellEnvvars](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerloadshellenvvars), +to enable or disable the loading of shell environment variables before spawning the application. + +Default value: `undef` + +##### `passenger_preload_bundler` + +Data type: `Optional[Boolean]` + +Sets [PassengerPreloadBundler](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerpreloadbundler), +to enable or disable the loading of bundler before loading the application. + +Default value: `undef` + +##### `passenger_rolling_restarts` + +Data type: `Optional[Boolean]` + +Sets [PassengerRollingRestarts](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerrollingrestarts), +to enable or disable support for zero-downtime application restarts through `restart.txt`. + +Default value: `undef` + +##### `passenger_resist_deployment_errors` + +Data type: `Optional[Boolean]` + +Sets [PassengerResistDeploymentErrors](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerresistdeploymenterrors), +to enable or disable resistance against deployment errors. + +Default value: `undef` + +##### `passenger_user` + +Data type: `Optional[String]` + +Sets [PassengerUser](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengeruser), +the running user for sandboxing applications. + +Default value: `undef` + +##### `passenger_group` + +Data type: `Optional[String]` + +Sets [PassengerGroup](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengergroup), +the running group for sandboxing applications. + +Default value: `undef` + +##### `passenger_friendly_error_pages` + +Data type: `Optional[Boolean]` + +Sets [PassengerFriendlyErrorPages](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerfriendlyerrorpages), +which can display friendly error pages whenever an application fails to start. This +friendly error page presents the startup error message, some suggestions for solving +the problem, a backtrace and a dump of the environment variables. + +Default value: `undef` + +##### `passenger_min_instances` + +Data type: `Optional[Integer]` + +Sets [PassengerMinInstances](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengermininstances), +the minimum number of application processes to run. + +Default value: `undef` + +##### `passenger_max_instances` + +Data type: `Optional[Integer]` + +Sets [PassengerMaxInstances](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengermaxinstances), +the maximum number of application processes to run. + +Default value: `undef` + +##### `passenger_max_preloader_idle_time` + +Data type: `Optional[Integer]` + +Sets [PassengerMaxPreloaderIdleTime](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengermaxpreloaderidletime), +the maximum amount of time the preloader waits before shutting down an idle process. + +Default value: `undef` + +##### `passenger_force_max_concurrent_requests_per_process` + +Data type: `Optional[Integer]` + +Sets [PassengerForceMaxConcurrentRequestsPerProcess](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerforcemaxconcurrentrequestsperprocess), +the maximum amount of concurrent requests the application can handle per process. + +Default value: `undef` + +##### `passenger_start_timeout` + +Data type: `Optional[Integer]` + +Sets [PassengerStartTimeout](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerstarttimeout), +the timeout for the application startup. + +Default value: `undef` + +##### `passenger_concurrency_model` + +Data type: `Optional[Enum['process', 'thread']]` + +Sets [PassengerConcurrencyModel](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerconcurrencyodel), +to specify the I/O concurrency model that should be used for Ruby application processes. +Passenger supports two concurrency models:
+* `process` - single-threaded, multi-processed I/O concurrency. +* `thread` - multi-threaded, multi-processed I/O concurrency. + +Default value: `undef` + +##### `passenger_thread_count` + +Data type: `Optional[Integer]` + +Sets [PassengerThreadCount](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerthreadcount), +the number of threads that Passenger should spawn per Ruby application process.
+This option only has effect if PassengerConcurrencyModel is `thread`. + +Default value: `undef` + +##### `passenger_max_requests` + +Data type: `Optional[Integer]` + +Sets [PassengerMaxRequests](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengermaxrequests), +the maximum number of requests an application process will process. + +Default value: `undef` + +##### `passenger_max_request_time` + +Data type: `Optional[Integer]` + +Sets [PassengerMaxRequestTime](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengermaxrequesttime), +the maximum amount of time, in seconds, that an application process may take to +process a request. + +Default value: `undef` + +##### `passenger_memory_limit` + +Data type: `Optional[Integer]` + +Sets [PassengerMemoryLimit](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengermemorylimit), +the maximum amount of memory that an application process may use, in megabytes. + +Default value: `undef` + +##### `passenger_stat_throttle_rate` + +Data type: `Optional[Integer]` + +Sets [PassengerStatThrottleRate](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerstatthrottlerate), +to set a limit, in seconds, on how often Passenger will perform it's filesystem checks. + +Default value: `undef` + +##### `passenger_pre_start` + +Data type: `Optional[Variant[String, Array[String]]]` + +Sets [PassengerPreStart](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerprestart), +the URL of the application if pre-starting is required. + +Default value: `undef` + +##### `passenger_high_performance` + +Data type: `Optional[Boolean]` + +Sets [PassengerHighPerformance](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerhighperformance), +to enhance performance in return for reduced compatibility. + +Default value: `undef` + +##### `passenger_buffer_upload` + +Data type: `Optional[Boolean]` + +Sets [PassengerBufferUpload](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerbufferupload), +to buffer HTTP client request bodies before they are sent to the application. + +Default value: `undef` + +##### `passenger_buffer_response` + +Data type: `Optional[Boolean]` + +Sets [PassengerBufferResponse](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerbufferresponse), +to buffer Happlication-generated responses. + +Default value: `undef` + +##### `passenger_error_override` + +Data type: `Optional[Boolean]` + +Sets [PassengerErrorOverride](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengererroroverride), +to specify whether Apache will intercept and handle response with HTTP status codes of +400 and higher. + +Default value: `undef` + +##### `passenger_max_request_queue_size` + +Data type: `Optional[Integer]` + +Sets [PassengerMaxRequestQueueSize](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengermaxrequestqueuesize), +to specify the maximum amount of requests that are allowed to queue whenever the maximum +concurrent request limit is reached. If the queue is already at this specified limit, then +Passenger immediately sends a "503 Service Unavailable" error to any incoming requests.
+A value of 0 means that the queue size is unbounded. + +Default value: `undef` + +##### `passenger_max_request_queue_time` + +Data type: `Optional[Integer]` + +Sets [PassengerMaxRequestQueueTime](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengermaxrequestqueuetime), +to specify the maximum amount of time that requests are allowed to stay in the queue +whenever the maximum concurrent request limit is reached. If a request reaches this specified +limit, then Passenger immeaditly sends a "504 Gateway Timeout" error for that request.
+A value of 0 means that the queue time is unbounded. + +Default value: `undef` + +##### `passenger_sticky_sessions` + +Data type: `Optional[Boolean]` + +Sets [PassengerStickySessions](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerstickysessions), +to specify that, whenever possible, all requests sent by a client will be routed to the same +originating application process. + +Default value: `undef` + +##### `passenger_sticky_sessions_cookie_name` + +Data type: `Optional[String]` + +Sets [PassengerStickySessionsCookieName](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerstickysessionscookiename), +to specify the name of the sticky sessions cookie. + +Default value: `undef` + +##### `passenger_sticky_sessions_cookie_attributes` + +Data type: `Optional[String]` + +Sets [PassengerStickySessionsCookieAttributes](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerstickysessionscookieattributes), +the attributes of the sticky sessions cookie. + +Default value: `undef` + +##### `passenger_allow_encoded_slashes` + +Data type: `Optional[Boolean]` + +Sets [PassengerAllowEncodedSlashes](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerallowencodedslashes), +to allow URLs with encoded slashes. Please note that this feature will not work properly +unless Apache's `AllowEncodedSlashes` is also enabled. + +Default value: `undef` + +##### `passenger_app_log_file` + +Data type: `Optional[String]` + +Sets [PassengerAppLogFile](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerapplogfile), +app specific messages logged to a different file in addition to Passenger log file. + +Default value: `undef` + +##### `passenger_debugger` + +Data type: `Optional[Boolean]` + +Sets [PassengerDebugger](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerdebugger), +to turn support for Ruby application debugging on or off. + +Default value: `undef` + +##### `passenger_lve_min_uid` + +Data type: `Optional[Integer]` + +Sets [PassengerLveMinUid](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerlveminuid), +to only allow the spawning of application processes with UIDs equal to, or higher than, this +specified value on LVE-enabled kernels. + +Default value: `undef` + +##### `passenger_dump_config_manifest` + +Data type: `Optional[String]` + +Sets [PassengerLveMinUid](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerlveminuid), +to dump the configuration manifest to a file. + +Default value: `undef` + +##### `passenger_admin_panel_url` + +Data type: `Optional[String]` + +Sets [PassengerAdminPanelUrl](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengeradminpanelurl), +to specify the URL of the Passenger admin panel. + +Default value: `undef` + +##### `passenger_admin_panel_auth_type` + +Data type: `Optional[Enum['basic']]` + +Sets [PassengerAdminPanelAuthType](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengeradminpanelauthtype), +to specify the authentication type for the Passenger admin panel. + +Default value: `undef` + +##### `passenger_admin_panel_username` + +Data type: `Optional[String]` + +Sets [PassengerAdminPanelUsername](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengeradminpanelusername), +to specify the username for the Passenger admin panel. + +Default value: `undef` + +##### `passenger_admin_panel_password` + +Data type: `Optional[String]` + +Sets [PassengerAdminPanelPassword](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengeradminpanelpassword), +to specify the password for the Passenger admin panel. + +Default value: `undef` + +##### `php_values` + +Data type: `Hash` + +Allows per-virtual host setting [`php_value`s](http://php.net/manual/en/configuration.changes.php). +These flags or values can be overwritten by a user or an application. +Within a vhost declaration: +``` puppet + php_values => { 'include_path' => '.:/usr/local/example-app/include' }, +``` + +Default value: `{}` + +##### `php_flags` + +Data type: `Hash` + +Allows per-virtual host setting [`php_flags\``](http://php.net/manual/en/configuration.changes.php). +These flags or values can be overwritten by a user or an application. + +Default value: `{}` + +##### `php_admin_values` + +Data type: `Variant[Array[String], Hash]` + +Allows per-virtual host setting [`php_admin_value`](http://php.net/manual/en/configuration.changes.php). +These flags or values cannot be overwritten by a user or an application. + +Default value: `{}` + +##### `php_admin_flags` + +Data type: `Variant[Array[String], Hash]` + +Allows per-virtual host setting [`php_admin_flag`](http://php.net/manual/en/configuration.changes.php). +These flags or values cannot be overwritten by a user or an application. + +Default value: `{}` + +##### `port` + +Data type: `Optional[Variant[Array[Stdlib::Port], Stdlib::Port]]` + +Sets the port the host is configured on. The module's defaults ensure the host listens +on port 80 for non-SSL virtual hosts and port 443 for SSL virtual hosts. The host only +listens on the port set in this parameter. + +Default value: `undef` + +##### `priority` + +Data type: `Optional[Apache::Vhost::Priority]` + +Sets the relative load-order for Apache HTTPD VirtualHost configuration files.
+If nothing matches the priority, the first name-based virtual host is used. Likewise, +passing a higher priority causes the alphabetically first name-based virtual host to be +used if no other names match.
+> **Note:** You should not need to use this parameter. However, if you do use it, be +aware that the `default_vhost` parameter for `apache::vhost` passes a priority of 15.
+To omit the priority prefix in file names, pass a priority of `false`. + +Default value: `undef` + +##### `protocols` + +Data type: `Array[Enum['h2', 'h2c', 'http/1.1']]` + +Sets the [Protocols](https://httpd.apache.org/docs/current/en/mod/core.html#protocols) +directive, which lists available protocols for the virutal host. + +Default value: `[]` + +##### `protocols_honor_order` + +Data type: `Optional[Boolean]` + +Sets the [ProtocolsHonorOrder](https://httpd.apache.org/docs/current/en/mod/core.html#protocolshonororder) +directive which determines wether the order of Protocols sets precedence during negotiation. + +Default value: `undef` + +##### `proxy_dest` + +Data type: `Optional[String]` + +Specifies the destination address of a [ProxyPass](https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypass) configuration. + +Default value: `undef` + +##### `proxy_pass` + +Data type: `Optional[Variant[Array[Hash], Hash]]` + +Specifies an array of `path => URI` values for a [ProxyPass](https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypass) +configuration. Optionally, parameters can be added as an array. +``` puppet +apache::vhost { 'site.name.fdqn': + ... + proxy_pass => [ + { 'path' => '/a', 'url' => 'http://backend-a/' }, + { 'path' => '/b', 'url' => 'http://backend-b/' }, + { 'path' => '/c', 'url' => 'http://backend-a/c', 'params' => {'max'=>20, 'ttl'=>120, 'retry'=>300}}, + { 'path' => '/l', 'url' => 'http://backend-xy', + 'reverse_urls' => ['http://backend-x', 'http://backend-y'] }, + { 'path' => '/d', 'url' => 'http://backend-a/d', + 'params' => { 'retry' => 0, 'timeout' => 5 }, }, + { 'path' => '/e', 'url' => 'http://backend-a/e', + 'keywords' => ['nocanon', 'interpolate'] }, + { 'path' => '/f', 'url' => 'http://backend-f/', + 'setenv' => ['proxy-nokeepalive 1', 'force-proxy-request-1.0 1']}, + { 'path' => '/g', 'url' => 'http://backend-g/', + 'reverse_cookies' => [{'path' => '/g', 'url' => 'http://backend-g/',}, {'domain' => 'http://backend-g', 'url' => 'http:://backend-g',},], }, + { 'path' => '/h', 'url' => 'http://backend-h/h', + 'no_proxy_uris' => ['/h/admin', '/h/server-status'] }, + ], +} +``` +* `reverse_urls`. *Optional.* This setting is useful when used with `mod_proxy_balancer`. Values: an array or string. +* `reverse_cookies`. *Optional.* Sets `ProxyPassReverseCookiePath` and `ProxyPassReverseCookieDomain`. +* `params`. *Optional.* Allows for ProxyPass key-value parameters, such as connection settings. +* `setenv`. *Optional.* Sets [environment variables](https://httpd.apache.org/docs/current/mod/mod_proxy.html#envsettings) for the proxy directive. Values: array. + +Default value: `undef` + +##### `proxy_dest_match` + +Data type: `Optional[String]` + +This directive is equivalent to `proxy_dest`, but takes regular expressions, see +[ProxyPassMatch](https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypassmatch) +for details. + +Default value: `undef` + +##### `proxy_dest_reverse_match` + +Data type: `Optional[String]` + +Allows you to pass a ProxyPassReverse if `proxy_dest_match` is specified. See +[ProxyPassReverse](https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypassreverse) +for details. + +Default value: `undef` + +##### `proxy_pass_match` + +Data type: `Optional[Variant[Array[Hash], Hash]]` + +This directive is equivalent to `proxy_pass`, but takes regular expressions, see +[ProxyPassMatch](https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypassmatch) +for details. + +Default value: `undef` + +##### `redirect_dest` + +Data type: `Optional[Variant[Array[String], String]]` + +Specifies the address to redirect to. + +Default value: `undef` + +##### `redirect_source` + +Data type: `Variant[String, Array[String]]` + +Specifies the source URIs that redirect to the destination specified in `redirect_dest`. +If more than one item for redirect is supplied, the source and destination must be the same +length, and the items are order-dependent. +``` puppet +apache::vhost { 'site.name.fdqn': + ... + redirect_source => ['/images', '/downloads'], + redirect_dest => ['http://img.example.com/', 'http://downloads.example.com/'], +} +``` + +Default value: `'/'` + +##### `redirect_status` + +Data type: `Optional[Variant[Array[String], String]]` + +Specifies the status to append to the redirect. +``` puppet + apache::vhost { 'site.name.fdqn': + ... + redirect_status => ['temp', 'permanent'], +} +``` + +Default value: `undef` + +##### `redirectmatch_regexp` + +Data type: `Optional[Variant[Array[String], String]]` + +Determines which server status should be raised for a given regular expression +and where to forward the user to. Entered as an array alongside redirectmatch_status +and redirectmatch_dest. +``` puppet +apache::vhost { 'site.name.fdqn': + ... + redirectmatch_status => ['404', '404'], + redirectmatch_regexp => ['\.git(/.*|$)/', '\.svn(/.*|$)'], + redirectmatch_dest => ['http://www.example.com/$1', 'http://www.example.com/$2'], +} +``` + +Default value: `undef` + +##### `redirectmatch_status` + +Data type: `Optional[Variant[Array[String], String]]` + +Determines which server status should be raised for a given regular expression +and where to forward the user to. Entered as an array alongside redirectmatch_regexp +and redirectmatch_dest. +``` puppet +apache::vhost { 'site.name.fdqn': + ... + redirectmatch_status => ['404', '404'], + redirectmatch_regexp => ['\.git(/.*|$)/', '\.svn(/.*|$)'], + redirectmatch_dest => ['http://www.example.com/$1', 'http://www.example.com/$2'], +} +``` + +Default value: `undef` + +##### `redirectmatch_dest` + +Data type: `Optional[Variant[Array[String], String]]` + +Determines which server status should be raised for a given regular expression +and where to forward the user to. Entered as an array alongside redirectmatch_status +and redirectmatch_regexp. +``` puppet +apache::vhost { 'site.name.fdqn': + ... + redirectmatch_status => ['404', '404'], + redirectmatch_regexp => ['\.git(/.*|$)/', '\.svn(/.*|$)'], + redirectmatch_dest => ['http://www.example.com/$1', 'http://www.example.com/$2'], +} +``` + +Default value: `undef` + +##### `request_headers` + +Data type: `Array[String[1]]` + +Modifies collected [request headers](https://httpd.apache.org/docs/current/mod/mod_headers.html#requestheader) +in various ways, including adding additional request headers, removing request headers, +and so on. +``` puppet +apache::vhost { 'site.name.fdqn': + ... + request_headers => [ + 'append MirrorID "mirror 12"', + 'unset MirrorID', + ], +} +``` + +Default value: `[]` + +##### `rewrites` + +Data type: `Array[Hash]` + +Creates URL rewrite rules. Expects an array of hashes.
+Valid Hash keys include `comment`, `rewrite_base`, `rewrite_cond`, `rewrite_rule` +or `rewrite_map`.
+For example, you can specify that anyone trying to access index.html is served welcome.html +``` puppet +apache::vhost { 'site.name.fdqn': + ... + rewrites => [ { rewrite_rule => ['^index\.html$ welcome.html'] } ] +} +``` +The parameter allows rewrite conditions that, when `true`, execute the associated rule. +For instance, if you wanted to rewrite URLs only if the visitor is using IE +``` puppet +apache::vhost { 'site.name.fdqn': + ... + rewrites => [ + { + comment => 'redirect IE', + rewrite_cond => ['%{HTTP_USER_AGENT} ^MSIE'], + rewrite_rule => ['^index\.html$ welcome.html'], + }, + ], +} +``` +You can also apply multiple conditions. For instance, rewrite index.html to welcome.html +only when the browser is Lynx or Mozilla (version 1 or 2) +``` puppet +apache::vhost { 'site.name.fdqn': + ... + rewrites => [ + { + comment => 'Lynx or Mozilla v1/2', + rewrite_cond => ['%{HTTP_USER_AGENT} ^Lynx/ [OR]', '%{HTTP_USER_AGENT} ^Mozilla/[12]'], + rewrite_rule => ['^index\.html$ welcome.html'], + }, + ], +} +``` +Multiple rewrites and conditions are also possible +``` puppet +apache::vhost { 'site.name.fdqn': + ... + rewrites => [ + { + comment => 'Lynx or Mozilla v1/2', + rewrite_cond => ['%{HTTP_USER_AGENT} ^Lynx/ [OR]', '%{HTTP_USER_AGENT} ^Mozilla/[12]'], + rewrite_rule => ['^index\.html$ welcome.html'], + }, + { + comment => 'Internet Explorer', + rewrite_cond => ['%{HTTP_USER_AGENT} ^MSIE'], + rewrite_rule => ['^index\.html$ /index.IE.html [L]'], + }, + { + rewrite_base => /apps/, + rewrite_rule => ['^index\.cgi$ index.php', '^index\.html$ index.php', '^index\.asp$ index.html'], + }, + { comment => 'Rewrite to lower case', + rewrite_cond => ['%{REQUEST_URI} [A-Z]'], + rewrite_map => ['lc int:tolower'], + rewrite_rule => ['(.*) ${lc:$1} [R=301,L]'], + }, + ], +} +``` +Refer to the [`mod_rewrite` documentation](https://httpd.apache.org/docs/2.4/mod/mod_rewrite.html) +for more details on what is possible with rewrite rules and conditions.
+> **Note**: If you include rewrites in your directories, also include `apache::mod::rewrite` +and consider setting the rewrites using the `rewrites` parameter in `apache::vhost` rather +than setting the rewrites in the virtual host's directories. + +Default value: `[]` + +##### `rewrite_base` + +Data type: `Optional[String[1]]` + +The parameter [`rewrite_base`](https://httpd.apache.org/docs/current/mod/mod_rewrite.html#rewritebase) +specifies the URL prefix to be used for per-directory (htaccess) RewriteRule directives +that substitue a relative path. + +Default value: `undef` + +##### `rewrite_rule` + +Data type: `Optional[Variant[Array[String[1]], String[1]]]` + +The parameter [`rewrite_rile`](https://httpd.apache.org/docs/current/mod/mod_rewrite.html#rewriterule) +allows the user to define the rules that will be used by the rewrite engine. + +Default value: `undef` + +##### `rewrite_cond` + +Data type: `Array[String[1]]` + +The parameter [`rewrite_cond`](https://httpd.apache.org/docs/current/mod/mod_rewrite.html#rewritecond) +defines a rule condition, that when satisfied will implement that rule within the +rewrite engine. + +Default value: `[]` + +##### `rewrite_inherit` + +Data type: `Boolean` + +Determines whether the virtual host inherits global rewrite rules.
+Rewrite rules may be specified globally (in `$conf_file` or `$confd_dir`) or +inside the virtual host `.conf` file. By default, virtual hosts do not inherit +global settings. To activate inheritance, specify the `rewrites` parameter and set +`rewrite_inherit` parameter to `true`: +``` puppet +apache::vhost { 'site.name.fdqn': + ... + rewrites => [ + , + ], + rewrite_inherit => `true`, +} +``` +> **Note**: The `rewrites` parameter is **required** for this to have effect
+Apache activates global `Rewrite` rules inheritance if the virtual host files contains +the following directives: +``` ApacheConf +RewriteEngine On +RewriteOptions Inherit +``` +Refer to the official [`mod_rewrite`](https://httpd.apache.org/docs/2.2/mod/mod_rewrite.html) +documentation, section "Rewriting in Virtual Hosts". + +Default value: `false` + +##### `scriptalias` + +Data type: `Optional[String]` + +Defines a directory of CGI scripts to be aliased to the path '/cgi-bin', such as +'/usr/scripts'. + +Default value: `undef` + +##### `serveradmin` + +Data type: `Optional[String]` + +Specifies the email address Apache displays when it renders one of its error pages. + +Default value: `undef` + +##### `serveraliases` + +Data type: `Variant[Array[String], String]` + +Sets the [ServerAliases](https://httpd.apache.org/docs/current/mod/core.html#serveralias) +of the site. + +Default value: `[]` + +##### `servername` + +Data type: `Optional[String]` + +Sets the servername corresponding to the hostname you connect to the virtual host at. + +Default value: `$name` + +##### `setenv` + +Data type: `Variant[Array[String], String]` + +Used by HTTPD to set environment variables for virtual hosts.
+Example: +``` puppet +apache::vhost { 'setenv.example.com': + setenv => ['SPECIAL_PATH /foo/bin'], +} +``` + +Default value: `[]` + +##### `setenvif` + +Data type: `Variant[Array[String], String]` + +Used by HTTPD to conditionally set environment variables for virtual hosts. + +Default value: `[]` + +##### `setenvifnocase` + +Data type: `Variant[Array[String], String]` + +Used by HTTPD to conditionally set environment variables for virtual hosts (caseless matching). + +Default value: `[]` + +##### `suexec_user_group` + +Data type: `Optional[Pattern[/^[\w-]+ [\w-]+$/]]` + +Allows the spcification of user and group execution privileges for CGI programs through +inclusion of the `mod_suexec` module. + +Default value: `undef` + +##### `vhost_name` + +Data type: `String` + +Enables name-based virtual hosting. If no IP is passed to the virtual host, but the +virtual host is assigned a port, then the virtual host name is `vhost_name:port`. +If the virtual host has no assigned IP or port, the virtual host name is set to the +title of the resource. + +Default value: `'*'` + +##### `virtual_docroot` + +Data type: `Variant[Stdlib::Absolutepath, Boolean]` + +Sets up a virtual host with a wildcard alias subdomain mapped to a directory with the +same name. For example, `http://example.com` would map to `/var/www/example.com`. +Note that the `DocumentRoot` directive will not be present even though there is a value +set for `docroot` in the manifest. See [`virtual_use_default_docroot`](#virtual_use_default_docroot) to change this behavior. +``` puppet +apache::vhost { 'subdomain.loc': + vhost_name => '*', + port => 80, + virtual_docroot => '/var/www/%-2+', + docroot => '/var/www', + serveraliases => ['*.loc',], +} +``` + +Default value: `false` + +##### `virtual_use_default_docroot` + +Data type: `Boolean` + +By default, when using `virtual_docroot`, the value of `docroot` is ignored. Setting this +to `true` will mean both directives will be added to the configuration. +``` puppet +apache::vhost { 'subdomain.loc': + vhost_name => '*', + port => 80, + virtual_docroot => '/var/www/%-2+', + docroot => '/var/www', + virtual_use_default_docroot => true, + serveraliases => ['*.loc',], +} +``` + +Default value: `false` + +##### `wsgi_daemon_process` + +Data type: `Optional[Variant[String, Hash]]` + +Sets up a virtual host with [WSGI](https://github.com/GrahamDumpleton/mod_wsgi) alongside +wsgi_daemon_process_options, wsgi_process_group, +wsgi_script_aliases and wsgi_pass_authorization.
+A hash that sets the name of the WSGI daemon, accepting +[certain keys](http://modwsgi.readthedocs.org/en/latest/configuration-directives/WSGIDaemonProcess.html).
+An example virtual host configuration with WSGI: +``` puppet +apache::vhost { 'wsgi.example.com': + port => 80, + docroot => '/var/www/pythonapp', + wsgi_daemon_process => 'wsgi', + wsgi_daemon_process_options => + { processes => 2, + threads => 15, + display-name => '%{GROUP}', + }, + wsgi_process_group => 'wsgi', + wsgi_script_aliases => { '/' => '/var/www/demo.wsgi' }, + wsgi_chunked_request => 'On', +} +``` + +Default value: `undef` + +##### `wsgi_daemon_process_options` + +Data type: `Optional[Hash]` + +Sets up a virtual host with [WSGI](https://github.com/GrahamDumpleton/mod_wsgi) alongside +wsgi_daemon_process, wsgi_process_group, +wsgi_script_aliases and wsgi_pass_authorization.
+Sets the group ID that the virtual host runs under. + +Default value: `undef` + +##### `wsgi_application_group` + +Data type: `Optional[String]` + +Sets up a virtual host with [WSGI](https://github.com/GrahamDumpleton/mod_wsgi) alongside +wsgi_daemon_process, wsgi_daemon_process_options, wsgi_process_group, +and wsgi_pass_authorization.
+This parameter defines the [`WSGIApplicationGroup directive`](https://modwsgi.readthedocs.io/en/develop/configuration-directives/WSGIApplicationGroup.html), +thus allowing you to specify which application group the WSGI application belongs to, +with all WSGI applications within the same group executing within the context of the +same Python sub interpreter. + +Default value: `undef` + +##### `wsgi_import_script` + +Data type: `Optional[String]` + +Sets up a virtual host with [WSGI](https://github.com/GrahamDumpleton/mod_wsgi) alongside +wsgi_daemon_process, wsgi_daemon_process_options, wsgi_process_group, +and wsgi_pass_authorization.
+This parameter defines the [`WSGIImportScript directive`](https://modwsgi.readthedocs.io/en/develop/configuration-directives/WSGIImportScript.html), +which can be used in order to specify a script file to be loaded upon a process starting. + +Default value: `undef` + +##### `wsgi_import_script_options` + +Data type: `Optional[Hash]` + +Sets up a virtual host with [WSGI](https://github.com/GrahamDumpleton/mod_wsgi) alongside +wsgi_daemon_process, wsgi_daemon_process_options, wsgi_process_group, +and wsgi_pass_authorization.
+This parameter defines the [`WSGIImportScript directive`](https://modwsgi.readthedocs.io/en/develop/configuration-directives/WSGIImportScript.html), +which can be used in order to specify a script file to be loaded upon a process starting.
+Specifies the process and aplication groups of the script. + +Default value: `undef` + +##### `wsgi_chunked_request` + +Data type: `Optional[Apache::OnOff]` + +Sets up a virtual host with [WSGI](https://github.com/GrahamDumpleton/mod_wsgi) alongside +wsgi_daemon_process, wsgi_daemon_process_options, wsgi_process_group, +and wsgi_pass_authorization.
+This parameter defines the [`WSGIChunkedRequest directive`](https://modwsgi.readthedocs.io/en/develop/configuration-directives/WSGIChunkedRequest.html), +allowing you to enable support for chunked request content.
+WSGI is technically incapable of supporting chunked request content without all chunked +request content having first been read in and buffered. + +Default value: `undef` + +##### `wsgi_process_group` + +Data type: `Optional[String]` + +Sets up a virtual host with [WSGI](https://github.com/GrahamDumpleton/mod_wsgi) alongside +wsgi_daemon_process, wsgi_daemon_process_options, +wsgi_script_aliases and wsgi_pass_authorization.
+Requires a hash of web paths to filesystem `.wsgi paths/`. + +Default value: `undef` + +##### `wsgi_script_aliases` + +Data type: `Optional[Hash]` + +Sets up a virtual host with [WSGI](https://github.com/GrahamDumpleton/mod_wsgi) alongside +wsgi_daemon_process, wsgi_daemon_process_options, wsgi_process_group, +and wsgi_pass_authorization.
+Uses the WSGI application to handle authorization instead of Apache when set to `On`.
+For more information, see mod_wsgi's [WSGIPassAuthorization documentation](https://modwsgi.readthedocs.org/en/latest/configuration-directives/WSGIPassAuthorization.html). + +Default value: `undef` + +##### `wsgi_script_aliases_match` + +Data type: `Optional[Hash]` + +Sets up a virtual host with [WSGI](https://github.com/GrahamDumpleton/mod_wsgi) alongside +wsgi_daemon_process, wsgi_daemon_process_options, wsgi_process_group, +and wsgi_pass_authorization.
+Uses the WSGI application to handle authorization instead of Apache when set to `On`.
+This directive is similar to `wsgi_script_aliases`, but makes use of regular expressions +in place of simple prefix matching.
+For more information, see mod_wsgi's [WSGIPassAuthorization documentation](https://modwsgi.readthedocs.org/en/latest/configuration-directives/WSGIPassAuthorization.html). + +Default value: `undef` + +##### `wsgi_pass_authorization` + +Data type: `Optional[Apache::OnOff]` + +Sets up a virtual host with [WSGI](https://github.com/GrahamDumpleton/mod_wsgi) alongside +wsgi_daemon_process, wsgi_daemon_process_options, wsgi_process_group and +wsgi_script_aliases.
+Enables support for chunked requests. + +Default value: `undef` + +##### `directories` + +Data type: `Array[Hash]` + +The `directories` parameter within the `apache::vhost` class passes an array of hashes +to the virtual host to create [Directory](https://httpd.apache.org/docs/current/mod/core.html#directory), +[File](https://httpd.apache.org/docs/current/mod/core.html#files), and +[Location](https://httpd.apache.org/docs/current/mod/core.html#location) directive blocks. +These blocks take the form, `< Directory /path/to/directory>...< /Directory>`.
+The `path` key sets the path for the directory, files, and location blocks. Its value +must be a path for the `directory`, `files`, and `location` providers, or a regex for +the `directorymatch`, `filesmatch`, or `locationmatch` providers. Each hash passed to +`directories` **must** contain `path` as one of the keys.
+The `provider` key is optional. If missing, this key defaults to `directory`. + Values: `directory`, `files`, `proxy`, `location`, `directorymatch`, `filesmatch`, +`proxymatch` or `locationmatch`. If you set `provider` to `directorymatch`, it +uses the keyword `DirectoryMatch` in the Apache config file.
+proxy_pass and proxy_pass_match are supported like their parameters to apache::vhost, and will +be rendered without their path parameter as this will be inherited from the Location/LocationMatch container. +An example use of `directories`: +``` puppet +apache::vhost { 'files.example.net': + docroot => '/var/www/files', + directories => [ + { 'path' => '/var/www/files', + 'provider' => 'files', + 'deny' => 'from all', + }, + { 'path' => '/var/www/html', + 'provider' => 'directory', + 'options' => ['-Indexes'], + 'allow_override' => ['All'], + }, + ], +} +``` +> **Note:** At least one directory should match the `docroot` parameter. After you +start declaring directories, `apache::vhost` assumes that all required Directory blocks +will be declared. If not defined, a single default Directory block is created that matches +the `docroot` parameter.
+Available handlers, represented as keys, should be placed within the `directory`, +`files`, or `location` hashes. This looks like +``` puppet +apache::vhost { 'sample.example.net': + docroot => '/path/to/directory', + directories => [ { path => '/path/to/directory', handler => value } ], +} +``` +Any handlers you do not set in these hashes are considered `undefined` within Puppet and +are not added to the virtual host, resulting in the module using their default values. + +The `directories` param can accepts the different authentication ways, including `gssapi`, `Basic (authz_core)`, +and others. + + * `gssapi` - Specifies mod_auth_gssapi parameters for particular directories in a virtual host directory + TODO: check, if this Documentation is obsolete + + ```puppet + apache::vhost { 'sample.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/path/to/different/dir', + gssapi => { + acceptor_name => '{HOSTNAME}', + allowed_mech => ['krb5', 'iakerb', 'ntlmssp'], + authname => 'Kerberos 5', + authtype => 'GSSAPI', + basic_auth => true, + basic_auth_mech => ['krb5', 'iakerb', 'ntlmssp'], + basic_ticket_timeout => 300, + connection_bound => true, + cred_store => { + ccache => ['/path/to/directory'], + client_keytab => ['/path/to/example.keytab'], + keytab => ['/path/to/example.keytab'], + }, + deleg_ccache_dir => '/path/to/directory', + deleg_ccache_env_var => 'KRB5CCNAME', + deleg_ccache_perms => { + mode => '0600', + uid => 'example-user', + gid => 'example-group', + }, + deleg_ccache_unique => true, + impersonate => true, + local_name => true, + name_attributes => 'json', + negotiate_once => true, + publish_errors => true, + publish_mech => true, + required_name_attributes => 'auth-indicators=high', + session_key => 'file:/path/to/example.key', + signal_persistent_auth => true, + ssl_only => true, + use_s4u2_proxy => true, + use_sessions => true, + } + }, + ], + } + ``` + + * `Basic` - Specifies mod_authz_core parameters for particular directories in a virtual host directory + ```puppet + apache::vhost { 'sample.example.net': + docroot => '/path/to/directory', + directories => [ + { + path => '/path/to/different/dir', + auth_type => 'Basic', + authz_core => { + require_all => { + 'require_any' => { + 'require' => ['user superadmin'], + 'require_all' => { + 'require' => ['group admins', 'ldap-group "cn=Administrators,o=Airius"'], + }, + }, + 'require_none' => { + 'require' => ['group temps', 'ldap-group "cn=Temporary Employees,o=Airius"'] + } + } + } + }, + ], + } + ``` + +Default value: `[]` + +##### `custom_fragment` + +Data type: `Optional[String]` + +Pass a string of custom configuration directives to be placed at the end of the directory +configuration. +``` puppet +apache::vhost { 'monitor': + ... + directories => [ + { + path => '/path/to/directory', + custom_fragment => ' + + SetHandler balancer-manager + Order allow,deny + Allow from all + + + SetHandler server-status + Order allow,deny + Allow from all + +ProxyStatus On', + }, + ] +} +``` + +Default value: `undef` + +##### `headers` + +Data type: `Array[String[1]]` + +Adds lines for [Header](https://httpd.apache.org/docs/current/mod/mod_headers.html#header) directives. +``` puppet +apache::vhost { 'sample.example.net': + docroot => '/path/to/directory', + directories => [ + { + path => '/path/to/directory', + headers => 'Set X-Robots-Tag "noindex, noarchive, nosnippet"', + }, + ], +} +``` + +Default value: `[]` + +##### `shib_compat_valid_user` + +Data type: `Optional[String]` + +Default is Off, matching the behavior prior to this command's existence. Addresses a conflict +when using Shibboleth in conjunction with other auth/auth modules by restoring `standard` +Apache behavior when processing the `valid-user` and `user` Require rules. See the +[`mod_shib`documentation](https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig#NativeSPApacheConfig-Server/VirtualHostOptions), +and [NativeSPhtaccess](https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPhtaccess) +topic for more details. This key is disabled if `apache::mod::shib` is not defined. + +Default value: `undef` + +##### `ssl_options` + +Data type: `Optional[Variant[Array[String], String]]` + +String or list of [SSLOptions](https://httpd.apache.org/docs/current/mod/mod_ssl.html#ssloptions), +which configure SSL engine run-time options. This handler takes precedence over SSLOptions +set in the parent block of the virtual host. +``` puppet +apache::vhost { 'secure.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/path/to/directory', + ssl_options => '+ExportCertData', + }, + { path => '/path/to/different/dir', + ssl_options => ['-StdEnvVars', '+ExportCertData'], + }, + ], +} +``` + +Default value: `undef` + +##### `additional_includes` + +Data type: `Variant[Array[String], String]` + +Specifies paths to additional static, specific Apache configuration files in virtual +host directories. +``` puppet +apache::vhost { 'sample.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/path/to/different/dir', + additional_includes => ['/custom/path/includes', '/custom/path/another_includes',], + }, + ], +} +``` + +Default value: `[]` + +##### `ssl` + +Data type: `Boolean` + +Enables SSL for the virtual host. SSL virtual hosts only respond to HTTPS queries. + +Default value: `false` + +##### `ssl_ca` + +Data type: `Optional[Stdlib::Absolutepath]` + +Specifies the SSL certificate authority to be used to verify client certificates used +for authentication. + +Default value: `$apache::default_ssl_ca` + +##### `ssl_cert` + +Data type: `Optional[Stdlib::Absolutepath]` + +Specifies the SSL certification. + +Default value: `$apache::default_ssl_cert` + +##### `ssl_protocol` + +Data type: `Optional[Variant[Array[String], String]]` + +Specifies [SSLProtocol](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslprotocol). +Expects an array or space separated string of accepted protocols. + +Default value: `undef` + +##### `ssl_cipher` + +Data type: `Optional[Variant[Array[String[1]], String[1], Hash[String[1], String[1]]]]` + +Specifies [SSLCipherSuite](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslciphersuite). + +Default value: `undef` + +##### `ssl_honorcipherorder` + +Data type: `Variant[Boolean, Apache::OnOff, Undef]` + +Sets [SSLHonorCipherOrder](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslhonorcipherorder), +to cause Apache to use the server's preferred order of ciphers rather than the client's +preferred order. + +Default value: `undef` + +##### `ssl_certs_dir` + +Data type: `Optional[Stdlib::Absolutepath]` + +Specifies the location of the SSL certification directory to verify client certs. + +Default value: `$apache::params::ssl_certs_dir` + +##### `ssl_chain` + +Data type: `Optional[Stdlib::Absolutepath]` + +Specifies the SSL chain. This default works out of the box, but it must be updated in +the base `apache` class with your specific certificate information before being used in +production. + +Default value: `$apache::default_ssl_chain` + +##### `ssl_crl` + +Data type: `Optional[Stdlib::Absolutepath]` + +Specifies the certificate revocation list to use. (This default works out of the box but +must be updated in the base `apache` class with your specific certificate information +before being used in production.) + +Default value: `$apache::default_ssl_crl` + +##### `ssl_crl_path` + +Data type: `Optional[Stdlib::Absolutepath]` + +Specifies the location of the certificate revocation list to verify certificates for +client authentication with. (This default works out of the box but must be updated in +the base `apache` class with your specific certificate information before being used in +production.) + +Default value: `$apache::default_ssl_crl_path` + +##### `ssl_crl_check` + +Data type: `Optional[String]` + +Sets the certificate revocation check level via the [SSLCARevocationCheck directive](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcarevocationcheck) +for ssl client authentication. The default works out of the box but must be specified when +using CRLs in production. Only applicable to Apache 2.4 or higher; the value is ignored on +older versions. + +Default value: `$apache::default_ssl_crl_check` + +##### `ssl_key` + +Data type: `Optional[Stdlib::Absolutepath]` + +Specifies the SSL key.
+Defaults are based on your operating system. Default work out of the box but must be +updated in the base `apache` class with your specific certificate information before +being used in production. + +Default value: `$apache::default_ssl_key` + +##### `ssl_verify_client` + +Data type: `Optional[Enum['none', 'optional', 'require', 'optional_no_ca']]` + +Sets the [SSLVerifyClient](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslverifyclient) +directive, which sets the certificate verification level for client authentication. +``` puppet +apache::vhost { 'sample.example.net': + ... + ssl_verify_client => 'optional', +} +``` + +Default value: `undef` + +##### `ssl_verify_depth` + +Data type: `Optional[Integer]` + +Sets the [SSLVerifyDepth](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslverifydepth) +directive, which specifies the maximum depth of CA certificates in client certificate +verification. You must set `ssl_verify_client` for it to take effect. +``` puppet +apache::vhost { 'sample.example.net': + ... + ssl_verify_client => 'require', + ssl_verify_depth => 1, +} +``` + +Default value: `undef` + +##### `ssl_proxy_protocol` + +Data type: `Optional[String]` + +Sets the [SSLProxyProtocol](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxyprotocol) +directive, which controls which SSL protocol flavors `mod_ssl` should use when establishing +its server environment for proxy. It connects to servers using only one of the provided +protocols. + +Default value: `undef` + +##### `ssl_proxy_verify` + +Data type: `Optional[Enum['none', 'optional', 'require', 'optional_no_ca']]` + +Sets the [SSLProxyVerify](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxyverify) +directive, which configures certificate verification of the remote server when a proxy is +configured to forward requests to a remote SSL server. + +Default value: `undef` + +##### `ssl_proxy_verify_depth` + +Data type: `Optional[Integer[0]]` + +Sets the [SSLProxyVerifyDepth](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxyverifydepth) +directive, which configures how deeply mod_ssl should verify before deciding that the +remote server does not have a valid certificate.
+A depth of 0 means that only self-signed remote server certificates are accepted, +the default depth of 1 means the remote server certificate can be self-signed or +signed by a CA that is directly known to the server. + +Default value: `undef` + +##### `ssl_proxy_cipher_suite` + +Data type: `Optional[String]` + +Sets the [SSLProxyCipherSuite](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxyciphersuite) +directive, which controls cipher suites supported for ssl proxy traffic. + +Default value: `undef` + +##### `ssl_proxy_ca_cert` + +Data type: `Optional[Stdlib::Absolutepath]` + +Sets the [SSLProxyCACertificateFile](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxycacertificatefile) +directive, which specifies an all-in-one file where you can assemble the Certificates +of Certification Authorities (CA) whose remote servers you deal with. These are used +for Remote Server Authentication. This file should be a concatenation of the PEM-encoded +certificate files in order of preference. + +Default value: `undef` + +##### `ssl_proxy_machine_cert` + +Data type: `Optional[Stdlib::Absolutepath]` + +Sets the [SSLProxyMachineCertificateFile](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxymachinecertificatefile) +directive, which specifies an all-in-one file where you keep the certs and keys used +for this server to authenticate itself to remote servers. This file should be a +concatenation of the PEM-encoded certificate files in order of preference. +``` puppet +apache::vhost { 'sample.example.net': + ... + ssl_proxy_machine_cert => '/etc/httpd/ssl/client_certificate.pem', +} +``` + +Default value: `undef` + +##### `ssl_proxy_machine_cert_chain` + +Data type: `Optional[Stdlib::Absolutepath]` + +Sets the [SSLProxyMachineCertificateChainFile](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxymachinecertificatechainfile) +directive, which specifies an all-in-one file where you keep the certificate chain for +all of the client certs in use. This directive will be needed if the remote server +presents a list of CA certificates that are not direct signers of one of the configured +client certificates. This referenced file is simply the concatenation of the various +PEM-encoded certificate files. Upon startup, each client certificate configured will be +examined and a chain of trust will be constructed. + +Default value: `undef` + +##### `ssl_proxy_check_peer_cn` + +Data type: `Optional[Apache::OnOff]` + +Sets the [SSLProxyCheckPeerCN](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxycheckpeercn) +directive, which specifies whether the remote server certificate's CN field is compared +against the hostname of the request URL. + +Default value: `undef` + +##### `ssl_proxy_check_peer_name` + +Data type: `Optional[Apache::OnOff]` + +Sets the [SSLProxyCheckPeerName](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxycheckpeername) +directive, which specifies whether the remote server certificate's CN field is compared +against the hostname of the request URL. + +Default value: `undef` + +##### `ssl_proxy_check_peer_expire` + +Data type: `Optional[Apache::OnOff]` + +Sets the [SSLProxyCheckPeerExpire](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxycheckpeerexpire) +directive, which specifies whether the remote server certificate is checked for expiration +or not. + +Default value: `undef` + +##### `ssl_openssl_conf_cmd` + +Data type: `Optional[String]` + +Sets the [SSLOpenSSLConfCmd](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslopensslconfcmd) +directive, which provides direct configuration of OpenSSL parameters. + +Default value: `undef` + +##### `ssl_proxyengine` + +Data type: `Boolean` + +Specifies whether or not to use [SSLProxyEngine](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxyengine). + +Default value: `false` + +##### `ssl_stapling` + +Data type: `Optional[Boolean]` + +Specifies whether or not to use [SSLUseStapling](http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslusestapling). +By default, uses what is set globally.
+This parameter only applies to Apache 2.4 or higher and is ignored on older versions. + +Default value: `undef` + +##### `ssl_stapling_timeout` + +Data type: `Optional[Integer]` + +Can be used to set the [SSLStaplingResponderTimeout](http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslstaplingrespondertimeout) directive.
+This parameter only applies to Apache 2.4 or higher and is ignored on older versions. + +Default value: `undef` + +##### `ssl_stapling_return_errors` + +Data type: `Optional[Apache::OnOff]` + +Can be used to set the [SSLStaplingReturnResponderErrors](http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslstaplingreturnrespondererrors) directive.
+This parameter only applies to Apache 2.4 or higher and is ignored on older versions. + +Default value: `undef` + +##### `ssl_user_name` + +Data type: `Optional[String]` + +Sets the [SSLUserName](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslusername) directive. + +Default value: `undef` + +##### `ssl_reload_on_change` + +Data type: `Boolean` + +Enable reloading of apache if the content of ssl files have changed. + +Default value: `$apache::default_ssl_reload_on_change` + +##### `use_canonical_name` + +Data type: `Optional[Variant[Apache::OnOff, Enum['DNS', 'dns']]]` + +Specifies whether to use the [`UseCanonicalName directive`](https://httpd.apache.org/docs/2.4/mod/core.html#usecanonicalname), +which allows you to configure how the server determines it's own name and port. + +Default value: `undef` + +##### `define` + +Data type: `Hash` + +this lets you define configuration variables inside a vhost using [`Define`](https://httpd.apache.org/docs/2.4/mod/core.html#define), +these can then be used to replace configuration values. All Defines are Undefined at the end of the VirtualHost. + +Default value: `{}` + +##### `auth_oidc` + +Data type: `Boolean` + +Enable `mod_auth_openidc` parameters for OpenID Connect authentication. + +Default value: `false` + +##### `oidc_settings` + +Data type: `Apache::OIDCSettings` + +An Apache::OIDCSettings Struct containing (mod_auth_openidc settings)[https://github.com/zmartzone/mod_auth_openidc/blob/master/auth_openidc.conf]. + +Default value: `{}` + +##### `limitreqfields` + +Data type: `Optional[Integer]` + +The `limitreqfields` parameter sets the maximum number of request header fields in +an HTTP request. This directive gives the server administrator greater control over +abnormal client request behavior, which may be useful for avoiding some forms of +denial-of-service attacks. The value should be increased if normal clients see an error +response from the server that indicates too many fields were sent in the request. + +Default value: `undef` + +##### `limitreqfieldsize` + +Data type: `Optional[Integer]` + +The `limitreqfieldsize` parameter sets the maximum ammount of _bytes_ that will +be allowed within a request header. + +Default value: `undef` + +##### `limitreqline` + +Data type: `Optional[Integer]` + +Limit the size of the HTTP request line that will be accepted from the client +This directive sets the number of bytes that will be allowed on the HTTP +request-line. The LimitRequestLine directive allows the server administrator +to set the limit on the allowed size of a client's HTTP request-line. Since +the request-line consists of the HTTP method, URI, and protocol version, the +LimitRequestLine directive places a restriction on the length of a request-URI +allowed for a request on the server. A server needs this value to be large +enough to hold any of its resource names, including any information that might +be passed in the query part of a GET request. + +Default value: `undef` + +##### `limitreqbody` + +Data type: `Optional[Integer]` + +Restricts the total size of the HTTP request body sent from the client +The LimitRequestBody directive allows the user to set a limit on the allowed +size of an HTTP request message body within the context in which the +directive is given (server, per-directory, per-file or per-location). If the +client request exceeds that limit, the server will return an error response +instead of servicing the request. + +Default value: `undef` + +##### `use_servername_for_filenames` + +Data type: `Boolean` + +When set to true, default log / config file names will be derived from the sanitized +value of the $servername parameter. +When set to false (default), the existing behaviour of using the $name parameter +will remain. + +Default value: `false` + +##### `use_port_for_filenames` + +Data type: `Boolean` + +When set to true and use_servername_for_filenames is also set to true, default log / +config file names will be derived from the sanitized value of both the $servername and +$port parameters. +When set to false (default), the port is not included in the file names and may lead to +duplicate declarations if two virtual hosts use the same domain. + +Default value: `false` + +##### `mdomain` + +Data type: `Optional[Variant[Boolean, String]]` + +All the names in the list are managed as one Managed Domain (MD). mod_md will request +one single certificate that is valid for all these names. + +Default value: `undef` + +##### `proxy_requests` + +Data type: `Boolean` + +Whether to accept proxy requests + +Default value: `false` + +##### `userdir` + +Data type: `Optional[Variant[String[1], Array[String[1]]]]` + +Instances of apache::mod::userdir + +Default value: `undef` + +##### `proxy_protocol` + +Data type: `Optional[Boolean]` + +Enable or disable PROXY protocol handling + +Default value: `undef` + +##### `proxy_protocol_exceptions` + +Data type: `Array[Stdlib::Host]` + +Disable processing of PROXY header for certain hosts or networks + +Default value: `[]` + +### `apache::vhost::custom` + +The `apache::vhost::custom` defined type is a thin wrapper around the `apache::custom_config` defined type, and simply overrides some of its default settings specific to the virtual host directory in Apache. + +#### Parameters + +The following parameters are available in the `apache::vhost::custom` defined type: + +* [`content`](#-apache--vhost--custom--content) +* [`ensure`](#-apache--vhost--custom--ensure) +* [`priority`](#-apache--vhost--custom--priority) +* [`verify_config`](#-apache--vhost--custom--verify_config) + +##### `content` + +Data type: `String` + +Sets the configuration file's content. + +##### `ensure` + +Data type: `String` + +Specifies if the virtual host file is present or absent. + +Default value: `'present'` + +##### `priority` + +Data type: `Apache::Vhost::Priority` + +Sets the relative load order for Apache HTTPD VirtualHost configuration files. + +Default value: `25` + +##### `verify_config` + +Data type: `Boolean` + +Specifies whether to validate the configuration file before notifying the Apache service. + +Default value: `true` + +### `apache::vhost::fragment` + +Define a fragment within a vhost + +#### Examples + +##### With a vhost without priority + +```puppet +include apache +apache::vhost { 'myvhost': +} +apache::vhost::fragment { 'myfragment': + vhost => 'myvhost', + content => '# Foo', +} +``` + +##### With a vhost with priority + +```puppet +include apache +apache::vhost { 'myvhost': + priority => 42, +} +apache::vhost::fragment { 'myfragment': + vhost => 'myvhost', + priority => 42, + content => '# Foo', +} +``` + +##### With a vhost with default vhost + +```puppet +include apache +apache::vhost { 'myvhost': + default_vhost => true, +} +apache::vhost::fragment { 'myfragment': + vhost => 'myvhost', + priority => 10, # default_vhost implies priority 10 + content => '# Foo', +} +``` + +##### Adding a fragment to the built in default vhost + +```puppet +include apache +apache::vhost::fragment { 'myfragment': + vhost => 'default', + priority => 15, + content => '# Foo', +} +``` + +#### Parameters + +The following parameters are available in the `apache::vhost::fragment` defined type: + +* [`vhost`](#-apache--vhost--fragment--vhost) +* [`priority`](#-apache--vhost--fragment--priority) +* [`content`](#-apache--vhost--fragment--content) +* [`order`](#-apache--vhost--fragment--order) +* [`port`](#-apache--vhost--fragment--port) + +##### `vhost` + +Data type: `String[1]` + +The title of the vhost resource to append to + +##### `priority` + +Data type: `Optional[Apache::Vhost::Priority]` + +Set the priority to match the one `apache::vhost` sets. This must match the +one `apache::vhost` sets or else the concat fragment won't be found. + +Default value: `undef` + +##### `content` + +Data type: `Optional[String]` + +The content to put in the fragment. Only when it's non-empty the actual +fragment will be created. + +Default value: `undef` + +##### `order` + +Data type: `Integer[0]` + +The order to insert the fragment at + +Default value: `900` + +##### `port` + +Data type: `Optional[Stdlib::Port]` + +The port to use + +Default value: `undef` + +### `apache::vhost::proxy` + +Configure a reverse proxy for a vhost + +#### Examples + +##### Simple configuration proxying "/" but not "/admin" + +```puppet +include apache +apache::vhost { 'basic-proxy-vhost': +} +apache::vhost::proxy { 'proxy-to-backend-server': + vhost => 'basic-proxy-vhost', + proxy_dest => 'http://backend-server/', + no_proxy_uris => '/admin', +} +``` + +##### Granular configuration using `Apache::Vhost::ProxyPass` data type + +```puppet +include apache +apache::vhost { 'myvhost': +} +apache::vhost::proxy { 'myvhost-proxy': + vhost => 'myvhost', + proxy_pass => [ + { 'path' => '/a', 'url' => 'http://backend-a/' }, + { 'path' => '/b', 'url' => 'http://backend-b/' }, + { 'path' => '/c', 'url' => 'http://backend-a/c', 'params' => {'max'=>20, 'ttl'=>120, 'retry'=>300}}, + { 'path' => '/l', 'url' => 'http://backend-xy', + 'reverse_urls' => ['http://backend-x', 'http://backend-y'] }, + { 'path' => '/d', 'url' => 'http://backend-a/d', + 'params' => { 'retry' => 0, 'timeout' => 5 }, }, + { 'path' => '/e', 'url' => 'http://backend-a/e', + 'keywords' => ['nocanon', 'interpolate'] }, + { 'path' => '/f', 'url' => 'http://backend-f/', + 'setenv' => ['proxy-nokeepalive 1', 'force-proxy-request-1.0 1']}, + { 'path' => '/g', 'url' => 'http://backend-g/', + 'reverse_cookies' => [{'path' => '/g', 'url' => 'http://backend-g/',}, {'domain' => 'http://backend-g', 'url' => 'http:://backend-g',},], }, + { 'path' => '/h', 'url' => 'http://backend-h/h', + 'no_proxy_uris' => ['/h/admin', '/h/server-status'] }, + ], +} +``` + +#### Parameters + +The following parameters are available in the `apache::vhost::proxy` defined type: + +* [`vhost`](#-apache--vhost--proxy--vhost) +* [`priority`](#-apache--vhost--proxy--priority) +* [`order`](#-apache--vhost--proxy--order) +* [`port`](#-apache--vhost--proxy--port) +* [`proxy_dest`](#-apache--vhost--proxy--proxy_dest) +* [`proxy_dest_match`](#-apache--vhost--proxy--proxy_dest_match) +* [`proxy_dest_reverse_match`](#-apache--vhost--proxy--proxy_dest_reverse_match) +* [`no_proxy_uris`](#-apache--vhost--proxy--no_proxy_uris) +* [`no_proxy_uris_match`](#-apache--vhost--proxy--no_proxy_uris_match) +* [`proxy_pass`](#-apache--vhost--proxy--proxy_pass) +* [`proxy_pass_match`](#-apache--vhost--proxy--proxy_pass_match) +* [`proxy_requests`](#-apache--vhost--proxy--proxy_requests) +* [`proxy_preserve_host`](#-apache--vhost--proxy--proxy_preserve_host) +* [`proxy_add_headers`](#-apache--vhost--proxy--proxy_add_headers) +* [`proxy_error_override`](#-apache--vhost--proxy--proxy_error_override) + +##### `vhost` + +Data type: `String[1]` + +The title of the vhost resource to which reverse proxy configuration will +be appended. + +##### `priority` + +Data type: `Optional[Apache::Vhost::Priority]` + +Set the priority to match the one `apache::vhost` sets. This must match the +one `apache::vhost` sets or else the vhost's `concat` resource won't be found. + +Default value: `undef` + +##### `order` + +Data type: `Integer[0]` + +The order in which the `concat::fragment` containing the proxy configuration +will be inserted. Useful when multiple fragments will be attached to a single +vhost's configuration. + +Default value: `170` + +##### `port` + +Data type: `Optional[Stdlib::Port]` + +Set the port to match the one `apache::vhost` sets. This must match the one +`apache::vhost` sets or else the vhost's `concat` resource won't be found. + +Default value: `undef` + +##### `proxy_dest` + +Data type: `Optional[String[1]]` + +Specifies the destination address of a [ProxyPass](https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypass) configuration for the `/` path. + +Default value: `undef` + +##### `proxy_dest_match` + +Data type: `Optional[String[1]]` + +This directive is equivalent to `proxy_dest`, but takes regular expressions, see +[ProxyPassMatch](https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypassmatch) +for details. + +Default value: `undef` + +##### `proxy_dest_reverse_match` + +Data type: `Optional[String[1]]` + +Allows you to pass a ProxyPassReverse if `proxy_dest_match` is specified. See +[ProxyPassReverse](https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypassreverse) +for details. + +Default value: `undef` + +##### `no_proxy_uris` + +Data type: `Variant[Array[String[1]], String[1]]` + +Paths to be excluded from reverse proxying. Only valid when already using `proxy_dest` +or `proxy_dest_match` to map the `/` path, otherwise it will be absent in the final +vhost configuration file. In that case, instead add `no_proxy_uris => [uri1, uri2, ...]` +to the `Apache::Vhost::ProxyPass` definitions passed via the `proxy_pass` parameter. +See examples for this class, or refer to documentation for the `Apache::Vhost::ProxyPass` +data type. This configuration uses the [ProxyPass](https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypass) directive with `!`. + +Default value: `[]` + +##### `no_proxy_uris_match` + +Data type: `Variant[Array[String[1]], String[1]]` + +This directive is equivalent to `no_proxy_uris` but takes regular expressions, +as it instead uses [ProxyPassMatch](https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypassmatch). + +Default value: `[]` + +##### `proxy_pass` + +Data type: `Optional[Array[Apache::Vhost::ProxyPass]]` + +Specifies an array of `path => URI` values for a [ProxyPass](https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypass) +configuration. +See the documentation for the Apache::Vhost::ProxyPass data type for a detailed +description of the structure including optional parameters. + +Default value: `undef` + +##### `proxy_pass_match` + +Data type: `Optional[Array[Apache::Vhost::ProxyPass]]` + +This directive is equivalent to `proxy_pass`, but takes regular expressions, see +[ProxyPassMatch](https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypassmatch) +for details. + +Default value: `undef` + +##### `proxy_requests` + +Data type: `Boolean` + +Enables forward (standard) proxy requests. See [ProxyRequests](https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxyrequests) for details. + +Default value: `false` + +##### `proxy_preserve_host` + +Data type: `Boolean` + +When enabled, pass the `Host:` line from the incoming request to the proxied host. +See [ProxyPreserveHost](https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypreservehost) for details. + +Default value: `false` + +##### `proxy_add_headers` + +Data type: `Optional[Boolean]` + +Add X-Forwarded-For, X-Forwarded-Host, and X-Forwarded-Server HTTP headers. +See [ProxyAddHeaders](https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxyaddheaders) for details. + +Default value: `undef` + +##### `proxy_error_override` + +Data type: `Boolean` + +Override error pages from the proxied host. The current Puppet implementation +supports enabling or disabling the directive, but not specifying a custom list +of status codes. See [ProxyErrorOverride](https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxyerroroverride) for details. + +Default value: `false` + +## Functions + +### `apache::apache_pw_hash` + +Type: Ruby 4.x API + +DEPRECATED. Use the function [`apache::pw_hash`](#apachepw_hash) instead. + +#### `apache::apache_pw_hash(Any *$args)` + +The apache::apache_pw_hash function. + +Returns: `Any` + +##### `*args` + +Data type: `Any` + + + +### `apache::authz_core_config` + +Type: Ruby 4.x API + +Function to generate the authz_core configuration directives. + +#### Examples + +##### + +```puppet + +arg = { + require_all => { + 'require_any' => { + 'require' => ['user superadmin'], + 'require_all' => { + 'require' => ['group admins'], + }, + }, + 'require_none' => { + 'require' => ['group temps'] + } + } +} + +apache::bool2httpd(arg) +returns : +[ + " ", + " ", + " Require user superadmin", + " ", + " Require group admins", + " Require ldap-group \"cn=Administrators,o=Airius\"", + " ", + " ", + " ", + " Require group temps", + " Require ldap-group \"cn=Temporary Employees,o=Airius\"", + " ", + " " +] +``` + +#### `apache::authz_core_config(Hash $config)` + +The apache::authz_core_config function. + +Returns: `Array` Returns the authz_core config directives in array. + +##### Examples + +###### + +```puppet + +arg = { + require_all => { + 'require_any' => { + 'require' => ['user superadmin'], + 'require_all' => { + 'require' => ['group admins'], + }, + }, + 'require_none' => { + 'require' => ['group temps'] + } + } +} + +apache::bool2httpd(arg) +returns : +[ + " ", + " ", + " Require user superadmin", + " ", + " Require group admins", + " Require ldap-group \"cn=Administrators,o=Airius\"", + " ", + " ", + " ", + " Require group temps", + " Require ldap-group \"cn=Temporary Employees,o=Airius\"", + " ", + " " +] +``` + +##### `config` + +Data type: `Hash` + +The input as JSON format. + +### `apache::bool2httpd` + +Type: Ruby 4.x API + +Transform a supposed boolean to On or Off. Passes all other values through. + +#### Examples + +##### + +```puppet +$trace_enable = false +$server_signature = 'mail' + +apache::bool2httpd($trace_enable) # returns 'Off' +apache::bool2httpd($server_signature) # returns 'mail' +apache::bool2httpd(undef) # returns 'Off' +``` + +#### `apache::bool2httpd(Any $arg)` + +The apache::bool2httpd function. + +Returns: `Any` Will return either `On` or `Off` if given a boolean value. Returns a string of any +other given value. + +##### Examples + +###### + +```puppet +$trace_enable = false +$server_signature = 'mail' + +apache::bool2httpd($trace_enable) # returns 'Off' +apache::bool2httpd($server_signature) # returns 'mail' +apache::bool2httpd(undef) # returns 'Off' +``` + +##### `arg` + +Data type: `Any` + +The value to be converted into a string. + +### `apache::pw_hash` + +Type: Ruby 4.x API + +Currently uses SHA-hashes, because although this format is considered insecure, it's the +most secure format supported by the most platforms. + +#### `apache::pw_hash(String[1] $password)` + +Currently uses SHA-hashes, because although this format is considered insecure, it's the +most secure format supported by the most platforms. + +Returns: `String` Returns the hash of the input that was given. + +##### `password` + +Data type: `String[1]` + +The input that is to be hashed. + +### `apache_pw_hash` + +Type: Ruby 4.x API + +DEPRECATED. Use the namespaced function [`apache::pw_hash`](#apachepw_hash) instead. + +#### `apache_pw_hash(Any *$args)` + +The apache_pw_hash function. + +Returns: `Any` + +##### `*args` + +Data type: `Any` + + + +### `bool2httpd` + +Type: Ruby 4.x API + +DEPRECATED. Use the namespaced function [`apache::bool2httpd`](#apachebool2httpd) instead. + +#### `bool2httpd(Any *$args)` + +The bool2httpd function. + +Returns: `Any` + +##### `*args` + +Data type: `Any` + + + +## Data types + +### `Apache::LogLevel` + +A string that conforms to the Apache `LogLevel` syntax. +Different levels can be specified for individual apache modules. + +ie. `[module:]level [module:level] ...` + +The levels are (in order of decreasing significance): +* `emerg` +* `alert` +* `crit` +* `error` +* `warn` +* `notice` +* `info` +* `debug` +* `trace1` +* `trace2` +* `trace3` +* `trace4` +* `trace5` +* `trace6` +* `trace7` +* `trace8` + +* **See also** + * https://httpd.apache.org/docs/current/mod/core.html#loglevel + +Alias of `Pattern[/\A([a-z_\.]+:)?(emerg|alert|crit|error|warn|notice|info|debug|trace[1-8])(\s+([a-z_\.]+:)?(emerg|alert|crit|error|warn|notice|info|debug|trace[1-8]))*\Z/]` + +### `Apache::ModProxyProtocol` + +Supported protocols / schemes by mod_proxy + +* **See also** + * https://httpd.apache.org/docs/2.4/mod/mod_proxy.html + +Alias of `Pattern[/(\A(ajp|fcgi|ftp|h2c?|https?|scgi|uwsgi|wss?):\/\/.+\z)/, /(\Aunix:\/([^\n\/\0]+\/*)*\z)/]` + +### `Apache::OIDCSettings` + +https://github.com/zmartzone/mod_auth_openidc/blob/master/auth_openidc.conf + +Alias of + +```puppet +Struct[{ + Optional['RedirectURI'] => Variant[Stdlib::HTTPSUrl, Stdlib::HttpUrl, Pattern[/^\/[A-Za-z0-9\-\._%\/]*$/]], + Optional['CryptoPassphrase'] => String[1], + Optional['MetadataDir'] => String[1], + Optional['ProviderMetadataURL'] => Stdlib::HTTPSUrl, + Optional['ProviderIssuer'] => String[1], + Optional['ProviderAuthorizationEndpoint'] => Stdlib::HTTPSUrl, + Optional['ProviderJwksUri'] => Stdlib::HTTPSUrl, + Optional['ProviderTokenEndpoint'] => Stdlib::HTTPSUrl, + Optional['ProviderTokenEndpointAuth'] => Enum['client_secret_basic', 'client_secret_post', 'client_secret_jwt', 'private_key_jwt', 'none'], + Optional['ProviderTokenEndpointParams'] => Pattern[/^[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+(&[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+)*$/], + Optional['ProviderUserInfoEndpoint'] => Stdlib::HTTPSUrl, + Optional['ProviderCheckSessionIFrame'] => Stdlib::HTTPSUrl, + Optional['ProviderEndSessionEndpoint'] => Stdlib::HTTPSUrl, + Optional['ProviderRevocationEndpoint'] => Stdlib::HTTPSUrl, + Optional['ProviderBackChannelLogoutSupported'] => Apache::OnOff, + Optional['ProviderRegistrationEndpointJson'] => String[1], + Optional['Scope'] => Pattern[/^\"?[A-Za-z0-9\-\._\s]+\"?$/], + Optional['AuthRequestParams'] => Pattern[/^[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+(&[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+)*$/], + Optional['SSLValidateServer'] => Apache::OnOff , + Optional['UserInfoRefreshInterval'] => Variant[Integer[-1], Pattern[/^[0-9]+(\s+(logout_on_error|authenticate_on_error|502_on_error))?$/]], + Optional['JWKSRefreshInterval'] => Integer[-1], + Optional['UserInfoTokenMethod'] => Enum['authz_header', 'post_param'], + Optional['ProviderAuthRequestMethod'] => Enum['GET', 'POST', 'PAR'], + Optional['PublicKeyFiles'] => String[1], + Optional['PrivateKeyFiles'] => String[1], + Optional['ResponseType'] => Enum['code', 'id_token', 'id_token token', 'code id_token', 'code token', 'code id_token token'], + Optional['ResponseMode'] => Enum['fragment', 'query', 'form_post'], + Optional['ClientID'] => String[1], + Optional['ClientSecret'] => String[1], + Optional['ClientTokenEndpointCert'] => String[1], + Optional['ClientTokenEndpointKey'] => String[1], + Optional['ClientTokenEndpointKeyPassword'] => String[1], + Optional['ClientName'] => String[1], + Optional['ClientContact'] => String[1], + Optional['PKCEMethod'] => Enum['plain', 'S256', 'referred_tb', 'none'], + Optional['TokenBindingPolicy'] => Enum['disabled', 'optional', 'required', 'enforced'], + Optional['ClientJwksUri'] => Stdlib::HTTPSUrl, + Optional['IDTokenSignedResponseAlg'] => Enum['RS256', 'RS384', 'RS512', 'PS256', 'PS384', 'PS512', 'HS256', 'HS384', 'HS512', 'ES256', 'ES384', 'ES512'], + Optional['IDTokenEncryptedResponseAlg'] => Enum['RSA1_5', 'A128KW', 'A256KW', 'RSA-OAEP'], + Optional['IDTokenEncryptedResponseEnc'] => Enum['A128CBC-HS256', 'A256CBC-HS512', 'A256GCM'], + Optional['UserInfoSignedResponseAlg'] => Enum['RS256', 'RS384', 'RS512', 'PS256', 'PS384', 'PS512', 'HS256', 'HS384', 'HS512', 'ES256', 'ES384', 'ES512'], + Optional['UserInfoEncryptedResponseAlg'] => Enum['RSA1_5', 'A128KW', 'A256KW', 'RSA-OAEP'], + Optional['UserInfoEncryptedResponseEnc'] => Enum['A128CBC-HS256', 'A256CBC-HS512', 'A256GCM'], + Optional['OAuthServerMetadataURL'] => Stdlib::HTTPSUrl, + Optional['AuthIntrospectionEndpoint'] => Stdlib::HTTPSUrl, + Optional['OAuthClientID'] => String[1], + Optional['OAuthClientSecret'] => String[1], + Optional['OAuthIntrospectionEndpoint'] => String[1], + Optional['OAuthIntrospectionEndpointAuth'] => Enum['client_secret_basic', 'client_secret_post', 'client_secret_jwt', 'private_key_jwt', 'bearer_access_token', 'none'], + Optional['OAuthIntrospectionClientAuthBearerToken'] => String[1], + Optional['OAuthIntrospectionEndpointCert'] => String[1], + Optional['OAuthIntrospectionEndpointKey'] => String[1], + Optional['OAuthIntrospectionEndpointKeyPassword'] => String[1], + Optional['OAuthIntrospectionEndpointMethod'] => Enum['POST', 'GET'], + Optional['OAuthIntrospectionEndpointParams'] => Pattern[/^[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+(&[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+)*$/], + Optional['OAuthIntrospectionTokenParamName'] => String[1], + Optional['OAuthTokenExpiryClaim'] => Pattern[/^[A-Za-z0-9\-\._]+(\s(absolute|relative))?(\s(mandatory|optional))?$/], + Optional['OAuthTokenIntrospectionInterval'] => Integer[-1], + Optional['OAuthSSLValidateServer'] => Apache::OnOff, + Optional['OAuthVerifySharedKeys'] => String[1], + Optional['OAuthVerifyCertFiles'] => String[1], + Optional['OAuthVerifyJwksUri'] => Stdlib::HTTPSUrl, + Optional['OAuthRemoteUserClaim'] => String[1], + Optional['OAuthAcceptTokenAs'] => Pattern[/^((header|post|query|cookie\:[A-Za-z0-9\-\._]+|basic)\s?)+$/], + Optional['OAuthAccessTokenBindingPolicy'] => Enum['disabled', 'optional', 'required', 'enforced'], + Optional['Cookie'] => String[1], + Optional['CookieDomain'] => String[1], + Optional['CookiePath'] => String[1], + Optional['SessionCookieChunkSize'] => Integer[-1], + Optional['CookieHTTPOnly'] => Apache::OnOff, + Optional['CookieSameSite'] => Apache::OnOff, + Optional['PassCookies'] => String[1], + Optional['StripCookies'] => String[1], + Optional['StateMaxNumberOfCookies'] => Pattern[/^[0-9]+(\s(false|true))?$/], + Optional['SessionInactivityTimeout'] => Integer[-1], + Optional['SessionMaxDuration'] => Integer[-1], + Optional['SessionType'] => Pattern[/^(server-cache(:persistent)?|client-cookie(:persistent|:store_id_token|:persistent:store_id_token)?)$/], + Optional['SessionCacheFallbackToCookie'] => Apache::OnOff, + Optional['CacheType'] => Enum['shm', 'memcache', 'file', 'redis'], + Optional['CacheDir'] => String[1], + Optional['CacheEncrypt'] => Apache::OnOff, + Optional['CacheShmMax'] => Integer[-1], + Optional['CacheShmEntrySizeMax'] => Integer[-1], + Optional['CacheFileCleanInterval'] => Integer[-1], + Optional['MemCacheServers'] => String[1], + Optional['MemCacheConnectionsHMax'] => Integer[-1], + Optional['MemCacheConnectionsMin'] => Integer[-1], + Optional['MemCacheConnectionsSMax'] => Integer[-1], + Optional['MemCacheConnectionsTTL'] => Integer[-1], + Optional['RedisCacheServer'] => String[1], + Optional['RedisCachePassword'] => String, + Optional['RedisCacheConnectTimeout'] => Pattern[/^[0-9]+(\s[0-9]+)?$/], + Optional['RedisCacheDatabase'] => Integer[-1], + Optional['RedisCacheTimeout'] => Integer[-1], + Optional['RedisCacheUsername'] => String[1], + Optional['DiscoverURL'] => Variant[Stdlib::HTTPSUrl, Stdlib::HttpUrl], + Optional['HTMLErrorTemplate'] => String[1], + Optional['DefaultURL'] => Variant[Stdlib::HTTPSUrl, Stdlib::HttpUrl], + Optional['PathScope'] => Pattern[/^\"?[A-Za-z0-9\-\._\s]+\"?$/], + Optional['PathAuthRequestParams'] => Pattern[/^[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+(&[A-Za-z0-9\-\._%]+=[A-Za-z0-9\-\._%]+)*$/], + Optional['IDTokenIatSlack'] => Integer[-1], + Optional['ClaimPrefix'] => String, + Optional['ClaimDelimiter'] => Pattern[/^.$/], + Optional['RemoteUserClaim'] => String[1], + Optional['PassIDTokenAs'] => Pattern[/^((claims|payload|serialized)\s?)+$/], + Optional['PassUserInfoAs'] => Pattern[/^((claims|json(:([A-Za-z0-9\-\._])+)?|(signed_)?jwt(:([A-Za-z0-9\-\._])+)?)\s?)+$/], + Optional['PassClaimsAs'] => Pattern[/^(none|headers|environment|both)?\s?(latin1|base64url|none)?$/], + Optional['AuthNHeader'] => String[1], + Optional['HTTPTimeoutLong'] => Integer[-1], + Optional['HTTPTimeoutShort'] => Integer[-1], + Optional['StateTimeout'] => Integer[-1], + Optional['ScrubRequestHeaders'] => Apache::OnOff, + Optional['OutgoingProxy'] => String[1], + Optional['UnAuthAction'] => Pattern[/^(auth|pass|401|407|410)(\s.*)?$/], + Optional['UnAutzAction'] => Pattern[/^(401|403|302|auth)(\s.*)?$/], + Optional['PreservePost'] => Apache::OnOff, + Optional['PreservePostTemplates'] => String[1], + Optional['PassRefreshToken'] => Apache::OnOff, + Optional['RequestObject'] => String[1], + Optional['ProviderMetadataRefreshInterval'] => Integer[-1], + Optional['InfoHook'] => Pattern[/^((iat|access_token|access_token_expires|id_token|id_token_hint|userinfo|refresh_token|exp|timeout|remote_user|session)\s?)+$/], + Optional['BlackListedClaims'] => String[1], + Optional['WhiteListedClaims'] => String[1], + Optional['RefreshAccessTokenBeforeExpiry'] => Pattern[/^[0-9]+(\s(logout_on_error|authenticate_on_error|502_on_error))?$/], + Optional['XForwardedHeaders'] => String[1], + Optional['CABundlePath'] => String[1], + Optional['DefaultLoggedOutURL'] => String[1], + Optional['DPoPMode'] => String[1], + Optional['FilterClaimsExpr'] => String[1], + Optional['LogoutRequestParams'] => Pattern[/^[^=]+=[^&]+(&[^=]+=[^&]+)*$/], + Optional['LogoutXFrameOptions'] => String[1], + Optional['MetricsData'] => String[1], + Optional['MetricsPublish'] => String[1], + Optional['PassAccessToken'] => Apache::OnOff, + Optional['ProviderPushedAuthorizationRequestEndpoint'] => Stdlib::HttpUrl, + Optional['ProviderSignedJwksUri'] => String[1], + Optional['ProviderVerifyCertFiles'] => String[1], + Optional['RedirectURLsAllowed'] => String[1], + Optional['StateCookiePrefix'] => String, + Optional['StateInputHeaders'] => Enum['user-agent', 'x-forwarded-for', 'both', 'none'], + Optional['TraceParent'] => Enum['off', 'generate', 'propagate'], + Optional['UserInfoClaimsExpr'] => String[1], + Optional['ValidateIssuer'] => Apache::OnOff, + }] +``` + +### `Apache::OnOff` + +A string that is accepted in Apache config to turn something on or off + +Alias of `Enum['On', 'on', 'Off', 'off']` + +### `Apache::ServerTokens` + +A string that conforms to the Apache `ServerTokens` syntax. + +* **See also** + * https://httpd.apache.org/docs/2.4/mod/core.html#servertokens + +Alias of `Enum['Major', 'Minor', 'Min', 'Minimal', 'Prod', 'ProductOnly', 'OS', 'Full']` + +### `Apache::Vhost::Priority` + +The priority on vhost + +Alias of `Variant[Pattern[/^\d+$/], Integer, Boolean]` + +### `Apache::Vhost::ProxyPass` + +host context. Because the implementation uses SetEnv, you must `include apache::mod::env`; +for the same reason, this cannot set the newer `no-proxy` environment variable, which +would require an implementation using SetEnvIf. + +* **See also** + * https://httpd.apache.org/docs/current/mod/mod_proxy.html + * for additional documentation. + +#### Examples + +##### Basic example + +```puppet +{ 'path' => '/a', 'url' => 'http://backend-a/', } +``` + +##### With parameters + +```puppet +{ 'path' => '/b', 'url' => 'http://backend-a/b', + 'params' => {'max'=>20, 'ttl'=>120, 'retry'=>300,}, } +``` + +##### With ProxyPassReverse + +```puppet +{ 'path' => '/l', 'url' => 'http://backend-xy', + 'reverse_urls' => ['http://backend-x', 'http://backend-y'], } +``` + +##### With additional keywords + +```puppet +{ 'path' => '/e', 'url' => 'http://backend-a/e', + 'keywords' => ['nocanon', 'interpolate'], } +``` + +##### With mod_proxy environment variables + +```puppet +{ 'path' => '/f', 'url' => 'http://backend-f/', + 'setenv' => ['proxy-nokeepalive 1', 'force-proxy-request-1.0 1'], } +``` + +##### With ProxyPassReverseCookieDomain and ProxyPassReverseCookiePath + +```puppet +{ 'path' => '/g', 'url' => 'http://backend-g/', + 'reverse_cookies' => [{'path' => '/g', 'url' => 'http://backend-g/',}, {'domain' => 'http://backend-g', 'url' => 'http:://backend-g',}], } +``` + +##### With exclusions + +```puppet +{ 'path' => '/h', 'url' => 'http://backend-h/h', + 'no_proxy_uris' => ['/h/admin', '/h/server-status'], } +``` + +Alias of + +```puppet +Struct[{ + path => String[1], + url => String[1], + Optional[params] => Hash[String[1], Variant[String[1], Integer]], + Optional[keywords] => Array[String[1]], + Optional[reverse_cookies] => Array[ + Struct[ + { + url => String[1], + path => Optional[String[1]], + domain => Optional[String[1]], + } + ] + ], + Optional[reverse_urls] => Array[String[1]], + Optional[setenv] => Array[String[1]], + Optional[no_proxy_uris] => Array[String[1]], + Optional[no_proxy_uris_match] => Array[String[1]], + }] +``` + +#### Parameters + +The following parameters are available in the `Apache::Vhost::ProxyPass` data type: + +* [`path`](#-Apache--Vhost--ProxyPass--path) +* [`url`](#-Apache--Vhost--ProxyPass--url) +* [`params`](#-Apache--Vhost--ProxyPass--params) +* [`reverse_urls`](#-Apache--Vhost--ProxyPass--reverse_urls) +* [`reverse_cookies`](#-Apache--Vhost--ProxyPass--reverse_cookies) +* [`keywords`](#-Apache--Vhost--ProxyPass--keywords) +* [`setenv`](#-Apache--Vhost--ProxyPass--setenv) +* [`no_proxy_uris`](#-Apache--Vhost--ProxyPass--no_proxy_uris) +* [`no_proxy_uris_match`](#-Apache--Vhost--ProxyPass--no_proxy_uris_match) + +##### `path` + +Data type: `String[1]` + +The virtual path on the local server to map. + +##### `url` + +Data type: `String[1]` + +The URL to which the path and its children will be mapped. + +##### `params` + +Data type: `Optional[Hash]` + +Optional [ProxyPass](https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypass) key-value parameters, such as connection settings. + +##### `reverse_urls` + +Data type: `Array[String[1]]` + +Optional (but usually recommended) URLs for [ProxyPassReverse](https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypassreverse) configuration. +Allows Apache to adjust certain headers on HTTP redirect responses, to prevent +redirects on the back-end from bypassing the reverse proxy. + +##### `reverse_cookies` + +Data type: `Optional[Array[Hash]]` + +Optional Array of Hashes, each representing a ProxyPassReverseCookieDomain or +ProxyPassReverseCookiePath configuration. These are similar to ProxyPassReverse but +operate on Domain or Path strings respectively in Set-Cookie headers. Each Hash +must contain one `url => value` pair, and exactly one `path => value` or `domain => value` +pair, representing the internal domain or internal path. + +Options: + +* **:url** `String[1]`: Required partial URL representing public domain or public path. +* **:path** `Optional[String[1]]`: Internal path for [ProxyPassReverseCookiePath](https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypassreversecookiepath) configuration. +* **:domain** `Optional[String[1]]`: Internal domain for [ProxyPassReverseCookieDomain](https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypassreversecookiedomain) configuration. + +##### `keywords` + +Data type: `Optional[Array[String[1]]]` + +Array of optional keywords such as `nocanon`, `interpolate`, or `noquery` supported +by [ProxyPass](https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypass) (refer +to subsection under heading "Additional ProxyPass Keywords"). + +##### `setenv` + +Data type: `Optional[Array[String[1]]]` + +Optional Array of Strings of the form "${env_var_name} ${value}". +Uses [SetEnv](https://httpd.apache.org/docs/current/mod/mod_env.html#setenv) to make [Protocol Adjustments](https://httpd.apache.org/docs/current/mod/mod_proxy.html#envsettings) to mod_proxy in the virtual + +##### `no_proxy_uris` + +Data type: `Optional[Array[String[1]]]` + +Optional Array of paths to exclude from proxying, using the `!` directive to [ProxyPass](https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypass). + +##### `no_proxy_uris_match` + +Data type: `Optional[Array[String[1]]]` + +Similar to `no_proxy_uris` but uses [ProxyPassMatch](https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypassmatch) to allow regular +expressions. + +## Tasks + +### `init` + +Allows you to perform apache service functions + +**Supports noop?** false + +#### Parameters + +##### `action` + +Data type: `Enum[reload]` + +Action to perform + +##### `service_name` + +Data type: `Optional[String[1]]` + +The name of the apache service + diff --git a/Rakefile b/Rakefile index bb60173e57..2df73113cd 100644 --- a/Rakefile +++ b/Rakefile @@ -1,2 +1,11 @@ +# frozen_string_literal: true + +require 'bundler' +require 'puppet_litmus/rake_tasks' if Gem.loaded_specs.key? 'puppet_litmus' require 'puppetlabs_spec_helper/rake_tasks' -require 'rspec-system/rake_task' +require 'puppet-syntax/tasks/puppet-syntax' +require 'puppet-strings/tasks' if Gem.loaded_specs.key? 'puppet-strings' + +PuppetLint.configuration.send('disable_relative') +PuppetLint.configuration.send('disable_anchor_resource') +PuppetLint.configuration.send('disable_140chars') diff --git a/data/common.yaml b/data/common.yaml new file mode 100644 index 0000000000..2fbf0ffd71 --- /dev/null +++ b/data/common.yaml @@ -0,0 +1 @@ +--- {} diff --git a/tests/apache.pp b/examples/apache.pp similarity index 100% rename from tests/apache.pp rename to examples/apache.pp diff --git a/examples/dev.pp b/examples/dev.pp new file mode 100644 index 0000000000..6c4f95571d --- /dev/null +++ b/examples/dev.pp @@ -0,0 +1 @@ +include apache::mod::dev diff --git a/tests/init.pp b/examples/init.pp similarity index 100% rename from tests/init.pp rename to examples/init.pp diff --git a/examples/mod_load_params.pp b/examples/mod_load_params.pp new file mode 100644 index 0000000000..879f2cfe55 --- /dev/null +++ b/examples/mod_load_params.pp @@ -0,0 +1,10 @@ +# Tests the path and identifier parameters for the apache::mod class + +# Base class for clarity: +class { 'apache': } + +# Exaple parameter usage: +apache::mod { 'testmod': + path => '/usr/some/path/mod_testmod.so', + id => 'testmod_custom_name', +} diff --git a/tests/mods.pp b/examples/mods.pp similarity index 99% rename from tests/mods.pp rename to examples/mods.pp index 59362bd9a0..dd64e3b233 100644 --- a/tests/mods.pp +++ b/examples/mods.pp @@ -6,4 +6,3 @@ class { 'apache': default_mods => true, } - diff --git a/tests/mods_custom.pp b/examples/mods_custom.pp similarity index 99% rename from tests/mods_custom.pp rename to examples/mods_custom.pp index 0ae699c73d..103e52a4f0 100644 --- a/tests/mods_custom.pp +++ b/examples/mods_custom.pp @@ -13,4 +13,3 @@ 'expires', ], } - diff --git a/examples/php.pp b/examples/php.pp new file mode 100644 index 0000000000..1d926bfb46 --- /dev/null +++ b/examples/php.pp @@ -0,0 +1,4 @@ +class { 'apache': + mpm_module => 'prefork', +} +include apache::mod::php diff --git a/tests/vhost.pp b/examples/vhost.pp similarity index 61% rename from tests/vhost.pp rename to examples/vhost.pp index 173316e034..306866b6ba 100644 --- a/tests/vhost.pp +++ b/examples/vhost.pp @@ -9,35 +9,36 @@ # Most basic vhost apache::vhost { 'first.example.com': - port => '80', + port => 80, docroot => '/var/www/first', } -# Vhost with different docroot owner/group +# Vhost with different docroot owner/group/mode apache::vhost { 'second.example.com': - port => '80', + port => 80, docroot => '/var/www/second', docroot_owner => 'third', docroot_group => 'third', + docroot_mode => '0770', } # Vhost with serveradmin apache::vhost { 'third.example.com': - port => '80', + port => 80, docroot => '/var/www/third', serveradmin => 'admin@example.com', } # Vhost with ssl (uses default ssl certs) apache::vhost { 'ssl.example.com': - port => '443', + port => 443, docroot => '/var/www/ssl', ssl => true, } # Vhost with ssl and specific ssl certs apache::vhost { 'fourth.example.com': - port => '443', + port => 443, docroot => '/var/www/fourth', ssl => true, ssl_cert => '/etc/ssl/fourth.example.com.cert', @@ -47,7 +48,7 @@ # Vhost with english title and servername parameter apache::vhost { 'The fifth vhost': servername => 'fifth.example.com', - port => '80', + port => 80, docroot => '/var/www/fifth', } @@ -57,13 +58,13 @@ 'sixth.example.org', 'sixth.example.net', ], - port => '80', + port => 80, docroot => '/var/www/fifth', } # Vhost with alternate options apache::vhost { 'seventh.example.com': - port => '80', + port => 80, docroot => '/var/www/seventh', options => [ 'Indexes', @@ -73,14 +74,14 @@ # Vhost with AllowOverride for .htaccess apache::vhost { 'eighth.example.com': - port => '80', + port => 80, docroot => '/var/www/eighth', override => 'All', } # Vhost with access and error logs disabled apache::vhost { 'ninth.example.com': - port => '80', + port => 80, docroot => '/var/www/ninth', access_log => false, error_log => false, @@ -88,7 +89,7 @@ # Vhost with custom access and error logs and logroot apache::vhost { 'tenth.example.com': - port => '80', + port => 80, docroot => '/var/www/tenth', access_log_file => 'tenth_vhost.log', error_log_file => 'tenth_vhost_error.log', @@ -97,14 +98,14 @@ # Vhost with a cgi-bin apache::vhost { 'eleventh.example.com': - port => '80', + port => 80, docroot => '/var/www/eleventh', scriptalias => '/usr/lib/cgi-bin', } # Vhost with a proxypass configuration apache::vhost { 'twelfth.example.com': - port => '80', + port => 80, docroot => '/var/www/twelfth', proxy_dest => 'http://internal.example.com:8080/twelfth', no_proxy_uris => ['/login','/logout'], @@ -112,7 +113,7 @@ # Vhost to redirect /login and /logout apache::vhost { 'thirteenth.example.com': - port => '80', + port => 80, docroot => '/var/www/thirteenth', redirect_source => [ '/login', @@ -126,7 +127,7 @@ # Vhost to permamently redirect apache::vhost { 'fourteenth.example.com': - port => '80', + port => 80, docroot => '/var/www/fourteenth', redirect_source => '/blog', redirect_dest => 'http://blog.example.com', @@ -135,68 +136,121 @@ # Vhost with a rack configuration apache::vhost { 'fifteenth.example.com': - port => '80', + port => 80, docroot => '/var/www/fifteenth', rack_base_uris => ['/rackapp1', '/rackapp2'], } # Vhost to redirect non-ssl to ssl apache::vhost { 'sixteenth.example.com non-ssl': + servername => 'sixteenth.example.com', + port => 80, + docroot => '/var/www/sixteenth', + rewrites => [ + { + comment => 'redirect non-SSL traffic to SSL site', + rewrite_cond => ['%{HTTPS} off'], + rewrite_rule => ['(.*) https://%{HTTP_HOST}%{REQUEST_URI}'], + } + ], +} + +# Rewrite a URL to lower case +apache::vhost { 'sixteenth.example.com non-ssl': + servername => 'sixteenth.example.com', + port => 80, + docroot => '/var/www/sixteenth', + rewrites => [ + { comment => 'Rewrite to lower case', + rewrite_cond => ['%{REQUEST_URI} [A-Z]'], + rewrite_map => ['lc int:tolower'], + rewrite_rule => ["(.*) \${lc:\$1} [R=301,L]"], + } + ], +} + +apache::vhost { 'sixteenth.example.com ssl': + servername => 'sixteenth.example.com', + port => 443, + docroot => '/var/www/sixteenth', + ssl => true, +} + +# Vhost to redirect non-ssl to ssl using old rewrite method +apache::vhost { 'sixteenth.example.com non-ssl old rewrite': servername => 'sixteenth.example.com', - port => '80', + port => 80, docroot => '/var/www/sixteenth', rewrite_cond => '%{HTTPS} off', - rewrite_rule => '(.*) https://%{HTTPS_HOST}%{REQUEST_URI}', + rewrite_rule => '(.*) https://%{HTTP_HOST}%{REQUEST_URI}', } -apache::vhost { 'sixteenth.example.com ssl': +apache::vhost { 'sixteenth.example.com ssl old rewrite': servername => 'sixteenth.example.com', - port => '443', + port => 443, docroot => '/var/www/sixteenth', ssl => true, } # Vhost to block repository files apache::vhost { 'seventeenth.example.com': - port => '80', + port => 80, docroot => '/var/www/seventeenth', block => 'scm', } # Vhost with special environment variables apache::vhost { 'eighteenth.example.com': - port => '80', + port => 80, docroot => '/var/www/eighteenth', setenv => ['SPECIAL_PATH /foo/bin','KILROY was_here'], } + apache::vhost { 'nineteenth.example.com': - port => '80', + port => 80, docroot => '/var/www/nineteenth', setenvif => 'Host "^([^\.]*)\.website\.com$" CLIENT_NAME=$1', } +# Vhost with additional include files +apache::vhost { 'twentyieth.example.com': + port => 80, + docroot => '/var/www/twelfth', + additional_includes => ['/tmp/proxy_group_a','/tmp/proxy_group_b'], +} + # Vhost with alias for subdomain mapped to same named directory # http://example.com.loc => /var/www/example.com apache::vhost { 'subdomain.loc': vhost_name => '*', - port => '80', + port => 80, virtual_docroot => '/var/www/%-2+', docroot => '/var/www', serveraliases => ['*.loc',], } -# Vhost with SSLProtocol,SSLCipherSuite, SSLHonorCipherOrder +# Vhost with SSL (SSLProtocol, SSLCipherSuite & SSLHonorCipherOrder from default) apache::vhost { 'securedomain.com': - priority => '10', - vhost_name => 'www.securedomain.com', - port => '443', - docroot => '/var/www/secure', - ssl => true, - ssl_cert => '/etc/ssl/securedomain.cert', - ssl_key => '/etc/ssl/securedomain.key', - ssl_chain => '/etc/ssl/securedomain.crt', - ssl_protocol => '-ALL +SSLv3 +TLSv1', - ssl_cipher => 'ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM', - ssl_honorcipherorder => 'On', - add_listen => 'false', + priority => 10, + vhost_name => 'www.securedomain.com', + port => 443, + docroot => '/var/www/secure', + ssl => true, + ssl_cert => '/etc/ssl/securedomain.cert', + ssl_key => '/etc/ssl/securedomain.key', + ssl_chain => '/etc/ssl/securedomain.crt', + add_listen => false, } +# Vhost with access log environment variables writing control +apache::vhost { 'twentyfirst.example.com': + port => 80, + docroot => '/var/www/twentyfirst', + access_log_env_var => 'admin', +} + +# Vhost with a passenger_base configuration +apache::vhost { 'twentysecond.example.com': + port => 80, + docroot => '/var/www/twentysecond', + rack_base_uris => ['/passengerapp1', '/passengerapp2'], +} diff --git a/tests/vhost_directories.pp b/examples/vhost_directories.pp similarity index 59% rename from tests/vhost_directories.pp rename to examples/vhost_directories.pp index d8fcc0f8f8..f02734d029 100644 --- a/tests/vhost_directories.pp +++ b/examples/vhost_directories.pp @@ -7,8 +7,14 @@ apache::vhost { 'readme.example.net': docroot => '/var/www/readme', directories => [ - { path => '/var/www/readme', 'ServerTokens' => 'prod' }, - { path => '/usr/share/empty', 'allow' => 'from all' }, + { + 'path' => '/var/www/readme', + 'ServerTokens' => 'prod' , + }, + { + 'path' => '/usr/share/empty', + 'allow' => 'from all', + }, ], } @@ -16,7 +22,11 @@ apache::vhost { 'location.example.net': docroot => '/var/www/location', directories => [ - { path => '/location', 'provider' => 'location', 'ServerTokens' => 'prod' }, + { + 'path' => '/location', + 'provider' => 'location', + 'ServerTokens' => 'prod' + }, ], } @@ -24,7 +34,10 @@ apache::vhost { 'files.example.net': docroot => '/var/www/files', directories => [ - { path => '~ (\.swp|\.bak|~)$', 'provider' => 'files', 'deny' => 'from all' }, + { + 'path' => '(\.swp|\.bak|~)$', + 'provider' => 'filesmatch', + 'deny' => 'from all' + }, ], } - diff --git a/examples/vhost_filter.pp b/examples/vhost_filter.pp new file mode 100644 index 0000000000..ef27639c9c --- /dev/null +++ b/examples/vhost_filter.pp @@ -0,0 +1,16 @@ +# Base class. Declares default vhost on port 80 with filters. +class { 'apache': } + +# Example from README adapted. +apache::vhost { 'readme.example.net': + docroot => '/var/www/html', + filters => [ + 'FilterDeclare COMPRESS', + 'FilterProvider COMPRESS DEFLATE resp=Content-Type $text/html', + 'FilterProvider COMPRESS DEFLATE resp=Content-Type $text/css', + 'FilterProvider COMPRESS DEFLATE resp=Content-Type $text/plain', + 'FilterProvider COMPRESS DEFLATE resp=Content-Type $text/xml', + 'FilterChain COMPRESS', + 'FilterProtocol COMPRESS DEFLATE change=yes;byteranges=no', + ], +} diff --git a/tests/vhost_ip_based.pp b/examples/vhost_ip_based.pp similarity index 100% rename from tests/vhost_ip_based.pp rename to examples/vhost_ip_based.pp diff --git a/examples/vhost_proxypass.pp b/examples/vhost_proxypass.pp new file mode 100644 index 0000000000..9cd0a18559 --- /dev/null +++ b/examples/vhost_proxypass.pp @@ -0,0 +1,66 @@ +## vhost with proxyPass directive +# NB: Please see the other vhost_*.pp example files for further +# examples. + +# Base class. Declares default vhost on port 80 and default ssl +# vhost on port 443 listening on all interfaces and serving +# $apache::docroot +class { 'apache': } + +# Most basic vhost with proxy_pass +apache::vhost { 'first.example.com': + port => 80, + docroot => '/var/www/first', + proxy_pass => [ + { + 'path' => '/first', + 'url' => 'http://localhost:8080/first' + }, + ], +} + +# vhost with proxy_pass and parameters +apache::vhost { 'second.example.com': + port => 80, + docroot => '/var/www/second', + proxy_pass => [ + { + 'path' => '/second', + 'url' => 'http://localhost:8080/second', + 'params' => { + 'retry' => 0, + 'timeout' => 5, + } + }, + ], +} + +# vhost with proxy_pass and keywords +apache::vhost { 'third.example.com': + port => 80, + docroot => '/var/www/third', + proxy_pass => [ + { + 'path' => '/third', + 'url' => 'http://localhost:8080/third', + 'keywords' => ['noquery', 'interpolate'] + }, + ], +} + +# vhost with proxy_pass, parameters and keywords +apache::vhost { 'fourth.example.com': + port => 80, + docroot => '/var/www/fourth', + proxy_pass => [ + { + 'path' => '/fourth', + 'url' => 'http://localhost:8080/fourth', + 'params' => { + 'retry' => 0, + 'timeout' => 5, + }, + 'keywords' => ['noquery', 'interpolate'] + }, + ], +} diff --git a/tests/vhost_ssl.pp b/examples/vhost_ssl.pp similarity index 91% rename from tests/vhost_ssl.pp rename to examples/vhost_ssl.pp index 8e7a2b279e..83584e73ce 100644 --- a/tests/vhost_ssl.pp +++ b/examples/vhost_ssl.pp @@ -10,14 +10,14 @@ # Non-ssl vhost apache::vhost { 'first.example.com non-ssl': servername => 'first.example.com', - port => '80', + port => 80, docroot => '/var/www/first', } # SSL vhost at the same domain apache::vhost { 'first.example.com ssl': servername => 'first.example.com', - port => '443', + port => 443, docroot => '/var/www/first', ssl => true, } diff --git a/tests/vhosts_without_listen.pp b/examples/vhosts_without_listen.pp similarity index 91% rename from tests/vhosts_without_listen.pp rename to examples/vhosts_without_listen.pp index e7d6cc036c..1ccb7f41ae 100644 --- a/tests/vhosts_without_listen.pp +++ b/examples/vhosts_without_listen.pp @@ -8,19 +8,18 @@ default_vhost => false, } - # Add two an IP-based vhost on 10.0.0.10, ssl and non-ssl apache::vhost { 'The first IP-based vhost, non-ssl': servername => 'first.example.com', ip => '10.0.0.10', - port => '80', + port => 80, ip_based => true, docroot => '/var/www/first', } apache::vhost { 'The first IP-based vhost, ssl': servername => 'first.example.com', ip => '10.0.0.10', - port => '443', + port => 443, ip_based => true, docroot => '/var/www/first-ssl', ssl => true, @@ -29,12 +28,12 @@ # Two name-based vhost listening on 10.0.0.20 apache::vhost { 'second.example.com': ip => '10.0.0.20', - port => '80', + port => 80, docroot => '/var/www/second', } apache::vhost { 'third.example.com': ip => '10.0.0.20', - port => '80', + port => 80, docroot => '/var/www/third', } @@ -42,12 +41,12 @@ # `add_listen => 'false'` to disable declaring "Listen 80" which will conflict # with the IP-based preceeding vhosts. apache::vhost { 'fourth.example.com': - port => '80', + port => 80, docroot => '/var/www/fourth', add_listen => false, } apache::vhost { 'fifth.example.com': - port => '80', + port => 80, docroot => '/var/www/fifth', add_listen => false, } diff --git a/hiera.yaml b/hiera.yaml new file mode 100644 index 0000000000..545fff3272 --- /dev/null +++ b/hiera.yaml @@ -0,0 +1,21 @@ +--- +version: 5 + +defaults: # Used for any hierarchy level that omits these keys. + datadir: data # This path is relative to hiera.yaml's directory. + data_hash: yaml_data # Use the built-in YAML backend. + +hierarchy: + - name: "osfamily/major release" + paths: + # Used to distinguish between Debian and Ubuntu + - "os/%{facts.os.name}/%{facts.os.release.major}.yaml" + - "os/%{facts.os.family}/%{facts.os.release.major}.yaml" + # Used for Solaris + - "os/%{facts.os.family}/%{facts.kernelrelease}.yaml" + - name: "osfamily" + paths: + - "os/%{facts.os.name}.yaml" + - "os/%{facts.os.family}.yaml" + - name: 'common' + path: 'common.yaml' diff --git a/lib/puppet/functions/apache/apache_pw_hash.rb b/lib/puppet/functions/apache/apache_pw_hash.rb new file mode 100644 index 0000000000..4606ac7312 --- /dev/null +++ b/lib/puppet/functions/apache/apache_pw_hash.rb @@ -0,0 +1,12 @@ +# frozen_string_literal: true + +# @summary DEPRECATED. Use the function [`apache::pw_hash`](#apachepw_hash) instead. +Puppet::Functions.create_function(:'apache::apache_pw_hash') do + dispatch :deprecation_gen do + repeated_param 'Any', :args + end + def deprecation_gen(*args) + call_function('deprecation', 'apache::apache_pw_hash', 'This function is deprecated, please use apache::pw_hash instead.') + call_function('apache::pw_hash', *args) + end +end diff --git a/lib/puppet/functions/apache/authz_core_config.rb b/lib/puppet/functions/apache/authz_core_config.rb new file mode 100644 index 0000000000..304ab9d739 --- /dev/null +++ b/lib/puppet/functions/apache/authz_core_config.rb @@ -0,0 +1,78 @@ +# frozen_string_literal: true + +# @summary +# Function to generate the authz_core configuration directives. +# +Puppet::Functions.create_function(:'apache::authz_core_config') do + # @param config + # The input as JSON format. + # + # @return + # Returns the authz_core config directives in array. + # + # @example + # + # arg = { + # require_all => { + # 'require_any' => { + # 'require' => ['user superadmin'], + # 'require_all' => { + # 'require' => ['group admins'], + # }, + # }, + # 'require_none' => { + # 'require' => ['group temps'] + # } + # } + # } + # + # apache::bool2httpd(arg) + # returns : + # [ + # " ", + # " ", + # " Require user superadmin", + # " ", + # " Require group admins", + # " Require ldap-group \"cn=Administrators,o=Airius\"", + # " ", + # " ", + # " ", + # " Require group temps", + # " Require ldap-group \"cn=Temporary Employees,o=Airius\"", + # " ", + # " " + # ] + # + dispatch :authz_core_config do + param 'Hash', :config + return_type 'Array' + end + + private + + def build_directive(value) + value.split('_').map(&:capitalize).join + end + + def authz_core_config(config, count = 1) + result_string = [] + config.map do |key, value| + directive = build_directive(key) + if value.is_a?(Hash) + result_string << spacing("<#{directive}>", count) + result_string << authz_core_config(value, count + 1) + result_string << spacing("", count) + else + value.map do |v| + result_string << spacing("#{directive} #{v}", count) + end + end + end + result_string.flatten + end + + def spacing(string, count) + (' ' * count) + string + end +end diff --git a/lib/puppet/functions/apache/bool2httpd.rb b/lib/puppet/functions/apache/bool2httpd.rb new file mode 100644 index 0000000000..b864c8675f --- /dev/null +++ b/lib/puppet/functions/apache/bool2httpd.rb @@ -0,0 +1,37 @@ +# frozen_string_literal: true + +# @summary +# Transform a supposed boolean to On or Off. Passes all other values through. +# +Puppet::Functions.create_function(:'apache::bool2httpd') do + # @param arg + # The value to be converted into a string. + # + # @return + # Will return either `On` or `Off` if given a boolean value. Returns a string of any + # other given value. + # @example + # $trace_enable = false + # $server_signature = 'mail' + # + # apache::bool2httpd($trace_enable) # returns 'Off' + # apache::bool2httpd($server_signature) # returns 'mail' + # apache::bool2httpd(undef) # returns 'Off' + # + def bool2httpd(arg) + return 'Off' if arg.nil? || arg == false || matches_string?(arg, %r{false}i) || arg == :undef + return 'On' if arg == true || matches_string?(arg, %r{true}i) + + arg.to_s + end + + private + + def matches_string?(value, matcher) + if Gem::Version.new(RUBY_VERSION) < Gem::Version.new('2.4.0') + value =~ matcher + else + value.is_a?(String) && value.match?(matcher) + end + end +end diff --git a/lib/puppet/functions/apache/pw_hash.rb b/lib/puppet/functions/apache/pw_hash.rb new file mode 100644 index 0000000000..6a1630b546 --- /dev/null +++ b/lib/puppet/functions/apache/pw_hash.rb @@ -0,0 +1,23 @@ +# frozen_string_literal: true + +# @summary +# Hashes a password in a format suitable for htpasswd files read by apache. +# +# Currently uses SHA-hashes, because although this format is considered insecure, it's the +# most secure format supported by the most platforms. +Puppet::Functions.create_function(:'apache::pw_hash') do + # @param password + # The input that is to be hashed. + # + # @return + # Returns the hash of the input that was given. + dispatch :apache_pw_hash do + required_param 'String[1]', :password + return_type 'String' + end + + def apache_pw_hash(password) + require 'base64' + "{SHA}#{Base64.strict_encode64(Digest::SHA1.digest(password))}" + end +end diff --git a/lib/puppet/functions/apache_pw_hash.rb b/lib/puppet/functions/apache_pw_hash.rb new file mode 100644 index 0000000000..7aad4400df --- /dev/null +++ b/lib/puppet/functions/apache_pw_hash.rb @@ -0,0 +1,12 @@ +# frozen_string_literal: true + +# @summary DEPRECATED. Use the namespaced function [`apache::pw_hash`](#apachepw_hash) instead. +Puppet::Functions.create_function(:apache_pw_hash) do + dispatch :deprecation_gen do + repeated_param 'Any', :args + end + def deprecation_gen(*args) + call_function('deprecation', 'apache_pw_hash', 'This function is deprecated, please use apache::pw_hash instead.') + call_function('apache::pw_hash', *args) + end +end diff --git a/lib/puppet/functions/bool2httpd.rb b/lib/puppet/functions/bool2httpd.rb new file mode 100644 index 0000000000..62569f7bb4 --- /dev/null +++ b/lib/puppet/functions/bool2httpd.rb @@ -0,0 +1,12 @@ +# frozen_string_literal: true + +# @summary DEPRECATED. Use the namespaced function [`apache::bool2httpd`](#apachebool2httpd) instead. +Puppet::Functions.create_function(:bool2httpd) do + dispatch :deprecation_gen do + repeated_param 'Any', :args + end + def deprecation_gen(*args) + call_function('deprecation', 'bool2httpd', 'This function is deprecated, please use apache::bool2httpd instead.') + call_function('apache::bool2httpd', *args) + end +end diff --git a/lib/puppet/provider/a2mod.rb b/lib/puppet/provider/a2mod.rb index 670aca3d03..bc0899e2d5 100644 --- a/lib/puppet/provider/a2mod.rb +++ b/lib/puppet/provider/a2mod.rb @@ -1,33 +1,38 @@ +# frozen_string_literal: true + +# a2mod.rb class Puppet::Provider::A2mod < Puppet::Provider + # Fetches the mod provider def self.prefetch(mods) instances.each do |prov| - if mod = mods[prov.name] - mod.provider = prov - end + mod = mods[prov.name] + mod.provider = prov if mod end end + # Clear's the property_hash def flush @property_hash.clear end + # Returns a copy of the property_hash def properties if @property_hash.empty? - @property_hash = query || {:ensure => :absent} + @property_hash = query || { ensure: :absent } @property_hash[:ensure] = :absent if @property_hash.empty? end @property_hash.dup end + # Returns the properties of the given mod if it exists. def query self.class.instances.each do |mod| - if mod.name == self.name or mod.name.downcase == self.name - return mod.properties - end + return mod.properties if mod.name == name || mod.name.downcase == name end nil end + # Return's if the ensure property is absent or not def exists? properties[:ensure] != :absent end diff --git a/lib/puppet/provider/a2mod/a2mod.rb b/lib/puppet/provider/a2mod/a2mod.rb deleted file mode 100644 index e257a579e8..0000000000 --- a/lib/puppet/provider/a2mod/a2mod.rb +++ /dev/null @@ -1,35 +0,0 @@ -require 'puppet/provider/a2mod' - -Puppet::Type.type(:a2mod).provide(:a2mod, :parent => Puppet::Provider::A2mod) do - desc "Manage Apache 2 modules on Debian and Ubuntu" - - optional_commands :encmd => "a2enmod" - optional_commands :discmd => "a2dismod" - commands :apache2ctl => "apache2ctl" - - confine :osfamily => :debian - defaultfor :operatingsystem => [:debian, :ubuntu] - - def self.instances - modules = apache2ctl("-M").lines.collect { |line| - m = line.match(/(\w+)_module \(shared\)$/) - m[1] if m - }.compact - - modules.map do |mod| - new( - :name => mod, - :ensure => :present, - :provider => :a2mod - ) - end - end - - def create - encmd resource[:name] - end - - def destroy - discmd resource[:name] - end -end diff --git a/lib/puppet/provider/a2mod/gentoo.rb b/lib/puppet/provider/a2mod/gentoo.rb deleted file mode 100644 index 07319dfdc8..0000000000 --- a/lib/puppet/provider/a2mod/gentoo.rb +++ /dev/null @@ -1,116 +0,0 @@ -require 'puppet/util/filetype' -Puppet::Type.type(:a2mod).provide(:gentoo, :parent => Puppet::Provider) do - desc "Manage Apache 2 modules on Gentoo" - - confine :operatingsystem => :gentoo - defaultfor :operatingsystem => :gentoo - - attr_accessor :property_hash - - def create - @property_hash[:ensure] = :present - end - - def exists? - (!(@property_hash[:ensure].nil?) and @property_hash[:ensure] == :present) - end - - def destroy - @property_hash[:ensure] = :absent - end - - def flush - self.class.flush - end - - class << self - attr_reader :conf_file - end - - def self.clear - @mod_resources = [] - @modules = [] - @other_args = "" - end - - def self.initvars - @conf_file = "/etc/conf.d/apache2" - @filetype = Puppet::Util::FileType.filetype(:flat).new(conf_file) - @mod_resources = [] - @modules = [] - @other_args = "" - end - - self.initvars - - # Retrieve an array of all existing modules - def self.modules - if @modules.length <= 0 - # Locate the APACHE_OPTS variable - records = filetype.read.split(/\n/) - apache2_opts = records.grep(/^\s*APACHE2_OPTS=/).first - - # Extract all defines - while apache2_opts.sub!(/-D\s+(\w+)/, '') - @modules << $1.downcase - end - - # Hang on to any remaining options. - if apache2_opts.match(/APACHE2_OPTS="(.+)"/) - @other_args = $1.strip - end - - @modules.sort!.uniq! - end - - @modules - end - - def self.prefetch(resources={}) - # Match resources with existing providers - instances.each do |provider| - if resource = resources[provider.name] - resource.provider = provider - end - end - - # Store all resources using this provider for flushing - resources.each do |name, resource| - @mod_resources << resource - end - end - - def self.instances - modules.map {|mod| new(:name => mod, :provider => :gentoo, :ensure => :present)} - end - - def self.flush - - mod_list = modules - mods_to_remove = @mod_resources.select {|mod| mod.should(:ensure) == :absent}.map {|mod| mod[:name]} - mods_to_add = @mod_resources.select {|mod| mod.should(:ensure) == :present}.map {|mod| mod[:name]} - - mod_list -= mods_to_remove - mod_list += mods_to_add - mod_list.sort!.uniq! - - if modules != mod_list - opts = @other_args + " " - opts << mod_list.map {|mod| "-D #{mod.upcase}"}.join(" ") - opts.strip! - opts.gsub!(/\s+/, ' ') - - apache2_opts = %Q{APACHE2_OPTS="#{opts}"} - Puppet.debug("Writing back \"#{apache2_opts}\" to #{conf_file}") - - records = filetype.read.split(/\n/) - - opts_index = records.find_index {|i| i.match(/^\s*APACHE2_OPTS/)} - records[opts_index] = apache2_opts - - filetype.backup - filetype.write(records.join("\n")) - @modules = mod_list - end - end -end diff --git a/lib/puppet/provider/a2mod/modfix.rb b/lib/puppet/provider/a2mod/modfix.rb deleted file mode 100644 index 8f35b2e4a1..0000000000 --- a/lib/puppet/provider/a2mod/modfix.rb +++ /dev/null @@ -1,12 +0,0 @@ -Puppet::Type.type(:a2mod).provide :modfix do - desc "Dummy provider for A2mod. - - Fake nil resources when there is no crontab binary available. Allows - puppetd to run on a bootstrapped machine before a Cron package has been - installed. Workaround for: http://projects.puppetlabs.com/issues/2384 - " - - def self.instances - [] - end -end \ No newline at end of file diff --git a/lib/puppet/provider/a2mod/redhat.rb b/lib/puppet/provider/a2mod/redhat.rb deleted file mode 100644 index ea5494cb48..0000000000 --- a/lib/puppet/provider/a2mod/redhat.rb +++ /dev/null @@ -1,60 +0,0 @@ -require 'puppet/provider/a2mod' - -Puppet::Type.type(:a2mod).provide(:redhat, :parent => Puppet::Provider::A2mod) do - desc "Manage Apache 2 modules on RedHat family OSs" - - commands :apachectl => "apachectl" - - confine :osfamily => :redhat - defaultfor :osfamily => :redhat - - require 'pathname' - - # modpath: Path to default apache modules directory /etc/httpd/mod.d - # modfile: Path to module load configuration file; Default: resides under modpath directory - # libfile: Path to actual apache module library. Added in modfile LoadModule - - attr_accessor :modfile, :libfile - class << self - attr_accessor :modpath - def preinit - @modpath = "/etc/httpd/mod.d" - end - end - - self.preinit - - def create - File.open(modfile,'w') do |f| - f.puts "LoadModule #{resource[:identifier]} #{libfile}" - end - end - - def destroy - File.delete(modfile) - end - - def self.instances - modules = apachectl("-M").lines.collect { |line| - m = line.match(/(\w+)_module \(shared\)$/) - m[1] if m - }.compact - - modules.map do |mod| - new( - :name => mod, - :ensure => :present, - :provider => :redhat - ) - end - end - - def modfile - modfile ||= "#{self.class.modpath}/#{resource[:name]}.load" - end - - # Set libfile path: If absolute path is passed, then maintain it. Else, make it default from 'modules' dir. - def libfile - libfile = Pathname.new(resource[:lib]).absolute? ? resource[:lib] : "modules/#{resource[:lib]}" - end -end diff --git a/lib/puppet/type/a2mod.rb b/lib/puppet/type/a2mod.rb deleted file mode 100644 index 07a911e5ee..0000000000 --- a/lib/puppet/type/a2mod.rb +++ /dev/null @@ -1,30 +0,0 @@ -Puppet::Type.newtype(:a2mod) do - @doc = "Manage Apache 2 modules" - - ensurable - - newparam(:name) do - Puppet.warning "The a2mod provider is deprecated, please use apache::mod instead" - desc "The name of the module to be managed" - - isnamevar - - end - - newparam(:lib) do - desc "The name of the .so library to be loaded" - - defaultto { "mod_#{@resource[:name]}.so" } - end - - newparam(:identifier) do - desc "Module identifier string used by LoadModule. Default: module-name_module" - - # http://httpd.apache.org/docs/2.2/mod/module-dict.html#ModuleIdentifier - - defaultto { "#{resource[:name]}_module" } - end - - autorequire(:package) { catalog.resource(:package, 'httpd')} - -end diff --git a/manifests/balancer.pp b/manifests/balancer.pp index 1e4130fa35..fdaf7b23cc 100644 --- a/manifests/balancer.pp +++ b/manifests/balancer.pp @@ -1,63 +1,87 @@ -# == Define Resource Type: apache::balancer +# @summary +# This type will create an apache balancer cluster file inside the conf.d +# directory. # -# This type will create an apache balancer cluster file inside the conf.d -# directory. Each balancer cluster needs one or more balancer members (that can +# Each balancer cluster needs one or more balancer members (that can # be declared with the apache::balancermember defined resource type). Using # storeconfigs, you can export the apache::balancermember resources on all # balancer members, and then collect them on a single apache load balancer # server. # -# === Requirement/Dependencies: +# @note +# Currently requires the puppetlabs/concat module on the Puppet Forge and uses +# storeconfigs on the Puppet Server to export/collect resources from all +# balancer members. # -# Currently requires the puppetlabs/concat module on the Puppet Forge and uses -# storeconfigs on the Puppet Master to export/collect resources from all -# balancer members. +# @param name +# The namevar of the defined resource type is the balancer clusters name.
+# This name is also used in the name of the conf.d file # -# === Parameters +# @param proxy_set +# Configures key-value pairs to be used as a ProxySet lines in the configuration. # -# [*name*] -# The namevar of the defined resource type is the balancer clusters name. -# This name is also used in the name of the conf.d file +# @param target +# The path to the file the balancer definition will be written in. # -# [*proxy_set*] -# Hash, default empty. If given, each key-value pair will be used as a ProxySet -# line in the configuration. +# @param collect_exported +# Determines whether to use exported resources.
+# If you statically declare all of your backend servers, set this parameter to false to rely +# on existing, declared balancer member resources. Also, use apache::balancermember with array +# arguments.
+# To dynamically declare backend servers via exported resources collected on a central node, +# set this parameter to true to collect the balancer member resources exported by the balancer +# member nodes.
+# If you don't use exported resources, a single Puppet run configures all balancer members. If +# you use exported resources, Puppet has to run on the balanced nodes first, then run on the +# balancer. # -# [*collect_exported*] -# Boolean, default 'true'. True means 'collect exported @@balancermember -# resources' (for the case when every balancermember node exports itself), -# false means 'rely on the existing declared balancermember resources' (for the -# case when you know the full set of balancermembers in advance and use -# apache::balancermember with array arguments, which allows you to deploy -# everything in 1 run) +# @param options +# Specifies an array of [options](https://httpd.apache.org/docs/current/mod/mod_proxy.html#balancermember) +# after the balancer URL, and accepts any key-value pairs available to `ProxyPass`. # -# -# === Examples -# -# Exporting the resource for a balancer member: -# -# apache::balancer { 'puppet00': } +# @example +# apache::balancer { 'puppet00': } # define apache::balancer ( - $proxy_set = {}, - $collect_exported = true, + Hash $proxy_set = {}, + Boolean $collect_exported = true, + Optional[String] $target = undef, + Array[Pattern[/=/]] $options = [], ) { - include concat::setup include apache::mod::proxy_balancer - $target = "${::apache::params::confd_dir}/balancer_${name}.conf" + $lbmethod = $proxy_set['lbmethod'] ? { + undef => 'byrequests', + default => $proxy_set['lbmethod'], + } + ensure_resource('apache::mod', "lbmethod_${lbmethod}", { + 'loadfile_name' => "proxy_balancer_lbmethod_${lbmethod}.load" + }) + + if $target { + $_target = $target + } else { + $_target = "${apache::confd_dir}/balancer_${name}.conf" + } + + if !empty($options) { + $_options = " ${join($options, ' ')}" + } else { + $_options = '' + } - concat { $target: - owner => '0', - group => '0', - mode => '0644', - notify => Service['httpd'], + concat { "apache_balancer_${name}": + owner => 0, + group => 0, + path => $_target, + mode => $apache::file_mode, + notify => Class['Apache::Service'], } concat::fragment { "00-${name}-header": - target => $target, + target => "apache_balancer_${name}", order => '01', - content => "\n", + content => "\n", } if $collect_exported { @@ -67,13 +91,13 @@ # concat fragments. We don't have to do anything about them. concat::fragment { "01-${name}-proxyset": - target => $target, + target => "apache_balancer_${name}", order => '19', - content => inline_template("<% proxy_set.each do |key, value| %> Proxyset <%= key %>=<%= value %>\n<% end %>"), + content => inline_template("<% @proxy_set.keys.sort.each do |key| %> Proxyset <%= key %>=<%= @proxy_set[key] %>\n<% end %>"), } concat::fragment { "01-${name}-footer": - target => $target, + target => "apache_balancer_${name}", order => '20', content => "\n", } diff --git a/manifests/balancermember.pp b/manifests/balancermember.pp index c48cb1ebbf..efafd3b53a 100644 --- a/manifests/balancermember.pp +++ b/manifests/balancermember.pp @@ -1,52 +1,50 @@ -# == Define Resource Type: apache::balancermember -# +# @summary +# Defines members of `mod_proxy_balancer` +# +# Sets up a balancer member inside a listening service configuration block in +# the load balancer's `apache.cfg`. +# # This type will setup a balancer member inside a listening service # configuration block in /etc/apache/apache.cfg on the load balancer. -# currently it only has the ability to specify the instance name, url and an +# Currently it only has the ability to specify the instance name, url and an # array of options. More features can be added as needed. The best way to # implement this is to export this resource for all apache balancer member # servers, and then collect them on the main apache load balancer. # -# === Requirement/Dependencies: -# -# Currently requires the puppetlabs/concat module on the Puppet Forge and -# uses storeconfigs on the Puppet Master to export/collect resources -# from all balancer members. -# -# === Parameters -# -# [*name*] -# The title of the resource is arbitrary and only utilized in the concat -# fragment name. -# -# [*balancer_cluster*] -# The apache service's instance name (or, the title of the apache::balancer -# resource). This must match up with a declared apache::balancer resource. -# -# [*url*] -# The url used to contact the balancer member server. -# -# [*options*] -# An array of options to be specified after the url. -# -# === Examples -# -# Exporting the resource for a balancer member: -# -# @@apache::balancermember { 'apache': -# balancer_cluster => 'puppet00', -# url => "ajp://${::fqdn}:8009" -# options => ['ping=5', 'disablereuse=on', 'retry=5', 'ttl=120'], -# } -# -define apache::balancermember( - $balancer_cluster, - $url = "http://${::fqdn}/", - $options = [], +# @note +# Currently requires the puppetlabs/concat module on the Puppet Forge and +# uses storeconfigs on the Puppet Server to export/collect resources +# from all balancer members. +# +# @param name +# The title of the resource is arbitrary and only utilized in the concat +# fragment name. +# +# @param balancer_cluster +# The apache service's instance name (or, the title of the apache::balancer +# resource). This must match up with a declared apache::balancer resource. +# +# @param url +# The url used to contact the balancer member server. +# +# @param options +# Specifies an array of [options](https://httpd.apache.org/docs/current/mod/mod_proxy.html#balancermember) +# after the URL, and accepts any key-value pairs available to `ProxyPass`. +# +# @example +# @@apache::balancermember { 'apache': +# balancer_cluster => 'puppet00', +# url => "ajp://${::fqdn}:8009" +# options => ['ping=5', 'disablereuse=on', 'retry=5', 'ttl=120'], +# } +# +define apache::balancermember ( + String $balancer_cluster, + Apache::ModProxyProtocol $url = "http://${$facts['networking']['fqdn']}/", + Array $options = [], ) { - - concat::fragment { "BalancerMember ${url}": - target => "${::apache::params::confd_dir}/balancer_${balancer_cluster}.conf", + concat::fragment { "BalancerMember ${name}": + target => "apache_balancer_${balancer_cluster}", content => inline_template(" BalancerMember ${url} <%= @options.join ' ' %>\n"), } } diff --git a/manifests/confd/no_accf.pp b/manifests/confd/no_accf.pp new file mode 100644 index 0000000000..d4436e3b53 --- /dev/null +++ b/manifests/confd/no_accf.pp @@ -0,0 +1,14 @@ +# @summary +# Manages the `no-accf.conf` file. +# +# @api private +class apache::confd::no_accf { + # Template uses no variables + file { 'no-accf.conf': + ensure => 'file', + path => "${apache::confd_dir}/no-accf.conf", + content => epp('apache/confd/no-accf.conf.epp'), + require => Exec["mkdir ${apache::confd_dir}"], + before => File[$apache::confd_dir], + } +} diff --git a/manifests/custom_config.pp b/manifests/custom_config.pp new file mode 100644 index 0000000000..b138a01a9b --- /dev/null +++ b/manifests/custom_config.pp @@ -0,0 +1,130 @@ +# @summary +# Adds a custom configuration file to the Apache server's `conf.d` directory. +# +# If the file is invalid and this defined type's `verify_config` parameter's value is +# `true`, Puppet throws an error during a Puppet run. +# +# @param ensure +# Specifies whether the configuration file should be present. +# +# @param confdir +# Sets the directory in which Puppet places configuration files. +# +# @param content +# Sets the configuration file's content. The `content` and `source` parameters are exclusive +# of each other. +# +# @param filename +# Sets the name of the file under `confdir` in which Puppet stores the configuration. +# +# @param priority +# Sets the configuration file's priority by prefixing its filename with this parameter's +# numeric value, as Apache processes configuration files in alphanumeric order.
+# To omit the priority prefix in the configuration file's name, set this parameter to `false`. +# +# @param source +# Points to the configuration file's source. The `content` and `source` parameters are +# exclusive of each other. +# +# @param verify_command +# Specifies the command Puppet uses to verify the configuration file. Use a fully qualified +# command.
+# This parameter is used only if the `verify_config` parameter's value is `true`. If the +# `verify_command` fails, the Puppet run deletes the configuration file and raises an error, +# but does not notify the Apache service. +# Command can be passed through as either a String, i.e. `'/usr/sbin/apache2ctl -t'` +# An array, i.e. `['/usr/sbin/apache2ctl', '-t']` +# Or an array of arrays with each one having to pass succesfully, i.e. `[['/usr/sbin/apache2ctl', '-t'], '/usr/sbin/apache2ctl -t']` +# +# @param verify_config +# Specifies whether to validate the configuration file before notifying the Apache service. +# +# @param owner +# File owner of configuration file +# +# @param group +# File group of configuration file +# +# @param file_mode +# File mode of configuration file +# +# @param show_diff +# show_diff property for configuration file resource +# +define apache::custom_config ( + Enum['absent', 'present'] $ensure = 'present', + Stdlib::Absolutepath $confdir = $apache::confd_dir, + Optional[Variant[Sensitive, String]] $content = undef, + Apache::Vhost::Priority $priority = 25, + Optional[String] $source = undef, + Variant[String, Array[String], Array[Array[String]]] $verify_command = $apache::params::verify_command, + Boolean $verify_config = true, + Optional[String] $filename = undef, + Optional[String] $owner = undef, + Optional[String] $group = undef, + Optional[Stdlib::Filemode] $file_mode = undef, + Boolean $show_diff = true, +) { + if $content and $source { + fail('Only one of $content and $source can be specified.') + } + + if $ensure == 'present' and ! $content and ! $source { + fail('One of $content and $source must be specified.') + } + + if $filename { + $_filename = $filename + } else { + if $priority { + $priority_prefix = "${priority}-" + } else { + $priority_prefix = '' + } + + ## Apache include does not always work with spaces in the filename + $filename_middle = regsubst($name, ' ', '_', 'G') + $_filename = "${priority_prefix}${filename_middle}.conf" + } + + if ! $verify_config or $ensure == 'absent' { + $notifies = Class['Apache::Service'] + } else { + $notifies = undef + } + + $_file_path = "${confdir}/${_filename}" + $_file_mode = pick($file_mode, $apache::file_mode) + + file { "apache_${name}": + ensure => $ensure, + path => $_file_path, + owner => $owner, + group => $group, + mode => $_file_mode, + content => $content, + source => $source, + show_diff => $show_diff, + require => Package['httpd'], + notify => $notifies, + } + + if $ensure == 'present' and $verify_config { + exec { "syntax verification for ${name}": + command => $verify_command, + subscribe => File["apache_${name}"], + refreshonly => true, + notify => Class['Apache::Service'], + before => Exec["remove ${name} if invalid"], + require => Anchor['::apache::modules_set_up'], + } + + $remove_command = ['/bin/rm', $_file_path] + exec { "remove ${name} if invalid": + command => $remove_command, + unless => [$verify_command], + subscribe => File["apache_${name}"], + refreshonly => true, + } + } +} diff --git a/manifests/default_confd_files.pp b/manifests/default_confd_files.pp new file mode 100644 index 0000000000..08808b35c4 --- /dev/null +++ b/manifests/default_confd_files.pp @@ -0,0 +1,19 @@ +# @summary +# Helper for setting up default conf.d files. +# +# @api private +class apache::default_confd_files ( + Boolean $all = true, +) { + # The rest of the conf.d/* files only get loaded if we want them + if $all { + case $facts['os']['family'] { + 'FreeBSD': { + include apache::confd::no_accf + } + default: { + # do nothing + } + } + } +} diff --git a/manifests/default_mods.pp b/manifests/default_mods.pp index fc0006a09d..50f04ba26e 100644 --- a/manifests/default_mods.pp +++ b/manifests/default_mods.pp @@ -1,47 +1,100 @@ +# @summary +# Installs and congfigures default mods for Apache +# +# @api private class apache::default_mods ( - $all = true, - $mods = undef, + Boolean $all = true, + Optional[Variant[Array[String[1]], String[1]]] $mods = undef, + Boolean $use_systemd = $apache::use_systemd, ) { # These are modules required to run the default configuration. # They are not configurable at this time, so we just include # them to make sure it works. - case $::osfamily { - 'redhat': { - apache::mod { 'log_config': } + case $facts['os']['family'] { + 'RedHat': { + ::apache::mod { 'log_config': } + if $use_systemd { + ::apache::mod { 'systemd': } + } + ::apache::mod { 'unixd': } + } + 'FreeBSD': { + ::apache::mod { 'log_config': } + ::apache::mod { 'unixd': } + } + 'Suse': { + ::apache::mod { 'log_config': } } default: {} } - apache::mod { 'authz_host': } - + case $facts['os']['family'] { + 'Gentoo': {} + default: { + ::apache::mod { 'authz_host': } + } + } # The rest of the modules only get loaded if we want all modules enabled if $all { - case $::osfamily { - 'debian': { + case $facts['os']['family'] { + 'Debian': { + include apache::mod::authn_core include apache::mod::reqtimeout } - 'redhat': { + 'RedHat': { + include apache::mod::actions + include apache::mod::authn_core include apache::mod::cache + include apache::mod::ext_filter include apache::mod::mime include apache::mod::mime_magic + include apache::mod::rewrite + include apache::mod::speling + include apache::mod::suexec + include apache::mod::version include apache::mod::vhost_alias - apache::mod { 'actions': } - apache::mod { 'auth_digest': } - apache::mod { 'authn_alias': } - apache::mod { 'authn_anon': } - apache::mod { 'authn_dbm': } - apache::mod { 'authn_default': } - apache::mod { 'authz_dbm': } - apache::mod { 'authz_owner': } - apache::mod { 'expires': } - apache::mod { 'ext_filter': } - apache::mod { 'include': } - apache::mod { 'logio': } - apache::mod { 'rewrite': } - apache::mod { 'speling': } - apache::mod { 'substitute': } - apache::mod { 'suexec': } - apache::mod { 'usertrack': } - apache::mod { 'version': } + ::apache::mod { 'auth_digest': } + ::apache::mod { 'authn_anon': } + ::apache::mod { 'authn_dbm': } + ::apache::mod { 'authz_dbm': } + ::apache::mod { 'authz_owner': } + ::apache::mod { 'expires': } + ::apache::mod { 'include': } + ::apache::mod { 'logio': } + ::apache::mod { 'substitute': } + ::apache::mod { 'usertrack': } + } + 'FreeBSD': { + include apache::mod::actions + include apache::mod::authn_core + include apache::mod::filter + include apache::mod::headers + include apache::mod::info + include apache::mod::mime_magic + include apache::mod::reqtimeout + include apache::mod::rewrite + include apache::mod::speling + include apache::mod::userdir + include apache::mod::version + include apache::mod::vhost_alias + + ::apache::mod { 'asis': } + ::apache::mod { 'auth_digest': } + ::apache::mod { 'auth_form': } + ::apache::mod { 'authn_anon': } + ::apache::mod { 'authn_dbm': } + ::apache::mod { 'authn_socache': } + ::apache::mod { 'authz_dbd': } + ::apache::mod { 'authz_dbm': } + ::apache::mod { 'authz_owner': } + ::apache::mod { 'dumpio': } + ::apache::mod { 'expires': } + ::apache::mod { 'file_cache': } + ::apache::mod { 'imagemap': } + ::apache::mod { 'include': } + ::apache::mod { 'logio': } + ::apache::mod { 'request': } + ::apache::mod { 'session': } + ::apache::mod { 'unique_id': } } default: {} } @@ -52,8 +105,12 @@ 'worker': { include apache::mod::cgid } + default: { + # do nothing + } } include apache::mod::alias + include apache::mod::authn_file include apache::mod::autoindex include apache::mod::dav include apache::mod::dav_fs @@ -62,13 +119,34 @@ include apache::mod::mime include apache::mod::negotiation include apache::mod::setenvif - apache::mod { 'auth_basic': } - apache::mod { 'authn_file': } - apache::mod { 'authz_default': } - apache::mod { 'authz_groupfile': } - apache::mod { 'authz_user': } - apache::mod { 'env': } + include apache::mod::auth_basic + include apache::mod::log_forensic + + # filter is needed by mod_deflate + include apache::mod::filter + + # authz_core is needed for 'Require' directive + include apache::mod::authz_core + + # lots of stuff seems to break without access_compat + ::apache::mod { 'access_compat': } + + include apache::mod::authz_user + include apache::mod::authz_groupfile + include apache::mod::env } elsif $mods { - apache::default_mods::load { $mods: } + ::apache::default_mods::load { $mods: } + + # authz_core is needed for 'Require' directive + include apache::mod::authz_core + + # filter is needed by mod_deflate + include apache::mod::filter + } else { + # authz_core is needed for 'Require' directive + include apache::mod::authz_core + + # filter is needed by mod_deflate + include apache::mod::filter } } diff --git a/manifests/default_mods/load.pp b/manifests/default_mods/load.pp index ae2f76e64c..2203f8279f 100644 --- a/manifests/default_mods/load.pp +++ b/manifests/default_mods/load.pp @@ -1,8 +1,11 @@ -# private define -define apache::default_mods::load ($module = $title) { +# @summary +# Helper used by `apache::default_mods` +# +# @api private +define apache::default_mods::load (String $module = $title) { if defined("apache::mod::${module}") { - include "apache::mod::${module}" + include "::apache::mod::${module}" } else { - apache::mod { $module: } + ::apache::mod { $module: } } } diff --git a/manifests/dev.pp b/manifests/dev.pp index ea86adae44..106541032a 100644 --- a/manifests/dev.pp +++ b/manifests/dev.pp @@ -1,8 +1,22 @@ +# @summary +# Installs Apache development libraries. +# +# The libraries installed depends on the `dev_packages` parameter of the `apache::params` +# class, based on your operating system: +# - **Debian** : `libaprutil1-dev`, `libapr1-dev`; `apache2-dev` +# - **FreeBSD**: `undef`; on FreeBSD, you must declare the `apache::package` or `apache` classes before declaring `apache::dev`. +# - **Gentoo**: `undef`. +# - **Red Hat**: `httpd-devel`. class apache::dev { - include apache::params - $packages = $apache::params::dev_packages - package { $packages: - ensure => present, - require => Package['httpd'], + if ! defined(Class['apache']) { + fail('You must include the apache base class before using any apache defined resources') + } + + $packages = $apache::dev_packages + if $packages { # FreeBSD doesn't have dev packages to install + package { $packages: + ensure => present, + require => Package['httpd'], + } } } diff --git a/manifests/fastcgi/server.pp b/manifests/fastcgi/server.pp new file mode 100644 index 0000000000..7f7900b328 --- /dev/null +++ b/manifests/fastcgi/server.pp @@ -0,0 +1,73 @@ +# @summary +# Defines one or more external FastCGI servers to handle specific file types. Use this +# defined type with `mod_fastcgi`. +# +# @param host +# Determines the FastCGI's hostname or IP address and TCP port number (1-65535). +# +# @param timeout +# Sets the number of seconds a [FastCGI](http://www.fastcgi.com/) application can be inactive before aborting the +# request and logging the event at the error LogLevel. The inactivity timer applies only as +# long as a connection is pending with the FastCGI application. If a request is queued to an +# application, but the application doesn't respond by writing and flushing within this period, +# the request is aborted. If communication is complete with the application but incomplete with +# the client (the response is buffered), the timeout does not apply. +# +# @param flush +# Forces `mod_fastcgi` to write to the client as data is received from the +# application. By default, `mod_fastcgi` buffers data in order to free the application +# as quickly as possible. +# +# @param faux_path +# Apache has FastCGI handle URIs that resolve to this filename. The path set in this +# parameter does not have to exist in the local filesystem. +# +# @param fcgi_alias +# Internally links actions with the FastCGI server. This alias must be unique. +# +# @param file_type +# Sets the MIME `content-type` of the file to be processed by the FastCGI server. +# +# @param pass_header +# Sets a header for the server +# +define apache::fastcgi::server ( + String $host = '127.0.0.1:9000', + Integer $timeout = 15, + Boolean $flush = false, + Stdlib::Absolutepath $faux_path = "/var/www/${name}.fcgi", + Stdlib::Unixpath $fcgi_alias = "/${name}.fcgi", + String $file_type = 'application/x-httpd-php', + Optional[String] $pass_header = undef, +) { + include apache::mod::fastcgi + + Apache::Mod['fastcgi'] -> Apache::Fastcgi::Server[$title] + + if $host =~ Stdlib::Absolutepath { + $socket = $host + } + + $parameters = { + 'timeout' => $timeout, + 'flush' => $flush, + 'socket' => $socket, + 'host' => $host, + 'pass_header' => $pass_header, + 'faux_path' => $faux_path, + 'fcgi_alias' => $fcgi_alias, + 'file_type' => $file_type, + } + + file { "fastcgi-pool-${name}.conf": + ensure => file, + path => "${apache::confd_dir}/fastcgi-pool-${name}.conf", + owner => 'root', + group => $apache::params::root_group, + mode => $apache::file_mode, + content => epp('apache/fastcgi/server.epp', $parameters), + require => Exec["mkdir ${apache::confd_dir}"], + before => File[$apache::confd_dir], + notify => Class['apache::service'], + } +} diff --git a/manifests/init.pp b/manifests/init.pp index 3d7f368bab..162cfdde9d 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -1,135 +1,654 @@ -# Class: apache +# @summary +# Guides the basic setup and installation of Apache on your system. # -# This class installs Apache +# When this class is declared with the default options, Puppet: +# - Installs the appropriate Apache software package and [required Apache modules](#default_mods) for your operating system. +# - Places the required configuration files in a directory, with the [default location](#conf_dir) determined by your operating system. +# - Configures the server with a default virtual host and standard port (`80`) and address (`\*`) bindings. +# - Creates a document root directory determined by your operating system, typically `/var/www`. +# - Starts the Apache service. # -# Parameters: +# @example +# class { 'apache': } # -# Actions: -# - Install Apache -# - Manage Apache service +# @param allow_encoded_slashes +# Sets the server default for the `AllowEncodedSlashes` declaration, which modifies the +# responses to URLs containing '\' and '/' characters. If not specified, this parameter omits +# the declaration from the server's configuration and uses Apache's default setting of 'off'. # -# Requires: +# @param conf_dir +# Sets the directory where the Apache server's main configuration file is located. # -# Sample Usage: +# @param conf_template +# Defines the template used for the main Apache configuration file. Modifying this +# parameter is potentially risky, as the apache module is designed to use a minimal +# configuration file customized by `conf.d` entries. # +# @param confd_dir +# Sets the location of the Apache server's custom configuration directory. +# +# @param default_charset +# Used as the `AddDefaultCharset` directive in the main configuration file. +# +# @param default_confd_files +# Determines whether Puppet generates a default set of includable Apache configuration files +# in the directory defined by the `confd_dir` parameter. These configuration files +# correspond to what is typically installed with the Apache package on the server's +# operating system. +# +# @param default_mods +# Determines whether to configure and enable a set of default Apache modules depending on +# your operating system.
+# If `false`, Puppet includes only the Apache modules required to make the HTTP daemon work +# on your operating system, and you can declare any other modules separately using the +# `apache::mod::` class or `apache::mod` defined type.
+# If `true`, Puppet installs additional modules, depending on the operating system and +# the value of the `mpm_module` parameter. Because these lists of +# modules can change frequently, consult the Puppet module's code for up-to-date lists.
+# If this parameter contains an array, Puppet instead enables all passed Apache modules. +# +# @param default_ssl_ca +# Sets the default certificate authority for the Apache server.
+# Although the default value results in a functioning Apache server, you **must** update +# this parameter with your certificate authority information before deploying this server in +# a production environment. +# +# @param default_ssl_cert +# Sets the SSL encryption certificate location.
+# Although the default value results in a functioning Apache server, you **must** update this +# parameter with your certificate location before deploying this server in a production environment. +# +# @param default_ssl_chain +# Sets the default SSL chain location.
+# Although this default value results in a functioning Apache server, you **must** update +# this parameter with your SSL chain before deploying this server in a production environment. +# +# @param default_ssl_crl +# Sets the path of the default certificate revocation list (CRL) file to use.
+# Although this default value results in a functioning Apache server, you **must** update +# this parameter with the CRL file path before deploying this server in a production +# environment. You can use this parameter with or in place of the `default_ssl_crl_path`. +# +# @param default_ssl_crl_path +# Sets the server's certificate revocation list path, which contains your CRLs.
+# Although this default value results in a functioning Apache server, you **must** update +# this parameter with the CRL file path before deploying this server in a production environment. +# +# @param default_ssl_crl_check +# Sets the default certificate revocation check level via the `SSLCARevocationCheck` directive. +# This parameter applies only to Apache 2.4 or higher and is ignored on older versions.
+# Although this default value results in a functioning Apache server, you **must** specify +# this parameter when using certificate revocation lists in a production environment. +# +# @param default_ssl_key +# Sets the SSL certificate key file location. +# Although the default values result in a functioning Apache server, you **must** update +# this parameter with your SSL key's location before deploying this server in a production +# environment. +# +# @param default_ssl_reload_on_change +# Enable reloading of apache if the content of ssl files have changed. +# +# @param default_ssl_vhost +# Configures a default SSL virtual host. +# If `true`, Puppet automatically configures the following virtual host using the +# `apache::vhost` defined type: +# ```puppet +# apache::vhost { 'default-ssl': +# port => 443, +# ssl => true, +# docroot => $docroot, +# scriptalias => $scriptalias, +# serveradmin => $serveradmin, +# access_log_file => "ssl_${access_log_file}", +# } +# ``` +# **Note**: SSL virtual hosts only respond to HTTPS queries. +# +# @param default_vhost +# Configures a default virtual host when the class is declared.
+# To configure customized virtual hosts, set this parameter's +# value to `false`.
+# > **Note**: Apache will not start without at least one virtual host. If you set this +# to `false` you must configure a virtual host elsewhere. +# +# @param dev_packages +# Configures a specific dev package to use.
+# For example, using httpd 2.4 from the IUS yum repo:
+# ``` puppet +# include ::apache::dev +# class { 'apache': +# apache_name => 'httpd24u', +# dev_packages => 'httpd24u-devel', +# } +# ``` +# +# @param docroot +# Sets the default `DocumentRoot` location. +# +# @param error_documents +# Determines whether to enable [custom error documents](https://httpd.apache.org/docs/current/custom-error.html) on the Apache server. +# +# @param group +# Sets the group ID that owns any Apache processes spawned to answer requests.
+# By default, Puppet attempts to manage this group as a resource under the `apache` +# class, determining the group based on the operating system as detected by the +# `apache::params` class. To prevent the group resource from being created and use a group +# created by another Puppet module, set the `manage_group` parameter's value to `false`.
+# > **Note**: Modifying this parameter only changes the group ID that Apache uses to spawn +# child processes to access resources. It does not change the user that owns the parent server +# process. +# +# @param httpd_dir +# Sets the Apache server's base configuration directory. This is useful for specially +# repackaged Apache server builds but might have unintended consequences when combined +# with the default distribution packages. +# +# @param http_protocol_options +# Specifies the strictness of HTTP protocol checks.
+# Valid options: any sequence of the following alternative values: `Strict` or `Unsafe`, +# `RegisteredMethods` or `LenientMethods`, and `Allow0.9` or `Require1.0`. +# +# @param keepalive +# Determines whether to enable persistent HTTP connections with the `KeepAlive` directive. +# If you set this to `On`, use the `keepalive_timeout` and `max_keepalive_requests` parameters +# to set relevant options.
+# +# @param keepalive_timeout +# Sets the `KeepAliveTimeout` directive, which determines the amount of time the Apache +# server waits for subsequent requests on a persistent HTTP connection. This parameter is +# only relevant if the `keepalive` parameter is enabled. +# +# @param max_keepalive_requests +# Limits the number of requests allowed per connection when the `keepalive` parameter is enabled. +# +# @param hostname_lookups +# This directive enables DNS lookups so that host names can be logged and passed to +# CGIs/SSIs in REMOTE_HOST.
+# > **Note**: If enabled, it impacts performance significantly. +# +# @param ldap_trusted_mode +# The following modes are supported: +# +# NONE - no encryption +# SSL - ldaps:// encryption on default port 636 +# TLS - STARTTLS encryption on default port 389 +# Not all LDAP toolkits support all the above modes. An error message will be logged at +# runtime if a mode is not supported, and the connection to the LDAP server will fail. +# +#If an ldaps:// URL is specified, the mode becomes SSL and the setting of LDAPTrustedMode is ignored. +# +# @param ldap_verify_server_cert +# Specifies whether to force the verification of a server certificate when establishing an SSL +# connection to the LDAP server. +# On|Off +# +# @param lib_path +# Specifies the location whereApache module files are stored.
+# > **Note**: Do not configure this parameter manually without special reason. +# +# @param log_level +# Configures the apache [LogLevel](https://httpd.apache.org/docs/current/mod/core.html#loglevel) directive +# which adjusts the verbosity of the messages recorded in the error logs. +# +# @param log_formats +# Define additional `LogFormat` directives. Values: A hash, such as: +# ``` puppet +# $log_formats = { vhost_common => '%v %h %l %u %t \"%r\" %>s %b' } +# ``` +# There are a number of predefined `LogFormats` in the `httpd.conf` that Puppet creates: +# ``` httpd +# LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined +# LogFormat "%h %l %u %t \"%r\" %>s %b" common +# LogFormat "%{Referer}i -> %U" referer +# LogFormat "%{User-agent}i" agent +# LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-agent}i\"" forwarded +# ``` +# If your `log_formats` parameter contains one of those, it will be overwritten with **your** definition. +# +# @param logroot +# Changes the directory of Apache log files for the virtual host. +# +# @param logroot_mode +# Overrides the default `logroot` directory's mode.
+# > **Note**: Do _not_ grant write access to the directory where the logs are stored +# without being aware of the consequences. See the [Apache documentation](https://httpd.apache.org/docs/current/logs.html#security) +# for details. +# +# @param manage_group +# When `false`, stops Puppet from creating the group resource.
+# If you have a group created from another Puppet module that you want to use to run Apache, +# set this to `false`. Without this parameter, attempting to use a previously established +# group results in a duplicate resource error. +# +# @param supplementary_groups +# A list of groups to which the user belongs. These groups are in addition to the primary group.
+# Notice: This option only has an effect when `manage_user` is set to true. +# +# @param manage_user +# When `false`, stops Puppet from creating the user resource.
+# This is for instances when you have a user, created from another Puppet module, you want +# to use to run Apache. Without this parameter, attempting to use a previously established +# user would result in a duplicate resource error. +# +# @param mod_dir +# Sets where Puppet places configuration files for your Apache modules. +# +# @param mod_libs +# Allows the user to override default module library names. +# ```puppet +# include apache::params +# class { 'apache': +# mod_libs => merge($::apache::params::mod_libs, { +# 'wsgi' => 'mod_wsgi_python3.so', +# }) +# } +# ``` +# +# @param mod_packages +# Allows the user to override default module package names. +# ```puppet +# include apache::params +# class { 'apache': +# mod_packages => merge($::apache::params::mod_packages, { +# 'auth_kerb' => 'httpd24-mod_auth_kerb', +# }) +# } +# ``` +# +# @param mpm_module +# Determines which [multi-processing module](https://httpd.apache.org/docs/current/mpm.html) (MPM) is loaded and configured for the +# HTTPD process. Valid values are: `event`, `itk`, `peruser`, `prefork`, `worker` or `false`.
+# You must set this to `false` to explicitly declare the following classes with custom parameters: +# - `apache::mod::event` +# - `apache::mod::itk` +# - `apache::mod::peruser` +# - `apache::mod::prefork` +# - `apache::mod::worker` +# +# @param package_ensure +# Controls the `package` resource's `ensure` attribute. Valid values are: `absent`, `installed` +# (or equivalent `present`), or a version string. +# +# @param pidfile +# Allows settting a custom location for the pid file. Useful if using a custom-built Apache rpm. +# +# @param ports_file +# Sets the path to the file containing Apache ports configuration. +# +# @param protocols +# Sets the [Protocols](https://httpd.apache.org/docs/current/en/mod/core.html#protocols) +# directive, which lists available protocols for the server. +# +# @param protocols_honor_order +# Sets the [ProtocolsHonorOrder](https://httpd.apache.org/docs/current/en/mod/core.html#protocolshonororder) +# directive which determines whether the order of Protocols sets precedence during negotiation. +# +# @param purge_configs +# Removes all other Apache configs and virtual hosts.
+# Setting this to `false` is a stopgap measure to allow the apache module to coexist with +# existing or unmanaged configurations. We recommend moving your configuration to resources +# within this module. For virtual host configurations, see `purge_vhost_dir`. +# +# @param purge_vhost_dir +# If the `vhost_dir` parameter's value differs from the `confd_dir` parameter's, this parameter +# determines whether Puppet removes any configurations inside `vhost_dir` that are _not_ managed +# by Puppet.
+# Setting `purge_vhost_dir` to `false` is a stopgap measure to allow the apache module to +# coexist with existing or otherwise unmanaged configurations within `vhost_dir`. +# +# @param sendfile +# Forces Apache to use the Linux kernel's `sendfile` support to serve static files, via the +# `EnableSendfile` directive. +# +# @param serveradmin +# Sets the Apache server administrator's contact information via Apache's `ServerAdmin` directive. +# +# @param servername +# Sets the Apache server name via Apache's `ServerName` directive. +# Setting to `false` will not set ServerName at all. +# +# @param server_root +# Sets the Apache server's root directory via Apache's `ServerRoot` directive. +# +# @param server_signature +# Configures a trailing footer line to display at the bottom of server-generated documents, +# such as error documents and output of certain Apache modules, via Apache's `ServerSignature` +# directive. Valid values are: `On` or `Off`. +# +# @param server_tokens +# Controls how much information Apache sends to the browser about itself and the operating +# system, via Apache's `ServerTokens` directive. +# +# @param service_enable +# Determines whether Puppet enables the Apache HTTPD service when the system is booted. +# +# @param service_ensure +# Determines whether Puppet should make sure the service is running. +# Valid values are: `true` (or `running`) or `false` (or `stopped`).
+# The `false` or `stopped` values set the 'httpd' service resource's `ensure` parameter +# to `false`, which is useful when you want to let the service be managed by another +# application, such as Pacemaker.
+# +# @param service_name +# Sets the name of the Apache service. +# +# @param service_manage +# Determines whether Puppet manages the HTTPD service's state. +# +# @param service_restart +# Determines whether Puppet should use a specific command to restart the HTTPD service. +# Values: a command to restart the Apache service. +# +# @param timeout +# Sets Apache's `TimeOut` directive, which defines the number of seconds Apache waits for +# certain events before failing a request. +# +# @param trace_enable +# Controls how Apache handles `TRACE` requests (per RFC 2616) via the `TraceEnable` directive. +# +# @param use_canonical_name +# Controls Apache's `UseCanonicalName` directive which controls how Apache handles +# self-referential URLs. If not specified, this parameter omits the declaration from the +# server's configuration and uses Apache's default setting of 'off'. +# +# @param use_systemd +# Controls whether the systemd module should be installed on Centos 7 servers, this is +# especially useful if using custom-built RPMs. +# +# @param file_mode +# Sets the desired permissions mode for config files. +# Valid values are: a string, with permissions mode in symbolic or numeric notation. +# +# @param root_directory_options +# Array of the desired options for the `/` directory in httpd.conf. +# +# @param root_directory_secured +# Sets the default access policy for the `/` directory in httpd.conf. A value of `false` +# allows access to all resources that are missing a more specific access policy. A value of +# `true` denies access to all resources by default. If `true`, more specific rules must be +# used to allow access to these resources (for example, in a directory block using the +# `directories` parameter). +# +# @param vhost_dir +# Changes your virtual host configuration files' location. +# +# @param vhost_include_pattern +# Defines the pattern for files included from the `vhost_dir`. +# If set to a value like `[^.#]\*.conf[^~]` to make sure that files accidentally created in +# this directory (such as files created by version control systems or editor backups) are +# *not* included in your server configuration.
+# Some operating systems use a value of `*.conf`. By default, this module creates configuration +# files ending in `.conf`. +# +# @param user +# Changes the user that Apache uses to answer requests. Apache's parent process continues +# to run as root, but child processes access resources as the user defined by this parameter. +# To prevent Puppet from managing the user, set the `manage_user` parameter to `false`. +# +# @param apache_name +# The name of the Apache package to install. If you are using a non-standard Apache package +# you might need to override the default setting.
+# For CentOS/RHEL Software Collections (SCL), you can also use `apache::version::scl_httpd_version`. +# +# @param error_log +# The name of the error log file for the main server instance. If the string starts with +# `/`, `|`, or `syslog`: the full path is set. Otherwise, the filename is prefixed with +# `$logroot`. +# +# @param scriptalias +# Directory to use for global script alias +# +# @param access_log_file +# The name of the access log file for the main server instance. +# +# @param limitreqfields +# The `limitreqfields` parameter sets the maximum number of request header fields in +# an HTTP request. This directive gives the server administrator greater control over +# abnormal client request behavior, which may be useful for avoiding some forms of +# denial-of-service attacks. The value should be increased if normal clients see an error +# response from the server that indicates too many fields were sent in the request. +# +# @param limitreqfieldsize +# The `limitreqfieldsize` parameter sets the maximum ammount of _bytes_ that will +# be allowed within a request header. +# +# @param limitreqline +# The 'limitreqline' parameter sets the limit on the allowed size of a client's HTTP request-line +# +# @param ip +# Specifies the ip address +# +# @param conf_enabled +# Whether the additional config files in `/etc/apache2/conf-enabled` should be managed. +# +# @param vhost_enable_dir +# Set's the vhost definitions which will be stored in sites-availible and if +# they will be symlinked to and from sites-enabled. +# +# @param manage_vhost_enable_dir +# Overides the vhost_enable_dir inherited parameters and allows it to be disabled +# +# @param mod_enable_dir +# Set's whether the mods-enabled directory should be managed. +# +# @param ssl_file +# This parameter allows you to set an ssl.conf file to be managed in order to implement +# an SSL Certificate. +# +# @param file_e_tag +# Sets the server default for the `FileETag` declaration, which modifies the response header +# field for static files. +# +# @param use_optional_includes +# Specifies whether Apache uses the `IncludeOptional` directive instead of `Include` for +# `additional_includes` in Apache 2.4 or newer. +# +# @param mime_types_additional +# Specifies any idditional Internet media (mime) types that you wish to be configured. +# class apache ( - $default_mods = true, - $default_vhost = true, - $default_ssl_vhost = false, - $default_ssl_cert = $apache::params::default_ssl_cert, - $default_ssl_key = $apache::params::default_ssl_key, - $default_ssl_chain = undef, - $default_ssl_ca = undef, - $default_ssl_crl_path = undef, - $default_ssl_crl = undef, - $service_enable = true, - $service_ensure = 'running', - $purge_configs = true, - $purge_vdir = false, - $serveradmin = 'root@localhost', - $sendfile = 'On', - $error_documents = false, - $timeout = '120', - $httpd_dir = $apache::params::httpd_dir, - $confd_dir = $apache::params::confd_dir, - $vhost_dir = $apache::params::vhost_dir, - $vhost_enable_dir = $apache::params::vhost_enable_dir, - $mod_dir = $apache::params::mod_dir, - $mod_enable_dir = $apache::params::mod_enable_dir, - $mpm_module = $apache::params::mpm_module, - $conf_template = $apache::params::conf_template, - $servername = $apache::params::servername, - $manage_user = true, - $manage_group = true, - $user = $apache::params::user, - $group = $apache::params::group, - $keepalive = $apache::params::keepalive, - $keepalive_timeout = $apache::params::keepalive_timeout, - $logroot = $apache::params::logroot, - $ports_file = $apache::params::ports_file, - $server_tokens = 'OS', - $server_signature = 'On', - $package_ensure = 'installed', + String $apache_name = $apache::params::apache_name, + String $service_name = $apache::params::service_name, + Variant[Array[String[1]], Boolean] $default_mods = true, + Boolean $default_vhost = true, + Optional[String] $default_charset = undef, + Boolean $default_confd_files = true, + Boolean $default_ssl_vhost = false, + Stdlib::Absolutepath $default_ssl_cert = $apache::params::default_ssl_cert, + Stdlib::Absolutepath $default_ssl_key = $apache::params::default_ssl_key, + Optional[Stdlib::Absolutepath] $default_ssl_chain = undef, + Optional[Stdlib::Absolutepath] $default_ssl_ca = undef, + Optional[Stdlib::Absolutepath] $default_ssl_crl_path = undef, + Optional[Stdlib::Absolutepath] $default_ssl_crl = undef, + Optional[String] $default_ssl_crl_check = undef, + Boolean $default_ssl_reload_on_change = false, + Optional[Variant[Array, String]] $dev_packages = $apache::params::dev_packages, + Optional[String] $ip = undef, + Boolean $service_enable = true, + Boolean $service_manage = true, + Variant[Stdlib::Ensure::Service, Boolean] $service_ensure = 'running', + Optional[String] $service_restart = undef, + Boolean $purge_configs = true, + Optional[Boolean] $purge_vhost_dir = undef, + Optional[String[1]] $serveradmin = undef, + Apache::OnOff $sendfile = 'On', + Optional[Apache::OnOff] $ldap_verify_server_cert = undef, + Optional[String] $ldap_trusted_mode = undef, + Boolean $error_documents = false, + Integer[0] $timeout = 60, + Stdlib::Absolutepath $httpd_dir = $apache::params::httpd_dir, + Stdlib::Absolutepath $server_root = $apache::params::server_root, + Stdlib::Absolutepath $conf_dir = $apache::params::conf_dir, + Stdlib::Absolutepath $confd_dir = $apache::params::confd_dir, + Variant[Apache::OnOff, Enum['Double', 'double']] $hostname_lookups = $apache::params::hostname_lookups, + Optional[Stdlib::Absolutepath] $conf_enabled = $apache::params::conf_enabled, + Stdlib::Absolutepath $vhost_dir = $apache::params::vhost_dir, + Optional[Stdlib::Absolutepath] $vhost_enable_dir = $apache::params::vhost_enable_dir, + Boolean $manage_vhost_enable_dir = true, + Hash $mod_libs = $apache::params::mod_libs, + Hash $mod_packages = $apache::params::mod_packages, + String $vhost_include_pattern = $apache::params::vhost_include_pattern, + Stdlib::Absolutepath $mod_dir = $apache::params::mod_dir, + Optional[Stdlib::Absolutepath] $mod_enable_dir = $apache::params::mod_enable_dir, + Variant[Boolean, Enum['event', 'itk', 'peruser', 'prefork', 'worker']] $mpm_module = $apache::params::mpm_module, + String $lib_path = $apache::params::lib_path, + String $conf_template = $apache::params::conf_template, + Optional[String] $servername = $apache::params::servername, + String $pidfile = $apache::params::pidfile, + Boolean $manage_user = true, + Boolean $manage_group = true, + String $user = $apache::params::user, + String $group = $apache::params::group, + Optional[String] $http_protocol_options = $apache::params::http_protocol_options, + Array $supplementary_groups = [], + Apache::OnOff $keepalive = $apache::params::keepalive, + Integer $keepalive_timeout = $apache::params::keepalive_timeout, + Integer $max_keepalive_requests = $apache::params::max_keepalive_requests, + Integer $limitreqfieldsize = 8190, + Integer $limitreqfields = 100, + Optional[Integer] $limitreqline = undef, + Stdlib::Absolutepath $logroot = $apache::params::logroot, + Optional[Stdlib::Filemode] $logroot_mode = $apache::params::logroot_mode, + Apache::LogLevel $log_level = $apache::params::log_level, + Hash $log_formats = {}, + Optional[String] $ssl_file = undef, + Stdlib::Absolutepath $ports_file = $apache::params::ports_file, + Stdlib::Absolutepath $docroot = $apache::params::docroot, + Apache::ServerTokens $server_tokens = 'Prod', + Variant[Apache::OnOff, String] $server_signature = 'On', + Variant[Apache::OnOff, Enum['extended']] $trace_enable = 'On', + Optional[Variant[Apache::OnOff, Enum['nodecode']]] $allow_encoded_slashes = undef, + Optional[String] $file_e_tag = undef, + Optional[Variant[Apache::OnOff, Enum['DNS', 'dns']]] $use_canonical_name = undef, + String $package_ensure = 'installed', + Boolean $use_optional_includes = $apache::params::use_optional_includes, + Boolean $use_systemd = $apache::params::use_systemd, + Hash $mime_types_additional = $apache::params::mime_types_additional, + Stdlib::Filemode $file_mode = $apache::params::file_mode, + Array $root_directory_options = $apache::params::root_directory_options, + Boolean $root_directory_secured = false, + String $error_log = $apache::params::error_log, + String $scriptalias = $apache::params::scriptalias, + String $access_log_file = $apache::params::access_log_file, + Array[Enum['h2', 'h2c', 'http/1.1']] $protocols = [], + Optional[Boolean] $protocols_honor_order = undef, ) inherits apache::params { - - package { 'httpd': - ensure => $package_ensure, - name => $apache::params::apache_name, - notify => Class['Apache::Service'], + if $facts['os']['family'] == 'RedHat' and $facts['os']['release']['major'] == '7' { + # On RedHat 7 the ssl.conf lives in /etc/httpd/conf.d (the confd_dir) + # when all other module configs live in /etc/httpd/conf.modules.d (the + # mod_dir). On all other platforms and versions, ssl.conf lives in the + # mod_dir. This should maintain the expected location of ssl.conf + $_ssl_file = $ssl_file ? { + undef => "${apache::confd_dir}/ssl.conf", + default => $ssl_file + } + } else { + $_ssl_file = $ssl_file ? { + undef => "${apache::mod_dir}/ssl.conf", + default => $ssl_file + } } - validate_bool($default_vhost) - # true/false is sufficient for both ensure and enable - validate_bool($service_enable) - if $mpm_module { - validate_re($mpm_module, '(prefork|worker|itk)') + # NOTE: on FreeBSD it's mpm module's responsibility to install httpd package. + # NOTE: the same strategy may be introduced for other OSes. For this, you + # should delete the 'if' block below and modify all MPM modules' manifests + # such that they include apache::package class (currently event.pp, itk.pp, + # peruser.pp, prefork.pp, worker.pp). + if $facts['os']['family'] != 'FreeBSD' { + package { 'httpd': + ensure => $package_ensure, + name => $apache_name, + notify => Class['Apache::Service'], + } } - validate_re($sendfile, [ '^[oO]n$' , '^[oO]ff$' ]) # declare the web server user and group # Note: requiring the package means the package ought to create them and not puppet - validate_bool($manage_user) if $manage_user { user { $user: ensure => present, gid => $group, + groups => $supplementary_groups, require => Package['httpd'], } } - validate_bool($manage_group) if $manage_group { group { $group: ensure => present, - require => Package['httpd'] + require => Package['httpd'], } } class { 'apache::service': - service_enable => $service_enable, - service_ensure => $service_ensure, + service_name => $service_name, + service_enable => $service_enable, + service_manage => $service_manage, + service_ensure => $service_ensure, + service_restart => $service_restart, } - # Deprecated backwards-compatibility - if $purge_vdir { - warning('Class[\'apache\'] parameter purge_vdir is deprecated in favor of purge_configs') - $purge_confd = $purge_vdir + # Set purge vhostd appropriately + if $purge_vhost_dir == undef { + $purge_vhostd = $purge_configs } else { - $purge_confd = $purge_configs + $purge_vhostd = $purge_vhost_dir } Exec { path => '/bin:/sbin:/usr/bin:/usr/sbin', } + $confd_command = ['mkdir', $confd_dir] exec { "mkdir ${confd_dir}": + command => $confd_command, creates => $confd_dir, require => Package['httpd'], } file { $confd_dir: ensure => directory, recurse => true, - purge => $purge_confd, + purge => $purge_configs, + force => $purge_configs, notify => Class['Apache::Service'], require => Package['httpd'], } + if $conf_enabled and ! defined(File[$conf_enabled]) { + file { $conf_enabled: + ensure => directory, + recurse => true, + purge => $purge_configs, + force => $purge_configs, + notify => Class['Apache::Service'], + require => Package['httpd'], + } + } + if ! defined(File[$mod_dir]) { + $mod_command = ['mkdir', $mod_dir] exec { "mkdir ${mod_dir}": + command => $mod_command, creates => $mod_dir, require => Package['httpd'], } + # Don't purge available modules if an enable dir is used + $purge_mod_dir = $purge_configs and !$mod_enable_dir file { $mod_dir: ensure => directory, recurse => true, - purge => $purge_configs, + purge => $purge_mod_dir, notify => Class['Apache::Service'], require => Package['httpd'], + before => Anchor['::apache::modules_set_up'], } } if $mod_enable_dir and ! defined(File[$mod_enable_dir]) { $mod_load_dir = $mod_enable_dir + $mod_enable_command = ['mkdir', $mod_enable_dir] exec { "mkdir ${mod_enable_dir}": + command => $mod_enable_command, creates => $mod_enable_dir, require => Package['httpd'], } @@ -145,29 +664,33 @@ } if ! defined(File[$vhost_dir]) { + $vhost_command = ['mkdir', $vhost_dir] exec { "mkdir ${vhost_dir}": + command => $vhost_command, creates => $vhost_dir, require => Package['httpd'], } file { $vhost_dir: ensure => directory, recurse => true, - purge => $purge_configs, + purge => $purge_vhostd, notify => Class['Apache::Service'], require => Package['httpd'], } } - if $vhost_enable_dir and ! defined(File[$vhost_enable_dir]) { + if $vhost_enable_dir and ! defined(File[$vhost_enable_dir]) and $manage_vhost_enable_dir { $vhost_load_dir = $vhost_enable_dir + $vhost_load_command = ['mkdir', $vhost_load_dir] exec { "mkdir ${vhost_load_dir}": + command => $vhost_load_command, creates => $vhost_load_dir, require => Package['httpd'], } file { $vhost_enable_dir: ensure => directory, recurse => true, - purge => $purge_configs, + purge => $purge_vhostd, notify => Class['Apache::Service'], require => Package['httpd'], } @@ -176,41 +699,48 @@ } concat { $ports_file: + ensure => present, owner => 'root', - group => 'root', - mode => '0644', + group => $apache::params::root_group, + mode => $apache::file_mode, notify => Class['Apache::Service'], require => Package['httpd'], } concat::fragment { 'Apache ports header': target => $ports_file, - content => template('apache/ports_header.erb') + content => epp('apache/ports_header.epp'), } - if $apache::params::conf_dir and $apache::params::conf_file { - case $::osfamily { - 'debian': { - $docroot = '/var/www' - $pidfile = '${APACHE_PID_FILE}' - $error_log = 'error.log' - $error_documents_path = '/usr/share/apache2/error' - $scriptalias = '/usr/lib/cgi-bin' - $access_log_file = 'access.log' - } - 'redhat': { - $docroot = '/var/www/html' - $pidfile = 'run/httpd.pid' - $error_log = 'error_log' - $error_documents_path = '/var/www/error' - $scriptalias = '/var/www/cgi-bin' - $access_log_file = 'access_log' + if $apache::conf_dir and $apache::params::conf_file { + if $facts['os']['family'] == 'Gentoo' { + $error_documents_path = '/usr/share/apache2/error' + if $default_mods =~ Array { + if defined('apache::mod::ssl') { + ::portage::makeconf { 'apache2_modules': + content => concat($default_mods, ['authz_core', 'socache_shmcb']), + } + } else { + ::portage::makeconf { 'apache2_modules': + content => concat($default_mods, 'authz_core'), + } + } } - default: { - fail("Unsupported osfamily ${::osfamily}") + + file { [ + '/etc/apache2/modules.d/.keep_www-servers_apache-2', + '/etc/apache2/vhosts.d/.keep_www-servers_apache-2', + ]: + ensure => absent, + require => Package['httpd'], } } + + $apxs_workaround = $facts['os']['family'] ? { + 'FreeBSD' => true, + default => false + } + # Template uses: - # - $httpd_dir # - $pidfile # - $user # - $group @@ -223,18 +753,72 @@ # - $vhost_dir # - $error_documents # - $error_documents_path + # - $apxs_workaround + # - $http_protocol_options # - $keepalive # - $keepalive_timeout - file { "${apache::params::conf_dir}/${apache::params::conf_file}": + # - $max_keepalive_requests + # - $server_root + # - $server_tokens + # - $server_signature + # - $trace_enable + # - $root_directory_secured + $parameters = { + 'server_tokens' => $server_tokens, + 'server_signature' => $server_signature, + 'trace_enable' => $trace_enable, + 'servername' => $servername, + 'server_root' => $server_root, + 'serveradmin' => $serveradmin, + 'pidfile' => $pidfile, + 'timeout' => $timeout, + 'keepalive' => $keepalive, + 'max_keepalive_requests' => $max_keepalive_requests, + 'keepalive_timeout' => $keepalive_timeout, + 'limitreqfieldsize' => $limitreqfieldsize, + 'limitreqfields' => $limitreqfields, + 'limitreqline' => $limitreqline, + 'http_protocol_options' => $http_protocol_options, + 'protocols' => $protocols, + 'protocols_honor_order' => $protocols_honor_order, + 'user' => $user, + 'group' => $group, + 'root_directory_options' => $root_directory_options, + 'root_directory_secured' => $root_directory_secured, + 'default_charset' => $default_charset, + 'hostname_lookups' => $hostname_lookups, + 'error_log' => $error_log, + 'logroot' => $logroot, + 'log_level' => $log_level, + 'sendfile' => $sendfile, + 'allow_encoded_slashes' => $allow_encoded_slashes, + 'file_e_tag' => $file_e_tag, + 'use_canonical_name' => $use_canonical_name, + 'apxs_workaround' => $apxs_workaround, + 'mod_load_dir' => $mod_load_dir, + 'confd_dir' => $confd_dir, + 'vhost_load_dir' => $vhost_load_dir, + 'vhost_include_pattern' => $vhost_include_pattern, + 'ports_file' => $ports_file, + 'log_formats' => $log_formats, + 'conf_enabled' => $conf_enabled, + 'ldap_verify_server_cert' => $ldap_verify_server_cert, + 'ldap_trusted_mode' => $ldap_trusted_mode, + 'error_documents' => $error_documents, + 'error_documents_path' => $error_documents_path, + } + + file { "${apache::conf_dir}/${apache::params::conf_file}": ensure => file, - content => template($conf_template), + mode => $apache::file_mode, + content => epp($conf_template, $parameters), notify => Class['Apache::Service'], - require => Package['httpd'], + require => [Package['httpd'], Concat[$ports_file]], } # preserve back-wards compatibility to the times when default_mods was # only a boolean value. Now it can be an array (too) - if is_array($default_mods) { + if $default_mods =~ Array { class { 'apache::default_mods': all => false, mods => $default_mods, @@ -244,29 +828,62 @@ all => $default_mods, } } - if $mpm_module { - class { "apache::mod::${mpm_module}": } + class { 'apache::default_confd_files': + all => $default_confd_files, } - if $default_vhost { - apache::vhost { 'default': - port => 80, - docroot => $docroot, - scriptalias => $scriptalias, - serveradmin => $serveradmin, - access_log_file => $access_log_file, - priority => '15', - } + if $mpm_module and $mpm_module != 'false' { # lint:ignore:quoted_booleans + include "::apache::mod::${mpm_module}" } - if $default_ssl_vhost { - apache::vhost { 'default-ssl': - port => 443, - ssl => true, - docroot => $docroot, - scriptalias => $scriptalias, - serveradmin => $serveradmin, - access_log_file => "ssl_${access_log_file}", - priority => '15', - } + + if 'h2' in $protocols or 'h2c' in $protocols { + include apache::mod::http2 + } + + $default_vhost_ensure = $default_vhost ? { + true => 'present', + false => 'absent' + } + $default_ssl_vhost_ensure = $default_ssl_vhost ? { + true => 'present', + false => 'absent' + } + + ::apache::vhost { 'default': + ensure => $default_vhost_ensure, + port => 80, + docroot => $docroot, + scriptalias => $scriptalias, + serveradmin => $serveradmin, + access_log_file => $access_log_file, + priority => 15, + ip => $ip, + logroot_mode => $logroot_mode, + manage_docroot => $default_vhost, + use_servername_for_filenames => true, + use_port_for_filenames => true, + } + $ssl_access_log_file = $facts['os']['family'] ? { + 'FreeBSD' => $access_log_file, + default => "ssl_${access_log_file}", + } + ::apache::vhost { 'default-ssl': + ensure => $default_ssl_vhost_ensure, + port => 443, + ssl => true, + docroot => $docroot, + scriptalias => $scriptalias, + serveradmin => $serveradmin, + access_log_file => $ssl_access_log_file, + priority => 15, + ip => $ip, + logroot_mode => $logroot_mode, + manage_docroot => $default_ssl_vhost, + use_servername_for_filenames => true, + use_port_for_filenames => true, } } + + # This anchor can be used as a reference point for things that need to happen *after* + # all modules have been put in place. + anchor { '::apache::modules_set_up': } } diff --git a/manifests/listen.pp b/manifests/listen.pp index 57982ba269..ad9844a09d 100644 --- a/manifests/listen.pp +++ b/manifests/listen.pp @@ -1,10 +1,15 @@ +# @summary +# Adds `Listen` directives to `ports.conf` that define the +# Apache server's or a virtual host's listening address and port. +# +# The `apache::vhost` class uses this defined type, and titles take the form +# ``, `:`, or `:`. define apache::listen { $listen_addr_port = $name - include apache::params # Template uses: $listen_addr_port concat::fragment { "Listen ${listen_addr_port}": - target => $apache::params::ports_file, - content => template('apache/listen.erb'), + target => $apache::ports_file, + content => epp('apache/listen.epp', { 'listen_addr_port' => $listen_addr_port }), } } diff --git a/manifests/mod.pp b/manifests/mod.pp index f8f564dc9c..2a38ee2fdb 100644 --- a/manifests/mod.pp +++ b/manifests/mod.pp @@ -1,7 +1,46 @@ +# @summary +# Installs packages for an Apache module that doesn't have a corresponding +# `apache::mod::` class. +# +# Checks for or places the module's default configuration files in the Apache server's +# `module` and `enable` directories. The default locations depend on your operating system. +# +# @param package +# **Required**.
+# Names the package Puppet uses to install the Apache module. +# +# @param package_ensure +# Determines whether Puppet ensures the Apache module should be installed. +# +# @param lib +# Defines the module's shared object name. Do not configure manually without special reason. +# +# @param lib_path +# Specifies a path to the module's libraries. Do not manually set this parameter +# without special reason. The `path` parameter overrides this value. +# +# @param loadfile_name +# Sets the filename for the module's `LoadFile` directive, which can also set +# the module load order as Apache processes them in alphanumeric order. +# +# @param id +# Specifies the package id +# +# @param loadfiles +# Specifies an array of `LoadFile` directives. +# +# @param path +# Specifies a path to the module. Do not manually set this parameter without a special reason. +# define apache::mod ( - $package = undef, - $package_ensure = 'present', - $lib = undef + Optional[String] $package = undef, + String $package_ensure = 'present', + Optional[String] $lib = undef, + String $lib_path = $apache::lib_path, + Optional[String] $id = undef, + Optional[String] $path = undef, + Optional[String] $loadfile_name = undef, + Optional[Array] $loadfiles = undef, ) { if ! defined(Class['apache']) { fail('You must include the apache base class before using any apache defined resources') @@ -9,86 +48,164 @@ $mod = $name #include apache #This creates duplicate resources in rspec-puppet - $lib_path = $apache::params::lib_path $mod_dir = $apache::mod_dir # Determine if we have special lib - $mod_libs = $apache::params::mod_libs - $mod_lib = $mod_libs[$mod] # 2.6 compatibility hack + $mod_libs = $apache::mod_libs if $lib { - $lib_REAL = $lib - } elsif "${mod_lib}" { - $lib_REAL = $mod_lib + $_lib = $lib + } elsif $mod in $mod_libs { # 2.6 compatibility hack + $_lib = $mod_libs[$mod] } else { - $lib_REAL = "mod_${mod}.so" + $_lib = "mod_${mod}.so" + } + + # Determine if declaration specified a path to the module + if $path { + $_path = $path + } else { + $_path = "${lib_path}/${_lib}" + } + + if $id { + $_id = $id + } else { + $_id = "${mod}_module" + } + + if $loadfile_name { + $_loadfile_name = $loadfile_name + } else { + $_loadfile_name = "${mod}.load" } # Determine if we have a package - $mod_packages = $apache::params::mod_packages - $mod_package = $mod_packages[$mod] # 2.6 compatibility hack + $mod_packages = $apache::mod_packages if $package { - $package_REAL = $package - } elsif "${mod_package}" { - $package_REAL = $mod_package + $_package = $package + } elsif $mod in $mod_packages { # 2.6 compatibility hack + $_package = $mod_packages[$mod] + } else { + $_package = undef } - if $package_REAL { - # $package_REAL may be an array - package { $package_REAL: + if $_package and ! defined(Package[$_package]) { + # note: FreeBSD/ports uses apxs tool to activate modules; apxs clutters + # httpd.conf with 'LoadModule' directives; here, by proper resource + # ordering, we ensure that our version of httpd.conf is reverted after + # the module gets installed. + $package_before = $facts['os']['family'] ? { + 'FreeBSD' => [ + File[$_loadfile_name], + File["${apache::conf_dir}/${apache::params::conf_file}"] + ], + default => [ + File[$_loadfile_name], + File[$apache::confd_dir], + ], + } + # if there are any packages, they should be installed before the associated conf file + Package[$_package] -> File<| title == "${mod}.conf" |> + # $_package may be an array + package { $_package: ensure => $package_ensure, require => Package['httpd'], - before => File["${mod_dir}/${mod}.load"], + before => $package_before, + notify => Class['apache::service'], } } - file { "${mod}.load": + $parameters = { + 'loadfiles' => $loadfiles, + '_id' => $_id, + '_path' => $_path, + } + + file { $_loadfile_name: ensure => file, - path => "${mod_dir}/${mod}.load", + path => "${mod_dir}/${_loadfile_name}", owner => 'root', - group => 'root', - mode => '0644', - content => "LoadModule ${mod}_module ${lib_path}/${lib_REAL}\n", + group => $apache::params::root_group, + mode => $apache::file_mode, + content => epp('apache/mod/load.epp', $parameters), require => [ Package['httpd'], Exec["mkdir ${mod_dir}"], ], before => File[$mod_dir], - notify => Service['httpd'], + notify => Class['apache::service'], } - if $::osfamily == 'Debian' { + if $facts['os']['family'] == 'Debian' { $enable_dir = $apache::mod_enable_dir - file{ "${mod}.load symlink": + file { "${_loadfile_name} symlink": ensure => link, - path => "${enable_dir}/${mod}.load", - target => "${mod_dir}/${mod}.load", + path => "${enable_dir}/${_loadfile_name}", + target => "${mod_dir}/${_loadfile_name}", owner => 'root', - group => 'root', - mode => '0644', + group => $apache::params::root_group, + mode => $apache::file_mode, require => [ - File["${mod}.load"], + File[$_loadfile_name], Exec["mkdir ${enable_dir}"], ], before => File[$enable_dir], - notify => Service['httpd'], + notify => Class['apache::service'], } # Each module may have a .conf file as well, which should be # defined in the class apache::mod::module # Some modules do not require this file. if defined(File["${mod}.conf"]) { - file{ "${mod}.conf symlink": + file { "${mod}.conf symlink": ensure => link, path => "${enable_dir}/${mod}.conf", target => "${mod_dir}/${mod}.conf", owner => 'root', - group => 'root', - mode => '0644', + group => $apache::params::root_group, + mode => $apache::file_mode, require => [ File["${mod}.conf"], Exec["mkdir ${enable_dir}"], ], before => File[$enable_dir], - notify => Service['httpd'], + notify => Class['apache::service'], + } + } + } elsif $facts['os']['family'] == 'Suse' { + $enable_dir = $apache::mod_enable_dir + file { "${_loadfile_name} symlink": + ensure => link, + path => "${enable_dir}/${_loadfile_name}", + target => "${mod_dir}/${_loadfile_name}", + owner => 'root', + group => $apache::params::root_group, + mode => $apache::file_mode, + require => [ + File[$_loadfile_name], + Exec["mkdir ${enable_dir}"], + ], + before => File[$enable_dir], + notify => Class['apache::service'], + } + # Each module may have a .conf file as well, which should be + # defined in the class apache::mod::module + # Some modules do not require this file. + if defined(File["${mod}.conf"]) { + file { "${mod}.conf symlink": + ensure => link, + path => "${enable_dir}/${mod}.conf", + target => "${mod_dir}/${mod}.conf", + owner => 'root', + group => $apache::params::root_group, + mode => $apache::file_mode, + require => [ + File["${mod}.conf"], + Exec["mkdir ${enable_dir}"], + ], + before => File[$enable_dir], + notify => Class['apache::service'], } } } + + Apache::Mod[$name] -> Anchor['::apache::modules_set_up'] } diff --git a/manifests/mod/actions.pp b/manifests/mod/actions.pp new file mode 100644 index 0000000000..c9b7d15d69 --- /dev/null +++ b/manifests/mod/actions.pp @@ -0,0 +1,8 @@ +# @summary +# Installs Apache mod_actions +# +# @see https://httpd.apache.org/docs/current/mod/mod_actions.html for additional documentation. +# +class apache::mod::actions { + apache::mod { 'actions': } +} diff --git a/manifests/mod/alias.pp b/manifests/mod/alias.pp index 2af73725b0..d3bc167dac 100644 --- a/manifests/mod/alias.pp +++ b/manifests/mod/alias.pp @@ -1,16 +1,48 @@ -class apache::mod::alias { - $icons_path = $::osfamily ? { - 'debian' => '/usr/share/apache2/icons', - 'redhat' => '/var/www/icons', - } +# @summary +# Installs and configures `mod_alias`. +# +# @param icons_options +# Disables directory listings for the icons directory, via Apache [Options](https://httpd.apache.org/docs/current/mod/core.html#options) +# directive. +# +# @param icons_path +# Sets the local path for an /icons/ Alias. Default depends on operating system: +# - Debian: /usr/share/apache2/icons +# - FreeBSD: /usr/local/www/apache24/icons +# - Gentoo: /var/www/icons +# - Red Hat: /var/www/icons, except on Apache 2.4, where it's /usr/share/httpd/icons +# Set to 'false' to disable the alias +# +# @param icons_prefix +# Change the alias for /icons/. +# +# @see https://httpd.apache.org/docs/current/mod/mod_alias.html for additional documentation. +# +class apache::mod::alias ( + String $icons_options = 'Indexes MultiViews', + # set icons_path to false to disable the alias + Variant[Boolean, Stdlib::Absolutepath] $icons_path = $apache::params::alias_icons_path, + String $icons_prefix = $apache::params::icons_prefix +) inherits apache::params { + include apache apache::mod { 'alias': } + # Template uses $icons_path - file { 'alias.conf': - ensure => file, - path => "${apache::mod_dir}/alias.conf", - content => template('apache/mod/alias.conf.erb'), - require => Exec["mkdir ${apache::mod_dir}"], - before => File[$apache::mod_dir], - notify => Service['httpd'], + $parameters = { + 'icons_prefix' => $icons_prefix, + 'icons_path' => $icons_path, + 'icons_options' => $icons_options, + } + + if $icons_path { + file { 'alias.conf': + ensure => file, + path => "${apache::mod_dir}/alias.conf", + mode => $apache::file_mode, + content => epp('apache/mod/alias.conf.epp', $parameters), + require => Exec["mkdir ${apache::mod_dir}"], + before => File[$apache::mod_dir], + notify => Class['apache::service'], + } } } diff --git a/manifests/mod/apreq2.pp b/manifests/mod/apreq2.pp new file mode 100644 index 0000000000..15575e7034 --- /dev/null +++ b/manifests/mod/apreq2.pp @@ -0,0 +1,11 @@ +# @summary +# Installs `mod_apreq2`. +# +# @see http://httpd.apache.org/apreq/docs/libapreq2/group__mod__apreq2.html for additional documentation. +# +# @note Unsupported platforms: CentOS: all; OracleLinux: all; RedHat: all; Scientific: all; SLES: all; Ubuntu: all +class apache::mod::apreq2 { + ::apache::mod { 'apreq2': + id => 'apreq_module', + } +} diff --git a/manifests/mod/auth_basic.pp b/manifests/mod/auth_basic.pp index 8c613eef7e..d247929394 100644 --- a/manifests/mod/auth_basic.pp +++ b/manifests/mod/auth_basic.pp @@ -1,3 +1,9 @@ +# @summary +# Installs `mod_auth_basic` +# +# @see https://httpd.apache.org/docs/current/mod/mod_auth_basic.html for additional documentation. +# class apache::mod::auth_basic { - apache::mod { 'auth_basic': } + include apache::mod::authn_core + ::apache::mod { 'auth_basic': } } diff --git a/manifests/mod/auth_cas.pp b/manifests/mod/auth_cas.pp new file mode 100644 index 0000000000..656b9dd579 --- /dev/null +++ b/manifests/mod/auth_cas.pp @@ -0,0 +1,165 @@ +# @summary +# Installs and configures `mod_auth_cas`. +# +# @param cas_login_url +# Sets the URL to which the module redirects users when they attempt to access a +# CAS-protected resource and don't have an active session. +# +# @param cas_validate_url +# Sets the URL to use when validating a client-presented ticket in an HTTP query string. +# +# @param cas_cookie_path +# Sets the location where information on the current session should be stored. This should +# be writable by the web server only. +# +# @param cas_cookie_path_mode +# The mode of cas_cookie_path. +# +# @param cas_version +# The version of the CAS protocol to adhere to. +# +# @param cas_debug +# Whether to enable or disable debug mode. +# +# @param cas_validate_server +# Whether to validate the presented certificate. This has been deprecated and +# removed from Version 1.1-RC1 onward. +# +# @param cas_validate_depth +# The maximum depth for chained certificate validation. +# +# @param cas_certificate_path +# The path leading to the certificate +# +# @param cas_proxy_validate_url +# The URL to use when performing a proxy validation. +# +# @param cas_root_proxied_as +# Sets the URL end users see when access to this Apache server is proxied per vhost. +# This URL should not include a trailing slash. +# +# @param cas_cookie_entropy +# When creating a local session, this many random bytes are used to create a unique +# session identifier. +# +# @param cas_timeout +# The hard limit, in seconds, for a mod_auth_cas session. +# +# @param cas_idle_timeout +# The limit, in seconds, of how long a mod_auth_cas session can be idle. +# +# @param cas_cache_clean_interval +# The minimum amount of time that must pass inbetween cache cleanings. +# +# @param cas_cookie_domain +# The value for the 'Domain=' parameter in the Set-Cookie header. +# +# @param cas_cookie_http_only +# Setting this flag prevents the mod_auth_cas cookies from being accessed by +# client side Javascript. +# +# @param cas_authoritative +# Determines whether an optional authorization directive is authoritative and thus binding. +# +# @param cas_validate_saml +# Parse response from CAS server for SAML. +# +# @param cas_sso_enabled +# Enables experimental support for single sign out (may mangle POST data). +# +# @param cas_attribute_prefix +# Adds a header with the value of this header being the attribute values when SAML +# validation is enabled. +# +# @param cas_attribute_delimiter +# Sets the delimiter between attribute values in the header created by `cas_attribute_prefix`. +# +# @param cas_scrub_request_headers +# Remove inbound request headers that may have special meaning within mod_auth_cas. +# +# @param suppress_warning +# Suppress warning about being on RedHat (mod_auth_cas package is now available in epel-testing repo). +# +# @note The auth_cas module isn't available on RH/CentOS without providing dependency packages provided by EPEL. +# +# @see https://github.com/apereo/mod_auth_cas for additional documentation. +# +class apache::mod::auth_cas ( + String $cas_login_url, + String $cas_validate_url, + String $cas_cookie_path = $apache::params::cas_cookie_path, + Stdlib::Filemode $cas_cookie_path_mode = '0750', + Integer $cas_version = 2, + String $cas_debug = 'Off', + Optional[String] $cas_validate_server = undef, + Optional[String] $cas_validate_depth = undef, + Optional[String] $cas_certificate_path = undef, + Optional[String] $cas_proxy_validate_url = undef, + Optional[String] $cas_root_proxied_as = undef, + Optional[String] $cas_cookie_entropy = undef, + Optional[Integer[0]] $cas_timeout = undef, + Optional[Integer[0]] $cas_idle_timeout = undef, + Optional[String] $cas_cache_clean_interval = undef, + Optional[String] $cas_cookie_domain = undef, + Optional[String] $cas_cookie_http_only = undef, + Optional[String] $cas_authoritative = undef, + Optional[String] $cas_validate_saml = undef, + Optional[String] $cas_sso_enabled = undef, + Optional[String] $cas_attribute_prefix = undef, + Optional[String] $cas_attribute_delimiter = undef, + Optional[String] $cas_scrub_request_headers = undef, + Boolean $suppress_warning = false, +) inherits apache::params { + if $facts['os']['family'] == 'RedHat' and ! $suppress_warning { + warning('RedHat distributions do not have Apache mod_auth_cas in their default package repositories.') + } + + include apache + include apache::mod::authn_core + ::apache::mod { 'auth_cas': } + + file { $cas_cookie_path: + ensure => directory, + before => File['auth_cas.conf'], + mode => $cas_cookie_path_mode, + owner => $apache::user, + group => $apache::group, + } + + $parameters = { + 'cas_cookie_path' => $cas_cookie_path, + 'cas_login_url' => $cas_login_url, + 'cas_validate_url' => $cas_validate_url, + 'cas_version' => $cas_version, + 'cas_debug' => $cas_debug, + 'cas_certificate_path' => $cas_certificate_path, + 'cas_proxy_validate_url' => $cas_proxy_validate_url, + 'cas_validate_server' => $cas_validate_server, + 'cas_validate_depth' => $cas_validate_depth, + 'cas_root_proxied_as' => $cas_root_proxied_as, + 'cas_cookie_entropy' => $cas_cookie_entropy, + 'cas_timeout' => $cas_timeout, + 'cas_idle_timeout' => $cas_idle_timeout, + 'cas_cache_clean_interval' => $cas_cache_clean_interval, + 'cas_cookie_domain' => $cas_cookie_domain, + 'cas_cookie_http_only' => $cas_cookie_http_only, + 'cas_authoritative' => $cas_authoritative, + 'cas_sso_enabled' => $cas_sso_enabled, + 'cas_validate_saml' => $cas_validate_saml, + 'cas_attribute_prefix' => $cas_attribute_prefix, + 'cas_attribute_delimiter' => $cas_attribute_delimiter, + 'cas_scrub_request_headers' => $cas_scrub_request_headers, + } + + # Template uses + # - All variables beginning with cas_ + file { 'auth_cas.conf': + ensure => file, + path => "${apache::mod_dir}/auth_cas.conf", + mode => $apache::file_mode, + content => epp('apache/mod/auth_cas.conf.epp', $parameters), + require => [Exec["mkdir ${apache::mod_dir}"],], + before => File[$apache::mod_dir], + notify => Class['Apache::Service'], + } +} diff --git a/manifests/mod/auth_gssapi.pp b/manifests/mod/auth_gssapi.pp new file mode 100644 index 0000000000..226e6061c1 --- /dev/null +++ b/manifests/mod/auth_gssapi.pp @@ -0,0 +1,10 @@ +# @summary +# Installs `mod_auth_gsappi`. +# +# @see https://github.com/modauthgssapi/mod_auth_gssapi for additional documentation. +# +class apache::mod::auth_gssapi { + include apache + include apache::mod::authn_core + apache::mod { 'auth_gssapi': } +} diff --git a/manifests/mod/auth_kerb.pp b/manifests/mod/auth_kerb.pp index 76c2de5b7b..093c26d227 100644 --- a/manifests/mod/auth_kerb.pp +++ b/manifests/mod/auth_kerb.pp @@ -1,5 +1,9 @@ +# @summary +# Installs `mod_auth_kerb` +# +# @see http://modauthkerb.sourceforge.net for additional documentation. class apache::mod::auth_kerb { - apache::mod { 'auth_kerb': } + include apache + include apache::mod::authn_core + ::apache::mod { 'auth_kerb': } } - - diff --git a/manifests/mod/auth_mellon.pp b/manifests/mod/auth_mellon.pp new file mode 100644 index 0000000000..5dcb76154b --- /dev/null +++ b/manifests/mod/auth_mellon.pp @@ -0,0 +1,61 @@ +# @summary +# Installs and configures `mod_auth_mellon`. +# +# @param mellon_cache_size +# Maximum number of sessions which can be active at once. +# +# @param mellon_lock_file +# Full path to a file used for synchronizing access to the session data. +# +# @param mellon_post_directory +# Full path of a directory where POST requests are saved during authentication. +# +# @param mellon_cache_entry_size +# Maximum size for a single session entry in bytes. +# +# @param mellon_post_ttl +# Delay in seconds before a saved POST request can be flushed. +# +# @param mellon_post_size +# Maximum size for saved POST requests. +# +# @param mellon_post_count +# Maximum amount of saved POST requests. +# +# @see https://github.com/Uninett/mod_auth_mellon for additional documentation. +# +class apache::mod::auth_mellon ( + Optional[Integer] $mellon_cache_size = $apache::params::mellon_cache_size, + Optional[Stdlib::Absolutepath] $mellon_lock_file = $apache::params::mellon_lock_file, + Optional[Stdlib::Absolutepath] $mellon_post_directory = $apache::params::mellon_post_directory, + Optional[Integer] $mellon_cache_entry_size = undef, + Optional[Integer] $mellon_post_ttl = undef, + Optional[Integer] $mellon_post_size = undef, + Optional[Integer] $mellon_post_count = undef +) inherits apache::params { + include apache + include apache::mod::authn_core + ::apache::mod { 'auth_mellon': } + + # Template uses + # - All variables beginning with mellon_ + $parameters = { + 'mellon_cache_size' => $mellon_cache_size, + 'mellon_cache_entry_size' => $mellon_cache_entry_size, + 'mellon_lock_file' => $mellon_lock_file, + 'mellon_post_directory' => $mellon_post_directory, + 'mellon_post_ttl' => $mellon_post_ttl, + 'mellon_post_size' => $mellon_post_size, + 'mellon_post_count' => $mellon_post_count, + } + + file { 'auth_mellon.conf': + ensure => file, + path => "${apache::mod_dir}/auth_mellon.conf", + mode => $apache::file_mode, + content => epp('apache/mod/auth_mellon.conf.epp', $parameters), + require => [Exec["mkdir ${apache::mod_dir}"],], + before => File[$apache::mod_dir], + notify => Class['Apache::Service'], + } +} diff --git a/manifests/mod/auth_openidc.pp b/manifests/mod/auth_openidc.pp new file mode 100644 index 0000000000..341360bdaf --- /dev/null +++ b/manifests/mod/auth_openidc.pp @@ -0,0 +1,30 @@ +# @summary +# Installs and configures `mod_auth_openidc`. +# +# @param manage_dnf_module Whether to manage the DNF module +# @param dnf_module_ensure The DNF module name to ensure. Only relevant if manage_dnf_module is set to true. +# @param dnf_module_name The DNF module name to manage. Only relevant if manage_dnf_module is set to true. +# +# @see https://github.com/zmartzone/mod_auth_openidc for additional documentation. +# @note Unsupported platforms: OracleLinux: 6; RedHat: 6; Scientific: 6; SLES: all +# +class apache::mod::auth_openidc ( + Boolean $manage_dnf_module = $facts['os']['family'] == 'RedHat' and $facts['os']['release']['major'] == '8', + String[1] $dnf_module_ensure = 'present', + String[1] $dnf_module_name = 'mod_auth_openidc', +) { + include apache + include apache::mod::authn_core + include apache::mod::authz_user + + apache::mod { 'auth_openidc': } + + if $manage_dnf_module { + package { 'dnf-module-mod_auth_openidc': + ensure => $dnf_module_ensure, + name => $dnf_module_name, + provider => 'dnfmodule', + before => Apache::Mod['auth_openidc'], + } + } +} diff --git a/manifests/mod/authn_core.pp b/manifests/mod/authn_core.pp new file mode 100644 index 0000000000..06977ea6f0 --- /dev/null +++ b/manifests/mod/authn_core.pp @@ -0,0 +1,8 @@ +# @summary +# Installs `mod_authn_core`. +# +# @see https://httpd.apache.org/docs/current/mod/mod_authn_core.html for additional documentation. +# +class apache::mod::authn_core { + ::apache::mod { 'authn_core': } +} diff --git a/manifests/mod/authn_dbd.pp b/manifests/mod/authn_dbd.pp new file mode 100644 index 0000000000..78e6df2d01 --- /dev/null +++ b/manifests/mod/authn_dbd.pp @@ -0,0 +1,70 @@ +# @summary +# Installs `mod_authn_dbd`. +# +# @param authn_dbd_params +# The params needed for the mod to function. +# +# @param authn_dbd_dbdriver +# Selects an apr_dbd driver by name. +# +# @param authn_dbd_query +# +# @param authn_dbd_min +# Set the minimum number of connections per process. +# +# @param authn_dbd_max +# Set the maximum number of connections per process. +# +# @param authn_dbd_keep +# Set the maximum number of connections per process to be sustained. +# +# @param authn_dbd_exptime +# Set the time to keep idle connections alive when the number of +# connections specified in DBDKeep has been exceeded. +# +# @param authn_dbd_alias +# Sets an alias for `AuthnProvider. +# +# @see https://httpd.apache.org/docs/current/mod/mod_authn_dbd.html for additional documentation. +# +class apache::mod::authn_dbd ( + Optional[String] $authn_dbd_params, + String $authn_dbd_dbdriver = 'mysql', + Optional[String] $authn_dbd_query = undef, + Integer $authn_dbd_min = 4, + Integer $authn_dbd_max = 20, + Integer $authn_dbd_keep = 8, + Integer $authn_dbd_exptime = 300, + Optional[String] $authn_dbd_alias = undef, +) inherits apache::params { + include apache + include apache::mod::dbd + ::apache::mod { 'authn_dbd': } + + if $authn_dbd_alias { + include apache::mod::authn_core + } + + $parameters = { + 'authn_dbd_dbdriver' => $authn_dbd_dbdriver, + 'authn_dbd_params' => $authn_dbd_params, + 'authn_dbd_min' => $authn_dbd_min, + 'authn_dbd_max' => $authn_dbd_max, + 'authn_dbd_keep' => $authn_dbd_keep, + 'authn_dbd_exptime' => $authn_dbd_exptime, + 'authn_dbd_alias' => $authn_dbd_alias, + 'authn_dbd_query' => $authn_dbd_query, + } + + # Template uses + # - All variables beginning with authn_dbd + file { 'authn_dbd.conf': + ensure => file, + path => "${apache::mod_dir}/authn_dbd.conf", + mode => $apache::file_mode, + content => epp('apache/mod/authn_dbd.conf.epp', $parameters), + require => [Exec["mkdir ${apache::mod_dir}"],], + before => File[$apache::mod_dir], + notify => Class['Apache::Service'], + } +} diff --git a/manifests/mod/authn_file.pp b/manifests/mod/authn_file.pp new file mode 100644 index 0000000000..1418045078 --- /dev/null +++ b/manifests/mod/authn_file.pp @@ -0,0 +1,8 @@ +# @summary +# Installs `mod_authn_file`. +# +# @see https://httpd.apache.org/docs/2.4/mod/mod_authn_file.html for additional documentation. +# +class apache::mod::authn_file { + ::apache::mod { 'authn_file': } +} diff --git a/manifests/mod/authnz_ldap.pp b/manifests/mod/authnz_ldap.pp new file mode 100644 index 0000000000..9343cfe437 --- /dev/null +++ b/manifests/mod/authnz_ldap.pp @@ -0,0 +1,33 @@ +# @summary +# Installs `mod_authnz_ldap`. +# +# @param verify_server_cert +# Whether to force te verification of a server cert or not. +# +# @param package_name +# The name of the ldap package. +# +# @see https://httpd.apache.org/docs/current/mod/mod_authnz_ldap.html for additional documentation. +# @note Unsupported platforms: RedHat: 6, 8, 9; CentOS: 6, 8; OracleLinux: 6, 8; Ubuntu: all; Debian: all; SLES: all +class apache::mod::authnz_ldap ( + Boolean $verify_server_cert = true, + Optional[String] $package_name = undef, +) { + include apache + include 'apache::mod::ldap' + ::apache::mod { 'authnz_ldap': + package => $package_name, + } + + # Template uses: + # - $verify_server_cert + file { 'authnz_ldap.conf': + ensure => file, + path => "${apache::mod_dir}/authnz_ldap.conf", + mode => $apache::file_mode, + content => epp('apache/mod/authnz_ldap.conf.epp', { 'verify_server_cert' => $verify_server_cert, }), + require => Exec["mkdir ${apache::mod_dir}"], + before => File[$apache::mod_dir], + notify => Class['apache::service'], + } +} diff --git a/manifests/mod/authnz_pam.pp b/manifests/mod/authnz_pam.pp new file mode 100644 index 0000000000..35ddb779e1 --- /dev/null +++ b/manifests/mod/authnz_pam.pp @@ -0,0 +1,9 @@ +# @summary +# Installs `mod_authnz_pam`. +# +# @see https://www.adelton.com/apache/mod_authnz_pam for additional documentation. +# +class apache::mod::authnz_pam { + include apache + ::apache::mod { 'authnz_pam': } +} diff --git a/manifests/mod/authz_core.pp b/manifests/mod/authz_core.pp new file mode 100644 index 0000000000..26fcb55c9a --- /dev/null +++ b/manifests/mod/authz_core.pp @@ -0,0 +1,8 @@ +# @summary +# Installs `mod_authz_core`. +# +# @see https://httpd.apache.org/docs/current/mod/mod_authz_core.html for additional documentation. +# +class apache::mod::authz_core { + apache::mod { 'authz_core': } +} diff --git a/manifests/mod/authz_groupfile.pp b/manifests/mod/authz_groupfile.pp new file mode 100644 index 0000000000..7bf0e795fd --- /dev/null +++ b/manifests/mod/authz_groupfile.pp @@ -0,0 +1,9 @@ +# @summary +# Installs `mod_authz_groupfile` +# +# @see https://httpd.apache.org/docs/current/mod/mod_authz_groupfile.html for additional documentation. +# +class apache::mod::authz_groupfile { + include apache + apache::mod { 'authz_groupfile': } +} diff --git a/manifests/mod/authz_user.pp b/manifests/mod/authz_user.pp new file mode 100644 index 0000000000..81bdf5f314 --- /dev/null +++ b/manifests/mod/authz_user.pp @@ -0,0 +1,8 @@ +# @summary +# Installs `mod_authz_user` +# +# @see https://httpd.apache.org/docs/current/mod/mod_authz_user.html for additional documentation. +# +class apache::mod::authz_user { + ::apache::mod { 'authz_user': } +} diff --git a/manifests/mod/autoindex.pp b/manifests/mod/autoindex.pp index 85b4278ef7..e00d8da96f 100644 --- a/manifests/mod/autoindex.pp +++ b/manifests/mod/autoindex.pp @@ -1,12 +1,34 @@ -class apache::mod::autoindex { - apache::mod { 'autoindex': } - # Template uses no variables +# @summary +# Installs `mod_autoindex` +# +# @param icons_prefix +# Change the alias for /icons/. +# +# @see https://httpd.apache.org/docs/current/mod/mod_autoindex.html for additional documentation. +# +class apache::mod::autoindex ( + String $icons_prefix = $apache::params::icons_prefix +) inherits apache::params { + include apache + ::apache::mod { 'autoindex': } + + # Determine icon filename suffix for autoindex.conf.epp + case $facts['os']['name'] { + 'Debian', 'Ubuntu': { + $icon_suffix = '-20x22' + } + default: { + $icon_suffix = '' + } + } + file { 'autoindex.conf': ensure => file, path => "${apache::mod_dir}/autoindex.conf", - content => template('apache/mod/autoindex.conf.erb'), + mode => $apache::file_mode, + content => epp('apache/mod/autoindex.conf.epp', { 'icons_prefix' => $icons_prefix, 'icon_suffix' => $icon_suffix, }), require => Exec["mkdir ${apache::mod_dir}"], before => File[$apache::mod_dir], - notify => Service['httpd'], + notify => Class['apache::service'], } } diff --git a/manifests/mod/cache.pp b/manifests/mod/cache.pp index 26d71bd06a..d31cebd3f0 100644 --- a/manifests/mod/cache.pp +++ b/manifests/mod/cache.pp @@ -1,3 +1,58 @@ -class apache::mod::cache { +# @summary +# Installs `mod_cache` +# +# @param cache_ignore_headers +# Specifies HTTP header(s) that should not be stored in the cache. +# +# @param cache_default_expire +# The default duration to cache a document when no expiry date is specified. +# +# @param cache_max_expire +# The maximum time in seconds to cache a document +# +# @param cache_ignore_no_lastmod +# Ignore the fact that a response has no Last Modified header. +# +# @param cache_header +# Add an X-Cache header to the response. +# +# @param cache_lock +# Enable the thundering herd lock. +# +# @param cache_ignore_cache_control +# Ignore request to not serve cached content to client +# +# @see https://httpd.apache.org/docs/current/mod/mod_cache.html for additional documentation. +# +class apache::mod::cache ( + Array[String[1]] $cache_ignore_headers = [], + Optional[Integer] $cache_default_expire = undef, + Optional[Integer] $cache_max_expire = undef, + Optional[Apache::OnOff] $cache_ignore_no_lastmod = undef, + Optional[Apache::OnOff] $cache_header = undef, + Optional[Apache::OnOff] $cache_lock = undef, + Optional[Apache::OnOff] $cache_ignore_cache_control = undef, +) { + include apache apache::mod { 'cache': } + + $_configuration_file_name = 'cache.conf' + + file { $_configuration_file_name: + ensure => file, + path => "${apache::mod_dir}/${_configuration_file_name}", + mode => $apache::file_mode, + content => epp('apache/mod/cache.conf.epp', { + cache_ignore_headers => $cache_ignore_headers, + cache_default_expire => $cache_default_expire, + cache_max_expire => $cache_max_expire, + cache_ignore_no_lastmod => $cache_ignore_no_lastmod, + cache_header => $cache_header, + cache_lock => $cache_lock, + cache_ignore_cache_control => $cache_ignore_cache_control, + }), + require => Exec["mkdir ${apache::mod_dir}"], + before => File[$apache::mod_dir], + notify => Class['apache::service'], + } } diff --git a/manifests/mod/cache_disk.pp b/manifests/mod/cache_disk.pp new file mode 100644 index 0000000000..c8752fc4f3 --- /dev/null +++ b/manifests/mod/cache_disk.pp @@ -0,0 +1,85 @@ +# @summary +# Installs and configures `mod_cache_disk`. +# +# @description +# This will install an configure the proper module depending on the used apache version, so +# - mod_cache_disk for apache version >= 2.4 +# - mod_disk_cache for older apache versions +# +# @param cache_root +# Defines the name of the directory on the disk to contain cache files. +# Default depends on the Apache version and operating system: +# - Debian: /var/cache/apache2/mod_cache_disk +# - FreeBSD: /var/cache/mod_cache_disk +# - Red Hat: /var/cache/httpd/proxy +# +# @param cache_enable +# Defines an array of directories to cache, the default is none +# +# @param cache_dir_length +# The number of characters in subdirectory names +# +# @param cache_dir_levels +# The number of levels of subdirectories in the cache. +# +# @param cache_max_filesize +# The maximum size (in bytes) of a document to be placed in the cache +# +# @param cache_ignore_headers +# DEPRECATED Ignore request to not serve cached content to client (included for compatibility reasons to support disk_cache) +# +# @param configuration_file_name +# DEPRECATED Name of module configuration file (used for the compatibility layer for disk_cache) +# +# @see https://httpd.apache.org/docs/2.4/mod/mod_cache_disk.html +# +class apache::mod::cache_disk ( + Optional[Stdlib::Absolutepath] $cache_root = undef, + Array[String] $cache_enable = [], + Optional[Integer] $cache_dir_length = undef, + Optional[Integer] $cache_dir_levels = undef, + Optional[Integer] $cache_max_filesize = undef, + Optional[String] $cache_ignore_headers = undef, + Optional[String] $configuration_file_name = undef, +) { + include apache + + if $cache_ignore_headers { + deprecation( + 'apache::mod::cache_disk', + 'The parameter cache_ignore_headers is deprecated. Please use apache::mod::cache::cache_ignore_headers instead.' + ) + } + + $_cache_root = $cache_root ? { + undef => $facts['os']['family'] ? { + 'debian' => '/var/cache/apache2/mod_cache_disk', + 'redhat' => '/var/cache/httpd/proxy', + 'freebsd' => '/var/cache/mod_cache_disk', + }, + default => $cache_root, + } + $_configuration_file_name = pick($configuration_file_name, 'cache_disk.conf') + $_class_name = 'apache::mod::cache_disk' + + apache::mod { 'cache_disk': } + + Class['apache::mod::cache'] -> Class[$_class_name] + + file { $_configuration_file_name: + ensure => file, + path => "${apache::mod_dir}/${_configuration_file_name}", + mode => $apache::file_mode, + content => epp('apache/mod/cache_disk.conf.epp', { + cache_root => $_cache_root, + cache_enable => $cache_enable, + cache_dir_length => $cache_dir_length, + cache_dir_levels => $cache_dir_levels, + cache_max_filesize => $cache_max_filesize, + cache_ignore_headers => $cache_ignore_headers, + }), + require => Exec["mkdir ${apache::mod_dir}"], + before => File[$apache::mod_dir], + notify => Class['apache::service'], + } +} diff --git a/manifests/mod/cgi.pp b/manifests/mod/cgi.pp index 2ad368a0ef..862e8f0543 100644 --- a/manifests/mod/cgi.pp +++ b/manifests/mod/cgi.pp @@ -1,4 +1,28 @@ +# @summary +# Installs `mod_cgi`. +# +# @see https://httpd.apache.org/docs/current/mod/mod_cgi.html for additional documentation. +# class apache::mod::cgi { - Class['apache::mod::prefork'] -> Class['apache::mod::cgi'] - apache::mod { 'cgi': } + include apache + case $facts['os']['family'] { + 'FreeBSD': {} + default: { + if defined(Class['apache::mod::itk']) { + Class['apache::mod::itk'] -> Class['apache::mod::cgi'] + } elsif defined(Class['apache::mod::peruser']) { + Class['apache::mod::peruser'] -> Class['apache::mod::cgi'] + } else { + Class['apache::mod::prefork'] -> Class['apache::mod::cgi'] + } + } + } + + if $facts['os']['family'] == 'Suse' { + ::apache::mod { 'cgi': + lib_path => '/usr/lib64/apache2-prefork', + } + } else { + ::apache::mod { 'cgi': } + } } diff --git a/manifests/mod/cgid.pp b/manifests/mod/cgid.pp index 1a0a082494..fc27bf5158 100644 --- a/manifests/mod/cgid.pp +++ b/manifests/mod/cgid.pp @@ -1,22 +1,47 @@ +# @summary +# Installs `mod_cgid`. +# +# @see https://httpd.apache.org/docs/current/mod/mod_cgid.html +# class apache::mod::cgid { - Class['apache::mod::worker'] -> Class['apache::mod::cgid'] + include apache + case $facts['os']['family'] { + 'FreeBSD': {} + default: { + if defined(Class['apache::mod::event']) { + Class['apache::mod::event'] -> Class['apache::mod::cgid'] + } else { + Class['apache::mod::worker'] -> Class['apache::mod::cgid'] + } + } + } # Debian specifies it's cgid sock path, but RedHat uses the default value # with no config file - $cgisock_path = $::osfamily ? { - 'debian' => '${APACHE_RUN_DIR}/cgisock', - default => undef, + $cgisock_path = $facts['os']['family'] ? { + 'Debian' => "\${APACHE_RUN_DIR}/cgisock", + 'FreeBSD' => 'cgisock', + default => undef, + } + + if $facts['os']['family'] == 'Suse' { + ::apache::mod { 'cgid': + lib_path => '/usr/lib64/apache2-worker', + } + } else { + ::apache::mod { 'cgid': } } - apache::mod { 'cgid': } + if $cgisock_path { # Template uses $cgisock_path file { 'cgid.conf': ensure => file, path => "${apache::mod_dir}/cgid.conf", - content => template('apache/mod/cgid.conf.erb'), + mode => $apache::file_mode, + content => epp('apache/mod/cgid.conf.epp', { 'cgisock_path' => $cgisock_path }), require => Exec["mkdir ${apache::mod_dir}"], before => File[$apache::mod_dir], - notify => Service['httpd'], + notify => Class['apache::service'], } } } diff --git a/manifests/mod/cluster.pp b/manifests/mod/cluster.pp new file mode 100644 index 0000000000..81f7109965 --- /dev/null +++ b/manifests/mod/cluster.pp @@ -0,0 +1,100 @@ +# @summary +# Installs `mod_cluster`. +# +# @param allowed_network +# Balanced members network. +# +# @param balancer_name +# Name of balancer. +# +# @param ip +# Specifies the IP address to listen to. +# +# @param version +# Specifies the mod_cluster version. Version 1.3.0 or greater is required for httpd 2.4. +# +# @param enable_mcpm_receive +# Whether MCPM should be enabled. +# +# @param port +# mod_cluster listen port. +# +# @param keep_alive_timeout +# Specifies how long Apache should wait for a request, in seconds. +# +# @param manager_allowed_network +# Whether to allow the network to access the mod_cluster_manager. +# +# @param max_keep_alive_requests +# Maximum number of requests kept alive. +# +# @param server_advertise +# Whether the server should advertise. +# +# @param advertise_frequency +# Sets the interval between advertise messages in seconds. +# +# @example +# class { '::apache::mod::cluster': +# ip => '172.17.0.1', +# allowed_network => '172.17.0.', +# balancer_name => 'mycluster', +# version => '1.3.1' +# } +# +# @note +# There is no official package available for mod_cluster, so you must make it available outside of the apache module. +# Binaries can be found [here](https://modcluster.io/). +# +# @see https://modcluster.io/ for additional documentation. +# +class apache::mod::cluster ( + String $allowed_network, + String $balancer_name, + Stdlib::IP::Address $ip, + String $version, + Boolean $enable_mcpm_receive = true, + Stdlib::Port $port = 6666, + Integer $keep_alive_timeout = 60, + Stdlib::IP::Address $manager_allowed_network = '127.0.0.1', + Integer $max_keep_alive_requests = 0, + Boolean $server_advertise = true, + Optional[String] $advertise_frequency = undef, +) { + include apache + + ::apache::mod { 'proxy': } + ::apache::mod { 'proxy_ajp': } + ::apache::mod { 'manager': } + ::apache::mod { 'proxy_cluster': } + ::apache::mod { 'advertise': } + + if (versioncmp($version, '1.3.0') >= 0 ) { + ::apache::mod { 'cluster_slotmem': } + } else { + ::apache::mod { 'slotmem': } + } + + $parameters = { + 'ip' => $ip, + 'port' => $port, + 'allowed_network' => $allowed_network, + 'keep_alive_timeout' => $keep_alive_timeout, + 'max_keep_alive_requests' => $max_keep_alive_requests, + 'enable_mcpm_receive' => $enable_mcpm_receive, + 'balancer_name' => $balancer_name, + 'server_advertise' => $server_advertise, + 'advertise_frequency' => $advertise_frequency, + 'manager_allowed_network' => $manager_allowed_network, + } + + file { 'cluster.conf': + ensure => file, + path => "${apache::mod_dir}/cluster.conf", + mode => $apache::file_mode, + content => epp('apache/mod/cluster.conf.epp', $parameters), + require => Exec["mkdir ${apache::mod_dir}"], + before => File[$apache::mod_dir], + notify => Class['apache::service'], + } +} diff --git a/manifests/mod/data.pp b/manifests/mod/data.pp new file mode 100644 index 0000000000..7cff7d8f09 --- /dev/null +++ b/manifests/mod/data.pp @@ -0,0 +1,9 @@ +# @summary +# Installs and configures `mod_data`. +# +# @see https://httpd.apache.org/docs/current/mod/mod_data.html for additional documentation. +# +class apache::mod::data { + include apache + ::apache::mod { 'data': } +} diff --git a/manifests/mod/dav.pp b/manifests/mod/dav.pp index 06aa087e30..616492705f 100644 --- a/manifests/mod/dav.pp +++ b/manifests/mod/dav.pp @@ -1,3 +1,8 @@ +# @summary +# Installs `mod_dav`. +# +# @see https://httpd.apache.org/docs/current/mod/mod_dav.html for additional documentation. +# class apache::mod::dav { - apache::mod { 'dav': } + ::apache::mod { 'dav': } } diff --git a/manifests/mod/dav_fs.pp b/manifests/mod/dav_fs.pp index ab78408f70..3e725efb7b 100644 --- a/manifests/mod/dav_fs.pp +++ b/manifests/mod/dav_fs.pp @@ -1,19 +1,27 @@ +# @summary +# Installs `mod_dav_fs`. +# +# @see https://httpd.apache.org/docs/current/mod/mod_dav_fs.html for additional documentation. +# class apache::mod::dav_fs { - $dav_lock = $::osfamily ? { - 'debian' => '${APACHE_LOCK_DIR}/DAVLock', - default => '/var/lib/dav/lockdb', + include apache + $dav_lock = $facts['os']['family'] ? { + 'Debian' => "\${APACHE_LOCK_DIR}/DAVLock", + 'FreeBSD' => '/usr/local/var/DavLock', + default => '/var/lib/dav/lockdb', } Class['apache::mod::dav'] -> Class['apache::mod::dav_fs'] - apache::mod { 'dav_fs': } + ::apache::mod { 'dav_fs': } # Template uses: $dav_lock file { 'dav_fs.conf': ensure => file, path => "${apache::mod_dir}/dav_fs.conf", - content => template('apache/mod/dav_fs.conf.erb'), + mode => $apache::file_mode, + content => epp('apache/mod/dav_fs.conf.epp', { 'dav_lock' => $dav_lock }), require => Exec["mkdir ${apache::mod_dir}"], before => File[$apache::mod_dir], - notify => Service['httpd'], + notify => Class['apache::service'], } } diff --git a/manifests/mod/dav_svn.pp b/manifests/mod/dav_svn.pp index 76e0d885ea..ae9d4b0a54 100644 --- a/manifests/mod/dav_svn.pp +++ b/manifests/mod/dav_svn.pp @@ -1,4 +1,32 @@ -class apache::mod::dav_svn { +# @summary +# Installs and configures `mod_dav_svn`. +# +# @param authz_svn_enabled +# Specifies whether to install Apache mod_authz_svn +# +# @see https://httpd.apache.org/docs/current/mod/mod_dav_svn.html for additional documentation. +# +class apache::mod::dav_svn ( + Boolean $authz_svn_enabled = false, +) { + Class['apache::mod::dav'] -> Class['apache::mod::dav_svn'] + include apache include apache::mod::dav - apache::mod { 'dav_svn': } + if($facts['os']['name'] == 'SLES' and versioncmp($facts['os']['release']['major'], '12') < 0) { + package { 'subversion-server': + ensure => 'installed', + provider => 'zypper', + } + } + + ::apache::mod { 'dav_svn': } + + if $authz_svn_enabled { + ::apache::mod { 'authz_svn': + # authz_svn depends on symbols from the dav_svn module, + # therefore, make sure authz_svn is loaded after dav_svn. + loadfile_name => 'dav_svn_authz_svn.load', + require => Apache::Mod['dav_svn'], + } + } } diff --git a/manifests/mod/dbd.pp b/manifests/mod/dbd.pp new file mode 100644 index 0000000000..5e9492f35b --- /dev/null +++ b/manifests/mod/dbd.pp @@ -0,0 +1,8 @@ +# @summary +# Installs `mod_dbd`. +# +# @see https://httpd.apache.org/docs/current/mod/mod_dbd.html for additional documentation. +# +class apache::mod::dbd { + ::apache::mod { 'dbd': } +} diff --git a/manifests/mod/deflate.pp b/manifests/mod/deflate.pp index 97d1fdd8a1..6912595984 100644 --- a/manifests/mod/deflate.pp +++ b/manifests/mod/deflate.pp @@ -1,12 +1,38 @@ -class apache::mod::deflate { - apache::mod { 'deflate': } - # Template uses no variables +# @summary +# Installs and configures `mod_deflate`. +# +# @param types +# An array of MIME types to be deflated. See https://www.iana.org/assignments/media-types/media-types.xhtml. +# +# @param notes +# A Hash where the key represents the type and the value represents the note name. +# +# @see https://httpd.apache.org/docs/current/mod/mod_deflate.html for additional documentation. +# +class apache::mod::deflate ( + Array[String] $types = [ + 'text/html text/plain text/xml', + 'text/css', + 'application/x-javascript application/javascript application/ecmascript', + 'application/rss+xml', + 'application/json', + ], + Hash $notes = { + 'Input' => 'instream', + 'Output' => 'outstream', + 'Ratio' => 'ratio', + } +) { + include apache + ::apache::mod { 'deflate': } + file { 'deflate.conf': ensure => file, path => "${apache::mod_dir}/deflate.conf", - content => template('apache/mod/deflate.conf.erb'), + mode => $apache::file_mode, + content => epp('apache/mod/deflate.conf.epp', { 'types' => $types, 'notes' => $notes, }), require => Exec["mkdir ${apache::mod_dir}"], before => File[$apache::mod_dir], - notify => Service['httpd'], + notify => Class['apache::service'], } } diff --git a/manifests/mod/dev.pp b/manifests/mod/dev.pp deleted file mode 100644 index b5d146fbe4..0000000000 --- a/manifests/mod/dev.pp +++ /dev/null @@ -1,5 +0,0 @@ -class apache::mod::dev { - # Development packages are not apache modules - warning('apache::mod::dev is deprecated; please use apache::dev') - include apache::dev -} diff --git a/manifests/mod/dir.pp b/manifests/mod/dir.pp index 39543e1167..6de940d21c 100644 --- a/manifests/mod/dir.pp +++ b/manifests/mod/dir.pp @@ -1,21 +1,40 @@ -# Note: this sets the global DirectoryIndex directive, it may be necessary to consider being able to modify the apache::vhost to declare DirectoryIndex statements in a vhost configuration -# Parameters: -# - $indexes provides a string for the DirectoryIndex directive http://httpd.apache.org/docs/current/mod/mod_dir.html#directoryindex +# @summary +# Installs and configures `mod_dir`. +# +# @param dir +# +# @param indexes +# Provides a string for the DirectoryIndex directive +# +# @todo +# This sets the global DirectoryIndex directive, so it may be necessary to consider being able to modify the apache::vhost to declare +# DirectoryIndex statements in a vhost configuration +# +# @see https://httpd.apache.org/docs/current/mod/mod_dir.html for additional documentation. +# class apache::mod::dir ( - $dir = 'public_html', - $indexes = ['index.html','index.html.var','index.cgi','index.pl','index.php','index.xhtml'], + String $dir = 'public_html', + Array[String] $indexes = [ + 'index.html', + 'index.html.var', + 'index.cgi', + 'index.pl', + 'index.php', + 'index.xhtml', + ], ) { - validate_array($indexes) - apache::mod { 'dir': } + include apache + ::apache::mod { 'dir': } # Template uses # - $indexes file { 'dir.conf': ensure => file, path => "${apache::mod_dir}/dir.conf", - content => template('apache/mod/dir.conf.erb'), + mode => $apache::file_mode, + content => epp('apache/mod/dir.conf.epp', { 'indexes' => $indexes }), require => Exec["mkdir ${apache::mod_dir}"], before => File[$apache::mod_dir], - notify => Service['httpd'], + notify => Class['apache::service'], } } diff --git a/manifests/mod/disk_cache.pp b/manifests/mod/disk_cache.pp index dd3e0f0938..92e56e23f3 100644 --- a/manifests/mod/disk_cache.pp +++ b/manifests/mod/disk_cache.pp @@ -1,19 +1,39 @@ -class apache::mod::disk_cache { - $cache_root = $::osfamily ? { - 'debian' => '/var/cache/apache2/mod_disk_cache', - 'redhat' => '/var/cache/mod_proxy', - } - Class['apache::mod::proxy'] -> Class['apache::mod::disk_cache'] - Class['apache::mod::cache'] -> Class['apache::mod::disk_cache'] +# @summary +# Installs and configures `mod_disk_cache`. +# +# @param cache_root +# Defines the name of the directory on the disk to contain cache files. +# Default depends on the Apache version and operating system: +# - Debian: /var/cache/apache2/mod_cache_disk +# - FreeBSD: /var/cache/mod_cache_disk +# +# @param cache_ignore_headers +# Specifies HTTP header(s) that should not be stored in the cache. +# +# @param default_cache_enable +# Default value is true, which enables "CacheEnable disk /" in disk_cache.conf for the webserver. This would cache +# every request to apache by default for every vhost. If set to false the default cache all behaviour is supressed. +# You can then control this behaviour in individual vhosts by explicitly defining CacheEnable. +# +# @note +# Apache 2.2, mod_disk_cache installed. On Apache 2.4, mod_cache_disk installed. +# This class is deprecated, use mode_cache_disk instead +# +# @see https://httpd.apache.org/docs/2.4/mod/mod_cache_disk.html for additional documentation on version 2.4. +# +class apache::mod::disk_cache ( + Optional[Stdlib::Absolutepath] $cache_root = undef, + Optional[String] $cache_ignore_headers = undef, + Boolean $default_cache_enable = true, +) { + deprecation('apache::mod::disk_cache', 'This class is deprecated; please use apache::mod::cache_disk') - apache::mod { 'disk_cache': } - # Template uses $cache_proxy - file { 'disk_cache.conf': - ensure => file, - path => "${apache::mod_dir}/disk_cache.conf", - content => template('apache/mod/disk_cache.conf.erb'), - require => Exec["mkdir ${apache::mod_dir}"], - before => File[$apache::mod_dir], - notify => Service['httpd'], + class { 'apache::mod::cache_disk': + cache_root => $cache_root, + cache_enable => ['/'], + cache_ignore_headers => $cache_ignore_headers, + cache_dir_length => 1, + cache_dir_levels => 2, + configuration_file_name => 'cache_disk.conf' } } diff --git a/manifests/mod/dumpio.pp b/manifests/mod/dumpio.pp new file mode 100644 index 0000000000..0b5523c622 --- /dev/null +++ b/manifests/mod/dumpio.pp @@ -0,0 +1,38 @@ +# @summary +# Installs and configures `mod_dumpio`. +# +# @param dump_io_input +# Dump all input data to the error log +# +# @param dump_io_output +# Dump all output data to the error log +# +# @example +# class{'apache': +# default_mods => false, +# log_level => 'dumpio:trace7', +# } +# class{'apache::mod::dumpio': +# dump_io_input => 'On', +# dump_io_output => 'Off', +# } +# +# @see https://httpd.apache.org/docs/current/mod/mod_dumpio.html for additional documentation. +# +class apache::mod::dumpio ( + Apache::OnOff $dump_io_input = 'Off', + Apache::OnOff $dump_io_output = 'Off', +) { + include apache + + ::apache::mod { 'dumpio': } + file { 'dumpio.conf': + ensure => file, + path => "${apache::mod_dir}/dumpio.conf", + mode => $apache::file_mode, + content => epp('apache/mod/dumpio.conf.epp', { 'dump_io_input' => $dump_io_input, 'dump_io_output' => $dump_io_output, }), + require => Exec["mkdir ${apache::mod_dir}"], + before => File[$apache::mod_dir], + notify => Class['apache::service'], + } +} diff --git a/manifests/mod/env.pp b/manifests/mod/env.pp new file mode 100644 index 0000000000..2ca17a5e79 --- /dev/null +++ b/manifests/mod/env.pp @@ -0,0 +1,8 @@ +# @summary +# Installs `mod_env`. +# +# @see https://httpd.apache.org/docs/current/mod/mod_env.html for additional documentation. +# +class apache::mod::env { + ::apache::mod { 'env': } +} diff --git a/manifests/mod/event.pp b/manifests/mod/event.pp new file mode 100644 index 0000000000..42d646866c --- /dev/null +++ b/manifests/mod/event.pp @@ -0,0 +1,112 @@ +# @summary +# Installs and configures `mod_event`. +# +# @param startservers +# Sets the number of child server processes created at startup, via the module's `StartServers` directive. Setting this to `false` +# removes the parameter. +# +# @param maxrequestworkers +# Sets the maximum number of connections Apache can simultaneously process, via the module's `MaxRequestWorkers` directive. Setting +# these to `false` removes the parameters. +# +# @param minsparethreads +# Sets the minimum number of idle threads, via the `MinSpareThreads` directive. Setting this to `false` removes the parameters. +# +# @param maxsparethreads +# Sets the maximum number of idle threads, via the `MaxSpareThreads` directive. Setting this to `false` removes the parameters. +# +# @param threadsperchild +# Number of threads created by each child process. +# +# @param maxconnectionsperchild +# Limit on the number of connections that an individual child server will handle during its life. +# +# @param serverlimit +# Limits the configurable number of processes via the `ServerLimit` directive. Setting this to `false` removes the parameter. +# +# @param threadlimit +# Limits the number of event threads via the module's `ThreadLimit` directive. Setting this to `false` removes the parameter. +# +# @param listenbacklog +# Sets the maximum length of the pending connections queue via the module's `ListenBackLog` directive. Setting this to `false` removes +# the parameter. +# +# @note +# You cannot include apache::mod::event with apache::mod::itk, apache::mod::peruser, apache::mod::prefork, or +# apache::mod::worker on the same server. +# +# @see https://httpd.apache.org/docs/current/mod/event.html for additional documentation. +# @note Unsupported platforms: SLES: all +class apache::mod::event ( + Variant[Integer, Boolean] $startservers = 2, + Optional[Variant[Integer, Boolean]] $maxrequestworkers = undef, + Variant[Integer, Boolean] $minsparethreads = 25, + Variant[Integer, Boolean] $maxsparethreads = 75, + Variant[Integer, Boolean] $threadsperchild = 25, + Optional[Variant[Integer, Boolean]] $maxconnectionsperchild = undef, + Variant[Integer, Boolean] $serverlimit = 25, + Variant[Integer, Boolean] $threadlimit = 64, + Variant[Integer, Boolean] $listenbacklog = 511, +) { + include apache + + if defined(Class['apache::mod::itk']) { + fail('May not include both apache::mod::event and apache::mod::itk on the same node') + } + if defined(Class['apache::mod::peruser']) { + fail('May not include both apache::mod::event and apache::mod::peruser on the same node') + } + if defined(Class['apache::mod::prefork']) { + fail('May not include both apache::mod::event and apache::mod::prefork on the same node') + } + if defined(Class['apache::mod::worker']) { + fail('May not include both apache::mod::event and apache::mod::worker on the same node') + } + File { + owner => 'root', + group => $apache::params::root_group, + mode => $apache::file_mode, + } + + # Template uses: + # - $startservers + # - $minsparethreads + # - $maxsparethreads + # - $threadsperchild + # - $serverlimit + $parameters = { + 'serverlimit' => $serverlimit, + 'startservers' => $startservers, + 'maxrequestworkers' => $maxrequestworkers, + 'minsparethreads' => $minsparethreads, + 'maxsparethreads' => $maxsparethreads, + 'threadsperchild' => $threadsperchild, + 'maxconnectionsperchild' => $maxconnectionsperchild, + 'threadlimit' => $threadlimit, + 'listenbacklog' => $listenbacklog, + } + + file { "${apache::mod_dir}/event.conf": + ensure => file, + mode => $apache::file_mode, + content => epp('apache/mod/event.conf.epp', $parameters), + require => Exec["mkdir ${apache::mod_dir}"], + before => File[$apache::mod_dir], + notify => Class['apache::service'], + } + + case $facts['os']['family'] { + 'RedHat', 'Debian', 'FreeBSD' : { + apache::mpm { 'event': + } + } + 'Gentoo': { + ::portage::makeconf { 'apache2_mpms': + content => 'event', + } + } + default: { + fail("Unsupported osfamily ${$facts['os']['family']}") + } + } +} diff --git a/manifests/mod/expires.pp b/manifests/mod/expires.pp index 6c4b30aca9..152cfdbd16 100644 --- a/manifests/mod/expires.pp +++ b/manifests/mod/expires.pp @@ -1,3 +1,44 @@ -class apache::mod::expires { - apache::mod { 'expires': } +# @summary +# Installs and configures `mod_expires`. +# +# @param expires_active +# Enables generation of Expires headers. +# +# @param expires_default +# Specifies the default algorithm for calculating expiration time using ExpiresByType syntax or interval syntax. +# +# @param expires_by_type +# Describes a set of [MIME content-types](https://www.iana.org/assignments/media-types/media-types.xhtml) and their expiration +# times. This should be used as an array of Hashes, with each Hash's key a valid MIME content-type (i.e. 'text/json') and its +# value following valid interval syntax. +# +# @see https://httpd.apache.org/docs/current/mod/mod_expires.html for additional documentation. +# +class apache::mod::expires ( + Boolean $expires_active = true, + Optional[String] $expires_default = undef, + Optional[Array[Hash]] $expires_by_type = undef, +) { + include apache + ::apache::mod { 'expires': } + + # Template uses + # $expires_active + # $expires_default + # $expires_by_type + $parameters = { + 'expires_active' => $expires_active, + 'expires_default' => $expires_default, + 'expires_by_type' => $expires_by_type, + } + + file { 'expires.conf': + ensure => file, + path => "${apache::mod_dir}/expires.conf", + mode => $apache::file_mode, + content => epp('apache/mod/expires.conf.epp', $parameters), + require => Exec["mkdir ${apache::mod_dir}"], + before => File[$apache::mod_dir], + notify => Class['apache::service'], + } } diff --git a/manifests/mod/ext_filter.pp b/manifests/mod/ext_filter.pp new file mode 100644 index 0000000000..714b5b648d --- /dev/null +++ b/manifests/mod/ext_filter.pp @@ -0,0 +1,38 @@ +# @summary +# Installs and configures `mod_ext_filter`. +# +# @param ext_filter_define +# Hash of filter names and their parameters. +# +# @example +# class { 'apache::mod::ext_filter': +# ext_filter_define => { +# 'slowdown' => 'mode=output cmd=/bin/cat preservescontentlength', +# 'puppetdb-strip' => 'mode=output outtype=application/json cmd="pdb-resource-filter"', +# }, +# } +# +# @see https://httpd.apache.org/docs/current/mod/mod_ext_filter.html for additional documentation. +# +class apache::mod::ext_filter ( + Optional[Hash] $ext_filter_define = undef +) { + include apache + + ::apache::mod { 'ext_filter': } + + # Template uses + # -$ext_filter_define + + if $ext_filter_define { + file { 'ext_filter.conf': + ensure => file, + path => "${apache::mod_dir}/ext_filter.conf", + mode => $apache::file_mode, + content => epp('apache/mod/ext_filter.conf.epp', { 'ext_filter_define' => $ext_filter_define, }), + require => [Exec["mkdir ${apache::mod_dir}"],], + before => File[$apache::mod_dir], + notify => Class['Apache::Service'], + } + } +} diff --git a/manifests/mod/fcgid.pp b/manifests/mod/fcgid.pp index 4c777701e9..7f1559cec2 100644 --- a/manifests/mod/fcgid.pp +++ b/manifests/mod/fcgid.pp @@ -1,3 +1,65 @@ -class apache::mod::fcgid { - apache::mod { 'fcgid': } +# @summary +# Installs and configures `mod_fcgid`. +# +# @param options +# A hash used to parameterize the availible options: +# expires_active +# Enables generation of Expires headers. +# expires_default +# Default algorithm for calculating expiration time. +# expires_by_type +# Value of the Expires header configured by MIME type. +# +# @example The class does not individually parameterize all available options. Instead, configure mod_fcgid using the options hash. +# class { 'apache::mod::fcgid': +# options => { +# 'FcgidIPCDir' => '/var/run/fcgidsock', +# 'SharememPath' => '/var/run/fcgid_shm', +# 'AddHandler' => 'fcgid-script .fcgi', +# }, +# } +# +# @example If you include apache::mod::fcgid, you can set the [FcgidWrapper][] per directory, per virtual host. The module must be +# loaded first; Puppet will not automatically enable it if you set the fcgiwrapper parameter in apache::vhost. +# include apache::mod::fcgid +# +# apache::vhost { 'example.org': +# docroot => '/var/www/html', +# directories => { +# path => '/var/www/html', +# fcgiwrapper => { +# command => '/usr/local/bin/fcgiwrapper', +# } +# }, +# } +# +# @see https://httpd.apache.org/docs/current/mod/mod_fcgid.html for additional documentation. +# +class apache::mod::fcgid ( + Hash $options = {}, +) { + include apache + if ($facts['os']['family'] == 'RedHat' and versioncmp($facts['os']['release']['major'], '7') >= 0) or $facts['os']['family'] == 'FreeBSD' { + $loadfile_name = 'unixd_fcgid.load' + $conf_name = 'unixd_fcgid.conf' + } else { + $loadfile_name = undef + $conf_name = 'fcgid.conf' + } + + ::apache::mod { 'fcgid': + loadfile_name => $loadfile_name, + } + + # Template uses: + # - $options + file { $conf_name: + ensure => file, + path => "${apache::mod_dir}/${conf_name}", + mode => $apache::file_mode, + content => epp('apache/mod/fcgid.conf.epp', { 'options' => $options, }), + require => Exec["mkdir ${apache::mod_dir}"], + before => File[$apache::mod_dir], + notify => Class['apache::service'], + } } diff --git a/manifests/mod/filter.pp b/manifests/mod/filter.pp new file mode 100644 index 0000000000..5cee277187 --- /dev/null +++ b/manifests/mod/filter.pp @@ -0,0 +1,8 @@ +# @summary +# Installs `mod_filter`. +# +# @see https://httpd.apache.org/docs/current/mod/mod_filter.html for additional documentation. +# +class apache::mod::filter { + ::apache::mod { 'filter': } +} diff --git a/manifests/mod/geoip.pp b/manifests/mod/geoip.pp new file mode 100644 index 0000000000..9c7262bd55 --- /dev/null +++ b/manifests/mod/geoip.pp @@ -0,0 +1,72 @@ +# @summary +# Installs and configures `mod_geoip`. +# +# @param enable +# Toggles whether to enable geoip. +# +# @param db_file +# Path to database for GeoIP to use. +# +# @param flag +# Caching directive to use. Values: 'CheckCache', 'IndexCache', 'MemoryCache', 'Standard'. +# +# @param output +# Output variable locations. Values: 'All', 'Env', 'Request', 'Notes'. +# +# @param enable_utf8 +# Changes the output from ISO88591 (Latin1) to UTF8. +# +# @param scan_proxy_headers +# Enables the GeoIPScanProxyHeaders option. +# +# @param scan_proxy_header_field +# Specifies the header mod_geoip uses to determine the client's IP address. +# +# @param use_last_xforwarededfor_ip +# Determines whether to use the first or last IP address for the client's IP in a comma-separated list of IP addresses is found. +# +# @see https://dev.maxmind.com/geoip/legacy/mod_geoip2 for additional documentation. +# +class apache::mod::geoip ( + Boolean $enable = false, + Stdlib::Absolutepath $db_file = '/usr/share/GeoIP/GeoIP.dat', + String $flag = 'Standard', + String $output = 'All', + Optional[String] $enable_utf8 = undef, + Optional[String] $scan_proxy_headers = undef, + Optional[String] $scan_proxy_header_field = undef, + Optional[String] $use_last_xforwarededfor_ip = undef, +) { + include apache + ::apache::mod { 'geoip': } + + # Template uses: + # - enable + # - db_file + # - flag + # - output + # - enable_utf8 + # - scan_proxy_headers + # - scan_proxy_header_field + # - use_last_xforwarededfor_ip + $parameters = { + 'enable' => $enable, + 'db_file' => $db_file, + 'flag' => $flag, + 'output' => $output, + 'enable_utf8' => $enable_utf8, + 'scan_proxy_headers' => $scan_proxy_headers, + 'scan_proxy_header_field' => $scan_proxy_header_field, + 'use_last_xforwarededfor_ip' => $use_last_xforwarededfor_ip, + } + + file { 'geoip.conf': + ensure => file, + path => "${apache::mod_dir}/geoip.conf", + mode => $apache::file_mode, + content => epp('apache/mod/geoip.conf.epp', $parameters), + require => Exec["mkdir ${apache::mod_dir}"], + before => File[$apache::mod_dir], + notify => Class['apache::service'], + } +} diff --git a/manifests/mod/headers.pp b/manifests/mod/headers.pp index 5ff9887b15..8f7b466915 100644 --- a/manifests/mod/headers.pp +++ b/manifests/mod/headers.pp @@ -1,3 +1,8 @@ +# @summary +# Installs and configures `mod_headers`. +# +# @see https://httpd.apache.org/docs/current/mod/mod_headers.html for additional documentation. +# class apache::mod::headers { - apache::mod { 'headers': } -} \ No newline at end of file + ::apache::mod { 'headers': } +} diff --git a/manifests/mod/http2.pp b/manifests/mod/http2.pp new file mode 100644 index 0000000000..83bc86dba8 --- /dev/null +++ b/manifests/mod/http2.pp @@ -0,0 +1,120 @@ +# @summary +# Installs and configures `mod_http2`. +# +# @param h2_copy_files +# Determine file handling in responses. +# +# @param h2_direct +# H2 Direct Protocol Switch. +# +# @param h2_early_hints +# Determine sending of 103 status codes. +# +# @param h2_max_session_streams +# Sets maximum number of active streams per HTTP/2 session. +# +# @param h2_max_worker_idle_seconds +# Sets maximum number of seconds h2 workers remain idle until shut down. +# +# @param h2_max_workers +# Sets maximum number of worker threads to use per child process. +# +# @param h2_min_workers +# Sets minimal number of worker threads to use per child process. +# +# @param h2_modern_tls_only +# Toggles the security checks on HTTP/2 connections in TLS mode +# +# @param h2_push +# Toggles the usage of the HTTP/2 server push protocol feature. +# +# @param h2_push_diary_size +# Sets maximum number of HTTP/2 server pushes that are remembered per HTTP/2 connection. +# +# @param h2_push_priority +# Require HTTP/2 connections to be "modern TLS" only +# +# @param h2_push_resource +# When added to a directory/location, HTTP/2 PUSHes will be attempted for all paths added +# via this directive +# +# @param h2_serialize_headers +# Toggles if HTTP/2 requests shall be serialized in HTTP/1.1 format for processing by httpd +# core or if received binary data shall be passed into the request_recs directly. +# +# @param h2_stream_max_mem_size +# Sets the maximum number of outgoing data bytes buffered in memory for an active streams. +# +# @param h2_tls_cool_down_secs +# Sets the number of seconds of idle time on a TLS connection before the TLS write size falls +# back to small (~1300 bytes) length. +# +# @param h2_tls_warm_up_size +# Sets the number of bytes to be sent in small TLS records (~1300 bytes) until doing maximum +# sized writes (16k) on https: HTTP/2 connections. +# +# @param h2_upgrade +# Toggles the usage of the HTTP/1.1 Upgrade method for switching to HTTP/2. +# +# @param h2_window_size +# Sets the size of the window that is used for flow control from client to server and limits +# the amount of data the server has to buffer. +# +# @see https://httpd.apache.org/docs/current/mod/mod_http2.html for additional documentation. +# +class apache::mod::http2 ( + Optional[Boolean] $h2_copy_files = undef, + Optional[Boolean] $h2_direct = undef, + Optional[Boolean] $h2_early_hints = undef, + Optional[Integer] $h2_max_session_streams = undef, + Optional[Integer] $h2_max_worker_idle_seconds = undef, + Optional[Integer] $h2_max_workers = undef, + Optional[Integer] $h2_min_workers = undef, + Optional[Boolean] $h2_modern_tls_only = undef, + Optional[Boolean] $h2_push = undef, + Optional[Integer] $h2_push_diary_size = undef, + Array[String] $h2_push_priority = [], + Array[String] $h2_push_resource = [], + Optional[Boolean] $h2_serialize_headers = undef, + Optional[Integer] $h2_stream_max_mem_size = undef, + Optional[Integer] $h2_tls_cool_down_secs = undef, + Optional[Integer] $h2_tls_warm_up_size = undef, + Optional[Boolean] $h2_upgrade = undef, + Optional[Integer] $h2_window_size = undef, +) { + include apache + apache::mod { 'http2': } + + $parameters = { + 'h2_copy_files' => $h2_copy_files, + 'h2_direct' => $h2_direct, + 'h2_early_hints' => $h2_early_hints, + 'h2_max_session_streams' => $h2_max_session_streams, + 'h2_max_worker_idle_seconds' => $h2_max_worker_idle_seconds, + 'h2_max_workers' => $h2_max_workers, + 'h2_min_workers' => $h2_min_workers, + 'h2_modern_tls_only' => $h2_modern_tls_only, + 'h2_push' => $h2_push, + 'h2_push_diary_size' => $h2_push_diary_size, + 'h2_push_priority' => $h2_push_priority, + 'h2_push_resource' => $h2_push_resource, + 'h2_serialize_headers' => $h2_serialize_headers, + 'h2_stream_max_mem_size' => $h2_stream_max_mem_size, + 'h2_tls_cool_down_secs' => $h2_tls_cool_down_secs, + 'h2_tls_warm_up_size' => $h2_tls_warm_up_size, + 'h2_upgrade' => $h2_upgrade, + 'h2_window_size' => $h2_window_size, + } + + file { 'http2.conf': + ensure => file, + content => epp('apache/mod/http2.conf.epp', $parameters), + mode => $apache::file_mode, + path => "${apache::mod_dir}/http2.conf", + owner => $apache::params::user, + group => $apache::params::group, + require => Exec["mkdir ${apache::mod_dir}"], + before => File[$apache::mod_dir], + notify => Class['apache::service'], + } +} diff --git a/manifests/mod/include.pp b/manifests/mod/include.pp new file mode 100644 index 0000000000..af9675a959 --- /dev/null +++ b/manifests/mod/include.pp @@ -0,0 +1,8 @@ +# @summary +# Installs `mod_include`. +# +# @see https://httpd.apache.org/docs/current/mod/mod_include.html for additional documentation. +# +class apache::mod::include { + ::apache::mod { 'include': } +} diff --git a/manifests/mod/info.pp b/manifests/mod/info.pp index b76e1efb2a..42d1569683 100644 --- a/manifests/mod/info.pp +++ b/manifests/mod/info.pp @@ -1,14 +1,52 @@ +# @summary +# Installs and configures `mod_info`. +# +# @param allow_from +# Allowlist of IPv4 or IPv6 addresses or ranges that can access the info path. +# +# @param restrict_access +# Toggles whether to restrict access to info path. If `false`, the `allow_from` allowlist is ignored and any IP address can +# access the info path. +# +# @param info_path +# Path on server to file containing server configuration information. +# +# @see https://httpd.apache.org/docs/current/mod/mod_info.html for additional documentation. +# class apache::mod::info ( - $allow_from = ['127.0.0.1','::1'], -){ - apache::mod { 'info': } + Array[Stdlib::IP::Address] $allow_from = ['127.0.0.1', '::1'], + Boolean $restrict_access = true, + Stdlib::Unixpath $info_path = '/server-info', +) { + include apache + + if $facts['os']['family'] == 'Suse' { + if defined(Class['apache::mod::worker']) { + $suse_path = '/usr/lib64/apache2-worker' + } else { + $suse_path = '/usr/lib64/apache2-prefork' + } + ::apache::mod { 'info': + lib_path => $suse_path, + } + } else { + ::apache::mod { 'info': } + } + + $parameters = { + 'info_path' => $info_path, + 'restrict_access' => $restrict_access, + 'allow_from' => $allow_from, + } + # Template uses $allow_from file { 'info.conf': ensure => file, path => "${apache::mod_dir}/info.conf", - content => template('apache/mod/info.conf.erb'), + mode => $apache::file_mode, + content => epp('apache/mod/info.conf.epp', $parameters), require => Exec["mkdir ${apache::mod_dir}"], before => File[$apache::mod_dir], - notify => Service['httpd'], + notify => Class['apache::service'], } } diff --git a/manifests/mod/intercept_form_submit.pp b/manifests/mod/intercept_form_submit.pp new file mode 100644 index 0000000000..f6ccf653b8 --- /dev/null +++ b/manifests/mod/intercept_form_submit.pp @@ -0,0 +1,9 @@ +# @summary +# Installs `mod_intercept_form_submit`. +# +# @see https://www.adelton.com/apache/mod_intercept_form_submit for additional documentation. +# +class apache::mod::intercept_form_submit { + include apache + ::apache::mod { 'intercept_form_submit': } +} diff --git a/manifests/mod/itk.pp b/manifests/mod/itk.pp index ba61bd9001..96940d8593 100644 --- a/manifests/mod/itk.pp +++ b/manifests/mod/itk.pp @@ -1,21 +1,65 @@ +# @summary +# Installs MPM `mod_itk`. +# +# @param startservers +# Number of child server processes created on startup. +# +# @param minspareservers +# Minimum number of idle child server processes. +# +# @param maxspareservers +# Maximum number of idle child server processes. +# +# @param serverlimit +# Maximum configured value for `MaxRequestWorkers` for the lifetime of the Apache httpd process. +# +# @param maxclients +# Limit on the number of simultaneous requests that will be served. +# +# @param maxrequestsperchild +# Limit on the number of connections that an individual child server process will handle. +# +# @param enablecapabilities +# Drop most root capabilities in the parent process, and instead run as the user given by the User/Group directives with some extra +# capabilities (in particular setuid). Somewhat more secure, but can cause problems when serving from filesystems that do not honor +# capabilities, such as NFS. +# +# @see http://mpm-itk.sesse.net for additional documentation. +# @note Unsupported platforms: CentOS: 8; RedHat: 8, 9; SLES: all class apache::mod::itk ( - $startservers = '8', - $minspareservers = '5', - $maxspareservers = '20', - $serverlimit = '256', - $maxclients = '256', - $maxrequestsperchild = '4000', + Integer $startservers = 8, + Integer $minspareservers = 5, + Integer $maxspareservers = 20, + Integer $serverlimit = 256, + Integer $maxclients = 256, + Integer $maxrequestsperchild = 4000, + Optional[Variant[Boolean, String]] $enablecapabilities = undef, ) { - if defined(Class['apache::mod::prefork']) { - fail('May not include both apache::mod::itk and apache::mod::prefork on the same node') + include apache + + if defined(Class['apache::mod::event']) { + fail('May not include both apache::mod::itk and apache::mod::event on the same node') + } + if defined(Class['apache::mod::peruser']) { + fail('May not include both apache::mod::itk and apache::mod::peruser on the same node') + } + # prefork is a requirement for itk in 2.4; except on FreeBSD and Gentoo, which are special + if $facts['os']['family'] =~ /^(FreeBSD|Gentoo)/ { + if defined(Class['apache::mod::prefork']) { + fail('May not include both apache::mod::itk and apache::mod::prefork on the same node') + } + } else { + if ! defined(Class['apache::mod::prefork']) { + include apache::mod::prefork + } } if defined(Class['apache::mod::worker']) { fail('May not include both apache::mod::itk and apache::mod::worker on the same node') } File { owner => 'root', - group => 'root', - mode => '0644', + group => $apache::params::root_group, + mode => $apache::file_mode, } # Template uses: @@ -25,29 +69,44 @@ # - $serverlimit # - $maxclients # - $maxrequestsperchild + $parameters = { + 'startservers' => $startservers, + 'minspareservers' => $minspareservers, + 'maxspareservers' => $maxspareservers, + 'serverlimit' => $serverlimit, + 'maxclients' => $maxclients, + 'maxrequestsperchild' => $maxrequestsperchild, + 'enablecapabilities' => $enablecapabilities, + } + file { "${apache::mod_dir}/itk.conf": ensure => file, - content => template('apache/mod/itk.conf.erb'), + mode => $apache::file_mode, + content => epp('apache/mod/itk.conf.epp', $parameters), require => Exec["mkdir ${apache::mod_dir}"], before => File[$apache::mod_dir], - notify => Service['httpd'], + notify => Class['apache::service'], } - case $::osfamily { - 'debian' : { - file { "${apache::mod_enable_dir}/itk.conf": - ensure => link, - target => "${apache::mod_dir}/itk.conf", - require => Exec["mkdir ${apache::mod_enable_dir}"], - before => File[$apache::mod_enable_dir], - notify => Service['httpd'], - } - package { 'apache2-mpm-itk': + case $facts['os']['family'] { + 'RedHat': { + package { 'httpd-itk': ensure => present, } + ::apache::mpm { 'itk': + } + } + 'Debian', 'FreeBSD': { + apache::mpm { 'itk': + } + } + 'Gentoo': { + ::portage::makeconf { 'apache2_mpms': + content => 'itk', + } } default: { - fail("Unsupported osfamily ${::osfamily}") + fail("Unsupported osfamily ${$facts['os']['family']}") } } } diff --git a/manifests/mod/jk.pp b/manifests/mod/jk.pp new file mode 100644 index 0000000000..65ed394a30 --- /dev/null +++ b/manifests/mod/jk.pp @@ -0,0 +1,446 @@ +# @summary +# Installs `mod_jk`. +# +# @param ip +# IP for binding to mod_jk. Useful when the binding address is not the primary network interface IP. +# +# @param port +# Port for binding to mod_jk. Useful when something else, like a reverse proxy or cache, is receiving requests at port 80, then +# needs to forward them to Apache at a different port. +# +# @param add_listen +# Defines if a Listen directive according to parameters ip and port (see below), so that Apache listens to the IP/port combination +# and redirect to mod_jk. Useful when another Listen directive, like Listen *: or Listen , can conflict with the one +# necessary for mod_jk binding. +# +# @param workers_file +# The name of a worker file for the Tomcat servlet containers. +# +# @param worker_property +# Enables setting worker properties inside Apache configuration file. +# +# @param logroot +# The base directory for shm_file and log_file is determined by the logroot parameter. If unspecified, defaults to +# apache::params::logroot. The default logroot is sane enough therefore it is not recommended to override it. +# +# @param shm_file +# Shared memory file name. +# +# @param shm_size +# Size of the shared memory file name. +# +# @param mount_file +# File containing multiple mappings from a context to a Tomcat worker. +# +# @param mount_file_reload +# This directive configures the reload check interval in seconds. +# +# @param mount +# A mount point from a context to a Tomcat worker. +# +# @param un_mount +# An exclusion mount point from a context to a Tomcat worker. +# +# @param auto_alias +# Automatically Alias webapp context directories into the Apache document space +# +# @param mount_copy +# If this directive is set to "On" in some virtual server, the mounts from the global server will be copied +# to this virtual server, more precisely all mounts defined by JkMount or JkUnMount. +# +# @param worker_indicator +# Name of the Apache environment variable that can be used to set worker names in combination with SetHandler +# jakarta-servlet. +# +# @param watchdog_interval +# This directive configures the watchdog thread interval in seconds. +# +# @param log_file +# Full or server relative path to the mod_jk log file. +# +# @param log_level +# The mod_jk log level, can be debug, info, warn error or trace. +# +# @param log_stamp_format +# The mod_jk date log format, using an extended strftime syntax. +# +# @param request_log_format +# Request log format string. +# +# @param extract_ssl +# Turns on SSL processing and information gathering by mod_jk. +# +# @param https_indicator +# Name of the Apache environment variable that contains SSL indication. +# +# @param sslprotocol_indicator +# Name of the Apache environment variable that contains the SSL protocol name. +# +# @param certs_indicator +# Name of the Apache environment variable that contains SSL client certificates. +# +# @param cipher_indicator +# Name of the Apache environment variable that contains SSL client cipher. +# +# @param certchain_prefix +# Name of the Apache environment (prefix) that contains SSL client chain certificates. +# +# @param session_indicator +# Name of the Apache environment variable that contains SSL session. +# +# @param keysize_indicator +# Name of the Apache environment variable that contains SSL key size in use. +# +# @param local_name_indicator +# Name of the Apache environment variable which can be used to overwrite the forwarded local name. +# +# @param ignore_cl_indicator +# Name of the Apache environment variable which forces to ignore an existing Content-Length request header. +# +# @param local_addr_indicator +# Name of the Apache environment variable which can be used to overwrite the forwarded local IP address. +# +# @param local_port_indicator +# Name of the Apache environment variable which can be used to overwrite the forwarded local port. +# +# @param remote_host_indicator +# Name of the Apache environment variable which can be used to overwrite the forwarded remote (client) host name. +# +# @param remote_addr_indicator +# Name of the Apache environment variable which can be used to overwrite the forwarded remote (client) IP address. +# +# @param remote_port_indicator +# Name of the Apache environment variable which can be used to overwrite the forwarded remote (client) IP address. +# +# @param remote_user_indicator +# Name of the Apache environment variable which can be used to overwrite the forwarded user name. +# +# @param auth_type_indicator +# Name of the Apache environment variable which can be used to overwrite the forwarded authentication type. +# +# @param options +# Set one of more options to configure the mod_jk module. +# +# @param env_var +# Adds a name and an optional default value of environment variable that should be sent to servlet-engine as a request attribute. +# +# @param strip_session +# If this directive is set to On in some virtual server, the session IDs ;jsessionid=... will be removed for URLs which are not +# forwarded but instead are handled by the local server. +# +# @param location_list +# Global locations for mod_jk are defined in array location_list. +# Each array item is a hash with quoted* property name as key and value as value itself. +# You can define a comment in a special 'comment' key +# +# Example: +# +# # Configures jkstatus +# JkMount status +# Order deny,allow +# Deny from all +# Allow from 127.0.0.1 +# +# +# Is defined as: +# location_list = [ +# { +# 'Location' => '/jkstatus/', +# 'Comment' => 'Configures jkstatus', +# 'JkMount' => 'status', +# 'Order' => 'deny,allow', +# 'Deny from' => 'all', +# 'Allow from' => '127.0.0.1', +# }, +# ] +# * Keys must be quoted to allow arbitrary case and/or multi-word keys +# (BTW, note the case of 'Location' and 'Comment' keys) +# +# @param workers_file_content +# Each directive has the format worker..=. This maps as a hash of hashes, where the outer hash specifies +# workers, and each inner hash specifies each worker properties and values. Plus, there are two global directives, 'worker.list' and +# 'worker.maintain' For example, the workers file below should be parameterized as follows: +# +# Worker file: +# ``` +# worker.list = status +# worker.list = some_name,other_name +# +# worker.maintain = 60 +# +# # Optional comment +# worker.some_name.type=ajp13 +# worker.some_name.socket_keepalive=true +# +# # I just like comments +# worker.other_name.type=ajp12 (why would you?) +# worker.other_name.socket_keepalive=false +# ``` +# +# Puppet file: +# ``` +# $workers_file_content = { +# worker_lists => ['status', 'some_name, other_name'], +# worker_maintain => 60, +# some_name => { +# comment => 'Optional comment', +# type => 'ajp13', +# socket_keepalive => 'true', +# }, +# other_name => { +# comment => 'I just like comments', +# type => 'ajp12', +# socket_keepalive => 'false', +# }, +# } +# ``` +# +# @param mount_file_content +# Each directive has the format = . This maps as a hash of hashes, where the outer hash specifies workers, and +# each inner hash contains two items: +# - uri_list-an array with URIs to be mapped to the worker +# - comment-an optional string with a comment for the worker. For example, the mount file below should be parameterized as Figure 2: +# +# Worker file: +# ``` +# # Worker 1 +# /context_1/ = worker_1 +# /context_1/* = worker_1 +# +# # Worker 2 +# / = worker_2 +# /context_2/ = worker_2 +# /context_2/* = worker_2 +# ``` +# +# Puppet file: +# ``` +# $mount_file_content = { +# worker_1 => { +# uri_list => ['/context_1/', '/context_1/*'], +# comment => 'Worker 1', +# }, +# worker_2 => { +# uri_list => ['/context_2/', '/context_2/*'], +# comment => 'Worker 2', +# }, +# }, +# ``` +# +# @example +# class { '::apache::mod::jk': +# ip => '192.168.2.15', +# workers_file => 'conf/workers.properties', +# mount_file => 'conf/uriworkermap.properties', +# shm_file => 'run/jk.shm', +# shm_size => '50M', +# workers_file_content => { +# +# }, +# } +# +# @note +# shm_file and log_file +# Depending on how these files are specified, the class creates their final path differently: +# +# Relative path: prepends supplied path with logroot (see below) +# Absolute path or pipe: uses supplied path as-is +# +# ``` +# shm_file => 'shm_file' +# # Ends up in +# $shm_path = '/var/log/httpd/shm_file' +# +# shm_file => '/run/shm_file' +# # Ends up in +# $shm_path = '/run/shm_file' +# +# shm_file => '"|rotatelogs /var/log/httpd/mod_jk.log.%Y%m%d 86400 -180"' +# # Ends up in +# $shm_path = '"|rotatelogs /var/log/httpd/mod_jk.log.%Y%m%d 86400 -180"' +# ``` +# +# @note +# All parameters are optional. When undefined, some receive default values, while others cause an optional +# directive to be absent +# +# Additionally, There is no official package available for mod_jk and thus it must be made available by means outside of the control of the +# apache module. Binaries can be found at Apache Tomcat Connectors download page +# +# @see https://tomcat.apache.org/connectors-doc/reference/apache.html for additional documentation. +# +class apache::mod::jk ( + # Binding to mod_jk + Optional[Stdlib::IP::Address] $ip = undef, + Stdlib::Port $port = 80, + Boolean $add_listen = true, + # Conf file content + Optional[String] $workers_file = undef, + Hash $worker_property = {}, + Optional[Stdlib::Absolutepath] $logroot = undef, + String $shm_file = 'jk-runtime-status', + Optional[String] $shm_size = undef, + Optional[String] $mount_file = undef, + Optional[String] $mount_file_reload = undef, + Hash $mount = {}, + Hash $un_mount = {}, + Optional[String] $auto_alias = undef, + Optional[String] $mount_copy = undef, + Optional[String] $worker_indicator = undef, + Optional[Integer] $watchdog_interval = undef, + String $log_file = 'mod_jk.log', + Optional[String] $log_level = undef, + Optional[String] $log_stamp_format = undef, + Optional[String] $request_log_format = undef, + Optional[String] $extract_ssl = undef, + Optional[String] $https_indicator = undef, + Optional[String] $sslprotocol_indicator = undef, + Optional[String] $certs_indicator = undef, + Optional[String] $cipher_indicator = undef, + Optional[String] $certchain_prefix = undef, + Optional[String] $session_indicator = undef, + Optional[String] $keysize_indicator = undef, + Optional[String] $local_name_indicator = undef, + Optional[String] $ignore_cl_indicator = undef, + Optional[String] $local_addr_indicator = undef, + Optional[String] $local_port_indicator = undef, + Optional[String] $remote_host_indicator = undef, + Optional[String] $remote_addr_indicator = undef, + Optional[String] $remote_port_indicator = undef, + Optional[String] $remote_user_indicator = undef, + Optional[String] $auth_type_indicator = undef, + Array $options = [], + Hash $env_var = {}, + Optional[String] $strip_session = undef, + # Location list + # See comments in template mod/jk.conf.epp + Array $location_list = [], + # Workers file content + # See comments in template mod/jk/workers.properties.epp + Hash $workers_file_content = {}, + # Mount file content + # See comments in template mod/jk/uriworkermap.properties.epp + Hash $mount_file_content = {}, +) { + # Provides important variables + include apache + # Manages basic module config + ::apache::mod { 'jk': } + + # Ensure that we are not using variables with the typo fixed by MODULES-6225 + # anymore: + if !empty($workers_file_content) and 'worker_mantain' in $workers_file_content { + fail('Please replace $workers_file_content[\'worker_mantain\'] by $workers_file_content[\'worker_maintain\']. See MODULES-6225 for details.') + } + + # Binding to mod_jk + if $add_listen { + $_ip = $ip ? { + undef => $facts['networking']['ip'], + default => $ip, + } + ensure_resource('apache::listen', "${_ip}:${port}", {}) + } + + # File resource common parameters + File { + ensure => file, + mode => $apache::file_mode, + notify => Class['apache::service'], + } + + # Shared memory and log paths + # If logroot unspecified, use default + $log_dir = $logroot ? { + undef => $apache::logroot, + default => $logroot, + } + # If absolute path or pipe, use as-is + # If relative path, prepend with log directory + # If unspecified, use default + $shm_path = $shm_file ? { + undef => "${log_dir}/jk-runtime-status", + /^\"?[|\/]/ => $shm_file, + default => "${log_dir}/${shm_file}", + } + $log_path = $log_file ? { + undef => "${log_dir}/mod_jk.log", + /^\"?[|\/]/ => $log_file, + default => "${log_dir}/${log_file}", + } + + $parameters = { + 'workers_file' => $workers_file, + 'worker_property' => $worker_property, + 'shm_path' => $shm_path, + 'shm_size' => $shm_size, + 'mount_file' => $mount_file, + 'mount_file_reload' => $mount_file_reload, + 'mount' => $mount, + 'un_mount' => $un_mount, + 'auto_alias' => $auto_alias, + 'mount_copy' => $mount_copy, + 'worker_indicator' => $worker_indicator, + 'watchdog_interval' => $watchdog_interval, + 'log_path' => $log_path, + 'log_level' => $log_level, + 'log_stamp_format' => $log_stamp_format, + 'request_log_format' => $request_log_format, + 'extract_ssl' => $extract_ssl, + 'https_indicator' => $https_indicator, + 'sslprotocol_indicator' => $sslprotocol_indicator, + 'certs_indicator' => $certs_indicator, + 'cipher_indicator' => $cipher_indicator, + 'certchain_prefix' => $certchain_prefix, + 'session_indicator' => $session_indicator, + 'keysize_indicator' => $keysize_indicator, + 'local_name_indicator' => $local_name_indicator, + 'ignore_cl_indicator' => $ignore_cl_indicator, + 'local_addr_indicator' => $local_addr_indicator, + 'local_port_indicator' => $local_port_indicator, + 'remote_host_indicator' => $remote_host_indicator, + 'remote_addr_indicator' => $remote_addr_indicator, + 'remote_port_indicator' => $remote_port_indicator, + 'remote_user_indicator' => $remote_user_indicator, + 'auth_type_indicator' => $auth_type_indicator, + 'options' => $options, + 'env_var' => $env_var, + 'strip_session' => $strip_session, + 'location_list' => $location_list, + } + + # Main config file + $mod_dir = $apache::mod_dir + file { 'jk.conf': + path => "${mod_dir}/jk.conf", + content => epp('apache/mod/jk.conf.epp', $parameters), + require => [ + Exec["mkdir ${mod_dir}"], + File[$mod_dir], + ], + } + + # Workers file + if $workers_file != undef { + $workers_path = $workers_file ? { + /^\// => $workers_file, + default => "${apache::httpd_dir}/${workers_file}", + } + file { $workers_path: + content => epp('apache/mod/jk/workers.properties.epp', { 'workers_file_content' => $workers_file_content, }), + require => Package['httpd'], + } + } + + # Mount file + if $mount_file != undef { + $mount_path = $mount_file ? { + /^\// => $mount_file, + default => "${apache::httpd_dir}/${mount_file}", + } + file { $mount_path: + content => epp('apache/mod/jk/uriworkermap.properties.epp', { 'mount_file_content' => $mount_file_content, }), + require => Package['httpd'], + } + } +} diff --git a/manifests/mod/lbmethod_bybusyness.pp b/manifests/mod/lbmethod_bybusyness.pp new file mode 100644 index 0000000000..8578e95111 --- /dev/null +++ b/manifests/mod/lbmethod_bybusyness.pp @@ -0,0 +1,19 @@ +# @summary +# Installs `lbmethod_bybusyness`. +# +# @param apache_version +# Version of Apache to install module on. +# +# @see https://httpd.apache.org/docs/2.4/mod/mod_lbmethod_bybusyness.html for additional documentation. +# +class apache::mod::lbmethod_bybusyness ( + Optional[String] $apache_version = $apache::apache_version, +) { + require apache::mod::proxy_balancer + + if versioncmp($apache_version, '2.3') >= 0 { + apache::mod { 'lbmethod_bybusyness': } + } else { + fail('Unsuported version for mod lbmethod_bybusyness') + } +} diff --git a/manifests/mod/lbmethod_byrequests.pp b/manifests/mod/lbmethod_byrequests.pp new file mode 100644 index 0000000000..012df4fbcb --- /dev/null +++ b/manifests/mod/lbmethod_byrequests.pp @@ -0,0 +1,19 @@ +# @summary +# Installs `lbmethod_byrequests`. +# +# @param apache_version +# Version of Apache to install module on. +# +# @see https://httpd.apache.org/docs/2.4/mod/mod_lbmethod_byrequests.html for additional documentation. +# +class apache::mod::lbmethod_byrequests ( + Optional[String] $apache_version = $apache::apache_version, +) { + require apache::mod::proxy_balancer + + if versioncmp($apache_version, '2.3') >= 0 { + apache::mod { 'lbmethod_byrequests': } + } else { + fail('Unsuported version for mod lbmethod_byrequests') + } +} diff --git a/manifests/mod/lbmethod_bytraffic.pp b/manifests/mod/lbmethod_bytraffic.pp new file mode 100644 index 0000000000..058c630aef --- /dev/null +++ b/manifests/mod/lbmethod_bytraffic.pp @@ -0,0 +1,19 @@ +# @summary +# Installs `lbmethod_bytraffic`. +# +# @param apache_version +# Version of Apache to install module on. +# +# @see https://httpd.apache.org/docs/2.4/mod/mod_lbmethod_bytraffic.html for additional documentation. +# +class apache::mod::lbmethod_bytraffic ( + Optional[String] $apache_version = $apache::apache_version, +) { + require apache::mod::proxy_balancer + + if versioncmp($apache_version, '2.3') >= 0 { + apache::mod { 'lbmethod_bytraffic': } + } else { + fail('Unsuported version for mod lbmethod_bytraffic') + } +} diff --git a/manifests/mod/lbmethod_heartbeat.pp b/manifests/mod/lbmethod_heartbeat.pp new file mode 100644 index 0000000000..aa859d3a57 --- /dev/null +++ b/manifests/mod/lbmethod_heartbeat.pp @@ -0,0 +1,19 @@ +# @summary +# Installs `lbmethod_heartbeat`. +# +# @param apache_version +# Version of Apache to install module on. +# +# @see https://httpd.apache.org/docs/2.4/mod/mod_lbmethod_heartbeat.html for additional documentation. +# +class apache::mod::lbmethod_heartbeat ( + Optional[String] $apache_version = $apache::apache_version, +) { + require apache::mod::proxy_balancer + + if versioncmp($apache_version, '2.3') >= 0 { + apache::mod { 'lbmethod_heartbeat': } + } else { + fail('Unsuported version for mod lbmethod_heartbeat') + } +} diff --git a/manifests/mod/ldap.pp b/manifests/mod/ldap.pp index 097622c51e..5297eca5fe 100644 --- a/manifests/mod/ldap.pp +++ b/manifests/mod/ldap.pp @@ -1,12 +1,86 @@ -class apache::mod::ldap { - apache::mod { 'ldap': } - # Template uses no variables +# @summary +# Installs and configures `mod_ldap`. +# +# @param package_name +# Specifies the custom package name. +# +# @param ldap_trusted_global_cert_file +# Sets the file or database containing global trusted Certificate Authority or global client certificates. +# +# @param ldap_trusted_global_cert_type +# Sets the certificate parameter of the global trusted Certificate Authority or global client certificates. +# +# @param ldap_shared_cache_size +# Size in bytes of the shared-memory cache +# +# @param ldap_cache_entries +# Maximum number of entries in the primary LDAP cache +# +# @param ldap_cache_ttl +# Time that cached items remain valid (in seconds). +# +# @param ldap_opcache_entries +# Number of entries used to cache LDAP compare operations +# +# @param ldap_opcache_ttl +# Time that entries in the operation cache remain valid (in seconds). +# +# @param ldap_trusted_mode +# Specifies the SSL/TLS mode to be used when connecting to an LDAP server. +# +# @param ldap_path +# The server location of the ldap status page. +# +# @example +# class { 'apache::mod::ldap': +# ldap_trusted_global_cert_file => '/etc/pki/tls/certs/ldap-trust.crt', +# ldap_trusted_global_cert_type => 'CA_DER', +# ldap_trusted_mode => 'TLS', +# ldap_shared_cache_size => 500000, +# ldap_cache_entries => 1024, +# ldap_cache_ttl => 600, +# ldap_opcache_entries => 1024, +# ldap_opcache_ttl => 600, +# } +# +# @see https://httpd.apache.org/docs/current/mod/mod_ldap.html for additional documentation. +# @note Unsupported platforms: CentOS: 8; RedHat: 8, 9 +class apache::mod::ldap ( + Optional[String] $package_name = undef, + Optional[String] $ldap_trusted_global_cert_file = undef, + String $ldap_trusted_global_cert_type = 'CA_BASE64', + Optional[Integer] $ldap_shared_cache_size = undef, + Optional[Integer] $ldap_cache_entries = undef, + Optional[Integer] $ldap_cache_ttl = undef, + Optional[Integer] $ldap_opcache_entries = undef, + Optional[Integer] $ldap_opcache_ttl = undef, + Optional[String] $ldap_trusted_mode = undef, + String $ldap_path = '/ldap-status', +) { + include apache + ::apache::mod { 'ldap': + package => $package_name, + } + + $parameters = { + 'ldap_path' => $ldap_path, + 'ldap_trusted_global_cert_file' => $ldap_trusted_global_cert_file, + 'ldap_trusted_global_cert_type' => $ldap_trusted_global_cert_type, + 'ldap_trusted_mode' => $ldap_trusted_mode, + 'ldap_shared_cache_size' => $ldap_shared_cache_size, + 'ldap_cache_entries' => $ldap_cache_entries, + 'ldap_cache_ttl' => $ldap_cache_ttl, + 'ldap_opcache_entries' => $ldap_opcache_entries, + 'ldap_opcache_ttl' => $ldap_opcache_ttl, + } + file { 'ldap.conf': ensure => file, path => "${apache::mod_dir}/ldap.conf", - content => template('apache/mod/ldap.conf.erb'), + mode => $apache::file_mode, + content => epp('apache/mod/ldap.conf.epp', $parameters), require => Exec["mkdir ${apache::mod_dir}"], before => File[$apache::mod_dir], - notify => Service['httpd'], + notify => Class['apache::service'], } } diff --git a/manifests/mod/log_forensic.pp b/manifests/mod/log_forensic.pp new file mode 100644 index 0000000000..df0f0dbddf --- /dev/null +++ b/manifests/mod/log_forensic.pp @@ -0,0 +1,9 @@ +# @summary +# Installs `mod_log_forensic` +# +# @see https://httpd.apache.org/docs/current/mod/mod_log_forensic.html for additional documentation. +# +class apache::mod::log_forensic { + include apache + apache::mod { 'log_forensic': } +} diff --git a/manifests/mod/lookup_identity.pp b/manifests/mod/lookup_identity.pp new file mode 100644 index 0000000000..3161ec329f --- /dev/null +++ b/manifests/mod/lookup_identity.pp @@ -0,0 +1,9 @@ +# @summary +# Installs `mod_lookup_identity` +# +# @see https://www.adelton.com/apache/mod_lookup_identity for additional documentation. +# +class apache::mod::lookup_identity { + include apache + ::apache::mod { 'lookup_identity': } +} diff --git a/manifests/mod/macro.pp b/manifests/mod/macro.pp new file mode 100644 index 0000000000..c4d2af0033 --- /dev/null +++ b/manifests/mod/macro.pp @@ -0,0 +1,9 @@ +# @summary +# Installs `mod_macro`. +# +# @see https://httpd.apache.org/docs/current/mod/mod_macro.html for additional documentation. +# +class apache::mod::macro { + include apache + ::apache::mod { 'macro': } +} diff --git a/manifests/mod/md.pp b/manifests/mod/md.pp new file mode 100644 index 0000000000..7cb12f5888 --- /dev/null +++ b/manifests/mod/md.pp @@ -0,0 +1,140 @@ +# @summary +# Installs and configures `mod_md`. +# +# @param md_activation_delay +# - +# +# @param md_base_server +# Control if base server may be managed or only virtual hosts. +# +# @param md_ca_challenges +# Type of ACME challenge used to prove domain ownership. +# +# @param md_certificate_agreement +# You confirm that you accepted the Terms of Service of the Certificate +# Authority. +# +# @param md_certificate_authority +# The URL of the ACME Certificate Authority service. +# +# @param md_certificate_check +# - +# +# @param md_certificate_monitor +# The URL of a certificate log monitor. +# +# @param md_certificate_protocol +# The protocol to use with the Certificate Authority. +# +# @param md_certificate_status +# Exposes public certificate information in JSON. +# +# @param md_challenge_dns01 +# Define a program to be called when the `dns-01` challenge needs to be +# setup/torn down. +# +# @param md_contact_email +# The ACME protocol requires you to give a contact url when you sign up. +# +# @param md_http_proxy +# Define a proxy for outgoing connections. +# +# @param md_members +# Control if the alias domain names are automatically added. +# +# @param md_message_cmd +# Handle events for Manage Domains. +# +# @param md_must_staple +# Control if new certificates carry the OCSP Must Staple flag. +# +# @param md_notify_cmd +# Run a program when a Managed Domain is ready. +# +# @param md_port_map +# Map external to internal ports for domain ownership verification. +# +# @param md_private_keys +# Set type and size of the private keys generated. +# +# @param md_renew_mode +# Controls if certificates shall be renewed. +# +# @param md_renew_window +# Control when a certificate will be renewed. +# +# @param md_require_https +# Redirects http: traffic to https: for Managed Domains. +# An http: Virtual Host must nevertheless be setup for that domain. +# +# @param md_server_status +# Control if Managed Domain information is added to server-status. +# +# @param md_staple_others +# Enable stapling for certificates not managed by mod_md. +# +# @param md_stapling +# Enable stapling for all or a particular MDomain. +# +# @param md_stapling_keep_response +# Controls when old responses should be removed. +# +# @param md_stapling_renew_window +# Control when the stapling responses will be renewed. +# +# @param md_store_dir +# Path on the local file system to store the Managed Domains data. +# +# @param md_warn_window +# Define the time window when you want to be warned about an expiring +# certificate. +# +# @see https://httpd.apache.org/docs/current/mod/mod_md.html for additional documentation. +# +# @note Unsupported platforms: CentOS: 6, 7; OracleLinux: all; RedHat: 6, 7; Scientific: all; SLES: all; Ubuntu: 18 +class apache::mod::md ( + Optional[String] $md_activation_delay = undef, + Optional[Apache::OnOff] $md_base_server = undef, + Optional[Array[Enum['dns-01', 'http-01', 'tls-alpn-01']]] $md_ca_challenges = undef, + Optional[Enum['accepted']] $md_certificate_agreement = undef, + Optional[Stdlib::HTTPUrl] $md_certificate_authority = undef, + Optional[String] $md_certificate_check = undef, # undocumented + Optional[String] $md_certificate_monitor = undef, + Optional[Enum['ACME']] $md_certificate_protocol = undef, + Optional[Apache::OnOff] $md_certificate_status = undef, + Optional[Stdlib::Absolutepath] $md_challenge_dns01 = undef, + Optional[String] $md_contact_email = undef, + Optional[Stdlib::HTTPUrl] $md_http_proxy = undef, + Optional[Enum['auto', 'manual']] $md_members = undef, + Optional[Stdlib::Absolutepath] $md_message_cmd = undef, + Optional[Apache::OnOff] $md_must_staple = undef, + Optional[Stdlib::Absolutepath] $md_notify_cmd = undef, + Optional[String] $md_port_map = undef, + Optional[String] $md_private_keys = undef, + Optional[Enum['always', 'auto', 'manual']] $md_renew_mode = undef, + Optional[String] $md_renew_window = undef, + Optional[Enum['off', 'permanent', 'temporary']] $md_require_https = undef, + Optional[Apache::OnOff] $md_server_status = undef, + Optional[Apache::OnOff] $md_staple_others = undef, + Optional[Apache::OnOff] $md_stapling = undef, + Optional[String] $md_stapling_keep_response = undef, + Optional[String] $md_stapling_renew_window = undef, + Optional[Stdlib::Absolutepath] $md_store_dir = undef, + Optional[String] $md_warn_window = undef, +) { + include apache + include apache::mod::watchdog + + apache::mod { 'md': + } + + file { 'md.conf': + ensure => file, + path => "${apache::mod_dir}/md.conf", + mode => $apache::file_mode, + content => epp('apache/mod/md.conf.epp'), + require => Exec["mkdir ${apache::mod_dir}"], + before => File[$apache::mod_dir], + notify => Class['apache::service'], + } +} diff --git a/manifests/mod/mime.pp b/manifests/mod/mime.pp index ba62ebc638..36312e3abb 100644 --- a/manifests/mod/mime.pp +++ b/manifests/mod/mime.pp @@ -1,12 +1,44 @@ -class apache::mod::mime { +# @summary +# Installs and configures `mod_mime`. +# +# @param mime_support_package +# Name of the MIME package to be installed. +# +# @param mime_types_config +# The location of the mime.types file. +# +# @param mime_types_additional +# List of additional MIME types to include. +# +# @see https://httpd.apache.org/docs/current/mod/mod_mime.html for additional documentation. +# +class apache::mod::mime ( + Optional[String] $mime_support_package = $apache::params::mime_support_package, + String $mime_types_config = $apache::params::mime_types_config, + Optional[Hash] $mime_types_additional = undef, +) inherits apache::params { + include apache + $_mime_types_additional = pick($mime_types_additional, $apache::mime_types_additional) apache::mod { 'mime': } - # Template uses no variables + # Template uses $_mime_types_config + $parameters = { + 'mime_types_config' => $mime_types_config, + '_mime_types_additional' => $_mime_types_additional, + } + file { 'mime.conf': ensure => file, path => "${apache::mod_dir}/mime.conf", - content => template('apache/mod/mime.conf.erb'), + mode => $apache::file_mode, + content => epp('apache/mod/mime.conf.epp', $parameters), require => Exec["mkdir ${apache::mod_dir}"], before => File[$apache::mod_dir], - notify => Service['httpd'], + notify => Class['apache::service'], + } + if $mime_support_package { + package { $mime_support_package: + ensure => 'installed', + before => File['mime.conf'], + } } } diff --git a/manifests/mod/mime_magic.pp b/manifests/mod/mime_magic.pp index c0ff0a7f67..9e2d1787e3 100644 --- a/manifests/mod/mime_magic.pp +++ b/manifests/mod/mime_magic.pp @@ -1,12 +1,25 @@ -class apache::mod::mime_magic { +# @summary +# Installs and configures `mod_mime_magic`. +# +# @param magic_file +# Enable MIME-type determination based on file contents using the specified magic file. +# +# @see https://httpd.apache.org/docs/current/mod/mod_mime_magic.html for additional documentation. +# +class apache::mod::mime_magic ( + Optional[String] $magic_file = undef, +) { + include apache + $_magic_file = pick($magic_file, "${apache::conf_dir}/magic") apache::mod { 'mime_magic': } - # Template uses no variables + # Template uses $magic_file file { 'mime_magic.conf': ensure => file, path => "${apache::mod_dir}/mime_magic.conf", - content => template('apache/mod/mime_magic.conf.erb'), + mode => $apache::file_mode, + content => epp('apache/mod/mime_magic.conf.epp', { '_magic_file' => $_magic_file, }), require => Exec["mkdir ${apache::mod_dir}"], before => File[$apache::mod_dir], - notify => Service['httpd'], + notify => Class['apache::service'], } } diff --git a/manifests/mod/mpm_event.pp b/manifests/mod/mpm_event.pp deleted file mode 100644 index 92e558e17f..0000000000 --- a/manifests/mod/mpm_event.pp +++ /dev/null @@ -1,11 +0,0 @@ -class apache::mod::mpm_event { - # Template uses no variables - file { 'mpm_event.conf': - ensure => file, - path => "${apache::mod_dir}/mpm_event.conf", - content => template('apache/mod/mpm_event.conf.erb'), - require => Exec["mkdir ${apache::mod_dir}"], - before => File[$apache::mod_dir], - notify => Service['httpd'], - } -} diff --git a/manifests/mod/negotiation.pp b/manifests/mod/negotiation.pp index e10c4921de..7b18540bda 100644 --- a/manifests/mod/negotiation.pp +++ b/manifests/mod/negotiation.pp @@ -1,12 +1,37 @@ -class apache::mod::negotiation { - apache::mod { 'negotiation': } +# @summary +# Installs and configures `mod_negotiation`. +# +# @param force_language_priority +# Action to take if a single acceptable document is not found. +# +# @param language_priority +# The precedence of language variants for cases where the client does not express a preference. +# +# @see [https://httpd.apache.org/docs/current/mod/mod_negotiation.html for additional documentation. +# +class apache::mod::negotiation ( + Variant[Array[String], String] $force_language_priority = 'Prefer Fallback', + Variant[Array[String], String] $language_priority = ['en', 'ca', 'cs', 'da', 'de', 'el', 'eo', 'es', 'et', + 'fr', 'he', 'hr', 'it', 'ja', 'ko', 'ltz', 'nl', 'nn', + 'no', 'pl', 'pt', 'pt-BR', 'ru', 'sv', 'zh-CN', + 'zh-TW'], +) { + include apache + + ::apache::mod { 'negotiation': } # Template uses no variables + $parameters = { + 'language_priority' => $language_priority, + 'force_language_priority' => $force_language_priority, + } + file { 'negotiation.conf': ensure => file, + mode => $apache::file_mode, path => "${apache::mod_dir}/negotiation.conf", - content => template('apache/mod/negotiation.conf.erb'), + content => epp('apache/mod/negotiation.conf.epp', $parameters), require => Exec["mkdir ${apache::mod_dir}"], before => File[$apache::mod_dir], - notify => Service['httpd'], + notify => Class['apache::service'], } } diff --git a/manifests/mod/nss.pp b/manifests/mod/nss.pp new file mode 100644 index 0000000000..f8c0467716 --- /dev/null +++ b/manifests/mod/nss.pp @@ -0,0 +1,53 @@ +# @summary +# Installs and configures `mod_nss`. +# +# @param transfer_log +# Path to `access.log`. +# +# @param error_log +# Path to `error.log` +# +# @param passwd_file +# Path to file containing token passwords used for NSSPassPhraseDialog. +# +# @param port +# Sets the SSL port that should be used by mod_nss. +# +# @see https://pagure.io/mod_nss for additional documentation. +# +class apache::mod::nss ( + Stdlib::Absolutepath $transfer_log = "${apache::params::logroot}/access.log", + Stdlib::Absolutepath $error_log = "${apache::params::logroot}/error.log", + Optional[String] $passwd_file = undef, + Stdlib::Port $port = 8443, +) { + include apache + include apache::mod::mime + + apache::mod { 'nss': } + + $httpd_dir = $apache::httpd_dir + + # Template uses: + # $transfer_log + # $error_log + # $http_dir + # passwd_file + $parameters = { + 'port' => $port, + 'passwd_file' => $passwd_file, + 'error_log' => $error_log, + 'transfer_log' => $transfer_log, + 'httpd_dir' => $httpd_dir, + } + + file { 'nss.conf': + ensure => file, + path => "${apache::mod_dir}/nss.conf", + mode => $apache::file_mode, + content => epp('apache/mod/nss.conf.epp', $parameters), + require => Exec["mkdir ${apache::mod_dir}"], + before => File[$apache::mod_dir], + notify => Class['apache::service'], + } +} diff --git a/manifests/mod/pagespeed.pp b/manifests/mod/pagespeed.pp new file mode 100644 index 0000000000..045420da46 --- /dev/null +++ b/manifests/mod/pagespeed.pp @@ -0,0 +1,245 @@ +# @summary +# Installs and manages mod_pagespeed, which is a Google module that rewrites web pages to reduce latency and bandwidth. +# +# This module does *not* manage the software repositories needed to automatically install the +# mod-pagespeed-stable package. The module does however require that the package be installed, +# or be installable using the system's default package provider. You should ensure that this +# pre-requisite is met or declaring `apache::mod::pagespeed` will cause the puppet run to fail. +# +# @param inherit_vhost_config +# Whether or not to inherit the vhost config +# +# @param filter_xhtml +# Whether to filter by xhtml +# +# @param cache_path +# Where to cache any files +# +# @param log_dir +# The log directory +# +# @param memcache_servers +# +# @param rewrite_level +# The inbuilt filter level to be used. +# Can be `PassThrough`, `CoreFilters` or `OptimizeForBandwidth`. +# +# @param disable_filters +# An array of filters that you wish to disable +# +# @param enable_filters +# An array of filters that you wish to enable +# +# @param forbid_filters +# An array of filters that you wish to forbid +# +# @param rewrite_deadline_per_flush_ms +# How long to wait after attempting to rewrite an uncache/expired resource. +# +# @param additional_domains +# Any additional domains that PageSpeed should optimize resources from. +# +# @param file_cache_size_kb +# The maximum size of the cache +# +# @param file_cache_clean_interval_ms +# The interval between which the cache is cleaned +# +# @param lru_cache_per_process +# The amount of memory dedcated to each process +# +# @param lru_cache_byte_limit +# How large a cache entry the cache will accept +# +# @param css_flatten_max_bytes +# The maximum size in bytes of the flattened CSS +# +# @param css_inline_max_bytes +# The maximum size in bytes of any image that will be inlined into CSS +# +# @param css_image_inline_max_bytes +# The maximum size in bytes of any image that will be inlined into an HTML file +# +# @param image_inline_max_bytes +# The maximum size in bytes of any inlined CSS file +# +# @param js_inline_max_bytes +# The maximum size in bytes of any inlined JavaScript file +# +# @param css_outline_min_bytes +# The minimum size in bytes for a CSS file to qualify as an outline +# +# @param js_outline_min_bytes +# The minimum size in bytes for a JavaScript file to qualify as an outline +# +# @param inode_limit +# The file cache inode limit +# +# @param image_max_rewrites_at_once +# The maximum number of images to optimize concurrently +# +# @param num_rewrite_threads +# The amount of threads to use for rewrite at one time +# These threads are used for short, latency-sensitive work. +# +# @param num_expensive_rewrite_threads +# The amount of threads to use for rewrite at one time +# These threads are used for full optimization. +# +# @param collect_statistics +# Whether to collect cross-process statistics +# +# @param statistics_logging +# Whether graphs should be drawn from collected statistics +# +# @param allow_view_stats +# What sources should be allowed to view the resultant graph +# +# @param allow_pagespeed_console +# What sources to draw the graphs from +# +# @param allow_pagespeed_message +# +# @param message_buffer_size +# The amount of bytes to allocate as a buffer to hold recent log messages +# +# @param additional_configuration +# Any additional configuration no included as it's own option +# +# @param package_ensure +# +# @example +# class { 'apache::mod::pagespeed': +# inherit_vhost_config => 'on', +# filter_xhtml => false, +# cache_path => '/var/cache/mod_pagespeed/', +# log_dir => '/var/log/pagespeed', +# memache_servers => [], +# rewrite_level => 'CoreFilters', +# disable_filters => [], +# enable_filters => [], +# forbid_filters => [], +# rewrite_deadline_per_flush_ms => 10, +# additional_domains => undef, +# file_cache_size_kb => 102400, +# file_cache_clean_interval_ms => 3600000, +# lru_cache_per_process => 1024, +# lru_cache_byte_limit => 16384, +# css_flatten_max_bytes => 2048, +# css_inline_max_bytes => 2048, +# css_image_inline_max_bytes => 2048, +# image_inline_max_bytes => 2048, +# js_inline_max_bytes => 2048, +# css_outline_min_bytes => 3000, +# js_outline_min_bytes => 3000, +# inode_limit => 500000, +# image_max_rewrites_at_once => 8, +# num_rewrite_threads => 4, +# num_expensive_rewrite_threads => 4, +# collect_statistics => 'on', +# statistics_logging => 'on', +# allow_view_stats => [], +# allow_pagespeed_console => [], +# allow_pagespeed_message => [], +# message_buffer_size => 100000, +# additional_configuration => { } +# } +# +# @note +# Verify that your system is compatible with the latest Google Pagespeed requirements. +# +# Although this apache module requires the mod-pagespeed-stable package, Puppet does not manage the software repositories required to +# automatically install the package. If you declare this class when the package is either not installed or not available to your +# package manager, your Puppet run will fail. +# +# @see https://developers.google.com/speed/pagespeed/module/ for additional documentation. +# +class apache::mod::pagespeed ( + String $inherit_vhost_config = 'on', + Boolean $filter_xhtml = false, + Stdlib::Absolutepath $cache_path = '/var/cache/mod_pagespeed/', + Stdlib::Absolutepath $log_dir = '/var/log/pagespeed', + Array $memcache_servers = [], + String $rewrite_level = 'CoreFilters', + Array $disable_filters = [], + Array $enable_filters = [], + Array $forbid_filters = [], + Integer $rewrite_deadline_per_flush_ms = 10, + Optional[String] $additional_domains = undef, + Integer $file_cache_size_kb = 102400, + Integer $file_cache_clean_interval_ms = 3600000, + Integer $lru_cache_per_process = 1024, + Integer $lru_cache_byte_limit = 16384, + Integer $css_flatten_max_bytes = 2048, + Integer $css_inline_max_bytes = 2048, + Integer $css_image_inline_max_bytes = 2048, + Integer $image_inline_max_bytes = 2048, + Integer $js_inline_max_bytes = 2048, + Integer $css_outline_min_bytes = 3000, + Integer $js_outline_min_bytes = 3000, + Integer $inode_limit = 500000, + Integer $image_max_rewrites_at_once = 8, + Integer $num_rewrite_threads = 4, + Integer $num_expensive_rewrite_threads = 4, + String $collect_statistics = 'on', + String $statistics_logging = 'on', + Array $allow_view_stats = [], + Array $allow_pagespeed_console = [], + Array $allow_pagespeed_message = [], + Integer $message_buffer_size = 100000, + Variant[Array, Hash] $additional_configuration = {}, + Optional[String] $package_ensure = undef, +) { + include apache + + apache::mod { 'pagespeed': + lib => 'mod_pagespeed_ap24.so', + package_ensure => $package_ensure, + } + + $parameters = { + 'inherit_vhost_config' => $inherit_vhost_config, + 'filter_xhtml' => $filter_xhtml, + 'cache_path' => $cache_path, + 'log_dir' => $log_dir, + 'memcache_servers' => $memcache_servers, + 'rewrite_level' => $rewrite_level, + 'disable_filters' => $disable_filters, + 'enable_filters' => $enable_filters, + 'forbid_filters' => $forbid_filters, + 'rewrite_deadline_per_flush_ms' => $rewrite_deadline_per_flush_ms, + 'additional_domains' => $additional_domains, + 'file_cache_size_kb' => $file_cache_size_kb, + 'file_cache_clean_interval_ms' => $file_cache_clean_interval_ms, + 'lru_cache_per_process' => $lru_cache_per_process, + 'lru_cache_byte_limit' => $lru_cache_byte_limit, + 'css_flatten_max_bytes' => $css_flatten_max_bytes, + 'css_inline_max_bytes' => $css_inline_max_bytes, + 'css_image_inline_max_bytes' => $css_image_inline_max_bytes, + 'image_inline_max_bytes' => $image_inline_max_bytes, + 'js_inline_max_bytes' => $js_inline_max_bytes, + 'css_outline_min_bytes' => $css_outline_min_bytes, + 'js_outline_min_bytes' => $js_outline_min_bytes, + 'inode_limit' => $inode_limit, + 'image_max_rewrites_at_once' => $image_max_rewrites_at_once, + 'num_rewrite_threads' => $num_rewrite_threads, + 'num_expensive_rewrite_threads' => $num_expensive_rewrite_threads, + 'collect_statistics' => $collect_statistics, + 'allow_view_stats' => $allow_view_stats, + 'statistics_logging' => $statistics_logging, + 'allow_pagespeed_console' => $allow_pagespeed_console, + 'message_buffer_size' => $message_buffer_size, + 'allow_pagespeed_message' => $allow_pagespeed_message, + 'additional_configuration' => $additional_configuration, + } + + file { 'pagespeed.conf': + ensure => file, + path => "${apache::mod_dir}/pagespeed.conf", + mode => $apache::file_mode, + content => epp('apache/mod/pagespeed.conf.epp', $parameters), + require => Exec["mkdir ${apache::mod_dir}"], + before => File[$apache::mod_dir], + notify => Class['apache::service'], + } +} diff --git a/manifests/mod/passenger.pp b/manifests/mod/passenger.pp index 004f128fd7..0c5ab76435 100644 --- a/manifests/mod/passenger.pp +++ b/manifests/mod/passenger.pp @@ -1,32 +1,819 @@ +# @summary +# Installs `mod_pasenger`. +# > **Note**: This module support Passenger 4.0.0 and higher. +# +# @param manage_repo +# Toggle whether to manage yum repo if on a RedHat node. +# +# @param mod_id +# Specifies the package id. +# +# @param mod_lib +# Defines the module's shared object name. Do not configure manually without special reason. +# +# @param mod_lib_path +# Specifies a path to the module's libraries. Do not manually set this parameter without special reason. The `path` parameter overrides +# this value. +# +# @param mod_package +# Name of the module package to install. +# +# @param mod_package_ensure +# Determines whether Puppet ensures the module should be installed. +# +# @param mod_path +# Specifies a path to the module. Do not manually set this parameter without a special reason. +# +# @param passenger_admin_panel_url +# Specifies a Fuse Panel URL that the Passenger to to enable monitoring, administering, analysis and troubleshooting of this Passenger instance and apps. +# +# @param passenger_admin_panel_auth_type +# Specifies the authentication type to use for the Fuse Panel. Currently it support only basic type of authentiction. +# Ref : https://www.phusionpassenger.com/library/config/apache/reference/#passengeradminpanelauthtype +# +# @param passenger_admin_panel_username +# The username that Passenger should use when connecting to the Fuse Panel with basic authentication. +# +# @param passenger_admin_panel_password +# The password that Passenger should use when connecting to the Fuse Panel with basic authentication. +# +# @param passenger_allow_encoded_slashes +# Toggle whether URLs with encoded slashes (%2f) can be used (by default Apache does not support this). +# +# @param passenger_anonymous_telemetry_proxy +# Set an intermediate proxy for the Passenger anonymous telemetry reporting. +# +# @param passenger_app_env +# This option sets, for the current application, the value of the following environment variables: +# - RAILS_ENV +# - RACK_ENV +# - WSGI_ENV +# - NODE_ENV +# - PASSENGER_APP_ENV +# +# @param passenger_app_group_name +# Sets the name of the application group that the current application should belong to. +# +# @param passenger_app_log_file +# File path to application specifile log file. By default passenger will write all application log messages to the Passenger log file. +# +# @param passenger_app_root +# Path to the application root which allows access independent from the DocumentRoot. +# +# @param passenger_app_type +# Specifies the type of the application. If you set this option, then you must also set PassengerAppRoot, otherwise Passenger will +# not properly recognize your application. +# +# @param passenger_base_uri +# Used to specify that the given URI is an distinct application that should be served by Passenger. +# +# @param passenger_buffer_response +# Toggle whether application-generated responses are buffered by Apache. Buffering will happen in memory. +# +# @param passenger_buffer_upload +# Toggle whether HTTP client request bodies are buffered before they are sent to the application. +# +# @param passenger_concurrency_model +# Specifies the I/O concurrency model that should be used for Ruby application processes. +# +# @param passenger_conf_file +# +# +# @param passenger_conf_package_file +# +# +# @param passenger_data_buffer_dir +# Specifies the directory in which to store data buffers. +# +# @param passenger_debug_log_file +# +# +# @param passenger_debugger +# Turns support for Ruby application debugging on or off. +# +# @param passenger_default_group +# Allows you to specify the group that applications must run as, if user switching fails or is disabled. +# +# @param passenger_default_ruby +# File path to desired ruby interpreter to use by default. +# +# @param passenger_default_user +# Allows you to specify the user that applications must run as, if user switching fails or is disabled. +# +# @param passenger_disable_anonymous_telemetry +# Whether or not to disable the Passenger anonymous telemetry reporting. +# +# @param passenger_disable_log_prefix +# Whether to stop Passenger from prefixing logs when they are written to a log file. +# +# @param passenger_disable_security_update_check +# Allows disabling the Passenger security update check, a daily check with https://securitycheck.phusionpassenger.com for important +# security updates that might be available. +# +# @param passenger_enabled +# Toggles whether Passenger should be enabled for that particular context. +# +# @param passenger_dump_config_manifest +# Dumps the configuration manifest to the given file. +# +# @param passenger_error_override +# Toggles whether Apache will intercept and handle responses with HTTP status codes of 400 and higher. +# +# @param passenger_file_descriptor_log_file +# Log file descriptor debug tracing messages to the given file. +# +# @param passenger_fly_with +# Enables the Flying Passenger mode, and configures Apache to connect to the Flying Passenger daemon that's listening on the +# given socket filename. +# +# @param passenger_force_max_concurrent_requests_per_process +# Use this option to tell Passenger how many concurrent requests the application can handle per process. +# +# @param passenger_friendly_error_pages +# Toggles whether Passenger should display friendly error pages whenever an application fails to start. +# +# @param passenger_group +# Allows you to override that behavior and explicitly set a group to run the web application as, regardless of the ownership of the +# startup file. +# +# @param passenger_high_performance +# Toggles whether to enable PassengerHighPerformance which will make Passenger will be a little faster, in return for reduced +# compatibility with other Apache modules. +# +# @param passenger_installed_version +# +# +# @param passenger_instance_registry_dir +# Specifies the directory that Passenger should use for registering its current instance. +# +# @param passenger_load_shell_envvars +# Enables or disables the loading of shell environment variables before spawning the application. +# +# @param passenger_preload_bundler +# Enables or disables loading bundler before loading your Ruby app. +# +# @param passenger_log_file +# File path to log file. By default Passenger log messages are written to the Apache global error log. +# +# @param passenger_log_level +# Specifies how much information Passenger should log to its log file. A higher log level value means that more +# information will be logged. +# +# @param passenger_lve_min_uid +# When using Passenger on a LVE-enabled kernel, a security check (enter) is run for spawning application processes. This options +# tells the check to only allow processes with UIDs equal to, or higher than, the specified value. +# +# @param passenger_max_instances +# The maximum number of application processes that may simultaneously exist for an application. +# +# @param passenger_max_instances_per_app +# The maximum number of application processes that may simultaneously exist for a single application. +# +# @param passenger_max_pool_size +# The maximum number of application processes that may simultaneously exist. +# +# @param passenger_max_preloader_idle_time +# Set the preloader's idle timeout, in seconds. A value of 0 means that it should never idle timeout. +# +# @param passenger_max_request_queue_size +# Specifies the maximum size for the queue of all incoming requests. +# +# @param passenger_max_request_time +# The maximum amount of time, in seconds, that an application process may take to process a request. +# +# @param passenger_max_requests +# The maximum number of requests an application process will process. +# +# @param passenger_max_request_queue_time +# The maximum amount of time, in seconds, that a request may be queued before Passenger will return an error. +# This option specifies the maximum time a request may spend in that queue. If a request in the queue reaches this specified limit, then Passenger will send a "504 Gateway Timeout" error for that request. +# +# @param passenger_memory_limit +# The maximum amount of memory that an application process may use, in megabytes. +# +# @param passenger_meteor_app_settings +# When using a Meteor application in non-bundled mode, use this option to specify a JSON file with settings for the application. +# +# @param passenger_min_instances +# Specifies the minimum number of application processes that should exist for a given application. +# +# @param passenger_nodejs +# Specifies the Node.js command to use for serving Node.js web applications. +# +# @param passenger_pool_idle_time +# The maximum number of seconds that an application process may be idle. +# +# @param passenger_pre_start +# URL of the web application you want to pre-start. +# +# @param passenger_python +# Specifies the Python interpreter to use for serving Python web applications. +# +# @param passenger_resist_deployment_errors +# Enables or disables resistance against deployment errors. +# +# @param passenger_resolve_symlinks_in_document_root +# This option is no longer available in version 5.2.0. Switch to PassengerAppRoot if you are setting the application root via a +# document root containing symlinks. +# +# @param passenger_response_buffer_high_watermark +# Configures the maximum size of the real-time disk-backed response buffering system. +# +# @param passenger_restart_dir +# Path to directory containing restart.txt file. Can be either absolute or relative. +# +# @param passenger_rolling_restarts +# Enables or disables support for zero-downtime application restarts through restart.txt. +# +# @param passenger_root +# Refers to the location to the Passenger root directory, or to a location configuration file. +# +# @param passenger_ruby +# Specifies the Ruby interpreter to use for serving Ruby web applications. +# +# @param passenger_security_update_check_proxy +# Allows use of an intermediate proxy for the Passenger security update check. +# +# @param passenger_show_version_in_header +# Toggle whether Passenger will output its version number in the X-Powered-By header in all Passenger-served requests: +# +# @param passenger_socket_backlog +# This option can be raised if Apache manages to overflow the backlog queue. +# +# @param passenger_spawn_dir +# The directory in which Passenger will record progress during startup +# +# @param passenger_spawn_method +# Controls whether Passenger spawns applications directly, or using a prefork copy-on-write mechanism. +# +# @param passenger_start_timeout +# Specifies a timeout for the startup of application processes. +# +# @param passenger_startup_file +# Specifies the startup file that Passenger should use when loading the application. +# +# @param passenger_stat_throttle_rate +# Setting this option to a value of x means that certain filesystem checks will be performed at most once every x seconds. +# +# @param passenger_sticky_sessions +# Toggles whether all requests that a client sends will be routed to the same originating application process, whenever possible. +# +# @param passenger_sticky_sessions_cookie_name +# Sets the name of the sticky sessions cookie. +# +# @param passenger_sticky_sessions_cookie_attributes +# Sets the attributes of the sticky sessions cookie. +# +# @param passenger_thread_count +# Specifies the number of threads that Passenger should spawn per Ruby application process. +# +# @param passenger_use_global_queue +# N/A. +# +# @param passenger_user +# Allows you to override that behavior and explicitly set a user to run the web application as, regardless of the ownership of the +# startup file. +# +# @param passenger_user_switching +# Toggles whether to attempt to enable user account sandboxing, also known as user switching. +# +# @param rack_env +# Alias for PassengerAppEnv. +# +# @param rails_env +# Alias for PassengerAppEnv. +# +# @param rails_framework_spawner_idle_time +# This option is no longer available in version 4.0.0. There is no alternative because framework spawning has been removed +# altogether. You should use smart spawning instead. +# +# @note +# In Passenger source code you can strip out what are all the available options by looking in +# - src/apache2_module/Configuration.cpp +# - src/apache2_module/ConfigurationCommands.cpp +# There are also several undocumented settings. +# +# @note +# For Red Hat based systems, ensure that you meet the minimum requirements described in the passenger docs. +# +# The current set of server configurations settings were taken directly from the Passenger Reference. To enable deprecation warnings +# and removal failure messages, set the passenger_installed_version to the version number installed on the server. +# +# Change Log: +# - As of 08/13/2017 there are 84 available/deprecated/removed settings. +# - Around 08/20/2017 UnionStation was discontinued options were removed. +# - As of 08/20/2017 there are 77 available/deprecated/removed settings. +# +# @see https://www.phusionpassenger.com/docs/references/config_reference/apache/ for additional documentation. +# class apache::mod::passenger ( - $passenger_high_performance = undef, - $passenger_pool_idle_time = undef, - $passenger_max_requests = undef, - $passenger_stat_throttle_rate = undef, - $rack_autodetect = undef, - $rails_autodetect = undef, - $passenger_root = $apache::params::passenger_root, - $passenger_ruby = $apache::params::passenger_ruby, - $passenger_max_pool_size = undef, - $passenger_use_global_queue = undef, -) { - apache::mod { 'passenger': } + Boolean $manage_repo = true, + Optional[String] $mod_id = undef, + Optional[String] $mod_lib = undef, + Optional[String] $mod_lib_path = undef, + Optional[String] $mod_package = undef, + Optional[String] $mod_package_ensure = undef, + Optional[String] $mod_path = undef, + Optional[Integer] $passenger_max_request_queue_time = undef, + Optional[String] $passenger_admin_panel_url = undef, + Optional[Enum['basic']] $passenger_admin_panel_auth_type = undef, + Optional[String] $passenger_admin_panel_username = undef, + Optional[String] $passenger_admin_panel_password = undef, + Optional[String] $passenger_app_log_file = undef, + Optional[Apache::OnOff] $passenger_allow_encoded_slashes = undef, + Optional[String] $passenger_anonymous_telemetry_proxy = undef, + Optional[String] $passenger_app_env = undef, + Optional[String] $passenger_app_group_name = undef, + Optional[String] $passenger_app_root = undef, + Optional[String] $passenger_app_type = undef, + Optional[String] $passenger_base_uri = undef, + Optional[Apache::OnOff] $passenger_buffer_response = undef, + Optional[Apache::OnOff] $passenger_buffer_upload = undef, + Optional[String] $passenger_concurrency_model = undef, + String $passenger_conf_file = $apache::params::passenger_conf_file, + Optional[String] $passenger_conf_package_file = $apache::params::passenger_conf_package_file, + Optional[Stdlib::Absolutepath] $passenger_data_buffer_dir = undef, + Optional[String] $passenger_debug_log_file = undef, + Optional[Apache::OnOff] $passenger_debugger = undef, + Optional[String] $passenger_default_group = undef, + Optional[String] $passenger_default_ruby = $apache::params::passenger_default_ruby, + Optional[String] $passenger_default_user = undef, + Optional[Boolean] $passenger_disable_anonymous_telemetry = undef, + Optional[Boolean] $passenger_disable_log_prefix = undef, + Optional[Apache::OnOff] $passenger_disable_security_update_check = undef, + Optional[Apache::OnOff] $passenger_enabled = undef, + Optional[String] $passenger_dump_config_manifest = undef, + Optional[Apache::OnOff] $passenger_error_override = undef, + Optional[String] $passenger_file_descriptor_log_file = undef, + Optional[String] $passenger_fly_with = undef, + Optional[Variant[Integer, String]] $passenger_force_max_concurrent_requests_per_process = undef, + Optional[Apache::OnOff] $passenger_friendly_error_pages = undef, + Optional[String] $passenger_group = undef, + Optional[Apache::OnOff] $passenger_high_performance = undef, + Optional[String] $passenger_installed_version = undef, + Optional[String] $passenger_instance_registry_dir = undef, + Optional[Apache::OnOff] $passenger_load_shell_envvars = undef, + Optional[Boolean] $passenger_preload_bundler = undef, + Optional[Stdlib::Absolutepath] $passenger_log_file = undef, + Optional[Integer] $passenger_log_level = undef, + Optional[Integer] $passenger_lve_min_uid = undef, + Optional[Integer] $passenger_max_instances = undef, + Optional[Integer] $passenger_max_instances_per_app = undef, + Optional[Integer] $passenger_max_pool_size = undef, + Optional[Integer] $passenger_max_preloader_idle_time = undef, + Optional[Integer] $passenger_max_request_queue_size = undef, + Optional[Integer] $passenger_max_request_time = undef, + Optional[Integer] $passenger_max_requests = undef, + Optional[Integer] $passenger_memory_limit = undef, + Optional[String] $passenger_meteor_app_settings = undef, + Optional[Integer] $passenger_min_instances = undef, + Optional[String] $passenger_nodejs = undef, + Optional[Integer] $passenger_pool_idle_time = undef, + Optional[Variant[String, Array[String]]] $passenger_pre_start = undef, + Optional[String] $passenger_python = undef, + Optional[Apache::OnOff] $passenger_resist_deployment_errors = undef, + Optional[Apache::OnOff] $passenger_resolve_symlinks_in_document_root = undef, + Optional[Variant[Integer, String]] $passenger_response_buffer_high_watermark = undef, + Optional[String] $passenger_restart_dir = undef, + Optional[Apache::OnOff] $passenger_rolling_restarts = undef, + Optional[String] $passenger_root = $apache::params::passenger_root, + Optional[String] $passenger_ruby = $apache::params::passenger_ruby, + Optional[String] $passenger_security_update_check_proxy = undef, + Optional[Apache::OnOff] $passenger_show_version_in_header = undef, + Optional[Variant[Integer, String]] $passenger_socket_backlog = undef, + Optional[String] $passenger_spawn_dir = undef, + Optional[Enum['smart', 'direct', 'smart-lv2', 'conservative']] $passenger_spawn_method = undef, + Optional[Integer] $passenger_start_timeout = undef, + Optional[String] $passenger_startup_file = undef, + Optional[Integer] $passenger_stat_throttle_rate = undef, + Optional[Apache::OnOff] $passenger_sticky_sessions = undef, + Optional[String] $passenger_sticky_sessions_cookie_name = undef, + Optional[String] $passenger_sticky_sessions_cookie_attributes = undef, + Optional[Integer] $passenger_thread_count = undef, + Optional[String] $passenger_use_global_queue = undef, + Optional[String] $passenger_user = undef, + Optional[Apache::OnOff] $passenger_user_switching = undef, + Optional[String] $rack_env = undef, + Optional[String] $rails_env = undef, + Optional[String] $rails_framework_spawner_idle_time = undef, +) inherits apache::params { + include apache + if $passenger_installed_version { + if $passenger_anonymous_telemetry_proxy { + if (versioncmp($passenger_installed_version, '6.0.0') < 0) { + fail("Passenger config option :: passenger_anonymous_telemetry_proxy is not introduced until version 6.0.0 :: ${passenger_installed_version} is the version reported") + } + } + if $passenger_app_type { + if (versioncmp($passenger_installed_version, '4.0.25') < 0) { + fail("Passenger config option :: passenger_app_type is not introduced until version 4.0.25 :: ${passenger_installed_version} is the version reported") + } + } + if $passenger_buffer_upload { + if (versioncmp($passenger_installed_version, '4.0.26') < 0) { + fail("Passenger config option :: passenger_buffer_upload is not introduced until version 4.0.26 :: ${passenger_installed_version} is the version reported") + } + } + if $passenger_data_buffer_dir { + if (versioncmp($passenger_installed_version, '5.0.0') < 0) { + fail("Passenger config option :: passenger_data_buffer_dir is not introduced until version 5.0.0 :: ${passenger_installed_version} is the version reported") + } + } + if $passenger_debug_log_file { + if (versioncmp($passenger_installed_version, '5.0.5') > 0) { + warning('DEPRECATED PASSENGER OPTION :: passenger_debug_log_file :: This option has been renamed in version 5.0.5 to PassengerLogFile.') + } + } + if $passenger_disable_anonymous_telemetry { + if (versioncmp($passenger_installed_version, '6.0.0') < 0) { + fail("Passenger config option :: passenger_disable_anonymous_telemetry is not introduced until version 6.0.0 :: ${passenger_installed_version} is the version reported") + } + } + if $passenger_disable_log_prefix { + if (versioncmp($passenger_installed_version, '6.0.2') < 0) { + fail("Passenger config option :: passenger_disable_log_prefix is not introduced until version 6.0.2 :: ${passenger_installed_version} is the version reported") + } + } + if $passenger_disable_security_update_check { + if (versioncmp($passenger_installed_version, '5.1.0') < 0) { + fail("Passenger config option :: passenger_disable_security_update_check is not introduced until version 5.1.0 :: ${passenger_installed_version} is the version reported") + } + } + if $passenger_error_override { + if (versioncmp($passenger_installed_version, '4.0.24') < 0) { + fail("Passenger config option :: passenger_error_override is not introduced until version 4.0.24 :: ${passenger_installed_version} is the version reported") + } + } + if $passenger_file_descriptor_log_file { + if (versioncmp($passenger_installed_version, '5.0.5') < 0) { + fail("Passenger config option :: passenger_file_descriptor_log_file is not introduced until version 5.0.5 :: ${passenger_installed_version} is the version reported") + } + } + if $passenger_fly_with { + if (versioncmp($passenger_installed_version, '4.0.45') < 0) { + fail("Passenger config option :: passenger_fly_with is not introduced until version 4.0.45 :: ${passenger_installed_version} is the version reported") + } + } + if $passenger_force_max_concurrent_requests_per_process { + if (versioncmp($passenger_installed_version, '5.0.22') < 0) { + fail("Passenger config option :: passenger_force_max_concurrent_requests_per_process is not introduced until version 5.0.22 :: ${passenger_installed_version} is the version reported") + } + } + if $passenger_friendly_error_pages { + if (versioncmp($passenger_installed_version, '4.0.42') < 0) { + fail("Passenger config option :: passenger_friendly_error_pages is not introduced until version 4.0.42 :: ${passenger_installed_version} is the version reported") + } + } + if $passenger_instance_registry_dir { + if (versioncmp($passenger_installed_version, '5.0.0') < 0) { + fail("Passenger config option :: passenger_instance_registry_dir is not introduced until version 5.0.0 :: ${passenger_installed_version} is the version reported") + } + } + if $passenger_load_shell_envvars { + if (versioncmp($passenger_installed_version, '4.0.20') < 0) { + fail("Passenger config option :: passenger_load_shell_envvars is not introduced until version 4.0.20 :: ${passenger_installed_version} is the version reported") + } + } + if $passenger_preload_bundler { + if (versioncmp($passenger_installed_version, '6.0.13') < 0) { + fail("Passenger config option :: passenger_preload_bundler is not introduced until version 6.0.13 :: ${passenger_installed_version} is the version reported") + } + } + if $passenger_log_file { + if (versioncmp($passenger_installed_version, '5.0.5') < 0) { + fail("Passenger config option :: passenger_log_file is not introduced until version 5.0.5 :: ${passenger_installed_version} is the version reported") + } + } + if $passenger_lve_min_uid { + if (versioncmp($passenger_installed_version, '5.0.28') < 0) { + fail("Passenger config option :: passenger_lve_min_uid is not introduced until version 5.0.28 :: ${passenger_installed_version} is the version reported") + } + } + if $passenger_max_request_queue_size { + if (versioncmp($passenger_installed_version, '4.0.15') < 0) { + fail("Passenger config option :: passenger_max_request_queue_size is not introduced until version 4.0.15 :: ${passenger_installed_version} is the version reported") + } + } + if $passenger_meteor_app_settings { + if (versioncmp($passenger_installed_version, '5.0.7') < 0) { + fail("Passenger config option :: passenger_meteor_app_settings is not introduced until version 5.0.7 :: ${passenger_installed_version} is the version reported") + } + } + if $passenger_nodejs { + if (versioncmp($passenger_installed_version, '4.0.24') < 0) { + fail("Passenger config option :: passenger_nodejs is not introduced until version 4.0.24 :: ${passenger_installed_version} is the version reported") + } + } + if $passenger_response_buffer_high_watermark { + if (versioncmp($passenger_installed_version, '5.0.0') < 0) { + fail("Passenger config option :: passenger_response_buffer_high_watermark is not introduced until version 5.0.0 :: ${passenger_installed_version} is the version reported") + } + } + if $passenger_security_update_check_proxy { + if (versioncmp($passenger_installed_version, '5.1.0') < 0) { + fail("Passenger config option :: passenger_security_update_check_proxy is not introduced until version 5.1.0 :: ${passenger_installed_version} is the version reported") + } + } + if $passenger_show_version_in_header { + if (versioncmp($passenger_installed_version, '5.1.0') < 0) { + fail("Passenger config option :: passenger_show_version_in_header is not introduced until version 5.1.0 :: ${passenger_installed_version} is the version reported") + } + } + if $passenger_socket_backlog { + if (versioncmp($passenger_installed_version, '5.0.24') < 0) { + fail("Passenger config option :: passenger_socket_backlog is not introduced until version 5.0.24 :: ${passenger_installed_version} is the version reported") + } + } + if $passenger_spawn_dir { + if (versioncmp($passenger_installed_version, '6.0.3') < 0) { + fail("Passenger config option :: passenger_spawn_dir is not introduced until version 6.0.3 :: ${passenger_installed_version} is the version reported") + } + } + if $passenger_start_timeout { + if (versioncmp($passenger_installed_version, '4.0.15') < 0) { + fail("Passenger config option :: passenger_start_timeout is not introduced until version 4.0.15 :: ${passenger_installed_version} is the version reported") + } + } + if $passenger_startup_file { + if (versioncmp($passenger_installed_version, '4.0.25') < 0) { + fail("Passenger config option :: passenger_startup_file is not introduced until version 4.0.25 :: ${passenger_installed_version} is the version reported") + } + } + if $passenger_sticky_sessions { + if (versioncmp($passenger_installed_version, '4.0.45') < 0) { + fail("Passenger config option :: passenger_sticky_sessions is not introduced until version 4.0.45 :: ${passenger_installed_version} is the version reported") + } + } + if $passenger_sticky_sessions_cookie_name { + if (versioncmp($passenger_installed_version, '4.0.45') < 0) { + fail("Passenger config option :: passenger_sticky_sessions_cookie_name is not introduced until version 4.0.45 :: ${passenger_installed_version} is the version reported") + } + } + if $passenger_sticky_sessions_cookie_attributes { + if (versioncmp($passenger_installed_version, '6.0.5') < 0) { + fail("Passenger config option :: passenger_sticky_sessions_cookie_attributes is not introduced until version 6.0.5 :: ${passenger_installed_version} is the version reported") + } + } + if $passenger_max_request_queue_time { + if (versioncmp($passenger_installed_version, '5.1.12') < 0) { + fail("Passenger config option :: passenger_base_uri is not introduced until version 5.1.12 :: ${passenger_installed_version} is the version reported") + } + } + if $passenger_admin_panel_url { + if (versioncmp($passenger_installed_version, '5.2.2') < 0) { + fail("Passenger config option :: passenger_admin_panel_url is not introduced until version 5.2.2 :: ${passenger_installed_version} is the version reported") + } + } + if $passenger_admin_panel_auth_type { + if (versioncmp($passenger_installed_version, '5.2.2') < 0) { + fail("Passenger config option :: passenger_admin_panel_auth_type is not introduced until version 5.2.2 :: ${passenger_installed_version} is the version reported") + } + } + if $passenger_admin_panel_username { + if (versioncmp($passenger_installed_version, '5.2.2') < 0) { + fail("Passenger config option :: passenger_admin_panel_username is not introduced until version 5.2.2 :: ${passenger_installed_version} is the version reported") + } + } + if $passenger_admin_panel_password { + if (versioncmp($passenger_installed_version, '5.2.2') < 0) { + fail("Passenger config option :: passenger_admin_panel_password is not introduced until version 5.2.2 :: ${passenger_installed_version} is the version reported") + } + } + if $passenger_dump_config_manifest { + if (versioncmp($passenger_installed_version, '5.2.2') < 0) { + fail("Passenger config option :: passenger_dump_config_manifest is not introduced until version 5.2.2 :: ${passenger_installed_version} is the version reported") + } + } + if $passenger_app_log_file { + if (versioncmp($passenger_installed_version, '5.3.0') < 0) { + fail("Passenger config option :: passenger_app_log_file is not introduced until version 5.3.0 :: ${passenger_installed_version} is the version reported") + } + } + if $passenger_resist_deployment_errors { + if (versioncmp($passenger_installed_version, '5.2.0') > 0) { + fail('REMOVED PASSENGER OPTION :: passenger_resist_deployment_errors :: -- no message on the current passenger reference webpage -- ') + } + } + } + # Managed by the package, but declare it to avoid purging + if $passenger_conf_package_file { + file { 'passenger_package.conf': + path => "${apache::confd_dir}/${passenger_conf_package_file}", + } + } + + $_package = $mod_package + $_package_ensure = $mod_package_ensure + $_lib = $mod_lib + if $facts['os']['family'] == 'FreeBSD' { + if $mod_lib_path { + $_lib_path = $mod_lib_path + } else { + $_lib_path = "${passenger_root}/buildout/apache2" + } + } else { + $_lib_path = $mod_lib_path + } + + if $facts['os']['family'] == 'RedHat' and $manage_repo { + if $facts['os']['name'] == 'Amazon' { + if $facts['os']['release']['major'] == '2' { + $baseurl = 'https://oss-binaries.phusionpassenger.com/yum/passenger/el/7/$basearch' + } else { + $baseurl = 'https://oss-binaries.phusionpassenger.com/yum/passenger/el/6/$basearch' + } + } else { + $baseurl = 'https://oss-binaries.phusionpassenger.com/yum/passenger/el/$releasever/$basearch' + } + + yumrepo { 'passenger': + ensure => 'present', + baseurl => $baseurl, + descr => 'passenger', + enabled => '1', + gpgcheck => '0', + gpgkey => 'https://oss-binaries.phusionpassenger.com/auto-software-signing-gpg-key.txt', + repo_gpgcheck => '1', + sslcacert => '/etc/pki/tls/certs/ca-bundle.crt', + sslverify => '1', + before => Apache::Mod['passenger'], + } + } + + unless ($facts['os']['name'] == 'SLES') { + $_id = $mod_id + $_path = $mod_path + ::apache::mod { 'passenger': + package => $_package, + package_ensure => $_package_ensure, + lib => $_lib, + lib_path => $_lib_path, + id => $_id, + path => $_path, + loadfile_name => 'zpassenger.load', + } + } + # Template uses: - # - $passenger_root - # - $passenger_ruby - # - $passenger_max_pool_size - # - $passenger_high_performance - # - $passenger_max_requests - # - $passenger_stat_throttle_rate - # - $passenger_use_global_queue - # - $rack_autodetect - # - $rails_autodetect + # - $passenger_allow_encoded_slashes : since 4.0.0. + # - $passenger_app_env : since 4.0.0. + # - $passenger_app_group_name : since 4.0.0. + # - $passenger_app_root : since 4.0.0. + # - $passenger_app_type : since 4.0.25. + # - $passenger_base_uri : since 4.0.0. + # - $passenger_buffer_response : since 4.0.0. + # - $passenger_buffer_upload : since 4.0.26. + # - $passenger_concurrency_model : since 4.0.0. + # - $passenger_data_buffer_dir : since 5.0.0. + # - $passenger_debug_log_file : since unkown. Deprecated in 5.0.5. + # - $passenger_debugger : since 3.0.0. + # - $passenger_default_group : since 3.0.0. + # - $passenger_default_ruby : since 4.0.0. + # - $passenger_default_user : since 3.0.0. + # - $passenger_disable_security_update_check : since 5.1.0. + # - $passenger_enabled : since 4.0.0. + # - $passenger_error_override : since 4.0.24. + # - $passenger_file_descriptor_log_file : since 5.0.5. + # - $passenger_fly_with : since 4.0.45. + # - $passenger_force_max_concurrent_requests_per_process : since 5.0.22. + # - $passenger_friendly_error_pages : since 4.0.42. + # - $passenger_group : since 4.0.0. + # - $passenger_high_performance : since 2.0.0. + # - $passenger_instance_registry_dir : since 5.0.0. + # - $passenger_load_shell_envvars : since 4.0.20. + # - $passenger_preload_bundler : since 6.0.13 + # - $passenger_log_file : since 5.0.5. + # - $passenger_log_level : since 3.0.0. + # - $passenger_lve_min_uid : since 5.0.28. + # - $passenger_max_instances : since 3.0.0. + # - $passenger_max_instances_per_app : since 3.0.0. + # - $passenger_max_pool_size : since 1.0.0. + # - $passenger_max_preloader_idle_time : since 4.0.0. + # - $passenger_max_request_queue_size : since 4.0.15. + # - $passenger_max_request_time : since 3.0.0. + # - $passenger_max_requests : since 3.0.0. + # - $passenger_memory_limit : since 3.0.0. + # - $passenger_meteor_app_settings : since 5.0.7. + # - $passenger_min_instances : since 3.0.0. + # - $passenger_nodejs : since 4.0.24. + # - $passenger_pool_idle_time : since 1.0.0. + # - $passenger_pre_start : since 3.0.0. + # - $passenger_python : since 4.0.0. + # - $passenger_resist_deployment_errors : since 3.0.0. + # - $passenger_resolve_symlinks_in_document_root : since 3.0.0. + # - $passenger_response_buffer_high_watermark : since 5.0.0. + # - $passenger_restart_dir : since 3.0.0. + # - $passenger_rolling_restarts : since 3.0.0. + # - $passenger_root : since 1.0.0. + # - $passenger_ruby : since 4.0.0. + # - $passenger_security_update_check_proxy : since 5.1.0. + # - $passenger_show_version_in_header : since 5.1.0. + # - $passenger_socket_backlog : since 5.0.24. + # - $passenger_spawn_method : since 2.0.0. + # - $passenger_start_timeout : since 4.0.15. + # - $passenger_startup_file : since 4.0.25. + # - $passenger_stat_throttle_rate : since 2.2.0. + # - $passenger_sticky_sessions : since 4.0.45. + # - $passenger_sticky_sessions_cookie_name : since 4.0.45. + # - $passenger_thread_count : since 4.0.0. + # - $passenger_user : since 4.0.0. + # - $passenger_user_switching : since 3.0.0. + # - $passenger_dump_config_manifest : since 5.2.2 + # - $passenger_admin_panel_url : since 5.2.2 + # - $passenger_admin_panel_auth_type : since 5.2.2 + # - $passenger_admin_panel_username : since 5.2.2 + # - $passenger_admin_panel_password : since 5.2.2 + # - $passenger_app_log_file : since 5.3.0 + # - $passenger_max_request_queue_time : since 5.1.12 + + $parameters = { + 'passenger_admin_panel_url' => $passenger_admin_panel_url, + 'passenger_admin_panel_auth_type' => $passenger_admin_panel_auth_type, + 'passenger_admin_panel_username' => $passenger_admin_panel_username, + 'passenger_admin_panel_password' => $passenger_admin_panel_password, + 'passenger_allow_encoded_slashes' => $passenger_allow_encoded_slashes, + 'passenger_anonymous_telemetry_proxy' => $passenger_anonymous_telemetry_proxy, + 'passenger_app_env' => $passenger_app_env, + 'passenger_app_group_name' => $passenger_app_group_name, + 'passenger_app_log_file' => $passenger_app_log_file, + 'passenger_app_root' => $passenger_app_root, + 'passenger_app_type' => $passenger_app_type, + 'passenger_base_uri' => $passenger_base_uri, + 'passenger_buffer_response' => $passenger_buffer_response, + 'passenger_buffer_upload' => $passenger_buffer_upload, + 'passenger_concurrency_model' => $passenger_concurrency_model, + 'passenger_data_buffer_dir' => $passenger_data_buffer_dir, + 'passenger_debug_log_file' => $passenger_debug_log_file, + 'passenger_debugger' => $passenger_debugger, + 'passenger_default_group' => $passenger_default_group, + 'passenger_default_ruby' => $passenger_default_ruby, + 'passenger_default_user' => $passenger_default_user, + 'passenger_disable_anonymous_telemetry' => $passenger_disable_anonymous_telemetry, + 'passenger_disable_log_prefix' => $passenger_disable_log_prefix, + 'passenger_disable_security_update_check' => $passenger_disable_security_update_check, + 'passenger_enabled' => $passenger_enabled, + 'passenger_error_override' => $passenger_error_override, + 'passenger_file_descriptor_log_file' => $passenger_file_descriptor_log_file, + 'passenger_fly_with' => $passenger_fly_with, + 'passenger_force_max_concurrent_requests_per_process' => $passenger_force_max_concurrent_requests_per_process, + 'passenger_friendly_error_pages' => $passenger_friendly_error_pages, + 'passenger_group' => $passenger_group, + 'passenger_high_performance' => $passenger_high_performance, + 'passenger_instance_registry_dir' => $passenger_instance_registry_dir, + 'passenger_load_shell_envvars' => $passenger_load_shell_envvars, + 'passenger_preload_bundler' => $passenger_preload_bundler, + 'passenger_log_file' => $passenger_log_file, + 'passenger_dump_config_manifest' => $passenger_dump_config_manifest, + 'passenger_log_level' => $passenger_log_level, + 'passenger_lve_min_uid' => $passenger_lve_min_uid, + 'passenger_max_instances' => $passenger_max_instances, + 'passenger_max_instances_per_app' => $passenger_max_instances_per_app, + 'passenger_max_pool_size' => $passenger_max_pool_size, + 'passenger_max_preloader_idle_time' => $passenger_max_preloader_idle_time, + 'passenger_max_request_queue_size' => $passenger_max_request_queue_size, + 'passenger_max_request_queue_time' => $passenger_max_request_queue_time, + 'passenger_max_request_time' => $passenger_max_request_time, + 'passenger_max_requests' => $passenger_max_requests, + 'passenger_memory_limit' => $passenger_memory_limit, + 'passenger_meteor_app_settings' => $passenger_meteor_app_settings, + 'passenger_min_instances' => $passenger_min_instances, + 'passenger_nodejs' => $passenger_nodejs, + 'passenger_pool_idle_time' => $passenger_pool_idle_time, + 'passenger_pre_start' => $passenger_pre_start, + 'passenger_python' => $passenger_python, + 'passenger_resist_deployment_errors' => $passenger_resist_deployment_errors, + 'passenger_resolve_symlinks_in_document_root' => $passenger_resolve_symlinks_in_document_root, + 'passenger_response_buffer_high_watermark' => $passenger_response_buffer_high_watermark, + 'passenger_restart_dir' => $passenger_restart_dir, + 'passenger_rolling_restarts' => $passenger_rolling_restarts, + 'passenger_root' => $passenger_root, + 'passenger_ruby' => $passenger_ruby, + 'passenger_security_update_check_proxy' => $passenger_security_update_check_proxy, + 'passenger_show_version_in_header' => $passenger_show_version_in_header, + 'passenger_socket_backlog' => $passenger_socket_backlog, + 'passenger_spawn_dir' => $passenger_spawn_dir, + 'passenger_spawn_method' => $passenger_spawn_method, + 'passenger_start_timeout' => $passenger_start_timeout, + 'passenger_startup_file' => $passenger_startup_file, + 'passenger_stat_throttle_rate' => $passenger_stat_throttle_rate, + 'passenger_sticky_sessions' => $passenger_sticky_sessions, + 'passenger_sticky_sessions_cookie_name' => $passenger_sticky_sessions_cookie_name, + 'passenger_sticky_sessions_cookie_attributes' => $passenger_sticky_sessions_cookie_attributes, + 'passenger_thread_count' => $passenger_thread_count, + 'passenger_use_global_queue' => $passenger_use_global_queue, + 'passenger_user' => $passenger_user, + 'passenger_user_switching' => $passenger_user_switching, + 'rack_env' => $rack_env, + 'rails_env' => $rails_env, + 'rails_framework_spawner_idle_time' => $rails_framework_spawner_idle_time, + } + file { 'passenger.conf': ensure => file, - path => "${apache::mod_dir}/passenger.conf", - content => template('apache/mod/passenger.conf.erb'), + path => "${apache::mod_dir}/${passenger_conf_file}", + content => epp('apache/mod/passenger.conf.epp', $parameters), require => Exec["mkdir ${apache::mod_dir}"], before => File[$apache::mod_dir], - notify => Service['httpd'], + notify => Class['apache::service'], } } diff --git a/manifests/mod/perl.pp b/manifests/mod/perl.pp index 65832a0342..f883305ea7 100644 --- a/manifests/mod/perl.pp +++ b/manifests/mod/perl.pp @@ -1,3 +1,9 @@ +# @summary +# Installs `mod_perl`. +# +# @see https://perl.apache.org for additional documentation. +# class apache::mod::perl { - apache::mod { 'perl': } + include apache + ::apache::mod { 'perl': } } diff --git a/manifests/mod/peruser.pp b/manifests/mod/peruser.pp new file mode 100644 index 0000000000..c9b364acdf --- /dev/null +++ b/manifests/mod/peruser.pp @@ -0,0 +1,112 @@ +# @summary +# Installs `mod_peruser`. +# +# @param minspareprocessors +# +# @param minprocessors +# The minimum amount of processors +# +# @param maxprocessors +# The maximum amount of processors +# +# @param maxclients +# The maximum amount of clients +# +# @param maxrequestsperchild +# The maximum amount of requests per child +# +# @param idletimeout +# +# @param expiretimeout +# +# @param keepalive +# +class apache::mod::peruser ( + Integer $minspareprocessors = 2, + Integer $minprocessors = 2, + Integer $maxprocessors = 10, + Integer $maxclients = 150, + Integer $maxrequestsperchild = 1000, + Integer $idletimeout = 120, + Integer $expiretimeout = 120, + Apache::OnOff $keepalive = 'Off', +) { + include apache + case $facts['os']['family'] { + 'FreeBSD' : { + fail("Unsupported osfamily ${$facts['os']['family']}") + } + default: { + if $facts['os']['family'] == 'Gentoo' { + ::portage::makeconf { 'apache2_mpms': + content => 'peruser', + } + } + + if defined(Class['apache::mod::event']) { + fail('May not include both apache::mod::peruser and apache::mod::event on the same node') + } + if defined(Class['apache::mod::itk']) { + fail('May not include both apache::mod::peruser and apache::mod::itk on the same node') + } + if defined(Class['apache::mod::prefork']) { + fail('May not include both apache::mod::peruser and apache::mod::prefork on the same node') + } + if defined(Class['apache::mod::worker']) { + fail('May not include both apache::mod::peruser and apache::mod::worker on the same node') + } + File { + owner => 'root', + group => $apache::params::root_group, + mode => $apache::file_mode, + } + + $mod_dir = $apache::mod_dir + + # Template uses: + # - $minspareprocessors + # - $minprocessors + # - $maxprocessors + # - $maxclients + # - $maxrequestsperchild + # - $idletimeout + # - $expiretimeout + # - $keepalive + # - $mod_dir + $parameters = { + 'minspareprocessors' => $minspareprocessors, + 'minprocessors' => $minprocessors, + 'maxprocessors' => $maxprocessors, + 'maxclients' => $maxclients, + 'maxrequestsperchild' => $maxrequestsperchild, + 'idletimeout' => $idletimeout, + 'expiretimeout' => $expiretimeout, + 'keepalive' => $keepalive, + 'mod_dir' => $mod_dir, + } + + file { "${apache::mod_dir}/peruser.conf": + ensure => file, + mode => $apache::file_mode, + content => epp('apache/mod/peruser.conf.epp', $parameters), + require => Exec["mkdir ${apache::mod_dir}"], + before => File[$apache::mod_dir], + notify => Class['apache::service'], + } + file { "${apache::mod_dir}/peruser": + ensure => directory, + require => File[$apache::mod_dir], + } + file { "${apache::mod_dir}/peruser/multiplexers": + ensure => directory, + require => File["${apache::mod_dir}/peruser"], + } + file { "${apache::mod_dir}/peruser/processors": + ensure => directory, + require => File["${apache::mod_dir}/peruser"], + } + + ::apache::peruser::multiplexer { '01-default': } + } + } +} diff --git a/manifests/mod/php.pp b/manifests/mod/php.pp index 690cb01b91..62b0eca2ea 100644 --- a/manifests/mod/php.pp +++ b/manifests/mod/php.pp @@ -1,21 +1,155 @@ +# @summary +# Installs `mod_php`. +# +# @param package_name +# The package name +# +# @param package_ensure +# Whether the package is `present` or `absent` +# +# @param path +# +# @param extensions +# +# @param content +# +# @param template +# +# @param source +# +# @param root_group +# UNIX group of the root user +# +# @param php_version +# The php version. This is a required parameter, but optional allows showing a clear error message +# +# @param libphp_prefix +# +# @note Unsupported platforms: RedHat: 9 class apache::mod::php ( - $package_ensure = 'present', -) { - if ! defined(Class['apache::mod::prefork']) { - fail('apache::mod::php requires apache::mod::prefork; please enable mpm_module => \'prefork\' on Class[\'apache\']') + Optional[String] $package_name = undef, + String $package_ensure = 'present', + Optional[String] $path = undef, + Array $extensions = ['.php'], + Optional[String] $content = undef, + String $template = 'apache/mod/php.conf.erb', + Optional[String] $source = undef, + Optional[String] $root_group = $apache::params::root_group, + Optional[String] $php_version = $apache::params::php_version, + String $libphp_prefix = 'libphp' +) inherits apache::params { + unless $php_version { + fail("${facts['os']['name']} ${facts['os']['release']['major']} does not support mod_php") } - apache::mod { 'php5': - package_ensure => $package_ensure, + + include apache + # RedHat + PHP 8 drop the major version in apache module name. + if ($facts['os']['family'] == 'RedHat') and (versioncmp($php_version, '8') >= 0) { + $mod = 'php' + } else { + $mod = "php${php_version}" } - file { 'php5.conf': + + if $apache::version::scl_httpd_version == undef and $apache::version::scl_php_version != undef { + fail('If you define apache::version::scl_php_version, you also need to specify apache::version::scl_httpd_version') + } + if defined(Class['apache::mod::prefork']) { + Class['apache::mod::prefork'] ->File["${mod}.conf"] + } + elsif defined(Class['apache::mod::itk']) { + Class['apache::mod::itk'] ->File["${mod}.conf"] + } + else { + fail('apache::mod::php requires apache::mod::prefork or apache::mod::itk; please enable mpm_module => \'prefork\' or mpm_module => \'itk\' on Class[\'apache\']') + } + + if $source and ($content or $template != 'apache/mod/php.conf.erb') { + warning('source and content or template parameters are provided. source parameter will be used') + } elsif $content and $template != 'apache/mod/php.conf.erb' { + warning('content and template parameters are provided. content parameter will be used') + } + + $manage_content = $source ? { + undef => $content ? { + undef => template($template), + default => $content, + }, + default => undef, + } + + # Determine if we have a package + $mod_packages = $apache::mod_packages + if $package_name { + $_package_name = $package_name + } elsif $mod in $mod_packages { # 2.6 compatibility hack + $_package_name = $mod_packages[$mod] + } elsif 'phpXXX' in $mod_packages { # 2.6 compatibility hack + $_package_name = regsubst($mod_packages['phpXXX'], 'XXX', $php_version) + } else { + $_package_name = undef + } + + $_php_major = regsubst($php_version, '^(\d+)\..*$', '\1') + $_php_version_no_dot = regsubst($php_version, '\.', '') + if $apache::version::scl_httpd_version { + $_lib = "librh-php${_php_version_no_dot}-php${_php_major}.so" + } elsif ($facts['os']['family'] == 'RedHat') and (versioncmp($php_version, '8') >= 0) { + # RedHat + PHP 8 drop the major version in apache module name. + $_lib = "${libphp_prefix}.so" + } else { + $_lib = "${libphp_prefix}${php_version}.so" + } + $_module_id = $_php_major ? { + '5' => 'php5_module', + '7' => 'php7_module', + default => 'php_module', + } + + if $facts['os']['name'] == 'SLES' { + # Enable legacy repo to install apache2-mod_php7 package + # if SUSE OS major version is >= 15 and minor version is > 3 + if ($_package_name == 'apache2-mod_php7' and versioncmp($facts['os']['release']['major'], '15') >= 0 and versioncmp($facts['os']['release']['minor'], '3') == 1) { + exec { 'enable legacy repos': + path => '/bin:/usr/bin/:/sbin:/usr/sbin', + command => "SUSEConnect --product sle-module-legacy/${facts['os']['release']['major']}.${facts['os']['release']['minor']}/x86_64", + unless => "SUSEConnect --status-text | grep sle-module-legacy/${facts['os']['release']['major']}.${facts['os']['release']['minor']}/x86_64", + } + } + + ::apache::mod { $mod: + package => $_package_name, + package_ensure => $package_ensure, + lib => "mod_${mod}.so", + id => $_module_id, + path => "${apache::lib_path}/mod_${mod}.so", + } + } else { + ::apache::mod { $mod: + package => $_package_name, + package_ensure => $package_ensure, + lib => $_lib, + id => $_module_id, + path => $path, + } + } + + include apache::mod::mime + include apache::mod::dir + Class['apache::mod::mime'] -> Class['apache::mod::dir'] -> Class['apache::mod::php'] + + # Template uses $extensions + file { "${mod}.conf": ensure => file, - path => "${apache::mod_dir}/php5.conf", - content => template('apache/mod/php5.conf.erb'), + path => "${apache::mod_dir}/${mod}.conf", + owner => 'root', + group => $root_group, + mode => $apache::file_mode, + content => $manage_content, + source => $source, require => [ - Class['apache::mod::prefork'], Exec["mkdir ${apache::mod_dir}"], ], before => File[$apache::mod_dir], - notify => Service['httpd'], + notify => Class['apache::service'], } } diff --git a/manifests/mod/prefork.pp b/manifests/mod/prefork.pp index 5c6a7def97..24cf217f43 100644 --- a/manifests/mod/prefork.pp +++ b/manifests/mod/prefork.pp @@ -1,21 +1,61 @@ +# @summary +# Installs and configures MPM `prefork`. +# +# @param startservers +# Number of child server processes created at startup. +# +# @param minspareservers +# Minimum number of idle child server processes. +# +# @param maxspareservers +# Maximum number of idle child server processes. +# +# @param serverlimit +# Upper limit on configurable number of processes. +# +# @param maxclients +# Old alias for MaxRequestWorkers. +# +# @param maxrequestworkers +# Maximum number of connections that will be processed simultaneously. +# +# @param maxrequestsperchild +# Old alias for MaxConnectionsPerChild. +# +# @param maxconnectionsperchild +# Limit on the number of connections that an individual child server will handle during its life. +# +# @param listenbacklog +# Maximum length of the queue of pending connections. +# +# @see https://httpd.apache.org/docs/current/mod/prefork.html for additional documentation. +# class apache::mod::prefork ( - $startservers = '8', - $minspareservers = '5', - $maxspareservers = '20', - $serverlimit = '256', - $maxclients = '256', - $maxrequestsperchild = '4000', + Integer $startservers = 8, + Integer $minspareservers = 5, + Integer $maxspareservers = 20, + Integer $serverlimit = 256, + Integer $maxclients = 256, + Optional[Integer] $maxrequestworkers = undef, + Integer $maxrequestsperchild = 4000, + Optional[Integer] $maxconnectionsperchild = undef, + Integer $listenbacklog = 511 ) { - if defined(Class['apache::mod::itk']) { - fail('May not include both apache::mod::itk and apache::mod::prefork on the same node') + include apache + if defined(Class['apache::mod::event']) { + fail('May not include both apache::mod::prefork and apache::mod::event on the same node') + } + if defined(Class['apache::mod::peruser']) { + fail('May not include both apache::mod::prefork and apache::mod::peruser on the same node') } if defined(Class['apache::mod::worker']) { - fail('May not include both apache::mod::worker and apache::mod::prefork on the same node') + fail('May not include both apache::mod::prefork and apache::mod::worker on the same node') } + File { owner => 'root', - group => 'root', - mode => '0644', + group => $apache::params::root_group, + mode => $apache::file_mode, } # Template uses: @@ -24,40 +64,46 @@ # - $maxspareservers # - $serverlimit # - $maxclients + # - $maxrequestworkers # - $maxrequestsperchild + # - $maxconnectionsperchild + $parameters = { + 'startservers' => $startservers, + 'minspareservers' => $minspareservers, + 'maxspareservers' => $maxspareservers, + 'serverlimit' => $serverlimit, + 'maxrequestworkers' => $maxrequestworkers, + 'maxclients' => $maxclients, + 'maxconnectionsperchild' => $maxconnectionsperchild, + 'maxrequestsperchild' => $maxrequestsperchild, + 'listenbacklog' => $listenbacklog, + } + file { "${apache::mod_dir}/prefork.conf": ensure => file, - content => template('apache/mod/prefork.conf.erb'), + content => epp('apache/mod/prefork.conf.epp', $parameters), require => Exec["mkdir ${apache::mod_dir}"], before => File[$apache::mod_dir], - notify => Service['httpd'], + notify => Class['apache::service'], } - case $::osfamily { - 'redhat': { - file_line { '/etc/sysconfig/httpd prefork enable': - ensure => present, - path => '/etc/sysconfig/httpd', - line => '#HTTPD=/usr/sbin/httpd.worker', - match => '#?HTTPD=/usr/sbin/httpd.worker', - require => Package['httpd'], - notify => Service['httpd'], + case $facts['os']['family'] { + 'RedHat', 'Debian', 'FreeBSD': { + ::apache::mpm { 'prefork': } } - 'debian': { - file { "${apache::mod_enable_dir}/prefork.conf": - ensure => link, - target => "${apache::mod_dir}/prefork.conf", - require => Exec["mkdir ${apache::mod_enable_dir}"], - before => File[$apache::mod_enable_dir], - notify => Service['httpd'], + 'Suse': { + ::apache::mpm { 'prefork': + lib_path => '/usr/lib64/apache2-prefork', } - package { 'apache2-mpm-prefork': - ensure => present, + } + 'Gentoo': { + ::portage::makeconf { 'apache2_mpms': + content => 'prefork', } } default: { - fail("Unsupported osfamily ${::osfamily}") + fail("Unsupported osfamily ${$facts['os']['family']}") } } } diff --git a/manifests/mod/proxy.pp b/manifests/mod/proxy.pp index f916734304..c07ebfb26e 100644 --- a/manifests/mod/proxy.pp +++ b/manifests/mod/proxy.pp @@ -1,15 +1,56 @@ +# @summary +# Installs and configures `mod_proxy`. +# +# @param proxy_requests +# Enables forward (standard) proxy requests. +# +# @param allow_from +# IP address or list of IPs allowed to access proxy. +# +# @param package_name +# Name of the proxy package to install. +# +# @param proxy_via +# Set local IP address for outgoing proxy connections. +# +# @param proxy_timeout +# Network timeout for proxied requests. +# +# @param proxy_iobuffersize +# Set the size of internal data throughput buffer +# +# @see https://httpd.apache.org/docs/current/mod/mod_proxy.html for additional documentation. +# class apache::mod::proxy ( - $proxy_requests = 'Off', - $allow_from = undef, + String $proxy_requests = 'Off', + Optional[Variant[Stdlib::IP::Address, Array[Stdlib::IP::Address]]] $allow_from = undef, + Optional[String] $package_name = undef, + String $proxy_via = 'On', + Optional[Integer[0]] $proxy_timeout = undef, + Optional[String] $proxy_iobuffersize = undef, ) { - apache::mod { 'proxy': } + include apache + $_proxy_timeout = $apache::timeout + ::apache::mod { 'proxy': + package => $package_name, + } + + $parameters = { + 'proxy_requests' => $proxy_requests, + 'allow_from' => $allow_from, + 'proxy_via' => $proxy_via, + 'proxy_timeout' => $proxy_timeout, + 'proxy_iobuffersize' => $proxy_iobuffersize, + } + # Template uses $proxy_requests file { 'proxy.conf': ensure => file, path => "${apache::mod_dir}/proxy.conf", - content => template('apache/mod/proxy.conf.erb'), + mode => $apache::file_mode, + content => epp('apache/mod/proxy.conf.epp', $parameters), require => Exec["mkdir ${apache::mod_dir}"], before => File[$apache::mod_dir], - notify => Service['httpd'], + notify => Class['apache::service'], } } diff --git a/manifests/mod/proxy_ajp.pp b/manifests/mod/proxy_ajp.pp index b366cb1df6..66b520c397 100644 --- a/manifests/mod/proxy_ajp.pp +++ b/manifests/mod/proxy_ajp.pp @@ -1,4 +1,9 @@ +# @summary +# Installs `mod_proxy_ajp`. +# +# @see https://httpd.apache.org/docs/current/mod/mod_proxy_ajp.html for additional documentation. +# class apache::mod::proxy_ajp { - Class['apache::mod::proxy'] -> Class['apache::mod::proxy_ajp'] - apache::mod { 'proxy_ajp': } + require apache::mod::proxy + ::apache::mod { 'proxy_ajp': } } diff --git a/manifests/mod/proxy_balancer.pp b/manifests/mod/proxy_balancer.pp index 2d5a450bf0..c898b22b80 100644 --- a/manifests/mod/proxy_balancer.pp +++ b/manifests/mod/proxy_balancer.pp @@ -1,10 +1,36 @@ -class apache::mod::proxy_balancer { - - include apache::mod::proxy - include apache::mod::proxy_http - - Class['apache::mod::proxy'] -> Class['apache::mod::proxy_balancer'] - Class['apache::mod::proxy_http'] -> Class['apache::mod::proxy_balancer'] - apache::mod { 'proxy_balancer': } - +# @summary +# Installs and configures `mod_proxy_balancer`. +# +# @param manager +# Toggle whether to enable balancer manager support. +# +# @param manager_path +# Server relative path to balancer manager. +# +# @param allow_from +# List of IPs from which the balancer manager can be accessed. +# +# @see https://httpd.apache.org/docs/current/mod/mod_proxy_balancer.html for additional documentation. +# +class apache::mod::proxy_balancer ( + Boolean $manager = false, + Stdlib::Unixpath $manager_path = '/balancer-manager', + Array[Stdlib::IP::Address] $allow_from = ['127.0.0.1', '::1'], +) { + require apache::mod::proxy + require apache::mod::proxy_http + ::apache::mod { 'slotmem_shm': } + ::apache::mod { 'proxy_balancer': } + if $manager { + include apache::mod::status + file { 'proxy_balancer.conf': + ensure => file, + path => "${apache::mod_dir}/proxy_balancer.conf", + mode => $apache::file_mode, + content => epp('apache/mod/proxy_balancer.conf.epp', { 'manager_path' => $manager_path, 'allow_from' => $allow_from, }), + require => Exec["mkdir ${apache::mod_dir}"], + before => File[$apache::mod_dir], + notify => Class['apache::service'], + } + } } diff --git a/manifests/mod/proxy_connect.pp b/manifests/mod/proxy_connect.pp new file mode 100644 index 0000000000..5134639700 --- /dev/null +++ b/manifests/mod/proxy_connect.pp @@ -0,0 +1,9 @@ +# @summary +# Installs `mod_proxy_connect`. +# @see https://httpd.apache.org/docs/current/mod/mod_proxy_connect.html for additional documentation. +# +class apache::mod::proxy_connect { + include apache + require apache::mod::proxy + apache::mod { 'proxy_connect': } +} diff --git a/manifests/mod/proxy_fcgi.pp b/manifests/mod/proxy_fcgi.pp new file mode 100644 index 0000000000..467bdbef3e --- /dev/null +++ b/manifests/mod/proxy_fcgi.pp @@ -0,0 +1,9 @@ +# @summary +# Installs `mod_proxy_fcgi`. +# +# @see https://httpd.apache.org/docs/current/mod/mod_proxy_fcgi.html for additional documentation. +# +class apache::mod::proxy_fcgi { + require apache::mod::proxy + ::apache::mod { 'proxy_fcgi': } +} diff --git a/manifests/mod/proxy_html.pp b/manifests/mod/proxy_html.pp index ab2575731a..6740caaf36 100644 --- a/manifests/mod/proxy_html.pp +++ b/manifests/mod/proxy_html.pp @@ -1,25 +1,58 @@ +# @summary +# Installs `mod_proxy_html`. +# +# @see https://httpd.apache.org/docs/current/mod/mod_proxy_html.html for additional documentation. +# class apache::mod::proxy_html { - Class['apache::mod::proxy'] -> Class['apache::mod::proxy_html'] - Class['apache::mod::proxy_http'] -> Class['apache::mod::proxy_html'] - apache::mod { 'proxy_html': } - case $::osfamily { - 'RedHat': { - apache::mod { 'xml2enc': } + include apache + require apache::mod::proxy + require apache::mod::proxy_http + + # Add libxml2 + case $facts['os']['family'] { + /RedHat|FreeBSD|Gentoo|Suse/: { + ::apache::mod { 'xml2enc': } + $loadfiles = undef } 'Debian': { - $proxy_html_loadfiles = $apache::params::distrelease ? { - '6' => '/usr/lib/libxml2.so.2', - default => "/usr/lib/${::hardwaremodel}-linux-gnu/libxml2.so.2", + $gnu_path = $facts['os']['hardware'] ? { + 'i686' => 'i386', + default => $facts['os']['hardware'], } + case $facts['os']['name'] { + 'Ubuntu': { + $loadfiles = $facts['os']['release']['major'] ? { + '10' => ['/usr/lib/libxml2.so.2'], + default => ["/usr/lib/${gnu_path}-linux-gnu/libxml2.so.2"], + } + } + 'Debian': { + $loadfiles = $facts['os']['release']['major'] ? { + '6' => ['/usr/lib/libxml2.so.2'], + default => ["/usr/lib/${gnu_path}-linux-gnu/libxml2.so.2"], + } + } + default: { + $loadfiles = ["/usr/lib/${gnu_path}-linux-gnu/libxml2.so.2"] + } + } + ::apache::mod { 'xml2enc': } } + default: {} + } + + ::apache::mod { 'proxy_html': + loadfiles => $loadfiles, } + # Template uses $icons_path file { 'proxy_html.conf': ensure => file, path => "${apache::mod_dir}/proxy_html.conf", - content => template('apache/mod/proxy_html.conf.erb'), + mode => $apache::file_mode, + content => epp('apache/mod/proxy_html.conf.epp'), require => Exec["mkdir ${apache::mod_dir}"], before => File[$apache::mod_dir], - notify => Service['httpd'], + notify => Class['apache::service'], } } diff --git a/manifests/mod/proxy_http.pp b/manifests/mod/proxy_http.pp index 5b83df2c59..54ad8af43c 100644 --- a/manifests/mod/proxy_http.pp +++ b/manifests/mod/proxy_http.pp @@ -1,4 +1,9 @@ +# @summary +# Installs `mod_proxy_http`. +# +# @see https://httpd.apache.org/docs/current/mod/mod_proxy_http.html for additional documentation. +# class apache::mod::proxy_http { - Class['apache::mod::proxy'] -> Class['apache::mod::proxy_http'] - apache::mod { 'proxy_http': } + require apache::mod::proxy + ::apache::mod { 'proxy_http': } } diff --git a/manifests/mod/proxy_http2.pp b/manifests/mod/proxy_http2.pp new file mode 100644 index 0000000000..a5368004bb --- /dev/null +++ b/manifests/mod/proxy_http2.pp @@ -0,0 +1,9 @@ +# @summary +# Installs `mod_proxy_http2`. +# +# @see https://httpd.apache.org/docs/current/mod/mod_proxy_http2.html for additional documentation. +# +class apache::mod::proxy_http2 { + require apache::mod::proxy + apache::mod { 'proxy_http2': } +} diff --git a/manifests/mod/proxy_wstunnel.pp b/manifests/mod/proxy_wstunnel.pp new file mode 100644 index 0000000000..c57db79387 --- /dev/null +++ b/manifests/mod/proxy_wstunnel.pp @@ -0,0 +1,10 @@ +# @summary +# Installs `mod_proxy_wstunnel`. +# +# @see https://httpd.apache.org/docs/current/mod/mod_proxy_wstunnel.html for additional documentation. +# +class apache::mod::proxy_wstunnel { + include apache + require apache::mod::proxy + ::apache::mod { 'proxy_wstunnel': } +} diff --git a/manifests/mod/python.pp b/manifests/mod/python.pp index 8158b7e8ad..91f1d38181 100644 --- a/manifests/mod/python.pp +++ b/manifests/mod/python.pp @@ -1,5 +1,16 @@ -class apache::mod::python { - apache::mod { 'python': } +# @summary +# Installs and configures `mod_python`. +# +# @param loadfile_name +# Sets the name of the configuration file that is used to load the python module. +# +# @see https://github.com/grisha/mod_python for additional documentation. +# +class apache::mod::python ( + Optional[String] $loadfile_name = undef, +) { + include apache + ::apache::mod { 'python': + loadfile_name => $loadfile_name, + } } - - diff --git a/manifests/mod/remoteip.pp b/manifests/mod/remoteip.pp new file mode 100644 index 0000000000..9435e00f20 --- /dev/null +++ b/manifests/mod/remoteip.pp @@ -0,0 +1,104 @@ +# @summary +# Installs and configures `mod_remoteip`. +# +# @see https://httpd.apache.org/docs/current/mod/mod_remoteip.html +# +# @param header +# The header field in which `mod_remoteip` will look for the useragent IP. +# +# @param internal_proxy +# A list of IP addresses, IP blocks or hostname that are trusted to set a +# valid value inside specified header. Unlike the `$trusted_proxy_ips` +# parameter, any IP address (including private addresses) presented by these +# proxies will trusted by `mod_remoteip`. +# +# @param proxy_ips +# *Deprecated*: use `$internal_proxy` instead. +# +# @param internal_proxy_list +# The path to a file containing a list of IP addresses, IP blocks or hostname +# that are trusted to set a valid value inside the specified header. See +# `$internal_proxy` for details. +# +# @param proxies_header +# A header into which `mod_remoteip` will collect a list of all of the +# intermediate client IP addresses trusted to resolve the useragent IP of the +# request (e.g. `X-Forwarded-By`). +# +# @param proxy_protocol +# Wether or not to enable the PROXY protocol header handling. If enabled +# upstream clients must set the header every time they open a connection. +# +# @param proxy_protocol_exceptions +# A list of IP address or IP blocks that are not required to use the PROXY +# protocol. +# +# @param trusted_proxy +# A list of IP addresses, IP blocks or hostname that are trusted to set a +# valid value inside the specified header. Unlike the `$proxy_ips` parameter, +# any private IP presented by these proxies will be disgarded by +# `mod_remoteip`. +# +# @param trusted_proxy_ips +# *Deprecated*: use `$trusted_proxy` instead. +# +# @param trusted_proxy_list +# The path to a file containing a list of IP addresses, IP blocks or hostname +# that are trusted to set a valid value inside the specified header. See +# `$trusted_proxy` for details. +# +# @see https://httpd.apache.org/docs/current/mod/mod_remoteip.html for additional documentation. +# +class apache::mod::remoteip ( + String $header = 'X-Forwarded-For', + Optional[Array[Stdlib::Host]] $internal_proxy = undef, + Optional[Array[Stdlib::Host]] $proxy_ips = undef, + Optional[Stdlib::Absolutepath] $internal_proxy_list = undef, + Optional[String] $proxies_header = undef, + Boolean $proxy_protocol = false, + Optional[Array[Stdlib::Host]] $proxy_protocol_exceptions = undef, + Optional[Array[Stdlib::Host]] $trusted_proxy = undef, + Optional[Array[Stdlib::Host]] $trusted_proxy_ips = undef, + Optional[Stdlib::Absolutepath] $trusted_proxy_list = undef, +) { + include apache + + if $proxy_ips { + deprecation('apache::mod::remoteip::proxy_ips', 'This parameter is deprecated, please use `internal_proxy`.') + $_internal_proxy = $proxy_ips + } elsif $internal_proxy { + $_internal_proxy = $internal_proxy + } else { + $_internal_proxy = ['127.0.0.1'] + } + + if $trusted_proxy_ips { + deprecation('apache::mod::remoteip::trusted_proxy_ips', 'This parameter is deprecated, please use `trusted_proxy`.') + $_trusted_proxy = $trusted_proxy_ips + } else { + $_trusted_proxy = $trusted_proxy + } + + ::apache::mod { 'remoteip': } + + $template_parameters = { + header => $header, + internal_proxy => $_internal_proxy, + internal_proxy_list => $internal_proxy_list, + proxies_header => $proxies_header, + proxy_protocol => $proxy_protocol, + proxy_protocol_exceptions => $proxy_protocol_exceptions, + trusted_proxy => $_trusted_proxy, + trusted_proxy_list => $trusted_proxy_list, + } + + file { 'remoteip.conf': + ensure => file, + path => "${apache::mod_dir}/remoteip.conf", + mode => $apache::file_mode, + content => epp('apache/mod/remoteip.conf.epp', $template_parameters), + require => Exec["mkdir ${apache::mod_dir}"], + before => File[$apache::mod_dir], + notify => Class['apache::service'], + } +} diff --git a/manifests/mod/reqtimeout.pp b/manifests/mod/reqtimeout.pp index b763b37850..f6c1b21dbd 100644 --- a/manifests/mod/reqtimeout.pp +++ b/manifests/mod/reqtimeout.pp @@ -1,12 +1,24 @@ -class apache::mod::reqtimeout { - apache::mod { 'reqtimeout': } +# @summary +# Installs and configures `mod_reqtimeout`. +# +# @param timeouts +# List of timeouts and data rates for receiving requests. +# +# @see https://httpd.apache.org/docs/current/mod/mod_reqtimeout.html for additional documentation. +# +class apache::mod::reqtimeout ( + Variant[Array[String], String] $timeouts = ['header=20-40,minrate=500', 'body=10,minrate=500'] +) { + include apache + ::apache::mod { 'reqtimeout': } # Template uses no variables file { 'reqtimeout.conf': ensure => file, path => "${apache::mod_dir}/reqtimeout.conf", - content => template('apache/mod/reqtimeout.conf.erb'), + mode => $apache::file_mode, + content => epp('apache/mod/reqtimeout.conf.epp', { 'timeouts' => $timeouts, }), require => Exec["mkdir ${apache::mod_dir}"], before => File[$apache::mod_dir], - notify => Service['httpd'], + notify => Class['apache::service'], } } diff --git a/manifests/mod/rewrite.pp b/manifests/mod/rewrite.pp index 147faab998..06986d1e89 100644 --- a/manifests/mod/rewrite.pp +++ b/manifests/mod/rewrite.pp @@ -1,4 +1,9 @@ +# @summary +# Installs `mod_rewrite`. +# +# @see https://httpd.apache.org/docs/current/mod/mod_rewrite.html for additional documentation. +# class apache::mod::rewrite { include apache::params - apache::mod { 'rewrite': } + ::apache::mod { 'rewrite': } } diff --git a/manifests/mod/rpaf.pp b/manifests/mod/rpaf.pp new file mode 100644 index 0000000000..c38839bf0c --- /dev/null +++ b/manifests/mod/rpaf.pp @@ -0,0 +1,46 @@ +# @summary +# Installs and configures `mod_rpaf`. +# +# @param sethostname +# Toggles whether to update vhost name so ServerName and ServerAlias work. +# +# @param proxy_ips +# List of IPs & bitmasked subnets to adjust requests for +# +# @param header +# Header to use for the real IP address. +# +# @param template +# Path to template to use for configuring mod_rpaf. +# +# @see https://github.com/gnif/mod_rpaf for additional documentation. +# +class apache::mod::rpaf ( + Variant[Boolean, String] $sethostname = true, + Array[Stdlib::IP::Address] $proxy_ips = ['127.0.0.1'], + String $header = 'X-Forwarded-For', + String $template = 'apache/mod/rpaf.conf.epp' +) { + include apache + ::apache::mod { 'rpaf': } + + # Template uses: + # - $sethostname + # - $proxy_ips + # - $header + $parameters = { + 'sethostname' => $sethostname, + 'proxy_ips' => $proxy_ips, + 'header' => $header, + } + + file { 'rpaf.conf': + ensure => file, + path => "${apache::mod_dir}/rpaf.conf", + mode => $apache::file_mode, + content => epp($template, $parameters), + require => Exec["mkdir ${apache::mod_dir}"], + before => File[$apache::mod_dir], + notify => Class['apache::service'], + } +} diff --git a/manifests/mod/security.pp b/manifests/mod/security.pp new file mode 100644 index 0000000000..27de2e8a42 --- /dev/null +++ b/manifests/mod/security.pp @@ -0,0 +1,380 @@ +# @summary +# Installs and configures `mod_security`. +# +# @param version +# Manage mod_security or mod_security2 +# +# @param logroot +# Configures the location of audit and debug logs. +# +# @param crs_package +# Name of package that installs CRS rules. +# +# @param activated_rules +# An array of rules from the modsec_crs_path or absolute to activate via symlinks. +# +# @param custom_rules +# +# @param custom_rules_set +# +# @param modsec_dir +# Defines the path where Puppet installs the modsec configuration and activated rules links. +# +# @param modsec_secruleengine +# Configures the rules engine. +# +# @param debug_log_level +# Configures the debug log level. +# +# @param audit_log_relevant_status +# Configures which response status code is to be considered relevant for the purpose of audit logging. +# +# @param audit_log_parts +# Defines which parts of each transaction are going to be recorded in the audit log. Each part is assigned a single letter; when a +# letter appears in the list then the equivalent part will be recorded. +# +# @param audit_log_type +# Defines the type of audit logging mechanism to be used. +# +# @param audit_log_format +# Defines what format the logs should be written in. +# +# @param audit_log_storage_dir +# Defines the directory where concurrent audit log entries are to be stored. This directive is only needed when concurrent audit logging is used. +# +# @param secpcrematchlimit +# Sets the match limit in the PCRE library. +# +# @param secpcrematchlimitrecursion +# Sets the match limit recursion in the PCRE library. +# +# @param allowed_methods +# A space-separated list of allowed HTTP methods. +# +# @param content_types +# A list of one or more allowed MIME types. +# +# @param restricted_extensions +# A space-sparated list of prohibited file extensions. +# +# @param restricted_headers +# A list of restricted headers separated by slashes and spaces. +# +# @param secdefaultaction +# Defines the default list of actions, which will be inherited by the rules in the same configuration context. +# +# @param inbound_anomaly_threshold +# Sets the scoring threshold level of the inbound blocking rules for the Collaborative Detection Mode in the OWASP ModSecurity Core Rule Set. +# +# @param outbound_anomaly_threshold +# Sets the scoring threshold level of the outbound blocking rules for the Collaborative Detection Mode in the OWASP ModSecurity Core Rule Set. +# +# @param critical_anomaly_score +# Sets the Anomaly Score for rules assigned with a critical severity. +# +# @param error_anomaly_score +# Sets the Anomaly Score for rules assigned with a error severity. +# +# @param warning_anomaly_score +# Sets the Anomaly Score for rules assigned with a warning severity. +# +# @param notice_anomaly_score +# Sets the Anomaly Score for rules assigned with a notice severity. +# +# @param paranoia_level +# Sets the paranoia level in the OWASP ModSecurity Core Rule Set. +# +# @param executing_paranoia_level +# Sets the executing paranoia level in the OWASP ModSecurity Core Rule Set. +# The default is equal to, and cannot be lower than, $paranoia_level. +# +# @param secrequestmaxnumargs +# Sets the maximum number of arguments in the request. +# +# @param secrequestbodylimit +# Sets the maximum request body size ModSecurity will accept for buffering. +# +# @param secrequestbodynofileslimit +# Configures the maximum request body size ModSecurity will accept for buffering, excluding the size of any files being transported +# in the request. +# +# @param secrequestbodyinmemorylimit +# Configures the maximum request body size that ModSecurity will store in memory. +# +# @param secrequestbodyaccess +# Toggle SecRequestBodyAccess On or Off +# +# @param secrequestbodylimitaction +# Controls what happens once a request body limit, configured with +# SecRequestBodyLimit, is encountered +# +# @param secresponsebodyaccess +# Toggle SecResponseBodyAccess On or Off +# +# @param secresponsebodylimitaction +# Controls what happens once a response body limit, configured with +# SecResponseBodyLimitAction, is encountered. +# +# @param manage_security_crs +# Toggles whether to manage ModSecurity Core Rule Set +# +# @param enable_dos_protection +# Toggles the optional OWASP ModSecurity Core Rule Set DOS protection rule +# (rule id 900700) +# +# @param dos_burst_time_slice +# Configures time in which a burst is measured for the OWASP ModSecurity Core Rule Set DOS protection rule +# (rule id 900700) +# +# @param dos_counter_threshold +# Configures the amount of requests that can be made within dos_burst_time_slice before it is considered a burst in +# the OWASP ModSecurity Core Rule Set DOS protection rule (rule id 900700) +# +# @param dos_block_timeout +# Configures how long the client should be blocked when the dos_counter_threshold is exceeded in the OWASP +# ModSecurity Core Rule Set DOS protection rule (rule id 900700) +# +# @see https://github.com/SpiderLabs/ModSecurity/wiki for additional documentation. +# @see https://coreruleset.org/docs/ for addional documentation +# +class apache::mod::security ( + Stdlib::Absolutepath $logroot = $apache::params::logroot, + Integer $version = $apache::params::modsec_version, + Optional[String] $crs_package = $apache::params::modsec_crs_package, + Array[String] $activated_rules = $apache::params::modsec_default_rules, + Boolean $custom_rules = $apache::params::modsec_custom_rules, + Optional[Array[String]] $custom_rules_set = $apache::params::modsec_custom_rules_set, + Stdlib::Absolutepath $modsec_dir = $apache::params::modsec_dir, + String $modsec_secruleengine = $apache::params::modsec_secruleengine, + Integer[0, 9] $debug_log_level = 0, + String $audit_log_relevant_status = '^(?:5|4(?!04))', + String $audit_log_parts = $apache::params::modsec_audit_log_parts, + String $audit_log_type = $apache::params::modsec_audit_log_type, + Enum['Native', 'JSON'] $audit_log_format = 'Native', + Optional[Stdlib::Absolutepath] $audit_log_storage_dir = undef, + Integer $secpcrematchlimit = $apache::params::secpcrematchlimit, + Integer $secpcrematchlimitrecursion = $apache::params::secpcrematchlimitrecursion, + String $allowed_methods = 'GET HEAD POST OPTIONS', + String $content_types = 'application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf', + String $restricted_extensions = '.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/', + String $restricted_headers = '/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/', + String $secdefaultaction = 'deny', + Integer $inbound_anomaly_threshold = 5, + Integer $outbound_anomaly_threshold = 4, + Integer $critical_anomaly_score = 5, + Integer $error_anomaly_score = 4, + Integer $warning_anomaly_score = 3, + Integer $notice_anomaly_score = 2, + Integer $secrequestmaxnumargs = 255, + Integer $secrequestbodylimit = 13107200, + Integer $secrequestbodynofileslimit = 131072, + Integer $secrequestbodyinmemorylimit = 131072, + Integer[1,4] $paranoia_level = 1, + Integer[1,4] $executing_paranoia_level = $paranoia_level, + Apache::OnOff $secrequestbodyaccess = 'On', + Apache::OnOff $secresponsebodyaccess = 'Off', + Enum['Reject', 'ProcessPartial'] $secrequestbodylimitaction = 'Reject', + Enum['Reject', 'ProcessPartial'] $secresponsebodylimitaction = 'ProcessPartial', + Boolean $manage_security_crs = true, + Boolean $enable_dos_protection = true, + Integer[1, default] $dos_burst_time_slice = 60, + Integer[1, default] $dos_counter_threshold = 100, + Integer[1, default] $dos_block_timeout = 600, +) inherits apache::params { + include apache + + $_secdefaultaction = $secdefaultaction ? { + /log/ => $secdefaultaction, # it has log or nolog,auditlog or log,noauditlog + default => "${secdefaultaction},log", + } + + if $facts['os']['family'] == 'FreeBSD' { + fail('FreeBSD is not currently supported') + } + + if ($facts['os']['family'] == 'Suse' and versioncmp($facts['os']['release']['major'], '11') < 0) { + fail('SLES 10 is not currently supported.') + } + + if ($executing_paranoia_level < $paranoia_level) { + fail('Executing paranoia level cannot be lower than paranoia level') + } + + case $version { + 1: { + $mod_name = 'security' + $mod_conf_name = 'security.conf' + } + 2: { + $mod_name = 'security2' + $mod_conf_name = 'security2.conf' + } + default: { + fail('Unsuported version for mod security') + } + } + ::apache::mod { $mod_name: + id => 'security2_module', + lib => 'mod_security2.so', + } + + ::apache::mod { 'unique_id': + id => 'unique_id_module', + lib => 'mod_unique_id.so', + } + + if $crs_package { + package { $crs_package: + ensure => 'installed', + before => [ + File[$apache::confd_dir], + File[$modsec_dir], + ], + } + } + + # Template uses: + # - logroot + # - $modsec_dir + # - $audit_log_parts + # - $audit_log_type + # - $audit_log_storage_dir + # - secpcrematchlimit + # - secpcrematchlimitrecursion + # - secrequestbodylimit + # - secrequestbodynofileslimit + # - secrequestbodyinmemorylimit + # - secrequestbodyaccess + # - secresponsebodyaccess + # - secrequestbodylimitaction + # - secresponsebodylimitaction + $security_conf_parameters = { + 'modsec_secruleengine' => $modsec_secruleengine, + 'secrequestbodyaccess' => $secrequestbodyaccess, + 'custom_rules' => $custom_rules, + 'modsec_dir' => $modsec_dir, + 'secrequestbodylimit' => $secrequestbodylimit, + 'secrequestbodynofileslimit' => $secrequestbodynofileslimit, + 'secrequestbodyinmemorylimit' => $secrequestbodyinmemorylimit, + 'secrequestbodylimitaction' => $secrequestbodylimitaction, + 'secpcrematchlimit' => $secpcrematchlimit, + 'secpcrematchlimitrecursion' => $secpcrematchlimitrecursion, + 'secresponsebodyaccess' => $secresponsebodyaccess, + 'secresponsebodylimitaction' => $secresponsebodylimitaction, + 'audit_log_relevant_status' => $audit_log_relevant_status, + 'audit_log_parts' => $audit_log_parts, + 'audit_log_type' => $audit_log_type, + 'audit_log_format' => $audit_log_format, + 'audit_log_storage_dir' => $audit_log_storage_dir, + 'debug_log_level' => $debug_log_level, + 'logroot' => $logroot, + } + + file { 'security.conf': + ensure => file, + content => epp('apache/mod/security.conf.epp', $security_conf_parameters), + mode => $apache::file_mode, + path => "${apache::mod_dir}/${mod_conf_name}", + owner => $apache::params::user, + group => $apache::params::group, + require => Exec["mkdir ${apache::mod_dir}"], + before => File[$apache::mod_dir], + notify => Class['apache::service'], + } + + file { $modsec_dir: + ensure => directory, + owner => 'root', + group => 'root', + mode => '0755', + purge => true, + force => true, + recurse => true, + require => Package['httpd'], + } + + file { "${modsec_dir}/activated_rules": + ensure => directory, + owner => $apache::params::user, + group => $apache::params::group, + mode => '0555', + purge => true, + force => true, + recurse => true, + notify => Class['apache::service'], + } + + if $custom_rules { + # Template to add custom rule and included in security configuration + file { "${modsec_dir}/custom_rules": + ensure => directory, + owner => $apache::params::user, + group => $apache::params::group, + mode => $apache::file_mode, + require => File[$modsec_dir], + } + + file { "${modsec_dir}/custom_rules/custom_01_rules.conf": + ensure => file, + owner => $apache::params::user, + group => $apache::params::group, + mode => $apache::file_mode, + content => epp('apache/mod/security_custom.conf.epp', { 'custom_rules_set' => $custom_rules_set, }), + require => File["${modsec_dir}/custom_rules"], + notify => Class['apache::service'], + } + } + + if $manage_security_crs { + # Template uses: + # - $_secdefaultaction + # - $critical_anomaly_score + # - $error_anomaly_score + # - $warning_anomaly_score + # - $notice_anomaly_score + # - $inbound_anomaly_threshold + # - $outbound_anomaly_threshold + # - $paranoia_level + # - $executing_paranoia_level + # - $allowed_methods + # - $content_types + # - $restricted_extensions + # - $restricted_headers + # - $secrequestmaxnumargs + # - $enable_dos_protection + # - $dos_burst_time_slice + # - $dos_counter_threshold + # - $dos_block_timeout + $security_crs_parameters = { + '_secdefaultaction' => $_secdefaultaction, + 'critical_anomaly_score' => $critical_anomaly_score, + 'error_anomaly_score' => $error_anomaly_score, + 'warning_anomaly_score' => $warning_anomaly_score, + 'notice_anomaly_score' => $notice_anomaly_score, + 'inbound_anomaly_threshold' => $inbound_anomaly_threshold, + 'outbound_anomaly_threshold' => $outbound_anomaly_threshold, + 'secrequestmaxnumargs' => $secrequestmaxnumargs, + 'allowed_methods' => $allowed_methods, + 'content_types' => $content_types, + 'restricted_extensions' => $restricted_extensions, + 'restricted_headers' => $restricted_headers, + 'paranoia_level' => $paranoia_level, + 'executing_paranoia_level' => $executing_paranoia_level, + 'enable_dos_protection' => $enable_dos_protection, + 'dos_burst_time_slice' => $dos_burst_time_slice, + 'dos_counter_threshold' => $dos_counter_threshold, + 'dos_block_timeout' => $dos_block_timeout, + } + + file { "${modsec_dir}/security_crs.conf": + ensure => file, + content => template('apache/mod/security_crs.conf.erb'), + require => File[$modsec_dir], + notify => Class['apache::service'], + } + + unless $facts['os']['name'] == 'SLES' or $facts['os']['name'] == 'Debian' or $facts['os']['name'] == 'Ubuntu' { + apache::security::rule_link { $activated_rules: } + } + } +} diff --git a/manifests/mod/setenvif.pp b/manifests/mod/setenvif.pp index 1b60edde8b..996f2fc766 100644 --- a/manifests/mod/setenvif.pp +++ b/manifests/mod/setenvif.pp @@ -1,12 +1,19 @@ +# @summary +# Installs `mod_setenvif`. +# +# @see https://httpd.apache.org/docs/current/mod/mod_setenvif.html for additional documentation. +# class apache::mod::setenvif { - apache::mod { 'setenvif': } + include apache + ::apache::mod { 'setenvif': } # Template uses no variables file { 'setenvif.conf': ensure => file, path => "${apache::mod_dir}/setenvif.conf", - content => template('apache/mod/setenvif.conf.erb'), + mode => $apache::file_mode, + content => epp('apache/mod/setenvif.conf.epp'), require => Exec["mkdir ${apache::mod_dir}"], before => File[$apache::mod_dir], - notify => Service['httpd'], + notify => Class['apache::service'], } } diff --git a/manifests/mod/shib.pp b/manifests/mod/shib.pp new file mode 100644 index 0000000000..cf267b4a6c --- /dev/null +++ b/manifests/mod/shib.pp @@ -0,0 +1,45 @@ +# @summary +# Installs and configures `mod_shib`. +# +# @param suppress_warning +# Toggles whether to trigger warning on RedHat nodes. +# +# @param mod_full_path +# Specifies a path to the module. Do not manually set this parameter without a special reason. +# +# @param package_name +# Name of the Shibboleth package to be installed. +# +# @param mod_lib +# Specifies a path to the module's libraries. Do not manually set this parameter without special reason. The `path` parameter +# overrides this value. +# +# This class installs and configures only the Apache components of a web application that consumes Shibboleth SSO identities. You +# can manage the Shibboleth configuration manually, with Puppet, or using a [Shibboleth Puppet Module](https://github.com/aethylred/puppet-shibboleth). +# +# @note +# The Shibboleth module isn't available on RH/CentOS without providing dependency packages provided by Shibboleth's repositories. +# See the [Shibboleth Service Provider Installation Guide](http://wiki.aaf.edu.au/tech-info/sp-install-guide). +# +# @see https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig for additional documentation. +# @note Unsupported platforms: RedHat: all; CentOS: all; Scientific: all; SLES: all; Ubuntu: all; OracleLinux: all +class apache::mod::shib ( + Boolean $suppress_warning = false, + Optional[Stdlib::Absolutepath] $mod_full_path = undef, + Optional[String] $package_name = undef, + Optional[String] $mod_lib = undef, +) { + include apache + if $facts['os']['family'] == 'RedHat' and ! $suppress_warning { + warning('RedHat distributions do not have Apache mod_shib in their default package repositories.') + } + + $mod_shib = 'shib2' + + apache::mod { $mod_shib: + id => 'mod_shib', + path => $mod_full_path, + package => $package_name, + lib => $mod_lib, + } +} diff --git a/manifests/mod/socache_shmcb.pp b/manifests/mod/socache_shmcb.pp new file mode 100644 index 0000000000..e9be75dce8 --- /dev/null +++ b/manifests/mod/socache_shmcb.pp @@ -0,0 +1,8 @@ +# @summary +# Installs `mod_socache_shmcb`. +# +# @see https://httpd.apache.org/docs/current/mod/mod_socache_shmcb.html for additional documentation. +# +class apache::mod::socache_shmcb { + ::apache::mod { 'socache_shmcb': } +} diff --git a/manifests/mod/speling.pp b/manifests/mod/speling.pp new file mode 100644 index 0000000000..538e8ffa6f --- /dev/null +++ b/manifests/mod/speling.pp @@ -0,0 +1,9 @@ +# @summary +# Installs `mod_spelling`. +# +# @see https://httpd.apache.org/docs/current/mod/mod_speling.html for additional documentation. +# +class apache::mod::speling { + include apache + ::apache::mod { 'speling': } +} diff --git a/manifests/mod/ssl.pp b/manifests/mod/ssl.pp index ba183e1dd8..30841b774d 100644 --- a/manifests/mod/ssl.pp +++ b/manifests/mod/ssl.pp @@ -1,23 +1,221 @@ +# @summary +# Installs `mod_ssl`. +# +# @param ssl_compression +# Enable compression on the SSL level. +# +# @param ssl_sessiontickets +# Enable or disable use of TLS session tickets +# +# @param ssl_cryptodevice +# Enable use of a cryptographic hardware accelerator. +# +# @param ssl_options +# Configure various SSL engine run-time options. +# +# @param ssl_openssl_conf_cmd +# Configure OpenSSL parameters through its SSL_CONF API. +# +# @param ssl_cert +# Path to server PEM-encoded X.509 certificate data file. +# +# @param ssl_key +# Path to server PEM-encoded private key file +# +# @param ssl_ca +# File of concatenated PEM-encoded CA Certificates for Client Auth. +# +# @param ssl_cipher +# Cipher Suite available for negotiation in SSL handshake. +# +# @param ssl_honorcipherorder +# Option to prefer the server's cipher preference order. +# +# @param ssl_protocol +# Configure usable SSL/TLS protocol versions. +# Default based on the OS: +# - RedHat 8: [ 'all' ]. +# - Other Platforms: [ 'all', '-SSLv2', '-SSLv3' ]. +# +# @param ssl_proxy_protocol +# Configure usable SSL protocol flavors for proxy usage. +# +# @param ssl_proxy_cipher_suite +# Configure usable SSL ciphers for proxy usage. Equivalent to ssl_cipher but for proxy connections. +# +# @param ssl_pass_phrase_dialog +# Type of pass phrase dialog for encrypted private keys. +# +# @param ssl_random_seed_bytes +# Pseudo Random Number Generator (PRNG) seeding source. +# +# @param ssl_sessioncache +# Configures the storage type of the global/inter-process SSL Session Cache +# +# @param ssl_sessioncachetimeout +# Number of seconds before an SSL session expires in the Session Cache. +# +# @param ssl_stapling +# Enable stapling of OCSP responses in the TLS handshake. +# +# @param stapling_cache +# Configures the cache used to store OCSP responses which get included in +# the TLS handshake if SSLUseStapling is enabled. +# +# @param ssl_stapling_return_errors +# Pass stapling related OCSP errors on to client. +# +# @param ssl_mutex +# Configures mutex mechanism and lock file directory for all or specified mutexes. +# +# @param ssl_reload_on_change +# Enable reloading of apache if the content of ssl files have changed. It only affects ssl files configured here and not vhost ones. +# +# @param package_name +# Name of ssl package to install. +# +# On most operating systems, the ssl.conf is placed in the module configuration directory. On Red Hat based operating systems, this +# file is placed in /etc/httpd/conf.d, the same location in which the RPM stores the configuration. +# +# To use SSL with a virtual host, you must either set the default_ssl_vhost parameter in ::apache to true or the ssl parameter in +# apache::vhost to true. +# +# @see https://httpd.apache.org/docs/current/mod/mod_ssl.html for additional documentation. +# class apache::mod::ssl ( - $ssl_compression = false, -) { - $session_cache = $::osfamily ? { - 'debian' => '${APACHE_RUN_DIR}/ssl_scache(512000)', - 'redhat' => '/var/cache/mod_ssl/scache(512000)', + Boolean $ssl_compression = false, + Optional[Boolean] $ssl_sessiontickets = undef, + String $ssl_cryptodevice = 'builtin', + Array[String] $ssl_options = ['StdEnvVars'], + Optional[String] $ssl_openssl_conf_cmd = undef, + Optional[Stdlib::Absolutepath] $ssl_cert = undef, + Optional[Stdlib::Absolutepath] $ssl_key = undef, + Optional[Stdlib::Absolutepath] $ssl_ca = undef, + Variant[String[1], Hash[String[1], String[1]]] $ssl_cipher = $apache::params::ssl_cipher, + Variant[Boolean, Apache::OnOff] $ssl_honorcipherorder = true, + Array[String] $ssl_protocol = $apache::params::ssl_protocol, + Array $ssl_proxy_protocol = [], + Optional[String[1]] $ssl_proxy_cipher_suite = $apache::params::ssl_proxy_cipher_suite, + String $ssl_pass_phrase_dialog = 'builtin', + Integer $ssl_random_seed_bytes = 512, + String $ssl_sessioncache = $apache::params::ssl_sessioncache, + Integer $ssl_sessioncachetimeout = 300, + Boolean $ssl_stapling = false, + Optional[String] $stapling_cache = undef, + Optional[Boolean] $ssl_stapling_return_errors = undef, + String $ssl_mutex = 'default', + Boolean $ssl_reload_on_change = false, + Optional[String] $package_name = undef, +) inherits apache::params { + include apache + include apache::mod::mime + + if $ssl_honorcipherorder =~ Boolean { + $_ssl_honorcipherorder = $ssl_honorcipherorder + } else { + $_ssl_honorcipherorder = $ssl_honorcipherorder ? { + 'on' => true, + 'On' => true, + 'off' => false, + 'Off' => false, + default => true, + } + } + + if $stapling_cache =~ Undef { + $_stapling_cache = $facts['os']['family'] ? { + 'Debian' => "\${APACHE_RUN_DIR}/ocsp(32768)", + 'RedHat' => '/run/httpd/ssl_stapling(32768)', + 'FreeBSD' => '/var/run/ssl_stapling(32768)', + 'Gentoo' => '/var/run/ssl_stapling(32768)', + 'Suse' => '/var/lib/apache2/ssl_stapling(32768)', + } + } else { + $_stapling_cache = $stapling_cache + } + + if $facts['os']['family'] == 'Suse' { + if defined(Class['apache::mod::worker']) { + $suse_path = '/usr/lib64/apache2-worker' + } else { + $suse_path = '/usr/lib64/apache2-prefork' + } + ::apache::mod { 'ssl': + package => $package_name, + lib_path => $suse_path, + } + } else { + ::apache::mod { 'ssl': + package => $package_name, + } } - $ssl_mutex = $::osfamily ? { - 'debian' => 'file:${APACHE_RUN_DIR}/ssl_mutex', - 'redhat' => 'default', + + include apache::mod::socache_shmcb + + if $ssl_reload_on_change { + [$ssl_cert, $ssl_key, $ssl_ca].each |$ssl_file| { + if $ssl_file { + include apache::mod::ssl::reload + $_ssl_file_copy = regsubst($ssl_file, '/', '_', 'G') + file { $_ssl_file_copy: + path => "${apache::params::puppet_ssl_dir}/${_ssl_file_copy}", + source => "file://${ssl_file}", + owner => 'root', + group => $apache::params::root_group, + mode => '0640', + seltype => 'cert_t', + notify => Class['apache::service'], + } + } + } + } + + # Template uses + # + # $ssl_compression + # $ssl_sessiontickets + # $ssl_cryptodevice + # $ssl_ca + # $ssl_cipher + # $ssl_honorcipherorder + # $ssl_options + # $ssl_openssl_conf_cmd + # $ssl_sessioncache + # $_stapling_cache + # $ssl_mutex + # $ssl_random_seed_bytes + # $ssl_sessioncachetimeout + $parameters = { + 'ssl_random_seed_bytes' => $ssl_random_seed_bytes, + 'ssl_pass_phrase_dialog' => $ssl_pass_phrase_dialog, + 'ssl_sessioncache' => $ssl_sessioncache, + 'ssl_sessioncachetimeout' => $ssl_sessioncachetimeout, + 'ssl_mutex' => $ssl_mutex, + 'ssl_compression' => $ssl_compression, + 'ssl_sessiontickets' => $ssl_sessiontickets, + 'ssl_cryptodevice' => $ssl_cryptodevice, + '_ssl_honorcipherorder' => $_ssl_honorcipherorder, + 'ssl_cert' => $ssl_cert, + 'ssl_key' => $ssl_key, + 'ssl_ca' => $ssl_ca, + 'ssl_stapling' => $ssl_stapling, + 'ssl_stapling_return_errors' => $ssl_stapling_return_errors, + '_stapling_cache' => $_stapling_cache, + 'ssl_cipher' => $ssl_cipher, + 'ssl_protocol' => $ssl_protocol, + 'ssl_proxy_protocol' => $ssl_proxy_protocol, + 'ssl_proxy_cipher_suite' => $ssl_proxy_cipher_suite, + 'ssl_options' => $ssl_options, + 'ssl_openssl_conf_cmd' => $ssl_openssl_conf_cmd, } - apache::mod { 'ssl': } - # Template uses $ssl_compression, $session_cache, $ssl_mutex file { 'ssl.conf': ensure => file, - path => "${apache::mod_dir}/ssl.conf", - content => template('apache/mod/ssl.conf.erb'), + path => $apache::_ssl_file, + mode => $apache::file_mode, + content => epp('apache/mod/ssl.conf.epp', $parameters), require => Exec["mkdir ${apache::mod_dir}"], before => File[$apache::mod_dir], - notify => Service['httpd'], + notify => Class['apache::service'], } } diff --git a/manifests/mod/ssl/reload.pp b/manifests/mod/ssl/reload.pp new file mode 100644 index 0000000000..1aa0a8ca7b --- /dev/null +++ b/manifests/mod/ssl/reload.pp @@ -0,0 +1,17 @@ +# @summary +# Manages the puppet_ssl folder for ssl file copies, which is needed to track changes for reloading service on changes +# +# @api private +class apache::mod::ssl::reload () inherits apache::params { + file { $apache::params::puppet_ssl_dir: + ensure => directory, + purge => true, + recurse => true, + require => Package['httpd'], + } + file { 'README.txt': + path => "${apache::params::puppet_ssl_dir}/README.txt", + content => 'This directory contains puppet managed copies of ssl files, so it can track changes and reload apache on changes.', + seltype => 'etc_t', + } +} diff --git a/manifests/mod/status.pp b/manifests/mod/status.pp index 084d84eeac..cd6416fe73 100644 --- a/manifests/mod/status.pp +++ b/manifests/mod/status.pp @@ -1,12 +1,52 @@ -class apache::mod::status { - apache::mod { 'status': } - # Template uses no variables +# @summary +# Installs and configures `mod_status`. +# +# @param requires +# A Variant type that can be: +# - String with: +# - '' or 'unmanaged' - Host auth control done elsewhere +# - 'ip ' - Allowed IPs/ranges +# - 'host ' - Allowed names/domains +# - 'all [granted|denied]' +# - Array of strings with ip or host as above +# - Hash with following keys: +# - 'requires' - Value => Array as above +# - 'enforce' - Value => String 'Any', 'All' or 'None' +# This encloses "Require" directives in "" block +# Optional - If unspecified, "Require" directives follow current flow +# +# @param extended_status +# Determines whether to track extended status information for each request, via the ExtendedStatus directive. +# +# @param status_path +# Path assigned to the Location directive which defines the URL to access the server status. +# +# @example +# # Simple usage allowing access from localhost and a private subnet +# class { 'apache::mod::status': +# requires => 'ip 127.0.0.1 ::1 10.10.10.10/24', +# } +# +# @see http://httpd.apache.org/docs/current/mod/mod_status.html for additional documentation. +# +class apache::mod::status ( + Optional[Variant[String, Array, Hash]] $requires = undef, + Apache::OnOff $extended_status = 'On', + String $status_path = '/server-status', +) inherits apache::params { + include apache + ::apache::mod { 'status': } + + $requires_defaults = 'ip 127.0.0.1 ::1' + + # Template uses $extended_status, $status_path file { 'status.conf': ensure => file, path => "${apache::mod_dir}/status.conf", + mode => $apache::file_mode, content => template('apache/mod/status.conf.erb'), require => Exec["mkdir ${apache::mod_dir}"], before => File[$apache::mod_dir], - notify => Service['httpd'], + notify => Class['apache::service'], } } diff --git a/manifests/mod/suexec.pp b/manifests/mod/suexec.pp new file mode 100644 index 0000000000..b6a28b1f12 --- /dev/null +++ b/manifests/mod/suexec.pp @@ -0,0 +1,8 @@ +# @summary +# Installs `mod_suexec`. +# +# @see https://httpd.apache.org/docs/current/mod/mod_suexec.html for additional documentation. +# +class apache::mod::suexec { + ::apache::mod { 'suexec': } +} diff --git a/manifests/mod/suphp.pp b/manifests/mod/suphp.pp deleted file mode 100644 index 26473cf2e5..0000000000 --- a/manifests/mod/suphp.pp +++ /dev/null @@ -1,14 +0,0 @@ -class apache::mod::suphp ( -){ - apache::mod { 'suphp': } - - file {'suphp.conf': - ensure => file, - path => "${apache::mod_dir}/suphp.conf", - content => template('apache/mod/suphp.conf.erb'), - require => Exec["mkdir ${apache::mod_dir}"], - before => File[$apache::mod_dir], - notify => Service['httpd'] - } -} - diff --git a/manifests/mod/userdir.pp b/manifests/mod/userdir.pp index 69f4044fd4..7cdf4b32ef 100644 --- a/manifests/mod/userdir.pp +++ b/manifests/mod/userdir.pp @@ -1,17 +1,59 @@ +# @summary +# Installs and configures `mod_userdir`. +# +# @param userdir +# Path or directory name to be used as the UserDir. +# +# @param disable_root +# Toggles whether to allow use of root directory. +# +# @param path +# Path to directory or pattern from which to find user-specific directories. +# +# @param overrides +# Array of directives that are allowed in .htaccess files. +# +# @param options +# Configures what features are available in a particular directory. +# +# @param unmanaged_path +# Toggles whether to manage path in userdir.conf +# +# @param custom_fragment +# Custom configuration to be added to userdir.conf +# +# @see https://httpd.apache.org/docs/current/mod/mod_userdir.html for additional documentation. +# class apache::mod::userdir ( - $home = '/home', - $dir = 'public_html', - $disable_root = true, + Optional[String[1]] $userdir = undef, + Boolean $disable_root = true, + String $path = '/home/*/public_html', + Array[String] $overrides = ['FileInfo', 'AuthConfig', 'Limit', 'Indexes'], + Array[String] $options = ['MultiViews', 'Indexes', 'SymLinksIfOwnerMatch', 'IncludesNoExec'], + Boolean $unmanaged_path = false, + Optional[String] $custom_fragment = undef, ) { - apache::mod { 'userdir': } + include apache + + ::apache::mod { 'userdir': } + + $parameters = { + 'disable_root' => $disable_root, + 'userdir' => pick($userdir, $path), + 'unmanaged_path' => $unmanaged_path, + 'path' => $path, + 'overrides' => $overrides, + 'options' => $options, + 'custom_fragment' => $custom_fragment, + } - # Template uses $home, $dir, $disable_root file { 'userdir.conf': ensure => file, path => "${apache::mod_dir}/userdir.conf", - content => template('apache/mod/userdir.conf.erb'), + mode => $apache::file_mode, + content => epp('apache/mod/userdir.conf.epp', $parameters), require => Exec["mkdir ${apache::mod_dir}"], before => File[$apache::mod_dir], - notify => Service['httpd'], + notify => Class['apache::service'], } } diff --git a/manifests/mod/version.pp b/manifests/mod/version.pp new file mode 100644 index 0000000000..4885578bc2 --- /dev/null +++ b/manifests/mod/version.pp @@ -0,0 +1,12 @@ +# @summary +# Installs `mod_version`. +# +# @see https://httpd.apache.org/docs/current/mod/mod_version.html for additional documentation. +# +class apache::mod::version { + if $facts['os']['family'] == 'Debian' { + warning("${module_name}: module version_module is built-in and can't be loaded") + } else { + ::apache::mod { 'version': } + } +} diff --git a/manifests/mod/vhost_alias.pp b/manifests/mod/vhost_alias.pp index ec40447a35..3ff6fd1aa3 100644 --- a/manifests/mod/vhost_alias.pp +++ b/manifests/mod/vhost_alias.pp @@ -1,3 +1,8 @@ +# @summary +# Installs Apache `mod_vhost_alias`. +# +# @see https://httpd.apache.org/docs/current/mod/mod_vhost_alias.html for additional documentation. +# class apache::mod::vhost_alias { - apache::mod { 'vhost_alias': } + ::apache::mod { 'vhost_alias': } } diff --git a/manifests/mod/watchdog.pp b/manifests/mod/watchdog.pp new file mode 100644 index 0000000000..ff17a1cdd6 --- /dev/null +++ b/manifests/mod/watchdog.pp @@ -0,0 +1,31 @@ +# @summary +# Installs and configures `mod_watchdog`. +# +# @param watchdog_interval +# Sets the interval at which the watchdog_step hook runs. +# +# @see https://httpd.apache.org/docs/current/mod/mod_watchdog.html for additional documentation. +class apache::mod::watchdog ( + Optional[Integer] $watchdog_interval = undef, +) { + include apache + + $module_builtin = $facts['os']['family'] in ['Debian'] + + unless $module_builtin { + apache::mod { 'watchdog': + } + } + + if $watchdog_interval { + file { 'watchdog.conf': + ensure => file, + path => "${apache::mod_dir}/watchdog.conf", + mode => $apache::file_mode, + content => "WatchdogInterval ${watchdog_interval}\n", + require => Exec["mkdir ${apache::mod_dir}"], + before => File[$apache::mod_dir], + notify => Class['apache::service'], + } + } +} diff --git a/manifests/mod/worker.pp b/manifests/mod/worker.pp index 3966ed23d5..42fd52933f 100644 --- a/manifests/mod/worker.pp +++ b/manifests/mod/worker.pp @@ -1,64 +1,121 @@ +# @summary +# Installs and manages the MPM `worker`. +# +# @param startservers +# The number of child server processes created on startup +# +# @param minsparethreads +# Minimum number of idle threads to handle request spikes. +# +# @param maxsparethreads +# Maximum number of idle threads. +# +# @param threadsperchild +# The number of threads created by each child process. +# +# @param maxrequestsperchild +# Limit on the number of connectiojns an individual child server +# process will handle. This is the old name and is still supported. The new +# name is MaxConnectionsPerChild as of 2.3.9+. +# +# @param serverlimit +# With worker, use this directive only if your MaxRequestWorkers +# and ThreadsPerChild settings require more than 16 server processes +# (default). Do not set the value of this directive any higher than the +# number of server processes required by what you may want for +# MaxRequestWorkers and ThreadsPerChild. +# +# @param threadlimit +# This directive sets the maximum configured value for +# ThreadsPerChild for the lifetime of the Apache httpd process. +# +# @param listenbacklog +# Maximum length of the queue of pending connections. +# +# @param maxrequestworkers +# Maximum number of connections that will be processed simultaneously +# +# @see https://httpd.apache.org/docs/current/mod/worker.html for additional documentation. +# class apache::mod::worker ( - $startservers = '2', - $maxclients = '150', - $minsparethreads = '25', - $maxsparethreads = '75', - $threadsperchild = '25', - $maxrequestsperchild = '0', - $serverlimit = '25', + Integer $startservers = 2, + Integer $minsparethreads = 25, + Integer $maxsparethreads = 75, + Integer $threadsperchild = 25, + Integer $maxrequestsperchild = 0, + Integer $serverlimit = 25, + Integer $threadlimit = 64, + Integer $listenbacklog = 511, + Integer $maxrequestworkers = 150, ) { + include apache + + if defined(Class['apache::mod::event']) { + fail('May not include both apache::mod::worker and apache::mod::event on the same node') + } if defined(Class['apache::mod::itk']) { fail('May not include both apache::mod::worker and apache::mod::itk on the same node') } + if defined(Class['apache::mod::peruser']) { + fail('May not include both apache::mod::worker and apache::mod::peruser on the same node') + } if defined(Class['apache::mod::prefork']) { fail('May not include both apache::mod::worker and apache::mod::prefork on the same node') } File { owner => 'root', - group => 'root', - mode => '0644', + group => $apache::params::root_group, + mode => $apache::file_mode, } # Template uses: # - $startservers - # - $maxclients + # - $maxrequestworkers # - $minsparethreads # - $maxsparethreads # - $threadsperchild # - $maxrequestsperchild # - $serverlimit + # - $threadLimit + # - $listenbacklog + $parameters = { + 'serverlimit' => $serverlimit, + 'startservers' => $startservers, + 'threadlimit' => $threadlimit, + 'minsparethreads' => $minsparethreads, + 'maxsparethreads' => $maxsparethreads, + 'threadsperchild' => $threadsperchild, + 'maxrequestsperchild' => $maxrequestsperchild, + 'listenbacklog' => $listenbacklog, + 'maxrequestworkers' => $maxrequestworkers, + } + file { "${apache::mod_dir}/worker.conf": ensure => file, - content => template('apache/mod/worker.conf.erb'), + content => epp('apache/mod/worker.conf.epp', $parameters), require => Exec["mkdir ${apache::mod_dir}"], before => File[$apache::mod_dir], - notify => Service['httpd'], + notify => Class['apache::service'], } - case $::osfamily { - 'redhat': { - file_line { '/etc/sysconfig/httpd worker enable': - ensure => present, - path => '/etc/sysconfig/httpd', - line => 'HTTPD=/usr/sbin/httpd.worker', - match => '#?HTTPD=/usr/sbin/httpd.worker', - notify => Service['httpd'], + case $facts['os']['family'] { + 'RedHat', 'Debian', 'FreeBSD': { + ::apache::mpm { 'worker': } } - 'debian': { - file { "${apache::mod_enable_dir}/worker.conf": - ensure => link, - target => "${apache::mod_dir}/worker.conf", - require => Exec["mkdir ${apache::mod_enable_dir}"], - before => File[$apache::mod_enable_dir], - notify => Service['httpd'], + 'Suse': { + ::apache::mpm { 'worker': + lib_path => '/usr/lib64/apache2-worker', } - package { 'apache2-mpm-worker': - ensure => present, + } + + 'Gentoo': { + ::portage::makeconf { 'apache2_mpms': + content => 'worker', } } default: { - fail("Unsupported osfamily ${::osfamily}") + fail("Unsupported osfamily ${$facts['os']['family']}") } } } diff --git a/manifests/mod/wsgi.pp b/manifests/mod/wsgi.pp index ff12fbf24c..dc5a739c02 100644 --- a/manifests/mod/wsgi.pp +++ b/manifests/mod/wsgi.pp @@ -1,19 +1,83 @@ +# @summary +# Installs and configures `mod_wsgi`. +# +# @param wsgi_restrict_embedded +# Enable restrictions on use of embedded mode. +# +# @param wsgi_socket_prefix +# Configure directory to use for daemon sockets. +# +# @param wsgi_python_path +# Additional directories to search for Python modules. +# +# @param wsgi_python_home +# Absolute path to Python prefix/exec_prefix directories. +# +# @param wsgi_python_optimize +# Enables basic Python optimisation features. +# +# @param wsgi_application_group +# Sets which application group WSGI application belongs to. +# +# @param package_name +# Names of package that installs mod_wsgi. +# +# @param mod_path +# Defines the path to the mod_wsgi shared object (.so) file. +# +# @see https://github.com/GrahamDumpleton/mod_wsgi for additional documentation. +# @note Unsupported platforms: SLES: all; RedHat: all; CentOS: all; OracleLinux: all; Scientific: all class apache::mod::wsgi ( - $wsgi_socket_prefix = undef, - $wsgi_python_home = undef, -){ - apache::mod { 'wsgi': } + Optional[String] $wsgi_restrict_embedded = undef, + Optional[String] $wsgi_socket_prefix = $apache::params::wsgi_socket_prefix, + Optional[Stdlib::Absolutepath] $wsgi_python_path = undef, + Optional[Stdlib::Absolutepath] $wsgi_python_home = undef, + Optional[Integer] $wsgi_python_optimize = undef, + Optional[String] $wsgi_application_group = undef, + Optional[String] $package_name = undef, + Optional[String] $mod_path = undef, +) inherits apache::params { + include apache + if ($package_name != undef and $mod_path == undef) or ($package_name == undef and $mod_path != undef) { + fail('apache::mod::wsgi - both package_name and mod_path must be specified!') + } + + if $package_name != undef { + if $mod_path =~ /\// { + $_mod_path = $mod_path + } else { + $_mod_path = "${apache::lib_path}/${mod_path}" + } + ::apache::mod { 'wsgi': + package => $package_name, + path => $_mod_path, + } + } + else { + ::apache::mod { 'wsgi': } + } # Template uses: + # - $wsgi_restrict_embedded # - $wsgi_socket_prefix + # - $wsgi_python_path # - $wsgi_python_home - file {'wsgi.conf': + $parameters = { + 'wsgi_restrict_embedded' => $wsgi_restrict_embedded, + 'wsgi_socket_prefix' => $wsgi_socket_prefix, + 'wsgi_python_home' => $wsgi_python_home, + 'wsgi_python_path' => $wsgi_python_path, + 'wsgi_application_group' => $wsgi_application_group, + 'wsgi_python_optimize' => $wsgi_python_optimize, + } + + file { 'wsgi.conf': ensure => file, path => "${apache::mod_dir}/wsgi.conf", - content => template('apache/mod/wsgi.conf.erb'), + mode => $apache::file_mode, + content => epp('apache/mod/wsgi.conf.epp', $parameters), require => Exec["mkdir ${apache::mod_dir}"], before => File[$apache::mod_dir], - notify => Service['httpd'] + notify => Class['apache::service'], } } - diff --git a/manifests/mod/xsendfile.pp b/manifests/mod/xsendfile.pp index 571501a03b..955488461b 100644 --- a/manifests/mod/xsendfile.pp +++ b/manifests/mod/xsendfile.pp @@ -1,4 +1,9 @@ +# @summary +# Installs `mod_xsendfile`. +# +# @see https://tn123.org/mod_xsendfile/ for additional documentation. +# class apache::mod::xsendfile { include apache::params - apache::mod { 'xsendfile': } + ::apache::mod { 'xsendfile': } } diff --git a/manifests/mpm.pp b/manifests/mpm.pp new file mode 100644 index 0000000000..d4b15853d2 --- /dev/null +++ b/manifests/mpm.pp @@ -0,0 +1,138 @@ +# @summary Enables the use of Apache MPMs. +# +# @api private +define apache::mpm ( + String $lib_path = $apache::lib_path, +) { + if ! defined(Class['apache']) { + fail('You must include the apache base class before using any apache defined resources') + } + + $mpm = $name + $mod_dir = $apache::mod_dir + + $_lib = "mod_mpm_${mpm}.so" + $_path = "${lib_path}/${_lib}" + $_id = "mpm_${mpm}_module" + + if $facts['os']['family'] == 'Suse' { + #mpms on Suse 12 don't use .so libraries so create a placeholder load file + file { "${mod_dir}/${mpm}.load": + ensure => file, + path => "${mod_dir}/${mpm}.load", + content => '', + require => [ + Package['httpd'], + Exec["mkdir ${mod_dir}"], + ], + before => File[$mod_dir], + notify => Class['apache::service'], + } + } else { + file { "${mod_dir}/${mpm}.load": + ensure => file, + path => "${mod_dir}/${mpm}.load", + content => "LoadModule ${_id} ${_path}\n", + require => [ + Package['httpd'], + Exec["mkdir ${mod_dir}"], + ], + before => File[$mod_dir], + notify => Class['apache::service'], + } + } + + case $facts['os']['family'] { + 'Debian': { + file { "${apache::mod_enable_dir}/${mpm}.conf": + ensure => link, + target => "${apache::mod_dir}/${mpm}.conf", + require => Exec["mkdir ${apache::mod_enable_dir}"], + before => File[$apache::mod_enable_dir], + notify => Class['apache::service'], + } + + file { "${apache::mod_enable_dir}/${mpm}.load": + ensure => link, + target => "${apache::mod_dir}/${mpm}.load", + require => Exec["mkdir ${apache::mod_enable_dir}"], + before => File[$apache::mod_enable_dir], + notify => Class['apache::service'], + } + + if $mpm == 'itk' { + file { "${lib_path}/mod_mpm_itk.so": + ensure => link, + target => "${lib_path}/mpm_itk.so", + require => Package['httpd'], + before => Class['apache::service'], + } + } + + if $mpm == 'itk' { + package { 'libapache2-mpm-itk': + ensure => present, + before => [ + Class['apache::service'], + File[$apache::mod_enable_dir], + ], + } + } + + unless $mpm in ['itk', 'prefork'] { + include apache::mpm::disable_mpm_prefork + } + + if $mpm != 'worker' { + include apache::mpm::disable_mpm_worker + } + + if $mpm != 'event' { + include apache::mpm::disable_mpm_event + } + } + + 'FreeBSD': { + class { 'apache::package': + mpm_module => $mpm, + } + } + 'Gentoo': { + # so we don't fail + } + 'RedHat': { + # so we don't fail + } + 'Suse': { + file { "${apache::mod_enable_dir}/${mpm}.conf": + ensure => link, + target => "${apache::mod_dir}/${mpm}.conf", + require => Exec["mkdir ${apache::mod_enable_dir}"], + before => File[$apache::mod_enable_dir], + notify => Class['apache::service'], + } + + file { "${apache::mod_enable_dir}/${mpm}.load": + ensure => link, + target => "${apache::mod_dir}/${mpm}.load", + require => Exec["mkdir ${apache::mod_enable_dir}"], + before => File[$apache::mod_enable_dir], + notify => Class['apache::service'], + } + + if $mpm == 'itk' { + file { "${lib_path}/mod_mpm_itk.so": + ensure => link, + target => "${lib_path}/mpm_itk.so", + } + } + + package { "apache2-${mpm}": + ensure => present, + } + } + default: { + fail("Unsupported osfamily ${$facts['os']['family']}") + } + } +} diff --git a/manifests/mpm/disable_mpm_event.pp b/manifests/mpm/disable_mpm_event.pp new file mode 100644 index 0000000000..faa04cfe8f --- /dev/null +++ b/manifests/mpm/disable_mpm_event.pp @@ -0,0 +1,11 @@ +# @summary disable Apache-Module event +class apache::mpm::disable_mpm_event { + $event_command = ['/usr/sbin/a2dismod', 'mpm_event'] + $event_onlyif = [['/usr/bin/test', '-e', join([$apache::mod_enable_dir, 'mpm_event.load'],'/')]] + exec { '/usr/sbin/a2dismod mpm_event': + command => $event_command, + onlyif => $event_onlyif, + require => Package['httpd'], + notify => Class['apache::service'], + } +} diff --git a/manifests/mpm/disable_mpm_prefork.pp b/manifests/mpm/disable_mpm_prefork.pp new file mode 100644 index 0000000000..1488276915 --- /dev/null +++ b/manifests/mpm/disable_mpm_prefork.pp @@ -0,0 +1,11 @@ +# @summary disable Apache-Module prefork +class apache::mpm::disable_mpm_prefork { + $prefork_command = ['/usr/sbin/a2dismod', 'prefork'] + $prefork_onlyif = [['/usr/bin/test', '-e', join([$apache::mod_enable_dir, 'prefork.load'],'/')]] + exec { '/usr/sbin/a2dismod prefork': + command => $prefork_command, + onlyif => $prefork_onlyif, + require => Package['httpd'], + before => Class['apache::service'], + } +} diff --git a/manifests/mpm/disable_mpm_worker.pp b/manifests/mpm/disable_mpm_worker.pp new file mode 100644 index 0000000000..7da4a92ace --- /dev/null +++ b/manifests/mpm/disable_mpm_worker.pp @@ -0,0 +1,11 @@ +# @summary disable Apache-Module worker +class apache::mpm::disable_mpm_worker { + $worker_command = ['/usr/sbin/a2dismod', 'worker'] + $worker_onlyif = [['/usr/bin/test', '-e', join([$apache::mod_enable_dir, 'worker.load'],'/')]] + exec { '/usr/sbin/a2dismod worker': + command => $worker_command, + onlyif => $worker_onlyif, + require => Package['httpd'], + before => Class['apache::service'], + } +} diff --git a/manifests/namevirtualhost.pp b/manifests/namevirtualhost.pp index edbbfe4cf2..b2a3d22a67 100644 --- a/manifests/namevirtualhost.pp +++ b/manifests/namevirtualhost.pp @@ -1,10 +1,15 @@ +# @summary +# Enables name-based virtual hosts +# +# Adds all related directives to the `ports.conf` file in the Apache HTTPD configuration +# directory. Titles can take the forms `\*`, `\*:\`, `\_default\_:\`, +# `\`, or `\:\`. define apache::namevirtualhost { $addr_port = $name - include apache::params # Template uses: $addr_port concat::fragment { "NameVirtualHost ${addr_port}": - target => $apache::params::ports_file, - content => template('apache/namevirtualhost.erb'), + target => $apache::ports_file, + content => epp('apache/namevirtualhost.epp', { 'addr_port' => $addr_port }), } } diff --git a/manifests/package.pp b/manifests/package.pp new file mode 100644 index 0000000000..06b8bc77bf --- /dev/null +++ b/manifests/package.pp @@ -0,0 +1,40 @@ +# @summary +# Installs an Apache MPM. +# +# @api private +class apache::package ( + String $ensure = 'present', + String $mpm_module = $apache::params::mpm_module, +) inherits apache::params { + # The base class must be included first because it is used by parameter defaults + if ! defined(Class['apache']) { + fail('You must include the apache base class before using any apache defined resources') + } + + case $facts['os']['family'] { + 'FreeBSD': { + case $mpm_module { + 'prefork': { + } + 'worker': { + } + 'event': { + } + 'itk': { + package { 'www/mod_mpm_itk': + ensure => installed, + } + } + default: { fail("MPM module ${mpm_module} not supported on FreeBSD") } + } + } + default: { + } + } + + package { 'httpd': + ensure => $ensure, + name => $apache::apache_name, + notify => Class['Apache::Service'], + } +} diff --git a/manifests/params.pp b/manifests/params.pp index 65e9dcae7c..60318ef6aa 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -1,129 +1,785 @@ -# Class: apache::params +# @summary +# This class manages Apache parameters # -# This class manages Apache parameters -# -# Parameters: -# - The $user that Apache runs as -# - The $group that Apache runs as -# - The $apache_name is the name of the package and service on the relevant -# distribution -# - The $php_package is the name of the package that provided PHP -# - The $ssl_package is the name of the Apache SSL package -# - The $apache_dev is the name of the Apache development libraries package -# - The $conf_contents is the contents of the Apache configuration file -# -# Actions: -# -# Requires: -# -# Sample Usage: -# -class apache::params { - # This will be 5 or 6 on RedHat, 6 or wheezy on Debian, 12 or quantal on Ubuntu, 3 on Amazon, etc. - $osr_array = split($::operatingsystemrelease,'[\/\.]') - $distrelease = $osr_array[0] - if ! $distrelease { - fail("Class['apache::params']: Unparsable \$::operatingsystemrelease: ${::operatingsystemrelease}") +# @api private +class apache::params inherits apache::version { + if($facts['networking']['fqdn']) { + $servername = $facts['networking']['fqdn'] + } else { + $servername = $facts['networking']['hostname'] } - if($::fqdn) { - $servername = $::fqdn - } else { - $servername = $::hostname + # The default error log level + $log_level = 'warn' + $use_optional_includes = false + + # Default mime types settings + $mime_types_additional = { + 'AddHandler' => { 'type-map' => 'var', }, + 'AddType' => { 'text/html' => '.shtml', }, + 'AddOutputFilter' => { 'INCLUDES' => '.shtml', }, } - if $::osfamily == 'RedHat' or $::operatingsystem == 'amazon' { + # should we use systemd module? + $use_systemd = true + + # Default mode for files + $file_mode = '0644' + + # The default value for host hame lookup + $hostname_lookups = 'Off' + + # Default options for / directory + $root_directory_options = ['FollowSymLinks'] + + $vhost_include_pattern = '*' + + $modsec_audit_log_parts = 'ABIJDEFHZ' + $modsec_audit_log_type = 'Serial' + $modsec_custom_rules = false + $modsec_custom_rules_set = undef + + # no client certs should be trusted for auth by default. + $ssl_certs_dir = undef + + # Allow overriding the autoindex alias location + $icons_prefix = 'icons' + + if ($apache::version::scl_httpd_version) { + if $apache::version::scl_php_version == undef { + fail('If you define apache::version::scl_httpd_version, you also need to specify apache::version::scl_php_version') + } + $_scl_httpd_version_nodot = regsubst($apache::version::scl_httpd_version, '\.', '') + $_scl_httpd_name = "httpd${_scl_httpd_version_nodot}" + + $_scl_php_version_no_dot = regsubst($apache::version::scl_php_version, '\.', '') $user = 'apache' $group = 'apache' + $root_group = 'root' + $apache_name = "${_scl_httpd_name}-httpd" + $service_name = "${_scl_httpd_name}-httpd" + $httpd_root = "/opt/rh/${_scl_httpd_name}/root" + $httpd_dir = "${httpd_root}/etc/httpd" + $server_root = "${httpd_root}/etc/httpd" + $conf_dir = "${httpd_dir}/conf" + $confd_dir = "${httpd_dir}/conf.d" + $puppet_ssl_dir = "${httpd_dir}/puppet_ssl" + $mod_dir = "${httpd_dir}/conf.modules.d" + $mod_enable_dir = undef + $vhost_dir = "${httpd_dir}/conf.d" + $vhost_enable_dir = undef + $conf_file = 'httpd.conf' + $conf_enabled = undef + $ports_file = "${conf_dir}/ports.conf" + $pidfile = 'run/httpd.pid' + $logroot = "/var/log/${_scl_httpd_name}" + $logroot_mode = undef + $lib_path = 'modules' + $mpm_module = 'prefork' + $dev_packages = "${_scl_httpd_name}-httpd-devel" + $default_ssl_cert = '/etc/pki/tls/certs/localhost.crt' + $default_ssl_key = '/etc/pki/tls/private/localhost.key' + $ssl_sessioncache = '/var/cache/mod_ssl/scache(512000)' + $passenger_conf_file = 'passenger_extra.conf' + $passenger_conf_package_file = 'passenger.conf' + $passenger_root = undef + $passenger_ruby = undef + $passenger_default_ruby = undef + $php_version = $apache::version::scl_php_version + $mod_packages = { + 'authnz_ldap' => "${_scl_httpd_name}-mod_ldap", + 'ldap' => "${_scl_httpd_name}-mod_ldap", + "php${apache::version::scl_php_version}" => "rh-php${_scl_php_version_no_dot}-php", + 'ssl' => "${_scl_httpd_name}-mod_ssl", + } + $mod_libs = { + 'nss' => 'libmodnss.so', + } + $conf_template = 'apache/httpd.conf.epp' + $http_protocol_options = undef + $keepalive = 'On' + $keepalive_timeout = 15 + $max_keepalive_requests = 100 + $mime_support_package = 'mailcap' + $mime_types_config = '/etc/mime.types' + $docroot = "${httpd_root}/var/www/html" + $alias_icons_path = "${httpd_root}/usr/share/httpd/icons" + $error_documents_path = "${httpd_root}/usr/share/httpd/error" + if $facts['os']['family'] == 'RedHat' { + $wsgi_socket_prefix = '/var/run/wsgi' + } else { + $wsgi_socket_prefix = undef + } + $cas_cookie_path = '/var/cache/mod_auth_cas/' + $mellon_lock_file = '/run/mod_auth_mellon/lock' + $mellon_cache_size = 100 + $mellon_post_directory = undef + $modsec_version = 1 + $modsec_crs_package = 'mod_security_crs' + $modsec_dir = '/etc/httpd/modsecurity.d' + $secpcrematchlimit = 1500 + $secpcrematchlimitrecursion = 1500 + $modsec_secruleengine = 'On' + if $facts['os']['family'] == 'RedHat' and versioncmp($facts['os']['release']['major'], '7') <= 0 { + $modsec_crs_path = '/usr/lib/modsecurity.d' + $modsec_default_rules = [ + 'base_rules/modsecurity_35_bad_robots.data', + 'base_rules/modsecurity_35_scanners.data', + 'base_rules/modsecurity_40_generic_attacks.data', + 'base_rules/modsecurity_50_outbound.data', + 'base_rules/modsecurity_50_outbound_malware.data', + 'base_rules/modsecurity_crs_20_protocol_violations.conf', + 'base_rules/modsecurity_crs_21_protocol_anomalies.conf', + 'base_rules/modsecurity_crs_23_request_limits.conf', + 'base_rules/modsecurity_crs_30_http_policy.conf', + 'base_rules/modsecurity_crs_35_bad_robots.conf', + 'base_rules/modsecurity_crs_40_generic_attacks.conf', + 'base_rules/modsecurity_crs_41_sql_injection_attacks.conf', + 'base_rules/modsecurity_crs_41_xss_attacks.conf', + 'base_rules/modsecurity_crs_42_tight_security.conf', + 'base_rules/modsecurity_crs_45_trojans.conf', + 'base_rules/modsecurity_crs_47_common_exceptions.conf', + 'base_rules/modsecurity_crs_49_inbound_blocking.conf', + 'base_rules/modsecurity_crs_50_outbound.conf', + 'base_rules/modsecurity_crs_59_outbound_blocking.conf', + 'base_rules/modsecurity_crs_60_correlation.conf', + ] + } else { + $modsec_crs_path = '/usr/share/mod_modsecurity_crs' + $modsec_default_rules = [ + 'rules/crawlers-user-agents.data', + ] + } + $error_log = 'error_log' + $scriptalias = "${httpd_root}/var/www/cgi-bin" + $access_log_file = 'access_log' + } + elsif $facts['os']['family'] == 'RedHat' or $facts['os']['name'] =~ /^[Aa]mazon$/ { + $user = 'apache' + $group = 'apache' + $root_group = 'root' $apache_name = 'httpd' + $service_name = 'httpd' $httpd_dir = '/etc/httpd' + $server_root = '/etc/httpd' $conf_dir = "${httpd_dir}/conf" $confd_dir = "${httpd_dir}/conf.d" - $mod_dir = "${httpd_dir}/conf.d" + $puppet_ssl_dir = "${httpd_dir}/puppet_ssl" + $conf_enabled = undef + $mod_dir = "${httpd_dir}/conf.modules.d" + $mod_enable_dir = undef $vhost_dir = "${httpd_dir}/conf.d" + $vhost_enable_dir = undef $conf_file = 'httpd.conf' $ports_file = "${conf_dir}/ports.conf" + $pidfile = 'run/httpd.pid' $logroot = '/var/log/httpd' + $logroot_mode = undef $lib_path = 'modules' $mpm_module = 'prefork' $dev_packages = 'httpd-devel' $default_ssl_cert = '/etc/pki/tls/certs/localhost.crt' $default_ssl_key = '/etc/pki/tls/private/localhost.key' - $ssl_certs_dir = '/etc/pki/tls/certs' - $passenger_root = '/usr/share/rubygems/gems/passenger-3.0.17' - $passenger_ruby = '/usr/bin/ruby' - $suphp_addhandler = 'php5-script' - $suphp_engine = 'off' - $suphp_configpath = undef + $ssl_sessioncache = '/var/cache/mod_ssl/scache(512000)' + $passenger_conf_file = 'passenger_extra.conf' + $passenger_conf_package_file = 'passenger.conf' + $passenger_root = undef + $passenger_ruby = undef + $passenger_default_ruby = undef + $php_version = $facts['os']['release']['major'] ? { + '9' => undef, # RedHat 9 doesn't ship mod_php + '8' => '7', # RedHat8 + default => '5', # RedHat5, RedHat6, RedHat7 + } $mod_packages = { - 'auth_kerb' => 'mod_auth_kerb', - 'fcgid' => 'mod_fcgid', - 'passenger' => 'mod_passenger', - 'perl' => 'mod_perl', - 'php5' => $distrelease ? { - '5' => 'php53', - default => 'php', + # NOTE: The auth_cas module isn't available on RH/CentOS without providing dependency packages provided by EPEL. + 'auth_cas' => 'mod_auth_cas', + 'auth_kerb' => 'mod_auth_kerb', + 'auth_gssapi' => 'mod_auth_gssapi', + 'auth_mellon' => 'mod_auth_mellon', + 'auth_openidc' => 'mod_auth_openidc', + 'authnz_ldap' => 'mod_ldap', + 'authnz_pam' => 'mod_authnz_pam', + 'fcgid' => 'mod_fcgid', + 'geoip' => 'mod_geoip', + 'http2' => 'mod_http2', + 'intercept_form_submit' => 'mod_intercept_form_submit', + 'ldap' => 'mod_ldap', + 'lookup_identity' => 'mod_lookup_identity', + 'md' => 'mod_md', + 'pagespeed' => 'mod-pagespeed-stable', + # NOTE: The passenger module isn't available on RH/CentOS without + # providing dependency packages provided by EPEL and passenger + # repositories. See + # https://www.phusionpassenger.com/library/install/apache/install/oss/el7/ + 'passenger' => 'mod_passenger', + 'perl' => 'mod_perl', + 'phpXXX' => 'php', + 'proxy_html' => 'mod_proxy_html', + 'python' => 'mod_python', + 'security' => 'mod_security', + # NOTE: The module for Shibboleth is not available on RH/CentOS without + # providing dependency packages provided by Shibboleth's repositories. + # See http://wiki.aaf.edu.au/tech-info/sp-install-guide + 'shibboleth' => 'shibboleth', + 'ssl' => 'mod_ssl', + 'wsgi' => $facts['os']['release']['major'] ? { + '7' => 'mod_wsgi', # RedHat7 + default => 'python3-mod_wsgi', # RedHat8+ }, - 'proxy_html' => 'mod_proxy_html', - 'python' => 'mod_python', - 'shibboleth' => 'shibboleth', - 'ssl' => 'mod_ssl', - 'wsgi' => 'mod_wsgi', - 'dav_svn' => 'mod_dav_svn', - 'suphp' => 'mod_suphp', - 'xsendfile' => 'mod_xsendfile', + 'dav_svn' => 'mod_dav_svn', + 'xsendfile' => 'mod_xsendfile', + 'nss' => 'mod_nss', + 'shib2' => 'shibboleth', } $mod_libs = { - 'php5' => 'libphp5.so', + 'nss' => 'libmodnss.so', + 'wsgi' => $facts['os']['release']['major'] ? { + '7' => 'mod_wsgi.so', + default => 'mod_wsgi_python3.so', + }, } - $conf_template = 'apache/httpd.conf.erb' - $keepalive = 'Off' + $conf_template = 'apache/httpd.conf.epp' + $http_protocol_options = undef + $keepalive = 'On' $keepalive_timeout = 15 - } elsif $::osfamily == 'Debian' { - $user = 'www-data' - $group = 'www-data' - $apache_name = 'apache2' + $max_keepalive_requests = 100 + $mime_support_package = 'mailcap' + $mime_types_config = '/etc/mime.types' + $docroot = '/var/www/html' + $alias_icons_path = '/usr/share/httpd/icons' + $error_documents_path = '/usr/share/httpd/error' + if $facts['os']['family'] == 'RedHat' { + $wsgi_socket_prefix = '/var/run/wsgi' + } else { + $wsgi_socket_prefix = undef + } + $cas_cookie_path = '/var/cache/mod_auth_cas/' + $mellon_lock_file = '/run/mod_auth_mellon/lock' + $mellon_cache_size = 100 + $mellon_post_directory = undef + $modsec_version = 1 + $modsec_crs_package = 'mod_security_crs' + $modsec_dir = '/etc/httpd/modsecurity.d' + $secpcrematchlimit = 1500 + $secpcrematchlimitrecursion = 1500 + $modsec_secruleengine = 'On' + if $facts['os']['family'] == 'RedHat' and versioncmp($facts['os']['release']['major'], '7') <= 0 { + $modsec_crs_path = '/usr/lib/modsecurity.d' + $modsec_default_rules = [ + 'base_rules/modsecurity_35_bad_robots.data', + 'base_rules/modsecurity_35_scanners.data', + 'base_rules/modsecurity_40_generic_attacks.data', + 'base_rules/modsecurity_50_outbound.data', + 'base_rules/modsecurity_50_outbound_malware.data', + 'base_rules/modsecurity_crs_20_protocol_violations.conf', + 'base_rules/modsecurity_crs_21_protocol_anomalies.conf', + 'base_rules/modsecurity_crs_23_request_limits.conf', + 'base_rules/modsecurity_crs_30_http_policy.conf', + 'base_rules/modsecurity_crs_35_bad_robots.conf', + 'base_rules/modsecurity_crs_40_generic_attacks.conf', + 'base_rules/modsecurity_crs_41_sql_injection_attacks.conf', + 'base_rules/modsecurity_crs_41_xss_attacks.conf', + 'base_rules/modsecurity_crs_42_tight_security.conf', + 'base_rules/modsecurity_crs_45_trojans.conf', + 'base_rules/modsecurity_crs_47_common_exceptions.conf', + 'base_rules/modsecurity_crs_49_inbound_blocking.conf', + 'base_rules/modsecurity_crs_50_outbound.conf', + 'base_rules/modsecurity_crs_59_outbound_blocking.conf', + 'base_rules/modsecurity_crs_60_correlation.conf', + ] + } else { + $modsec_crs_path = '/usr/share/mod_modsecurity_crs' + $modsec_default_rules = [ + 'rules/crawlers-user-agents.data', + 'rules/iis-errors.data', + 'rules/java-classes.data', + 'rules/java-code-leakages.data', + 'rules/java-errors.data', + 'rules/lfi-os-files.data', + 'rules/php-config-directives.data', + 'rules/php-errors.data', + 'rules/php-function-names-933150.data', + 'rules/php-function-names-933151.data', + 'rules/php-variables.data', + 'rules/REQUEST-901-INITIALIZATION.conf', + 'rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf', + 'rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf', + 'rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf', + 'rules/REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf', + 'rules/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf', + 'rules/REQUEST-903.9006-XENFORO-EXCLUSION-RULES.conf', + 'rules/REQUEST-905-COMMON-EXCEPTIONS.conf', + 'rules/REQUEST-910-IP-REPUTATION.conf', + 'rules/REQUEST-911-METHOD-ENFORCEMENT.conf', + 'rules/REQUEST-912-DOS-PROTECTION.conf', + 'rules/REQUEST-913-SCANNER-DETECTION.conf', + 'rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf', + 'rules/REQUEST-921-PROTOCOL-ATTACK.conf', + 'rules/REQUEST-922-MULTIPART-ATTACK.conf', + 'rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf', + 'rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf', + 'rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf', + 'rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf', + 'rules/REQUEST-934-APPLICATION-ATTACK-NODEJS.conf', + 'rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf', + 'rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf', + 'rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf', + 'rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf', + 'rules/REQUEST-949-BLOCKING-EVALUATION.conf', + 'rules/RESPONSE-950-DATA-LEAKAGES.conf', + 'rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf', + 'rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf', + 'rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf', + 'rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf', + 'rules/RESPONSE-959-BLOCKING-EVALUATION.conf', + 'rules/RESPONSE-980-CORRELATION.conf', + 'rules/restricted-files.data', + 'rules/restricted-upload.data', + 'rules/scanners-headers.data', + 'rules/scanners-urls.data', + 'rules/scanners-user-agents.data', + 'rules/scripting-user-agents.data', + 'rules/sql-errors.data', + 'rules/unix-shell.data', + 'rules/windows-powershell-commands.data', + ] + } + $error_log = 'error_log' + $scriptalias = '/var/www/cgi-bin' + $access_log_file = 'access_log' + } elsif $facts['os']['family'] == 'Debian' { + $user = 'www-data' + $group = 'www-data' + $root_group = 'root' + $apache_name = 'apache2' + $service_name = 'apache2' + $httpd_dir = '/etc/apache2' + $server_root = '/etc/apache2' + $conf_dir = $httpd_dir + $confd_dir = "${httpd_dir}/conf.d" + # Overwrite conf_enabled causes errors with Shibboleth when enabled on Ubuntu 18.04 + $conf_enabled = undef #"${httpd_dir}/conf-enabled.d" + $puppet_ssl_dir = "${httpd_dir}/puppet_ssl" + $mod_dir = "${httpd_dir}/mods-available" + $mod_enable_dir = "${httpd_dir}/mods-enabled" + $vhost_dir = "${httpd_dir}/sites-available" + $vhost_enable_dir = "${httpd_dir}/sites-enabled" + $conf_file = 'apache2.conf' + $ports_file = "${conf_dir}/ports.conf" + $pidfile = "\${APACHE_PID_FILE}" + $logroot = '/var/log/apache2' + $logroot_mode = undef + $lib_path = '/usr/lib/apache2/modules' + $mpm_module = 'worker' + $default_ssl_cert = '/etc/ssl/certs/ssl-cert-snakeoil.pem' + $default_ssl_key = '/etc/ssl/private/ssl-cert-snakeoil.key' + $ssl_sessioncache = "\${APACHE_RUN_DIR}/ssl_scache(512000)" + $php_version = $facts['os']['release']['major'] ? { + '10' => '7.3', # Debian Buster + '11' => '7.4', # Debian Bullseye + '12' => '8.2', # Debian Bookworm + '20.04' => '7.4', # Ubuntu Foccal Fossal + '22.04' => '8.1', # Ubuntu Jammy + default => '7.2', # Ubuntu Bionic, Cosmic and Disco + } + $_base_mod_packages = { + 'apreq2' => 'libapache2-mod-apreq2', + 'auth_cas' => 'libapache2-mod-auth-cas', + 'auth_openidc' => 'libapache2-mod-auth-openidc', + 'auth_gssapi' => 'libapache2-mod-auth-gssapi', + 'auth_mellon' => 'libapache2-mod-auth-mellon', + 'authnz_pam' => 'libapache2-mod-authnz-pam', + 'dav_svn' => 'libapache2-mod-svn', + 'fcgid' => 'libapache2-mod-fcgid', + 'geoip' => 'libapache2-mod-geoip', + 'intercept_form_submit' => 'libapache2-mod-intercept-form-submit', + 'jk' => 'libapache2-mod-jk', + 'lookup_identity' => 'libapache2-mod-lookup-identity', + 'pagespeed' => 'mod-pagespeed-stable', + 'passenger' => 'libapache2-mod-passenger', + 'perl' => 'libapache2-mod-perl2', + 'phpXXX' => 'libapache2-mod-phpXXX', + 'python' => 'libapache2-mod-python', + 'rpaf' => 'libapache2-mod-rpaf', + 'security' => 'libapache2-mod-security2', + 'xsendfile' => 'libapache2-mod-xsendfile', + } + $_os_mod_packages = case $facts['os']['name'] { + 'Debian': { + case $facts['os']['release']['major'] { + '10': { + { + 'auth_kerb' => 'libapache2-mod-auth-kerb', + 'shib2' => 'libapache2-mod-shib2', + 'wsgi' => 'libapache2-mod-wsgi', + } + } + default: { + { + 'shib2' => 'libapache2-mod-shib', + 'wsgi' => 'libapache2-mod-wsgi-py3', + } + } + } + } + 'Ubuntu': { + case $facts['os']['release']['major'] { + '18.04': { + { + 'auth_kerb' => 'libapache2-mod-auth-kerb', + 'nss' => 'libapache2-mod-nss', + 'shib2' => 'libapache2-mod-shib2', + 'wsgi' => 'libapache2-mod-wsgi', + } + } + '20.04': { + { + 'auth_kerb' => 'libapache2-mod-auth-kerb', + 'shib2' => 'libapache2-mod-shib2', + 'wsgi' => 'libapache2-mod-wsgi', + } + } + default: { + { + 'auth_kerb' => 'libapache2-mod-auth-kerb', + 'shib2' => 'libapache2-mod-shib', + 'wsgi' => 'libapache2-mod-wsgi-py3', + } + } + } + } + default: { + {} + } + } + $mod_packages = $_base_mod_packages + $_os_mod_packages + + $error_log = 'error.log' + $scriptalias = '/usr/lib/cgi-bin' + $access_log_file = 'access.log' + if ($facts['os']['name'] == 'Ubuntu' and versioncmp($facts['os']['release']['major'], '19.04') < 0) { + $shib2_lib = 'mod_shib2.so' + } else { + $shib2_lib = 'mod_shib.so' + } + $mod_libs = { + 'shib2' => $shib2_lib, + } + $conf_template = 'apache/httpd.conf.epp' + $http_protocol_options = undef + $keepalive = 'On' + $keepalive_timeout = 15 + $max_keepalive_requests = 100 + $mime_types_config = '/etc/mime.types' + $mime_support_package = undef + $docroot = '/var/www/html' + $cas_cookie_path = '/var/cache/apache2/mod_auth_cas/' + $mellon_lock_file = undef + $mellon_cache_size = undef + $mellon_post_directory = '/var/cache/apache2/mod_auth_mellon/' + $modsec_version = 1 + $modsec_crs_package = 'modsecurity-crs' + $modsec_crs_path = '/usr/share/modsecurity-crs' + $modsec_dir = '/etc/modsecurity' + $secpcrematchlimit = 1500 + $secpcrematchlimitrecursion = 1500 + $modsec_secruleengine = 'On' + $modsec_default_rules = [ + 'crawlers-user-agents.data', + 'iis-errors.data', + 'java-code-leakages.data', + 'java-errors.data', + 'lfi-os-files.data', + 'php-config-directives.data', + 'php-errors.data', + 'php-function-names-933150.data', + 'php-function-names-933151.data', + 'php-variables.data', + 'restricted-files.data', + 'scanners-headers.data', + 'scanners-urls.data', + 'scanners-user-agents.data', + 'scripting-user-agents.data', + 'sql-errors.data', + 'sql-function-names.data', + 'unix-shell.data', + 'windows-powershell-commands.data', + ] + $alias_icons_path = '/usr/share/apache2/icons' + $error_documents_path = '/usr/share/apache2/error' + $dev_packages = ['libaprutil1-dev', 'libapr1-dev', 'apache2-dev'] + + # + # Passenger-specific settings + # + + $passenger_conf_file = 'passenger.conf' + $passenger_conf_package_file = undef + $passenger_root = '/usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini' + $passenger_ruby = undef + $passenger_default_ruby = '/usr/bin/ruby' + $wsgi_socket_prefix = undef + } elsif $facts['os']['family'] == 'FreeBSD' { + $user = 'www' + $group = 'www' + $root_group = 'wheel' + $apache_name = 'apache24' + $service_name = 'apache24' + $httpd_dir = '/usr/local/etc/apache24' + $server_root = '/usr/local' + $conf_dir = $httpd_dir + $confd_dir = "${httpd_dir}/Includes" + $conf_enabled = undef + $puppet_ssl_dir = "${httpd_dir}/puppet_ssl" + $mod_dir = "${httpd_dir}/Modules" + $mod_enable_dir = undef + $vhost_dir = "${httpd_dir}/Vhosts" + $vhost_enable_dir = undef + $conf_file = 'httpd.conf' + $ports_file = "${conf_dir}/ports.conf" + $pidfile = '/var/run/httpd.pid' + $logroot = '/var/log/apache24' + $logroot_mode = undef + $lib_path = '/usr/local/libexec/apache24' + $mpm_module = 'prefork' + $dev_packages = undef + $default_ssl_cert = '/usr/local/etc/apache24/server.crt' + $default_ssl_key = '/usr/local/etc/apache24/server.key' + $ssl_sessioncache = '/var/run/ssl_scache(512000)' + $passenger_conf_file = 'passenger.conf' + $passenger_conf_package_file = undef + $passenger_root = '/usr/local/lib/ruby/gems/2.0/gems/passenger-4.0.58' + $passenger_ruby = '/usr/local/bin/ruby' + $passenger_default_ruby = undef + $php_version = '5' + $mod_packages = { + # NOTE: I list here only modules that are not included in www/apache24 + # NOTE: 'passenger' needs to enable APACHE_SUPPORT in make config + # NOTE: 'php' needs to enable APACHE option in make config + # NOTE: 'dav_svn' needs to enable MOD_DAV_SVN make config + # NOTE: not sure where the shibboleth should come from + 'auth_kerb' => 'www/mod_auth_kerb2', + 'auth_gssapi' => 'www/mod_auth_gssapi', + 'auth_openidc'=> 'www/mod_auth_openidc', + 'fcgid' => 'www/mod_fcgid', + 'passenger' => 'www/rubygem-passenger', + 'perl' => 'www/mod_perl2', + 'phpXXX' => 'www/mod_phpXXX', + 'python' => 'www/mod_python3', + 'wsgi' => 'www/mod_wsgi', + 'dav_svn' => 'devel/subversion', + 'xsendfile' => 'www/mod_xsendfile', + 'rpaf' => 'www/mod_rpaf2', + 'shib2' => 'security/shibboleth2-sp', + } + $mod_libs = { + } + $conf_template = 'apache/httpd.conf.epp' + $http_protocol_options = undef + $keepalive = 'On' + $keepalive_timeout = 15 + $max_keepalive_requests = 100 + $mime_support_package = 'misc/mime-support' + $mime_types_config = '/usr/local/etc/mime.types' + $wsgi_socket_prefix = undef + $docroot = '/usr/local/www/apache24/data' + $alias_icons_path = '/usr/local/www/apache24/icons' + $error_documents_path = '/usr/local/www/apache24/error' + $error_log = 'httpd-error.log' + $scriptalias = '/usr/local/www/apache24/cgi-bin' + $access_log_file = 'httpd-access.log' + } elsif $facts['os']['family'] == 'Gentoo' { + $user = 'apache' + $group = 'apache' + $root_group = 'wheel' + $apache_name = 'www-servers/apache' + $service_name = 'apache2' $httpd_dir = '/etc/apache2' + $server_root = '/var/www' $conf_dir = $httpd_dir $confd_dir = "${httpd_dir}/conf.d" - $mod_dir = "${httpd_dir}/mods-available" - $mod_enable_dir = "${httpd_dir}/mods-enabled" - $vhost_dir = "${httpd_dir}/sites-available" - $vhost_enable_dir = "${httpd_dir}/sites-enabled" - $conf_file = 'apache2.conf' + $conf_enabled = undef + $puppet_ssl_dir = "${httpd_dir}/puppet_ssl" + $mod_dir = "${httpd_dir}/modules.d" + $mod_enable_dir = undef + $vhost_dir = "${httpd_dir}/vhosts.d" + $vhost_enable_dir = undef + $conf_file = 'httpd.conf' $ports_file = "${conf_dir}/ports.conf" $logroot = '/var/log/apache2' + $logroot_mode = undef $lib_path = '/usr/lib/apache2/modules' - $mpm_module = 'worker' - $dev_packages = ['libaprutil1-dev', 'libapr1-dev', 'apache2-prefork-dev'] - $default_ssl_cert = '/etc/ssl/certs/ssl-cert-snakeoil.pem' - $default_ssl_key = '/etc/ssl/private/ssl-cert-snakeoil.key' - $ssl_certs_dir = '/etc/ssl/certs' + $mpm_module = 'prefork' + $dev_packages = undef + $default_ssl_cert = '/etc/ssl/apache2/server.crt' + $default_ssl_key = '/etc/ssl/apache2/server.key' + $ssl_sessioncache = '/var/run/ssl_scache(512000)' $passenger_root = '/usr' $passenger_ruby = '/usr/bin/ruby' - $suphp_addhandler = 'x-httpd-php' - $suphp_engine = 'off' - $suphp_configpath = '/etc/php5/apache2' + $passenger_conf_file = 'passenger.conf' + $passenger_conf_package_file = undef + $passenger_default_ruby = undef + $php_version = '5' $mod_packages = { - 'auth_kerb' => 'libapache2-mod-auth-kerb', - 'fcgid' => 'libapache2-mod-fcgid', - 'passenger' => 'libapache2-mod-passenger', - 'perl' => 'libapache2-mod-perl2', - 'php5' => 'libapache2-mod-php5', - 'proxy_html' => 'libapache2-mod-proxy-html', - 'python' => 'libapache2-mod-python', - 'wsgi' => 'libapache2-mod-wsgi', - 'dav_svn' => 'libapache2-svn', - 'suphp' => 'libapache2-mod-suphp', - 'xsendfile' => 'libapache2-mod-xsendfile', + # NOTE: I list here only modules that are not included in www-servers/apache + 'auth_kerb' => 'www-apache/mod_auth_kerb', + 'auth_gssapi' => 'www-apache/mod_auth_gssapi', + 'authnz_external' => 'www-apache/mod_authnz_external', + 'fcgid' => 'www-apache/mod_fcgid', + 'passenger' => 'www-apache/passenger', + 'perl' => 'www-apache/mod_perl', + 'phpXXX' => 'dev-lang/php', + 'proxy_html' => 'www-apache/mod_proxy_html', + 'proxy_fcgi' => 'www-apache/mod_proxy_fcgi', + 'python' => 'www-apache/mod_python', + 'wsgi' => 'www-apache/mod_wsgi', + 'dav_svn' => 'dev-vcs/subversion', + 'xsendfile' => 'www-apache/mod_xsendfile', + 'rpaf' => 'www-apache/mod_rpaf', + 'xml2enc' => 'www-apache/mod_xml2enc', } $mod_libs = { - 'php5' => 'libphp5.so', } - $conf_template = 'apache/httpd.conf.erb' - $keepalive = 'Off' - $keepalive_timeout = 15 + $conf_template = 'apache/httpd.conf.epp' + $http_protocol_options = undef + $keepalive = 'On' + $keepalive_timeout = 15 + $max_keepalive_requests = 100 + $mime_support_package = 'app-misc/mime-types' + $mime_types_config = '/etc/mime.types' + $wsgi_socket_prefix = undef + $docroot = '/var/www/localhost/htdocs' + $alias_icons_path = '/usr/share/apache2/icons' + $error_documents_path = '/usr/share/apache2/error' + $pidfile = '/var/run/apache2.pid' + $error_log = 'error.log' + $scriptalias = '/var/www/localhost/cgi-bin' + $access_log_file = 'access.log' + } elsif $facts['os']['family'] == 'Suse' { + $user = 'wwwrun' + $group = 'www' + $root_group = 'root' + $apache_name = 'apache2' + $service_name = 'apache2' + $httpd_dir = '/etc/apache2' + $server_root = '/etc/apache2' + $conf_dir = $httpd_dir + $confd_dir = "${httpd_dir}/conf.d" + $conf_enabled = undef + $puppet_ssl_dir = "${httpd_dir}/puppet_ssl" + $mod_dir = "${httpd_dir}/mods-available" + $mod_enable_dir = "${httpd_dir}/mods-enabled" + $vhost_dir = "${httpd_dir}/sites-available" + $vhost_enable_dir = "${httpd_dir}/sites-enabled" + $conf_file = 'httpd.conf' + $ports_file = "${conf_dir}/ports.conf" + $pidfile = '/var/run/httpd2.pid' + $logroot = '/var/log/apache2' + $logroot_mode = undef + $lib_path = '/usr/lib64/apache2' #changes for some modules based on mpm + $mpm_module = 'prefork' + if versioncmp($facts['os']['release']['major'], '15') < 0 { + $default_ssl_cert = '/etc/apache2/ssl.crt/server.crt' + $default_ssl_key = '/etc/apache2/ssl.key/server.key' + $php_version = '5' + } else { + $default_ssl_cert = '/etc/apache2/ssl.crt/default-server.crt' + $default_ssl_key = '/etc/apache2/ssl.key/default-server.key' + $php_version = '7' + } + $ssl_sessioncache = '/var/lib/apache2/ssl_scache(512000)' + if versioncmp($facts['os']['release']['major'], '11') < 0 or versioncmp($facts['os']['release']['major'], '12') >= 0 { + $mod_packages = { + 'auth_kerb' => 'apache2-mod_auth_kerb', + 'auth_gssapi' => 'apache2-mod_auth_gssapi', + 'dav_svn' => 'subversion-server', + 'perl' => 'apache2-mod_perl', + 'php5' => 'apache2-mod_php5', + 'php7' => 'apache2-mod_php7', + 'python' => 'apache2-mod_python', + 'security' => 'apache2-mod_security2', + 'worker' => 'apache2-worker', + } + } else { + $mod_packages = { + 'auth_kerb' => 'apache2-mod_auth_kerb', + 'auth_gssapi' => 'apache2-mod_auth_gssapi', + 'dav_svn' => 'subversion-server', + 'perl' => 'apache2-mod_perl', + 'php5' => 'apache2-mod_php53', + 'python' => 'apache2-mod_python', + 'security' => 'apache2-mod_security2', + } + } + $mod_libs = { + 'security' => '/usr/lib64/apache2/mod_security2.so', + 'php53' => '/usr/lib64/apache2/mod_php5.so', + } + $conf_template = 'apache/httpd.conf.epp' + $http_protocol_options = undef + $keepalive = 'On' + $keepalive_timeout = 15 + $max_keepalive_requests = 100 + $mime_support_package = 'aaa_base' + $mime_types_config = '/etc/mime.types' + $docroot = '/srv/www' + $cas_cookie_path = '/var/cache/apache2/mod_auth_cas/' + $mellon_lock_file = undef + $mellon_cache_size = undef + $mellon_post_directory = undef + $alias_icons_path = '/usr/share/apache2/icons' + $error_documents_path = '/usr/share/apache2/error' + $dev_packages = ['libapr-util1-devel', 'libapr1-devel', 'libcurl-devel'] + $modsec_version = 1 + $modsec_crs_package = undef + $modsec_crs_path = undef + $modsec_default_rules = [] + $modsec_dir = '/etc/apache2/modsecurity' + $secpcrematchlimit = 1500 + $secpcrematchlimitrecursion = 1500 + $modsec_secruleengine = 'On' + $error_log = 'error.log' + $scriptalias = '/usr/lib/cgi-bin' + $access_log_file = 'access.log' + + # + # Passenger-specific settings + # + + $passenger_conf_file = 'passenger.conf' + $passenger_conf_package_file = undef + + $passenger_root = '/usr/lib64/ruby/gems/1.8/gems/passenger-5.0.30' + $passenger_ruby = '/usr/bin/ruby' + $passenger_default_ruby = '/usr/bin/ruby' + $wsgi_socket_prefix = undef + } else { + fail("Class['apache::params']: Unsupported osfamily: ${$facts['os']['family']}") + } + + if $facts['os']['name'] == 'SLES' { + $verify_command = ['/usr/sbin/apache2ctl', '-t'] + } elsif $facts['os']['name'] == 'FreeBSD' { + $verify_command = ['/usr/local/sbin/apachectl', '-t'] + } elsif ($apache::version::scl_httpd_version) { + $verify_command = ["/opt/rh/${_scl_httpd_name}/root/usr/sbin/apachectl", '-t'] + } else { + $verify_command = ['/usr/sbin/apachectl', '-t'] + } + + if $facts['os']['family'] == 'RedHat' and versioncmp($facts['os']['release']['major'], '8') >= 0 { + # Use OpenSSL system profile. See update-crypto-policies(8) for more details + $ssl_protocol = [] + $ssl_cipher = 'PROFILE=SYSTEM' + $ssl_proxy_cipher_suite = 'PROFILE=SYSTEM' + } elsif $facts['os']['family'] == 'Debian' { + $ssl_protocol = ['all', '-SSLv3'] + $ssl_cipher = 'HIGH:!aNULL' + $ssl_proxy_cipher_suite = undef } else { - fail("Class['apache::params']: Unsupported osfamily: ${::osfamily}") + $ssl_protocol = ['all', '-SSLv2', '-SSLv3'] + $ssl_cipher = 'HIGH:MEDIUM:!aNULL:!MD5:!RC4:!3DES' + $ssl_proxy_cipher_suite = undef } } diff --git a/manifests/peruser/multiplexer.pp b/manifests/peruser/multiplexer.pp new file mode 100644 index 0000000000..c09189de13 --- /dev/null +++ b/manifests/peruser/multiplexer.pp @@ -0,0 +1,23 @@ +# @summary +# Checks if an Apache module has a class. +# +# If Apache has a class, it includes that class. If it does not, it passes the module name to the `apache::mod` defined type. +# +# @api private +define apache::peruser::multiplexer ( + String $user = $apache::user, + String $group = $apache::group, + Optional[String] $file = undef, +) { + if ! $file { + $filename = "${name}.conf" + } else { + $filename = $file + } + file { "${apache::mod_dir}/peruser/multiplexers/${filename}": + ensure => file, + content => "Multiplexer ${user} ${group}\n", + require => File["${apache::mod_dir}/peruser/multiplexers"], + notify => Class['apache::service'], + } +} diff --git a/manifests/peruser/processor.pp b/manifests/peruser/processor.pp new file mode 100644 index 0000000000..9be3d6109a --- /dev/null +++ b/manifests/peruser/processor.pp @@ -0,0 +1,21 @@ +# @summary +# Enables the `Peruser` module for FreeBSD only. +# +# @api private +define apache::peruser::processor ( + String $user, + String $group, + Optional[String] $file = undef, +) { + if ! $file { + $filename = "${name}.conf" + } else { + $filename = $file + } + file { "${apache::mod_dir}/peruser/processors/${filename}": + ensure => file, + content => "Processor ${user} ${group}\n", + require => File["${apache::mod_dir}/peruser/processors"], + notify => Class['apache::service'], + } +} diff --git a/manifests/php.pp b/manifests/php.pp deleted file mode 100644 index feb903e7be..0000000000 --- a/manifests/php.pp +++ /dev/null @@ -1,18 +0,0 @@ -# Class: apache::php -# -# This class installs PHP for Apache -# -# Parameters: -# - $php_package -# -# Actions: -# - Install Apache PHP package -# -# Requires: -# -# Sample Usage: -# -class apache::php { - warning('apache::php is deprecated; please use apache::mod::php') - include apache::mod::php -} diff --git a/manifests/proxy.pp b/manifests/proxy.pp deleted file mode 100644 index 0f4fde540b..0000000000 --- a/manifests/proxy.pp +++ /dev/null @@ -1,15 +0,0 @@ -# Class: apache::proxy -# -# This class enabled the proxy module for Apache -# -# Actions: -# - Enables Apache Proxy module -# -# Requires: -# -# Sample Usage: -# -class apache::proxy { - warning('apache::proxy is deprecated; please use apache::mod::proxy') - include apache::mod::proxy -} diff --git a/manifests/python.pp b/manifests/python.pp deleted file mode 100644 index 99ef289872..0000000000 --- a/manifests/python.pp +++ /dev/null @@ -1,18 +0,0 @@ -# Class: apache::python -# -# This class installs Python for Apache -# -# Parameters: -# - $php_package -# -# Actions: -# - Install Apache Python package -# -# Requires: -# -# Sample Usage: -# -class apache::python { - warning('apache::python is deprecated; please use apache::mod::python') - include apache::mod::python -} diff --git a/manifests/security/rule_link.pp b/manifests/security/rule_link.pp new file mode 100644 index 0000000000..59cd8dee8f --- /dev/null +++ b/manifests/security/rule_link.pp @@ -0,0 +1,21 @@ +# @summary +# Links the activated_rules from `apache::mod::security` to the respective CRS rules on disk. +# +# @api private +define apache::security::rule_link { + $parts = split($title, '/') + $filename = $parts[-1] + + $target = $title ? { + /^\// => $title, + default => "${apache::params::modsec_crs_path}/${title}", + } + + file { $filename: + ensure => 'link', + path => "${apache::mod::security::modsec_dir}/activated_rules/${filename}", + target => $target , + require => File["${apache::mod::security::modsec_dir}/activated_rules"], + notify => Class['apache::service'], + } +} diff --git a/manifests/service.pp b/manifests/service.pp index c95d3ca484..914b45ba9c 100644 --- a/manifests/service.pp +++ b/manifests/service.pp @@ -1,30 +1,36 @@ -# Class: apache::service -# -# Manages the Apache daemon -# -# Parameters: -# -# Actions: -# - Manage Apache service -# -# Requires: -# -# Sample Usage: -# -# sometype { 'foo': -# notify => Class['apache::service], -# } -# +# @summary +# Installs and configures Apache service. # +# @api private class apache::service ( - $service_enable = true, - $service_ensure = 'running', + String $service_name = $apache::params::service_name, + Boolean $service_enable = true, + Variant[Boolean, String] $service_ensure = 'running', + Boolean $service_manage = true, + Optional[String] $service_restart = undef ) { - validate_bool($service_enable) + # The base class must be included first because parameter defaults depend on it + if ! defined(Class['apache::params']) { + fail('You must include the apache::params class before using any apache defined resources') + } + case $service_ensure { + true, false, 'running', 'stopped': { + $_service_ensure = $service_ensure + } + default: { + $_service_ensure = undef + } + } + + $service_hasrestart = $service_restart == undef - service { 'httpd': - ensure => $service_ensure, - name => $apache::apache_name, - enable => $service_enable, + if $service_manage { + service { 'httpd': + ensure => $_service_ensure, + name => $service_name, + enable => $service_enable, + restart => $service_restart, + hasrestart => $service_hasrestart, + } } } diff --git a/manifests/ssl.pp b/manifests/ssl.pp deleted file mode 100644 index 21662e1685..0000000000 --- a/manifests/ssl.pp +++ /dev/null @@ -1,18 +0,0 @@ -# Class: apache::ssl -# -# This class installs Apache SSL capabilities -# -# Parameters: -# - The $ssl_package name from the apache::params class -# -# Actions: -# - Install Apache SSL capabilities -# -# Requires: -# -# Sample Usage: -# -class apache::ssl { - warning('apache::ssl is deprecated; please use apache::mod::ssl') - include apache::mod::ssl -} diff --git a/manifests/version.pp b/manifests/version.pp new file mode 100644 index 0000000000..8f96503045 --- /dev/null +++ b/manifests/version.pp @@ -0,0 +1,9 @@ +# @summary +# Try to automatically detect the version by OS +# +# @api private +class apache::version ( + Optional[String] $scl_httpd_version = undef, + Optional[String] $scl_php_version = undef, +) { +} diff --git a/manifests/vhost.pp b/manifests/vhost.pp index e07bdb4fe8..03c86938b0 100644 --- a/manifests/vhost.pp +++ b/manifests/vhost.pp @@ -1,160 +1,1987 @@ -# Definition: apache::vhost -# -# This class installs Apache Virtual Hosts -# -# Parameters: -# - The $port to configure the host on -# - The $docroot provides the DocumentRoot variable -# - The $virtual_docroot provides VirtualDocumentationRoot variable -# - The $serveradmin will specify an email address for Apache that it will -# display when it renders one of it's error pages -# - The $ssl option is set true or false to enable SSL for this Virtual Host -# - The $priority of the site -# - The $servername is the primary name of the virtual host -# - The $serveraliases of the site -# - The $options for the given vhost -# - The $override for the given vhost (list of AllowOverride arguments) -# - The $vhost_name for name based virtualhosting, defaulting to * -# - The $logroot specifies the location of the virtual hosts logfiles, default -# to /var/log// -# - The $access_log specifies if *_access.log directives should be configured. -# - The $ensure specifies if vhost file is present or absent. -# - The $request_headers is a list of RequestHeader statement strings as per http://httpd.apache.org/docs/2.2/mod/mod_headers.html#requestheader -# - $aliases is a list of Alias hashes for mod_alias as per http://httpd.apache.org/docs/current/mod/mod_alias.html -# each statement is a hash in the form of { alias => '/alias', path => '/real/path/to/directory' } -# - $directories is a lost of hashes for creating statements as per http://httpd.apache.org/docs/2.2/mod/core.html#directory -# each statement is a hash in the form of { path => '/path/to/directory', => } -# see README.md for list of supported directives. -# -# Actions: -# - Install Apache Virtual Hosts -# -# Requires: -# - The apache class -# -# Sample Usage: -# -# # Simple vhost definition: -# apache::vhost { 'site.name.fqdn': -# port => '80', -# docroot => '/path/to/docroot', -# } -# -# # SSL vhost with non-SSL rewrite: -# apache::vhost { 'site.name.fqdn': -# port => '443', -# ssl => true, -# docroot => '/path/to/docroot', -# } -# apache::vhost { 'site.name.fqdn': -# port => '80', -# rewrite_cond => '%{HTTPS} off', -# rewrite_rule => '(.*) https://%{HTTPS_HOST}%{REQUEST_URI}', -# } -# apache::vhost { 'site.name.fqdn': -# port => '80', -# docroot => '/path/to/other_docroot', -# custom_fragment => template("${module_name}/my_fragment.erb"), -# } -# -define apache::vhost( - $docroot, - $virtual_docroot = false, - $port = undef, - $ip = undef, - $ip_based = false, - $add_listen = true, - $docroot_owner = 'root', - $docroot_group = 'root', - $serveradmin = false, - $ssl = false, - $ssl_cert = $apache::default_ssl_cert, - $ssl_key = $apache::default_ssl_key, - $ssl_chain = $apache::default_ssl_chain, - $ssl_ca = $apache::default_ssl_ca, - $ssl_crl_path = $apache::default_ssl_crl_path, - $ssl_crl = $apache::default_ssl_crl, - $ssl_certs_dir = $apache::params::ssl_certs_dir, - $ssl_protocol = undef, - $ssl_cipher = undef, - $ssl_honorcipherorder = undef, - $ssl_verify_client = undef, - $ssl_verify_depth = undef, - $ssl_options = undef, - $priority = undef, - $default_vhost = false, - $servername = $name, - $serveraliases = [], - $options = ['Indexes','FollowSymLinks','MultiViews'], - $override = ['None'], - $directoryindex = '', - $vhost_name = '*', - $logroot = $apache::logroot, - $access_log = true, - $access_log_file = undef, - $access_log_pipe = undef, - $access_log_syslog = undef, - $access_log_format = undef, - $aliases = undef, - $directories = undef, - $error_log = true, - $error_log_file = undef, - $error_log_pipe = undef, - $error_log_syslog = undef, - $fallbackresource = undef, - $scriptalias = undef, - $proxy_dest = undef, - $proxy_pass = undef, - $sslproxyengine = false, - $suphp_addhandler = $apache::params::suphp_addhandler, - $suphp_engine = $apache::params::suphp_engine, - $suphp_configpath = $apache::params::suphp_configpath, - $no_proxy_uris = [], - $redirect_source = '/', - $redirect_dest = undef, - $redirect_status = undef, - $rack_base_uris = undef, - $request_headers = undef, - $rewrite_rule = undef, - $rewrite_cond = undef, - $setenv = [], - $setenvif = [], - $block = [], - $ensure = 'present', - $wsgi_daemon_process = undef, - $wsgi_daemon_process_options = undef, - $wsgi_process_group = undef, - $wsgi_script_aliases = undef, - $custom_fragment = undef, - $itk = undef - ) { +# @summary +# Allows specialised configurations for virtual hosts that possess requirements +# outside of the defaults. +# +# The apache module allows a lot of flexibility in the setup and configuration of virtual hosts. +# This flexibility is due, in part, to `vhost` being a defined resource type, which allows Apache +# to evaluate it multiple times with different parameters.
+# The `apache::vhost` defined type allows you to have specialized configurations for virtual hosts +# that have requirements outside the defaults. You can set up a default virtual host within +# the base `::apache` class, as well as set a customized virtual host as the default. +# Customized virtual hosts have a lower numeric `priority` than the base class's, causing +# Apache to process the customized virtual host first.
+# The `apache::vhost` defined type uses `concat::fragment` to build the configuration file. To +# inject custom fragments for pieces of the configuration that the defined type doesn't +# inherently support, add a custom fragment.
+# For the custom fragment's `order` parameter, the `apache::vhost` defined type uses multiples +# of 10, so any `order` that isn't a multiple of 10 should work.
+# > **Note:** When creating an `apache::vhost`, it cannot be named `default` or `default-ssl`, +# because vhosts with these titles are always managed by the module. This means that you cannot +# override `Apache::Vhost['default']` or `Apache::Vhost['default-ssl]` resources. An optional +# workaround is to create a vhost named something else, such as `my default`, and ensure that the +# `default` and `default_ssl` vhosts are set to `false`: +# +# @example +# class { 'apache': +# default_vhost => false, +# default_ssl_vhost => false, +# } +# +# @param access_log +# Determines whether to configure `*_access.log` directives (`*_file`, `*_pipe`, or `*_syslog`). +# +# @param access_log_env_var +# Specifies that only requests with particular environment variables be logged. +# +# @param access_log_file +# Sets the filename of the `*_access.log` placed in `logroot`. Given a virtual host ---for +# instance, example.com--- it defaults to 'example.com_ssl.log' for +# [SSL-encrypted](https://httpd.apache.org/docs/current/ssl/index.html) virtual hosts and +# `example.com_access.log` for unencrypted virtual hosts. +# +# @param access_log_format +# Specifies the use of either a `LogFormat` nickname or a custom-formatted string for the +# access log. +# +# @param access_log_pipe +# Specifies a pipe where Apache sends access log messages. +# +# @param access_log_syslog +# Sends all access log messages to syslog. +# +# @param access_logs +# Allows you to give a hash that specifies the state of each of the `access_log_*` +# directives shown above, i.e. `access_log_pipe` and `access_log_syslog`. +# +# @param add_default_charset +# Sets a default media charset value for the `AddDefaultCharset` directive, which is +# added to `text/plain` and `text/html` responses. +# +# @param add_listen +# Determines whether the virtual host creates a `Listen` statement.
+# Setting `add_listen` to `false` prevents the virtual host from creating a `Listen` +# statement. This is important when combining virtual hosts that aren't passed an `ip` +# parameter with those that are. +# +# @param use_optional_includes +# Specifies whether Apache uses the `IncludeOptional` directive instead of `Include` for +# `additional_includes` in Apache 2.4 or newer. +# +# @param aliases +# Passes a list of [hashes][hash] to the virtual host to create `Alias`, `AliasMatch`, +# `ScriptAlias` or `ScriptAliasMatch` directives as per the `mod_alias` documentation.
+# For example: +# ``` puppet +# aliases => [ +# { aliasmatch => '^/image/(.*)\.jpg$', +# path => '/files/jpg.images/$1.jpg', +# }, +# { alias => '/image', +# path => '/ftp/pub/image', +# }, +# { scriptaliasmatch => '^/cgi-bin(.*)', +# path => '/usr/local/share/cgi-bin$1', +# }, +# { scriptalias => '/nagios/cgi-bin/', +# path => '/usr/lib/nagios/cgi-bin/', +# }, +# { alias => '/nagios', +# path => '/usr/share/nagios/html', +# }, +# ], +# ``` +# For the `alias`, `aliasmatch`, `scriptalias` and `scriptaliasmatch` keys to work, each needs +# a corresponding context, such as `` or +# ``. Puppet creates the directives in the order specified in +# the `aliases` parameter. As described in the `mod_alias` documentation, add more specific +# `alias`, `aliasmatch`, `scriptalias` or `scriptaliasmatch` parameters before the more +# general ones to avoid shadowing.
+# If `apache::mod::passenger` is loaded and `PassengerHighPerformance` is `true`, the `Alias` +# directive might not be able to honor the `PassengerEnabled => off` statement. See +# [this article](http://www.conandalton.net/2010/06/passengerenabled-off-not-working.html) for details. +# +# @param allow_encoded_slashes +# Sets the `AllowEncodedSlashes` declaration for the virtual host, overriding the server +# default. This modifies the virtual host responses to URLs with `\` and `/` characters. The +# default setting omits the declaration from the server configuration and selects the +# Apache default setting of `Off`. +# +# @param block +# Specifies the list of things to which Apache blocks access. Valid options are: `scm` (which +# blocks web access to `.svn`), `.git`, and `.bzr` directories. +# +# @param cas_attribute_prefix +# Adds a header with the value of this header being the attribute values when SAML +# validation is enabled. +# +# @param cas_attribute_delimiter +# Sets the delimiter between attribute values in the header created by `cas_attribute_prefix`. +# +# @param cas_login_url +# Sets the URL to which the module redirects users when they attempt to access a +# CAS-protected resource and don't have an active session. +# +# @param cas_root_proxied_as +# Sets the URL end users see when access to this Apache server is proxied per vhost. +# This URL should not include a trailing slash. +# +# @param cas_scrub_request_headers +# Remove inbound request headers that may have special meaning within mod_auth_cas. +# +# @param cas_sso_enabled +# Enables experimental support for single sign out (may mangle POST data). +# +# @param cas_validate_saml +# Parse response from CAS server for SAML. +# +# @param cas_validate_url +# Sets the URL to use when validating a client-presented ticket in an HTTP query string. +# +# @param cas_cookie_path +# Sets the location where information on the current session should be stored. This should +# be writable by the web server only. +# +# @param comment +# Adds comments to the header of the configuration file. Pass as string or an array of strings. +# For example: +# ``` puppet +# comment => "Account number: 123B", +# ``` +# Or: +# ``` puppet +# comment => [ +# "Customer: X", +# "Frontend domain: x.example.org", +# ] +# ``` +# +# @param default_vhost +# Sets a given `apache::vhost` defined type as the default to serve requests that do not +# match any other `apache::vhost` defined types. +# +# @param directoryindex +# Sets the list of resources to look for when a client requests an index of the directory +# by specifying a '/' at the end of the directory name. See the `DirectoryIndex` directive +# documentation for details. +# +# @param docroot +# **Required**.
+# Sets the `DocumentRoot` location, from which Apache serves files.
+# If `docroot` and `manage_docroot` are both set to `false`, no `DocumentRoot` will be set +# and the accompanying `` block will not be created. +# +# @param docroot_group +# Sets group access to the `docroot` directory. +# +# @param docroot_owner +# Sets individual user access to the `docroot` directory. +# +# @param docroot_mode +# Sets access permissions for the `docroot` directory, in numeric notation. +# +# @param manage_docroot +# Determines whether Puppet manages the `docroot` directory. +# +# @param error_log +# Specifies whether `*_error.log` directives should be configured. +# +# @param error_log_file +# Points the virtual host's error logs to a `*_error.log` file. If this parameter is +# undefined, Puppet checks for values in `error_log_pipe`, then `error_log_syslog`.
+# If none of these parameters is set, given a virtual host `example.com`, Puppet defaults +# to `$logroot/example.com_error_ssl.log` for SSL virtual hosts and +# `$logroot/example.com_error.log` for non-SSL virtual hosts. +# +# @param error_log_pipe +# Specifies a pipe to send error log messages to.
+# This parameter has no effect if the `error_log_file` parameter has a value. If neither +# this parameter nor `error_log_file` has a value, Puppet then checks `error_log_syslog`. +# +# @param error_log_syslog +# Determines whether to send all error log messages to syslog. +# This parameter has no effect if either of the `error_log_file` or `error_log_pipe` +# parameters has a value. If none of these parameters has a value, given a virtual host +# `example.com`, Puppet defaults to `$logroot/example.com_error_ssl.log` for SSL virtual +# hosts and `$logroot/example.com_error.log` for non-SSL virtual hosts. +# +# @param error_log_format +# Sets the [ErrorLogFormat](https://httpd.apache.org/docs/current/mod/core.html#errorlogformat) +# format specification for error log entries inside virtual host +# For example: +# ``` puppet +# apache::vhost { 'site.name.fdqn': +# ... +# error_log_format => [ +# '[%{uc}t] [%-m:%-l] [R:%L] [C:%{C}L] %7F: %E: %M', +# { '[%{uc}t] [R:%L] Request %k on C:%{c}L pid:%P tid:%T' => 'request' }, +# { "[%{uc}t] [R:%L] UA:'%+{User-Agent}i'" => 'request' }, +# { "[%{uc}t] [R:%L] Referer:'%+{Referer}i'" => 'request' }, +# { '[%{uc}t] [C:%{c}L] local\ %a remote\ %A' => 'connection' }, +# ], +# } +# ``` +# +# @param error_documents +# A list of hashes which can be used to override the +# [ErrorDocument](https://httpd.apache.org/docs/current/mod/core.html#errordocument) +# settings for this virtual host.
+# For example: +# ``` puppet +# apache::vhost { 'sample.example.net': +# error_documents => [ +# { 'error_code' => '503', 'document' => '/service-unavail' }, +# { 'error_code' => '407', 'document' => 'https://example.com/proxy/login' }, +# ], +# } +# ``` +# +# @param ensure +# Specifies if the virtual host is present or absent.
+# +# @param show_diff +# Specifies whether to set the show_diff parameter for the file resource. +# +# @param fallbackresource +# Sets the [FallbackResource](https://httpd.apache.org/docs/current/mod/mod_dir.html#fallbackresource) +# directive, which specifies an action to take for any URL that doesn't map to anything in +# your filesystem and would otherwise return 'HTTP 404 (Not Found)'. Values must either begin +# with a `/` or be `disabled`. +# +# @param filters +# [Filters](https://httpd.apache.org/docs/current/mod/mod_filter.html) enable smart, +# context-sensitive configuration of output content filters. +# ``` puppet +# apache::vhost { "$::fqdn": +# filters => [ +# 'FilterDeclare COMPRESS', +# 'FilterProvider COMPRESS DEFLATE resp=Content-Type $text/html', +# 'FilterChain COMPRESS', +# 'FilterProtocol COMPRESS DEFLATE change=yes;byteranges=no', +# ], +# } +# ``` +# +# @param h2_copy_files +# Sets the [H2CopyFiles](https://httpd.apache.org/docs/current/mod/mod_http2.html#h2copyfiles) +# directive which influences how the requestion process pass files to the main connection. +# +# @param h2_direct +# Sets the [H2Direct](https://httpd.apache.org/docs/current/mod/mod_http2.html#h2direct) +# directive which toggles the usage of the HTTP/2 Direct Mode. +# +# @param h2_early_hints +# Sets the [H2EarlyHints](https://httpd.apache.org/docs/current/mod/mod_http2.html#h2earlyhints) +# directive which controls if HTTP status 103 interim responses are forwarded to +# the client or not. +# +# @param h2_max_session_streams +# Sets the [H2MaxSessionStreams](https://httpd.apache.org/docs/current/mod/mod_http2.html#h2maxsessionstreams) +# directive which sets the maximum number of active streams per HTTP/2 session +# that the server allows. +# +# @param h2_modern_tls_only +# Sets the [H2ModernTLSOnly](https://httpd.apache.org/docs/current/mod/mod_http2.html#h2moderntlsonly) +# directive which toggles the security checks on HTTP/2 connections in TLS mode. +# +# @param h2_push +# Sets the [H2Push](https://httpd.apache.org/docs/current/mod/mod_http2.html#h2push) +# directive which toggles the usage of the HTTP/2 server push protocol feature. +# +# @param h2_push_diary_size +# Sets the [H2PushDiarySize](https://httpd.apache.org/docs/current/mod/mod_http2.html#h2pushdiarysize) +# directive which toggles the maximum number of HTTP/2 server pushes that are +# remembered per HTTP/2 connection. +# +# @param h2_push_priority +# Sets the [H2PushPriority](https://httpd.apache.org/docs/current/mod/mod_http2.html#h2pushpriority) +# directive which defines the priority handling of pushed responses based on the +# content-type of the response. +# +# @param h2_push_resource +# Sets the [H2PushResource](https://httpd.apache.org/docs/current/mod/mod_http2.html#h2pushresource) +# directive which declares resources for early pushing to the client. +# +# @param h2_serialize_headers +# Sets the [H2SerializeHeaders](https://httpd.apache.org/docs/current/mod/mod_http2.html#h2serializeheaders) +# directive which toggles if HTTP/2 requests are serialized in HTTP/1.1 +# format for processing by httpd core. +# +# @param h2_stream_max_mem_size +# Sets the [H2StreamMaxMemSize](https://httpd.apache.org/docs/current/mod/mod_http2.html#h2streammaxmemsize) +# directive which sets the maximum number of outgoing data bytes buffered in +# memory for an active stream. +# +# @param h2_tls_cool_down_secs +# Sets the [H2TLSCoolDownSecs](https://httpd.apache.org/docs/current/mod/mod_http2.html#h2tlscooldownsecs) +# directive which sets the number of seconds of idle time on a TLS connection +# before the TLS write size falls back to a small (~1300 bytes) length. +# +# @param h2_tls_warm_up_size +# Sets the [H2TLSWarmUpSize](https://httpd.apache.org/docs/current/mod/mod_http2.html#h2tlswarmupsize) +# directive which sets the number of bytes to be sent in small TLS records (~1300 +# bytes) until doing maximum sized writes (16k) on https: HTTP/2 connections. +# +# @param h2_upgrade +# Sets the [H2Upgrade](https://httpd.apache.org/docs/current/mod/mod_http2.html#h2upgrade) +# directive which toggles the usage of the HTTP/1.1 Upgrade method for switching +# to HTTP/2. +# +# @param h2_window_size +# Sets the [H2WindowSize](https://httpd.apache.org/docs/current/mod/mod_http2.html#h2windowsize) +# directive which sets the size of the window that is used for flow control from +# client to server and limits the amount of data the server has to buffer. +# +# @param ip +# Sets the IP address the virtual host listens on. By default, uses Apache's default behavior +# of listening on all IPs. +# +# @param ip_based +# Enables an [IP-based](https://httpd.apache.org/docs/current/vhosts/ip-based.html) virtual +# host. This parameter inhibits the creation of a NameVirtualHost directive, since those are +# used to funnel requests to name-based virtual hosts. +# +# @param itk +# Configures [ITK](http://mpm-itk.sesse.net/) in a hash.
+# Usage typically looks something like: +# ``` puppet +# apache::vhost { 'sample.example.net': +# docroot => '/path/to/directory', +# itk => { +# user => 'someuser', +# group => 'somegroup', +# }, +# } +# ``` +# Valid values are: a hash, which can include the keys: +# * `user` + `group` +# * `assignuseridexpr` +# * `assigngroupidexpr` +# * `maxclientvhost` +# * `nice` +# * `limituidrange` (Linux 3.5.0 or newer) +# * `limitgidrange` (Linux 3.5.0 or newer) +# +# @param action +# Specifies whether you wish to configure mod_actions action directive which will +# activate cgi-script when triggered by a request. +# +# @param jk_mounts +# Sets up a virtual host with `JkMount` and `JkUnMount` directives to handle the paths +# for URL mapping between Tomcat and Apache.
+# The parameter must be an array of hashes where each hash must contain the `worker` +# and either the `mount` or `unmount` keys.
+# Usage typically looks like: +# ``` puppet +# apache::vhost { 'sample.example.net': +# jk_mounts => [ +# { mount => '/*', worker => 'tcnode1', }, +# { unmount => '/*.jpg', worker => 'tcnode1', }, +# ], +# } +# ``` +# +# @param http_protocol_options +# Specifies the strictness of HTTP protocol checks. +# +# @param keepalive +# Determines whether to enable persistent HTTP connections with the `KeepAlive` directive +# for the virtual host. By default, the global, server-wide `KeepAlive` setting is in effect.
+# Use the `keepalive_timeout` and `max_keepalive_requests` parameters to set relevant options +# for the virtual host. +# +# @param keepalive_timeout +# Sets the `KeepAliveTimeout` directive for the virtual host, which determines the amount +# of time to wait for subsequent requests on a persistent HTTP connection. By default, the +# global, server-wide `KeepAlive` setting is in effect.
+# This parameter is only relevant if either the global, server-wide `keepalive` parameter or +# the per-vhost `keepalive` parameter is enabled. +# +# @param max_keepalive_requests +# Limits the number of requests allowed per connection to the virtual host. By default, +# the global, server-wide `KeepAlive` setting is in effect.
+# This parameter is only relevant if either the global, server-wide `keepalive` parameter or +# the per-vhost `keepalive` parameter is enabled. +# +# @param auth_kerb +# Enable `mod_auth_kerb` parameters for a virtual host.
+# Usage typically looks like: +# ``` puppet +# apache::vhost { 'sample.example.net': +# auth_kerb => `true`, +# krb_method_negotiate => 'on', +# krb_auth_realms => ['EXAMPLE.ORG'], +# krb_local_user_mapping => 'on', +# directories => [ +# { +# path => '/var/www/html', +# auth_name => 'Kerberos Login', +# auth_type => 'Kerberos', +# auth_require => 'valid-user', +# }, +# ], +# } +# ``` +# +# @param krb_method_negotiate +# Determines whether to use the Negotiate method. +# +# @param krb_method_k5passwd +# Determines whether to use password-based authentication for Kerberos v5. +# +# @param krb_authoritative +# If set to `off`, authentication controls can be passed on to another module. +# +# @param krb_auth_realms +# Specifies an array of Kerberos realms to use for authentication. +# +# @param krb_5keytab +# Specifies the Kerberos v5 keytab file's location. +# +# @param krb_local_user_mapping +# Strips @REALM from usernames for further use. +# +# @param krb_verify_kdc +# This option can be used to disable the verification tickets against local keytab to prevent +# KDC spoofing attacks. +# +# @param krb_servicename +# Specifies the service name that will be used by Apache for authentication. Corresponding +# key of this name must be stored in the keytab. +# +# @param krb_save_credentials +# This option enables credential saving functionality. +# +# @param logroot +# Specifies the location of the virtual host's logfiles. +# +# @param logroot_ensure +# Determines whether or not to remove the logroot directory for a virtual host. +# +# @param logroot_mode +# Overrides the mode the logroot directory is set to. Do *not* grant write access to the +# directory the logs are stored in without being aware of the consequences; for more +# information, see [Apache's log security documentation](https://httpd.apache.org/docs/2.4/logs.html#security). +# +# @param logroot_owner +# Sets individual user access to the logroot directory. +# +# @param logroot_group +# Sets group access to the `logroot` directory. +# +# @param log_level +# Specifies the verbosity of the error log. +# +# @param modsec_body_limit +# Configures the maximum request body size (in bytes) ModSecurity accepts for buffering. +# +# @param modsec_disable_vhost +# Disables `mod_security` on a virtual host. Only valid if `apache::mod::security` is included. +# +# @param modsec_disable_ids +# Removes `mod_security` IDs from the virtual host.
+# Also takes a hash allowing removal of an ID from a specific location. +# ``` puppet +# apache::vhost { 'sample.example.net': +# modsec_disable_ids => [ 90015, 90016 ], +# } +# ``` +# +# ``` puppet +# apache::vhost { 'sample.example.net': +# modsec_disable_ids => { '/location1' => [ 90015, 90016 ] }, +# } +# ``` +# +# @param modsec_disable_ips +# Specifies an array of IP addresses to exclude from `mod_security` rule matching. +# +# @param modsec_disable_msgs +# Array of mod_security Msgs to remove from the virtual host. Also takes a hash allowing +# removal of an Msg from a specific location. +# ``` puppet +# apache::vhost { 'sample.example.net': +# modsec_disable_msgs => ['Blind SQL Injection Attack', 'Session Fixation Attack'], +# } +# ``` +# ``` puppet +# apache::vhost { 'sample.example.net': +# modsec_disable_msgs => { '/location1' => ['Blind SQL Injection Attack', 'Session Fixation Attack'] }, +# } +# ``` +# +# @param modsec_disable_tags +# Array of mod_security Tags to remove from the virtual host. Also takes a hash allowing +# removal of an Tag from a specific location. +# ``` puppet +# apache::vhost { 'sample.example.net': +# modsec_disable_tags => ['WEB_ATTACK/SQL_INJECTION', 'WEB_ATTACK/XSS'], +# } +# ``` +# ``` puppet +# apache::vhost { 'sample.example.net': +# modsec_disable_tags => { '/location1' => ['WEB_ATTACK/SQL_INJECTION', 'WEB_ATTACK/XSS'] }, +# } +# ``` +# +# @param modsec_audit_log_file +# If set, it is relative to `logroot`.
+# One of the parameters that determines how to send `mod_security` audit +# log ([SecAuditLog](https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#SecAuditLog)). +# If none of those parameters are set, the global audit log is used +# (`/var/log/httpd/modsec\_audit.log`; Debian and derivatives: `/var/log/apache2/modsec\_audit.log`; others: ). +# +# @param modsec_audit_log_pipe +# If `modsec_audit_log_pipe` is set, it should start with a pipe. Example +# `|/path/to/mlogc /path/to/mlogc.conf`.
+# One of the parameters that determines how to send `mod_security` audit +# log ([SecAuditLog](https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#SecAuditLog)). +# If none of those parameters are set, the global audit log is used +# (`/var/log/httpd/modsec\_audit.log`; Debian and derivatives: `/var/log/apache2/modsec\_audit.log`; others: ). +# +# @param modsec_audit_log +# If `modsec_audit_log` is `true`, given a virtual host ---for instance, example.com--- it +# defaults to `example.com\_security\_ssl.log` for SSL-encrypted virtual hosts +# and `example.com\_security.log` for unencrypted virtual hosts.
+# One of the parameters that determines how to send `mod_security` audit +# log ([SecAuditLog](https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#SecAuditLog)).
+# If none of those parameters are set, the global audit log is used +# (`/var/log/httpd/modsec\_audit.log`; Debian and derivatives: `/var/log/apache2/modsec\_audit.log`; others: ). +# +# @param modsec_inbound_anomaly_threshold +# Override the global scoring threshold level of the inbound blocking rules +# for the Collaborative Detection Mode in the OWASP ModSecurity Core Rule +# Set. +# +# @param modsec_outbound_anomaly_threshold +# Override the global scoring threshold level of the outbound blocking rules +# for the Collaborative Detection Mode in the OWASP ModSecurity Core Rule +# Set. +# +# @param modsec_allowed_methods +# Override global allowed methods. A space-separated list of allowed HTTP methods. +# +# @param no_proxy_uris +# Specifies URLs you do not want to proxy. This parameter is meant to be used in combination +# with [`proxy_dest`](#proxy_dest). +# +# @param no_proxy_uris_match +# This directive is equivalent to `no_proxy_uris`, but takes regular expressions. +# +# @param proxy_preserve_host +# Sets the [ProxyPreserveHost Directive](https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypreservehost).
+# Setting this parameter to `true` enables the `Host:` line from an incoming request to be +# proxied to the host instead of hostname. Setting it to `false` sets this directive to 'Off'. +# +# @param proxy_add_headers +# Sets the [ProxyAddHeaders Directive](https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxyaddheaders).
+# This parameter controlls whether proxy-related HTTP headers (X-Forwarded-For, +# X-Forwarded-Host and X-Forwarded-Server) get sent to the backend server. +# +# @param proxy_error_override +# Sets the [ProxyErrorOverride Directive](https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxyerroroverride). +# This directive controls whether Apache should override error pages for proxied content. +# +# @param options +# Sets the [`Options`](https://httpd.apache.org/docs/current/mod/core.html#options) for the specified virtual host. For example: +# ``` puppet +# apache::vhost { 'site.name.fdqn': +# ... +# options => ['Indexes', 'FollowSymLinks', 'MultiViews'], +# } +# ``` +# > **Note**: If you use the `directories` parameter of `apache::vhost`, 'Options', +# 'Override', and 'DirectoryIndex' are ignored because they are parameters within `directories`. +# +# @param override +# Sets the overrides for the specified virtual host. Accepts an array of +# [AllowOverride](https://httpd.apache.org/docs/current/mod/core.html#allowoverride) arguments. +# +# @param passenger_enabled +# Sets the value for the [PassengerEnabled](http://www.modrails.com/documentation/Users%20guide%20Apache.html#PassengerEnabled) +# directive to `on` or `off`. Requires `apache::mod::passenger` to be included. +# ``` puppet +# apache::vhost { 'sample.example.net': +# docroot => '/path/to/directory', +# directories => [ +# { path => '/path/to/directory', +# passenger_enabled => 'on', +# }, +# ], +# } +# ``` +# > **Note:** There is an [issue](http://www.conandalton.net/2010/06/passengerenabled-off-not-working.html) +# using the PassengerEnabled directive with the PassengerHighPerformance directive. +# +# @param passenger_base_uri +# Sets [PassengerBaseURI](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerbase_rui), +# to specify that the given URI is a distinct application served by Passenger. +# +# @param passenger_ruby +# Sets [PassengerRuby](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerruby), +# specifying the Ruby interpreter to use when serving the relevant web applications. +# +# @param passenger_python +# Sets [PassengerPython](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerpython), +# specifying the Python interpreter to use when serving the relevant web applications. +# +# @param passenger_nodejs +# Sets the [`PassengerNodejs`](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengernodejs), +# specifying Node.js command to use when serving the relevant web applications. +# +# @param passenger_meteor_app_settings +# Sets [PassengerMeteorAppSettings](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengermeteorappsettings), +# specifying a JSON file with settings for the application when using a Meteor +# application in non-bundled mode. +# +# @param passenger_app_env +# Sets [PassengerAppEnv](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerappenv), +# the environment for the Passenger application. If not specified, defaults to the global +# setting or 'production'. +# +# @param passenger_app_root +# Sets [PassengerRoot](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerapproot), +# the location of the Passenger application root if different from the DocumentRoot. +# +# @param passenger_app_group_name +# Sets [PassengerAppGroupName](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerappgroupname), +# the name of the application group that the current application should belong to. +# +# @param passenger_app_start_command +# Sets [PassengerAppStartCommand](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerappstartcommand), +# how Passenger should start your app on a specific port. +# +# @param passenger_app_type +# Sets [PassengerAppType](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerapptype), +# to force Passenger to recognize the application as a specific type. +# +# @param passenger_startup_file +# Sets the [PassengerStartupFile](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerstartupfile), +# path. This path is relative to the application root. +# +# @param passenger_restart_dir +# Sets the [PassengerRestartDir](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerrestartdir), +# to customize the directory in which `restart.txt` is searched for. +# +# @param passenger_spawn_method +# Sets [PassengerSpawnMethod](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerspawnmethod), +# whether Passenger spawns applications directly, or using a prefork copy-on-write mechanism. +# +# @param passenger_load_shell_envvars +# Sets [PassengerLoadShellEnvvars](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerloadshellenvvars), +# to enable or disable the loading of shell environment variables before spawning the application. +# +# @param passenger_preload_bundler +# Sets [PassengerPreloadBundler](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerpreloadbundler), +# to enable or disable the loading of bundler before loading the application. +# +# @param passenger_rolling_restarts +# Sets [PassengerRollingRestarts](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerrollingrestarts), +# to enable or disable support for zero-downtime application restarts through `restart.txt`. +# +# @param passenger_resist_deployment_errors +# Sets [PassengerResistDeploymentErrors](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerresistdeploymenterrors), +# to enable or disable resistance against deployment errors. +# +# @param passenger_user +# Sets [PassengerUser](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengeruser), +# the running user for sandboxing applications. +# +# @param passenger_group +# Sets [PassengerGroup](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengergroup), +# the running group for sandboxing applications. +# +# @param passenger_friendly_error_pages +# Sets [PassengerFriendlyErrorPages](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerfriendlyerrorpages), +# which can display friendly error pages whenever an application fails to start. This +# friendly error page presents the startup error message, some suggestions for solving +# the problem, a backtrace and a dump of the environment variables. +# +# @param passenger_min_instances +# Sets [PassengerMinInstances](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengermininstances), +# the minimum number of application processes to run. +# +# @param passenger_max_instances +# Sets [PassengerMaxInstances](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengermaxinstances), +# the maximum number of application processes to run. +# +# @param passenger_max_preloader_idle_time +# Sets [PassengerMaxPreloaderIdleTime](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengermaxpreloaderidletime), +# the maximum amount of time the preloader waits before shutting down an idle process. +# +# @param passenger_force_max_concurrent_requests_per_process +# Sets [PassengerForceMaxConcurrentRequestsPerProcess](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerforcemaxconcurrentrequestsperprocess), +# the maximum amount of concurrent requests the application can handle per process. +# +# @param passenger_start_timeout +# Sets [PassengerStartTimeout](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerstarttimeout), +# the timeout for the application startup. +# +# @param passenger_concurrency_model +# Sets [PassengerConcurrencyModel](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerconcurrencyodel), +# to specify the I/O concurrency model that should be used for Ruby application processes. +# Passenger supports two concurrency models:
+# * `process` - single-threaded, multi-processed I/O concurrency. +# * `thread` - multi-threaded, multi-processed I/O concurrency. +# +# @param passenger_thread_count +# Sets [PassengerThreadCount](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerthreadcount), +# the number of threads that Passenger should spawn per Ruby application process.
+# This option only has effect if PassengerConcurrencyModel is `thread`. +# +# @param passenger_max_requests +# Sets [PassengerMaxRequests](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengermaxrequests), +# the maximum number of requests an application process will process. +# +# @param passenger_max_request_time +# Sets [PassengerMaxRequestTime](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengermaxrequesttime), +# the maximum amount of time, in seconds, that an application process may take to +# process a request. +# +# @param passenger_memory_limit +# Sets [PassengerMemoryLimit](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengermemorylimit), +# the maximum amount of memory that an application process may use, in megabytes. +# +# @param passenger_stat_throttle_rate +# Sets [PassengerStatThrottleRate](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerstatthrottlerate), +# to set a limit, in seconds, on how often Passenger will perform it's filesystem checks. +# +# @param passenger_pre_start +# Sets [PassengerPreStart](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerprestart), +# the URL of the application if pre-starting is required. +# +# @param passenger_high_performance +# Sets [PassengerHighPerformance](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerhighperformance), +# to enhance performance in return for reduced compatibility. +# +# @param passenger_buffer_upload +# Sets [PassengerBufferUpload](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerbufferupload), +# to buffer HTTP client request bodies before they are sent to the application. +# +# @param passenger_buffer_response +# Sets [PassengerBufferResponse](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerbufferresponse), +# to buffer Happlication-generated responses. +# +# @param passenger_error_override +# Sets [PassengerErrorOverride](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengererroroverride), +# to specify whether Apache will intercept and handle response with HTTP status codes of +# 400 and higher. +# +# @param passenger_max_request_queue_size +# Sets [PassengerMaxRequestQueueSize](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengermaxrequestqueuesize), +# to specify the maximum amount of requests that are allowed to queue whenever the maximum +# concurrent request limit is reached. If the queue is already at this specified limit, then +# Passenger immediately sends a "503 Service Unavailable" error to any incoming requests.
+# A value of 0 means that the queue size is unbounded. +# +# @param passenger_max_request_queue_time +# Sets [PassengerMaxRequestQueueTime](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengermaxrequestqueuetime), +# to specify the maximum amount of time that requests are allowed to stay in the queue +# whenever the maximum concurrent request limit is reached. If a request reaches this specified +# limit, then Passenger immeaditly sends a "504 Gateway Timeout" error for that request.
+# A value of 0 means that the queue time is unbounded. +# +# @param passenger_sticky_sessions +# Sets [PassengerStickySessions](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerstickysessions), +# to specify that, whenever possible, all requests sent by a client will be routed to the same +# originating application process. +# +# @param passenger_sticky_sessions_cookie_name +# Sets [PassengerStickySessionsCookieName](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerstickysessionscookiename), +# to specify the name of the sticky sessions cookie. +# +# @param passenger_sticky_sessions_cookie_attributes +# Sets [PassengerStickySessionsCookieAttributes](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerstickysessionscookieattributes), +# the attributes of the sticky sessions cookie. +# +# @param passenger_allow_encoded_slashes +# Sets [PassengerAllowEncodedSlashes](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerallowencodedslashes), +# to allow URLs with encoded slashes. Please note that this feature will not work properly +# unless Apache's `AllowEncodedSlashes` is also enabled. +# +# @param passenger_app_log_file +# Sets [PassengerAppLogFile](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerapplogfile), +# app specific messages logged to a different file in addition to Passenger log file. +# +# @param passenger_debugger +# Sets [PassengerDebugger](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerdebugger), +# to turn support for Ruby application debugging on or off. +# +# @param passenger_lve_min_uid +# Sets [PassengerLveMinUid](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerlveminuid), +# to only allow the spawning of application processes with UIDs equal to, or higher than, this +# specified value on LVE-enabled kernels. +# +# @param passenger_dump_config_manifest +# Sets [PassengerLveMinUid](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengerlveminuid), +# to dump the configuration manifest to a file. +# +# @param passenger_admin_panel_url +# Sets [PassengerAdminPanelUrl](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengeradminpanelurl), +# to specify the URL of the Passenger admin panel. +# +# @param passenger_admin_panel_auth_type +# Sets [PassengerAdminPanelAuthType](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengeradminpanelauthtype), +# to specify the authentication type for the Passenger admin panel. +# +# @param passenger_admin_panel_username +# Sets [PassengerAdminPanelUsername](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengeradminpanelusername), +# to specify the username for the Passenger admin panel. +# +# @param passenger_admin_panel_password +# Sets [PassengerAdminPanelPassword](https://www.phusionpassenger.com/docs/references/config_reference/apache/#passengeradminpanelpassword), +# to specify the password for the Passenger admin panel. +# +# @param php_values +# Allows per-virtual host setting [`php_value`s](http://php.net/manual/en/configuration.changes.php). +# These flags or values can be overwritten by a user or an application. +# Within a vhost declaration: +# ``` puppet +# php_values => { 'include_path' => '.:/usr/local/example-app/include' }, +# ``` +# +# @param php_flags +# Allows per-virtual host setting [`php_flags\``](http://php.net/manual/en/configuration.changes.php). +# These flags or values can be overwritten by a user or an application. +# +# @param php_admin_values +# Allows per-virtual host setting [`php_admin_value`](http://php.net/manual/en/configuration.changes.php). +# These flags or values cannot be overwritten by a user or an application. +# +# @param php_admin_flags +# Allows per-virtual host setting [`php_admin_flag`](http://php.net/manual/en/configuration.changes.php). +# These flags or values cannot be overwritten by a user or an application. +# +# @param port +# Sets the port the host is configured on. The module's defaults ensure the host listens +# on port 80 for non-SSL virtual hosts and port 443 for SSL virtual hosts. The host only +# listens on the port set in this parameter. +# +# @param priority +# Sets the relative load-order for Apache HTTPD VirtualHost configuration files.
+# If nothing matches the priority, the first name-based virtual host is used. Likewise, +# passing a higher priority causes the alphabetically first name-based virtual host to be +# used if no other names match.
+# > **Note:** You should not need to use this parameter. However, if you do use it, be +# aware that the `default_vhost` parameter for `apache::vhost` passes a priority of 15.
+# To omit the priority prefix in file names, pass a priority of `false`. +# +# @param protocols +# Sets the [Protocols](https://httpd.apache.org/docs/current/en/mod/core.html#protocols) +# directive, which lists available protocols for the virutal host. +# +# @param protocols_honor_order +# Sets the [ProtocolsHonorOrder](https://httpd.apache.org/docs/current/en/mod/core.html#protocolshonororder) +# directive which determines wether the order of Protocols sets precedence during negotiation. +# +# @param proxy_dest +# Specifies the destination address of a [ProxyPass](https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypass) configuration. +# +# @param proxy_pass +# Specifies an array of `path => URI` values for a [ProxyPass](https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypass) +# configuration. Optionally, parameters can be added as an array. +# ``` puppet +# apache::vhost { 'site.name.fdqn': +# ... +# proxy_pass => [ +# { 'path' => '/a', 'url' => 'http://backend-a/' }, +# { 'path' => '/b', 'url' => 'http://backend-b/' }, +# { 'path' => '/c', 'url' => 'http://backend-a/c', 'params' => {'max'=>20, 'ttl'=>120, 'retry'=>300}}, +# { 'path' => '/l', 'url' => 'http://backend-xy', +# 'reverse_urls' => ['http://backend-x', 'http://backend-y'] }, +# { 'path' => '/d', 'url' => 'http://backend-a/d', +# 'params' => { 'retry' => 0, 'timeout' => 5 }, }, +# { 'path' => '/e', 'url' => 'http://backend-a/e', +# 'keywords' => ['nocanon', 'interpolate'] }, +# { 'path' => '/f', 'url' => 'http://backend-f/', +# 'setenv' => ['proxy-nokeepalive 1', 'force-proxy-request-1.0 1']}, +# { 'path' => '/g', 'url' => 'http://backend-g/', +# 'reverse_cookies' => [{'path' => '/g', 'url' => 'http://backend-g/',}, {'domain' => 'http://backend-g', 'url' => 'http:://backend-g',},], }, +# { 'path' => '/h', 'url' => 'http://backend-h/h', +# 'no_proxy_uris' => ['/h/admin', '/h/server-status'] }, +# ], +# } +# ``` +# * `reverse_urls`. *Optional.* This setting is useful when used with `mod_proxy_balancer`. Values: an array or string. +# * `reverse_cookies`. *Optional.* Sets `ProxyPassReverseCookiePath` and `ProxyPassReverseCookieDomain`. +# * `params`. *Optional.* Allows for ProxyPass key-value parameters, such as connection settings. +# * `setenv`. *Optional.* Sets [environment variables](https://httpd.apache.org/docs/current/mod/mod_proxy.html#envsettings) for the proxy directive. Values: array. +# +# @param proxy_dest_match +# This directive is equivalent to `proxy_dest`, but takes regular expressions, see +# [ProxyPassMatch](https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypassmatch) +# for details. +# +# @param proxy_dest_reverse_match +# Allows you to pass a ProxyPassReverse if `proxy_dest_match` is specified. See +# [ProxyPassReverse](https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypassreverse) +# for details. +# +# @param proxy_pass_match +# This directive is equivalent to `proxy_pass`, but takes regular expressions, see +# [ProxyPassMatch](https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypassmatch) +# for details. +# +# @param redirect_dest +# Specifies the address to redirect to. +# +# @param redirect_source +# Specifies the source URIs that redirect to the destination specified in `redirect_dest`. +# If more than one item for redirect is supplied, the source and destination must be the same +# length, and the items are order-dependent. +# ``` puppet +# apache::vhost { 'site.name.fdqn': +# ... +# redirect_source => ['/images', '/downloads'], +# redirect_dest => ['http://img.example.com/', 'http://downloads.example.com/'], +# } +# ``` +# +# @param redirect_status +# Specifies the status to append to the redirect. +# ``` puppet +# apache::vhost { 'site.name.fdqn': +# ... +# redirect_status => ['temp', 'permanent'], +# } +# ``` +# +# @param redirectmatch_regexp +# Determines which server status should be raised for a given regular expression +# and where to forward the user to. Entered as an array alongside redirectmatch_status +# and redirectmatch_dest. +# ``` puppet +# apache::vhost { 'site.name.fdqn': +# ... +# redirectmatch_status => ['404', '404'], +# redirectmatch_regexp => ['\.git(/.*|$)/', '\.svn(/.*|$)'], +# redirectmatch_dest => ['http://www.example.com/$1', 'http://www.example.com/$2'], +# } +# ``` +# +# @param redirectmatch_status +# Determines which server status should be raised for a given regular expression +# and where to forward the user to. Entered as an array alongside redirectmatch_regexp +# and redirectmatch_dest. +# ``` puppet +# apache::vhost { 'site.name.fdqn': +# ... +# redirectmatch_status => ['404', '404'], +# redirectmatch_regexp => ['\.git(/.*|$)/', '\.svn(/.*|$)'], +# redirectmatch_dest => ['http://www.example.com/$1', 'http://www.example.com/$2'], +# } +# ``` +# +# @param redirectmatch_dest +# Determines which server status should be raised for a given regular expression +# and where to forward the user to. Entered as an array alongside redirectmatch_status +# and redirectmatch_regexp. +# ``` puppet +# apache::vhost { 'site.name.fdqn': +# ... +# redirectmatch_status => ['404', '404'], +# redirectmatch_regexp => ['\.git(/.*|$)/', '\.svn(/.*|$)'], +# redirectmatch_dest => ['http://www.example.com/$1', 'http://www.example.com/$2'], +# } +# ``` +# +# @param request_headers +# Modifies collected [request headers](https://httpd.apache.org/docs/current/mod/mod_headers.html#requestheader) +# in various ways, including adding additional request headers, removing request headers, +# and so on. +# ``` puppet +# apache::vhost { 'site.name.fdqn': +# ... +# request_headers => [ +# 'append MirrorID "mirror 12"', +# 'unset MirrorID', +# ], +# } +# ``` +# +# @param rewrites +# Creates URL rewrite rules. Expects an array of hashes.
+# Valid Hash keys include `comment`, `rewrite_base`, `rewrite_cond`, `rewrite_rule` +# or `rewrite_map`.
+# For example, you can specify that anyone trying to access index.html is served welcome.html +# ``` puppet +# apache::vhost { 'site.name.fdqn': +# ... +# rewrites => [ { rewrite_rule => ['^index\.html$ welcome.html'] } ] +# } +# ``` +# The parameter allows rewrite conditions that, when `true`, execute the associated rule. +# For instance, if you wanted to rewrite URLs only if the visitor is using IE +# ``` puppet +# apache::vhost { 'site.name.fdqn': +# ... +# rewrites => [ +# { +# comment => 'redirect IE', +# rewrite_cond => ['%{HTTP_USER_AGENT} ^MSIE'], +# rewrite_rule => ['^index\.html$ welcome.html'], +# }, +# ], +# } +# ``` +# You can also apply multiple conditions. For instance, rewrite index.html to welcome.html +# only when the browser is Lynx or Mozilla (version 1 or 2) +# ``` puppet +# apache::vhost { 'site.name.fdqn': +# ... +# rewrites => [ +# { +# comment => 'Lynx or Mozilla v1/2', +# rewrite_cond => ['%{HTTP_USER_AGENT} ^Lynx/ [OR]', '%{HTTP_USER_AGENT} ^Mozilla/[12]'], +# rewrite_rule => ['^index\.html$ welcome.html'], +# }, +# ], +# } +# ``` +# Multiple rewrites and conditions are also possible +# ``` puppet +# apache::vhost { 'site.name.fdqn': +# ... +# rewrites => [ +# { +# comment => 'Lynx or Mozilla v1/2', +# rewrite_cond => ['%{HTTP_USER_AGENT} ^Lynx/ [OR]', '%{HTTP_USER_AGENT} ^Mozilla/[12]'], +# rewrite_rule => ['^index\.html$ welcome.html'], +# }, +# { +# comment => 'Internet Explorer', +# rewrite_cond => ['%{HTTP_USER_AGENT} ^MSIE'], +# rewrite_rule => ['^index\.html$ /index.IE.html [L]'], +# }, +# { +# rewrite_base => /apps/, +# rewrite_rule => ['^index\.cgi$ index.php', '^index\.html$ index.php', '^index\.asp$ index.html'], +# }, +# { comment => 'Rewrite to lower case', +# rewrite_cond => ['%{REQUEST_URI} [A-Z]'], +# rewrite_map => ['lc int:tolower'], +# rewrite_rule => ['(.*) ${lc:$1} [R=301,L]'], +# }, +# ], +# } +# ``` +# Refer to the [`mod_rewrite` documentation](https://httpd.apache.org/docs/2.4/mod/mod_rewrite.html) +# for more details on what is possible with rewrite rules and conditions.
+# > **Note**: If you include rewrites in your directories, also include `apache::mod::rewrite` +# and consider setting the rewrites using the `rewrites` parameter in `apache::vhost` rather +# than setting the rewrites in the virtual host's directories. +# +# @param rewrite_base +# The parameter [`rewrite_base`](https://httpd.apache.org/docs/current/mod/mod_rewrite.html#rewritebase) +# specifies the URL prefix to be used for per-directory (htaccess) RewriteRule directives +# that substitue a relative path. +# +# @param rewrite_rule +# The parameter [`rewrite_rile`](https://httpd.apache.org/docs/current/mod/mod_rewrite.html#rewriterule) +# allows the user to define the rules that will be used by the rewrite engine. +# +# @param rewrite_cond +# The parameter [`rewrite_cond`](https://httpd.apache.org/docs/current/mod/mod_rewrite.html#rewritecond) +# defines a rule condition, that when satisfied will implement that rule within the +# rewrite engine. +# +# @param rewrite_inherit +# Determines whether the virtual host inherits global rewrite rules.
+# Rewrite rules may be specified globally (in `$conf_file` or `$confd_dir`) or +# inside the virtual host `.conf` file. By default, virtual hosts do not inherit +# global settings. To activate inheritance, specify the `rewrites` parameter and set +# `rewrite_inherit` parameter to `true`: +# ``` puppet +# apache::vhost { 'site.name.fdqn': +# ... +# rewrites => [ +# , +# ], +# rewrite_inherit => `true`, +# } +# ``` +# > **Note**: The `rewrites` parameter is **required** for this to have effect
+# Apache activates global `Rewrite` rules inheritance if the virtual host files contains +# the following directives: +# ``` ApacheConf +# RewriteEngine On +# RewriteOptions Inherit +# ``` +# Refer to the official [`mod_rewrite`](https://httpd.apache.org/docs/2.2/mod/mod_rewrite.html) +# documentation, section "Rewriting in Virtual Hosts". +# +# @param scriptalias +# Defines a directory of CGI scripts to be aliased to the path '/cgi-bin', such as +# '/usr/scripts'. +# +# @param serveradmin +# Specifies the email address Apache displays when it renders one of its error pages. +# +# @param serveraliases +# Sets the [ServerAliases](https://httpd.apache.org/docs/current/mod/core.html#serveralias) +# of the site. +# +# @param servername +# Sets the servername corresponding to the hostname you connect to the virtual host at. +# +# @param setenv +# Used by HTTPD to set environment variables for virtual hosts.
+# Example: +# ``` puppet +# apache::vhost { 'setenv.example.com': +# setenv => ['SPECIAL_PATH /foo/bin'], +# } +# ``` +# +# @param setenvif +# Used by HTTPD to conditionally set environment variables for virtual hosts. +# +# @param setenvifnocase +# Used by HTTPD to conditionally set environment variables for virtual hosts (caseless matching). +# +# @param suexec_user_group +# Allows the spcification of user and group execution privileges for CGI programs through +# inclusion of the `mod_suexec` module. +# +# @param vhost_name +# Enables name-based virtual hosting. If no IP is passed to the virtual host, but the +# virtual host is assigned a port, then the virtual host name is `vhost_name:port`. +# If the virtual host has no assigned IP or port, the virtual host name is set to the +# title of the resource. +# +# @param virtual_docroot +# Sets up a virtual host with a wildcard alias subdomain mapped to a directory with the +# same name. For example, `http://example.com` would map to `/var/www/example.com`. +# Note that the `DocumentRoot` directive will not be present even though there is a value +# set for `docroot` in the manifest. See [`virtual_use_default_docroot`](#virtual_use_default_docroot) to change this behavior. +# ``` puppet +# apache::vhost { 'subdomain.loc': +# vhost_name => '*', +# port => 80, +# virtual_docroot => '/var/www/%-2+', +# docroot => '/var/www', +# serveraliases => ['*.loc',], +# } +# ``` +# +# @param virtual_use_default_docroot +# By default, when using `virtual_docroot`, the value of `docroot` is ignored. Setting this +# to `true` will mean both directives will be added to the configuration. +# ``` puppet +# apache::vhost { 'subdomain.loc': +# vhost_name => '*', +# port => 80, +# virtual_docroot => '/var/www/%-2+', +# docroot => '/var/www', +# virtual_use_default_docroot => true, +# serveraliases => ['*.loc',], +# } +# ``` +# +# @param wsgi_daemon_process +# Sets up a virtual host with [WSGI](https://github.com/GrahamDumpleton/mod_wsgi) alongside +# wsgi_daemon_process_options, wsgi_process_group, +# wsgi_script_aliases and wsgi_pass_authorization.
+# A hash that sets the name of the WSGI daemon, accepting +# [certain keys](http://modwsgi.readthedocs.org/en/latest/configuration-directives/WSGIDaemonProcess.html).
+# An example virtual host configuration with WSGI: +# ``` puppet +# apache::vhost { 'wsgi.example.com': +# port => 80, +# docroot => '/var/www/pythonapp', +# wsgi_daemon_process => 'wsgi', +# wsgi_daemon_process_options => +# { processes => 2, +# threads => 15, +# display-name => '%{GROUP}', +# }, +# wsgi_process_group => 'wsgi', +# wsgi_script_aliases => { '/' => '/var/www/demo.wsgi' }, +# wsgi_chunked_request => 'On', +# } +# ``` +# +# @param wsgi_daemon_process_options +# Sets up a virtual host with [WSGI](https://github.com/GrahamDumpleton/mod_wsgi) alongside +# wsgi_daemon_process, wsgi_process_group, +# wsgi_script_aliases and wsgi_pass_authorization.
+# Sets the group ID that the virtual host runs under. +# +# @param wsgi_application_group +# Sets up a virtual host with [WSGI](https://github.com/GrahamDumpleton/mod_wsgi) alongside +# wsgi_daemon_process, wsgi_daemon_process_options, wsgi_process_group, +# and wsgi_pass_authorization.
+# This parameter defines the [`WSGIApplicationGroup directive`](https://modwsgi.readthedocs.io/en/develop/configuration-directives/WSGIApplicationGroup.html), +# thus allowing you to specify which application group the WSGI application belongs to, +# with all WSGI applications within the same group executing within the context of the +# same Python sub interpreter. +# +# @param wsgi_import_script +# Sets up a virtual host with [WSGI](https://github.com/GrahamDumpleton/mod_wsgi) alongside +# wsgi_daemon_process, wsgi_daemon_process_options, wsgi_process_group, +# and wsgi_pass_authorization.
+# This parameter defines the [`WSGIImportScript directive`](https://modwsgi.readthedocs.io/en/develop/configuration-directives/WSGIImportScript.html), +# which can be used in order to specify a script file to be loaded upon a process starting. +# +# @param wsgi_import_script_options +# Sets up a virtual host with [WSGI](https://github.com/GrahamDumpleton/mod_wsgi) alongside +# wsgi_daemon_process, wsgi_daemon_process_options, wsgi_process_group, +# and wsgi_pass_authorization.
+# This parameter defines the [`WSGIImportScript directive`](https://modwsgi.readthedocs.io/en/develop/configuration-directives/WSGIImportScript.html), +# which can be used in order to specify a script file to be loaded upon a process starting.
+# Specifies the process and aplication groups of the script. +# +# @param wsgi_chunked_request +# Sets up a virtual host with [WSGI](https://github.com/GrahamDumpleton/mod_wsgi) alongside +# wsgi_daemon_process, wsgi_daemon_process_options, wsgi_process_group, +# and wsgi_pass_authorization.
+# This parameter defines the [`WSGIChunkedRequest directive`](https://modwsgi.readthedocs.io/en/develop/configuration-directives/WSGIChunkedRequest.html), +# allowing you to enable support for chunked request content.
+# WSGI is technically incapable of supporting chunked request content without all chunked +# request content having first been read in and buffered. +# +# @param wsgi_process_group +# Sets up a virtual host with [WSGI](https://github.com/GrahamDumpleton/mod_wsgi) alongside +# wsgi_daemon_process, wsgi_daemon_process_options, +# wsgi_script_aliases and wsgi_pass_authorization.
+# Requires a hash of web paths to filesystem `.wsgi paths/`. +# +# @param wsgi_script_aliases +# Sets up a virtual host with [WSGI](https://github.com/GrahamDumpleton/mod_wsgi) alongside +# wsgi_daemon_process, wsgi_daemon_process_options, wsgi_process_group, +# and wsgi_pass_authorization.
+# Uses the WSGI application to handle authorization instead of Apache when set to `On`.
+# For more information, see mod_wsgi's [WSGIPassAuthorization documentation](https://modwsgi.readthedocs.org/en/latest/configuration-directives/WSGIPassAuthorization.html). +# +# @param wsgi_script_aliases_match +# Sets up a virtual host with [WSGI](https://github.com/GrahamDumpleton/mod_wsgi) alongside +# wsgi_daemon_process, wsgi_daemon_process_options, wsgi_process_group, +# and wsgi_pass_authorization.
+# Uses the WSGI application to handle authorization instead of Apache when set to `On`.
+# This directive is similar to `wsgi_script_aliases`, but makes use of regular expressions +# in place of simple prefix matching.
+# For more information, see mod_wsgi's [WSGIPassAuthorization documentation](https://modwsgi.readthedocs.org/en/latest/configuration-directives/WSGIPassAuthorization.html). +# +# @param wsgi_pass_authorization +# Sets up a virtual host with [WSGI](https://github.com/GrahamDumpleton/mod_wsgi) alongside +# wsgi_daemon_process, wsgi_daemon_process_options, wsgi_process_group and +# wsgi_script_aliases.
+# Enables support for chunked requests. +# +# @param directories +# The `directories` parameter within the `apache::vhost` class passes an array of hashes +# to the virtual host to create [Directory](https://httpd.apache.org/docs/current/mod/core.html#directory), +# [File](https://httpd.apache.org/docs/current/mod/core.html#files), and +# [Location](https://httpd.apache.org/docs/current/mod/core.html#location) directive blocks. +# These blocks take the form, `< Directory /path/to/directory>...< /Directory>`.
+# The `path` key sets the path for the directory, files, and location blocks. Its value +# must be a path for the `directory`, `files`, and `location` providers, or a regex for +# the `directorymatch`, `filesmatch`, or `locationmatch` providers. Each hash passed to +# `directories` **must** contain `path` as one of the keys.
+# The `provider` key is optional. If missing, this key defaults to `directory`. +# Values: `directory`, `files`, `proxy`, `location`, `directorymatch`, `filesmatch`, +# `proxymatch` or `locationmatch`. If you set `provider` to `directorymatch`, it +# uses the keyword `DirectoryMatch` in the Apache config file.
+# proxy_pass and proxy_pass_match are supported like their parameters to apache::vhost, and will +# be rendered without their path parameter as this will be inherited from the Location/LocationMatch container. +# An example use of `directories`: +# ``` puppet +# apache::vhost { 'files.example.net': +# docroot => '/var/www/files', +# directories => [ +# { 'path' => '/var/www/files', +# 'provider' => 'files', +# 'deny' => 'from all', +# }, +# { 'path' => '/var/www/html', +# 'provider' => 'directory', +# 'options' => ['-Indexes'], +# 'allow_override' => ['All'], +# }, +# ], +# } +# ``` +# > **Note:** At least one directory should match the `docroot` parameter. After you +# start declaring directories, `apache::vhost` assumes that all required Directory blocks +# will be declared. If not defined, a single default Directory block is created that matches +# the `docroot` parameter.
+# Available handlers, represented as keys, should be placed within the `directory`, +# `files`, or `location` hashes. This looks like +# ``` puppet +# apache::vhost { 'sample.example.net': +# docroot => '/path/to/directory', +# directories => [ { path => '/path/to/directory', handler => value } ], +# } +# ``` +# Any handlers you do not set in these hashes are considered `undefined` within Puppet and +# are not added to the virtual host, resulting in the module using their default values. +# +# The `directories` param can accepts the different authentication ways, including `gssapi`, `Basic (authz_core)`, +# and others. +# +# * `gssapi` - Specifies mod_auth_gssapi parameters for particular directories in a virtual host directory +# TODO: check, if this Documentation is obsolete +# +# ```puppet +# apache::vhost { 'sample.example.net': +# docroot => '/path/to/directory', +# directories => [ +# { path => '/path/to/different/dir', +# gssapi => { +# acceptor_name => '{HOSTNAME}', +# allowed_mech => ['krb5', 'iakerb', 'ntlmssp'], +# authname => 'Kerberos 5', +# authtype => 'GSSAPI', +# basic_auth => true, +# basic_auth_mech => ['krb5', 'iakerb', 'ntlmssp'], +# basic_ticket_timeout => 300, +# connection_bound => true, +# cred_store => { +# ccache => ['/path/to/directory'], +# client_keytab => ['/path/to/example.keytab'], +# keytab => ['/path/to/example.keytab'], +# }, +# deleg_ccache_dir => '/path/to/directory', +# deleg_ccache_env_var => 'KRB5CCNAME', +# deleg_ccache_perms => { +# mode => '0600', +# uid => 'example-user', +# gid => 'example-group', +# }, +# deleg_ccache_unique => true, +# impersonate => true, +# local_name => true, +# name_attributes => 'json', +# negotiate_once => true, +# publish_errors => true, +# publish_mech => true, +# required_name_attributes => 'auth-indicators=high', +# session_key => 'file:/path/to/example.key', +# signal_persistent_auth => true, +# ssl_only => true, +# use_s4u2_proxy => true, +# use_sessions => true, +# } +# }, +# ], +# } +# ``` +# +# * `Basic` - Specifies mod_authz_core parameters for particular directories in a virtual host directory +# ```puppet +# apache::vhost { 'sample.example.net': +# docroot => '/path/to/directory', +# directories => [ +# { +# path => '/path/to/different/dir', +# auth_type => 'Basic', +# authz_core => { +# require_all => { +# 'require_any' => { +# 'require' => ['user superadmin'], +# 'require_all' => { +# 'require' => ['group admins', 'ldap-group "cn=Administrators,o=Airius"'], +# }, +# }, +# 'require_none' => { +# 'require' => ['group temps', 'ldap-group "cn=Temporary Employees,o=Airius"'] +# } +# } +# } +# }, +# ], +# } +# ``` +# +# @param custom_fragment +# Pass a string of custom configuration directives to be placed at the end of the directory +# configuration. +# ``` puppet +# apache::vhost { 'monitor': +# ... +# directories => [ +# { +# path => '/path/to/directory', +# custom_fragment => ' +# +# SetHandler balancer-manager +# Order allow,deny +# Allow from all +# +# +# SetHandler server-status +# Order allow,deny +# Allow from all +# +# ProxyStatus On', +# }, +# ] +# } +# ``` +# +# @param headers +# Adds lines for [Header](https://httpd.apache.org/docs/current/mod/mod_headers.html#header) directives. +# ``` puppet +# apache::vhost { 'sample.example.net': +# docroot => '/path/to/directory', +# directories => [ +# { +# path => '/path/to/directory', +# headers => 'Set X-Robots-Tag "noindex, noarchive, nosnippet"', +# }, +# ], +# } +# ``` +# +# @param shib_compat_valid_user +# Default is Off, matching the behavior prior to this command's existence. Addresses a conflict +# when using Shibboleth in conjunction with other auth/auth modules by restoring `standard` +# Apache behavior when processing the `valid-user` and `user` Require rules. See the +# [`mod_shib`documentation](https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig#NativeSPApacheConfig-Server/VirtualHostOptions), +# and [NativeSPhtaccess](https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPhtaccess) +# topic for more details. This key is disabled if `apache::mod::shib` is not defined. +# +# @param ssl_options +# String or list of [SSLOptions](https://httpd.apache.org/docs/current/mod/mod_ssl.html#ssloptions), +# which configure SSL engine run-time options. This handler takes precedence over SSLOptions +# set in the parent block of the virtual host. +# ``` puppet +# apache::vhost { 'secure.example.net': +# docroot => '/path/to/directory', +# directories => [ +# { path => '/path/to/directory', +# ssl_options => '+ExportCertData', +# }, +# { path => '/path/to/different/dir', +# ssl_options => ['-StdEnvVars', '+ExportCertData'], +# }, +# ], +# } +# ``` +# +# @param additional_includes +# Specifies paths to additional static, specific Apache configuration files in virtual +# host directories. +# ``` puppet +# apache::vhost { 'sample.example.net': +# docroot => '/path/to/directory', +# directories => [ +# { path => '/path/to/different/dir', +# additional_includes => ['/custom/path/includes', '/custom/path/another_includes',], +# }, +# ], +# } +# ``` +# +# @param ssl +# Enables SSL for the virtual host. SSL virtual hosts only respond to HTTPS queries. +# +# @param ssl_ca +# Specifies the SSL certificate authority to be used to verify client certificates used +# for authentication. +# +# @param ssl_cert +# Specifies the SSL certification. +# +# @param ssl_protocol +# Specifies [SSLProtocol](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslprotocol). +# Expects an array or space separated string of accepted protocols. +# +# @param ssl_cipher +# Specifies [SSLCipherSuite](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslciphersuite). +# +# @param ssl_honorcipherorder +# Sets [SSLHonorCipherOrder](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslhonorcipherorder), +# to cause Apache to use the server's preferred order of ciphers rather than the client's +# preferred order. +# +# @param ssl_certs_dir +# Specifies the location of the SSL certification directory to verify client certs. +# +# @param ssl_chain +# Specifies the SSL chain. This default works out of the box, but it must be updated in +# the base `apache` class with your specific certificate information before being used in +# production. +# +# @param ssl_crl +# Specifies the certificate revocation list to use. (This default works out of the box but +# must be updated in the base `apache` class with your specific certificate information +# before being used in production.) +# +# @param ssl_crl_path +# Specifies the location of the certificate revocation list to verify certificates for +# client authentication with. (This default works out of the box but must be updated in +# the base `apache` class with your specific certificate information before being used in +# production.) +# +# @param ssl_crl_check +# Sets the certificate revocation check level via the [SSLCARevocationCheck directive](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcarevocationcheck) +# for ssl client authentication. The default works out of the box but must be specified when +# using CRLs in production. Only applicable to Apache 2.4 or higher; the value is ignored on +# older versions. +# +# @param ssl_key +# Specifies the SSL key.
+# Defaults are based on your operating system. Default work out of the box but must be +# updated in the base `apache` class with your specific certificate information before +# being used in production. +# +# @param ssl_verify_client +# Sets the [SSLVerifyClient](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslverifyclient) +# directive, which sets the certificate verification level for client authentication. +# ``` puppet +# apache::vhost { 'sample.example.net': +# ... +# ssl_verify_client => 'optional', +# } +# ``` +# +# @param ssl_verify_depth +# Sets the [SSLVerifyDepth](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslverifydepth) +# directive, which specifies the maximum depth of CA certificates in client certificate +# verification. You must set `ssl_verify_client` for it to take effect. +# ``` puppet +# apache::vhost { 'sample.example.net': +# ... +# ssl_verify_client => 'require', +# ssl_verify_depth => 1, +# } +# ``` +# +# @param ssl_proxy_protocol +# Sets the [SSLProxyProtocol](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxyprotocol) +# directive, which controls which SSL protocol flavors `mod_ssl` should use when establishing +# its server environment for proxy. It connects to servers using only one of the provided +# protocols. +# +# @param ssl_proxy_verify +# Sets the [SSLProxyVerify](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxyverify) +# directive, which configures certificate verification of the remote server when a proxy is +# configured to forward requests to a remote SSL server. +# +# @param ssl_proxy_verify_depth +# Sets the [SSLProxyVerifyDepth](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxyverifydepth) +# directive, which configures how deeply mod_ssl should verify before deciding that the +# remote server does not have a valid certificate.
+# A depth of 0 means that only self-signed remote server certificates are accepted, +# the default depth of 1 means the remote server certificate can be self-signed or +# signed by a CA that is directly known to the server. +# +# @param ssl_proxy_cipher_suite +# Sets the [SSLProxyCipherSuite](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxyciphersuite) +# directive, which controls cipher suites supported for ssl proxy traffic. +# +# @param ssl_proxy_ca_cert +# Sets the [SSLProxyCACertificateFile](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxycacertificatefile) +# directive, which specifies an all-in-one file where you can assemble the Certificates +# of Certification Authorities (CA) whose remote servers you deal with. These are used +# for Remote Server Authentication. This file should be a concatenation of the PEM-encoded +# certificate files in order of preference. +# +# @param ssl_proxy_machine_cert +# Sets the [SSLProxyMachineCertificateFile](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxymachinecertificatefile) +# directive, which specifies an all-in-one file where you keep the certs and keys used +# for this server to authenticate itself to remote servers. This file should be a +# concatenation of the PEM-encoded certificate files in order of preference. +# ``` puppet +# apache::vhost { 'sample.example.net': +# ... +# ssl_proxy_machine_cert => '/etc/httpd/ssl/client_certificate.pem', +# } +# ``` +# @param ssl_proxy_machine_cert_chain +# Sets the [SSLProxyMachineCertificateChainFile](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxymachinecertificatechainfile) +# directive, which specifies an all-in-one file where you keep the certificate chain for +# all of the client certs in use. This directive will be needed if the remote server +# presents a list of CA certificates that are not direct signers of one of the configured +# client certificates. This referenced file is simply the concatenation of the various +# PEM-encoded certificate files. Upon startup, each client certificate configured will be +# examined and a chain of trust will be constructed. +# +# @param ssl_proxy_check_peer_cn +# Sets the [SSLProxyCheckPeerCN](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxycheckpeercn) +# directive, which specifies whether the remote server certificate's CN field is compared +# against the hostname of the request URL. +# +# @param ssl_proxy_check_peer_name +# Sets the [SSLProxyCheckPeerName](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxycheckpeername) +# directive, which specifies whether the remote server certificate's CN field is compared +# against the hostname of the request URL. +# +# @param ssl_proxy_check_peer_expire +# Sets the [SSLProxyCheckPeerExpire](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxycheckpeerexpire) +# directive, which specifies whether the remote server certificate is checked for expiration +# or not. +# +# @param ssl_openssl_conf_cmd +# Sets the [SSLOpenSSLConfCmd](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslopensslconfcmd) +# directive, which provides direct configuration of OpenSSL parameters. +# +# @param ssl_proxyengine +# Specifies whether or not to use [SSLProxyEngine](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxyengine). +# +# @param ssl_stapling +# Specifies whether or not to use [SSLUseStapling](http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslusestapling). +# By default, uses what is set globally.
+# This parameter only applies to Apache 2.4 or higher and is ignored on older versions. +# +# @param ssl_stapling_timeout +# Can be used to set the [SSLStaplingResponderTimeout](http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslstaplingrespondertimeout) directive.
+# This parameter only applies to Apache 2.4 or higher and is ignored on older versions. +# +# @param ssl_stapling_return_errors +# Can be used to set the [SSLStaplingReturnResponderErrors](http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslstaplingreturnrespondererrors) directive.
+# This parameter only applies to Apache 2.4 or higher and is ignored on older versions. +# +# @param ssl_user_name +# Sets the [SSLUserName](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslusername) directive. +# +# @param ssl_reload_on_change +# Enable reloading of apache if the content of ssl files have changed. +# +# @param use_canonical_name +# Specifies whether to use the [`UseCanonicalName directive`](https://httpd.apache.org/docs/2.4/mod/core.html#usecanonicalname), +# which allows you to configure how the server determines it's own name and port. +# +# @param define +# this lets you define configuration variables inside a vhost using [`Define`](https://httpd.apache.org/docs/2.4/mod/core.html#define), +# these can then be used to replace configuration values. All Defines are Undefined at the end of the VirtualHost. +# +# @param auth_oidc +# Enable `mod_auth_openidc` parameters for OpenID Connect authentication. +# +# @param oidc_settings +# An Apache::OIDCSettings Struct containing (mod_auth_openidc settings)[https://github.com/zmartzone/mod_auth_openidc/blob/master/auth_openidc.conf]. +# +# @param limitreqfields +# The `limitreqfields` parameter sets the maximum number of request header fields in +# an HTTP request. This directive gives the server administrator greater control over +# abnormal client request behavior, which may be useful for avoiding some forms of +# denial-of-service attacks. The value should be increased if normal clients see an error +# response from the server that indicates too many fields were sent in the request. +# +# @param limitreqfieldsize +# The `limitreqfieldsize` parameter sets the maximum ammount of _bytes_ that will +# be allowed within a request header. +# +# @param limitreqline +# Limit the size of the HTTP request line that will be accepted from the client +# This directive sets the number of bytes that will be allowed on the HTTP +# request-line. The LimitRequestLine directive allows the server administrator +# to set the limit on the allowed size of a client's HTTP request-line. Since +# the request-line consists of the HTTP method, URI, and protocol version, the +# LimitRequestLine directive places a restriction on the length of a request-URI +# allowed for a request on the server. A server needs this value to be large +# enough to hold any of its resource names, including any information that might +# be passed in the query part of a GET request. +# +# @param limitreqbody +# Restricts the total size of the HTTP request body sent from the client +# The LimitRequestBody directive allows the user to set a limit on the allowed +# size of an HTTP request message body within the context in which the +# directive is given (server, per-directory, per-file or per-location). If the +# client request exceeds that limit, the server will return an error response +# instead of servicing the request. +# +# @param use_servername_for_filenames +# When set to true, default log / config file names will be derived from the sanitized +# value of the $servername parameter. +# When set to false (default), the existing behaviour of using the $name parameter +# will remain. +# +# @param use_port_for_filenames +# When set to true and use_servername_for_filenames is also set to true, default log / +# config file names will be derived from the sanitized value of both the $servername and +# $port parameters. +# When set to false (default), the port is not included in the file names and may lead to +# duplicate declarations if two virtual hosts use the same domain. +# +# @param mdomain +# All the names in the list are managed as one Managed Domain (MD). mod_md will request +# one single certificate that is valid for all these names. +# +# @param proxy_requests +# Whether to accept proxy requests +# +# @param userdir +# Instances of apache::mod::userdir +# +# @param proxy_protocol +# Enable or disable PROXY protocol handling +# +# @param proxy_protocol_exceptions +# Disable processing of PROXY header for certain hosts or networks +define apache::vhost ( + Variant[Stdlib::Absolutepath, Boolean] $docroot, + Boolean $manage_docroot = true, + Variant[Stdlib::Absolutepath, Boolean] $virtual_docroot = false, + Boolean $virtual_use_default_docroot = false, + Optional[Variant[Array[Stdlib::Port], Stdlib::Port]] $port = undef, + Optional[ + Variant[ + Array[Variant[Stdlib::IP::Address, Enum['*']]], + Variant[Stdlib::IP::Address, Enum['*']] + ] + ] $ip = undef, + Boolean $ip_based = false, + Boolean $add_listen = true, + String $docroot_owner = 'root', + String $docroot_group = $apache::params::root_group, + Optional[Stdlib::Filemode] $docroot_mode = undef, + Array[Enum['h2', 'h2c', 'http/1.1']] $protocols = [], + Optional[Boolean] $protocols_honor_order = undef, + Optional[String] $serveradmin = undef, + Boolean $ssl = false, + Optional[Stdlib::Absolutepath] $ssl_cert = $apache::default_ssl_cert, + Optional[Stdlib::Absolutepath] $ssl_key = $apache::default_ssl_key, + Optional[Stdlib::Absolutepath] $ssl_chain = $apache::default_ssl_chain, + Optional[Stdlib::Absolutepath] $ssl_ca = $apache::default_ssl_ca, + Optional[Stdlib::Absolutepath] $ssl_crl_path = $apache::default_ssl_crl_path, + Optional[Stdlib::Absolutepath] $ssl_crl = $apache::default_ssl_crl, + Optional[String] $ssl_crl_check = $apache::default_ssl_crl_check, + Optional[Stdlib::Absolutepath] $ssl_certs_dir = $apache::params::ssl_certs_dir, + Boolean $ssl_reload_on_change = $apache::default_ssl_reload_on_change, + Optional[Variant[Array[String], String]] $ssl_protocol = undef, + Optional[Variant[Array[String[1]], String[1], Hash[String[1], String[1]]]] $ssl_cipher = undef, + Variant[Boolean, Apache::OnOff, Undef] $ssl_honorcipherorder = undef, + Optional[Enum['none', 'optional', 'require', 'optional_no_ca']] $ssl_verify_client = undef, + Optional[Integer] $ssl_verify_depth = undef, + Optional[Enum['none', 'optional', 'require', 'optional_no_ca']] $ssl_proxy_verify = undef, + Optional[Integer[0]] $ssl_proxy_verify_depth = undef, + Optional[Stdlib::Absolutepath] $ssl_proxy_ca_cert = undef, + Optional[Apache::OnOff] $ssl_proxy_check_peer_cn = undef, + Optional[Apache::OnOff] $ssl_proxy_check_peer_name = undef, + Optional[Apache::OnOff] $ssl_proxy_check_peer_expire = undef, + Optional[Stdlib::Absolutepath] $ssl_proxy_machine_cert = undef, + Optional[Stdlib::Absolutepath] $ssl_proxy_machine_cert_chain = undef, + Optional[String] $ssl_proxy_cipher_suite = undef, + Optional[String] $ssl_proxy_protocol = undef, + Optional[Variant[Array[String], String]] $ssl_options = undef, + Optional[String] $ssl_openssl_conf_cmd = undef, + Boolean $ssl_proxyengine = false, + Optional[Boolean] $ssl_stapling = undef, + Optional[Integer] $ssl_stapling_timeout = undef, + Optional[Apache::OnOff] $ssl_stapling_return_errors = undef, + Optional[String] $ssl_user_name = undef, + Optional[Apache::Vhost::Priority] $priority = undef, + Boolean $default_vhost = false, + Optional[String] $servername = $name, + Variant[Array[String], String] $serveraliases = [], + Array[String] $options = ['Indexes', 'FollowSymLinks', 'MultiViews'], + Array[String] $override = ['None'], + Optional[String] $directoryindex = undef, + String $vhost_name = '*', + Stdlib::Absolutepath $logroot = $apache::logroot, + Enum['directory', 'absent'] $logroot_ensure = 'directory', + Optional[Stdlib::Filemode] $logroot_mode = undef, + Optional[String] $logroot_owner = undef, + Optional[String] $logroot_group = undef, + Optional[Apache::LogLevel] $log_level = undef, + Boolean $access_log = true, + Optional[String[1]] $access_log_file = undef, + Optional[String[1]] $access_log_pipe = undef, + Optional[Variant[String, Boolean]] $access_log_syslog = undef, + Optional[String[1]] $access_log_format = undef, + Optional[Variant[Boolean, String]] $access_log_env_var = undef, + Optional[Array[Hash]] $access_logs = undef, + Boolean $use_servername_for_filenames = false, + Boolean $use_port_for_filenames = false, + Array[Hash[String[1], String[1]]] $aliases = [], + Array[Hash] $directories = [], + Boolean $error_log = true, + Optional[String] $error_log_file = undef, + Optional[String] $error_log_pipe = undef, + Optional[Variant[String, Boolean]] $error_log_syslog = undef, + Optional[ + Array[ + Variant[ + String, + Hash[String, Enum['connection', 'request']] + ] + ] + ] $error_log_format = undef, + Optional[Pattern[/^((Strict|Unsafe)?\s*(\b(Registered|Lenient)Methods)?\s*(\b(Allow0\.9|Require1\.0))?)$/]] $http_protocol_options = undef, + Optional[Variant[String, Boolean]] $modsec_audit_log = undef, + Optional[String] $modsec_audit_log_file = undef, + Optional[String] $modsec_audit_log_pipe = undef, + Variant[Array[Hash], String] $error_documents = [], + Optional[Variant[Stdlib::Absolutepath, Enum['disabled']]] $fallbackresource = undef, + Optional[String] $scriptalias = undef, + Optional[Integer] $limitreqfieldsize = undef, + Optional[Integer] $limitreqfields = undef, + Optional[Integer] $limitreqline = undef, + Optional[Integer] $limitreqbody = undef, + Optional[String] $proxy_dest = undef, + Optional[String] $proxy_dest_match = undef, + Optional[String] $proxy_dest_reverse_match = undef, + Optional[Variant[Array[Hash], Hash]] $proxy_pass = undef, + Optional[Variant[Array[Hash], Hash]] $proxy_pass_match = undef, + Boolean $proxy_requests = false, + Hash $php_flags = {}, + Hash $php_values = {}, + Variant[Array[String], Hash] $php_admin_flags = {}, + Variant[Array[String], Hash] $php_admin_values = {}, + Variant[Array[String], String] $no_proxy_uris = [], + Variant[Array[String], String] $no_proxy_uris_match = [], + Boolean $proxy_preserve_host = false, + Optional[Variant[String, Boolean]] $proxy_add_headers = undef, + Boolean $proxy_error_override = false, + Variant[String, Array[String]] $redirect_source = '/', + Optional[Variant[Array[String], String]] $redirect_dest = undef, + Optional[Variant[Array[String], String]] $redirect_status = undef, + Optional[Variant[Array[String], String]] $redirectmatch_status = undef, + Optional[Variant[Array[String], String]] $redirectmatch_regexp = undef, + Optional[Variant[Array[String], String]] $redirectmatch_dest = undef, + Array[String[1]] $headers = [], + Array[String[1]] $request_headers = [], + Array[String[1]] $filters = [], + Array[Hash] $rewrites = [], + Optional[String[1]] $rewrite_base = undef, + Optional[Variant[Array[String[1]], String[1]]] $rewrite_rule = undef, + Array[String[1]] $rewrite_cond = [], + Boolean $rewrite_inherit = false, + Variant[Array[String], String] $setenv = [], + Variant[Array[String], String] $setenvif = [], + Variant[Array[String], String] $setenvifnocase = [], + Variant[Array[String], String] $block = [], + Enum['absent', 'present'] $ensure = 'present', + Boolean $show_diff = true, + Optional[String] $wsgi_application_group = undef, + Optional[Variant[String, Hash]] $wsgi_daemon_process = undef, + Optional[Hash] $wsgi_daemon_process_options = undef, + Optional[String] $wsgi_import_script = undef, + Optional[Hash] $wsgi_import_script_options = undef, + Optional[String] $wsgi_process_group = undef, + Optional[Hash] $wsgi_script_aliases_match = undef, + Optional[Hash] $wsgi_script_aliases = undef, + Optional[Apache::OnOff] $wsgi_pass_authorization = undef, + Optional[Apache::OnOff] $wsgi_chunked_request = undef, + Optional[String] $custom_fragment = undef, + Optional[Hash] $itk = undef, + Optional[String] $action = undef, + Variant[Array[String], String] $additional_includes = [], + Boolean $use_optional_includes = $apache::use_optional_includes, + Optional[Variant[Apache::OnOff, Enum['nodecode']]] $allow_encoded_slashes = undef, + Optional[Pattern[/^[\w-]+ [\w-]+$/]] $suexec_user_group = undef, + + Optional[Boolean] $h2_copy_files = undef, + Optional[Boolean] $h2_direct = undef, + Optional[Boolean] $h2_early_hints = undef, + Optional[Integer] $h2_max_session_streams = undef, + Optional[Boolean] $h2_modern_tls_only = undef, + Optional[Boolean] $h2_push = undef, + Optional[Integer] $h2_push_diary_size = undef, + Array[String] $h2_push_priority = [], + Array[String] $h2_push_resource = [], + Optional[Boolean] $h2_serialize_headers = undef, + Optional[Integer] $h2_stream_max_mem_size = undef, + Optional[Integer] $h2_tls_cool_down_secs = undef, + Optional[Integer] $h2_tls_warm_up_size = undef, + Optional[Boolean] $h2_upgrade = undef, + Optional[Integer] $h2_window_size = undef, + + Optional[Boolean] $passenger_enabled = undef, + Optional[String] $passenger_base_uri = undef, + Optional[Stdlib::Absolutepath] $passenger_ruby = undef, + Optional[Stdlib::Absolutepath] $passenger_python = undef, + Optional[Stdlib::Absolutepath] $passenger_nodejs = undef, + Optional[String] $passenger_meteor_app_settings = undef, + Optional[String] $passenger_app_env = undef, + Optional[Stdlib::Absolutepath] $passenger_app_root = undef, + Optional[String] $passenger_app_group_name = undef, + Optional[String] $passenger_app_start_command = undef, + Optional[Enum['meteor', 'node', 'rack', 'wsgi']] $passenger_app_type = undef, + Optional[String] $passenger_startup_file = undef, + Optional[String] $passenger_restart_dir = undef, + Optional[Enum['direct', 'smart']] $passenger_spawn_method = undef, + Optional[Boolean] $passenger_load_shell_envvars = undef, + Optional[Boolean] $passenger_preload_bundler = undef, + Optional[Boolean] $passenger_rolling_restarts = undef, + Optional[Boolean] $passenger_resist_deployment_errors = undef, + Optional[String] $passenger_user = undef, + Optional[String] $passenger_group = undef, + Optional[Boolean] $passenger_friendly_error_pages = undef, + Optional[Integer] $passenger_min_instances = undef, + Optional[Integer] $passenger_max_instances = undef, + Optional[Integer] $passenger_max_preloader_idle_time = undef, + Optional[Integer] $passenger_force_max_concurrent_requests_per_process = undef, + Optional[Integer] $passenger_start_timeout = undef, + Optional[Enum['process', 'thread']] $passenger_concurrency_model = undef, + Optional[Integer] $passenger_thread_count = undef, + Optional[Integer] $passenger_max_requests = undef, + Optional[Integer] $passenger_max_request_time = undef, + Optional[Integer] $passenger_memory_limit = undef, + Optional[Integer] $passenger_stat_throttle_rate = undef, + Optional[Variant[String, Array[String]]] $passenger_pre_start = undef, + Optional[Boolean] $passenger_high_performance = undef, + Optional[Boolean] $passenger_buffer_upload = undef, + Optional[Boolean] $passenger_buffer_response = undef, + Optional[Boolean] $passenger_error_override = undef, + Optional[Integer] $passenger_max_request_queue_size = undef, + Optional[Integer] $passenger_max_request_queue_time = undef, + Optional[Boolean] $passenger_sticky_sessions = undef, + Optional[String] $passenger_sticky_sessions_cookie_name = undef, + Optional[String] $passenger_sticky_sessions_cookie_attributes = undef, + Optional[Boolean] $passenger_allow_encoded_slashes = undef, + Optional[String] $passenger_app_log_file = undef, + Optional[Boolean] $passenger_debugger = undef, + Optional[Integer] $passenger_lve_min_uid = undef, + Optional[String] $passenger_admin_panel_url = undef, + Optional[Enum['basic']] $passenger_admin_panel_auth_type = undef, + Optional[String] $passenger_admin_panel_username = undef, + Optional[String] $passenger_admin_panel_password = undef, + Optional[String] $passenger_dump_config_manifest = undef, + Optional[String] $add_default_charset = undef, + Boolean $modsec_disable_vhost = false, + Optional[Variant[Hash, Array]] $modsec_disable_ids = undef, + Array[String[1]] $modsec_disable_ips = [], + Optional[Variant[Hash, Array]] $modsec_disable_msgs = undef, + Optional[Variant[Hash, Array]] $modsec_disable_tags = undef, + Optional[String] $modsec_body_limit = undef, + Optional[Integer[1, default]] $modsec_inbound_anomaly_threshold = undef, + Optional[Integer[1, default]] $modsec_outbound_anomaly_threshold = undef, + Optional[String] $modsec_allowed_methods = undef, + Array[Hash] $jk_mounts = [], + Boolean $auth_kerb = false, + Apache::OnOff $krb_method_negotiate = 'on', + Apache::OnOff $krb_method_k5passwd = 'on', + Apache::OnOff $krb_authoritative = 'on', + Array[String] $krb_auth_realms = [], + Optional[String] $krb_5keytab = undef, + Optional[Apache::OnOff] $krb_local_user_mapping = undef, + Apache::OnOff $krb_verify_kdc = 'on', + String $krb_servicename = 'HTTP', + Apache::OnOff $krb_save_credentials = 'off', + Optional[Apache::OnOff] $keepalive = undef, + Optional[Variant[Integer, String]] $keepalive_timeout = undef, + Optional[Variant[Integer, String]] $max_keepalive_requests = undef, + Optional[String] $cas_attribute_prefix = undef, + Optional[String] $cas_attribute_delimiter = undef, + Optional[String] $cas_root_proxied_as = undef, + Boolean $cas_scrub_request_headers = false, + Boolean $cas_sso_enabled = false, + Optional[String] $cas_login_url = undef, + Optional[String] $cas_validate_url = undef, + Boolean $cas_validate_saml = false, + Optional[String] $cas_cookie_path = undef, + Optional[String] $shib_compat_valid_user = undef, + Optional[Variant[Apache::OnOff, Enum['DNS', 'dns']]] $use_canonical_name = undef, + Optional[Variant[String, Array[String]]] $comment = undef, + Hash $define = {}, + Boolean $auth_oidc = false, + Apache::OIDCSettings $oidc_settings = {}, + Optional[Variant[Boolean, String]] $mdomain = undef, + Optional[Variant[String[1], Array[String[1]]]] $userdir = undef, + Optional[Boolean] $proxy_protocol = undef, + Array[Stdlib::Host] $proxy_protocol_exceptions = [], +) { # The base class must be included first because it is used by parameter defaults if ! defined(Class['apache']) { fail('You must include the apache base class before using any apache defined resources') } - $apache_name = $apache::params::apache_name - - validate_re($ensure, '^(present|absent)$', - "${ensure} is not supported for ensure. - Allowed values are 'present' and 'absent'.") - validate_re($suphp_engine, '^(on|off)$', - "${suphp_engine} is not supported for suphp_engine. - Allowed values are 'on' and 'off'.") - validate_bool($ip_based) - validate_bool($access_log) - validate_bool($error_log) - validate_bool($ssl) - validate_bool($default_vhost) - validate_bool($sslproxyengine) - if $wsgi_script_aliases { - validate_hash($wsgi_script_aliases) - } - if $wsgi_daemon_process_options { - validate_hash($wsgi_daemon_process_options) - } - if $itk { - validate_hash($itk) - } + + $apache_name = $apache::apache_name + + # Input validation begins if $access_log_file and $access_log_pipe { fail("Apache::Vhost[${name}]: 'access_log_file' and 'access_log_pipe' cannot be defined at the same time") @@ -164,84 +1991,151 @@ fail("Apache::Vhost[${name}]: 'error_log_file' and 'error_log_pipe' cannot be defined at the same time") } - if $fallbackresource { - validate_re($fallbackresource, '^/|disabled', 'Please make sure fallbackresource starts with a / (or is "disabled")') + if $modsec_audit_log_file and $modsec_audit_log_pipe { + fail("Apache::Vhost[${name}]: 'modsec_audit_log_file' and 'modsec_audit_log_pipe' cannot be defined at the same time") } - if $ssl { - include apache::mod::ssl + # Input validation ends + + if $ssl_honorcipherorder =~ Boolean or $ssl_honorcipherorder == undef { + $_ssl_honorcipherorder = $ssl_honorcipherorder + } else { + $_ssl_honorcipherorder = $ssl_honorcipherorder ? { + 'on' => true, + 'On' => true, + 'off' => false, + 'Off' => false, + default => true, + } + } + + # Configure the defaultness of a vhost + if $priority { + $priority_real = "${priority}-" + } elsif $priority == false { + $priority_real = '' + } elsif $default_vhost { + $priority_real = '10-' + } else { + $priority_real = '25-' } - if $virtual_docroot { - include apache::mod::vhost_alias + # https://httpd.apache.org/docs/2.4/fr/mod/core.html#servername + # Syntax: ServerName [scheme://]domain-name|ip-address[:port] + # Sometimes, the server runs behind a device that processes SSL, such as a reverse proxy, load balancer or SSL offload + # appliance. + # When this is the case, specify the https:// scheme and the port number to which the clients connect in the ServerName + # directive to make sure that the server generates the correct self-referential URLs. + $normalized_servername = regsubst($servername, '(https?:\/\/)?([a-z0-9\/%_+.,#?!@&=-]+)(:?\d+)?', '\2', 'G') + + # IAC-1186: A number of configuration and log file names are generated using the $name parameter. It is possible for + # the $name parameter to contain spaces, which could then be transferred to the log / config filenames. Although + # POSIX compliant, this can be cumbersome. + # + # It seems more appropriate to use the $servername parameter to derive default log / config filenames from. We should + # also perform some sanitiation on the $servername parameter to strip spaces from it, as it defaults to the value of + # $name, should $servername NOT be defined. + # + # Because a single hostname may be use by multiple virtual hosts listening on different ports, the $port paramter can + # optionaly be used to avoid duplicate resources. + $filename = $use_servername_for_filenames ? { + true => $use_port_for_filenames ? { + true => regsubst("${normalized_servername}-${port}", ' ', '_', 'G'), + false => regsubst($normalized_servername, ' ', '_', 'G'), + }, + false => $name, } # This ensures that the docroot exists # But enables it to be specified across multiple vhost resources - if ! defined(File[$docroot]) { + if $manage_docroot and $docroot and ! defined(File[$docroot]) { file { $docroot: ensure => directory, owner => $docroot_owner, group => $docroot_group, + mode => $docroot_mode, require => Package['httpd'], + before => Concat["${priority_real}${filename}.conf"], } } # Same as above, but for logroot if ! defined(File[$logroot]) { file { $logroot: - ensure => directory, + ensure => $logroot_ensure, + owner => $logroot_owner, + group => $logroot_group, + mode => $logroot_mode, require => Package['httpd'], + before => Concat["${priority_real}${filename}.conf"], + notify => Class['Apache::Service'], } } + # Is apache::mod::shib enabled (or apache::mod['shib2']) + $shibboleth_enabled = defined(Apache::Mod['shib2']) - # Is apache::mod::passenger enabled (or apache::mod['passenger']) - $passenger_enabled = defined(Apache::Mod['passenger']) + # Is apache::mod::cas enabled (or apache::mod['cas']) + $cas_enabled = defined(Apache::Mod['auth_cas']) - # Define log file names - if $access_log_file { - $access_log_destination = "${logroot}/${access_log_file}" - } elsif $access_log_pipe { - $access_log_destination = "\"${access_log_pipe}\"" - } elsif $access_log_syslog { - $access_log_destination = "${access_log_syslog}" + if $access_log and !$access_logs { + $_access_logs = [{ + 'file' => $access_log_file, + 'pipe' => $access_log_pipe, + 'syslog' => $access_log_syslog, + 'format' => $access_log_format, + 'env' => $access_log_env_var + }] + } elsif $access_logs { + $_access_logs = $access_logs } else { - if $ssl { - $access_log_destination = "${logroot}/${servername}_access_ssl.log" - } else { - $access_log_destination = "${logroot}/${servername}_access.log" - } + $_access_logs = [] } if $error_log_file { - $error_log_destination = "${logroot}/${error_log_file}" + if $error_log_file =~ /^\// { + # Absolute path provided - don't prepend $logroot + $error_log_destination = $error_log_file + } else { + $error_log_destination = "${logroot}/${error_log_file}" + } } elsif $error_log_pipe { - $error_log_destination = "\"${error_log_pipe}\"" + $error_log_destination = $error_log_pipe } elsif $error_log_syslog { - $error_log_destination = "${error_log_syslog}" + $error_log_destination = $error_log_syslog } else { if $ssl { - $error_log_destination = "${logroot}/${servername}_error_ssl.log" + $error_log_destination = "${logroot}/${filename}_error_ssl.log" } else { - $error_log_destination = "${logroot}/${servername}_error.log" + $error_log_destination = "${logroot}/${filename}_error.log" } } - # Set access log format - if $access_log_format { - $_access_log_format = "\"${access_log_format}\"" + if $modsec_audit_log == false { + $modsec_audit_log_destination = undef + } elsif $modsec_audit_log_file { + $modsec_audit_log_destination = "${logroot}/${modsec_audit_log_file}" + } elsif $modsec_audit_log_pipe { + $modsec_audit_log_destination = $modsec_audit_log_pipe + } elsif $modsec_audit_log { + if $ssl { + $modsec_audit_log_destination = "${logroot}/${filename}_security_ssl.log" + } else { + $modsec_audit_log_destination = "${logroot}/${filename}_security.log" + } } else { - $_access_log_format = 'combined' + $modsec_audit_log_destination = undef } - if $ip { + $_ip = any2array(enclose_ipv6($ip)) if $port { - $listen_addr_port = "${ip}:${port}" - $nvh_addr_port = "${ip}:${port}" + $_port = any2array($port) + $listen_addr_port = split(inline_template("<%= @_ip.product(@_port).map {|x| x.join(':') }.join(',')%>"), ',') + $nvh_addr_port = split(inline_template("<%= @_ip.product(@_port).map {|x| x.join(':') }.join(',')%>"), ',') } else { - $nvh_addr_port = $ip + $listen_addr_port = undef + $nvh_addr_port = $_ip if ! $servername and ! $ip_based { fail("Apache::Vhost[${name}]: must pass 'ip' and/or 'port' parameters for name-based vhosts") } @@ -249,186 +2143,847 @@ } else { if $port { $listen_addr_port = $port - $nvh_addr_port = "${vhost_name}:${port}" + $nvh_addr_port = prefix(any2array($port), "${vhost_name}:") } else { + $listen_addr_port = undef $nvh_addr_port = $name - if ! $servername { + if ! $servername and $servername != '' { fail("Apache::Vhost[${name}]: must pass 'ip' and/or 'port' parameters, and/or 'servername' parameter") } } } + if $add_listen { - if $ip and defined(Apache::Listen[$port]) { + if $ip and defined(Apache::Listen[String($port)]) { fail("Apache::Vhost[${name}]: Mixing IP and non-IP Listen directives is not possible; check the add_listen parameter of the apache::vhost define to disable this") } - if ! defined(Apache::Listen[$listen_addr_port]) and $listen_addr_port { - apache::listen { $listen_addr_port: } + if $listen_addr_port and $ensure == 'present' { + ensure_resource('apache::listen', $listen_addr_port) + } + } + + ## Create a default directory list if none defined + if !empty($directories) { + $_directories = $directories + } elsif $docroot { + $_directories = [ + { + provider => 'directory', + path => $docroot, + options => $options, + allow_override => $override, + directoryindex => $directoryindex, + require => 'all granted', + }, + ] + } else { + $_directories = [] + } + + ## Create a global LocationMatch if locations aren't defined + if $modsec_disable_ids { + if $modsec_disable_ids =~ Array { + $_modsec_disable_ids = { '.*' => $modsec_disable_ids } + } else { + $_modsec_disable_ids = $modsec_disable_ids } } - if ! $ip_based { - if ! defined(Apache::Namevirtualhost[$nvh_addr_port]) { - apache::namevirtualhost { $nvh_addr_port: } + + if $modsec_disable_msgs { + if $modsec_disable_msgs =~ Array { + $_modsec_disable_msgs = { '.*' => $modsec_disable_msgs } + } else { + $_modsec_disable_msgs = $modsec_disable_msgs } } - # Load mod_rewrite if needed and not yet loaded - if $rewrite_rule { - if ! defined(Apache::Mod['rewrite']) { - apache::mod { 'rewrite': } + if $modsec_disable_tags { + if $modsec_disable_tags =~ Array { + $_modsec_disable_tags = { '.*' => $modsec_disable_tags } + } else { + $_modsec_disable_tags = $modsec_disable_tags } } - # Load mod_alias if needed and not yet loaded - if $scriptalias or ($redirect_source and $redirect_dest) { - if ! defined(Class['apache::mod::alias']) { - include apache::mod::alias + concat { "${priority_real}${filename}.conf": + ensure => $ensure, + path => "${apache::vhost_dir}/${priority_real}${filename}.conf", + owner => 'root', + group => $apache::params::root_group, + mode => $apache::file_mode, + show_diff => $show_diff, + order => 'numeric', + require => Package['httpd'], + notify => Class['apache::service'], + } + # NOTE(pabelanger): This code is duplicated in ::apache::vhost::custom and + # needs to be converted into something generic. + if $apache::vhost_enable_dir { + $vhost_enable_dir = $apache::vhost_enable_dir + $vhost_symlink_ensure = $ensure ? { + 'present' => link, + default => $ensure, + } + file { "${priority_real}${filename}.conf symlink": + ensure => $vhost_symlink_ensure, + path => "${vhost_enable_dir}/${priority_real}${filename}.conf", + target => "${apache::vhost_dir}/${priority_real}${filename}.conf", + owner => 'root', + group => $apache::params::root_group, + mode => $apache::file_mode, + require => Concat["${priority_real}${filename}.conf"], + notify => Class['apache::service'], } } - # Load mod_proxy if needed and not yet loaded - if ($proxy_dest or $proxy_pass) { - if ! defined(Class['apache::mod::proxy']) { - include apache::mod::proxy + $file_header_params = { + 'comment' => $comment, + 'nvh_addr_port' => $nvh_addr_port, + 'mdomain' => $mdomain, + 'servername' => $servername, + 'define' => $define, + 'protocols' => $protocols, + 'protocols_honor_order' => $protocols_honor_order, + 'limitreqfieldsize' => $limitreqfieldsize, + 'limitreqfields' => $limitreqfields, + 'limitreqline' => $limitreqline, + 'limitreqbody' => $limitreqbody, + 'serveradmin' => $serveradmin, + } + + concat::fragment { "${name}-apache-header": + target => "${priority_real}${filename}.conf", + order => 0, + content => epp('apache/vhost/_file_header.epp', $file_header_params), + } + + if $docroot and $ensure == 'present' { + if $virtual_docroot { + include apache::mod::vhost_alias + } + + $docroot_params = { + 'virtual_docroot' => $virtual_docroot, + 'docroot' => $docroot, + 'virtual_use_default_docroot' => $virtual_use_default_docroot, + } + + concat::fragment { "${name}-docroot": + target => "${priority_real}${filename}.conf", + order => 10, + content => epp('apache/vhost/_docroot.epp', $docroot_params), } } - # Load mod_passenger if needed and not yet loaded - if $rack_base_uris { - if ! defined(Class['apache::mod::passenger']) { - include apache::mod::passenger + if ! empty($aliases) and $ensure == 'present' { + include apache::mod::alias + $aliases_params = { + 'aliases' => $aliases, + } + concat::fragment { "${name}-aliases": + target => "${priority_real}${filename}.conf", + order => 20, + content => epp('apache/vhost/_aliases.epp', $aliases_params), } } - # Configure the defaultness of a vhost - if $priority { - $priority_real = $priority - } elsif $default_vhost { - $priority_real = '10' - } else { - $priority_real = '25' + if $itk and ! empty($itk) { + $itk_params = { + 'itk' => $itk, + 'kernelversion' => $facts['kernelversion'], + } + concat::fragment { "${name}-itk": + target => "${priority_real}${filename}.conf", + order => 30, + content => epp('apache/vhost/_itk.epp', $itk_params), + } + } + + if $fallbackresource { + $fall_back_res_params = { + 'fallbackresource' => $fallbackresource, + } + concat::fragment { "${name}-fallbackresource": + target => "${priority_real}${filename}.conf", + order => 40, + content => epp('apache/vhost/_fallbackresource.epp', $fall_back_res_params), + } } - # Check if mod_headers is required to process $request_headers - if $request_headers { - if ! defined(Class['apache::mod::headers']) { - include apache::mod::headers + if $allow_encoded_slashes { + $allow_encoded_slashes_params = { + 'allow_encoded_slashes' => $allow_encoded_slashes, + } + concat::fragment { "${name}-allow_encoded_slashes": + target => "${priority_real}${filename}.conf", + order => 50, + content => epp('apache/vhost/_allow_encoded_slashes.epp', $allow_encoded_slashes_params), } } - ## Apache include does not always work with spaces in the filename - $filename = regsubst($name, ' ', '_', 'G') + if $ensure == 'present' { + $_directories.each |Hash $directory| { + if 'auth_basic_authoritative' in $directory or 'auth_basic_fake' in $directory or 'auth_basic_provider' in $directory { + include apache::mod::auth_basic + } - ## Create a default directory list if none defined - if $directories { - $_directories = $directories - } else { - $_directories = [ { - provider => 'directory', - path => $docroot, - options => $options, - allow_override => $override, - directoryindex => $directoryindex, - order => 'allow,deny', - allow => 'from all', - } ] + if 'auth_user_file' in $directory { + include apache::mod::authn_file + } + + if 'auth_group_file' in $directory { + include apache::mod::authz_groupfile + } + + if 'gssapi' in $directory { + include apache::mod::auth_gssapi + } + + if $directory['provider'] and $directory['provider'] =~ 'location' and ('proxy_pass' in $directory or 'proxy_pass_match' in $directory) { + include apache::mod::proxy_http + + # To match processing in templates/vhost/_directories.erb + if $directory['proxy_pass_match'] { + Array($directory['proxy_pass_match']).each |$proxy| { + if $proxy['url'] =~ /"h2c?:\/\// { + include apache::mod::proxy_http2 + } + } + } elsif $directory['proxy_pass'] { + Array($directory['proxy_pass']).each |$proxy| { + if $proxy['url'] =~ /"h2c?:\/\// { + include apache::mod::proxy_http2 + } + } + } + } + + if 'request_headers' in $directory or 'headers' in $directory { + include apache::mod::headers + } + + if 'rewrites' in $directory { + include apache::mod::rewrite + } + + if 'setenv' in $directory { + include apache::mod::env + } + } + + # Template uses: + # - $_directories + # - $docroot + # - $shibboleth_enabled + # - $cas_enabled + unless empty($_directories) { + concat::fragment { "${name}-directories": + target => "${priority_real}${filename}.conf", + order => 60, + content => template('apache/vhost/_directories.erb'), + } + } + } + + # Template uses: + # - $additional_includes + # - $use_optional_includes + if $additional_includes and ! empty($additional_includes) { + concat::fragment { "${name}-additional_includes": + target => "${priority_real}${filename}.conf", + order => 70, + content => template('apache/vhost/_additional_includes.erb'), + } + } + + if $error_log or $log_level { + $logging_params = { + 'error_log' => $error_log, + 'log_level' => $log_level, + 'error_log_destination' => $error_log_destination, + 'error_log_format' => $error_log_format, + } + concat::fragment { "${name}-logging": + target => "${priority_real}${filename}.conf", + order => 80, + content => epp('apache/vhost/_logging.epp', $logging_params), + } + } + + # Template uses no variables + concat::fragment { "${name}-serversignature": + target => "${priority_real}${filename}.conf", + order => 90, + content => " ServerSignature Off\n", } # Template uses: - # - $nvh_addr_port - # - $servername - # - $serveradmin - # - $docroot - # - $virtual_docroot - # - $options - # - $override - # - $logroot - # - $name - # - $aliases - # - $_directories - # - $access_log + # - $_access_logs + # - $_access_log_env_var # - $access_log_destination # - $_access_log_format - # - $error_log - # - $error_log_destination - # - $fallbackresource - # - $custom_fragment - # block fragment: - # - $block - # directories fragment: - # - $passenger_enabled - # - $directories (a list of key-value hashes is expected) - # proxy fragment: - # - $proxy_dest - # - $no_proxy_uris - # rack fragment: - # - $rack_base_uris - # redirect fragment: - # - $redirect_source - # - $redirect_dest - # - $redirect_status - # requestheader fragment: - # - $request_headers - # rewrite fragment: - # - $rewrite_rule - # - $rewrite_cond - # scriptalias fragment: - # - $scriptalias - # - $ssl - # serveralias fragment: - # - $serveraliases - # setenv fragment: - # - $setenv - # - $setenvif - # ssl fragment: - # - $ssl - # - $ssl_cert - # - $ssl_key - # - $ssl_chain - # - $ssl_certs_dir - # - $ssl_ca - # - $ssl_crl - # - $ssl_crl_path - # - $ssl_verify_client - # - $ssl_verify_depth - # - $ssl_options - # suphp fragment: - # - $suphp_addhandler - # - $suphp_engine - # - $suphp_configpath - # wsgi fragment: - # - $wsgi_daemon_process - # - $wsgi_process_group - # - $wsgi_script_aliases - file { "${priority_real}-${filename}.conf": - ensure => $ensure, - path => "${apache::vhost_dir}/${priority_real}-${filename}.conf", - content => template('apache/vhost.conf.erb'), - owner => 'root', - group => 'root', - mode => '0644', - require => [ - Package['httpd'], - File[$docroot], - File[$logroot], - ], - notify => Service['httpd'], - } - if $::osfamily == 'Debian' { - $vhost_enable_dir = $apache::vhost_enable_dir - $vhost_symlink_ensure = $ensure ? { - present => link, - default => $ensure, + # - $_access_log_env_var + if !empty($_access_logs) { + concat::fragment { "${name}-access_log": + target => "${priority_real}${filename}.conf", + order => 100, + content => template('apache/vhost/_access_log.erb'), } - file{ "${priority_real}-${filename}.conf symlink": - ensure => $vhost_symlink_ensure, - path => "${vhost_enable_dir}/${priority_real}-${filename}.conf", - target => "${apache::vhost_dir}/${priority_real}-${filename}.conf", - owner => 'root', - group => 'root', - mode => '0644', - require => File["${priority_real}-${filename}.conf"], - notify => Service['httpd'], + } + + if $action { + concat::fragment { "${name}-action": + target => "${priority_real}${filename}.conf", + order => 110, + content => epp('apache/vhost/_action.epp', { 'action' => $action }), + } + } + + # Template uses: + # - $block + if $block and ! empty($block) { + concat::fragment { "${name}-block": + target => "${priority_real}${filename}.conf", + order => 120, + content => template('apache/vhost/_block.erb'), + } + } + + # Template uses: + # - $error_documents + if $error_documents and ! empty($error_documents) { + concat::fragment { "${name}-error_document": + target => "${priority_real}${filename}.conf", + order => 130, + content => template('apache/vhost/_error_document.erb'), + } + } + + if ! empty($headers) and $ensure == 'present' { + include apache::mod::headers + + concat::fragment { "${name}-header": + target => "${priority_real}${filename}.conf", + order => 140, + content => epp('apache/vhost/_header.epp', { 'headers' => $headers }), + } + } + + if ! empty($request_headers) and $ensure == 'present' { + include apache::mod::headers + + concat::fragment { "${name}-requestheader": + target => "${priority_real}${filename}.conf", + order => 150, + content => epp('apache/vhost/_requestheader.epp', { 'request_headers' => $request_headers }), } } -} + if $ssl_proxyengine { + $ssl_proxy_params = { + 'ssl_proxyengine' => $ssl_proxyengine, + 'ssl_proxy_verify' => $ssl_proxy_verify, + 'ssl_proxy_verify_depth' => $ssl_proxy_verify_depth, + 'ssl_proxy_ca_cert' => $ssl_proxy_ca_cert, + 'ssl_proxy_check_peer_cn' => $ssl_proxy_check_peer_cn, + 'ssl_proxy_check_peer_name' => $ssl_proxy_check_peer_name, + 'ssl_proxy_check_peer_expire' => $ssl_proxy_check_peer_expire, + 'ssl_proxy_machine_cert' => $ssl_proxy_machine_cert, + 'ssl_proxy_machine_cert_chain' => $ssl_proxy_machine_cert_chain, + 'ssl_proxy_cipher_suite' => $ssl_proxy_cipher_suite, + 'ssl_proxy_protocol' => $ssl_proxy_protocol, + } + concat::fragment { "${name}-sslproxy": + target => "${priority_real}${filename}.conf", + order => 160, + content => epp('apache/vhost/_sslproxy.epp', $ssl_proxy_params), + } + } + + if ($proxy_dest or $proxy_pass or $proxy_pass_match or $proxy_dest_match or $proxy_preserve_host or ($proxy_add_headers =~ NotUndef)) and $ensure == 'present' { + include apache::mod::proxy_http + + # To match processing in templates/vhost/_proxy.erb + if $proxy_dest =~ Pattern[/^h2c?:\/\//] or $proxy_dest_match =~ Pattern[/^h2c?:\/\//] { + include apache::mod::proxy_http2 + } + [$proxy_pass, $proxy_pass_match].flatten.each |$proxy| { + if $proxy and $proxy['url'] =~ Pattern[/^h2c?:\/\//] { + include apache::mod::proxy_http2 + } + } + concat::fragment { "${name}-proxy": + target => "${priority_real}${filename}.conf", + order => 170, + content => template('apache/vhost/_proxy.erb'), + } + } + + # Template uses: + # - $redirect_source + # - $redirect_dest + # - $redirect_status + # - $redirect_dest_a + # - $redirect_source_a + # - $redirect_status_a + # - $redirectmatch_status + # - $redirectmatch_regexp + # - $redirectmatch_dest + # - $redirectmatch_status_a + # - $redirectmatch_regexp_a + # - $redirectmatch_dest + if (($redirect_source and $redirect_dest) or ($redirectmatch_regexp and $redirectmatch_dest)) and $ensure == 'present' { + include apache::mod::alias + + concat::fragment { "${name}-redirect": + target => "${priority_real}${filename}.conf", + order => 180, + content => template('apache/vhost/_redirect.erb'), + } + } + + # Template uses: + # - $rewrites + # - $rewrite_inherit + # - $rewrite_base + # - $rewrite_rule + # - $rewrite_cond + # - $rewrite_map + if (! empty($rewrites) or $rewrite_rule or $rewrite_inherit) and $ensure == 'present' { + include apache::mod::rewrite + concat::fragment { "${name}-rewrite": + target => "${priority_real}${filename}.conf", + order => 190, + content => template('apache/vhost/_rewrite.erb'), + } + } + + if $scriptalias and $ensure == 'present' { + include apache::mod::alias + concat::fragment { "${name}-scriptalias": + target => "${priority_real}${filename}.conf", + order => 200, + content => epp('apache/vhost/_scriptalias.epp', { 'scriptalias' => $scriptalias }), + } + } + + if ! empty($serveraliases) and $ensure == 'present' { + concat::fragment { "${name}-serveralias": + target => "${priority_real}${filename}.conf", + order => 210, + content => epp('apache/vhost/_serveralias.epp', { 'serveraliases' => [$serveraliases].flatten }), + } + } + + # Template uses: + # - $setenv + # - $setenvif + # - $setenvifnocase + $use_env_mod = !empty($setenv) + $use_setenvif_mod = !empty($setenvif) or !empty($setenvifnocase) + if ($use_env_mod or $use_setenvif_mod) and $ensure == 'present' { + if $use_env_mod { + include apache::mod::env + } + if $use_setenvif_mod { + include apache::mod::setenvif + } + + concat::fragment { "${name}-setenv": + target => "${priority_real}${filename}.conf", + order => 220, + content => template('apache/vhost/_setenv.erb'), + } + } + + # Template uses: + # - $ssl + # - $ssl_cert + # - $ssl_key + # - $ssl_chain + # - $ssl_certs_dir + # - $ssl_ca + # - $ssl_crl_path + # - $ssl_crl + # - $ssl_crl_check + # - $ssl_protocol + # - $ssl_cipher + # - $_ssl_honorcipherorder + # - $ssl_verify_client + # - $ssl_verify_depth + # - $ssl_options + # - $ssl_openssl_conf_cmd + # - $ssl_stapling + # - $mdomain + if $ssl and $ensure == 'present' { + include apache::mod::ssl + concat::fragment { "${name}-ssl": + target => "${priority_real}${filename}.conf", + order => 230, + content => template('apache/vhost/_ssl.erb'), + } + + if $ssl_reload_on_change { + [$ssl_cert, $ssl_key, $ssl_ca, $ssl_chain, $ssl_crl].each |$ssl_file| { + if $ssl_file { + include apache::mod::ssl::reload + $_ssl_file_copy = regsubst($ssl_file, '/', '_', 'G') + file { "${filename}${_ssl_file_copy}": + path => "${apache::params::puppet_ssl_dir}/${filename}${_ssl_file_copy}", + source => "file://${ssl_file}", + owner => 'root', + group => $apache::params::root_group, + mode => '0640', + seltype => 'cert_t', + notify => Class['apache::service'], + } + } + } + } + } + + if $auth_kerb and $ensure == 'present' { + include apache::mod::auth_kerb + + concat::fragment { "${name}-auth_kerb": + target => "${priority_real}${filename}.conf", + order => 230, + content => stdlib::deferrable_epp('apache/vhost/_auth_kerb.epp', { + 'auth_kerb' => $auth_kerb, + 'krb_method_negotiate' => $krb_method_negotiate, + 'krb_method_k5passwd' => Deferred('sprintf', [$krb_method_k5passwd]), + 'krb_authoritative' => $krb_authoritative, + 'krb_auth_realms' => $krb_auth_realms, + 'krb_5keytab' => $krb_5keytab, + 'krb_local_user_mapping' => $krb_local_user_mapping, + 'krb_verify_kdc' => $krb_verify_kdc, + 'krb_servicename' => $krb_servicename, + 'krb_save_credentials' => $krb_save_credentials, + }), + } + } + + # Template uses: + # - $php_values + # - $php_flags + if ($php_values and ! empty($php_values)) or ($php_flags and ! empty($php_flags)) { + concat::fragment { "${name}-php": + target => "${priority_real}${filename}.conf", + order => 240, + content => template('apache/vhost/_php.erb'), + } + } + + # Template uses: + # - $php_admin_values + # - $php_admin_flags + if ($php_admin_values and ! empty($php_admin_values)) or ($php_admin_flags and ! empty($php_admin_flags)) { + concat::fragment { "${name}-php_admin": + target => "${priority_real}${filename}.conf", + order => 250, + content => template('apache/vhost/_php_admin.erb'), + } + } + + if $wsgi_daemon_process_options { + deprecation('apache::vhost::wsgi_daemon_process_options', 'This parameter is deprecated. Please add values inside Hash `wsgi_daemon_process`.') + } + if ($wsgi_application_group or $wsgi_daemon_process or ($wsgi_import_script and $wsgi_import_script_options) or $wsgi_process_group or ($wsgi_script_aliases and ! empty($wsgi_script_aliases)) or $wsgi_pass_authorization) and $ensure == 'present' { + include apache::mod::wsgi + $wsgi_params = { + 'wsgi_application_group' => $wsgi_application_group, + 'wsgi_daemon_process' => $wsgi_daemon_process, + 'wsgi_import_script' => $wsgi_import_script, + 'wsgi_process_group' => $wsgi_process_group, + 'wsgi_daemon_process_options'=> $wsgi_daemon_process_options, + 'wsgi_import_script_options' => $wsgi_import_script_options, + 'wsgi_script_aliases' => $wsgi_script_aliases, + 'wsgi_pass_authorization' => $wsgi_pass_authorization, + 'wsgi_chunked_request' => $wsgi_chunked_request, + 'wsgi_script_aliases_match' => $wsgi_script_aliases_match, + } + + concat::fragment { "${name}-wsgi": + target => "${priority_real}${filename}.conf", + order => 260, + content => epp('apache/vhost/_wsgi.epp', $wsgi_params), + } + } + + if $custom_fragment { + $custom_fragment_params = { + 'custom_fragment' => $custom_fragment, + } + concat::fragment { "${name}-custom_fragment": + target => "${priority_real}${filename}.conf", + order => 270, + content => epp('apache/vhost/_custom_fragment.epp', $custom_fragment_params), + } + } + + if $suexec_user_group and $ensure == 'present' { + include apache::mod::suexec + + concat::fragment { "${name}-suexec": + target => "${priority_real}${filename}.conf", + order => 290, + content => " SuexecUserGroup ${suexec_user_group}\n", + } + } + + if ('h2' in $protocols or 'h2c' in $protocols or $h2_copy_files != undef or $h2_direct != undef or $h2_early_hints != undef or $h2_max_session_streams != undef or $h2_modern_tls_only != undef or $h2_push != undef or $h2_push_diary_size != undef or $h2_push_priority != [] or $h2_push_resource != [] or $h2_serialize_headers != undef or $h2_stream_max_mem_size != undef or $h2_tls_cool_down_secs != undef or $h2_tls_warm_up_size != undef or $h2_upgrade != undef or $h2_window_size != undef) and $ensure == 'present' { + include apache::mod::http2 + $http2_params = { + 'h2_copy_files' => $h2_copy_files, + 'h2_direct' => $h2_direct, + 'h2_early_hints' => $h2_early_hints, + 'h2_max_session_streams' => $h2_max_session_streams, + 'h2_modern_tls_only' => $h2_modern_tls_only, + 'h2_push' => $h2_push, + 'h2_push_diary_size' => $h2_push_diary_size, + 'h2_push_priority' => $h2_push_priority, + 'h2_push_resource' => $h2_push_resource, + 'h2_serialize_headers' => $h2_serialize_headers, + 'h2_stream_max_mem_size' => $h2_stream_max_mem_size, + 'h2_tls_cool_down_secs' => $h2_tls_cool_down_secs, + 'h2_tls_warm_up_size' => $h2_tls_warm_up_size, + 'h2_upgrade' => $h2_upgrade, + 'h2_window_size' => $h2_window_size, + } + + concat::fragment { "${name}-http2": + target => "${priority_real}${filename}.conf", + order => 300, + content => epp('apache/vhost/_http2.epp', $http2_params), + } + } + + if $mdomain and $ensure == 'present' { + include apache::mod::md + } + + if $userdir and $ensure == 'present' { + include apache::mod::userdir + + concat::fragment { "${name}-userdir": + target => "${priority_real}${filename}.conf", + order => 300, + content => epp('apache/vhost/_userdir.epp', { 'userdir' => $userdir }), + } + } + + if ($passenger_enabled != undef or $passenger_start_timeout != undef or $passenger_ruby != undef or $passenger_python != undef or $passenger_nodejs != undef or $passenger_meteor_app_settings != undef or $passenger_app_env != undef or $passenger_app_root != undef or $passenger_app_group_name != undef or $passenger_app_start_command != undef or $passenger_app_type != undef or$passenger_startup_file != undef or $passenger_restart_dir != undef or $passenger_spawn_method != undef or $passenger_load_shell_envvars != undef or $passenger_preload_bundler != undef or $passenger_rolling_restarts != undef or $passenger_resist_deployment_errors != undef or $passenger_min_instances != undef or $passenger_max_instances != undef or $passenger_max_preloader_idle_time != undef or $passenger_force_max_concurrent_requests_per_process != undef or $passenger_concurrency_model != undef or $passenger_thread_count != undef or $passenger_high_performance != undef or $passenger_max_request_queue_size != undef or $passenger_max_request_queue_time != undef or $passenger_user != undef or $passenger_group != undef or $passenger_friendly_error_pages != undef or $passenger_buffer_upload != undef or $passenger_buffer_response != undef or $passenger_allow_encoded_slashes != undef or $passenger_lve_min_uid != undef or $passenger_base_uri != undef or $passenger_error_override != undef or $passenger_sticky_sessions != undef or $passenger_sticky_sessions_cookie_name != undef or $passenger_sticky_sessions_cookie_attributes != undef or $passenger_app_log_file != undef or $passenger_debugger != undef or $passenger_max_requests != undef or $passenger_max_request_time != undef or $passenger_memory_limit != undef or $passenger_dump_config_manifest != undef) and $ensure == 'present' { + include apache::mod::passenger + $passenger_params = { + 'passenger_enabled' => $passenger_enabled, + 'passenger_base_uri' => $passenger_base_uri, + 'passenger_ruby' => $passenger_ruby, + 'passenger_python' => $passenger_python, + 'passenger_nodejs' => $passenger_nodejs, + 'passenger_meteor_app_settings' => $passenger_meteor_app_settings, + 'passenger_app_env' => $passenger_app_env, + 'passenger_app_root' => $passenger_app_root, + 'passenger_app_group_name' => $passenger_app_group_name, + 'passenger_app_start_command' => $passenger_app_start_command, + 'passenger_app_type' => $passenger_app_type, + 'passenger_startup_file' => $passenger_startup_file, + 'passenger_restart_dir' => $passenger_restart_dir, + 'passenger_spawn_method' => $passenger_spawn_method, + 'passenger_load_shell_envvars' => $passenger_load_shell_envvars, + 'passenger_preload_bundler' => $passenger_preload_bundler, + 'passenger_rolling_restarts' => $passenger_rolling_restarts, + 'passenger_resist_deployment_errors' => $passenger_resist_deployment_errors, + 'passenger_user' => $passenger_user, + 'passenger_group' => $passenger_group, + 'passenger_friendly_error_pages' => $passenger_friendly_error_pages, + 'passenger_min_instances' => $passenger_min_instances, + 'passenger_max_instances' => $passenger_max_instances, + 'passenger_max_preloader_idle_time' => $passenger_max_preloader_idle_time, + 'passenger_force_max_concurrent_requests_per_process' => $passenger_force_max_concurrent_requests_per_process, + 'passenger_start_timeout' => $passenger_start_timeout, + 'passenger_concurrency_model' => $passenger_concurrency_model, + 'passenger_thread_count' => $passenger_thread_count, + 'passenger_max_requests' => $passenger_max_requests, + 'passenger_max_request_time' => $passenger_max_request_time, + 'passenger_memory_limit' => $passenger_memory_limit, + 'passenger_stat_throttle_rate' => $passenger_stat_throttle_rate, + 'passenger_high_performance' => $passenger_high_performance, + 'passenger_buffer_upload' => $passenger_buffer_upload, + 'passenger_buffer_response' => $passenger_buffer_response, + 'passenger_error_override' => $passenger_error_override, + 'passenger_max_request_queue_size' => $passenger_max_request_queue_size, + 'passenger_max_request_queue_time' => $passenger_max_request_queue_time, + 'passenger_sticky_sessions' => $passenger_sticky_sessions, + 'passenger_sticky_sessions_cookie_name' => $passenger_sticky_sessions_cookie_name, + 'passenger_sticky_sessions_cookie_attributes' => $passenger_sticky_sessions_cookie_attributes, + 'passenger_allow_encoded_slashes' => $passenger_allow_encoded_slashes, + 'passenger_app_log_file' => $passenger_app_log_file, + 'passenger_debugger' => $passenger_debugger, + 'passenger_lve_min_uid' => $passenger_lve_min_uid, + } + + concat::fragment { "${name}-passenger": + target => "${priority_real}${filename}.conf", + order => 300, + content => epp('apache/vhost/_passenger.epp', $passenger_params), + } + } + + if $add_default_charset { + $charsets_params = { + 'add_default_charset' => $add_default_charset, + } + concat::fragment { "${name}-charsets": + target => "${priority_real}${filename}.conf", + order => 310, + content => epp('apache/vhost/_charsets.epp', $charsets_params), + } + } + + if $modsec_disable_vhost or $modsec_disable_ids or !empty($modsec_disable_ips) or $modsec_disable_msgs or $modsec_disable_tags or $modsec_audit_log_destination or ($modsec_inbound_anomaly_threshold and $modsec_outbound_anomaly_threshold) or $modsec_allowed_methods { + $security_params = { + 'modsec_disable_vhost' => $modsec_disable_vhost, + 'modsec_audit_log_destination' => $modsec_audit_log_destination, + '_modsec_disable_ids' => $modsec_disable_ids, + 'modsec_disable_ips' => $modsec_disable_ips, + '_modsec_disable_msgs' => $modsec_disable_msgs, + '_modsec_disable_tags' => $modsec_disable_tags, + 'modsec_body_limit' => $modsec_body_limit, + 'modsec_inbound_anomaly_threshold' => $modsec_inbound_anomaly_threshold, + 'modsec_outbound_anomaly_threshold' => $modsec_outbound_anomaly_threshold, + 'modsec_allowed_methods' => $modsec_allowed_methods, + } + concat::fragment { "${name}-security": + target => "${priority_real}${filename}.conf", + order => 320, + content => epp('apache/vhost/_security.epp', $security_params), + } + } + + if ! empty($filters) and $ensure == 'present' { + include apache::mod::filter + + concat::fragment { "${name}-filters": + target => "${priority_real}${filename}.conf", + order => 330, + content => epp('apache/vhost/_filters.epp', { 'filters' => $filters }), + } + } + + if !empty($jk_mounts) and $ensure == 'present' { + include apache::mod::jk + + concat::fragment { "${name}-jk_mounts": + target => "${priority_real}${filename}.conf", + order => 340, + content => epp('apache/vhost/_jk_mounts.epp', { 'jk_mounts' => $jk_mounts }), + } + } + + if $keepalive or $keepalive_timeout or $max_keepalive_requests { + $keep_alive_params = { + 'keepalive' => $keepalive, + 'keepalive_timeout' => $keepalive_timeout, + 'max_keepalive_requests' => $max_keepalive_requests, + } + concat::fragment { "${name}-keepalive_options": + target => "${priority_real}${filename}.conf", + order => 350, + content => epp('apache/vhost/_keepalive_options.epp', $keep_alive_params), + } + } + + if $cas_enabled { + $auth_cas_params = { + 'cas_enabled' => $cas_enabled, + 'cas_cookie_path' => $cas_cookie_path, + 'cas_login_url' => $cas_login_url, + 'cas_validate_url' => $cas_validate_url, + 'cas_version' => $apache::mod::auth_cas::cas_version, + 'cas_debug' => $apache::mod::auth_cas::cas_debug, + 'cas_certificate_path' => $apache::mod::auth_cas::cas_certificate_path, + 'cas_proxy_validate_url' => $apache::mod::auth_cas::cas_proxy_validate_url, + 'cas_validate_depth' => $apache::mod::auth_cas::cas_validate_depth, + 'cas_root_proxied_as' => $cas_root_proxied_as, + 'cas_cookie_entropy' => $apache::mod::auth_cas::cas_cookie_entropy, + 'cas_timeout' => $apache::mod::auth_cas::cas_timeout, + 'cas_idle_timeout' => $apache::mod::auth_cas::cas_idle_timeout, + 'cas_cache_clean_interval' => $apache::mod::auth_cas::cas_cache_clean_interval, + 'cas_cookie_domain' => $apache::mod::auth_cas::cas_cookie_domain, + 'cas_cookie_http_only' => $apache::mod::auth_cas::cas_cookie_http_only, + 'cas_authoritative' => $apache::mod::auth_cas::cas_authoritative, + 'cas_sso_enabled' => $cas_sso_enabled, + 'cas_validate_saml' => $cas_validate_saml, + 'cas_attribute_prefix' => $cas_attribute_prefix, + 'cas_attribute_delimiter' => $cas_attribute_delimiter, + 'cas_scrub_request_headers' => $cas_scrub_request_headers, + } + concat::fragment { "${name}-auth_cas": + target => "${priority_real}${filename}.conf", + order => 350, + content => epp('apache/vhost/_auth_cas.epp', $auth_cas_params), + } + } + + if $http_protocol_options { + concat::fragment { "${name}-http_protocol_options": + target => "${priority_real}${filename}.conf", + order => 350, + content => epp('apache/vhost/_http_protocol_options.epp', { 'http_protocol_options' => $http_protocol_options }), + } + } + + if $auth_oidc and $ensure == 'present' { + include apache::mod::auth_openidc + + concat::fragment { "${name}-auth_oidc": + target => "${priority_real}${filename}.conf", + order => 360, + content => stdlib::deferrable_epp('apache/vhost/_auth_oidc.epp', { + 'auth_oidc' => $auth_oidc, + 'oidc_settings' => $oidc_settings, + }), + } + } + + if $shibboleth_enabled { + concat::fragment { "${name}-shibboleth": + target => "${priority_real}${filename}.conf", + order => 370, + content => epp('apache/vhost/_shib.epp', { 'shib_compat_valid_user' => $shib_compat_valid_user }), + } + } + + if $use_canonical_name { + concat::fragment { "${name}-use_canonical_name": + target => "${priority_real}${filename}.conf", + order => 360, + content => " UseCanonicalName ${use_canonical_name}\n", + } + } + + if $proxy_protocol != undef { + include apache::mod::remoteip + + $proxy_protocol_params = { + proxy_protocol => $proxy_protocol, + proxy_protocol_exceptions => $proxy_protocol_exceptions, + } + + concat::fragment { "${name}-proxy_protocol": + target => "${priority_real}${filename}.conf", + order => 400, + content => epp('apache/vhost/_proxy_protocol.epp', $proxy_protocol_params), + } + } + + $file_footer_params = { + 'define' => $define, + 'passenger_pre_start' => $passenger_pre_start, + } + concat::fragment { "${name}-file_footer": + target => "${priority_real}${filename}.conf", + order => 999, + content => epp('apache/vhost/_file_footer.epp', $file_footer_params), + } +} diff --git a/manifests/vhost/custom.pp b/manifests/vhost/custom.pp new file mode 100644 index 0000000000..30cd17938f --- /dev/null +++ b/manifests/vhost/custom.pp @@ -0,0 +1,56 @@ +# @summary +# A wrapper around the `apache::custom_config` defined type. +# +# The `apache::vhost::custom` defined type is a thin wrapper around the `apache::custom_config` defined type, and simply overrides some of its default settings specific to the virtual host directory in Apache. +# +# @param content +# Sets the configuration file's content. +# +# @param ensure +# Specifies if the virtual host file is present or absent. +# +# @param priority +# Sets the relative load order for Apache HTTPD VirtualHost configuration files. +# +# @param verify_config +# Specifies whether to validate the configuration file before notifying the Apache service. +# +define apache::vhost::custom ( + String $content, + String $ensure = 'present', + Apache::Vhost::Priority $priority = 25, + Boolean $verify_config = true, +) { + include apache + + ## Apache include does not always work with spaces in the filename + $filename = regsubst($name, ' ', '_', 'G') + + ::apache::custom_config { $filename: + ensure => $ensure, + confdir => $apache::vhost_dir, + content => $content, + priority => $priority, + verify_config => $verify_config, + } + + # NOTE(pabelanger): This code is duplicated in ::apache::vhost and needs to + # converted into something generic. + if $apache::vhost_enable_dir { + $vhost_symlink_ensure = $ensure ? { + 'present' => link, + default => $ensure, + } + + file { "${priority}-${filename}.conf symlink": + ensure => $vhost_symlink_ensure, + path => "${apache::vhost_enable_dir}/${priority}-${filename}.conf", + target => "${apache::vhost_dir}/${priority}-${filename}.conf", + owner => 'root', + group => $apache::params::root_group, + mode => $apache::file_mode, + require => Apache::Custom_config[$filename], + notify => Class['apache::service'], + } + } +} diff --git a/manifests/vhost/fragment.pp b/manifests/vhost/fragment.pp new file mode 100644 index 0000000000..f88ef3aead --- /dev/null +++ b/manifests/vhost/fragment.pp @@ -0,0 +1,87 @@ +# @summary Define a fragment within a vhost +# +# @param vhost +# The title of the vhost resource to append to +# +# @param priority +# Set the priority to match the one `apache::vhost` sets. This must match the +# one `apache::vhost` sets or else the concat fragment won't be found. +# +# @param content +# The content to put in the fragment. Only when it's non-empty the actual +# fragment will be created. +# +# @param order +# The order to insert the fragment at +# +# @param port +# The port to use +# +# @example With a vhost without priority +# include apache +# apache::vhost { 'myvhost': +# } +# apache::vhost::fragment { 'myfragment': +# vhost => 'myvhost', +# content => '# Foo', +# } +# +# @example With a vhost with priority +# include apache +# apache::vhost { 'myvhost': +# priority => 42, +# } +# apache::vhost::fragment { 'myfragment': +# vhost => 'myvhost', +# priority => 42, +# content => '# Foo', +# } +# +# @example With a vhost with default vhost +# include apache +# apache::vhost { 'myvhost': +# default_vhost => true, +# } +# apache::vhost::fragment { 'myfragment': +# vhost => 'myvhost', +# priority => 10, # default_vhost implies priority 10 +# content => '# Foo', +# } +# +# @example Adding a fragment to the built in default vhost +# include apache +# apache::vhost::fragment { 'myfragment': +# vhost => 'default', +# priority => 15, +# content => '# Foo', +# } +# +define apache::vhost::fragment ( + String[1] $vhost, + Optional[Stdlib::Port] $port = undef, + Optional[Apache::Vhost::Priority] $priority = undef, + Optional[String] $content = undef, + Integer[0] $order = 900, +) { + # This copies the logic from apache::vhost + if $priority { + $priority_real = "${priority}-" + } elsif $priority == false { + $priority_real = '' + } else { + $priority_real = '25-' + } + + $filename = $port ? { + Integer => regsubst("${vhost}-${port}", ' ', '_', 'G'), + Undef => regsubst($vhost, ' ', '_', 'G'), + } + + if $content =~ String[1] { + concat::fragment { "${vhost}-${title}": + target => "${priority_real}${filename}.conf", + order => $order, + content => $content, + } + } +} diff --git a/manifests/vhost/proxy.pp b/manifests/vhost/proxy.pp new file mode 100644 index 0000000000..89a885d175 --- /dev/null +++ b/manifests/vhost/proxy.pp @@ -0,0 +1,148 @@ +# @summary Configure a reverse proxy for a vhost +# +# @param vhost +# The title of the vhost resource to which reverse proxy configuration will +# be appended. +# +# @param priority +# Set the priority to match the one `apache::vhost` sets. This must match the +# one `apache::vhost` sets or else the vhost's `concat` resource won't be found. +# +# @param order +# The order in which the `concat::fragment` containing the proxy configuration +# will be inserted. Useful when multiple fragments will be attached to a single +# vhost's configuration. +# +# @param port +# Set the port to match the one `apache::vhost` sets. This must match the one +# `apache::vhost` sets or else the vhost's `concat` resource won't be found. +# +# @param proxy_dest +# Specifies the destination address of a [ProxyPass](https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypass) configuration for the `/` path. +# +# @param proxy_dest_match +# This directive is equivalent to `proxy_dest`, but takes regular expressions, see +# [ProxyPassMatch](https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypassmatch) +# for details. +# +# @param proxy_dest_reverse_match +# Allows you to pass a ProxyPassReverse if `proxy_dest_match` is specified. See +# [ProxyPassReverse](https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypassreverse) +# for details. +# +# @param no_proxy_uris +# Paths to be excluded from reverse proxying. Only valid when already using `proxy_dest` +# or `proxy_dest_match` to map the `/` path, otherwise it will be absent in the final +# vhost configuration file. In that case, instead add `no_proxy_uris => [uri1, uri2, ...]` +# to the `Apache::Vhost::ProxyPass` definitions passed via the `proxy_pass` parameter. +# See examples for this class, or refer to documentation for the `Apache::Vhost::ProxyPass` +# data type. This configuration uses the [ProxyPass](https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypass) directive with `!`. +# +# @param no_proxy_uris_match +# This directive is equivalent to `no_proxy_uris` but takes regular expressions, +# as it instead uses [ProxyPassMatch](https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypassmatch). +# +# @param proxy_pass +# Specifies an array of `path => URI` values for a [ProxyPass](https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypass) +# configuration. +# See the documentation for the Apache::Vhost::ProxyPass data type for a detailed +# description of the structure including optional parameters. +# +# @param proxy_pass_match +# This directive is equivalent to `proxy_pass`, but takes regular expressions, see +# [ProxyPassMatch](https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypassmatch) +# for details. +# +# @param proxy_requests +# Enables forward (standard) proxy requests. See [ProxyRequests](https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxyrequests) for details. +# +# @param proxy_preserve_host +# When enabled, pass the `Host:` line from the incoming request to the proxied host. +# See [ProxyPreserveHost](https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypreservehost) for details. +# +# @param proxy_add_headers +# Add X-Forwarded-For, X-Forwarded-Host, and X-Forwarded-Server HTTP headers. +# See [ProxyAddHeaders](https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxyaddheaders) for details. +# +# @param proxy_error_override +# Override error pages from the proxied host. The current Puppet implementation +# supports enabling or disabling the directive, but not specifying a custom list +# of status codes. See [ProxyErrorOverride](https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxyerroroverride) for details. +# +# @example Simple configuration proxying "/" but not "/admin" +# include apache +# apache::vhost { 'basic-proxy-vhost': +# } +# apache::vhost::proxy { 'proxy-to-backend-server': +# vhost => 'basic-proxy-vhost', +# proxy_dest => 'http://backend-server/', +# no_proxy_uris => '/admin', +# } +# +# @example Granular configuration using `Apache::Vhost::ProxyPass` data type +# include apache +# apache::vhost { 'myvhost': +# } +# apache::vhost::proxy { 'myvhost-proxy': +# vhost => 'myvhost', +# proxy_pass => [ +# { 'path' => '/a', 'url' => 'http://backend-a/' }, +# { 'path' => '/b', 'url' => 'http://backend-b/' }, +# { 'path' => '/c', 'url' => 'http://backend-a/c', 'params' => {'max'=>20, 'ttl'=>120, 'retry'=>300}}, +# { 'path' => '/l', 'url' => 'http://backend-xy', +# 'reverse_urls' => ['http://backend-x', 'http://backend-y'] }, +# { 'path' => '/d', 'url' => 'http://backend-a/d', +# 'params' => { 'retry' => 0, 'timeout' => 5 }, }, +# { 'path' => '/e', 'url' => 'http://backend-a/e', +# 'keywords' => ['nocanon', 'interpolate'] }, +# { 'path' => '/f', 'url' => 'http://backend-f/', +# 'setenv' => ['proxy-nokeepalive 1', 'force-proxy-request-1.0 1']}, +# { 'path' => '/g', 'url' => 'http://backend-g/', +# 'reverse_cookies' => [{'path' => '/g', 'url' => 'http://backend-g/',}, {'domain' => 'http://backend-g', 'url' => 'http:://backend-g',},], }, +# { 'path' => '/h', 'url' => 'http://backend-h/h', +# 'no_proxy_uris' => ['/h/admin', '/h/server-status'] }, +# ], +# } +# +define apache::vhost::proxy ( + String[1] $vhost, + Optional[Apache::Vhost::Priority] $priority = undef, + Integer[0] $order = 170, + Optional[Stdlib::Port] $port = undef, + Optional[String[1]] $proxy_dest = undef, + Optional[String[1]] $proxy_dest_match = undef, + Optional[String[1]] $proxy_dest_reverse_match = undef, + Variant[Array[String[1]], String[1]] $no_proxy_uris = [], + Variant[Array[String[1]], String[1]] $no_proxy_uris_match = [], + Optional[Array[Apache::Vhost::ProxyPass]] $proxy_pass = undef, + Optional[Array[Apache::Vhost::ProxyPass]] $proxy_pass_match = undef, + Boolean $proxy_requests = false, + Boolean $proxy_preserve_host = false, + Optional[Boolean] $proxy_add_headers = undef, + Boolean $proxy_error_override = false, +) { + include apache::mod::proxy + include apache::mod::proxy_http + + # To match processing in templates/vhost/_proxy.erb + if $proxy_dest =~ Pattern[/^h2c?:\/\//] or $proxy_dest_match =~ Pattern[/^h2c?:\/\//] { + include apache::mod::proxy_http2 + } + [$proxy_pass, $proxy_pass_match].flatten.each |$proxy| { + if $proxy and $proxy['url'] =~ Pattern[/^h2c?:\/\//] { + include apache::mod::proxy_http2 + } + } + + unless $proxy_dest or $proxy_pass or $proxy_pass_match or $proxy_dest_match { + fail('At least one of proxy_dest, proxy_pass, proxy_pass_match or proxy_dest_match must be given') + } + + apache::vhost::fragment { "${name}-proxy": + vhost => $vhost, + port => $port, + priority => $priority, + order => $order, + content => template('apache/vhost/_proxy.erb'), + } +} diff --git a/manifests/vhosts.pp b/manifests/vhosts.pp new file mode 100644 index 0000000000..9ac49abaa3 --- /dev/null +++ b/manifests/vhosts.pp @@ -0,0 +1,26 @@ +# @summary +# Creates `apache::vhost` defined types. +# +# @note See the `apache::vhost` defined type's reference for a list of all virtual +# host parameters or Configuring virtual hosts in the README section. +# +# @example To create a [name-based virtual host](https://httpd.apache.org/docs/current/vhosts/name-based.html) `custom_vhost_1` +# class { 'apache::vhosts': +# vhosts => { +# 'custom_vhost_1' => { +# 'docroot' => '/var/www/custom_vhost_1', +# 'port' => 81, +# }, +# }, +# } +# +# @param vhosts +# A hash, where the key represents the name and the value represents a hash of +# `apache::vhost` defined type's parameters. +# +class apache::vhosts ( + Hash $vhosts = {}, +) { + include apache + create_resources('apache::vhost', $vhosts) +} diff --git a/metadata.json b/metadata.json index f7572b081e..473938b825 100644 --- a/metadata.json +++ b/metadata.json @@ -1,34 +1,94 @@ { - "name": "puppetlabs/apache", - "version": "0.9.0", - "summary": "Manage apache and mods", - "source": "git@github.com/puppetlabs/puppetlabs-apache.git", - "project_page": "http://github.com/puppetlabs/puppetlabs-apache", - "author": "Puppet Labs", - "license": "Apache-2.0", - "operatingsystem_support": [ - "RedHat", - "OpenSUSE", - "SLES", - "SLED", - "Debian", - "Ubuntu" - ], - "puppet_version": [ - 2.7, - 3.0, - 3.1, - 3.2, - 3.3 - ], - "dependencies": [ - { - "name": "puppetlabs/stdlib", - "version_requirement": ">= 2.2.1" - }, - { - "name": "puppetlabs/concat", - "version_requirement": ">= 1.0.0" - } - ] + "name": "puppetlabs-apache", + "version": "12.3.1", + "author": "puppetlabs", + "summary": "Installs, configures, and manages Apache virtual hosts, web services, and modules.", + "license": "Apache-2.0", + "source": "https://github.com/puppetlabs/puppetlabs-apache", + "project_page": "https://github.com/puppetlabs/puppetlabs-apache", + "issues_url": "https://github.com/puppetlabs/puppetlabs-apache/issues", + "dependencies": [ + { + "name": "puppetlabs/stdlib", + "version_requirement": ">= 4.13.1 < 10.0.0" + }, + { + "name": "puppetlabs/concat", + "version_requirement": ">= 2.2.1 < 10.0.0" + } + ], + "operatingsystem_support": [ + { + "operatingsystem": "RedHat", + "operatingsystemrelease": [ + "7", + "8", + "9" + ] + }, + { + "operatingsystem": "CentOS", + "operatingsystemrelease": [ + "7", + "8" + ] + }, + { + "operatingsystem": "OracleLinux", + "operatingsystemrelease": [ + "7" + ] + }, + { + "operatingsystem": "Scientific", + "operatingsystemrelease": [ + "7" + ] + }, + { + "operatingsystem": "Debian", + "operatingsystemrelease": [ + "10", + "11", + "12" + ] + }, + { + "operatingsystem": "SLES", + "operatingsystemrelease": [ + "12", + "15" + ] + }, + { + "operatingsystem": "Ubuntu", + "operatingsystemrelease": [ + "18.04", + "20.04", + "22.04" + ] + }, + { + "operatingsystem": "Rocky", + "operatingsystemrelease": [ + "8" + ] + }, + { + "operatingsystem": "AlmaLinux", + "operatingsystemrelease": [ + "8" + ] + } + ], + "requirements": [ + { + "name": "puppet", + "version_requirement": ">= 7.9.0 < 9.0.0" + } + ], + "description": "Module for Apache configuration", + "pdk-version": "3.2.0", + "template-url": "https://github.com/puppetlabs/pdk-templates.git#main", + "template-ref": "tags/3.2.0.4-0-g5d17ec1" } diff --git a/pdk.yaml b/pdk.yaml new file mode 100644 index 0000000000..4bef4bd0f9 --- /dev/null +++ b/pdk.yaml @@ -0,0 +1,2 @@ +--- +ignore: [] diff --git a/provision.yaml b/provision.yaml new file mode 100644 index 0000000000..267e3b47b7 --- /dev/null +++ b/provision.yaml @@ -0,0 +1,70 @@ +--- +default: + provisioner: docker + images: + - litmusimage/debian:8 +vagrant: + provisioner: vagrant + images: + - centos/7 + - generic/ubuntu1804 +docker_deb: + provisioner: docker + images: + - litmusimage/debian:8 + - litmusimage/debian:9 + - litmusimage/debian:10 +docker_ub_6: + provisioner: docker + images: + - litmusimage/ubuntu:14.04 + - litmusimage/ubuntu:16.04 + - litmusimage/ubuntu:18.04 + - litmusimage/ubuntu:20.04 +docker_el7: + provisioner: docker + images: + - litmusimage/centos:7 + - litmusimage/oraclelinux:7 + - litmusimage/scientificlinux:7 +docker_el8: + provisioner: docker + images: + - litmusimage/centos:8 +release_checks_6: + provisioner: abs + images: + - redhat-6-x86_64 + - redhat-7-x86_64 + - redhat-8-x86_64 + - centos-6-x86_64 + - centos-7-x86_64 + - centos-8-x86_64 + - oracle-6-x86_64 + - oracle-7-x86_64 + - scientific-6-x86_64 + - scientific-7-x86_64 + - debian-8-x86_64 + - debian-9-x86_64 + - debian-10-x86_64 + - ubuntu-1404-x86_64 + - ubuntu-1604-x86_64 + - ubuntu-1804-x86_64 + - ubuntu-2004-x86_64 + - sles-12-x86_64 + - sles-15-x86_64 +release_checks_7: + provisioner: abs + images: + - redhat-7-x86_64 + - redhat-8-x86_64 + - centos-7-x86_64 + - centos-8-x86_64 + - oracle-7-x86_64 + - scientific-7-x86_64 + - debian-9-x86_64 + - debian-10-x86_64 + - sles-12-x86_64 + - sles-15-x86_64 + - ubuntu-1804-x86_64 + - ubuntu-2004-x86_64 diff --git a/readmes/README_ja_JP.md b/readmes/README_ja_JP.md new file mode 100644 index 0000000000..c38d0358d5 --- /dev/null +++ b/readmes/README_ja_JP.md @@ -0,0 +1,5748 @@ +# apache + +[モジュールの概要]: #module-description + +[セットアップ]: #setup +[Apacheの使用を始める]: #beginning-with-apache + +[使用方法]: #usage +[バーチャルホストの設定]: #configuring-virtual-hosts +[SSLを使ったバーチャルホストの設定]: #configuring-virtual-hosts-with-ssl +[バーチャルホストのポートおよびアドレスのバインディング設定]: #configuring-virtual-host-port-and-address-bindings +[アプリおよびプロセッサのバーチャルホストの設定]: #configuring-virtual-hosts-for-apps-and-processors +[IPベースのバーチャルホストの設定]: #configuring-ip-based-virtual-hosts +[Apacheモジュールのインストール]: #installing-apache-modules +[任意モジュールのインストール]: #installing-arbitrary-modules +[固有モジュールのインストール]: #installing-specific-modules +[FastCGIサーバの設定]: #configuring-fastcgi-servers-to-handle-php-files +[ロードバランシングの例]: #load-balancing-examples +[apacheの影響]: #what-the-apache-module-affects + +[リファレンス]: #reference +[パブリッククラス]: #public-classes +[プライベートクラス]: #private-classes +[パブリック定義タイプ]: #public-defined-types +[プライベート定義タイプ]: #private-defined-types +[テンプレート]: #templates +[タスク]: #tasks + +[制約事項]: #limitations + +[開発]: #development +[貢献]: #contributing + +[`AddDefaultCharset`]: https://httpd.apache.org/docs/current/mod/core.html#adddefaultcharset +[`add_listen`]: #add_listen +[`Alias`]: https://httpd.apache.org/docs/current/mod/mod_alias.html#alias +[`AliasMatch`]: https://httpd.apache.org/docs/current/mod/mod_alias.html#aliasmatch +[エイリアスサーバ]: https://httpd.apache.org/docs/current/urlmapping.html +[`AllowEncodedSlashes`]: https://httpd.apache.org/docs/current/mod/core.html#allowencodedslashes +[`apache`]: #class-apache +[`apache_version`]: #apache_version +[`apache::balancer`]: #defined-type-apachebalancer +[`apache::balancermember`]: #defined-type-apachebalancermember +[`apache::fastcgi::server`]: #defined-type-apachefastcgiserver +[`apache::mod`]: #defined-type-apachemod +[`apache::mod::`]: #classes-apachemodmodule-name +[`apache::mod::alias`]: #class-apachemodalias +[`apache::mod::auth_cas`]: #class-apachemodauth_cas +[`apache::mod::auth_mellon`]: #class-apachemodauth_mellon +[`apache::mod::authn_dbd`]: #class-apachemodauthn_dbd +[`apache::mod::authnz_ldap`]: #class-apachemodauthnz_ldap +[`apache::mod::cluster`]: #class-apachemodcluster +[`apache::mod::data]: #class-apachemoddata +[`apache::mod::disk_cache`]: #class-apachemoddisk_cache +[`apache::mod::dumpio`]: #class-apachemoddumpio +[`apache::mod::event`]: #class-apachemodevent +[`apache::mod::ext_filter`]: #class-apachemodext_filter +[`apache::mod::geoip`]: #class-apachemodgeoip +[`apache::mod::itk`]: #class-apachemoditk +[`apache::mod::jk`]: #class-apachemodjk +[`apache::mod::ldap`]: #class-apachemodldap +[`apache::mod::passenger`]: #class-apachemodpassenger +[`apache::mod::peruser`]: #class-apachemodperuser +[`apache::mod::prefork`]: #class-apachemodprefork +[`apache::mod::proxy`]: #class-apachemodproxy +[`apache::mod::proxy_balancer`]: #class-apachemodproxybalancer +[`apache::mod::proxy_fcgi`]: #class-apachemodproxy_fcgi +[`apache::mod::proxy_html`]: #class-apachemodproxy_html +[`apache::mod::python`]: #class-apachemodpython +[`apache::mod::security`]: #class-apachemodsecurity +[`apache::mod::shib`]: #class-apachemodshib +[`apache::mod::ssl`]: #class-apachemodssl +[`apache::mod::status`]: #class-apachemodstatus +[`apache::mod::userdir`]: #class-apachemoduserdir +[`apache::mod::worker`]: #class-apachemodworker +[`apache::mod::wsgi`]: #class-apachemodwsgi +[`apache::params`]: #class-apacheparams +[`apache::version`]: #class-apacheversion +[`apache::vhost`]: #defined-type-apachevhost +[`apache::vhost::custom`]: #defined-type-apachevhostcustom +[`apache::vhost::WSGIImportScript`]: #wsgiimportscript +[Apache HTTPサーバ]: https://httpd.apache.org +[Apacheモジュール]: https://httpd.apache.org/docs/current/mod/ +[配列]: https://docs.puppet.com/puppet/latest/reference/lang_data_array.html + +[オーディットログ]: https://github.com/SpiderLabs/ModSecurity/wiki/ModSecurity-2-Data-Formats#audit-log + +[beaker-rspec]: https://github.com/puppetlabs/beaker-rspec + +[証明書失効リスト]: https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcarevocationfile +[証明書失効リストパス]: https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcarevocationpath +[コモンゲートウェイインターフェース]: https://httpd.apache.org/docs/current/howto/cgi.html +[`confd_dir`]: #confd_dir +[`content`]: #content +[CONTRIBUTING.md]: CONTRIBUTING.md +[カスタムエラードキュメント]: https://httpd.apache.org/docs/current/custom-error.html +[`custom_fragment`]: #custom_fragment + +[`default_mods`]: #default_mods +[`default_ssl_crl`]: #default_ssl_crl +[`default_ssl_crl_path`]: #default_ssl_crl_path +[`default_ssl_vhost`]: #default_ssl_vhost +[`dev_packages`]: #dev_packages +[`directory`]: #directory +[`directories`]: #parameter-directories-for-apachevhost +[`DirectoryIndex`]: https://httpd.apache.org/docs/current/mod/mod_dir.html#directoryindex +[`docroot`]: #docroot +[`docroot_owner`]: #docroot_owner +[`docroot_group`]: #docroot_group +[`DocumentRoot`]: https://httpd.apache.org/docs/current/mod/core.html#documentroot + +[`EnableSendfile`]: https://httpd.apache.org/docs/current/mod/core.html#enablesendfile +[適用モード]: http://selinuxproject.org/page/Guide/Mode +[`ensure`]: https://docs.puppet.com/latest/type.html#package-attribute-ensure +[`error_log_file`]: #error_log_file +[`error_log_syslog`]: #error_log_syslog +[`error_log_pipe`]: #error_log_pipe +[`ExpiresByType`]: https://httpd.apache.org/docs/current/mod/mod_expires.html#expiresbytype +[エクスポートリソース]: http://docs.puppet.com/latest/reference/lang_exported.md +[`ExtendedStatus`]: https://httpd.apache.org/docs/current/mod/core.html#extendedstatus + +[Facter]: http://docs.puppet.com/facter/ +[FastCGI]: http://www.fastcgi.com/ +[FallbackResource]: https://httpd.apache.org/docs/current/mod/mod_dir.html#fallbackresource +[`fallbackresource`]: #fallbackresource +[`FileETag`]: https://httpd.apache.org/docs/current/mod/core.html#fileetag +[フィルタルール]: https://httpd.apache.org/docs/current/filter.html +[`filters`]: #filters +[`ForceType`]: https://httpd.apache.org/docs/current/mod/core.html#forcetype + +[GeoIPScanProxyHeaders]: http://dev.maxmind.com/geoip/legacy/mod_geoip2/#Proxy-Related_Directives +[`gentoo/puppet-portage`]: https://github.com/gentoo/puppet-portage + +[ハッシュ]: https://docs.puppet.com/puppet/latest/reference/lang_data_hash.html +[`HttpProtocolOptions`]: http://httpd.apache.org/docs/current/mod/core.html#httpprotocoloptions + +[`IncludeOptional`]: https://httpd.apache.org/docs/current/mod/core.html#includeoptional +[`Include`]: https://httpd.apache.org/docs/current/mod/core.html#include +[インターバル構文]: https://httpd.apache.org/docs/current/mod/mod_expires.html#AltSyn +[`ip`]: #ip +[`ip_based`]: #ip_based +[IPベースのバーチャルホスト]: https://httpd.apache.org/docs/current/vhosts/ip-based.html + +[`KeepAlive`]: https://httpd.apache.org/docs/current/mod/core.html#keepalive +[`KeepAliveTimeout`]: https://httpd.apache.org/docs/current/mod/core.html#keepalivetimeout +[`keepalive`パラメータ]: #keepalive +[`keepalive_timeout`]: #keepalive_timeout +[`limitreqfieldsize`]: https://httpd.apache.org/docs/current/mod/core.html#limitrequestfieldsize +[`limitreqfields`]: http://httpd.apache.org/docs/current/mod/core.html#limitrequestfields + +[`lib`]: #lib +[`lib_path`]: #lib_path +[`Listen`]: https://httpd.apache.org/docs/current/bind.html +[`ListenBackLog`]: https://httpd.apache.org/docs/current/mod/mpm_common.html#listenbacklog +[`LoadFile`]: https://httpd.apache.org/docs/current/mod/mod_so.html#loadfile +[`LogFormat`]: https://httpd.apache.org/docs/current/mod/mod_log_config.html#logformat +[`logroot`]: #logroot +[ログセキュリティ]: https://httpd.apache.org/docs/current/logs.html#security + +[`manage_docroot`]: #manage_docroot +[`manage_user`]: #manage_user +[`manage_group`]: #manage_group +[`supplementary_groups`]: #supplementary_groups +[`MaxConnectionsPerChild`]: https://httpd.apache.org/docs/current/mod/mpm_common.html#maxconnectionsperchild +[`max_keepalive_requests`]: #max_keepalive_requests +[`MaxRequestWorkers`]: https://httpd.apache.org/docs/current/mod/mpm_common.html#maxrequestworkers +[`MaxSpareThreads`]: https://httpd.apache.org/docs/current/mod/mpm_common.html#maxsparethreads +[MIME `content-type`]: https://www.iana.org/assignments/media-types/media-types.xhtml +[`MinSpareThreads`]: https://httpd.apache.org/docs/current/mod/mpm_common.html#minsparethreads +[`mod_alias`]: https://httpd.apache.org/docs/current/mod/mod_alias.html +[`mod_auth_cas`]: https://github.com/Jasig/mod_auth_cas +[`mod_auth_kerb`]: http://modauthkerb.sourceforge.net/configure.html +[`mod_auth_gssapi`]: https://github.com/modauthgssapi/mod_auth_gssapi +[`mod_authnz_external`]: https://github.com/phokz/mod-auth-external +[`mod_auth_dbd`]: http://httpd.apache.org/docs/current/mod/mod_authn_dbd.html +[`mod_auth_mellon`]: https://github.com/UNINETT/mod_auth_mellon +[`mod_dbd`]: http://httpd.apache.org/docs/current/mod/mod_dbd.html +[`mod_disk_cache`]: https://httpd.apache.org/docs/2.2/mod/mod_disk_cache.html +[`mod_dumpio`]: https://httpd.apache.org/docs/2.4/mod/mod_dumpio.html +[`mod_env`]: http://httpd.apache.org/docs/current/mod/mod_env.html +[`mod_expires`]: https://httpd.apache.org/docs/current/mod/mod_expires.html +[`mod_ext_filter`]: https://httpd.apache.org/docs/current/mod/mod_ext_filter.html +[`mod_fcgid`]: https://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html +[`mod_geoip`]: http://dev.maxmind.com/geoip/legacy/mod_geoip2/ +[`mod_info`]: https://httpd.apache.org/docs/current/mod/mod_info.html +[`mod_ldap`]: https://httpd.apache.org/docs/2.2/mod/mod_ldap.html +[`mod_mpm_event`]: https://httpd.apache.org/docs/current/mod/event.html +[`mod_negotiation`]: https://httpd.apache.org/docs/current/mod/mod_negotiation.html +[`mod_pagespeed`]: https://developers.google.com/speed/pagespeed/module/?hl=en +[`mod_passenger`]: https://www.phusionpassenger.com/library/config/apache/reference/ +[`mod_php`]: http://php.net/manual/en/book.apache.php +[`mod_proxy`]: https://httpd.apache.org/docs/current/mod/mod_proxy.html +[`mod_proxy_balancer`]: https://httpd.apache.org/docs/current/mod/mod_proxy_balancer.html +[`mod_reqtimeout`]: https://httpd.apache.org/docs/current/mod/mod_reqtimeout.html +[`mod_python`]: http://modpython.org/ +[`mod_rewrite`]: https://httpd.apache.org/docs/current/mod/mod_rewrite.html +[`mod_security`]: https://www.modsecurity.org/ +[`mod_ssl`]: https://httpd.apache.org/docs/current/mod/mod_ssl.html +[`mod_status`]: https://httpd.apache.org/docs/current/mod/mod_status.html +[`mod_version`]: https://httpd.apache.org/docs/current/mod/mod_version.html +[`mod_wsgi`]: https://modwsgi.readthedocs.org/en/latest/ +[モジュール貢献ガイド]: https://docs.puppet.com/forge/contributing.html +[`mpm_module`]: #mpm_module +[マルチプロセッシングモジュール]: https://httpd.apache.org/docs/current/mpm.html + +[名前ベースのバーチャルホスト]: https://httpd.apache.org/docs/current/vhosts/name-based.html +[`no_proxy_uris`]: #no_proxy_uris + +[オープンソース版Puppet]: https://docs.puppet.com/puppet/ +[`Options`]: https://httpd.apache.org/docs/current/mod/core.html#options + +[`path`]: #path +[`Peruser`]: https://www.freebsd.org/cgi/url.cgi?ports/www/apache22-peruser-mpm/pkg-descr +[`port`]: #port +[`priority`]: #defined-types-apachevhost +[`proxy_dest`]: #proxy_dest +[`proxy_dest_match`]: #proxy_dest_match +[`proxy_pass`]: #proxy_pass +[`ProxyPass`]: https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypass +[`ProxySet`]: https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxyset +[Puppet Enterprise]: https://docs.puppet.com/pe/ +[Puppet Forge]: https://forge.puppet.com +[Puppet]: https://puppet.com +[Puppetモジュール]: https://docs.puppet.com/puppet/latest/reference/modules_fundamentals.html +[Puppetモジュールのコード]: https://github.com/puppetlabs/puppetlabs-apache/blob/main/manifests/default_mods.pp +[`purge_configs`]: #purge_configs +[`purge_vhost_dir`]: #purge_vhost_dir +[Python]: https://www.python.org/ + +[Rack]: http://rack.github.io/ +[`rack_base_uris`]: #rack_base_uris +[RFC 2616]: https://www.ietf.org/rfc/rfc2616.txt +[`RequestReadTimeout`]: https://httpd.apache.org/docs/current/mod/mod_reqtimeout.html#requestreadtimeout +[rspec-puppet]: http://rspec-puppet.com/ + +[`ScriptAlias`]: https://httpd.apache.org/docs/current/mod/mod_alias.html#scriptalias +[`ScriptAliasMatch`]: https://httpd.apache.org/docs/current/mod/mod_alias.html#scriptaliasmatch +[`scriptalias`]: #scriptalias +[SELinux]: http://selinuxproject.org/ +[`ServerAdmin`]: https://httpd.apache.org/docs/current/mod/core.html#serveradmin +[`serveraliases`]: #serveraliases +[`ServerLimit`]: https://httpd.apache.org/docs/current/mod/mpm_common.html#serverlimit +[`ServerName`]: https://httpd.apache.org/docs/current/mod/core.html#servername +[`ServerRoot`]: https://httpd.apache.org/docs/current/mod/core.html#serverroot +[`ServerTokens`]: https://httpd.apache.org/docs/current/mod/core.html#servertokens +[`ServerSignature`]: https://httpd.apache.org/docs/current/mod/core.html#serversignature +[サービス属性リスタート]: http://docs.puppet.com/latest/type.html#service-attribute-restart +[`source`]: #source +[`SSLCARevocationCheck`]: https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcarevocationcheck +[SSL証明書のキーファイル]: https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcertificatekeyfile +[SSLチェーン]: https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcertificatechainfile +[SSL暗号化]: https://httpd.apache.org/docs/current/ssl/index.html +[`ssl`]: #ssl +[`ssl_cert`]: #ssl_cert +[`ssl_compression`]: #ssl_compression +[`ssl_key`]: #ssl_key +[`StartServers`]: https://httpd.apache.org/docs/current/mod/mpm_common.html#startservers +[suPHP]: http://www.suphp.org/Home.html +[`suphp_addhandler`]: #suphp_addhandler +[`suphp_configpath`]: #suphp_configpath +[`suphp_engine`]: #suphp_engine +[対応するオペレーティングシステム]: https://forge.puppet.com/supported#puppet-supported-modules-compatibility-matrix + +[`ThreadLimit`]: https://httpd.apache.org/docs/current/mod/mpm_common.html#threadlimit +[`ThreadsPerChild`]: https://httpd.apache.org/docs/current/mod/mpm_common.html#threadsperchild +[`TimeOut`]: https://httpd.apache.org/docs/current/mod/core.html#timeout +[テンプレート]: http://docs.puppet.com/puppet/latest/reference/lang_template.html +[`TraceEnable`]: https://httpd.apache.org/docs/current/mod/core.html#traceenable + +[`UseCanonicalName`]: https://httpd.apache.org/docs/current/mod/core.html#usecanonicalname + +[`verify_config`]: #verify_config +[`vhost`]: #defined-type-apachevhost +[`vhost_dir`]: #vhost_dir +[`virtual_docroot`]: #virtual_docroot + +[Webサーバゲートウェイインターフェース ]: https://www.python.org/dev/peps/pep-3333/#abstract +[`WSGIRestrictEmbedded`]: http://modwsgi.readthedocs.io/en/develop/configuration-directives/WSGIRestrictEmbedded.html +[`WSGIPythonPath`]: http://modwsgi.readthedocs.org/en/develop/configuration-directives/WSGIPythonPath.html +[`WSGIPythonHome`]: http://modwsgi.readthedocs.org/en/develop/configuration-directives/WSGIPythonHome.html + +#### 目次 + +1. [モジュールの概要 - apacheモジュールとは? 何をするためのもの?][モジュールの概要] +2. [セットアップ - apacheの使用を開始するにあたっての基礎][セットアップ] + - [apacheモジュールが影響を与えるもの][apacheの影響] + - [Apacheの使用を始める - インストール][Apacheの使用を始める] +3. [使用方法 - 設定に使用できるクラスと定義タイプ][使用方法] + - [バーチャルホストの設定 - 使用開始に役立つ例][バーチャルホストの設定] + - [PHPファイルを処理するFastCGIサーバの設定][FastCGIサーバの設定] + - [エクスポートおよび非エクスポートリソースのロードバランシング][ロードバランシングの例] +4. [リファレンス - モジュールの機能と動作について][リファレンス] + - [パブリッククラス][] + - [プライベートクラス][] + - [パブリック定義タイプ][] + - [プライベート定義タイプ][] + - [テンプレート][] + - [タスク][] +5. [制約事項 - OSの互換性など][制約事項] +6. [開発 - モジュールへの貢献方法][開発] + - [apacheモジュールへの貢献][貢献] + - [テストの実施 - クイックガイド][テストの実施] + + +## モジュールの概要 + +[Apache HTTPサーバ][] (Apache HTTPD、あるいは単にApacheとも呼ばれます)は、広く使用されているWebサーバです。この[Puppetモジュール][]によって、インフラ内でApacheを管理するための設定がシンプルなものになります。幅広いバーチャルホストセットアップを設定および管理し、[Apacheモジュール][]を効率的にインストールして設定することができます。 + + +## セットアップ + + +### apacheモジュールが影響を与えるもの: + +- (作成し、書き込みを行う)設定ファイルおよびディレクトリ + - **警告**: Puppetにより管理*されていない*設定はパージされます。 +- Apacheのパッケージ/サービス/設定ファイル +- Apacheモジュール +- バーチャルホスト +- リッスンするポート +- FreeBSDおよびGentooの`/etc/make.conf` + +Gentooでは、このモジュールは [`gentoo/puppet-portage`][] Puppetモジュールに依存します。Gentooについては、いくつかのオプションが適用され、一部の機能や設定が有効になりますが、このモジュールに[対応するオペレーティングシステム][]ではない点に留意してください。 + +> **警告**: このモジュールにより、Apache設定ファイルおよびディレクトリが修正され、Puppetで管理されていない設定がパージされます。Apache設定はPuppetで管理する必要があります。これは、管理されていない設定ファイルにより、予期せぬ不具合が生じる可能性があるためです。 +> +>全面的なPuppet管理を一時的に無効にするには、[`apache`][]クラス宣言の[`purge_configs`][]パラメータをfalseに設定します。この手順は、カスタマイズした設定を保存し、リロケーションするための一時的な対策としてのみ推奨されます。 + + +### Apacheの使用を始める + +デフォルトパラメータを用いてPuppetでApacheをインストールするには、[`apache`][]クラスを宣言します。 + +``` puppet +class { 'apache': } +``` + +デフォルトオプションを用いてこのクラスを宣言すると、モジュールでは以下のことが実行されます。 + +- オペレーティングシステムに適したApacheソフトウェアパッケージおよび[必要なApacheモジュール](#default_mods)をインストールします。 +- オペレーティングシステムに応じた[デフォルトロケーション](#conf_dir)を用いて、ディレクトリ内に必要な設定ファイルを配置します。 +- デフォルトのバーチャルホストおよび標準的なポート('80')とアドレス('\*')のバインディングを用いてサーバを設定します。 +- ドキュメントルートディレクトリを作成します。オペレーティングシステムによって異なりますが、通常は`/var/www`です。 +- Apacheサービスを開始します。 + +Apacheのデフォルト設定は、オペレーティングシステムによって異なります。これらのデフォルトは、テスト環境では機能しますが、本稼働環境には推奨されません。実際のサイトに応じてクラスのパラメータをカスタマイズすることを推奨します。 + +例えば、以下の宣言では、apacheモジュールの[デフォルトのバーチャルホスト設定][バーチャルホストの設定]を使わずにApacheがインストールされるので、すべてのApacheバーチャルホストをカスタマイズすることができます。 + +``` puppet +class { 'apache': + default_vhost => false, +} +``` + +> **注意**: `default_vhost`を`false`に設定する場合、少なくとも1つの`apache::vhost`リソースを追加する必要があります。追加しなければ、Apacheは起動しません。デフォルトのバーチャルホストを設定するには、`apache`クラスで`default_vhost`を設定するか、[`apache::vhost`][]定義タイプを使用します。[`apache::vhost`][]定義タイプを用いて、追加の固有バーチャルホストを設定することもできます。 + + +## 使用方法 + + +### バーチャルホストの設定 + +デフォルトの[`apache`][]クラスは、ポート80にバーチャルホストを設定します。すべてのインターフェースをリッスンし、[`docroot`][]パラメータのデフォルトディレクトリ`/var/www`をサーブします。 + + +基本の[名前ベースのバーチャルホスト][]を設定するには、[`apache::vhost`][]定義タイプで[`port`][]および[`docroot`][]パラメータを指定します。 + +``` puppet +apache::vhost { 'vhost.example.com': + port => '80', + docroot => '/var/www/vhost', +} +``` + +すべてのバーチャルホストパラメータのリストについては、[`apache::vhost`][]定義タイプのリファレンスを参照してください。 + +> **注意**: Apacheはバーチャルホストをアルファベット順に処理します。サーバ管理者は、バーチャルホスト設定ファイル名の先頭に数字を付けることで、 Apacheバーチャルホスト処理の優先順位を設定できます。[`apache::vhost`][]定義タイプは、デフォルトの [`priority`][]である25を適用します。これはPuppetではバーチャルホストのファイル名の先頭に`25-`が付いていると解釈されます。そのため、優先順位が同じサイトが複数ある場合や、`priority`パラメータの値をfalseに設定して優先順位番号を無効にした場合でも、Apacheはバーチャルホストをアルファベット順に処理します。 + +`docroot`のユーザおよびグループのオーナーシップを設定するには、[`docroot_owner`][]および[`docroot_group`][]パラメータを使用します。 + +``` puppet +apache::vhost { 'user.example.com': + port => '80', + docroot => '/var/www/user', + docroot_owner => 'www-data', + docroot_group => 'www-data', +} +``` + +#### SSLを使ったバーチャルホストの設定 + +[SSL encryption][]およびデフォルトのSSL証明書を使うようにバーチャルホストを設定するには、[`ssl`][]パラメータを設定します。また、[`port`][]パラメータを指定する必要もあります。通常は、'443'という値がHTTPSリクエストに対応します。 + +``` puppet +apache::vhost { 'ssl.example.com': + port => '443', + docroot => '/var/www/ssl', + ssl => true, +} +``` + +SSLおよび固有SSL証明書を使うようにバーチャルホストを設定するには、[`ssl_cert`][]および[`ssl_key`][]パラメータで証明書およびキーへのパスを使用します。 + +``` puppet +apache::vhost { 'cert.example.com': + port => '443', + docroot => '/var/www/cert', + ssl => true, + ssl_cert => '/etc/ssl/fourth.example.com.cert', + ssl_key => '/etc/ssl/fourth.example.com.key', +} +``` + +同じドメインでSSLと暗号化されていないバーチャルホストを混ぜて設定するには、それぞれを個別の[`apache::vhost`][]定義タイプで宣言します。 + +``` puppet +# The non-ssl virtual host +apache::vhost { 'mix.example.com non-ssl': + servername => 'mix.example.com', + port => '80', + docroot => '/var/www/mix', +} + +# The SSL virtual host at the same domain +apache::vhost { 'mix.example.com ssl': + servername => 'mix.example.com', + port => '443', + docroot => '/var/www/mix', + ssl => true, +} +``` + +暗号化されていない接続をSSLにリダイレクトするようにバーチャルホストを設定するには、それぞれを個別の[`apache::vhost`][]定義タイプで宣言し、SSLが有効化されているバーチャルホストに、暗号化されていないリクエストをリダイレクトします。 + +``` puppet +apache::vhost { 'redirect.example.com non-ssl': + servername => 'redirect.example.com', + port => '80', + docroot => '/var/www/redirect', + redirect_status => 'permanent', + redirect_dest => 'https://redirect.example.com/' +} + +apache::vhost { 'redirect.example.com ssl': + servername => 'redirect.example.com', + port => '443', + docroot => '/var/www/redirect', + ssl => true, +} +``` + +#### バーチャルホストのポートおよびアドレスのバインディング設定  + +バーチャルホストはデフォルトですべてのIPアドレス('\*')をリッスンします。特定のIPアドレスをリッスンするようにバーチャルホストを設定するには、[`ip`][]パラメータを使用します。 + +``` puppet +apache::vhost { 'ip.example.com': + ip => '127.0.0.1', + port => '80', + docroot => '/var/www/ip', +} +``` + +[`ip`][]パラメータにIPアドレスの配列を使えば、1つのバーチャルホストに複数のIPアドレスを設定することもできます。 + +``` puppet +apache::vhost { 'ip.example.com': + ip => ['127.0.0.1','169.254.1.1'], + port => '80', + docroot => '/var/www/ip', +} +``` + +[`port`][]パラメータにポートの配列を使えば、1つのバーチャルホストに複数のポートを設定することができます。 + +``` puppet +apache::vhost { 'ip.example.com': + ip => ['127.0.0.1'], + port => ['80','8080'] + docroot => '/var/www/ip', +} +``` + +[エイリアスサーバ][]を使ってバーチャルホストを設定するには、[`serveraliases`][]パラメータを使ってエイリアスを指定します。 + +``` puppet +apache::vhost { 'aliases.example.com': + serveraliases => [ + 'aliases.example.org', + 'aliases.example.net', + ], + port => '80', + docroot => '/var/www/aliases', +} +``` + +`/var/www/example.com`に'http://example.com.loc'をマッピングするケースのように、 同じ名前のディレクトリにマッピングされたサブドメイン用にワイルドカードエイリアスを使ってバーチャルホストを設定するには、[`serveraliases`][]パラメータを使ってワイルドカードエイリアスを、[`virtual_docroot`][]パラメータを使ってドキュメントルートを定義します。 + +``` puppet +apache::vhost { 'subdomain.loc': + vhost_name => '*', + port => '80', + virtual_docroot => '/var/www/%-2+', + docroot => '/var/www', + serveraliases => ['*.loc',], +} +``` + +[フィルタルール][]を使ってバーチャルホストを設定するには、[`filters`][]パラメータを使って、フィルタディレクティブを[array][]として渡します。 + +``` puppet +apache::vhost { 'subdomain.loc': + port => '80', + filters => [ + 'FilterDeclare COMPRESS', + 'FilterProvider COMPRESS DEFLATE resp=Content-Type $text/html', + 'FilterChain COMPRESS', + 'FilterProtocol COMPRESS DEFLATE change=yes;byteranges=no', + ], + docroot => '/var/www/html', +} +``` + +#### アプリおよびプロセッサのバーチャルホストの設定  + +[suPHP][]を使ってバーチャルホストを設定するには、以下のパラメータを使用します。 + +* [`suphp_engine`][]、suPHPエンジンを有効にします。 +* [`suphp_addhandler`][]、MIMEタイプを定義します。 +* [`suphp_configpath`][]、suPHPがPHPインタープリタに渡すパスを設定します。 +* [`directory`][]、ディレクトリ、ファイル、ロケーションの各ディレクティブブロックを設定します。 + +例:  + +``` puppet +apache::vhost { 'suphp.example.com': + port => '80', + docroot => '/home/appuser/myphpapp', + suphp_addhandler => 'x-httpd-php', + suphp_engine => 'on', + suphp_configpath => '/etc/php5/apache2', + directories => [ + { 'path' => '/home/appuser/myphpapp', + 'suphp' => { + user => 'myappuser', + group => 'myappgroup', + }, + }, + ], +} +``` + +[Python][]アプリケーション用の[Webサーバゲートウェイインターフェース][] (WSGI)を使ってバーチャルホストを設定するには、`wsgi`パラメータセットを使用します。 + +``` puppet +apache::vhost { 'wsgi.example.com': + port => '80', + docroot => '/var/www/pythonapp', + wsgi_application_group => '%{GLOBAL}', + wsgi_daemon_process => 'wsgi', + wsgi_daemon_process_options => { + processes => '2', + threads => '15', + display-name => '%{GROUP}', + }, + wsgi_import_script => '/var/www/demo.wsgi', + wsgi_import_script_options => { + process-group => 'wsgi', + application-group => '%{GLOBAL}', + }, + wsgi_process_group => 'wsgi', + wsgi_script_aliases => { '/' => '/var/www/demo.wsgi' }, +} +``` + +Apache 2.2.16の時点では、Apacheは[FallbackResource][]をサポートしています。これは、一般的なRewriteRulesに代わるシンプルなディレクティブです。[`fallbackresource`][]パラメータを使えば、FallbackResourceを設定できます。 + +``` puppet +apache::vhost { 'wordpress.example.com': + port => '80', + docroot => '/var/www/wordpress', + fallbackresource => '/index.php', +} +``` + +> **注意**: Apache 2.2.24以降では、`fallbackresource`パラメータがサポートするのは'disabled'値のみです。 + +[コモンゲートウェイインターフェース][] (CGI)ファイル用の指定ディレクトリを使ってバーチャルホストを設定するには、[`scriptalias`][]パラメータを使って`cgi-bin`パスを定義します。 + +``` puppet +apache::vhost { 'cgi.example.com': + port => '80', + docroot => '/var/www/cgi', + scriptalias => '/usr/lib/cgi-bin', +} +``` + +[Rack][]用のバーチャルホストを設定するには、[`rack_base_uris`][]パラメータを使用します。 + +``` puppet +apache::vhost { 'rack.example.com': + port => '80', + docroot => '/var/www/rack', + rack_base_uris => ['/rackapp1', '/rackapp2'], +} +``` + +#### IPベースのバーチャルホストの設定  + +任意のポートをリッスンし、固有IPアドレスのリクエストに応答する[IPベースのバーチャルホスト][]を設定することができます。この例では、サーバはポート80および81をリッスンします。これは、この例のバーチャルホストが[`port`][]パラメータにより宣言されて_いない_ ためです。 + +``` puppet +apache::listen { '80': } + +apache::listen { '81': } +``` + +[`ip_based`][]パラメータを使ってIPベースのバーチャルホストを設定します。 + +``` puppet +apache::vhost { 'first.example.com': + ip => '10.0.0.10', + docroot => '/var/www/first', + ip_based => true, +} + +apache::vhost { 'second.example.com': + ip => '10.0.0.11', + docroot => '/var/www/second', + ip_based => true, +} +``` + +任意の[SSL][SSL暗号化]構成と暗号化されていない構成を組み合わせ、IPベースと[名前ベースのバーチャルホスト][]を混ぜて設定することもできます。 + +この例では、1つのIPアドレス(この例では、10.0.0.10)に2つのIPベースのバーチャルホストを追加します。一方はSSLを使用するもの、もう一方は暗号化されていないものです。 + +``` puppet +apache::vhost { 'The first IP-based virtual host, non-ssl': + servername => 'first.example.com', + ip => '10.0.0.10', + port => '80', + ip_based => true, + docroot => '/var/www/first', +} + +apache::vhost { 'The first IP-based vhost, ssl': + servername => 'first.example.com', + ip => '10.0.0.10', + port => '443', + ip_based => true, + docroot => '/var/www/first-ssl', + ssl => true, +} +``` + +次に、第2のIPアドレス(10.0.0.20)に2つの名前ベースのバーチャルホストを追加します。 + +``` puppet +apache::vhost { 'second.example.com': + ip => '10.0.0.20', + port => '80', + docroot => '/var/www/second', +} + +apache::vhost { 'third.example.com': + ip => '10.0.0.20', + port => '80', + docroot => '/var/www/third', +} +``` + +10.0.0.10または10.0.0.20のいずれかで応答する名前ベースのバーチャルホストを追加するには、Apacheのデフォルトの`Listen 80`を無効にする**必要があります**。これは、前述のIPベースのバーチャルホストとコンフリクトするためです。無効にするには、[`add_listen`][]パラメータを`false`に設定します。 + +``` puppet +apache::vhost { 'fourth.example.com': + port => '80', + docroot => '/var/www/fourth', + add_listen => false, +} + +apache::vhost { 'fifth.example.com': + port => '80', + docroot => '/var/www/fifth', + add_listen => false, +} +``` + +### Apacheモジュールのインストール  + +Puppet apacheモジュールを使って[Apacheモジュール][]をインストールするには、2つの方法があります。 + +- [`apache::mod::`][] クラスを使って、[パラメータを伴う固有のApacheモジュールをインストール][固有モジュールのインストール]する方法 +- [`apache::mod`][]定義タイプを使って、[任意のApacheモジュールをインストール][任意モジュールのインストール]する方法 + +#### 固有モジュールのインストール + +Puppet apacheモジュールは、多くの一般的な[Apacheモジュール][]のインストールをサポートしており、多くの場合、パラメータ化された設定オプションがあります。サポートされるApacheモジュールのリストについては、[`apache::mod::`][]クラスリファレンスを参照してください。 + +例えば、[`apache::mod::ssl`][]クラスを宣言すれば、デフォルト設定で`mod_ssl` Apacheモジュールをインストールすることができます。 + +``` puppet +class { 'apache::mod::ssl': } +``` + +[`apache::mod::ssl`][]には複数のパラメータ化されたオプションがあり、宣言する際に設定することができます。たとえば、圧縮を有効にして`mod_ssl`を有効化するには、[`ssl_compression`][]パラメータをtrueに設定します。 + +``` puppet +class { 'apache::mod::ssl': + ssl_compression => true, +} +``` + +一部のモジュールには必須条件があります。[`apache::mod::`][]のリファレンスを参照してください。 + +#### 任意モジュールのインストール + +オペレーティングシステムのパッケージマネージャでインストール可能な任意のモジュールの名前を[`apache::mod`][]定義タイプに渡し、それをインストールすることができます。固有モジュールクラスとは異なり、 [`apache::mod`][]定義タイプでは、インストールされている他のモジュールや固有のパラメータに基づいてインストールが調整されることはありません。Puppetはモジュールのパッケージを取得し、インストールするだけです。詳細な設定はユーザが必要に応じて行います。 + +例えば、[`mod_authnz_external`][] Apacheモジュールをインストールするには、'mod_authnz_external'の名前を使って定義タイプを宣言します。 + +``` puppet +apache::mod { 'mod_authnz_external': } +``` + +この方法でApacheモジュールを定義する際には、いくつかのオプションパラメータを指定できます。詳細については、[定義タイプのリファレンス][`apache::mod`]を参照してください。 + + +### PHPファイルを処理するFastCGIサーバの設定 + +[`apache::fastcgi::server`][]定義タイプを追加すれば、 [FastCGI][]サーバで特定のファイルに関するリクエストを処理することができます。以下の例では、PHPリクエストを処理するFastCGIサーバをポート9000の127.0.0.1 (ローカルホスト)で定義しています。 + +``` puppet +apache::fastcgi::server { 'php': + host => '127.0.0.1:9000', + timeout => 15, + flush => false, + faux_path => '/var/www/php.fcgi', + fcgi_alias => '/php.fcgi', + file_type => 'application/x-httpd-php' +} +``` + +[`custom_fragment`][]パラメータを使えば、指定したファイルタイプがFastCGIサーバで処理されるように、バーチャルホストを設定することができます。 + +``` puppet +apache::vhost { 'www': + ... + custom_fragment => 'AddType application/x-httpd-php .php' + ... +} +``` + + +### ロードバランシングの例 + +Apacheは、[`mod_proxy`][] Apacheモジュールを通じて、複数のグループのサーバにわたるロードバランシングをサポートしています。Puppetでは、[`apache::balancer`][]および[`apache::balancermember`][]定義タイプにより、Apacheロードバランシンググループ(バランサクラスタとも呼ばれます)をサポートしています。 + +[エクスポートリソース][]でロードバランシングを有効にするには、[`apache::balancermember`][]定義タイプをロードバランサメンバーサーバからエクスポートします。 + +``` puppet +@@apache::balancermember { "${::fqdn}-puppet00": + balancer_cluster => 'puppet00', + url => "ajp://${::fqdn}:8009", + options => ['ping=5', 'disablereuse=on', 'retry=5', 'ttl=120'], +} +``` + +次に、プロキシサーバでロードバランシンググループを作成します。 + +``` puppet +apache::balancer { 'puppet00': } +``` + +リソースをエクスポートせずにロードバランシングを有効にするには、プロキシサーバで以下を宣言します。 + +``` puppet +apache::balancer { 'puppet00': } + +apache::balancermember { "${::fqdn}-puppet00": + balancer_cluster => 'puppet00', + url => "ajp://${::fqdn}:8009", + options => ['ping=5', 'disablereuse=on', 'retry=5', 'ttl=120'], +} +``` + +次に、プロキシサーバで`apache::balancer`および`apache::balancermember`定義タイプを宣言します。 + +バランサで[ProxySet](https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxyset)ディレクティブを使うには、`apache::balancer`の[`proxy_set`](#proxy_set)パラメータを使用します。 + +``` puppet +apache::balancer { 'puppet01': + proxy_set => { + 'stickysession' => 'JSESSIONID', + 'lbmethod' => 'bytraffic', + }, +} +``` + +ロードバランシングのスケジューラのアルゴリズム(`lbmethod`)は、[mod_proxy_balancerドキュメント](https://httpd.apache.org/docs/current/mod/mod_proxy_balancer.html)に記載されています。 + + +## リファレンス + +- [**パブリッククラス**](#public-classes) + - [クラス: apache](#class-apache) + - [クラス: apache::dev](#class-apachedev) + - [クラス: apache::vhosts](#class-apachevhosts) + - [クラス: apache::mod::\*](#classes-apachemodname) +- [**プライベートクラス**](#private-classes) + - [クラス: apache::confd::no_accf](#class-apacheconfdno_accf) + - [クラス: apache::default_confd_files](#class-apachedefault_confd_files) + - [クラス: apache::default_mods](#class-apachedefault_mods) + - [クラス: apache::package](#class-apachepackage) + - [クラス: apache::params](#class-apacheparams) + - [クラス: apache::service](#class-apacheservice) + - [クラス: apache::version](#class-apacheversion) +- [**パブリック定義タイプ**](#public-defined-types) + - [定義タイプ: apache::balancer](#defined-type-apachebalancer) + - [定義タイプ: apache::balancermember](#defined-type-apachebalancermember) + - [定義タイプ: apache::custom_config](#defined-type-apachecustom_config) + - [定義タイプ: apache::fastcgi::server](#defined-type-fastcgi-server) + - [定義タイプ: apache::listen](#defined-type-apachelisten) + - [定義タイプ: apache::mod](#defined-type-apachemod) + - [定義タイプ: apache::namevirtualhost](#defined-type-apachenamevirtualhost) + - [定義タイプ: apache::vhost](#defined-type-apachevhost) + - [定義タイプ: apache::vhost::custom](#defined-type-apachevhostcustom) +- [**プライベート定義タイプ**](#private-defined-types) + - [定義タイプ: apache::default_mods::load](#defined-type-default_mods-load) + - [定義タイプ: apache::peruser::multiplexer](#defined-type-apacheperusermultiplexer) + - [定義タイプ: apache::peruser::processor](#defined-type-apacheperuserprocessor) + - [定義タイプ: apache::security::file_link](#defined-type-apachesecurityfile_link) +- [**テンプレート**](#templates) +- [**タスク**](#tasks) + +### パブリッククラス + +#### クラス: `apache` + +システムでのApacheの基本的な設定とインストールをガイドします。 + +デフォルトオプションを用いてこのクラスを宣言すると、Puppetでは以下が実行されます。 + +- オペレーティングシステムに適したApacheソフトウェアパッケージおよび[必要なApacheモジュール](#default_mods)をインストールします。 +- [デフォルトロケーション](#conf_dir)を用いて、ディレクトリ内に必要な設定ファイルを配置します。デフォルトロケーションは、オペレーティングシステムによって異なります。 +- デフォルトのバーチャルホストおよび標準的なポート('80')とアドレス('\*')のバインディングを用いてサーバを設定します。 +- ドキュメントルートディレクトリを作成します。オペレーティングシステムによって異なりますが、通常は`/var/www`です。 +- Apacheサービスを開始します。 + +ここでは、デフォルトの`apache`クラスを宣言するだけです。 + +``` puppet +class { 'apache': } +``` + +##### `allow_encoded_slashes` + +[`AllowEncodedSlashes`][]宣言のサーバデフォルトを設定します。これにより、'\'および'/'を含むURLに対する応答が変更されます。このパラメータを指定しない場合、サーバの設定でこの宣言が省かれ、Apacheのデフォルト設定'off'が使用されます。 + +値: 'on'、'off'、'nodecode'。 + +デフォルト値: `undef`。 + +##### `apache_version` + +使用するApacheのバージョンを定義し、モジュールテンプレートの挙動、パッケージ名、デフォルトのApacheモジュールを設定します。このパラメータを理由なく手動で設定することは、推奨していません。 + +デフォルト値: [`apache::version`][]クラスにより検出されたオペレーティングシステムとリリースバージョンによって異なります。 + +##### `conf_dir` + +Apacheサーバのメイン設定ファイルを置くディレクトリを設定します。 + +デフォルト値: オペレーティングシステムによって異なります。 + +- **Debian**: `/etc/apache2` +- **FreeBSD**: `/usr/local/etc/apache22` +- **Gentoo**: `/etc/apache2` +- **Red Hat**: `/etc/httpd/conf` + +##### `conf_template` + +メインのApache設定ファイルで使用される[テンプレート][]を定義します。apacheモジュールは、`conf.d`エントリによりカスタマイズされた最小限の設定ファイルを使用するように設計されているため、このパラメータの変更には潜在的なリスクが伴います。 + +デフォルト値: `apache/httpd.conf.epp`。 + +##### `confd_dir` + +Apacheサーバのカスタム設定ディレクトリの場所を設定します。 + +デフォルト値: オペレーティングシステムによって異なります。 + +- **Debian**: `/etc/apache2/conf.d` +- **FreeBSD**: `/usr/local/etc/apache22` +- **Gentoo**: `/etc/apache2/conf.d` +- **Red Hat**: `/etc/httpd/conf.d` + +##### `default_charset` + +メイン設定ファイルで[`AddDefaultCharset`][]ディレクティブとして使用されます。 + +デフォルト値: `undef`。 + +##### `default_confd_files` + +[`confd_dir`][]パラメータにより定義されるディレクトリに、インクルード可能なApache設定ファイルのデフォルトセットを生成するかどうかを決定します。この設定ファイルは、サーバのオペレーティングシステムにApacheパッケージとともに通常インストールされるものに相当します。 + +ブーリアン。 + +デフォルト値: `true`。 + +##### `default_mods` + +オペレーティングシステムに応じたデフォルトの[Apacheモジュール][]のセットを設定して有効にするかどうかを決定します。 + +`false`の場合、Puppetはオペレーティングシステム上でHTTPデーモンを機能させるのに必要なApacheモジュールのみを含めます。[`apache::mod::`][]クラスまたは[`apache::mod`][]定義タイプを使えば、他のモジュールを個別に宣言することができます。 + +`true`の場合、Puppetはオペレーティングシステムと [`apache_version`][]および[`mpm_module`][]パラメータの値に応じて、その他のモジュールもインストールします。このモジュールリストは頻繁に変更されるので、最新のリストについては[Puppetモジュールのコード][]を参照してください。 + +このパラメータに配列が含まれる場合、Puppetは渡されたすべてのApacheモジュールを有効にします。 + +値: ブーリアンまたはApacheモジュール名の配列。 + +デフォルト値: `true`。 + +##### `default_ssl_ca` + +Apacheサーバのデフォルトの証明書認証局を設定します。 + +デフォルト値を使えばApacheサーバは機能しますが、本稼働環境にこのサーバをデプロイする前に、各自の認証局情報を用いてこのパラメータを更新する**必要があります**。 + +ブーリアン。 + +デフォルト値: `undef`。 + +##### `default_ssl_cert` + +[SSL暗号化][]証明書の保存場所を設定します。 + +デフォルト値を使えばApacheサーバは機能しますが、本稼働環境にこのサーバをデプロイする前に、各自の証明書ロケーション情報を用いてこのパラメータを更新する**必要があります**。 + +デフォルト値: オペレーティングシステムによって異なります。 + +- **Debian**: `/etc/ssl/certs/ssl-cert-snakeoil.pem` +- **FreeBSD**: `/usr/local/etc/apache22/server.crt` +- **Gentoo**: `/etc/ssl/apache2/server.crt` +- **Red Hat**: `/etc/pki/tls/certs/localhost.crt` + +##### `default_ssl_chain` + +デフォルトの[SSLチェーン][]の保存場所を設定します。 + +デフォルト値を使えばApacheサーバは機能しますが、本稼働環境にこのサーバをデプロイする前に、各自のSSLチェーンを用いてこのパラメータを更新する**必要があります**。 + +デフォルト値: `undef`。 + +##### `default_ssl_crl` + +使用するデフォルトの[証明書失効リスト][] (CRL)ファイルのパスを設定します。 + +デフォルト値を使えばApacheサーバは機能しますが、本稼働環境にこのサーバをデプロイする前に、CRLファイルパスを用いてこのパラメータを更新する**必要があります**。このパラメータは、[`default_ssl_crl_path`][]とともに使用することも、その代わりに使用することもできます。 + +デフォルト値: `undef`。 + +##### `default_ssl_crl_path` + +サーバの[証明書失効リストパス][]を設定します。これにはCRLが含まれます。 + +デフォルト値を使えばApacheサーバは機能しますが、本稼働環境でこのサーバをデプロイする前に、CRLファイルパスを用いてこのパラメータを更新する**必要があります**。 + +デフォルト値: `undef`。 + +##### `default_ssl_crl_check` + +[`SSLCARevocationCheck`][]ディレクティブを通じてデフォルトの証明書失効チェックレベルを設定します。このパラメータはApache 2.4以上にのみ適用され、それ以前のバージョンでは無視されます。 + +デフォルト値を使えばApacheサーバは機能しますが、本稼働環境で証明書失効リストを使用する際には、このパラメータを指定する**必要があります**。 + +デフォルト値: `undef`。 + +##### `default_ssl_key` + +[SSL証明書キーファイル][]の保存場所を設定します。 + +デフォルト値を使えばApacheサーバは機能しますが、本稼働環境にこのサーバをデプロイする前に、各自のSSLキーのロケーションを用いてこのパラメータを更新する**必要があります**。 + +デフォルト値: オペレーティングシステムによって異なります。 + +- **Debian**: `/etc/ssl/private/ssl-cert-snakeoil.key` +- **FreeBSD**: `/usr/local/etc/apache22/server.key` +- **Gentoo**: `/etc/ssl/apache2/server.key` +- **Red Hat**: `/etc/pki/tls/private/localhost.key` + + +##### `default_ssl_vhost` + +デフォルトの[SSL][SSL暗号化]バーチャルホストを設定します。 + +`true`の場合、Puppetは [`apache::vhost`][]定義タイプを用いて、以下のバーチャルホストを自動的に設定します。 + +```puppet +apache::vhost { 'default-ssl': + port => 443, + ssl => true, + docroot => $docroot, + scriptalias => $scriptalias, + serveradmin => $serveradmin, + access_log_file => "ssl_${access_log_file}", + } +``` + +> **注意**: SSLバーチャルホストはHTTPSクエリにのみ応答します。 + + +ブーリアン。 + +デフォルト値: `false`。 + +##### `default_type` + +_Apache 2.2のみ_。サーバが他の方法で適切な`content-type`を決定できない場合に送信される[MIME `content-type`][]を設定します。このディレクティブはApache 2.4以降では廃止予定になっており、設定ファイルの下位互換性確保の目的でのみ使われます。 + +デフォルト値: `undef`。 + +##### `default_vhost` + +クラスが宣言された際にデフォルトのバーチャルホストを設定します。 + +[カスタマイズしたバーチャルホスト][バーチャルホストの設定]を設定するには、このパラメータの値を`false`に設定します。 + +> **注意**: 少なくとも1つのバーチャルホストがなければ、Apacheは起動しません。このパラメータを`false`に設定する場合は、別の場所でバーチャルホストを設定する必要があります。 + +ブーリアン。 + +デフォルト値: `true`。 + +##### `dev_packages` + +使用する固有devパッケージを設定します。 + +値: 文字列または文字列の配列。 + +IUS yumリポジトリからhttpd 2.4を使用する例: + +``` puppet +include ::apache::dev +class { 'apache': + apache_name => 'httpd24u', + dev_packages => 'httpd24u-devel', +} +``` + +デフォルト値: オペレーティングシステムによって異なります。 + +- **Red Hat:** 'httpd-devel' +- **Debian 8/Ubuntu 13.10以降:** ['libaprutil1-dev', 'libapr1-dev', 'apache2-dev'] +- **それ以前のDebian/Ubuntuバージョン:** ['libaprutil1-dev', 'libapr1-dev', 'apache2-prefork-dev'] +- **FreeBSD, Gentoo:** `undef` +- **Suse:** ['libapr-util1-devel', 'libapr1-devel'] + +##### `docroot` + +デフォルトの[`DocumentRoot`][]の場所を設定します。 + +デフォルト値: オペレーティングシステムによって異なります。 + +- **Debian**: `/var/www/html` +- **FreeBSD**: `/usr/local/www/apache22/data` +- **Gentoo**: `/var/www/localhost/htdocs` +- **Red Hat**: `/var/www/html` + +##### `error_documents` + +Apacheサーバの[カスタムエラードキュメント][]を有効にするかどうかを決定します。 + +ブーリアン。 + +デフォルト値: `false`。 + +##### `group` + +リクエストに応答するために生成されるApacheプロセスを所有するグループIDを設定します。 + +デフォルトでは、Puppetはこのグループを`apache`クラスの下のリソースとして管理するよう試み、[`apache::params`][]クラスにより検出されたオペレーティングシステムに基づいてグループを決定します。このグループリソースを作成せずに、別のPuppetモジュールで作成されたグループを使用するには、[`manage_group`][]パラメータの値を`false`に設定します。 + +> **注意**: このパラメータを修正すると、Apacheが子プロセスを生成してリソースにアクセスする際に使用するグループIDのみが変更されます。親サーバプロセスを所有するユーザは変更されません。 + +##### `httpd_dir` + +Apacheサーバの基本設定ディレクトリを設定します。これは、特別に再パッケージされたApacheサーバビルドにおいて、デフォルトのディストリビューションパッケージと組み合わせると意図せぬ結果が生じる可能性がある場合に役立ちます。 + +デフォルト値: オペレーティングシステムによって異なります。 + +- **Debian**: `/etc/apache2` +- **FreeBSD**: `/usr/local/etc/apache22` +- **Gentoo**: `/etc/apache2` +- **Red Hat**: `/etc/httpd` + +##### `http_protocol_options` + +HTTPプロトコルチェックの厳密さを指定します。 + +有効なオプション: 以下の値の選択肢のシーケンス: `Strict`または`Unsafe`、`RegisteredMethods`または`LenientMethods`、`Allow0.9`または`Require1.0`。 + +デフォルト '`Strict LenientMethods Allow0.9`'。 + +##### `keepalive` + +[`KeepAlive`][]ディレクティブによってHTTPの持続的接続を有効にするかどうかを決定します。 'On'に設定する場合は、[`keepalive_timeout`][]および[`max_keepalive_requests`][]パラメータを使って関連オプションを設定してください。 + +値: 'Off'、'On'。 + +デフォルト値: 'On'。 + +##### `keepalive_timeout` + +[`KeepAliveTimeout`]ディレクティブによって、HTTPの持続的接続でApacheサーバが後続のリクエストを行うまでの待機時間を設定します。このパラメータが意味を持つのは、[`keepalive` parameter][]を有効にしている場合のみです。 + +デフォルト値: '15'。 + +##### `max_keepalive_requests` + +[`keepalive` parameter][]が有効の場合に、1回の接続で許可されるリクエストの数を制限します。 + +デフォルト値: '100'。 + +##### `lib_path` + +[Apacheモジュール][Apacheモジュール]ファイルの保存場所を指定します。 + +デフォルト値: オペレーティングシステムによって異なります。 + +- **Debian**および**Gentoo**: `/usr/lib/apache2/modules` +- **FreeBSD**: `/usr/local/libexec/apache24` +- **Red Hat**: `modules` + +> **注意**: このパラメータは、特別な理由がない限り手動で設定しないでください。 + +##### `log_level` + +エラーログの詳細レベルを変更します。値: 'alert'、'crit'、'debug'、'emerg'、'error'、'info'、'notice'、'warn'。 + +デフォルト値: 'warn'。 + +##### `log_formats` + +追加の[`LogFormat`][]ディレクティブを定義します。値: [ハッシュ][]、例: + +``` puppet +$log_formats = { vhost_common => '%v %h %l %u %t \"%r\" %>s %b' } +``` + +Puppetの作成する`httpd.conf`には、以下のような複数の`LogFormats`が事前定義されています。 + +``` httpd +LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined +LogFormat "%h %l %u %t \"%r\" %>s %b" common +LogFormat "%{Referer}i -> %U" referer +LogFormat "%{User-agent}i" agent +LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-agent}i\"" forwarded +``` + +定義した`log_formats`パラメータに上記のいずれかが含まれる場合は、**ユーザの**定義により上書きされます。 + +##### `logroot` + +バーチャルホストのApacheログファイルのディレクトリを変更します。 + +デフォルト値: オペレーティングシステムによって異なります。 + +- **Debian**: `/var/log/apache2` +- **FreeBSD**: `/var/log/apache22` +- **Gentoo**: `/var/log/apache2` +- **Red Hat**: `/var/log/httpd` + +##### `logroot_mode` + +デフォルトの[`logroot`][]ディレクトリをオーバーライドします。 + +> **注意**: 影響を把握できない場合は、ログが保存されているディレクトリへの書き込みアクセス権限を付与_しないで_ください。詳細については、[Apacheドキュメント][ログセキュリティ]を参照してください。 + +デフォルト値: `undef`。 + +##### `manage_group` + +`false`の場合、Puppetではグループリソースは作成されません。 + +別のPuppetモジュールで作成されたグループをApacheの実行に使用する場合は、この値を`false`に設定してください。このパラメータを設定せずに過去に作成されたグループを使用しようとすると、重複リソースエラーが生じます。 + +ブーリアン。 + +デフォルト値: `true`。 + +##### `supplementary_groups` + +ユーザの所属するグループのリスト。主要グループに加えて設定する場合に使用します。 + +デフォルト値: 追加グループなし。 + +注意: このオプションは、`manage_user`がtrueに設定されている場合のみ有効です。 + +##### `manage_user` + +`false`の場合、Puppetではユーザリソースが作成されません。 + +このパラメータは、別のPuppetモジュールで作成されたユーザをApache実行に使用する場合などに使用します。このパラメータを設定せずに過去に作成されたユーザを使用しようとすると、重複リソースエラーが生じます。 + +ブーリアン。 + +デフォルト値: `true`。 + +##### `mod_dir` + +Puppetが[Apacheモジュール][]の設定ファイルを置く場所を設定します。 + +デフォルト値: オペレーティングシステムによって異なります。 + +- **Debian**: `/etc/apache2/mods-available` +- **FreeBSD**: `/usr/local/etc/apache22/Modules` +- **Gentoo**: `/etc/apache2/modules.d` +- **Red Hat**: `/etc/httpd/conf.d` + +##### `mod_libs` + +デフォルトのモジュールライブラリ名をユーザがオーバーライドすることを許可します。 + +```puppet +include apache::params +class { 'apache': + mod_libs => merge($::apache::params::mod_libs, { + 'wsgi' => 'mod_wsgi_python3.so', + }) +} +``` + +ハッシュ。デフォルト値: `$apache::params::mod_libs` + +##### `mod_packages` + +デフォルトのモジュールパッケージ名をユーザがオーバーライドすることを許可します。 + +```puppet +include apache::params +class { 'apache': + mod_packages => merge($::apache::params::mod_packages, { + 'auth_kerb' => 'httpd24-mod_auth_kerb', + }) +} +``` + +ハッシュ。デフォルト値: `$apache::params::mod_packages`。 + +##### `mpm_module` + +HTTPDプロセスに関してロードおよび設定する[マルチプロセッシングモジュール][] (MPM)を決定します。値: 'event'、'itk'、'peruser'、'prefork'、'worker'、`false`。 + +カスタムパラメータを用いて以下のクラスを明示的に宣言するためには、このパラメータを`false`に設定する必要があります。 + +- [`apache::mod::event`][] +- [`apache::mod::itk`][] +- [`apache::mod::peruser`][] +- [`apache::mod::prefork`][] +- [`apache::mod::worker`][] + +デフォルト値: オペレーティングシステムによって異なります。 + +- **Debian**: 'worker' +- **FreeBSD、Gentoo、Red Hat**: 'prefork' + +##### `package_ensure` + +`package`リソースの[`ensure`][]属性を制御します。値: 'absent'、'installed' (またはそれに相当する'present')、またはバージョン文字列。 + +デフォルト値: 'installed'。 + +##### `pidfile` + +pidファイルのカスタムロケーションの設定を許可します。カスタムビルトのApache rpmを使用する場合に役立ちます。 + +デフォルト値: オペレーティングシステムによって異なります。 + +- **Debian:** '\${APACHE_PID_FILE}' +- **FreeBSD:** '/var/run/httpd.pid' +- **Red Hat:** 'run/httpd.pid' + +##### `ports_file` + +Apacheポート設定を含むファイルのパスを設定します。 + +デフォルト値: '{$conf_dir}/ports.conf'。 + +##### `purge_configs` + +他のすべてのApache設定およびバーチャルホストを削除します。 + +このパラメータを`false`に設定すると、一時的な対策として、既存の設定や管理されていない設定をApacheモジュールと共存させることができます。この場合、設定をこのモジュール内のリソースに移すことを推奨します。バーチャルホストの設定については、[`purge_vhost_dir`][]を参照してください。 + +ブーリアン。 + +デフォルト値: `true`。 + +##### `purge_vhost_dir` + +[`vhost_dir`][]パラメータの値が[`confd_dir`][]パラメータの値と異なる場合は、このパラメータにより、Puppetにより管理されて_いない_`vhost_dir`内の設定を削除するかどうかが決定されます。 + +`purge_vhost_dir`を`false`に設定すると、一時的な対策として、`vhost_dir`内の既存の設定や管理されていない設定をapacheモジュールと共存させることができます。 + +ブーリアン。 + +デフォルト値: [`purge_configs`][]と同じ。 + +##### `rewrite_lock` + +リライトロックのカスタムロケーションの設定を可能にします。これは、バーチャルホストの[`rewrites`][]パラメータでタイプprgのRewriteMapを使用している場合のベストプラクティスとされています。このパラメータは、Apacheバージョン2.2以前のみに適用され、それよりも新しいバージョンでは無視されます。 + +デフォルト値: `undef`。 + +##### `sendfile` + +[`EnableSendfile`][]ディレクティブで静的ファイルをサーブする際に、ApacheがLinuxカーネルの`sendfile`サポートを使用するようにします。値: 'On'、'Off'。 + +デフォルト値: 'On'。 + +##### `serveradmin` + +Apacheの[`ServerAdmin`][]ディレクティブでApacheサーバ管理者の連絡先情報を設定します。 + +デフォルト値: 'root@localhost'。 + +##### `servername` + +Apacheの[`ServerName`][]ディレクティブでApacheサーバ名を設定します。 + +`false`に設定すると、ServerNameは設定されません。 + +デフォルト値: [Facter][]により報告された'fqdn' fact。 + +##### `server_root` + +Apacheの[`ServerRoot`][]ディレクティブでApacheサーバのルートを設定します。 + +デフォルト値: オペレーティングシステムによって異なります。 + +- **Debian**: `/etc/apache2` +- **FreeBSD**: `/usr/local` +- **Gentoo**: `/var/www` +- **Red Hat**: `/etc/httpd` + +##### `server_signature` + +Apacheの[`ServerSignature`][]ディレクティブで、エラードキュメントや一部の[Apacheモジュール][]のアウトプットなどの、サーバ生成ドキュメントの下部に表示される末尾のフッタの行を設定します。値: 'Off'、'On'。 + +デフォルト値: 'On'。 + +##### `server_tokens` + +Apacheの[`ServerTokens`][]ディレクティブで、Apacheからブラウザに送信される、Apacheやオペレーティングシステムに関する情報の量を制御します。 + +デフォルト値: 'Prod'. + +##### `service_enable` + +システムの起動時にPuppetがApache HTTPDサービスを有効にするかどうかを決定します。 + +ブーリアン。 + +デフォルト値: `true`。 + +##### `service_ensure` + +サービスが稼働していることをPuppetが確認するかどうかを決定します。値: `true` (または'running')、`false` (または'stopped')。 + +値を`false`または'stopped'にすると、'httpd'サービスリソースの`ensure`パラメータが`false`に設定されます。この設定は、Pacemakerなどの別のアプリケーションでサービスを管理する場合に役立ちます。 + +デフォルト値: 'running'。 + +##### `service_name` + +Apacheサービスの名前を設定します。 + +デフォルト値: オペレーティングシステムによって異なります。 + +- **DebianおよびGentoo**: 'apache2' +- **FreeBSD**: 'apache22' +- **Red Hat**: 'httpd' + +##### `service_manage` + +PuppetでHTTPDサービスの状態を管理するかどうかを決定します。 + +ブーリアン。 + +デフォルト値: `true`。 + +##### `service_restart` + +HTTPDサービスの再起動にあたり、Puppetが特定のコマンドを使用するかどうかを決定します。 + +値: Apacheサービスを再起動するためのコマンド。デフォルト設定では、 [デフォルトのPuppet挙動][サービス属性リスタート]が使われます。 + +デフォルト値: `undef`。 + +##### `ssl_cert` + +特定の SSLCertificateFile を指定できるようになります。 + +詳細については、[SSLCertificateFile](https://httpd.apache.org/docs/current/mod/mod_ssl.html#SSLCertificateFile)を参照してください。 + +デフォルト値: `undef`。 + +##### `ssl_key` +特定の SSLCertificateKey を指定できるようになります。 + +詳細については、[SSLCertificateKey](https://httpd.apache.org/docs/current/mod/mod_ssl.html#SSLCertificateKeyFile)を参照してください。 + +デフォルト値: `undef`。 + + +##### `ssl_ca` + +SSL証明書認証局を指定します。[SSLCACertificateFile](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcacertificatefile)を使用してSSLクライアント認証で使用する証明書を確認します。 + +これはバーチャルホストレベルでオーバーライドすることが可能です。 + +デフォルト値: `undef`。 + + +##### `timeout` + +Apacheの[`TimeOut`][]ディレクティブを設定します。このディレクティブは、一部のイベントに関してリクエスト履行を止めるまでの Apacheの待機秒数を定義します。 + +デフォルト値: 120。 + +##### `trace_enable` + +[`TraceEnable`][]ディレクティブで、Apacheが`TRACE`リクエスト([RFC 2616][]ごと)をどのように処理するかを制御します。 + +値: 'Off'、'On'。 + +デフォルト値: 'On'。 + +##### `use_canonical_name` + +Apacheの [`UseCanonicalName`][]ディレクティブを制御します。このディレクティブは、Apacheが自己参照URLをどのように処理するかを制御します。指定しない場合、このパラメータの宣言がサーバの設定から除外され、Apacheのデフォルト設定'off'が使用されます。 + +値: 'On', 'on', 'Off', 'off', 'DNS', 'dns'。 + +デフォルト値: `undef`。 + +##### `use_systemd` + +systemdモジュールをCentos 7サーバにインストールするかどうかを制御します。これは、カスタムビルトのRPMを使用している場合は特に役立ちます。 + +ブーリアン。 + +デフォルト値: `true`。 + +##### `file_mode` + +設定ファイルの許可モードを設定します。 + +値: 文字列、記号表記法または数字表記法での許可モード。 + +デフォルト値: '0644'。 + +##### `root_directory_options` + +httpd.confの/ディレクトリで指定するオプションの配列。 + +デフォルト値: 'FollowSymLinks'。 + +##### `root_directory_secured` + +httpd.confの/ディレクトリについて、デフォルトのアクセスポリシーを設定します。`false`にすると、特定のアクセスポリシーがないすべてのリソースへのアクセスが許可されます。 `true`にするとデフォルトですべてのリソースへのアクセスが拒否されます。`true`の場合、リソースへのアクセスを許可するには、具体的なルールを使用する必要があります([`directories`](#parameter-directories-for-apachevhost)パラメータを用いたディレクトリブロックなどで)。 + +ブーリアン。 + +デフォルト値: `false`。 + +##### `vhost_dir` + +バーチャルホストの設定ファイルの保存場所を変更します。 + +デフォルト値: オペレーティングシステムによって異なります。 + +- **Debian**: `/etc/apache2/sites-available` +- **FreeBSD**: `/usr/local/etc/apache22/Vhosts` +- **Gentoo**: `/etc/apache2/vhosts.d` +- **Red Hat**: `/etc/httpd/conf.d` + +##### `vhost_include_pattern` + +`vhost_dir`に含まれるファイルのパターンを定義します。 + +`[^.#]\*.conf[^~]`などの値に設定すると、このディレクトリで偶発的に作成されたファイル(バージョン管理システムやエディタのバックアップにより作成されたファイルなど)がサーバ設定に*含まれなく*なります。 + +デフォルト値: '*'。 + +一部のオペレーティングシステムでは、`*.conf`の値が使用されます。デフォルトでは、このモジュールは`.conf`で終わる設定ファイルを作成します。 + +##### `user` + +Apacheがリクエストの応答に使用するユーザを変更します。Apacheの親プロセスは引き続きルートとして稼働しますが、子プロセスはこのパラメータで定義されたユーザとしてリソースにアクセスします。Puppetがこのユーザを管理しないようにするには、[`manage_user`][]パラメータを`false`に設定します。 + +デフォルト値: [`apache::params`][]クラスにより設定されたユーザに依存します。これはオペレーティングシステムによって異なります。 + +- **Debian**: 'www-data' +- **FreeBSD**: 'www' +- **Gentoo**および**Red Hat**: 'apache' + +Puppetがこのユーザを管理しないようにするには、[`manage_user`][]パラメータをfalseに設定します。 + +##### `apache_name` + +インストールするApacheパッケージの名前。標準的ではないApacheパッケージを使用している場合は、デフォルト設定をオーバーライドする必要があるかもしれません。 + +CentOS/RHELソフトウェアコレクション(SCL)では、`apache::version::scl_httpd_version`も使用できます。 + +デフォルト値: [`apache::params`][]クラスにより設定されたユーザに依存します。これはオペレーティングシステムによって異なります。 + +- **Debian**: 'apache2' +- **FreeBSD**: 'apache24' +- **Gentoo**: 'www-servers/apache' +- **Red Hat**: 'httpd' + +##### `error_log` + +メインサーバインスタンスのエラーログファイルの名前。`/`、`|`、または`syslog`で始まる文字列の場合、フルパスが設定されます。それ以外の場合は、ファイル名の先頭に`$logroot`がつきます。 + +デフォルト値: オペレーティングシステムによって異なります。 + +- **Debian**: 'error.log' +- **FreeBSD**: 'httpd-error.log' +- **Gentoo**: 'error.log' +- **Red Hat**: 'error_log' +- **Suse**: 'error.log' + +##### `scriptalias` + +グローバルスクリプトエイリアスに使用するディレクトリ。 + +デフォルト値: オペレーティングシステムによって異なります。 + +- **Debian**: '/usr/lib/cgi-bin' +- **FreeBSD**: '/usr/local/www/apache24/cgi-bin' +- **Gentoo**: 'var/www/localhost/cgi-bin' +- **Red Hat**: '/var/www/cgi-bin' +- **Suse**: '/usr/lib/cgi-bin' + +##### `access_log_file` + +メインサーバインスタンスのアクセスログファイルの名前。 + +デフォルト値: オペレーティングシステムによって異なります。 + +- **Debian**: 'error.log' +- **FreeBSD**: 'httpd-access.log' +- **Gentoo**: 'access.log' +- **Red Hat**: 'access_log' +- **Suse**: 'access.log' + +##### `limitreqfields` + +[`limitreqfields`][]パラメータは、HTTPリクエスト内のリクエストヘッダフィールドの最大数を設定します。このディレクティブを使用すると、サーバ管理者は異常なクライアントリクエスト動作の制御を強化できるので、ある種のDoS攻撃の防止に役立てることができます。送信リクエスト内のフィールドが多過ぎることを示すエラー応答が、通常のクライアントに対して表示される場合、この値を増やす必要があります。 + +デフォルト値: '100'。 + +#### クラス: `apache::dev` + +Apache開発ライブラリをインストールします。 + +デフォルト値: オペレーティングシステムによって異なります。使用するオペレーティングシステムに基づく、[`apache::params`][]クラスの[`dev_packages`][]パラメータ。 + +- **Debian**: Ubuntu 13.10およびDebian 8では'libaprutil1-dev'、'libapr1-dev'、'apache2-dev'。その他のバージョンでは'apache2-prefork-dev'。 +- **FreeBSD**: `undef`; FreeBSDでは、`apache::dev`を宣言する前に`apache::package`または`apache`クラスを宣言する必要があります。 +- **Gentoo**: `undef` +- **Red Hat**: 'httpd-devel' + +#### クラス: `apache::vhosts` + +[`apache::vhost`][]定義タイプを作成します。 + +**パラメータ**:  + +* `vhosts`: [`apache::vhost`][]定義タイプのパラメータを指定します。 + + 値: [ハッシュ][]、キーは名前を表し、値は[`apache::vhost`][]定義タイプのパラメータの[ハッシュ][]を表します。 + + デフォルト値: '{}'。 + + > **注意**: すべてのバーチャルホストのパラメータのリストや[バーチャルホストの設定]については、[`apache::vhost`][]定義タイプのリファレンスを参照してください。 + + 例えば、[名前ベースのバーチャルホスト][名前ベースのバーチャルホスト]のcustom_vhost_1を作成するには、`vhosts`パラメータを'{ "custom_vhost_1" => { "docroot" => "/var/www/custom_vhost_1", "port" => "81" }'に設定し、このクラスを宣言します。 + +``` puppet +class { 'apache::vhosts': + vhosts => { + 'custom_vhost_1' => { + 'docroot' => '/var/www/custom_vhost_1', + 'port' => '81', + }, + }, +} +``` + +#### クラス: `apache::mod::` + +指定した[Apacheモジュール][]を有効にします。Apacheモジュールを有効にして設定するには、このクラスを宣言します。 + +例えば、アイコンなしで[`mod_alias`][]をインストールして有効にするには、`icons_options`パラメータをNone'に設定して[`apache::mod::alias`][]クラスを宣言します。 + +``` puppet +class { 'apache::mod::alias': + icons_options => 'None', +} +``` + +以下のApacheモジュールにはサポートするクラスがあり、その多くは、パラメータ化された設定が可能です。[`apache::mod`][]定義タイプを使えば、他のApacheモジュールをインストールできます。 + +* `actions` +* `alias` ([`apache::mod::alias`][]参照) +* `auth_basic` +* `auth_cas`\* ([`apache::mod::auth_cas`][]参照) +* `auth_mellon`\* ([`apache::mod::auth_mellon`][]参照) +* `auth_kerb` +* auth_gssapi +* `authn_core` +* `authn_dbd`\* ([`apache::mod::authn_dbd`][]参照) +* `authn_file` +* `authnz_ldap`\* ([`apache::mod::authnz_ldap`][]参照) +* `authnz_pam` +* `authz_default` +* `authz_user` +* `autoindex` +* `cache` +* `cgi` +* `cgid` +* `cluster` ([`apache::mod::cluster`][]参照) +* `data` +* `dav` +* `dav_fs` +* `dav_svn`\* +* `dbd` +* `deflate\` +* `dev` +* `dir`\* +* `disk_cache` ([`apache::mod::disk_cache`][]参照) +* `dumpio` ([`apache::mod::dumpio`][]参照) +* `env` +* `event` ([`apache::mod::event`][]参照) +* `expires` +* `ext_filter` ([`apache::mod::ext_filter`][]参照) +* `fastcgi` +* `fcgid` +* `filter` +* `geoip` ([`apache::mod::geoip`][]参照) +* `headers` +* `include` +* `info`\* +* `intercept_form_submit` +* `itk` +* `jk` ([`apache::mod::jk`]参照) +* `ldap` ([`apache::mod::ldap`][]参照) +* `lookup_identity` +* `macro` ([`apache:mod:macro`][]参照) +* `mime` +* `mime_magic`\* +* `negotiation` +* `nss`\* ([`apache::mod::nss`][]参照) +* `pagespeed` ([`apache::mod::pagespeed`][]参照) +* `passenger`\* ([`apache::mod::passenger`][]参照) +* `perl` +* `peruser` +* `php` ([`mpm_module`][]を`prefork`に設定する必要があります) +* `prefork`\* +* `proxy`\* ([`apache::mod::proxy`][]参照) +* `proxy_ajp` +* `proxy_balancer`\* ([`apache::mod::proxy_balancer`][]参照) +* `proxy_balancer` +* `proxy_html` ([`apache::mod::proxy_html`][]参照) +* `proxy_http` +* `python` ([`apache::mod::python`][]参照) +* `reqtimeout` +* `remoteip`\* +* `rewrite` +* `rpaf`\* +* `setenvif` +* `security` +* `shib`\* ([`apache::mod::shib`]参照) +* `speling` +* `ssl`\* ([`apache::mod::ssl`][]参照) +* `status`\* ([`apache::mod::status`][]参照) +* `suphp` +* `userdir`\* ([`apache::mod::userdir`][]参照) +* `version` +* `vhost_alias` +* `worker`\* +* `wsgi` ([`apache::mod::wsgi`][]参照) +* `xsendfile` + +モジュールに付いている*のマークは、設定やモジュールを設定するためのパラメータが含まれるテンプレートがあることを示しています。ほとんどのApacheモジュールクラスパラメータにはデフォルト値があり、設定は必要ありません。 テンプレートのあるモジュールについては、Puppetでモジュールとともにテンプレートファイルがインストールされます。これらのテンプレートファイルは、モジュールが機能するために必要です。 + +##### クラス: `apache::mod::alias` + +[`mod_alias`][]をインストールして管理します。 + +**パラメータ**:  + +* `icons_options`: Apache [`Options`]ディレクティブにより、アイコンディレクトリのディレクトリリスティングを無効にします。 + + デフォルト値: 'Indexes MultiViews'。 + +* `icons_path`: `/icons/`エイリアスのローカルパスを設定します。 + + デフォルト値: オペレーティングシステムによって異なります。 + + * **Debian**: `/usr/share/apache2/icons` + * **FreeBSD**: `/usr/local/www/apache24/icons` + * **Gentoo**: `/var/www/icons` + * **Red Hat**: `/var/www/icons`、Apache 2.4の場合のみ、`/usr/share/httpd/icons` + +#### クラス: `apache::mod::disk_cache` + +Apache 2.2に[`mod_disk_cache`][]、またはApache 2.4に[`mod_cache_disk`][]をインストールして設定します。 + +デフォルト値: Apacheバージョンとオペレーティングシステムによって異なります。 + +- **Debian**: `/var/cache/apache2/mod_cache_disk` +- **FreeBSD**: `/var/cache/mod_cache_disk` +- **Red Hat、Apache 2.4**: `/var/cache/httpd/proxy` +- **Red Hat、Apache 2.2**: `/var/cache/mod_proxy` + +キャッシュルートを指定するには、パスを文字列として`cache_root`パラメータに渡します。 + +``` puppet +class {'::apache::mod::disk_cache': + cache_root => '/path/to/cache', +} +``` + +キャッシュ無視ヘッダを指定するには、文字列を`cache_ignore_headers`パラメータに渡します。 + +``` puppet +class {'::apache::mod::disk_cache': + cache_ignore_headers => "Set-Cookie", +} +``` + +##### クラス: `apache::mod::dumpio` + +[`mod_dumpio`][]をインストールして設定します。 + +```puppet +class{'apache': + default_mods => false, + log_level => 'dumpio:trace7', +} +class{'apache::mod::dumpio': + dump_io_input => 'On', + dump_io_output => 'Off', +} +``` + +**パラメータ**:  + +* `dump_io_input`: すべての入力データをエラーログにダンプします。 + + 値: 'On'、'Off'。  + + デフォルト値: 'Off'。 + +* `dump_io_output`: すべての出力データをエラーログにダンプします。 + + 値: 'On'、'Off'。  + + デフォルト値: 'Off'。 + +##### クラス: `apache::mod::event` + +[`mod_mpm_event`][]をインストールして管理します。同じサーバ上に、`apache::mod::event`と一緒に[`apache::mod::itk`][]、[`apache::mod::peruser`][]、[`apache::mod::prefork`][]、[`apache::mod::worker`][]を含めることはできません。 + +**パラメータ**:  + +* `listenbacklog`: モジュールの[`ListenBackLog`][]ディレクティブでペンディング接続キューの最大長を設定します。`false`に設定すると、このパラメータが削除されます。 + + デフォルト値: '511'。 + +* `maxrequestworkers` (_Apache 2.3.12以前_: `maxclients`): モジュールの[`MaxRequestWorkers`][]ディレクティブで、Apacheが同時に処理できる接続の最大数を設定します。`false`に設定すると、このパラメータが削除されます。 + + デフォルト値: '150'。 + +* `maxconnectionsperchild` (_Apache 2.3.8以前_: `maxrequestsperchild`): モジュールの[`MaxConnectionsPerChild`][]ディレクティブで、子サーバが稼働中に処理する接続の数を制限します。`false`に設定すると、このパラメータが削除されます。 + + デフォルト値: '0'。 + +* `maxsparethreads` and `minsparethreads`: [`MaxSpareThreads`][]および[`MinSpareThreads`][]ディレクティブで、待機スレッドの最大数と最小数を設定します。`false`に設定すると、このパラメータが削除されます。 + + デフォルト値: それぞれ'75'および'25'。 + +* `serverlimit`: [`ServerLimit`][]ディレクティブで、プロセスの設定数を制限します。`false`に設定すると、このパラメータが削除されます。 + + デフォルト値: '25'。 + +* `startservers`: モジュールの[`StartServers`][]ディレクティブで、起動時に作成される子サーバプロセスの数を設定します。`false`に設定すると、このパラメータが削除されます。 + + デフォルト値: '2'。 + +* `threadlimit`: モジュールの[`ThreadLimit`][]ディレクティブで、イベントスレッドの数を制限します。`false`に設定すると、このパラメータが削除されます。 + + デフォルト値: '64'。 + +* `threadsperchild`: [`ThreadsPerChild`][]ディレクティブで、各子サーバにより作成されるスレッドの数を設定します。 + + デフォルト値: '25'。`false`に設定すると、このパラメータが削除されます。 + +##### クラス: `apache::mod::auth_cas` + +[`mod_auth_cas`][]をインストールして管理します。パラメータの名前はApacheモジュールのディレクティブと共通です。 + +`cas_login_url`および`cas_validate_url`パラメータは必須です。 その他のいくつかのパラメータのデフォルト値は`undef`です。 + +> **注意**: auth_casモジュールは、EPELにより提供される依存関係パッケージがなければ、RH/CentOSで使用できません。 [https://github.com/Jasig/mod_auth_cas]()を参照してください。 + +**パラメータ**:  + +- `cas_attribute_prefix`: ヘッダを追加します。SAMLバリデーションが有効になっている場合には、このヘッダの値が属性値になります。 + + デフォルト値: CAS_。 + +- `cas_attribute_delimiter`:`cas_attribute_prefix`により作成されたヘッダの属性値の区切り文字。 + + デフォルト値: ,。 + +- `cas_authoritative`: オプションの認証ディレクティブを承認してバインドするかどうかを決定します。 + + デフォルト値: `undef`。 + +- `cas_certificate_path`: `cas_login_url`および`cas_validate_url`のサーバについて、証明書認証局のX509証明書へのパスを設定します。 + + デフォルト値: `undef`。 + +- `cas_cache_clean_interval`: キャッシュクリーニング時間の最小秒数を設定します。 + + デフォルト値: `undef`。 + +- `cas_cookie_domain`: `Set-Cookie` HTTPヘッダの`Domain=`パラメータの値を設定します。 + + デフォルト値: `undef`。 + +- `cas_cookie_entropy`: セッション識別子を作成する際に使用するバイト数を設定します。 + + デフォルト値: `undef`。 + +- `cas_cookie_http_only`: `mod_auth_cas`がクッキーを発行する際のオプションの`HttpOnly`フラグを設定します。 + + デフォルト値: `undef`。 + +- `cas_cookie_path`: casクッキーセッションデータの保存場所。Webサーバユーザによる書き込みを可能にする必要があります。 + + デフォルト値: OSによって異なります。 + +- `cas_cookie_path_mode`: `cas_cookie_path`のモード。 + + デフォルト値: '0750'。 + +- `cas_debug`: モジュールのデバッギングモードを有効にするかどうかを決定します。 + + デフォルト値: 'Off'。 + +- `cas_idle_timeout`: 待機タイムアウトの制限を秒数で設定します。 + + デフォルト値: `undef`。 + +- `cas_login_url`: **必須**。ユーザがCASで保護されたリソースへのアクセスを試み、かつアクティブなセッションがない場合に、モジュールがユーザをリダイレクトする先のURLを設定します。 + +- `cas_proxy_validate_url`: プロキシバリデーションを実施する際に使用するURL。 + + デフォルト値: `undef`。 + +- `cas_root_proxied_as`: このApacheサーバへのアクセスがプロキシされた場合に、エンドユーザに表示されるURLを設定します。 + + デフォルト値: `undef`。 + +- `cas_scrub_request_headers`: mod_auth_cas内で特別な意味を持つ可能性のあるインバウンドリクエストヘッダを削除します。 + +- `cas_sso_enabled`: シングルサインアウトの実験的サポートを有効にします(POSTデータが壊れる可能性があります)。 + + デフォルト値: 'Off'。 + +- `cas_timeout`: `mod_auth_cas`セッションのアクティブ状態を維持する時間(秒数)を制限します。 + + デフォルト値: `undef`。 + +- `cas_validate_depth`: チェーンされた証明書バリデーションの深さを制限します。 + + デフォルト値: `undef`。 + +- `cas_validate_saml`: SAMLに関するCASサーバからの解析応答。 + + デフォルト値: 'Off'。 + +- `cas_validate_server`: CASサーバの証明書をバリデーションするかどうか(1.1 - RedHat 7では廃止予定)。 + + デフォルト値: `undef`。 + +- `cas_validate_url`: **必須**。HTTPクエリ文字列でクライアントの提示するチケットをバリデーションする際に使用するURL。 + +- `cas_version`: 従うべきCASプロトコルバージョン。値: '1'、'2'。 + + デフォルト値: '2'。 + +- `suppress_warning`: RedHat上にいることを示す警告を表示しないようにします(`mod_auth_cas`パッケージは、現在はepel-testingレポジトリで使用できます)。 + + デフォルト値: `false`。 + +##### クラス: `apache::mod::auth_mellon` + +[`mod_auth_mellon`][]をインストールして管理します。パラメータの名前はApacheモジュールのディレクティブと共通です。 + +``` puppet +class{ 'apache::mod::auth_mellon': + mellon_cache_size => 101, +} +``` + +**パラメータ**:  + +* `mellon_cache_entry_size`: 1回のセッションの最大サイズ。 + + デフォルト値: `undef`。 + +* `mellon_cache_size`: mellonキャッシュのサイズ、単位はメガバイト。 + + デフォルト値: 100。 + +* `mellon_lock_file`: ロックファイルの場所。 + + デフォルト値: '`/run/mod_auth_mellon/lock`'。 + +* `mellon_post_directory`: ポストリクエストが保存される場所のフルパス。 + + デフォルト値: '`/var/cache/apache2/mod_auth_mellon/`'。 + +* `mellon_post_ttl`: ポストリクエストの維持時間。 + + デフォルト値: `undef`。 + +* `mellon_post_size`: ポストリクエストの最大サイズ。 + + デフォルト値: `undef`。 + +* `mellon_post_count`: ポストリクエストの最大数。 + + デフォルト値: `undef`。 + +##### クラス: `apache::mod::authn_dbd` + +`mod_authn_dbd`をインストールし、`authn_dbd.conf.epp`テンプレートを使用して設定を生成します。オプションで、AuthnProviderAliasを作成します。 + +``` puppet +class { 'apache::mod::authn_dbd': + $authn_dbd_params => + 'host=db01 port=3306 user=apache password=xxxxxx dbname=apacheauth', + $authn_dbd_query => 'SELECT password FROM authn WHERE user = %s', + $authn_dbd_alias => 'db_auth', +} +``` + +**パラメータ**:  + +* `authn_dbd_alias`: AuthnProviderAlias'の名前。 + +* `authn_dbd_dbdriver`: 使用するデータベースドライブを指定します。 + + デフォルト値: 'mysql'。 + +* `authn_dbd_exptime`: DBDExptimeに相当します。 + + デフォルト値: 300。 + +* `authn_dbd_keep`: DBDKeepに相当します。 + + デフォルト値: 8。 + +* `authn_dbd_max`: DBDMaxに相当します。 + + デフォルト値: 20。 + +* `authn_dbd_min`: DBDMinに相当します。 + + デフォルト値: 4。  + +* `authn_dbd_params`: **必須**。接続文字列に関して、DBDParamsに相当します。 + +* `authn_dbd_query`: 認証に関してユーザとパスワードを問い合わせるかどうか。 + +##### クラス: `apache::mod::authnz_ldap` + +`mod_authnz_ldap`をインストールし、`authnz_ldap.conf.epp`テンプレートを使用して設定を生成します。 + +**パラメータ**:  + +* `package_name`: パッケージの名前。 + + デフォルト値: `undef`。 + +* `verify_server_cert`: サーバの証明書を確認するかどうか。 + + デフォルト値: `undef`。 + +##### クラス: `apache::mod::cluster` + +**注意**: `mod_cluster`に関して提供されている公式なパッケージはありません。そのため、Apacheモジュールの外部から使用できるようにする必要があります。バイナリは[こちら](http://mod-cluster.jboss.org/)にあります。 + +``` puppet +class { '::apache::mod::cluster': + ip => '172.17.0.1', + allowed_network => '172.17.0.', + balancer_name => 'mycluster', + version => '1.3.1' +} +``` + +**パラメータ**:  + +* `port`: mod_clusterのリッスンポート。 + + デフォルト値: '6666'。 + +* `server_advertise`: サーバをアドバタイズするかどうか。 + + デフォルト値: `true`。 + +* `advertise_frequency`: アドバタイズメッセージ間のインターバルを秒数[.ミリ秒]で設定します。 + + デフォルト値: 10。 + +* `manager_allowed_network`: ネットワークにmod_cluster_managerへのアクセスを許可するかどうか。 + + デフォルト値: '127.0.0.1'。 + +* `keep_alive_timeout`: Apacheがリクエストを待機する長さを秒数で指定します。 + + デフォルト値: 60。 + +* `max_keep_alive_requests`: 維持されるリクエストの最大数。 + + デフォルト値: 0。 + +* `enable_mcpm_receive`: MCPMを有効にするかどうか。 + + デフォルト値: `true`。 + +* `ip`: リッスンするIPアドレスを指定します。 + +* `allowed_network`: バランスドメンバーネットワーク。 + +* `version`: `mod_cluster`バージョンを指定します。httpd 2.4ではバージョン1.3.0以上が必要です。 + +##### クラス: `apache::mod::deflate` + +[`mod_deflate`][]をインストールして設定します。 + +**パラメータ**:  + +* `types`: デフレートする[配列][]または[MIMEタイプ][MIME `content-type`]。 + + デフォルト値: ['text/html text/plain text/xml', 'text/css', 'application/x-javascript application/javascript application/ecmascript', 'application/rss+xml', 'application/json']。 + +* `notes`: [ハッシュ][]、キーはタイプを表し、値はノート名を表します。 + + デフォルト値: { 'Input' => 'instream'、'Output' => 'outstream'、'Ratio' => 'ratio' }。 + +##### クラス: `apache::mod::expires` + +[`mod_expires`][]をインストールし、`expires.conf.epp`を使用して設定を生成します。 + +**パラメータ**:  + +* `expires_active`: ドキュメント領域に関して`Expires`ヘッダの生成を有効にします。 + + ブーリアン。 + + デフォルト値: `true`。 + +* `expires_default`: [`ExpiresByType`][]構文または[インターバル構文][]を用いた有効期限計算のためのデフォルトアルゴリズムを指定します。 + + デフォルト値: `undef`。 + +* `expires_by_type`: 一連の[MIME `content-type`][]とその有効期限を表します。 + + 値: [ハッシュ][ハッシュ]の[配列][]、各ハッシュのキーは有効なMIME `content-type` ('text/json'など)、値は以下の有効な [インターバル構文][]。 + + デフォルト値: `undef`。 + +##### クラス: `apache::mod::ext_filter` + +[`mod_ext_filter`][]をインストールして設定します。 + +``` puppet +class { 'apache::mod::ext_filter': + ext_filter_define => { + 'slowdown' => 'mode=output cmd=/bin/cat preservescontentlength', + 'puppetdb-strip' => 'mode=output outtype=application/json cmd="pdb-resource-filter"', + }, +} +``` + +**パラメータ**:  + +* `ext_filter_define`: フィルタ名とそのパラメータのハッシュ。 + + デフォルト値: `undef`。 + +##### クラス: `apache::mod::fcgid` + +[`mod_fcgid`][]をインストールして設定します。 + +このクラスでは、使用可能なすべてのオプションを個別にパラメータ化するのではなく、`options` [ハッシュ][]を使って`mod_fcgid`を設定します。例: + +``` puppet +class { 'apache::mod::fcgid': + options => { + 'FcgidIPCDir' => '/var/run/fcgidsock', + 'SharememPath' => '/var/run/fcgid_shm', + 'AddHandler' => 'fcgid-script .fcgi', + }, +} +``` + +すべてのオプションのリストについては、[公式`mod_fcgid`ドキュメント][`mod_fcgid`]を参照してください。 + +`apache::mod::fcgid`を含める場合は、ディレクトリごと、バーチャルホストごとに[`FcgidWrapper`][]を設定できます。最初にモジュールをロードする必要があります。`apache::vhost`で`fcgiwrapper`パラメータを設定している場合、Puppetは自動的にはモジュールを有効化しません。 + +``` puppet +include apache::mod::fcgid + +apache::vhost { 'example.org': + docroot => '/var/www/html', + directories => { + path => '/var/www/html', + fcgiwrapper => { + command => '/usr/local/bin/fcgiwrapper', + } + }, +} +``` + +##### クラス: `apache::mod::geoip` + +[`mod_geoip`][]をインストールして管理します。 + +**パラメータ**:  + +* `db_file`: GeoIPデータベースファイルのパスを設定します。 + + 値: パス、または複数のGeoIPデータベースファイルの[配列][]パス。 + + デフォルト値: `/usr/share/GeoIP/GeoIP.dat`。 + +* `enable`: [`mod_geoip`][]を全体で有効にするかどうかを決定します。 + + ブーリアン。 + + デフォルト値: `false`。 + +* `flag`: GeoIPフラグを設定します。 + + 値: 'CheckCache'、'IndexCache'、'MemoryCache'、'Standard'。 + + デフォルト値: 'Standard'。 + +* `output`: 使用するアウトプット変数を定義します。 + + 値: 'All'、'Env'、'Request'、'Notes'。 + + デフォルト値: 'All'。 + +* `enable_utf8`: アウトプットをISO*8859*1 (ラテン*1)からUTF*8に変更します。 + + ブーリアン。 + + デフォルト値: `undef`。 + +* `scan_proxy_headers`: [GeoIPScanProxyHeaders][]オプションを有効にします。 + + ブーリアン。 + + デフォルト値: `undef`。 + +* `scan_proxy_header_field`: クライアントのIPアドレスの決定に使用するヘッダの[`mod_geoip`][]を指定します。 + + デフォルト値: `undef`。 + +* `use_last_xforwarededfor_ip` (sic): IPアドレスのカンマ区切りリストで見つかったクライアントのIPの最初または最後のIPアドレスを使うかどうかを決定します。 + + ブーリアン。 + + デフォルト値: `undef`。 + +##### クラス: `apache::mod::info` + +サーバ設定の全体的な概要を提供する[`mod_info`][]をインストールして管理します。 + +**パラメータ**:  + +* `allow_from`: IPv4またはIPv6アドレスのホワイトリスト、または`/server*info`にアクセスできる範囲。 + + 値: IPv4アドレス、IPv6アドレス、または範囲の1つまたは複数のオクテット、またはいずれかの配列。 + + デフォルト値: ['127.0.0.1','::1']。  + +* `apache_version`: 文字列で表されるApacheのバージョン番号、'2.2'や'2.4'など。  + + デフォルト値: [`$::apache::apache_version`][`apache_version`]の値。 + + +* `restrict_access`: アクセス制限を有効にするかどうかを決定します。`false`の場合、`allow_from`ホワイトリストは無視され、すべてのIPアドレスが `/server*info`にアクセスできるようになります。 + + ブーリアン。 + + デフォルト値: `true`。 + +##### クラス: `apache::mod::itk` + +[`mod_itk`][]をインストールして管理します。これはHTTPDプロセス向けにロードおよび設定されるMPMです。[公式ドキュメント](http://mpm-itk.sesse.net/)。 + +**パラメータ**:  + +* `startservers`: 起動時に作成される子サーバプロセスの数。 + + 値: 整数。 + + デフォルト値: `8`。 + +* `minspareservers`: 待機する子サーバプロセスに望ましい最小数。 + + 値: 整数。 + + デフォルト値: `5`。 + +* `maxspareservers`: 待機する子サーバプロセスに望ましい最大数。 + + 値: 整数。 + + デフォルト値: `20`。 + +* `serverlimit`: Apache httpdプロセスの継続期間に対して設定されるMaxRequestWorkersの最大数。 + + 値: 整数。 + + デフォルト値: `256`。 + +* `maxclients`: 処理される同時リクエストの最大数。 + + 値: 整数。 + + デフォルト値: `256`。 + +* `maxrequestsperchild`: 個々の子サーバプロセスが処理する接続の最大数。 + + 値: 整数。 + + デフォルト値: `4000`。 + +* `enablecapabilities`: 親プロセスのルート機能をほぼすべて削除し、User/Groupディレクティブで指定されたユーザとして、いくつかの追加機能(特にsetuid)付きで実行します。 セキュリティはある程度強化されますが、NFSなどの機能に対応しないファイルシステムによる処理では問題が生じるおそれがあります。 + + 値: ブール値。 + + デフォルト値: `undef`。 + +##### クラス: `apache::mod::jk` + +`mod_jk`をインストールして管理します。これは、Apache httpdリダイレクションと古いバージョンのTomCatおよびJBossを結ぶコネクタです。 + +**注意**: mod\_jkに関して提供されている公式のパッケージはありません。そのため、apacheモジュールの制御以外の手段で使用できるようにする必要があります。バイナリは[Apache Tomcatコネクタダウンロードページ](https://tomcat.apache.org/download-connectors.cgi)にあります。 + +``` puppet +class { '::apache::mod::jk': + ip => '192.168.2.15', + workers_file => 'conf/workers.properties', + mount_file => 'conf/uriworkermap.properties', + shm_file => 'run/jk.shm', + shm_size => '50M', + workers_file_content => { + + }, +} +``` + +詳細については、[templates/mod/jk/workers.properties.epp](templates/mod/jk/workers.properties.epp)を参照してください。 + +**`apache::mod::jk`**内のパラメータ: + +`mod_jk`パラメータを理解するための情報源としては、[公式ドキュメント](https://tomcat.apache.org/connectors-doc/reference/apache.html)が最適です。ただし、次はこれに含まれません: + +**add_listen** + +パラメータ`ip`および `port`に従って`Listen`ディレクティブを定義して(下記参照)、ApacheがIP/portの組合せをリッスンし`mod_jk`にリダイレクトするようにします。 +`Listen *:`または`Listen `のように、別の`Listen`ディレクティブが`mod_jk`バインディングで必要なものと競合するときに役立ちます。 + +タイプ: ブール値 +デフォルト: true + +**ip** + +`mod_jk`にバインディングするIP。 +バインディングアドレスがプライマリのネットワークインターフェースIPではないときに役立ちます。 + +タイプ: 文字列 +デフォルト: `$facts['ipaddress']` + +**port** + +`mod_jk`にバインディングするポート。 +リバースプロキシまたはキャッシュのような、別のものがポート80でリクエストを受信して、異なるポートのApacheに転送する必要があるときに役立ちます。 + +タイプ: 文字列(数値) +デフォルト: '80' + +**workers\_file\_content** + +各ディレクティブにはフォーマット`worker..=`があります。このマップは複数ハッシュのハッシュとして表され、外側のハッシュはワーカーを指定し、内側の各ハッシュは各ワーカーのプロパティと値を指定します。 +また、2つのグローバルディレクティブ 'worker.list'および'worker.maintain'もあります。 +例えば、以下のワーカーファイルは図1のようにパラメータ化します。 + +``` puppet +worker.list = status +worker.list = some_name,other_name + +worker.maintain = 60 + +# Optional comment +worker.some_name.type=ajp13 +worker.some_name.socket_keepalive=true + +# I just like comments +worker.other_name.type=ajp12 (why would you?) +worker.other_name.socket_keepalive=false +``` + +**図1:** + +``` puppet +$workers_file_content = { + worker_lists => ['status', 'some_name,other_name'], + worker_maintain => '60', + some_name => { + comment => 'Optional comment', + type => 'ajp13', + socket_keepalive => 'true', + }, + other_name => { + comment => 'I just like comments', + type => 'ajp12', + socket_keepalive => 'false', + }, +} +``` + +**mount\_file\_content** + +各ディレクティブにはフォーマット` = `があります。このマップは複数ハッシュのハッシュとして表され、外側のハッシュはワーカーを指定し、内側の各ハッシュは次の2つのアイテムを含みます: +* uri_list&mdash - ワーカーにマップするURIを用いた配列 +* comment&mdash - ワーカーに関するコメントを記したオプションの文字列 +例えば、以下のマウントファイルは図2のようにパラメータ化します。 + +``` puppet +# Worker 1 +/context_1/ = worker_1 +/context_1/* = worker_1 + +# Worker 2 +/ = worker_2 +/context_2/ = worker_2 +/context_2/* = worker_2 +``` + +**図2:** + +``` puppet +$mount_file_content = { + worker_1 => { + uri_list => ['/context_1/', '/context_1/*'], + comment => 'Worker 1', + }, + worker_2 => { + uri_list => ['/context_2/', '/context_2/*'], + comment => 'Worker 2', + }, +}, +``` + +**shm\_file and log\_file** + +これらのファイルがどのように定義されているかによって、クラスはそれらの最終パスを別々に作成します。 +- 相対パス: `logroot`で提供されたパスを追加します (下記参照) +- 絶対パスまたはパイプ: 提供されたパスをそのまま使用します + +例 (RHEL 6): + +``` puppet +shm_file => 'shm_file' +# Ends up in +$shm_path = '/var/log/httpd/shm_file' +``` +``` puppet +shm_file => '/run/shm_file' +# Ends up in +$shm_path = '/run/shm_file' +``` +``` puppet +shm_file => '"|rotatelogs /var/log/httpd/mod_jk.log.%Y%m%d 86400 -180"' +# Ends up in +$shm_path = '"|rotatelogs /var/log/httpd/mod_jk.log.%Y%m%d 86400 -180"' +``` + +> デフォルトのlogrootは十分健全です。このため、絶対パスを指定することは推奨しません。 + +**logroot** + +`shm_file`および`log_file`のベースディレクトリは`logroot`パラメータで決定されます。指定されない場合、デフォルトは`apache::params::logroot`です。 + +> デフォルトのlogrootは十分健全です。このため、上書きすることは推奨しません。 + +##### クラス: `apache::mod::passenger`  + +[`mod_passenger`][]をインストールして管理します。Red Hatベースのシステムの場合は、[passengerドキュメント](https://www.phusionpassenger.com/library/install/apache/install/oss/el6/#step-1:-upgrade-your-kernel,-or-disable-selinux)に記載された最小要件を満たしていることを確認してください。 + +現在のサーバ設定は、[Passengerリファレンス](https://www.phusionpassenger.com/library/config/apache/reference/)から直接取得されています。廃止予定の警告と削除失敗メッセージを有効にするには、 サーバにインストールされているバージョン番号を`passenger_installed_version`に設定します。 + +**パラメータ**:  + +|パラメータ|デフォルト値|passengerの設定|コンテキスト|注記| +|---------|-------------|------------------------|-------|-----| +|manage_repo|true|n/a||| +|mod_id|未定義|n/a||| +|mod_lib|未定義|n/a||| +|mod_lib_path|未定義|n/a||| +|mod_package|未定義|n/a||| +|mod_package_ensure|未定義|n/a||| +|mod_path|未定義|n/a||| +|passenger_allow_encoded_slashes|未定義|[`PassengerAllowEncodedSlashes`](https://www.phusionpassenger.com/library/config/apache/reference/#PassengerAllowEncodedSlashes)|server-config virutal-host htaccess directory || +|passenger_app_env|未定義|[`PassengerAppEnv`](https://www.phusionpassenger.com/library/config/apache/reference/#PassengerAppEnv)|server-config virutal-host htaccess directory || +|passenger_app_group_name|未定義|[`PassengerAppGroupName`](https://www.phusionpassenger.com/library/config/apache/reference/#PassengerAppGroupName)|server-config virutal-host htaccess directory || +|passenger_app_root|未定義|[`PassengerAppRoot`](https://www.phusionpassenger.com/library/config/apache/reference/#PassengerAppRoot)|server-config virutal-host htaccess directory || +|passenger_app_type|未定義|[`PassengerAppType`](https://www.phusionpassenger.com/library/config/apache/reference/#PassengerAppType)|server-config virutal-host htaccess directory || +|passenger_base_uri|未定義|[`PassengerBaseURI`](https://www.phusionpassenger.com/library/config/apache/reference/#PassengerBaseURI)|server-config virutal-host htaccess directory || +|passenger_buffer_response|未定義|[`PassengerBufferResponse`](https://www.phusionpassenger.com/library/config/apache/reference/#PassengerBufferResponse)|server-config virutal-host htaccess directory || +|passenger_buffer_upload|未定義|[`PassengerBufferUpload`](https://www.phusionpassenger.com/library/config/apache/reference/#PassengerBufferUpload)|server-config virutal-host htaccess directory || +|passenger_concurrency_model|未定義|[`PassengerConcurrencyModel`](https://www.phusionpassenger.com/library/config/apache/reference/#PassengerConcurrencyModel)|server-config virutal-host htaccess directory || +|passenger_conf_file|$::apache::params::passenger_conf_file|n/a||| +|passenger_conf_package_file|$::apache::params::passenger_conf_package_file|n/a||| +|passenger_data_buffer_dir|未定義|[`PassengerDataBufferDir`](https://www.phusionpassenger.com/library/config/apache/reference/#PassengerDataBufferDir)|server-config || +|passenger_debug_log_file|未定義|PassengerDebugLogFile|server-config |このオプションの名前は、バージョン5.0.5でPassengerLogFileに変更されています。| +|passenger_debugger|未定義|[`PassengerDebugger`](https://www.phusionpassenger.com/library/config/apache/reference/#PassengerDebugger)|server-config virutal-host htaccess directory || +|passenger_default_group|未定義|[`PassengerDefaultGroup`](https://www.phusionpassenger.com/library/config/apache/reference/#PassengerDefaultGroup)|server-config || +|passenger_default_ruby|$::apache::params::passenger_default_ruby|[`PassengerDefaultRuby`](https://www.phusionpassenger.com/library/config/apache/reference/#PassengerDefaultRuby)|server-config || +|passenger_default_user|未定義|[`PassengerDefaultUser`](https://www.phusionpassenger.com/library/config/apache/reference/#PassengerDefaultUser)|server-config || +|passenger_disable_security_update_check|未定義|[`PassengerDisableSecurityUpdateCheck`](https://www.phusionpassenger.com/library/config/apache/reference/#PassengerDisableSecurityUpdateCheck)|server-config || +|passenger_enabled|未定義|[`PassengerEnabled`](https://www.phusionpassenger.com/library/config/apache/reference/#PassengerEnabled)|server-config virutal-host htaccess directory || +|passenger_error_override|未定義|[`PassengerErrorOverride`](https://www.phusionpassenger.com/library/config/apache/reference/#PassengerErrorOverride)|server-config virutal-host htaccess directory || +|passenger_file_descriptor_log_file|未定義|[`PassengerFileDescriptorLogFile`](https://www.phusionpassenger.com/library/config/apache/reference/#PassengerFileDescriptorLogFile)|server-config || +|passenger_fly_with|未定義|[`PassengerFlyWith`](https://www.phusionpassenger.com/library/config/apache/reference/#PassengerFlyWith)|server-config || +|passenger_force_max_concurrent_requests_per_process|未定義|[`PassengerForceMaxConcurrentRequestsPerProcess`](https://www.phusionpassenger.com/library/config/apache/reference/#PassengerForceMaxConcurrentRequestsPerProcess)|server-config virutal-host htaccess directory || +|passenger_friendly_error_pages|未定義|[`PassengerFriendlyErrorPages`](https://www.phusionpassenger.com/library/config/apache/reference/#PassengerFriendlyErrorPages)|server-config virutal-host htaccess directory || +|passenger_group|未定義|[`PassengerGroup`](https://www.phusionpassenger.com/library/config/apache/reference/#PassengerGroup)|server-config virutal-host directory || +|passenger_high_performance|未定義|[`PassengerHighPerformance`](https://www.phusionpassenger.com/library/config/apache/reference/#PassengerHighPerformance)|server-config virutal-host htaccess directory || +|passenger_installed_version|未定義|n/a| |このオプションを設定すると、指定した値に対するpassengerオプションのバージョンチェックが有効になります。| +|passenger_instance_registry_dir|未定義|[`PassengerInstanceRegistryDir`](https://www.phusionpassenger.com/library/config/apache/reference/#PassengerInstanceRegistryDir)|server-config || +|passenger_load_shell_envvars|未定義|[`PassengerLoadShellEnvvars`](https://www.phusionpassenger.com/library/config/apache/reference/#PassengerLoadShellEnvvars)|server-config virutal-host htaccess directory || +|passenger_log_file|未定義|[`PassengerLogFile`](https://www.phusionpassenger.com/library/config/apache/reference/#PassengerLogFile)|server-config || +|passenger_log_level|未定義|[`PassengerLogLevel`](https://www.phusionpassenger.com/library/config/apache/reference/#PassengerLogLevel)|server-config || +|passenger_lve_min_uid|未定義|[`PassengerLveMinUid`](https://www.phusionpassenger.com/library/config/apache/reference/#PassengerLveMinUid)|server-config virtual-host || +|passenger_max_instances|未定義|[`PassengerMaxInstances`](https://www.phusionpassenger.com/library/config/apache/reference/#PassengerMaxInstances)|server-config virutal-host htaccess directory || +|passenger_max_instances_per_app|未定義|[`PassengerMaxInstancesPerApp`](https://www.phusionpassenger.com/library/config/apache/reference/#PassengerMaxInstancesPerApp)|server-config || +|passenger_max_pool_size|未定義|[`PassengerMaxPoolSize`](https://www.phusionpassenger.com/library/config/apache/reference/#PassengerMaxPoolSize)|server-config || +|passenger_max_preloader_idle_time|未定義|[`PassengerMaxPreloaderIdleTime`](https://www.phusionpassenger.com/library/config/apache/reference/#PassengerMaxPreloaderIdleTime)|server-config virtual-host || +|passenger_max_request_queue_size|未定義|[`PassengerMaxRequestQueueSize`](https://www.phusionpassenger.com/library/config/apache/reference/#PassengerMaxRequestQueueSize)|server-config virutal-host htaccess directory || +|passenger_max_request_time|未定義|[`PassengerMaxRequestTime`](https://www.phusionpassenger.com/library/config/apache/reference/#PassengerMaxRequestTime)|server-config virutal-host htaccess directory || +|passenger_max_requests|未定義|[`PassengerMaxRequests`](https://www.phusionpassenger.com/library/config/apache/reference/#PassengerMaxRequests)|server-config virutal-host htaccess directory || +|passenger_memory_limit|未定義|[`PassengerMemoryLimit`](https://www.phusionpassenger.com/library/config/apache/reference/#PassengerMemoryLimit)|server-config virutal-host htaccess directory || +|passenger_meteor_app_settings|未定義|[`PassengerMeteorAppSettings`](https://www.phusionpassenger.com/library/config/apache/reference/#PassengerMeteorAppSettings)|server-config virutal-host htaccess directory || +|passenger_min_instances|未定義|[`PassengerMinInstances`](https://www.phusionpassenger.com/library/config/apache/reference/#PassengerMinInstances)|server-config virutal-host htaccess directory || +|passenger_nodejs|未定義|[`PassengerNodejs`](https://www.phusionpassenger.com/library/config/apache/reference/#PassengerNodejs)|server-config virutal-host htaccess directory || +|passenger_pool_idle_time|未定義|[`PassengerPoolIdleTime`](https://www.phusionpassenger.com/library/config/apache/reference/#PassengerPoolIdleTime)|server-config || +|passenger_pre_start|未定義|[`PassengerPreStart`](https://www.phusionpassenger.com/library/config/apache/reference/#PassengerPreStart)|server-config virtual-host || +|passenger_python|未定義|[`PassengerPython`](https://www.phusionpassenger.com/library/config/apache/reference/#PassengerPython)|server-config virutal-host htaccess directory || +|passenger_resist_deployment_errors|未定義|[`PassengerResistDeploymentErrors`](https://www.phusionpassenger.com/library/config/apache/reference/#PassengerResistDeploymentErrors)|server-config virutal-host htaccess directory || +|passenger_resolve_symlinks_in_document_root|未定義|[`PassengerResolveSymlinksInDocumentRoot`](https://www.phusionpassenger.com/library/config/apache/reference/#PassengerResolveSymlinksInDocumentRoot)|server-config virutal-host htaccess directory || +|passenger_response_buffer_high_watermark|未定義|[`PassengerResponseBufferHighWatermark`](https://www.phusionpassenger.com/library/config/apache/reference/#PassengerResponseBufferHighWatermark)|server-config || +|passenger_restart_dir|未定義|[`PassengerRestartDir`](https://www.phusionpassenger.com/library/config/apache/reference/#PassengerRestartDir)|server-config virutal-host htaccess directory || +|passenger_rolling_restarts|未定義|[`PassengerRollingRestarts`](https://www.phusionpassenger.com/library/config/apache/reference/#PassengerRollingRestarts)|server-config virutal-host htaccess directory || +|passenger_root|$::apache::params::passenger_root|[`PassengerRoot`](https://www.phusionpassenger.com/library/config/apache/reference/#PassengerRoot)|server-config || +|passenger_ruby|$::apache::params::passenger_ruby|[`PassengerRuby`](https://www.phusionpassenger.com/library/config/apache/reference/#PassengerRuby)|server-config virutal-host htaccess directory || +|passenger_security_update_check_proxy|未定義|[`PassengerSecurityUpdateCheckProxy`](https://www.phusionpassenger.com/library/config/apache/reference/#PassengerSecurityUpdateCheckProxy)|server-config || +|passenger_show_version_in_header|未定義|[`PassengerShowVersionInHeader`](https://www.phusionpassenger.com/library/config/apache/reference/#PassengerShowVersionInHeader)|server-config || +|passenger_socket_backlog|未定義|[`PassengerSocketBacklog`](https://www.phusionpassenger.com/library/config/apache/reference/#PassengerSocketBacklog)|server-config || +|passenger_spawn_method|未定義|[`PassengerSpawnMethod`](https://www.phusionpassenger.com/library/config/apache/reference/#PassengerSpawnMethod)|server-config virtual-host || +|passenger_start_timeout|未定義|[`PassengerStartTimeout`](https://www.phusionpassenger.com/library/config/apache/reference/#PassengerStartTimeout)|server-config virutal-host htaccess directory || +|passenger_startup_file|未定義|[`PassengerStartupFile`](https://www.phusionpassenger.com/library/config/apache/reference/#PassengerStartupFile)|server-config virutal-host htaccess directory || +|passenger_stat_throttle_rate|未定義|[`PassengerStatThrottleRate`](https://www.phusionpassenger.com/library/config/apache/reference/#PassengerStatThrottleRate)|server-config || +|passenger_sticky_sessions|未定義|[`PassengerStickySessions`](https://www.phusionpassenger.com/library/config/apache/reference/#PassengerStickySessions)|server-config virutal-host htaccess directory || +|passenger_sticky_sessions_cookie_name|未定義|[`PassengerStickySessionsCookieName`](https://www.phusionpassenger.com/library/config/apache/reference/#PassengerStickySessionsCookieName)|server-config virutal-host htaccess directory || +|passenger_thread_count|未定義|[`PassengerThreadCount`](https://www.phusionpassenger.com/library/config/apache/reference/#PassengerThreadCount)|server-config virutal-host htaccess directory || +|passenger_use_global_queue|未定義|PassengerUseGlobalQueue|server-config || +|passenger_user|未定義|[`PassengerUser`](https://www.phusionpassenger.com/library/config/apache/reference/#PassengerUser)|server-config virutal-host directory || +|passenger_user_switching|未定義|[`PassengerUserSwitching`](https://www.phusionpassenger.com/library/config/apache/reference/#PassengerUserSwitching)|server-config || +|rack_auto_detect|未定義|RackAutoDetect|server-config |これらのオプションは、バージョン4.0.0で最適化の一環として削除されました。代わりにPassengerEnabledを使用してください。| +|rack_autodetect|未定義|n/a||| +|rack_base_uri|未定義|RackBaseURI|server-config |3.0.0で廃止され、PassengerBaseURIが採用されました。| +|rack_env|未定義|[`RackEnv`](https://www.phusionpassenger.com/library/config/apache/reference/#RackEnv)|server-config virutal-host htaccess directory || +|rails_allow_mod_rewrite|未定義|RailsAllowModRewrite|server-config |このオプションは、バージョン4.0.0以降では何の影響も与えません。| +|rails_app_spawner_idle_time|未定義|RailsAppSpawnerIdleTime|server-config |このオプションはバージョン4.0.0で削除され、PassengerMaxPreloaderIdleTimeに置き換えられました。| +|rails_auto_detect|未定義|RailsAutoDetect|server-config |これらのオプションは、バージョン4.0.0で最適化の一環として削除されました。代わりにPassengerEnabledを使用してください。| +|rails_autodetect|未定義|n/a||| +|rails_base_uri|未定義|RailsBaseURI|server-config |3.0.0で廃止され、PassengerBaseURIが採用されました。| +|rails_default_user|未定義|RailsDefaultUser|server-config |3.0.0で廃止され、PassengerDefaultUserが採用されました。| +|rails_env|未定義|[`RailsEnv`](https://www.phusionpassenger.com/library/config/apache/reference/#RailsEnv)|server-config virutal-host htaccess directory || +|rails_framework_spawner_idle_time|未定義|RailsFrameworkSpawnerIdleTime|server-config |このオプションはバージョン4.0.0では使用できません。フレームワークスポーンも同時に削除されたので、代わりのオプションはありません。スマートスポーンを使用してください。| +|rails_ruby|未定義|RailsRuby|server-config |3.0.0で廃止され、PassengerRubyが採用されました。| +|rails_spawn_method|未定義|RailsSpawnMethod|server-config |3.0.0で廃止され、PassengerSpawnMethodが採用されました。| +|rails_user_switching|未定義|RailsUserSwitching|server-config |3.0.0で廃止され、PassengerUserSwitchingが採用されました。| +|wsgi_auto_detect|未定義|WsgiAutoDetect|server-config |これらのオプションは、バージョン4.0.0で最適化の一環として削除されました。代わりにPassengerEnabledを使用してください。| + + +##### クラス: `apache::mod::ldap` + +[`mod_ldap`][]をインストールして設定し、[`LDAPTrustedGlobalCert`](https://httpd.apache.org/docs/current/mod/mod_ldap.html#ldaptrustedglobalcert)ディレクティブの修正を可能にします。 + +``` puppet +class { 'apache::mod::ldap': + ldap_trusted_global_cert_file => '/etc/pki/tls/certs/ldap-trust.crt', + ldap_trusted_global_cert_type => 'CA_DER', + ldap_trusted_mode => 'TLS', + ldap_shared_cache_size => '500000', + ldap_cache_entries => '1024', + ldap_cache_ttl => '600', + ldap_opcache_entries => '1024', + ldap_opcache_ttl => '600', +} +``` + +**パラメータ**  + +* `apache_version`: インストールされたApacheバージョンを指定します。 + + デフォルト値: `undef`。 + +* `ldap_trusted_global_cert_file`: LDAPサーバ上でSSLまたはTLS接続を確立する際に使用する、信頼できるCA証明書のパスとファイル名を指定します。 + +* `ldap_trusted_global_cert_type`:グローバルな信頼できる証明書フォーマットを指定します。 + + デフォルト値: 'CA_BASE64'。 + +* `ldap_trusted_mode`: LDAPサーバ接続時に使用されるSSL/TLSモードを指定します。 + +* `ldap_shared_cache_size`: 共有されたメモリのキャッシュのサイズをバイトで指定します。 + +* `ldap_cache_entries`: 一次LDAPキャッシュのエントリの最大数を指定します。 + +* `ldap_cache_ttl`: キャッシュされたアイテムが有効に保たれる時間を秒数で指定します。 + +* `ldap_opcache_entries`: LDAP比較演算のキャッシュに用いるエントリ数を指定します。 + +* `ldap_opcache_ttl`: 演算キャッシュのエントリが有効に保たれる時間を秒数で指定します。 + +* `package_name`: カスタムパッケージ名を指定します。 + + デフォルト値: `undef`。 + +##### クラス: `apache::mod::negotiation` + +[`mod_negotiation`][]をインストールして設定します。 + +**パラメータ**:  + +* `force_language_priority`: `ForceLanguagePriority`オプションを設定します。 + + 値: 文字列。  + + デフォルト値: `Prefer Fallback`。 + +* `language_priority`: モジュールの`LanguagePriority`オプションを設定するための言語の[配列][]。 + + デフォルト値: ['en'、'ca'、cs'、'da'、'de'、'el'、'eo'、'es'、'et'、'fr'、'he'、'hr'、'it'、'ja'、'ko'、'ltz'、'nl'、'nn'、'no'、'pl'、'pt'、'pt-BR'、'ru'、'sv'、'zh-CN'、'zh-TW']。 + +##### クラス: `apache::mod::nss` + +NSS暗号化ライブラリを使用するApacheのSSLプロバイダ。 + +**パラメータ:** + +- `transfer_log`: access.logのパス。 +- `error_log`: error.logのパス。 +- `passwd_file`: NSSPassPhraseDialogディレクティブに使用するファイルのパス。 +- `port`: SSLポート。デフォルト値8443。 + +##### クラス: `apache::mod::pagespeed` + +[`mod_pagespeed`][]をインストールして管理します。これは、Webページをリライトして冗長性と帯域を軽減するためのGoogleモジュールです。 + +このapacheモジュールには`mod-pagespeed-stable`が必要ですが、Puppetはパッケージを自動的にインストールするために必要なソフトウェアを管理**しません**。パッケージがインストールされていないか、お使いのパッケージマネージャで使用できない場合にこのクラスを宣言すると、Puppet実行は失敗します。 + +> **注意:** お使いのシステムが最新のGoogle Pagespeed要件を満たしていることを確認してください。 + +**パラメータ**:  + +以下のパラメータはモジュールのディレクティブに相当します。詳細については、[モジュールのドキュメント][`mod_pagespeed`]を参照してください。 + +* `inherit_vhost_config`: デフォルト値: 'on'。 +* `filter_xhtml`: デフォルト値: `false`。 +* `cache_path`: デフォルト値: '/var/cache/mod_pagespeed/'。 +* `log_dir`: デフォルト値: '/var/log/pagespeed'。 +* `memcache_servers`: デフォルト値: []。 +* `rewrite_level`: デフォルト値: 'CoreFilters'。 +* `disable_filters`: デフォルト値: []。 +* `enable_filters`: デフォルト値: []。 +* `forbid_filters`: デフォルト値: []。 +* `rewrite_deadline_per_flush_ms`: デフォルト値: 10。 +* `additional_domains`: デフォルト値: `undef`。 +* `file_cache_size_kb`: デフォルト値: 102400。 +* `file_cache_clean_interval_ms`: デフォルト値: 3600000。 +* `lru_cache_per_process`: デフォルト値: 1024。 +* `lru_cache_byte_limit`: デフォルト値: 16384。 +* `css_flatten_max_bytes`: デフォルト値: 2048。 +* `css_inline_max_bytes`: デフォルト値: 2048。 +* `css_image_inline_max_bytes`: デフォルト値: 2048。 +* `image_inline_max_bytes`: デフォルト値: 2048。 +* `js_inline_max_bytes`: デフォルト値: 2048。 +* `css_outline_min_bytes`: デフォルト値: 3000。 +* `js_outline_min_bytes`: デフォルト値: 3000。 +* `inode_limit`: デフォルト値: 500000。 +* `image_max_rewrites_at_once`: デフォルト値: 8。 +* `num_rewrite_threads`: デフォルト値: 4。 +* `num_expensive_rewrite_threads`: デフォルト値: 4。 +* `collect_statistics`: デフォルト値: 'on'。 +* `statistics_logging`: デフォルト値: 'on'。 +* `allow_view_stats`: デフォルト値: []。 +* `allow_pagespeed_console`: デフォルト値: []。 +* `allow_pagespeed_message`: デフォルト値: []。 +* `message_buffer_size`: デフォルト値: 100000。 +* `additional_configuration`: ディレクティブ値ペアのハッシュ、またはpagespeed設定の最後に挿入する行の配列。デフォルト値: '{ }'。 + +##### クラス: `apache::mod::passenger`  + +`mod_passenger`をインストールして設定します。 + +>**注意**: passengerモジュールは、EPELにより提供される依存関係パッケージと`mod_passengers`カスタムリポジトリがなければ、RH/CentOSでは使用できません。前述の`manage_repo`パラメータと[https://www.phusionpassenger.com/library/install/apache/install/oss/el7/]()を参照してください。 + +**パラメータ**:  + +* `passenger_conf_file`: `$::apache::params::passenger_conf_file` +* `passenger_conf_package_file: `$::apache::params::passenger_conf_package_file` +* `passenger_high_performance`: デフォルト値: `undef` +* `passenger_pool_idle_time`: デフォルト値: `undef` +* `passenger_max_request_queue_size`: デフォルト値: `undef` +* `passenger_max_requests`: デフォルト値: `undef` +* `passenger_spawn_method`: デフォルト値: `undef` +* `passenger_stat_throttle_rate`: デフォルト値: `undef` +* `rack_autodetect`: デフォルト値: `undef` +* `rails_autodetect`: デフォルト値: `undef` +* `passenger_root` : `$::apache::params::passenger_root` +* `passenger_ruby` : `$::apache::params::passenger_ruby` +* `passenger_default_ruby`: `$::apache::params::passenger_default_ruby` +* `passenger_max_pool_size`: デフォルト値: `undef` +* `passenger_min_instances`: デフォルト値: `undef` +* `passenger_max_instances_per_app`: デフォルト値: `undef` +* `passenger_use_global_queue`: デフォルト値: `undef` +* `passenger_app_env`: デフォルト値: `undef` +* `passenger_log_file`: デフォルト値: `undef` +* `passenger_log_level`: デフォルト値: `undef` +* `passenger_data_buffer_dir`: デフォルト値: `undef` +* `manage_repo`: phusionpassenger.comリポジトリを管理するかどうか。デフォルト値: `true` +* `mod_package`: デフォルト値: `undef` +* `mod_package_ensure`: デフォルト値: `undef` +* `mod_lib`: デフォルト値: `undef` +* `mod_lib_path`: デフォルト値: `undef` +* `mod_id`: デフォルト値: `undef` +* `mod_path`: デフォルト値: `undef` + +##### クラス: `apache::mod::proxy` + +I`mod_proxy`をインストールし、`proxy.conf.epp`テンプレートを使用して設定を生成します。 + +**`apache::mod::proxy`内のパラメータ**: + +- `allow_from`: デフォルト値: `undef` +- `apache_version`: デフォルト値: `undef` +- `package_name`: デフォルト値: `undef` +- `proxy_requests`: デフォルト値: 'Off' +- `proxy_via`: デフォルト値: 'On' + +##### クラス: `apache::mod::proxy_balancer` + +ロードバランシングを提供する[`mod_proxy_balancer`][]をインストールして管理します。 + +**パラメータ**:  + +* `manager`: バランサマネージャのサポートを有効にするかどうかを決定します。 + + デフォルト値: `false`。 + +* `manager_path`: バランサマネージャのサーバロケーション。 + + デフォルト値: '/balancer-manager'。 + +* `allow_from`: `/balancer-manager`にアクセスできるIPv4またはIPv6アドレスの[配列][]。 + + デフォルト値: ['127.0.0.1','::1']。  + +* `apache_version`: 文字列で表されるApacheのバージョン番号、'2.2'や'2.4'など。  + + デフォルト値: [`$::apache::apache_version`][`apache_version`]の値。Apache 2.4以上では、`mod_slotmem_shm`がロードされます。 + +##### クラス: `apache::mod::php` + +[`mod_php`][]をインストールして設定します。 + +**パラメータ**:  + +以下のパラメータのデフォルト値は、オペレーティングシステムによって異なります。このクラスのパラメータのほとんどは、`mod_php`ディレクティブに相当します。詳細については、[モジュールのドキュメント][`mod_php`]を参照してください。 + +* `package_name`: `mod_php`をインストールするパッケージの名前。 +* `path`: `mod_php`共有オブジェクト(`.so`)ファイルのパスを定義します。 +* `source`: デフォルト設定のパスを定義します。値には`puppet:///`パスが含まれます。 +* `template`: Puppetが設定ファイルの生成に使用する`php.conf`テンプレートのパスを定義します。 +* `content`: `php.conf`に任意のコンテンツを追加します。 + +##### クラス: `apache::mod::proxy_html` + +**注意**: `mod_proxy_html`に関して提供されている公式なパッケージはありません。そのため、apacheモジュールの外部から使用できるようにする必要があります。 + +##### クラス: `apache::mod::python` + +[`mod_python`][]をインストールして設定します。 + +**パラメータ**  + +* `loadfile_name`: pythonモジュールのロードに使用される設定ファイルの名前を指定します。 + +##### クラス: `apache::mod::reqtimeout` + +[`mod_reqtimeout`][]をインストールして設定します。 + +**パラメータ**  + +* `timeouts`: [`RequestReadTimeout`][]オプションを設定します。 + + 値: 文字列または[配列][]。 + + デフォルト値: ['header=20-40,MinRate=500', 'body=20,MinRate=500']。 + +##### クラス: `apache::mod::rewrite` + +Apacheモジュール`mod_rewrite`をインストールして有効にします。 + +##### クラス: `apache::mod::shib` + +[Shibboleth](http://shibboleth.net/) Apacheモジュール`mod_shib`をインストールします。このモジュールは、Shibboleth認証プロバイダおよびShibboleth FederationsによるSAML2シングルサインオン(SSO)認証を有効にするものです。このクラスを定義すると、`apache::vhost`インスタンス内でShibboleth固有のパラメータが有効になります。 + +このクラスでインストールおよび設定されるのは、Shibboleth SSO認証をコンシュームするWebアプリケーションのApacheコンポーネントのみです。PuppetでShibboleth設定を手動で管理することも、[Shibboleth Puppetモジュール](https://github.com/aethylred/puppet-shibboleth)を使用することもできます。 + +**注意**: shibbolethモジュールは、Shibbolethのリポジトリにより提供される依存関係パッケージがなければ、RH/CentOSでは使用できません。[Shibboleth Service Provider Installation Guide](http://wiki.aaf.edu.au/tech-info/sp-install-guide)を参照してください。 + +##### クラス: `apache::mod::ssl` + +[Apache SSL機能][`mod_ssl`]をインストールし、`ssl.conf.epp`テンプレートを使用して設定を生成します。ほとんどのオペレーティングシステムでは、この`ssl.conf`はモジュール設定ディレクトリに置かれています。Red Hatベースのオペレーティングシステムでは、このファイルは`/etc/httpd/conf.d`にあります。これは、RPMが設定を保存するのと同じロケーションです。 + +バーチャルホストでSSLを使用するには、`::apache`の[`default_ssl_vhost`][]パラメータを`true`に設定する**か**、[`apache::vhost`][]の[`ssl`][]パラメータを`true`に設定する必要があります。 + +- `ssl_cipher`: デフォルト値: 'HIGH:MEDIUM:!aNULL:!MD5:!RC4' +- `ssl_compression`: デフォルト値: false +- `ssl_cryptodevice`: デフォルト値: 'builtin' +- `ssl_honorcipherorder`: デフォルト値: true +- `ssl_openssl_conf_cmd`: デフォルト値: undef +- `ssl_cert`: デフォルト値: undef。 +- `ssl_key`: デフォルト値: undef。 +- `ssl_options`: デフォルト値: ['StdEnvVars'] +- `ssl_pass_phrase_dialog`: デフォルト値: 'builtin' +- `ssl_protocol`: デフォルト値: ['all', '-SSLv2', '-SSLv3']。 +- `ssl_proxy_protocol`: デフォルト値: [] +- `ssl_random_seed_bytes`: 有効なオプション: 文字列、デフォルト値: '512' +- `ssl_sessioncache`: 有効なオプション: 文字列。デフォルト値: '300' +- `ssl_sessioncachetimeout`: 有効なオプション: 文字列。デフォルト値: '300' +- `ssl_mutex`: デフォルト値: OSによって異なります。有効なオプション: [mod_ssl][mod_ssl]ドキュメントを参照 + - RedHat/FreeBSD/Suse/Gentoo: 'default' + - Debian/Ubuntu + Apache >= 2.4: 'default' + - Debian/Ubuntu + Apache < 2.4: 'file:\${APACHE_RUN_DIR}/ssl_mutex' +**パラメータ: + +* `ssl_cipher` + + デフォルト値: 'HIGH:MEDIUM:!aNULL:!MD5:!RC4' + +* `ssl_compression` + + デフォルト値: `false`。 + +* `ssl_cryptodevice` + + デフォルト値: 'builtin'  + +* `ssl_honorcipherorder` + + デフォルト値: `true`。 + +* `ssl_openssl_conf_cmd` + + デフォルト値: `undef`。 + +* `ssl_cert` + + デフォルト値: `undef`。 + +* `ssl_key` + + デフォルト値: `undef`。 + +* `ssl_options` + + デフォルト値: ['StdEnvVars'] + +* `ssl_pass_phrase_dialog` + + デフォルト値: 'builtin'  + +* `ssl_protocol` + + デフォルト値: ['all', '-SSLv2', '-SSLv3'] + +* `ssl_random_seed_bytes` + + 値: 文字列。  + + デフォルト値: '512' + +* `ssl_sessioncachetimeout` + + 値: 文字列。  + + デフォルト値: '300' + +* `ssl_mutex`: + + 値: [mod_ssl][mod_ssl]ドキュメントを参照。 + + デフォルト値: OSによって異なります: + + * RedHat/FreeBSD/Suse/Gentoo: 'default'. + * Debian/Ubuntu + Apache >= 2.4: 'default'. + * Debian/Ubuntu + Apache < 2.4: 'file:\${APACHE_RUN_DIR}/ssl_mutex'. + + +##### クラス: `apache::mod::status` + +[`mod_status`][]をインストールし、`status.conf.erb`テンプレートを使用して設定を生成します。 + +**パラメータ**:  + +* `allow_from`: `/server-status`にアクセスできるIPv4またはIPv6アドレスの[配列][]。 + + デフォルト値: ['127.0.0.1','::1']。  + +* Apacheバージョン2.4以降の`mod_authz_host` ディレクティブ(`require ip`、`require host`など)を使用して、アクセスできる/できないIPまたは名前の文字列、[配列][]、または[ハッシュ][]。このパラメータは、以下のいずれかの構成で指定します。 + + > Apacheバージョンが2.4以降の場合のみ使用 + + - `undef` - `allow_from` および古いディレクティブ構文(`Allow from `)を使用し、廃止予定の警告を通知します。 + - String + - `''`または`'unmanaged'` - authディレクティブなし(アクセス制御は別の方法で実施) + - `'ip '` - `/server-status`にアクセスできるIP/範囲 + - `'host '` - `/server-status`にアクセスできる名前/ドメイン + - `'all [granted|denied]'` - すべてのユーザを許可/ブロック + - 配列 - 各要素には上記のいずれかの文字列が入ります。配列要素ごとに1つのディレクティブになります。 + - 以下の構造を持つハッシュ(キー => 値の形式で表示、キーは文字列) + - `'requires'` => 上記に従った配列 - 配列と同じ作用 + - `'enforce'` => `'Any'`、`'All'`、`'None'`のいずれかの文字列(任意指定) - `'requires'`キーで指定されたすべてのディレクティブを``ブロックで囲みます。 + + デフォルト値: 'ip 127.0.0.1 ::1' + +* `extended_status`: [`ExtendedStatus`][]ディレクティブをつうじて、各リクエストに関する拡張ステータス情報を追跡するかどうかを決定します。 + + 値: 'Off'、'On'。 + + デフォルト値: 'On'。 + +* `status_path`: ステータスページのサーバロケーション。 + + デフォルト値: '/server-status'。 + +##### クラス: `apache::mod::userdir` + +`http://example.com/~user/`構文を用いて、ユーザ指定のディレクトリにアクセスできるようにします。すべてのパラメータは、[公式のApacheドキュメント](https://httpd.apache.org/docs/2.4/mod/mod_userdir.html)で見られます。 + +**パラメータ**:  + +* `overrides`: ディレクティブタイプの[配列][]。 + + デフォルト値: ['FileInfo', 'AuthConfig', 'Limit', 'Indexes']。 + +##### クラス: `apache::mod::version` + +多くのオペレーティングシステムおよびApache構成上で[`mod_version`][]をインストールします。 + +Apache 2.4を使用するDebianおよびUbuntuが`apache::mod::version`で分類された場合は、`mod_version`がビルトインされているためロードできない旨の警告をPuppetが表示します。 + +##### クラス: `apache::mod::security` + +Trustwaveの[`mod_security`][]をインストールして設定します。これはすべてのバーチャルホストでデフォルトで有効化され、実行されます。 + +**パラメータ**:  + +* `activated_rules`: `modsec_crs_path`のルールの[配列][]またはsymlinkを使用してアクティベートする絶対値。 +* `allowed_methods`: 許可されるHTTPメソッドのスペース区切りリスト。 + + デフォルト値: 'GET HEAD POST OPTIONS'。 + +* `content_types`: 1つまたは複数の許可される[MIMEタイプ][MIME `content-type`]のリスト。 + + デフォルト値: 'application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf'。 + +* `crs_package`: CRSルールをインストールするパッケージの名前。 + + デフォルト値: [`apache::params`][]内の`modsec_crs_package`。 + +* `manage_security_crs`: security_crs.confルールファイルを管理します。 + + デフォルト値: `true`。 + +* `modsec_dir`: Puppetがmodsec設定およびアクティベートされたルールリンクをインストールする場所のパスを定義します。 + + デフォルト値: 'On'、[`apache::params`][]の`modsec_dir`により設定。 +${modsec\_dir}/activated\_rules。 + +* `modsec_secruleengine`: modsecルールエンジンを設定します。値: 'On'、'Off'、'DetectionOnly'。 + + デフォルト値: [`apache::params`][]の`modsec_secruleengine`。 + +* `restricted_extensions`: 禁止されるファイル拡張子のスペース区切りリスト。 + + デフォルト値: '.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'。 + +* `restricted_headers`: 禁止されるヘッダのスラッシュおよびスペースで区切ったリスト。 + + デフォルト値: 'Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/'。 + +* `secdefaultaction`: OWASP ModSecurityコアルールセットに関して、動作モード、自己完結('deny')、コラボレーティブ検出('pass')を設定します。 + + デフォルト値: 'deny'。"log,auditlog,deny,status:406,tag:'SLA 24/7'"などの完全な値を設定することもできます。 + +* `secpcrematchlimit`: PCREライブラリのマッチ限度数を設定します。 + + デフォルト値: 1500。  + +* `secpcrematchlimitrecursion`: PCREライブラリのマッチ再帰制限数を設定します。 + + デフォルト値: 1500。  + +* `logroot`: オーディットおよびデバッグログの場所を設定します。 + + デフォルト値はApacheのログディレクトリ(Redhat: `/var/log/httpd`、Debian: `/var/log/apache2`)。 + +* `audit_log_relevant_status`: オーディットロギングの目的に関して、考慮すべき応答ステータスコードを設定します。 + + デフォルト値: '^(?:5|4(?!04))'。 + +* `audit_log_parts`: [オーディットログ][]に入れるべきセクションを設定します。 + + デフォルト値: 'ABIJDEFHZ'。 + +* `anomaly_score_blocking`: OWASP ModSecurityコアルールセットのコラボレーティブ検出ブロッキングをアクティベートまたはディアクティベートします。 + + デフォルト値: 'off'。 + +* `inbound_anomaly_threshold`: OWASP ModSecurityコアルールセットのコラボレーティブ検出モードに関して、インバウンドブロッキングルールのスコアリング閾値レベルを設定します。 + + デフォルト値: 5。  + +* `outbound_anomaly_threshold`: OWASP ModSecurityコアルールセットのコラボレーティブ検出モードに関して、アウトバウンドブロッキングルールのスコアリング閾値レベルを設定します。 + + デフォルト値: 4。  + +* `critical_anomaly_score`: OWASP ModSecurityコアルールセットのコラボレーティブ検出モードに関して、重要なセキュリティレベルのスコアリングポイントを設定します。 + + デフォルト値: 5。  + +* `error_anomaly_score`: OWASP ModSecurityコアルールセットのコラボレーティブ検出モードに関して、エラー深刻度レベルのスコアリングポイントを設定します。 + + デフォルト値: 4。  + +* `warning_anomaly_score`: OWASP ModSecurityコアルールセットのコラボレーティブ検出モードに関して、警告深刻度レベルのスコアリングポイントを設定します。 + + デフォルト値: 3。 + +* `notice_anomaly_score`: OWASP ModSecurityコアルールセットのコラボレーティブ検出モードに関して、通知深刻度レベルのスコアリングポイントを設定します。 + +デフォルト値: 2。 + +* `secrequestmaxnumargs`: リクエストの引数の最大数を設定します。 + + デフォルト値: 255。 + +* `secrequestbodylimit`: バッファリングに関してModSecurityが受け入れる最大リクエストボディサイズを設定します。 + + デフォルト値: '13107200'。 + +* `secrequestbodynofileslimit`: バッファリングに関してModSecurityが受け入れる最大リクエストボディサイズを設定します。リクエスト内でトランスポートされたファイルのサイズは除外されます。 + + デフォルト値: '131072'。 + +* `secrequestbodyinmemorylimit`: ModSecurityがメモリに保存する最大リクエストボディサイズを設定します。 + + デフォルト値: '131072'。 + +##### クラス: `apache::mod::wsgi` + +[`mod_wsgi`][]を使用したPythonサポートを有効にします。 + +**パラメータ**:  + +* `mod_path`: `mod_wsgi`共有オブジェクト(`.so`)ファイルのパスを定義します。 + + デフォルト値: `undef`。 + + * `mod_path`パラメータに`/`が含まれていない場合、Puppetではオペレーティングシステムのデフォルトのモジュールパスの先頭にこれを付加します。含まれている場合は、そのとおりに扱われます。 + +* `package_name`: `mod_wsgi`をインストールするパッケージの名前。 + + デフォルト値: `undef`。 + +* `wsgi_python_home`: '/path/to/venv'などの[`WSGIPythonHome`][]ディレクティブを定義します。 + + 値: パスを指定する文字列。  + + デフォルト値: `undef`。 + +* `wsgi_python_path`: '/path/to/venv/site-packages'などの[`WSGIPythonPath`][]ディレクティブを定義します。 + + 値: パスを指定する文字列。  + + デフォルト値: `undef`。 + +* `wsgi_restrict_embedded`: 'On'などの[`WSGIRestrictEmbedded`][]ディレクティブを定義します。 + +値: On|Off|undef。 + +デフォルト値: undef。 + +* `wsgi_socket_prefix`: "\${APACHE\_RUN\_DIR}WSGI"などの[`WSGISocketPrefix`][]ディレクティブを定義します。 + + デフォルト値: [`apache::params`][]の`wsgi_socket_prefix`。 + +このクラスのパラメータはモジュールのディレクティブに相当します。詳細については、[モジュールのドキュメント][`mod_wsgi`]を参照してください。 + +### プライベートクラス + +#### クラス: `apache::confd::no_accf` + +FreeBSDの Apache 2.4で必要とされる`no-accf.conf`設定ファイルを`conf.d`内に作成します。 + +#### クラス: `apache::default_confd_files` + +FreeBSDに`conf.d`を含めます。 + +#### クラス: `apache::default_mods` + +デフォルト設定の実行に必要なApacheモジュールをインストールします。詳細については、`apache`クラスの[`default_mods`][]パラメータを参照してください。 + +#### クラス: `apache::package` + +基本のApacheパッケージをインストールして設定します。 + +#### クラス: `apache::params` + +各種のオペレーティングシステムのApacheパラメータを管理します。 + +#### クラス: `apache::service` + +Apacheデーモンを管理します。 + +#### クラス: `apache::version` + +オペレーティングシステムに基づき、Apacheバージョンの自動検出を試みます。 + +##### Red Hat Software Collections (SCL) + +CentOS/RHELのSoftware Collectionsでは、新しいApacheおよびPHPに加え、他のパッケージも使用できます。 + +`scl_httpd_version`が設定されている場合、Apache Httpdは[Software Collections](https://www.softwarecollections.org/en/)からインストールされます。 + +`scl_httpd_version`が設定されている場合、PHPをインストールする予定がない場合でも`scl_php_version`を設定する必要があります。 + +リポジトリはこのモジュールではまだ管理されていません。CentOSでは、`centos-release-scl-rh`パッケージをインストールすることでリポジトリを有効にできます。 + +##### `scl_httpd_version` + +Red Hat Software Collections (SCL)を使用してインストールされるhttpdのバージョン。CentOSおよびRHELのコレクションでは、新しいApacheおよびPHPパッケージを使用できます。 + +`scl_httpd_version`を設定すると、Apache httpdは[Software Collections](https://www.softwarecollections.org/en/)からインストールされます。 + +`scl_httpd_version`を設定した場合、PHPをインストールする予定がない場合でも`scl_php_version`を設定する必要があります。 + +SCLリポジトリはこのモジュールではまだ管理されていません。CentOSでは、`centos-release-scl-rh`パッケージをインストールすることでリポジトリを有効にできます。 + +有効な値: インストールするhttpdのバージョンを指定する文字列。例えば、Apache 2.4の場合は'2.4'を指定します。 + +デフォルト値: undef。 + +##### `scl_php_version` + +Red Hat Software Collections (SCL)を使用してインストールするhttpdのバージョン。CentOSおよびRHELのコレクションでは、新しいApacheおよびPHPのパッケージを使用できます。 + +`scl_php_version`を設定すると、PHPは[Software Collections](https://www.softwarecollections.org/en/)からインストールされます。 + +SCLリポジトリはこのモジュールではまだ管理されていません。CentOSでは、`centos-release-scl-rh`パッケージをインストールすることでリポジトリを有効にできます。 + +有効な値: インストールするPHPのバージョンを指定する文字列。例えば、PHP 7.1の場合は'7.1'を指定します。 + +デフォルト値: undef。 + +### パブリック定義タイプ  + +#### 定義タイプ: `apache::balancer` + +[`mod_proxy`][]を用いて、Apacheロードバランシンググループ(バランサクラスタとも呼ばれます)を作成します。各ロードバランシンググループには、1つ以上のバランサメンバーが必要です。これは、 [`apache::balancermember`][]定義タイプによりPuppet内で宣言することができます。 + +各Apacheロードバランシンググループにつき、1つの`apache::balancer`定義タイプを宣言します。すべてのバランサメンバーについて`apache::balancermember`定義タイプをエクスポートし、[エクスポートリソース][]を用いて単一のApacheロードバランササーバで収集することもできます。 + +**パラメータ**:  + +##### `name` + +バランサクラスタのタイトルと、その設定を含む`conf.d`の名前を設定します。 + +##### `proxy_set` + +キー‐値ペアを[`ProxySet`][]行として設定します。値: [ハッシュ][]。 + +デフォルト値: '{}'。 + +##### `options` + +バランサURLの後に[オプション](https://httpd.apache.org/docs/current/mod/mod_proxy.html#balancermember)の[配列][]を指定します。[`ProxyPass`][]で使用可能な任意のキー-値ペアを使用できます。 + +デフォルト値: []。  + +##### `collect_exported` + +[エクスポートリソース][]を使用するかどうかを決定します。 + +すべてのバックエンドサーバを静的に宣言する場合は、このパラメータを`false`に設定し、宣言済みの既存のバランサメンバーリソースに依存するようにします。また、[配列][]引数とともに`apache::balancermember`を使用します。 + +中央ノードで収集したエクスポートリソースを使用してバックエンドサーバを動的に宣言するには、このパラメータを`true`に設定し、バランサメンバーノードによりエクスポートされたバランサメンバーリソースを収集します。 + +エクスポートリソースを使用しない場合は、1回のPuppet実行ですべてのバランサメンバーが設定されます。エクスポートリソースを使用する場合は、まずバランシングしたノードについてPuppetを実行し、次にバランサで実行する必要があります。 + +ブーリアン。 + +デフォルト値: `true`。 + +#### 定義タイプ: `apache::balancermember` + +[`mod_proxy_balancer`][]のメンバーを定義します。これにより、ロードバランサの`apache.cfg`内でリッスンするサービス設定ブロック内のバランサメンバーが設定されます。 + +**パラメータ**:  + +##### `balancer_cluster` + +**必須**。  + +Apacheサービスのインスタンス名を設定します。宣言された[`apache::balancer`][]リソースの名前と一致する必要があります。 + +##### `url` + +バランサメンバーサーバとの連絡に使用するURLを指定します。 + +デフォルト値: 'http://${::fqdn}/'。 + +##### `options` + +URL後に[オプション](https://httpd.apache.org/docs/current/mod/mod_proxy.html#balancermember)の[配列][]を指定します。[`ProxyPass`][]で使用可能な任意のキー-値ペアを使用できます。 + +デフォルト値: 空配列。  + +#### 定義タイプ: `apache::custom_config` + +Apacheサーバの`conf.d`ディレクトリにカスタム設定ファイルを追加します。このファイルが無効で、この定義タイプの[`verify_config`][]パラメータの値が`true`になっている場合は、Puppet実行時にエラーが生じます。 + +**パラメータ**:  + +##### `ensure` + +設定ファイルが存在するべきかどうかを指定します。 + +値: 'absent'、'present'。  + +デフォルト値: 'present'。  + +##### `confdir`  + +Puppetが設定ファイルを置くディレクトリを設定します。 + +デフォルト値: [`$::apache::confd_dir`][`confd_dir`]の値。 + +##### `content` + +設定ファイルのコンテンツを設定します。`content`および[`source`][]パラメータは、相互排他的な関係にあります。 + +デフォルト値: `undef`。  + +##### `filename` + +Puppetが設定を保存する`confdir`下のファイル名を設定します。 + +デフォルト値: `priority`パラメータから生成したファイル名およびリソース名。 + +##### `priority` + +Apacheでは設定ファイルがアルファベット順に処理されるため、ファイル名の先頭にこのパラメータの数値を付加することで、設定ファイルの優先順位を設定します。 + +設定ファイル名の優先順位の接頭値を無視するには、このパラメータを`false`に設定します。 + +デフォルト値: '25'。 + +##### `source` + +設定ファイルのソースを指します。[`content`][]および`source`パラメータは互いに排他的です。 + +デフォルト値: `undef`。  + +##### `verify_command` + +Puppetが設定ファイルの確認に用いるコマンドを指定します。完全修飾コマンドを使用してください。 + +このパラメータは、[`verify_config`][]パラメータの値が`true`になっている場合にのみ使用されます。`verify_command`が失敗すると、Puppet実行により設定ファイルが削除されてエラーが生じますが、Apacheサービスには通知されません。 + +デフォルト値: '/usr/sbin/apachectl -t'。 + +##### `verify_config` + +Apacheサービスに通知する前に設定ファイルのバリデーションを行うかどうかを指定します。 + +ブーリアン。 + +デフォルト値: `true`。 + +#### 定義タイプ: `apache::fastcgi::server` + +特定のファイルタイプを処理する1つまたは複数の外部FastCGIサーバを定義します。この定義タイプは、[`mod_fastcgi`][FastCGI]とともに使用します。 + +**パラメータ**  + +##### `host` + +FastCGIのホスト名またはIPアドレスおよびTCPポート番号(1-65535)を決定します。 + +デフォルト値: '127.0.0.1:9000'。 + +##### `timeout` + +リクエストが中止され、エラーLogLevelにイベントが記録されるまでに、[FastCGI][]アプリケーションが非アクティブの状態で待機する秒数を設定します。この非アクティブタイマーは、FastCGIアプリケーションとの接続が待機中の場合のみ適用されます。アプリケーションの待ち行列に入ったリクエストに対して時間内に記述やフラッシュによる応答がないと、リクエストは中止されます。アプリケーションとの通信は完了したものの、クライアントとの通信が完了しなかった(応答がバッファリングされた)場合は、タイムアウトは適用されません。 + +デフォルト値: 15。 + +##### `flush` + +アプリケーションから受信したデータを、強制的に[`mod_fastcgi`][FastCGI]がクライアントに書き込みます。デフォルトでは、アプリケーションをできるだけ早くフリーな状態にするために、`mod_fastcgi`はデータをバッファリングします。 + +デフォルト値: `false`。 + +##### `faux_path` + +Apacheには、このファイル名を決定するURIを処理する[FastCGI][]があります。このパラメータで設定されたパスは、ローカルのファイルシステムに存在する必要はありません。 + +デフォルト値: "/var/www/${name}.fcgi"。 + +##### `alias` + +FastCGIサーバとアクションを内部でリンクします。このエイリアスは一意である必要があります。 + +デフォルト値: "/${name}.fcgi"。 + +##### `file_type` + +FastCGIサーバにより処理するファイルの[MIME `content-type`][]を設定します。 + +デフォルト値: 'application/x-httpd-php'。 + +#### 定義タイプ: `apache::listen` + +Apacheサーバまたはバーチャルホストのリッスンするアドレスとポートを定義する、Apache設定ディレクトリの`ports.conf`に、[`Listen`][]ディレクティブを追加します。[`apache::vhost`][]クラスはこの定義タイプを使用します。タイトルは ``、`:`、または`:`の形式をとります。 + +#### 定義タイプ: `apache::mod` + +対応する[`apache::mod::`][]クラスを持たないApacheモジュール用のパッケージをインストールし、Apacheサーバの`module`および`enable`ディレクトリ内で、モジュールのデフォルト設定ファイルを確認または配置します。デフォルトのロケーションは、オペレーティングシステムによって異なります。 + +**パラメータ**:  + +##### `package` + +**必須**。  + +PuppetがApacheモジュールのインストールに使用するパッケージの名前。 + +デフォルト値: `undef`。 + +##### `package_ensure` + +Apacheモジュールをインストールの必要性をPuppetが確認するかどうかを決定します。 + +値: 'absent'、'present'。  + +デフォルト値: 'present'。  + +##### `lib` + +モジュールの共有オブジェクト名を定義します。特別な理由がない限り、手動で設定しないでください。 + +デフォルト値: `mod_$name.so`。 + +##### `lib_path` + +モジュールのライブラリのパスを指定します。特別な理由がない限り、手動で設定しないでください。[`path`][]パラメータは、この値をオーバーライドします。 + +デフォルト値: `apache`クラスの[`lib_path`][]パラメータ。 + + +##### `loadfile_name` + +モジュールの[`LoadFile`][]ディレクティブのファイル名を設定します。Apacheの処理はアルファベット順に行われるため、ファイル名によってモジュールのロード順序も設定できます。 + +値: `\*.load`の形式のファイル名。 + +デフォルト値: '$name.load'のように、リソース名の後に'load'をつけた値。 + +##### `loadfiles` + +[`LoadFile`][]ディレクティブの配列を指定します。 + +デフォルト値: `undef`。 + +##### `path` + +モジュールのパスを指定します。特別な理由がない限り、このパラメータは手動で設定しないでください。 + +デフォルト値: [`lib_path`][]/[`lib`][]。 + +#### 定義タイプ: `apache::namevirtualhost` + +[名前ベースのバーチャルホスト][]を有効にし、Apache HTTPD設定ディレクトリの `ports.conf`ファイルに関連するすべてのディレクティブを追加します。タイトルは、'\*'、'\*:\'、'\_default\_:\、'\'、または'\:\'の形式をとることができます。 + +#### 定義タイプ: `apache::vhost` + +apacheモジュールでは、バーチャルホストのセットアップと設定に関して、かなりの柔軟性が認められています。この柔軟性の一部は、定義リソースタイプの`vhost`によるものです。これを使えば、さまざまなパラメータを用いて、Apacheを何度も検証することができます。 + +`apache::vhost`定義タイプを使えば、デフォルトの範囲外の要件を持つバーチャルホストについて、特別な設定をすることができます。基本の`::apache`クラス内でデフォルトのバーチャルホストを設定することも、カスタマイズしたバーチャルホストをデフォルトとして設定することもできます。カスタマイズしたバーチャルホストの[`priority`][]の数値は基本のクラスよりも小さくなるため、Apacheはカスタマイズしたバーチャルホストを先に処理します。 + +`apache::vhost`定義タイプでは、`concat::fragment`を使用して設定ファイルを構築します。定義タイプがもともとサポートしていない設定の要素についてカスタムフラグメントを挿入するには、カスタムフラグメントをひとつずつ追加します。 + +`apache::vhost`定義タイプでは、カスタムフラグメントの`order`パラメータについては10の倍数が使用されるため、10の倍数ではない`order`が機能します。 + +> **Note:** `apache::vhost`を作成するとき、`default`または`default-ssl`を指定することはできません。これはこの属性を持つvhostsが常にモジュールによって管理されるためです。これは`Apache::Vhost['default']`または`Apache::Vhost['default-ssl]`リソースを上書きできないことを意味します。 オプションの回避策として、`my default`などの別の名前のvhostを作成して、`default`および`default_ssl`が`false`に設定されていることを確認します。 + +``` +class { 'apache': + default_vhost => false + default_ssl_vhost => false, +} +``` + +**パラメータ**:  + +##### `access_log` + +`*_access.log`ディレクティブ(`*_file`,`*_pipe`または`*_syslog`)を設定するかどうかを決定します。 + +ブーリアン。 + +デフォルト値: `true`。 + +##### `access_log_env_var` + +特定の環境変数を持つリクエストのみをロギングするように指定します。 + +デフォルト値: `undef`。 + +##### `access_log_file` + +[`logroot`][]に置く`*_access.log`のファイル名を設定します。バーチャルホスト---例えばexample.comなど---を与えると、[SSL暗号化][SSL暗号化]バーチャルホストの場合はデフォルト値が'example.com_ssl.log'、暗号化されていないバーチャルホストの場合は'example.com_access.log'になります。 + +デフォルト値: `false`。 + +##### `access_log_format` + +アクセスログに、[`LogFormat`][]のニックネームかカスタムフォーマットの文字列のいずれを使うかを指定します。 + +デフォルト値: 'combined'。 + +##### `access_log_pipe` + +Apacheがアクセスログメッセージを送信するパイプを指定します。 + +デフォルト値: `undef`。 + +##### `access_log_syslog` + +すべてのアクセスログメッセージをsyslogに送ります。 + +デフォルト値: `undef`。 + +##### `add_default_charset` + +[`AddDefaultCharset`][]ディレクティブのデフォルトのメディア文字セット値を設定します。これは`text/plain`および`text/html`応答に追加されます。 + +デフォルト値: `undef`。 + +##### `add_listen` + +バーチャルホストが[`Listen`][]ステートメントを作成するかどうかを決定します。 + +`add_listen`を`false`に設定すると、バーチャルホストは`Listen`ステートメントを作成しません。これは、`ip`パラメータを渡されていないバーチャルホストと渡されているバーチャルホストを組み合わせる場合に重要となります。 + +ブーリアン。 + +デフォルト値: `true`。 + +##### `use_optional_includes` + +Apache 2.4以降の`additional_includes`について、Apacheが[`Include`][]の代わりに[`IncludeOptional`][]ディレクティブを使うかどうかを指定します。 + +ブーリアン。 + +デフォルト値: `false`。 + +##### `additional_includes` + +追加の静的なバーチャルホスト固有のApache設定ファイルのパスを指定します。このパラメータを使えば、このモジュールでサポートされていない固有のカスタム設定を実装することができます。 + +値: パスを指定する文字列また文字列の[配列][]。 + +デフォルト値: 空配列。  + +##### `aliases` + +[ハッシュ][ハッシュ]のリストをバーチャルホストに渡し、[`mod_alias`][]ドキュメントに従って[`Alias`][]、[`AliasMatch`][]、[`ScriptAlias`][]、または[`ScriptAliasMatch`][]ディレクティブを作成します。 + +例:  + +``` puppet +aliases => [ + { aliasmatch => '^/image/(.*)\.jpg$', + path => '/files/jpg.images/$1.jpg', + }, + { alias => '/image', + path => '/ftp/pub/image', + }, + { scriptaliasmatch => '^/cgi-bin(.*)', + path => '/usr/local/share/cgi-bin$1', + }, + { scriptalias => '/nagios/cgi-bin/', + path => '/usr/lib/nagios/cgi-bin/', + }, + { alias => '/nagios', + path => '/usr/share/nagios/html', + }, +], +``` + +`alias`、`aliasmatch`、`scriptalias`、`scriptaliasmatch`キーを機能させるには、``、``などの、それぞれに対応するコンテキストが必要です。Puppetは`aliases`パラメータで指定された順序でディレクティブを作成します。[`mod_alias`][]ドキュメントにもあるように、シャドーイングを避けるため、まず具体性の高い`alias`、`aliasmatch`、`scriptalias`、`scriptaliasmatch`パラメータを追加してから、全般的なパラメータを追加してください。 + +> **注意**: `scriptaliases`パラメータの代わりに`aliases`パラメータを使用すれば、各種のエイリアスディレクティブの順序を正確に制御できます。`scriptaliases`パラメータを使って`ScriptAliases`を定義すると、すべての*`Alias`ディレクティブの後に*すべての*`ScriptAlias`ディレクティブが*処理されます。これは`Alias`ディレクティブによる`ScriptAlias`ディレクティブのシャドーイングにつながり、多くの場合、問題が生じます。例えば、Nagiosに関する問題が生じる可能性があります。 + +I[`apache::mod::passenger`][]がロードされ、`PassengerHighPerformance`が`true`になっている場合、`Alias`ディレクティブが`PassengerEnabled => off`ステートメントを履行できない可能性があります。詳細については、[この記事](http://www.conandalton.net/2010/06/passengerenabled-off-not-working.html)を参照してください。 + +##### `allow_encoded_slashes` + +バーチャルホストの[`AllowEncodedSlashes`][]宣言を設定し、サーバのデフォルトをオーバーライドします。これにより、`\`および`/`文字を含むURLに対するバーチャルホストの応答が変更されます。値: 'nodecode'、'off'、'on'。デフォルト設定では、サーバ設定からこの宣言が省かれ、Apacheのデフォルト設定'Off'が選択されます。 + +デフォルト値: `undef`。  + +##### `block` + +Apacheがアクセスをブロックする対象のリストを指定します。有効なオプション: 'scm'、これにより、`.svn`、`.git`、`.bzr`ディレクティブへのWebアクセスがブロックされます。 + +デフォルト値: 空[配列][]。 + +##### `cas_attribute_prefix` + +SAMLバリデーションが有効になっている場合に、このヘッダの値を属性値としてヘッダを追加します。 + +デフォルト値: [`apache::mod::auth_cas`][]により設定された値。 + +##### `cas_attribute_delimiter` + +`cas_attribute_prefix`により作成されたヘッダの属性値の区切り文字を設定します。 + +デフォルト値: [`apache::mod::auth_cas`][]により設定された値。  + +##### `cas_login_url` + +ユーザがCASで保護されたリソースへのアクセスを試み、かつアクティブなセッションがない場合に、モジュールがユーザをリダイレクトする先のURLを設定します。 + +デフォルト値: [`apache::mod::auth_cas`][]により設定された値。  + +##### `cas_scrub_request_headers` + +mod_auth_cas内で特別な意味を持つ可能性のあるインバウンドリクエストヘッダを削除します。 + +デフォルト値: [`apache::mod::auth_cas`][]により設定された値。  + +##### `cas_sso_enabled` + +`cas_sso_enabled`: シングルサインアウトの実験的サポートを有効にします(POSTデータが壊れる可能性があります)。 + +デフォルト値: [`apache::mod::auth_cas`][]により設定された値。  + +##### `cas_validate_saml` + +SAMLに関するCASサーバからの解析応答。 + +デフォルト値: [`apache::mod::auth_cas`][]により設定された値。  + +##### `cas_validate_url` + +HTTPクエリ文字列でクライアントの提示するチケットをバリデーションする際に使用するURL。 + +デフォルト値: [`apache::mod::auth_cas`][]により設定された値。 + + +##### `comment` + +設定ファイルのヘッダにコメントを追加します。文字列または文字列の配列として渡します。 + +デフォルト値: `undef`。 + +例:  + +``` puppet +comment => "Account number: 123B", +``` + +Or: + +``` puppet +comment => [ + "Customer: X", + "Frontend domain: x.example.org", +] +``` + +##### `custom_fragment` + +カスタム設定ディレクティブの文字列を渡し、バーチャルホスト設定の最後に配置します。 + +デフォルト値: `undef`。 + +##### `default_vhost` + +任意の`apache::vhost`定義タイプを、他の`apache::vhost`定義タイプと一致しないリクエストをサーブするためのデフォルトとして設定します。 + +デフォルト値: `false`。 + +##### `directories` + +[`directories`](#parameter-directories-for-apachevhost)セクションを参照してください。 + +##### `directoryindex` + +ディレクトリ名の最後で'/'を指定することで、クライアントがディレクトリのインデックスをリクエストした際に探すべきリソースのリストを設定します。詳細については、[`DirectoryIndex`][]ディレクティブドキュメントを参照してください。 + +デフォルト値: `undef`。 + +##### `docroot` + +**必須**。  + +[`DocumentRoot`][]ロケーションを設定します。Apacheはここからファイルをサーブします。 + +`docroot`と[`manage_docroot`][]がともに`false`に設定されている場合、[`DocumentRoot`][]は設定されず、それに付随する``ブロックは作成されません。 + +値: ディレクトリパスを指定する文字列。 + +##### `docroot_group` + +[`docroot`][]ディレクトリへのグループアクセスを設定します。 + +値: システムグループを指定する文字列。 + +デフォルト値: 'root'。  + +##### `docroot_owner` + +[`docroot`][]ディレクトリへの個々のユーザのアクセスを設定します。 + +値: ユーザアカウントを指定する文字列。 + +デフォルト値: 'root'。  + +##### `docroot_mode` + +[`docroot`][]ディレクトリへのアクセス許可を数字表記法で設定します。 + +値: 文字列。  + +デフォルト値: `undef`。 + +##### `manage_docroot` + +Puppetが[`docroot`][]ディレクトリを管理するかどうかを決定します。 + +ブーリアン。 + +デフォルト値: `true`。 + +##### `error_log` + +`*_error.log`ディレクティブを設定するかどうかを指定します。 + +ブーリアン。 + +デフォルト値: `true`。 + +##### `error_log_file` + +バーチャルホストのエラーログについて、`*_error.log`ファイルを優先します。このパラメータが定義されていない場合、Puppetはまず[`error_log_pipe`][]で、次に[`error_log_syslog`][]で値を確認します。 + +これらのパラメータをいずれも設定しない場合は、例えばバーチャルホストが`example.com`なら、PuppetはSSLバーチャルホストのデフォルトを'$logroot/example.com_error_ssl.log'、非SSLバーチャルホストのデフォルトを'$logroot/example.com_error.log'とします。 + +デフォルト値: `undef`。 + +##### `error_log_pipe` + +エラーログメッセージを送るパイプを指定します。 + +[`error_log_file`][]パラメータに値がある場合は、このパラメータに効力は生じません。このパラメータにも`error_log_file`にも値がない場合、Puppetは[`error_log_syslog`][]をチェックします。 + +デフォルト値: `undef`。 + +##### `error_log_syslog` + +すべてのエラーログメッセージをsyslogに送るかどうかを決定します。 + +[`error_log_file`][]パラメータまたは[`error_log_pipe`][]パラメータのいずれかに値がある場合、このパラメータの効力は生じません。これらのパラメータのいずれにも値がない場合は、例えばバーチャルホスト`example.com`では、PuppetはSSLバーチャルホストのデフォルトを'$logroot/example.com_error_ssl.log'、非SSLバーチャルホストのデフォルトを '$logroot/example.com_error.log'とします。 + +ブーリアン。 + +デフォルト値: `undef`。 + +##### `error_documents` + +このバーチャルホストの[エラードキュメント](https://httpd.apache.org/docs/current/mod/core.html#errordocument)設定のオーバーライドに使用できるハッシュのリスト。 + +例:  + +``` puppet +apache::vhost { 'sample.example.net': + error_documents => [ + { 'error_code' => '503', 'document' => '/service-unavail' }, + { 'error_code' => '407', 'document' => 'https://example.com/proxy/login' }, + ], +} +``` + +デフォルト値: []。  + +##### `ensure` + +バーチャルホストが存在するかどうかを指定します。 + +値: 'absent'、'present'。  + +デフォルト値: 'present'。  + +##### `fallbackresource` + +[FallbackResource](https://httpd.apache.org/docs/current/mod/mod_dir.html#fallbackresource)ディレクティブを設定します。このディレクティブは、ファイルシステム内のどこにもマッピングされていないURLに対してどのようなアクションをとるか指定します。指定されていない場合は'HTTP 404 (Not Found)'が返されます。値は'/'で始めるか、'disabled'とする必要があります。 + +デフォルト値: `undef`。 + +##### `fastcgi_idle_timeout` + +fastcgiを使用する場合に、このオプションにより、サーバ応答のタイムアウトを設定します。 + +デフォルト値: `undef`。 + +##### `file_e_tag` + +[`FileETag`][]宣言のサーバデフォルトを設定します。これにより、静的ファイルの応答ヘッダフィールドが変更されます。 + +値: 'INode'、'MTime'、'Size'、'All'、'None'。 + +デフォルト値: `undef`、この場合、Apacheのデフォルト設定'MTime Size'が使用されます。 + +##### `filters` + +[フィルタ](https://httpd.apache.org/docs/current/mod/mod_filter.html)により、アウトプットコンテンツフィルタのスマートな文脈依存設定が有効になります。 + +``` puppet +apache::vhost { "$::fqdn": + filters => [ + 'FilterDeclare COMPRESS', + 'FilterProvider COMPRESS DEFLATE resp=Content-Type $text/html', + 'FilterChain COMPRESS', + 'FilterProtocol COMPRESS DEFLATE change=yes;byteranges=no', + ], +} +``` + +##### `force_type` + +[`ForceType`][]ディレクティブを設定します。このディレクティブは、[MIME `content-type`][]がこのパラメータの値に一致するすべてのマッチングファイルをApacheに強制的にサーブさせます。 + +#### `add_charset` + +ディレクトリおよびファイル拡張子ごとに、Apacheにカスタムコンテンツ文字セットを設定させます。 + +##### `headers` + +レスポンスヘッダを置換、結合、または削除するための行を追加します。詳細については、[Apacheのmod_headersドキュメント](https://httpd.apache.org/docs/current/mod/mod_headers.html#header)を参照してください。 + +値: 文字列または文字列の配列。  + +デフォルト値: `undef`。 + +##### `ip` + +バーチャルホストがリッスンするIPアドレスを設定します。デフォルトでは、Apacheのデフォルト挙動が使用され、すべてのIPをリッスンします。 + +値: 文字列または文字列の配列。  + +デフォルト値: `undef`。 + +##### `ip_based` + +[IPベースの](https://httpd.apache.org/docs/current/vhosts/ip-based.html)バーチャルホストを有効にします。このパラメータにより、NameVirtualHostディレクティブの作成が禁止されます。これは、このディレクティブが名前ベースのバーチャルホストにリクエストを送る際に使用されるためです。 + +デフォルト値: `false`。 + +##### `itk` + +ハッシュで[ITK](http://mpm-itk.sesse.net/)を設定します。 + +通常は、以下のように使用します。 + +``` puppet +apache::vhost { 'sample.example.net': + docroot => '/path/to/directory', + itk => { + user => 'someuser', + group => 'somegroup', + }, +} +```  + +値: ハッシュ。キーを含めることもできます。 + +* ユーザ + グループ +* `assignuseridexpr` +* `assigngroupidexpr` +* `maxclientvhost` +* `nice` +* `limituidrange` (Linux 3.5.0以降) +* `limitgidrange` (Linux 3.5.0以降) + +通常は、以下のように使用します。  + +``` puppet +apache::vhost { 'sample.example.net': + docroot => '/path/to/directory', + itk => { + user => 'someuser', + group => 'somegroup', + }, +} +```  + +デフォルト値: `undef`。 + +##### `jk_mounts` + +'JkMount'および'JkUnMount'ディレクティブによりバーチャルホストを設定し、TomcatとApacheの間をマッピングするURLのパスを処理します。 + +このパラメータは、ハッシュの配列にする必要があります。各ハッシュには、'worker'と、'mount'または'unmount'キーのいずれかが含まれている必要があります。 + +通常は、以下のように使用します。  + +``` puppet +apache::vhost { 'sample.example.net': + jk_mounts => [ + { mount => '/*', worker => 'tcnode1', }, + { unmount => '/*.jpg', worker => 'tcnode1', }, + ], +} +``` +デフォルト値: `undef`。 + +##### `keepalive` + +バーチャルホストで[`KeepAlive`][]ディレクティブによるHTTPの持続的接続を有効にするかどうかを決定します。デフォルトでは、グローバルなサーバ全体の[`KeepAlive`][]設定が有効になります。 + +バーチャルホストの関連オプションを設定するには、`keepalive_timeout`および`max_keepalive_requests`パラメータを使用します。 + +値: 'Off'、'On'。 + +デフォルト値: `undef`。  + +##### `keepalive_timeout` + +バーチャルホストの[`KeepAliveTimeout`]ディレクティブを設定します。これにより、HTTPの持続的接続で後続のリクエストを実行するまでの待機時間が決まります。デフォルトでは、グローバルなサーバ全体の[`KeepAlive`][]設定が有効になります。 + +このパラメータが意味を持つのは、グローバルなサーバ全体の[`keepalive`パラメータ][]またはバーチャルホストごとの`keepalive`パラメータのいずれかが有効になっている場合のみです。  + +デフォルト値: `undef`。  + +##### `max_keepalive_requests` + +接続1回につき許可されるバーチャルホストへのリクエスト数を制限します。デフォルトでは、グローバルなサーバ全体の[`KeepAlive`][]設定が有効になります。 + +このパラメータが意味を持つのは、グローバルなサーバ全体の[`keepalive`パラメータ][]またはバーチャルホストごとの`keepalive`パラメータのいずれかが有効になっている場合のみです。  + +デフォルト値: `undef`。 + +##### `auth_kerb` + +バーチャルホストの[`mod_auth_kerb`][]パラメータを有効にします。 + +通常は、以下のように使用します。  + +``` puppet +apache::vhost { 'sample.example.net': + auth_kerb => `true`, + krb_method_negotiate => 'on', + krb_auth_realms => ['EXAMPLE.ORG'], + krb_local_user_mapping => 'on', + directories => { + path => '/var/www/html', + auth_name => 'Kerberos Login', + auth_type => 'Kerberos', + auth_require => 'valid-user', + }, +} +``` + +関連するパラメータは、`mod_auth_kerb`ディレクティブの名前に従います。 + +- `krb_method_negotiate`: Negotiateメソッドを使用するかどうかを決定します。デフォルト値: 'on'。 +- `krb_method_k5passwd`: Kerberos v5に関してパスワードベースの認証を使用するかどうかを決定します。デフォルト値: 'on'。 +- `krb_authoritative`: 'off'に設定すると、認証コントロールを別のモジュールに渡すことができます。デフォルト値: 'on'。 +- `krb_auth_realms`: 認証に使用するKerberos領域の配列を指定します。デフォルト値: []。 +- `krb_5keytab`: Kerberos v5キータブファイルのロケーションを指定します。デフォルト値: `undef`。 +- `krb_local_user_mapping`: 今後の使用のために、ユーザ名から@REALMを取り除きます。デフォルト値: `undef`。 + +ブーリアン。 + +デフォルト値: `false`。 + +##### `krb_verify_kdc` + +このオプションを使えば、ローカルなキータブに対する認証チケットを無効にし、KDCスプーフィング攻撃を防ぐことができます。 + +デフォルト値: 'on'。 + +##### `krb_servicename` + +Apacheが認証に使用するサービス名を指定します。この名前に対応するキーをキータブに保存する必要があります。 + +デフォルト値: 'HTTP'。 + +##### `krb_save_credentials` + +このオプションにより、認証情報の保存機能が有効になります。 + +デフォルト値: 'off'。 + +##### `logroot` + +バーチャルホストのログファイルの保存場所を指定します。 + +デフォルト値: `/var/log//`。 + +##### `$logroot_ensure` + +バーチャルホストのlogrootディレクトリを削除するかどうかを決定します。 + +値: 'directory'、'absent'。 + +デフォルト値: 'directory'。 + +##### `logroot_mode` + +logrootディレクトリで設定されたモードをオーバーライドします。影響を把握できない場合は、ログが保存されているディレクトリへの書き込みアクセス権限を付与*しないで*ください。詳細については、[Apacheのログセキュリティドキュメント](https://httpd.apache.org/docs/2.4/logs.html#security)を参照してください。 + +デフォルト値: `undef`。 + +##### `logroot_owner` + +logrootディレクトリへの個々のユーザのアクセスを設定します。 + +デフォルト値:`undef`。 + +##### `logroot_group` + +[`logroot`][]ディレクトリへのグループアクセスを設定します。 + +デフォルト値:`undef`。 + +##### `log_level` + +エラーログの詳細レベルを指定します。 + +値: 'emerg'、'alert'、'crit'、'error'、'warn'、'notice'、'info'、'debug'。 + +デフォルト値: グローバルサーバ設定については'warn'。バーチャルホストごとにオーバーライドできます。 + +###### `modsec_body_limit` + +バッファリングに関してModSecurityが受け入れる最大リクエストボディサイズをバイト数で設定します。 + +値: 整数。 + +デフォルト値: `undef`。 + +###### `modsec_disable_vhost` + +バーチャルホストで[`mod_security`][]を無効にします。[`apache::mod::security`][]が含まれている場合にのみ有効です。 + +ブーリアン。 + +デフォルト値: `undef`。 + +###### `modsec_disable_ids` + +バーチャルホストから`mod_security` IDを削除します。 + +値: バーチャルホストから削除する`mod_security` IDの配列。ハッシュも使用できます。この場合、特定のロケーションからのIDの削除が可能です。 + +``` puppet +apache::vhost { 'sample.example.net': + modsec_disable_ids => [ 90015, 90016 ], +} +``` + +``` puppet +apache::vhost { 'sample.example.net': + modsec_disable_ids => { '/location1' => [ 90015, 90016 ] }, +} +``` + +デフォルト値: `undef`。 + +###### `modsec_disable_ips` + +[`mod_security`][]ルールマッチングから除外するIPアドレスの配列を指定します。 + +デフォルト値: `undef`。 + +###### `modsec_disable_msgs` + +バーチャルホストから削除するmod_security Msgの配列。ハッシュも使用できます。この場合、特定のロケーションからのMsgの削除が可能です。 + +``` puppet +apache::vhost { 'sample.example.net': + modsec_disable_msgs => ['Blind SQL Injection Attack', 'Session Fixation Attack'], +} +``` + +``` puppet +apache::vhost { 'sample.example.net': + modsec_disable_msgs => { '/location1' => ['Blind SQL Injection Attack', 'Session Fixation Attack'] }, +} +``` + +デフォルト値: `undef`。 + +###### `modsec_disable_tags` + + バーチャルホストから削除するmod_securityタグの配列。ハッシュも使用できます。この場合、特定のロケーションからのタグの削除が可能です。 + +``` puppet +apache::vhost { 'sample.example.net': + modsec_disable_tags => ['WEB_ATTACK/SQL_INJECTION', 'WEB_ATTACK/XSS'], +} +``` + +``` puppet +apache::vhost { 'sample.example.net': + modsec_disable_tags => { '/location1' => ['WEB_ATTACK/SQL_INJECTION', 'WEB_ATTACK/XSS'] }, +} +``` + +デフォルト値: `undef`。 + +##### `modsec_audit*` + +* `modsec_audit_log` +* `modsec_audit_log_file` +* `modsec_audit_log_pipe` + +この3つのパラメータは、いずれも`mod_security`オーディットログの送信方法を決定します([SecAuditLog](https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#SecAuditLog))。 + +* `modsec_audit_log_file`が設定されている場合は、[`logroot`][]と比較されます。 + + デフォルト値: `undef`。 + +* `modsec_audit_log_pipe`を設定する場合は、パイプで始める必要があります。例えば、'|/path/to/mlogc /path/to/mlogc.conf'のようになります。 + + デフォルト値: `undef`。 + +* `modsec_audit_log`が`true`になっている場合、バーチャルホスト---example.comなど---を与えると、[SSL暗号化][SSL encryption]バーチャルホストの場合はデフォルト値が'example.com\_security\_ssl.log'、暗号化されていないバーチャルホストの場合は'example.com\_security.log'になります。 + + デフォルト値: `false`。 + +上述のパラメータがいずれも設定されていない場合、グローバルオーディットログが使用されます(''/var/log/httpd/modsec\_audit.log''; Debianおよびデリバティブ: ''/var/log/apache2/modsec\_audit.log''; その他: )。 + +##### `no_proxy_uris` + +プロキシを使用しないURLを指定します。このパラメータは、[`proxy_dest`](#proxy_dest)と組み合わせて使用することはできません。 + +デフォルト値: []。  + +##### `no_proxy_uris_match` + +このディレクティブは[`no_proxy_uris`][]と同じですが、正規表現をとります。 + +デフォルト値: []。  + +##### `proxy_preserve_host` + +[ProxyPreserveHostディレクティブ](https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypreservehost)を設定します。 + +このパラメータを`true`に設定すると、受信リクエストの`Host:`行が有効になり、ホスト名ではなくホストにプロキシされます。`false`に設定すると、このディレクティブが'Off'になります。 + +ブーリアン。 + +デフォルト値: `false`。 + +##### `proxy_add_headers` + +[ProxyAddHeadersディレクティブ](https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxyaddheaders)を設定します。 + +このパラメータは、プロキシ関連のHTTPヘッダ(X-Forwarded-For、X-Forwarded-Host、X-Forwarded-Server)をバックエンドサーバに送信するかどうかを制御します。 + +ブーリアン。 + +デフォルト値: `false`。 + +##### `proxy_error_override` + +[ProxyErrorOverrideディレクティブ](https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxyerroroverride)を設定します。このディレクティブは、プロキシされたコンテンツに関するエラーページをApacheによりオーバーライドすべきかどうかを制御します。 + +ブーリアン。 + +デフォルト値: `false`。 + +##### `options` + +指定されたバーチャルホストの[`Options`][]を設定します。例: + +``` puppet +apache::vhost { 'site.name.fdqn': + … + options => ['Indexes','FollowSymLinks','MultiViews'], +} +``` + +> **注意**: [`apache::vhost`][]の[`directories`][]パラメータを使うと、'Options'、'Override'、'DirectoryIndex'は`directories`内のパラメータであるため、無視されます。 + +デフォルト値: ['Indexes','FollowSymLinks','MultiViews']。 + +##### `override` + +指定されたバーチャルホストのオーバーライドを設定します。[AllowOverride](https://httpd.apache.org/docs/current/mod/core.html#allowoverride)引数の配列を使用できます。 + +デフォルト値: ['None']。 + +##### `passenger_spawn_method` + +[PassengerSpawnMethod](https://www.phusionpassenger.com/library/config/apache/reference/#passengerspawnmethod)を設定します。Passengerが引き起こしたアプリケーションに直接か、preforkのcopy-on-writeメカニズムを使用します。 + +有効なオプション: `smart`または`direct`。 + +デフォルト値: `undef`。 + +##### `passenger_app_root` + +[PassengerRoot](https://www.phusionpassenger.com/library/config/apache/reference/#passengerapproot)を設定します。これは、DocumentRootと異なる場合のPassengerアプリケーションルートのロケーションです。 + +値: パスを指定する文字列。  + +デフォルト値: `undef`。 + +##### `passenger_app_env` + +[PassengerAppEnv](https://www.phusionpassenger.com/library/config/apache/reference/#passengerappenv)を設定します。これは、Passengerアプリケーションに関する環境です。指定されていない場合は、グローバル設定の'production'がデフォルトになります。 + +値: 環境名を指定する文字列。 + +デフォルト値: `undef`。 + +##### `passenger_log_file` + +デフォルトでは、PassengerログメッセージはApacheグローバルエラーログに書き込まれます。[PassengerLogFile](https://www.phusionpassenger.com/library/config/apache/reference/#passengerlogfile)を使えば、そのメッセージを別のファイルに書き込むように設定することができます。このオプションは、Passenger 5.0.5以降でのみ使用できます。 + +値: パスを指定する文字列。  + +デフォルト値: `undef`。 + +##### `passenger_log_level` + +このオプションを使えば、ログファイルに書き込む情報の量を指定できます。設定されていない場合は、[PassengerLogLevel](https://www.phusionpassenger.com/library/config/apache/reference/#passengerloglevel)は設定ファイルに表示されず、デフォルト値が使用されます。 + +デフォルト値: 3.0.0以前のPassengerバージョン: '0'; 5.0.0以降: '3'。 + +##### `passenger_ruby` + +[PassengerRuby](https://www.phusionpassenger.com/library/config/apache/reference/#passengerruby)を設定します。これは、バーチャルホスト上でこのアプリケーションに関して使用するRubyインタープリタです。 + +デフォルト値: `undef`。 + +##### `passenger_min_instances` + +[PassengerMinInstances](https://www.phusionpassenger.com/library/config/apache/reference/#passengermininstances)を設定します。これは、実行するアプリケーションプロセスの最小数です。 + +##### `passenger_max_requests` + +[PassengerMaxRequests](https://www.phusionpassenger.com/library/config/apache/reference/#pas +sengermaxrequests)を設定します。これは、アプリケーションプロセスが処理するリクエストの最大数です。 + +##### `passenger_max_instances_per_app` + +[PassengerMaxInstancesPerApp](https://www.phusionpassenger.com/library/config/apache/reference/#passengermaxinstancesperapp)を設定します。これは、単一のアプリケーションに関して同時に存在できるアプリケーションプロセスの最大数です。 + +デフォルト値: `undef`。 + +##### `passenger_start_timeout` + +[PassengerStartTimeout](https://www.phusionpassenger.com/library/config/apache/reference/#passengerstarttimeout)を設定します。これは、アプリケーション起動のタイムアウトです。 + +##### `passenger_pre_start` + +[PassengerPreStart](https://www.phusionpassenger.com/library/config/apache/reference/#passengerprestart)を設定します。これは、プレ起動が必要とされる場合のアプリケーションのURLです。 + +##### `passenger_user` + +[PassengerUser](https://www.phusionpassenger.com/library/config/apache/reference/#passengeruser)を設定します。これは、サンドボックスアプリケーションの実行ユーザです。 + +##### passenger_group + + [PassengerGroup](https://www.phusionpassenger.com/library/config/apache/reference/#passengergroup)を設定します。これは、サンドボックスアプリケーションの実行グループです。 + +##### `passenger_high_performance` + +[`PassengerHighPerformance`](https://www.phusionpassenger.com/library/config/apache/reference/#passengerhighperformance)パラメータを設定します。 + +値: `true`、`false`。 + +デフォルト値: `undef`。 + +##### `passenger_nodejs` + +[`PassengerNodejs`](https://www.phusionpassenger.com/library/config/apache/reference/#passengernodejs)を設定します。これは、バーチャルホスト上でこのアプリケーションに関して使用するNodeJSインタープリタです。 + +##### `passenger_sticky_sessions` + +[`PassengerStickySessions`](https://www.phusionpassenger.com/library/config/apache/reference/#passengerstickysessions)パラメータを設定します。 + +ブーリアン。 + +デフォルト値: `undef`。 + +##### `passenger_startup_file` + +[`PassengerStartupFile`](https://www.phusionpassenger.com/library/config/apache/reference/#passengerstartupfile)パスを設定します。このパスは、アプリケーションルートに関連しています。 + +##### `php_values & php_flags` + +バーチャルホストごとの設定[`php_value`または`php_flag`](http://php.net/manual/en/configuration.changes.php)を許可します。これらのフラグや値は、ユーザまたはアプリケーションにより上書きすることができます。 + +デフォルト値: '{}'。 + +vhostの宣言内 +``` puppet + php_values => [ 'include_path ".:/usr/local/example-app/include"' ], +``` + +##### `php_admin_flags & values` + +バーチャルホストごとの設定[`php_admin_value`または`php_admin_flag`](http://php.net/manual/en/configuration.changes.php)を許可します。これらのフラグや値は、ユーザまたはアプリケーションにより上書きすることができます。 + +デフォルト値: '{}'。 + +##### `port` + +ホストを設定するポートを設定します。モジュールのデフォルトでは、ホストがリッスンするのは、非SSLバーチャルホストではポート80、SSLバーチャルホストではポート443です。ホストはこのパラメータで設定されたポートのみをリッスンします。 + +##### `priority` + +Apache HTTPD VirtualHost設定ファイルに関連するロード順序を設定します。 + +優先順位に一致するものがない場合は、アルファベット順で最初の名前ベースのバーチャルホストが使用されます。同様に、高い優先順位を渡すと、他に一致する名前がなければ、アルファベット順で最初の名前ベースのバーチャルホストが使用されます。 + +> **注意:** このパラメータを使用する必要はありません。ただし、使用する場合は、`apache::vhost`の`default_vhost`パラメータの優先順位は'15'になる点に留意してください。 + +ファイル名の優先順位の接頭値を無視するには、優先順位として`false`を渡します。 + +デフォルト値: '25'。 + +##### `proxy_dest` + +[ProxyPass](https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypass)設定の宛先アドレスを指定します。 + +デフォルト値: `undef`。 + +##### `proxy_pass` + +[ProxyPass](https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypass)設定の`path => URI`値の配列を指定します。オプションで、配列としてパラメータを追加できます。 + +デフォルト値: `undef`。 + +``` puppet +apache::vhost { 'site.name.fdqn': + … + proxy_pass => [ + { 'path' => '/a', 'url' => 'http://backend-a/' }, + { 'path' => '/b', 'url' => 'http://backend-b/' }, + { 'path' => '/c', 'url' => 'http://backend-a/c', 'params' => {'max'=>20, 'ttl'=>120, 'retry'=>300}}, + { 'path' => '/l', 'url' => 'http://backend-xy', + 'reverse_urls' => ['http://backend-x', 'http://backend-y'] }, + { 'path' => '/d', 'url' => 'http://backend-a/d', + 'params' => { 'retry' => '0', 'timeout' => '5' }, }, + { 'path' => '/e', 'url' => 'http://backend-a/e', + 'keywords' => ['nocanon', 'interpolate'] }, + { 'path' => '/f', 'url' => 'http://backend-f/', + 'setenv' => ['proxy-nokeepalive 1','force-proxy-request-1.0 1']}, + { 'path' => '/g', 'url' => 'http://backend-g/', + 'reverse_cookies' => [{'path' => '/g', 'url' => 'http://backend-g/',}, {'domain' => 'http://backend-g', 'url' => 'http:://backend-g',},], }, + { 'path' => '/h', 'url' => 'http://backend-h/h', + 'no_proxy_uris' => ['/h/admin', '/h/server-status'] }, + ], +} +``` + +* `reverse_urls`。*オプション。*この設定は、`mod_proxy_balancer`とともに使用する場合に役立ちます。値: 配列または文字列。 +* `reverse_cookies`。*オプション。*`ProxyPassReverseCookiePath`および`ProxyPassReverseCookieDomain`を設定します。 +* `params`。*オプション。*接続設定などのProxyPassキー-値パラメータを許可します。 +* `setenv`。*オプション。*プロキシディレクティブの[環境変数](https://httpd.apache.org/docs/current/mod/mod_proxy.html#envsettings)を設定します。値: 配列。 + +##### `proxy_dest_match` + +このディレクティブは[`proxy_dest`][]と同じですが、正規表現をとります。詳細については、[ProxyPassMatch](https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypassmatch)を参照してください。 + +##### `proxy_dest_reverse_match` + +[`proxy_dest_match`][]が指定されている場合に、ProxyPassReverseを渡せるようにします。詳細については、[ProxyPassReverse](https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypassreverse)を参照してください。 + +##### `proxy_pass_match` + +このディレクティブは[`proxy_pass`][]と同じですが、正規表現をとります。詳細については、[ProxyPassMatch](https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypassmatch)を参照してください。 + +##### `rack_base_uris` + +rack設定のリソース識別子を設定します。指定されたファイルパスは、_rack.erbテンプレート内の[Phusion Passenger](http://www.modrails.com/documentation/Users%20guide%20Apache.html#_railsbaseuri_and_rackbaseuri)のrackアプリケーションルートとしてリストされます。 + +デフォルト値: `undef`。 + +##### `passenger_base_uris` + +任意のURIをPhusion Passengerのサーブするアプリケーションとして指定するのに使用します。指定されたファイルパスは、_passenger_base_uris.erbテンプレート内の[Phusion Passenger](https://www.phusionpassenger.com/documentation/Users%20guide%20Apache.html#PassengerBaseURI)のpassengerアプリケーションルートとしてリストされます。 + +デフォルト値: `undef`。 + +##### `redirect_dest` + +リダイレクト先のアドレスを指定します。 + +デフォルト値: `undef`。 + +##### `redirect_source` + +`redirect_dest`で指定された宛先にリダイレクトするソースURIを指定します。リダイレクトするアイテムが複数提供されている場合は、ソースと宛先の長さを一致させる必要があります。また、アイテムは順序に依存します。 + +``` puppet +apache::vhost { 'site.name.fdqn': + … + redirect_source => ['/images','/downloads'], + redirect_dest => ['http://img.example.com/','http://downloads.example.com/'], +} +``` + +##### `redirect_status` + +リダイレクトに追加するステータスを指定します。 + +デフォルト値: `undef`。 + +``` puppet +apache::vhost { 'site.name.fdqn': + … + redirect_status => ['temp','permanent'], +} +``` + +##### `redirectmatch_*` + +* `redirectmatch_regexp` +* `redirectmatch_status` +* `redirectmatch_dest` + +任意の正規表現について呼び出すサーバステータスとユーザの転送先を決定します。配列として入力します。 + +デフォルト値: `undef`。 + +``` puppet +apache::vhost { 'site.name.fdqn': + … + redirectmatch_status => ['404','404'], + redirectmatch_regexp => ['\.git(/.*|$)/','\.svn(/.*|$)'], + redirectmatch_dest => ['http://www.example.com/$1','http://www.example.com/$2'], +} +``` + +##### `request_headers` + +他のリクエストヘッダの追加、リクエストヘッダの削除など、収集した[リクエストヘッダ](https://httpd.apache.org/docs/current/mod/mod_headers.html#requestheader)をさまざまな形で修正します。 + +デフォルト値: `undef`。 + +``` puppet +apache::vhost { 'site.name.fdqn': + … + request_headers => [ + 'append MirrorID "mirror 12"', + 'unset MirrorID', + ], +} +``` + +##### `rewrites` + +URLリライトルールを作成します。ハッシュの配列が求められます。 + +値: 'comment'、'rewrite_base'、'rewrite_cond'、'rewrite_rule'、'rewrite_map'のいずれかのハッシュキー。 + +デフォルト値: `undef`。 + +誰かがindex.htmlにアクセスした場合、welcome.htmlを表示するように指定できます。 + +``` puppet +apache::vhost { 'site.name.fdqn': + … + rewrites => [ { rewrite_rule => ['^index\.html$ welcome.html'] } ] +} +``` + +このパラメータにより条件をリライトし、`true`の場合に関連ルールを実行させることが可能です。例えば、ビジターがIEを使っている場合のみURLをリライトするには、以下のように設定します。 + +``` puppet +apache::vhost { 'site.name.fdqn': + … + rewrites => [ + { + comment => 'redirect IE', + rewrite_cond => ['%{HTTP_USER_AGENT} ^MSIE'], + rewrite_rule => ['^index\.html$ welcome.html'], + }, + ], +} +``` + +複数の条件を適用することもできます。たとえば、ブラウザがLynxかMozilla(バージョン1または2)の場合にのみ、index.htmlをwelcome.htmlにリライトする場合は、以下のようになります。 + +``` puppet +apache::vhost { 'site.name.fdqn': + … + rewrites => [ + { + comment => 'Lynx or Mozilla v1/2', + rewrite_cond => ['%{HTTP_USER_AGENT} ^Lynx/ [OR]', '%{HTTP_USER_AGENT} ^Mozilla/[12]'], + rewrite_rule => ['^index\.html$ welcome.html'], + }, + ], +} +``` + +複数のリライトと条件を設定することも可能です。 + +``` puppet +apache::vhost { 'site.name.fdqn': + … + rewrites => [ + { + comment => 'Lynx or Mozilla v1/2', + rewrite_cond => ['%{HTTP_USER_AGENT} ^Lynx/ [OR]', '%{HTTP_USER_AGENT} ^Mozilla/[12]'], + rewrite_rule => ['^index\.html$ welcome.html'], + }, + { + comment => 'Internet Explorer', + rewrite_cond => ['%{HTTP_USER_AGENT} ^MSIE'], + rewrite_rule => ['^index\.html$ /index.IE.html [L]'], + }, + { + rewrite_base => /apps/, + rewrite_rule => ['^index\.cgi$ index.php', '^index\.html$ index.php', '^index\.asp$ index.html'], + }, + { comment => 'Rewrite to lower case', + rewrite_cond => ['%{REQUEST_URI} [A-Z]'], + rewrite_map => ['lc int:tolower'], + rewrite_rule => ['(.*) ${lc:$1} [R=301,L]'], + }, + ], +} +``` + +リライトのルールおよび条件については、[`mod_rewrite`ドキュメント][`mod_rewrite`]を参照してください。 + +##### `rewrite_inherit` + +バーチャルホストが全体のリライトルールを継承するかどうかを決定します。 + +デフォルト値: `false`。 + +リライトルールは、全体(`$conf_file`または`$confd_dir`で)またはバーチャルホストの`.conf`ファイル内で指定することができます。デフォルトでは、バーチャルホストは全体の設定を継承しません。継承を有効にするには、`rewrites`パラメータを指定し、`rewrite_inherit`パラメータを`true`に設定します。 + +``` puppet +apache::vhost { 'site.name.fdqn': + … + rewrites => [ + , + ], + rewrite_inherit => `true`, +} +``` + +> **注意**: この設定を有効にするには、`rewrites`パラメータが**必須**です。 + +バーチャルホストに以下のディレクティブが含まれている場合は、Apacheが全体の`Rewrite`ルールを有効にします。 + +``` ApacheConf +RewriteEngine On +RewriteOptions Inherit +``` + +[公式`mod_rewrite`ドキュメント](https://httpd.apache.org/docs/2.2/mod/mod_rewrite.html)のセクション"Rewriting in Virtual Hosts"を参照してください。 + +##### `scriptalias` + +'/usr/scripts'などの、パス'/cgi-bin'のエイリアスとするCGIスクリプトのディレクトリを定義します。 + +デフォルト値: `undef`。 + +##### `scriptaliases` + +> **注意**: このパラメータは廃止予定であり、`aliases`パラメータに置き換えられます。 + +ハッシュの配列をバーチャルホストに渡し、[`mod_alias`ドキュメント][`mod_alias`]に従ってScriptAliasまたはScriptAliasMatchステートメントのいずれかを作成します。 + +``` puppet +scriptaliases => [ + { + alias => '/myscript', + path => '/usr/share/myscript', + }, + { + aliasmatch => '^/foo(.*)', + path => '/usr/share/fooscripts$1', + }, + { + aliasmatch => '^/bar/(.*)', + path => '/usr/share/bar/wrapper.sh/$1', + }, + { + alias => '/neatscript', + path => '/usr/share/neatscript', + }, +] +``` + +ScriptAliasおよびScriptAliasMatchディレクティブは、指定した順に作成されます。 [AliasおよびAliasMatch](#aliases)ディレクティブと同様、シャドーイングを避けるため、まず具体的なエイリアスを指定してから、全般的なものを指定してください。 + +##### `serveradmin` + +エラーページの表示時にApacheが表示するEメールアドレスを指定します。 + +デフォルト値: `undef`。 + +##### `serveraliases` + +サイトの[ServerAliases](https://httpd.apache.org/docs/current/mod/core.html#serveralias)を設定します。 + +デフォルト値: []。  + +##### `servername` + +バーチャルホストに接続するホスト名に対応するサーバ名を設定します。 + +デフォルト値: リソースのタイトル。 + +##### `setenv` + +HTTPDにより使用し、バーチャルホストの環境変数を設定します。 + +デフォルト値: []。  + +例: + +``` puppet +apache::vhost { 'setenv.example.com': + setenv => ['SPECIAL_PATH /foo/bin'], +} +``` + +##### `setenvif` + +HTTPDにより使用し、条件を用いてバーチャルホストの環境変数を設定します。 + +デフォルト値: []。  + +##### `setenvifnocase` + +HTTPDにより使用し、条件を用いてバーチャルホストの環境変数を設定します(大文字小文字を区別しないマッチング)。 + +デフォルト値: []。  + +##### `suphp_*` + +* `suphp_addhandler` +* `suphp_configpath` +* `suphp_engine` + +[suPHP](http://suphp.org/DocumentationView.html?file=apache/CONFIG)によりバーチャルホストを設定します。 + +* `suphp_addhandler`。デフォルト値: RedHatおよびFreeBSDでは'php5-script'、DebianおよびGentooでは'x-httpd-php'。 +* `suphp_configpath`。デフォルト値: RedHatおよびFreeBSDでは`undef`、DebianおよびGentooでは'/etc/php5/apache2'。 +* `suphp_engine`。値: 'on'または'off'。デフォルト値: 'off'。 + +suPHPによるバーチャルホスト設定の例: + +``` puppet +apache::vhost { 'suphp.example.com': + port => '80', + docroot => '/home/appuser/myphpapp', + suphp_addhandler => 'x-httpd-php', + suphp_engine => 'on', + suphp_configpath => '/etc/php5/apache2', + directories => { path => '/home/appuser/myphpapp', + 'suphp' => { user => 'myappuser', group => 'myappgroup' }, + } +} +``` + +##### `vhost_name` + +名前ベースのバーチャルホストを有効にします。バーチャルホストにIPではなくポートが割り当てられている場合は、バーチャルホスト名は'vhost_name:port'になります。バーチャルホストにIPもポートも割り当てられていない場合は、バーチャルホスト名はリソースのタイトルに設定されます。 + +デフォルト値: '*'。 + +##### `virtual_docroot` + +同じ名前を持つディレクトリにマッピングされたワイルドカードエイリアスサブドメインにより、バーチャルホストを設定します。例えば、'http://example.com' would map to '/var/www/example.com'のようになります。 + +デフォルト値: `false`。 + +``` puppet +apache::vhost { 'subdomain.loc': + vhost_name => '*', + port => '80', + virtual_docroot => '/var/www/%-2+', + docroot => '/var/www', + serveraliases => ['*.loc',], +} +``` + +##### `wsgi*` + +* `wsgi_daemon_process` +* `wsgi_daemon_process_options` +* `wsgi_process_group` +* `wsgi_script_aliases` +* `wsgi_pass_authorization` + +[WSGI](https://github.com/GrahamDumpleton/mod_wsgi)によりバーチャルホストを設定します。 + +* `wsgi_daemon_process`: WSGIデーモンの名前を設定するハッシュ。[特定のキー](http://modwsgi.readthedocs.org/en/latest/configuration-directives/WSGIDaemonProcess.html)を使用できます。デフォルト値: `undef`。 +* `wsgi_daemon_process_options`。_オプション。_ デフォルト値: `undef`。 +* `wsgi_process_group`: バーチャルホストが実行されるグループIDを設定します。デフォルト値: `undef`。 +* `wsgi_script_aliases`: ファイルシステム.wsgiパスへのWebパスのハッシュにする必要があります。デフォルト値: `undef`。 +* `wsgi_script_aliases_match`: ファイルシステム.wsgiパスへのWebパスの正規表現のハッシュにする必要があります。デフォルト値: `undef`。 +* `wsgi_pass_authorization`: 'On'に設定すると、Apacheの代わりにWSGIアプリケーションを使って認証を処理します。詳細については、[mod_wsgi's WSGIPassAuthorizationドキュメント] (https://modwsgi.readthedocs.org/en/latest/configuration-directives/WSGIPassAuthorization.html)を参照してください。デフォルト値: `undef`、これにより、Apacheのデフォルト値である'Off'が使われます。 +* `wsgi_chunked_request`: チャンク形式のリクエストのサポートを有効にします。デフォルト値: `undef`。 + +WSGIによるバーチャルホスト設定の例: + +``` puppet +apache::vhost { 'wsgi.example.com': + port => '80', + docroot => '/var/www/pythonapp', + wsgi_daemon_process => 'wsgi', + wsgi_daemon_process_options => + { processes => '2', + threads => '15', + display-name => '%{GROUP}', + }, + wsgi_process_group => 'wsgi', + wsgi_script_aliases => { '/' => '/var/www/demo.wsgi' }, + wsgi_chunked_request => 'On', +} +``` + +#### `apache::vhost`のパラメータ`directories` + +`apache::vhost`クラスの`directories`パラメータは、バーチャルホストにハッシュの配列を渡し、[Directory](https://httpd.apache.org/docs/current/mod/core.html#directory)、[File](https://httpd.apache.org/docs/current/mod/core.html#files)、[Location](https://httpd.apache.org/docs/current/mod/core.html#location)ディレクティブブロックを作成します。これらのブロックは、'< Directory /path/to/directory>...< /Directory>'の形式をとります。 + +`path`キーは、ディレクトリ、ファイル、ロケーションブロックのパスを設定します。この値は、'directory'、'files'、または'location'プロバイダのパスか、'directorymatch'、'filesmatch'、または 'locationmatch'プロバイダの正規表現でなければなりません。`directories`に渡される各ハッシュには、キーのひとつとして`path`が含まれていなければ**なりません**。 + +`provider`キーはオプションです。設定されていない場合、このキーのデフォルトは'directory'になります。値: 'directory'、'files'、'proxy'、'location'、'directorymatch'、'filesmatch'、'proxymatch'、'locationmatch'。`provider`を'directorymatch'に設定すると、 Apache設定ファイルでキーワード'DirectoryMatch'が使用されます。 + +`directories`の使用例: + +``` puppet +apache::vhost { 'files.example.net': + docroot => '/var/www/files', + directories => [ + { 'path' => '/var/www/files', + 'provider' => 'files', + 'deny' => 'from all', + }, + ], +} +``` + +> **注意:** 少なくとも1つのディレクトリが`docroot`パラメータとマッチする必要があります。ディレクトリの宣言を開始すると、`apache::vhost`は必要なすべてのディレクトリブロックが宣言されるものと見なします。定義されない場合、`docroot`パラメータにマッチする1つのデフォルトディレクトリブロックが作成されます。 + +`directory`、`files`、または`location`ハッシュ内に、使用可能なハンドラを配置し、キーとして表す必要があります。以下のようになります。 + +``` puppet +apache::vhost { 'sample.example.net': + docroot => '/path/to/directory', + directories => [ { path => '/path/to/directory', handler => value } ], +} +``` + +これらのハッシュで設定していないハンドラは、Puppet内で'undefined'と見なされ、バーチャルホストに追加されず、モジュールではデフォルト値が使われます。サポートされているハンドラは、次のとおりです。 + +##### `addhandlers` + +[AddHandler](https://httpd.apache.org/docs/current/mod/mod_mime.html#addhandler)ディレクティブを設定します。これは、ファイル名の拡張子を指定されたハンドラにマッピングするものです。ハッシュのリストを使用し、`extensions`はハンドラによりマッピングされた拡張子を記述するために使用されます。`{ handler => 'handler-name', extensions => ['extension'] }`の形式をとります。 + +例: + +``` puppet +apache::vhost { 'sample.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/path/to/directory', + addhandlers => [{ handler => 'cgi-script', extensions => ['.cgi']}], + }, + ], +} +``` + +##### `allow` + +[Allow](https://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#allow)ディレクティブを設定します。これは、ホスト名またはIPに基づく認証をグループ化するものです。**廃止予定:**このパラメータは、Apacheが変更されたため、廃止予定になっています。Apache 2.2以下でのみ機能します。1つのルールに対する単一の文字列としても、複数のルールに対する配列としても使用できます。 + +``` puppet +apache::vhost { 'sample.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/path/to/directory', + allow => 'from example.org', + }, + ], +} +``` + +##### `allow_override` + +[.htaccess](https://httpd.apache.org/docs/current/mod/core.html#allowoverride)ファイルで許可されるディレクティブのタイプを設定します。配列を使用できます。 + +``` puppet +apache::vhost { 'sample.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/path/to/directory', + allow_override => ['AuthConfig', 'Indexes'], + }, + ], +} +``` + +##### `auth_basic_authoritative` + +[AuthBasicAuthoritative](https://httpd.apache.org/docs/current/mod/mod_auth_basic.html#authbasicauthoritative)の値を設定します。これにより、下位のApacheモジュールに権限と認証を渡すかどうかが決定されます。 + +##### `auth_basic_fake` + +[AuthBasicFake](https://httpd.apache.org/docs/current/mod/mod_auth_basic.html#authbasicfake)の値を設定します。これにより、任意のディレクティブブロックに関する認証情報が静的に設定されます。 + +##### `auth_basic_provider` + +[AuthBasicProvider](https://httpd.apache.org/docs/current/mod/mod_auth_basic.html#authbasicprovider)の値を設定します。これにより、任意のロケーションの認証プロバイダが設定されます。 + +##### `auth_digest_algorithm` + +[AuthDigestAlgorithm](https://httpd.apache.org/docs/current/mod/mod_auth_digest.html#authdigestalgorithm)の値を設定します。これにより、チャレンジおよびレスポンスハッシュの計算に用いるアルゴリズムを選択します。 + +###### `auth_digest_domain` + +[AuthDigestDomain](https://httpd.apache.org/docs/current/mod/mod_auth_digest.html#authdigestdomain)の値を設定します。これにより、ダイジェスト認証に関して、同じ保護スペースで1つまたは複数のURIを指定できます。 + +##### `auth_digest_nonce_lifetime` + +[AuthDigestNonceLifetime](https://httpd.apache.org/docs/current/mod/mod_auth_digest.html#authdigestnoncelifetime)の値を設定します。これにより、サーバのノンスが有効になる長さを制御します。 + +##### `auth_digest_provider` + +[AuthDigestProvider](https://httpd.apache.org/docs/current/mod/mod_auth_digest.html#authdigestprovider)の値を設定します。これにより、任意のロケーションに関する認証プロバイダを設定します。 + +##### `auth_digest_qop` + +[AuthDigestQop](https://httpd.apache.org/docs/current/mod/mod_auth_digest.html#authdigestqop)の値を設定します。これにより、ダイジェスト認証で用いる保護品質を決定します。 + +##### `auth_digest_shmem_size` + +[AuthAuthDigestShmemSize](https://httpd.apache.org/docs/current/mod/mod_auth_digest.html#authdigestshmemsize)の値を設定します。これにより、クライアントの追跡に関して、サーバに割り当てられる共通メモリの量を定義します。 + +##### `auth_group_file` + +[AuthGroupFile](https://httpd.apache.org/docs/current/mod/mod_authz_groupfile.html#authgroupfile)の値を設定します。これにより、認証に関して、ユーザグループのリストを含むテキストファイルの名前を設定します。 + +##### `auth_name` + +[AuthName](https://httpd.apache.org/docs/current/mod/mod_authn_core.html#authname)の値を設定します。これにより、認証領域の名前を設定します。 + +##### `auth_require` + +アクセスを許可するのに必要なエンティティ名を設定します。詳細については、[Require](https://httpd.apache.org/docs/current/mod/mod_authz_host.html#requiredirectives)を参照してください。 + +##### `auth_type` + +[AuthType](https://httpd.apache.org/docs/current/mod/mod_authn_core.html#authtype)の値を設定します。これにより、ユーザ認証のタイプをガイドします。 + +##### `auth_user_file` + +[AuthUserFile](https://httpd.apache.org/docs/current/mod/mod_authn_file.html#authuserfile)の値を設定します。これにより、認証に関するユーザ/パスワードを含むテキストファイルの名前を設定します。 + +##### `auth_merging` + +[AuthMerging](https://httpd.apache.org/docs/current/mod/mod_authz_core.html#authmerging)の値を設定します。これにより、認証ロジックを組み合わせるかどうかを決定します。 + +##### `auth_ldap_url` + +[AuthLDAPURL](https://httpd.apache.org/docs/current/mod/mod_authnz_ldap.html#authldapurl)の値を設定します。これにより、AuthBasicProvider 'ldap'を使用する場合のLDAPサーバのURLを決定します。 + +##### `auth_ldap_bind_dn` + +[AuthLDAPBindDN](https://httpd.apache.org/docs/current/mod/mod_authnz_ldap.html#authldapbinddn)の値を設定します。これにより、AuthBasicProvider 'ldap'を使用する場合に、エントリの検索時にLDAPサーバにバインドするオプションのDNを使用できるようになります。 + +##### `auth_ldap_bind_password` + +[AuthLDAPBindPassword](https://httpd.apache.org/docs/current/mod/mod_authnz_ldap.html#authldapbindpassword)の値を設定します。これにより、AuthBasicProvider 'ldap'を使用する場合に、バインドDNとともに用いるオプションのバインドパスワードを使用できるようになります。 + +##### `auth_ldap_group_attribute` + +[AuthLDAPGroupAttribute](https://httpd.apache.org/docs/current/mod/mod_authnz_ldap.html#authldapgroupattribute)の値の配列。ldapグループ内のユーザメンバーの確認に使用するLDAP属性を指定します。 + +デフォルト値: "member"および "uniquemember"。 + +##### `auth_ldap_group_attribute_is_dn` + +[AuthLDAPGroupAttributeIsDN](https://httpd.apache.org/docs/current/mod/mod_authnz_ldap.html#authldapgroupattributeisdn)の値を設定し、ldapグループのメンバーにDNかシンプルなユーザ名のどちらを使用するかを指定します。onに設定すると、グループメンバーシップの確認時に、クライアントユーザ名の識別名が使用されます。そうでない場合は、ユーザ名が使われます。有効な値は"on"か"off"です。 + +##### `custom_fragment` + +カスタム設定ディレクティブの文字列を渡し、ディレクトリ設定の最後に配置します。 + +``` puppet +apache::vhost { 'monitor': + … + directories => [ + { + path => '/path/to/directory', + custom_fragment => ' + + SetHandler balancer-manager + Order allow,deny + Allow from all + + + SetHandler server-status + Order allow,deny + Allow from all + +ProxyStatus On', + }, + ] +} +``` + +##### `dav` + +[Dav](http://httpd.apache.org/docs/current/mod/mod_dav.html#dav)の値を設定します。これにより、WebDAV HTTPメソッドを有効にするかどうかを決定します。値としては、'On'、'Off'、またはプロバイダの名前を使用できます。'On'に設定すると、`mod_dav_fs`モジュールにより実装されているデフォルトのファイルシステムプロバイダが有効になります。 + +##### `dav_depth_infinity` + +[DavDepthInfinity](http://httpd.apache.org/docs/current/mod/mod_dav.html#davdepthinfinity)の値を設定します。これは、`Depth: Infinity`ヘッダを持つ`PROPFIND`リクエストの処理を有効にするのに使用されます。 + +##### `dav_min_timeout` + +[DavMinTimeout](http://httpd.apache.org/docs/current/mod/mod_dav.html#davmintimeout)の値を設定します。DAVリソースでサーバがロック状態を維持する時間(秒数)を指定します。 + +##### `deny` + +[Deny](https://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#deny)ディレクティブを設定し、サーバへのアクセスを否定するホストを指定します。**廃止予定:** このパラメータは、Apacheが変更されたため、廃止予定になっています。Apache 2.2以下でのみ機能します。1つのルールに対する単一の文字列としても、複数のルールに対する配列としても使用できます。 + +``` puppet +apache::vhost { 'sample.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/path/to/directory', + deny => 'from example.org', + }, + ], +} +``` + +##### `error_documents` + +ディレクトリの[ErrorDocument](https://httpd.apache.org/docs/current/mod/core.html#errordocument)設定をオーバーライドするハッシュの配列。 + +``` puppet +apache::vhost { 'sample.example.net': + directories => [ + { path => '/srv/www', + error_documents => [ + { 'error_code' => '503', + 'document' => '/service-unavail', + }, + ], + }, + ], +} +``` + +##### `ext_filter_options` + +[ExtFilterOptions](https://httpd.apache.org/docs/current/mod/mod_ext_filter.html)ディレクティブを設定します。 +このディレクティブを使用する前に、`class { 'apache::mod::ext_filter': }`を宣言する必要があります。 + +``` puppet +apache::vhost { 'filter.example.org': + docroot => '/var/www/filter', + directories => [ + { path => '/var/www/filter', + ext_filter_options => 'LogStderr Onfail=abort', + }, + ], +} +``` + +##### `geoip_enable` + +[GeoIPEnable](http://dev.maxmind.com/geoip/legacy/mod_geoip2/#Configuration)ディレクティブを設定します。 +このディレクティブを使用する前に、`class {'apache::mod::geoip': }`を宣言する必要があります。 + +``` puppet +apache::vhost { 'first.example.com': + docroot => '/var/www/first', + directories => [ + { path => '/var/www/first', + geoip_enable => `true`, + }, + ], +} +``` + +##### `headers` + +[Header](https://httpd.apache.org/docs/current/mod/mod_headers.html#header)ディレクティブの行を追加します。 + +``` puppet +apache::vhost { 'sample.example.net': + docroot => '/path/to/directory', + directories => { + path => '/path/to/directory', + headers => 'Set X-Robots-Tag "noindex, noarchive, nosnippet"', + }, +} +``` + +##### `index_options` + +[ディレクトリインデキシング](https://httpd.apache.org/docs/current/mod/mod_autoindex.html#indexoptions)の設定を可能にします。 + +``` puppet +apache::vhost { 'sample.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/path/to/directory', + directoryindex => 'disabled', # this is needed on Apache 2.4 or mod_autoindex doesn't work + options => ['Indexes','FollowSymLinks','MultiViews'], + index_options => ['IgnoreCase', 'FancyIndexing', 'FoldersFirst', 'NameWidth=*', 'DescriptionWidth=*', 'SuppressHTMLPreamble'], + }, + ], +} +``` + +##### `index_order_default` + +ディレクトリインデックスの[デフォルトの順序付け](https://httpd.apache.org/docs/current/mod/mod_autoindex.html#indexorderdefault)を設定します。 + +``` puppet +apache::vhost { 'sample.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/path/to/directory', + order => 'Allow,Deny', + index_order_default => ['Descending', 'Date'], + }, + ], +} +``` + +###### `index_style_sheet` + +[IndexStyleSheet](https://httpd.apache.org/docs/current/mod/mod_autoindex.html#indexstylesheet)を設定します。これにより、ディレクトリインデックスにCSSスタイルシートが追加されます。 + +``` puppet +apache::vhost { 'sample.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/path/to/directory', + options => ['Indexes','FollowSymLinks','MultiViews'], + index_options => ['FancyIndexing'], + index_style_sheet => '/styles/style.css', + }, + ], +} +``` + +##### `limit` + +ディレクトリブロック内に[Limit](https://httpd.apache.org/docs/current/mod/core.html#limit)ブロックを作成します。`require`ディレクティブを含めることもできます。 + +``` puppet +apache::vhost { 'sample.example.net': + docroot => '/path/to/docroot', + directories => [ + { path => '/', + provider => 'location', + limit => [ + { methods => 'GET HEAD', + require => ['valid-user'] + }, + ], + }, + ], +} +``` + +##### `limit_except` + +ディレクトリブロック内に[LimitExcept](https://httpd.apache.org/docs/current/mod/core.html#limitexcept)ブロックを作成します。`require`ディレクティブを含めることもできます。 + +``` puppet +apache::vhost { 'sample.example.net': + docroot => '/path/to/docroot', + directories => [ + { path => '/', + provider => 'location', + limit_except => [ + { methods => 'GET HEAD', + require => ['valid-user'] + }, + ], + }, + ], +} +``` + +##### `mellon_enable` + +[MellonEnable][`mod_auth_mellon`]ディレクトリを設定し、 [`mod_auth_mellon`][]を有効にします。[`apache::mod::auth_mellon`][]を使って`mod_auth_mellon`をインストールできます。 + +``` puppet +apache::vhost { 'sample.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/', + provider => 'directory', + mellon_enable => 'info', + mellon_sp_private_key_file => '/etc/certs/${::fqdn}.key', + mellon_endpoint_path => '/mellon', + mellon_set_env_no_prefix => { 'ADFS_GROUP' => 'http://schemas.xmlsoap.org/claims/Group', + 'ADFS_EMAIL' => 'http://schemas.xmlsoap.org/claims/EmailAddress', }, + mellon_user => 'ADFS_LOGIN', + }, + { path => '/protected', + provider => 'location', + mellon_enable => 'auth', + auth_type => 'Mellon', + auth_require => 'valid-user', + mellon_cond => ['ADFS_LOGIN userA [MAP]','ADFS_LOGIN userB [MAP]'], + }, + ] +} +``` + +関連するパラメータは、`mod_auth_mellon`ディレクティブの名前に従います。 + +- `mellon_cond`: アクセスを許可するために満たす必要のあるmellon条件の配列をとり、配列内の各アイテムについて [MellonCond][`mod_auth_mellon`]ディレクティブを作成します。 +- `mellon_endpoint_path`: [MellonEndpointPath][`mod_auth_mellon`]を設定し、mellonエンドポイントパスを設定します。 +- `mellon_sp_metadata_file`: SPメタデータファイルの[MellonSPMetadataFile][`mod_auth_mellon`]ロケーションを設定します。 +- `mellon_idp_metadata_file`: IDPメタデータファイルの[MellonIDPMetadataFile][`mod_auth_mellon`]ロケーションを設定します。 +- `mellon_saml_rsponse_dump`: [MellonSamlResponseDump][`mod_auth_mellon`]ディレクティブを設定し、SAMLのデバッグを有効にします。 +- `mellon_set_env_no_prefix`:環境変数にマッピングする属性名のハッシュに関する [MellonSetEnvNoPrefix][`mod_auth_mellon`]ディレクティブを +設定します。 +- `mellon_sp_private_key_file`: サービスプロバイダのプライベートキー保存場所に関する[MellonSPPrivateKeyFile][`mod_auth_mellon`]ディレクティブを設定します。 +- `mellon_sp_cert_file`: サービスプロバイダの公開キー保存場所に関する[MellonSPCertFile][`mod_auth_mellon`]ディレクティブを設定します。 +- `mellon_user`: ユーザ名に関して使用する[MellonUser][`mod_auth_mellon`]属性を設定します。 +- `mellon_session_length`: [MellonSessionLength][`mod_auth_mellon`]属性を設定します。 + +##### `options` + +任意のディレクトリブロックに関する[オプション](https://httpd.apache.org/docs/current/mod/core.html#options)をリスト化します。 + +``` puppet +apache::vhost { 'sample.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/path/to/directory', + options => ['Indexes','FollowSymLinks','MultiViews'], + }, + ], +} +``` + +##### `order` + +[Apacheコアドキュメント](https://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#order)に従い、AllowおよびDenyステートメントの処理順序を設定します。**廃止予定:** このパラメータは、Apacheが変更されたため、廃止予定になっています。Apache 2.2以下でのみ機能します。 + +``` puppet +apache::vhost { 'sample.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/path/to/directory', + order => 'Allow,Deny', + }, + ], +} +``` + +##### `passenger_enabled` + +[PassengerEnabled](http://www.modrails.com/documentation/Users%20guide%20Apache.html#PassengerEnabled)ディレクティブの値を'on'または'off'に設定します。`apache::mod::passenger`を含める必要があります。 + +``` puppet +apache::vhost { 'sample.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/path/to/directory', + passenger_enabled => 'on', + }, + ], +} +``` + +> **注意:** PassengerEnabledディレクティブをPassengerHighPerformanceディレクティブとともに使用すると、[問題](http://www.conandalton.net/2010/06/passengerenabled-off-not-working.html)が生じます。 + +##### `php_value`および`php_flag` + +`php_value`はディレクトリの値を設定し、`php_flag`はブーリアンを用いてディレクトリを設定します。詳細は[こちら](http://php.net/manual/en/configuration.changes.php)で確認できます。 + +##### `php_admin_value`および`php_admin_flag` + +`php_admin_value`はディレクトリの値を設定し、`php_admin_flag`はブーリアンを用いてディレクトリを設定します。詳細は[こちら](http://php.net/manual/en/configuration.changes.php)で確認できます。 + + +##### `require` + + +[Apache Authzドキュメント](https://httpd.apache.org/docs/current/mod/mod_authz_core.html#require)に従い、`Require`ディレクティブを設定します。`require`が設定されていない場合、`Require all granted`がデフォルトになります。 + +``` puppet +apache::vhost { 'sample.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/path/to/directory', + require => 'ip 10.17.42.23', + } + ], +} +``` + +より複雑な要件設定が必要な場合、apache >= 2.4では[RequireAll](https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#requireall)、[RequireNone](https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#requirenone)または[RequireAny](https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#requireany)ディレクティブを使用できます。'any'、'none'、'all'のみをサポートする(その他の値は無視されます)'enforce'キーを使うと、以下のように設定できます。 + +``` puppet +apache::vhost { 'sample.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/path/to/directory', + require => { + enforce => 'any', + requires => [ + 'ip 1.2.3.4', + 'not host host.example.com', + 'user xyz', + ], + }, + }, + ], +} +``` + +`require`を`unmanaged`に設定すると、何も設定されません。これは、カスタムフラグメントで扱われる複雑な認証/権限要件に役立ちます。 + +``` puppet +apache::vhost { 'sample.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/path/to/directory', + require => 'unmanaged', + } + ], +} +``` + + + +##### `satisfy` + +[Apacheコアドキュメント](https://httpd.apache.org/docs/2.2/mod/core.html#satisfy)に従い、`Satisfy`ディレクティブを設定します。**廃止予定:** このパラメータは、Apacheが変更されたため、廃止予定になっています。Apache 2.2以下でのみ機能します。 + +``` puppet +apache::vhost { 'sample.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/path/to/directory', + satisfy => 'Any', + } + ], +} +``` + +##### `sethandler` + +[Apache Coreドキュメント](https://httpd.apache.org/docs/2.2/mod/core.html#sethandler)に従い、`SetHandler`ディレクティブを設定します。 + +``` puppet +apache::vhost { 'sample.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/path/to/directory', + sethandler => 'None', + } + ], +} +``` + +##### `set_output_filter` + +[Apache Coreドキュメント](https://httpd.apache.org/docs/current/mod/core.html#setoutputfilter)に従い、`SetOutputFilter`ディレクティブを設定します。 + +``` puppet +apache::vhost{ 'filter.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/path/to/directory', + set_output_filter => puppetdb-strip-resource-params, + }, + ], +} +``` + +##### `rewrites` + +バーチャルホストディレクトリ内でURL [`rewrites`](#rewrites)ルールを作成します。ハッシュの配列が求められます。ハッシュキーは'comment'、'rewrite_base'、'rewrite_cond'または'rewrite_rule'のいずれかにすることができます。 + +``` puppet +apache::vhost { 'secure.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/path/to/directory', + rewrites => [ { comment => 'Permalink Rewrites', + rewrite_base => '/' + }, + { rewrite_rule => ['^index\.php$ - [L]'] + }, + { rewrite_cond => ['%{REQUEST_FILENAME} !-f', + '%{REQUEST_FILENAME} !-d', + ], + rewrite_rule => ['. /index.php [L]'], + } + ], + }, + ], +} +``` + +> **注意**: ディレクトリにリライトを含める場合は、`apache::mod::rewrite`も含めてください。また、バーチャルホストのディレクトリのリライト設定ではなく、`apache::vhost`の`rewrites`パラメータを用いたリライトの設定を考慮してください。 + +##### `shib_request_settings` + +アプリケーションリクエストに関して、有効なコンテンツ設定の設定または変更を可能にします。このコマンドは、次の2つのパラメータをとります: コンテンツ設定の名前、およびそれについて設定する値。有効な設定については、Shibboleth [コンテンツ設定ドキュメント](https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPContentSettings)を参照してください。このキーは、`apache::mod::shib`が定義されていない場合は無効になります。詳細については、[`mod_shib`ドキュメント](https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig#NativeSPApacheConfig-Server/VirtualHostOptions)を参照してください。 + +``` puppet +apache::vhost { 'secure.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/path/to/directory', + shib_request_settings => { 'requiresession' => 'On' }, + shib_use_headers => 'On', + }, + ], +} +``` + +##### `shib_use_headers` + +'On'に設定すると、アプリケーションに属性を公開するリクエストヘッダの使用がオンになります。このキーの値は'On'または'Off'です。デフォルト値は'Off'です。このキーは、`apache::mod::shib`が定義されていない場合は無効になります。詳細については、[`mod_shib`ドキュメント](https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig#NativeSPApacheConfig-Server/VirtualHostOptions)を参照してください。 + +##### `shib_compat_valid_user` + +このコマンドが存在しなかったときの動作と合わせるため、デフォルト値はOffです。 "valid-user"および"user"のRequireルールの処理で、「標準」Apacheの動作を復元して、Shibbolethをその他のauth/authモジュールと組み合わせて使用する場合の競合を解消します。詳細については、[`mod_shib`ドキュメント](https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig#NativeSPApacheConfig-Server/VirtualHostOptions)、および[NativeSPhtaccess](https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPhtaccess)を参照してください。`apache::mod::shib`が定義されていない場合、このキーは無効です。 + +##### `ssl_options` + +[SSLOptions](https://httpd.apache.org/docs/current/mod/mod_ssl.html#ssloptions)の文字列またはリスト。これにより、SSLエンジンのランタイムオプションが設定されます。このハンドラは、バーチャルホストの親ブロック内のSSLOptionsセットよりも優先されます。 + +``` puppet +apache::vhost { 'secure.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/path/to/directory', + ssl_options => '+ExportCertData', + }, + { path => '/path/to/different/dir', + ssl_options => ['-StdEnvVars', '+ExportCertData'], + }, + ], +} +``` + +##### `suphp` + +[suPHP_UserGroup](http://www.suphp.org/DocumentationView.html?file=apache/CONFIG)設定に関する'user'および'group'キーを含むハッシュ。バーチャルホスト宣言で`suphp_engine => on`とともに使用する必要があり、`directories`内でのみ渡すことができます。 + +``` puppet +apache::vhost { 'secure.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/path/to/directory', + suphp => { + user => 'myappuser', + group => 'myappgroup', + }, + }, + ], +} +``` +##### `additional_includes` + +バーチャルホストディレクトリ内にある追加の静的な固有のApache設定ファイルのパスを指定します。値: 文字列パスの配列。 + +``` puppet +apache::vhost { 'sample.example.net': + docroot => '/path/to/directory', + directories => [ + { path => '/path/to/different/dir', + additional_includes => ['/custom/path/includes', '/custom/path/another_includes',], + }, + ], +} +``` + +#### `apache::vhost`のSSLパラメータ + +`::vhost`のすべてのSSLパラメータは、基本の`apache`クラスで設定された値がデフォルトになります。以下のパラメータを使えば、特定のバーチャルホストに関する個別のSSL設定を調整できます。 + +##### `ssl` + +バーチャルホストのSSLを有効にします。SSLバーチャルホストはHTTPSクエリにのみ応答します。値: ブーリアン。 + +デフォルト値: `false`。 + +##### `ssl_ca` + +使用するSSL認証局を指定して、認証に使用するクライアントの証明書を検証します。これを使用するには、`ssl_verify_client`も設定する必要があります。 + +デフォルト値: `undef`。 + +##### `ssl_cert` + +SSL証明書を指定します。 + +デフォルト値: オペレーティングシステムによって異なります。 + +* RedHat: '/etc/pki/tls/certs/localhost.crt' +* Debian: '/etc/ssl/certs/ssl-cert-snakeoil.pem' +* FreeBSD: '/usr/local/etc/apache22/server.crt' +* Gentoo: '/etc/ssl/apache2/server.crt' + +##### `ssl_protocol` + +[SSLProtocol](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslprotocol)を指定します。許可されるプロトコルの配列またはスペースで区切った文字列が求められます。 + +デフォルト値: 'all'、'-SSLv2'、'-SSLv3'。 + +##### `ssl_cipher` + +[SSLCipherSuite](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslciphersuite)を指定します。 + +デフォルト値: 'HIGH:MEDIUM:!aNULL:!MD5'。 + +##### `ssl_honorcipherorder` + +[SSLHonorCipherOrder](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslhonorcipherorder)を指定し、クライアントの優先順ではなくサーバの優先順をApacheに使用させます。値: + +値: ブーリアン、'on'、'off'。 + +デフォルト値: `true`。 + +##### `ssl_certs_dir` + +SSL認証ディレクトリの場所を指定してクライアントの証明書を検証します。`ssl_verify_client`も設定されていない限り使用されません(下記参照)。 + +デフォルト: undef + +##### `ssl_chain` + +SSLチェーンを指定します。このデフォルト値は設定しなくても機能しますが、本稼働環境で使用する前に、固有の証明書情報により基本の`apache`クラス内で更新する必要があります。 + +デフォルト値: `undef`。 + +##### `ssl_crl` + +使用する証明書失効リストを指定します。(このデフォルト値は設定しなくても機能しますが、本稼働環境で使用する前に、固有の証明書情報により基本の`apache`クラス内で更新する必要があります。) + +デフォルト値: `undef`。 + +##### `ssl_crl_path` + +証明書失効リストの保存場所を指定して、クライアント認証の証明書を検証します(このデフォルト値は設定しなくても機能しますが、本稼働環境で使用する前に、固有の証明書情報により基本の`apache`クラス内で更新する必要があります)。 + +デフォルト値: `undef`。 + +##### `ssl_crl_check` + +[SSLCARevocationCheckディレクティブ](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcarevocationcheck)により、SSLクライアント認証の証明書失効チェックレベルを設定します。このデフォルト値は設定しなくても機能しますが、本稼働環境でCRLを使用する際に指定する必要があります。Apache 2.4以上にのみ適用され、それ以前のバージョンではこの値は無視されます。 + +デフォルト値: `undef`。 + +##### `ssl_key` + +SSLキーを指定します。 + +デフォルト値はオペレーティングシステムによって異なります。このデフォルト値は設定しなくても機能しますが、本稼働環境で使用する前に、固有の証明書情報により基本の`apache`クラス内で更新する必要があります。 + +* RedHat: '/etc/pki/tls/private/localhost.key' +* Debian: '/etc/ssl/private/ssl-cert-snakeoil.key' +* FreeBSD: '/usr/local/etc/apache22/server.key' +* Gentoo: '/etc/ssl/apache2/server.key' + +##### `ssl_verify_client` + +[SSLVerifyClient](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslverifyclient)ディレクティブを設定します。これにより、クライアント認証に関する証明書確認レベルが設定されます。 + +``` puppet +apache::vhost { 'sample.example.net': + … + ssl_verify_client => 'optional', +} +``` + +値: 'none'、'optional'、'require'、'optional_no_ca'。 + +デフォルト値: `undef`。 + + +##### `ssl_verify_depth` + +[SSLVerifyDepth](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslverifydepth)ディレクティブを設定します。これにより、クライアント認証確認におけるCA証明書の最大深さが指定されます。これを有効にするには、`ssl_verify_client`を設定する必要があります。 + +``` puppet +apache::vhost { 'sample.example.net': + … + ssl_verify_client => 'require', + ssl_verify_depth => 1, +} +``` + +デフォルト値: `undef`。 + +##### `ssl_proxy_protocol` + +[SSLProxyProtocol](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxyprotocol)ディレクティブを設定します。これにより、プロキシに関するサーバ環境を確立する際に`mod_ssl`が使用すべきSSLプロトコルフレーバーを制御します。提示されたプロトコルのうちの1つのみを使用しているサーバに接続します。 + +デフォルト値: `undef`。 + +##### `ssl_proxy_verify` + +[SSLProxyVerify](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxyverify)ディレクティブを設定します。これにより、リクエストをリモートSSLサーバに転送するようにプロキシが設定されている場合のリモートサーバの証明書確認を設定します。 + +デフォルト値: `undef`。 + +##### `ssl_proxy_verify_depth` + +[SSLProxyVerifyDepth](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxyverifydepth)ディレクティブを設定します。これにより、リモートサーバに有効な証明書がないと判断するにあたり、mod_sslが行う確認の深さを設定します。 + +深さ0では、自己署名リモートサーバ証明書のみが許可されます。デフォルトの深さ 1では、リモートサーバ証明書を自己署名にすることも、サーバが直接知っているCAにより署名することもできます。 + +デフォルト値: `undef`。  + +##### `ssl_proxy_cipher_suite` + +[SSLProxyCipherSuite](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxyciphersuite)ディレクティブを設定します。このディレクティブは、sslプロキシトラフィックに対してサポートされる暗号化スイートを制御します。 + +デフォルト値: `undef`。  + +##### `ssl_proxy_ca_cert` + +[SSLProxyCACertificateFile](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxycacertificatefile)ディレクティブを設定します。これにより、やりとりするリモートサーバに関する認証局(CA)の証明書を集められるオールインワンファイルを指定します。これはリモートサーバ認証に用いられます。このファイルは、PEMエンコード証明書ファイルを優先順に連結したものにする必要があります。 + +デフォルト値: `undef`。  + +##### `ssl_proxy_machine_cert` + +[SSLProxyMachineCertificateFile](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxymachinecertificatefile)ディレクティブを設定します。これにより、このサーバがリモートサーバの認証に用いる証明書とキーを保存するオールインワンファイルを指定します。このファイルは、PEMエンコード証明書ファイルを優先順に連結したものにする必要があります。 + +``` puppet +apache::vhost { 'sample.example.net': + … + ssl_proxy_machine_cert => '/etc/httpd/ssl/client_certificate.pem', +} +``` + +デフォルト値: `undef`。  + +##### `ssl_proxy_check_peer_cn` + +[SSLProxyCheckPeerCN](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxycheckpeercn)ディレクティブを設定します。これにより、リモートサーバの証明書のCNフィールドをリクエストURLのホスト名と比較するかどうかを指定します。 + +値: 'on'、'off'。  + +デフォルト値: `undef`。  + +##### `ssl_proxy_check_peer_name` + +[SSLProxyCheckPeerName](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxycheckpeername)ディレクティブを設定します。これにより、リモートサーバの証明書のCNフィールドをリクエストURLのホスト名と比較するかどうかを決定します。 + +値: 'on'、'off'。  + +デフォルト値: `undef`。  + +##### `ssl_proxy_check_peer_expire` + +[SSLProxyCheckPeerExpire](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxycheckpeerexpire)ディレクティブを設定します。これにより、リモートサーバの証明書の有効期限をチェックするかどうかを指定します。 + +値: 'on'、'off'。  + +デフォルト値: `undef`。  + +##### `ssl_options` + +[SSLOptions](https://httpd.apache.org/docs/current/mod/mod_ssl.html#ssloptions)ディレクティブを設定します。これにより、各種のSSLエンジンのランタイムオプションを設定します。これは任意のバーチャルホスト全体の設定で、文字列にすることも配列にすることもできます。 + +文字列: + +``` puppet +apache::vhost { 'sample.example.net': + … + ssl_options => '+ExportCertData', +} +``` + +配列: + +``` puppet +apache::vhost { 'sample.example.net': + … + ssl_options => ['+StrictRequire', '+ExportCertData'], +} +``` + +デフォルト値: `undef`。 + +##### `ssl_openssl_conf_cmd` + +[SSLOpenSSLConfCmd](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslopensslconfcmd)ディレクティブを設定します。これにより、OpenSSLパラメータを直接設定できます。 + +デフォルト値: `undef`。  + +##### `ssl_proxyengine` + +[SSLProxyEngine](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxyengine)を使用するかどうかを指定します。 + +ブーリアン。 + +デフォルト値: `false`。 + +##### `ssl_stapling` + +[SSLUseStapling](http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslusestapling)を使用するかどうかを指定します。デフォルトでは、全体で設定されているものを使用します。 + +このパラメータはApache 2.4以上にのみ適用され、それ以前のバージョンでは無視されます。  + +ブーリアンまたは`undef`。 + +デフォルト値: `undef`。  + +##### `ssl_stapling_timeout` + +[SSLStaplingResponderTimeout](http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslstaplingrespondertimeout)ディレクティブの設定に使用できます。 + +このパラメータはApache 2.4以上にのみ適用され、それ以前のバージョンでは無視されます。  + +デフォルト値: なし。  + +##### `ssl_stapling_return_errors` + +[SSLStaplingReturnResponderErrors](http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslstaplingreturnrespondererrors)ディレクティブの設定に使用できます。 + +このパラメータはApache 2.4以上にのみ適用され、それ以前のバージョンでは無視されます。  + +デフォルト値: なし。  + +#### 定義タイプ: FastCGIサーバ + +このタイプは、mod\_fastcgiとともに使用します。特定のファイルタイプを扱う1つまたは複数の外部FastCGIサーバを定義することができます。 + +** 注意 ** Ubuntu 10.04+では、マルチバースリポジトリを手動で有効にする必要があります。 + +例: + +``` puppet +apache::fastcgi::server { 'php': + host => '127.0.0.1:9000', + timeout => 15, + flush => `false`, + faux_path => '/var/www/php.fcgi', + fcgi_alias => '/php.fcgi', + file_type => 'application/x-httpd-php', + pass_header => '' +} +``` + +その後、バーチャルホスト内で、上で指定したfastcgiサーバで扱う特定のファイルタイプを設定することができます。 + +``` puppet +apache::vhost { 'www': + ... + custom_fragment => 'AddType application/x-httpd-php .php' + ... +} +``` + +##### `host` + +FastCGIサーバのホスト名またはIPアドレスおよびTCPポート番号(1-65535)。 + +unixソケットを渡すこともできます。 + +``` puppet +apache::fastcgi::server { 'php': + host => '/var/run/fcgi.sock', +} +``` + +##### `timeout` + +リクエストが中止され、(エラーLogLevel)にイベントが記録されるまでに、FastCGIアプリケーションが非アクティブの状態で待機する秒数。この非アクティブタイマーは、FastCGIアプリケーションとの接続が待機中の場合のみ適用されます。アプリケーションの待ち行列に入ったリクエストに対して、時間内に記述やフラッシュによる応答がないと、リクエストは中止されます。アプリケーションとの通信が完了したものの、クライアントとの通信が完了しなかった(応答がバッファリングされた)場合は、タイムアウトは適用されません。 + +##### `flush` + +アプリケーションから受信したデータを、強制的にクライアントに書き込みます。デフォルトでは、アプリケーションをできるだけ早くフリーな状態にするために、`mod_fastcgi`はデータをバッファリングします。 + +##### `faux_path` + +ローカルファイルシステムに存在する必要はありません。Apacheがこのファイル名に解読するURIは、この外部FastCGIアプリケーションにより処理されます。 + +##### `alias` + +一意のエイリアス。 アクションとFastCGIサーバをリンクさせるために内部で用いられます。 + +##### `file_type` + +FastCGIサーバにより処理するファイルのMIMEタイプ。 + +##### `pass_header` + +リクエスト環境で渡されるHTTPリクエストヘッダの名前。このオプションにより、通常はCGI環境で利用できないヘッダコンテンツ(認証など)が利用できるようになります。 + +#### 定義タイプ: `apache::vhost::custom` + +`apache::vhost::custom`定義タイプは、 `apache::custom_config`定義タイプのシンラッパーで、Apacheにおいてバーチャルホストディレクトリに固有のデフォルト設定の一部をオーバーライドします。 + +**`apache::vhost::custom`内のパラメータ**: + +##### `content` + +設定ファイルのコンテンツを設定します。 + +##### `ensure` + +バーチャルホストファイルが存在するかどうかを指定します。 + +値: 'absent'、'present'。  + +デフォルト値: 'present'。  + +##### `priority` + +Apache HTTPD VirtualHost設定ファイルに関する相対的なロード順序を設定します。 + +デフォルト値: '25'。 + +##### `verify_config` + +Apacheサービスに通知する前に設定ファイルのバリデーションを行うかどうかを指定します。 + +ブーリアン。 + +デフォルト値: `true`。 + +### プライベート定義タイプ + +#### 定義タイプ: `apache::peruser::multiplexer`  + +この定義タイプは、Apacheモジュールにクラスがあるかどうかを確認します。クラスがある場合は、そのクラスを含めます。ない場合は、モジュール名を[`apache::mod`][]定義タイプに渡します。 + +#### 定義タイプ: `apache::peruser::multiplexer`  + +FreeBSDに関してのみ、[`Peruser`][]モジュールを有効にします。  + +#### 定義タイプ: `apache::peruser::processor` + +FreeBSDに関してのみ、[`Peruser`][]モジュールを有効にします。  + +#### 定義タイプ: `apache::security::file_link` + +[`apache::mod::security`][]の`activated_rules`をディスク上のそれぞれのCRSルールにリンクします。 + +### テンプレート + +Apacheモジュールは、[`apache::vhost`][]および[`apache::mod`][]定義タイプを有効にするにあたり、テンプレートに大きく依存しています。このテンプレートは、オペレーティングシステムに固有の[Facter][] factsをベースに構築されています。明示的にコールアウトされない限り、ほとんどのテンプレートは設定には使われません。 + +### タスク + +Apacheモジュールには、サービスの再起動なしでApache設定を再ロードできるタスクがあります。タスクの実行方法については、[Puppet Enterpriseマニュアル](https://puppet.com/docs/pe/2017.3/orchestrator/running_tasks.html)または[Boltマニュアル](https://puppet.com/docs/bolt/latest/bolt.html)を参照してください。 + +### 関数 +#### apache_pw_hash +Apacheが読みこむhtpasswdファイルに適したフォーマットでパスワードをハッシュします。 + +現在はSHAハッシュを使用しています。これは、このフォーマットは安全ではないとされているものの、ほとんどのプラットフォームでサポートされているもっとも安全なフォーマットであるためです。 + + +## 制約事項 + + サポートされているオペレーティングシステムの一覧については、[metadata.json](https://github.com/puppetlabs/puppetlabs-apache/blob/main/metadata.json)を参照してください。 + +### FreeBSD + +FreeBSDでこのモジュールを使用するには、apache24-2.4.12 (www/apache24)以降を使用する_必要があります_。 + +### Gentoo + +Gentooでは、このモジュールは[`gentoo/puppet-portage`][] Puppetモジュールに依存します。Gentooに関しては、一部の機能や設定が適用または有効化されますが、このモジュールに[対応するオペレーティングシステム][]ではありません。 + +### RHEL/CentOS +[`apache::mod::auth_cas`][]、[`apache::mod::passenger`][]、[`apache::mod::proxy_html`][]、[`apache::mod::shib`][]クラスは、追加のリポジトリから依存関係パッケージが提供されていなければ、RH/CentOSでは機能しません。 + +関連するリポジトリとパッケージについては、以下の各ドキュメントを参照してください。 + +#### RHEL/CentOS 5 + +[`apache::mod::passenger`][]および[`apache::mod::proxy_html`][]クラスは、リポジトリに適合するパッケージがないため、テストされていません。 + +#### RHEL/CentOS 6 + +[`apache::mod::passenger`][]クラスは、EL6リポジトリに適合するパッケージがないため、インストールされません。 + +#### RHEL/CentOS 7 + +[`apache::mod::passenger`][]および[`apache::mod::proxy_html`][]クラスは、EL7リポジトリに適合するパッケージがないため、テストされていません。また、[`apache::vhost`][]定義タイプの[`rack_base_uris`][]パラメータも、同様の理由でテストされていません。 + +### SELinuxおよびカスタムパス + +[SELinux][]が[適用モード][]になっていて、`logroot`、`mod_dir`、`vhost_dir`、`docroot`に関してカスタムパスを使用したい場合は、ファイルのコンテキストを各自で管理する必要があります。 + +これにはPuppetを使用できます。 + +``` puppet +exec { 'set_apache_defaults': + command => 'semanage fcontext -a -t httpd_sys_content_t "/custom/path(/.*)?"', + path => '/bin:/usr/bin/:/sbin:/usr/sbin', + require => Package['policycoreutils-python'], +} + +package { 'policycoreutils-python': + ensure => installed, +} + +exec { 'restorecon_apache': + command => 'restorecon -Rv /apache_spec', + path => '/bin:/usr/bin/:/sbin:/usr/sbin', + before => Class['Apache::Service'], + require => Class['apache'], +} + +class { 'apache': } + +host { 'test.server': + ip => '127.0.0.1', +} + +file { '/custom/path': + ensure => directory, +} + +file { '/custom/path/include': + ensure => present, + content => '#additional_includes', +} + +apache::vhost { 'test.server': + docroot => '/custom/path', + additional_includes => '/custom/path/include', +} +``` + +`chcon`ではなく、`semanage fcontext`を用いてコンテキストを設定する必要があります。これは、Puppetの`file`リソースでは、リソースにより指定されていない場合、その値のコンテキストがリセットされるためです。 + +### Ubuntu 16.04 +[`apache::mod::suphp`][]クラスは、リポジトリに適合するパッケージがないため、テストされていません。 + + +## 開発 + +### 貢献 + +[Puppet Forge][]上の[Puppet][]モジュールはオープンプロジェクトであり、その価値を維持するにはコミュニティからの貢献が欠かせません。Puppetが提供する膨大な数のプラットフォームや、無数のハードウェア、ソフトウェア、デプロイ設定に弊社がアクセスすることは不可能です。 + +できるだけ変更に簡単に貢献していただき、お使いの環境でモジュールが動作するようにしたいと考えています。モジュールの品質の維持と改善のため、Puppetは貢献者に守っていただくガイドラインを設けています。 + +詳細については、[モジュールコントリビューションガイド][]および[CONTRIBUTING.md][]を参照してください。 diff --git a/spec/acceptance/apache_parameters_spec.rb b/spec/acceptance/apache_parameters_spec.rb new file mode 100644 index 0000000000..27a8d1681e --- /dev/null +++ b/spec/acceptance/apache_parameters_spec.rb @@ -0,0 +1,614 @@ +# frozen_string_literal: true + +require 'spec_helper_acceptance' +apache_hash = apache_settings_hash +describe 'apache parameters' do + # Currently this test only does something on FreeBSD. + describe 'default_confd_files => false' do + it 'doesnt do anything' do + pp = "class { 'apache': default_confd_files => false }" + apply_manifest(pp, catch_failures: true) + end + + if os[:family] == 'freebsd' + describe file("#{apache_hash['confd_dir']}/no-accf.conf.epp") do + it { is_expected.not_to be_file } + end + end + end + + describe 'default_confd_files => true' do + it 'copies conf.d files' do + pp = "class { 'apache': default_confd_files => true }" + apply_manifest(pp, catch_failures: true) + end + + if os[:family] == 'freebsd' + describe file("#{apache_hash['confd_dir']}/no-accf.conf.epp") do + it { is_expected.to be_file } + end + end + end + + describe 'when set adds a listen statement' do + it 'applys cleanly' do + pp = "class { 'apache': ip => '10.1.1.1', service_ensure => stopped }" + apply_manifest(pp, catch_failures: true) + end + + describe file(apache_hash['ports_file']) do + it { is_expected.to be_file } + it { is_expected.to contain 'Listen 10.1.1.1' } + end + end + + describe 'service tests => true' do + pp = <<-MANIFEST + class { 'apache': + service_enable => true, + service_manage => true, + service_ensure => running, + } + MANIFEST + it 'starts the service' do + apply_manifest(pp, catch_failures: true) + end + + describe service(apache_hash['service_name']) do + it { is_expected.to be_running } + it { is_expected.to be_enabled } + end + end + + describe 'service tests => false' do + pp = <<-MANIFEST + class { 'apache': + service_enable => false, + service_ensure => stopped, + } + MANIFEST + it 'stops the service' do + apply_manifest(pp, catch_failures: true) + end + + describe service(apache_hash['service_name']) do + it { is_expected.not_to be_running } + it { is_expected.not_to be_enabled } + end + end + + describe 'service manage => false' do + pp = <<-MANIFEST + class { 'apache': + service_enable => true, + service_manage => false, + service_ensure => true, + } + MANIFEST + it 'we dont manage the service, so it shouldnt start the service' do + apply_manifest(pp, catch_failures: true) + end + + describe service(apache_hash['service_name']) do + it { is_expected.not_to be_running } + it { is_expected.not_to be_enabled } + end + end + + # IAC-785: The Shibboleth mod does not seem to be configured correctly on Debian 10 systems. We should reenable + # this test on Debian 10 systems once the issue has been RCA'd and resolved. + describe 'conf_enabled => /etc/apache2/conf-enabled', skip: 'IAC-785' do + pp = <<-MANIFEST + class { 'apache': + purge_configs => false, + conf_enabled => "/etc/apache2/conf-enabled" + } + MANIFEST + it 'applies cleanly' do + run_shell('touch /etc/apache2/conf-enabled/test.conf') + apply_manifest(pp, catch_failures: true) + end + + # Ensure the created file didn't disappear. + describe file('/etc/apache2/conf-enabled/test.conf') do + it { is_expected.to be_file } + end + + # Ensure the default file didn't disappear. + describe file('/etc/apache2/conf-enabled/security.conf') do + it { is_expected.to be_file } + end + end + + describe 'purge parameters => false' do + pp = <<-MANIFEST + class { 'apache': + purge_configs => false, + purge_vhost_dir => false, + vhost_dir => "#{apache_hash['confd_dir']}.vhosts" + } + MANIFEST + it 'applies cleanly' do + run_shell("touch #{apache_hash['confd_dir']}/test.conf") + run_shell("mkdir -p #{apache_hash['confd_dir']}.vhosts && touch #{apache_hash['confd_dir']}.vhosts/test.conf") + apply_manifest(pp, catch_failures: true) + end + + # Ensure the files didn't disappear. + describe file("#{apache_hash['confd_dir']}/test.conf") do + it { is_expected.to be_file } + end + + describe file("#{apache_hash['confd_dir']}.vhosts/test.conf") do + it { is_expected.to be_file } + end + end + + if os[:family] != 'debian' + describe 'purge parameters => true' do + pp = <<-MANIFEST + class { 'apache': + purge_configs => true, + purge_vhost_dir => true, + vhost_dir => "#{apache_hash['confd_dir']}.vhosts" + } + MANIFEST + it 'applies cleanly' do + run_shell("touch #{apache_hash['confd_dir']}/test.conf") + run_shell("mkdir -p #{apache_hash['confd_dir']}.vhosts && touch #{apache_hash['confd_dir']}.vhosts/test.conf") + apply_manifest(pp, catch_failures: true) + end + + # File should be gone + describe file("#{apache_hash['confd_dir']}/test.conf") do + it { is_expected.not_to be_file } + end + + describe file("#{apache_hash['confd_dir']}.vhosts/test.conf") do + it { is_expected.not_to be_file } + end + end + end + + describe 'serveradmin' do + it 'applies cleanly' do + pp = "class { 'apache': serveradmin => 'test@example.com' }" + apply_manifest(pp, catch_failures: true) + end + + describe file(apache_hash['vhost']) do + it { is_expected.to be_file } + it { is_expected.to contain 'ServerAdmin test@example.com' } + end + end + + describe 'sendfile' do + describe 'setup' do + it 'applies cleanly' do + pp = "class { 'apache': sendfile => 'On' }" + apply_manifest(pp, catch_failures: true) + end + end + + describe file(apache_hash['conf_file']) do + it { is_expected.to be_file } + it { is_expected.to contain 'EnableSendfile On' } + end + + describe 'setup' do + it 'applies cleanly' do + pp = "class { 'apache': sendfile => 'Off' }" + apply_manifest(pp, catch_failures: true) + end + end + + describe file(apache_hash['conf_file']) do + it { is_expected.to be_file } + it { is_expected.to contain 'Sendfile Off' } + end + end + + describe 'error_documents' do + describe 'setup' do + it 'applies cleanly' do + pp = "class { 'apache': error_documents => true }" + apply_manifest(pp, catch_failures: true) + end + end + + describe file(apache_hash['conf_file']) do + it { is_expected.to be_file } + it { is_expected.to contain 'Alias /error/' } + end + end + + describe 'timeout' do + describe 'setup' do + it 'applies cleanly' do + pp = "class { 'apache': timeout => 1234 }" + apply_manifest(pp, catch_failures: true) + end + end + + describe file(apache_hash['conf_file']) do + it { is_expected.to be_file } + it { is_expected.to contain 'Timeout 1234' } + end + end + + describe 'httpd_dir' do + describe 'setup' do + pp = <<-MANIFEST + class { 'apache': httpd_dir => '/tmp', service_ensure => stopped } + include 'apache::mod::mime' + MANIFEST + it 'applies cleanly' do + apply_manifest(pp, catch_failures: true) + end + end + + describe file("#{apache_hash['mod_dir']}/mime.conf") do + it { is_expected.to be_file } + it { is_expected.to contain 'AddLanguage eo .eo' } + end + end + + describe 'http_protocol_options' do + # Actually >= 2.4.24, but the minor version is not provided + # https://bugs.launchpad.net/ubuntu/+source/apache2/2.4.7-1ubuntu4.15 + # basically versions of the ubuntu or sles apache package cause issue + if apache_hash['version'] >= '2.4' && os[:family] !~ %r{ubuntu|sles} + describe 'setup' do + it 'applies cleanly' do + pp = "class { 'apache': http_protocol_options => 'Unsafe RegisteredMethods Require1.0'}" + apply_manifest(pp, catch_failures: true) + end + end + + describe file(apache_hash['conf_file']) do + it { is_expected.to be_file } + it { is_expected.to contain 'HttpProtocolOptions Unsafe RegisteredMethods Require1.0' } + end + end + end + + describe 'server_root' do + describe 'setup' do + it 'applies cleanly' do + pp = "class { 'apache': server_root => '/tmp/root', service_ensure => stopped }" + apply_manifest(pp, catch_failures: true) + end + end + + describe file(apache_hash['conf_file']) do + it { is_expected.to be_file } + it { is_expected.to contain 'ServerRoot "/tmp/root"' } + end + end + + describe 'confd_dir' do + describe 'setup' do + it 'applies cleanly' do + pp = "class { 'apache': confd_dir => '/tmp/root', service_ensure => stopped, use_optional_includes => true }" + apply_manifest(pp, catch_failures: true) + end + end + + if apache_hash['version'] == '2.4' + describe file(apache_hash['conf_file']) do + it { is_expected.to be_file } + it { is_expected.to contain 'IncludeOptional "/tmp/root/*.conf"' } + end + else + describe file(apache_hash['conf_file']) do + it { is_expected.to be_file } + it { is_expected.to contain 'Include "/tmp/root/*.conf"' } + end + end + end + + describe 'conf_template' do + describe 'setup' do + it 'applies cleanly' do + pp = "class { 'apache': conf_template => 'another/test.conf.epp', service_ensure => stopped }" + run_shell('mkdir -p /etc/puppetlabs/code/environments/production/modules/another/templates') + run_shell("echo 'testcontent' >> /etc/puppetlabs/code/environments/production/modules/another/templates/test.conf.epp") + apply_manifest(pp, catch_failures: true) + end + end + + describe file(apache_hash['conf_file']) do + it { is_expected.to be_file } + it { is_expected.to contain 'testcontent' } + end + end + + describe 'servername' do + describe 'setup' do + it 'applies cleanly' do + pp = "class { 'apache': servername => 'test.server', service_ensure => stopped }" + apply_manifest(pp, catch_failures: true) + end + end + + describe file(apache_hash['conf_file']) do + it { is_expected.to be_file } + it { is_expected.to contain 'ServerName "test.server"' } + end + end + + describe 'user' do + describe 'setup' do + pp = <<-MANIFEST + class { 'apache': + manage_user => true, + manage_group => true, + user => 'testweb', + group => 'testweb', + } + MANIFEST + it 'applies cleanly' do + apply_manifest(pp, catch_failures: true) + end + end + + describe user('testweb') do + it { is_expected.to exist } + it { is_expected.to belong_to_group 'testweb' } + end + + describe group('testweb') do + it { is_expected.to exist } + end + end + + describe 'logformats' do + describe 'setup' do + pp = <<-MANIFEST + class { 'apache': + log_formats => { + 'vhost_common' => '%v %h %l %u %t \\"%r\\" %>s %b', + 'vhost_combined' => '%v %h %l %u %t \\"%r\\" %>s %b \\"%{Referer}i\\" \\"%{User-agent}i\\"', + } + } + MANIFEST + it 'applies cleanly' do + apply_manifest(pp, catch_failures: true) + end + end + + describe file(apache_hash['conf_file']) do + it { is_expected.to be_file } + it { is_expected.to contain 'LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common' } + it { is_expected.to contain 'LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined' } + end + end + + describe 'keepalive' do + describe 'setup' do + it 'applies cleanly' do + pp = "class { 'apache': keepalive => 'Off', keepalive_timeout => 30, max_keepalive_requests => 200 }" + apply_manifest(pp, catch_failures: true) + end + end + + describe file(apache_hash['conf_file']) do + it { is_expected.to be_file } + it { is_expected.to contain 'KeepAlive Off' } + it { is_expected.to contain 'KeepAliveTimeout 30' } + it { is_expected.to contain 'MaxKeepAliveRequests 200' } + end + end + + describe 'limitrequestfieldsize' do + describe 'setup' do + it 'applies cleanly' do + pp = "class { 'apache': limitreqfieldsize => 16830 }" + apply_manifest(pp, catch_failures: true) + end + end + + describe file(apache_hash['conf_file']) do + it { is_expected.to be_file } + it { is_expected.to contain 'LimitRequestFieldSize 16830' } + end + end + + describe 'limitrequestfields' do + describe 'setup' do + it 'applies cleanly' do + pp = "class { 'apache': limitreqfields => 120 }" + apply_manifest(pp, catch_failures: true) + end + end + + describe file(apache_hash['conf_file']) do + it { is_expected.to be_file } + it { is_expected.to contain 'LimitRequestFields 120' } + end + end + + describe 'logging' do + describe 'setup' do + pp = <<-MANIFEST + if $facts['os']['family'] == 'RedHat' and $facts['os']['selinux']['enabled'] { + exec { 'set_apache_defaults': + command => 'semanage fcontext -a -t httpd_log_t "/apache_spec/logs(/.*)?"', + unless => 'semanage fcontext --list | grep /apache_spec/logs | grep httpd_log_t', + path => '/bin:/usr/bin/:/sbin:/usr/sbin', + } + exec { 'restorecon_apache': + command => 'restorecon -Rv /apache_spec', + path => '/bin:/usr/bin/:/sbin:/usr/sbin', + before => Service['httpd'], + require => [File['/apache_spec'], Class['apache']], + subscribe => Exec['set_apache_defaults'], + refreshonly => true, + } + } + file { ['/apache_spec', '/apache_spec/logs']: ensure => directory, } + class { 'apache': logroot => '/apache_spec/logs' } + MANIFEST + it 'applies cleanly' do + apply_manifest(pp, catch_failures: true) + end + end + + describe file("/apache_spec/logs/#{apache_hash['error_log']}") do + it { is_expected.to be_file } + end + end + + describe 'ports_file' do + pp = <<-MANIFEST + file { '/apache_spec': ensure => directory, } + class { 'apache': + ports_file => '/apache_spec/ports_file', + ip => '10.1.1.1', + service_ensure => stopped + } + MANIFEST + it 'applys cleanly' do + apply_manifest(pp, catch_failures: true) + end + + describe file('/apache_spec/ports_file') do + it { is_expected.to be_file } + it { is_expected.to contain 'Listen 10.1.1.1' } + end + end + + describe 'server_tokens' do + pp = <<-MANIFEST + class { 'apache': + server_tokens => 'Minor', + } + MANIFEST + it 'applys cleanly' do + apply_manifest(pp, catch_failures: true) + end + + describe file(apache_hash['conf_file']) do + it { is_expected.to be_file } + it { is_expected.to contain 'ServerTokens Minor' } + end + end + + describe 'server_signature' do + pp = <<-MANIFEST + class { 'apache': + server_signature => 'testsig', + service_ensure => stopped, + } + MANIFEST + it 'applys cleanly' do + apply_manifest(pp, catch_failures: true) + end + + describe file(apache_hash['conf_file']) do + it { is_expected.to be_file } + it { is_expected.to contain 'ServerSignature testsig' } + end + end + + describe 'hostname_lookups' do + describe 'setup' do + it 'applies cleanly' do + pp = "class { 'apache': hostname_lookups => 'On' }" + apply_manifest(pp, catch_failures: true) + end + end + + describe file(apache_hash['conf_file']) do + it { is_expected.to be_file } + it { is_expected.to contain 'HostnameLookups On' } + end + + describe 'setup' do + it 'applies cleanly' do + pp = "class { 'apache': hostname_lookups => 'Off' }" + apply_manifest(pp, catch_failures: true) + end + end + + describe file(apache_hash['conf_file']) do + it { is_expected.to be_file } + it { is_expected.to contain 'HostnameLookups Off' } + end + + describe 'setup' do + it 'applies cleanly' do + pp = "class { 'apache': hostname_lookups => 'Double' }" + apply_manifest(pp, catch_failures: true) + end + end + + describe file(apache_hash['conf_file']) do + it { is_expected.to be_file } + it { is_expected.to contain 'HostnameLookups Double' } + end + end + + describe 'trace_enable' do + pp = <<-MANIFEST + class { 'apache': + trace_enable => 'Off', + } + MANIFEST + it 'applys cleanly' do + apply_manifest(pp, catch_failures: true) + end + + describe file(apache_hash['conf_file']) do + it { is_expected.to be_file } + it { is_expected.to contain 'TraceEnable Off' } + end + end + + describe 'limitreqline' do + pp = <<-MANIFEST + class { 'apache': + limitreqline => 8190, + } + MANIFEST + it 'applys cleanly' do + apply_manifest(pp, catch_failures: true) + end + + describe file(apache_hash['conf_file']) do + it { is_expected.to be_file } + it { is_expected.to contain 'LimitRequestLine 8190' } + end + end + + describe 'file_e_tag' do + pp = <<-MANIFEST + class { 'apache': + file_e_tag => 'None', + } + MANIFEST + it 'applys cleanly' do + apply_manifest(pp, catch_failures: true) + end + + describe file(apache_hash['conf_file']) do + it { is_expected.to be_file } + it { is_expected.to contain 'FileETag None' } + end + end + + describe 'package_ensure' do + pp = <<-MANIFEST + class { 'apache': + package_ensure => present, + } + MANIFEST + it 'applys cleanly' do + apply_manifest(pp, catch_failures: true) + end + + describe package(apache_hash['package_name']) do + it { is_expected.to be_installed } + end + end +end diff --git a/spec/acceptance/apache_ssl_spec.rb b/spec/acceptance/apache_ssl_spec.rb new file mode 100644 index 0000000000..08b249c9e4 --- /dev/null +++ b/spec/acceptance/apache_ssl_spec.rb @@ -0,0 +1,197 @@ +# frozen_string_literal: true + +require 'spec_helper_acceptance' +apache_hash = apache_settings_hash +describe 'apache ssl' do + describe 'ssl parameters' do + pp = <<-MANIFEST + class { 'apache': + service_ensure => stopped, + default_ssl_vhost => true, + default_ssl_cert => '/tmp/ssl_cert', + default_ssl_key => '/tmp/ssl_key', + default_ssl_chain => '/tmp/ssl_chain', + default_ssl_ca => '/tmp/ssl_ca', + default_ssl_crl_path => '/tmp/ssl_crl_path', + default_ssl_crl => '/tmp/ssl_crl', + default_ssl_crl_check => 'chain', + } + MANIFEST + it 'runs without error' do + idempotent_apply(pp) + end + + describe file("#{apache_hash['mod_ssl_dir']}/ssl.conf") do + it { is_expected.to be_file } + + if os[:family].include?('redhat') && os[:release].to_i >= 8 + it { is_expected.not_to contain 'SSLProtocol' } + elsif ['debian', 'ubuntu'].include?(os[:family]) + it { is_expected.to contain 'SSLProtocol all -SSLv3' } + else + it { is_expected.to contain 'SSLProtocol all -SSLv2 -SSLv3' } + end + end + + describe file("#{apache_hash['vhost_dir']}/15-default-ssl-443.conf") do + it { is_expected.to be_file } + it { is_expected.to contain 'SSLCertificateFile "/tmp/ssl_cert"' } + it { is_expected.to contain 'SSLCertificateKeyFile "/tmp/ssl_key"' } + it { is_expected.to contain 'SSLCertificateChainFile "/tmp/ssl_chain"' } + it { is_expected.to contain 'SSLCACertificateFile "/tmp/ssl_ca"' } + it { is_expected.to contain 'SSLCARevocationPath "/tmp/ssl_crl_path"' } + it { is_expected.to contain 'SSLCARevocationFile "/tmp/ssl_crl"' } + + if apache_hash['version'] == '2.4' + it { is_expected.to contain 'SSLCARevocationCheck chain' } + else + it { is_expected.not_to contain 'SSLCARevocationCheck' } + end + end + end + + describe 'vhost ssl parameters' do + pp = <<-MANIFEST + file { [ + '/tmp/ssl_cert', + '/tmp/ssl_key', + '/tmp/ssl_chain', + '/tmp/ssl_ca', + '/tmp/ssl_crl', + ]: + ensure => file, + before => Class['apache'] + } + + class { 'apache': + service_ensure => stopped, + } + + apache::vhost { 'test_ssl': + docroot => '/tmp/test', + ssl => true, + ssl_cert => '/tmp/ssl_cert', + ssl_key => '/tmp/ssl_key', + ssl_chain => '/tmp/ssl_chain', + ssl_ca => '/tmp/ssl_ca', + ssl_crl_path => '/tmp/ssl_crl_path', + ssl_crl => '/tmp/ssl_crl', + ssl_crl_check => 'chain flag', + ssl_certs_dir => '/tmp', + ssl_reload_on_change => true, + ssl_protocol => 'test', + ssl_cipher => 'test', + ssl_honorcipherorder => true, + ssl_verify_client => 'require', + ssl_verify_depth => 1, + ssl_options => ['test', 'test1'], + ssl_proxyengine => true, + ssl_proxy_protocol => 'TLSv1.2', + } + MANIFEST + it 'runs without error' do + idempotent_apply(pp) + end + + describe file("#{apache_hash['vhost_dir']}/25-test_ssl.conf") do + it { is_expected.to be_file } + it { is_expected.to contain 'SSLCertificateFile "/tmp/ssl_cert"' } + it { is_expected.to contain 'SSLCertificateKeyFile "/tmp/ssl_key"' } + it { is_expected.to contain 'SSLCertificateChainFile "/tmp/ssl_chain"' } + it { is_expected.to contain 'SSLCACertificateFile "/tmp/ssl_ca"' } + it { is_expected.to contain 'SSLCACertificatePath "/tmp"' } + it { is_expected.to contain 'SSLCARevocationPath "/tmp/ssl_crl_path"' } + it { is_expected.to contain 'SSLCARevocationFile "/tmp/ssl_crl"' } + it { is_expected.to contain 'SSLProxyEngine On' } + it { is_expected.to contain 'SSLProtocol test' } + it { is_expected.to contain 'SSLCipherSuite test' } + it { is_expected.to contain 'SSLHonorCipherOrder On' } + it { is_expected.to contain 'SSLVerifyClient require' } + it { is_expected.to contain 'SSLVerifyDepth 1' } + it { is_expected.to contain 'SSLOptions test test1' } + + if apache_hash['version'] == '2.4' + it { is_expected.to contain 'SSLCARevocationCheck chain flag' } + else + it { is_expected.not_to contain 'SSLCARevocationCheck' } + end + end + + describe file("#{apache_hash['httpd_dir']}/puppet_ssl/test_ssl_tmp_ssl_cert") do + it { is_expected.to be_file } + end + + describe file("#{apache_hash['httpd_dir']}/puppet_ssl/test_ssl_tmp_ssl_key") do + it { is_expected.to be_file } + end + + describe file("#{apache_hash['httpd_dir']}/puppet_ssl/test_ssl_tmp_ssl_chain") do + it { is_expected.to be_file } + end + + describe file("#{apache_hash['httpd_dir']}/puppet_ssl/test_ssl_tmp_ssl_ca") do + it { is_expected.to be_file } + end + + describe file("#{apache_hash['httpd_dir']}/puppet_ssl/test_ssl_tmp_ssl_crl") do + it { is_expected.to be_file } + end + end + + describe 'vhost ssl ssl_ca only' do + pp = <<-MANIFEST + class { 'apache': + service_ensure => stopped, + } + + apache::vhost { 'test_ssl_ca_only': + docroot => '/tmp/test', + ssl => true, + ssl_cert => '/tmp/ssl_cert', + ssl_key => '/tmp/ssl_key', + ssl_ca => '/tmp/ssl_ca', + ssl_verify_client => 'optional', + } + MANIFEST + it 'runs without error' do + idempotent_apply(pp) + end + + describe file("#{apache_hash['vhost_dir']}/25-test_ssl_ca_only.conf") do + it { is_expected.to be_file } + it { is_expected.to contain 'SSLCertificateFile "/tmp/ssl_cert"' } + it { is_expected.to contain 'SSLCertificateKeyFile "/tmp/ssl_key"' } + it { is_expected.to contain 'SSLCACertificateFile "/tmp/ssl_ca"' } + it { is_expected.not_to contain 'SSLCACertificatePath' } + end + end + + describe 'vhost ssl ssl_certs_dir' do + pp = <<-MANIFEST + class { 'apache': + service_ensure => stopped, + } + + apache::vhost { 'test_ssl_certs_dir_only': + docroot => '/tmp/test', + ssl => true, + ssl_cert => '/tmp/ssl_cert', + ssl_key => '/tmp/ssl_key', + ssl_certs_dir => '/tmp', + ssl_verify_client => 'require', + } + MANIFEST + it 'runs without error' do + idempotent_apply(pp) + end + + describe file("#{apache_hash['vhost_dir']}/25-test_ssl_certs_dir_only.conf") do + it { is_expected.to be_file } + it { is_expected.to contain 'SSLCertificateFile "/tmp/ssl_cert"' } + it { is_expected.to contain 'SSLCertificateKeyFile "/tmp/ssl_key"' } + it { is_expected.to contain 'SSLCACertificatePath "/tmp"' } + it { is_expected.to contain 'SSLVerifyClient require' } + it { is_expected.not_to contain 'SSLCACertificateFile' } + end + end +end diff --git a/spec/acceptance/auth_openidc_spec.rb b/spec/acceptance/auth_openidc_spec.rb new file mode 100644 index 0000000000..e61c92ac71 --- /dev/null +++ b/spec/acceptance/auth_openidc_spec.rb @@ -0,0 +1,31 @@ +# frozen_string_literal: true + +require 'spec_helper_acceptance' + +describe 'apache::mod::auth_openidc', if: mod_supported_on_platform?('apache::mod::auth_openidc') do + pp = <<-MANIFEST + include apache + apache::vhost { 'example.com': + docroot => '/var/www/example.com', + port => 80, + auth_oidc => true, + oidc_settings => { + 'ProviderMetadataURL' => 'https://login.example.com/.well-known/openid-configuration', + 'ClientID' => 'test', + 'RedirectURI' => 'https://login.example.com/redirect_uri', + 'ProviderTokenEndpointAuth' => 'client_secret_basic', + 'RemoteUserClaim' => 'sub', + 'ClientSecret' => 'aae053a9-4abf-4824-8956-e94b2af335c8', + 'CryptoPassphrase' => '4ad1bb46-9979-450e-ae58-c696967df3cd', + }, + } + MANIFEST + + it 'succeeds in configuring a virtual host using mod_auth_openidc' do + apply_manifest(pp, catch_failures: true) + end + + it 'is idempotent' do + apply_manifest(pp, catch_changes: true) + end +end diff --git a/spec/acceptance/class_spec.rb b/spec/acceptance/class_spec.rb new file mode 100644 index 0000000000..e1ce12f132 --- /dev/null +++ b/spec/acceptance/class_spec.rb @@ -0,0 +1,64 @@ +# frozen_string_literal: true + +require 'spec_helper_acceptance' +apache_hash = apache_settings_hash +describe 'apache class' do + context 'default parameters' do + let(:pp) { "class { 'apache': }" } + + it 'behaves idempotently' do + idempotent_apply(pp) + end + + describe package(apache_hash['package_name']) do + it { is_expected.to be_installed } + end + + describe service(apache_hash['service_name']) do + it { is_expected.to be_enabled } + it { is_expected.to be_running } + end + + describe port(80) do + it { is_expected.to be_listening } + end + end + + context 'custom site/mod dir parameters' do + let(:pp) do + <<-MANIFEST + if $facts['os']['family'] == 'RedHat' and $facts['os']['selinux']['enabled'] { + exec { 'set_apache_defaults': + command => 'semanage fcontext --add -t httpd_config_t "/apache_spec/apache_custom(/.*)?"', + unless => 'semanage fcontext --list | grep /apache_spec/apache_custom | grep httpd_config_t', + path => '/bin:/usr/bin/:/sbin:/usr/sbin', + } + exec { 'restorecon_apache': + command => 'restorecon -Rv /apache_spec', + path => '/bin:/usr/bin/:/sbin:/usr/sbin', + before => Service['httpd'], + require => [File['/apache_spec/apache_custom'], Class['apache']], + subscribe => Exec['set_apache_defaults'], + refreshonly => true, + } + } + file { ['/apache_spec', '/apache_spec/apache_custom']: + ensure => directory, + } + class { 'apache': + mod_dir => '/apache_spec/apache_custom/mods', + vhost_dir => '/apache_spec/apache_custom/vhosts', + } + MANIFEST + end + + it 'behaves idempotently' do + idempotent_apply(pp) + end + + describe service(apache_hash['service_name']) do + it { is_expected.to be_enabled } + it { is_expected.to be_running } + end + end +end diff --git a/spec/acceptance/custom_config_spec.rb b/spec/acceptance/custom_config_spec.rb new file mode 100644 index 0000000000..94754240ea --- /dev/null +++ b/spec/acceptance/custom_config_spec.rb @@ -0,0 +1,92 @@ +# frozen_string_literal: true + +require 'spec_helper_acceptance' +apache_hash = apache_settings_hash +describe 'apache::custom_config define' do + context 'invalid config' do + pp = <<-MANIFEST + class { 'apache': } + apache::custom_config { 'acceptance_test': + content => 'INVALID', + } + MANIFEST + it 'does not add the config' do + apply_manifest(pp, expect_failures: true) + end + + describe file("#{apache_hash['confd_dir']}/25-acceptance_test.conf") do + it { expect(file).not_to exist } + end + end + + context 'valid config' do + pp = <<-MANIFEST + class { 'apache': } + apache::custom_config { 'acceptance_test': + content => '# just a comment', + } + MANIFEST + it 'adds the config' do + apply_manifest(pp, catch_failures: true) + end + + describe file("#{apache_hash['confd_dir']}/25-acceptance_test.conf") do + it { is_expected.to contain '# just a comment' } + end + end + + context 'with a custom filename' do + pp = <<-MANIFEST + class { 'apache': } + apache::custom_config { 'filename_test': + filename => 'custom_filename', + content => '# just another comment', + } + MANIFEST + it 'stores content in the described file' do + apply_manifest(pp, catch_failures: true) + end + + describe file("#{apache_hash['confd_dir']}/custom_filename") do + it { is_expected.to contain '# just another comment' } + end + end + + describe 'custom_config without priority prefix' do + pp = <<-MANIFEST + class { 'apache': } + apache::custom_config { 'prefix_test': + priority => false, + content => '# just a comment', + } + MANIFEST + it 'applies cleanly' do + apply_manifest(pp, catch_failures: true) + end + + describe file("#{apache_hash['confd_dir']}/prefix_test.conf") do + it { is_expected.to be_file } + end + end + + describe 'custom_config only applied after configs are written' do + pp = <<-MANIFEST + class { 'apache': } + + apache::custom_config { 'ordering_test': + content => '# just a comment', + } + + # Try to wedge the apache::custom_config call between when httpd.conf is written and + # ports.conf is written. This should trigger a dependency cycle + File["#{apache_hash['conf_file']}"] -> Apache::Custom_config['ordering_test'] -> Concat["#{apache_hash['ports_file']}"] + MANIFEST + it 'applies in the right order' do + expect(apply_manifest(pp, expect_failures: true).stderr).to match(%r{Found 1 dependency cycle}i) + end + + describe file("#{apache_hash['confd_dir']}/25-ordering_test.conf") do + it { is_expected.not_to be_file } + end + end +end diff --git a/spec/acceptance/default_mods_spec.rb b/spec/acceptance/default_mods_spec.rb new file mode 100644 index 0000000000..83872c634b --- /dev/null +++ b/spec/acceptance/default_mods_spec.rb @@ -0,0 +1,80 @@ +# frozen_string_literal: true + +require 'spec_helper_acceptance' +apache_hash = apache_settings_hash +describe 'apache::default_mods class' do + describe 'no default mods' do + let(:pp) do + <<-MANIFEST + class { 'apache': + default_mods => false, + } + MANIFEST + end + + it 'behaves idempotently' do + idempotent_apply(pp) + end + + describe service(apache_hash['service_name']) do + it { is_expected.to be_running } + end + end + + describe 'alternative default mods' do + let(:pp) do + <<-MANIFEST + class { 'apache': + default_mods => [ + 'info', + 'alias', + 'mime', + 'env', + 'expires', + ], + } + apache::vhost { 'defaults.example.com': + docroot => '#{apache_hash['doc_root']}/defaults', + aliases => [ + { + alias => '/css', + path => '#{apache_hash['doc_root']}/css', + }, + ], + setenv => 'TEST1 one', + } + MANIFEST + end + + it 'behaves idempotently' do + idempotent_apply(pp) + end + + describe service(apache_hash['service_name']) do + it { is_expected.to be_running } + end + end + + describe 'change loadfile name' do + let(:pp) do + <<-MANIFEST + class { 'apache': default_mods => false } + ::apache::mod { 'auth_basic': + loadfile_name => 'zz_auth_basic.load', + } + MANIFEST + end + + it 'behaves idempotently' do + idempotent_apply(pp) + end + + describe service(apache_hash['service_name']) do + it { is_expected.to be_running } + end + + describe file("#{apache_hash['mod_dir']}/zz_auth_basic.load") do + it { is_expected.to be_file } + end + end +end diff --git a/spec/acceptance/init_task_spec.rb b/spec/acceptance/init_task_spec.rb new file mode 100644 index 0000000000..bfe8c34b6b --- /dev/null +++ b/spec/acceptance/init_task_spec.rb @@ -0,0 +1,20 @@ +# frozen_string_literal: true + +require 'spec_helper_acceptance' + +describe 'apache tasks' do + describe 'reload' do + pp = <<-MANIFEST + class { 'apache': + default_vhost => false, + } + apache::listen { '9090':} + MANIFEST + it 'execute reload' do + apply_manifest(pp, catch_failures: true) + + result = run_bolt_task('apache', 'action' => 'reload') + expect(result.stdout).to contain(%(reload successful)) + end + end +end diff --git a/spec/acceptance/itk_spec.rb b/spec/acceptance/itk_spec.rb new file mode 100644 index 0000000000..cb183def2f --- /dev/null +++ b/spec/acceptance/itk_spec.rb @@ -0,0 +1,34 @@ +# frozen_string_literal: true + +require 'spec_helper_acceptance' + +case os[:family] +when 'debian', 'ubuntu' + service_name = 'apache2' +when 'redhat' + service_name = 'httpd' +when 'freebsd' + service_name = 'apache24' +end + +# IAC-787: The http-itk mod package is not available in any of the standard RHEL/CentOS 8.x repos. Disable this test +# on those platforms until we can find a suitable source for this package. +describe 'apache::mod::itk class', if: service_name && mod_supported_on_platform?('apache::mod::itk') do + describe 'running puppet code' do + pp = <<-MANIFEST + class { 'apache': + mpm_module => 'prefork', + } + class { 'apache::mod::itk': } + MANIFEST + + it 'behaves idempotently' do + idempotent_apply(pp) + end + end + + describe service(service_name) do + it { is_expected.to be_running } + it { is_expected.to be_enabled } + end +end diff --git a/spec/acceptance/mod_apreq2_spec.rb b/spec/acceptance/mod_apreq2_spec.rb new file mode 100644 index 0000000000..0708ea7068 --- /dev/null +++ b/spec/acceptance/mod_apreq2_spec.rb @@ -0,0 +1,15 @@ +# frozen_string_literal: true + +require 'spec_helper_acceptance' +_apache_hash = apache_settings_hash + +describe 'apache::mod::apreq2', if: mod_supported_on_platform?('apache::mod::apreq2') do + pp = <<-MANIFEST + class { 'apache' : } + class { 'apache::mod::apreq2': } + MANIFEST + + it 'succeeds in installing the mod_authnz_apreq2 module' do + apply_manifest(pp, catch_failures: true) + end +end diff --git a/spec/acceptance/mod_authnz_ldap_spec.rb b/spec/acceptance/mod_authnz_ldap_spec.rb new file mode 100644 index 0000000000..aa92bcf51b --- /dev/null +++ b/spec/acceptance/mod_authnz_ldap_spec.rb @@ -0,0 +1,37 @@ +# frozen_string_literal: true + +require 'spec_helper_acceptance' +apache_hash = apache_settings_hash + +# We need to restrict this test to RHEL 7.x, 8.x derived OSs as there are too many unique +# dependency issues to solve on all supported platforms. +describe 'apache::mod::authnz_ldap', if: mod_supported_on_platform?('apache::mod::authnz_ldap') do + context 'Default mod_authnz_ldap module installation' do + pp = if run_shell("grep 'Oracle Linux Server' /etc/os-release", expect_failures: true).exit_status == 0 + <<-MANIFEST + yumrepo { 'ol7_optional_latest': + name => 'ol7_optional_latest', + baseurl => 'https://yum.oracle.com/repo/OracleLinux/OL7/optional/latest/x86_64/', + gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle', + gpgcheck => 1, + enabled => 1, + } + class { 'apache': } + class { 'apache::mod::authnz_ldap': } + MANIFEST + else + <<-MANIFEST + class { 'apache': } + class { 'apache::mod::authnz_ldap': } + MANIFEST + end + + it 'succeeds in installing the mod_authnz_ldap module' do + apply_manifest(pp, catch_failures: true) + end + + describe file("#{apache_hash['mod_dir']}/authnz_ldap.load") do + it { is_expected.to contain 'mod_authnz_ldap.so' } + end + end +end diff --git a/spec/acceptance/mod_dav_svn_spec.rb b/spec/acceptance/mod_dav_svn_spec.rb new file mode 100644 index 0000000000..956036b747 --- /dev/null +++ b/spec/acceptance/mod_dav_svn_spec.rb @@ -0,0 +1,39 @@ +# frozen_string_literal: true + +require 'spec_helper_acceptance' + +describe 'apache::mod::dav_svn class' do + context 'dav_svn module with authz_svn disabled' do + pp = <<-MANIFEST + class { 'apache': } + class { 'apache::mod::dav_svn': + authz_svn_enabled => false, + } + MANIFEST + + it 'applies with no errors' do + apply_manifest(pp, catch_failures: true) + end + + it 'applies a second time without changes' do + apply_manifest(pp, catch_changes: true) + end + end + + context 'dav_svn module with authz_svn enabled' do + pp = <<-MANIFEST + class { 'apache': } + class { 'apache::mod::dav_svn': + authz_svn_enabled => true, + } + MANIFEST + + it 'applies with no errors' do + apply_manifest(pp, catch_failures: true) + end + + it 'applies a second time without changes' do + apply_manifest(pp, catch_changes: true) + end + end +end diff --git a/spec/acceptance/mod_ldap_spec.rb b/spec/acceptance/mod_ldap_spec.rb new file mode 100644 index 0000000000..2924046a7b --- /dev/null +++ b/spec/acceptance/mod_ldap_spec.rb @@ -0,0 +1,21 @@ +# frozen_string_literal: true + +require 'spec_helper_acceptance' +apache_hash = apache_settings_hash + +describe 'apache::mod::ldap', if: mod_supported_on_platform?('apache::mod::ldap') do + context 'Default ldap module installation' do + pp = <<-MANIFEST + class { 'apache': } + class { 'apache::mod::ldap': } + MANIFEST + + it 'succeeds in installing the ldap module' do + apply_manifest(pp, catch_failures: true) + end + + describe file("#{apache_hash['mod_dir']}/ldap.load") do + it { is_expected.to contain 'mod_ldap.so' } + end + end +end diff --git a/spec/acceptance/mod_md_spec.rb b/spec/acceptance/mod_md_spec.rb new file mode 100644 index 0000000000..047c7c5116 --- /dev/null +++ b/spec/acceptance/mod_md_spec.rb @@ -0,0 +1,20 @@ +# frozen_string_literal: true + +require 'spec_helper_acceptance' + +describe 'apache::mod::md', if: mod_supported_on_platform?('apache::mod::md') do + pp = <<-MANIFEST + class { 'apache': + } + apache::vhost { 'example.com': + docroot => '/var/www/example.com', + port => 443, + ssl => true, + mdomain => true, + } + MANIFEST + + it 'succeeds in configuring a virtual host using mod_md' do + apply_manifest(pp, catch_failures: true) + end +end diff --git a/spec/acceptance/mod_php_spec.rb b/spec/acceptance/mod_php_spec.rb new file mode 100644 index 0000000000..8fd3dc9c29 --- /dev/null +++ b/spec/acceptance/mod_php_spec.rb @@ -0,0 +1,105 @@ +# frozen_string_literal: true + +require 'spec_helper_acceptance' +apache_hash = apache_settings_hash + +describe 'apache::mod::php class', if: mod_supported_on_platform?('apache::mod::php') do + context 'default php config' do + pp = <<-MANIFEST + class { 'apache': + mpm_module => 'prefork', + } + class { 'apache::mod::php': } + apache::vhost { 'php.example.com': + port => 80, + docroot => '#{apache_hash['doc_root']}/php', + } + host { 'php.example.com': ip => '127.0.0.1', } + file { '#{apache_hash['doc_root']}/php/index.php': + ensure => file, + content => "\\n", + } + MANIFEST + + it 'succeeds in puppeting php' do + apply_manifest(pp, catch_failures: true) + end + + if os[:family] == 'debian' && os[:release] =~ %r{^9\.} + describe file("#{apache_hash['mod_dir']}/php7.0.conf") do + it { is_expected.to contain 'DirectoryIndex index.php' } + end + elsif os[:family] == 'debian' && os[:release] =~ %r{^10\.} + describe file("#{apache_hash['mod_dir']}/php7.3.conf") do + it { is_expected.to contain 'DirectoryIndex index.php' } + end + elsif os[:family] == 'debian' && os[:release] =~ %r{^11\.} + describe file("#{apache_hash['mod_dir']}/php7.4.conf") do + it { is_expected.to contain 'DirectoryIndex index.php' } + end + elsif os[:family] == 'debian' && os[:release] =~ %r{^12} + describe file("#{apache_hash['mod_dir']}/php8.2.conf") do + it { is_expected.to contain 'DirectoryIndex index.php' } + end + elsif os[:family] == 'ubuntu' && os[:release] == '18.04' + describe file("#{apache_hash['mod_dir']}/php7.2.conf") do + it { is_expected.to contain 'DirectoryIndex index.php' } + end + elsif os[:family] == 'ubuntu' && os[:release] == '20.04' + describe file("#{apache_hash['mod_dir']}/php7.4.conf") do + it { is_expected.to contain 'DirectoryIndex index.php' } + end + elsif os[:family] == 'ubuntu' && os[:release] == '22.04' + describe file("#{apache_hash['mod_dir']}/php8.1.conf") do + it { is_expected.to contain 'DirectoryIndex index.php' } + end + elsif os[:family] == 'redhat' && os[:release] =~ %r{^(8)\b} + describe file("#{apache_hash['mod_dir']}/php7.conf") do + it { is_expected.to contain 'DirectoryIndex index.php' } + end + elsif os[:family] == 'sles' && os[:release].to_i >= 15 + describe file("#{apache_hash['mod_dir']}/php7.conf") do + it { is_expected.to contain 'DirectoryIndex index.php' } + end + else + describe file("#{apache_hash['mod_dir']}/php5.conf") do + it { is_expected.to contain 'DirectoryIndex index.php' } + end + end + end + + context 'custom extensions, php_flag, php_value, php_admin_flag, and php_admin_value' do + pp = <<-MANIFEST + class { 'apache': + mpm_module => 'prefork', + } + class { 'apache::mod::php': + extensions => ['.php','.php5'], + } + + apache::vhost { 'php.example.com': + port => 80, + docroot => '#{apache_hash['doc_root']}/php', + php_values => { 'include_path' => '.:/usr/share/pear:/usr/bin/php', }, + php_flags => { 'display_errors' => 'on', }, + php_admin_values => { 'open_basedir' => '/var/www/php/:/usr/share/pear/', }, + php_admin_flags => { 'engine' => 'on', }, + } + host { 'php.example.com': ip => '127.0.0.1', } + file { '#{apache_hash['doc_root']}/php/index.php5': + ensure => file, + content => "\\n", + } + MANIFEST + it 'succeeds in puppeting php' do + apply_manifest(pp, catch_failures: true) + end + + describe file("#{apache_hash['vhost_dir']}/25-php.example.com.conf") do + it { is_expected.to contain ' php_flag display_errors on' } + it { is_expected.to contain ' php_value include_path ".:/usr/share/pear:/usr/bin/php"' } + it { is_expected.to contain ' php_admin_flag engine on' } + it { is_expected.to contain ' php_admin_value open_basedir /var/www/php/:/usr/share/pear/' } + end + end +end diff --git a/spec/acceptance/mod_security_spec.rb b/spec/acceptance/mod_security_spec.rb new file mode 100644 index 0000000000..dedab8e505 --- /dev/null +++ b/spec/acceptance/mod_security_spec.rb @@ -0,0 +1,31 @@ +# frozen_string_literal: true + +require 'spec_helper_acceptance' +apache_hash = apache_settings_hash + +describe 'apache::mod::security class', if: mod_supported_on_platform?('apache::mod::security') do + context 'default mod security config' do + pp = <<-MANIFEST + class { 'apache': } + class { 'apache::mod::security': } + MANIFEST + it 'succeeds in puppeting mod security' do + apply_manifest(pp, catch_failures: true) + end + end + + context 'with vhost config' do + pp = <<-MANIFEST + class { 'apache': } + class { 'apache::mod::security': } + apache::vhost { 'modsecurity.example.com': + port => 80, + docroot => '#{apache_hash['doc_root']}', + } + host { 'modsecurity.example.com': ip => '127.0.0.1', } + MANIFEST + it 'succeeds in puppeting mod security' do + apply_manifest(pp, catch_failures: true) + end + end +end diff --git a/spec/acceptance/prefork_worker_spec.rb b/spec/acceptance/prefork_worker_spec.rb new file mode 100644 index 0000000000..1c23a07f05 --- /dev/null +++ b/spec/acceptance/prefork_worker_spec.rb @@ -0,0 +1,68 @@ +# frozen_string_literal: true + +require 'spec_helper_acceptance' +apache_hash = apache_settings_hash +describe 'prefork_worker_spec.rb', if: mod_supported_on_platform?('apache::mod::event') do + describe 'apache::mod::event class' do + describe 'running puppet code' do + let(:pp) do + <<-MANIFEEST + class { 'apache': + mpm_module => 'event', + } + MANIFEEST + end + + it 'behaves idempotently' do + idempotent_apply(pp) + end + end + + describe service(apache_hash['service_name']) do + it { is_expected.to be_running } + it { is_expected.to be_enabled } + end + end + + describe 'apache::mod::worker class' do + describe 'running puppet code' do + let(:pp) do + <<-MANIFEEST + class { 'apache': + mpm_module => 'worker', + } + MANIFEEST + end + + it 'behaves idempotently' do + idempotent_apply(pp) + end + end + + describe service(apache_hash['service_name']) do + it { is_expected.to be_running } + it { is_expected.to be_enabled } + end + end + + describe 'apache::mod::prefork class' do + describe 'running puppet code' do + let(:pp) do + <<-MANIFEEST + class { 'apache': + mpm_module => 'prefork', + } + MANIFEEST + end + + it 'behaves idempotently' do + idempotent_apply(pp) + end + end + + describe service(apache_hash['service_name']) do + it { is_expected.to be_running } + it { is_expected.to be_enabled } + end + end +end diff --git a/spec/acceptance/service_spec.rb b/spec/acceptance/service_spec.rb new file mode 100644 index 0000000000..d4442fe25b --- /dev/null +++ b/spec/acceptance/service_spec.rb @@ -0,0 +1,21 @@ +# frozen_string_literal: true + +require 'spec_helper_acceptance' + +describe 'apache::service class' do + describe 'adding dependencies in between the base class and service class' do + let(:pp) do + <<-MANIFEST + class { 'apache': } + file { '/tmp/test': + require => Class['apache'], + notify => Class['apache::service'], + } + MANIFEST + end + + it 'behaves idempotently' do + idempotent_apply(pp) + end + end +end diff --git a/spec/acceptance/vhost_spec.rb b/spec/acceptance/vhost_spec.rb new file mode 100644 index 0000000000..0152d5b7f5 --- /dev/null +++ b/spec/acceptance/vhost_spec.rb @@ -0,0 +1,1309 @@ +# frozen_string_literal: true + +require 'spec_helper_acceptance' +apache_hash = apache_settings_hash +describe 'apache::vhost define' do + context 'no default vhosts' do + pp = <<-MANIFEST + class { 'apache': + default_vhost => false, + default_ssl_vhost => false, + service_ensure => stopped, + } + if ($facts['os']['family'] == 'Suse' and $facts['os']['release']['major'] < '15') { + exec { '/usr/bin/gensslcert': + require => Class['apache'], + } + } elsif ($facts['os']['family'] == 'Suse' and $facts['os']['release']['major'] >= '15') { + # In SLES 15, if not given a name, gensslcert defaults the name to be the hostname + exec { '/usr/bin/gensslcert -n default': + require => Class['apache'], + } + } + MANIFEST + it 'creates no default vhosts' do + apply_manifest(pp, catch_failures: true) + end + + describe file("#{apache_hash['vhost_dir']}/15-default-80.conf") do + it { is_expected.not_to be_file } + end + + describe file("#{apache_hash['vhost_dir']}/15-default-ssl-443.conf") do + it { is_expected.not_to be_file } + end + end + + context 'default vhost without ssl' do + pp = <<-MANIFEST + class { 'apache': } + MANIFEST + it 'creates a default vhost config' do + apply_manifest(pp, catch_failures: true) + end + + describe file("#{apache_hash['vhost_dir']}/15-default-80.conf") do + it { is_expected.to contain '' } + end + + describe file("#{apache_hash['vhost_dir']}/15-default-ssl-443.conf") do + it { is_expected.not_to be_file } + end + end + + context 'default vhost with ssl', unless: (os[:family].include?('redhat') && os[:release].to_i >= 8) do + pp = <<-MANIFEST + file { '#{apache_hash['run_dir']}': + ensure => 'directory', + recurse => true, + } + + class { 'apache': + default_ssl_vhost => true, + require => File['#{apache_hash['run_dir']}'], + } + MANIFEST + it 'creates default vhost configs' do + apply_manifest(pp, catch_failures: true) + end + + describe file("#{apache_hash['vhost_dir']}/15-default-80.conf") do + it { is_expected.to contain '' } + end + + describe file("#{apache_hash['vhost_dir']}/15-default-ssl-443.conf") do + it { is_expected.to contain '' } + it { is_expected.to contain 'SSLEngine on' } + end + end + + context 'new vhost on port 80' do + pp = <<-MANIFEST + class { 'apache': } + file { '/var/www': + ensure => 'directory', + recurse => true, + } + + apache::vhost { 'first.example.com': + port => 80, + docroot => '/var/www/first', + require => File['/var/www'], + } + MANIFEST + it 'configures an apache vhost' do + apply_manifest(pp, catch_failures: true) + end + + describe file("#{apache_hash['vhost_dir']}/25-first.example.com.conf") do + it { is_expected.to contain '' } + it { is_expected.to contain 'ServerName first.example.com' } + end + end + + context 'new proxy vhost on port 80' do + pp = <<-MANIFEST + class { 'apache': } + apache::vhost { 'proxy.example.com': + port => 80, + docroot => '/var/www/proxy', + proxy_pass => [ + { 'path' => '/foo', 'url' => 'http://backend-foo/'}, + ], + proxy_preserve_host => true, + proxy_error_override => true, + } + MANIFEST + it 'configures an apache proxy vhost' do + apply_manifest(pp, catch_failures: true) + end + + describe file("#{apache_hash['vhost_dir']}/25-proxy.example.com.conf") do + it { is_expected.to contain '' } + it { is_expected.to contain 'ServerName proxy.example.com' } + it { is_expected.to contain 'ProxyPass' } + it { is_expected.to contain 'ProxyPreserveHost On' } + it { is_expected.to contain 'ProxyErrorOverride On' } + it { is_expected.not_to contain 'ProxyAddHeaders' } + it { is_expected.not_to contain '' } + end + end + + context 'new proxy vhost on port 80' do + pp = <<-MANIFEST + class { 'apache': } + apache::vhost { 'proxy.example.com': + port => 80, + docroot => '#{apache_hash['doc_root']}/proxy', + proxy_pass_match => [ + { 'path' => '/foo', 'url' => 'http://backend-foo/'}, + ], + proxy_preserve_host => true, + proxy_error_override => true, + } + MANIFEST + it 'configures an apache proxy vhost' do + apply_manifest(pp, catch_failures: true) + end + + describe file("#{apache_hash['vhost_dir']}/25-proxy.example.com.conf") do + it { is_expected.to contain '' } + it { is_expected.to contain 'ServerName proxy.example.com' } + it { is_expected.to contain 'ProxyPassMatch /foo http://backend-foo/' } + it { is_expected.to contain 'ProxyPreserveHost On' } + it { is_expected.to contain 'ProxyErrorOverride On' } + it { is_expected.not_to contain 'ProxyAddHeaders' } + it { is_expected.not_to contain '' } + end + end + + context 'new vhost with multiple IP addresses on multiple ports' do + pp = <<-MANIFEST + class { 'apache': + default_vhost => false, + } + apache::vhost { 'example.com': + port => [80, 8080], + ip => ['127.0.0.1','127.0.0.2'], + ip_based => true, + docroot => '/var/www/html', + } + host { 'host1.example.com': ip => '127.0.0.1', } + host { 'host2.example.com': ip => '127.0.0.2', } + file { '/var/www/html/index.html': + ensure => file, + content => "Hello from vhost\\n", + } + MANIFEST + it 'configures one apache vhost with 2 ip addresses and 2 ports' do + apply_manifest(pp, catch_failures: true) + end + + describe service(apache_hash['service_name']) do + it { is_expected.to be_enabled } + it { is_expected.to be_running } + end + + describe file("#{apache_hash['vhost_dir']}/25-example.com.conf") do + it { is_expected.to contain '' } + it { is_expected.to contain 'ServerName example.com' } + end + + describe file(apache_hash['ports_file']) do + it { is_expected.to be_file } + it { is_expected.to contain 'Listen 127.0.0.1:80' } + it { is_expected.to contain 'Listen 127.0.0.1:8080' } + it { is_expected.to contain 'Listen 127.0.0.2:80' } + it { is_expected.to contain 'Listen 127.0.0.2:8080' } + it { is_expected.not_to contain 'NameVirtualHost 127.0.0.1:80' } + it { is_expected.not_to contain 'NameVirtualHost 127.0.0.1:8080' } + it { is_expected.not_to contain 'NameVirtualHost 127.0.0.2:80' } + it { is_expected.not_to contain 'NameVirtualHost 127.0.0.2:8080' } + end + + it 'answers to host1.example.com port 80' do + run_shell('/usr/bin/curl host1.example.com:80', acceptable_exit_codes: 0) do |r| + expect(r.stdout).to eq("Hello from vhost\n") + end + end + + it 'answers to host1.example.com port 8080' do + run_shell('/usr/bin/curl host1.example.com:8080', acceptable_exit_codes: 0) do |r| + expect(r.stdout).to eq("Hello from vhost\n") + end + end + + it 'answers to host2.example.com port 80' do + run_shell('/usr/bin/curl host2.example.com:80', acceptable_exit_codes: 0) do |r| + expect(r.stdout).to eq("Hello from vhost\n") + end + end + + it 'answers to host2.example.com port 8080' do + run_shell('/usr/bin/curl host2.example.com:8080', acceptable_exit_codes: 0) do |r| + expect(r.stdout).to eq("Hello from vhost\n") + end + end + end + + context 'new vhost with IPv6 address on port 80', :ipv6 do + pp = <<-MANIFEST + class { 'apache': + default_vhost => false, + } + apache::vhost { 'example.com': + port => 80, + ip => '::1', + ip_based => true, + docroot => '/var/www/html', + } + host { 'ipv6.example.com': ip => '::1', } + file { '/var/www/html/index.html': + ensure => file, + content => "Hello from vhost\\n", + } + MANIFEST + it 'configures one apache vhost with an ipv6 address' do + apply_manifest(pp, catch_failures: true) + end + + describe service(apache_hash['service_name']) do + it { is_expected.to be_enabled } + it { is_expected.to be_running } + end + + describe file("#{apache_hash['vhost_dir']}/25-example.com.conf") do + it { is_expected.to contain '' } + it { is_expected.to contain 'ServerName example.com' } + end + + describe file(apache_hash['ports_file']) do + it { is_expected.to be_file } + it { is_expected.to contain 'Listen [::1]:80' } + it { is_expected.not_to contain 'NameVirtualHost [::1]:80' } + end + + it 'answers to ipv6.example.com' do + run_shell('/usr/bin/curl ipv6.example.com:80', acceptable_exit_codes: 0) do |r| + expect(r.stdout).to eq("Hello from vhost\n") + end + end + end + + context 'apache_directories' do + let(:pp) do + <<-MANIFEST + class { 'apache': } + + if versioncmp('#{apache_hash['version']}', '2.4') >= 0 { + $_files_match_directory = { 'path' => '(.swp|.bak|~)$', 'provider' => 'filesmatch', 'require' => 'all denied', } + } else { + $_files_match_directory = { 'path' => '(.swp|.bak|~)$', 'provider' => 'filesmatch', 'deny' => 'from all', } + } + + $_directories = [ + { 'path' => '/var/www/files', }, + $_files_match_directory, + ] + + apache::vhost { 'files.example.net': + docroot => '/var/www/files', + directories => $_directories, + } + file { '/var/www/files/index.html': + ensure => file, + content => "Hello World\\n", + } + file { '/var/www/files/index.html.bak': + ensure => file, + content => "Hello World\\n", + } + host { 'files.example.net': ip => '127.0.0.1', } + MANIFEST + end + + describe 'readme example, adapted' do + it 'configures a vhost with Files' do + apply_manifest(pp, catch_failures: true) + end + + describe service(apache_hash['service_name']) do + it { is_expected.to be_enabled } + it { is_expected.to be_running } + end + + it 'answers to files.example.net #stdout' do + expect(run_shell('/usr/bin/curl -sSf files.example.net:80/index.html').stdout).to eq("Hello World\n") + end + + it 'answers to files.example.net #stderr' do + result = run_shell('/usr/bin/curl -sSf files.example.net:80/index.html.bak', expect_failures: true) + expect(result.stderr).to match(%r{curl: \(22\) The requested URL returned error: 403}) + expect(result.exit_code).to eq 22 + end + end + + describe 'other Directory options' do + pp_one = <<-MANIFEST + class { 'apache': } + + $_files_match_directory = [{ 'path' => 'private.html$', 'provider' => 'filesmatch', 'require' => 'all denied' }] + + $_directories = [ + { 'path' => '/var/www/files', }, + { 'path' => '/foo/', 'provider' => 'location', 'directoryindex' => 'notindex.html', }, + ] + $_files_match_directory + + apache::vhost { 'files.example.net': + docroot => '/var/www/files', + directories => $_directories, + } + file { '/var/www/files/foo': + ensure => directory, + } + file { '/var/www/files/foo/notindex.html': + ensure => file, + content => "Hello Foo\\n", + } + file { '/var/www/files/private.html': + ensure => file, + content => "Hello World\\n", + } + file { '/var/www/files/bar': + ensure => directory, + } + file { '/var/www/files/bar/bar.html': + ensure => file, + content => "Hello Bar\\n", + } + host { 'files.example.net': ip => '127.0.0.1', } + MANIFEST + it 'configures a vhost with multiple Directory sections' do + apply_manifest(pp_one, catch_failures: true) + end + + describe service(apache_hash['service_name']) do + it { is_expected.to be_enabled } + it { is_expected.to be_running } + end + + it 'answers to files.example.net #stdout' do + expect(run_shell('/usr/bin/curl -sSf files.example.net:80/').stdout).to eq("Hello World\n") + end + + it 'answers to files.example.net #stdout foo' do + expect(run_shell('/usr/bin/curl -sSf files.example.net:80/foo/').stdout).to eq("Hello Foo\n") + end + + it 'answers to files.example.net #stderr' do + result = run_shell('/usr/bin/curl -sSf files.example.net:80/private.html', expect_failures: true) + expect(result.stderr).to match(%r{curl: \(22\) The requested URL returned error: 403}) + expect(result.exit_code).to eq 22 + end + + it 'answers to files.example.net #stdout bar' do + expect(run_shell('/usr/bin/curl -sSf files.example.net:80/bar/bar.html').stdout).to eq("Hello Bar\n") + end + end + + describe 'SetHandler directive' do + pp_two = <<-MANIFEST + class { 'apache': } + apache::mod { 'status': } + host { 'files.example.net': ip => '127.0.0.1', } + apache::vhost { 'files.example.net': + docroot => '/var/www/files', + directories => [ + { path => '/var/www/files', }, + { path => '/server-status', provider => 'location', sethandler => 'server-status', }, + ], + } + file { '/var/www/files/index.html': + ensure => file, + content => "Hello World\\n", + } + MANIFEST + it 'configures a vhost with a SetHandler directive' do + apply_manifest(pp_two, catch_failures: true) + end + + describe service(apache_hash['service_name']) do + it { is_expected.to be_enabled } + it { is_expected.to be_running } + end + + it 'answers to files.example.net #stdout' do + expect(run_shell('/usr/bin/curl -sSf files.example.net:80/index.html').stdout).to eq("Hello World\n") + end + + it 'answers to files.example.net #stdout regex' do + expect(run_shell('/usr/bin/curl -sSf files.example.net:80/server-status?auto').stdout).to match(%r{Scoreboard: }) + end + end + + describe 'Satisfy and Auth directive', unless: apache_hash['version'] == '2.4' do + pp_two = <<-MANIFEST + class { 'apache': } + host { 'files.example.net': ip => '127.0.0.1', } + apache::vhost { 'files.example.net': + docroot => '/var/www/files', + directories => [ + { + path => '/var/www/files/foo', + auth_type => 'Basic', + auth_name => 'Basic Auth', + auth_user_file => '/var/www/htpasswd', + auth_require => "valid-user", + }, + { + path => '/var/www/files/bar', + auth_type => 'Basic', + auth_name => 'Basic Auth', + auth_user_file => '/var/www/htpasswd', + auth_require => 'valid-user', + satisfy => 'Any', + }, + { + path => '/var/www/files/baz', + allow => 'from 10.10.10.10', + auth_type => 'Basic', + auth_name => 'Basic Auth', + auth_user_file => '/var/www/htpasswd', + auth_require => 'valid-user', + satisfy => 'Any', + }, + { + path => '/var/www/files/authz', + auth_type => 'Basic', + auth_name => 'Basic Auth', + authz_core => { + require_all => { + require_any => { + require => [ + '127.0.0.1' + '10.10.10.10' + ], + require_all => { + auth_user_file => ['/var/www/htpasswd'], + require => ['valid-user'], + }, + }, + } + } + }, + ], + } + file { '/var/www/files/foo': + ensure => directory, + } + file { '/var/www/files/bar': + ensure => directory, + } + file { '/var/www/files/baz': + ensure => directory, + } + file { '/var/www/files/authz': + ensure => directory, + } + file { '/var/www/files/foo/index.html': + ensure => file, + content => "Hello World\\n", + } + file { '/var/www/files/bar/index.html': + ensure => file, + content => "Hello World\\n", + } + file { '/var/www/files/baz/index.html': + ensure => file, + content => "Hello World\\n", + } + file { '/var/www/files/authz/index.html': + ensure => file, + content => "Hello World\\n", + } + file { '/var/www/htpasswd': + ensure => file, + content => "login:IZ7jMcLSx0oQk", # "password" as password + } + MANIFEST + it 'configures a vhost with Satisfy and Auth directive' do + apply_manifest(pp_two, catch_failures: true) + end + + describe service(apache_hash['service_name']) do + it { is_expected.to be_enabled } + it { is_expected.to be_running } + + it 'answers to files.example.net' do + result = run_shell('/usr/bin/curl -sSf files.example.net:80/foo/index.html', expect_failures: true) + expect(result.stderr).to match(%r{curl: \(22\) The requested URL returned error: 401}) + expect(result.exit_code).to eq 22 + expect(run_shell('/usr/bin/curl -sSf -u login:password files.example.net:80/foo/index.html').stdout).to eq("Hello World\n") + expect(run_shell('/usr/bin/curl -sSf files.example.net:80/bar/index.html').stdout).to eq("Hello World\n") + expect(run_shell('/usr/bin/curl -sSf -u login:password files.example.net:80/bar/index.html').stdout).to eq("Hello World\n") + result = run_shell('/usr/bin/curl -sSf files.example.net:80/baz/index.html', expect_failures: true) + expect(result.stderr).to match(%r{curl: \(22\) The requested URL returned error: 401}) + expect(result.exit_code).to eq 22 + expect(run_shell('/usr/bin/curl -sSf -u login:password files.example.net:80/baz/index.html').stdout).to eq("Hello World\n") + result = run_shell('/usr/bin/curl -sSf files.example.net:80/authz/index.html', expect_failures: true) + expect(result.stderr).to match(%r{curl: \(22\) The requested URL returned error: 401}) + expect(result.exit_code).to eq 22 + expect(run_shell('/usr/bin/curl -sSf -u login:password files.example.net:80/authz/index.html').stdout).to eq("Hello World\n") + end + end + end + end + + context 'virtual_docroot hosting separate sites' do + pp = <<-MANIFEST + class { 'apache': } + apache::vhost { 'virt.example.com': + vhost_name => '*', + serveraliases => '*virt.example.com', + port => 80, + docroot => '/var/www/virt', + virtual_docroot => '/var/www/virt/%1', + } + host { 'virt.example.com': ip => '127.0.0.1', } + host { 'a.virt.example.com': ip => '127.0.0.1', } + host { 'b.virt.example.com': ip => '127.0.0.1', } + file { [ '/var/www/virt/a', '/var/www/virt/b', ]: ensure => directory, } + file { '/var/www/virt/a/index.html': ensure => file, content => "Hello from a.virt\\n", } + file { '/var/www/virt/b/index.html': ensure => file, content => "Hello from b.virt\\n", } + MANIFEST + it 'configures a vhost with VirtualDocumentRoot' do + apply_manifest(pp, catch_failures: true) + end + + describe service(apache_hash['service_name']) do + it { is_expected.to be_enabled } + it { is_expected.to be_running } + end + + it 'answers to a.virt.example.com' do + run_shell('/usr/bin/curl a.virt.example.com:80', acceptable_exit_codes: 0) do |r| + expect(r.stdout).to eq("Hello from a.virt\n") + end + end + + it 'answers to b.virt.example.com' do + run_shell('/usr/bin/curl b.virt.example.com:80', acceptable_exit_codes: 0) do |r| + expect(r.stdout).to eq("Hello from b.virt\n") + end + end + end + + context 'proxy_pass for alternative vhost' do + it 'configures a local vhost and a proxy vhost' do + apply_manifest(%( + class { 'apache': default_vhost => false, } + apache::vhost { 'localhost': + docroot => '/var/www/local', + ip => '127.0.0.1', + port => 8888, + } + apache::listen { '*:80': } + apache::vhost { 'proxy.example.com': + docroot => '/var/www', + port => 80, + add_listen => false, + proxy_pass => { + 'path' => '/', + 'url' => 'http://localhost:8888/subdir/', + }, + } + host { 'proxy.example.com': ip => '127.0.0.1', } + file { ['/var/www/local', '/var/www/local/subdir']: ensure => directory, } + file { '/var/www/local/subdir/index.html': + ensure => file, + content => "Hello from localhost\\n", + } + ), catch_failures: true) + end + + describe service(apache_hash['service_name']) do + it { is_expected.to be_enabled } + it { is_expected.to be_running } + end + + it 'gets a response from the back end #stdout' do + run_shell('/usr/bin/curl --max-redirs 0 proxy.example.com:80') do |r| + expect(r.stdout).to eq("Hello from localhost\n") + end + end + + it 'gets a response from the back end #exit_code' do + run_shell('/usr/bin/curl --max-redirs 0 proxy.example.com:80') do |r| + expect(r.exit_code).to eq(0) + end + end + end + + context 'proxy_pass_match for alternative vhost' do + it 'configures a local vhost and a proxy vhost' do + apply_manifest(%( + class { 'apache': default_vhost => false, } + apache::vhost { 'localhost': + docroot => '/var/www/local', + ip => '127.0.0.1', + port => 8888, + } + apache::listen { '*:80': } + apache::vhost { 'proxy.example.com': + docroot => '/var/www', + port => 80, + add_listen => false, + proxy_pass_match => { + 'path' => '/', + 'url' => 'http://localhost:8888/subdir/', + }, + } + host { 'proxy.example.com': ip => '127.0.0.1', } + file { ['/var/www/local', '/var/www/local/subdir']: ensure => directory, } + file { '/var/www/local/subdir/index.html': + ensure => file, + content => "Hello from localhost\\n", + } + ), catch_failures: true) + end + + describe service(apache_hash['service_name']) do + it { is_expected.to be_enabled } + it { is_expected.to be_running } + end + + it 'gets a response from the back end #stdout' do + run_shell('/usr/bin/curl --max-redirs 0 proxy.example.com:80') do |r| + expect(r.stdout).to eq("Hello from localhost\n") + end + end + + it 'gets a response from the back end #exit_code' do + run_shell('/usr/bin/curl --max-redirs 0 proxy.example.com:80') do |r| + expect(r.exit_code).to eq(0) + end + end + end + + describe 'ip_based' do + pp = <<-MANIFEST + class { 'apache': } + host { 'test.server': ip => '127.0.0.1' } + apache::vhost { 'test.server': + docroot => '/tmp', + ip_based => true, + servername => 'test.server', + } + MANIFEST + it 'applies cleanly' do + apply_manifest(pp, catch_failures: true) + end + + describe file(apache_hash['ports_file']) do + it { is_expected.to be_file } + it { is_expected.not_to contain 'NameVirtualHost test.server' } + end + + describe file("#{apache_hash['vhost_dir']}/25-test.server.conf") do + it { is_expected.to be_file } + it { is_expected.to contain 'ServerName test.server' } + end + end + + describe 'ip_based and no servername' do + pp = <<-MANIFEST + class { 'apache': } + host { 'test.server': ip => '127.0.0.1' } + apache::vhost { 'test.server': + docroot => '/tmp', + ip_based => true, + servername => '', + } + MANIFEST + it 'applies cleanly' do + apply_manifest(pp, catch_failures: true) + end + + describe file(apache_hash['ports_file']) do + it { is_expected.to be_file } + it { is_expected.not_to contain 'NameVirtualHost test.server' } + end + + describe file("#{apache_hash['vhost_dir']}/25-test.server.conf") do + it { is_expected.to be_file } + it { is_expected.not_to contain 'ServerName' } + end + end + + describe 'add_listen' do + pp = <<-MANIFEST + class { 'apache': default_vhost => false } + host { 'testlisten.server': ip => '127.0.0.1' } + apache::listen { '81': } + apache::vhost { 'testlisten.server': + docroot => '/tmp', + port => 80, + add_listen => false, + servername => 'testlisten.server', + } + MANIFEST + it 'applies cleanly' do + apply_manifest(pp, catch_failures: true) + end + + describe file(apache_hash['ports_file']) do + it { is_expected.to be_file } + it { is_expected.not_to contain 'Listen 80' } + it { is_expected.to contain 'Listen 81' } + end + end + + describe 'docroot' do + pp = <<-MANIFEST + user { 'test_owner': ensure => present, } + group { 'test_group': ensure => present, } + class { 'apache': } + host { 'test.server': ip => '127.0.0.1' } + apache::vhost { 'test.server': + docroot => '/tmp/test', + docroot_owner => 'test_owner', + docroot_group => 'test_group', + docroot_mode => '0750', + } + MANIFEST + it 'applies cleanly' do + apply_manifest(pp, catch_failures: true) + end + + describe file('/tmp/test') do + it { is_expected.to be_directory } + it { is_expected.to be_owned_by 'test_owner' } + it { is_expected.to be_grouped_into 'test_group' } + it { is_expected.to be_mode 750 } + end + end + + describe 'default_vhost' do + pp = <<-MANIFEST + class { 'apache': } + host { 'test.server': ip => '127.0.0.1' } + apache::vhost { 'test.server': + docroot => '/tmp', + default_vhost => true, + } + MANIFEST + it 'applies cleanly' do + apply_manifest(pp, catch_failures: true) + end + + describe file(apache_hash['ports_file']) do + it { is_expected.to be_file } + end + + describe file("#{apache_hash['vhost_dir']}/10-test.server.conf") do + it { is_expected.to be_file } + end + end + + describe 'parameter tests', if: mod_supported_on_platform?('apache::mod::itk') do + pp = <<-MANIFEST + class { 'apache': } + host { 'test.itk': ip => '127.0.0.1' } + apache::vhost { 'test.itk': + docroot => '/tmp', + itk => { user => 'nobody', group => 'nobody' } + } + host { 'test.custom_fragment': ip => '127.0.0.1' } + apache::vhost { 'test.custom_fragment': + docroot => '/tmp', + custom_fragment => inline_template('#weird test string'), + } + apache::vhost { 'test.without_priority_prefix': + priority => false, + docroot => '/tmp' + } + apache::vhost { 'test.ssl_protocol': + docroot => '/tmp', + ssl => true, + ssl_protocol => ['All', '-SSLv2'], + ssl_user_name => 'SSL_CLIENT_S_DN_CN', + } + apache::vhost { 'test.block': + docroot => '/tmp', + block => 'scm', + } + apache::vhost { 'test.setenv_setenvif': + docroot => '/tmp', + setenv => ['TEST /test'], + setenvif => ['Request_URI ".gif$" object_is_image=gif'] + } + apache::vhost { 'test.rewrite': + docroot => '/tmp', + rewrites => [ + { comment => 'test', + rewrite_cond => '%{HTTP_USER_AGENT} ^Lynx/ [OR]', + rewrite_rule => ['^index.html$ welcome.html'], + rewrite_map => ['lc int:tolower'], + } + ], + } + apache::vhost { 'test.request_headers': + docroot => '/tmp', + request_headers => ['append MirrorID "mirror 12"'], + } + apache::vhost { 'test.redirect': + docroot => '/tmp', + redirect_source => ['/images'], + redirect_dest => ['http://test.server/'], + redirect_status => ['permanent'], + } + apache::vhost { 'test.no_proxy_uris': + docroot => '/tmp', + proxy_dest => 'http://test2', + no_proxy_uris => [ 'http://test2/test' ], + } + apache::vhost { 'test.proxy': + docroot => '/tmp', + proxy_dest => 'http://testproxy', + } + apache::vhost { 'test.aliases': + docroot => '/tmp', + aliases => [ + { alias => '/image' , path => '/ftp/pub/image' } , + { scriptalias => '/myscript' , path => '/usr/share/myscript' } + ], + } + apache::vhost { 'test.access_logs': + docroot => '/tmp', + logroot => '/tmp', + access_logs => [ + {'file' => 'log1'}, + {'file' => 'log2', 'env' => 'admin' }, + {'file' => '/var/tmp/log3', 'format' => '%h %l'}, + {'syslog' => 'syslog' } + ] + } + apache::vhost { 'test.access_log_env_var': + docroot => '/tmp', + logroot => '/tmp', + access_log_syslog => 'syslog', + access_log_env_var => 'admin', + } + apache::vhost { 'test.access_log_format': + docroot => '/tmp', + logroot => '/tmp', + access_log_syslog => 'syslog', + access_log_format => '%h %l', + } + apache::vhost { 'test.logroot': + docroot => '/tmp', + logroot => '/tmp', + } + apache::vhost { 'test.override': + docroot => '/tmp', + override => ['All'], + } + apache::vhost { 'test.options': + docroot => '/tmp', + options => ['Indexes','FollowSymLinks', 'ExecCGI'], + } + apache::vhost { 'test.empty_options': + docroot => '/tmp', + options => [], + } + MANIFEST + it 'applies cleanly' do + apply_manifest(pp, catch_failures: true) + end + + describe file("#{apache_hash['vhost_dir']}/25-test.itk.conf") do + it { is_expected.to be_file } + it { is_expected.to contain 'AssignUserId nobody nobody' } + end + + describe file("#{apache_hash['vhost_dir']}/25-test.custom_fragment.conf") do + it { is_expected.to be_file } + it { is_expected.to contain '#weird test string' } + end + + describe file("#{apache_hash['vhost_dir']}/test.without_priority_prefix.conf") do + it { is_expected.to be_file } + end + + describe file("#{apache_hash['vhost_dir']}/25-test.ssl_protocol.conf") do + it { is_expected.to be_file } + it { is_expected.to contain 'SSLProtocol *All -SSLv2' } + it { is_expected.to contain 'SSLUserName *SSL_CLIENT_S_DN_CN' } + end + + describe file("#{apache_hash['vhost_dir']}/25-test.block.conf") do + it { is_expected.to be_file } + it { is_expected.to contain '' } + end + + describe file("#{apache_hash['vhost_dir']}/25-test.setenv_setenvif.conf") do + it { is_expected.to be_file } + it { is_expected.to contain 'SetEnv TEST /test' } + it { is_expected.to contain 'SetEnvIf Request_URI "\.gif$" object_is_image=gif' } + end + + describe file("#{apache_hash['vhost_dir']}/25-test.rewrite.conf") do + it { is_expected.to be_file } + it { is_expected.to contain '#test' } + it { is_expected.to contain 'RewriteCond %{HTTP_USER_AGENT} ^Lynx/ [OR]' } + it { is_expected.to contain 'RewriteRule ^index.html$ welcome.html' } + it { is_expected.to contain 'RewriteMap lc int:tolower' } + end + + describe file("#{apache_hash['vhost_dir']}/25-test.request_headers.conf") do + it { is_expected.to be_file } + it { is_expected.to contain 'append MirrorID "mirror 12"' } + end + + describe file("#{apache_hash['vhost_dir']}/25-test.redirect.conf") do + it { is_expected.to be_file } + it { is_expected.to contain 'Redirect permanent /images http://test.server/' } + end + + describe file("#{apache_hash['vhost_dir']}/25-test.no_proxy_uris.conf") do + it { is_expected.to be_file } + it { is_expected.to contain 'ProxyPass http://test2/test !' } + it { is_expected.to contain 'ProxyPass / http://test2/' } + end + + describe file("#{apache_hash['vhost_dir']}/25-test.proxy.conf") do + it { is_expected.to be_file } + it { is_expected.to contain 'ProxyPass / http://testproxy/' } + end + + describe file("#{apache_hash['vhost_dir']}/25-test.aliases.conf") do + it { is_expected.to be_file } + it { is_expected.to contain 'Alias /image "/ftp/pub/image"' } + it { is_expected.to contain 'ScriptAlias /myscript "/usr/share/myscript"' } + end + + describe file("#{apache_hash['vhost_dir']}/25-test.access_logs.conf") do + it { is_expected.to be_file } + it { is_expected.to contain 'CustomLog "/tmp/log1" combined' } + it { is_expected.to contain 'CustomLog "/tmp/log2" combined env=admin' } + it { is_expected.to contain 'CustomLog "/var/tmp/log3" "%h %l"' } + it { is_expected.to contain 'CustomLog "syslog" combined' } + end + + describe file("#{apache_hash['vhost_dir']}/25-test.access_log_env_var.conf") do + it { is_expected.to be_file } + it { is_expected.to contain 'CustomLog "syslog" combined env=admin' } + end + + describe file("#{apache_hash['vhost_dir']}/25-test.access_log_format.conf") do + it { is_expected.to be_file } + it { is_expected.to contain 'CustomLog "syslog" "%h %l"' } + end + + describe file("#{apache_hash['vhost_dir']}/25-test.logroot.conf") do + it { is_expected.to be_file } + it { is_expected.to contain ' CustomLog "/tmp' } + end + + describe file("#{apache_hash['vhost_dir']}/25-test.override.conf") do + it { is_expected.to be_file } + it { is_expected.to contain 'AllowOverride All' } + end + + describe file("#{apache_hash['vhost_dir']}/25-test.options.conf") do + it { is_expected.to be_file } + it { is_expected.to contain 'Options Indexes FollowSymLinks ExecCGI' } + end + + describe file("#{apache_hash['vhost_dir']}/25-test.empty_options.conf") do + it { is_expected.to be_file } + it { is_expected.not_to contain 'Options' } + end + end + + context 'when a manifest defines $servername' do + describe 'when the $use_servername_for_filenames parameter is set to true' do + pp = <<-MANIFEST + class { 'apache': } + host { 'test.server': ip => '127.0.0.1' } + apache::vhost { 'test.server': + use_servername_for_filenames => true, + servername => 'test.servername', + docroot => '/tmp', + logroot => '/tmp', + } + MANIFEST + it 'applies cleanly' do + _result = apply_manifest(pp, catch_failures: true) + end + + describe file("#{apache_hash['vhost_dir']}/25-test.servername.conf") do + it { is_expected.to be_file } + it { is_expected.to contain ' ErrorLog "/tmp/test.servername_error.log' } + it { is_expected.to contain ' CustomLog "/tmp/test.servername_access.log' } + end + end + + describe 'when the $use_servername_for_filenames parameter is NOT defined' do + pp = <<-MANIFEST + class { 'apache': } + host { 'test.server': ip => '127.0.0.1' } + apache::vhost { 'test.server': + servername => 'test.servername', + docroot => '/tmp', + logroot => '/tmp', + } + MANIFEST + it 'applies cleanly' do + _result = apply_manifest(pp, catch_failures: true) + end + + describe file("#{apache_hash['vhost_dir']}/25-test.server.conf") do + it { is_expected.to be_file } + it { is_expected.to contain ' ErrorLog "/tmp/test.server_error.log' } + it { is_expected.to contain ' CustomLog "/tmp/test.server_access.log' } + end + end + end + + ['access', 'error'].each do |logtype| + case logtype + when 'access' + logname = 'CustomLog' + when 'error' + logname = 'ErrorLog' + end + + describe "#{logtype}_log" do + pp = <<-MANIFEST + class { 'apache': } + host { 'test.server': ip => '127.0.0.1' } + apache::vhost { 'test.server': + docroot => '/tmp', + logroot => '/tmp', + #{logtype}_log => false, + } + MANIFEST + it 'applies cleanly' do + apply_manifest(pp, catch_failures: true) + end + + describe file("#{apache_hash['vhost_dir']}/25-test.server.conf") do + it { is_expected.to be_file } + it { is_expected.not_to contain " #{logname} \"/tmp" } + end + end + + describe "#{logtype}_log_pipe" do + pp = <<-MANIFEST + class { 'apache': } + host { 'test.server': ip => '127.0.0.1' } + apache::vhost { 'test.server': + docroot => '/tmp', + logroot => '/tmp', + #{logtype}_log_pipe => '|/bin/sh', + } + MANIFEST + it 'applies cleanly' do + apply_manifest(pp, catch_failures: true) + end + + describe file("#{apache_hash['vhost_dir']}/25-test.server.conf") do + it { is_expected.to be_file } + it { is_expected.to contain " #{logname} \"|/bin/sh" } + end + end + + describe "#{logtype}_log_syslog" do + pp = <<-MANIFEST + class { 'apache': } + host { 'test.server': ip => '127.0.0.1' } + apache::vhost { 'test.server': + docroot => '/tmp', + logroot => '/tmp', + #{logtype}_log_syslog => 'syslog', + } + MANIFEST + it 'applies cleanly' do + apply_manifest(pp, catch_failures: true) + end + + describe file("#{apache_hash['vhost_dir']}/25-test.server.conf") do + it { is_expected.to be_file } + it { is_expected.to contain " #{logname} \"syslog\"" } + end + end + end + + describe 'actions' do + pp = <<-MANIFEST + class { 'apache': } + host { 'test.server': ip => '127.0.0.1' } + apache::vhost { 'test.server': + docroot => '/tmp', + action => 'php-fastcgi', + } + MANIFEST + it 'applies cleanly' do + pp += "\nclass { 'apache::mod::actions': }" if %r{debian|suse|ubuntu|sles}.match?(os[:family]) + apply_manifest(pp, catch_failures: true) + end + + describe file("#{apache_hash['vhost_dir']}/25-test.server.conf") do + it { is_expected.to be_file } + it { is_expected.to contain 'Action php-fastcgi /cgi-bin virtual' } + end + end + + describe 'directory rewrite rules' do + pp = <<-MANIFEST + class { 'apache': } + host { 'test.server': ip => '127.0.0.1' } + if ! defined(Class['apache::mod::rewrite']) { + include ::apache::mod::rewrite + } + apache::vhost { 'test.server': + docroot => '/tmp', + directories => [ + { + path => '/tmp', + rewrites => [ + { + comment => 'Permalink Rewrites', + rewrite_base => '/', + }, + { rewrite_rule => [ '^index\\.php$ - [L]' ] }, + { rewrite_cond => [ + '%{REQUEST_FILENAME} !-f', + '%{REQUEST_FILENAME} !-d', ], rewrite_rule => [ '. /index.php [L]' ], } + ], + }, + ], + } + MANIFEST + it 'applies cleanly' do + apply_manifest(pp, catch_failures: true) + end + + describe file("#{apache_hash['vhost_dir']}/25-test.server.conf") do + it { is_expected.to be_file } + it { is_expected.to contain '#Permalink Rewrites' } + it { is_expected.to contain 'RewriteEngine On' } + it { is_expected.to contain 'RewriteBase /' } + it { is_expected.to contain 'RewriteRule ^index\.php$ - [L]' } + it { is_expected.to contain 'RewriteCond %{REQUEST_FILENAME} !-f' } + it { is_expected.to contain 'RewriteCond %{REQUEST_FILENAME} !-d' } + it { is_expected.to contain 'RewriteRule . /index.php [L]' } + end + end + + describe 'wsgi' do + context 'filter on OS', if: mod_supported_on_platform?('apache::mod::wsgi') do + pp = <<-MANIFEST + class { 'apache': } + class { 'apache::mod::wsgi': } + host { 'test.server': ip => '127.0.0.1' } + apache::vhost { 'test.server': + docroot => '/tmp', + wsgi_application_group => '%{GLOBAL}', + wsgi_daemon_process => { 'wsgi' => { 'python-home' => '/usr' }, 'foo' => {} }, + wsgi_import_script => '/test1', + wsgi_import_script_options => { application-group => '%{GLOBAL}', process-group => 'wsgi' }, + wsgi_process_group => 'nobody', + wsgi_script_aliases => { '/test' => '/test1' }, + wsgi_script_aliases_match => { '/test/([^/*])' => '/test1' }, + wsgi_pass_authorization => 'On', + wsgi_chunked_request => 'On', + } + MANIFEST + it 'import_script applies cleanly' do + apply_manifest(pp, catch_failures: true) + end + + describe file("#{apache_hash['vhost_dir']}/25-test.server.conf") do + it { is_expected.to be_file } + it { is_expected.to contain 'WSGIApplicationGroup %{GLOBAL}' } + it { is_expected.to contain 'WSGIDaemonProcess foo' } + it { is_expected.to contain 'WSGIDaemonProcess wsgi python-home=/usr' } + it { is_expected.to contain 'WSGIImportScript /test1 application-group=%{GLOBAL} process-group=wsgi' } + it { is_expected.to contain 'WSGIProcessGroup nobody' } + it { is_expected.to contain 'WSGIScriptAlias /test "/test1"' } + it { is_expected.to contain 'WSGIPassAuthorization On' } + it { is_expected.to contain 'WSGIChunkedRequest On' } + end + end + end + + describe 'additional_includes' do + pp = <<-MANIFEST + if $facts['os']['family'] == 'RedHat' and $facts['os']['selinux']['enabled'] { + exec { 'set_apache_defaults': + command => 'semanage fcontext --add -t httpd_sys_content_t "/apache_spec/docroot(/.*)?"', + unless => 'semanage fcontext --list | grep /apache_spec/docroot | grep httpd_sys_content_t', + path => '/bin:/usr/bin/:/sbin:/usr/sbin', + } + exec { 'restorecon_apache': + command => 'restorecon -Rv /apache_spec', + path => '/bin:/usr/bin/:/sbin:/usr/sbin', + before => Service['httpd'], + require => [File['/apache_spec/include'], Class['apache']], + subscribe => Exec['set_apache_defaults'], + refreshonly => true, + } + } + class { 'apache': } + host { 'test.server': ip => '127.0.0.1' } + file { ['/apache_spec', '/apache_spec/docroot']: ensure => directory, } + file { '/apache_spec/include': ensure => present, content => '#additional_includes' } + apache::vhost { 'test.server': + docroot => '/apache_spec/docroot', + additional_includes => '/apache_spec/include', + } + MANIFEST + + it 'behaves idempotently' do + idempotent_apply(pp) + end + + describe file("#{apache_hash['vhost_dir']}/25-test.server.conf") do + it { is_expected.to be_file } + it { is_expected.to contain 'Include "/apache_spec/include"' } + end + end + + describe 'shibboleth parameters', if: (os[:family] == 'debian') do + pp = <<-MANIFEST + class { 'apache': } + class { 'apache::mod::shib': } + apache::vhost { 'test.server': + port => 80, + docroot => '/var/www/html', + shib_compat_valid_user => 'On' + } + MANIFEST + it 'applies cleanly' do + apply_manifest(pp, catch_failures: true) + end + + describe file("#{apache_hash['vhost_dir']}/25-test.server.conf") do + it { is_expected.to be_file } + it { is_expected.to contain 'ShibCompatValidUser On' } + end + end + + # IAC-587: These tests do not currently run successfully on certain RHEL OSs due to dependency issues with the + # mod_auth_openidc module. + describe 'auth_oidc', if: mod_supported_on_platform?('apache::mod::authnz_ldap') do + pp = <<-MANIFEST + class { 'apache': } + apache::vhost { 'test.server': + port => 80, + docroot => '/var/www/html', + auth_oidc => true, + oidc_settings => { + 'ProviderMetadataURL' => 'https://login.example.com/.well-known/openid-configuration', + 'ClientID' => 'test', + 'RedirectURI' => 'https://login.example.com/redirect_uri', + 'ProviderTokenEndpointAuth' => 'client_secret_basic', + 'RemoteUserClaim' => 'sub', + 'ClientSecret' => 'aae053a9-4abf-4824-8956-e94b2af335c8', + 'CryptoPassphrase' => '4ad1bb46-9979-450e-ae58-c696967df3cd' + } + } + MANIFEST + it 'applys cleanly' do + apply_manifest(pp, catch_failures: true) + end + + describe file("#{apache_hash['vhost_dir']}/25-test.server.conf") do + it { is_expected.to be_file } + it { is_expected.to contain 'OIDCProviderMetadataURL https://login.example.com/.well-known/openid-configuration' } + it { is_expected.to contain 'OIDCClientID test' } + it { is_expected.to contain 'OIDCRedirectURI https://login.example.com/redirect_uri' } + it { is_expected.to contain 'OIDCProviderTokenEndpointAuth client_secret_basic' } + it { is_expected.to contain 'OIDCRemoteUserClaim sub' } + it { is_expected.to contain 'OIDCClientSecret aae053a9-4abf-4824-8956-e94b2af335c8' } + it { is_expected.to contain 'OIDCCryptoPassphrase 4ad1bb46-9979-450e-ae58-c696967df3cd' } + end + end +end diff --git a/spec/acceptance/vhosts_spec.rb b/spec/acceptance/vhosts_spec.rb new file mode 100644 index 0000000000..1048c2074b --- /dev/null +++ b/spec/acceptance/vhosts_spec.rb @@ -0,0 +1,33 @@ +# frozen_string_literal: true + +require 'spec_helper_acceptance' +apache_hash = apache_settings_hash +describe 'apache::vhosts class' do + context 'custom vhosts defined via class apache::vhosts' do + pp = <<-MANIFEST + class { 'apache::vhosts': + vhosts => { + 'custom_vhost_1' => { + 'docroot' => '/var/www/custom_vhost_1', + 'port' => 81, + }, + 'custom_vhost_2' => { + 'docroot' => '/var/www/custom_vhost_2', + 'port' => 82, + }, + }, + } + MANIFEST + it 'creates custom vhost config files' do + apply_manifest(pp, catch_failures: true) + end + + describe file("#{apache_hash['vhost_dir']}/25-custom_vhost_1.conf") do + it { is_expected.to contain '' } + end + + describe file("#{apache_hash['vhost_dir']}/25-custom_vhost_2.conf") do + it { is_expected.to contain '' } + end + end +end diff --git a/spec/classes/apache_spec.rb b/spec/classes/apache_spec.rb index 51218cfd1b..f7ff3b7581 100644 --- a/spec/classes/apache_spec.rb +++ b/spec/classes/apache_spec.rb @@ -1,359 +1,741 @@ +# frozen_string_literal: true + require 'spec_helper' -describe 'apache', :type => :class do - context "on a Debian OS" do - let :facts do - { - :osfamily => 'Debian', - :operatingsystemrelease => '6', - :concat_basedir => '/dne', - } - end - it { should include_class("apache::params") } - it { should contain_package("httpd").with( - 'notify' => 'Class[Apache::Service]', - 'ensure' => 'installed' +describe 'apache', type: :class do + context 'on a Debian OS' do + include_examples 'Debian 11' + + it { is_expected.to contain_class('apache::params') } + + it { + expect(subject).to contain_package('httpd').with( + 'notify' => 'Class[Apache::Service]', + 'ensure' => 'installed', ) } - it { should contain_user("www-data") } - it { should contain_group("www-data") } - it { should contain_class("apache::service") } - it { should contain_file("/etc/apache2/sites-enabled").with( - 'ensure' => 'directory', - 'recurse' => 'true', - 'purge' => 'true', - 'notify' => 'Class[Apache::Service]', - 'require' => 'Package[httpd]' + + it { is_expected.to contain_user('www-data') } + it { is_expected.to contain_group('www-data') } + it { is_expected.to contain_class('apache::service') } + + it { + expect(subject).to contain_file('/var/www/html').with( + 'ensure' => 'directory', ) } - it { should contain_file("/etc/apache2/mods-enabled").with( - 'ensure' => 'directory', - 'recurse' => 'true', - 'purge' => 'true', - 'notify' => 'Class[Apache::Service]', - 'require' => 'Package[httpd]' - ) + + it { + expect(subject).to contain_file('/etc/apache2/sites-enabled').with( + 'ensure' => 'directory', 'recurse' => 'true', + 'purge' => 'true' + ).that_notifies('Class[Apache::Service]').that_requires('Package[httpd]') } - it { should contain_file("/etc/apache2/mods-available").with( - 'ensure' => 'directory', - 'recurse' => 'true', - 'purge' => 'true', - 'notify' => 'Class[Apache::Service]', - 'require' => 'Package[httpd]' - ) + + it { + expect(subject).to contain_file('/etc/apache2/mods-enabled').with( + 'ensure' => 'directory', 'recurse' => 'true', + 'purge' => 'true' + ).that_notifies('Class[Apache::Service]').that_requires('Package[httpd]') } - it { should contain_concat("/etc/apache2/ports.conf").with( - 'owner' => 'root', - 'group' => 'root', - 'mode' => '0644', - 'notify' => 'Class[Apache::Service]' - ) + + it { + expect(subject).to contain_file('/etc/apache2/mods-available').with( + 'ensure' => 'directory', 'recurse' => 'true', + 'purge' => 'false' + ).that_notifies('Class[Apache::Service]').that_requires('Package[httpd]') } + + it { is_expected.to contain_file('/etc/apache2/apache2.conf').without_content(%r{ServerAdmin}) } + + it { + expect(subject).to contain_concat('/etc/apache2/ports.conf').with( + 'owner' => 'root', 'group' => 'root', + 'mode' => '0644' + ).that_notifies('Class[Apache::Service]') + } + # Assert that load files are placed and symlinked for these mods, but no conf file. - [ - 'auth_basic', - 'authn_file', - 'authz_default', - 'authz_groupfile', - 'authz_host', - 'authz_user', - 'dav', - 'env' - ].each do |modname| - it { should contain_file("#{modname}.load").with( - 'path' => "/etc/apache2/mods-available/#{modname}.load", - 'ensure' => 'file' - ) } - it { should contain_file("#{modname}.load symlink").with( - 'path' => "/etc/apache2/mods-enabled/#{modname}.load", - 'ensure' => 'link', - 'target' => "/etc/apache2/mods-available/#{modname}.load" - ) } - it { should_not contain_file("#{modname}.conf") } - it { should_not contain_file("#{modname}.conf symlink") } + ['auth_basic', 'authn_file', 'authz_groupfile', 'authz_host', 'authz_user', 'dav', 'env'].each do |modname| + it { + expect(subject).to contain_file("#{modname}.load").with( + 'path' => "/etc/apache2/mods-available/#{modname}.load", + 'ensure' => 'file', + ) + } + + it { + expect(subject).to contain_file("#{modname}.load symlink").with( + 'path' => "/etc/apache2/mods-enabled/#{modname}.load", + 'ensure' => 'link', + 'target' => "/etc/apache2/mods-available/#{modname}.load", + ) + } + + it { is_expected.not_to contain_file("#{modname}.conf") } + it { is_expected.not_to contain_file("#{modname}.conf symlink") } + end + + context 'with use_optional_includes' do + let :params do + { + use_optional_includes: true + } + end + + it { is_expected.to contain_file('/etc/apache2/apache2.conf').with_content %r{^IncludeOptional "/etc/apache2/conf\.d/\*\.conf"$} } + end + + context 'with serveradmin' do + let(:params) do + { + serveradmin: 'admin@example.com' + } + end + + it { is_expected.to contain_file('/etc/apache2/apache2.conf').with_content %r{^ServerAdmin admin@example\.com$} } + end + + context 'when specifying slash encoding behaviour' do + let :params do + { allow_encoded_slashes: 'nodecode' } + end + + it { is_expected.to contain_file('/etc/apache2/apache2.conf').with_content %r{^AllowEncodedSlashes nodecode$} } + end + + context 'when specifying fileETag behaviour' do + let :params do + { file_e_tag: 'None' } + end + + it { is_expected.to contain_file('/etc/apache2/apache2.conf').with_content %r{^FileETag None$} } + end + + context 'when specifying canonical name behaviour' do + let :params do + { use_canonical_name: 'dns' } + end + + it { is_expected.to contain_file('/etc/apache2/apache2.conf').with_content %r{^UseCanonicalName dns$} } + end + + context 'when specifying default character set' do + let :params do + { default_charset: 'none' } + end + + it { is_expected.to contain_file('/etc/apache2/apache2.conf').with_content %r{^AddDefaultCharset none$} } end # Assert that both load files and conf files are placed and symlinked for these mods - [ - 'alias', - 'autoindex', - 'dav_fs', - 'deflate', - 'dir', - 'mime', - 'negotiation', - 'setenvif', - ].each do |modname| - it { should contain_file("#{modname}.load").with( - 'path' => "/etc/apache2/mods-available/#{modname}.load", - 'ensure' => 'file' - ) } - it { should contain_file("#{modname}.load symlink").with( - 'path' => "/etc/apache2/mods-enabled/#{modname}.load", - 'ensure' => 'link', - 'target' => "/etc/apache2/mods-available/#{modname}.load" - ) } - it { should contain_file("#{modname}.conf").with( - 'path' => "/etc/apache2/mods-available/#{modname}.conf", - 'ensure' => 'file' - ) } - it { should contain_file("#{modname}.conf symlink").with( - 'path' => "/etc/apache2/mods-enabled/#{modname}.conf", - 'ensure' => 'link', - 'target' => "/etc/apache2/mods-available/#{modname}.conf" - ) } - end - describe "Don't create user resource" do - context "when parameter manage_user is false" do - let :params do - { :manage_user => false } - end + ['alias', 'autoindex', 'dav_fs', 'deflate', 'dir', 'mime', 'negotiation', 'setenvif'].each do |modname| + it { + expect(subject).to contain_file("#{modname}.load").with( + 'path' => "/etc/apache2/mods-available/#{modname}.load", + 'ensure' => 'file', + ) + } - it { should_not contain_user('www-data') } - it { should contain_file("/etc/apache2/apache2.conf").with_content %r{^User www-data\n} } + it { + expect(subject).to contain_file("#{modname}.load symlink").with( + 'path' => "/etc/apache2/mods-enabled/#{modname}.load", + 'ensure' => 'link', + 'target' => "/etc/apache2/mods-available/#{modname}.load", + ) + } + + it { + expect(subject).to contain_file("#{modname}.conf").with( + 'path' => "/etc/apache2/mods-available/#{modname}.conf", + 'ensure' => 'file', + ) + } + + it { + expect(subject).to contain_file("#{modname}.conf symlink").with( + 'path' => "/etc/apache2/mods-enabled/#{modname}.conf", + 'ensure' => 'link', + 'target' => "/etc/apache2/mods-available/#{modname}.conf", + ) + } + end + + describe "Don't create user resource when parameter manage_user is false" do + let :params do + { manage_user: false } + end + + it { is_expected.not_to contain_user('www-data') } + it { is_expected.to contain_file('/etc/apache2/apache2.conf').with_content %r{^User www-data\n} } + end + + describe "Don't create group resource when parameter manage_group is false" do + let :params do + { manage_group: false } end + + it { is_expected.not_to contain_group('www-data') } + it { is_expected.to contain_file('/etc/apache2/apache2.conf').with_content %r{^Group www-data\n} } + end + + describe 'Add extra LogFormats When parameter log_formats is a hash' do + let :params do + { log_formats: { + 'vhost_common' => '%v %h %l %u %t "%r" %>s %b', + 'vhost_combined' => '%v %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"' + } } + end + + it { is_expected.to contain_file('/etc/apache2/apache2.conf').with_content %r{^LogFormat "%v %h %l %u %t "%r" %>s %b" vhost_common\n} } + it { is_expected.to contain_file('/etc/apache2/apache2.conf').with_content %r{^LogFormat "%v %h %l %u %t "%r" %>s %b "%\{Referer\}i" "%\{User-agent\}i"" vhost_combined\n} } end - describe "Don't create group resource" do - context "when parameter manage_group is false" do - let :params do - { :manage_group => false } + + describe 'Override existing LogFormats When parameter log_formats is a hash' do + let :params do + { log_formats: { + 'common' => '%v %h %l %u %t "%r" %>s %b', + 'combined' => '%v %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"' + } } + end + + expected = [ + %r{^LogFormat "%v %h %l %u %t "%r" %>s %b" common\n}, + %r{^LogFormat "%v %h %l %u %t "%r" %>s %b" common\n}, + %r{^LogFormat "%v %h %l %u %t "%r" %>s %b "%\{Referer\}i" "%\{User-agent\}i"" combined\n}, + ] + unexpected = [ + %r{^LogFormat "%h %l %u %t "%r" %>s %b "%\{Referer\}i" "%\{User-agent\}i"" combined\n}, + %r{^LogFormat "%h %l %u %t "%r" %>s %b "%\{Referer\}i" "%\{User-agent\}i"" combined\n}, + ] + it 'Expected to contain' do + expected.each do |reg| + expect(subject).to contain_file('/etc/apache2/apache2.conf').with_content reg end + end - it { should_not contain_group('www-data') } - it { should contain_file("/etc/apache2/apache2.conf").with_content %r{^Group www-data\n} } + it 'Not expected to contain' do + unexpected.each do |reg| + expect(subject).to contain_file('/etc/apache2/apache2.conf').without_content reg + end end end - end - context "on a RedHat 5 OS" do - let :facts do - { - :osfamily => 'RedHat', - :operatingsystemrelease => '5', - :concat_basedir => '/dne', + + describe 'Alternate mpm_modules when declaring mpm_module => prefork' do + let :params do + { mpm_module: 'worker' } + end + + it { is_expected.to contain_exec('/usr/sbin/a2dismod mpm_event') } + it { is_expected.to contain_exec('/usr/sbin/a2dismod prefork') } + end + + context 'on Ubuntu 18.04' do + include_examples 'Ubuntu 18.04' + + it { + expect(subject).to contain_file('/var/www/html').with( + 'ensure' => 'directory', + ) } end - it { should include_class("apache::params") } - it { should contain_package("httpd").with( - 'notify' => 'Class[Apache::Service]', - 'ensure' => 'installed' + end + + context 'on a RedHat 8 OS' do + include_examples 'RedHat 8' + + it { is_expected.to contain_class('apache::params') } + + it { + expect(subject).to contain_package('httpd').with( + 'notify' => 'Class[Apache::Service]', + 'ensure' => 'installed', ) } - it { should contain_user("apache") } - it { should contain_group("apache") } - it { should contain_class("apache::service") } - it { should contain_file("/etc/httpd/conf.d").with( - 'ensure' => 'directory', - 'recurse' => 'true', - 'purge' => 'true', - 'notify' => 'Class[Apache::Service]', - 'require' => 'Package[httpd]' + + it { is_expected.to contain_user('apache') } + it { is_expected.to contain_group('apache') } + it { is_expected.to contain_class('apache::service') } + + it { + expect(subject).to contain_file('/var/www/html').with( + 'ensure' => 'directory', ) } - it { should contain_concat("/etc/httpd/conf/ports.conf").with( - 'owner' => 'root', - 'group' => 'root', - 'mode' => '0644', - 'notify' => 'Class[Apache::Service]' - ) + + it { + expect(subject).to contain_file('/etc/httpd/conf.d').with( + 'ensure' => 'directory', 'recurse' => 'true', + 'purge' => 'true' + ).that_notifies('Class[Apache::Service]').that_requires('Package[httpd]') + } + + it { + expect(subject).to contain_concat('/etc/httpd/conf/ports.conf').with( + 'owner' => 'root', 'group' => 'root', + 'mode' => '0644' + ).that_notifies('Class[Apache::Service]') } - describe "Alternate confd/mod/vhosts directory" do + + describe 'Alternate confd/mod/vhosts directory' do let :params do { - :vhost_dir => '/etc/httpd/site.d', - :confd_dir => '/etc/httpd/conf.d', - :mod_dir => '/etc/httpd/mod.d', + vhost_dir: '/etc/httpd/site.d', + confd_dir: '/etc/httpd/conf.d', + mod_dir: '/etc/httpd/mod.d' } end - ['mod.d','site.d','conf.d'].each do |dir| - it { should contain_file("/etc/httpd/#{dir}").with( - 'ensure' => 'directory', - 'recurse' => 'true', - 'purge' => 'true', - 'notify' => 'Class[Apache::Service]', - 'require' => 'Package[httpd]' - ) } + ['mod.d', 'site.d', 'conf.d'].each do |dir| + it { + expect(subject).to contain_file("/etc/httpd/#{dir}").with( + 'ensure' => 'directory', 'recurse' => 'true', + 'purge' => 'true' + ).that_notifies('Class[Apache::Service]').that_requires('Package[httpd]') + } end # Assert that load files are placed for these mods, but no conf file. - [ - 'auth_basic', - 'authn_file', - 'authz_default', - 'authz_groupfile', - 'authz_host', - 'authz_user', - 'dav', - 'env', - ].each do |modname| - it { should contain_file("#{modname}.load").with_path( - "/etc/httpd/mod.d/#{modname}.load" - ) } - it { should_not contain_file("#{modname}.conf").with_path( - "/etc/httpd/mod.d/#{modname}.conf" - ) } + ['auth_basic', 'authn_file', 'authz_groupfile', 'authz_host', 'authz_user', 'dav', 'env'].each do |modname| + it { + expect(subject).to contain_file("#{modname}.load").with_path( + "/etc/httpd/mod.d/#{modname}.load", + ) + } + + it { + expect(subject).not_to contain_file("#{modname}.conf").with_path( + "/etc/httpd/mod.d/#{modname}.conf", + ) + } end # Assert that both load files and conf files are placed for these mods - [ - 'alias', - 'autoindex', - 'dav_fs', - 'deflate', - 'dir', - 'mime', - 'negotiation', - 'setenvif', - ].each do |modname| - it { should contain_file("#{modname}.load").with_path( - "/etc/httpd/mod.d/#{modname}.load" - ) } - it { should contain_file("#{modname}.conf").with_path( - "/etc/httpd/mod.d/#{modname}.conf" - ) } - end - - it { should contain_file("/etc/httpd/conf/httpd.conf").with_content %r{^Include /etc/httpd/conf\.d/\*\.conf$} } - it { should contain_file("/etc/httpd/conf/httpd.conf").with_content %r{^Include /etc/httpd/site\.d/\*\.conf$} } - it { should contain_file("/etc/httpd/conf/httpd.conf").with_content %r{^Include /etc/httpd/mod\.d/\*\.conf$} } - it { should contain_file("/etc/httpd/conf/httpd.conf").with_content %r{^Include /etc/httpd/mod\.d/\*\.load$} } - end - - describe "Alternate conf.d directory" do - let :params do - { :confd_dir => '/etc/httpd/special_conf.d' } - end - - it { should contain_file("/etc/httpd/special_conf.d").with( - 'ensure' => 'directory', - 'recurse' => 'true', - 'purge' => 'true', - 'notify' => 'Class[Apache::Service]', - 'require' => 'Package[httpd]' - ) } - end - - describe "Alternate mpm_modules" do - context "when declaring mpm_module is false" do - let :params do - { :mpm_module => false } - end - it 'should not declare mpm modules' do - should_not contain_class('apache::mod::itk') - should_not contain_class('apache::mod::prefork') - should_not contain_class('apache::mod::worker') - end + ['alias', 'autoindex', 'dav_fs', 'deflate', 'dir', 'mime', 'negotiation', 'setenvif'].each do |modname| + it { + expect(subject).to contain_file("#{modname}.load").with_path( + "/etc/httpd/mod.d/#{modname}.load", + ) + } + + it { + expect(subject).to contain_file("#{modname}.conf").with_path( + "/etc/httpd/mod.d/#{modname}.conf", + ) + } end - context "when declaring mpm_module => prefork" do - let :params do - { :mpm_module => 'prefork' } - end - it { should contain_class('apache::mod::prefork') } - it { should_not contain_class('apache::mod::itk') } - it { should_not contain_class('apache::mod::worker') } + + it { is_expected.to contain_file('/etc/httpd/conf/httpd.conf').with_content %r{^IncludeOptional "/etc/httpd/site\.d/\*"$} } + it { is_expected.to contain_file('/etc/httpd/conf/httpd.conf').with_content %r{^Include "/etc/httpd/mod\.d/\*\.conf"$} } + it { is_expected.to contain_file('/etc/httpd/conf/httpd.conf').with_content %r{^Include "/etc/httpd/mod\.d/\*\.load"$} } + end + + describe 'Alternate confd/mod/vhosts directory' do + let :params do + { + vhost_dir: '/etc/httpd/site.d', + confd_dir: '/etc/httpd/conf.d', + mod_dir: '/etc/httpd/mod.d', + use_optional_includes: true + } end - context "when declaring mpm_module => worker" do - let :params do - { :mpm_module => 'worker' } - end - it { should contain_class('apache::mod::worker') } - it { should_not contain_class('apache::mod::itk') } - it { should_not contain_class('apache::mod::prefork') } + + it { is_expected.to contain_file('/etc/httpd/conf/httpd.conf').with_content %r{^IncludeOptional "/etc/httpd/conf\.d/\*\.conf"$} } + end + + describe 'Alternate confd/mod/vhosts directory when specifying slash encoding behaviour' do + let :params do + { + vhost_dir: '/etc/httpd/site.d', + confd_dir: '/etc/httpd/conf.d', + mod_dir: '/etc/httpd/mod.d', + allow_encoded_slashes: 'nodecode' + } end - context "when declaring mpm_module => breakme" do - let :params do - { :mpm_module => 'breakme' } - end - it { expect { subject }.to raise_error Puppet::Error, /does not match/ } + + it { is_expected.to contain_file('/etc/httpd/conf/httpd.conf').with_content %r{^AllowEncodedSlashes nodecode$} } + end + + describe 'Alternate confd/mod/vhosts directory when specifying default character set' do + let :params do + { + vhost_dir: '/etc/httpd/site.d', + confd_dir: '/etc/httpd/conf.d', + mod_dir: '/etc/httpd/mod.d', + default_charset: 'none' + } end + + it { is_expected.to contain_file('/etc/httpd/conf/httpd.conf').with_content %r{^AddDefaultCharset none$} } end - describe "different templates for httpd.conf" do - context "with default" do - let :params do - { :conf_template => 'apache/httpd.conf.erb' } - end - it { should contain_file("/etc/httpd/conf/httpd.conf").with_content %r{^# Security\n} } + describe 'Alternate conf directory' do + let :params do + { conf_dir: '/opt/rh/root/etc/httpd/conf' } end - context "with non-default" do - let :params do - { :conf_template => 'site_apache/fake.conf.erb' } - end - it { should contain_file("/etc/httpd/conf/httpd.conf").with_content %r{^Fake template for rspec.$} } + + it { + expect(subject).to contain_file('/opt/rh/root/etc/httpd/conf/httpd.conf').with( + 'ensure' => 'file', + ).that_notifies('Class[Apache::Service]').that_requires(['Package[httpd]', 'Concat[/etc/httpd/conf/ports.conf]']) + } + end + + describe 'Alternate conf.d directory' do + let :params do + { confd_dir: '/etc/httpd/special_conf.d' } end + + it { + expect(subject).to contain_file('/etc/httpd/special_conf.d').with( + 'ensure' => 'directory', 'recurse' => 'true', + 'purge' => 'true' + ).that_notifies('Class[Apache::Service]').that_requires('Package[httpd]') + } end - describe "default mods" do - context "without" do - let :params do - { :default_mods => false } - end + describe 'Alternate mpm_modules when declaring mpm_module is false' do + let :params do + { mpm_module: false } + end - it { should contain_apache__mod('authz_host') } - it { should_not contain_apache__mod('env') } - end - context "custom" do - let :params do - { :default_mods => [ - 'info', - 'alias', - 'mime', - 'env', - 'setenv', - 'expires', - ]} + unexpected = ['apache::mod::event', 'apache::mod::itk', 'apache::mod::peruser', 'apache::mod::prefork', 'apache::mod::worker'] + it 'does not declare mpm modules' do + unexpected.each do |not_expect| + expect(subject).not_to contain_class(not_expect) end + end + end - it { should contain_apache__mod('authz_host') } - it { should contain_apache__mod('env') } - it { should contain_class('apache::mod::info') } - it { should contain_class('apache::mod::mime') } + describe 'Alternate mpm_modules when declaring mpm_module => prefork' do + let :params do + { mpm_module: 'prefork' } end + + it { is_expected.to contain_class('apache::mod::prefork') } + it { is_expected.not_to contain_class('apache::mod::event') } + it { is_expected.not_to contain_class('apache::mod::itk') } + it { is_expected.not_to contain_class('apache::mod::peruser') } + it { is_expected.not_to contain_class('apache::mod::worker') } end - describe "Don't create user resource" do - context "when parameter manage_user is false" do - let :params do - { :manage_user => false } - end - it { should_not contain_user('apache') } - it { should contain_file("/etc/httpd/conf/httpd.conf").with_content %r{^User apache\n} } + describe 'Alternate mpm_modules when declaring mpm_module => worker' do + let :params do + { mpm_module: 'worker' } end + + it { is_expected.to contain_class('apache::mod::worker') } + it { is_expected.not_to contain_class('apache::mod::event') } + it { is_expected.not_to contain_class('apache::mod::itk') } + it { is_expected.not_to contain_class('apache::mod::peruser') } + it { is_expected.not_to contain_class('apache::mod::prefork') } end - describe "Don't create group resource" do - context "when parameter manage_group is false" do - let :params do - { :manage_group => false } - end - it { should_not contain_group('apache') } - it { should contain_file("/etc/httpd/conf/httpd.conf").with_content %r{^Group apache\n} } + describe 'different templates for httpd.conf with default' do + let :params do + { conf_template: 'apache/httpd.conf.epp' } + end + + it { is_expected.to contain_file('/etc/httpd/conf/httpd.conf').with_content %r{^# Security\n} } + end + describe 'different templates for httpd.conf with non-default' do + let :params do + { conf_template: 'site_apache/fake.conf.epp' } end + + it { is_expected.to contain_file('/etc/httpd/conf/httpd.conf').with_content %r{^Fake template for rspec.$} } end - describe "sendfile" do - context "with invalid value" do - let :params do - { :sendfile => 'foo' } - end - it "should fail" do - expect do - subject - end.to raise_error(Puppet::Error, /"foo" does not match/) - end + + describe 'default mods without' do + let :params do + { default_mods: false } end - context "On" do - let :params do - { :sendfile => 'On' } - end - it { should contain_file("/etc/httpd/conf/httpd.conf").with_content %r{^EnableSendfile On\n} } + + it { is_expected.to contain_apache__mod('authz_host') } + it { is_expected.not_to contain_apache__mod('env') } + end + + describe 'default mods custom' do + let :params do + { default_mods: ['info', 'alias', 'mime', 'env', 'setenv', 'expires'] } end - context "Off" do - let :params do - { :sendfile => 'Off' } - end - it { should contain_file("/etc/httpd/conf/httpd.conf").with_content %r{^EnableSendfile Off\n} } + + it { is_expected.to contain_apache__mod('authz_host') } + it { is_expected.to contain_apache__mod('env') } + it { is_expected.to contain_class('apache::mod::info') } + it { is_expected.to contain_class('apache::mod::mime') } + end + + describe "Don't create user resource when parameter manage_user is false" do + let :params do + { manage_user: false } + end + + it { is_expected.not_to contain_user('apache') } + it { is_expected.to contain_file('/etc/httpd/conf/httpd.conf').with_content %r{^User apache\n} } + end + + describe "Don't create group resource when parameter manage_group is false" do + let :params do + { manage_group: false } end + + it { is_expected.not_to contain_group('apache') } + it { is_expected.to contain_file('/etc/httpd/conf/httpd.conf').with_content %r{^Group apache\n} } end + + describe 'sendfile with invalid value' do + let :params do + { sendfile: 'foo' } + end + + it 'fails' do + expect { + catalogue + }.to raise_error(Puppet::PreformattedError, %r{Evaluation Error: Error while evaluating a Resource Statement, Class\[Apache\]: parameter 'sendfile' expects a match for Apache::OnOff = Enum\['Off', 'On', 'off', 'on'\]}) # rubocop:disable Layout/LineLength + end + end + + describe 'sendfile On' do + let :params do + { sendfile: 'On' } + end + + it { is_expected.to contain_file('/etc/httpd/conf/httpd.conf').with_content %r{^EnableSendfile On\n} } + end + + describe 'sendfile Off' do + let :params do + { sendfile: 'Off' } + end + + it { is_expected.to contain_file('/etc/httpd/conf/httpd.conf').with_content %r{^EnableSendfile Off\n} } + end + + describe 'hostname lookup with invalid value' do + let :params do + { hostname_lookups: 'foo' } + end + + it 'fails' do + expect { + catalogue + }.to raise_error(Puppet::Error, %r{Evaluation Error}) + end + end + + describe 'hostname_lookups On' do + let :params do + { hostname_lookups: 'On' } + end + + it { is_expected.to contain_file('/etc/httpd/conf/httpd.conf').with_content %r{^HostnameLookups On\n} } + end + + describe 'hostname_lookups Off' do + let :params do + { hostname_lookups: 'Off' } + end + + it { is_expected.to contain_file('/etc/httpd/conf/httpd.conf').with_content %r{^HostnameLookups Off\n} } + end + + describe 'hostname_lookups Double' do + let :params do + { hostname_lookups: 'Double' } + end + + it { is_expected.to contain_file('/etc/httpd/conf/httpd.conf').with_content %r{^HostnameLookups Double\n} } + end + end + + context 'on a FreeBSD OS' do + include_examples 'FreeBSD 10' + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_class('apache::package').with('ensure' => 'present') } + it { is_expected.to contain_user('www') } + it { is_expected.to contain_group('www') } + it { is_expected.to contain_class('apache::service') } + + it { + expect(subject).to contain_file('/usr/local/www/apache24/data').with( + 'ensure' => 'directory', + ) + } + + it { + expect(subject).to contain_file('/usr/local/etc/apache24/Vhosts').with( + 'ensure' => 'directory', 'recurse' => 'true', + 'purge' => 'true' + ).that_notifies('Class[Apache::Service]').that_requires('Package[httpd]') + } + + it { + expect(subject).to contain_file('/usr/local/etc/apache24/Modules').with( + 'ensure' => 'directory', 'recurse' => 'true', + 'purge' => 'true' + ).that_notifies('Class[Apache::Service]').that_requires('Package[httpd]') + } + + it { + expect(subject).to contain_concat('/usr/local/etc/apache24/ports.conf').with( + 'owner' => 'root', 'group' => 'wheel', + 'mode' => '0644' + ).that_notifies('Class[Apache::Service]') + } + + # Assert that load files are placed for these mods, but no conf file. + ['auth_basic', 'authn_core', 'authn_file', 'authz_groupfile', 'authz_host', 'authz_user', 'dav', 'env'].each do |modname| + it { + expect(subject).to contain_file("#{modname}.load").with( + 'path' => "/usr/local/etc/apache24/Modules/#{modname}.load", + 'ensure' => 'file', + ) + } + + it { is_expected.not_to contain_file("#{modname}.conf") } + end + + # Assert that both load files and conf files are placed for these mods + ['alias', 'autoindex', 'dav_fs', 'deflate', 'dir', 'mime', 'negotiation', 'setenvif'].each do |modname| + it { + expect(subject).to contain_file("#{modname}.load").with( + 'path' => "/usr/local/etc/apache24/Modules/#{modname}.load", + 'ensure' => 'file', + ) + } + + it { + expect(subject).to contain_file("#{modname}.conf").with( + 'path' => "/usr/local/etc/apache24/Modules/#{modname}.conf", + 'ensure' => 'file', + ) + } + end + end + + context 'on a Gentoo OS' do + include_examples 'Gentoo' + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_user('apache') } + it { is_expected.to contain_group('apache') } + it { is_expected.to contain_class('apache::service') } + + it { + expect(subject).to contain_file('/var/www/localhost/htdocs').with( + 'ensure' => 'directory', + ) + } + + it { + expect(subject).to contain_file('/etc/apache2/vhosts.d').with( + 'ensure' => 'directory', 'recurse' => 'true', + 'purge' => 'true' + ).that_notifies('Class[Apache::Service]').that_requires('Package[httpd]') + } + + it { + expect(subject).to contain_file('/etc/apache2/modules.d').with( + 'ensure' => 'directory', 'recurse' => 'true', + 'purge' => 'true' + ).that_notifies('Class[Apache::Service]').that_requires('Package[httpd]') + } + + it { + expect(subject).to contain_concat('/etc/apache2/ports.conf').with( + 'owner' => 'root', 'group' => 'wheel', + 'mode' => '0644' + ).that_notifies('Class[Apache::Service]') + } + end + + context 'on all OSes' do + include_examples 'RedHat 8' + + context 'with a custom apache_name parameter' do + let :params do + { + apache_name: 'httpd24-httpd' + } + end + + it { + expect(subject).to contain_package('httpd').with( + 'ensure' => 'installed', + 'name' => 'httpd24-httpd', + ).that_notifies('Class[Apache::Service]') + } + end + + context 'with a custom file_mode parameter' do + let :params do + { + file_mode: '0640' + } + end + + it { + expect(subject).to contain_concat('/etc/httpd/conf/ports.conf').with( + 'mode' => '0640', + ) + } + end + + context 'with a custom root_directory_options parameter' do + let :params do + { + root_directory_options: ['-Indexes', '-FollowSymLinks'] + } + end + + it { is_expected.to contain_file('/etc/httpd/conf/httpd.conf').with_content %r{Options -Indexes -FollowSymLinks} } + end + + context 'with a custom root_directory_secured parameter' do + let :params do + { + root_directory_secured: true + } + end + + it { is_expected.to contain_file('/etc/httpd/conf/httpd.conf').with_content %r{Options FollowSymLinks\n\s+AllowOverride None\n\s+Require all denied} } + end + + context 'default vhost defaults' do + it { is_expected.to contain_apache__vhost('default').with_ensure('present') } + it { is_expected.to contain_apache__vhost('default-ssl').with_ensure('absent') } + it { is_expected.to contain_file('/etc/httpd/conf/httpd.conf').with_content %r{Options FollowSymLinks} } + end + + context 'without default non-ssl vhost' do + let :params do + { + default_vhost: false + } + end + + it { is_expected.to contain_apache__vhost('default').with_ensure('absent') } + it { is_expected.not_to contain_file('/var/www/html') } + end + + context 'with default ssl vhost' do + let :params do + { + default_ssl_vhost: true + } + end + + it { is_expected.to contain_apache__vhost('default-ssl').with_ensure('present') } + it { is_expected.to contain_file('/var/www/html') } + end + end + + context 'with unsupported osfamily' do + include_examples 'Darwin' + + it { is_expected.to compile.and_raise_error(%r{Unsupported osfamily}) } end end diff --git a/spec/classes/dev_spec.rb b/spec/classes/dev_spec.rb index 8bdf1200b8..1dcafdaeed 100644 --- a/spec/classes/dev_spec.rb +++ b/spec/classes/dev_spec.rb @@ -1,26 +1,36 @@ +# frozen_string_literal: true + require 'spec_helper' -describe 'apache::dev', :type => :class do - context "on a Debian OS" do - let :facts do - { - :osfamily => 'Debian', - :operatingsystemrelease => '6', - } - end - it { should include_class("apache::params") } - it { should contain_package("libaprutil1-dev") } - it { should contain_package("libapr1-dev") } - it { should contain_package("apache2-prefork-dev") } - end - context "on a RedHat OS" do - let :facts do - { - :osfamily => 'RedHat', - :operatingsystemrelease => '6', - } +describe 'apache::dev' do + on_supported_os.each do |os, facts| + context "on #{os}" do + let :facts do + facts + end + + context 'with all defaults' do + let(:pre_condition) do + [ + 'include apache', + ] + end + + it { is_expected.to compile.with_all_deps } + it { is_expected.to contain_class('apache::params') } + + case facts[:os]['name'] + when 'Debian' + it { is_expected.to contain_package('libaprutil1-dev') } + it { is_expected.to contain_package('libapr1-dev') } + + it { is_expected.to contain_package('apache2-prefork-dev') } if facts[:os]['release']['major'].to_i < 8 + when 'Ubuntu' + it { is_expected.to contain_package('apache2-dev') } + when 'RedHat' + it { is_expected.to contain_package('httpd-devel') } + end + end end - it { should include_class("apache::params") } - it { should contain_package("httpd-devel") } end end diff --git a/spec/classes/mod/alias_spec.rb b/spec/classes/mod/alias_spec.rb new file mode 100644 index 0000000000..cdaeba7ba2 --- /dev/null +++ b/spec/classes/mod/alias_spec.rb @@ -0,0 +1,85 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::mod::alias', type: :class do + it_behaves_like 'a mod class, without including apache' + + context 'default configuration with parameters' do + context 'on a Debian OS', :compile do + include_examples 'Debian 11' + + it { is_expected.to contain_apache__mod('alias') } + it { is_expected.to contain_file('alias.conf').with(content: %r{Alias /icons/ "/usr/share/apache2/icons/"}) } + end + + context 'on a RedHat 7-based OS', :compile do + include_examples 'RedHat 7' + + it { is_expected.to contain_apache__mod('alias') } + it { is_expected.to contain_file('alias.conf').with(content: %r{Alias /icons/ "/usr/share/httpd/icons/"}) } + end + + context 'on a RedHat 8-based OS', :compile do + include_examples 'RedHat 8' + + it { is_expected.to contain_apache__mod('alias') } + it { is_expected.to contain_file('alias.conf').with(content: %r{Alias /icons/ "/usr/share/httpd/icons/"}) } + end + + context 'with icons options', :compile do + let :pre_condition do + 'class { apache: default_mods => false }' + end + let :params do + { + 'icons_options' => 'foo' + } + end + + include_examples 'RedHat 7' + + it { is_expected.to contain_apache__mod('alias') } + it { is_expected.to contain_file('alias.conf').with(content: %r{Options foo}) } + end + + context 'with icons path change', :compile do + let :pre_condition do + 'class { apache: default_mods => false }' + end + let :params do + { + 'icons_prefix' => 'apache-icons' + } + end + + include_examples 'RedHat 7' + + it { is_expected.to contain_apache__mod('alias') } + it { is_expected.to contain_file('alias.conf').with(content: %r{Alias /apache-icons/ "/usr/share/httpd/icons/"}) } + end + + context 'with icons path as false', :compile do + let :pre_condition do + 'class { apache: default_mods => false }' + end + let :params do + { + 'icons_path' => false + } + end + + include_examples 'RedHat 7' + + it { is_expected.to contain_apache__mod('alias') } + it { is_expected.not_to contain_file('alias.conf') } + end + + context 'on a FreeBSD OS', :compile do + include_examples 'FreeBSD 10' + + it { is_expected.to contain_apache__mod('alias') } + it { is_expected.to contain_file('alias.conf').with(content: %r{Alias /icons/ "/usr/local/www/apache24/icons/"}) } + end + end +end diff --git a/spec/classes/mod/auth_cas_spec.rb b/spec/classes/mod/auth_cas_spec.rb new file mode 100644 index 0000000000..9b053f3de2 --- /dev/null +++ b/spec/classes/mod/auth_cas_spec.rb @@ -0,0 +1,74 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::mod::auth_cas', type: :class do + context 'default params' do + let :params do + { + cas_login_url: 'https://cas.example.com/login', + cas_validate_url: 'https://cas.example.com/validate', + cas_cookie_path: '/var/cache/apache2/mod_auth_cas/' + } + end + + it_behaves_like 'a mod class, without including apache' + end + + context 'default configuration with parameters' do + let :params do + { + cas_login_url: 'https://cas.example.com/login', + cas_validate_url: 'https://cas.example.com/validate', + cas_timeout: 1234, + cas_idle_timeout: 4321 + } + end + + context 'on a Debian OS', :compile do + include_examples 'Debian 11' + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_class('apache::mod::authn_core') } + it { is_expected.to contain_apache__mod('auth_cas') } + it { is_expected.to contain_package('libapache2-mod-auth-cas') } + it { is_expected.to contain_file('auth_cas.conf').with_path('/etc/apache2/mods-available/auth_cas.conf') } + it { is_expected.to contain_file('/var/cache/apache2/mod_auth_cas/').with_owner('www-data') } + it { is_expected.to contain_file('auth_cas.conf').with_content(%r{CASTimeout 1234}) } + it { is_expected.to contain_file('auth_cas.conf').with_content(%r{CASIdleTimeout 4321}) } + end + + context 'on a RedHat OS', :compile do + include_examples 'RedHat 8' + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_class('apache::mod::authn_core') } + it { is_expected.to contain_apache__mod('auth_cas') } + it { is_expected.to contain_package('mod_auth_cas') } + it { is_expected.to contain_file('auth_cas.conf').with_path('/etc/httpd/conf.modules.d/auth_cas.conf') } + it { is_expected.to contain_file('/var/cache/mod_auth_cas/').with_owner('apache') } + it { is_expected.to contain_file('auth_cas.conf').with_content(%r{CASTimeout 1234}) } + it { is_expected.to contain_file('auth_cas.conf').with_content(%r{CASIdleTimeout 4321}) } + end + + context 'vhost setup', :compile do + let :pre_condition do + "class { 'apache': } apache::vhost { 'test.server': docroot => '/var/www/html', cas_root_proxied_as => 'http://test.server', cas_cookie_path => '/my/cas/path'} " + end + + include_examples 'RedHat 8' + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_class('apache::mod::authn_core') } + it { is_expected.to contain_apache__mod('auth_cas') } + it { is_expected.to contain_package('mod_auth_cas') } + it { is_expected.to contain_file('auth_cas.conf').with_path('/etc/httpd/conf.modules.d/auth_cas.conf') } + it { is_expected.to contain_file('/var/cache/mod_auth_cas/').with_owner('apache') } + + it { + expect(subject).to contain_concat__fragment('test.server-auth_cas').with(content: %r{^\s+CASRootProxiedAs http://test.server$}) + expect(subject).to contain_concat__fragment('test.server-auth_cas').with(content: %r{^\s+CASCookiePath /my/cas/path$}) + } + end + end +end diff --git a/spec/classes/mod/auth_gssapi_spec.rb b/spec/classes/mod/auth_gssapi_spec.rb new file mode 100644 index 0000000000..f50d6dd2e4 --- /dev/null +++ b/spec/classes/mod/auth_gssapi_spec.rb @@ -0,0 +1,45 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::mod::auth_gssapi', type: :class do + it_behaves_like 'a mod class, without including apache' + + context 'default configuration with parameters' do + context 'on a Debian OS', :compile do + include_examples 'Debian 11' + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_class('apache::mod::authn_core') } + it { is_expected.to contain_apache__mod('auth_gssapi') } + it { is_expected.to contain_package('libapache2-mod-auth-gssapi') } + end + + context 'on a RedHat OS', :compile do + include_examples 'RedHat 8' + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_class('apache::mod::authn_core') } + it { is_expected.to contain_apache__mod('auth_gssapi') } + it { is_expected.to contain_package('mod_auth_gssapi') } + end + + context 'on a FreeBSD OS', :compile do + include_examples 'FreeBSD 9' + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_class('apache::mod::authn_core') } + it { is_expected.to contain_apache__mod('auth_gssapi') } + it { is_expected.to contain_package('www/mod_auth_gssapi') } + end + + context 'on a Gentoo OS', :compile do + include_examples 'Gentoo' + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_class('apache::mod::authn_core') } + it { is_expected.to contain_apache__mod('auth_gssapi') } + it { is_expected.to contain_package('www-apache/mod_auth_gssapi') } + end + end +end diff --git a/spec/classes/mod/auth_kerb_spec.rb b/spec/classes/mod/auth_kerb_spec.rb index c4aa8a67f6..84410311bf 100644 --- a/spec/classes/mod/auth_kerb_spec.rb +++ b/spec/classes/mod/auth_kerb_spec.rb @@ -1,29 +1,66 @@ -describe 'apache::mod::auth_kerb', :type => :class do - let :pre_condition do - 'include apache' - end - context "on a Debian OS" do - let :facts do - { - :osfamily => 'Debian', - :operatingsystemrelease => '6', - :concat_basedir => '/dne', - } +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::mod::auth_kerb', type: :class do + it_behaves_like 'a mod class, without including apache' + + context 'default configuration with parameters' do + context 'on a Debian OS', :compile do + include_examples 'Debian 10' + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_class('apache::mod::authn_core') } + it { is_expected.to contain_apache__mod('auth_kerb') } + it { is_expected.to contain_package('libapache2-mod-auth-kerb') } + end + + context 'on a RedHat OS', :compile do + include_examples 'RedHat 8' + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_class('apache::mod::authn_core') } + it { is_expected.to contain_apache__mod('auth_kerb') } + it { is_expected.to contain_package('mod_auth_kerb') } + end + + context 'on a FreeBSD OS', :compile do + include_examples 'FreeBSD 9' + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_class('apache::mod::authn_core') } + it { is_expected.to contain_apache__mod('auth_kerb') } + it { is_expected.to contain_package('www/mod_auth_kerb2') } + end + + context 'on a Gentoo OS', :compile do + include_examples 'Gentoo' + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_class('apache::mod::authn_core') } + it { is_expected.to contain_apache__mod('auth_kerb') } + it { is_expected.to contain_package('www-apache/mod_auth_kerb') } end - it { should include_class("apache::params") } - it { should contain_apache__mod("auth_kerb") } - it { should contain_package("libapache2-mod-auth-kerb") } end - context "on a RedHat OS" do - let :facts do - { - :osfamily => 'RedHat', - :operatingsystemrelease => '6', - :concat_basedir => '/dne', - } + + context 'overriding mod_packages' do + context 'on a RedHat OS', :compile do + include_examples 'RedHat 8' + let :pre_condition do + <<-MANIFEST + include apache::params + class { 'apache': + mod_packages => merge($::apache::params::mod_packages, { + 'auth_kerb' => 'httpd24-mod_auth_kerb', + }) + } + MANIFEST + end + + it { is_expected.to contain_class('apache::mod::authn_core') } + it { is_expected.to contain_apache__mod('auth_kerb') } + it { is_expected.to contain_package('httpd24-mod_auth_kerb') } + it { is_expected.not_to contain_package('mod_auth_kerb') } end - it { should include_class("apache::params") } - it { should contain_apache__mod("auth_kerb") } - it { should contain_package("mod_auth_kerb") } end end diff --git a/spec/classes/mod/auth_mellon_spec.rb b/spec/classes/mod/auth_mellon_spec.rb new file mode 100644 index 0000000000..22f496fe95 --- /dev/null +++ b/spec/classes/mod/auth_mellon_spec.rb @@ -0,0 +1,71 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::mod::auth_mellon', type: :class do + it_behaves_like 'a mod class, without including apache' + + context 'default configuration with parameters on a Debian OS' do + include_examples 'Debian 11' + + describe 'with no parameters' do + it { is_expected.to contain_class('apache::mod::authn_core') } + it { is_expected.to contain_apache__mod('auth_mellon') } + it { is_expected.to contain_package('libapache2-mod-auth-mellon') } + it { is_expected.to contain_file('auth_mellon.conf').with_path('/etc/apache2/mods-available/auth_mellon.conf') } + it { is_expected.to contain_file('auth_mellon.conf').with_content("MellonPostDirectory \"/var/cache/apache2/mod_auth_mellon/\"\n") } + end + + describe 'with parameters' do + let :params do + { mellon_cache_size: 200, + mellon_cache_entry_size: 2010, + mellon_lock_file: '/tmp/junk', + mellon_post_directory: '/tmp/post', + mellon_post_ttl: 5, + mellon_post_size: 8, + mellon_post_count: 10 } + end + + it { is_expected.to contain_file('auth_mellon.conf').with_content(%r{^MellonCacheSize\s+200$}) } + it { is_expected.to contain_file('auth_mellon.conf').with_content(%r{^MellonCacheEntrySize\s+2010$}) } + it { is_expected.to contain_file('auth_mellon.conf').with_content(%r{^MellonLockFile\s+"/tmp/junk"$}) } + it { is_expected.to contain_file('auth_mellon.conf').with_content(%r{^MellonPostDirectory\s+"/tmp/post"$}) } + it { is_expected.to contain_file('auth_mellon.conf').with_content(%r{^MellonPostTTL\s+5$}) } + it { is_expected.to contain_file('auth_mellon.conf').with_content(%r{^MellonPostSize\s+8$}) } + it { is_expected.to contain_file('auth_mellon.conf').with_content(%r{^MellonPostCount\s+10$}) } + end + end + + context 'default configuration with parameters on a RedHat OS' do + include_examples 'RedHat 8' + + describe 'with no parameters' do + it { is_expected.to contain_class('apache::mod::authn_core') } + it { is_expected.to contain_apache__mod('auth_mellon') } + it { is_expected.to contain_package('mod_auth_mellon') } + it { is_expected.to contain_file('auth_mellon.conf').with_path('/etc/httpd/conf.modules.d/auth_mellon.conf') } + it { is_expected.to contain_file('auth_mellon.conf').with_content("MellonCacheSize 100\nMellonLockFile \"/run/mod_auth_mellon/lock\"\n") } + end + + describe 'with parameters' do + let :params do + { mellon_cache_size: 200, + mellon_cache_entry_size: 2010, + mellon_lock_file: '/tmp/junk', + mellon_post_directory: '/tmp/post', + mellon_post_ttl: 5, + mellon_post_size: 8, + mellon_post_count: 10 } + end + + it { is_expected.to contain_file('auth_mellon.conf').with_content(%r{^MellonCacheSize\s+200$}) } + it { is_expected.to contain_file('auth_mellon.conf').with_content(%r{^MellonCacheEntrySize\s+2010$}) } + it { is_expected.to contain_file('auth_mellon.conf').with_content(%r{^MellonLockFile\s+"/tmp/junk"$}) } + it { is_expected.to contain_file('auth_mellon.conf').with_content(%r{^MellonPostDirectory\s+"/tmp/post"$}) } + it { is_expected.to contain_file('auth_mellon.conf').with_content(%r{^MellonPostTTL\s+5$}) } + it { is_expected.to contain_file('auth_mellon.conf').with_content(%r{^MellonPostSize\s+8$}) } + it { is_expected.to contain_file('auth_mellon.conf').with_content(%r{^MellonPostCount\s+10$}) } + end + end +end diff --git a/spec/classes/mod/auth_openidc_spec.rb b/spec/classes/mod/auth_openidc_spec.rb new file mode 100644 index 0000000000..ed0ad42cfd --- /dev/null +++ b/spec/classes/mod/auth_openidc_spec.rb @@ -0,0 +1,77 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::mod::auth_openidc', type: :class do + it_behaves_like 'a mod class, without including apache' + + context 'default configuration with parameters' do + context 'on a Debian OS', :compile do + include_examples 'Debian 11' + + it { is_expected.to contain_class('apache::mod::authn_core') } + it { is_expected.to contain_class('apache::mod::authz_user') } + it { is_expected.to contain_apache__mod('auth_openidc') } + it { is_expected.to contain_package('libapache2-mod-auth-openidc') } + it { is_expected.not_to contain_package('dnf-module-mod_auth_openidc') } + end + + context 'on RedHat 7', :compile do + include_examples 'RedHat 7' + + it { is_expected.to contain_class('apache::mod::authn_core') } + it { is_expected.to contain_class('apache::mod::authz_user') } + it { is_expected.to contain_apache__mod('auth_openidc') } + it { is_expected.to contain_package('mod_auth_openidc') } + it { is_expected.not_to contain_package('dnf-module-mod_auth_openidc') } + end + + context 'on RedHat 8', :compile do + include_examples 'RedHat 8' + + it { is_expected.to contain_class('apache::mod::authn_core') } + it { is_expected.to contain_class('apache::mod::authz_user') } + it { is_expected.to contain_apache__mod('auth_openidc') } + it { is_expected.to contain_package('mod_auth_openidc') } + + it do + expect(subject).to contain_package('dnf-module-mod_auth_openidc') + .with_ensure('present') + .with_name('mod_auth_openidc') + .that_comes_before('Package[mod_auth_openidc]') + end + end + + context 'on a FreeBSD OS', :compile do + include_examples 'FreeBSD 9' + + it { is_expected.to contain_class('apache::mod::authn_core') } + it { is_expected.to contain_class('apache::mod::authz_user') } + it { is_expected.to contain_apache__mod('auth_openidc') } + it { is_expected.to contain_package('www/mod_auth_openidc') } + it { is_expected.not_to contain_package('dnf-module-mod_auth_openidc') } + end + end + + context 'overriding mod_packages' do + context 'on a RedHat OS', :compile do + include_examples 'RedHat 8' + let :pre_condition do + <<-MANIFEST + include apache::params + class { 'apache': + mod_packages => merge($::apache::params::mod_packages, { + 'auth_openidc' => 'httpd24-mod_auth_openidc', + }) + } + MANIFEST + end + + it { is_expected.to contain_class('apache::mod::authn_core') } + it { is_expected.to contain_class('apache::mod::authz_user') } + it { is_expected.to contain_apache__mod('auth_openidc') } + it { is_expected.to contain_package('httpd24-mod_auth_openidc') } + it { is_expected.not_to contain_package('mod_auth_openidc') } + end + end +end diff --git a/spec/classes/mod/authn_dbd_spec.rb b/spec/classes/mod/authn_dbd_spec.rb new file mode 100644 index 0000000000..e59e96f235 --- /dev/null +++ b/spec/classes/mod/authn_dbd_spec.rb @@ -0,0 +1,43 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::mod::authn_dbd', type: :class do + context 'default params' do + let :params do + { + authn_dbd_params: 'host=db_host port=3306 user=apache password=###### dbname=apache_auth' + } + end + + it_behaves_like 'a mod class, without including apache' + end + + context 'default configuration with parameters' do + let :params do + { + authn_dbd_params: 'host=db_host port=3306 user=apache password=###### dbname=apache_auth', + authn_dbd_alias: 'db_authn', + authn_dbd_query: 'SELECT password FROM authn WHERE username = %s' + } + end + + context 'on a Debian OS', :compile do + include_examples 'Debian 11' + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_apache__mod('authn_dbd') } + it { is_expected.to contain_apache__mod('dbd') } + it { is_expected.to contain_file('authn_dbd.conf').with_path('/etc/apache2/mods-available/authn_dbd.conf') } + end + + context 'on a RedHat OS', :compile do + include_examples 'RedHat 8' + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_apache__mod('authn_dbd') } + it { is_expected.to contain_apache__mod('dbd') } + it { is_expected.to contain_file('authn_dbd.conf').with_path('/etc/httpd/conf.modules.d/authn_dbd.conf') } + end + end +end diff --git a/spec/classes/mod/authnz_ldap_spec.rb b/spec/classes/mod/authnz_ldap_spec.rb new file mode 100644 index 0000000000..f672c4a573 --- /dev/null +++ b/spec/classes/mod/authnz_ldap_spec.rb @@ -0,0 +1,85 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::mod::authnz_ldap', type: :class do + it_behaves_like 'a mod class, without including apache' + + context 'default configuration with parameters on a Debian OS' do + include_examples 'Debian 11' + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_class('apache::mod::ldap') } + it { is_expected.to contain_apache__mod('authnz_ldap') } + + context 'default verify_server_cert' do + it { is_expected.to contain_file('authnz_ldap.conf').with_content(%r{^LDAPVerifyServerCert On$}) } + end + + context 'verify_server_cert = false' do + let(:params) { { verify_server_cert: false } } + + it { is_expected.to contain_file('authnz_ldap.conf').with_content(%r{^LDAPVerifyServerCert Off$}) } + end + + context 'verify_server_cert = wrong' do + let(:params) { { verify_server_cert: 'wrong' } } + + it 'raises an error' do + expect(subject).to compile.and_raise_error(%r{parameter 'verify_server_cert' expects a Boolean value, got String}) + end + end + end + + context 'default configuration with parameters on a RedHat OS' do + on_supported_os.each do |os, os_facts| + next unless os.start_with?('redhat') + + context "On #{os}" do + let :facts do + os_facts + end + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_class('apache::mod::ldap') } + it { is_expected.to contain_apache__mod('authnz_ldap') } + + if os_facts[:operatingsystemmajrelease].to_i >= 7 + it { is_expected.to contain_package('mod_ldap') } + else + it { is_expected.to contain_package('mod_authz_ldap') } + end + + context 'default verify_server_cert' do + it { is_expected.to contain_file('authnz_ldap.conf').with_content(%r{^LDAPVerifyServerCert On$}) } + end + + context 'verify_server_cert = false' do + let(:params) { { verify_server_cert: false } } + + it { is_expected.to contain_file('authnz_ldap.conf').with_content(%r{^LDAPVerifyServerCert Off$}) } + end + + context 'verify_server_cert = wrong' do + let(:params) { { verify_server_cert: 'wrong' } } + + it 'raises an error' do + expect(subject).to compile.and_raise_error(%r{parameter 'verify_server_cert' expects a Boolean value, got String}) + end + end + + context 'SCL', if: (os_facts[:operatingsystemmajrelease].to_i >= 6 && os_facts[:operatingsystemmajrelease].to_i < 8) do + let(:pre_condition) do + "class { 'apache::version': + scl_httpd_version => '2.4', + scl_php_version => '7.0', + } + include apache" + end + + it { is_expected.to contain_package('httpd24-mod_ldap') } + end + end + end + end +end diff --git a/spec/classes/mod/authnz_pam_spec.rb b/spec/classes/mod/authnz_pam_spec.rb new file mode 100644 index 0000000000..c97574878e --- /dev/null +++ b/spec/classes/mod/authnz_pam_spec.rb @@ -0,0 +1,25 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::mod::authnz_pam', type: :class do + it_behaves_like 'a mod class, without including apache' + + context 'default configuration with parameters' do + context 'on a Debian OS' do + include_examples 'Debian 11' + + it { is_expected.to contain_class('apache') } + it { is_expected.to contain_package('libapache2-mod-authnz-pam') } + it { is_expected.to contain_apache__mod('authnz_pam') } + end + + context 'on a RedHat OS' do + include_examples 'RedHat 8' + + it { is_expected.to contain_class('apache') } + it { is_expected.to contain_package('mod_authnz_pam') } + it { is_expected.to contain_apache__mod('authnz_pam') } + end + end +end diff --git a/spec/classes/mod/authz_groupfile_spec.rb b/spec/classes/mod/authz_groupfile_spec.rb new file mode 100644 index 0000000000..dbab5e7392 --- /dev/null +++ b/spec/classes/mod/authz_groupfile_spec.rb @@ -0,0 +1,15 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::mod::authz_groupfile' do + it_behaves_like 'a mod class, without including apache' + + context 'default configuration with parameters' do + context 'on a Debian OS' do + include_examples 'Debian 11' + + it { is_expected.to contain_apache__mod('authz_groupfile') } + end + end +end diff --git a/spec/classes/mod/cache_disk_spec.rb b/spec/classes/mod/cache_disk_spec.rb new file mode 100644 index 0000000000..fdd55fa8d9 --- /dev/null +++ b/spec/classes/mod/cache_disk_spec.rb @@ -0,0 +1,120 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::mod::cache_disk', type: :class do + context 'on a Debian OS' do + include_examples 'Debian 11' + + let(:params) do + { + cache_enable: ['/'], + } + end + + let :pre_condition do + 'class{ "apache": + default_mods => ["cache"], + mod_dir => "/tmp/junk", + }' + end + + it { is_expected.to compile } + it { is_expected.to contain_class('apache::mod::cache_disk') } + it { is_expected.to contain_class('apache::mod::cache').that_comes_before('Class[Apache::Mod::Cache_disk]') } + it { is_expected.to contain_apache__mod('cache_disk') } + + default_config = %r{CacheEnable disk /\nCacheRoot "/var/cache/apache2/mod_cache_disk"} + + it { is_expected.to contain_file('cache_disk.conf').with(content: default_config) } + + describe 'with multiple cache_enable parameters' do + let(:params) do + { + cache_enable: ['/', '/something'], + } + end + + it { + expect(subject).to contain_file('cache_disk.conf') + .with(content: %r{CacheEnable disk /\nCacheEnable disk /something\nCacheRoot "/var/cache/apache2/mod_cache_disk"}) + } + end + + describe 'with cache_dir_length' do + let(:params) do + { + cache_dir_length: 2, + cache_enable: ['/'], + } + end + + it { + expect(subject).to contain_file('cache_disk.conf') + .with(content: %r{#{default_config}\nCacheDirLength 2}) + } + end + + describe 'with cache_dir_levels' do + let(:params) do + { + cache_dir_levels: 2, + cache_enable: ['/'], + } + end + + it { + expect(subject).to contain_file('cache_disk.conf') + .with(content: %r{#{default_config}\nCacheDirLevels 2}) + } + end + end + + context 'on a RedHat 8-based OS' do + include_examples 'RedHat 8' + + let(:params) do + { + cache_enable: ['/'], + } + end + + let :pre_condition do + 'class{ "apache": + default_mods => ["cache"], + mod_dir => "/tmp/junk", + }' + end + + it { is_expected.to compile } + + it { + expect(subject).to contain_file('cache_disk.conf') + .with(content: %r{CacheEnable disk /\nCacheRoot "/var/cache/httpd/proxy"}) + } + end + + context 'on a FreeBSD OS' do + include_examples 'FreeBSD 10' + + let(:params) do + { + cache_enable: ['/'], + } + end + + let :pre_condition do + 'class{ "apache": + default_mods => ["cache"], + mod_dir => "/tmp/junk", + }' + end + + it { is_expected.to compile } + + it { + expect(subject).to contain_file('cache_disk.conf') + .with(content: %r{CacheEnable disk /\nCacheRoot "/var/cache/mod_cache_disk"}) + } + end +end diff --git a/spec/classes/mod/cache_spec.rb b/spec/classes/mod/cache_spec.rb new file mode 100644 index 0000000000..3e98a3e679 --- /dev/null +++ b/spec/classes/mod/cache_spec.rb @@ -0,0 +1,122 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::mod::cache', type: :class do + context 'on a Debian OS' do + include_examples 'Debian 11' + + it { is_expected.to compile } + it { is_expected.to contain_class('apache::mod::cache') } + it { is_expected.to contain_apache__mod('cache') } + + it { + expect(subject).to contain_file('cache.conf') + .with(content: '') + } + + describe 'with cache_ignore_headers' do + let(:params) do + { + cache_ignore_headers: ['Set-Cookie'], + } + end + + it { + expect(subject).to contain_file('cache.conf') + .with(content: %r{CacheIgnoreHeaders Set-Cookie}) + } + end + + describe 'with cache_ignore_headers' do + let(:params) do + { + cache_ignore_headers: ['Set-Cookie', 'X-Forwarded-For', 'Cross-Origin-Embedder-Policy', 'Expires', 'Access-Control-Allow-Headers'], + } + end + + it { + expect(subject).to contain_file('cache.conf') + .with(content: %r{CacheIgnoreHeaders Access-Control-Allow-Headers Cross-Origin-Embedder-Policy Expires Set-Cookie X-Forwarded-For}) + } + end + + describe 'with cache_default_expire' do + let(:params) do + { + cache_default_expire: 2000, + } + end + + it { + expect(subject).to contain_file('cache.conf') + .with(content: %r{CacheDefaultExpire 2000}) + } + end + + describe 'with cache_max_expire' do + let(:params) do + { + cache_max_expire: 2000, + } + end + + it { + expect(subject).to contain_file('cache.conf') + .with(content: %r{CacheMaxExpire 2000}) + } + end + + describe 'with cache_ignore_no_lastmod' do + let(:params) do + { + cache_ignore_no_lastmod: 'On', + } + end + + it { + expect(subject).to contain_file('cache.conf') + .with(content: %r{CacheIgnoreNoLastMod On}) + } + end + + describe 'with cache_header' do + let(:params) do + { + cache_header: 'On', + } + end + + it { + expect(subject).to contain_file('cache.conf') + .with(content: %r{CacheHeader On}) + } + end + + describe 'with cache_lock' do + let(:params) do + { + cache_lock: 'On', + } + end + + it { + expect(subject).to contain_file('cache.conf') + .with(content: %r{CacheLock On}) + } + end + + describe 'with cache_ignore_cache_control' do + let(:params) do + { + cache_ignore_cache_control: 'On', + } + end + + it { + expect(subject).to contain_file('cache.conf') + .with(content: %r{CacheIgnoreCacheControl On}) + } + end + end +end diff --git a/spec/classes/mod/cluster_spec.rb b/spec/classes/mod/cluster_spec.rb new file mode 100644 index 0000000000..0a93fad648 --- /dev/null +++ b/spec/classes/mod/cluster_spec.rb @@ -0,0 +1,51 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::mod::cluster', type: :class do + context 'on a RedHat OS Release 7 with mod version = 1.3.0' do + include_examples 'RedHat 7' + + let(:params) do + { + allowed_network: '172.17.0', + balancer_name: 'mycluster', + ip: '172.17.0.1', + version: '1.3.0' + } + end + + it { is_expected.to contain_class('apache') } + it { is_expected.to contain_apache__mod('proxy') } + it { is_expected.to contain_apache__mod('proxy_ajp') } + it { is_expected.to contain_apache__mod('manager') } + it { is_expected.to contain_apache__mod('proxy_cluster') } + it { is_expected.to contain_apache__mod('advertise') } + it { is_expected.to contain_apache__mod('cluster_slotmem') } + + it { is_expected.to contain_file('cluster.conf') } + end + + context 'on a RedHat OS Release 7 with mod version > 1.3.0' do + include_examples 'RedHat 7' + + let(:params) do + { + allowed_network: '172.17.0', + balancer_name: 'mycluster', + ip: '172.17.0.1', + version: '1.3.1' + } + end + + it { is_expected.to contain_class('apache') } + it { is_expected.to contain_apache__mod('proxy') } + it { is_expected.to contain_apache__mod('proxy_ajp') } + it { is_expected.to contain_apache__mod('manager') } + it { is_expected.to contain_apache__mod('proxy_cluster') } + it { is_expected.to contain_apache__mod('advertise') } + it { is_expected.to contain_apache__mod('cluster_slotmem') } + + it { is_expected.to contain_file('cluster.conf') } + end +end diff --git a/spec/classes/mod/data_spec.rb b/spec/classes/mod/data_spec.rb new file mode 100644 index 0000000000..6456104120 --- /dev/null +++ b/spec/classes/mod/data_spec.rb @@ -0,0 +1,11 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::mod::data', type: :class do + context 'on a Debian OS' do + include_examples 'Debian 11' + + it { is_expected.to contain_apache__mod('data') } + end +end diff --git a/spec/classes/mod/dav_svn_spec.rb b/spec/classes/mod/dav_svn_spec.rb index 4d293b37d7..fadcc69df6 100644 --- a/spec/classes/mod/dav_svn_spec.rb +++ b/spec/classes/mod/dav_svn_spec.rb @@ -1,29 +1,101 @@ -describe 'apache::mod::dav_svn', :type => :class do - let :pre_condition do - 'include apache' - end - context "on a Debian OS" do - let :facts do - { - :osfamily => 'Debian', - :operatingsystemrelease => '6', - :concat_basedir => '/dne', - } +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::mod::dav_svn', type: :class do + it_behaves_like 'a mod class, without including apache' + + context 'default configuration with parameters' do + context 'on a Debian OS' do + include_examples 'Debian 11' + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_apache__mod('dav_svn') } + it { is_expected.to contain_package('libapache2-mod-svn') } + it { is_expected.to contain_file('dav_svn.load').with_content(%r{LoadModule dav_svn_module}) } + + describe 'with parameters' do + let :params do + { + 'authz_svn_enabled' => true + } + end + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_apache__mod('dav_svn') } + it { is_expected.to contain_package('libapache2-mod-svn') } + it { is_expected.to contain_apache__mod('authz_svn') } + it { is_expected.to contain_file('dav_svn_authz_svn.load').with_content(%r{LoadModule authz_svn_module}) } + end end - it { should include_class("apache::params") } - it { should contain_apache__mod('dav_svn') } - it { should contain_package("libapache2-svn") } - end - context "on a RedHat OS" do - let :facts do - { - :osfamily => 'RedHat', - :operatingsystemrelease => '6', - :concat_basedir => '/dne', - } + + context 'on a RedHat OS' do + include_examples 'RedHat 8' + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_apache__mod('dav_svn') } + it { is_expected.to contain_package('mod_dav_svn') } + it { is_expected.to contain_file('dav_svn.load').with_content(%r{LoadModule dav_svn_module}) } + + describe 'with parameters' do + let :params do + { + 'authz_svn_enabled' => true + } + end + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_apache__mod('dav_svn') } + it { is_expected.to contain_package('mod_dav_svn') } + it { is_expected.to contain_apache__mod('authz_svn') } + it { is_expected.to contain_file('dav_svn_authz_svn.load').with_content(%r{LoadModule authz_svn_module}) } + end + end + + context 'on a FreeBSD OS' do + include_examples 'FreeBSD 9' + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_apache__mod('dav_svn') } + it { is_expected.to contain_package('devel/subversion') } + it { is_expected.to contain_file('dav_svn.load').with_content(%r{LoadModule dav_svn_module}) } + + describe 'with parameters' do + let :params do + { + 'authz_svn_enabled' => true + } + end + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_apache__mod('dav_svn') } + it { is_expected.to contain_package('devel/subversion') } + it { is_expected.to contain_apache__mod('authz_svn') } + it { is_expected.to contain_file('dav_svn_authz_svn.load').with_content(%r{LoadModule authz_svn_module}) } + end + end + + context 'on a Gentoo OS', :compile do + include_examples 'Gentoo' + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_apache__mod('dav_svn') } + it { is_expected.to contain_package('dev-vcs/subversion') } + it { is_expected.to contain_file('dav_svn.load').with_content(%r{LoadModule dav_svn_module}) } + + describe 'with parameters' do + let :params do + { + 'authz_svn_enabled' => true + } + end + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_apache__mod('dav_svn') } + it { is_expected.to contain_package('dev-vcs/subversion') } + it { is_expected.to contain_apache__mod('authz_svn') } + it { is_expected.to contain_file('dav_svn_authz_svn.load').with_content(%r{LoadModule authz_svn_module}) } + end end - it { should include_class("apache::params") } - it { should contain_apache__mod('dav_svn') } - it { should contain_package("mod_dav_svn") } end end diff --git a/spec/classes/mod/deflate_spec.rb b/spec/classes/mod/deflate_spec.rb new file mode 100644 index 0000000000..045a3cd04b --- /dev/null +++ b/spec/classes/mod/deflate_spec.rb @@ -0,0 +1,89 @@ +# frozen_string_literal: true + +require 'spec_helper' + +# This function is called inside the OS specific contexts +def general_deflate_specs + it { is_expected.to contain_apache__mod('deflate') } + + expected = "AddOutputFilterByType DEFLATE application/rss+xml\n" \ + "AddOutputFilterByType DEFLATE application/x-javascript\n" \ + "AddOutputFilterByType DEFLATE text/css\n" \ + "AddOutputFilterByType DEFLATE text/html\n" \ + "\n" \ + "DeflateFilterNote Input instream\n" \ + "DeflateFilterNote Output outstream\n" \ + "DeflateFilterNote Ratio ratio\n" + + it do + expect(subject).to contain_file('deflate.conf').with_content(expected) + end +end + +describe 'apache::mod::deflate', type: :class do + it_behaves_like 'a mod class, without including apache' + + context 'default configuration with parameters' do + let :pre_condition do + 'class { "apache::mod::deflate": + types => [ "text/html", "text/css" , "application/x-javascript", "application/rss+xml"], + notes => { + "Input" => "instream", + "Ratio" => "ratio", + "Output" => "outstream", + } + } + ' + end + + context 'On a Debian OS with default params' do + include_examples 'Debian 11' + + # Load the more generic tests for this context + general_deflate_specs + + it { + expect(subject).to contain_file('deflate.conf').with(ensure: 'file', + path: '/etc/apache2/mods-available/deflate.conf') + } + + it { + expect(subject).to contain_file('deflate.conf symlink').with(ensure: 'link', + path: '/etc/apache2/mods-enabled/deflate.conf') + } + end + + context 'on a RedHat OS with default params' do + include_examples 'RedHat 8' + + # Load the more generic tests for this context + general_deflate_specs + + it { is_expected.to contain_file('deflate.conf').with_path('/etc/httpd/conf.modules.d/deflate.conf') } + end + + context 'On a FreeBSD OS with default params' do + include_examples 'FreeBSD 9' + + # Load the more generic tests for this context + general_deflate_specs + + it { + expect(subject).to contain_file('deflate.conf').with(ensure: 'file', + path: '/usr/local/etc/apache24/Modules/deflate.conf') + } + end + + context 'On a Gentoo OS with default params' do + include_examples 'Gentoo' + + # Load the more generic tests for this context + general_deflate_specs + + it { + expect(subject).to contain_file('deflate.conf').with(ensure: 'file', + path: '/etc/apache2/modules.d/deflate.conf') + } + end + end +end diff --git a/spec/classes/mod/dev_spec.rb b/spec/classes/mod/dev_spec.rb deleted file mode 100644 index 4d88768531..0000000000 --- a/spec/classes/mod/dev_spec.rb +++ /dev/null @@ -1,27 +0,0 @@ -describe 'apache::dev', :type => :class do - let :pre_condition do - 'include apache' - end - context "on a Debian OS" do - let :facts do - { - :osfamily => 'Debian', - :operatingsystemrelease => '6', - :concat_basedir => '/dne', - } - end - it { should contain_package("libaprutil1-dev") } - it { should contain_package("libapr1-dev") } - it { should contain_package("apache2-prefork-dev") } - end - context "on a RedHat OS" do - let :facts do - { - :osfamily => 'RedHat', - :operatingsystemrelease => '6', - :concat_basedir => '/dne', - } - end - it { should contain_package("httpd-devel") } - end -end diff --git a/spec/classes/mod/dir_spec.rb b/spec/classes/mod/dir_spec.rb index ec94b2899f..f76404eda5 100644 --- a/spec/classes/mod/dir_spec.rb +++ b/spec/classes/mod/dir_spec.rb @@ -1,61 +1,35 @@ -describe 'apache::mod::dir', :type => :class do - let :pre_condition do - 'class { "apache": - default_mods => false, - }' - end - context "on a Debian OS" do - let :facts do - { - :osfamily => 'Debian', - :operatingsystemrelease => '6', - :concat_basedir => '/dne', - } - end - context "passing no parameters" do - it { should include_class("apache::params") } - it { should contain_apache__mod('dir') } - it { should contain_file('dir.conf').with_content(/^DirectoryIndex /) } - it { should contain_file('dir.conf').with_content(/ index\.html /) } - it { should contain_file('dir.conf').with_content(/ index\.html\.var /) } - it { should contain_file('dir.conf').with_content(/ index\.cgi /) } - it { should contain_file('dir.conf').with_content(/ index\.pl /) } - it { should contain_file('dir.conf').with_content(/ index\.php /) } - it { should contain_file('dir.conf').with_content(/ index\.xhtml$/) } - end - context "passing indexes => ['example.txt','fearsome.aspx']" do - let :params do - {:indexes => ['example.txt','fearsome.aspx']} +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::mod::dir', type: :class do + ['Debian 11', 'RedHat 8', 'FreeBSD 9', 'Gentoo'].each do |os| + context "default configuration with parameters on #{os}" do + include_examples os + + context 'passing no parameters' do + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_apache__mod('dir') } + + it do + expect(subject).to contain_file('dir.conf') + .with_content(%r{^DirectoryIndex }) + .with_content(%r{ index\.html }) + .with_content(%r{ index\.html\.var }) + .with_content(%r{ index\.cgi }) + .with_content(%r{ index\.pl }) + .with_content(%r{ index\.php }) + .with_content(%r{ index\.xhtml$}) + end end - it { should contain_file('dir.conf').with_content(/ example\.txt /) } - it { should contain_file('dir.conf').with_content(/ fearsome\.aspx$/) } - end - end - context "on a RedHat OS" do - let :facts do - { - :osfamily => 'RedHat', - :operatingsystemrelease => '6', - :concat_basedir => '/dne', - } - end - context "passing no parameters" do - it { should include_class("apache::params") } - it { should contain_apache__mod('dir') } - it { should contain_file('dir.conf').with_content(/^DirectoryIndex /) } - it { should contain_file('dir.conf').with_content(/ index\.html /) } - it { should contain_file('dir.conf').with_content(/ index\.html\.var /) } - it { should contain_file('dir.conf').with_content(/ index\.cgi /) } - it { should contain_file('dir.conf').with_content(/ index\.pl /) } - it { should contain_file('dir.conf').with_content(/ index\.php /) } - it { should contain_file('dir.conf').with_content(/ index\.xhtml$/) } - end - context "passing indexes => ['example.txt','fearsome.aspx']" do - let :params do - {:indexes => ['example.txt','fearsome.aspx']} + + context "passing indexes => ['example.txt','fearsome.aspx']" do + let :params do + { indexes: ['example.txt', 'fearsome.aspx'] } + end + + it { is_expected.to contain_file('dir.conf').with_content(%r{ example\.txt }).with_content(%r{ fearsome\.aspx$}) } end - it { should contain_file('dir.conf').with_content(/ example\.txt /) } - it { should contain_file('dir.conf').with_content(/ fearsome\.aspx$/) } end end -end \ No newline at end of file +end diff --git a/spec/classes/mod/disk_cache_spec.rb b/spec/classes/mod/disk_cache_spec.rb new file mode 100644 index 0000000000..9438d0886d --- /dev/null +++ b/spec/classes/mod/disk_cache_spec.rb @@ -0,0 +1,185 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::mod::disk_cache', type: :class do + context 'on a Debian OS' do + include_examples 'Debian 11' + + let(:params) do + { + cache_ignore_headers: 'Set-Cookie' + } + end + + let :pre_condition do + 'class{ "apache": + default_mods => ["cache", "disk_cache"], + mod_dir => "/tmp/junk", + }' + end + + it { is_expected.to compile } + it { is_expected.to contain_class('apache::mod::disk_cache') } + it { is_expected.to contain_class('apache::mod::cache').that_comes_before('Class[Apache::Mod::Cache_disk]') } + it { is_expected.to contain_apache__mod('cache_disk') } + + it { + expect(subject).to contain_file('cache_disk.conf') + .with(content: %r{CacheEnable disk /\nCacheRoot "/var/cache/apache2/mod_cache_disk"\nCacheDirLevels 2\nCacheDirLength 1\nCacheIgnoreHeaders Set-Cookie}) + } + + context 'with $default_cache_enable = false' do + let(:params) { { 'default_cache_enable' => false } } + + it { is_expected.to compile } + it { is_expected.to contain_class('apache::mod::disk_cache') } + it { is_expected.to contain_class('apache::mod::cache').that_comes_before('Class[Apache::Mod::Cache_disk]') } + it { is_expected.to contain_apache__mod('cache_disk') } + + it { + expect(subject).to contain_file('cache_disk.conf') + .with(content: %r{CacheRoot "/var/cache/apache2/mod_cache_disk"\nCacheDirLevels 2\nCacheDirLength 1\n}) + } + end + + context 'with $default_cache_enable = true' do + let(:params) { { 'default_cache_enable' => true } } + + it { is_expected.to compile } + it { is_expected.to contain_class('apache::mod::disk_cache') } + it { is_expected.to contain_class('apache::mod::cache').that_comes_before('Class[Apache::Mod::Cache_disk]') } + it { is_expected.to contain_apache__mod('cache_disk') } + + it { + expect(subject).to contain_file('cache_disk.conf') + .with(content: %r{CacheEnable disk /\nCacheRoot "/var/cache/apache2/mod_cache_disk"\nCacheDirLevels 2\nCacheDirLength 1\n}) + } + end + + context 'with $default_cache_enable = foo' do + let(:params) { { 'default_cache_enable' => 'foo' } } + + it { is_expected.not_to compile } + end + end + + context 'on a RedHat 8-based OS' do + include_examples 'RedHat 8' + + let(:params) do + { + cache_ignore_headers: 'Set-Cookie' + } + end + + let :pre_condition do + 'class{ "apache": + default_mods => ["cache"], + mod_dir => "/tmp/junk", + }' + end + + it { is_expected.to contain_apache__mod('cache_disk') } + + it { + expect(subject).to contain_file('cache_disk.conf') + .with(content: %r{CacheEnable disk /\nCacheRoot "/var/cache/httpd/proxy"\nCacheDirLevels 2\nCacheDirLength 1\nCacheIgnoreHeaders Set-Cookie}) + } + + context 'with $default_cache_enable = false' do + let(:params) { { 'default_cache_enable' => false } } + + it { is_expected.to compile } + it { is_expected.to contain_class('apache::mod::disk_cache') } + it { is_expected.to contain_class('apache::mod::cache').that_comes_before('Class[Apache::Mod::Cache_disk]') } + it { is_expected.to contain_apache__mod('cache_disk') } + + it { + expect(subject).to contain_file('cache_disk.conf') + .with(content: %r{CacheRoot "/var/cache/httpd/proxy"\nCacheDirLevels 2\nCacheDirLength 1\n}) + } + end + + context 'with $default_cache_enable = true' do + let(:params) { { 'default_cache_enable' => true } } + + it { is_expected.to compile } + it { is_expected.to contain_class('apache::mod::disk_cache') } + it { is_expected.to contain_class('apache::mod::cache').that_comes_before('Class[Apache::Mod::Cache_disk]') } + it { is_expected.to contain_apache__mod('cache_disk') } + + it { + expect(subject).to contain_file('cache_disk.conf') + .with(content: %r{CacheEnable disk /\nCacheRoot "/var/cache/httpd/proxy"\nCacheDirLevels 2\nCacheDirLength 1\n}) + } + end + + context 'with $default_cache_enable = foo' do + let(:params) { { 'default_cache_enable' => 'foo' } } + + it { is_expected.not_to compile } + end + end + + context 'on a FreeBSD OS' do + include_examples 'FreeBSD 10' + + let(:params) do + { + cache_ignore_headers: 'Set-Cookie' + } + end + + let :pre_condition do + 'class{ "apache": + default_mods => ["cache"], + mod_dir => "/tmp/junk", + }' + end + + it { is_expected.to compile } + it { is_expected.to contain_class('apache::mod::disk_cache') } + it { is_expected.to contain_class('apache::mod::cache').that_comes_before('Class[Apache::Mod::Cache_disk]') } + it { is_expected.to contain_apache__mod('cache_disk') } + + it { + expect(subject).to contain_file('cache_disk.conf') + .with(content: %r{CacheEnable disk /\nCacheRoot "/var/cache/mod_cache_disk"\nCacheDirLevels 2\nCacheDirLength 1\nCacheIgnoreHeaders Set-Cookie}) + } + + context 'with $default_cache_enable = false' do + let(:params) { { 'default_cache_enable' => false } } + + it { is_expected.to compile } + it { is_expected.to contain_class('apache::mod::disk_cache') } + it { is_expected.to contain_class('apache::mod::cache').that_comes_before('Class[Apache::Mod::Cache_disk]') } + it { is_expected.to contain_apache__mod('cache_disk') } + + it { + expect(subject).to contain_file('cache_disk.conf') + .with(content: %r{CacheRoot "/var/cache/mod_cache_disk"\nCacheDirLevels 2\nCacheDirLength 1\n}) + } + end + + context 'with $default_cache_enable = true' do + let(:params) { { 'default_cache_enable' => true } } + + it { is_expected.to compile } + it { is_expected.to contain_class('apache::mod::disk_cache') } + it { is_expected.to contain_class('apache::mod::cache').that_comes_before('Class[Apache::Mod::Cache_disk]') } + it { is_expected.to contain_apache__mod('cache_disk') } + + it { + expect(subject).to contain_file('cache_disk.conf') + .with(content: %r{CacheEnable disk /\nCacheRoot "/var/cache/mod_cache_disk"\nCacheDirLevels 2\nCacheDirLength 1\n}) + } + end + + context 'with $default_cache_enable = foo' do + let(:params) { { 'default_cache_enable' => 'foo' } } + + it { is_expected.not_to compile } + end + end +end diff --git a/spec/classes/mod/dumpio_spec.rb b/spec/classes/mod/dumpio_spec.rb new file mode 100644 index 0000000000..218351d5e0 --- /dev/null +++ b/spec/classes/mod/dumpio_spec.rb @@ -0,0 +1,46 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::mod::dumpio', type: :class do + context 'on a Debian OS' do + let :pre_condition do + 'class{"apache": + default_mods => false, + mod_dir => "/tmp/junk", + }' + end + + include_examples 'Debian 11' + + context 'default configuration fore parameters' do + it { is_expected.to compile } + it { is_expected.to contain_class('apache::mod::dumpio') } + it { is_expected.to contain_file('dumpio.conf').with_path('/tmp/junk/dumpio.conf') } + it { is_expected.to contain_file('dumpio.conf').with_content(%r{^\s*DumpIOInput\s+"Off"$}) } + it { is_expected.to contain_file('dumpio.conf').with_content(%r{^\s*DumpIOOutput\s+"Off"$}) } + end + + context 'with dumpio_input set to On' do + let :params do + { + dump_io_input: 'On' + } + end + + it { is_expected.to contain_file('dumpio.conf').with_content(%r{^\s*DumpIOInput\s+"On"$}) } + it { is_expected.to contain_file('dumpio.conf').with_content(%r{^\s*DumpIOOutput\s+"Off"$}) } + end + + context 'with dumpio_ouput set to On' do + let :params do + { + dump_io_output: 'On' + } + end + + it { is_expected.to contain_file('dumpio.conf').with_content(%r{^\s*DumpIOInput\s+"Off"$}) } + it { is_expected.to contain_file('dumpio.conf').with_content(%r{^\s*DumpIOOutput\s+"On"$}) } + end + end +end diff --git a/spec/classes/mod/event_spec.rb b/spec/classes/mod/event_spec.rb new file mode 100644 index 0000000000..39d83ae992 --- /dev/null +++ b/spec/classes/mod/event_spec.rb @@ -0,0 +1,134 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::mod::event', type: :class do + let :pre_condition do + 'class { "apache": mpm_module => false, }' + end + + context 'on a FreeBSD OS' do + include_examples 'FreeBSD 9' + + it { is_expected.to contain_class('apache::params') } + it { is_expected.not_to contain_apache__mod('event') } + it { is_expected.to contain_file('/usr/local/etc/apache24/Modules/event.conf').with_ensure('file') } + end + + context 'on a Gentoo OS' do + include_examples 'Gentoo' + + it { is_expected.to contain_class('apache::params') } + it { is_expected.not_to contain_apache__mod('event') } + it { is_expected.to contain_file('/etc/apache2/modules.d/event.conf').with_ensure('file') } + end + + context 'on a Debian OS' do + include_examples 'Debian 11' + + it { is_expected.to contain_class('apache::params') } + it { is_expected.not_to contain_apache__mod('event') } + it { is_expected.to contain_file('/etc/apache2/mods-available/event.conf').with_ensure('file') } + it { is_expected.to contain_file('/etc/apache2/mods-enabled/event.conf').with_ensure('link') } + + context 'Test mpm_event new params' do + let :params do + { + serverlimit: 0, + startservers: 1, + minsparethreads: 3, + maxsparethreads: 4, + threadsperchild: 5, + threadlimit: 7, + listenbacklog: 8, + maxrequestworkers: 9, + maxconnectionsperchild: 10 + } + end + + it { is_expected.to contain_file('/etc/apache2/mods-available/event.conf').with_ensure('file').with_content(%r{^\s*ServerLimit\s*0}) } + it { is_expected.to contain_file('/etc/apache2/mods-available/event.conf').with_ensure('file').with_content(%r{^\s*StartServers\s*1}) } + it { is_expected.to contain_file('/etc/apache2/mods-available/event.conf').with_ensure('file').with_content(%r{^\s*MinSpareThreads\s*3}) } + it { is_expected.to contain_file('/etc/apache2/mods-available/event.conf').with_ensure('file').with_content(%r{^\s*MaxSpareThreads\s*4}) } + it { is_expected.to contain_file('/etc/apache2/mods-available/event.conf').with_ensure('file').with_content(%r{^\s*ThreadsPerChild\s*5}) } + it { is_expected.to contain_file('/etc/apache2/mods-available/event.conf').with_ensure('file').with_content(%r{^\s*ThreadLimit\s*7}) } + it { is_expected.to contain_file('/etc/apache2/mods-available/event.conf').with_ensure('file').with_content(%r{^\s*ListenBacklog\s*8}) } + it { is_expected.to contain_file('/etc/apache2/mods-available/event.conf').with_ensure('file').with_content(%r{^\s*MaxRequestWorkers\s*9}) } + it { is_expected.to contain_file('/etc/apache2/mods-available/event.conf').with_ensure('file').with_content(%r{^\s*MaxConnectionsPerChild\s*10}) } + end + + context 'Test mpm_event old style params' do + let :params do + { + serverlimit: 0, + startservers: 1, + minsparethreads: 3, + maxsparethreads: 4, + threadsperchild: 5, + threadlimit: 7, + listenbacklog: 8, + maxrequestworkers: :undef, + maxconnectionsperchild: :undef + } + end + + it { is_expected.to contain_file('/etc/apache2/mods-available/event.conf').with_ensure('file').with_content(%r{^\s*ServerLimit\s*0}) } + it { is_expected.to contain_file('/etc/apache2/mods-available/event.conf').with_ensure('file').with_content(%r{^\s*StartServers\s*1}) } + it { is_expected.to contain_file('/etc/apache2/mods-available/event.conf').with_ensure('file').with_content(%r{^\s*MinSpareThreads\s*3}) } + it { is_expected.to contain_file('/etc/apache2/mods-available/event.conf').with_ensure('file').with_content(%r{^\s*MaxSpareThreads\s*4}) } + it { is_expected.to contain_file('/etc/apache2/mods-available/event.conf').with_ensure('file').with_content(%r{^\s*ThreadsPerChild\s*5}) } + it { is_expected.to contain_file('/etc/apache2/mods-available/event.conf').with_ensure('file').with_content(%r{^\s*ThreadLimit\s*7}) } + it { is_expected.to contain_file('/etc/apache2/mods-available/event.conf').with_ensure('file').with_content(%r{^\s*ListenBacklog\s*8}) } + it { is_expected.to contain_file('/etc/apache2/mods-available/event.conf').with_ensure('file').without_content(%r{^\s*MaxRequestWorkers}) } + it { is_expected.to contain_file('/etc/apache2/mods-available/event.conf').with_ensure('file').without_content(%r{^\s*MaxConnectionsPerChild}) } + end + + context 'Test mpm_event false params' do + let :params do + { + serverlimit: false, + startservers: false, + minsparethreads: false, + maxsparethreads: false, + threadsperchild: false, + threadlimit: false, + listenbacklog: false, + maxrequestworkers: false, + maxconnectionsperchild: false + } + end + + it { is_expected.to contain_file('/etc/apache2/mods-available/event.conf').with_ensure('file').without_content(%r{^\s*ServerLimit}) } + it { is_expected.to contain_file('/etc/apache2/mods-available/event.conf').with_ensure('file').without_content(%r{^\s*StartServers}) } + it { is_expected.to contain_file('/etc/apache2/mods-available/event.conf').with_ensure('file').without_content(%r{^\s*MinSpareThreads}) } + it { is_expected.to contain_file('/etc/apache2/mods-available/event.conf').with_ensure('file').without_content(%r{^\s*MaxSpareThreads}) } + it { is_expected.to contain_file('/etc/apache2/mods-available/event.conf').with_ensure('file').without_content(%r{^\s*ThreadsPerChild}) } + it { is_expected.to contain_file('/etc/apache2/mods-available/event.conf').with_ensure('file').without_content(%r{^\s*ThreadLimit}) } + it { is_expected.to contain_file('/etc/apache2/mods-available/event.conf').with_ensure('file').without_content(%r{^\s*ListenBacklog}) } + it { is_expected.to contain_file('/etc/apache2/mods-available/event.conf').with_ensure('file').without_content(%r{^\s*MaxRequestWorkers}) } + it { is_expected.to contain_file('/etc/apache2/mods-available/event.conf').with_ensure('file').without_content(%r{^\s*MaxConnectionsPerChild}) } + end + + it { + expect(subject).to contain_file('/etc/apache2/mods-available/event.load').with('ensure' => 'file', + 'content' => "LoadModule mpm_event_module /usr/lib/apache2/modules/mod_mpm_event.so\n") + } + + it { is_expected.to contain_file('/etc/apache2/mods-enabled/event.load').with_ensure('link') } + end + + context 'on a RedHat OS' do + include_examples 'RedHat 8' + + it { is_expected.to contain_class('apache::params') } + it { is_expected.not_to contain_apache__mod('worker') } + it { is_expected.not_to contain_apache__mod('prefork') } + + it { is_expected.to contain_file('/etc/httpd/conf.modules.d/event.conf').with_ensure('file') } + + it { + expect(subject).to contain_file('/etc/httpd/conf.modules.d/event.load').with('ensure' => 'file', + 'content' => "LoadModule mpm_event_module modules/mod_mpm_event.so\n") + } + end +end diff --git a/spec/classes/mod/expires_spec.rb b/spec/classes/mod/expires_spec.rb new file mode 100644 index 0000000000..e9b201a79d --- /dev/null +++ b/spec/classes/mod/expires_spec.rb @@ -0,0 +1,62 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::mod::expires', type: :class do + it_behaves_like 'a mod class, without including apache' + + context 'with expires active', :compile do + include_examples 'Debian 11' + + it { is_expected.to contain_apache__mod('expires') } + it { is_expected.to contain_file('expires.conf').with(content: %r{ExpiresActive On\n}) } + end + + context 'with expires default', :compile do + let :pre_condition do + 'class { apache: default_mods => false }' + end + let :params do + { + 'expires_default' => 'access plus 1 month' + } + end + + include_examples 'RedHat 7' + + it { is_expected.to contain_apache__mod('expires') } + + it { + expect(subject).to contain_file('expires.conf').with_content( + "ExpiresActive On\n" \ + "ExpiresDefault \"access plus 1 month\"\n", + ) + } + end + + context 'with expires by type', :compile do + let :pre_condition do + 'class { apache: default_mods => false }' + end + let :params do + { + 'expires_by_type' => [ + { 'text/json' => 'mod plus 1 day' }, + { 'text/html' => 'access plus 1 year' }, + ] + } + end + + include_examples 'RedHat 7' + + it { is_expected.to contain_apache__mod('expires') } + + it { + expect(subject).to contain_file('expires.conf').with_content( + "ExpiresActive On\n" \ + "ExpiresByType text/json \"mod plus 1 day\"\n" \ + "ExpiresByType text/html \"access plus 1 year\"\n", + ) + } + end +end diff --git a/spec/classes/mod/ext_filter_spec.rb b/spec/classes/mod/ext_filter_spec.rb new file mode 100644 index 0000000000..010639103b --- /dev/null +++ b/spec/classes/mod/ext_filter_spec.rb @@ -0,0 +1,45 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::mod::ext_filter', type: :class do + it_behaves_like 'a mod class, without including apache' + context 'on a Debian OS' do + include_examples 'Debian 11' + + describe 'with no parameters' do + it { is_expected.to contain_apache__mod('ext_filter') } + it { is_expected.not_to contain_file('ext_filter.conf') } + end + + describe 'with parameters' do + let :params do + { ext_filter_define: { 'filtA' => 'input=A output=B', + 'filtB' => 'input=C cmd="C"' } } + end + + it { is_expected.to contain_file('ext_filter.conf').with_content(%r{^ExtFilterDefine\s+filtA\s+input=A output=B$}) } + it { is_expected.to contain_file('ext_filter.conf').with_content(%r{^ExtFilterDefine\s+filtB\s+input=C cmd="C"$}) } + end + end + + context 'on a RedHat OS' do + include_examples 'RedHat 8' + + describe 'with no parameters' do + it { is_expected.to contain_apache__mod('ext_filter') } + it { is_expected.not_to contain_file('ext_filter.conf') } + end + + describe 'with parameters' do + let :params do + { ext_filter_define: { 'filtA' => 'input=A output=B', + 'filtB' => 'input=C cmd="C"' } } + end + + it { is_expected.to contain_file('ext_filter.conf').with_path('/etc/httpd/conf.modules.d/ext_filter.conf') } + it { is_expected.to contain_file('ext_filter.conf').with_content(%r{^ExtFilterDefine\s+filtA\s+input=A output=B$}) } + it { is_expected.to contain_file('ext_filter.conf').with_content(%r{^ExtFilterDefine\s+filtB\s+input=C cmd="C"$}) } + end + end +end diff --git a/spec/classes/mod/fcgid_spec.rb b/spec/classes/mod/fcgid_spec.rb index be444c8496..7121d4984d 100644 --- a/spec/classes/mod/fcgid_spec.rb +++ b/spec/classes/mod/fcgid_spec.rb @@ -1,29 +1,57 @@ -describe 'apache::mod::fcgid', :type => :class do - let :pre_condition do - 'include apache' +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::mod::fcgid', type: :class do + it_behaves_like 'a mod class, without including apache' + + context 'on a Debian OS' do + include_examples 'Debian 11' + + it { is_expected.to contain_class('apache::params') } + + it { + expect(subject).to contain_apache__mod('fcgid').with('loadfile_name' => nil) + } + + it { is_expected.to contain_package('libapache2-mod-fcgid') } end - context "on a Debian OS" do - let :facts do - { - :osfamily => 'Debian', - :operatingsystemrelease => '6', - :concat_basedir => '/dne', + + context 'on RHEL7' do + include_examples 'RedHat 7' + + describe 'without parameters' do + it { is_expected.to contain_class('apache::params') } + + it { + expect(subject).to contain_apache__mod('fcgid').with('loadfile_name' => 'unixd_fcgid.load') } + + it { is_expected.to contain_package('mod_fcgid') } end - it { should include_class("apache::params") } - it { should contain_apache__mod('fcgid') } - it { should contain_package("libapache2-mod-fcgid") } end - context "on a RedHat OS" do - let :facts do - { - :osfamily => 'RedHat', - :operatingsystemrelease => '6', - :concat_basedir => '/dne', - } - end - it { should include_class("apache::params") } - it { should contain_apache__mod('fcgid') } - it { should contain_package("mod_fcgid") } + + context 'on a FreeBSD OS' do + include_examples 'FreeBSD 10' + + it { is_expected.to contain_class('apache::params') } + + it { + expect(subject).to contain_apache__mod('fcgid').with('loadfile_name' => 'unixd_fcgid.load') + } + + it { is_expected.to contain_package('www/mod_fcgid') } + end + + context 'on a Gentoo OS' do + include_examples 'Gentoo' + + it { is_expected.to contain_class('apache::params') } + + it { + expect(subject).to contain_apache__mod('fcgid').with('loadfile_name' => nil) + } + + it { is_expected.to contain_package('www-apache/mod_fcgid') } end end diff --git a/spec/classes/mod/http2_spec.rb b/spec/classes/mod/http2_spec.rb new file mode 100644 index 0000000000..54130e36c7 --- /dev/null +++ b/spec/classes/mod/http2_spec.rb @@ -0,0 +1,95 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::mod::http2', type: :class do + it_behaves_like 'a mod class, without including apache' + + context 'default configuration with parameters on a Debian OS' do + include_examples 'Debian 11' + + it { is_expected.to contain_class('apache::mod::http2') } + + context 'with default values' do + let(:expected_content) do + <<~EOT + # The http2 Apache module configuration file is being + # managed by Puppet and changes will be overwritten. + + EOT + end + + it { is_expected.to contain_file('http2.conf').with(content: expected_content) } + end + + context 'with all values set' do + let(:params) do + { + h2_copy_files: false, + h2_direct: true, + h2_early_hints: false, + h2_max_session_streams: 100, + h2_max_worker_idle_seconds: 600, + h2_max_workers: 20, + h2_min_workers: 10, + h2_modern_tls_only: true, + h2_push: true, + h2_push_diary_size: 256, + h2_push_priority: [ + 'application/json 32', + 'image/jpeg before', + 'text/css interleaved', + ], + h2_push_resource: [ + '/xxx.css', + '/xxx.js', + ], + h2_serialize_headers: true, + h2_stream_max_mem_size: 128_000, + h2_tls_cool_down_secs: 0, + h2_tls_warm_up_size: 0, + h2_upgrade: false, + h2_window_size: 128_000 + } + end + + let(:expected_content) do + <<~EOT + # The http2 Apache module configuration file is being + # managed by Puppet and changes will be overwritten. + + H2CopyFiles Off + H2Direct On + H2EarlyHints Off + H2MaxSessionStreams 100 + H2MaxWorkerIdleSeconds 600 + H2MaxWorkers 20 + H2MinWorkers 10 + H2ModernTLSOnly On + H2Push On + H2PushDiarySize 256 + H2PushPriority application/json 32 + H2PushPriority image/jpeg before + H2PushPriority text/css interleaved + H2PushResource /xxx.css + H2PushResource /xxx.js + H2SerializeHeaders On + H2StreamMaxMemSize 128000 + H2TLSCoolDownSecs 0 + H2TLSWarmUpSize 0 + H2Upgrade Off + H2WindowSize 128000 + EOT + end + + it { is_expected.to contain_file('http2.conf').with(content: expected_content) } + end + end + + context 'on Red Hat 8' do + include_examples 'RedHat 8' do + it { is_expected.to contain_class('apache::mod::http2') } + it { is_expected.to contain_package('mod_http2') } + end + end +end diff --git a/spec/classes/mod/info_spec.rb b/spec/classes/mod/info_spec.rb index a057bf1dd8..b683c51241 100644 --- a/spec/classes/mod/info_spec.rb +++ b/spec/classes/mod/info_spec.rb @@ -1,81 +1,119 @@ -# This function is called inside the OS specific contexts -def general_info_specs - it { should contain_apache__mod("info") } - - it do - should contain_file("info.conf").with_content( - "\n"\ - " SetHandler server-info\n"\ - " Order deny,allow\n"\ - " Deny from all\n"\ - " Allow from 127.0.0.1 ::1\n"\ - "\n" - ) - end -end +# frozen_string_literal: true + +require 'spec_helper' -describe 'apache::mod::info', :type => :class do - let :pre_condition do - 'include apache' +def general_info_specs_apache24 + it { is_expected.to contain_apache__mod('info') } + + context 'passing no parameters' do + expected = "\n " \ + "SetHandler server-info\n " \ + "Require ip 127.0.0.1 ::1\n" \ + "\n" + it { is_expected.to contain_file('info.conf').with_content(expected) } end - context "On a Debian OS with default params" do - let :facts do + context 'passing restrict_access => false' do + let :params do { - :osfamily => 'Debian', - :operatingsystemrelease => '6', - :concat_basedir => '/dne', + restrict_access: false } end - # Load the more generic tests for this context - general_info_specs() - - it { should contain_file("info.conf").with({ - :ensure => 'file', - :path => '/etc/apache2/mods-available/info.conf', - } ) } - it { should contain_file("info.conf symlink").with({ - :ensure => 'link', - :path => '/etc/apache2/mods-enabled/info.conf', - } ) } + it { + expect(subject).to contain_file('info.conf').with_content( + "\n " \ + "SetHandler server-info\n" \ + "\n", + ) + } end - context "on a RedHat OS with default params" do - let :facts do - { - :osfamily => 'RedHat', - :operatingsystemrelease => '6', - :concat_basedir => '/dne', - } + context "passing allow_from => ['10.10.1.2', '192.168.1.2', '127.0.0.1']" do + let :params do + { allow_from: ['10.10.1.2', '192.168.1.2', '127.0.0.1'] } end - # Load the more generic tests for this context - general_info_specs() - - it { should contain_file("info.conf").with_path("/etc/httpd/conf.d/info.conf") } + expected = "\n " \ + "SetHandler server-info\n " \ + "Require ip 10.10.1.2 192.168.1.2 127.0.0.1\n" \ + "\n" + it { + expect(subject).to contain_file('info.conf').with_content(expected) + } end - context "with $allow_from => ['10.10.10.10','11.11.11.11']" do - let :facts do + context 'passing both restrict_access and allow_from' do + let :params do { - :osfamily => 'Debian', - :operatingsystemrelease => '6', - :concat_basedir => '/dne', + restrict_access: false, + allow_from: ['10.10.1.2', '192.168.1.2', '127.0.0.1'] } end - let :params do - { :allow_from => ['10.10.10.10','11.11.11.11'] } - end - it do - should contain_file("info.conf").with_content( - "\n"\ - " SetHandler server-info\n"\ - " Order deny,allow\n"\ - " Deny from all\n"\ - " Allow from 10.10.10.10 11.11.11.11\n"\ - "\n" + + it { + expect(subject).to contain_file('info.conf').with_content( + "\n " \ + "SetHandler server-info\n" \ + "\n", ) - end + } + end +end + +describe 'apache::mod::info', type: :class do + it_behaves_like 'a mod class, without including apache' + + context 'On a Debian OS' do + include_examples 'Debian 11' + + # Load the more generic tests for this context + general_info_specs_apache24 + + it { + expect(subject).to contain_file('info.conf').with(ensure: 'file', + path: '/etc/apache2/mods-available/info.conf') + } + + it { + expect(subject).to contain_file('info.conf symlink').with(ensure: 'link', + path: '/etc/apache2/mods-enabled/info.conf') + } + end + + context 'on a RedHat OS' do + include_examples 'RedHat 8' + + # Load the more generic tests for this context + general_info_specs_apache24 + + it { + expect(subject).to contain_file('info.conf').with(ensure: 'file', + path: '/etc/httpd/conf.modules.d/info.conf') + } + end + + context 'on a FreeBSD OS' do + include_examples 'FreeBSD 10' + + # Load the more generic tests for this context + general_info_specs_apache24 + + it { + expect(subject).to contain_file('info.conf').with(ensure: 'file', + path: '/usr/local/etc/apache24/Modules/info.conf') + } + end + + context 'on a Gentoo OS' do + include_examples 'Gentoo' + + # Load the more generic tests for this context + general_info_specs_apache24 + + it { + expect(subject).to contain_file('info.conf').with(ensure: 'file', + path: '/etc/apache2/modules.d/info.conf') + } end end diff --git a/spec/classes/mod/intercept_form_submit_spec.rb b/spec/classes/mod/intercept_form_submit_spec.rb new file mode 100644 index 0000000000..2e12c182b3 --- /dev/null +++ b/spec/classes/mod/intercept_form_submit_spec.rb @@ -0,0 +1,25 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::mod::intercept_form_submit', type: :class do + it_behaves_like 'a mod class, without including apache' + + context 'default configuration with parameters' do + context 'on a Debian OS' do + include_examples 'Debian 11' + + it { is_expected.to contain_class('apache') } + it { is_expected.to contain_package('libapache2-mod-intercept-form-submit') } + it { is_expected.to contain_apache__mod('intercept_form_submit') } + end + + context 'on a RedHat OS' do + include_examples 'RedHat 8' + + it { is_expected.to contain_class('apache') } + it { is_expected.to contain_package('mod_intercept_form_submit') } + it { is_expected.to contain_apache__mod('intercept_form_submit') } + end + end +end diff --git a/spec/classes/mod/itk_spec.rb b/spec/classes/mod/itk_spec.rb index 7a0f7615ca..2ecf14f76f 100644 --- a/spec/classes/mod/itk_spec.rb +++ b/spec/classes/mod/itk_spec.rb @@ -1,19 +1,97 @@ -describe 'apache::mod::itk', :type => :class do +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::mod::itk', type: :class do let :pre_condition do 'class { "apache": mpm_module => false, }' end - context "on a Debian OS" do - let :facts do - { - :osfamily => 'Debian', - :operatingsystemrelease => '6', - :concat_basedir => '/dne', + + context 'on a Debian OS' do + include_examples 'Debian 11' + + it { is_expected.to contain_class('apache::params') } + it { is_expected.not_to contain_apache__mod('itk') } + it { is_expected.to contain_file('/etc/apache2/mods-available/itk.conf').with_ensure('file') } + it { is_expected.to contain_file('/etc/apache2/mods-enabled/itk.conf').with_ensure('link') } + + context 'with prefork mpm' do + let :pre_condition do + 'class { "apache": mpm_module => prefork, }' + end + + it { + expect(subject).to contain_file('/etc/apache2/mods-available/itk.load').with('ensure' => 'file', + 'content' => "LoadModule mpm_itk_module /usr/lib/apache2/modules/mod_mpm_itk.so\n") } + + it { is_expected.to contain_file('/etc/apache2/mods-enabled/itk.load').with_ensure('link') } + end + + context 'with enablecapabilities not set' do + let :pre_condition do + 'class { "apache": mpm_module => prefork, }' + end + + it { is_expected.not_to contain_file('/etc/apache2/mods-available/itk.conf').with_content(%r{EnableCapabilities}) } + end + end + + context 'on a RedHat OS' do + include_examples 'RedHat 8' + + it { is_expected.to contain_class('apache::params') } + it { is_expected.not_to contain_apache__mod('itk') } + it { is_expected.to contain_file('/etc/httpd/conf.modules.d/itk.conf').with_ensure('file') } + it { is_expected.to contain_package('httpd-itk') } + + context 'with prefork mpm' do + let :pre_condition do + 'class { "apache": mpm_module => prefork, }' + end + + it { + expect(subject).to contain_file('/etc/httpd/conf.modules.d/itk.load').with('ensure' => 'file', + 'content' => "LoadModule mpm_itk_module modules/mod_mpm_itk.so\n") + } + end + + context 'with enablecapabilities set' do + let :pre_condition do + 'class { "apache": mpm_module => prefork, }' + end + + let :params do + { + enablecapabilities: false + } + end + + it { is_expected.to contain_file('/etc/httpd/conf.modules.d/itk.conf').with_content(%r{EnableCapabilities Off}) } + end + end + + context 'on a FreeBSD OS' do + let :pre_condition do + 'class { "apache": mpm_module => false, }' + end + + include_examples 'FreeBSD 10' + # TODO: fact mpm_module itk? + + it { is_expected.to contain_class('apache::params') } + it { is_expected.not_to contain_apache__mod('itk') } + it { is_expected.to contain_file('/usr/local/etc/apache24/Modules/itk.conf').with_ensure('file') } + it { is_expected.to contain_package('www/mod_mpm_itk') } + + context 'with enablecapabilities set' do + let :params do + { + enablecapabilities: true + } + end + + it { is_expected.to contain_file('/usr/local/etc/apache24/Modules/itk.conf').with_content(%r{EnableCapabilities On}) } end - it { should include_class("apache::params") } - it { should_not contain_apache__mod('itk') } - it { should contain_file("/etc/apache2/mods-available/itk.conf").with_ensure('file') } - it { should contain_file("/etc/apache2/mods-enabled/itk.conf").with_ensure('link') } - it { should contain_package("apache2-mpm-itk") } end end diff --git a/spec/classes/mod/jk_spec.rb b/spec/classes/mod/jk_spec.rb new file mode 100644 index 0000000000..5566f33f46 --- /dev/null +++ b/spec/classes/mod/jk_spec.rb @@ -0,0 +1,187 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::mod::jk', type: :class do + it_behaves_like 'a mod class, without including apache' + + shared_examples 'minimal resources' do |mod_dir| + it { is_expected.to compile } + it { is_expected.to compile.with_all_deps } + it { is_expected.to create_class('apache::mod::jk') } + it { is_expected.to contain_class('apache') } + it { is_expected.to contain_apache__mod('jk') } + it { is_expected.to contain_file('jk.conf').that_notifies('Class[apache::service]') } + it { is_expected.to contain_file('jk.conf').with(path: "#{mod_dir}/jk.conf") } + end + + shared_examples 'specific workers_file' do |mod_dir| + # let(:pre_condition) do + # 'include apache' + # end + let(:params) do + { + workers_file: "#{mod_dir}/workers.properties", + workers_file_content: { + 'worker_a' => { + 'type' => 'ajp13', + 'socket_keepalive' => 'true', + 'comment' => 'This is worker A' + }, + 'worker_b' => { + 'type' => 'ajp13', + 'socket_keepalive' => 'true', + 'comment' => 'This is worker B' + }, + 'worker_maintain' => 40, + 'worker_lists' => ['worker_a,worker_b'] + } + } + end + + it { is_expected.to compile } + it { is_expected.to compile.with_all_deps } + + expected_content = "# This file is generated automatically by Puppet - DO NOT EDIT\n" \ + "# Any manual changes will be overwritten\n" \ + "\n" \ + "worker.list = worker_a,worker_b\n" \ + "\n" \ + "worker.maintain = 40\n" \ + "\n" \ + "# This is worker A\n" \ + "worker.worker_a.socket_keepalive=true\n" \ + "worker.worker_a.type=ajp13\n" \ + "\n" \ + "# This is worker B\n" \ + "worker.worker_b.socket_keepalive=true\n" \ + "worker.worker_b.type=ajp13\n" + it { is_expected.to contain_file("#{mod_dir}/workers.properties").with_content(expected_content) } + end + + default_ip = '192.168.1.1' + altern8_ip = '10.1.2.3' + default_port = 80 + altern8_port = 8008 + + context 'Debian 11' do + include_examples 'Debian 11' + + context 'with only required facts and default parameters' do + let(:facts) { override_facts(super(), 'networking' => { 'ip' => default_ip }) } + let(:pre_condition) do + 'include apache' + end + let(:params) do + { + logroot: '/var/log/apache2' + } + end + let(:mod_dir) { mod_dir } + + mod_dir = '/etc/apache2/mods-available' + + it_behaves_like 'minimal resources', mod_dir + it_behaves_like 'specific workers_file', mod_dir + it { is_expected.to contain_apache__listen("#{default_ip}:#{default_port}") } + it { is_expected.to contain_package('libapache2-mod-jk') } + + it { + verify_contents(catalogue, 'jk.conf', ['', '']) + } + end + end + + context 'RHEL 8' do + include_examples 'RedHat 8' + let(:pre_condition) do + 'include apache' + end + let(:params) do + { + logroot: '/var/log/httpd' + } + end + + context 'with required facts' do + let(:facts) { override_facts(super(), 'networking' => { 'ip' => default_ip }) } + + context 'and default parameters' do + let(:mod_dir) { mod_dir } + + mod_dir = '/etc/httpd/conf.modules.d' + + it_behaves_like 'minimal resources', mod_dir + it_behaves_like 'specific workers_file', mod_dir + it { is_expected.to contain_apache__listen("#{default_ip}:#{default_port}") } + + it { + verify_contents(catalogue, 'jk.conf', ['', '']) + } + end + + context 'and alternative IP' do + let(:params) { super().merge(ip: altern8_ip) } + + it { is_expected.to contain_apache__listen("#{altern8_ip}:#{default_port}") } + end + + context 'and alternative port' do + let(:params) { super().merge(port: altern8_port) } + + it { is_expected.to contain_apache__listen("#{default_ip}:#{altern8_port}") } + end + + context 'no binding' do + let(:params) { super().merge(add_listen: false) } + + it { is_expected.not_to contain_apache__listen("#{default_ip}:#{default_port}") } + end + + { + default: { + shm_file: :undef, + log_file: :undef, + shm_path: '/var/log/httpd/jk-runtime-status', + log_path: '/var/log/httpd/mod_jk.log' + }, + relative: { + shm_file: 'shm_file', + log_file: 'log_file', + shm_path: '/var/log/httpd/shm_file', + log_path: '/var/log/httpd/log_file' + }, + absolute: { + shm_file: '/run/shm_file', + log_file: '/tmp/log_file', + shm_path: '/run/shm_file', + log_path: '/tmp/log_file' + }, + pipe: { + shm_file: :undef, + log_file: '"|rotatelogs /var/log/httpd/mod_jk.log.%Y%m%d 86400 -180"', + shm_path: '/var/log/httpd/jk-runtime-status', + log_path: '"|rotatelogs /var/log/httpd/mod_jk.log.%Y%m%d 86400 -180"' + } + }.each do |option, paths| + context "#{option} shm_file and log_file paths" do + let(:params) do + super().merge( + shm_file: paths[:shm_file], + log_file: paths[:log_file], + ) + end + + expected = "# This file is generated automatically by Puppet - DO NOT EDIT\n" \ + "# Any manual changes will be overwritten\n" \ + "\n" \ + "\n " \ + "JkShmFile #{paths[:shm_path]}\n " \ + "JkLogFile #{paths[:log_path]}\n" \ + "\n" + it { is_expected.to contain_file('jk.conf').with_content(expected) } + end + end + end + end +end diff --git a/spec/classes/mod/lbmethod_bybusyness.rb b/spec/classes/mod/lbmethod_bybusyness.rb new file mode 100644 index 0000000000..2a54c8335e --- /dev/null +++ b/spec/classes/mod/lbmethod_bybusyness.rb @@ -0,0 +1,24 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::mod::lbmethod_byrequests', type: :class do + context 'on a Debian OS' do + include_examples 'Debian 11' + + context 'with Apache version >= 2.4' do + let :params do + { + apache_version: '2.4' + } + end + + it { + # rubocop:disable Layout/LineLength + expect(subject).to contain_file('/etc/apache2/mods-enabled/lbmethod_byrequests.load').with('ensure' => 'file', + 'content' => "LoadModule lbmethod_byrequests_module /usr/lib/apache2/modules/mod_lbmethod_byrequests.so\n") + # rubocop:enable Layout/LineLength + } + end + end +end diff --git a/spec/classes/mod/lbmethod_byrequests.rb b/spec/classes/mod/lbmethod_byrequests.rb new file mode 100644 index 0000000000..2a54c8335e --- /dev/null +++ b/spec/classes/mod/lbmethod_byrequests.rb @@ -0,0 +1,24 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::mod::lbmethod_byrequests', type: :class do + context 'on a Debian OS' do + include_examples 'Debian 11' + + context 'with Apache version >= 2.4' do + let :params do + { + apache_version: '2.4' + } + end + + it { + # rubocop:disable Layout/LineLength + expect(subject).to contain_file('/etc/apache2/mods-enabled/lbmethod_byrequests.load').with('ensure' => 'file', + 'content' => "LoadModule lbmethod_byrequests_module /usr/lib/apache2/modules/mod_lbmethod_byrequests.so\n") + # rubocop:enable Layout/LineLength + } + end + end +end diff --git a/spec/classes/mod/lbmethod_bytraffic.rb b/spec/classes/mod/lbmethod_bytraffic.rb new file mode 100644 index 0000000000..2a54c8335e --- /dev/null +++ b/spec/classes/mod/lbmethod_bytraffic.rb @@ -0,0 +1,24 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::mod::lbmethod_byrequests', type: :class do + context 'on a Debian OS' do + include_examples 'Debian 11' + + context 'with Apache version >= 2.4' do + let :params do + { + apache_version: '2.4' + } + end + + it { + # rubocop:disable Layout/LineLength + expect(subject).to contain_file('/etc/apache2/mods-enabled/lbmethod_byrequests.load').with('ensure' => 'file', + 'content' => "LoadModule lbmethod_byrequests_module /usr/lib/apache2/modules/mod_lbmethod_byrequests.so\n") + # rubocop:enable Layout/LineLength + } + end + end +end diff --git a/spec/classes/mod/lbmethod_heartbeat.rb b/spec/classes/mod/lbmethod_heartbeat.rb new file mode 100644 index 0000000000..2a54c8335e --- /dev/null +++ b/spec/classes/mod/lbmethod_heartbeat.rb @@ -0,0 +1,24 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::mod::lbmethod_byrequests', type: :class do + context 'on a Debian OS' do + include_examples 'Debian 11' + + context 'with Apache version >= 2.4' do + let :params do + { + apache_version: '2.4' + } + end + + it { + # rubocop:disable Layout/LineLength + expect(subject).to contain_file('/etc/apache2/mods-enabled/lbmethod_byrequests.load').with('ensure' => 'file', + 'content' => "LoadModule lbmethod_byrequests_module /usr/lib/apache2/modules/mod_lbmethod_byrequests.so\n") + # rubocop:enable Layout/LineLength + } + end + end +end diff --git a/spec/classes/mod/ldap_spec.rb b/spec/classes/mod/ldap_spec.rb new file mode 100644 index 0000000000..15c160d44a --- /dev/null +++ b/spec/classes/mod/ldap_spec.rb @@ -0,0 +1,97 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::mod::ldap', type: :class do + it_behaves_like 'a mod class, without including apache' + + context 'on a Debian OS' do + include_examples 'Debian 11' + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_class('apache::mod::ldap') } + it { is_expected.to contain_apache__mod('ldap') } + + context 'default ldap_trusted_global_cert_file' do + it { is_expected.to contain_file('ldap.conf').without_content(%r{^LDAPTrustedGlobalCert}) } + end + + context 'ldap_trusted_global_cert_file param' do + let(:params) { { ldap_trusted_global_cert_file: 'ca.pem' } } + + it { is_expected.to contain_file('ldap.conf').with_content(%r{^LDAPTrustedGlobalCert CA_BASE64 ca\.pem$}) } + end + + context 'set multiple ldap params' do + let(:params) do + { + ldap_trusted_global_cert_file: 'ca.pem', + ldap_trusted_global_cert_type: 'CA_DER', + ldap_trusted_mode: 'TLS', + ldap_shared_cache_size: 500_000, + ldap_cache_entries: 1024, + ldap_cache_ttl: 600, + ldap_opcache_entries: 1024, + ldap_opcache_ttl: 600, + ldap_path: '/custom-ldap-status' + } + end + + it { is_expected.to contain_file('ldap.conf').with_content(%r{^LDAPTrustedGlobalCert CA_DER ca\.pem$}) } + it { is_expected.to contain_file('ldap.conf').with_content(%r{^LDAPTrustedMode TLS$}) } + it { is_expected.to contain_file('ldap.conf').with_content(%r{^LDAPSharedCacheSize 500000$}) } + it { is_expected.to contain_file('ldap.conf').with_content(%r{^LDAPCacheEntries 1024$}) } + it { is_expected.to contain_file('ldap.conf').with_content(%r{^LDAPCacheTTL 600$}) } + it { is_expected.to contain_file('ldap.conf').with_content(%r{^LDAPOpCacheEntries 1024$}) } + it { is_expected.to contain_file('ldap.conf').with_content(%r{^LDAPOpCacheTTL 600$}) } + + expected_ldap_path_re = + "\n" \ + "\s*SetHandler ldap-status\n" \ + ".*\n" \ + "\n" + it { is_expected.to contain_file('ldap.conf').with_content(%r{#{expected_ldap_path_re}}m) } + end + end + + context 'on a RedHat OS' do + include_examples 'RedHat 8' + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_class('apache::mod::ldap') } + it { is_expected.to contain_apache__mod('ldap') } + + context 'default ldap_trusted_global_cert_file' do + it { is_expected.to contain_file('ldap.conf').without_content(%r{^LDAPTrustedGlobalCert}) } + end + + context 'ldap_trusted_global_cert_file param' do + let(:params) { { ldap_trusted_global_cert_file: 'ca.pem' } } + + it { is_expected.to contain_file('ldap.conf').with_content(%r{^LDAPTrustedGlobalCert CA_BASE64 ca\.pem$}) } + end + + context 'ldap_trusted_global_cert_file and ldap_trusted_global_cert_type params' do + let(:params) do + { + ldap_trusted_global_cert_file: 'ca.pem', + ldap_trusted_global_cert_type: 'CA_DER' + } + end + + it { is_expected.to contain_file('ldap.conf').with_content(%r{^LDAPTrustedGlobalCert CA_DER ca\.pem$}) } + end + + context 'SCL' do + let(:pre_condition) do + "class { 'apache::version': + scl_httpd_version => '2.4', + scl_php_version => '7.0', + } + include apache" + end + + it { is_expected.to contain_package('httpd24-mod_ldap') } + end + end +end diff --git a/spec/classes/mod/log_forensic_spec.rb b/spec/classes/mod/log_forensic_spec.rb new file mode 100644 index 0000000000..e869a55ba6 --- /dev/null +++ b/spec/classes/mod/log_forensic_spec.rb @@ -0,0 +1,16 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::mod::log_forensic', type: :class do + ['Debian 11', 'RedHat 8'].each do |os| + context "on a #{os} OS" do + include_examples os + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_class('apache::mod::log_forensic') } + it { is_expected.to contain_apache__mod('log_forensic') } + it { is_expected.to contain_file('log_forensic.load').with_content(%r{LoadModule log_forensic_module}) } + end + end +end diff --git a/spec/classes/mod/lookup_identity.rb b/spec/classes/mod/lookup_identity.rb new file mode 100644 index 0000000000..9cfeaf469d --- /dev/null +++ b/spec/classes/mod/lookup_identity.rb @@ -0,0 +1,25 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::mod::lookup_identity', type: :class do + it_behaves_like 'a mod class, without including apache' + + context 'default configuration with parameters' do + context 'on a Debian OS' do + include_examples 'Debian 11' + + it { is_expected.to contain_class('apache') } + it { is_expected.to contain_package('libapache2-mod-lookup-identity') } + it { is_expected.to contain_apache__mod('lookup_identity') } + end + + context 'on a RedHat OS' do + include_examples 'RedHat 8' + + it { is_expected.to contain_class('apache') } + it { is_expected.to contain_package('mod_lookup_identity') } + it { is_expected.to contain_apache__mod('lookup_identity') } + end + end +end diff --git a/spec/classes/mod/md_spec.rb b/spec/classes/mod/md_spec.rb new file mode 100644 index 0000000000..495cbfd8f3 --- /dev/null +++ b/spec/classes/mod/md_spec.rb @@ -0,0 +1,201 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::mod::md', type: :class do + on_supported_os.each do |os, facts| + context "on #{os}" do + let :facts do + facts + end + + if facts[:os]['family'] == 'Debian' + context 'validating all md params - using Debian' do + md_options = { + 'md_activation_delay' => { type: 'Duration', pass_opt: 'MDActivationDelay' }, + 'md_base_server' => { type: 'OnOff', pass_opt: 'MDBaseServer' }, + 'md_ca_challenges' => { type: 'CAChallenges', pass_opt: 'MDCAChallenges' }, + 'md_certificate_agreement' => { type: 'MDCertificateAgreement', pass_opt: 'MDCertificateAgreement' }, + 'md_certificate_authority' => { type: 'URL', pass_opt: 'MDCertificateAuthority' }, + 'md_certificate_check' => { type: 'String', pass_opt: 'MDCertificateCheck' }, + 'md_certificate_monitor' => { type: 'URL', pass_opt: 'MDCertificateMonitor' }, + 'md_certificate_protocol' => { type: 'MDCertificateProtocol', pass_opt: 'MDCertificateProtocol' }, + 'md_certificate_status' => { type: 'OnOff', pass_opt: 'MDCertificateStatus' }, + 'md_challenge_dns01' => { type: 'Path', pass_opt: 'MDChallengeDns01' }, + 'md_contact_email' => { type: 'EMail', pass_opt: 'MDContactEmail' }, + 'md_http_proxy' => { type: 'URL', pass_opt: 'MDHttpProxy' }, + 'md_members' => { type: 'MDMembers', pass_opt: 'MDMembers' }, + 'md_message_cmd' => { type: 'Path', pass_opt: 'MDMessageCmd' }, + 'md_must_staple' => { type: 'OnOff', pass_opt: 'MDMustStaple' }, + 'md_notify_cmd' => { type: 'Path', pass_opt: 'MDNotifyCmd' }, + 'md_port_map' => { type: 'String', pass_opt: 'MDPortMap' }, + 'md_private_keys' => { type: 'String', pass_opt: 'MDPrivateKeys' }, + 'md_renew_mode' => { type: 'MDRenewMode', pass_opt: 'MDRenewMode' }, + 'md_renew_window' => { type: 'Duration', pass_opt: 'MDRenewWindow' }, + 'md_require_https' => { type: 'MDRequireHttps', pass_opt: 'MDRequireHttps' }, + 'md_server_status' => { type: 'OnOff', pass_opt: 'MDServerStatus' }, + 'md_staple_others' => { type: 'OnOff', pass_opt: 'MDStapleOthers' }, + 'md_stapling' => { type: 'OnOff', pass_opt: 'MDStapling' }, + 'md_stapling_keep_response' => { type: 'Duration', pass_opt: 'MDStaplingKeepResponse' }, + 'md_stapling_renew_window' => { type: 'Duration', pass_opt: 'MDStaplingRenewWindow' }, + 'md_store_dir' => { type: 'Path', pass_opt: 'MDStoreDir' }, + 'md_warn_window' => { type: 'Duration', pass_opt: 'MDWarnWindow' } + } + + md_options.each do |config_option, config_hash| + puppetized_config_option = config_option + case config_hash[:type] + when 'CAChallenges' + valid_config_values = [['dns-01'], ['tls-alpn-01', 'http-01']] + valid_config_values.each do |valid_value| + describe "with #{puppetized_config_option} => #{valid_value}" do + let :params do + { puppetized_config_option.to_sym => valid_value } + end + + it { is_expected.to contain_file('md.conf').with_content(%r{^#{config_hash[:pass_opt]} #{valid_value.join(' ')}}) } + end + end + when 'EMail' + valid_config_values = ['root@example.com'] + valid_config_values.each do |valid_value| + describe "with #{puppetized_config_option} => #{valid_value}" do + let :params do + { puppetized_config_option.to_sym => valid_value } + end + + it { is_expected.to contain_file('md.conf').with_content(%r{^#{config_hash[:pass_opt]} #{valid_value}$}) } + end + end + when 'Duration' + valid_config_values = ['7d', '33%'] + valid_config_values.each do |valid_value| + describe "with #{puppetized_config_option} => '#{valid_value}'" do + let :params do + { puppetized_config_option.to_sym => valid_value } + end + + it { is_expected.to contain_file('md.conf').with_content(%r{^#{config_hash[:pass_opt]} #{valid_value}$}) } + end + end + when 'MDCertificateAgreement' + valid_config_values = ['accepted'] + valid_config_values.each do |valid_value| + describe "with #{puppetized_config_option} => '#{valid_value}'" do + let :params do + { puppetized_config_option.to_sym => valid_value } + end + + it { is_expected.to contain_file('md.conf').with_content(%r{^#{config_hash[:pass_opt]} #{valid_value}$}) } + end + end + when 'MDCertificateProtocol' + valid_config_values = ['ACME'] + valid_config_values.each do |valid_value| + describe "with #{puppetized_config_option} => '#{valid_value}'" do + let :params do + { puppetized_config_option.to_sym => valid_value } + end + + it { is_expected.to contain_file('md.conf').with_content(%r{^#{config_hash[:pass_opt]} #{valid_value}$}) } + end + end + when 'MDMembers' + valid_config_values = ['auto', 'manual'] + valid_config_values.each do |valid_value| + describe "with #{puppetized_config_option} => '#{valid_value}'" do + let :params do + { puppetized_config_option.to_sym => valid_value } + end + + it { is_expected.to contain_file('md.conf').with_content(%r{^#{config_hash[:pass_opt]} #{valid_value}$}) } + end + end + when 'MDRenewMode' + valid_config_values = ['always', 'auto', 'manual'] + valid_config_values.each do |valid_value| + describe "with #{puppetized_config_option} => '#{valid_value}'" do + let :params do + { puppetized_config_option.to_sym => valid_value } + end + + it { is_expected.to contain_file('md.conf').with_content(%r{^#{config_hash[:pass_opt]} #{valid_value}$}) } + end + end + when 'MDRequireHttps' + valid_config_values = ['off', 'temporary', 'permanent'] + valid_config_values.each do |valid_value| + describe "with #{puppetized_config_option} => '#{valid_value}'" do + let :params do + { puppetized_config_option.to_sym => valid_value } + end + + it { is_expected.to contain_file('md.conf').with_content(%r{^#{config_hash[:pass_opt]} #{valid_value}$}) } + end + end + when 'OnOff' + valid_config_values = ['on', 'off'] + valid_config_values.each do |valid_value| + describe "with #{puppetized_config_option} => '#{valid_value}'" do + let :params do + { puppetized_config_option.to_sym => valid_value } + end + + it { is_expected.to contain_file('md.conf').with_content(%r{^#{config_hash[:pass_opt]} #{valid_value}$}) } + end + end + when 'Path' + valid_config_values = ['/some/path/to/somewhere'] + valid_config_values.each do |valid_value| + describe "with #{puppetized_config_option} => #{valid_value}" do + let :params do + { puppetized_config_option.to_sym => valid_value } + end + + it { is_expected.to contain_file('md.conf').with_content(%r{^#{config_hash[:pass_opt]} "#{valid_value}"$}) } + end + end + when 'String' + valid_config_values = ['a random string'] + valid_config_values.each do |valid_value| + describe "with #{puppetized_config_option} => '#{valid_value}'" do + let :params do + { puppetized_config_option.to_sym => valid_value } + end + + it { is_expected.to contain_file('md.conf').with_content(%r{^#{config_hash[:pass_opt]} #{valid_value}$}) } + end + end + when 'URL' + valid_config_values = ['https://example.com/example'] + valid_config_values.each do |valid_value| + describe "with #{puppetized_config_option} => '#{valid_value}'" do + let :params do + { puppetized_config_option.to_sym => valid_value } + end + + it { is_expected.to contain_file('md.conf').with_content(%r{^#{config_hash[:pass_opt]} #{valid_value}$}) } + end + end + else + valid_config_values = config_hash[:type] + valid_config_values.each do |valid_value| + describe "with #{puppetized_config_option} => '#{valid_value}'" do + let :params do + { puppetized_config_option.to_sym => valid_value } + end + + it { is_expected.to contain_file('md.conf').with_content(%r{^#{config_hash[:pass_opt]} #{valid_value}$}) } + end + end + end + end + end + end + + it { is_expected.to contain_class('apache::mod::watchdog') } + it { is_expected.to contain_apache__mod('md') } + it { is_expected.to contain_file('md.conf') } + end + end +end diff --git a/spec/classes/mod/mime_magic_spec.rb b/spec/classes/mod/mime_magic_spec.rb new file mode 100644 index 0000000000..12da4510f9 --- /dev/null +++ b/spec/classes/mod/mime_magic_spec.rb @@ -0,0 +1,60 @@ +# frozen_string_literal: true + +require 'spec_helper' + +# This function is called inside the OS specific contexts +def general_mime_magic_specs + it { is_expected.to contain_apache__mod('mime_magic') } +end + +describe 'apache::mod::mime_magic', type: :class do + it_behaves_like 'a mod class, without including apache' + + context 'On a Debian OS with default params' do + include_examples 'Debian 11' + + general_mime_magic_specs + + it do + expect(subject).to contain_file('mime_magic.conf').with_content( + "MIMEMagicFile \"/etc/apache2/magic\"\n", + ) + end + + it { + expect(subject).to contain_file('mime_magic.conf').with(ensure: 'file', + path: '/etc/apache2/mods-available/mime_magic.conf') + } + + it { + expect(subject).to contain_file('mime_magic.conf symlink').with(ensure: 'link', + path: '/etc/apache2/mods-enabled/mime_magic.conf') + } + + context 'with magic_file => /tmp/Debian_magic' do + let :params do + { magic_file: '/tmp/Debian_magic' } + end + + it do + expect(subject).to contain_file('mime_magic.conf').with_content( + "MIMEMagicFile \"/tmp/Debian_magic\"\n", + ) + end + end + end + + context 'on a RedHat OS with default params' do + include_examples 'RedHat 8' + + general_mime_magic_specs + + it do + expect(subject).to contain_file('mime_magic.conf').with_content( + "MIMEMagicFile \"/etc/httpd/conf/magic\"\n", + ) + end + + it { is_expected.to contain_file('mime_magic.conf').with_path('/etc/httpd/conf.modules.d/mime_magic.conf') } + end +end diff --git a/spec/classes/mod/mime_spec.rb b/spec/classes/mod/mime_spec.rb new file mode 100644 index 0000000000..483e9b5989 --- /dev/null +++ b/spec/classes/mod/mime_spec.rb @@ -0,0 +1,35 @@ +# frozen_string_literal: true + +require 'spec_helper' + +# This function is called inside the OS specific conte, :compilexts +def general_mime_specs + it { is_expected.to contain_apache__mod('mime') } + + it do + expect(subject).to contain_file('mime.conf').with_content(%r{AddHandler type-map var}) + expect(subject).to contain_file('mime.conf').with_content(%r{ddOutputFilter INCLUDES .shtml}) + expect(subject).to contain_file('mime.conf').with_content(%r{AddType text/html .shtml}) + expect(subject).to contain_file('mime.conf').with_content(%r{AddType application/x-compress .Z}) + end +end + +describe 'apache::mod::mime', type: :class do + it_behaves_like 'a mod class, without including apache' + + context 'On a Debian OS with default params', :compile do + include_examples 'Debian 11' + + general_mime_specs + + it { is_expected.to contain_file('mime.conf').with_path('/etc/apache2/mods-available/mime.conf') } + end + + context 'on a RedHat OS with default params', :compile do + include_examples 'RedHat 8' + + general_mime_specs + + it { is_expected.to contain_file('mime.conf').with_path('/etc/httpd/conf.modules.d/mime.conf') } + end +end diff --git a/spec/classes/mod/negotiation_spec.rb b/spec/classes/mod/negotiation_spec.rb new file mode 100644 index 0000000000..dc0074fe2a --- /dev/null +++ b/spec/classes/mod/negotiation_spec.rb @@ -0,0 +1,43 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::mod::negotiation', type: :class do + it_behaves_like 'a mod class, without including apache' + describe 'OS independent tests' do + include_examples 'Debian 11' + + context 'default params' do + it { is_expected.to contain_class('apache') } + + it do + expect(subject).to contain_file('negotiation.conf').with(ensure: 'file', + content: 'LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt pt-BR ru sv zh-CN zh-TW +ForceLanguagePriority Prefer Fallback +') + end + end + + context 'with force_language_priority parameter' do + let :params do + { force_language_priority: 'Prefer' } + end + + it do + expect(subject).to contain_file('negotiation.conf').with(ensure: 'file', + content: %r{^ForceLanguagePriority Prefer$}) + end + end + + context 'with language_priority parameter' do + let :params do + { language_priority: ['en', 'es'] } + end + + it do + expect(subject).to contain_file('negotiation.conf').with(ensure: 'file', + content: %r{^LanguagePriority en es$}) + end + end + end +end diff --git a/spec/classes/mod/pagespeed_spec.rb b/spec/classes/mod/pagespeed_spec.rb new file mode 100644 index 0000000000..9890db02b9 --- /dev/null +++ b/spec/classes/mod/pagespeed_spec.rb @@ -0,0 +1,38 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::mod::pagespeed', type: :class do + context 'on a Debian OS' do + include_examples 'Debian 11' + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_apache__mod('pagespeed') } + it { is_expected.to contain_package('mod-pagespeed-stable') } + + context 'when setting additional_configuration to a Hash' do + let :params do + { additional_configuration: { 'Key' => 'Value' } } + end + + it { is_expected.to contain_file('pagespeed.conf').with_content %r{Key Value} } + end + + context 'when setting additional_configuration to an Array' do + let :params do + { additional_configuration: ['Key Value'] } + end + + it { is_expected.to contain_file('pagespeed.conf').with_content %r{Key Value} } + end + end + + context 'on a RedHat OS' do + include_examples 'RedHat 8' + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_apache__mod('pagespeed') } + it { is_expected.to contain_package('mod-pagespeed-stable') } + it { is_expected.to contain_file('pagespeed.conf') } + end +end diff --git a/spec/classes/mod/passenger_spec.rb b/spec/classes/mod/passenger_spec.rb index 3995dc9ddc..f974ff378c 100644 --- a/spec/classes/mod/passenger_spec.rb +++ b/spec/classes/mod/passenger_spec.rb @@ -1,100 +1,483 @@ -describe 'apache::mod::passenger', :type => :class do - let :pre_condition do - 'include apache' - end - context "on a Debian OS" do - let :facts do - { - :osfamily => 'Debian', - :operatingsystemrelease => '6', - :concat_basedir => '/dne', - } - end - it { should include_class("apache::params") } - it { should contain_apache__mod('passenger') } - it { should contain_package("libapache2-mod-passenger") } - it { should contain_file('passenger.conf').with({ - 'path' => '/etc/apache2/mods-available/passenger.conf', - }) } - it { should contain_file('passenger.conf').with_content(/^ PassengerRoot \/usr$/) } - it { should contain_file('passenger.conf').with_content(/^ PassengerRuby \/usr\/bin\/ruby$/) } - describe "with passenger_high_performance => true" do - let :params do - { :passenger_high_performance => 'true' } - end - it { should contain_file('passenger.conf').with_content(/^ PassengerHighPerformance true$/) } - end - describe "with passenger_pool_idle_time => 1200" do - let :params do - { :passenger_pool_idle_time => 1200 } - end - it { should contain_file('passenger.conf').with_content(/^ PassengerPoolIdleTime 1200$/) } - end - describe "with passenger_max_requests => 20" do - let :params do - { :passenger_max_requests => 20 } - end - it { should contain_file('passenger.conf').with_content(/^ PassengerMaxRequests 20$/) } - end - describe "with passenger_stat_throttle_rate => 10" do - let :params do - { :passenger_stat_throttle_rate => 10 } - end - it { should contain_file('passenger.conf').with_content(/^ PassengerStatThrottleRate 10$/) } - end - describe "with passenger_max_pool_size => 16" do - let :params do - { :passenger_max_pool_size => 16 } - end - it { should contain_file('passenger.conf').with_content(/^ PassengerMaxPoolSize 16$/) } - end - describe "with rack_autodetect => true" do - let :params do - { :rack_autodetect => true } - end - it { should contain_file('passenger.conf').with_content(/^ RackAutoDetect true$/) } - end - describe "with rails_autodetect => true" do - let :params do - { :rails_autodetect => true } - end - it { should contain_file('passenger.conf').with_content(/^ RailsAutoDetect true$/) } - end - describe "with passenger_root => '/usr/lib/example'" do - let :params do - { :passenger_root => '/usr/lib/example' } - end - it { should contain_file('passenger.conf').with_content(/^ PassengerRoot \/usr\/lib\/example$/) } - end - describe "with passenger_ruby => /user/lib/example/ruby" do - let :params do - { :passenger_ruby => '/user/lib/example/ruby' } - end - it { should contain_file('passenger.conf').with_content(/^ PassengerRuby \/user\/lib\/example\/ruby$/) } - end - describe "with passenger_use_global_queue => true" do - let :params do - { :passenger_use_global_queue => 'true' } +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::mod::passenger', type: :class do + on_supported_os.each do |os, facts| + context "on #{os}" do + let :facts do + facts end - it { should contain_file('passenger.conf').with_content(/^ PassengerUseGlobalQueue true$/) } - end - end - context "on a RedHat OS" do - let :facts do - { - :osfamily => 'RedHat', - :operatingsystemrelease => '6', - :concat_basedir => '/dne', - } + case facts[:os]['family'] + when 'Debian' + context 'validating all passenger params - using Debian' do + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_apache__mod('passenger') } + it { is_expected.to contain_package('libapache2-mod-passenger') } + + it { + expect(subject).to contain_file('zpassenger.load').with('path' => '/etc/apache2/mods-available/zpassenger.load') + } + + it { + expect(subject).to contain_file('passenger.conf').with('path' => '/etc/apache2/mods-available/passenger.conf') + } + + passenger_config_options = { + 'passenger_allow_encoded_slashes' => { type: 'OnOff', pass_opt: :PassengerAllowEncodedSlashes }, + 'passenger_anonymous_telemetry_proxy' => { type: 'String', pass_opt: :PassengerAnonymousTelemetryProxy }, + 'passenger_app_env' => { type: 'String', pass_opt: :PassengerAppEnv }, + 'passenger_app_group_name' => { type: 'String', pass_opt: :PassengerAppGroupName }, + 'passenger_app_root' => { type: 'FullPath', pass_opt: :PassengerAppRoot }, + 'passenger_app_type' => { type: 'String', pass_opt: :PassengerAppType }, + 'passenger_base_uri' => { type: 'URI', pass_opt: :PassengerBaseURI }, + 'passenger_buffer_response' => { type: 'OnOff', pass_opt: :PassengerBufferResponse }, + 'passenger_buffer_upload' => { type: 'OnOff', pass_opt: :PassengerBufferUpload }, + 'passenger_concurrency_model' => { type: ['process', 'thread'], pass_opt: :PassengerConcurrencyModel }, + 'passenger_data_buffer_dir' => { type: 'FullPath', pass_opt: :PassengerDataBufferDir }, + 'passenger_debug_log_file' => { type: 'String', pass_opt: :PassengerDebugLogFile }, + 'passenger_debugger' => { type: 'OnOff', pass_opt: :PassengerDebugger }, + 'passenger_default_group' => { type: 'String', pass_opt: :PassengerDefaultGroup }, + 'passenger_default_ruby' => { type: 'FullPath', pass_opt: :PassengerDefaultRuby }, + 'passenger_default_user' => { type: 'String', pass_opt: :PassengerDefaultUser }, + 'passenger_disable_anonymous_telemetry' => { type: 'Boolean', pass_opt: :PassengerDisableAnonymousTelemetry }, + 'passenger_disable_log_prefix' => { type: 'Boolean', pass_opt: :PassengerDisableLogPrefix }, + 'passenger_disable_security_update_check' => { type: 'OnOff', pass_opt: :PassengerDisableSecurityUpdateCheck }, + 'passenger_enabled' => { type: 'OnOff', pass_opt: :PassengerEnabled }, + 'passenger_error_override' => { type: 'OnOff', pass_opt: :PassengerErrorOverride }, + 'passenger_file_descriptor_log_file' => { type: 'FullPath', pass_opt: :PassengerFileDescriptorLogFile }, + 'passenger_fly_with' => { type: 'FullPath', pass_opt: :PassengerFlyWith }, + 'passenger_force_max_concurrent_requests_per_process' => { type: 'Integer', pass_opt: :PassengerForceMaxConcurrentRequestsPerProcess }, + 'passenger_friendly_error_pages' => { type: 'OnOff', pass_opt: :PassengerFriendlyErrorPages }, + 'passenger_group' => { type: 'String', pass_opt: :PassengerGroup }, + 'passenger_high_performance' => { type: 'OnOff', pass_opt: :PassengerHighPerformance }, + 'passenger_instance_registry_dir' => { type: 'FullPath', pass_opt: :PassengerInstanceRegistryDir }, + 'passenger_load_shell_envvars' => { type: 'OnOff', pass_opt: :PassengerLoadShellEnvvars }, + 'passenger_preload_bundler' => { type: 'Boolean', pass_opt: :PassengerPreloadBundler }, + 'passenger_log_file' => { type: 'FullPath', pass_opt: :PassengerLogFile }, + 'passenger_log_level' => { type: 'Integer', pass_opt: :PassengerLogLevel }, + 'passenger_lve_min_uid' => { type: 'Integer', pass_opt: :PassengerLveMinUid }, + 'passenger_max_instances' => { type: 'Integer', pass_opt: :PassengerMaxInstances }, + 'passenger_max_instances_per_app' => { type: 'Integer', pass_opt: :PassengerMaxInstancesPerApp }, + 'passenger_max_pool_size' => { type: 'Integer', pass_opt: :PassengerMaxPoolSize }, + 'passenger_max_preloader_idle_time' => { type: 'Integer', pass_opt: :PassengerMaxPreloaderIdleTime }, + 'passenger_max_request_queue_size' => { type: 'Integer', pass_opt: :PassengerMaxRequestQueueSize }, + 'passenger_max_request_time' => { type: 'Integer', pass_opt: :PassengerMaxRequestTime }, + 'passenger_max_requests' => { type: 'Integer', pass_opt: :PassengerMaxRequests }, + 'passenger_memory_limit' => { type: 'Integer', pass_opt: :PassengerMemoryLimit }, + 'passenger_meteor_app_settings' => { type: 'FullPath', pass_opt: :PassengerMeteorAppSettings }, + 'passenger_min_instances' => { type: 'Integer', pass_opt: :PassengerMinInstances }, + 'passenger_nodejs' => { type: 'FullPath', pass_opt: :PassengerNodejs }, + 'passenger_pool_idle_time' => { type: 'Integer', pass_opt: :PassengerPoolIdleTime }, + 'passenger_pre_start' => { type: 'URI', pass_opt: :PassengerPreStart }, + 'passenger_python' => { type: 'FullPath', pass_opt: :PassengerPython }, + 'passenger_resist_deployment_errors' => { type: 'OnOff', pass_opt: :PassengerResistDeploymentErrors }, + 'passenger_resolve_symlinks_in_document_root' => { type: 'OnOff', pass_opt: :PassengerResolveSymlinksInDocumentRoot }, + 'passenger_response_buffer_high_watermark' => { type: 'Integer', pass_opt: :PassengerResponseBufferHighWatermark }, + 'passenger_restart_dir' => { type: 'Path', pass_opt: :PassengerRestartDir }, + 'passenger_rolling_restarts' => { type: 'OnOff', pass_opt: :PassengerRollingRestarts }, + 'passenger_root' => { type: 'FullPath', pass_opt: :PassengerRoot }, + 'passenger_ruby' => { type: 'FullPath', pass_opt: :PassengerRuby }, + 'passenger_security_update_check_proxy' => { type: 'URI', pass_opt: :PassengerSecurityUpdateCheckProxy }, + 'passenger_show_version_in_header' => { type: 'OnOff', pass_opt: :PassengerShowVersionInHeader }, + 'passenger_socket_backlog' => { type: 'Integer', pass_opt: :PassengerSocketBacklog }, + 'passenger_spawn_dir' => { type: 'FullPath', pass_opt: :PassengerSpawnDir }, + 'passenger_spawn_method' => { type: ['smart', 'direct'], pass_opt: :PassengerSpawnMethod }, + 'passenger_start_timeout' => { type: 'Integer', pass_opt: :PassengerStartTimeout }, + 'passenger_startup_file' => { type: 'RelPath', pass_opt: :PassengerStartupFile }, + 'passenger_stat_throttle_rate' => { type: 'Integer', pass_opt: :PassengerStatThrottleRate }, + 'passenger_sticky_sessions' => { type: 'OnOff', pass_opt: :PassengerStickySessions }, + 'passenger_sticky_sessions_cookie_name' => { type: 'String', pass_opt: :PassengerStickySessionsCookieName }, + 'passenger_sticky_sessions_cookie_attributes' => { type: 'QuotedString', pass_opt: :PassengerStickySessionsCookieAttributes }, + 'passenger_thread_count' => { type: 'Integer', pass_opt: :PassengerThreadCount }, + 'passenger_use_global_queue' => { type: 'String', pass_opt: :PassengerUseGlobalQueue }, + 'passenger_user' => { type: 'String', pass_opt: :PassengerUser }, + 'passenger_user_switching' => { type: 'OnOff', pass_opt: :PassengerUserSwitching }, + 'rack_env' => { type: 'String', pass_opt: :RackEnv }, + 'rails_env' => { type: 'String', pass_opt: :RailsEnv }, + 'rails_framework_spawner_idle_time' => { type: 'String', pass_opt: :RailsFrameworkSpawnerIdleTime } + } + passenger_config_options.each do |config_option, config_hash| + puppetized_config_option = config_option + case config_hash[:type] + # UnionStationFilter values are quoted strings + when 'QuotedString' + valid_config_values = ['"a quoted string"'] + valid_config_values.each do |valid_value| + describe "with #{puppetized_config_option} => '#{valid_value.delete('"')}'" do + let :params do + { puppetized_config_option.to_sym => valid_value } + end + + it { is_expected.to contain_file('passenger.conf').with_content(%r{^ #{config_hash[:pass_opt]} "#{valid_value}"$}) } + end + end + when 'FullPath', 'RelPath', 'Path' + valid_config_values = ['/some/path/to/somewhere'] + valid_config_values.each do |valid_value| + describe "with #{puppetized_config_option} => #{valid_value}" do + let :params do + { puppetized_config_option.to_sym => valid_value } + end + + it { is_expected.to contain_file('passenger.conf').with_content(%r{^ #{config_hash[:pass_opt]} "#{valid_value}"$}) } + end + end + when 'URI', 'String' + valid_config_values = ['some_value_for_you'] + valid_config_values.each do |valid_value| + describe "with #{puppetized_config_option} => #{valid_value}" do + let :params do + { puppetized_config_option.to_sym => valid_value } + end + + it { is_expected.to contain_file('passenger.conf').with_content(%r{^ #{config_hash[:pass_opt]} #{valid_value}$}) } + end + end + when 'Integer' + valid_config_values = [4711] + valid_config_values.each do |valid_value| + describe "with #{puppetized_config_option} => #{valid_value}" do + let :params do + { puppetized_config_option.to_sym => valid_value } + end + + it { is_expected.to contain_file('passenger.conf').with_content(%r{^ #{config_hash[:pass_opt]} #{valid_value}$}) } + end + end + when 'OnOff' + valid_config_values = ['on', 'off'] + valid_config_values.each do |valid_value| + describe "with #{puppetized_config_option} => '#{valid_value}'" do + let :params do + { puppetized_config_option.to_sym => valid_value } + end + + it { is_expected.to contain_file('passenger.conf').with_content(%r{^ #{config_hash[:pass_opt]} #{valid_value}$}) } + end + end + when 'Boolean' + valid_config_values = [true, false] + valid_config_values.each do |valid_value| + describe "with #{puppetized_config_option} => #{valid_value}" do + let :params do + { puppetized_config_option.to_sym => valid_value } + end + + let :expected_value do + { + true => 'On', + false => 'Off' + }[valid_value] + end + + it { is_expected.to contain_file('passenger.conf').with_content(%r{^ #{config_hash[:pass_opt]} #{expected_value}$}) } + end + end + else + valid_config_values = config_hash[:type] + valid_config_values.each do |valid_value| + describe "with #{puppetized_config_option} => '#{valid_value}'" do + let :params do + { puppetized_config_option.to_sym => valid_value } + end + + it { is_expected.to contain_file('passenger.conf').with_content(%r{^ #{config_hash[:pass_opt]} #{valid_value}$}) } + end + end + end + end + end + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_apache__mod('passenger') } + it { is_expected.to contain_package('libapache2-mod-passenger') } + + it { + expect(subject).to contain_file('zpassenger.load').with('path' => '/etc/apache2/mods-available/zpassenger.load') + } + + it { + expect(subject).to contain_file('passenger.conf').with('path' => '/etc/apache2/mods-available/passenger.conf') + } + + context 'passenger config with passenger_installed_version set', test: true do + describe 'fails when an option is not valid for $passenger_installed_version' do + let :params do + { + passenger_installed_version: '4.0.0', + passenger_instance_registry_dir: '/some/path/to/nowhere' + } + end + + it { is_expected.to raise_error(%r{passenger_instance_registry_dir is not introduced until version 5.0.0}) } + end + + describe 'fails when an option is removed' do + let :params do + { + passenger_installed_version: '5.3.0', + passenger_resist_deployment_errors: 'on' + } + end + + it { is_expected.to raise_error(%r{REMOVED PASSENGER OPTION}) } + end + + describe 'warns when an option is deprecated' do + let :params do + { + passenger_installed_version: '5.1.0', + passenger_debug_log_file: '/some/path/to/log' + } + end + + specify { expect { warn(%r{DEPRECATED PASSENGER OPTION}) }.to output(%r{DEPRECATED PASSENGER OPTION}).to_stderr } + end + end + + describe "with passenger_root => '/usr/lib/example'" do + let :params do + { passenger_root: '/usr/lib/example' } + end + + it { is_expected.to contain_file('passenger.conf').with_content(%r{PassengerRoot "/usr/lib/example"}) } + end + + describe 'with passenger_ruby => /usr/lib/example/ruby' do + let :params do + { passenger_ruby: '/usr/lib/example/ruby' } + end + + it { is_expected.to contain_file('passenger.conf').with_content(%r{PassengerRuby "/usr/lib/example/ruby"}) } + end + + describe 'with passenger_default_ruby => /usr/lib/example/ruby1.9.3' do + let :params do + { passenger_ruby: '/usr/lib/example/ruby1.9.3' } + end + + it { is_expected.to contain_file('passenger.conf').with_content(%r{PassengerRuby "/usr/lib/example/ruby1.9.3"}) } + end + + describe 'with passenger_high_performance => on' do + let :params do + { passenger_high_performance: 'on' } + end + + it { is_expected.to contain_file('passenger.conf').with_content(%r{^ PassengerHighPerformance on$}) } + end + + describe 'with passenger_pool_idle_time => 1200' do + let :params do + { passenger_pool_idle_time: 1200 } + end + + it { is_expected.to contain_file('passenger.conf').with_content(%r{^ PassengerPoolIdleTime 1200$}) } + end + + describe 'with passenger_max_request_queue_size => 100' do + let :params do + { passenger_max_request_queue_size: 100 } + end + + it { is_expected.to contain_file('passenger.conf').with_content(%r{^ PassengerMaxRequestQueueSize 100$}) } + end + + describe 'with passenger_max_requests => 20' do + let :params do + { passenger_max_requests: 20 } + end + + it { is_expected.to contain_file('passenger.conf').with_content(%r{^ PassengerMaxRequests 20$}) } + end + + describe 'with passenger_spawn_method => direct' do + let :params do + { passenger_spawn_method: 'direct' } + end + + it { is_expected.to contain_file('passenger.conf').with_content(%r{^ PassengerSpawnMethod direct$}) } + end + + describe 'with passenger_stat_throttle_rate => 10' do + let :params do + { passenger_stat_throttle_rate: 10 } + end + + it { is_expected.to contain_file('passenger.conf').with_content(%r{^ PassengerStatThrottleRate 10$}) } + end + + describe 'with passenger_max_pool_size => 16' do + let :params do + { passenger_max_pool_size: 16 } + end + + it { is_expected.to contain_file('passenger.conf').with_content(%r{^ PassengerMaxPoolSize 16$}) } + end + + describe 'with passenger_min_instances => 5' do + let :params do + { passenger_min_instances: 5 } + end + + it { is_expected.to contain_file('passenger.conf').with_content(%r{^ PassengerMinInstances 5$}) } + end + + describe 'with passenger_max_instances_per_app => 8' do + let :params do + { passenger_max_instances_per_app: 8 } + end + + it { is_expected.to contain_file('passenger.conf').with_content(%r{^ PassengerMaxInstancesPerApp 8$}) } + end + + describe 'with passenger_use_global_queue => on' do + let :params do + { passenger_use_global_queue: 'on' } + end + + it { is_expected.to contain_file('passenger.conf').with_content(%r{^ PassengerUseGlobalQueue on$}) } + end + + describe "with passenger_app_env => 'foo'" do + let :params do + { passenger_app_env: 'foo' } + end + + it { is_expected.to contain_file('passenger.conf').with_content(%r{^ PassengerAppEnv foo$}) } + end + + describe "with passenger_log_file => '/var/log/apache2/passenger.log'" do + let :params do + { passenger_log_file: '/var/log/apache2/passenger.log' } + end + + it { is_expected.to contain_file('passenger.conf').with_content(%r{^ PassengerLogFile "/var/log/apache2/passenger.log"$}) } + end + + describe 'with passenger_log_level => 3' do + let :params do + { passenger_log_level: 3 } + end + + it { is_expected.to contain_file('passenger.conf').with_content(%r{^ PassengerLogLevel 3$}) } + end + + describe "with mod_path => '/usr/lib/foo/mod_foo.so'" do + let :params do + { mod_path: '/usr/lib/foo/mod_foo.so' } + end + + it { is_expected.to contain_file('zpassenger.load').with_content(%r{^LoadModule passenger_module /usr/lib/foo/mod_foo\.so$}) } + end + + describe "with mod_lib_path => '/usr/lib/foo'" do + let :params do + { mod_lib_path: '/usr/lib/foo' } + end + + it { is_expected.to contain_file('zpassenger.load').with_content(%r{^LoadModule passenger_module /usr/lib/foo/mod_passenger\.so$}) } + end + + describe "with mod_lib => 'mod_foo.so'" do + let :params do + { mod_lib: 'mod_foo.so' } + end + + it { is_expected.to contain_file('zpassenger.load').with_content(%r{^LoadModule passenger_module /usr/lib/apache2/modules/mod_foo\.so$}) } + end + + describe "with mod_id => 'mod_foo'" do + let :params do + { mod_id: 'mod_foo' } + end + + it { is_expected.to contain_file('zpassenger.load').with_content(%r{^LoadModule mod_foo /usr/lib/apache2/modules/mod_passenger\.so$}) } + end + + context 'with defaults' do + it { is_expected.to contain_file('passenger.conf').with_content(%r{PassengerRoot "/usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini"}) } + it { is_expected.to contain_file('passenger.conf').without_content(%r{PassengerRuby}) } + it { is_expected.to contain_file('passenger.conf').with_content(%r{PassengerDefaultRuby "/usr/bin/ruby"}) } + end + when 'RedHat' + context 'on a RedHat OS' do + case facts[:os]['release']['major'] + when '6' + context 'on EL6' do + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_apache__mod('passenger') } + it { is_expected.to contain_package('mod_passenger') } + + it { + expect(subject).to contain_file('passenger_package.conf').with('path' => '/etc/httpd/conf.d/passenger.conf') + } + + it { is_expected.to contain_file('passenger_package.conf').without_content } + it { is_expected.to contain_file('passenger_package.conf').without_source } + + it { + expect(subject).to contain_file('zpassenger.load').with('path' => '/etc/httpd/conf.d/zpassenger.load') + } + + it { is_expected.to contain_file('passenger.conf').without_content(%r{PassengerRoot}) } + it { is_expected.to contain_file('passenger.conf').without_content(%r{PassengerRuby}) } + + describe "with passenger_root => '/usr/lib/example'" do + let :params do + { passenger_root: '/usr/lib/example' } + end + + it { is_expected.to contain_file('passenger.conf').with_content(%r{^ PassengerRoot "/usr/lib/example"$}) } + end + + describe 'with passenger_ruby => /usr/lib/example/ruby' do + let :params do + { passenger_ruby: '/usr/lib/example/ruby' } + end + + it { is_expected.to contain_file('passenger.conf').with_content(%r{^ PassengerRuby "/usr/lib/example/ruby"$}) } + end + end + when '7' + + context 'on EL7' do + it { + expect(subject).to contain_file('passenger_package.conf').with('path' => '/etc/httpd/conf.d/passenger.conf') + } + + it { + expect(subject).to contain_file('zpassenger.load').with('path' => '/etc/httpd/conf.modules.d/zpassenger.load') + } + end + when '8' + + context 'on EL8' do + it { + expect(subject).to contain_file('passenger_package.conf').with('path' => '/etc/httpd/conf.d/passenger.conf') + } + + it { + expect(subject).to contain_file('zpassenger.load').with('path' => '/etc/httpd/conf.modules.d/zpassenger.load') + } + end + end + end + when 'FreeBSD' + context 'on a FreeBSD OS' do + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_apache__mod('passenger') } + it { is_expected.to contain_package('www/rubygem-passenger') } + end + when 'Gentoo' + context 'on a Gentoo OS' do + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_apache__mod('passenger') } + it { is_expected.to contain_package('www-apache/passenger') } + end + end end - it { should include_class("apache::params") } - it { should contain_apache__mod('passenger') } - it { should contain_package("mod_passenger") } - it { should contain_file('passenger.conf').with({ - 'path' => '/etc/httpd/conf.d/passenger.conf', - }) } - it { should contain_file('passenger.conf').with_content(/^ PassengerRoot \/usr\/share\/rubygems\/gems\/passenger-3.0.17$/) } - it { should contain_file('passenger.conf').with_content(/^ PassengerRuby \/usr\/bin\/ruby$/) } end end diff --git a/spec/classes/mod/perl_spec.rb b/spec/classes/mod/perl_spec.rb index 0f76abbd90..ad41e97503 100644 --- a/spec/classes/mod/perl_spec.rb +++ b/spec/classes/mod/perl_spec.rb @@ -1,29 +1,38 @@ -describe 'apache::mod::perl', :type => :class do - let :pre_condition do - 'include apache' +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::mod::perl', type: :class do + it_behaves_like 'a mod class, without including apache' + context 'on a Debian OS' do + include_examples 'Debian 11' + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_apache__mod('perl') } + it { is_expected.to contain_package('libapache2-mod-perl2') } end - context "on a Debian OS" do - let :facts do - { - :osfamily => 'Debian', - :operatingsystemrelease => '6', - :concat_basedir => '/dne', - } - end - it { should include_class("apache::params") } - it { should contain_apache__mod('perl') } - it { should contain_package("libapache2-mod-perl2") } + + context 'on a RedHat OS' do + include_examples 'RedHat 8' + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_apache__mod('perl') } + it { is_expected.to contain_package('mod_perl') } end - context "on a RedHat OS" do - let :facts do - { - :osfamily => 'RedHat', - :operatingsystemrelease => '6', - :concat_basedir => '/dne', - } - end - it { should include_class("apache::params") } - it { should contain_apache__mod('perl') } - it { should contain_package("mod_perl") } + + context 'on a FreeBSD OS' do + include_examples 'FreeBSD 9' + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_apache__mod('perl') } + it { is_expected.to contain_package('www/mod_perl2') } + end + + context 'on a Gentoo OS' do + include_examples 'Gentoo' + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_apache__mod('perl') } + it { is_expected.to contain_package('www-apache/mod_perl') } end end diff --git a/spec/classes/mod/peruser_spec.rb b/spec/classes/mod/peruser_spec.rb new file mode 100644 index 0000000000..b95904a3b9 --- /dev/null +++ b/spec/classes/mod/peruser_spec.rb @@ -0,0 +1,23 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::mod::peruser', type: :class do + let :pre_condition do + 'class { "apache": mpm_module => false, }' + end + + context 'on a FreeBSD OS' do + include_examples 'FreeBSD 10' + + it { is_expected.to compile.and_raise_error(%r{Unsupported osfamily FreeBSD}) } + end + + context 'on a Gentoo OS' do + include_examples 'Gentoo' + + it { is_expected.to contain_class('apache::params') } + it { is_expected.not_to contain_apache__mod('peruser') } + it { is_expected.to contain_file('/etc/apache2/modules.d/peruser.conf').with_ensure('file') } + end +end diff --git a/spec/classes/mod/php_spec.rb b/spec/classes/mod/php_spec.rb index 69617fb03c..9cb56b04d7 100644 --- a/spec/classes/mod/php_spec.rb +++ b/spec/classes/mod/php_spec.rb @@ -1,72 +1,392 @@ -describe 'apache::mod::php', :type => :class do - describe "on a Debian OS" do - let :facts do - { - :osfamily => 'Debian', - :operatingsystemrelease => '6', - :concat_basedir => '/dne', - } - end - context "with mpm_module => prefork" do - let :pre_condition do - 'class { "apache": mpm_module => prefork, }' +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::mod::php', type: :class do + on_supported_os.each do |os, facts| + context "on #{os}" do + let :facts do + facts end - it { should include_class("apache::params") } - it { should contain_apache__mod('php5') } - it { should contain_package("libapache2-mod-php5") } - it { should contain_file("php5.load").with( - :content => "LoadModule php5_module /usr/lib/apache2/modules/libphp5.so\n" - ) } - end - context 'with mpm_module => worker' do let :pre_condition do - 'class { "apache": mpm_module => worker, }' - end - it 'should raise an error' do - expect { subject }.to raise_error Puppet::Error, /mpm_module => 'prefork'/ - end - end - end - describe "on a RedHat OS" do - let :facts do - { - :osfamily => 'RedHat', - :operatingsystemrelease => '6', - :concat_basedir => '/dne', - } - end - context "with default params" do - let :pre_condition do - 'class { "apache": }' - end - it { should include_class("apache::params") } - it { should contain_apache__mod('php5') } - it { should contain_package("php") } - it { should contain_file("php5.load").with( - :content => "LoadModule php5_module modules/libphp5.so\n" - ) } - end - context "with specific version" do - let :pre_condition do - 'class { "apache": }' + 'class { "apache": mpm_module => prefork, }' end - let :params do - { :package_ensure => '5.3.13'} + + case facts[:os]['family'] + when 'Debian' + describe 'on a Debian OS' do + context 'with mpm_module => prefork' do + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_class('apache::mod::prefork') } + end + + case facts[:os]['release']['major'] + when '9' + context 'on stretch' do + it { is_expected.to contain_apache__mod('php7.0') } + it { is_expected.to contain_package('libapache2-mod-php7.0') } + + it { + expect(subject).to contain_file('php7.0.load').with( + content: "LoadModule php7_module /usr/lib/apache2/modules/libphp7.0.so\n", + ) + } + end + when '10' + context 'on buster' do + it { is_expected.to contain_apache__mod('php7.3') } + it { is_expected.to contain_package('libapache2-mod-php7.3') } + + it { + expect(subject).to contain_file('php7.3.load').with( + content: "LoadModule php7_module /usr/lib/apache2/modules/libphp7.3.so\n", + ) + } + + context 'with php8.0' do + let :params do + { php_version: '8.0' } + end + + it { is_expected.to contain_apache__mod('php8.0') } + it { is_expected.to contain_package('libapache2-mod-php8.0') } + + it { + expect(subject).to contain_file('php8.0.load').with( + content: "LoadModule php_module /usr/lib/apache2/modules/libphp8.0.so\n", + ) + } + end + end + when '11' + context 'on bullseye' do + it { is_expected.to contain_apache__mod('php7.4') } + it { is_expected.to contain_package('libapache2-mod-php7.4') } + + it { + expect(subject).to contain_file('php7.4.load').with( + content: "LoadModule php7_module /usr/lib/apache2/modules/libphp7.4.so\n", + ) + } + + context 'with php8.0' do + let :params do + { php_version: '8.0' } + end + + it { is_expected.to contain_apache__mod('php8.0') } + it { is_expected.to contain_package('libapache2-mod-php8.0') } + + it { + expect(subject).to contain_file('php8.0.load').with( + content: "LoadModule php_module /usr/lib/apache2/modules/libphp8.0.so\n", + ) + } + end + end + when '12' + context 'on bookworm' do + it { is_expected.to contain_apache__mod('php8.2') } + it { is_expected.to contain_package('libapache2-mod-php8.2') } + + it { + expect(subject).to contain_file('php8.2.load').with( + content: "LoadModule php_module /usr/lib/apache2/modules/libphp8.2.so\n", + ) + } + end + when '18.04' + context 'on bionic' do + let :params do + { content: 'somecontent' } + end + + it { + expect(subject).to contain_file('php7.2.conf').with( + content: 'somecontent', + ) + } + end + end + end + when 'RedHat' + case facts[:os]['release']['major'] + when '9' + it { is_expected.to compile.and_raise_error(%r{RedHat 9 does not support mod_php}) } + else + describe 'on a RedHat OS' do + context 'with default params' do + let :pre_condition do + 'class { "apache": }' + end + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_package('php') } + + if facts[:os]['release']['major'].to_i < 8 + it { is_expected.to contain_apache__mod('php5') } + it { is_expected.to contain_file('php5.load').with(content: "LoadModule php5_module modules/libphp5.so\n") } + elsif facts[:os]['release']['major'].to_i == 8 + it { is_expected.to contain_apache__mod('php7') } + it { is_expected.to contain_file('php7.load').with(content: "LoadModule php7_module modules/libphp7.so\n") } + + context 'with php8.0' do + let :params do + { php_version: '8.0' } + end + + it { is_expected.to contain_apache__mod('php') } + it { is_expected.to contain_file('php.load').with(content: "LoadModule php_module modules/libphp.so\n") } + end + elsif facts[:os]['release']['major'].to_i >= 9 + it { is_expected.to contain_apache__mod('php') } + it { is_expected.to contain_file('php.load').with(content: "LoadModule php_module modules/libphp.so\n") } + end + end + + context 'with alternative package name' do + let :pre_condition do + 'class { "apache": }' + end + let :params do + { package_name: 'php54' } + end + + it { is_expected.to contain_package('php54') } + end + + context 'with alternative path' do + let :pre_condition do + 'class { "apache": }' + end + let :params do + { path: 'alternative-path' } + end + + it { is_expected.to contain_package('php') } + + if facts[:os]['release']['major'].to_i < 8 + it { is_expected.to contain_apache__mod('php5') } + it { is_expected.to contain_file('php5.load').with(content: "LoadModule php5_module alternative-path\n") } + elsif facts[:os]['release']['major'].to_i == 8 + it { is_expected.to contain_apache__mod('php7') } + it { is_expected.to contain_file('php7.load').with(content: "LoadModule php7_module alternative-path\n") } + elsif facts[:os]['release']['major'].to_i >= 9 + it { is_expected.to contain_apache__mod('php') } + it { is_expected.to contain_file('php.load').with(content: "LoadModule php_module alternative-path\n") } + end + end + + context 'with alternative extensions' do + let :pre_condition do + 'class { "apache": }' + end + let :params do + { + extensions: ['.php', '.php5'] + } + end + + it { is_expected.to contain_file('php5.conf').with_content(Regexp.new(Regexp.escape(''))) } if facts[:os]['release']['major'].to_i < 8 + end + + if facts[:os]['release']['major'].to_i > 5 + context 'with specific version' do + let :pre_condition do + 'class { "apache": }' + end + let :params do + { package_ensure: '5.3.13' } + end + + it { + expect(subject).to contain_package('php').with( + ensure: '5.3.13', + ) + } + end + end + context 'with mpm_module => prefork' do + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_class('apache::mod::prefork') } + it { is_expected.to contain_package('php') } + + if facts[:os]['release']['major'].to_i < 8 + it { is_expected.to contain_apache__mod('php5') } + it { is_expected.to contain_file('php5.load').with(content: "LoadModule php5_module modules/libphp5.so\n") } + elsif facts[:os]['release']['major'].to_i == 8 + it { is_expected.to contain_apache__mod('php7') } + it { is_expected.to contain_file('php7.load').with(content: "LoadModule php7_module modules/libphp7.so\n") } + elsif facts[:os]['release']['major'].to_i >= 9 + it { is_expected.to contain_apache__mod('php') } + it { is_expected.to contain_file('php.load').with(content: "LoadModule php_module modules/libphp.so\n") } + end + end + + context 'with mpm_module => itk' do + let :pre_condition do + 'class { "apache": mpm_module => itk, }' + end + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_class('apache::mod::itk') } + it { is_expected.to contain_package('php') } + + if facts[:os]['release']['major'].to_i < 8 + it { is_expected.to contain_apache__mod('php5') } + it { is_expected.to contain_file('php5.load').with(content: "LoadModule php5_module modules/libphp5.so\n") } + elsif facts[:os]['release']['major'].to_i == 8 + it { is_expected.to contain_apache__mod('php7') } + it { is_expected.to contain_file('php7.load').with(content: "LoadModule php7_module modules/libphp7.so\n") } + elsif facts[:os]['release']['major'].to_i >= 9 + it { is_expected.to contain_apache__mod('php') } + it { is_expected.to contain_file('php.load').with(content: "LoadModule php_module modules/libphp.so\n") } + end + end + end + end + when 'FreeBSD' + describe 'on a FreeBSD OS' do + context 'with mpm_module => prefork' do + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_apache__mod('php5') } + it { is_expected.to contain_package('www/mod_php5') } + it { is_expected.to contain_file('php5.load') } + end + + context 'with mpm_module => itk' do + let :pre_condition do + 'class { "apache": mpm_module => itk, }' + end + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_class('apache::mod::itk') } + it { is_expected.to contain_apache__mod('php5') } + it { is_expected.to contain_package('www/mod_php5') } + it { is_expected.to contain_file('php5.load') } + end + end + when 'Gentoo' + describe 'on a Gentoo OS' do + context 'with mpm_module => prefork' do + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_apache__mod('php5') } + it { is_expected.to contain_package('dev-lang/php') } + it { is_expected.to contain_file('php5.load') } + end + + context 'with mpm_module => itk' do + let :pre_condition do + 'class { "apache": mpm_module => itk, }' + end + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_class('apache::mod::itk') } + it { is_expected.to contain_apache__mod('php5') } + it { is_expected.to contain_package('dev-lang/php') } + it { is_expected.to contain_file('php5.load') } + end + end end - it { should contain_package("php").with( - :ensure => '5.3.13' - ) } - end - context "with mpm_module => prefork" do - let :pre_condition do - 'class { "apache": mpm_module => prefork, }' + + # all the following tests are for legacy php/apache versions. They don't work on modern ubuntu and redhat 8 + next if (facts[:os]['release']['major'].to_i >= 15 && facts[:os]['name'] == 'SLES') || + (facts[:os]['family'] == 'Debian') || + (facts[:os]['release']['major'].to_i >= 8 && (facts[:os]['name'] == 'RedHat' || facts[:os]['name'] == 'CentOS' || + facts[:os]['name'] == 'Rocky' || facts[:os]['name'] == 'AlmaLinux')) + + describe 'OS independent tests' do + context 'with content param' do + let :params do + { content: 'somecontent' } + end + + it { + expect(subject).to contain_file('php5.conf').with( + content: 'somecontent', + ) + } + end + + context 'with template param' do + let :params do + { template: 'apache/mod/php.conf.erb' } + end + + it { + expect(subject).to contain_file('php5.conf').with( + content: %r{^# PHP is an HTML-embedded scripting language which attempts to make it}, + ) + } + end + + context 'with source param' do + let :params do + { source: 'some-path' } + end + + it { + expect(subject).to contain_file('php5.conf').with( + source: 'some-path', + ) + } + end + + context 'content has priority over template' do + let :params do + { + template: 'apache/mod/php5.conf.erb', + content: 'somecontent' + } + end + + it { + expect(subject).to contain_file('php5.conf').with( + content: 'somecontent', + ) + } + end + + context 'source has priority over template' do + let :params do + { + template: 'apache/mod/php5.conf.erb', + source: 'some-path' + } + end + + it { + expect(subject).to contain_file('php5.conf').with( + source: 'some-path', + ) + } + end + + context 'source has priority over content' do + let :params do + { + content: 'somecontent', + source: 'some-path' + } + end + + it { + expect(subject).to contain_file('php5.conf').with( + source: 'some-path', + ) + } + end + + context 'with mpm_module => worker' do + let :pre_condition do + 'class { "apache": mpm_module => worker, }' + end + + it 'raises an error' do + expect(subject).to compile.and_raise_error(%r{mpm_module => 'prefork' or mpm_module => 'itk'}) + end + end end - it { should include_class("apache::params") } - it { should contain_apache__mod('php5') } - it { should contain_package("php") } - it { should contain_file("php5.load").with( - :content => "LoadModule php5_module modules/libphp5.so\n" - ) } end end end diff --git a/spec/classes/mod/prefork_spec.rb b/spec/classes/mod/prefork_spec.rb index fa34a20c84..0ebe44794a 100644 --- a/spec/classes/mod/prefork_spec.rb +++ b/spec/classes/mod/prefork_spec.rb @@ -1,35 +1,54 @@ -describe 'apache::mod::prefork', :type => :class do +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::mod::prefork', type: :class do let :pre_condition do 'class { "apache": mpm_module => false, }' end - context "on a Debian OS" do - let :facts do - { - :osfamily => 'Debian', - :operatingsystemrelease => '6', - :concat_basedir => '/dne', - } - end - it { should include_class("apache::params") } - it { should_not contain_apache__mod('prefork') } - it { should contain_file("/etc/apache2/mods-available/prefork.conf").with_ensure('file') } - it { should contain_file("/etc/apache2/mods-enabled/prefork.conf").with_ensure('link') } - it { should contain_package("apache2-mpm-prefork") } + + context 'on a Debian OS' do + include_examples 'Debian 11' + + it { is_expected.to contain_class('apache::params') } + it { is_expected.not_to contain_apache__mod('prefork') } + it { is_expected.to contain_file('/etc/apache2/mods-available/prefork.conf').with_ensure('file') } + it { is_expected.to contain_file('/etc/apache2/mods-enabled/prefork.conf').with_ensure('link') } + + it { + expect(subject).to contain_file('/etc/apache2/mods-available/prefork.load').with('ensure' => 'file', + 'content' => "LoadModule mpm_prefork_module /usr/lib/apache2/modules/mod_mpm_prefork.so\n") + } + + it { is_expected.to contain_file('/etc/apache2/mods-enabled/prefork.load').with_ensure('link') } end - context "on a RedHat OS" do - let :facts do - { - :osfamily => 'RedHat', - :operatingsystemrelease => '6', - :concat_basedir => '/dne', - } - end - it { should include_class("apache::params") } - it { should_not contain_apache__mod('prefork') } - it { should contain_file("/etc/httpd/conf.d/prefork.conf").with_ensure('file') } - it { should contain_file_line("/etc/sysconfig/httpd prefork enable").with({ - 'require' => 'Package[httpd]', - }) + + context 'on a RedHat OS' do + include_examples 'RedHat 8' + + it { is_expected.to contain_class('apache::params') } + it { is_expected.not_to contain_apache__mod('prefork') } + it { is_expected.not_to contain_apache__mod('event') } + + it { + expect(subject).to contain_file('/etc/httpd/conf.modules.d/prefork.load').with('ensure' => 'file', + 'content' => "LoadModule mpm_prefork_module modules/mod_mpm_prefork.so\n") } end + + context 'on a FreeBSD OS' do + include_examples 'FreeBSD 9' + + it { is_expected.to contain_class('apache::params') } + it { is_expected.not_to contain_apache__mod('prefork') } + it { is_expected.to contain_file('/usr/local/etc/apache24/Modules/prefork.conf').with_ensure('file') } + end + + context 'on a Gentoo OS' do + include_examples 'Gentoo' + + it { is_expected.to contain_class('apache::params') } + it { is_expected.not_to contain_apache__mod('prefork') } + it { is_expected.to contain_file('/etc/apache2/modules.d/prefork.conf').with_ensure('file') } + end end diff --git a/spec/classes/mod/proxy_balancer_spec.rb b/spec/classes/mod/proxy_balancer_spec.rb new file mode 100644 index 0000000000..d43cecd7fd --- /dev/null +++ b/spec/classes/mod/proxy_balancer_spec.rb @@ -0,0 +1,57 @@ +# frozen_string_literal: true + +require 'spec_helper' + +# Helper function for testing the contents of `proxy_balancer.conf` +def balancer_manager_conf_spec(allow_from, manager_path) + expected = "\n " \ + "SetHandler balancer-manager\n " \ + "Require ip #{Array(allow_from).join(' ')}\n" \ + "\n" + it do + expect(subject).to contain_file('proxy_balancer.conf').with_content(expected) + end +end + +describe 'apache::mod::proxy_balancer', type: :class do + let :pre_condition do + [ + 'include apache::mod::proxy', + ] + end + + it_behaves_like 'a mod class, without including apache' + + context 'default configuration with default parameters' do + context 'on a Debian OS' do + include_examples 'Debian 11' + + it { is_expected.to contain_apache__mod('proxy_balancer') } + + it { is_expected.not_to contain_file('proxy_balancer.conf') } + it { is_expected.not_to contain_file('proxy_balancer.conf symlink') } + end + + context 'on a RedHat OS' do + include_examples 'RedHat 8' + + it { is_expected.to contain_apache__mod('proxy_balancer') } + + it { is_expected.not_to contain_file('proxy_balancer.conf') } + it { is_expected.not_to contain_file('proxy_balancer.conf symlink') } + end + end + + context "default configuration with custom parameters $manager => true, $allow_from => ['10.10.10.10','11.11.11.11'], $status_path => '/custom-manager' on a Debian OS" do + include_examples 'Debian 11' + let :params do + { + manager: true, + allow_from: ['10.10.10.10', '11.11.11.11'], + manager_path: '/custom-manager' + } + end + + balancer_manager_conf_spec(['10.10.10.10', '11.11.11.11'], '/custom-manager') + end +end diff --git a/spec/classes/mod/proxy_connect_spec.rb b/spec/classes/mod/proxy_connect_spec.rb new file mode 100644 index 0000000000..c579a58d34 --- /dev/null +++ b/spec/classes/mod/proxy_connect_spec.rb @@ -0,0 +1,15 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::mod::proxy_connect', type: :class do + let :pre_condition do + [ + 'include apache::mod::proxy', + ] + end + + include_examples 'a mod class, without including apache' + + it { is_expected.to contain_apache__mod('proxy_connect') } +end diff --git a/spec/classes/mod/proxy_html_spec.rb b/spec/classes/mod/proxy_html_spec.rb index c257fe7461..a049f6aa71 100644 --- a/spec/classes/mod/proxy_html_spec.rb +++ b/spec/classes/mod/proxy_html_spec.rb @@ -1,33 +1,64 @@ -describe 'apache::mod::proxy_html', :type => :class do +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::mod::proxy_html', type: :class do let :pre_condition do [ - 'include apache', 'include apache::mod::proxy', 'include apache::mod::proxy_http', ] end - context "on a Debian OS" do - let :facts do - { - :osfamily => 'Debian', - :operatingsystemrelease => '6', - :concat_basedir => '/dne', - } + + it_behaves_like 'a mod class, without including apache' + context 'on a Debian OS' do + shared_examples 'debian' do |loadfiles| + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_apache__mod('proxy_html').with(loadfiles: loadfiles) } end - it { should include_class("apache::params") } - it { should contain_apache__mod('proxy_html') } - it { should contain_package("libapache2-mod-proxy-html") } - end - context "on a RedHat OS" do - let :facts do - { - :osfamily => 'RedHat', - :operatingsystemrelease => '6', - :concat_basedir => '/dne', - } + + include_examples 'Debian 11' + + context 'on i386' do + let(:facts) { override_facts(super(), os: { hardware: 'i386' }) } + + it { is_expected.to contain_apache__mod('xml2enc').with(loadfiles: nil) } + + it_behaves_like 'debian', ['/usr/lib/i386-linux-gnu/libxml2.so.2'] + end + + context 'on x64' do + let(:facts) { override_facts(super(), os: { architecture: 'x86_64' }) } + + it { is_expected.to contain_apache__mod('xml2enc').with(loadfiles: nil) } + + it_behaves_like 'debian', ['/usr/lib/x86_64-linux-gnu/libxml2.so.2'] end - it { should include_class("apache::params") } - it { should contain_apache__mod('proxy_html') } - it { should contain_package("mod_proxy_html") } + end + + context 'on a RedHat OS', :compile do + include_examples 'RedHat 8' + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_apache__mod('proxy_html').with(loadfiles: nil) } + it { is_expected.to contain_package('mod_proxy_html') } + it { is_expected.to contain_apache__mod('xml2enc').with(loadfiles: nil) } + end + + context 'on a FreeBSD OS', :compile do + include_examples 'FreeBSD 9' + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_apache__mod('proxy_html').with(loadfiles: nil) } + it { is_expected.to contain_apache__mod('xml2enc').with(loadfiles: nil) } + end + + context 'on a Gentoo OS', :compile do + include_examples 'Gentoo' + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_apache__mod('proxy_html').with(loadfiles: nil) } + it { is_expected.to contain_apache__mod('xml2enc').with(loadfiles: nil) } + it { is_expected.to contain_package('www-apache/mod_proxy_html') } end end diff --git a/spec/classes/mod/proxy_http2_spec.rb b/spec/classes/mod/proxy_http2_spec.rb new file mode 100644 index 0000000000..c353048b22 --- /dev/null +++ b/spec/classes/mod/proxy_http2_spec.rb @@ -0,0 +1,15 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::mod::proxy_http2' do + on_supported_os.each do |os, os_facts| + context "on #{os}" do + let(:facts) { os_facts } + + it { is_expected.to compile.with_all_deps } + it { is_expected.to contain_class('apache::mod::proxy') } + it { is_expected.to contain_apache__mod('proxy_http2') } + end + end +end diff --git a/spec/classes/mod/proxy_http_spec.rb b/spec/classes/mod/proxy_http_spec.rb new file mode 100644 index 0000000000..85a63317a2 --- /dev/null +++ b/spec/classes/mod/proxy_http_spec.rb @@ -0,0 +1,15 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::mod::proxy_http' do + on_supported_os.each do |os, os_facts| + context "on #{os}" do + let(:facts) { os_facts } + + it { is_expected.to compile.with_all_deps } + it { is_expected.to contain_class('apache::mod::proxy') } + it { is_expected.to contain_apache__mod('proxy_http') } + end + end +end diff --git a/spec/classes/mod/proxy_spec.rb b/spec/classes/mod/proxy_spec.rb new file mode 100644 index 0000000000..c14240353e --- /dev/null +++ b/spec/classes/mod/proxy_spec.rb @@ -0,0 +1,26 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::mod::proxy', type: :class do + it_behaves_like 'a mod class, without including apache' + + on_supported_os.each do |os, os_facts| + context "On #{os}" do + let :facts do + os_facts + end + + it { is_expected.to contain_file('proxy.conf').with_content(%r{ProxyRequests Off}) } + it { is_expected.to contain_file('proxy.conf').without_content(%r{ProxyTimeout}) } + + context 'with parameters set' do + let(:params) do + { proxy_timeout: 12_345 } + end + + it { is_expected.to contain_file('proxy.conf').with_content(%r{ProxyTimeout 12345}) } + end + end + end +end diff --git a/spec/classes/mod/proxy_wstunnel.rb b/spec/classes/mod/proxy_wstunnel.rb new file mode 100644 index 0000000000..4626d539c4 --- /dev/null +++ b/spec/classes/mod/proxy_wstunnel.rb @@ -0,0 +1,7 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::mod::proxy_wstunnel', type: :class do + it_behaves_like 'a mod class, without including apache' +end diff --git a/spec/classes/mod/python_spec.rb b/spec/classes/mod/python_spec.rb index 09e8cc2f94..4fe137226c 100644 --- a/spec/classes/mod/python_spec.rb +++ b/spec/classes/mod/python_spec.rb @@ -1,29 +1,48 @@ -describe 'apache::mod::python', :type => :class do - let :pre_condition do - 'include apache' +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::mod::python', type: :class do + it_behaves_like 'a mod class, without including apache' + + context 'on a Debian OS' do + include_examples 'Debian 11' + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_apache__mod('python') } + it { is_expected.to contain_package('libapache2-mod-python') } end - context "on a Debian OS" do - let :facts do - { - :osfamily => 'Debian', - :operatingsystemrelease => '6', - :concat_basedir => '/dne', - } + + context 'on a RedHat OS' do + include_examples 'RedHat 8' + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_apache__mod('python') } + it { is_expected.to contain_package('mod_python') } + it { is_expected.to contain_file('python.load').with_path('/etc/httpd/conf.modules.d/python.load') } + + describe 'with loadfile_name specified' do + let :params do + { loadfile_name: 'FooBar' } + end + + it { is_expected.to contain_file('FooBar').with_path('/etc/httpd/conf.modules.d/FooBar') } end - it { should include_class("apache::params") } - it { should contain_apache__mod("python") } - it { should contain_package("libapache2-mod-python") } end - context "on a RedHat OS" do - let :facts do - { - :osfamily => 'RedHat', - :operatingsystemrelease => '6', - :concat_basedir => '/dne', - } - end - it { should include_class("apache::params") } - it { should contain_apache__mod("python") } - it { should contain_package("mod_python") } + + context 'on a FreeBSD OS' do + include_examples 'FreeBSD 9' + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_apache__mod('python') } + it { is_expected.to contain_package('www/mod_python3') } + end + + context 'on a Gentoo OS' do + include_examples 'Gentoo' + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_apache__mod('python') } + it { is_expected.to contain_package('www-apache/mod_python') } end end diff --git a/spec/classes/mod/remoteip_spec.rb b/spec/classes/mod/remoteip_spec.rb new file mode 100644 index 0000000000..2ab7ee72aa --- /dev/null +++ b/spec/classes/mod/remoteip_spec.rb @@ -0,0 +1,117 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::mod::remoteip', type: :class do + context 'on a Debian OS' do + include_examples 'Debian 11' + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_apache__mod('remoteip') } + + it { + expect(subject).to contain_file('remoteip.conf').with('path' => '/etc/apache2/mods-available/remoteip.conf') + } + + describe 'with header X-Forwarded-For' do + let :params do + { header: 'X-Forwarded-For' } + end + + it { is_expected.to contain_file('remoteip.conf').with_content(%r{^RemoteIPHeader X-Forwarded-For$}) } + end + + describe 'with internal_proxy => [ 10.42.17.8, 10.42.18.99 ]' do + let :params do + { internal_proxy: ['10.42.17.8', '10.42.18.99'] } + end + + it { is_expected.to contain_file('remoteip.conf').with_content(%r{^RemoteIPInternalProxy 10.42.17.8$}) } + it { is_expected.to contain_file('remoteip.conf').with_content(%r{^RemoteIPInternalProxy 10.42.18.99$}) } + end + + describe 'with IPv4 CIDR in internal_proxy => [ 192.168.1.0/24 ]' do + let :params do + { internal_proxy: ['192.168.1.0/24'] } + end + + it { is_expected.to contain_file('remoteip.conf').with_content(%r{^RemoteIPInternalProxy 192.168.1.0/24$}) } + end + + describe 'with IPv6 CIDR in internal_proxy => [ fd00:fd00:fd00:2000::/64 ]' do + let :params do + { internal_proxy: ['fd00:fd00:fd00:2000::/64'] } + end + + it { is_expected.to contain_file('remoteip.conf').with_content(%r{^RemoteIPInternalProxy fd00:fd00:fd00:2000::/64$}) } + end + + describe 'with proxy_ips => [ 10.42.17.8, 10.42.18.99 ]' do + let :params do + { proxy_ips: ['10.42.17.8', '10.42.18.99'] } + end + + it { is_expected.to contain_file('remoteip.conf').with_content(%r{^RemoteIPInternalProxy 10.42.17.8$}) } + it { is_expected.to contain_file('remoteip.conf').with_content(%r{^RemoteIPInternalProxy 10.42.18.99$}) } + end + + describe 'with IPv4 CIDR in proxy_ips => [ 192.168.1.0/24 ]' do + let :params do + { proxy_ips: ['192.168.1.0/24'] } + end + + it { is_expected.to contain_file('remoteip.conf').with_content(%r{^RemoteIPInternalProxy 192.168.1.0/24$}) } + end + + describe 'with IPv6 CIDR in proxy_ips => [ fd00:fd00:fd00:2000::/64 ]' do + let :params do + { proxy_ips: ['fd00:fd00:fd00:2000::/64'] } + end + + it { is_expected.to contain_file('remoteip.conf').with_content(%r{^RemoteIPInternalProxy fd00:fd00:fd00:2000::/64$}) } + end + + describe 'with trusted_proxy => [ 10.42.17.8, 10.42.18.99 ]' do + let :params do + { trusted_proxy: ['10.42.17.8', '10.42.18.99'] } + end + + it { is_expected.to contain_file('remoteip.conf').with_content(%r{^RemoteIPTrustedProxy 10.42.17.8$}) } + it { is_expected.to contain_file('remoteip.conf').with_content(%r{^RemoteIPTrustedProxy 10.42.18.99$}) } + end + + describe 'with trusted_proxy_ips => [ 10.42.17.8, 10.42.18.99 ]' do + let :params do + { trusted_proxy: ['10.42.17.8', '10.42.18.99'] } + end + + it { is_expected.to contain_file('remoteip.conf').with_content(%r{^RemoteIPTrustedProxy 10.42.17.8$}) } + it { is_expected.to contain_file('remoteip.conf').with_content(%r{^RemoteIPTrustedProxy 10.42.18.99$}) } + end + + describe 'with proxy_protocol_exceptions => [ 10.42.17.8, 10.42.18.99 ]' do + let :params do + { proxy_protocol_exceptions: ['10.42.17.8', '10.42.18.99'] } + end + + it { is_expected.to contain_file('remoteip.conf').with_content(%r{^RemoteIPProxyProtocolExceptions 10.42.17.8$}) } + it { is_expected.to contain_file('remoteip.conf').with_content(%r{^RemoteIPProxyProtocolExceptions 10.42.18.99$}) } + end + + describe 'with IPv4 CIDR in proxy_protocol_exceptions => [ 192.168.1.0/24 ]' do + let :params do + { proxy_protocol_exceptions: ['192.168.1.0/24'] } + end + + it { is_expected.to contain_file('remoteip.conf').with_content(%r{^RemoteIPProxyProtocolExceptions 192.168.1.0/24$}) } + end + + describe 'with IPv6 CIDR in proxy_protocol_exceptions => [ fd00:fd00:fd00:2000::/64 ]' do + let :params do + { proxy_protocol_exceptions: ['fd00:fd00:fd00:2000::/64'] } + end + + it { is_expected.to contain_file('remoteip.conf').with_content(%r{^RemoteIPProxyProtocolExceptions fd00:fd00:fd00:2000::/64$}) } + end + end +end diff --git a/spec/classes/mod/reqtimeout_spec.rb b/spec/classes/mod/reqtimeout_spec.rb new file mode 100644 index 0000000000..63b3415fc4 --- /dev/null +++ b/spec/classes/mod/reqtimeout_spec.rb @@ -0,0 +1,126 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::mod::reqtimeout', type: :class do + it_behaves_like 'a mod class, without including apache' + context 'on a Debian OS' do + include_examples 'Debian 11' + + context 'passing no parameters' do + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_apache__mod('reqtimeout') } + it { is_expected.to contain_file('reqtimeout.conf').with_content(%r{^RequestReadTimeout header=20-40,minrate=500\nRequestReadTimeout body=10,minrate=500$}) } + end + + context "passing timeouts => ['header=20-60,minrate=600', 'body=60,minrate=600']" do + let :params do + { timeouts: ['header=20-60,minrate=600', 'body=60,minrate=600'] } + end + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_apache__mod('reqtimeout') } + it { is_expected.to contain_file('reqtimeout.conf').with_content(%r{^RequestReadTimeout header=20-60,minrate=600\nRequestReadTimeout body=60,minrate=600$}) } + end + + context "passing timeouts => 'header=20-60,minrate=600'" do + let :params do + { timeouts: 'header=20-60,minrate=600' } + end + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_apache__mod('reqtimeout') } + it { is_expected.to contain_file('reqtimeout.conf').with_content(%r{^RequestReadTimeout header=20-60,minrate=600$}) } + end + end + + context 'on a RedHat OS' do + include_examples 'RedHat 8' + + context 'passing no parameters' do + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_apache__mod('reqtimeout') } + it { is_expected.to contain_file('reqtimeout.conf').with_content(%r{^RequestReadTimeout header=20-40,minrate=500\nRequestReadTimeout body=10,minrate=500$}) } + end + + context "passing timeouts => ['header=20-60,minrate=600', 'body=60,minrate=600']" do + let :params do + { timeouts: ['header=20-60,minrate=600', 'body=60,minrate=600'] } + end + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_apache__mod('reqtimeout') } + it { is_expected.to contain_file('reqtimeout.conf').with_content(%r{^RequestReadTimeout header=20-60,minrate=600\nRequestReadTimeout body=60,minrate=600$}) } + end + + context "passing timeouts => 'header=20-60,minrate=600'" do + let :params do + { timeouts: 'header=20-60,minrate=600' } + end + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_apache__mod('reqtimeout') } + it { is_expected.to contain_file('reqtimeout.conf').with_content(%r{^RequestReadTimeout header=20-60,minrate=600$}) } + end + end + + context 'on a FreeBSD OS' do + include_examples 'FreeBSD 9' + + context 'passing no parameters' do + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_apache__mod('reqtimeout') } + it { is_expected.to contain_file('reqtimeout.conf').with_content(%r{^RequestReadTimeout header=20-40,minrate=500\nRequestReadTimeout body=10,minrate=500$}) } + end + + context "passing timeouts => ['header=20-60,minrate=600', 'body=60,minrate=600']" do + let :params do + { timeouts: ['header=20-60,minrate=600', 'body=60,minrate=600'] } + end + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_apache__mod('reqtimeout') } + it { is_expected.to contain_file('reqtimeout.conf').with_content(%r{^RequestReadTimeout header=20-60,minrate=600\nRequestReadTimeout body=60,minrate=600$}) } + end + + context "passing timeouts => 'header=20-60,minrate=600'" do + let :params do + { timeouts: 'header=20-60,minrate=600' } + end + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_apache__mod('reqtimeout') } + it { is_expected.to contain_file('reqtimeout.conf').with_content(%r{^RequestReadTimeout header=20-60,minrate=600$}) } + end + end + + context 'on a Gentoo OS' do + include_examples 'Gentoo' + + context 'passing no parameters' do + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_apache__mod('reqtimeout') } + it { is_expected.to contain_file('reqtimeout.conf').with_content(%r{^RequestReadTimeout header=20-40,minrate=500\nRequestReadTimeout body=10,minrate=500$}) } + end + + context "passing timeouts => ['header=20-60,minrate=600', 'body=60,minrate=600']" do + let :params do + { timeouts: ['header=20-60,minrate=600', 'body=60,minrate=600'] } + end + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_apache__mod('reqtimeout') } + it { is_expected.to contain_file('reqtimeout.conf').with_content(%r{^RequestReadTimeout header=20-60,minrate=600\nRequestReadTimeout body=60,minrate=600$}) } + end + + context "passing timeouts => 'header=20-60,minrate=600'" do + let :params do + { timeouts: 'header=20-60,minrate=600' } + end + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_apache__mod('reqtimeout') } + it { is_expected.to contain_file('reqtimeout.conf').with_content(%r{^RequestReadTimeout header=20-60,minrate=600$}) } + end + end +end diff --git a/spec/classes/mod/rpaf_spec.rb b/spec/classes/mod/rpaf_spec.rb new file mode 100644 index 0000000000..27b1dfdf93 --- /dev/null +++ b/spec/classes/mod/rpaf_spec.rb @@ -0,0 +1,120 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::mod::rpaf', type: :class do + it_behaves_like 'a mod class, without including apache' + context 'on a Debian OS' do + include_examples 'Debian 11' + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_apache__mod('rpaf') } + it { is_expected.to contain_package('libapache2-mod-rpaf') } + + it { + expect(subject).to contain_file('rpaf.conf').with('path' => '/etc/apache2/mods-available/rpaf.conf') + } + + it { is_expected.to contain_file('rpaf.conf').with_content(%r{^RPAFenable On$}) } + + describe 'with sethostname => true' do + let :params do + { sethostname: 'true' } + end + + it { is_expected.to contain_file('rpaf.conf').with_content(%r{^RPAFsethostname On$}) } + end + + describe 'with proxy_ips => [ 10.42.17.8, 10.42.18.99 ]' do + let :params do + { proxy_ips: ['10.42.17.8', '10.42.18.99'] } + end + + it { is_expected.to contain_file('rpaf.conf').with_content(%r{^RPAFproxy_ips 10.42.17.8 10.42.18.99$}) } + end + + describe 'with header => X-Real-IP' do + let :params do + { header: 'X-Real-IP' } + end + + it { is_expected.to contain_file('rpaf.conf').with_content(%r{^RPAFheader X-Real-IP$}) } + end + end + + context 'on a FreeBSD OS' do + include_examples 'FreeBSD 9' + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_apache__mod('rpaf') } + it { is_expected.to contain_package('www/mod_rpaf2') } + + it { + expect(subject).to contain_file('rpaf.conf').with('path' => '/usr/local/etc/apache24/Modules/rpaf.conf') + } + + it { is_expected.to contain_file('rpaf.conf').with_content(%r{^RPAFenable On$}) } + + describe 'with sethostname => true' do + let :params do + { sethostname: 'true' } + end + + it { is_expected.to contain_file('rpaf.conf').with_content(%r{^RPAFsethostname On$}) } + end + + describe 'with proxy_ips => [ 10.42.17.8, 10.42.18.99 ]' do + let :params do + { proxy_ips: ['10.42.17.8', '10.42.18.99'] } + end + + it { is_expected.to contain_file('rpaf.conf').with_content(%r{^RPAFproxy_ips 10.42.17.8 10.42.18.99$}) } + end + + describe 'with header => X-Real-IP' do + let :params do + { header: 'X-Real-IP' } + end + + it { is_expected.to contain_file('rpaf.conf').with_content(%r{^RPAFheader X-Real-IP$}) } + end + end + + context 'on a Gentoo OS' do + include_examples 'Gentoo' + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_apache__mod('rpaf') } + it { is_expected.to contain_package('www-apache/mod_rpaf') } + + it { + expect(subject).to contain_file('rpaf.conf').with('path' => '/etc/apache2/modules.d/rpaf.conf') + } + + it { is_expected.to contain_file('rpaf.conf').with_content(%r{^RPAFenable On$}) } + + describe 'with sethostname => true' do + let :params do + { sethostname: 'true' } + end + + it { is_expected.to contain_file('rpaf.conf').with_content(%r{^RPAFsethostname On$}) } + end + + describe 'with proxy_ips => [ 10.42.17.8, 10.42.18.99 ]' do + let :params do + { proxy_ips: ['10.42.17.8', '10.42.18.99'] } + end + + it { is_expected.to contain_file('rpaf.conf').with_content(%r{^RPAFproxy_ips 10.42.17.8 10.42.18.99$}) } + end + + describe 'with header => X-Real-IP' do + let :params do + { header: 'X-Real-IP' } + end + + it { is_expected.to contain_file('rpaf.conf').with_content(%r{^RPAFheader X-Real-IP$}) } + end + end +end diff --git a/spec/classes/mod/security_spec.rb b/spec/classes/mod/security_spec.rb new file mode 100644 index 0000000000..1263777670 --- /dev/null +++ b/spec/classes/mod/security_spec.rb @@ -0,0 +1,387 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::mod::security', type: :class do + on_supported_os.each do |os, facts| + context "on #{os}" do + let :facts do + facts + end + + case facts[:os]['family'] + when 'Suse' + context 'on Suse based systems' do + it { + expect(subject).to contain_file('security.conf') + .with_content(%r{^\s+SecTmpDir /var/lib/mod_security$}) + } + end + when 'RedHat' + context 'on RedHat based systems' do + it { + expect(subject).to contain_apache__mod('security').with( + id: 'security2_module', + lib: 'mod_security2.so', + ) + } + + it { + expect(subject).to contain_apache__mod('unique_id').with( + id: 'unique_id_module', + lib: 'mod_unique_id.so', + ) + } + + it { is_expected.to contain_package('mod_security_crs') } + + if (facts[:os]['release']['major'].to_i > 6 && facts[:os]['release']['major'].to_i <= 7) || (facts[:os]['release']['major'].to_i >= 8) + it { + expect(subject).to contain_file('security.conf').with( + path: '/etc/httpd/conf.modules.d/security.conf', + ) + } + end + + it { + expect(subject).to contain_file('security.conf') + .with_content(%r{^\s+SecAuditLogRelevantStatus "\^\(\?:5\|4\(\?!04\)\)"$}) + .with_content(%r{^\s+SecAuditLogParts ABIJDEFHZ$}) + .with_content(%r{^\s+SecAuditLogType Serial$}) + .with_content(%r{^\s+SecDebugLog /var/log/httpd/modsec_debug.log$}) + .with_content(%r{^\s+SecAuditLog /var/log/httpd/modsec_audit.log$}) + .with_content(%r{^\s+SecTmpDir /var/lib/mod_security$}) + } + + it { + expect(subject).to contain_file('/etc/httpd/modsecurity.d').with( + ensure: 'directory', path: '/etc/httpd/modsecurity.d', + owner: 'root', group: 'root', mode: '0755' + ) + } + + it { + expect(subject).to contain_file('/etc/httpd/modsecurity.d/activated_rules').with( + ensure: 'directory', path: '/etc/httpd/modsecurity.d/activated_rules', + owner: 'apache', group: 'apache' + ) + } + + it { + expect(subject).to contain_file('/etc/httpd/modsecurity.d/security_crs.conf').with( + path: '/etc/httpd/modsecurity.d/security_crs.conf', + ) + } + + if facts[:os]['release']['major'].to_i <= 7 + it { is_expected.to contain_apache__security__rule_link('base_rules/modsecurity_35_bad_robots.data') } + + it { + expect(subject).to contain_file('modsecurity_35_bad_robots.data').with( + path: '/etc/httpd/modsecurity.d/activated_rules/modsecurity_35_bad_robots.data', + target: '/usr/lib/modsecurity.d/base_rules/modsecurity_35_bad_robots.data', + ) + } + else + it { is_expected.to contain_apache__security__rule_link('rules/crawlers-user-agents.data') } + + it { + expect(subject).to contain_file('crawlers-user-agents.data').with( + path: '/etc/httpd/modsecurity.d/activated_rules/crawlers-user-agents.data', + target: '/usr/share/mod_modsecurity_crs/rules/crawlers-user-agents.data', + ) + } + end + + describe 'with parameters' do + let :params do + { + activated_rules: [ + '/tmp/foo/bar.conf', + ], + audit_log_relevant_status: '^(?:5|4(?!01|04))', + audit_log_parts: 'ABCDZ', + audit_log_type: 'Concurrent', + audit_log_format: 'JSON', + audit_log_storage_dir: '/var/log/httpd/audit', + debug_log_level: 3, + secdefaultaction: 'deny,status:406,nolog,auditlog', + secrequestbodyaccess: 'Off', + secresponsebodyaccess: 'On', + secrequestbodylimitaction: 'ProcessPartial', + secresponsebodylimitaction: 'Reject' + } + end + + it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecAuditLogRelevantStatus "\^\(\?:5\|4\(\?!01\|04\)\)"$} } + it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecAuditLogParts ABCDZ$} } + it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecAuditLogType Concurrent$} } + it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecAuditLogFormat JSON$} } + it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecAuditLogStorageDir /var/log/httpd/audit$} } + it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecRequestBodyAccess Off$} } + it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecDebugLogLevel 3$} } + it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecResponseBodyAccess On$} } + it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecRequestBodyLimitAction ProcessPartial$} } + it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecResponseBodyLimitAction Reject$} } + it { is_expected.to contain_file('/etc/httpd/modsecurity.d/security_crs.conf').with_content %r{^\s*SecDefaultAction "phase:2,deny,status:406,nolog,auditlog"$} } + + it { + expect(subject).to contain_file('bar.conf').with( + path: '/etc/httpd/modsecurity.d/activated_rules/bar.conf', + target: '/tmp/foo/bar.conf', + ) + } + end + + describe 'with other modsec parameters' do + let :params do + { + manage_security_crs: false + } + end + + it { is_expected.not_to contain_file('/etc/httpd/modsecurity.d/security_crs.conf') } + end + + describe 'with custom parameters' do + let :params do + { + custom_rules: false + } + end + + it { + expect(subject).not_to contain_file('/etc/httpd/modsecurity.d/custom_rules/custom_01_rules.conf') + } + end + + describe 'with parameters' do + let :params do + { + custom_rules: true, + custom_rules_set: ['REMOTE_ADDR "^127.0.0.1" "id:199999,phase:1,nolog,allow,ctl:ruleEngine=off"'] + } + end + + it { + expect(subject).to contain_file('/etc/httpd/modsecurity.d/custom_rules').with( + ensure: 'directory', path: '/etc/httpd/modsecurity.d/custom_rules', + owner: 'apache', group: 'apache' + ) + } + + it { is_expected.to contain_file('/etc/httpd/modsecurity.d/custom_rules/custom_01_rules.conf').with_content %r{^\s*.*"id:199999,phase:1,nolog,allow,ctl:ruleEngine=off"$} } + end + + describe 'with CRS parameters' do + let :params do + { + paranoia_level: 1, + executing_paranoia_level: 2, + enable_dos_protection: true, + dos_burst_time_slice: 30, + dos_counter_threshold: 120, + dos_block_timeout: 300 + } + end + + if facts[:os]['release']['major'].to_i < 8 && facts[:os]['family'] == 'RedHat' + it { + expect(subject).to contain_file('/etc/httpd/modsecurity.d/security_crs.conf').with_content \ + %r{ + ^SecAction\ \\\n + \ \ "id:'900001',\ \\\n + \ \ phase:1,\ \\\n + \ \ t:none,\ \\\n + \ \ setvar:tx.critical_anomaly_score=5,\ \\\n + \ \ setvar:tx.error_anomaly_score=4,\ \\\n + \ \ setvar:tx.warning_anomaly_score=3,\ \\\n + \ \ setvar:tx.notice_anomaly_score=2,\ \\\n + \ \ nolog,\ \\\n + \ \ pass"$ + }x + } + else + it { + expect(subject).to contain_file('/etc/httpd/modsecurity.d/security_crs.conf').with_content \ + %r{^SecAction \\\n\s+"id:900000,\\\n\s+phase:1,\\\n\s+nolog,\\\n\s+pass,\\\n\s+t:none,\\\n\s+setvar:tx.paranoia_level=1"$} + expect(subject).to contain_file('/etc/httpd/modsecurity.d/security_crs.conf').with_content \ + %r{^SecAction \\\n\s+"id:900001,\\\n\s+phase:1,\\\n\s+nolog,\\\n\s+pass,\\\n\s+t:none,\\\n\s+setvar:tx.executing_paranoia_level=2"$} + expect(subject).to contain_file('/etc/httpd/modsecurity.d/security_crs.conf').with_content \ + %r{ + ^SecAction\ \\\n + \s+"id:900700,\\\n + \s+phase:1,\\\n + \s+nolog,\\\n + \s+pass,\\\n + \s+t:none,\\\n + \s+setvar:'tx.dos_burst_time_slice=30',\\\n + \s+setvar:'tx.dos_counter_threshold=120',\\\n + \s+setvar:'tx.dos_block_timeout=300'"$ + }x + } + end + end + + describe 'with invalid CRS parameters' do + let :params do + { + paranoia_level: 2, + executing_paranoia_level: 1 + } + end + + it { + expect(subject).to compile.and_raise_error(%r{Executing paranoia level cannot be lower than paranoia level}) + } + end + end + when 'Debian' + context 'on Debian based systems' do + it { + expect(subject).to contain_apache__mod('security').with( + id: 'security2_module', + lib: 'mod_security2.so', + ) + } + + it { + expect(subject).to contain_apache__mod('unique_id').with( + id: 'unique_id_module', + lib: 'mod_unique_id.so', + ) + } + + it { is_expected.to contain_package('modsecurity-crs') } + + it { + expect(subject).to contain_file('security.conf').with( + path: '/etc/apache2/mods-available/security.conf', + ) + } + + it { + expect(subject).to contain_file('security.conf') + .with_content(%r{^\s+SecAuditLogRelevantStatus "\^\(\?:5\|4\(\?!04\)\)"$}) + .with_content(%r{^\s+SecAuditLogParts ABIJDEFHZ$}) + .with_content(%r{^\s+SecAuditLogType Serial$}) + .with_content(%r{^\s+SecDebugLog /var/log/apache2/modsec_debug.log$}) + .with_content(%r{^\s+SecAuditLog /var/log/apache2/modsec_audit.log$}) + .with_content(%r{^\s+SecTmpDir /var/cache/modsecurity$}) + } + + it { + expect(subject).to contain_file('/etc/modsecurity').with( + ensure: 'directory', path: '/etc/modsecurity', + owner: 'root', group: 'root', mode: '0755' + ) + } + + it { + expect(subject).to contain_file('/etc/modsecurity/activated_rules').with( + ensure: 'directory', path: '/etc/modsecurity/activated_rules', + owner: 'www-data', group: 'www-data' + ) + } + + it { + expect(subject).to contain_file('/etc/modsecurity/security_crs.conf').with( + path: '/etc/modsecurity/security_crs.conf', + ) + } + + describe 'with custom parameters' do + let :params do + { + custom_rules: false + } + end + + it { + expect(subject).not_to contain_file('/etc/modsecurity/custom_rules/custom_01_rules.conf') + } + end + + describe 'with parameters' do + let :params do + { + custom_rules: true, + custom_rules_set: ['REMOTE_ADDR "^127.0.0.1" "id:199999,phase:1,nolog,allow,ctl:ruleEngine=off"'] + } + end + + it { + expect(subject).to contain_file('/etc/modsecurity/custom_rules').with( + ensure: 'directory', path: '/etc/modsecurity/custom_rules', + owner: 'www-data', group: 'www-data' + ) + } + + it { is_expected.to contain_file('/etc/modsecurity/custom_rules/custom_01_rules.conf').with_content %r{\s*.*"id:199999,phase:1,nolog,allow,ctl:ruleEngine=off"$} } + end + + describe 'with mod security version' do + let :params do + { + version: 2 + } + end + + it { is_expected.to contain_apache__mod('security2') } + + it { + expect(subject).to contain_file('security.conf').with( + path: '/etc/apache2/mods-available/security2.conf', + ) + } + end + + describe 'with CRS parameters' do + let :params do + { + paranoia_level: 1, + executing_paranoia_level: 1, + enable_dos_protection: true, + dos_burst_time_slice: 30, + dos_counter_threshold: 120, + dos_block_timeout: 300 + } + end + + it { + expect(subject).to contain_file('/etc/modsecurity/security_crs.conf').with_content \ + %r{^SecAction \\\n\s+"id:900000,\\\n\s+phase:1,\\\n\s+nolog,\\\n\s+pass,\\\n\s+t:none,\\\n\s+setvar:tx.paranoia_level=1"$} + expect(subject).to contain_file('/etc/modsecurity/security_crs.conf').with_content \ + %r{^SecAction \\\n\s+"id:900001,\\\n\s+phase:1,\\\n\s+nolog,\\\n\s+pass,\\\n\s+t:none,\\\n\s+setvar:tx.executing_paranoia_level=1"$} + expect(subject).to contain_file('/etc/modsecurity/security_crs.conf').with_content \ + %r{ + ^SecAction\ \\\n + \s+"id:900700,\\\n + \s+phase:1,\\\n + \s+nolog,\\\n + \s+pass,\\\n + \s+t:none,\\\n + \s+setvar:'tx.dos_burst_time_slice=30',\\\n + \s+setvar:'tx.dos_counter_threshold=120',\\\n + \s+setvar:'tx.dos_block_timeout=300'"$ + }x + } + end + + describe 'with invalid CRS parameters' do + let :params do + { + paranoia_level: 2, + executing_paranoia_level: 1 + } + end + + it { + expect(subject).to compile.and_raise_error(%r{Executing paranoia level cannot be lower than paranoia level}) + } + end + end + end + end + end +end diff --git a/spec/classes/mod/shib_spec.rb b/spec/classes/mod/shib_spec.rb new file mode 100644 index 0000000000..92168a7d56 --- /dev/null +++ b/spec/classes/mod/shib_spec.rb @@ -0,0 +1,22 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::mod::shib', type: :class do + it_behaves_like 'a mod class, without including apache' + context 'on a Debian OS' do + include_examples 'Debian 11' + + describe 'with no parameters' do + it { is_expected.to contain_apache__mod('shib2').with_id('mod_shib') } + end + end + + context 'on a RedHat OS' do + include_examples 'RedHat 8' + + describe 'with no parameters' do + it { is_expected.to contain_apache__mod('shib2').with_id('mod_shib') } + end + end +end diff --git a/spec/classes/mod/speling_spec.rb b/spec/classes/mod/speling_spec.rb new file mode 100644 index 0000000000..1ba5bf0389 --- /dev/null +++ b/spec/classes/mod/speling_spec.rb @@ -0,0 +1,18 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::mod::speling', type: :class do + it_behaves_like 'a mod class, without including apache' + context 'on a Debian OS' do + include_examples 'Debian 11' + + it { is_expected.to contain_apache__mod('speling') } + end + + context 'on a RedHat OS' do + include_examples 'RedHat 8' + + it { is_expected.to contain_apache__mod('speling') } + end +end diff --git a/spec/classes/mod/ssl_spec.rb b/spec/classes/mod/ssl_spec.rb index f58dde265c..a424c3ee06 100644 --- a/spec/classes/mod/ssl_spec.rb +++ b/spec/classes/mod/ssl_spec.rb @@ -1,41 +1,324 @@ -describe 'apache::mod::ssl', :type => :class do - let :pre_condition do - 'include apache' - end +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::mod::ssl', type: :class do + it_behaves_like 'a mod class, without including apache' context 'on an unsupported OS' do - let :facts do - { - :osfamily => 'Magic', - :operatingsystemrelease => '0', - :concat_basedir => '/dne', - } - end - it { expect { subject }.to raise_error(Puppet::Error, /Unsupported osfamily:/) } + include_examples 'Unsupported OS' + + it { is_expected.to compile.and_raise_error(%r{Unsupported osfamily:}) } end - context 'on a RedHat OS' do - let :facts do - { - :osfamily => 'RedHat', - :operatingsystemrelease => '6', - :concat_basedir => '/dne', + context 'on a RedHat' do + context '8 OS' do + include_examples 'RedHat 8' + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_apache__mod('ssl') } + it { is_expected.to contain_package('mod_ssl') } + + it { + expect(subject).to contain_file('ssl.conf') + .with_path('/etc/httpd/conf.modules.d/ssl.conf') + .without_content(%r{SSLProtocol}) + .with_content(%r{^ SSLCipherSuite PROFILE=SYSTEM$}) + .with_content(%r{^ SSLProxyCipherSuite PROFILE=SYSTEM$}) } + + context 'with ssl_proxy_cipher_suite' do + let(:params) do + { + ssl_proxy_cipher_suite: 'HIGH' + } + end + + it { is_expected.to contain_file('ssl.conf').with_content(%r{SSLProxyCipherSuite HIGH}) } + end + + context 'with empty ssl_protocol' do + let(:params) do + { + ssl_protocol: [] + } + end + + it { is_expected.to contain_file('ssl.conf').without_content(%r{SSLProtocol}) } + end + + context 'ciphers with ssl_protocol' do + let(:params) do + { + ssl_cipher: { + 'TLSv1.1' => 'RSA:!EXP:!NULL:+HIGH:+MEDIUM', + 'TLSv1.2' => 'RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW' + } + } + end + + it { is_expected.to contain_file('ssl.conf').without_content(%r{ SSLCipherSuite TLSv1.1 RSA:!EXP:!NULL:+HIGH:+MEDIUM}) } + it { is_expected.to contain_file('ssl.conf').without_content(%r{ SSLCipherSuite TLSv1.2 RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW}) } + end + end + + context '7 OS with custom directories for PR#1635' do + include_examples 'RedHat 7' + let :pre_condition do + "class { 'apache': + confd_dir => '/etc/httpd/conf.puppet.d', + default_mods => false, + default_vhost => false, + mod_dir => '/etc/httpd/conf.modules.puppet.d', + vhost_dir => '/etc/httpd/conf.puppet.d', + }" + end + + it { is_expected.to contain_package('mod_ssl') } + it { is_expected.to contain_file('ssl.conf').with_path('/etc/httpd/conf.puppet.d/ssl.conf') } end - it { should include_class('apache::params') } - it { should contain_apache__mod('ssl') } - it { should contain_package('mod_ssl') } end context 'on a Debian OS' do - let :facts do - { - :osfamily => 'Debian', - :operatingsystemrelease => '6', - :concat_basedir => '/dne', - } + include_examples 'Debian 11' + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_apache__mod('ssl') } + it { is_expected.not_to contain_package('libapache2-mod-ssl') } + it { is_expected.to contain_file('ssl.conf').with_content(%r{SSLProtocol all -SSLv3}) } + end + + context 'on a FreeBSD OS' do + include_examples 'FreeBSD 9' + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_apache__mod('ssl') } + end + + context 'on a Gentoo OS' do + include_examples 'Gentoo' + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_apache__mod('ssl') } + it { is_expected.to contain_file('ssl.conf').with_content(%r{^ SSLSessionCache "shmcb:/var/run/ssl_scache\(512000\)"$}) } + end + + context 'on a Suse OS' do + include_examples 'SLES 12' + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_apache__mod('ssl') } + it { is_expected.to contain_file('ssl.conf').with_content(%r{^ SSLSessionCache "shmcb:/var/lib/apache2/ssl_scache\(512000\)"$}) } + end + + # Template config doesn't vary by distro + context 'on all distros' do + include_examples 'RedHat 8' + + context 'not setting ssl_pass_phrase_dialog' do + it { is_expected.to contain_file('ssl.conf').with_content(%r{^ SSLPassPhraseDialog builtin$}) } + end + + context 'setting ssl_cert' do + let :params do + { + ssl_cert: '/etc/pki/some/path/localhost.crt' + } + end + + it { is_expected.to contain_file('ssl.conf').with_content(%r{^ SSLCertificateFile}) } + end + + context 'setting ssl_key' do + let :params do + { + ssl_key: '/etc/pki/some/path/localhost.key' + } + end + + it { is_expected.to contain_file('ssl.conf').with_content(%r{^ SSLCertificateKeyFile}) } + end + + context 'setting ssl_ca to a path' do + let :params do + { + ssl_ca: '/etc/pki/some/path/ca.crt' + } + end + + it { is_expected.to contain_file('ssl.conf').with_content(%r{^ SSLCACertificateFile}) } + end + + context 'setting ssl_cert with reload' do + let :params do + { + ssl_cert: '/etc/pki/some/path/localhost.crt', + ssl_reload_on_change: true + } + end + + it { is_expected.to contain_file('ssl.conf').with_content(%r{^ SSLCertificateFile}) } + it { is_expected.to contain_file('_etc_pki_some_path_localhost.crt') } + end + + context 'with default values' do + it { is_expected.not_to contain_file('ssl.conf').with_content(%r{^ SSLCompression Off$}) } + it { is_expected.not_to contain_file('ssl.conf').with_content(%r{^ SSLSessionTickets (Off|On)$}) } + end + + context 'with ssl_compression set to true' do + let :params do + { + ssl_compression: true + } + end + + it { is_expected.to contain_file('ssl.conf').with_content(%r{^ SSLCompression On$}) } + end + + context 'with ssl_sessiontickets set to false' do + let :params do + { + ssl_sessiontickets: false + } + end + + it { is_expected.to contain_file('ssl.conf').with_content(%r{^ SSLSessionTickets Off$}) } + end + + context 'with ssl_stapling set to true' do + let :params do + { + ssl_stapling: true + } + end + + it { is_expected.to contain_file('ssl.conf').with_content(%r{^ SSLUseStapling On$}) } + end + + context 'with ssl_stapling_return_errors set to true' do + let :params do + { + ssl_stapling_return_errors: true + } + end + + it { is_expected.to contain_file('ssl.conf').with_content(%r{^ SSLStaplingReturnResponderErrors On$}) } + end + + context 'with stapling_cache' do + let :params do + { + stapling_cache: '/tmp/customstaplingcache(51200)' + } + end + + it { is_expected.to contain_file('ssl.conf').with_content(%r{^ SSLStaplingCache "shmcb:/tmp/customstaplingcache\(51200\)"$}) } + end + + context 'setting ssl_pass_phrase_dialog' do + let :params do + { + ssl_pass_phrase_dialog: 'exec:/path/to/program' + } + end + + it { is_expected.to contain_file('ssl.conf').with_content(%r{^ SSLPassPhraseDialog exec:/path/to/program$}) } + end + + context 'setting ssl_random_seed_bytes' do + let :params do + { + ssl_random_seed_bytes: 1024 + } + end + + it { is_expected.to contain_file('ssl.conf').with_content(%r{^ SSLRandomSeed startup file:/dev/urandom 1024$}) } + end + + context 'setting ssl_openssl_conf_cmd' do + let :params do + { + ssl_openssl_conf_cmd: 'DHParameters "foo.pem"' + } + end + + it { is_expected.to contain_file('ssl.conf').with_content(%r{^\s+SSLOpenSSLConfCmd DHParameters "foo.pem"$}) } + end + + context 'setting ssl_mutex' do + let :params do + { + ssl_mutex: 'posixsem' + } + end + + it { is_expected.to contain_file('ssl.conf').with_content(%r{^ Mutex posixsem$}) } + end + + context 'setting ssl_sessioncache' do + let :params do + { + ssl_sessioncache: '/tmp/customsessioncache(51200)' + } + end + + it { is_expected.to contain_file('ssl.conf').with_content(%r{^ SSLSessionCache "shmcb:/tmp/customsessioncache\(51200\)"$}) } + end + + context 'setting ssl_proxy_protocol' do + let :params do + { + ssl_proxy_protocol: ['-ALL', '+TLSv1'] + } + end + + it { is_expected.to contain_file('ssl.conf').with_content(%r{^ SSLProxyProtocol -ALL \+TLSv1$}) } + end + + context 'setting ssl_honorcipherorder' do + context 'default value' do + it { is_expected.to contain_file('ssl.conf').with_content(%r{^ SSLHonorCipherOrder On$}) } + end + + context 'force on' do + let :params do + { + ssl_honorcipherorder: true + } + end + + it { is_expected.to contain_file('ssl.conf').with_content(%r{^ SSLHonorCipherOrder On$}) } + end + + context 'force off' do + let :params do + { + ssl_honorcipherorder: false + } + end + + it { is_expected.to contain_file('ssl.conf').with_content(%r{^ SSLHonorCipherOrder Off$}) } + end + + context 'set on' do + let :params do + { + ssl_honorcipherorder: 'on' + } + end + + it { is_expected.to contain_file('ssl.conf').with_content(%r{^ SSLHonorCipherOrder On$}) } + end + + context 'set off' do + let :params do + { + ssl_honorcipherorder: 'off' + } + end + + it { is_expected.to contain_file('ssl.conf').with_content(%r{^ SSLHonorCipherOrder Off$}) } + end end - it { should include_class('apache::params') } - it { should contain_apache__mod('ssl') } - it { should_not contain_package('libapache2-mod-ssl') } end end diff --git a/spec/classes/mod/status_spec.rb b/spec/classes/mod/status_spec.rb new file mode 100644 index 0000000000..5e1a52cd2d --- /dev/null +++ b/spec/classes/mod/status_spec.rb @@ -0,0 +1,192 @@ +# frozen_string_literal: true + +require 'spec_helper' + +def require_directives(requires) + case requires + when :undef + " Require ip 127.0.0.1 ::1\n" + when String + if ['', 'unmanaged'].include? requires.downcase + '' + else + " Require #{requires}\n" + end + when Array + requires.map { |req| " Require #{req}\n" }.join + when Hash + if requires.key?(:enforce) + \ + " \n" + \ + requires[:requires].map { |req| " Require #{req}\n" }.join + \ + " \n" + else + requires[:requires].map { |req| " Require #{req}\n" }.join + end + end +end + +shared_examples 'status_conf_spec_require' do |requires, extended_status, status_path| + expected = + "\n " \ + "SetHandler server-status\n" \ + "#{require_directives(requires)}" \ + "\n" \ + "ExtendedStatus #{extended_status}\n" \ + "\n" \ + "\n " \ + "# Show Proxy LoadBalancer status in mod_status\n " \ + "ProxyStatus On\n" \ + "\n" + it('status conf require') do + expect(subject).to contain_file('status.conf').with_content(expected) + end +end + +describe 'apache::mod::status', type: :class do + it_behaves_like 'a mod class, without including apache' + + context 'default configuration with parameters' do + context 'on a Debian 11 OS' do + include_examples 'Debian 11' + + context 'with default params' do + it { is_expected.to contain_apache__mod('status') } + + include_examples 'status_conf_spec_require', 'ip 127.0.0.1 ::1', 'On', '/server-status' + + it { + expect(subject).to contain_file('status.conf').with(ensure: 'file', + path: '/etc/apache2/mods-available/status.conf') + } + + it { + expect(subject).to contain_file('status.conf symlink').with(ensure: 'link', + path: '/etc/apache2/mods-enabled/status.conf') + } + end + + context "with custom parameters $extended_status => 'Off', $status_path => '/custom-status'" do + let :params do + { + extended_status: 'Off', + status_path: '/custom-status' + } + end + + it { is_expected.to compile } + + include_examples 'status_conf_spec_require', 'ip 127.0.0.1 ::1', 'Off', '/custom-status' + end + + # Only On or Off are valid options + ['On', 'Off'].each do |valid_param| + context "with valid value $extended_status => '#{valid_param}'" do + let :params do + { extended_status: valid_param } + end + + it 'expects to succeed regular expression validation' do + expect(subject).to compile + end + end + end + + ['Yes', 'No'].each do |invalid_param| + context "with invalid value $extended_status => '#{invalid_param}'" do + let :params do + { extended_status: invalid_param } + end + + it 'expects to fail regular expression validation' do + expect(subject).to compile.and_raise_error(%r{extended_status}) + end + end + end + end + + context 'on a RedHat 8 OS' do + include_examples 'RedHat 8' + + context 'with default params' do + it { is_expected.to contain_apache__mod('status') } + + include_examples 'status_conf_spec_require', 'ip 127.0.0.1 ::1', 'On', '/server-status' + + it { is_expected.to contain_file('status.conf').with_path('/etc/httpd/conf.modules.d/status.conf') } + end + end + + valid_requires = { + undef: :undef, + empty: '', + unmanaged: 'unmanaged', + string: 'ip 127.0.0.1 192.168', + array: [ + 'ip 127.0.0.1', + 'ip ::1', + 'host localhost', + ], + hash: { + requires: [ + 'ip 10.1', + 'host somehost', + ] + }, + enforce: { + enforce: 'all', + requires: [ + 'ip 127.0.0.1', + 'host localhost', + ] + } + } + valid_requires.each do |req_key, req_value| + context "with default params and #{req_key} requires" do + let :params do + { + requires: req_value + } + end + + context 'on a Debian 11 OS' do + include_examples 'Debian 11' + + it { is_expected.to contain_apache__mod('status') } + + include_examples 'status_conf_spec_require', req_value, 'On', '/server-status' + + it { + expect(subject).to contain_file('status.conf').with(ensure: 'file', + path: '/etc/apache2/mods-available/status.conf') + } + + it { + expect(subject).to contain_file('status.conf symlink').with(ensure: 'link', + path: '/etc/apache2/mods-enabled/status.conf') + } + end + + context 'on a RedHat 7 OS' do + include_examples 'RedHat 7' + + it { is_expected.to contain_apache__mod('status') } + + include_examples 'status_conf_spec_require', req_value, 'On', '/server-status' + + it { is_expected.to contain_file('status.conf').with_path('/etc/httpd/conf.modules.d/status.conf') } + end + + context 'on a RedHat 8 OS' do + include_examples 'RedHat 8' + + it { is_expected.to contain_apache__mod('status') } + + include_examples 'status_conf_spec_require', req_value, 'On', '/server-status' + + it { is_expected.to contain_file('status.conf').with_path('/etc/httpd/conf.modules.d/status.conf') } + end + end + end + end +end diff --git a/spec/classes/mod/suphp_spec.rb b/spec/classes/mod/suphp_spec.rb deleted file mode 100644 index 2d6517c330..0000000000 --- a/spec/classes/mod/suphp_spec.rb +++ /dev/null @@ -1,27 +0,0 @@ -describe 'apache::mod::suphp', :type => :class do - let :pre_condition do - 'include apache' - end - context "on a Debian OS" do - let :facts do - { - :osfamily => 'Debian', - :operatingsystemrelease => '6', - :concat_basedir => '/dne', - } - end - it { should include_class("apache::params") } - it { should contain_package("libapache2-mod-suphp") } - end - context "on a RedHat OS" do - let :facts do - { - :osfamily => 'RedHat', - :operatingsystemrelease => '6', - :concat_basedir => '/dne', - } - end - it { should include_class("apache::params") } - it { should contain_package("mod_suphp") } - end -end diff --git a/spec/classes/mod/userdir_spec.rb b/spec/classes/mod/userdir_spec.rb new file mode 100644 index 0000000000..a12d5c02fb --- /dev/null +++ b/spec/classes/mod/userdir_spec.rb @@ -0,0 +1,64 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::mod::userdir', type: :class do + context 'on a Debian OS' do + let :pre_condition do + 'class { "apache": + default_mods => false, + mod_dir => "/tmp/junk", + }' + end + + include_examples 'Debian 11' + + context 'default parameters' do + it { is_expected.to compile } + end + + context 'with path set to something' do + let :params do + { + path: '/home/*/*/public_html' + } + end + + it { is_expected.to contain_file('userdir.conf').with_content(%r{^\s*UserDir\s+/home/\*/\*/public_html$}) } + it { is_expected.to contain_file('userdir.conf').with_content(%r{^\s*$}) } + end + + context 'with userdir set to something' do + let :params do + { + path: '/home/*/*/public_html', + userdir: 'public_html' + } + end + + it { is_expected.to contain_file('userdir.conf').with_content(%r{^\s*UserDir\s+public_html$}) } + it { is_expected.to contain_file('userdir.conf').with_content(%r{^\s*$}) } + end + + context 'with unmanaged_path set to true' do + let :params do + { + unmanaged_path: true + } + end + + it { is_expected.to contain_file('userdir.conf').with_content(%r{^\s*UserDir\s+/home/\*/public_html$}) } + it { is_expected.not_to contain_file('userdir.conf').with_content(%r{^\s* :class do +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::mod::worker', type: :class do let :pre_condition do 'class { "apache": mpm_module => false, }' end - context "on a Debian OS" do - let :facts do - { - :osfamily => 'Debian', - :operatingsystemrelease => '6', - :concat_basedir => '/dne', - } - end - it { should include_class("apache::params") } - it { should_not contain_apache__mod('worker') } - it { should contain_file("/etc/apache2/mods-available/worker.conf").with_ensure('file') } - it { should contain_file("/etc/apache2/mods-enabled/worker.conf").with_ensure('link') } - it { should contain_package("apache2-mpm-worker") } + + context 'on a Debian OS' do + include_examples 'Debian 11' + + it { is_expected.to contain_class('apache::params') } + it { is_expected.not_to contain_apache__mod('worker') } + it { is_expected.to contain_file('/etc/apache2/mods-available/worker.conf').with_ensure('file') } + + it { + expect(subject).to contain_file('/etc/apache2/mods-available/worker.load').with('ensure' => 'file', + 'content' => "LoadModule mpm_worker_module /usr/lib/apache2/modules/mod_mpm_worker.so\n") + } + end + + context 'on a RedHat OS' do + include_examples 'RedHat 8' + + it { is_expected.to contain_class('apache::params') } + it { is_expected.not_to contain_apache__mod('worker') } + it { is_expected.not_to contain_apache__mod('event') } + + it { + expect(subject).to contain_file('/etc/httpd/conf.modules.d/worker.load').with('ensure' => 'file', + 'content' => "LoadModule mpm_worker_module modules/mod_mpm_worker.so\n") + } + end + + context 'on a FreeBSD OS' do + include_examples 'FreeBSD 9' + + it { is_expected.to contain_class('apache::params') } + it { is_expected.not_to contain_apache__mod('worker') } + it { is_expected.to contain_file('/usr/local/etc/apache24/Modules/worker.conf').with_ensure('file') } end - context "on a RedHat OS" do - let :facts do - { - :osfamily => 'RedHat', - :operatingsystemrelease => '6', - :concat_basedir => '/dne', - } + + context 'on a Gentoo OS' do + include_examples 'Gentoo' + + it { is_expected.to contain_class('apache::params') } + it { is_expected.not_to contain_apache__mod('worker') } + it { is_expected.to contain_file('/etc/apache2/modules.d/worker.conf').with_ensure('file') } + end + + # Template config doesn't vary by distro + context 'on all distros' do + include_examples 'RedHat 8' + + context 'defaults' do + it { is_expected.to contain_file('/etc/httpd/conf.modules.d/worker.conf').with(content: %r{^$}) } + it { is_expected.to contain_file('/etc/httpd/conf.modules.d/worker.conf').with(content: %r{^\s+ServerLimit\s+25$}) } + it { is_expected.to contain_file('/etc/httpd/conf.modules.d/worker.conf').with(content: %r{^\s+StartServers\s+2$}) } + it { is_expected.to contain_file('/etc/httpd/conf.modules.d/worker.conf').with(content: %r{^\s+MaxRequestWorkers\s+150$}) } + it { is_expected.to contain_file('/etc/httpd/conf.modules.d/worker.conf').with(content: %r{^\s+MinSpareThreads\s+25$}) } + it { is_expected.to contain_file('/etc/httpd/conf.modules.d/worker.conf').with(content: %r{^\s+MaxSpareThreads\s+75$}) } + it { is_expected.to contain_file('/etc/httpd/conf.modules.d/worker.conf').with(content: %r{^\s+ThreadsPerChild\s+25$}) } + it { is_expected.to contain_file('/etc/httpd/conf.modules.d/worker.conf').with(content: %r{^\s+MaxRequestsPerChild\s+0$}) } + it { is_expected.to contain_file('/etc/httpd/conf.modules.d/worker.conf').with(content: %r{^\s+ThreadLimit\s+64$}) } + it { is_expected.to contain_file('/etc/httpd/conf.modules.d/worker.conf').with(content: %r{^\s*ListenBacklog\s*511}) } + end + + context 'setting params' do + let :params do + { + serverlimit: 10, + startservers: 11, + maxrequestworkers: 12, + minsparethreads: 13, + maxsparethreads: 14, + threadsperchild: 15, + maxrequestsperchild: 16, + threadlimit: 17, + listenbacklog: 8 + } + end + + it { is_expected.to contain_file('/etc/httpd/conf.modules.d/worker.conf').with(content: %r{^$}) } + it { is_expected.to contain_file('/etc/httpd/conf.modules.d/worker.conf').with(content: %r{^\s+ServerLimit\s+10$}) } + it { is_expected.to contain_file('/etc/httpd/conf.modules.d/worker.conf').with(content: %r{^\s+StartServers\s+11$}) } + it { is_expected.to contain_file('/etc/httpd/conf.modules.d/worker.conf').with(content: %r{^\s+MaxRequestWorkers\s+12$}) } + it { is_expected.to contain_file('/etc/httpd/conf.modules.d/worker.conf').with(content: %r{^\s+MinSpareThreads\s+13$}) } + it { is_expected.to contain_file('/etc/httpd/conf.modules.d/worker.conf').with(content: %r{^\s+MaxSpareThreads\s+14$}) } + it { is_expected.to contain_file('/etc/httpd/conf.modules.d/worker.conf').with(content: %r{^\s+ThreadsPerChild\s+15$}) } + it { is_expected.to contain_file('/etc/httpd/conf.modules.d/worker.conf').with(content: %r{^\s+MaxRequestsPerChild\s+16$}) } + it { is_expected.to contain_file('/etc/httpd/conf.modules.d/worker.conf').with(content: %r{^\s+ThreadLimit\s+17$}) } + it { is_expected.to contain_file('/etc/httpd/conf.modules.d/worker.conf').with(content: %r{^\s*ListenBacklog\s*8}) } end - it { should include_class("apache::params") } - it { should_not contain_apache__mod('worker') } - it { should contain_file("/etc/httpd/conf.d/worker.conf").with_ensure('file') } - it { should contain_file_line("/etc/sysconfig/httpd worker enable") } end end diff --git a/spec/classes/mod/wsgi_spec.rb b/spec/classes/mod/wsgi_spec.rb index 30ef523e41..d3f9ff24f1 100644 --- a/spec/classes/mod/wsgi_spec.rb +++ b/spec/classes/mod/wsgi_spec.rb @@ -1,42 +1,174 @@ -describe 'apache::mod::wsgi', :type => :class do - let :pre_condition do - 'include apache' +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::mod::wsgi', type: :class do + it_behaves_like 'a mod class, without including apache' + context 'on a Debian OS' do + include_examples 'Debian 11' + + it { is_expected.to contain_class('apache::params') } + + it { + expect(subject).to contain_class('apache::mod::wsgi').with( + 'wsgi_socket_prefix' => nil, + ) + } + + it { is_expected.to contain_package('libapache2-mod-wsgi-py3') } end - context "on a Debian OS" do - let :facts do - { - :osfamily => 'Debian', - :operatingsystemrelease => '6', - :concat_basedir => '/dne', + + context 'on a RedHat OS' do + include_examples 'RedHat 8' + + context 'on RHEL8' do + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_file('wsgi.load').with_content(%r{LoadModule wsgi_module modules/mod_wsgi_python3.so}) } + it { is_expected.to contain_package('python3-mod_wsgi') } + end + + describe 'with WSGIRestrictEmbedded enabled' do + let :params do + { wsgi_restrict_embedded: 'On' } + end + + it { is_expected.to contain_file('wsgi.conf').with_content(%r{^ WSGIRestrictEmbedded On$}) } + end + + describe 'with custom WSGISocketPrefix' do + let :params do + { wsgi_socket_prefix: 'run/wsgi' } + end + + it { is_expected.to contain_file('wsgi.conf').with_content(%r{^ WSGISocketPrefix run/wsgi$}) } + end + + describe 'with custom WSGIPythonHome' do + let :params do + { wsgi_python_home: '/path/to/virtenv' } + end + + it { is_expected.to contain_file('wsgi.conf').with_content(%r{^ WSGIPythonHome "/path/to/virtenv"$}) } + end + + describe 'with custom WSGIApplicationGroup' do + let :params do + { wsgi_application_group: '%{GLOBAL}' } + end + + it { is_expected.to contain_file('wsgi.conf').with_content(%r{^ WSGIApplicationGroup "%{GLOBAL}"$}) } + end + + describe 'with custom WSGIPythonOptimize' do + let :params do + { wsgi_python_optimize: 1 } + end + + it { is_expected.to contain_file('wsgi.conf').with_content(%r{^ WSGIPythonOptimize 1$}) } + end + + describe 'with custom package_name and mod_path' do + let :params do + { + package_name: 'mod_wsgi_package', + mod_path: '/foo/bar/baz' + } + end + + it { + expect(subject).to contain_apache__mod('wsgi').with('package' => 'mod_wsgi_package', + 'path' => '/foo/bar/baz') } + + it { is_expected.to contain_package('mod_wsgi_package') } + it { is_expected.to contain_file('wsgi.load').with_content(%r{LoadModule wsgi_module /foo/bar/baz}) } end - it { should include_class("apache::params") } - it { should contain_apache__mod('wsgi') } - it { should contain_package("libapache2-mod-wsgi") } - end - context "on a RedHat OS" do - let :facts do - { - :osfamily => 'RedHat', - :operatingsystemrelease => '6', - :concat_basedir => '/dne', + + describe 'with custom mod_path not containing /' do + let :params do + { + package_name: 'mod_wsgi_package', + mod_path: 'wsgi_mod_name.so' + } + end + + it { + expect(subject).to contain_apache__mod('wsgi').with('path' => 'modules/wsgi_mod_name.so', + 'package' => 'mod_wsgi_package') } + + it { is_expected.to contain_file('wsgi.load').with_content(%r{LoadModule wsgi_module modules/wsgi_mod_name.so}) } end - it { should include_class("apache::params") } - it { should contain_apache__mod('wsgi') } - it { should contain_package("mod_wsgi") } - describe "with custom WSGISocketPrefix" do + describe 'with package_name but no mod_path' do let :params do - { :wsgi_socket_prefix => 'run/wsgi' } + { + mod_path: '/foo/bar/baz' + } end - it {should contain_file('wsgi.conf').with_content(/^ WSGISocketPrefix run\/wsgi$/)} + + it { is_expected.to compile.and_raise_error(%r{apache::mod::wsgi - both package_name and mod_path must be specified!}) } end - describe "with custom WSGIPythonHome" do + + describe 'with mod_path but no package_name' do let :params do - { :wsgi_python_home => '/path/to/virtenv' } + { + package_name: '/foo/bar/baz' + } end - it {should contain_file('wsgi.conf').with_content(/^ WSGIPythonHome \/path\/to\/virtenv$/)} + + it { is_expected.to compile.and_raise_error(%r{apache::mod::wsgi - both package_name and mod_path must be specified!}) } + end + end + + context 'on a FreeBSD OS' do + include_examples 'FreeBSD 9' + + it { is_expected.to contain_class('apache::params') } + + it { + expect(subject).to contain_class('apache::mod::wsgi').with( + 'wsgi_socket_prefix' => nil, + ) + } + + it { is_expected.to contain_package('www/mod_wsgi') } + end + + context 'on a Gentoo OS' do + include_examples 'Gentoo' + + it { is_expected.to contain_class('apache::params') } + + it { + expect(subject).to contain_class('apache::mod::wsgi').with( + 'wsgi_socket_prefix' => nil, + ) + } + + it { is_expected.to contain_package('www-apache/mod_wsgi') } + end + + context 'overriding mod_libs' do + context 'on a RedHat OS', :compile do + include_examples 'RedHat 8' + let :pre_condition do + <<-MANIFEST + include apache::params + class { 'apache': + mod_packages => merge($::apache::params::mod_packages, { + 'wsgi' => 'python3-mod_wsgi', + }), + mod_libs => merge($::apache::params::mod_libs, { + 'wsgi' => 'mod_wsgi_python3.so', + }) + } + MANIFEST + end + + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_file('wsgi.load').with_content(%r{LoadModule wsgi_module modules/mod_wsgi_python3.so}) } + it { is_expected.to contain_package('python3-mod_wsgi') } end end end diff --git a/spec/classes/params_spec.rb b/spec/classes/params_spec.rb index 39e16b6f31..5faa269cac 100644 --- a/spec/classes/params_spec.rb +++ b/spec/classes/params_spec.rb @@ -1,21 +1,12 @@ +# frozen_string_literal: true + require 'spec_helper' -describe 'apache::params', :type => :class do - context "On a Debian OS" do - let :facts do - { - :osfamily => 'Debian', - :operatingsystemrelease => '6', - :concat_basedir => '/dne', - } - end - it { should contain_apache__params } +describe 'apache::params', type: :class do + context 'On a Debian OS' do + include_examples 'Debian 11' - # There are 4 resources in this class currently - # there should not be any more resources because it is a params class - # The resources are class[apache::params], class[main], class[settings], stage[main] - it "Should not contain any resources" do - subject.resources.size.should == 4 - end + it { is_expected.to compile.with_all_deps } + it { is_expected.to have_resource_count(0) } end end diff --git a/spec/classes/service_spec.rb b/spec/classes/service_spec.rb index 037790eab1..85a03fbb40 100644 --- a/spec/classes/service_spec.rb +++ b/spec/classes/service_spec.rb @@ -1,77 +1,133 @@ +# frozen_string_literal: true + require 'spec_helper' -describe 'apache::service', :type => :class do - context "on a Debian OS" do - let :facts do - { - :osfamily => 'Debian', - :operatingsystemrelease => '6', - :concat_basedir => '/dne', - } - end - it { should contain_service("httpd").with( - 'ensure' => 'running', - 'enable' => 'true' +describe 'apache::service', type: :class do + let :pre_condition do + 'include apache::params' + end + + context 'on a Debian OS' do + include_examples 'Debian 11' + + it { + expect(subject).to contain_service('httpd').with( + 'name' => 'apache2', + 'ensure' => 'running', + 'enable' => 'true', ) } - context "with $service_enable => true" do - let (:params) {{ :service_enable => true }} - it { should contain_service("httpd").with( - 'ensure' => 'running', - 'enable' => 'true' + context "with $service_name => 'foo'" do + let(:params) { { service_name: 'foo' } } + + it { + expect(subject).to contain_service('httpd').with( + 'name' => 'foo', ) } end - context "with $service_enable => false" do - let (:params) {{ :service_enable => false }} - it { should contain_service("httpd").with( - 'ensure' => 'running', - 'enable' => 'false' + context 'with $service_enable => true' do + let(:params) { { service_enable: true } } + + it { + expect(subject).to contain_service('httpd').with( + 'name' => 'apache2', + 'ensure' => 'running', + 'enable' => 'true', ) } end - context "$service_enable must be a bool" do - let (:params) {{ :service_enable => 'not-a-boolean' }} + context 'with $service_enable => false' do + let(:params) { { service_enable: false } } - it 'should fail' do - expect { subject }.to raise_error(Puppet::Error, /is not a boolean/) - end + it { + expect(subject).to contain_service('httpd').with( + 'name' => 'apache2', + 'ensure' => 'running', + 'enable' => 'false', + ) + } end context "with $service_ensure => 'running'" do - let (:params) {{ :service_ensure => 'running', }} - it { should contain_service("httpd").with( - 'ensure' => 'running', - 'enable' => 'true' + let(:params) { { service_ensure: 'running' } } + + it { + expect(subject).to contain_service('httpd').with( + 'ensure' => 'running', + 'enable' => 'true', ) } end context "with $service_ensure => 'stopped'" do - let (:params) {{ :service_ensure => 'stopped', }} - it { should contain_service("httpd").with( - 'ensure' => 'stopped', - 'enable' => 'true' + let(:params) { { service_ensure: 'stopped' } } + + it { + expect(subject).to contain_service('httpd').with( + 'ensure' => 'stopped', + 'enable' => 'true', ) } end - end + context "with $service_ensure => 'UNDEF'" do + let(:params) { { service_ensure: 'UNDEF' } } + + it { is_expected.to contain_service('httpd').without_ensure } + end - context "on a RedHat 5 OS" do - let :facts do + context 'with $service_restart unset' do + it { is_expected.to contain_service('httpd').without_restart } + end + + context "with $service_restart => '/usr/sbin/apachectl graceful'" do + let(:params) { { service_restart: '/usr/sbin/apachectl graceful' } } + + it { + expect(subject).to contain_service('httpd').with( + 'restart' => '/usr/sbin/apachectl graceful', + ) + } + end + end + + context 'on a RedHat 8 OS, do not manage service' do + include_examples 'RedHat 8' + let(:params) do { - :osfamily => 'RedHat', - :operatingsystemrelease => '5', - :concat_basedir => '/dne', + 'service_ensure' => 'running', + 'service_name' => 'httpd', + 'service_manage' => false } end - it { should contain_service("httpd").with( - 'ensure' => 'running', - 'enable' => 'true' + + it { is_expected.not_to contain_service('httpd') } + end + + context 'on a FreeBSD 9 OS' do + include_examples 'FreeBSD 9' + + it { + expect(subject).to contain_service('httpd').with( + 'name' => 'apache24', + 'ensure' => 'running', + 'enable' => 'true', + ) + } + end + + context 'on a Gentoo OS' do + include_examples 'Gentoo' + + it { + expect(subject).to contain_service('httpd').with( + 'name' => 'apache2', + 'ensure' => 'running', + 'enable' => 'true', ) } end diff --git a/spec/classes/vhosts_spec.rb b/spec/classes/vhosts_spec.rb new file mode 100644 index 0000000000..70f0cae528 --- /dev/null +++ b/spec/classes/vhosts_spec.rb @@ -0,0 +1,29 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::vhosts', type: :class do + context 'on all OSes' do + include_examples 'RedHat 8' + + context 'with custom vhosts parameter' do + let :params do + { + vhosts: { + 'custom_vhost_1' => { + 'docroot' => '/var/www/custom_vhost_1', + 'port' => 81 + }, + 'custom_vhost_2' => { + 'docroot' => '/var/www/custom_vhost_2', + 'port' => 82 + } + } + } + end + + it { is_expected.to contain_apache__vhost('custom_vhost_1') } + it { is_expected.to contain_apache__vhost('custom_vhost_2') } + end + end +end diff --git a/spec/default_facts.yml b/spec/default_facts.yml new file mode 100644 index 0000000000..3346c394df --- /dev/null +++ b/spec/default_facts.yml @@ -0,0 +1,9 @@ +# Use default_module_facts.yml for module specific facts. +# +# Facts specified here will override the values provided by rspec-puppet-facts. +--- +networking: + ip: "172.16.254.254" + ip6: "FE80:0000:0000:0000:AAAA:AAAA:AAAA" + mac: "AA:AA:AA:AA:AA:AA" +is_pe: false diff --git a/spec/defines/balancer_spec.rb b/spec/defines/balancer_spec.rb new file mode 100644 index 0000000000..5626cff603 --- /dev/null +++ b/spec/defines/balancer_spec.rb @@ -0,0 +1,73 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::balancer', type: :define do + let :title do + 'myapp' + end + + include_examples 'Debian 11' + + describe 'apache pre_condition with defaults' do + let :pre_condition do + 'include apache' + end + + describe 'works when only declaring resource title' do + it { is_expected.to contain_concat('apache_balancer_myapp') } + it { is_expected.to contain_concat__fragment('00-myapp-header').with_content(%r{^$}) } + end + + describe 'accept a target parameter and use it' do + let :params do + { + target: '/tmp/myapp.conf' + } + end + + it { + expect(subject).to contain_concat('apache_balancer_myapp').with(path: '/tmp/myapp.conf') + } + end + + describe 'accept an options parameter and use it' do + let :params do + { + options: ['timeout=0', 'nonce=none'] + } + end + + it { + expect(subject).to contain_concat__fragment('00-myapp-header').with_content( + %r{^$}, + ) + } + end + end + + describe 'apache pre_condition with conf_dir set' do + let :pre_condition do + 'class{"apache": + confd_dir => "/junk/path" + }' + end + + it { + expect(subject).to contain_concat('apache_balancer_myapp').with(path: '/junk/path/balancer_myapp.conf') + } + end + + describe 'with lbmethod set' do + let :params do + { + proxy_set: { + 'lbmethod' => 'bytraffic' + } + } + end + + it { is_expected.to contain_apache__mod('slotmem_shm') } + it { is_expected.to contain_apache__mod('lbmethod_bytraffic') } + end +end diff --git a/spec/defines/balancermember_spec.rb b/spec/defines/balancermember_spec.rb new file mode 100644 index 0000000000..acd06c1be6 --- /dev/null +++ b/spec/defines/balancermember_spec.rb @@ -0,0 +1,56 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::balancermember', type: :define do + let :pre_condition do + 'include apache' + end + + include_examples 'Debian 11' + + describe 'allows multiple balancermembers with the same url' do + let :pre_condition do + 'include apache + apache::balancer {"balancer":} + apache::balancer {"balancer-external":} + apache::balancermember {"http://127.0.0.1:8080-external": url => "http://127.0.0.1:8080/", balancer_cluster => "balancer-external"} + ' + end + let :title do + 'http://127.0.0.1:8080/' + end + let :params do + { + options: [], + url: 'http://127.0.0.1:8080/', + balancer_cluster: 'balancer-internal' + } + end + + it { is_expected.to contain_concat__fragment('BalancerMember http://127.0.0.1:8080/') } + end + + describe 'allows balancermember with a different target' do + let :pre_condition do + 'include apache + apache::balancer {"balancername": target => "/etc/apache/balancer.conf"} + apache::balancermember {"http://127.0.0.1:8080-external": url => "http://127.0.0.1:8080/", balancer_cluster => "balancername"} + ' + end + let :title do + 'http://127.0.0.1:8080/' + end + let :params do + { + options: [], + url: 'http://127.0.0.1:8080/', + balancer_cluster: 'balancername' + } + end + + it { + expect(subject).to contain_concat__fragment('BalancerMember http://127.0.0.1:8080/').with(target: 'apache_balancer_balancername') + } + end +end diff --git a/spec/defines/custom_config_spec.rb b/spec/defines/custom_config_spec.rb new file mode 100644 index 0000000000..89ef1f1611 --- /dev/null +++ b/spec/defines/custom_config_spec.rb @@ -0,0 +1,112 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::custom_config', type: :define do + let :pre_condition do + 'class { "apache": }' + end + let :title do + 'rspec' + end + + include_examples 'Debian 11' + + context 'defaults with content' do + let :params do + { + 'content' => '# Test' + } + end + + it { + expect(subject).to contain_exec('syntax verification for rspec') + .with('refreshonly' => 'true', 'command' => ['/usr/sbin/apachectl', '-t']) + .that_subscribes_to('File[apache_rspec]') + .that_notifies('Class[Apache::Service]') + .that_comes_before('Exec[remove rspec if invalid]') + } + + it { + expect(subject).to contain_exec('remove rspec if invalid') + .with('unless' => [['/usr/sbin/apachectl', '-t']], 'refreshonly' => 'true') + .that_subscribes_to('File[apache_rspec]') + } + + it { + expect(subject).to contain_file('apache_rspec') + .with('ensure' => 'present', 'content' => '# Test') + .that_requires('Package[httpd]') + } + end + + context 'set everything with source' do + let :params do + { + 'confdir' => '/dne', + 'priority' => 30, + 'source' => 'puppet:///modules/apache/test', + 'verify_command' => ['/bin/true'] + } + end + + it { + expect(subject).to contain_exec('syntax verification for rspec').with('command' => ['/bin/true']) + } + + it { + expect(subject).to contain_exec('remove rspec if invalid').with('command' => ['/bin/rm', '/dne/30-rspec.conf'], + 'unless' => [['/bin/true']]) + } + + it { + expect(subject).to contain_file('apache_rspec') + .that_requires('Package[httpd]') + .with('path' => '/dne/30-rspec.conf', + 'ensure' => 'present', + 'source' => 'puppet:///modules/apache/test') + } + end + + context 'verify_config => false' do + let :params do + { + 'content' => '# test', + 'verify_config' => false + } + end + + it { is_expected.not_to contain_exec('syntax verification for rspec') } + it { is_expected.not_to contain_exec('remove rspec if invalid') } + it { is_expected.to contain_file('apache_rspec').that_notifies('Class[Apache::Service]') } + end + + context 'ensure => absent' do + let :params do + { + 'ensure' => 'absent' + } + end + + it { is_expected.not_to contain_exec('syntax verification for rspec') } + it { is_expected.not_to contain_exec('remove rspec if invalid') } + it { is_expected.to contain_file('apache_rspec').with('ensure' => 'absent') } + end + + describe 'validation' do + context 'both content and source' do + let :params do + { + 'content' => 'foo', + 'source' => 'bar' + } + end + + it { is_expected.to compile.and_raise_error(%r{Only one of \$content and \$source can be specified\.}) } + end + + context 'neither content nor source' do + it { is_expected.to compile.and_raise_error(%r{One of \$content and \$source must be specified\.}) } + end + end +end diff --git a/spec/defines/mod_spec.rb b/spec/defines/mod_spec.rb index 77c8dfd918..dc7ddde243 100644 --- a/spec/defines/mod_spec.rb +++ b/spec/defines/mod_spec.rb @@ -1,78 +1,106 @@ +# frozen_string_literal: true + require 'spec_helper' -describe 'apache::mod', :type => :define do +describe 'apache::mod', type: :define do let :pre_condition do 'include apache' end - context "on a RedHat osfamily" do - let :facts do - { - :osfamily => 'RedHat', - :operatingsystemrelease => '6', - :concat_basedir => '/dne', - } + + let :title do + 'spec_m' + end + + context 'on a RedHat osfamily' do + include_examples 'RedHat 8' + + describe 'for non-special modules' do + it { is_expected.to contain_class('apache::params') } + + it 'manages the module load file' do + expect(subject).to contain_file('spec_m.load').with(path: '/etc/httpd/conf.modules.d/spec_m.load', + content: "LoadModule spec_m_module modules/mod_spec_m.so\n", + owner: 'root', + group: 'root', + mode: '0644') + end end - describe "for non-special modules" do - let :title do - 'spec_m' + describe 'with file_mode set' do + let :pre_condition do + "class {'::apache': file_mode => '0640'}" end - it { should include_class("apache::params") } - it "should manage the module load file" do - should contain_file('spec_m.load').with({ - :path => '/etc/httpd/conf.d/spec_m.load', - :content => "LoadModule spec_m_module modules/mod_spec_m.so\n", - :owner => 'root', - :group => 'root', - :mode => '0644', - } ) + + it 'manages the module load file' do + expect(subject).to contain_file('spec_m.load').with(mode: '0640') end end - describe "with shibboleth module and package param passed" do + describe 'with shibboleth module and package param passed' do # name/title for the apache::mod define let :title do 'xsendfile' end # parameters - let(:params) { {:package => 'mod_xsendfile'} } + let(:params) { { package: 'mod_xsendfile' } } - it { should include_class("apache::params") } - it { should contain_package('mod_xsendfile') } + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_package('mod_xsendfile') } end end - context "on a Debian osfamily" do - let :facts do - { - :osfamily => 'Debian', - :operatingsystemrelease => '6', - :concat_basedir => '/dne', - } - end + context 'on a Debian osfamily' do + include_examples 'Debian 11' - describe "for non-special modules" do - let :title do - 'spec_m' + describe 'for non-special modules' do + it { is_expected.to contain_class('apache::params') } + + it 'manages the module load file' do + expect(subject).to contain_file('spec_m.load').with(path: '/etc/apache2/mods-available/spec_m.load', + content: "LoadModule spec_m_module /usr/lib/apache2/modules/mod_spec_m.so\n", + owner: 'root', + group: 'root', + mode: '0644') end - it { should include_class("apache::params") } - it "should manage the module load file" do - should contain_file('spec_m.load').with({ - :path => '/etc/apache2/mods-available/spec_m.load', - :content => "LoadModule spec_m_module /usr/lib/apache2/modules/mod_spec_m.so\n", - :owner => 'root', - :group => 'root', - :mode => '0644', - } ) + + it 'links the module load file' do + expect(subject).to contain_file('spec_m.load symlink').with(path: '/etc/apache2/mods-enabled/spec_m.load', + target: '/etc/apache2/mods-available/spec_m.load', + owner: 'root', + group: 'root', + mode: '0644') + end + end + end + + context 'on a FreeBSD osfamily' do + include_examples 'FreeBSD 9' + + describe 'for non-special modules' do + it { is_expected.to contain_class('apache::params') } + + it 'manages the module load file' do + expect(subject).to contain_file('spec_m.load').with(path: '/usr/local/etc/apache24/Modules/spec_m.load', + content: "LoadModule spec_m_module /usr/local/libexec/apache24/mod_spec_m.so\n", + owner: 'root', + group: 'wheel', + mode: '0644') end - it "should link the module load file" do - should contain_file('spec_m.load symlink').with({ - :path => '/etc/apache2/mods-enabled/spec_m.load', - :target => '/etc/apache2/mods-available/spec_m.load', - :owner => 'root', - :group => 'root', - :mode => '0644', - } ) + end + end + + context 'on a Gentoo osfamily' do + include_examples 'Gentoo' + + describe 'for non-special modules' do + it { is_expected.to contain_class('apache::params') } + + it 'manages the module load file' do + expect(subject).to contain_file('spec_m.load').with(path: '/etc/apache2/modules.d/spec_m.load', + content: "LoadModule spec_m_module /usr/lib/apache2/modules/mod_spec_m.so\n", + owner: 'root', + group: 'wheel', + mode: '0644') end end end diff --git a/spec/defines/modsec_link_spec.rb b/spec/defines/modsec_link_spec.rb new file mode 100644 index 0000000000..6671790590 --- /dev/null +++ b/spec/defines/modsec_link_spec.rb @@ -0,0 +1,51 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::security::rule_link', type: :define do + let :pre_condition do + 'class { "apache": } + class { "apache::mod::security": activated_rules => [] } + ' + end + + let :title do + 'base_rules/modsecurity_35_bad_robots.data' + end + + on_supported_os.each do |os, facts| + context "on #{os}" do + let :facts do + facts + end + + it { is_expected.to compile.with_all_deps } + + case facts[:os]['family'] + when 'RedHat' + if facts[:os]['release']['major'].to_i <= 7 + it { + expect(subject).to contain_file('modsecurity_35_bad_robots.data').with( + path: '/etc/httpd/modsecurity.d/activated_rules/modsecurity_35_bad_robots.data', + target: '/usr/lib/modsecurity.d/base_rules/modsecurity_35_bad_robots.data', + ) + } + else + it { + expect(subject).to contain_file('modsecurity_35_bad_robots.data').with( + path: '/etc/httpd/modsecurity.d/activated_rules/modsecurity_35_bad_robots.data', + target: '/usr/share/mod_modsecurity_crs/base_rules/modsecurity_35_bad_robots.data', + ) + } + end + when 'Debian' + it { + expect(subject).to contain_file('modsecurity_35_bad_robots.data').with( + path: '/etc/modsecurity/activated_rules/modsecurity_35_bad_robots.data', + target: '/usr/share/modsecurity-crs/base_rules/modsecurity_35_bad_robots.data', + ) + } + end + end + end +end diff --git a/spec/defines/vhost_custom_spec.rb b/spec/defines/vhost_custom_spec.rb new file mode 100644 index 0000000000..627afa29d1 --- /dev/null +++ b/spec/defines/vhost_custom_spec.rb @@ -0,0 +1,66 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::vhost::custom', type: :define do + let :title do + 'rspec.example.com' + end + let(:params) do + { + content: 'foobar' + } + end + + describe 'os-dependent items' do + context 'on RedHat based systems' do + include_examples 'RedHat 8' + + it { is_expected.to compile } + end + + context 'on Debian based systems' do + include_examples 'Debian 11' + + it { + expect(subject).to contain_file('apache_rspec.example.com').with( + ensure: 'present', + content: 'foobar', + path: '/etc/apache2/sites-available/25-rspec.example.com.conf', + ) + } + + it { + expect(subject).to contain_file('25-rspec.example.com.conf symlink').with( + ensure: 'link', + path: '/etc/apache2/sites-enabled/25-rspec.example.com.conf', + target: '/etc/apache2/sites-available/25-rspec.example.com.conf', + ) + } + end + + context 'on FreeBSD systems' do + include_examples 'FreeBSD 9' + + it { + expect(subject).to contain_file('apache_rspec.example.com').with( + ensure: 'present', + content: 'foobar', + path: '/usr/local/etc/apache24/Vhosts/25-rspec.example.com.conf', + ) + } + end + + context 'on Gentoo systems' do + include_examples 'Gentoo' + + it { + expect(subject).to contain_file('apache_rspec.example.com').with( + ensure: 'present', + content: 'foobar', + path: '/etc/apache2/vhosts.d/25-rspec.example.com.conf', + ) + } + end + end +end diff --git a/spec/defines/vhost_fragment_spec.rb b/spec/defines/vhost_fragment_spec.rb new file mode 100644 index 0000000000..36aecc8c15 --- /dev/null +++ b/spec/defines/vhost_fragment_spec.rb @@ -0,0 +1,120 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::vhost::fragment' do + on_supported_os.each do |os, os_facts| + context "on #{os}" do + let(:facts) { os_facts } + let(:title) { 'myfragment' } + + context 'adding to the default vhost' do + let(:pre_condition) { 'include apache' } + + let(:params) do + { + vhost: 'default', + port: 80, + priority: 15 + } + end + + context 'with content' do + let(:params) { super().merge(content: '# Foo') } + + it 'creates a vhost concat fragment' do + expect(subject).to compile.with_all_deps + expect(subject).to contain_concat('15-default-80.conf') + expect(subject).to create_concat__fragment('default-myfragment') + .with_target('15-default-80.conf') + .with_order(900) + .with_content('# Foo') + end + end + + context 'without content' do + let(:params) { super().merge(content: '') } + + it 'does not create a vhost concat fragment' do + expect(subject).to compile.with_all_deps + expect(subject).to contain_concat('15-default-80.conf') + expect(subject).not_to contain_concat__fragment('default-myfragment') + end + end + end + + context 'adding to a custom vhost' do + let(:params) do + { + vhost: 'custom', + content: '# Foo' + } + end + + context 'with priority => false' do + let(:params) { super().merge(priority: false) } + let(:pre_condition) do + <<-PUPPET + include apache + apache::vhost { 'custom': + docroot => '/path/to/docroot', + priority => false, + } + PUPPET + end + + it 'creates a vhost concat fragment' do + expect(subject).to compile.with_all_deps + expect(subject).to contain_concat('custom.conf') + expect(subject).to create_concat__fragment('custom-myfragment') + .with_target('custom.conf') + .with_order(900) + .with_content('# Foo') + end + end + + context 'with priority => 42' do + let(:params) { super().merge(priority: 42) } + let(:pre_condition) do + <<-PUPPET + include apache + apache::vhost { 'custom': + docroot => '/path/to/docroot', + priority => 42, + } + PUPPET + end + + it 'creates a vhost concat fragment' do + expect(subject).to compile.with_all_deps + expect(subject).to contain_concat('42-custom.conf') + expect(subject).to create_concat__fragment('custom-myfragment') + .with_target('42-custom.conf') + .with_order(900) + .with_content('# Foo') + end + end + + context 'with default priority' do + let(:pre_condition) do + <<-PUPPET + include apache + apache::vhost { 'custom': + docroot => '/path/to/docroot', + } + PUPPET + end + + it 'creates a vhost concat fragment' do + expect(subject).to compile.with_all_deps + expect(subject).to contain_concat('25-custom.conf') + expect(subject).to create_concat__fragment('custom-myfragment') + .with_target('25-custom.conf') + .with_order(900) + .with_content('# Foo') + end + end + end + end + end +end diff --git a/spec/defines/vhost_proxy_spec.rb b/spec/defines/vhost_proxy_spec.rb new file mode 100644 index 0000000000..191f4c5c68 --- /dev/null +++ b/spec/defines/vhost_proxy_spec.rb @@ -0,0 +1,110 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::vhost::proxy' do + on_supported_os.each do |os, os_facts| + context "on #{os}" do + let(:facts) { os_facts } + let(:title) { 'myproxy' } + + context 'adding to the default vhost' do + let(:pre_condition) { 'include apache' } + + let(:params) do + { + vhost: 'default', + port: 80, + priority: 15 + } + end + + context 'without any parameters' do + it { is_expected.to compile.and_raise_error(%r{At least one of}) } + end + + context 'with proxy_pass' do + let(:params) do + super().merge( + proxy_pass: [ + { + path: '/', + url: 'http://localhost:8080/' + }, + ], + ) + end + + it 'creates a concat fragment' do + expect(subject).to compile.with_all_deps + expect(subject).to contain_class('apache::mod::proxy') + expect(subject).to contain_class('apache::mod::proxy_http') + expect(subject).to contain_concat('15-default-80.conf') + expect(subject).to create_concat__fragment('default-myproxy-proxy') + .with_target('15-default-80.conf') + .with_order(170) + .with_content( + Regexp.new(<<~CONTENT), + \n\s\s## Proxy rules + \s\sProxyRequests Off + \s\sProxyPreserveHost Off + \s\sProxyPass / http://localhost:8080/ + \s\sProxyPassReverse / http://localhost:8080/ + CONTENT + ) + end + + context 'with HTTP/2 proxy_dest URL' do + let(:params) do + super().merge(proxy_dest: 'h2://localhost:8080/') + end + + it { is_expected.to compile.with_all_deps } + it { is_expected.to contain_class('apache::mod::proxy_http2') } + end + + context 'with HTTP/2 proxy_dest_match URL' do + let(:params) do + super().merge(proxy_dest_match: 'h2://localhost:8080/') + end + + it { is_expected.to compile.with_all_deps } + it { is_expected.to contain_class('apache::mod::proxy_http2') } + end + + context 'with HTTP/2 proxy_pass URL' do + let(:params) do + super().merge( + proxy_pass: [ + { + path: '/', + url: 'h2://localhost:8080/' + }, + ], + ) + end + + it { is_expected.to compile.with_all_deps } + it { is_expected.to contain_class('apache::mod::proxy_http2') } + end + + context 'with HTTP/2 proxy_pass_match URL' do + let(:params) do + super().merge( + proxy_pass_match: [ + { + path: '/', + url: 'h2://localhost:8080/' + }, + ], + ) + end + + it { is_expected.to compile.with_all_deps } + it { is_expected.to contain_class('apache::mod::proxy_http2') } + end + end + end + end + end +end diff --git a/spec/defines/vhost_spec.rb b/spec/defines/vhost_spec.rb index 27de85c5ba..b80fd61b0e 100644 --- a/spec/defines/vhost_spec.rb +++ b/spec/defines/vhost_spec.rb @@ -1,715 +1,2193 @@ +# frozen_string_literal: true + require 'spec_helper' -describe 'apache::vhost', :type => :define do - let :pre_condition do - 'class { "apache": default_vhost => false, }' - end - let :title do - 'rspec.example.com' - end - let :default_params do - { - :docroot => '/rspec/docroot', - :port => '84', - } - end - describe 'os-dependent items' do - context "on RedHat based systems" do - let :default_facts do - { - :osfamily => 'RedHat', - :operatingsystemrelease => '6', - :concat_basedir => '/dne', - } +describe 'apache::vhost', type: :define do + describe 'os-independent items' do + on_supported_os.each do |os, os_facts| + let(:apache_name) { (facts[:os]['family'] == 'RedHat') ? 'httpd' : 'apache2' } + + let :pre_condition do + "class {'apache': default_vhost => false, default_mods => false, vhost_enable_dir => '/etc/#{apache_name}/sites-enabled'}" end - let :params do default_params end - let :facts do default_facts end - it { should include_class("apache") } - it { should include_class("apache::params") } - end - context "on Debian based systems" do - let :default_facts do + + let :title do + 'rspec.example.com' + end + + let :default_params do { - :osfamily => 'Debian', - :operatingsystemrelease => '6', - :concat_basedir => '/dne', + docroot: '/rspec/docroot', + port: 84 } end - let :params do default_params end - let :facts do default_facts end - it { should include_class("apache") } - it { should include_class("apache::params") } - it { should contain_file("25-rspec.example.com.conf").with( - :ensure => 'present', - :path => '/etc/apache2/sites-available/25-rspec.example.com.conf' - ) } - it { should contain_file("25-rspec.example.com.conf symlink").with( - :ensure => 'link', - :path => '/etc/apache2/sites-enabled/25-rspec.example.com.conf', - :target => '/etc/apache2/sites-available/25-rspec.example.com.conf' - ) } - end - end - describe 'os-independent items' do - let :facts do - { - :osfamily => 'Debian', - :operatingsystemrelease => '6', - :concat_basedir => '/dne', - } - end - describe 'basic assumptions' do - let :params do default_params end - it { should include_class("apache") } - it { should include_class("apache::params") } - it { should contain_apache__listen(params[:port]) } - it { should contain_apache__namevirtualhost("*:#{params[:port]}") } - end - context ".conf content" do - [ - { - :title => 'should contain docroot', - :attr => 'docroot', - :value => '/not/default', - :match => [' DocumentRoot /not/default',' '], - }, - { - :title => 'should set a port', - :attr => 'port', - :value => '8080', - :match => '', - }, - { - :title => 'should set an ip', - :attr => 'ip', - :value => '10.0.0.1', - :match => '', - }, - { - :title => 'should set a serveradmin', - :attr => 'serveradmin', - :value => 'test@test.com', - :match => ' ServerAdmin test@test.com' - }, - { - :title => 'should enable ssl', - :attr => 'ssl', - :value => true, - :match => ' SSLEngine on', - }, - { - :title => 'should set a servername', - :attr => 'servername', - :value => 'param.test', - :match => ' ServerName param.test', - }, - { - :title => 'should accept server aliases', - :attr => 'serveraliases', - :value => ['one.com','two.com'], - :match => [' ServerAlias one.com',' ServerAlias two.com'], - }, - { - :title => 'should accept setenv', - :attr => 'setenv', - :value => ['TEST1 one','TEST2 two'], - :match => [' SetEnv TEST1 one',' SetEnv TEST2 two'], - }, - { - :title => 'should accept setenvif', - :attr => 'setenvif', - ## These are bugged in rspec-puppet; the $1 is droped - #:value => ['Host "^([^\.]*)\.website\.com$" CLIENT_NAME=$1'], - #:match => [' SetEnvIf Host "^([^\.]*)\.website\.com$" CLIENT_NAME=$1'], - :value => ['Host "^test\.com$" VHOST_ACCESS=test'], - :match => [' SetEnvIf Host "^test\.com$" VHOST_ACCESS=test'], - }, - { - :title => 'should accept options', - :attr => 'options', - :value => ['Fake','Options'], - :match => ' Options Fake Options', - }, - { - :title => 'should accept overrides', - :attr => 'override', - :value => ['Fake', 'Override'], - :match => ' AllowOverride Fake Override', - }, - { - :title => 'should accept logroot', - :attr => 'logroot', - :value => '/fake/log', - :match => [/CustomLog \/fake\/log\//,/ErrorLog \/fake\/log\//], - }, - { - :title => 'should accept pipe destination for access log', - :attr => 'access_log_pipe', - :value => '| /bin/fake/logging', - :match => /CustomLog "| \/bin\/fake\/logging" combined$/, - }, - { - :title => 'should accept pipe destination for error log', - :attr => 'error_log_pipe', - :value => '| /bin/fake/logging', - :match => /ErrorLog "| \/bin\/fake\/logging" combined$/, - }, - { - :title => 'should accept syslog destination for access log', - :attr => 'access_log_syslog', - :value => 'syslog:local1', - :match => /CustomLog syslog:local1 combined$/, - }, - { - :title => 'should accept syslog destination for error log', - :attr => 'error_log_syslog', - :value => 'syslog', - :match => /ErrorLog syslog$/, - }, - { - :title => 'should accept custom format for access logs', - :attr => 'access_log_format', - :value => '%h %{X-Forwarded-For}i %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-agent}i\" \"Host: %{Host}i\" %T %D', - :match => /CustomLog \/var\/log\/.+_access\.log "%h %\{X-Forwarded-For\}i %l %u %t \\"%r\\" %s %b \\"%\{Referer\}i\\" \\"%\{User-agent\}i\\" \\"Host: %\{Host\}i\\" %T %D"$/, - }, - { - :title => 'should contain access logs', - :attr => 'access_log', - :value => true, - :match => /CustomLog \/var\/log\/.+_access\.log combined$/, - }, - { - :title => 'should not contain access logs', - :attr => 'access_log', - :value => false, - :notmatch => /CustomLog \/var\/log\/.+_access\.log combined$/, - }, - { - :title => 'should contain error logs', - :attr => 'error_log', - :value => true, - :match => /ErrorLog.+$/, - }, - { - :title => 'should not contain error logs', - :attr => 'error_log', - :value => false, - :notmatch => /ErrorLog.+$/, - }, - { - :title => 'should accept scriptaliases', - :attr => 'scriptalias', - :value => '/usr/scripts', - :match => ' ScriptAlias /cgi-bin/ "/usr/scripts/"', - }, - { - :title => 'should accept proxy destinations', - :attr => 'proxy_dest', - :value => 'http://fake.com', - :match => [ - ' ProxyPass / http://fake.com/', - ' ', - ' ProxyPassReverse /', - ' ', - ], - :notmatch => /ProxyPass .+!$/, - }, - { - :title => 'should accept proxy_pass hash', - :attr => 'proxy_pass', - :value => { 'path' => '/path-a', 'url' => 'http://fake.com/a/' }, - :match => [ - ' ProxyPass /path-a http://fake.com/a/', - ' ProxyPassReverse /path-a http://fake.com/a/', - ], - :notmatch => /ProxyPass .+!$/, - }, - { - :title => 'should accept proxy_pass array of hash', - :attr => 'proxy_pass', - :value => [ - { 'path' => '/path-a', 'url' => 'http://fake.com/a/' }, - { 'path' => '/path-b', 'url' => 'http://fake.com/b/' }, - ], - :match => [ - ' ProxyPass /path-a http://fake.com/a/', - ' ', - ' ProxyPassReverse /', - ' ', - ' ProxyPass /path-b http://fake.com/b/', - ' ', - ' ProxyPassReverse /', - ' ', - ], - :notmatch => /ProxyPass .+!$/, - }, - { - :title => 'should enable rack', - :attr => 'rack_base_uris', - :value => ['/rack1','/rack2'], - :match => [' RackBaseURI /rack1',' RackBaseURI /rack2'], - }, - { - :title => 'should accept request headers', - :attr => 'request_headers', - :value => ['append something', 'unset something_else'], - :match => [ - ' RequestHeader append something', - ' RequestHeader unset something_else', - ], - }, - { - :title => 'should accept rewrite rules', - :attr => 'rewrite_rule', - :value => 'not a real rule', - :match => ' RewriteRule not a real rule', - }, - { - :title => 'should block scm', - :attr => 'block', - :value => 'scm', - :match => ' ', - }, - { - :title => 'should accept a custom fragment', - :attr => 'custom_fragment', - :value => " Some custom fragment line\n That spans multiple lines", - :match => [ - ' Some custom fragment line', - ' That spans multiple lines', - '', - ], - }, - { - :title => 'should accept an array of alias hashes', - :attr => 'aliases', - :value => [ { 'alias' => '/', 'path' => '/var/www'} ], - :match => ' Alias / /var/www', - }, - { - :title => 'should accept an alias hash', - :attr => 'aliases', - :value => { 'alias' => '/', 'path' => '/var/www'}, - :match => ' Alias / /var/www', - }, - { - :title => 'should accept multiple aliases', - :attr => 'aliases', - :value => [ - { 'alias' => '/', 'path' => '/var/www'}, - { 'alias' => '/cgi-bin', 'path' => '/var/www/cgi-bin'}, - { 'alias' => '/css', 'path' => '/opt/someapp/css'}, - ], - :match => [ - ' Alias / /var/www', - ' Alias /cgi-bin /var/www/cgi-bin', - ' Alias /css /opt/someapp/css' - ], - }, - { - :title => 'should accept a suPHP_Engine', - :attr => 'suphp_engine', - :value => 'on', - :match => ' suPHP_Engine on', - }, - { - :title => 'should accept a wsgi script alias', - :attr => 'wsgi_script_aliases', - :value => { '/' => '/var/www/myapp.wsgi'}, - :match => ' WSGIScriptAlias / /var/www/myapp.wsgi', - }, - { - :title => 'should accept multiple wsgi aliases', - :attr => 'wsgi_script_aliases', - :value => { - '/wiki' => '/usr/local/wsgi/scripts/mywiki.wsgi', - '/blog' => '/usr/local/wsgi/scripts/myblog.wsgi', - '/' => '/usr/local/wsgi/scripts/myapp.wsgi', - }, - :match => [ - ' WSGIScriptAlias /wiki /usr/local/wsgi/scripts/mywiki.wsgi', - ' WSGIScriptAlias /blog /usr/local/wsgi/scripts/myblog.wsgi', - ' WSGIScriptAlias / /usr/local/wsgi/scripts/myapp.wsgi' - ], - }, - { - :title => 'should accept a directory', - :attr => 'directories', - :value => { 'path' => '/opt/app' }, - :notmatch => ' ', - :match => [ - ' ', - ' AllowOverride None', - ' Order allow,deny', - ' Allow from all', - ' ', - ], - }, - { - :title => 'should accept directory directives hash', - :attr => 'directories', - :value => { - 'path' => '/opt/app', - 'headers' => 'Set X-Robots-Tag "noindex, noarchive, nosnippet"', - 'allow' => 'from rspec.org', - 'allow_override' => 'Lol', - 'deny' => 'from google.com', - 'options' => '-MultiViews', - 'order' => 'deny,yned', - 'passenger_enabled' => 'onf', - }, - :match => [ - ' ', - ' Header Set X-Robots-Tag "noindex, noarchive, nosnippet"', - ' Allow from rspec.org', - ' AllowOverride Lol', - ' Deny from google.com', - ' Options -MultiViews', - ' Order deny,yned', - ' PassengerEnabled onf', - ' ', - ], - }, - { - :title => 'should accept directory directives with arrays and hashes', - :attr => 'directories', - :value => [ - { - 'path' => '/opt/app1', - 'allow' => 'from rspec.org', - 'allow_override' => ['AuthConfig','Indexes'], - 'deny' => 'from google.com', - 'options' => ['-MultiViews','+MultiViews'], - 'order' => ['deny','yned'], - 'passenger_enabled' => 'onf', - }, - { - 'path' => '/opt/app2', - 'addhandlers' => { - 'handler' => 'cgi-script', - 'extensions' => '.cgi', + context "on #{os}" do + let :facts do + os_facts + end + + describe 'basic assumptions' do + let(:params) { default_params } + + it { is_expected.to contain_class('apache') } + it { is_expected.to contain_class('apache::params') } + it { is_expected.to contain_apache__listen(params[:port]) } + end + + context 'set everything!' do + let :params do + { + 'docroot' => '/var/www/foo', + 'manage_docroot' => false, + 'virtual_docroot' => true, + 'virtual_use_default_docroot' => false, + 'port' => 8080, + 'ip' => '127.0.0.1', + 'ip_based' => true, + 'add_listen' => false, + 'docroot_owner' => 'user', + 'docroot_group' => 'wheel', + 'docroot_mode' => '0664', + 'serveradmin' => 'foo@localhost', + 'ssl' => true, + 'ssl_cert' => '/ssl/cert', + 'ssl_key' => '/ssl/key', + 'ssl_chain' => '/ssl/chain', + 'ssl_crl_path' => '/ssl/crl', + 'ssl_crl' => '/ssl/foo.crl', + 'ssl_certs_dir' => '/ssl/certs', + 'ssl_protocol' => 'SSLv2', + 'ssl_cipher' => 'HIGH', + 'ssl_honorcipherorder' => 'Off', + 'ssl_verify_client' => 'optional', + 'ssl_verify_depth' => 3, + 'ssl_options' => '+ExportCertData', + 'ssl_openssl_conf_cmd' => 'DHParameters "foo.pem"', + 'ssl_proxy_verify' => 'require', + 'ssl_proxy_check_peer_cn' => 'on', + 'ssl_proxy_check_peer_name' => 'on', + 'ssl_proxy_check_peer_expire' => 'on', + 'ssl_proxyengine' => true, + 'ssl_proxy_cipher_suite' => 'HIGH', + 'ssl_proxy_protocol' => 'TLSv1.2', + 'ssl_user_name' => 'SSL_CLIENT_S_DN_CN', + 'ssl_reload_on_change' => true, + 'priority' => 30, + 'default_vhost' => true, + 'servername' => 'example.com', + 'serveraliases' => ['test-example.com'], + 'options' => ['MultiView'], + 'override' => ['All'], + 'directoryindex' => 'index.html', + 'vhost_name' => 'test', + 'logroot' => '/var/www/logs', + 'logroot_ensure' => 'directory', + 'logroot_mode' => '0600', + 'logroot_owner' => 'root', + 'logroot_group' => 'root', + 'log_level' => 'crit', + 'aliases' => [ + { + 'alias' => '/image', + 'path' => '/rspec/image' + }, + ], + 'access_log' => false, + 'access_log_file' => 'httpd_access_log', + 'access_log_syslog' => true, + 'access_log_format' => '%h %l %u %t \"%r\" %>s %b', + 'access_log_env_var' => '', + 'directories' => [ + { + 'path' => '/var/www/files', + 'provider' => 'files', + 'require' => ['valid-user', 'all denied'] + }, + { + 'path' => '/var/www/files', + 'provider' => 'files', + 'additional_includes' => ['/custom/path/includes', '/custom/path/another_includes'] + }, + { + 'path' => '/var/www/files', + 'provider' => 'files', + 'require' => 'all granted' + }, + { + 'path' => '/var/www/files', + 'provider' => 'files', + 'require' => + { + 'enforce' => 'all', + 'requires' => ['all-valid1', 'all-valid2'] + } + }, + { + 'path' => '/var/www/files', + 'provider' => 'files', + 'require' => + { + 'enforce' => 'none', + 'requires' => ['none-valid1', 'none-valid2'] + } + }, + { + 'path' => '/var/www/files', + 'provider' => 'files', + 'require' => + { + 'enforce' => 'any', + 'requires' => ['any-valid1', 'any-valid2'] + }, + 'enable_sendfile' => 'On', + }, + { + 'path' => '*', + 'provider' => 'proxy' + }, + { 'path' => '/var/www/files/indexed_directory', + 'directoryindex' => 'disabled', + 'options' => ['Indexes', 'FollowSymLinks', 'MultiViews'], + 'index_options' => ['FancyIndexing'], + 'index_style_sheet' => '/styles/style.css' }, + { 'path' => '/var/www/files/output_filtered', + 'set_output_filter' => 'output_filter' }, + { 'path' => '/var/www/files/input_filtered', + 'set_input_filter' => 'input_filter' }, + { 'path' => '/var/www/files', + 'provider' => 'location', + 'limit' => [ + { 'methods' => 'GET HEAD', + 'require' => ['valid-user'] }, + ] }, + { 'path' => '/var/www/files', + 'provider' => 'location', + 'limit_except' => [ + { 'methods' => 'GET HEAD', + 'require' => ['valid-user'] }, + ] }, + { 'path' => '/var/www/dav', + 'dav' => 'filesystem', + 'dav_depth_infinity' => true, + 'dav_min_timeout' => 600 }, + { + 'path' => '/var/www/http2', + 'h2_copy_files' => true, + 'h2_push_resource' => [ + '/foo.css', + '/foo.js', + ] + }, + { + 'path' => '/', + 'provider' => 'location', + 'auth_ldap_referrals' => 'off', + 'auth_basic_fake' => 'demo demopass', + 'auth_user_file' => '/path/to/authz_user_file', + 'auth_group_file' => '/path/to/authz_group_file', + 'setenv' => ['SPECIAL_PATH /foo/bin'] + }, + { + 'path' => '/proxy', + 'provider' => 'location', + 'proxy_pass' => [ + { + 'url' => 'http://backend-b/', + 'keywords' => ['noquery', 'interpolate'], + 'params' => { + 'retry' => 0, + 'timeout' => 5 + } + }, + ] + }, + { + 'path' => '^/proxy', + 'provider' => 'locationmatch', + 'proxy_pass_match' => [ + { + 'url' => 'http://backend-b/', + 'keywords' => ['noquery', 'interpolate'], + 'params' => { + 'retry' => 0, + 'timeout' => 5 + } + }, + ] + }, + { + 'path' => '/var/www/node-app/public', + 'passenger_enabled' => true, + 'passenger_base_uri' => '/app', + 'passenger_ruby' => '/path/to/ruby', + 'passenger_python' => '/path/to/python', + 'passenger_nodejs' => '/path/to/nodejs', + 'passenger_meteor_app_settings' => '/path/to/file.json', + 'passenger_app_env' => 'demo', + 'passenger_app_root' => '/var/www/node-app', + 'passenger_app_group_name' => 'foo_bar', + 'passenger_app_start_command' => 'start-command', + 'passenger_app_type' => 'node', + 'passenger_startup_file' => 'start.js', + 'passenger_restart_dir' => 'temp', + 'passenger_load_shell_envvars' => false, + 'passenger_preload_bundler' => false, + 'passenger_rolling_restarts' => false, + 'passenger_resist_deployment_errors' => false, + 'passenger_user' => 'nodeuser', + 'passenger_group' => 'nodegroup', + 'passenger_friendly_error_pages' => true, + 'passenger_min_instances' => 7, + 'passenger_max_instances' => 9, + 'passenger_force_max_concurrent_requests_per_process' => 12, + 'passenger_start_timeout' => 10, + 'passenger_concurrency_model' => 'thread', + 'passenger_thread_count' => 20, + 'passenger_max_requests' => 2000, + 'passenger_max_request_time' => 1, + 'passenger_memory_limit' => 32, + 'passenger_high_performance' => false, + 'passenger_buffer_upload' => false, + 'passenger_buffer_response' => false, + 'passenger_error_override' => false, + 'passenger_max_request_queue_size' => 120, + 'passenger_max_request_queue_time' => 5, + 'passenger_sticky_sessions' => true, + 'passenger_sticky_sessions_cookie_name' => '_delicious_cookie', + 'passenger_sticky_sessions_cookie_attributes' => 'SameSite=Lax; Secure;', + 'passenger_allow_encoded_slashes' => false, + 'passenger_app_log_file' => '/tmp/app.log', + 'passenger_debugger' => false, + 'gssapi' => { + 'acceptor_name' => '{HOSTNAME}', + 'allowed_mech' => ['krb5', 'iakerb', 'ntlmssp'], + 'authname' => 'Kerberos 5', + 'authtype' => 'GSSAPI', + 'basic_auth' => true, + 'basic_auth_mech' => ['krb5', 'iakerb', 'ntlmssp'], + 'basic_ticket_timeout' => 300, + 'connection_bound' => true, + 'cred_store' => { + 'ccache' => ['/path/to/directory'], + 'client_keytab' => ['/path/to/example.keytab'], + 'keytab' => ['/path/to/example.keytab'] + }, + 'deleg_ccache_dir' => '/path/to/directory', + 'deleg_ccache_env_var' => 'KRB5CCNAME', + 'deleg_ccache_perms' => { + 'mode' => '0600', + 'uid' => 'example-user', + 'gid' => 'example-group' + }, + 'deleg_ccache_unique' => true, + 'impersonate' => true, + 'local_name' => true, + 'name_attributes' => 'json', + 'negotiate_once' => true, + 'publish_errors' => true, + 'publish_mech' => true, + 'required_name_attributes' => 'auth-indicators=high', + 'session_key' => 'file:/path/to/example.key', + 'signal_persistent_auth' => true, + 'ssl_only' => true, + 'use_s4u2_proxy' => true, + 'use_sessions' => true + } + }, + { + 'path' => '/private_1', + 'provider' => 'location', + 'ssl_options' => ['+ExportCertData', '+StdEnvVars'], + 'ssl_verify_client' => 'optional', + 'ssl_verify_depth' => 10 + }, + { + 'path' => '/private_2', + 'provider' => 'location', + 'mellon_enable' => 'auth', + 'mellon_sp_private_key_file' => '/etc/httpd/mellon/example.com_mellon.key', + 'mellon_sp_cert_file' => '/etc/httpd/mellon/example.com_mellon.crt', + 'mellon_sp_metadata_file' => '/etc/httpd/mellon/example.com_sp_mellon.xml', + 'mellon_idp_metadata_file' => '/etc/httpd/mellon/example.com_idp_mellon.xml', + 'mellon_set_env' => { 'isMemberOf' => 'urn:oid:1.3.6.1.4.1.5923.1.5.1.1' }, + 'mellon_set_env_no_prefix' => { 'isMemberOf' => 'urn:oid:1.3.6.1.4.1.5923.1.5.1.1' }, + 'mellon_user' => 'urn:oid:0.9.2342.19200300.100.1.1', + 'mellon_saml_response_dump' => 'Off', + 'mellon_cond' => ['isMemberOf "cn=example-access,ou=Groups,o=example,o=com" [MAP]'], + 'mellon_session_length' => '300' + }, + { + 'path' => '/secure', + 'provider' => 'location', + 'auth_type' => 'Basic', + 'authz_core' => { + 'require_all' => { + 'require_any' => { + 'require' => ['user superadmin'], + 'require_all' => { + 'require' => ['group admins', 'ldap-group "cn=Administrators,o=Airius"'], + }, + }, + 'require_none' => { + 'require' => ['group temps', 'ldap-group "cn=Temporary Employees,o=Airius"'] + } + } + } + }, + ], + 'error_log' => false, + 'error_log_file' => 'httpd_error_log', + 'error_log_syslog' => true, + 'error_log_format' => ['[%t] [%l] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i'], + 'error_documents' => 'true', + 'fallbackresource' => '/index.php', + 'scriptalias' => '/usr/lib/cgi-bin', + 'limitreqfieldsize' => 8190, + 'limitreqfields' => 100, + 'limitreqline' => 8190, + 'limitreqbody' => 0, + 'proxy_dest' => '/', + 'proxy_pass' => [ + { + 'path' => '/a', + 'url' => 'http://backend-a/', + 'keywords' => ['noquery', 'interpolate'], + 'no_proxy_uris' => ['/a/foo', '/a/bar'], + 'no_proxy_uris_match' => ['/a/foomatch'], + 'reverse_cookies' => [ + { + 'path' => '/a', + 'url' => 'http://backend-a/' + }, + { + 'domain' => 'foo', + 'url' => 'http://foo' + }, + ], + 'params' => { + 'retry' => 0, + 'timeout' => 5 + }, + 'setenv' => ['proxy-nokeepalive 1', 'force-proxy-request-1.0 1'] + }, + ], + 'proxy_pass_match' => [ + { + 'path' => '/a', + 'url' => 'http://backend-a/', + 'keywords' => ['noquery', 'interpolate'], + 'no_proxy_uris' => ['/a/foo', '/a/bar'], + 'no_proxy_uris_match' => ['/a/foomatch'], + 'params' => { + 'retry' => 0, + 'timeout' => 5 + }, + 'setenv' => ['proxy-nokeepalive 1', 'force-proxy-request-1.0 1'] + }, + ], + 'proxy_requests' => false, + 'php_admin_flags' => ['foo', 'bar'], + 'php_admin_values' => ['true', 'false'], + 'no_proxy_uris' => '/foo', + 'no_proxy_uris_match' => '/foomatch', + 'proxy_preserve_host' => true, + 'proxy_add_headers' => true, + 'proxy_error_override' => true, + 'redirect_source' => '/bar', + 'redirect_dest' => '/', + 'redirect_status' => 'temp', + 'redirectmatch_status' => ['404'], + 'redirectmatch_regexp' => ['\.git$'], + 'redirectmatch_dest' => ['http://www.example.com'], + 'headers' => ['Set X-Robots-Tag "noindex, noarchive, nosnippet"'], + 'request_headers' => ['append MirrorID "mirror 12"'], + 'rewrites' => [ + { + 'rewrite_rule' => ['^index.html$ rewrites.html'] + }, + ], + 'filters' => [ + 'FilterDeclare COMPRESS', + 'FilterProvider COMPRESS DEFLATE resp=Content-Type $text/html', + 'FilterProvider COMPRESS DEFLATE resp=Content-Type $text/css', + 'FilterProvider COMPRESS DEFLATE resp=Content-Type $text/plain', + 'FilterProvider COMPRESS DEFLATE resp=Content-Type $text/xml', + 'FilterChain COMPRESS', + 'FilterProtocol COMPRESS DEFLATE change=yes;byteranges=no', + ], + 'rewrite_base' => '/', + 'rewrite_rule' => '^index.html$ welcome.html', + 'rewrite_cond' => ['%{HTTP_USER_AGENT} ^MSIE'], + 'rewrite_inherit' => true, + 'setenv' => ['FOO=/bin/true'], + 'setenvif' => 'Request_URI "\.gif$" object_is_image=gif', + 'setenvifnocase' => 'REMOTE_ADDR ^127.0.0.1 localhost=true', + 'block' => 'scm', + 'wsgi_application_group' => '%{GLOBAL}', + 'wsgi_daemon_process' => { 'foo' => { 'python-home' => '/usr' }, 'bar' => {} }, + 'wsgi_daemon_process_options' => { + 'processes' => 2, + 'threads' => 15, + 'display-name' => '%{GROUP}' }, - }, - ], - :match => [ - ' ', - ' Allow from rspec.org', - ' AllowOverride AuthConfig Indexes', - ' Deny from google.com', - ' Options -MultiViews +MultiViews', - ' Order deny,yned', - ' PassengerEnabled onf', - ' ', - ' ', - ' AllowOverride None', - ' Order allow,deny', - ' Allow from all', - ' AddHandler cgi-script .cgi', - ' ', - ], - }, - { - :title => 'should accept multiple directories', - :attr => 'directories', - :value => [ - { 'path' => '/opt/app' }, - { 'path' => '/var/www' }, - { 'path' => '/rspec/docroot'} - ], - :match => [ - ' ', - ' ', - ' ', - ], - }, - { - :title => 'should contain virtual_docroot', - :attr => 'virtual_docroot', - :value => '/not/default', - :match => [ - ' VirtualDocumentRoot /not/default', - ], - }, - { - :title => 'should accept setting SSLProtocol', - :attr => 'ssl_protocol', - :value => 'all -SSLv2', - :match => ' SSLProtocol all -SSLv2', - }, - { - :title => 'should accept setting SSLCipherSuite', - :attr => 'ssl_cipher', - :value => 'RC4-SHA:HIGH:!ADH:!SSLv2', - :match => ' SSLCipherSuite RC4-SHA:HIGH:!ADH:!SSLv2', - }, - { - :title => 'should accept setting SSLHonorCipherOrder', - :attr => 'ssl_honorcipherorder', - :value => 'On', - :match => ' SSLHonorCipherOrder On' - }, - { - :title => 'should accept setting SSLVerifyClient', - :attr => 'ssl_verify_client', - :value => 'optional', - :match => /SSLVerifyClient\w+optional/ - }, - { - :title => 'should accept setting SSLVerifyDepth', - :attr => 'ssl_verify_depth', - :value => '1', - :match => /SSLVerifyDepth\w+1/ - }, - { - :title => 'should accept setting SSLOptions with a string', - :attr => 'ssl_options', - :value => '+ExportCertData', - :match => /SSLOptions\w+\+ExportCertData/ - }, - { - :title => 'should accept setting SSLOptions with an array', - :attr => 'ssl_options', - :value => ['+StdEnvVars','+ExportCertData'], - :match => /SSLOptions\w+\+StdEnvVars\w+\+ExportCertData/ - }, + 'wsgi_import_script' => '/var/www/demo.wsgi', + 'wsgi_import_script_options' => { + 'process-group' => 'wsgi', + 'application-group' => '%{GLOBAL}' + }, + 'wsgi_process_group' => 'wsgi', + 'wsgi_script_aliases' => { + '/' => '/var/www/demo.wsgi' + }, + 'wsgi_script_aliases_match' => { + '^/test/(^[/*)' => '/var/www/demo.wsgi' + }, + 'wsgi_pass_authorization' => 'On', + 'custom_fragment' => '#custom string', + 'itk' => { + 'user' => 'someuser', + 'group' => 'somegroup' + }, + 'wsgi_chunked_request' => 'On', + 'action' => 'foo', + 'additional_includes' => '/custom/path/includes', + 'use_optional_includes' => true, + 'suexec_user_group' => 'root root', + 'allow_encoded_slashes' => 'nodecode', + 'use_canonical_name' => 'dns', + + 'h2_copy_files' => false, + 'h2_direct' => true, + 'h2_early_hints' => false, + 'h2_max_session_streams' => 100, + 'h2_modern_tls_only' => true, + 'h2_push' => true, + 'h2_push_diary_size' => 256, + 'h2_push_priority' => [ + 'application/json 32', + ], + 'h2_push_resource' => [ + '/css/main.css', + '/js/main.js', + ], + 'h2_serialize_headers' => false, + 'h2_stream_max_mem_size' => 65_536, + 'h2_tls_cool_down_secs' => 1, + 'h2_tls_warm_up_size' => 1_048_576, + 'h2_upgrade' => true, + 'h2_window_size' => 65_535, + + 'passenger_enabled' => false, + 'passenger_base_uri' => '/app', + 'passenger_ruby' => '/usr/bin/ruby1.9.1', + 'passenger_python' => '/usr/local/bin/python', + 'passenger_nodejs' => '/usr/bin/node', + 'passenger_meteor_app_settings' => '/path/to/some/file.json', + 'passenger_app_env' => 'test', + 'passenger_app_root' => '/usr/share/myapp', + 'passenger_app_group_name' => 'app_customer', + 'passenger_app_start_command' => 'start-my-app', + 'passenger_app_type' => 'rack', + 'passenger_startup_file' => 'bin/www', + 'passenger_restart_dir' => 'tmp', + 'passenger_spawn_method' => 'direct', + 'passenger_load_shell_envvars' => false, + 'passenger_preload_bundler' => false, + 'passenger_rolling_restarts' => false, + 'passenger_resist_deployment_errors' => true, + 'passenger_user' => 'sandbox', + 'passenger_group' => 'sandbox', + 'passenger_friendly_error_pages' => false, + 'passenger_min_instances' => 1, + 'passenger_max_instances' => 30, + 'passenger_max_preloader_idle_time' => 600, + 'passenger_force_max_concurrent_requests_per_process' => 10, + 'passenger_start_timeout' => 600, + 'passenger_concurrency_model' => 'thread', + 'passenger_thread_count' => 5, + 'passenger_max_requests' => 1000, + 'passenger_max_request_time' => 2, + 'passenger_memory_limit' => 64, + 'passenger_stat_throttle_rate' => 5, + 'passenger_pre_start' => 'http://localhost/myapp', + 'passenger_high_performance' => true, + 'passenger_buffer_upload' => false, + 'passenger_buffer_response' => false, + 'passenger_error_override' => true, + 'passenger_max_request_queue_size' => 10, + 'passenger_max_request_queue_time' => 2, + 'passenger_sticky_sessions' => true, + 'passenger_sticky_sessions_cookie_name' => '_nom_nom_nom', + 'passenger_sticky_sessions_cookie_attributes' => 'Nom=nom; Secure;', + 'passenger_allow_encoded_slashes' => true, + 'passenger_app_log_file' => '/app/log/file', + 'passenger_debugger' => true, + 'passenger_lve_min_uid' => 500, + 'add_default_charset' => 'UTF-8', + 'jk_mounts' => [ + { 'mount' => '/*', 'worker' => 'tcnode1' }, + { 'unmount' => '/*.jpg', 'worker' => 'tcnode1' }, + ], + 'auth_kerb' => true, + 'krb_method_negotiate' => 'off', + 'krb_method_k5passwd' => 'off', + 'krb_authoritative' => 'off', + 'krb_auth_realms' => ['EXAMPLE.ORG', 'EXAMPLE.NET'], + 'krb_5keytab' => '/tmp/keytab5', + 'krb_local_user_mapping' => 'off', + 'http_protocol_options' => 'Strict LenientMethods Allow0.9', + 'keepalive' => 'on', + 'keepalive_timeout' => 100, + 'max_keepalive_requests' => 1000, + 'protocols' => ['h2', 'http/1.1'], + 'protocols_honor_order' => true, + 'auth_oidc' => true, + 'oidc_settings' => { 'ProviderMetadataURL' => 'https://login.example.com/.well-known/openid-configuration', + 'ClientID' => 'test', + 'RedirectURI' => 'https://login.example.com/redirect_uri', + 'ProviderTokenEndpointAuth' => 'client_secret_basic', + 'RemoteUserClaim' => 'sub', + 'ClientSecret' => 'aae053a9-4abf-4824-8956-e94b2af335c8', + 'CryptoPassphrase' => '4ad1bb46-9979-450e-ae58-c696967df3cd' }, + 'mdomain' => 'example.com example.net auto', + 'userdir' => 'disabled', + 'proxy_protocol' => true, + 'proxy_protocol_exceptions' => ['127.0.0.1', '10.0.0.0/8'], + } + end + + it { is_expected.to compile.with_all_deps } + it { is_expected.not_to contain_file('/var/www/foo') } + it { is_expected.to contain_class('apache::mod::ssl') } + + it { + expect(subject).to contain_file('ssl.conf').with( + content: %r{^\s+SSLHonorCipherOrder On$}, + ) + } + + it { + expect(subject).to contain_file('ssl.conf').with( + content: %r{^\s+SSLPassPhraseDialog builtin$}, + ) + } + + it { + expect(subject).to contain_file('ssl.conf').with( + content: %r{^\s+SSLSessionCacheTimeout 300$}, + ) + } + + it { is_expected.to contain_file('rspec.example.com_ssl_cert') } + it { is_expected.to contain_file('rspec.example.com_ssl_key') } + it { is_expected.to contain_file('rspec.example.com_ssl_chain') } + it { is_expected.to contain_file('rspec.example.com_ssl_foo.crl') } - ].each do |param| - describe "when #{param[:attr]} is #{param[:value]}" do - let :params do default_params.merge({ param[:attr].to_sym => param[:value] }) end + it { + expect(subject).to contain_file('/var/www/logs').with('ensure' => 'directory', + 'mode' => '0600') + } - it { should contain_file("25-#{title}.conf").with_mode('0644') } - it param[:title] do - lines = subject.resource('file', "25-#{title}.conf").send(:parameters)[:content].split("\n") - (Array(param[:match]).collect { |x| (lines.grep x).first }.length).should == Array(param[:match]).length - (Array(param[:notmatch]).collect { |x| lines.grep x }.flatten).should be_empty + it { is_expected.to contain_class('apache::mod::alias') } + it { is_expected.to contain_class('apache::mod::auth_basic') } + it { is_expected.to contain_class('apache::mod::authn_file') } + it { is_expected.to contain_class('apache::mod::authz_groupfile') } + it { is_expected.to contain_class('apache::mod::auth_gssapi') } + it { is_expected.to contain_class('apache::mod::env') } + it { is_expected.to contain_class('apache::mod::filter') } + it { is_expected.to contain_class('apache::mod::headers') } + it { is_expected.to contain_class('apache::mod::mime') } + it { is_expected.to contain_class('apache::mod::passenger') } + it { is_expected.to contain_class('apache::mod::proxy') } + it { is_expected.to contain_class('apache::mod::proxy_http') } + it { is_expected.to contain_class('apache::mod::rewrite') } + it { is_expected.to contain_class('apache::mod::setenvif') } + it { is_expected.to contain_class('apache::mod::suexec') } + it { is_expected.to contain_class('apache::mod::vhost_alias') } + it { is_expected.to contain_class('apache::mod::wsgi') } + + it { + expect(subject).to contain_concat('30-rspec.example.com.conf').with('owner' => 'root', + 'mode' => '0644', + 'show_diff' => true, + 'require' => 'Package[httpd]', + 'notify' => 'Class[Apache::Service]') + } + + if os_facts[:os]['name'] == 'Ubuntu' + it { + expect(subject).to contain_file('30-rspec.example.com.conf symlink').with('ensure' => 'link', + 'path' => "/etc/#{apache_name}/sites-enabled/30-rspec.example.com.conf") + } end + it { + expect(subject).to contain_concat__fragment('rspec.example.com-apache-header') + .with_content(%r{^\s+LimitRequestFieldSize 8190$}) + .with_content(%r{^\s+LimitRequestFields 100$}) + .with_content(%r{^\s+LimitRequestLine 8190$}) + .with_content(%r{^\s+LimitRequestBody 0$}) + } + + it { is_expected.to contain_concat__fragment('rspec.example.com-docroot') } + + it { + expect(subject).to contain_concat__fragment('rspec.example.com-aliases').with( + content: %r{^\s+Alias /image "/rspec/image"$}, + ) + } + + it { is_expected.to contain_concat__fragment('rspec.example.com-itk') } + it { is_expected.to contain_concat__fragment('rspec.example.com-fallbackresource') } + + it { + expect(subject).to contain_concat__fragment('rspec.example.com-directories') + .with_content(%r{^\s+$}) + .with_content(%r{^\s+Include\s'/custom/path/includes'$}) + .with_content(%r{^\s+Include\s'/custom/path/another_includes'$}) + .with_content(%r{^\s+H2CopyFiles\sOn$}) + .with_content(%r{^\s+H2PushResource\s/foo.css$}) + .with_content(%r{^\s+H2PushResource\s/foo.js$}) + .with_content(%r{^\s+Require valid-user$}) + .with_content(%r{^\s+Require all denied$}) + .with_content(%r{^\s+Require all granted$}) + .with_content(%r{^\s+Require user superadmin$}) + .with_content(%r{^\s+$}) + .with_content(%r{^\s+$}) + .with_content(%r{^\s+Require all-valid1$}) + .with_content(%r{^\s+Require all-valid2$}) + .with_content(%r{^\s+$}) + .with_content(%r{^\s+$}) + .with_content(%r{^\s+Require none-valid1$}) + .with_content(%r{^\s+Require none-valid2$}) + .with_content(%r{^\s+$}) + .with_content(%r{^\s+$}) + .with_content(%r{^\s+Require any-valid1$}) + .with_content(%r{^\s+Require any-valid2$}) + .with_content(%r{^\s+EnableSendfile On$}) + .with_content(%r{^\s+LDAPReferrals off$}) + .with_content(%r{^\s+ProxyPass http://backend-b/ retry=0 timeout=5 noquery interpolate$}) + .with_content(%r{^\s+ProxyPassMatch http://backend-b/ retry=0 timeout=5 noquery interpolate$}) + .with_content(%r{^\s+Options\sIndexes\sFollowSymLinks\sMultiViews$}) + .with_content(%r{^\s+IndexOptions\sFancyIndexing$}) + .with_content(%r{^\s+IndexStyleSheet\s'/styles/style\.css'$}) + .with_content(%r{^\s+DirectoryIndex\sdisabled$}) + .with_content(%r{^\s+SetOutputFilter\soutput_filter$}) + .with_content(%r{^\s+SetInputFilter\sinput_filter$}) + .with_content(%r{^\s+$}) + .with_content(%r{\s+\s*Require valid-user\s*}m) + .with_content(%r{^\s+$}) + .with_content(%r{\s+\s*Require valid-user\s*}m) + .with_content(%r{^\s+Dav\sfilesystem$}) + .with_content(%r{^\s+DavDepthInfinity\sOn$}) + .with_content(%r{^\s+DavMinTimeout\s600$}) + .with_content(%r{^\s+PassengerEnabled\sOn$}) + .with_content(%r{^\s+PassengerBaseURI\s/app$}) + .with_content(%r{^\s+PassengerRuby\s/path/to/ruby$}) + .with_content(%r{^\s+PassengerPython\s/path/to/python$}) + .with_content(%r{^\s+PassengerNodejs\s/path/to/nodejs$}) + .with_content(%r{^\s+PassengerMeteorAppSettings\s/path/to/file\.json$}) + .with_content(%r{^\s+PassengerAppEnv\sdemo$}) + .with_content(%r{^\s+PassengerAppRoot\s/var/www/node-app$}) + .with_content(%r{^\s+PassengerAppGroupName\sfoo_bar$}) + .with_content(%r{^\s+PassengerAppType\snode$}) + .with_content(%r{^\s+PassengerStartupFile\sstart\.js$}) + .with_content(%r{^\s+PassengerRestartDir\stemp$}) + .with_content(%r{^\s+PassengerLoadShellEnvvars\sOff$}) + .with_content(%r{^\s+PassengerPreloadBundler\sOff$}) + .with_content(%r{^\s+PassengerRollingRestarts\sOff$}) + .with_content(%r{^\s+PassengerResistDeploymentErrors\sOff$}) + .with_content(%r{^\s+PassengerUser\snodeuser$}) + .with_content(%r{^\s+PassengerGroup\snodegroup$}) + .with_content(%r{^\s+PassengerFriendlyErrorPages\sOn$}) + .with_content(%r{^\s+PassengerMinInstances\s7$}) + .with_content(%r{^\s+PassengerMaxInstances\s9$}) + .with_content(%r{^\s+PassengerForceMaxConcurrentRequestsPerProcess\s12$}) + .with_content(%r{^\s+PassengerStartTimeout\s10$}) + .with_content(%r{^\s+PassengerConcurrencyModel\sthread$}) + .with_content(%r{^\s+PassengerThreadCount\s20$}) + .with_content(%r{^\s+PassengerMaxRequests\s2000$}) + .with_content(%r{^\s+PassengerMaxRequestTime\s1$}) + .with_content(%r{^\s+PassengerMemoryLimit\s32$}) + .with_content(%r{^\s+PassengerHighPerformance\sOff$}) + .with_content(%r{^\s+PassengerBufferUpload\sOff$}) + .with_content(%r{^\s+PassengerBufferResponse\sOff$}) + .with_content(%r{^\s+PassengerErrorOverride\sOff$}) + .with_content(%r{^\s+PassengerMaxRequestQueueSize\s120$}) + .with_content(%r{^\s+PassengerMaxRequestQueueTime\s5$}) + .with_content(%r{^\s+PassengerStickySessions\sOn$}) + .with_content(%r{^\s+PassengerStickySessionsCookieName\s_delicious_cookie$}) + .with_content(%r{^\s+PassengerAllowEncodedSlashes\sOff$}) + .with_content(%r{^\s+PassengerDebugger\sOff$}) + .with_content(%r{^\s+GssapiAcceptorName\s{HOSTNAME}$}) + .with_content(%r{^\s+GssapiAllowedMech\skrb5$}) + .with_content(%r{^\s+GssapiAllowedMech\siakerb$}) + .with_content(%r{^\s+GssapiAllowedMech\sntlmssp$}) + .with_content(%r{^\s+GssapiBasicAuth\sOn$}) + .with_content(%r{^\s+GssapiBasicAuthMech\skrb5$}) + .with_content(%r{^\s+GssapiBasicAuthMech\siakerb$}) + .with_content(%r{^\s+GssapiBasicAuthMech\sntlmssp$}) + .with_content(%r{^\s+GssapiBasicTicketTimeout\s300$}) + .with_content(%r{^\s+GssapiConnectionBound\sOn$}) + .with_content(%r{^\s+GssapiCredStore\sccache:FILE:/path/to/directory$}) + .with_content(%r{^\s+GssapiCredStore\sclient_keytab:/path/to/example\.keytab$}) + .with_content(%r{^\s+GssapiCredStore\skeytab:/path/to/example\.keytab$}) + .with_content(%r{^\s+GssapiDelegCcacheDir\s/path/to/directory$}) + .with_content(%r{^\s+GssapiDelegCcacheEnvVar\sKRB5CCNAME$}) + .with_content(%r{^\s+GssapiDelegCcachePerms\smode:0600\suid:example-user\sgid:example-group$}) + .with_content(%r{^\s+GssapiDelegCcacheUnique\sOn$}) + .with_content(%r{^\s+GssapiImpersonate\sOn$}) + .with_content(%r{^\s+GssapiLocalName\sOn$}) + .with_content(%r{^\s+GssapiNameAttributes\sjson$}) + .with_content(%r{^\s+GssapiNegotiateOnce\sOn$}) + .with_content(%r{^\s+GssapiPublishErrors\sOn$}) + .with_content(%r{^\s+GssapiPublishMech\sOn$}) + .with_content(%r{^\s+GssapiRequiredNameAttributes\s"auth-indicators=high"$}) + .with_content(%r{^\s+GssapiSessionKey\sfile:/path/to/example\.key$}) + .with_content(%r{^\s+GssapiSignalPersistentAuth\sOn$}) + .with_content(%r{^\s+GssapiSSLonly\sOn$}) + .with_content(%r{^\s+GssapiUseS4U2Proxy\sOn$}) + .with_content(%r{^\s+GssapiUseSessions\sOn$}) + .with_content(%r{^\s+SSLVerifyClient\soptional$}) + .with_content(%r{^\s+SSLVerifyDepth\s10$}) + .with_content(%r{^\s+MellonEnable\s"auth"$}) + .with_content(%r{^\s+MellonSPPrivateKeyFile\s"/etc/httpd/mellon/example\.com_mellon\.key"$}) + .with_content(%r{^\s+MellonSPCertFile\s"/etc/httpd/mellon/example\.com_mellon\.crt"$}) + .with_content(%r{^\s+MellonSPMetadataFile\s"/etc/httpd/mellon/example\.com_sp_mellon\.xml"$}) + .with_content(%r{^\s+MellonIDPMetadataFile\s"/etc/httpd/mellon/example\.com_idp_mellon\.xml"$}) + .with_content(%r{^\s+MellonSetEnv\s"isMemberOf"\s"urn:oid:1\.3\.6\.1\.4\.1\.5923\.1\.5\.1\.1"$}) + .with_content(%r{^\s+MellonSetEnvNoPrefix\s"isMemberOf"\s"urn:oid:1\.3\.6\.1\.4\.1\.5923\.1\.5\.1\.1"$}) + .with_content(%r{^\s+MellonUser\s"urn:oid:0\.9\.2342\.19200300\.100\.1\.1"$}) + .with_content(%r{^\s+MellonCond\sisMemberOf\s"cn=example-access,ou=Groups,o=example,o=com"\s\[MAP\]$}) + .with_content(%r{^\s+MellonSessionLength\s"300"$}) + } + # rubocop:enable RSpec/ExampleLength + + it { is_expected.to contain_concat__fragment('rspec.example.com-additional_includes') } + + it { + expect(subject).to contain_concat__fragment('rspec.example.com-logging') + .with_content(%r{^\s+ErrorLogFormat "\[%t\] \[%l\] %7F: %E: \[client\\ %a\] %M% ,\\ referer\\ %\{Referer\}i"$}) + } + + it { is_expected.to contain_concat__fragment('rspec.example.com-serversignature') } + it { is_expected.not_to contain_concat__fragment('rspec.example.com-access_log') } + it { is_expected.to contain_concat__fragment('rspec.example.com-action') } + it { is_expected.to contain_concat__fragment('rspec.example.com-block') } + it { is_expected.to contain_concat__fragment('rspec.example.com-error_document') } + + it { + expect(subject).to contain_concat__fragment('rspec.example.com-proxy') + .with_content(%r{retry=0}) + .with_content(%r{timeout=5}) + .with_content(%r{SetEnv force-proxy-request-1.0 1}) + .with_content(%r{SetEnv proxy-nokeepalive 1}) + .with_content(%r{noquery interpolate}) + .with_content(%r{ProxyPreserveHost On}) + .with_content(%r{ProxyAddHeaders On}) + .with_content(%r{ProxyPassReverseCookiePath\s+/a\s+http://}) + .with_content(%r{ProxyPassReverseCookieDomain\s+foo\s+http://foo}) + } + + it { is_expected.to contain_concat__fragment('rspec.example.com-redirect') } + + it { + expect(subject).to contain_concat__fragment('rspec.example.com-rewrite') + .with_content(%r{^\s+RewriteEngine On$}) + .with_content(%r{^\s+RewriteOptions Inherit$}) + .with_content(%r{^\s+RewriteBase /}) + .with_content(%r{^\s+RewriteRule \^index\.html\$ rewrites.html$}) + } + + it { is_expected.to contain_concat__fragment('rspec.example.com-scriptalias') } + it { is_expected.to contain_concat__fragment('rspec.example.com-serveralias').with_content(%r{^ ServerAlias test-example\.com$}) } + + it { + expect(subject).to contain_concat__fragment('rspec.example.com-setenv') + .with_content(%r{SetEnv FOO=/bin/true}) + .with_content(%r{SetEnvIf Request_URI "\\.gif\$" object_is_image=gif}) + .with_content(%r{SetEnvIfNoCase REMOTE_ADDR \^127.0.0.1 localhost=true}) + } + + it { + expect(subject).to contain_concat__fragment('rspec.example.com-ssl') + .with_content(%r{^\s+SSLOpenSSLConfCmd\s+DHParameters "foo.pem"$}) + .with_content(%r{^\s+SSLHonorCipherOrder\s+Off$}) + .with_content(%r{^\s+SSLUserName\s+SSL_CLIENT_S_DN_CN$}) + } + + it { + expect(subject).to contain_concat__fragment('rspec.example.com-sslproxy') + .with_content(%r{^\s+SSLProxyEngine On$}) + .with_content(%r{^\s+SSLProxyCheckPeerCN\s+on$}) + .with_content(%r{^\s+SSLProxyCheckPeerName\s+on$}) + .with_content(%r{^\s+SSLProxyCheckPeerExpire\s+on$}) + .with_content(%r{^\s+SSLProxyCipherSuite\s+HIGH$}) + .with_content(%r{^\s+SSLProxyProtocol\s+TLSv1.2$}) + } + + it { is_expected.to contain_concat__fragment('rspec.example.com-php_admin') } + it { is_expected.to contain_concat__fragment('rspec.example.com-header') } + + it { + expect(subject).to contain_concat__fragment('rspec.example.com-filters').with( + content: %r{^\s+FilterDeclare COMPRESS$}, + ) + } + + it { is_expected.to contain_concat__fragment('rspec.example.com-requestheader') } + it { is_expected.to contain_concat__fragment('rspec.example.com-wsgi') } + it { is_expected.to contain_concat__fragment('rspec.example.com-custom_fragment') } + it { is_expected.to contain_concat__fragment('rspec.example.com-suexec') } + it { is_expected.to contain_concat__fragment('rspec.example.com-allow_encoded_slashes') } + it { is_expected.to contain_concat__fragment('rspec.example.com-passenger') } + it { is_expected.to contain_concat__fragment('rspec.example.com-charsets') } + it { is_expected.not_to contain_concat__fragment('rspec.example.com-security') } + + it { + expect(subject).to contain_concat__fragment('rspec.example.com-file_footer') + .with_content(%r{^PassengerPreStart\shttp://localhost/myapp$}) + } + + it { + expect(subject).to contain_concat__fragment('rspec.example.com-jk_mounts') + .with_content(%r{^\s+JkMount\s+/\*\s+tcnode1$}) + .with_content(%r{^\s+JkUnMount\s+/\*\.jpg\s+tcnode1$}) + } + + it { + expect(subject).to contain_concat__fragment('rspec.example.com-auth_kerb') + .with_content(%r{^\s+KrbMethodNegotiate\soff$}) + .with_content(%r{^\s+KrbAuthoritative\soff$}) + .with_content(%r{^\s+KrbAuthRealms\sEXAMPLE.ORG\sEXAMPLE.NET$}) + .with_content(%r{^\s+Krb5Keytab\s/tmp/keytab5$}) + .with_content(%r{^\s+KrbLocalUserMapping\soff$}) + .with_content(%r{^\s+KrbServiceName\sHTTP$}) + .with_content(%r{^\s+KrbSaveCredentials\soff$}) + .with_content(%r{^\s+KrbVerifyKDC\son$}) + } + + it { + expect(subject).to contain_concat__fragment('rspec.example.com-http_protocol_options').with( + content: %r{^\s*HttpProtocolOptions\s+Strict\s+LenientMethods\s+Allow0\.9$}, + ) + } + + it { + expect(subject).to contain_concat__fragment('rspec.example.com-keepalive_options') + .with_content(%r{^\s+KeepAlive\son$}) + .with_content(%r{^\s+KeepAliveTimeout\s100$}) + .with_content(%r{^\s+MaxKeepAliveRequests\s1000$}) + } + + it { + expect(subject).to contain_concat__fragment('rspec.example.com-apache-header') + .with_content(%r{^\s+Protocols\sh2 http/1.1$}) + .with_content(%r{^\s+ProtocolsHonorOrder\sOn$}) + } + + it { + expect(subject).to contain_concat__fragment('rspec.example.com-http2') + .with_content(%r{^\s+H2CopyFiles\sOff$}) + .with_content(%r{^\s+H2Direct\sOn$}) + .with_content(%r{^\s+H2EarlyHints\sOff$}) + .with_content(%r{^\s+H2MaxSessionStreams\s100$}) + .with_content(%r{^\s+H2ModernTLSOnly\sOn$}) + .with_content(%r{^\s+H2Push\sOn$}) + .with_content(%r{^\s+H2PushDiarySize\s256$}) + .with_content(%r{^\s+H2PushPriority\sapplication/json 32$}) + .with_content(%r{^\s+H2PushResource\s/css/main.css$}) + .with_content(%r{^\s+H2PushResource\s/js/main.js$}) + .with_content(%r{^\s+H2SerializeHeaders\sOff$}) + .with_content(%r{^\s+H2StreamMaxMemSize\s65536$}) + .with_content(%r{^\s+H2TLSCoolDownSecs\s1$}) + .with_content(%r{^\s+H2TLSWarmUpSize\s1048576$}) + .with_content(%r{^\s+H2Upgrade\sOn$}) + .with_content(%r{^\s+H2WindowSize\s65535$}) + } + + it { + expect(subject).to contain_concat__fragment('rspec.example.com-passenger') + .with_content(%r{^\s+PassengerEnabled\sOff$}) + .with_content(%r{^\s+PassengerBaseURI\s/app$}) + .with_content(%r{^\s+PassengerRuby\s/usr/bin/ruby1\.9\.1$}) + .with_content(%r{^\s+PassengerPython\s/usr/local/bin/python$}) + .with_content(%r{^\s+PassengerNodejs\s/usr/bin/node$}) + .with_content(%r{^\s+PassengerMeteorAppSettings\s/path/to/some/file.json$}) + .with_content(%r{^\s+PassengerAppEnv\stest$}) + .with_content(%r{^\s+PassengerAppRoot\s/usr/share/myapp$}) + .with_content(%r{^\s+PassengerAppGroupName\sapp_customer$}) + .with_content(%r{^\s+PassengerAppType\srack$}) + .with_content(%r{^\s+PassengerStartupFile\sbin/www$}) + .with_content(%r{^\s+PassengerRestartDir\stmp$}) + .with_content(%r{^\s+PassengerSpawnMethod\sdirect$}) + .with_content(%r{^\s+PassengerLoadShellEnvvars\sOff$}) + .with_content(%r{^\s+PassengerPreloadBundler\sOff$}) + .with_content(%r{^\s+PassengerRollingRestarts\sOff$}) + .with_content(%r{^\s+PassengerResistDeploymentErrors\sOn$}) + .with_content(%r{^\s+PassengerUser\ssandbox$}) + .with_content(%r{^\s+PassengerGroup\ssandbox$}) + .with_content(%r{^\s+PassengerFriendlyErrorPages\sOff$}) + .with_content(%r{^\s+PassengerMinInstances\s1$}) + .with_content(%r{^\s+PassengerMaxInstances\s30$}) + .with_content(%r{^\s+PassengerMaxPreloaderIdleTime\s600$}) + .with_content(%r{^\s+PassengerForceMaxConcurrentRequestsPerProcess\s10$}) + .with_content(%r{^\s+PassengerStartTimeout\s600$}) + .with_content(%r{^\s+PassengerConcurrencyModel\sthread$}) + .with_content(%r{^\s+PassengerThreadCount\s5$}) + .with_content(%r{^\s+PassengerMaxRequests\s1000$}) + .with_content(%r{^\s+PassengerMaxRequestTime\s2$}) + .with_content(%r{^\s+PassengerMemoryLimit\s64$}) + .with_content(%r{^\s+PassengerStatThrottleRate\s5$}) + .with_content(%r{^\s+PassengerHighPerformance\sOn$}) + .with_content(%r{^\s+PassengerBufferUpload\sOff$}) + .with_content(%r{^\s+PassengerBufferResponse\sOff$}) + .with_content(%r{^\s+PassengerErrorOverride\sOn$}) + .with_content(%r{^\s+PassengerMaxRequestQueueSize\s10$}) + .with_content(%r{^\s+PassengerMaxRequestQueueTime\s2$}) + .with_content(%r{^\s+PassengerStickySessions\sOn$}) + .with_content(%r{^\s+PassengerStickySessionsCookieName\s_nom_nom_nom$}) + .with_content(%r{^\s+PassengerAllowEncodedSlashes\sOn$}) + .with_content(%r{^\s+PassengerDebugger\sOn$}) + .with_content(%r{^\s+PassengerLveMinUid\s500$}) + } + + it { + expect(subject).to contain_concat__fragment('rspec.example.com-auth_oidc') + .with_content(%r{^\s+OIDCProviderMetadataURL\shttps://login.example.com/\.well-known/openid-configuration$}) + .with_content(%r{^\s+OIDCClientID\stest$}) + .with_content(%r{^\s+OIDCRedirectURI\shttps://login\.example.com/redirect_uri$}) + .with_content(%r{^\s+OIDCProviderTokenEndpointAuth\sclient_secret_basic$}) + .with_content(%r{^\s+OIDCRemoteUserClaim\ssub$}) + .with_content(%r{^\s+OIDCClientSecret\saae053a9-4abf-4824-8956-e94b2af335c8$}) + .with_content(%r{^\s+OIDCCryptoPassphrase\s4ad1bb46-9979-450e-ae58-c696967df3cd$}) + } + + it { is_expected.to contain_class('apache::mod::md') } + + it { + expect(subject).to contain_concat__fragment('rspec.example.com-apache-header').with( + content: %r{^MDomain example\.com example\.net auto$}, + ) + } + + it { + expect(subject).to contain_concat__fragment('rspec.example.com-proxy_protocol') + .with_content(%r{^\s+RemoteIPProxyProtocol On$}) + .with_content(%r{^\s+RemoteIPProxyProtocolExceptions 127\.0\.0\.1$}) + .with_content(%r{^\s+RemoteIPProxyProtocolExceptions 10\.0\.0\.0/8$}) + } end - end - end - context 'attribute resources' do - describe 'when access_log_file and access_log_pipe are specified' do - let :params do default_params.merge({ - :access_log_file => 'fake.log', - :access_log_pipe => '| /bin/fake', - }) end - it 'should cause a failure' do - expect { subject }.to raise_error(Puppet::Error, /'access_log_file' and 'access_log_pipe' cannot be defined at the same time/) + context 'vhost with proxy_add_headers true' do + let :params do + { + 'docroot' => '/var/www/foo', + 'manage_docroot' => false, + 'virtual_docroot' => true, + 'virtual_use_default_docroot' => false, + 'port' => 8080, + 'ip' => '127.0.0.1', + 'ip_based' => true, + 'add_listen' => false, + 'serveradmin' => 'foo@localhost', + 'priority' => 30, + 'default_vhost' => true, + 'servername' => 'example.com', + 'serveraliases' => ['test-example.com'], + 'options' => ['MultiView'], + 'override' => ['All'], + 'directoryindex' => 'index.html', + 'vhost_name' => 'test', + 'proxy_add_headers' => true + } + end + + it { is_expected.to compile } + it { is_expected.to contain_concat__fragment('rspec.example.com-proxy').with_content(%r{ProxyAddHeaders On}) } end - end - describe 'when error_log_file and error_log_pipe are specified' do - let :params do default_params.merge({ - :error_log_file => 'fake.log', - :error_log_pipe => '| /bin/fake', - }) end - it 'should cause a failure' do - expect { subject }.to raise_error(Puppet::Error, /'error_log_file' and 'error_log_pipe' cannot be defined at the same time/) + + context 'vhost with proxy_add_headers false' do + let :params do + { + 'docroot' => '/var/www/foo', + 'manage_docroot' => false, + 'virtual_docroot' => true, + 'virtual_use_default_docroot' => false, + 'port' => 8080, + 'ip' => '127.0.0.1', + 'ip_based' => true, + 'add_listen' => false, + 'serveradmin' => 'foo@localhost', + 'priority' => 30, + 'default_vhost' => true, + 'servername' => 'example.com', + 'serveraliases' => ['test-example.com'], + 'options' => ['MultiView'], + 'override' => ['All'], + 'directoryindex' => 'index.html', + 'vhost_name' => 'test', + 'proxy_add_headers' => false + } + end + + it { is_expected.to compile } + it { is_expected.to contain_concat__fragment('rspec.example.com-proxy').with_content(%r{ProxyAddHeaders Off}) } end - end - describe 'when docroot owner is specified' do - let :params do default_params.merge({ - :docroot_owner => 'testuser', - :docroot_group => 'testgroup', - }) end - it 'should set vhost ownership' do - should contain_file(params[:docroot]).with({ - :ensure => :directory, - :owner => 'testuser', - :group => 'testgroup', - }) + + context 'vhost without proxy' do + let :params do + { + 'docroot' => '/var/www/foo', + 'manage_docroot' => false, + 'virtual_docroot' => true, + 'virtual_use_default_docroot' => false, + 'port' => 8080, + 'ip' => '127.0.0.1', + 'ip_based' => true, + 'add_listen' => false, + 'serveradmin' => 'foo@localhost', + 'priority' => 30, + 'default_vhost' => true, + 'servername' => 'example.com', + 'serveraliases' => ['test-example.com'], + 'options' => ['MultiView'], + 'override' => ['All'], + 'directoryindex' => 'index.html', + 'vhost_name' => 'test' + } + end + + it { is_expected.to compile } + it { is_expected.not_to contain_concat__fragment('rspec.example.com-proxy') } end - end - describe 'when wsgi_daemon_process and wsgi_daemon_process_options are specified' do - let :params do default_params.merge({ - :wsgi_daemon_process => 'example.org', - :wsgi_daemon_process_options => { 'processes' => '2', 'threads' => '15' }, - }) end - it 'should set wsgi_daemon_process_options' do - should contain_file("25-#{title}.conf").with_content( - /^ WSGIDaemonProcess example.org processes=2 threads=15$/ - ) + context 'vhost without proxy_add_headers' do + let :params do + { + 'docroot' => '/var/www/foo', + 'manage_docroot' => false, + 'virtual_docroot' => true, + 'virtual_use_default_docroot' => false, + 'port' => 8080, + 'ip' => '127.0.0.1', + 'ip_based' => true, + 'add_listen' => false, + 'serveradmin' => 'foo@localhost', + 'priority' => 30, + 'default_vhost' => true, + 'servername' => 'example.com', + 'serveraliases' => ['test-example.com'], + 'options' => ['MultiView'], + 'override' => ['All'], + 'directoryindex' => 'index.html', + 'vhost_name' => 'test', + 'proxy_preserve_host' => true + } + end + + it { is_expected.to compile } + it { is_expected.not_to contain_concat__fragment('rspec.example.com-proxy').with_content(%r{ProxyAddHeaders}) } end - end - describe 'when rewrite_rule and rewrite_cond are specified' do - let :params do default_params.merge({ - :rewrite_cond => '%{HTTPS} off', - :rewrite_rule => '(.*) https://%{HTTPS_HOST}%{REQUEST_URI}', - }) end - it 'should set RewriteCond' do - should contain_file("25-#{title}.conf").with_content( - /^ RewriteCond %\{HTTPS\} off$/ - ) + context 'vhost with scheme and port in servername and use_servername_for_filenames' do + let :params do + { + 'port' => 80, + 'ip' => '127.0.0.1', + 'ip_based' => true, + 'servername' => 'https://www.example.com:443', + 'docroot' => '/var/www/html', + 'add_listen' => true, + 'ensure' => 'present', + 'use_servername_for_filenames' => true + } + end + + it { is_expected.to compile } + + it { + expect(subject).to contain_concat__fragment('rspec.example.com-apache-header').with( + content: %r{^\s+ServerName https://www\.example\.com:443$}, + ) + } + + it { + expect(subject).to contain_concat('25-www.example.com.conf') + } end - end - describe 'when suphp_engine is on and suphp_configpath is specified' do - let :params do default_params.merge({ - :suphp_engine => 'on', - :suphp_configpath => '/etc/php5/apache2', - }) end - it 'should set suphp_configpath' do - should contain_file("25-#{title}.conf").with_content( - /^ suPHP_ConfigPath \/etc\/php5\/apache2$/ - ) + context 'vhost with scheme in servername and use_servername_for_filenames' do + let :params do + { + 'port' => 80, + 'ip' => '127.0.0.1', + 'ip_based' => true, + 'servername' => 'https://www.example.com', + 'docroot' => '/var/www/html', + 'add_listen' => true, + 'ensure' => 'present', + 'use_servername_for_filenames' => true + } + end + + it { is_expected.to compile } + + it { + expect(subject).to contain_concat__fragment('rspec.example.com-apache-header').with( + content: %r{^\s+ServerName https://www\.example\.com$}, + ) + } + + it { + expect(subject).to contain_concat('25-www.example.com.conf') + } end - end - describe 'when suphp_engine is on and suphp_addhandler is specified' do - let :params do default_params.merge({ - :suphp_engine => 'on', - :suphp_addhandler => 'x-httpd-php', - }) end - it 'should set suphp_addhandler' do - should contain_file("25-#{title}.conf").with_content( - /^ suPHP_AddHandler x-httpd-php/ - ) + context 'vhost with port in servername and use_servername_for_filenames' do + let :params do + { + 'port' => 80, + 'ip' => '127.0.0.1', + 'ip_based' => true, + 'servername' => 'www.example.com:443', + 'docroot' => '/var/www/html', + 'add_listen' => true, + 'ensure' => 'present', + 'use_servername_for_filenames' => true + } + end + + it { is_expected.to compile } + + it { + expect(subject).to contain_concat__fragment('rspec.example.com-apache-header').with( + content: %r{^\s+ServerName www\.example\.com:443$}, + ) + } + + it { + expect(subject).to contain_concat('25-www.example.com.conf') + } end - end - describe 'priority/default settings' do - describe 'when neither priority/default is specified' do - let :params do default_params end - it { should contain_file("25-#{title}.conf").with_path( - /25-#{title}.conf/ - ) } + context 'vhost with servername and use_servername_for_filenames' do + let :params do + { + 'port' => 80, + 'ip' => '127.0.0.1', + 'ip_based' => true, + 'servername' => 'www.example.com', + 'docroot' => '/var/www/html', + 'add_listen' => true, + 'ensure' => 'present', + 'use_servername_for_filenames' => true + } + end + + it { is_expected.to compile } + + it { + expect(subject).to contain_concat__fragment('rspec.example.com-apache-header').with( + content: %r{^\s+ServerName www\.example\.com$}, + ) + } + + it { + expect(subject).to contain_concat('25-www.example.com.conf') + } end - describe 'when both priority/default_vhost is specified' do + + context 'vhost with multiple ip addresses' do let :params do - default_params.merge({ - :priority => 15, - :default_vhost => true, - }) + { + 'port' => 80, + 'ip' => ['127.0.0.1', '::1'], + 'ip_based' => true, + 'servername' => 'example.com', + 'docroot' => '/var/www/html', + 'add_listen' => true, + 'ensure' => 'present' + } end - it { should contain_file("15-#{title}.conf").with_path( - /15-#{title}.conf/ - ) } + + it { is_expected.to compile } + + it { + expect(subject).to contain_concat__fragment('rspec.example.com-apache-header').with( + content: %r{[./m]*[./m]*$}, + ) + } + + it { is_expected.to contain_concat__fragment('Listen 127.0.0.1:80') } + it { is_expected.to contain_concat__fragment('Listen [::1]:80') } + it { is_expected.not_to contain_concat__fragment('NameVirtualHost 127.0.0.1:80') } + it { is_expected.not_to contain_concat__fragment('NameVirtualHost [::1]:80') } end - describe 'when only priority is specified' do + + context 'vhost with multiple ports' do let :params do - default_params.merge({ :priority => 14, }) + { + 'port' => [80, 8080], + 'ip' => '127.0.0.1', + 'ip_based' => true, + 'servername' => 'example.com', + 'docroot' => '/var/www/html', + 'add_listen' => true, + 'ensure' => 'present' + } end - it { should contain_file("14-#{title}.conf").with_path( - /14-#{title}.conf/ - ) } + + it { is_expected.to compile } + + it { + expect(subject).to contain_concat__fragment('rspec.example.com-apache-header').with( + content: %r{[./m]*[./m]*$}, + ) + } + + it { is_expected.to contain_concat__fragment('Listen 127.0.0.1:80') } + it { is_expected.to contain_concat__fragment('Listen 127.0.0.1:8080') } + it { is_expected.not_to contain_concat__fragment('NameVirtualHost 127.0.0.1:80') } + it { is_expected.not_to contain_concat__fragment('NameVirtualHost 127.0.0.1:8080') } end - describe 'when only default is specified' do + + describe 'serveraliases parameter' do + let(:params) { default_params.merge(serveraliases: serveraliases) } + + context 'with a string' do + let(:serveraliases) { 'alias.example.com' } + + it { is_expected.to compile.with_all_deps } + it { is_expected.to contain_concat__fragment('rspec.example.com-serveralias').with_content(%r{^ ServerAlias alias\.example\.com$}) } + end + + context 'with an array' do + let(:serveraliases) { ['alias1.example.com', 'alias2.example.com'] } + + it { is_expected.to compile.with_all_deps } + it do + expect(subject).to contain_concat__fragment('rspec.example.com-serveralias') + .with_content(%r{^ ServerAlias alias1\.example\.com$}) + .with_content(%r{^ ServerAlias alias2\.example\.com$}) + end + end + end + + context 'vhost with multiple ip addresses, multiple ports' do let :params do - default_params.merge({ :default_vhost => true, }) + { + 'port' => [80, 8080], + 'ip' => ['127.0.0.1', '::1'], + 'ip_based' => true, + 'servername' => 'example.com', + 'docroot' => '/var/www/html', + 'add_listen' => true, + 'ensure' => 'present' + } end - it { should contain_file("10-#{title}.conf").with_path( - /10-#{title}.conf/ - ) } + + it { is_expected.to compile } + + it { + expect(subject).to contain_concat__fragment('rspec.example.com-apache-header').with( + content: %r{[./m]*[./m]*$}, + ) + } + + it { is_expected.to contain_concat__fragment('Listen 127.0.0.1:80') } + it { is_expected.to contain_concat__fragment('Listen 127.0.0.1:8080') } + it { is_expected.to contain_concat__fragment('Listen [::1]:80') } + it { is_expected.to contain_concat__fragment('Listen [::1]:8080') } + it { is_expected.not_to contain_concat__fragment('NameVirtualHost 127.0.0.1:80') } + it { is_expected.not_to contain_concat__fragment('NameVirtualHost 127.0.0.1:8080') } + it { is_expected.not_to contain_concat__fragment('NameVirtualHost [::1]:80') } + it { is_expected.not_to contain_concat__fragment('NameVirtualHost [::1]:8080') } end - end - describe 'various ip/port combos' do - describe 'when ip_based is true' do - let :params do default_params.merge({ :ip_based => true }) end - it 'should not specify a NameVirtualHost' do - should contain_apache__listen(params[:port]) - should_not contain_apache__namevirtualhost("*:#{params[:port]}") + context 'vhost with ipv6 address' do + let :params do + { + 'port' => 80, + 'ip' => '::1', + 'ip_based' => true, + 'servername' => 'example.com', + 'docroot' => '/var/www/html', + 'add_listen' => true, + 'ensure' => 'present' + } end + + it { is_expected.to compile } + + it { + expect(subject).to contain_concat__fragment('rspec.example.com-apache-header').with( + content: %r{[./m]*[./m]*$}, + ) + } + + it { is_expected.to contain_concat__fragment('Listen [::1]:80') } + it { is_expected.not_to contain_concat__fragment('NameVirtualHost [::1]:80') } end - describe 'when ip_based is default' do - let :params do default_params end - it 'should specify a NameVirtualHost' do - should contain_apache__listen(params[:port]) - should contain_apache__namevirtualhost("*:#{params[:port]}") + context 'vhost with wildcard ip address' do + let :params do + { + 'port' => 80, + 'ip' => '*', + 'ip_based' => true, + 'servername' => 'example.com', + 'docroot' => '/var/www/html', + 'add_listen' => true, + 'ensure' => 'present' + } end + + it { is_expected.to compile } + + it { + expect(subject).to contain_concat__fragment('rspec.example.com-apache-header').with( + content: %r{[./m]*[./m]*$}, + ) + } + + it { is_expected.to contain_concat__fragment('Listen *:80') } + it { is_expected.not_to contain_concat__fragment('NameVirtualHost *:80') } end - describe 'when an ip is set' do - let :params do default_params.merge({ :ip => '10.0.0.1' }) end - it 'should specify a NameVirtualHost for the ip' do - should_not contain_apache__listen(params[:port]) - should contain_apache__listen("10.0.0.1:#{params[:port]}") - should contain_apache__namevirtualhost("10.0.0.1:#{params[:port]}") + context 'vhost with backwards compatible virtual_docroot' do + let :params do + { + 'docroot' => '/var/www/html', + 'virtual_docroot' => '/var/www/sites/%0' + } end + + it { is_expected.to compile } + + it { + expect(subject).to contain_concat__fragment('rspec.example.com-docroot').with( + content: %r{^\s+VirtualDocumentRoot "/var/www/sites/%0"$}, + ) + } + + it { + expect(subject).not_to contain_concat__fragment('rspec.example.com-docroot').with( + content: %r{^\s+DocumentRoot "/var/www/html"$}, + ) + } end - describe 'an ip_based vhost without a port' do + context 'vhost with virtual_docroot and docroot' do let :params do { - :docroot => '/fake', - :ip => '10.0.0.1', - :ip_based => true, + 'docroot' => '/var/www/html', + 'virtual_use_default_docroot' => true, + 'virtual_docroot' => '/var/www/sites/%0' } end - it 'should specify a NameVirtualHost for the ip' do - should_not contain_apache__listen(params[:ip]) - should_not contain_apache__namevirtualhost(params[:ip]) - should contain_file("25-#{title}.conf").with_content %r{} + + it { is_expected.to compile } + + it { + expect(subject).to contain_concat__fragment('rspec.example.com-docroot').with( + content: %r{^\s+VirtualDocumentRoot "/var/www/sites/%0"$}, + ) + } + + it { + expect(subject).to contain_concat__fragment('rspec.example.com-docroot').with( + content: %r{^\s+DocumentRoot "/var/www/html"$}, + ) + } + end + + context 'modsec_audit_log' do + let :params do + { + 'docroot' => '/rspec/docroot', + 'modsec_audit_log' => true + } end + + it { is_expected.to compile } + + it { + expect(subject).to contain_concat__fragment('rspec.example.com-security').with( + content: %r{^\s*SecAuditLog "/var/log/#{apache_name}/rspec\.example\.com_security\.log"$}, + ) + } end - end - describe 'redirect rules' do - describe 'without lockstep arrays' do + context 'modsec_audit_log_file' do let :params do - default_params.merge({ - :redirect_source => [ - '/login', - '/logout', - ], - :redirect_dest => [ - 'http://10.0.0.10/login', - 'http://10.0.0.10/logout', - ], - :redirect_status => [ - 'permanent', - '', - ], - }) + { + 'docroot' => '/rspec/docroot', + 'modsec_audit_log_file' => 'foo.log' + } end - it { should contain_file("25-#{title}.conf").with_content %r{ Redirect permanent /login http://10\.0\.0\.10/login} } - it { should contain_file("25-#{title}.conf").with_content %r{ Redirect /logout http://10\.0\.0\.10/logout} } + it { is_expected.to compile } + + it { + expect(subject).to contain_concat__fragment('rspec.example.com-security').with( + content: %r{\s*SecAuditLog "/var/log/#{apache_name}/foo.log"$}, + ) + } end - describe 'without a status' do + + context 'modsec_anomaly_threshold' do let :params do - default_params.merge({ - :redirect_source => [ - '/login', - '/logout', - ], - :redirect_dest => [ - 'http://10.0.0.10/login', - 'http://10.0.0.10/logout', - ], - }) + { + 'docroot' => '/rspec/docroot', + 'modsec_inbound_anomaly_threshold' => 10_000, + 'modsec_outbound_anomaly_threshold' => 10_000 + } end - it { should contain_file("25-#{title}.conf").with_content %r{ Redirect /login http://10\.0\.0\.10/login} } - it { should contain_file("25-#{title}.conf").with_content %r{ Redirect /logout http://10\.0\.0\.10/logout} } + it { is_expected.to compile } + + it { + expect(subject).to contain_concat__fragment('rspec.example.com-security').with( + content: %r{ + ^\s+SecAction\ \\\n + \s+"id:900110,\\\n + \s+phase:1,\\\n + \s+nolog,\\\n + \s+pass,\\\n + \s+t:none,\\\n + \s+setvar:tx.inbound_anomaly_score_threshold=10000,\ \\\n + \s+setvar:tx.outbound_anomaly_score_threshold=10000"$ + }x, + ) + } end - describe 'with a single status and dest' do + + context 'modsec_allowed_methods' do let :params do - default_params.merge({ - :redirect_source => [ - '/login', - '/logout', - ], - :redirect_dest => 'http://10.0.0.10/test', - :redirect_status => 'permanent', - }) + { + 'docroot' => '/rspec/docroot', + 'modsec_allowed_methods' => 'GET HEAD POST OPTIONS' + } + end + + it { is_expected.to compile } + + it { + expect(subject).to contain_concat__fragment('rspec.example.com-security').with( + content: %r{ + ^\s+SecAction\ \\\n + \s+"id:900200,\\\n + \s+phase:1,\\\n + \s+nolog,\\\n\s+pass,\\\n + \s+t:none,\\\n + \s+setvar:'tx.allowed_methods=GET\ HEAD\ POST\ OPTIONS'"$ + }x, + ) + } + end + + context 'set only aliases' do + let :params do + { + 'docroot' => '/rspec/docroot', + 'aliases' => [ + { + 'alias' => '/alias', + 'path' => '/rspec/docroot' + }, + ] + } end - it { should contain_file("25-#{title}.conf").with_content %r{ Redirect permanent /login http://10\.0\.0\.10/test} } - it { should contain_file("25-#{title}.conf").with_content %r{ Redirect permanent /logout http://10\.0\.0\.10/test} } + it { is_expected.to contain_class('apache::mod::alias') } end - describe 'with a directoryindex specified' do + context 'proxy_pass_match' do let :params do - default_params.merge({ - :directoryindex => 'index.php' - }) + { + 'docroot' => '/rspec/docroot', + 'proxy_pass_match' => [ + { + 'path' => '.*', + 'url' => 'http://backend-a/', + 'params' => { 'timeout' => 300 } + }, + ] + } + end + + it { + expect(subject).to contain_concat__fragment('rspec.example.com-proxy').with_content( + %r{ProxyPassMatch .* http://backend-a/ timeout=300}, + ).with_content(%r{## Proxy rules}) + } + end + + context 'proxy_dest_match and no proxy_dest_reverse_match' do + let :params do + { + 'docroot' => '/rspec/docroot', + 'proxy_dest_match' => '/' + } + end + + it { is_expected.to contain_concat__fragment('rspec.example.com-proxy').with_content(%r{## Proxy rules}) } + it { is_expected.to contain_concat__fragment('rspec.example.com-proxy').with_content(%r{ProxyPassMatch\s+/\s+//}) } + it { is_expected.to contain_concat__fragment('rspec.example.com-proxy').with_content(%r{ProxyPassReverse\s+/\s+/}) } + end + + context 'proxy_dest_match and proxy_dest_reverse_match' do + let :params do + { + 'docroot' => '/rspec/docroot', + 'proxy_dest_match' => '/', + 'proxy_dest_reverse_match' => 'http://localhost:8180' + } + end + + it { is_expected.to contain_concat__fragment('rspec.example.com-proxy').with_content(%r{## Proxy rules}) } + it { is_expected.to contain_concat__fragment('rspec.example.com-proxy').with_content(%r{ProxyPassMatch\s+/\s+//}) } + it { is_expected.to contain_concat__fragment('rspec.example.com-proxy').with_content(%r{ProxyPassReverse\s+/\s+http://localhost:8180/}) } + end + + context 'not everything can be set together...' do + let :params do + { + 'access_log_pipe' => '/dev/null', + 'error_log_pipe' => '/dev/null', + 'docroot' => '/var/www/foo', + 'ensure' => 'absent', + 'show_diff' => false, + 'manage_docroot' => true, + 'logroot' => '/tmp/logroot', + 'logroot_ensure' => 'absent' + } + end + + it { is_expected.to compile } + it { is_expected.not_to contain_class('apache::mod::ssl') } + it { is_expected.not_to contain_class('apache::mod::mime') } + it { is_expected.not_to contain_class('apache::mod::vhost_alias') } + it { is_expected.not_to contain_class('apache::mod::wsgi') } + it { is_expected.not_to contain_class('apache::mod::passenger') } + it { is_expected.not_to contain_class('apache::mod::suexec') } + it { is_expected.not_to contain_class('apache::mod::rewrite') } + it { is_expected.not_to contain_class('apache::mod::alias') } + it { is_expected.not_to contain_class('apache::mod::proxy') } + it { is_expected.not_to contain_class('apache::mod::proxy_http') } + it { is_expected.not_to contain_class('apache::mod::headers') } + it { is_expected.not_to contain_file('rspec.example.com_ssl_cert') } + it { is_expected.not_to contain_file('rspec.example.com_ssl_key') } + it { is_expected.not_to contain_file('rspec.example.com_ssl_chain') } + it { is_expected.not_to contain_file('rspec.example.com_ssl_foo.crl') } + it { is_expected.to contain_file('/var/www/foo') } + + it { + expect(subject).to contain_file('/tmp/logroot').with('ensure' => 'absent') + } + + it { + expect(subject).to contain_concat('25-rspec.example.com.conf').with('ensure' => 'absent', + 'show_diff' => false) + } + + it { is_expected.to contain_concat__fragment('rspec.example.com-apache-header') } + it { is_expected.not_to contain_concat__fragment('rspec.example.com-docroot') } + it { is_expected.not_to contain_concat__fragment('rspec.example.com-aliases') } + it { is_expected.not_to contain_concat__fragment('rspec.example.com-itk') } + it { is_expected.not_to contain_concat__fragment('rspec.example.com-fallbackresource') } + it { is_expected.not_to contain_concat__fragment('rspec.example.com-directories') } + it { is_expected.not_to contain_concat__fragment('rspec.example.com-additional_includes') } + it { is_expected.to contain_concat__fragment('rspec.example.com-logging') } + it { is_expected.to contain_concat__fragment('rspec.example.com-serversignature') } + it { is_expected.to contain_concat__fragment('rspec.example.com-access_log') } + it { is_expected.not_to contain_concat__fragment('rspec.example.com-action') } + it { is_expected.not_to contain_concat__fragment('rspec.example.com-block') } + it { is_expected.not_to contain_concat__fragment('rspec.example.com-error_document') } + it { is_expected.not_to contain_concat__fragment('rspec.example.com-proxy') } + it { is_expected.not_to contain_concat__fragment('rspec.example.com-redirect') } + it { is_expected.not_to contain_concat__fragment('rspec.example.com-rewrite') } + it { is_expected.not_to contain_concat__fragment('rspec.example.com-scriptalias') } + it { is_expected.not_to contain_concat__fragment('rspec.example.com-serveralias') } + it { is_expected.not_to contain_concat__fragment('rspec.example.com-setenv') } + it { is_expected.not_to contain_concat__fragment('rspec.example.com-ssl') } + it { is_expected.not_to contain_concat__fragment('rspec.example.com-sslproxy') } + it { is_expected.not_to contain_concat__fragment('rspec.example.com-php_admin') } + it { is_expected.not_to contain_concat__fragment('rspec.example.com-header') } + it { is_expected.not_to contain_concat__fragment('rspec.example.com-requestheader') } + it { is_expected.not_to contain_concat__fragment('rspec.example.com-wsgi') } + it { is_expected.not_to contain_concat__fragment('rspec.example.com-custom_fragment') } + it { is_expected.not_to contain_concat__fragment('rspec.example.com-suexec') } + it { is_expected.not_to contain_concat__fragment('rspec.example.com-charsets') } + it { is_expected.not_to contain_concat__fragment('rspec.example.com-limits') } + it { is_expected.to contain_concat__fragment('rspec.example.com-file_footer') } + end + + context 'wsgi_application_group should set apache::mod::wsgi' do + let :params do + { + 'docroot' => '/rspec/docroot', + 'wsgi_application_group' => '%{GLOBAL}' + } + end + + it { is_expected.to contain_class('apache::mod::wsgi') } + end + + context 'wsgi_daemon_process should set apache::mod::wsgi' do + let :params do + { + 'docroot' => '/rspec/docroot', + 'wsgi_daemon_process' => { 'foo' => { 'python-home' => '/usr' }, 'bar' => {} } + } + end + + it { is_expected.to contain_class('apache::mod::wsgi') } + end + + context 'wsgi_import_script on its own should not set apache::mod::wsgi' do + let :params do + { + 'docroot' => '/rspec/docroot', + 'wsgi_import_script' => '/var/www/demo.wsgi' + } end - it { should contain_file("25-#{title}.conf").with_content %r{DirectoryIndex index.php} } - end + + it { is_expected.not_to contain_class('apache::mod::wsgi') } + end + + context 'wsgi_import_script_options on its own should not set apache::mod::wsgi' do + let :params do + { + 'docroot' => '/rspec/docroot', + 'wsgi_import_script_options' => { + 'process-group' => 'wsgi', + 'application-group' => '%{GLOBAL}' + } + } + end + + it { is_expected.not_to contain_class('apache::mod::wsgi') } + end + + context 'wsgi_import_script and wsgi_import_script_options should set apache::mod::wsgi' do + let :params do + { + 'docroot' => '/rspec/docroot', + 'wsgi_import_script' => '/var/www/demo.wsgi', + 'wsgi_import_script_options' => { + 'process-group' => 'wsgi', + 'application-group' => '%{GLOBAL}' + } + } + end + + it { is_expected.to contain_class('apache::mod::wsgi') } + end + + context 'wsgi_process_group should set apache::mod::wsgi' do + let :params do + { + 'docroot' => '/rspec/docroot', + 'wsgi_daemon_process' => 'wsgi' + } + end + + it { is_expected.to contain_class('apache::mod::wsgi') } + end + + context 'wsgi_script_aliases with non-empty aliases should set apache::mod::wsgi' do + let :params do + { + 'docroot' => '/rspec/docroot', + 'wsgi_script_aliases' => { + '/' => '/var/www/demo.wsgi' + } + } + end + + it { is_expected.to contain_class('apache::mod::wsgi') } + end + + context 'wsgi_script_aliases with empty aliases should set apache::mod::wsgi' do + let :params do + { + 'docroot' => '/rspec/docroot', + 'wsgi_script_aliases' => {} + } + end + + it { is_expected.not_to contain_class('apache::mod::wsgi') } + end + + context 'wsgi_pass_authorization should set apache::mod::wsgi' do + let :params do + { + 'docroot' => '/rspec/docroot', + 'wsgi_pass_authorization' => 'On' + } + end + + it { is_expected.to contain_class('apache::mod::wsgi') } + end + + context 'when not setting nor managing the docroot' do + let :params do + { + 'docroot' => false, + 'manage_docroot' => false + } + end + + it { is_expected.to compile } + it { is_expected.not_to contain_concat__fragment('rspec.example.com-docroot') } + end + + context 'ssl_proxyengine without ssl' do + let :params do + { + 'docroot' => '/rspec/docroot', + 'ssl' => false, + 'ssl_proxyengine' => true + } + end + + it { is_expected.to compile } + it { is_expected.not_to contain_concat__fragment('rspec.example.com-ssl') } + it { is_expected.to contain_concat__fragment('rspec.example.com-sslproxy') } + end + + context 'ssl_proxy_protocol without ssl_proxyengine' do + let :params do + { + 'docroot' => '/rspec/docroot', + 'ssl' => true, + 'ssl_proxyengine' => false, + 'ssl_proxy_protocol' => 'TLSv1.2' + } + end + + it { is_expected.to compile } + it { is_expected.to contain_concat__fragment('rspec.example.com-ssl') } + it { is_expected.not_to contain_concat__fragment('rspec.example.com-sslproxy') } + end + + context 'ssl_honorcipherorder' do + let :params do + { + 'docroot' => '/rspec/docroot', + 'ssl' => true + } + end + + context 'ssl_honorcipherorder default' do + it { is_expected.to compile } + it { is_expected.to contain_concat__fragment('rspec.example.com-ssl').without_content(%r{^\s*SSLHonorCipherOrder}i) } + end + + context 'ssl_honorcipherorder on' do + let :params do + super().merge({ 'ssl_honorcipherorder' => 'on' }) + end + + it { is_expected.to compile } + it { is_expected.to contain_concat__fragment('rspec.example.com-ssl').with_content(%r{^\s*SSLHonorCipherOrder\s+On$}) } + end + + context 'ssl_honorcipherorder true' do + let :params do + super().merge({ 'ssl_honorcipherorder' => true }) + end + + it { is_expected.to compile } + it { is_expected.to contain_concat__fragment('rspec.example.com-ssl').with_content(%r{^\s*SSLHonorCipherOrder\s+On$}) } + end + + context 'ssl_honorcipherorder off' do + let :params do + super().merge({ 'ssl_honorcipherorder' => 'off' }) + end + + it { is_expected.to compile } + it { is_expected.to contain_concat__fragment('rspec.example.com-ssl').with_content(%r{^\s*SSLHonorCipherOrder\s+Off$}) } + end + + context 'ssl_honorcipherorder false' do + let :params do + super().merge({ 'ssl_honorcipherorder' => false }) + end + + it { is_expected.to compile } + it { is_expected.to contain_concat__fragment('rspec.example.com-ssl').with_content(%r{^\s*SSLHonorCipherOrder\s+Off$}) } + end + end + + describe 'access logs' do + context 'single log file' do + let(:params) do + { + 'docroot' => '/rspec/docroot', + 'access_log_file' => 'my_log_file' + } + end + + it { + expect(subject).to contain_concat__fragment('rspec.example.com-access_log').with( + content: %r{^\s+CustomLog.*my_log_file" combined\s*$}, + ) + } + end + + context 'single log file with environment' do + let(:params) do + { + 'docroot' => '/rspec/docroot', + 'access_log_file' => 'my_log_file', + 'access_log_env_var' => 'prod' + } + end + + it { + expect(subject).to contain_concat__fragment('rspec.example.com-access_log').with( + content: %r{^\s+CustomLog.*my_log_file" combined\s+env=prod$}, + ) + } + end + + context 'multiple log files' do + let(:params) do + { + 'docroot' => '/rspec/docroot', + 'access_logs' => [ + { 'file' => '/tmp/log1', 'env' => 'dev' }, + { 'file' => 'log2' }, + { 'syslog' => 'syslog', 'format' => '%h %l' }, + ] + } + end + + it { + expect(subject).to contain_concat__fragment('rspec.example.com-access_log').with( + content: %r{^\s+CustomLog "/tmp/log1"\s+combined\s+env=dev$}, + ) + } + + it { + expect(subject).to contain_concat__fragment('rspec.example.com-access_log').with( + content: %r{^\s+CustomLog "/var/log/#{apache_name}/log2"\s+combined\s*$}, + ) + } + + it { + expect(subject).to contain_concat__fragment('rspec.example.com-access_log').with( + content: %r{^\s+CustomLog "syslog" "%h %l"\s*$}, + ) + } + end + end + + describe 'error logs format' do + context 'single log format directive as a string' do + let(:params) do + { + 'docroot' => '/rspec/docroot', + 'error_log_format' => ['[%t] [%l] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i'] + } + end + + it { + expect(subject).to contain_concat__fragment('rspec.example.com-logging').with( + content: %r{^\s+ErrorLogFormat "\[%t\] \[%l\] %7F: %E: \[client\\ %a\] %M% ,\\ referer\\ %\{Referer\}i"$}, + ) + } + end + + context 'multiple log format directives' do + let(:params) do + { + 'docroot' => '/rspec/docroot', + 'error_log_format' => [ + '[%{uc}t] [%-m:%-l] [R:%L] [C:%{C}L] %7F: %E: %M', + { '[%{uc}t] [R:%L] Request %k on C:%{c}L pid:%P tid:%T' => 'request' }, + { "[%{uc}t] [R:%L] UA:'%+{User-Agent}i'" => 'request' }, + { "[%{uc}t] [R:%L] Referer:'%+{Referer}i'" => 'request' }, + { '[%{uc}t] [C:%{c}L] local\ %a remote\ %A' => 'connection' }, + ] + } + end + + it { + expect(subject).to contain_concat__fragment('rspec.example.com-logging') + .with_content(%r{^\s+ErrorLogFormat "\[%\{uc\}t\] \[%-m:%-l\] \[R:%L\] \[C:%\{C\}L\] %7F: %E: %M"$}) + .with_content(%r{^\s+ErrorLogFormat request "\[%\{uc\}t\] \[R:%L\] Request %k on C:%\{c\}L pid:%P tid:%T"$}) + .with_content(%r{^\s+ErrorLogFormat request "\[%\{uc\}t\] \[R:%L\] UA:'%\+\{User-Agent\}i'"$}) + .with_content(%r{^\s+ErrorLogFormat request "\[%\{uc\}t\] \[R:%L\] Referer:'%\+\{Referer\}i'"$}) + .with_content(%r{^\s+ErrorLogFormat connection "\[%\{uc\}t\] \[C:%\{c\}L\] local\\ %a remote\\ %A"$}) + } + end + end + + describe 'validation' do + let(:params) do + { + 'docroot' => '/rspec/docroot' + } + end + + [ + 'ensure', 'ip_based', 'access_log', 'error_log', + 'ssl', 'default_vhost', 'ssl_proxyengine', 'rewrites', 'suexec_user_group', + 'wsgi_script_alias', 'wsgi_daemon_process_options', + 'wsgi_import_script_alias', 'itk', 'logroot_ensure', 'log_level', + 'fallbackresource' + ].each do |parameter| + context "bad #{parameter}" do + let(:params) { super().merge(parameter => 'bogus') } + + it { is_expected.to raise_error(Puppet::Error) } + end + end + + context 'bad rewrites 2' do + let(:params) { super().merge('rewrites' => ['bogus']) } + + it { is_expected.to raise_error(Puppet::Error) } + end + + context 'empty rewrites' do + let(:params) do + super().merge( + 'rewrite_inherit' => false, + 'rewrites' => [], + ) + end + + it { + expect(subject).to compile + expect(subject).not_to contain_concat__fragment('rspec.example.com-rewrite') + } + end + + context 'empty rewrites_with_rewrite_inherit' do + let(:params) do + super().merge( + 'rewrite_inherit' => true, + 'rewrites' => [], + ) + end + + it { + expect(subject).not_to contain_concat__fragment('rspec.example.com-rewrite') + .with_content(%r{^\s+RewriteOptions Inherit$}) + .with_content(%r{^\s+RewriteEngine On$}) + .with_content(%r{^\s+RewriteRule \^index\.html\$ welcome.html$}) + } + end + + context 'empty rewrites_without_rewrite_inherit' do + let(:params) do + super().merge( + 'rewrite_inherit' => false, + 'rewrites' => [], + ) + end + + it { + expect(subject).not_to contain_concat__fragment('rspec.example.com-rewrite') + .with_content(%r{^\s+RewriteEngine On$}) + .with_content(%r{^\s+RewriteRule \^index\.html\$ welcome.html$}) + .without(content: %r{^\s+RewriteOptions Inherit$}) + } + end + + context 'bad error_log_format flag' do + let :params do + super().merge( + 'error_log_format' => [ + { 'some format' => 'bogus' }, + ], + ) + end + + it { is_expected.to raise_error(Puppet::Error) } + end + + context 'access_log_file and access_log_pipe' do + let :params do + super().merge( + 'access_log_file' => 'bogus', + 'access_log_pipe' => 'bogus', + ) + end + + it { is_expected.to raise_error(Puppet::Error) } + end + + context 'error_log_file and error_log_pipe' do + let :params do + super().merge( + 'error_log_file' => 'bogus', + 'error_log_pipe' => 'bogus', + ) + end + + it { is_expected.to raise_error(Puppet::Error) } + end + + context 'bad custom_fragment' do + let(:params) { super().merge('custom_fragment' => true) } + + it { is_expected.to raise_error(Puppet::Error) } + end + + context 'bad access_logs' do + let(:params) { super().merge('access_logs' => '/var/log/somewhere') } + + it { is_expected.to raise_error(Puppet::Error) } + end + + context 'default of require all granted' do + let :params do + { + 'docroot' => '/var/www/foo', + 'directories' => [ + { + 'path' => '/var/www/foo/files', + 'provider' => 'files' + }, + ] + + } + end + + it { is_expected.to compile } + it { is_expected.to contain_concat('25-rspec.example.com.conf') } + + if os_facts[:os]['family'] == 'RedHat' || os_facts[:os]['name'] == 'SLES' + it { + expect(subject).to contain_concat__fragment('rspec.example.com-directories').with( + content: %r{^\s+Require all granted$}, + ) + } + else + it { is_expected.to contain_concat__fragment('rspec.example.com-directories') } + end + end + + context 'require unmanaged' do + let :params do + { + 'docroot' => '/var/www/foo', + 'directories' => [ + { + 'path' => '/var/www/foo', + 'require' => 'unmanaged' + }, + ] + + } + end + + it { is_expected.to compile } + it { is_expected.to contain_concat('25-rspec.example.com.conf') } + + it { + expect(subject).not_to contain_concat__fragment('rspec.example.com-directories').with( + content: %r{^\s+Require all granted$}, + ) + } + end + + describe 'redirectmatch_*' do + let(:params) { super().merge(port: 84) } + + context 'dest and regexp' do + let(:params) { super().merge(redirectmatch_dest: 'http://other.example.com$1.jpg', redirectmatch_regexp: '(.*).gif$') } + + it { is_expected.to contain_concat__fragment('rspec.example.com-redirect') } + it { is_expected.to contain_class('apache::mod::alias') } + end + + context 'none' do + it { is_expected.not_to contain_concat__fragment('rspec.example.com-redirect') } + it { is_expected.not_to contain_class('apache::mod::alias') } + end + end + end + + context 'oidc_settings RedirectURL' do + describe 'with VALID relative URI' do + let :params do + default_params.merge( + 'auth_oidc' => true, + 'oidc_settings' => { 'ProviderMetadataURL' => 'https://login.example.com/.well-known/openid-configuration', + 'ClientID' => 'test', + 'RedirectURI' => '/some/valid/relative/uri', + 'ProviderTokenEndpointAuth' => 'client_secret_basic', + 'RemoteUserClaim' => 'sub', + 'ClientSecret' => 'aae053a9-4abf-4824-8956-e94b2af335c8', + 'CryptoPassphrase' => '4ad1bb46-9979-450e-ae58-c696967df3cd' }, + ) + end + + it { is_expected.to compile } + + it { + expect(subject).to contain_concat__fragment('rspec.example.com-auth_oidc').with( + content: %r{^\s+OIDCRedirectURI\s/some/valid/relative/uri$}, + ) + } + end + + describe 'with INVALID relative URI' do + let :params do + default_params.merge( + 'auth_oidc' => true, + 'oidc_settings' => { 'ProviderMetadataURL' => 'https://login.example.com/.well-known/openid-configuration', + 'ClientID' => 'test', + 'RedirectURI' => 'invalid_uri', + 'ProviderTokenEndpointAuth' => 'client_secret_basic', + 'RemoteUserClaim' => 'sub', + 'ClientSecret' => 'aae053a9-4abf-4824-8956-e94b2af335c8', + 'CryptoPassphrase' => '4ad1bb46-9979-450e-ae58-c696967df3cd' }, + ) + end + + it { is_expected.not_to compile } + end + end + + context 'mdomain' do + let :params do + default_params.merge( + 'mdomain' => true, + ) + end + + it { + expect(subject).to contain_concat__fragment('rspec.example.com-apache-header').with( + content: %r{^MDomain rspec.example.com$}, + ) + } + end + + context 'userdir' do + let :params do + default_params.merge( + 'userdir' => [ + 'disabled', + 'enabled bob', + ], + ) + + it { + expect(subject).to contain_concat__fragment('rspec.example.com-apache-userdir') + .with(content: %r{^\s+UserDir disabled$}) + .with(content: %r{^\s+UUserDir enabled bob$}) + } + end + end end end end diff --git a/spec/fixtures/files/negotiation.conf b/spec/fixtures/files/negotiation.conf new file mode 100644 index 0000000000..c0bb8b9fd2 --- /dev/null +++ b/spec/fixtures/files/negotiation.conf @@ -0,0 +1,4 @@ +# This is a file only for spec testing + +LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt pt-BR ru sv zh-CN zh-TW +ForceLanguagePriority Prefer Fallback diff --git a/spec/fixtures/files/spec b/spec/fixtures/files/spec new file mode 100644 index 0000000000..76e9a14466 --- /dev/null +++ b/spec/fixtures/files/spec @@ -0,0 +1 @@ +# This is a file only for spec testing diff --git a/spec/fixtures/modules/site_apache/templates/fake.conf.erb b/spec/fixtures/site_apache/templates/fake.conf.epp similarity index 100% rename from spec/fixtures/modules/site_apache/templates/fake.conf.erb rename to spec/fixtures/site_apache/templates/fake.conf.epp diff --git a/templates/mod/negotiation.conf.erb b/spec/fixtures/templates/negotiation.conf.erb similarity index 76% rename from templates/mod/negotiation.conf.erb rename to spec/fixtures/templates/negotiation.conf.erb index 50921019bc..5575022463 100644 --- a/templates/mod/negotiation.conf.erb +++ b/spec/fixtures/templates/negotiation.conf.erb @@ -1,2 +1,4 @@ +# This is a template only for spec testing + LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt pt-BR ru sv zh-CN zh-TW ForceLanguagePriority Prefer Fallback diff --git a/spec/functions/authz_core_config_spec.rb b/spec/functions/authz_core_config_spec.rb new file mode 100644 index 0000000000..068b82a31e --- /dev/null +++ b/spec/functions/authz_core_config_spec.rb @@ -0,0 +1,53 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'apache::authz_core_config' do + let(:input1) do + { + 'Require' => [ + 'user foo', + 'user bar', + ] + } + end + + let(:input2) do + { + 'require_all' => { + 'require_any' => { + 'require' => ['user superadmin'], + 'require_all' => { + 'require' => ['group admins', 'ldap-group "cn=Administrators,o=Airius"'] + } + }, + 'require_none' => { + 'require' => ['group temps', 'ldap-group "cn=Temporary Employees,o=Airius"'] + } + } + } + end + let(:output2) do + [ + ' ', + ' ', + ' Require user superadmin', + ' ', + ' Require group admins', + ' Require ldap-group "cn=Administrators,o=Airius"', + ' ', + ' ', + ' ', + ' Require group temps', + ' Require ldap-group "cn=Temporary Employees,o=Airius"', + ' ', + ' ', + ] + end + + it { is_expected.to run.with_params(nil).and_raise_error(StandardError) } + it { is_expected.to run.with_params([]).and_raise_error(StandardError) } + it { is_expected.to run.with_params({}).and_return([]) } + it { is_expected.to run.with_params(input1).and_return([' Require user foo', ' Require user bar']) } + it { is_expected.to run.with_params(input2).and_return(output2) } +end diff --git a/spec/functions/bool2httpd_spec.rb b/spec/functions/bool2httpd_spec.rb new file mode 100644 index 0000000000..eb7bcf1c28 --- /dev/null +++ b/spec/functions/bool2httpd_spec.rb @@ -0,0 +1,37 @@ +# frozen_string_literal: true + +require 'spec_helper' + +shared_examples 'apache::bool2httpd function' do + it { is_expected.not_to eq(nil) } + it { is_expected.to run.with_params.and_raise_error(ArgumentError) } + it { is_expected.to run.with_params('1', '2').and_raise_error(ArgumentError) } + it { is_expected.to run.with_params(true).and_return('On') } + it { is_expected.to run.with_params('true').and_return('On') } + + it 'expected to return a string "On"' do + expect(subject.execute(true)).to be_an_instance_of(String) + end + + it { is_expected.to run.with_params(false).and_return('Off') } + it { is_expected.to run.with_params('false').and_return('Off') } + + it 'expected to return a string "Off"' do + expect(subject.execute(false)).to be_an_instance_of(String) + end + + it { is_expected.to run.with_params('mail').and_return('mail') } + it { is_expected.to run.with_params(nil).and_return('Off') } + it { is_expected.to run.with_params(:undef).and_return('Off') } + it { is_expected.to run.with_params('foo').and_return('foo') } +end + +describe 'apache::bool2httpd' do + it_behaves_like 'apache::bool2httpd function' + + describe 'deprecated non-namespaced shim' do + describe 'bool2httpd', type: :puppet_function do + it_behaves_like 'apache::bool2httpd function' + end + end +end diff --git a/spec/functions/pw_hash_spec.rb b/spec/functions/pw_hash_spec.rb new file mode 100644 index 0000000000..40674aa890 --- /dev/null +++ b/spec/functions/pw_hash_spec.rb @@ -0,0 +1,28 @@ +# frozen_string_literal: true + +require 'spec_helper' + +shared_examples 'apache::pw_hash function' do + it { is_expected.not_to eq(nil) } + it { is_expected.to run.with_params.and_raise_error(ArgumentError) } + it { is_expected.to run.with_params('').and_raise_error(ArgumentError) } + it { is_expected.to run.with_params(1).and_raise_error(ArgumentError) } + it { is_expected.to run.with_params(true).and_raise_error(ArgumentError) } + it { is_expected.to run.with_params({}).and_raise_error(ArgumentError) } + it { is_expected.to run.with_params([]).and_raise_error(ArgumentError) } + it { is_expected.to run.with_params('test').and_return('{SHA}qUqP5cyxm6YcTAhz05Hph5gvu9M=') } +end + +describe 'apache::pw_hash' do + it_behaves_like 'apache::pw_hash function' + + describe 'deprecated shims' do + describe 'apache_pw_hash', type: :puppet_function do + it_behaves_like 'apache::pw_hash function' + end + + describe 'apache::apache_pw_hash', type: :puppet_function do + it_behaves_like 'apache::pw_hash function' + end + end +end diff --git a/spec/setup_acceptance_node.pp b/spec/setup_acceptance_node.pp new file mode 100644 index 0000000000..641c9d4f24 --- /dev/null +++ b/spec/setup_acceptance_node.pp @@ -0,0 +1,56 @@ +# needed by tests +package { 'curl': + ensure => 'latest', +} + +case $facts['os']['family'] { + 'SLES', 'SUSE': { + # Enable legacy repo to install net-tools-deprecated package + # If SUSE OS major version is >= 15 and minor version is > 3 + if (versioncmp($facts['os']['release']['major'], '15') >= 0 and versioncmp($facts['os']['release']['minor'], '3') == 1) { + exec { 'enable legacy repos': + path => '/bin:/usr/bin/:/sbin:/usr/sbin', + command => "SUSEConnect --product sle-module-legacy/${facts['os']['release']['major']}.${facts['os']['release']['minor']}/x86_64", + unless => "SUSEConnect --status-text | grep sle-module-legacy/${facts['os']['release']['major']}.${facts['os']['release']['minor']}/x86_64", + } + } + # needed for netstat, for serverspec checks + package { 'net-tools-deprecated': + ensure => 'latest', + } + } + 'RedHat': { + # Make sure selinux is disabled so the tests work. + if $facts['os']['selinux']['enabled'] { + exec { 'setenforce 0': + path => $facts['path'], + } + } + + if $facts['os']['selinux']['enabled'] { + $semanage_package = $facts['os']['release']['major'] ? { + '6' => 'policycoreutils-python', + '7' => 'policycoreutils-python', + default => 'policycoreutils-python-utils', + } + package { $semanage_package: + ensure => installed, + } + } + + if versioncmp($facts['os']['release']['major'], '8') >= 0 { + package { 'iproute': + ensure => installed, + } + } + include epel + } + 'Debian': { + if $facts['os']['name'] == 'Debian' and versioncmp($facts['os']['release']['major'], '11') >= 0 { + # Ensure ipv6 is enabled on our Debian 11 Docker boxes + exec { 'sysctl -w net.ipv6.conf.all.disable_ipv6=0': + path => $facts['path'], + } + } + } +} diff --git a/spec/spec.opts b/spec/spec.opts deleted file mode 100644 index de653df4b3..0000000000 --- a/spec/spec.opts +++ /dev/null @@ -1,4 +0,0 @@ ---format s ---colour ---loadby mtime ---backtrace diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb index 2c6f56649a..ae7c1f6818 100644 --- a/spec/spec_helper.rb +++ b/spec/spec_helper.rb @@ -1 +1,75 @@ +# frozen_string_literal: true + +RSpec.configure do |c| + c.mock_with :rspec +end + require 'puppetlabs_spec_helper/module_spec_helper' +require 'rspec-puppet-facts' + +require 'spec_helper_local' if File.file?(File.join(File.dirname(__FILE__), 'spec_helper_local.rb')) + +include RspecPuppetFacts + +default_facts = { + puppetversion: Puppet.version, + facterversion: Facter.version, +} + +default_fact_files = [ + File.expand_path(File.join(File.dirname(__FILE__), 'default_facts.yml')), + File.expand_path(File.join(File.dirname(__FILE__), 'default_module_facts.yml')), +] + +default_fact_files.each do |f| + next unless File.exist?(f) && File.readable?(f) && File.size?(f) + + begin + require 'deep_merge' + default_facts.deep_merge!(YAML.safe_load(File.read(f), permitted_classes: [], permitted_symbols: [], aliases: true)) + rescue StandardError => e + RSpec.configuration.reporter.message "WARNING: Unable to load #{f}: #{e}" + end +end + +# read default_facts and merge them over what is provided by facterdb +default_facts.each do |fact, value| + add_custom_fact fact, value, merge_facts: true +end + +RSpec.configure do |c| + c.default_facts = default_facts + c.before :each do + # set to strictest setting for testing + # by default Puppet runs at warning level + Puppet.settings[:strict] = :warning + Puppet.settings[:strict_variables] = true + end + c.filter_run_excluding(bolt: true) unless ENV['GEM_BOLT'] + c.after(:suite) do + RSpec::Puppet::Coverage.report!(0) + end + + # Filter backtrace noise + backtrace_exclusion_patterns = [ + %r{spec_helper}, + %r{gems}, + ] + + if c.respond_to?(:backtrace_exclusion_patterns) + c.backtrace_exclusion_patterns = backtrace_exclusion_patterns + elsif c.respond_to?(:backtrace_clean_patterns) + c.backtrace_clean_patterns = backtrace_exclusion_patterns + end +end + +# Ensures that a module is defined +# @param module_name Name of the module +def ensure_module_defined(module_name) + module_name.split('::').reduce(Object) do |last_module, next_module| + last_module.const_set(next_module, Module.new) unless last_module.const_defined?(next_module, false) + last_module.const_get(next_module, false) + end +end + +# 'spec_overrides' from sync.yml will appear below this line diff --git a/spec/spec_helper_acceptance.rb b/spec/spec_helper_acceptance.rb new file mode 100644 index 0000000000..9899608a14 --- /dev/null +++ b/spec/spec_helper_acceptance.rb @@ -0,0 +1,7 @@ +# frozen_string_literal: true + +require 'puppet_litmus' +require 'spec_helper_acceptance_local' if File.file?(File.join(File.dirname(__FILE__), 'spec_helper_acceptance_local.rb')) + +PuppetLitmus.configure! +ApacheModTestFilterHelper.instance.initialize_ampc(os) diff --git a/spec/spec_helper_acceptance_local.rb b/spec/spec_helper_acceptance_local.rb new file mode 100644 index 0000000000..974921d9c6 --- /dev/null +++ b/spec/spec_helper_acceptance_local.rb @@ -0,0 +1,152 @@ +# frozen_string_literal: true + +require 'singleton' +require_relative '../util/apache_mod_platform_support' + +class LitmusHelper + include Singleton + include PuppetLitmus +end + +class ApacheModTestFilterHelper + include Singleton + + def initialize_ampc(os) + @ampc = ApacheModPlatformCompatibility.new + @ampc.generate_supported_platforms_versions + @ampc.register_running_platform(os) + @ampc.generate_mod_platform_exclusions + end + + def mod_supported_on_platform?(mod) + @ampc.mod_supported_on_platform?(mod) + end + + def print_parsing_errors + @ampc.print_parsing_errors + end +end + +RSpec.configure do |c| + # IPv6 is not enabled by default in the new travis-ci Trusty environment (see https://github.com/travis-ci/travis-ci/issues/8891 ) + c.filter_run_excluding ipv6: true if ENV['CI'] == 'true' + c.before :suite do + LitmusHelper.instance.run_shell('puppet module install puppet/epel') if %r{redhat|oracle}.match?(os[:family]) + + LitmusHelper.instance.apply_manifest(File.read(File.join(__dir__, 'setup_acceptance_node.pp'))) + end + + c.after :suite do + ApacheModTestFilterHelper.instance.print_parsing_errors + end +end + +def apache_settings_hash + osfamily = os[:family] + operatingsystemrelease = os[:release].to_f + apache = {} + case osfamily + when 'redhat', 'oracle' + apache['httpd_dir'] = '/etc/httpd' + apache['confd_dir'] = '/etc/httpd/conf.d' + apache['conf_file'] = '/etc/httpd/conf/httpd.conf' + apache['ports_file'] = '/etc/httpd/conf/ports.conf' + apache['vhost_dir'] = '/etc/httpd/conf.d' + apache['vhost'] = '/etc/httpd/conf.d/15-default-80.conf' + apache['run_dir'] = '/var/run/httpd' + apache['doc_root'] = '/var/www' + apache['service_name'] = 'httpd' + apache['package_name'] = 'httpd' + apache['error_log'] = 'error_log' + if operatingsystemrelease >= 8 && osfamily == 'redhat' + apache['version'] = '2.4' + apache['mod_dir'] = '/etc/httpd/conf.modules.d' + apache['mod_ssl_dir'] = apache['mod_dir'] + elsif operatingsystemrelease >= 7 && osfamily == 'redhat' + apache['version'] = '2.4' + apache['mod_dir'] = '/etc/httpd/conf.modules.d' + apache['mod_ssl_dir'] = apache['confd_dir'] + elsif operatingsystemrelease >= 7 && osfamily == 'oracle' + apache['version'] = '2.4' + apache['mod_dir'] = '/etc/httpd/conf.modules.d' + apache['mod_ssl_dir'] = apache['confd_dir'] + else + apache['version'] = '2.2' + apache['mod_dir'] = '/etc/httpd/conf.d' + apache['mod_ssl_dir'] = apache['mod_dir'] + end + when 'debian', 'ubuntu' + apache['httpd_dir'] = '/etc/apache2' + apache['confd_dir'] = '/etc/apache2/conf.d' + apache['mod_dir'] = '/etc/apache2/mods-available' + apache['conf_file'] = '/etc/apache2/apache2.conf' + apache['ports_file'] = '/etc/apache2/ports.conf' + apache['vhost'] = '/etc/apache2/sites-available/15-default-80.conf' + apache['vhost_dir'] = '/etc/apache2/sites-enabled' + apache['run_dir'] = '/var/run/apache2' + apache['doc_root'] = '/var/www' + apache['service_name'] = 'apache2' + apache['package_name'] = 'apache2' + apache['error_log'] = 'error.log' + apache['version'] = '2.4' + apache['mod_ssl_dir'] = apache['mod_dir'] + when 'freebsd' + apache['httpd_dir'] = '/usr/local/etc/apache24' + apache['confd_dir'] = '/usr/local/etc/apache24/Includes' + apache['mod_dir'] = '/usr/local/etc/apache24/Modules' + apache['conf_file'] = '/usr/local/etc/apache24/httpd.conf' + apache['ports_file'] = '/usr/local/etc/apache24/Includes/ports.conf' + apache['vhost'] = '/usr/local/etc/apache24/Vhosts/15-default-80.conf' + apache['vhost_dir'] = '/usr/local/etc/apache24/Vhosts' + apache['run_dir'] = '/var/run/apache24' + apache['doc_root'] = '/var/www' + apache['service_name'] = 'apache24' + apache['package_name'] = 'apache24' + apache['error_log'] = 'http-error.log' + apache['version'] = '2.4' + apache['mod_ssl_dir'] = apache['mod_dir'] + when 'gentoo' + apache['httpd_dir'] = '/etc/apache2' + apache['confd_dir'] = '/etc/apache2/conf.d' + apache['mod_dir'] = '/etc/apache2/modules.d' + apache['conf_file'] = '/etc/apache2/httpd.conf' + apache['ports_file'] = '/etc/apache2/ports.conf' + apache['vhost'] = '/etc/apache2/vhosts.d/15-default-80.conf' + apache['vhost_dir'] = '/etc/apache2/vhosts.d' + apache['run_dir'] = '/var/run/apache2' + apache['doc_root'] = '/var/www' + apache['service_name'] = 'apache2' + apache['package_name'] = 'www-servers/apache' + apache['error_log'] = 'http-error.log' + apache['version'] = '2.4' + apache['mod_ssl_dir'] = apache['mod_dir'] + when 'suse', 'sles' + apache['httpd_dir'] = '/etc/apache2' + apache['confd_dir'] = '/etc/apache2/conf.d' + apache['mod_dir'] = '/etc/apache2/mods-available' + apache['conf_file'] = '/etc/apache2/httpd.conf' + apache['ports_file'] = '/etc/apache2/ports.conf' + apache['vhost'] = '/etc/apache2/sites-available/15-default-80.conf' + apache['vhost_dir'] = '/etc/apache2/sites-available' + apache['run_dir'] = '/var/run/apache2' + apache['doc_root'] = '/srv/www' + apache['service_name'] = 'apache2' + apache['package_name'] = 'apache2' + apache['error_log'] = 'error.log' + apache['version'] = if operatingsystemrelease < 12 + '2.2' + else + '2.4' + end + apache['mod_ssl_dir'] = apache['mod_dir'] + else + raise 'unable to figure out what apache version' + end + apache +end + +def mod_supported_on_platform?(mod) + return false if ENV['DISABLE_MOD_TEST_EXCLUSION'] + + ApacheModTestFilterHelper.instance.mod_supported_on_platform?(mod) +end diff --git a/spec/spec_helper_local.rb b/spec/spec_helper_local.rb new file mode 100644 index 0000000000..d2c5fc09bf --- /dev/null +++ b/spec/spec_helper_local.rb @@ -0,0 +1,209 @@ +# frozen_string_literal: true + +if ENV['COVERAGE'] == 'yes' + require 'simplecov' + require 'simplecov-console' + require 'codecov' + + SimpleCov.formatters = [ + SimpleCov::Formatter::HTMLFormatter, + SimpleCov::Formatter::Console, + SimpleCov::Formatter::Codecov, + ] + SimpleCov.start do + track_files 'lib/**/*.rb' + + add_filter '/spec' + + # do not track vendored files + add_filter '/vendor' + add_filter '/.vendor' + + # do not track gitignored files + # this adds about 4 seconds to the coverage check + # this could definitely be optimized + add_filter do |f| + # system returns true if exit status is 0, which with git-check-ignore means file is ignored + system("git check-ignore --quiet #{f.filename}") + end + end +end + +shared_examples 'compile', compile: true do + it { is_expected.to compile.with_all_deps } +end + +shared_context 'a mod class, without including apache' do + let(:facts) { on_supported_os['debian-10-x86_64'] } +end + +shared_context 'Debian 10' do + let(:facts) { on_supported_os['debian-10-x86_64'] } +end + +shared_context 'Debian 11' do + let(:facts) { on_supported_os['debian-11-x86_64'] } +end + +shared_context 'Ubuntu 18.04' do + let(:facts) { on_supported_os['ubuntu-18.04-x86_64'] } +end + +shared_context 'RedHat 7' do + let(:facts) { on_supported_os['redhat-7-x86_64'] } +end + +shared_context 'RedHat 8' do + let(:facts) { on_supported_os['redhat-8-x86_64'] } +end + +shared_context 'Fedora 28' do + let :facts do + { + kernel: 'Linux', + path: '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + os: { + name: 'Fedora', + family: 'Redhat', + release: { + major: '28', + full: '28' + } + }, + identity: { + uid: 'root' + } + } + end +end + +shared_context 'FreeBSD 9' do + let :facts do + { + kernel: 'FreeBSD', + path: '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + os: { + name: 'FreeBSD', + family: 'FreeBSD', + release: { + full: '9' + } + }, + identity: { + uid: 'root' + } + } + end +end + +shared_context 'FreeBSD 10' do + let :facts do + { + kernel: 'FreeBSD', + path: '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + os: { + name: 'FreeBSD', + family: 'FreeBSD', + release: { + full: '10' + } + }, + identity: { + uid: 'root' + } + } + end +end + +shared_context 'Gentoo' do + let :facts do + { + kernel: 'Linux', + path: '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin', + os: { + name: 'Gentoo', + family: 'Gentoo', + release: { + major: '2.7', + full: '2.7' + } + }, + identity: { + uid: 'root' + } + } + end +end + +shared_context 'Darwin' do + let :facts do + { + os: { + family: 'Darwin', + name: 'Darwin', + release: { + full: '13.1.0' + } + } + } + end +end + +shared_context 'Unsupported OS' do + let :facts do + { + kernel: 'Linux', + path: '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + os: { + name: 'Magic', + family: 'Magic', + release: { + full: '0' + } + }, + identity: { + uid: 'root' + } + } + end +end + +shared_context 'SLES 12' do + let(:facts) { on_supported_os['sles-12-x86_64'] } +end + +# Override facts +# Taken from: https://github.com/voxpupuli/voxpupuli-test/blob/master/lib/voxpupuli/test/facts.rb +# +# This doesn't use deep_merge because that's highly unpredictable. It can merge +# nested hashes in place, modifying the original. It's also unable to override +# true to false. +# +# A deep copy is obtained by using Marshal so it can be modified in place. Then +# it recursively overrides values. If the result is a hash, it's recursed into. +# +# A typical example: +# +# let(:facts) do +# override_facts(super(), os: {'selinux' => {'enabled' => false}}) +# end +def override_facts(base_facts, **overrides) + facts = Marshal.load(Marshal.dump(base_facts)) + apply_overrides!(facts, overrides, false) + facts +end + +# A private helper to override_facts +def apply_overrides!(facts, overrides, enforce_strings) + overrides.each do |key, value| + # Nested facts are strings + key = key.to_s if enforce_strings + + if value.is_a?(Hash) + facts[key] = {} unless facts.key?(key) + apply_overrides!(facts[key], value, true) + else + facts[key] = value + end + end +end diff --git a/spec/spec_helper_system.rb b/spec/spec_helper_system.rb deleted file mode 100644 index 55d51145a1..0000000000 --- a/spec/spec_helper_system.rb +++ /dev/null @@ -1,28 +0,0 @@ -require 'rspec-system/spec_helper' -require 'rspec-system-puppet/helpers' -require 'rspec-system-serverspec/helpers' -include Serverspec::Helper::RSpecSystem -include Serverspec::Helper::DetectOS -include RSpecSystemPuppet::Helpers - -RSpec.configure do |c| - # Project root - proj_root = File.expand_path(File.join(File.dirname(__FILE__), '..')) - - # Enable colour - c.tty = true - - c.include RSpecSystemPuppet::Helpers - - # This is where we 'setup' the nodes before running our tests - c.before :suite do - # Install puppet - puppet_install - - # Install modules and dependencies - puppet_module_install(:source => proj_root, :module_name => 'apache') - shell('puppet module install puppetlabs-concat --version 1.0.0') - shell('puppet module install puppetlabs-stdlib --version 2.4.0') - end -end - diff --git a/spec/system/basic_spec.rb b/spec/system/basic_spec.rb deleted file mode 100644 index a87f908411..0000000000 --- a/spec/system/basic_spec.rb +++ /dev/null @@ -1,22 +0,0 @@ -require 'spec_helper_system' - -describe 'basic tests:' do - # Using puppet_apply as a subject - context puppet_apply 'notice("foo")' do - its(:stdout) { should =~ /foo/ } - its(:stderr) { should be_empty } - its(:exit_code) { should be_zero } - end -end - -describe 'disable selinux:' do - context puppet_apply ' - exec { "setenforce 0": - path => "/bin:/sbin:/usr/bin:/usr/sbin", - onlyif => "which setenforce && getenforce | grep Enforcing", - } - ' do - its(:stderr) { should be_empty } - its(:exit_code) { should_not == 1 } - end -end diff --git a/spec/system/class_spec.rb b/spec/system/class_spec.rb deleted file mode 100644 index 441331658c..0000000000 --- a/spec/system/class_spec.rb +++ /dev/null @@ -1,62 +0,0 @@ -require 'spec_helper_system' - -describe 'apache class' do - case node.facts['osfamily'] - when 'RedHat' - package_name = 'httpd' - service_name = 'httpd' - when 'Debian' - package_name = 'apache2' - service_name = 'apache2' - end - - context 'default parameters' do - # Using puppet_apply as a helper - it 'should work with no errors' do - pp = <<-EOS - class { 'apache': } - EOS - - # Run it twice and test for idempotency - puppet_apply(pp) do |r| - r.exit_code.should_not == 1 - r.refresh - r.exit_code.should be_zero - end - end - - describe package(package_name) do - it { should be_installed } - end - - describe service(service_name) do - it { should be_enabled } - it { should be_running } - end - end - - context 'custom site/mod dir parameters' do - # Using puppet_apply as a helper - it 'should work with no errors' do - pp = <<-EOS - file { '/apache': ensure => directory, } - class { 'apache': - mod_dir => '/apache/mods', - vhost_dir => '/apache/vhosts', - } - EOS - - # Run it twice and test for idempotency - puppet_apply(pp) do |r| - r.exit_code.should_not == 1 - r.refresh - r.exit_code.should be_zero - end - end - - describe service(service_name) do - it { should be_enabled } - it { should be_running } - end - end -end diff --git a/spec/system/default_mods_spec.rb b/spec/system/default_mods_spec.rb deleted file mode 100644 index 95e57e844a..0000000000 --- a/spec/system/default_mods_spec.rb +++ /dev/null @@ -1,103 +0,0 @@ -require 'spec_helper_system' - -case node.facts['osfamily'] -when 'RedHat' - servicename = 'httpd' -when 'Debian' - servicename = 'apache2' -else - raise "Unconfigured OS for apache service on #{node.facts['osfamily']}" -end - -describe 'apache::default_mods class' do - describe 'no default mods' do - # Using puppet_apply as a helper - it 'should apply with no errors' do - pp = <<-EOS - class { 'apache': - default_mods => false, - } - EOS - - # Run it twice and test for idempotency - puppet_apply(pp) do |r| - [0,2].should include(r.exit_code) - r.refresh - r.exit_code.should be_zero - end - end - - describe service(servicename) do - it { should be_running } - end - end - - describe 'no default mods and failing' do - # Using puppet_apply as a helper - it 'should apply with errors' do - pp = <<-EOS - class { 'apache': - default_mods => false, - } - apache::vhost { 'defaults.example.com': - docroot => '/var/www/defaults', - aliases => { - alias => '/css', - path => '/var/www/css', - }, - setenv => 'TEST1 one', - } - EOS - - # Run it twice and test for idempotency - puppet_apply(pp) do |r| - [4,6].should include(r.exit_code) - end - end - - describe "service #{servicename}" do - it 'should not be running' do - shell("pidof #{servicename}") do |r| - r.exit_code.should eq(1) - end - end - end - end - - describe 'alternative default mods' do - # Using puppet_apply as a helper - it 'should apply with no errors' do - pp = <<-EOS - class { 'apache': - default_mods => [ - 'info', - 'alias', - 'mime', - 'env', - 'expires', - ], - } - apache::vhost { 'defaults.example.com': - docroot => '/var/www/defaults', - aliases => { - alias => '/css', - path => '/var/www/css', - }, - setenv => 'TEST1 one', - } - EOS - - # Run it twice and test for idempotency - puppet_apply(pp) do |r| - [0,2].should include(r.exit_code) - sleep 10 # avoid race condition on centos :( - r.refresh - r.exit_code.should be_zero - end - end - - describe service(servicename) do - it { should be_running } - end - end -end diff --git a/spec/system/itk_spec.rb b/spec/system/itk_spec.rb deleted file mode 100644 index fdbabb9fe6..0000000000 --- a/spec/system/itk_spec.rb +++ /dev/null @@ -1,36 +0,0 @@ -require 'spec_helper_system' - -case node.facts['osfamily'] -when 'Debian' - service_name = 'apache2' -else - # Not implemented yet - service_name = :skip -end - -unless service_name.equal? :skip - describe 'apache::mod::itk class' do - describe 'running puppet code' do - # Using puppet_apply as a helper - it 'should work with no errors' do - pp = <<-EOS - class { 'apache': - mpm_module => 'itk', - } - EOS - - # Run it twice and test for idempotency - puppet_apply(pp) do |r| - r.exit_code.should_not == 1 - r.refresh - r.exit_code.should be_zero - end - end - end - - describe service(service_name) do - it { should be_running } - it { should be_enabled } - end - end -end diff --git a/spec/system/mod_php_spec.rb b/spec/system/mod_php_spec.rb deleted file mode 100644 index 71a806b6b9..0000000000 --- a/spec/system/mod_php_spec.rb +++ /dev/null @@ -1,48 +0,0 @@ -require 'spec_helper_system' - -describe 'apache::mod::php class' do - case node.facts['osfamily'] - when 'Debian' - mod_dir = '/etc/apache2/mods-available' - service_name = 'apache2' - when 'RedHat' - mod_dir = '/etc/httpd/conf.d' - service_name = 'httpd' - end - - context "default php config" do - it 'succeeds in puppeting php' do - puppet_apply(%{ - class { 'apache': - mpm_module => 'prefork', - } - class { 'apache::mod::php': } - apache::vhost { 'php.example.com': - port => '80', - docroot => '/var/www/php', - } - host { 'php.example.com': ip => '127.0.0.1', } - file { '/var/www/php/index.php': - ensure => file, - content => "\\n", - } - }) { |r| [0,2].should include r.exit_code} - end - - describe service(service_name) do - it { should be_enabled } - it { should be_running } - end - - describe file("#{mod_dir}/php5.conf") do - it { should contain "DirectoryIndex index.php" } - end - - it 'should answer to php.example.com' do - shell("/usr/bin/curl php.example.com:80") do |r| - r.stdout.should =~ /PHP Version/ - r.exit_code.should == 0 - end - end - end -end diff --git a/spec/system/mod_suphp_spec.rb b/spec/system/mod_suphp_spec.rb deleted file mode 100644 index 297b2d54aa..0000000000 --- a/spec/system/mod_suphp_spec.rb +++ /dev/null @@ -1,43 +0,0 @@ -require 'spec_helper_system' - -describe 'apache::mod::suphp class' do - case node.facts['osfamily'] - when 'Debian' - context "default suphp config" do - it 'succeeds in puppeting suphp' do - puppet_apply(%{ - class { 'apache': - mpm_module => 'prefork', - } - class { 'apache::mod::php': } - class { 'apache::mod::suphp': } - apache::vhost { 'suphp.example.com': - port => '80', - docroot => '/var/www/suphp', - } - host { 'suphp.example.com': ip => '127.0.0.1', } - file { '/var/www/suphp/index.php': - ensure => file, - owner => 'puppet', - group => 'puppet', - content => "\\n", - } - }) { |r| [0,2].should include r.exit_code} - end - - describe service('apache2') do - it { should be_enabled } - it { should be_running } - end - - it 'should answer to suphp.example.com' do - shell("/usr/bin/curl suphp.example.com:80") do |r| - r.stdout.should =~ /^puppet$/ - r.exit_code.should == 0 - end - end - end - when 'RedHat' - # Not implemented yet - end -end diff --git a/spec/system/prefork_worker_spec.rb b/spec/system/prefork_worker_spec.rb deleted file mode 100644 index 69e87532d9..0000000000 --- a/spec/system/prefork_worker_spec.rb +++ /dev/null @@ -1,60 +0,0 @@ -require 'spec_helper_system' - -case node.facts['osfamily'] -when 'RedHat' - servicename = 'httpd' -when 'Debian' - servicename = 'apache2' -else - raise "Unconfigured OS for apache service on #{node.facts['osfamily']}" -end - -describe 'apache::mod::worker class' do - describe 'running puppet code' do - # Using puppet_apply as a helper - it 'should work with no errors' do - pp = <<-EOS - class { 'apache': - mpm_module => 'worker', - } - EOS - - # Run it twice and test for idempotency - puppet_apply(pp) do |r| - r.exit_code.should_not == 1 - r.refresh - r.exit_code.should be_zero - end - end - end - - describe service(servicename) do - it { should be_running } - it { should be_enabled } - end -end - -describe 'apache::mod::prefork class' do - describe 'running puppet code' do - # Using puppet_apply as a helper - it 'should work with no errors' do - pp = <<-EOS - class { 'apache': - mpm_module => 'prefork', - } - EOS - - # Run it twice and test for idempotency - puppet_apply(pp) do |r| - r.exit_code.should_not == 1 - r.refresh - r.exit_code.should be_zero - end - end - end - - describe service(servicename) do - it { should be_running } - it { should be_enabled } - end -end diff --git a/spec/system/service_spec.rb b/spec/system/service_spec.rb deleted file mode 100644 index 5f76600b35..0000000000 --- a/spec/system/service_spec.rb +++ /dev/null @@ -1,22 +0,0 @@ -require 'spec_helper_system' - -describe 'apache::service class' do - describe 'adding dependencies in between the base class and service class' do - it 'should work with no errors' do - pp = <<-EOS - class { 'apache': } - file { '/tmp/test': - require => Class['apache'], - notify => Class['apache::service'], - } - EOS - - # Run it twice and test for idempotency - puppet_apply(pp) do |r| - [0,2].should include(r.exit_code) - r.refresh - r.exit_code.should be_zero - end - end - end -end diff --git a/spec/system/vhost_spec.rb b/spec/system/vhost_spec.rb deleted file mode 100644 index 72427a0176..0000000000 --- a/spec/system/vhost_spec.rb +++ /dev/null @@ -1,244 +0,0 @@ -require 'spec_helper_system' - -describe 'apache::vhost define' do - case node.facts['osfamily'] - when 'RedHat' - vhost_dir = '/etc/httpd/conf.d' - package_name = 'httpd' - service_name = 'httpd' - when 'Debian' - vhost_dir = '/etc/apache2/sites-enabled' - package_name = 'apache2' - service_name = 'apache2' - end - - context "default vhost without ssl" do - it 'should create a default vhost config' do - puppet_apply(%{ - class { 'apache': } - }) { |r| [0,2].should include r.exit_code} - end - - describe file("#{vhost_dir}/15-default.conf") do - it { should contain '' } - end - - describe file("#{vhost_dir}/15-default-ssl.conf") do - it { should_not be_file } - end - end - - context 'default vhost with ssl' do - it 'should create default vhost configs' do - puppet_apply(%{ - class { 'apache': - default_ssl_vhost => true, - } - }) { |r| [0,2].should include r.exit_code} - end - - describe file("#{vhost_dir}/15-default.conf") do - it { should contain '' } - end - - describe file("#{vhost_dir}/15-default-ssl.conf") do - it { should contain '' } - it { should contain "SSLEngine on" } - end - end - - context 'new vhost on port 80' do - it 'should configure an apache vhost' do - puppet_apply(%{ - class { 'apache': } - apache::vhost { 'first.example.com': - port => '80', - docroot => '/var/www/first', - } - }) { |r| [0,2].should include r.exit_code} - end - - describe file("#{vhost_dir}/25-first.example.com.conf") do - it { should contain '' } - it { should contain "ServerName first.example.com" } - end - end - - context 'new proxy vhost on port 80' do - it 'should configure an apache proxy vhost' do - puppet_apply(%{ - class { 'apache': } - apache::vhost { 'proxy.example.com': - port => '80', - docroot => '/var/www/proxy', - proxy_pass => [ - { 'path' => '/foo', 'url' => 'http://backend-foo/'}, - ], - } - }) { |r| [0,2].should include r.exit_code} - end - - describe file("#{vhost_dir}/25-proxy.example.com.conf") do - it { should contain '' } - it { should contain "ServerName proxy.example.com" } - it { should contain "ProxyPass" } - it { should_not contain "" } - end - end - - context 'new vhost on port 80' do - it 'should configure two apache vhosts' do - puppet_apply(%{ - class { 'apache': } - apache::vhost { 'first.example.com': - port => '80', - docroot => '/var/www/first', - } - host { 'first.example.com': ip => '127.0.0.1', } - file { '/var/www/first/index.html': - ensure => file, - content => "Hello from first\\n", - } - apache::vhost { 'second.example.com': - port => '80', - docroot => '/var/www/second', - } - host { 'second.example.com': ip => '127.0.0.1', } - file { '/var/www/second/index.html': - ensure => file, - content => "Hello from second\\n", - } - }) { |r| [0,2].should include r.exit_code} - end - - describe service(service_name) do - it { should be_enabled } - it { should be_running } - end - - it 'should answer to first.example.com' do - shell("/usr/bin/curl first.example.com:80") do |r| - r.stdout.should == "Hello from first\n" - r.exit_code.should == 0 - end - end - - it 'should answer to second.example.com' do - shell("/usr/bin/curl second.example.com:80") do |r| - r.stdout.should == "Hello from second\n" - r.exit_code.should == 0 - end - end - end - - context 'apache_directories readme example, adapted' do - it 'should configure a vhost with Files' do - puppet_apply(%{ - class { 'apache': } - apache::vhost { 'files.example.net': - docroot => '/var/www/files', - directories => [ - { path => '~ (\.swp|\.bak|~)$', 'provider' => 'files', 'deny' => 'from all' }, - ], - } - file { '/var/www/files/index.html.bak': - ensure => file, - content => "Hello World\\n", - } - host { 'files.example.net': ip => '127.0.0.1', } - }) { |r| [0,2].should include r.exit_code} - end - - describe service(service_name) do - it { should be_enabled } - it { should be_running } - end - - it 'should answer to files.example.net' do - shell("/usr/bin/curl -sSf files.example.net:80/index.html.bak") do |r| - r.stderr.should =~ /curl: \(22\) The requested URL returned error: 403/ - r.exit_code.should == 22 - end - end - - end - - case node.facts['lsbdistcodename'] - when 'precise', 'wheezy' - context 'vhost fallbackresouce example' do - it 'should configure a vhost with Fallbackresource' do - puppet_apply(%{ - class { 'apache': } - apache::vhost { 'fallback.example.net': - docroot => '/var/www/fallback', - fallbackresource => '/index.html' - } - file { '/var/www/fallback/index.html': - ensure => file, - content => "Hello World\\n", - } - host { 'fallback.example.net': ip => '127.0.0.1', } - }) { |r| [0,2].should include r.exit_code} - end - - describe service(service_name) do - it { should be_enabled } - it { should be_running } - end - - it 'should answer to fallback.example.net' do - shell("/usr/bin/curl fallback.example.net:80/Does/Not/Exist") do |r| - r.stdout.should == "Hello World\n" - r.exit_code.should == 0 - end - end - - end - else - # The current stable RHEL release (6.4) comes with Apache httpd 2.2.15 - # That was released March 6, 2010. - # FallbackResource was backported to 2.2.16, and released July 25, 2010. - # Ubuntu Lucid (10.04) comes with apache2 2.2.14, released October 3, 2009. - # https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/STATUS - end - - context 'virtual_docroot hosting separate sites' do - it 'should configure a vhost with VirtualDocumentRoot' do - puppet_apply(%{ - class { 'apache': } - apache::vhost { 'virt.example.com': - vhost_name => '*', - serveraliases => '*virt.example.com', - port => '80', - docroot => '/var/www/virt', - virtual_docroot => '/var/www/virt/%1', - } - host { 'virt.example.com': ip => '127.0.0.1', } - host { 'a.virt.example.com': ip => '127.0.0.1', } - host { 'b.virt.example.com': ip => '127.0.0.1', } - file { [ '/var/www/virt/a', '/var/www/virt/b', ]: ensure => directory, } - file { '/var/www/virt/a/index.html': ensure => file, content => "Hello from a.virt\\n", } - file { '/var/www/virt/b/index.html': ensure => file, content => "Hello from b.virt\\n", } - }) { |r| [0,2].should include r.exit_code} - end - - describe service(service_name) do - it { should be_enabled } - it { should be_running } - end - - it 'should answer to a.virt.example.com' do - shell("/usr/bin/curl a.virt.example.com:80") do |r| - r.stdout.should == "Hello from a.virt\n" - r.exit_code.should == 0 - end - end - - it 'should answer to b.virt.example.com' do - shell("/usr/bin/curl b.virt.example.com:80") do |r| - r.stdout.should == "Hello from b.virt\n" - r.exit_code.should == 0 - end - end - end -end diff --git a/spec/type_aliases/loglevel_spec.rb b/spec/type_aliases/loglevel_spec.rb new file mode 100644 index 0000000000..0580094219 --- /dev/null +++ b/spec/type_aliases/loglevel_spec.rb @@ -0,0 +1,28 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'Apache::LogLevel' do + [ + 'info', + 'warn ssl:info', + 'warn mod_ssl.c:info', + 'warn mod_ssl.c:info', + 'warn ssl_module:info', + 'trace4', + 'ssl:info', + ].each do |allowed_value| + it { is_expected.to allow_value(allowed_value) } + end + + [ + 'garbage', + '', + [], + ['info'], + 'thisiswarning', + 'errorerror', + ].each do |invalid_value| + it { is_expected.not_to allow_value(invalid_value) } + end +end diff --git a/spec/type_aliases/modproxy_spec.rb b/spec/type_aliases/modproxy_spec.rb new file mode 100644 index 0000000000..ab7c1bcf1a --- /dev/null +++ b/spec/type_aliases/modproxy_spec.rb @@ -0,0 +1,22 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'Apache::ModProxyProtocol' do + [ + 'ajp://www.example.com', + 'fcgi://www.example.com', + 'ftp://www.example.com', + 'h2://www.example.com', + 'h2c://www.example.com', + 'http://www.example.com', + 'https://www.example.com', + 'scgi://www.example.com', + 'uwsgi://www.example.com', + 'ws://www.example.com', + 'wss://www.example.com', + 'unix:/path/to/unix.socket', + ].each do |allowed_value| + it { is_expected.to allow_value(allowed_value) } + end +end diff --git a/spec/type_aliases/vhost_priority_spec.rb b/spec/type_aliases/vhost_priority_spec.rb new file mode 100644 index 0000000000..fba8cebdfb --- /dev/null +++ b/spec/type_aliases/vhost_priority_spec.rb @@ -0,0 +1,23 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'Apache::Vhost::Priority' do + # Pattern + it { is_expected.to allow_value('10') } + it { is_expected.to allow_value('010') } + it { is_expected.not_to allow_value('') } + it { is_expected.not_to allow_value('a') } + it { is_expected.not_to allow_value('a1') } + it { is_expected.not_to allow_value('1a') } + + # Integer + it { is_expected.to allow_value(0) } + it { is_expected.to allow_value(1) } + + # Boolean + it { is_expected.to allow_value(true) } # Technically an illegal value + it { is_expected.to allow_value(false) } + + it { is_expected.not_to allow_value(nil) } +end diff --git a/spec/unit/provider/a2mod/gentoo_spec.rb b/spec/unit/provider/a2mod/gentoo_spec.rb deleted file mode 100644 index ddb9dddda4..0000000000 --- a/spec/unit/provider/a2mod/gentoo_spec.rb +++ /dev/null @@ -1,184 +0,0 @@ -#!/usr/bin/env rspec - -require 'spec_helper' - -provider_class = Puppet::Type.type(:a2mod).provider(:gentoo) - -describe provider_class do - before :each do - provider_class.clear - end - - [:conf_file, :instances, :modules, :initvars, :conf_file, :clear].each do |method| - it "should respond to the class method #{method}" do - provider_class.should respond_to(method) - end - end - - describe "when fetching modules" do - before do - @filetype = mock() - end - - it "should return a sorted array of the defined parameters" do - @filetype.expects(:read).returns(%Q{APACHE2_OPTS="-D FOO -D BAR -D BAZ"\n}) - provider_class.expects(:filetype).returns(@filetype) - - provider_class.modules.should == %w{bar baz foo} - end - - it "should cache the module list" do - @filetype.expects(:read).once.returns(%Q{APACHE2_OPTS="-D FOO -D BAR -D BAZ"\n}) - provider_class.expects(:filetype).once.returns(@filetype) - - 2.times { provider_class.modules.should == %w{bar baz foo} } - end - - it "should normalize parameters" do - @filetype.expects(:read).returns(%Q{APACHE2_OPTS="-D FOO -D BAR -D BAR"\n}) - provider_class.expects(:filetype).returns(@filetype) - - provider_class.modules.should == %w{bar foo} - end - end - - describe "when prefetching" do - it "should match providers to resources" do - provider = mock("ssl_provider", :name => "ssl") - resource = mock("ssl_resource") - resource.expects(:provider=).with(provider) - - provider_class.expects(:instances).returns([provider]) - provider_class.prefetch("ssl" => resource) - end - end - - describe "when flushing" do - before :each do - @filetype = mock() - @filetype.stubs(:backup) - provider_class.expects(:filetype).at_least_once.returns(@filetype) - - @info = mock() - @info.stubs(:[]).with(:name).returns("info") - @info.stubs(:provider=) - - @mpm = mock() - @mpm.stubs(:[]).with(:name).returns("mpm") - @mpm.stubs(:provider=) - - @ssl = mock() - @ssl.stubs(:[]).with(:name).returns("ssl") - @ssl.stubs(:provider=) - end - - it "should add modules whose ensure is present" do - @filetype.expects(:read).at_least_once.returns(%Q{APACHE2_OPTS=""}) - @filetype.expects(:write).with(%Q{APACHE2_OPTS="-D INFO"}) - - @info.stubs(:should).with(:ensure).returns(:present) - provider_class.prefetch("info" => @info) - - provider_class.flush - end - - it "should remove modules whose ensure is present" do - @filetype.expects(:read).at_least_once.returns(%Q{APACHE2_OPTS="-D INFO"}) - @filetype.expects(:write).with(%Q{APACHE2_OPTS=""}) - - @info.stubs(:should).with(:ensure).returns(:absent) - @info.stubs(:provider=) - provider_class.prefetch("info" => @info) - - provider_class.flush - end - - it "should not modify providers without resources" do - @filetype.expects(:read).at_least_once.returns(%Q{APACHE2_OPTS="-D INFO -D MPM"}) - @filetype.expects(:write).with(%Q{APACHE2_OPTS="-D MPM -D SSL"}) - - @info.stubs(:should).with(:ensure).returns(:absent) - provider_class.prefetch("info" => @info) - - @ssl.stubs(:should).with(:ensure).returns(:present) - provider_class.prefetch("ssl" => @ssl) - - provider_class.flush - end - - it "should write the modules in sorted order" do - @filetype.expects(:read).at_least_once.returns(%Q{APACHE2_OPTS=""}) - @filetype.expects(:write).with(%Q{APACHE2_OPTS="-D INFO -D MPM -D SSL"}) - - @mpm.stubs(:should).with(:ensure).returns(:present) - provider_class.prefetch("mpm" => @mpm) - @info.stubs(:should).with(:ensure).returns(:present) - provider_class.prefetch("info" => @info) - @ssl.stubs(:should).with(:ensure).returns(:present) - provider_class.prefetch("ssl" => @ssl) - - provider_class.flush - end - - it "should write the records back once" do - @filetype.expects(:read).at_least_once.returns(%Q{APACHE2_OPTS=""}) - @filetype.expects(:write).once.with(%Q{APACHE2_OPTS="-D INFO -D SSL"}) - - @info.stubs(:should).with(:ensure).returns(:present) - provider_class.prefetch("info" => @info) - - @ssl.stubs(:should).with(:ensure).returns(:present) - provider_class.prefetch("ssl" => @ssl) - - provider_class.flush - end - - it "should only modify the line containing APACHE2_OPTS" do - @filetype.expects(:read).at_least_once.returns(%Q{# Comment\nAPACHE2_OPTS=""\n# Another comment}) - @filetype.expects(:write).once.with(%Q{# Comment\nAPACHE2_OPTS="-D INFO"\n# Another comment}) - - @info.stubs(:should).with(:ensure).returns(:present) - provider_class.prefetch("info" => @info) - provider_class.flush - end - - it "should restore any arbitrary arguments" do - @filetype.expects(:read).at_least_once.returns(%Q{APACHE2_OPTS="-Y -D MPM -X"}) - @filetype.expects(:write).once.with(%Q{APACHE2_OPTS="-Y -X -D INFO -D MPM"}) - - @info.stubs(:should).with(:ensure).returns(:present) - provider_class.prefetch("info" => @info) - provider_class.flush - end - - it "should backup the file once if changes were made" do - @filetype.expects(:read).at_least_once.returns(%Q{APACHE2_OPTS=""}) - @filetype.expects(:write).once.with(%Q{APACHE2_OPTS="-D INFO -D SSL"}) - - @info.stubs(:should).with(:ensure).returns(:present) - provider_class.prefetch("info" => @info) - - @ssl.stubs(:should).with(:ensure).returns(:present) - provider_class.prefetch("ssl" => @ssl) - - @filetype.unstub(:backup) - @filetype.expects(:backup) - provider_class.flush - end - - it "should not write the file or run backups if no changes were made" do - @filetype.expects(:read).at_least_once.returns(%Q{APACHE2_OPTS="-X -D INFO -D SSL -Y"}) - @filetype.expects(:write).never - - @info.stubs(:should).with(:ensure).returns(:present) - provider_class.prefetch("info" => @info) - - @ssl.stubs(:should).with(:ensure).returns(:present) - provider_class.prefetch("ssl" => @ssl) - - @filetype.unstub(:backup) - @filetype.expects(:backup).never - provider_class.flush - end - end -end diff --git a/spec/util/_resources/test_metadata_json.rb b/spec/util/_resources/test_metadata_json.rb new file mode 100644 index 0000000000..c79deec08b --- /dev/null +++ b/spec/util/_resources/test_metadata_json.rb @@ -0,0 +1,88 @@ +# frozen_string_literal: true + +METADATA_JSON = '{ + "name": "puppetlabs-apache", + "version": "5.4.0", + "author": "puppetlabs", + "summary": "Installs, configures, and manages Apache virtual hosts, web services, and modules.", + "license": "Apache-2.0", + "source": "https://github.com/puppetlabs/puppetlabs-apache", + "project_page": "https://github.com/puppetlabs/puppetlabs-apache", + "issues_url": "https://github.com/puppetlabs/puppetlabs-apache/issues", + "dependencies": [ + { + "name": "puppetlabs/stdlib", + "version_requirement": ">= 4.13.1 < 7.0.0" + }, + { + "name": "puppetlabs/concat", + "version_requirement": ">= 2.2.1 < 7.0.0" + } + ], + "operatingsystem_support": [ + { + "operatingsystem": "RedHat", + "operatingsystemrelease": [ + "6", + "7", + "8" + ] + }, + { + "operatingsystem": "CentOS", + "operatingsystemrelease": [ + "6", + "7", + "8" + ] + }, + { + "operatingsystem": "OracleLinux", + "operatingsystemrelease": [ + "6", + "7" + ] + }, + { + "operatingsystem": "Scientific", + "operatingsystemrelease": [ + "6", + "7" + ] + }, + { + "operatingsystem": "Debian", + "operatingsystemrelease": [ + "8", + "9", + "10" + ] + }, + { + "operatingsystem": "SLES", + "operatingsystemrelease": [ + "11 SP1", + "12", + "15" + ] + }, + { + "operatingsystem": "Ubuntu", + "operatingsystemrelease": [ + "14.04", + "16.04", + "18.04" + ] + } + ], + "requirements": [ + { + "name": "puppet", + "version_requirement": ">= 5.5.10 < 7.0.0" + } + ], + "description": "Module for Apache configuration", + "pdk-version": "1.17.0", + "template-url": "https://github.com/puppetlabs/pdk-templates#main", + "template-ref": "heads/main-0-g095317c" +}' diff --git a/spec/util/apache_mod_platform_compatibility_spec.rb b/spec/util/apache_mod_platform_compatibility_spec.rb new file mode 100644 index 0000000000..91220c46c3 --- /dev/null +++ b/spec/util/apache_mod_platform_compatibility_spec.rb @@ -0,0 +1,196 @@ +# frozen_string_literal: true + +require 'rspec' +require 'rspec-puppet-facts' +require_relative '../../util/apache_mod_platform_support' +require_relative '_resources/test_metadata_json' + +describe ApacheModPlatformCompatibility do + foobar_pp = 'foobar.pp' + foobar_mod = 'apache::mod::foobar' + foobar_class = "class #{foobar_mod}" + foobar_linux = 'foobar_linux' + + expected_compatible_platform_versions = { + 'redhat' => [7, 8], + 'centos' => [7, 8], + 'oraclelinux' => [7], + 'scientific' => [7], + 'debian' => [8, 9, 10], + 'sles' => [11, 12, 15], + 'ubuntu' => [14, 16, 18] + } + + context 'when initialized' do + describe '#process_line' do + ampc = described_class.new + it 'returns an empty hash when given garbage line' do + expect(ampc.process_line('foobar')).to eq({}) + end + + it 'returns a hash with type: :unsupported_platform_declaration and extracted value' do + expect(ampc.process_line('# @note Unsupported platforms: foobar')).to eq(type: :unsupported_platform_declaration, value: 'foobar') + end + + it 'returns a hash with type: :class_declaration and extracted value' do + expect(ampc.process_line(foobar_class)).to eq(type: :class_declaration, value: foobar_mod) + end + end + + describe '#extract_os_ver_pairs' do + ampc = described_class.new + it 'handles single OS with single Version' do + expect(ampc.extract_os_ver_pairs('Debian: 5')).to eq('debian' => [5]) + end + + it 'handles single OS with multiple Versions' do + expect(ampc.extract_os_ver_pairs('Debian: 5, 6, 7')).to eq('debian' => [5, 6, 7]) + end + + it 'handles multiple OSs with multiple Versions' do + expect(ampc.extract_os_ver_pairs('Debian: 5, 6, 7; CentOS: 5,6,7')).to eq('debian' => [5, 6, 7], 'centos' => [5, 6, 7]) + end + + it 'handles Versions in \d+\.\d+ format' do + expect(ampc.extract_os_ver_pairs('Ubuntu: 18.04, 20.04')).to eq('ubuntu' => [18, 20]) + end + + it 'handles Versions with "SP"' do + expect(ampc.extract_os_ver_pairs('SLES: 11 SP1, 12')).to eq('sles' => [11, 12]) + end + + it 'returns an empty Hash when given data in an entirely invalid format' do + expect(ampc.extract_os_ver_pairs('foobar')).to eq({}) + end + + it 'returns an empty Hash when given data with incorrect OS/Version group separator' do + expect(ampc.extract_os_ver_pairs('Ubuntu#18.04, 20.04')).to eq({}) + end + + it 'returns an empty Hash when given data with incorrect OS + Version separator' do + expect(ampc.extract_os_ver_pairs('CentOS:7,8#Debian:10,11')).to eq({}) + end + + it 'returns an empty Hash when given data with incorrect Version separator' do + expect(ampc.extract_os_ver_pairs('CentOS:5@6')).to eq({}) + end + end + + describe '#register_unsupported_platforms' do + ampc = described_class.new + it 'registers a valid unsupported platform' do + ampc.register_running_platform(family: 'debian', release: '8.11', arch: 'x86_64') + expect(ampc).to receive(:valid_os?).with('debian').and_return(true) + ampc.register_unsupported_platforms(foobar_pp, 1, foobar_mod, 'debian' => [8]) + expect(ampc.mod_supported_on_platform?(foobar_mod)).to be(false) + end + + it 'registers multiple valid unsupported platforms' do + expect(ampc).to receive(:valid_os?).with('debian').and_return(true) + expect(ampc).to receive(:valid_os?).with('ubuntu').and_return(true) + ampc.register_unsupported_platforms(foobar_pp, 1, foobar_mod, 'debian' => [8]) + ampc.register_unsupported_platforms(foobar_pp, 1, foobar_mod, 'ubuntu' => [14]) + ampc.register_running_platform(family: 'debian', release: '8.11', arch: 'x86_64') + expect(ampc.mod_supported_on_platform?(foobar_mod)).to be(false) + ampc.register_running_platform(family: 'ubuntu', release: '14.04', arch: 'x86_64') + expect(ampc.mod_supported_on_platform?(foobar_mod)).to be(false) + end + + it 'registers an :os_parse error when given an invalid platform' do + expect(ampc).to receive(:valid_os?).with(foobar_linux).and_return(false) + expect(ampc).to receive(:register_error).with(foobar_pp, 1, :os_parse, foobar_linux) + ampc.register_unsupported_platforms(foobar_pp, 1, foobar_mod, foobar_linux => [1]) + ampc.register_running_platform(family: 'debian', release: '8.11', arch: 'x86_64') + end + end + + describe '#generate_supported_platforms_versions' do + ampc = described_class.new + + before(:each) do + allow(File).to receive(:read).and_call_original + allow(File).to receive(:read).with('../../metadata.json').and_return(METADATA_JSON) + ampc.generate_supported_platforms_versions + ampc.register_unsupported_platforms(foobar_pp, 1, foobar_mod, foobar_linux => [1]) + end + + context 'after parsing the metadata.json' do + expected_compatible_platform_versions.each do |os, vers| + vers.each do |ver| + it "states #{os} version #{ver} IS a compatible platform" do + ampc.register_running_platform(family: os, version: ver) + expect(ampc.mod_supported_on_platform?(foobar_mod)).to be(true) + end + end + end + end + end + + describe '#mod_unsupported_on_platform' do + ampc = described_class.new + before(:each) do + allow(File).to receive(:read).and_call_original + allow(File).to receive(:read).with('../../metadata.json').and_return(METADATA_JSON) + ampc = described_class.new + ampc.generate_supported_platforms_versions + end + + ubuntu_14_04_os = { family: 'ubuntu', release: '14.04' } + + it 'returns false when running on an OS with all versions incompatible' do + ampc.register_running_platform(ubuntu_14_04_os) + ampc.register_unsupported_platforms(foobar_pp, 1, foobar_mod, 'ubuntu' => [0]) + expect(ampc.mod_supported_on_platform?(foobar_mod)).to be(false) + end + + it 'returns false when running on an OS with one specific version incompatible' do + ampc.register_running_platform(ubuntu_14_04_os) + ampc.register_unsupported_platforms(foobar_pp, 1, foobar_mod, 'ubuntu' => [14]) + expect(ampc.mod_supported_on_platform?(foobar_mod)).to be(false) + end + + it 'returns true when running on an OS with no versions marked as incompatible' do + ampc.register_running_platform(ubuntu_14_04_os) + ampc.register_unsupported_platforms(foobar_pp, 1, foobar_mod, 'debian' => [6, 7]) + expect(ampc.mod_supported_on_platform?(foobar_mod)).to be(true) + end + + it 'returns true when running on an OS version not marked as incompatible' do + ampc.register_running_platform(ubuntu_14_04_os) + ampc.register_unsupported_platforms(foobar_pp, 1, foobar_mod, 'ubuntu' => [16, 18]) + expect(ampc.mod_supported_on_platform?(foobar_mod)).to be(true) + end + end + + describe '#print_parsing_errors' do + ampc = described_class.new + abc_pp = 'abc.pp' + abc_pp_error_line = 1 + abc_pp_error_type = :tag_parse + abc_pp_error_type_msg = 'OS and version information in incorrect format:' + abc_pp_error_detail = 'Bad line' + def_pp = 'def.pp' + def_pp_error_line = 2 + def_pp_error_type = :os_parse + def_pp_error_type_msg = 'OS name is not present in metadata.json:' + def_pp_error_detail = foobar_linux + + tag_format_help_msg_txt = ['succint', 'warning'] + + expected_stderr_msg = "The following errors were encountered when trying to parse the 'Unsupported platforms' tag(s) in 'manifests/mod':\n " \ + "* #{abc_pp} (line #{abc_pp_error_line}): #{abc_pp_error_type_msg} #{abc_pp_error_detail}\n " \ + "* #{def_pp} (line #{def_pp_error_line}): #{def_pp_error_type_msg} #{def_pp_error_detail}\n" \ + "#{tag_format_help_msg_txt[0]}\n" \ + "#{tag_format_help_msg_txt[1]}\n" + + context 'given a number of errors were discovered when parsing the manifests' do + ampc.register_error(abc_pp, abc_pp_error_line, abc_pp_error_type, abc_pp_error_detail) + ampc.register_error(def_pp, def_pp_error_line, def_pp_error_type, def_pp_error_detail) + it 'prints the expected warnings to $stderr' do + allow(File).to receive(:readlines).with('util/_resources/tag_format_help_msg.txt').and_return(tag_format_help_msg_txt) + expect { ampc.print_parsing_errors }.to output(expected_stderr_msg).to_stderr + end + end + end + end +end diff --git a/tasks/init.json b/tasks/init.json new file mode 100644 index 0000000000..3822ed643c --- /dev/null +++ b/tasks/init.json @@ -0,0 +1,14 @@ +{ + "description": "Allows you to perform apache service functions", + "input_method": "stdin", + "parameters": { + "action": { + "description": "Action to perform ", + "type": "Enum[reload]" + }, + "service_name": { + "description": "The name of the apache service ", + "type": "Optional[String[1]]" + } + } +} diff --git a/tasks/init.rb b/tasks/init.rb new file mode 100755 index 0000000000..caf5b58843 --- /dev/null +++ b/tasks/init.rb @@ -0,0 +1,37 @@ +#!/opt/puppetlabs/puppet/bin/ruby +# frozen_string_literal: true + +require 'json' +require 'open3' +require 'puppet' + +def service(action, service_name) + if service_name.nil? + stdout, _stderr, _status = Open3.capture3('facter', '-p', 'osfamily') + osfamily = stdout.strip + service_name = if osfamily == 'RedHat' + 'httpd' + elsif osfamily == 'FreeBSD' + 'apache24' + else + 'apache2' + end + end + _stdout, stderr, status = Open3.capture3('service', service_name, action) + raise Puppet::Error, stderr if status != 0 + + { status: "#{action} successful" } +end + +params = JSON.parse($stdin.read) +action = params['action'] +service_name = params['service_name'] + +begin + result = service(action, service_name) + puts result.to_json + exit 0 +rescue Puppet::Error => e + puts({ status: 'failure', error: e.message }.to_json) + exit 1 +end diff --git a/templates/confd/no-accf.conf.epp b/templates/confd/no-accf.conf.epp new file mode 100644 index 0000000000..10e51644ce --- /dev/null +++ b/templates/confd/no-accf.conf.epp @@ -0,0 +1,4 @@ + + AcceptFilter http none + AcceptFilter https none + diff --git a/templates/fastcgi/server.epp b/templates/fastcgi/server.epp new file mode 100644 index 0000000000..50bd052a2f --- /dev/null +++ b/templates/fastcgi/server.epp @@ -0,0 +1,24 @@ +<% + $timeout_updated = " -idle-timeout #{$timeout}" + + if $flush { + $flush_updated = " -flush" + } else { + $flush_updated = "" + } + if $socket { + $host_or_socket = " -socket #{$socket}" + } else { + $host_or_socket = " -host #{$host}" + } + if $pass_header and !$pass_header.empty { + $pass_header_updated = " -pass-header #{$pass_header}" + } else { + $pass_header_updated = "" + } + + $options = $timeout_updated + $flush_updated + $host_or_socket + $pass_header_updated +-%> +FastCGIExternalServer <%= $faux_path %><%= $options %> +Alias <%= $fcgi_alias %> <%= $faux_path %> +Action <%= $file_type %> <%= $fcgi_alias %> diff --git a/templates/fastcgi/server.erb b/templates/fastcgi/server.erb new file mode 100644 index 0000000000..bae56d48ef --- /dev/null +++ b/templates/fastcgi/server.erb @@ -0,0 +1,22 @@ +<% + timeout = " -idle-timeout #{@timeout}" + flush = "" + if @flush + flush = " -flush" + end + if @socket + host_or_socket = " -socket #{@socket}" + else + host_or_socket = " -host #{@host}" + end + + pass_header = "" + if @pass_header and ! @pass_header.empty? + pass_header = " -pass-header #{@pass_header}" + end + + options = timeout + flush + host_or_socket + pass_header +-%> +FastCGIExternalServer <%= @faux_path %><%= options %> +Alias <%= @fcgi_alias %> <%= @faux_path %> +Action <%= @file_type %> <%= @fcgi_alias %> diff --git a/templates/httpd.conf.epp b/templates/httpd.conf.epp new file mode 100644 index 0000000000..53d7e8ab2c --- /dev/null +++ b/templates/httpd.conf.epp @@ -0,0 +1,151 @@ +# Security +ServerTokens <%= $server_tokens %> +ServerSignature <%= apache::bool2httpd($server_signature) %> +TraceEnable <%= apache::bool2httpd($trace_enable) %> + +ServerName "<%= $servername %>" +ServerRoot "<%= $server_root %>" +<%- if $serveradmin { -%> +ServerAdmin <%= $serveradmin %> +<%- } -%> +PidFile <%= $pidfile %> +Timeout <%= $timeout %> +KeepAlive <%= $keepalive %> +MaxKeepAliveRequests <%= $max_keepalive_requests %> +KeepAliveTimeout <%= $keepalive_timeout %> +LimitRequestFieldSize <%= $limitreqfieldsize %> +LimitRequestFields <%= $limitreqfields %> +<% if $limitreqline { -%> +LimitRequestLine <%= $limitreqline %> +<% } -%> +<%- if $http_protocol_options { -%> +HttpProtocolOptions <%= $http_protocol_options %> +<%- } -%> + +<%- unless $protocols.empty { -%> +Protocols <%= $protocols.join(' ') %> +<%- } -%> +<%- if $protocols_honor_order { -%> +ProtocolsHonorOrder <%= apache::bool2httpd($protocols_honor_order) %> +<%- } -%> + +User <%= $user %> +Group <%= $group %> + +AccessFileName .htaccess + + Require all denied + + + + Options <%= Array($root_directory_options).join(' ') %> + AllowOverride None +<%- if $root_directory_secured { -%> + Require all denied +<%- } -%> + + +<% if $default_charset { -%> +AddDefaultCharset <%= $default_charset %> +<% } -%> + +HostnameLookups <%= $hostname_lookups %> +<%- if $error_log.match(/^[|\/]/) or $error_log.match(/^syslog:/) { -%> +ErrorLog "<%= $error_log %>" +<%- }else { -%> +ErrorLog "<%= $logroot %>/<%= $error_log %>" +<% } -%> +LogLevel <%= $log_level %> +EnableSendfile <%= $sendfile %> +<%- if $allow_encoded_slashes { -%> +AllowEncodedSlashes <%= $allow_encoded_slashes %> +<%- } -%> +<%- if $file_e_tag { -%> +FileETag <%= $file_e_tag %> +<%- } -%> +<%- if $use_canonical_name { -%> +UseCanonicalName <%= $use_canonical_name %> +<%- } -%> + +#Listen 80 + +<% if $apxs_workaround { -%> +# Workaround: without this hack apxs would be confused about where to put +# LoadModule directives and fail entire procedure of apache package +# installation/reinstallation. This problem was observed on FreeBSD (apache22). +#LoadModule fake_module libexec/apache22/mod_fake.so +<% } -%> + +Include "<%= $mod_load_dir %>/*.load" +<% if $mod_load_dir != $confd_dir and $mod_load_dir != $vhost_load_dir { -%> +Include "<%= $mod_load_dir %>/*.conf" +<% } -%> +Include "<%= $ports_file %>" + +<% unless $log_formats['combined'] { -%> +LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined +<% } -%> +<% unless $log_formats['common'] { -%> +LogFormat "%a %l %u %t \"%r\" %>s %b" common +<% } -%> +<% unless $log_formats['referer'] { -%> +LogFormat "%{Referer}i -> %U" referer +<% } -%> +<% unless $log_formats['agent'] { -%> +LogFormat "%{User-agent}i" agent +<% } -%> +<% unless $log_formats['forwarded'] { -%> +LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-agent}i\"" forwarded +<% } -%> +<% if $log_formats and !$log_formats.empty { -%> + <%- $log_formats.convert_to(Array).sort.each |$values| { -%> +LogFormat "<%= $values[1] -%>" <%= $values[0] %> + <%- } -%> +<% } -%> + +<%- if $conf_enabled { -%> +IncludeOptional "<%= $conf_enabled %>/*.conf" +<%- } -%> +IncludeOptional "<%= $confd_dir %>/*.conf" +<% if $vhost_load_dir != $confd_dir { -%> +IncludeOptional "<%= $vhost_load_dir %>/<%= $vhost_include_pattern %>" +<% } -%> +<% if $ldap_verify_server_cert { -%> +LDAPVerifyServerCert <%= $ldap_verify_server_cert %> +<% } -%> +<% if $ldap_trusted_mode { -%> +LDAPTrustedMode <%= $ldap_trusted_mode %> +<% } -%> + +<% if $error_documents { -%> +# /usr/share/apache2/error on debian +Alias /error/ "<%=$error_documents_path %>/" + +"> + AllowOverride None + Options IncludesNoExec + AddOutputFilter Includes html + AddHandler type-map var + Require all granted + LanguagePriority en cs de es fr it nl sv pt-br ro + ForceLanguagePriority Prefer Fallback + + +ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var +ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var +ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var +ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var +ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var +ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var +ErrorDocument 410 /error/HTTP_GONE.html.var +ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var +ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var +ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var +ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var +ErrorDocument 415 /error/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var +ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var +ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var +ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var +ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var +ErrorDocument 506 /error/HTTP_VARIANT_ALSO_VARIES.html.var +<% } -%> diff --git a/templates/httpd.conf.erb b/templates/httpd.conf.erb deleted file mode 100644 index 0345f1cf4c..0000000000 --- a/templates/httpd.conf.erb +++ /dev/null @@ -1,84 +0,0 @@ -# Security -ServerTokens <%= @server_tokens %> -ServerSignature <%= @server_signature %> -TraceEnable Off - -ServerName "<%= @servername %>" -ServerRoot "<%= @httpd_dir %>" -PidFile <%= @pidfile %> -Timeout <%= @timeout %> -KeepAlive <%= @keepalive %> -MaxKeepAliveRequests 100 -KeepAliveTimeout <%= @keepalive_timeout %> - -User <%= @user %> -Group <%= @group %> - -AccessFileName .htaccess - - Order allow,deny - Deny from all - Satisfy all - - - - Options FollowSymLinks - AllowOverride None - - -DefaultType none -HostnameLookups Off -ErrorLog <%= @logroot %>/<%= @error_log %> -LogLevel warn -EnableSendfile <%= @sendfile %> - -#Listen 80 -Include <%= @mod_load_dir %>/*.load -<% if @mod_load_dir != @confd_dir and @mod_load_dir != @vhost_load_dir -%> -Include <%= @mod_load_dir %>/*.conf -<% end -%> -Include <%= @ports_file %> - -LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined -LogFormat "%h %l %u %t \"%r\" %>s %b" common -LogFormat "%{Referer}i -> %U" referer -LogFormat "%{User-agent}i" agent - -Include <%= @confd_dir %>/*.conf -<% if @vhost_load_dir != @confd_dir -%> -Include <%= @vhost_load_dir %>/*.conf -<% end -%> - -<% if @error_documents -%> -# /usr/share/apache2/error on debian -Alias /error/ "<%= @error_documents_path %>/" - -"> - AllowOverride None - Options IncludesNoExec - AddOutputFilter Includes html - AddHandler type-map var - Order allow,deny - Allow from all - LanguagePriority en cs de es fr it nl sv pt-br ro - ForceLanguagePriority Prefer Fallback - - -ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var -ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var -ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var -ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var -ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var -ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var -ErrorDocument 410 /error/HTTP_GONE.html.var -ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var -ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var -ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var -ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var -ErrorDocument 415 /error/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var -ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var -ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var -ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var -ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var -ErrorDocument 506 /error/HTTP_VARIANT_ALSO_VARIES.html.var -<% end -%> diff --git a/templates/listen.erb b/templates/listen.epp similarity index 73% rename from templates/listen.erb rename to templates/listen.epp index 8fc871b0ad..5b9035ae7e 100644 --- a/templates/listen.erb +++ b/templates/listen.epp @@ -3,4 +3,4 @@ - : - [ -%> -Listen <%= @listen_addr_port %> +Listen <%= $listen_addr_port %> diff --git a/templates/mod/_allow.epp b/templates/mod/_allow.epp new file mode 100644 index 0000000000..136ac41791 --- /dev/null +++ b/templates/mod/_allow.epp @@ -0,0 +1,7 @@ + Order deny,allow + Deny from all +<% if $allow_from and !$allow_from.empty { -%> + Allow from <%= Array($allow_from).join(" ") %> +<% } else { -%> + Allow from <%= Array($allow_defaults).join(" ") %> +<% } -%> diff --git a/templates/mod/_require.epp b/templates/mod/_require.epp new file mode 100644 index 0000000000..88443db572 --- /dev/null +++ b/templates/mod/_require.epp @@ -0,0 +1,33 @@ +<% $_requires = if $requires { %>$requires<% } else {%>$requires_defaults<%} %> +<% if type($_requires, 'generalized') == String { %> + <%- if !($_requires.downcase in ['', 'unmanaged']) { -%> + Require <%= $_requires %> + <%- } -%> +<% }elsif String(type($_requires, 'generalized')).index('Array') == 0 { -%> + <%- $_requires.each |$req| { -%> + Require <%= $req %> + <%- } -%> +<% }elsif String(type($_requires, 'generalized')).index('Hash') == 0 { -%> + <%- if $_requires['enforce'] and $_requires['enforce'].downcase in ['all', 'none', 'any'] { -%> + <%- $enforce_str = "Require${_requires['enforce'].capitalize}>\n" -%> + <%- $enforce_open = " <${enforce_str}" -%> + <%- $enforce_close = " + <%- $indentation = ' ' -%> + <%- } else { -%> + <%- if $_requires['enforce'] { -%> + <%- scope.function_warning(["Class #{@title}: Require can only be overwritten with all, none or any."]) -%> + <%- } -%> + <%- $enforce_open = '' -%> + <%- $enforce_close = '' -%> + <%- $indentation = '' -%> + <%- } -%> + <%- if $_requires['requires'] and String(type($_requires['requires'], 'generalized')).index('Array') == 0 { -%> +<%# %><%= $enforce_open -%> + <%- $_requires['requires'].each |$req| { -%> +<%# %> <%= $indentation -%>Require <%= $req %> + <%- } -%> +<%# %><%= $enforce_close -%> + <%- } else { -%> + <%- scope.function_warning(["Class #{@title}: Require hash must have a key named \"requires\" with array value"]) -%> + <%- } -%> +<% } -%> diff --git a/templates/mod/_require.erb b/templates/mod/_require.erb new file mode 100644 index 0000000000..404dcc4c26 --- /dev/null +++ b/templates/mod/_require.erb @@ -0,0 +1,33 @@ +<% _requires = @requires != nil ? @requires : @requires_defaults -%> +<% if _requires.is_a?(String) -%> + <%- if ! ['', 'unmanaged'].include?_requires.downcase -%> + Require <%= _requires %> + <%- end -%> +<% elsif _requires.is_a?(Array) -%> + <%- _requires.each do |req| -%> + Require <%= req %> + <%- end -%> +<% elsif _requires.is_a?(Hash) -%> + <%- if _requires.has_key?('enforce') and ['all', 'none', 'any'].include?_requires['enforce'].downcase -%> + <%- enforce_str = "Require#{_requires['enforce'].capitalize}>\n" -%> + <%- enforce_open = " <#{enforce_str}" -%> + <%- enforce_close = " + <%- indentation = ' ' -%> + <%- else -%> + <%- if _requires.has_key?('enforce') -%> + <%- scope.function_warning(["Class #{@title}: Require can only be overwritten with all, none or any."]) -%> + <%- end -%> + <%- enforce_open = '' -%> + <%- enforce_close = '' -%> + <%- indentation = '' -%> + <%- end -%> + <%- if _requires.has_key?('requires') and _requires['requires'].is_a?(Array) -%> +<%# %><%= enforce_open -%> + <%- _requires['requires'].each do |req| -%> +<%# %> <%= indentation -%>Require <%= req %> + <%- end -%> +<%# %><%= enforce_close -%> + <%- else -%> + <%- scope.function_warning(["Class #{@title}: Require hash must have a key named \"requires\" with array value"]) -%> + <%- end -%> +<% end -%> diff --git a/templates/mod/alias.conf.epp b/templates/mod/alias.conf.epp new file mode 100644 index 0000000000..12571c1452 --- /dev/null +++ b/templates/mod/alias.conf.epp @@ -0,0 +1,8 @@ + +Alias /<%= $icons_prefix %>/ "<%= $icons_path %>/" +"> + Options <%= $icons_options %> + AllowOverride None + Require all granted + + diff --git a/templates/mod/alias.conf.erb b/templates/mod/alias.conf.erb deleted file mode 100644 index 52f16c1719..0000000000 --- a/templates/mod/alias.conf.erb +++ /dev/null @@ -1,9 +0,0 @@ - -Alias /icons/ "<%= @icons_path %>/" -"> - Options Indexes MultiViews - AllowOverride None - Order allow,deny - Allow from all - - diff --git a/templates/mod/auth_cas.conf.epp b/templates/mod/auth_cas.conf.epp new file mode 100644 index 0000000000..97df151c98 --- /dev/null +++ b/templates/mod/auth_cas.conf.epp @@ -0,0 +1,58 @@ +CASCookiePath <%= $cas_cookie_path %> +CASLoginURL <%= $cas_login_url %> +CASValidateURL <%= $cas_validate_url %> + +CASVersion <%= $cas_version %> +CASDebug <%= $cas_debug %> + +<% if $cas_certificate_path { -%> +CASCertificatePath <%= $cas_certificate_path %> +<% } -%> +<% if $cas_proxy_validate_url { -%> +CASProxyValidateURL <%= $cas_proxy_validate_url %> +<% } -%> +<% if $cas_validate_server { -%> +CASValidateServer <%= $cas_validate_server %> +<% } -%> +<% if $cas_validate_depth { -%> +CASValidateDepth <%= $cas_validate_depth %> +<% } -%> +<% if $cas_root_proxied_as { -%> +CASRootProxiedAs <%= $cas_root_proxied_as %> +<% } -%> +<% if $cas_cookie_entropy { -%> +CASCookieEntropy <%= $cas_cookie_entropy %> +<% } -%> +<% if $cas_timeout { -%> +CASTimeout <%= $cas_timeout %> +<% } -%> +<% if $cas_idle_timeout { -%> +CASIdleTimeout <%= $cas_idle_timeout %> +<% } -%> +<% if $cas_cache_clean_interval { -%> +CASCacheCleanInterval <%= $cas_cache_clean_interval %> +<% } -%> +<% if $cas_cookie_domain { -%> +CASCookieDomain <%= $cas_cookie_domain %> +<% } -%> +<% if $cas_cookie_http_only { -%> +CASCookieHttpOnly <%= $cas_cookie_http_only %> +<% } -%> +<% if $cas_authoritative { -%> +CASAuthoritative <%= $cas_authoritative %> +<% } -%> +<%- if $cas_sso_enabled { -%> +CASSSOEnabled On +<%- } -%> +<%- if $cas_validate_saml { -%> +CASValidateSAML On +<%- } -%> +<%- if $cas_attribute_prefix { -%> +CASAttributePrefix <%= $cas_attribute_prefix %> +<%- } -%> +<%- if $cas_attribute_delimiter { -%> +CASAttributeDelimiter <%= $cas_attribute_delimiter %> +<%- } -%> +<%- if $cas_scrub_request_headers { -%> +CASAttributeDelimiter On +<%- } -%> diff --git a/templates/mod/auth_mellon.conf.epp b/templates/mod/auth_mellon.conf.epp new file mode 100644 index 0000000000..609e5504ac --- /dev/null +++ b/templates/mod/auth_mellon.conf.epp @@ -0,0 +1,21 @@ +<%- if $mellon_cache_size { -%> +MellonCacheSize <%= $mellon_cache_size %> +<%- } -%> +<%- if $mellon_cache_entry_size { -%> +MellonCacheEntrySize <%= $mellon_cache_entry_size %> +<%- } -%> +<%- if $mellon_lock_file { -%> +MellonLockFile "<%= $mellon_lock_file %>" +<%- } -%> +<%- if $mellon_post_directory { -%> +MellonPostDirectory "<%= $mellon_post_directory %>" +<%- } -%> +<%- if $mellon_post_ttl { -%> +MellonPostTTL <%= $mellon_post_ttl %> +<%- } -%> +<%- if $mellon_post_size { -%> +MellonPostSize <%= $mellon_post_size %> +<%- } -%> +<%- if $mellon_post_count { -%> +MellonPostCount <%= $mellon_post_count %> +<%- } -%> diff --git a/templates/mod/authn_dbd.conf.epp b/templates/mod/authn_dbd.conf.epp new file mode 100644 index 0000000000..6bb1e9e204 --- /dev/null +++ b/templates/mod/authn_dbd.conf.epp @@ -0,0 +1,17 @@ +#Database Management +DBDriver <%= $authn_dbd_dbdriver %> + +#Connection string: database name and login credentials +DBDParams "<%= $authn_dbd_params %>" + +#Parameters for Connection Pool Management +DBDMin <%= $authn_dbd_min %> +DBDMax <%= $authn_dbd_max %> +DBDKeep <%= $authn_dbd_keep %> +DBDExptime <%= $authn_dbd_exptime %> + +<%- if $authn_dbd_alias { -%> +> + AuthDBDUserPWQuery "<%= $authn_dbd_query %>" + +<%- } -%> diff --git a/templates/mod/authnz_ldap.conf.epp b/templates/mod/authnz_ldap.conf.epp new file mode 100644 index 0000000000..242a7356a7 --- /dev/null +++ b/templates/mod/authnz_ldap.conf.epp @@ -0,0 +1 @@ +LDAPVerifyServerCert <%= apache::bool2httpd($verify_server_cert) %> diff --git a/templates/mod/autoindex.conf.epp b/templates/mod/autoindex.conf.epp new file mode 100644 index 0000000000..9e052dc8f4 --- /dev/null +++ b/templates/mod/autoindex.conf.epp @@ -0,0 +1,56 @@ +IndexOptions FancyIndexing VersionSort HTMLTable NameWidth=* DescriptionWidth=* Charset=UTF-8 +AddIconByEncoding (CMP,/<%= $icons_prefix %>/compressed.gif) x-compress x-gzip x-bzip2 + +AddIconByType (TXT,/<%= $icons_prefix %>/text.gif) text/* +AddIconByType (IMG,/<%= $icons_prefix %>/image2.gif) image/* +AddIconByType (SND,/<%= $icons_prefix %>/sound2.gif) audio/* +AddIconByType (VID,/<%= $icons_prefix %>/movie.gif) video/* + +AddIcon /<%= $icons_prefix %>/binary.gif .bin .exe +AddIcon /<%= $icons_prefix %>/binhex.gif .hqx +AddIcon /<%= $icons_prefix %>/tar.gif .tar +AddIcon /<%= $icons_prefix %>/world2.gif .wrl .wrl.gz .vrml .vrm .iv +AddIcon /<%= $icons_prefix %>/compressed.gif .Z .z .tgz .gz .zip +AddIcon /<%= $icons_prefix %>/a.gif .ps .ai .eps +AddIcon /<%= $icons_prefix %>/layout.gif .html .shtml .htm .pdf +AddIcon /<%= $icons_prefix %>/text.gif .txt +AddIcon /<%= $icons_prefix %>/c.gif .c +AddIcon /<%= $icons_prefix %>/p.gif .pl .py +AddIcon /<%= $icons_prefix %>/f.gif .for +AddIcon /<%= $icons_prefix %>/dvi.gif .dvi +AddIcon /<%= $icons_prefix %>/uuencoded.gif .uu +AddIcon /<%= $icons_prefix %>/script.gif .conf .sh .shar .csh .ksh .tcl +AddIcon /<%= $icons_prefix %>/tex.gif .tex +AddIcon /<%= $icons_prefix %>/bomb.gif /core +AddIcon (SND,/<%= $icons_prefix %>/sound2.gif) .ogg +AddIcon (VID,/<%= $icons_prefix %>/movie.gif) .ogm + +AddIcon /<%= $icons_prefix %>/back.gif .. +AddIcon /<%= $icons_prefix %>/hand.right.gif README +AddIcon /<%= $icons_prefix %>/folder.gif ^^DIRECTORY^^ +AddIcon /<%= $icons_prefix %>/blank.gif ^^BLANKICON^^ + +AddIcon /<%= $icons_prefix %>/odf6odt<%= $icon_suffix %>.png .odt +AddIcon /<%= $icons_prefix %>/odf6ods<%= $icon_suffix %>.png .ods +AddIcon /<%= $icons_prefix %>/odf6odp<%= $icon_suffix %>.png .odp +AddIcon /<%= $icons_prefix %>/odf6odg<%= $icon_suffix %>.png .odg +AddIcon /<%= $icons_prefix %>/odf6odc<%= $icon_suffix %>.png .odc +AddIcon /<%= $icons_prefix %>/odf6odf<%= $icon_suffix %>.png .odf +AddIcon /<%= $icons_prefix %>/odf6odb<%= $icon_suffix %>.png .odb +AddIcon /<%= $icons_prefix %>/odf6odi<%= $icon_suffix %>.png .odi +AddIcon /<%= $icons_prefix %>/odf6odm<%= $icon_suffix %>.png .odm + +AddIcon /<%= $icons_prefix %>/odf6ott<%= $icon_suffix %>.png .ott +AddIcon /<%= $icons_prefix %>/odf6ots<%= $icon_suffix %>.png .ots +AddIcon /<%= $icons_prefix %>/odf6otp<%= $icon_suffix %>.png .otp +AddIcon /<%= $icons_prefix %>/odf6otg<%= $icon_suffix %>.png .otg +AddIcon /<%= $icons_prefix %>/odf6otc<%= $icon_suffix %>.png .otc +AddIcon /<%= $icons_prefix %>/odf6otf<%= $icon_suffix %>.png .otf +AddIcon /<%= $icons_prefix %>/odf6oti<%= $icon_suffix %>.png .oti +AddIcon /<%= $icons_prefix %>/odf6oth<%= $icon_suffix %>.png .oth + +DefaultIcon /<%= $icons_prefix %>/unknown.gif +ReadmeName README.html +HeaderName HEADER.html + +IndexIgnore .??* *~ *# HEADER.html README.html RCS CVS *,v *,t diff --git a/templates/mod/autoindex.conf.erb b/templates/mod/autoindex.conf.erb deleted file mode 100644 index ef6bbebea6..0000000000 --- a/templates/mod/autoindex.conf.erb +++ /dev/null @@ -1,56 +0,0 @@ -IndexOptions FancyIndexing VersionSort HTMLTable NameWidth=* DescriptionWidth=* Charset=UTF-8 -AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip x-bzip2 - -AddIconByType (TXT,/icons/text.gif) text/* -AddIconByType (IMG,/icons/image2.gif) image/* -AddIconByType (SND,/icons/sound2.gif) audio/* -AddIconByType (VID,/icons/movie.gif) video/* - -AddIcon /icons/binary.gif .bin .exe -AddIcon /icons/binhex.gif .hqx -AddIcon /icons/tar.gif .tar -AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv -AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip -AddIcon /icons/a.gif .ps .ai .eps -AddIcon /icons/layout.gif .html .shtml .htm .pdf -AddIcon /icons/text.gif .txt -AddIcon /icons/c.gif .c -AddIcon /icons/p.gif .pl .py -AddIcon /icons/f.gif .for -AddIcon /icons/dvi.gif .dvi -AddIcon /icons/uuencoded.gif .uu -AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl -AddIcon /icons/tex.gif .tex -AddIcon /icons/bomb.gif /core -AddIcon (SND,/icons/sound2.gif) .ogg -AddIcon (VID,/icons/movie.gif) .ogm - -AddIcon /icons/back.gif .. -AddIcon /icons/hand.right.gif README -AddIcon /icons/folder.gif ^^DIRECTORY^^ -AddIcon /icons/blank.gif ^^BLANKICON^^ - -AddIcon /icons/odf6odt-20x22.png .odt -AddIcon /icons/odf6ods-20x22.png .ods -AddIcon /icons/odf6odp-20x22.png .odp -AddIcon /icons/odf6odg-20x22.png .odg -AddIcon /icons/odf6odc-20x22.png .odc -AddIcon /icons/odf6odf-20x22.png .odf -AddIcon /icons/odf6odb-20x22.png .odb -AddIcon /icons/odf6odi-20x22.png .odi -AddIcon /icons/odf6odm-20x22.png .odm - -AddIcon /icons/odf6ott-20x22.png .ott -AddIcon /icons/odf6ots-20x22.png .ots -AddIcon /icons/odf6otp-20x22.png .otp -AddIcon /icons/odf6otg-20x22.png .otg -AddIcon /icons/odf6otc-20x22.png .otc -AddIcon /icons/odf6otf-20x22.png .otf -AddIcon /icons/odf6oti-20x22.png .oti -AddIcon /icons/odf6oth-20x22.png .oth - -DefaultIcon /icons/unknown.gif -ReadmeName README.html -HeaderName HEADER.html - -IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t diff --git a/templates/mod/cache.conf.epp b/templates/mod/cache.conf.epp new file mode 100644 index 0000000000..354f3b52b8 --- /dev/null +++ b/templates/mod/cache.conf.epp @@ -0,0 +1,30 @@ +<% | + Optional[Array[String[1]]] $cache_ignore_headers = undef, + Optional[Integer] $cache_default_expire = undef, + Optional[Integer] $cache_max_expire = undef, + Optional[Apache::OnOff] $cache_ignore_no_lastmod = undef, + Optional[Apache::OnOff] $cache_header = undef, + Optional[Apache::OnOff] $cache_lock = undef, + Optional[Apache::OnOff] $cache_ignore_cache_control = undef, +| -%> +<%- if $cache_default_expire { -%> +CacheDefaultExpire <%= $cache_default_expire %> +<%- } -%> +<%- if $cache_max_expire { -%> +CacheMaxExpire <%= $cache_max_expire %> +<%- } -%> +<%- if $cache_ignore_no_lastmod { -%> +CacheIgnoreNoLastMod <%= $cache_ignore_no_lastmod %> +<%- } -%> +<%- if $cache_header { -%> +CacheHeader <%= $cache_header %> +<%- } -%> +<%- if $cache_lock { -%> +CacheLock <%= $cache_lock %> +<%- } -%> +<%- if $cache_ignore_cache_control { -%> +CacheIgnoreCacheControl <%= $cache_ignore_cache_control %> +<%- } -%> +<%- if ! empty($cache_ignore_headers) { -%> +CacheIgnoreHeaders <%= $cache_ignore_headers.sort.join(' ') %> +<%- } -%> diff --git a/templates/mod/cache_disk.conf.epp b/templates/mod/cache_disk.conf.epp new file mode 100644 index 0000000000..6ae5a7b130 --- /dev/null +++ b/templates/mod/cache_disk.conf.epp @@ -0,0 +1,26 @@ +<% | + Optional[String] $cache_root = undef, + Array[String] $cache_enable = [], + Optional[Integer] $cache_dir_length = undef, + Optional[Integer] $cache_dir_levels = undef, + Optional[Integer] $cache_max_filesize = undef, + Optional[String] $cache_ignore_headers = undef, +| -%> +<%- if $cache_enable { -%> + <%- $cache_enable.each |$enable| { -%> +CacheEnable disk <%= $enable %> + <%- } -%> +<%- } -%> +CacheRoot "<%= $cache_root %>" +<%- if $cache_dir_levels { -%> +CacheDirLevels <%= $cache_dir_levels %> +<%- } -%> +<%- if $cache_dir_length { -%> +CacheDirLength <%= $cache_dir_length %> +<%- } -%> +<%- if $cache_max_filesize { -%> +CacheMaxFileSize <%= $cache_max_filesize %> +<%- } -%> +<%- if $cache_ignore_headers { -%> +CacheIgnoreHeaders <%= $cache_ignore_headers -%> +<%- } -%> diff --git a/templates/mod/cgid.conf.epp b/templates/mod/cgid.conf.epp new file mode 100644 index 0000000000..7772fb2ce4 --- /dev/null +++ b/templates/mod/cgid.conf.epp @@ -0,0 +1 @@ +ScriptSock "<%= $cgisock_path %>" diff --git a/templates/mod/cgid.conf.erb b/templates/mod/cgid.conf.erb deleted file mode 100644 index d771012de9..0000000000 --- a/templates/mod/cgid.conf.erb +++ /dev/null @@ -1 +0,0 @@ -ScriptSock <%= @cgisock_path %> diff --git a/templates/mod/cluster.conf.epp b/templates/mod/cluster.conf.epp new file mode 100644 index 0000000000..b34c2cb8d1 --- /dev/null +++ b/templates/mod/cluster.conf.epp @@ -0,0 +1,26 @@ +Listen <%= $ip %>:<%= $port %> +:<%= $port %>> + + Order deny,allow + Deny from all + Allow from <%= $allowed_network %> + + + KeepAliveTimeout <%= $keep_alive_timeout %> + MaxKeepAliveRequests <%= $max_keep_alive_requests %> + EnableMCPMReceive <%= apache::bool2httpd($enable_mcpm_receive) %> + + ManagerBalancerName <%= $balancer_name %> + ServerAdvertise <%= apache::bool2httpd($server_advertise) %> + <%- if $server_advertise == true and $advertise_frequency != undef { -%> + AdvertiseFrequency <%= $advertise_frequency %> + <%- } -%> + + + SetHandler mod_cluster-manager + Order deny,allow + Deny from all + Allow from <%= $manager_allowed_network %> + + + diff --git a/templates/mod/dav_fs.conf.epp b/templates/mod/dav_fs.conf.epp new file mode 100644 index 0000000000..f7da458dbc --- /dev/null +++ b/templates/mod/dav_fs.conf.epp @@ -0,0 +1 @@ +DAVLockDB "<%= $dav_lock %>" diff --git a/templates/mod/dav_fs.conf.erb b/templates/mod/dav_fs.conf.erb deleted file mode 100644 index 50edf004e9..0000000000 --- a/templates/mod/dav_fs.conf.erb +++ /dev/null @@ -1 +0,0 @@ -DAVLockDB <%= @dav_lock %> diff --git a/templates/mod/deflate.conf.epp b/templates/mod/deflate.conf.epp new file mode 100644 index 0000000000..da6d9f8eb2 --- /dev/null +++ b/templates/mod/deflate.conf.epp @@ -0,0 +1,7 @@ +<%- $types.sort.each |$type| { -%> +AddOutputFilterByType DEFLATE <%= $type %> +<%- } -%> + +<%- Array($notes).sort.each |$values| { -%> +DeflateFilterNote <%= $values[0] %> <%= $values[1] %> +<%- } -%> diff --git a/templates/mod/deflate.conf.erb b/templates/mod/deflate.conf.erb deleted file mode 100644 index d0997dfebb..0000000000 --- a/templates/mod/deflate.conf.erb +++ /dev/null @@ -1,4 +0,0 @@ -AddOutputFilterByType DEFLATE text/html text/plain text/xml -AddOutputFilterByType DEFLATE text/css -AddOutputFilterByType DEFLATE application/x-javascript application/javascript application/ecmascript -AddOutputFilterByType DEFLATE application/rss+xml diff --git a/templates/mod/dir.conf.epp b/templates/mod/dir.conf.epp new file mode 100644 index 0000000000..4ca134034e --- /dev/null +++ b/templates/mod/dir.conf.epp @@ -0,0 +1 @@ +DirectoryIndex <%= $indexes.join(' ') %> diff --git a/templates/mod/dir.conf.erb b/templates/mod/dir.conf.erb deleted file mode 100644 index 741f6ae034..0000000000 --- a/templates/mod/dir.conf.erb +++ /dev/null @@ -1 +0,0 @@ -DirectoryIndex <%= @indexes.join(' ') %> diff --git a/templates/mod/disk_cache.conf.erb b/templates/mod/disk_cache.conf.erb deleted file mode 100644 index 0c7e2c4b73..0000000000 --- a/templates/mod/disk_cache.conf.erb +++ /dev/null @@ -1,8 +0,0 @@ - - - CacheEnable disk / - CacheRoot "<%= @cache_root %>" - CacheDirLevels 2 - CacheDirLength 1 - - diff --git a/templates/mod/dumpio.conf.epp b/templates/mod/dumpio.conf.epp new file mode 100644 index 0000000000..c8f3e65808 --- /dev/null +++ b/templates/mod/dumpio.conf.epp @@ -0,0 +1,3 @@ +# https://httpd.apache.org/docs/2.4/mod/mod_dumpio.html +DumpIOInput "<%= $dump_io_input %>" +DumpIOOutput "<%= $dump_io_output %>" diff --git a/templates/mod/event.conf.epp b/templates/mod/event.conf.epp new file mode 100644 index 0000000000..d6549166d4 --- /dev/null +++ b/templates/mod/event.conf.epp @@ -0,0 +1,29 @@ + + <%- if $serverlimit { -%> + ServerLimit <%= $serverlimit %> + <%- } -%> + <%- if $startservers { -%> + StartServers <%= $startservers %> + <%- } -%> + <%- if $maxrequestworkers { -%> + MaxRequestWorkers <%= $maxrequestworkers %> + <%- } -%> + <%- if $minsparethreads { -%> + MinSpareThreads <%= $minsparethreads %> + <%- } -%> + <%- if $maxsparethreads { -%> + MaxSpareThreads <%= $maxsparethreads %> + <%- } -%> + <%- if $threadsperchild { -%> + ThreadsPerChild <%= $threadsperchild %> + <%- } -%> + <%- if $maxconnectionsperchild { -%> + MaxConnectionsPerChild <%= $maxconnectionsperchild %> + <%- } -%> + <%- if $threadlimit { -%> + ThreadLimit <%= $threadlimit %> + <%- } -%> + <%- if $listenbacklog { -%> + ListenBacklog <%= $listenbacklog %> + <%- } -%> + diff --git a/templates/mod/expires.conf.epp b/templates/mod/expires.conf.epp new file mode 100644 index 0000000000..fe5a2c40e4 --- /dev/null +++ b/templates/mod/expires.conf.epp @@ -0,0 +1,11 @@ +ExpiresActive <%= apache::bool2httpd($expires_active) %> +<%- if $expires_default != undef and !($expires_default.empty) { -%> +ExpiresDefault "<%= $expires_default %>" +<%- } -%> +<%- if $expires_by_type != undef and !($expires_by_type.empty) { -%> +<%- $expires_by_type.flatten.each |$line| { -%> +<%- $line.map |$type, $seconds| { -%> +ExpiresByType <%= $type %> "<%= $seconds -%>" +<%- } -%> +<%- } -%> +<%- } -%> diff --git a/templates/mod/ext_filter.conf.epp b/templates/mod/ext_filter.conf.epp new file mode 100644 index 0000000000..63b2b6643a --- /dev/null +++ b/templates/mod/ext_filter.conf.epp @@ -0,0 +1,4 @@ +# mod_ext_filter definitions +<%- Array($ext_filter_define).sort.each |$name_and_value| { -%> +ExtFilterDefine <%= $name_and_value[0] %> <%= $name_and_value[1] %> +<%- } -%> diff --git a/templates/mod/fcgid.conf.epp b/templates/mod/fcgid.conf.epp new file mode 100644 index 0000000000..3c111fe852 --- /dev/null +++ b/templates/mod/fcgid.conf.epp @@ -0,0 +1,6 @@ + +<% $sorted_keys = $options.keys.sort -%> +<% $sorted_keys.each |$key| { -%> + <%= $key %> <%= $options[$key] %> +<% } -%> + diff --git a/templates/mod/geoip.conf.epp b/templates/mod/geoip.conf.epp new file mode 100644 index 0000000000..309e2170f5 --- /dev/null +++ b/templates/mod/geoip.conf.epp @@ -0,0 +1,25 @@ +GeoIPEnable <%= apache::bool2httpd($enable) %> + +<%- if $db_file and !($db_file in [ false, 'false', '' ]) { -%> + <%- if String(type($db_file, 'generalized')).index('Array') == 0 { -%> + <%- Array($db_file).each |$file| { -%> +GeoIPDBFile <%= $file %> <%= $flag %> + <%- } -%> + <%- } else { -%> +GeoIPDBFile <%= $db_file %> <%= $flag %> + <%- } -%> +<%- } -%> +GeoIPOutput <%= $output %> +<% if $enable_utf8 != undef { -%> +GeoIPEnableUTF8 <%= apache::bool2httpd($enable_utf8) %> +<% } -%> +<% if $scan_proxy_headers != undef { -%> +GeoIPScanProxyHeaders <%= apache::bool2httpd($scan_proxy_headers) %> +<% } -%> +<% if $scan_proxy_header_field != undef { -%> +GeoIPScanProxyHeaderField <%= $scan_proxy_header_field %> +<% } -%> +<% if $use_last_xforwarededfor_ip != undef { -%> +GeoIPUseLastXForwardedForIP <%= apache::bool2httpd($use_last_xforwarededfor_ip) %> +<% } -%> + diff --git a/templates/mod/http2.conf.epp b/templates/mod/http2.conf.epp new file mode 100644 index 0000000000..a9e0a168d3 --- /dev/null +++ b/templates/mod/http2.conf.epp @@ -0,0 +1,57 @@ +# The http2 Apache module configuration file is being +# managed by Puppet and changes will be overwritten. + +<% if $h2_copy_files != undef { -%> +H2CopyFiles <%= apache::bool2httpd($h2_copy_files) %> +<% } -%> +<% if $h2_direct != undef { -%> +H2Direct <%= apache::bool2httpd($h2_direct) %> +<% } -%> +<% if $h2_early_hints != undef { -%> +H2EarlyHints <%= apache::bool2httpd($h2_early_hints) %> +<% } -%> +<% if $h2_max_session_streams != undef { -%> +H2MaxSessionStreams <%= $h2_max_session_streams %> +<% } -%> +<% if $h2_max_worker_idle_seconds != undef { -%> +H2MaxWorkerIdleSeconds <%= $h2_max_worker_idle_seconds %> +<% } -%> +<% if $h2_max_workers != undef { -%> +H2MaxWorkers <%= $h2_max_workers %> +<% } -%> +<% if $h2_min_workers != undef { -%> +H2MinWorkers <%= $h2_min_workers %> +<% } -%> +<%- if $h2_modern_tls_only != undef { -%> +H2ModernTLSOnly <%= apache::bool2httpd($h2_modern_tls_only) %> +<%- } -%> +<%- if $h2_push != undef { -%> +H2Push <%= apache::bool2httpd($h2_push) %> +<%- } -%> +<%- if $h2_push_diary_size != undef { -%> +H2PushDiarySize <%= $h2_push_diary_size %> +<%- } -%> +<%- $h2_push_priority.each |$expr| { -%> +H2PushPriority <%= $expr %> +<%- } -%> +<%- $h2_push_resource.each |$expr| { -%> +H2PushResource <%= $expr %> +<%- } -%> +<% if $h2_serialize_headers != undef { -%> +H2SerializeHeaders <%= apache::bool2httpd($h2_serialize_headers) %> +<% } -%> +<% if $h2_stream_max_mem_size != undef { -%> +H2StreamMaxMemSize <%= $h2_stream_max_mem_size %> +<% } -%> +<%- if $h2_tls_cool_down_secs != undef { -%> +H2TLSCoolDownSecs <%= $h2_tls_cool_down_secs %> +<%- } -%> +<%- if $h2_tls_warm_up_size != undef { -%> +H2TLSWarmUpSize <%= $h2_tls_warm_up_size %> +<%- } -%> +<% if $h2_upgrade != undef { -%> +H2Upgrade <%= apache::bool2httpd($h2_upgrade) %> +<% } -%> +<% if $h2_window_size != undef { -%> +H2WindowSize <%= $h2_window_size %> +<% } -%> diff --git a/templates/mod/info.conf.epp b/templates/mod/info.conf.epp new file mode 100644 index 0000000000..b031fe09a4 --- /dev/null +++ b/templates/mod/info.conf.epp @@ -0,0 +1,6 @@ +> + SetHandler server-info +<%- if $restrict_access { -%> + Require ip <%= Array($allow_from).join(" ") %> +<%- } -%> + diff --git a/templates/mod/info.conf.erb b/templates/mod/info.conf.erb deleted file mode 100644 index 01ffe95a91..0000000000 --- a/templates/mod/info.conf.erb +++ /dev/null @@ -1,6 +0,0 @@ - - SetHandler server-info - Order deny,allow - Deny from all - Allow from <%= Array(@allow_from).join(" ") %> - diff --git a/templates/mod/itk.conf.epp b/templates/mod/itk.conf.epp new file mode 100644 index 0000000000..f397e2f715 --- /dev/null +++ b/templates/mod/itk.conf.epp @@ -0,0 +1,11 @@ + + StartServers <%= $startservers %> + MinSpareServers <%= $minspareservers %> + MaxSpareServers <%= $maxspareservers %> + ServerLimit <%= $serverlimit %> + MaxClients <%= $maxclients %> + MaxRequestsPerChild <%= $maxrequestsperchild %> + <%- if $enablecapabilities != undef { -%> + EnableCapabilities <%= apache::bool2httpd($enablecapabilities) %> + <%- } -%> + diff --git a/templates/mod/itk.conf.erb b/templates/mod/itk.conf.erb deleted file mode 100644 index f45f2b35dd..0000000000 --- a/templates/mod/itk.conf.erb +++ /dev/null @@ -1,8 +0,0 @@ - - StartServers <%= @startservers %> - MinSpareServers <%= @minspareservers %> - MaxSpareServers <%= @maxspareservers %> - ServerLimit <%= @serverlimit %> - MaxClients <%= @maxclients %> - MaxRequestsPerChild <%= @maxrequestsperchild %> - diff --git a/templates/mod/jk.conf.epp b/templates/mod/jk.conf.epp new file mode 100644 index 0000000000..c5cb36000d --- /dev/null +++ b/templates/mod/jk.conf.epp @@ -0,0 +1,167 @@ +# This file is generated automatically by Puppet - DO NOT EDIT +# Any manual changes will be overwritten + + + <%- if $workers_file { -%> + JkWorkersFile <%= $workers_file %> + <%- } -%> + <%- if $worker_property { -%> + <%- Array($worker_property).sort.each |$property_and_value| { -%> + JkWorkerProperty <%= $property_and_value[0] %>=<%= $property_and_value[1] %> + <%- } -%> + <%- } -%> + <%- if $shm_path { -%> + JkShmFile <%= $shm_path %> + <%- } -%> + <%- if $shm_size { -%> + JkShmSize <%= $shm_size %> + <%- } -%> + <%- if $mount_file { -%> + JkMountFile <%= $mount_file %> + <%- } -%> + <%- if $mount_file_reload { -%> + JkMountFileReload <%= $mount_file_reload %> + <%- } -%> + <%- if $mount { -%> + <%- Array($mount).sort.each |$url_prefix_and_worker_name| { -%> + JkMount <%= $url_prefix_and_worker_name[0] %> <%= $url_prefix_and_worker_name[1] %> + <%- } -%> + <%- } -%> + <%- if $un_mount { -%> + <%- Array($un_mount).sort.each |$url_prefix_and_worker_name| { -%> + JkUnMount <%= $url_prefix_and_worker_name[0] %> <%= $url_prefix_and_worker_name[1] %> + <%- } -%> + <%- } -%> + <%- if $auto_alias { -%> + JkAutoAlias <%= $auto_alias %> + <%- } -%> + <%- if $mount_copy { -%> + JkMountCopy <%= $mount_copy %> + <%- } -%> + <%- if $worker_indicator { -%> + JkWorkerIndicator <%= $worker_indicator %> + <%- } -%> + <%- if $watchdog_interval { -%> + JkWatchdogInterval <%= $watchdog_interval %> + <%- } -%> + <%- if $log_path { -%> + JkLogFile <%= $log_path %> + <%- } -%> + <%- if $log_level { -%> + JkLogLevel <%= $log_level %> + <%- } -%> + <%- if $log_stamp_format { -%> + JkLogStampFormat <%= $log_stamp_format %> + <%- } -%> + <%- if $request_log_format { -%> + JkRequestLogFormat <%= $request_log_format %> + <%- } -%> + <%- if $extract_ssl { -%> + JkExtractSSL <%= $extract_ssl %> + <%- } -%> + <%- if $https_indicator { -%> + JkHTTPSIndicator <%= $https_indicator %> + <%- } -%> + <%- if $sslprotocol_indicator { -%> + JkSSLPROTOCOLIndicator <%= $sslprotocol_indicator %> + <%- } -%> + <%- if $certs_indicator { -%> + JkCERTSIndicator <%= $certs_indicator %> + <%- } -%> + <%- if $cipher_indicator { -%> + JkCIPHERIndicator <%= $cipher_indicator %> + <%- } -%> + <%- if $certchain_prefix { -%> + JkCERTCHAINPrefix <%= $certchain_prefix %> + <%- } -%> + <%- if $session_indicator { -%> + JkSESSIONIndicator <%= $session_indicator %> + <%- } -%> + <%- if $keysize_indicator { -%> + JkKEYSIZEIndicator <%= $keysize_indicator %> + <%- } -%> + <%- if $local_name_indicator { -%> + JkLocalNameIndicator <%= $local_name_indicator %> + <%- } -%> + <%- if $ignore_cl_indicator { -%> + JkIgnoreCLIndicator <%= $ignore_cl_indicator %> + <%- } -%> + <%- if $local_addr_indicator { -%> + JkLocalAddrIndicator <%= $local_addr_indicator %> + <%- } -%> + <%- if $local_port_indicator { -%> + JkLocalPortIndicator <%= $local_port_indicator %> + <%- } -%> + <%- if $remote_host_indicator { -%> + JkRemoteHostIndicator <%= $remote_host_indicator %> + <%- } -%> + <%- if $remote_addr_indicator { -%> + JkRemoteAddrIndicator <%= $remote_addr_indicator %> + <%- } -%> + <%- if $remote_port_indicator { -%> + JkRemotePortIndicator <%= $remote_port_indicator %> + <%- } -%> + <%- if $remote_user_indicator { -%> + JkRemoteUserIndicator <%= $remote_user_indicator %> + <%- } -%> + <%- if $auth_type_indicator { -%> + JkAuthTypeIndicator <%= $auth_type_indicator %> + <%- } -%> + <%- if $options { -%> + <%- $options.sort.each |$fwd_option| { -%> + JkOptions <%= $fwd_option %> + <%- } -%> + <%- } -%> + <%- if $env_var { -%> + <%- Array($env_var).sort.each |$variable_and_value| { -%> + JkEnvVar <%= $variable_and_value[0] %><% if !$variable_and_value[1].empty { %> value<% } -%> + <%- } -%> + <%- } -%> + <%- if $strip_session { -%> + JkStripSession <%= $strip_session %> + <%- } -%> + <%# -%> + <%# Global locations for mod_jk are defined in array location_list -%> + <%# Each array item is a hash with quoted* property name as key -%> + <%# and value as value itself -%> + <%# You can define a comment in a special 'comment' key -%> + <%# -%> + <%# Example: -%> + <%# -%> + <%# # Configures jkstatus -%> + <%# JkMount status -%> + <%# Order deny,allow -%> + <%# Deny from all -%> + <%# Allow from 127.0.0.1 -%> + <%# -%> + <%# -%> + <%# Is defined as: -%> + <%# location_list = [ -%> + <%# { -%> + <%# 'Location' => '/jkstatus/', -%> + <%# 'Comment' => 'Configures jkstatus', -%> + <%# 'JkMount' => 'status', -%> + <%# 'Order' => 'deny,allow', -%> + <%# 'Deny from' => 'all', -%> + <%# 'Allow from' => '127.0.0.1', -%> + <%# }, -%> + <%# ] -%> + <%# * Keys must be quoted to allow arbitrary case and/or multi-word keys -%> + <%# (BTW, note the case of 'Location' and 'Comment' keys) -%> + <%# -%> + <%- if $location_list { -%> + <%- $location_list.each |$location_tag| { -%> + + > + <%- if $location_tag['Comment'] { -%> + # <%= $location_tag['Comment'] %> + <%- } -%> + <%- $location_tag.each |$property, $value| { -%> + <%- if $property != 'Comment' and $property != 'Location' { -%> + <%= $property %> <%= $value %> + <%- } -%> + <%- } -%> + + <%- } -%> + <%- } -%> + diff --git a/templates/mod/jk/uriworkermap.properties.epp b/templates/mod/jk/uriworkermap.properties.epp new file mode 100644 index 0000000000..88e42c1711 --- /dev/null +++ b/templates/mod/jk/uriworkermap.properties.epp @@ -0,0 +1,40 @@ +# This file is generated automatically by Puppet - DO NOT EDIT +# Any manual changes will be overwritten +<%# -%> +<%# mount_file_content should be a hash which keys are workers names -%> +<%# and values are new hashes with two items: -%> +<%# uri_list - Array with URIs to be mapped to worker -%> +<%# comment - Optional comment line -%> +<%# -%> +<%# Example: -%> +<%# # Worker 1 -%> +<%# /context_1/ = worker_1 -%> +<%# /context_1/* = worker_1 -%> +<%# -%> +<%# # Worker 2 -%> +<%# / = worker_2 -%> +<%# /context_2/ = worker_2 -%> +<%# /context_2/* = worker_2 -%> +<%# -%> +<%# should be parameterized as: -%> +<%# $mount_file_content = { -%> +<%# worker_1 => { -%> +<%# uri_list => ['/context_1/', '/context_1/*'], -%> +<%# comment => 'Worker 1', -%> +<%# }, -%> +<%# worker_2 => { -%> +<%# uri_list => ['/context_2/', '/context_2/*'], -%> +<%# comment => 'Worker 2', -%> +<%# }, -%> +<%# }, -%> +<%# -%> +<% Array($mount_file_content).sort.each |$worker_and_directives| { -%> + +<%# Places comment before worker mappings -%> +<% if $worker_and_directives[1]['comment'] { -%> +# <%= $worker_and_directives[1]['comment'] %> +<% } -%> +<% $worker_and_directives[1]['uri_list'].sort.each |$uri| { -%> +<%= $uri %> = <%= $worker_and_directives[0] %> +<% } -%> +<% } -%> diff --git a/templates/mod/jk/workers.properties.epp b/templates/mod/jk/workers.properties.epp new file mode 100644 index 0000000000..25cc758ae2 --- /dev/null +++ b/templates/mod/jk/workers.properties.epp @@ -0,0 +1,62 @@ +# This file is generated automatically by Puppet - DO NOT EDIT +# Any manual changes will be overwritten +<%# -%> +<%# workers_file_content should be a hash which keys are workers names -%> +<%# and values are new hashes with properties and values -%> +<%# Two keys are special (and reserved!): -%> +<%# worker_lists - Array of comma-separated worker names lists -%> +<%# Each list is an item of the array and will be placed in one line -%> +<%# worker_maintain - Numeric string -%> +<%# -%> +<%# Example: -%> +<%# worker.list = status -%> +<%# worker.list = some_name,other_name -%> +<%# worker.maintain = 60 -%> +<%# # Optional comment -%> +<%# worker.some_name.type=ajp13 -%> +<%# worker.some_name.socket_keepalive=true -%> +<%# # I just like comments -%> +<%# worker.other_name.type=ajp12 (why would you?) -%> +<%# worker.other_name.socket_keepalive=false -%> +<%# -%> +<%# should be parameterized as: -%> +<%# $workers_file_content = { -%> +<%# worker_lists => ['status', 'some_name,other_name'], -%> +<%# worker_maintain => '60', -%> +<%# some_name => { -%> +<%# type => 'ajp13', -%> +<%# socket_keepalive => 'true', -%> +<%# comment => 'Optional comment', -%> +<%# }, -%> +<%# other_name => { -%> +<%# type => 'ajp12', -%> +<%# socket_keepalive => 'false', -%> +<%# comment => 'I just like comments', -%> +<%# }, -%> +<%# }, -%> +<%# -%> +<% if $workers_file_content['worker_lists'] { -%> + +<% $workers_file_content['worker_lists'].sort.each |$list| { -%> +worker.list = <%= $list %> +<% } -%> +<% } -%> +<% if $workers_file_content['worker_maintain'] { -%> + +worker.maintain = <%= $workers_file_content['worker_maintain'] %> +<% } -%> +<% Array($workers_file_content).sort.each |$name_and_directives| { -%> +<%# Skip hash items with the reserved keys -%> +<% if !($name_and_directives[0] in ['worker_lists', 'worker_maintain']) { -%> + +<%# Places comment before worker directives -%> +<% if $name_and_directives[1]['comment'] { -%> +# <%= $name_and_directives[1]['comment'] %> +<% } -%> +<% Array($name_and_directives[1]).sort.each |$property_and_value| { -%> +<% if $property_and_value[0] != 'comment' { -%> +worker.<%= $name_and_directives[0] %>.<%= $property_and_value[0] %>=<%= $property_and_value[1] %> +<% } -%> +<% } -%> +<% } -%> +<% } -%> diff --git a/templates/mod/ldap.conf.epp b/templates/mod/ldap.conf.epp new file mode 100644 index 0000000000..c2e28a9a5a --- /dev/null +++ b/templates/mod/ldap.conf.epp @@ -0,0 +1,25 @@ +> + SetHandler ldap-status + Require ip 127.0.0.1 ::1 + +<% if $ldap_trusted_global_cert_file { -%> +LDAPTrustedGlobalCert <%= $ldap_trusted_global_cert_type %> <%= $ldap_trusted_global_cert_file %> +<% } -%> +<% if $ldap_trusted_mode { -%> +LDAPTrustedMode <%= $ldap_trusted_mode %> +<% } -%> +<%- if $ldap_shared_cache_size { -%> +LDAPSharedCacheSize <%= $ldap_shared_cache_size %> +<%- } -%> +<%- if $ldap_cache_entries { -%> +LDAPCacheEntries <%= $ldap_cache_entries %> +<%- } -%> +<%- if $ldap_cache_ttl { -%> +LDAPCacheTTL <%= $ldap_cache_ttl %> +<%- } -%> +<%- if $ldap_opcache_entries { -%> +LDAPOpCacheEntries <%= $ldap_opcache_entries %> +<%- } -%> +<%- if $ldap_opcache_ttl { -%> +LDAPOpCacheTTL <%= $ldap_opcache_ttl %> +<%- } -%> diff --git a/templates/mod/ldap.conf.erb b/templates/mod/ldap.conf.erb deleted file mode 100644 index 14f33ab2b2..0000000000 --- a/templates/mod/ldap.conf.erb +++ /dev/null @@ -1,7 +0,0 @@ - - SetHandler ldap-status - Order deny,allow - Deny from all - Allow from 127.0.0.1 ::1 - Satisfy all - diff --git a/templates/mod/load.epp b/templates/mod/load.epp new file mode 100644 index 0000000000..a753dd2520 --- /dev/null +++ b/templates/mod/load.epp @@ -0,0 +1,7 @@ +<% if $loadfiles { -%> +<% Array($loadfiles).each |$loadfile| { -%> +LoadFile <%= $loadfile %> +<% } -%> + +<% } -%> +LoadModule <%= $_id %> <%= $_path %> diff --git a/templates/mod/md.conf.epp b/templates/mod/md.conf.epp new file mode 100644 index 0000000000..0ae45fc7cf --- /dev/null +++ b/templates/mod/md.conf.epp @@ -0,0 +1,84 @@ +<% if $apache::mod::md::md_activation_delay { -%> +MDActivationDelay <%= $apache::mod::md::md_activation_delay %> +<% } -%> +<% if $apache::mod::md::md_base_server { -%> +MDBaseServer <%= $apache::mod::md::md_base_server %> +<% } -%> +<% if $apache::mod::md::md_ca_challenges { -%> +MDCAChallenges <%= $apache::mod::md::md_ca_challenges.join(' ') %> +<% } -%> +<% if $apache::mod::md::md_certificate_agreement { -%> +MDCertificateAgreement <%= $apache::mod::md::md_certificate_agreement %> +<% } -%> +<% if $apache::mod::md::md_certificate_authority { -%> +MDCertificateAuthority <%= $apache::mod::md::md_certificate_authority %> +<% } -%> +<% if $apache::mod::md::md_certificate_check { -%> +MDCertificateCheck <%= $apache::mod::md::md_certificate_check %> +<% } -%> +<% if $apache::mod::md::md_certificate_monitor { -%> +MDCertificateMonitor <%= $apache::mod::md::md_certificate_monitor %> +<% } -%> +<% if $apache::mod::md::md_certificate_protocol { -%> +MDCertificateProtocol <%= $apache::mod::md::md_certificate_protocol %> +<% } -%> +<% if $apache::mod::md::md_certificate_status { -%> +MDCertificateStatus <%= $apache::mod::md::md_certificate_status %> +<% } -%> +<% if $apache::mod::md::md_challenge_dns01 { -%> +MDChallengeDns01 "<%= $apache::mod::md::md_challenge_dns01 %>" +<% } -%> +<% if $apache::mod::md::md_contact_email { -%> +MDContactEmail <%= $apache::mod::md::md_contact_email %> +<% } -%> +<% if $apache::mod::md::md_http_proxy { -%> +MDHttpProxy <%= $apache::mod::md::md_http_proxy %> +<% } -%> +<% if $apache::mod::md::md_members { -%> +MDMembers <%= $apache::mod::md::md_members %> +<% } -%> +<% if $apache::mod::md::md_message_cmd { -%> +MDMessageCmd "<%= $apache::mod::md::md_message_cmd %>" +<% } -%> +<% if $apache::mod::md::md_must_staple { -%> +MDMustStaple <%= $apache::mod::md::md_must_staple %> +<% } -%> +<% if $apache::mod::md::md_notify_cmd { -%> +MDNotifyCmd "<%= $apache::mod::md::md_notify_cmd %>" +<% } -%> +<% if $apache::mod::md::md_port_map { -%> +MDPortMap <%= $apache::mod::md::md_port_map %> +<% } -%> +<% if $apache::mod::md::md_private_keys { -%> +MDPrivateKeys <%= $apache::mod::md::md_private_keys %> +<% } -%> +<% if $apache::mod::md::md_renew_mode { -%> +MDRenewMode <%= $apache::mod::md::md_renew_mode %> +<% } -%> +<% if $apache::mod::md::md_renew_window { -%> +MDRenewWindow <%= $apache::mod::md::md_renew_window %> +<% } -%> +<% if $apache::mod::md::md_require_https { -%> +MDRequireHttps <%= $apache::mod::md::md_require_https %> +<% } -%> +<% if $apache::mod::md::md_server_status { -%> +MDServerStatus <%= $apache::mod::md::md_server_status %> +<% } -%> +<% if $apache::mod::md::md_staple_others { -%> +MDStapleOthers <%= $apache::mod::md::md_staple_others %> +<% } -%> +<% if $apache::mod::md::md_stapling { -%> +MDStapling <%= $apache::mod::md::md_stapling %> +<% } -%> +<% if $apache::mod::md::md_stapling_keep_response { -%> +MDStaplingKeepResponse <%= $apache::mod::md::md_stapling_keep_response %> +<% } -%> +<% if $apache::mod::md::md_stapling_renew_window { -%> +MDStaplingRenewWindow <%= $apache::mod::md::md_stapling_renew_window %> +<% } -%> +<% if $apache::mod::md::md_store_dir { -%> +MDStoreDir "<%= $apache::mod::md::md_store_dir %>" +<% } -%> +<% if $apache::mod::md::md_warn_window { -%> +MDWarnWindow <%= $apache::mod::md::md_warn_window %> +<% } -%> diff --git a/templates/mod/mime.conf.erb b/templates/mod/mime.conf.epp similarity index 70% rename from templates/mod/mime.conf.erb rename to templates/mod/mime.conf.epp index 34f4add924..11a2ca045d 100644 --- a/templates/mod/mime.conf.erb +++ b/templates/mod/mime.conf.epp @@ -1,4 +1,4 @@ -TypesConfig /etc/mime.types +TypesConfig <%= $mime_types_config %> AddType application/x-compress .Z AddType application/x-gzip .gz .tgz @@ -31,6 +31,8 @@ AddLanguage sv .sv AddLanguage zh-CN .zh-cn AddLanguage zh-TW .zh-tw -AddHandler type-map var -AddType text/html .shtml -AddOutputFilter INCLUDES .shtml +<%- Array($_mime_types_additional).sort.each |$add_mime_and_config| { -%> + <%- $add_mime_and_config[1].each |$type, $extension| { %> +<%= $add_mime_and_config[0] %> <%= $type %> <%= $extension %> + <%- } -%> +<% } %> diff --git a/templates/mod/mime_magic.conf.epp b/templates/mod/mime_magic.conf.epp new file mode 100644 index 0000000000..5696f89513 --- /dev/null +++ b/templates/mod/mime_magic.conf.epp @@ -0,0 +1 @@ +MIMEMagicFile "<%= $_magic_file %>" diff --git a/templates/mod/mime_magic.conf.erb b/templates/mod/mime_magic.conf.erb deleted file mode 100644 index ee69bca4ae..0000000000 --- a/templates/mod/mime_magic.conf.erb +++ /dev/null @@ -1 +0,0 @@ -MIMEMagicFile conf/magic diff --git a/templates/mod/mpm_event.conf.erb b/templates/mod/mpm_event.conf.erb deleted file mode 100644 index eb6f1ff5f5..0000000000 --- a/templates/mod/mpm_event.conf.erb +++ /dev/null @@ -1,9 +0,0 @@ - - StartServers 2 - MinSpareThreads 25 - MaxSpareThreads 75 - ThreadLimit 64 - ThreadsPerChild 25 - MaxClients 150 - MaxRequestsPerChild 0 - diff --git a/templates/mod/negotiation.conf.epp b/templates/mod/negotiation.conf.epp new file mode 100644 index 0000000000..5183e2b8fb --- /dev/null +++ b/templates/mod/negotiation.conf.epp @@ -0,0 +1,12 @@ +<% if String(type($language_priority, 'generalized')).index('Array') == 0 { -%> + <%- $language_priority_updated = $language_priority.join(' ') -%> +<% } else { -%> + <%- $language_priority_updated = $language_priority -%> +<% } -%> +<% if String(type($force_language_priority, 'generalized')).index('Array') == 0 { -%> + <%- $force_language_priority_updated = $force_language_priority.join(' ') -%> +<% } else { -%> + <%- $force_language_priority_updated = $force_language_priority -%> +<% } -%> +LanguagePriority <%= $language_priority_updated %> +ForceLanguagePriority <%= $force_language_priority_updated %> diff --git a/templates/mod/nss.conf.epp b/templates/mod/nss.conf.epp new file mode 100644 index 0000000000..79571820a3 --- /dev/null +++ b/templates/mod/nss.conf.epp @@ -0,0 +1,228 @@ +# +# This is the Apache server configuration file providing SSL support using. +# the mod_nss plugin. It contains the configuration directives to instruct +# the server how to serve pages over an https connection. +# +# Do NOT simply read the instructions in here without understanding +# what they do. They're here only as hints or reminders. If you are unsure +# consult the online docs. You have been warned. +# + +#LoadModule nss_module modules/libmodnss.so + +# +# When we also provide SSL we have to listen to the +# standard HTTP port (see above) and to the HTTPS port +# +# Note: Configurations that use IPv6 but not IPv4-mapped addresses need two +# Listen directives: "Listen [::]:8443" and "Listen 0.0.0.0:443" +# +Listen <%= $port %> + +## +## SSL Global Context +## +## All SSL configuration in this context applies both to +## the main server and all SSL-enabled virtual hosts. +## + +# +# Some MIME-types for downloading Certificates and CRLs +# +AddType application/x-x509-ca-cert .crt +AddType application/x-pkcs7-crl .crl + +# Pass Phrase Dialog: +# Configure the pass phrase gathering process. +# The filtering dialog program (`builtin' is a internal +# terminal dialog) has to provide the pass phrase on stdout. +<% if $passwd_file { -%> +NSSPassPhraseDialog "file:<%= $passwd_file %>" +<% } else { -%> +NSSPassPhraseDialog builtin +<% } -%> + +# Pass Phrase Helper: +# This helper program stores the token password pins between +# restarts of Apache. +NSSPassPhraseHelper /usr/sbin/nss_pcache + +# Configure the SSL Session Cache. +# NSSSessionCacheSize is the number of entries in the cache. +# NSSSessionCacheTimeout is the SSL2 session timeout (in seconds). +# NSSSession3CacheTimeout is the SSL3/TLS session timeout (in seconds). +NSSSessionCacheSize 10000 +NSSSessionCacheTimeout 100 +NSSSession3CacheTimeout 86400 + +# +# Pseudo Random Number Generator (PRNG): +# Configure one or more sources to seed the PRNG of the SSL library. +# The seed data should be of good random quality. +# WARNING! On some platforms /dev/random blocks if not enough entropy +# is available. Those platforms usually also provide a non-blocking +# device, /dev/urandom, which may be used instead. +# +# This does not support seeding the RNG with each connection. + +NSSRandomSeed startup builtin +#NSSRandomSeed startup file:/dev/random 512 +#NSSRandomSeed startup file:/dev/urandom 512 + +# +# TLS Negotiation configuration under RFC 5746 +# +# Only renegotiate if the peer's hello bears the TLS renegotiation_info +# extension. Default off. +NSSRenegotiation off + +# Peer must send Signaling Cipher Suite Value (SCSV) or +# Renegotiation Info (RI) extension in ALL handshakes. Default: off +NSSRequireSafeNegotiation off + +## +## SSL Virtual Host Context +## + +> + +# General setup for the virtual host +#DocumentRoot "/etc/httpd/htdocs" +#ServerName www.example.com:8443 +#ServerAdmin you@example.com + +# mod_nss can log to separate log files, you can choose to do that if you'd like +# LogLevel is not inherited from httpd.conf. +ErrorLog "<%= $error_log %>" +TransferLog "<%= $transfer_log %>" +LogLevel warn + +# SSL Engine Switch: +# Enable/Disable SSL for this virtual host. +NSSEngine on + +# SSL Cipher Suite: +# List the ciphers that the client is permitted to negotiate. +# See the mod_nss documentation for a complete list. + +# SSL 3 ciphers. SSL 2 is disabled by default. +NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha + +# SSL 3 ciphers + ECC ciphers. SSL 2 is disabled by default. +# +# Comment out the NSSCipherSuite line above and use the one below if you have +# ECC enabled NSS and mod_nss and want to use Elliptical Curve Cryptography +#NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,-ecdh_ecdsa_null_sha,+ecdh_ecdsa_rc4_128_sha,+ecdh_ecdsa_3des_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,-ecdhe_ecdsa_null_sha,+ecdhe_ecdsa_rc4_128_sha,+ecdhe_ecdsa_3des_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,-ecdh_rsa_null_sha,+ecdh_rsa_128_sha,+ecdh_rsa_3des_sha,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,-echde_rsa_null,+ecdhe_rsa_rc4_128_sha,+ecdhe_rsa_3des_sha,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha + +# SSL Protocol: +# Cryptographic protocols that provide communication security. +# NSS handles the specified protocols as "ranges", and automatically +# negotiates the use of the strongest protocol for a connection starting +# with the maximum specified protocol and downgrading as necessary to the +# minimum specified protocol that can be used between two processes. +# Since all protocol ranges are completely inclusive, and no protocol in the +# middle of a range may be excluded, the entry "NSSProtocol TLSv1.0,TLSv1.2" +# is identical to the entry "NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2". +NSSProtocol TLSv1.0,TLSv1.1 + +# SSL Certificate Nickname: +# The nickname of the RSA server certificate you are going to use. +NSSNickname Server-Cert + +# SSL Certificate Nickname: +# The nickname of the ECC server certificate you are going to use, if you +# have an ECC-enabled version of NSS and mod_nss +#NSSECCNickname Server-Cert-ecc + +# Server Certificate Database: +# The NSS security database directory that holds the certificates and +# keys. The database consists of 3 files: cert8.db, key3.db and secmod.db. +# Provide the directory that these files exist. +NSSCertificateDatabase "<%= $httpd_dir -%>/alias" + +# Database Prefix: +# In order to be able to store multiple NSS databases in one directory +# they need unique names. This option sets the database prefix used for +# cert8.db and key3.db. +#NSSDBPrefix my-prefix- + +# Client Authentication (Type): +# Client certificate verification type. Types are none, optional and +# require. +#NSSVerifyClient none + +# +# Online Certificate Status Protocol (OCSP). +# Verify that certificates have not been revoked before accepting them. +#NSSOCSP off + +# +# Use a default OCSP responder. If enabled this will be used regardless +# of whether one is included in a client certificate. Note that the +# server certificate is verified during startup. +# +# NSSOCSPDefaultURL defines the service URL of the OCSP responder +# NSSOCSPDefaultName is the nickname of the certificate to trust to +# sign the OCSP responses. +#NSSOCSPDefaultResponder on +#NSSOCSPDefaultURL http://example.com/ocsp/status +#NSSOCSPDefaultName ocsp-nickname + +# Access Control: +# With SSLRequire you can do per-directory access control based +# on arbitrary complex boolean expressions containing server +# variable checks and other lookup directives. The syntax is a +# mixture between C and Perl. See the mod_nss documentation +# for more details. +# +#NSSRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ +# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ +# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ +# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ +# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ +# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ +# + +# SSL Engine Options: +# Set various options for the SSL engine. +# o FakeBasicAuth: +# Translate the client X.509 into a Basic Authorisation. This means that +# the standard Auth/DBMAuth methods can be used for access control. The +# user name is the `one line' version of the client's X.509 certificate. +# Note that no password is obtained from the user. Every entry in the user +# file needs this password: `xxj31ZMTZzkVA'. +# o ExportCertData: +# This exports two additional environment variables: SSL_CLIENT_CERT and +# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the +# server (always existing) and the client (only existing when client +# authentication is used). This can be used to import the certificates +# into CGI scripts. +# o StdEnvVars: +# This exports the standard SSL/TLS related `SSL_*' environment variables. +# Per default this exportation is switched off for performance reasons, +# because the extraction step is an expensive operation and is usually +# useless for serving static content. So one usually enables the +# exportation for CGI and SSI requests only. +# o StrictRequire: +# This denies access when "NSSRequireSSL" or "NSSRequire" applied even +# under a "Satisfy any" situation, i.e. when it applies access is denied +# and no other module can change it. +# o OptRenegotiate: +# This enables optimized SSL connection renegotiation handling when SSL +# directives are used in per-directory context. +#NSSOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire + + NSSOptions +StdEnvVars + + + NSSOptions +StdEnvVars + + +# Per-Server Logging: +# The home of a custom SSL log file. Use this when you want a +# compact non-error SSL logfile on a virtual host basis. +#CustomLog /home/rcrit/redhat/apache/logs/ssl_request_log \ +# "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" + + + diff --git a/templates/mod/pagespeed.conf.epp b/templates/mod/pagespeed.conf.epp new file mode 100644 index 0000000000..840a8eeaab --- /dev/null +++ b/templates/mod/pagespeed.conf.epp @@ -0,0 +1,87 @@ +ModPagespeed on + +ModPagespeedInheritVHostConfig <%= $inherit_vhost_config %> +AddOutputFilterByType MOD_PAGESPEED_OUTPUT_FILTER text/html +<% if $filter_xhtml { -%> +AddOutputFilterByType MOD_PAGESPEED_OUTPUT_FILTER application/xhtml+xml +<% } -%> +ModPagespeedFileCachePath "<%= $cache_path %>" +ModPagespeedLogDir "<%= $log_dir %>" + +<% $memcache_servers.each |$server| { -%> +ModPagespeedMemcachedServers <%= $server %> +<% } -%> + +ModPagespeedRewriteLevel <%= $rewrite_level -%> + +<% $disable_filters.each |$filter| { -%> +ModPagespeedDisableFilters <%= $filter %> +<% } -%> + +<% $enable_filters.each |$filter| { -%> +ModPagespeedEnableFilters <%= $filter %> +<% } -%> + +<% $forbid_filters.each |$filter| { -%> +ModPagespeedForbidFilters <%= $filter %> +<% } -%> + +ModPagespeedRewriteDeadlinePerFlushMs <%= $rewrite_deadline_per_flush_ms %> + +<% if $additional_domains { -%> +ModPagespeedDomain <%= $additional_domains -%> +<% } -%> + +ModPagespeedFileCacheSizeKb <%= $file_cache_size_kb %> +ModPagespeedFileCacheCleanIntervalMs <%= $file_cache_clean_interval_ms %> +ModPagespeedLRUCacheKbPerProcess <%= $lru_cache_per_process %> +ModPagespeedLRUCacheByteLimit <%= $lru_cache_byte_limit %> +ModPagespeedCssFlattenMaxBytes <%= $css_flatten_max_bytes %> +ModPagespeedCssInlineMaxBytes <%= $css_inline_max_bytes %> +ModPagespeedCssImageInlineMaxBytes <%= $css_image_inline_max_bytes %> +ModPagespeedImageInlineMaxBytes <%= $image_inline_max_bytes %> +ModPagespeedJsInlineMaxBytes <%= $js_inline_max_bytes %> +ModPagespeedCssOutlineMinBytes <%= $css_outline_min_bytes %> +ModPagespeedJsOutlineMinBytes <%= $js_outline_min_bytes %> + + +ModPagespeedFileCacheInodeLimit <%= $inode_limit %> +ModPagespeedImageMaxRewritesAtOnce <%= $image_max_rewrites_at_once %> + +ModPagespeedNumRewriteThreads <%= $num_rewrite_threads %> +ModPagespeedNumExpensiveRewriteThreads <%= $num_expensive_rewrite_threads %> + +ModPagespeedStatistics <%= $collect_statistics %> + + + # You may insert other "Allow from" lines to add hosts you want to + # allow to look at generated statistics. Another possibility is + # to comment out the "Order" and "Allow" options from the config + # file, to allow any client that can reach your server to examine + # statistics. This might be appropriate in an experimental setup or + # if the Apache server is protected by a reverse proxy that will + # filter URLs in some fashion. + Require ip 127.0.0.1 ::1 <%= Array($allow_view_stats).join(" ") %> + SetHandler mod_pagespeed_statistics + + +ModPagespeedStatisticsLogging <%= $statistics_logging %> + + Require ip 127.0.0.1 ::1 <%= Array($allow_pagespeed_console).join(" ") %> + SetHandler pagespeed_console + + +ModPagespeedMessageBufferSize <%= $message_buffer_size %> + + + Require ip 127.0.0.1 ::1 <%= Array($allow_pagespeed_message).join(" ") %> + SetHandler mod_pagespeed_message + + +<% if String(type($additional_configuration, 'generalized')).index('Array') == 0 { -%> +<%= $additional_configuration.join("\n") %> +<% } else { -%> +<% $additional_configuration.each |$key, $value| { -%> +<%= $key %> <%= $value %> +<% } -%> +<% } -%> diff --git a/templates/mod/passenger.conf.epp b/templates/mod/passenger.conf.epp new file mode 100644 index 0000000000..3961b3395b --- /dev/null +++ b/templates/mod/passenger.conf.epp @@ -0,0 +1,243 @@ +# The Passenger Apache module configuration file is being +# managed by Puppet and changes will be overwritten. + + <%- if $passenger_allow_encoded_slashes { -%> + PassengerAllowEncodedSlashes <%= $passenger_allow_encoded_slashes %> + <%- } -%> + <%- if $passenger_anonymous_telemetry_proxy { -%> + PassengerAnonymousTelemetryProxy <%= $passenger_anonymous_telemetry_proxy %> + <%- } -%> + <%- if $passenger_admin_panel_url { -%> + PassengerAdminPanelUrl <%= $passenger_admin_panel_url %> + <%- } -%> + <%- if $passenger_admin_panel_auth_type { -%> + PassengerAdminPanelAuthType <%= $passenger_admin_panel_auth_type %> + <%- } -%> + <%- if $passenger_admin_panel_username { -%> + PassengerAdminPanelUsername <%= $passenger_admin_panel_username %> + <%- } -%> + <%- if $passenger_admin_panel_password { -%> + PassengerAdminPanelPassword <%= $passenger_admin_panel_password %> + <%- } -%> + <%- if $passenger_app_env { -%> + PassengerAppEnv <%= $passenger_app_env %> + <%- } -%> + <%- if $passenger_app_group_name { -%> + PassengerAppGroupName <%= $passenger_app_group_name %> + <%- } -%> + <%- if $passenger_app_log_file { -%> + PassengerAppLogFile <%= $passenger_app_log_file %> + <%- } -%> + <%- if $passenger_app_root { -%> + PassengerAppRoot "<%= $passenger_app_root %>" + <%- } -%> + <%- if $passenger_app_type { -%> + PassengerAppType <%= $passenger_app_type %> + <%- } -%> + <%- if $passenger_base_uri { -%> + PassengerBaseURI <%= $passenger_base_uri %> + <%- } -%> + <%- if $passenger_buffer_response { -%> + PassengerBufferResponse <%= $passenger_buffer_response %> + <%- } -%> + <%- if $passenger_buffer_upload { -%> + PassengerBufferUpload <%= $passenger_buffer_upload %> + <%- } -%> + <%- if $passenger_concurrency_model { -%> + PassengerConcurrencyModel <%= $passenger_concurrency_model %> + <%- } -%> + <%- if $passenger_data_buffer_dir { -%> + PassengerDataBufferDir "<%= $passenger_data_buffer_dir %>" + <%- } -%> + <%- if $passenger_debug_log_file { -%> + PassengerDebugLogFile <%= $passenger_debug_log_file %> + <%- } -%> + <%- if $passenger_debugger { -%> + PassengerDebugger <%= $passenger_debugger %> + <%- } -%> + <%- if $passenger_default_group { -%> + PassengerDefaultGroup <%= $passenger_default_group %> + <%- } -%> + <%- if $passenger_default_ruby { -%> + PassengerDefaultRuby "<%= $passenger_default_ruby %>" + <%- } -%> + <%- if $passenger_default_user { -%> + PassengerDefaultUser <%= $passenger_default_user %> + <%- } -%> + <%- if $passenger_disable_anonymous_telemetry != undef { -%> + PassengerDisableAnonymousTelemetry <%= apache::bool2httpd($passenger_disable_anonymous_telemetry) %> + <%- } -%> + <%- if $passenger_disable_log_prefix != undef { -%> + PassengerDisableLogPrefix <%= apache::bool2httpd($passenger_disable_log_prefix) %> + <%- } -%> + <%- if $passenger_disable_security_update_check { -%> + PassengerDisableSecurityUpdateCheck <%= $passenger_disable_security_update_check %> + <%- } -%> + <%- if $passenger_dump_config_manifest { -%> + PassengerDumpConfigManifest <%= $passenger_dump_config_manifest %> + <%- } -%> + <%- if $passenger_enabled { -%> + PassengerEnabled <%= $passenger_enabled %> + <%- } -%> + <%- if $passenger_error_override { -%> + PassengerErrorOverride <%= $passenger_error_override %> + <%- } -%> + <%- if $passenger_file_descriptor_log_file { -%> + PassengerFileDescriptorLogFile "<%= $passenger_file_descriptor_log_file %>" + <%- } -%> + <%- if $passenger_fly_with { -%> + PassengerFlyWith "<%= $passenger_fly_with %>" + <%- } -%> + <%- if $passenger_force_max_concurrent_requests_per_process { -%> + PassengerForceMaxConcurrentRequestsPerProcess <%= $passenger_force_max_concurrent_requests_per_process %> + <%- } -%> + <%- if $passenger_friendly_error_pages { -%> + PassengerFriendlyErrorPages <%= $passenger_friendly_error_pages %> + <%- } -%> + <%- if $passenger_group { -%> + PassengerGroup <%= $passenger_group %> + <%- } -%> + <%- if $passenger_high_performance { -%> + PassengerHighPerformance <%= $passenger_high_performance %> + <%- } -%> + <%- if $passenger_instance_registry_dir { -%> + PassengerInstanceRegistryDir "<%= $passenger_instance_registry_dir %>" + <%- } -%> + <%- if $passenger_load_shell_envvars { -%> + PassengerLoadShellEnvvars <%= $passenger_load_shell_envvars %> + <%- } -%> + <%- if $passenger_preload_bundler != undef { -%> + PassengerPreloadBundler <%= apache::bool2httpd($passenger_preload_bundler) %> + <%- } -%> + <%- if $passenger_log_file { -%> + PassengerLogFile "<%= $passenger_log_file %>" + <%- } -%> + <%- if $passenger_log_level { -%> + PassengerLogLevel <%= $passenger_log_level %> + <%- } -%> + <%- if $passenger_lve_min_uid { -%> + PassengerLveMinUid <%= $passenger_lve_min_uid %> + <%- } -%> + <%- if $passenger_max_instances { -%> + PassengerMaxInstances <%= $passenger_max_instances %> + <%- } -%> + <%- if $passenger_max_instances_per_app { -%> + PassengerMaxInstancesPerApp <%= $passenger_max_instances_per_app %> + <%- } -%> + <%- if $passenger_max_pool_size { -%> + PassengerMaxPoolSize <%= $passenger_max_pool_size %> + <%- } -%> + <%- if $passenger_max_preloader_idle_time { -%> + PassengerMaxPreloaderIdleTime <%= $passenger_max_preloader_idle_time %> + <%- } -%> + <%- if $passenger_max_request_queue_size { -%> + PassengerMaxRequestQueueSize <%= $passenger_max_request_queue_size %> + <%- } -%> + <%- if $passenger_max_request_time { -%> + PassengerMaxRequestTime <%= $passenger_max_request_time %> + <%- } -%> + <%- if $passenger_max_request_queue_time { -%> + PassengerMaxRequestQueueTime <%= $passenger_max_request_queue_time %> + <%- } -%> + <%- if $passenger_max_requests { -%> + PassengerMaxRequests <%= $passenger_max_requests %> + <%- } -%> + <%- if $passenger_memory_limit { -%> + PassengerMemoryLimit <%= $passenger_memory_limit %> + <%- } -%> + <%- if $passenger_meteor_app_settings { -%> + PassengerMeteorAppSettings "<%= $passenger_meteor_app_settings %>" + <%- } -%> + <%- if $passenger_min_instances { -%> + PassengerMinInstances <%= $passenger_min_instances %> + <%- } -%> + <%- if $passenger_nodejs { -%> + PassengerNodejs "<%= $passenger_nodejs %>" + <%- } -%> + <%- if $passenger_pool_idle_time { -%> + PassengerPoolIdleTime <%= $passenger_pool_idle_time %> + <%- } -%> + <%- if $passenger_pre_start { -%> + <%- [$passenger_pre_start].flatten.filter |$item| { $item != undef }.each |$passenger_pre_start| { -%> + PassengerPreStart <%= $passenger_pre_start %> + <%- } -%> + <%- } -%> + <%- if $passenger_python { -%> + PassengerPython "<%= $passenger_python %>" + <%- } -%> + <%- if $passenger_resist_deployment_errors { -%> + PassengerResistDeploymentErrors <%= $passenger_resist_deployment_errors %> + <%- } -%> + <%- if $passenger_resolve_symlinks_in_document_root { -%> + PassengerResolveSymlinksInDocumentRoot <%= $passenger_resolve_symlinks_in_document_root %> + <%- } -%> + <%- if $passenger_response_buffer_high_watermark { -%> + PassengerResponseBufferHighWatermark <%= $passenger_response_buffer_high_watermark %> + <%- } -%> + <%- if $passenger_restart_dir { -%> + PassengerRestartDir "<%= $passenger_restart_dir %>" + <%- } -%> + <%- if $passenger_rolling_restarts { -%> + PassengerRollingRestarts <%= $passenger_rolling_restarts %> + <%- } -%> + <%- if $passenger_root { -%> + PassengerRoot "<%= $passenger_root %>" + <%- } -%> + <%- if $passenger_ruby { -%> + PassengerRuby "<%= $passenger_ruby %>" + <%- } -%> + <%- if $passenger_security_update_check_proxy { -%> + PassengerSecurityUpdateCheckProxy <%= $passenger_security_update_check_proxy %> + <%- } -%> + <%- if $passenger_show_version_in_header { -%> + PassengerShowVersionInHeader <%= $passenger_show_version_in_header %> + <%- } -%> + <%- if $passenger_socket_backlog { -%> + PassengerSocketBacklog <%= $passenger_socket_backlog %> + <%- } -%> + <%- if $passenger_spawn_dir { -%> + PassengerSpawnDir "<%= $passenger_spawn_dir %>" + <%- } -%> + <%- if $passenger_spawn_method { -%> + PassengerSpawnMethod <%= $passenger_spawn_method %> + <%- } -%> + <%- if $passenger_start_timeout { -%> + PassengerStartTimeout <%= $passenger_start_timeout %> + <%- } -%> + <%- if $passenger_startup_file { -%> + PassengerStartupFile "<%= $passenger_startup_file %>" + <%- } -%> + <%- if $passenger_stat_throttle_rate { -%> + PassengerStatThrottleRate <%= $passenger_stat_throttle_rate %> + <%- } -%> + <%- if $passenger_sticky_sessions { -%> + PassengerStickySessions <%= $passenger_sticky_sessions %> + <%- } -%> + <%- if $passenger_sticky_sessions_cookie_name { -%> + PassengerStickySessionsCookieName <%= $passenger_sticky_sessions_cookie_name %> + <%- } -%> + <%- if $passenger_sticky_sessions_cookie_attributes { -%> + PassengerStickySessionsCookieAttributes "<%= $passenger_sticky_sessions_cookie_attributes %>" + <%- } -%> + <%- if $passenger_thread_count { -%> + PassengerThreadCount <%= $passenger_thread_count %> + <%- } -%> + <%- if $passenger_use_global_queue { -%> + PassengerUseGlobalQueue <%= $passenger_use_global_queue %> + <%- } -%> + <%- if $passenger_user { -%> + PassengerUser <%= $passenger_user %> + <%- } -%> + <%- if $passenger_user_switching { -%> + PassengerUserSwitching <%= $passenger_user_switching %> + <%- } -%> + <%- if $rack_env { -%> + RackEnv <%= $rack_env %> + <%- } -%> + <%- if $rails_env { -%> + RailsEnv <%= $rails_env %> + <%- } -%> + <%- if $rails_framework_spawner_idle_time { -%> + RailsFrameworkSpawnerIdleTime <%= $rails_framework_spawner_idle_time %> + <%- } -%> + diff --git a/templates/mod/passenger.conf.erb b/templates/mod/passenger.conf.erb deleted file mode 100644 index a2014cebb8..0000000000 --- a/templates/mod/passenger.conf.erb +++ /dev/null @@ -1,30 +0,0 @@ -# The Passanger Apache module configuration file is being -# managed by Puppet and changes will be overwritten. - - PassengerRoot <%= @passenger_root %> - PassengerRuby <%= @passenger_ruby %> - <%- if @passenger_high_performance -%> - PassengerHighPerformance <%= @passenger_high_performance %> - <%- end -%> - <%- if @passenger_max_pool_size -%> - PassengerMaxPoolSize <%= @passenger_max_pool_size %> - <%- end -%> - <%- if @passenger_pool_idle_time -%> - PassengerPoolIdleTime <%= @passenger_pool_idle_time %> - <%- end -%> - <%- if @passenger_max_requests -%> - PassengerMaxRequests <%= @passenger_max_requests %> - <%- end -%> - <%- if @passenger_stat_throttle_rate -%> - PassengerStatThrottleRate <%= @passenger_stat_throttle_rate %> - <%- end -%> - <%- if @rack_autodetect -%> - RackAutoDetect <%= @rack_autodetect %> - <%- end -%> - <%- if @rails_autodetect -%> - RailsAutoDetect <%= @rails_autodetect %> - <%- end -%> - <%- if @passenger_use_global_queue -%> - PassengerUseGlobalQueue <%= @passenger_use_global_queue %> - <%- end -%> - diff --git a/templates/mod/peruser.conf.epp b/templates/mod/peruser.conf.epp new file mode 100644 index 0000000000..282dcf99c0 --- /dev/null +++ b/templates/mod/peruser.conf.epp @@ -0,0 +1,12 @@ + + MinSpareProcessors <%= $minspareprocessors %> + MinProcessors <%= $minprocessors %> + MaxProcessors <%= $maxprocessors %> + MaxClients <%= $maxclients %> + MaxRequestsPerChild <%= $maxrequestsperchild %> + IdleTimeout <%= $idletimeout %> + ExpireTimeout <%= $expiretimeout %> + KeepAlive <%= $keepalive %> + Include "<%= $mod_dir %>/peruser/multiplexers/*.conf" + Include "<%= $mod_dir %>/peruser/processors/*.conf" + diff --git a/templates/mod/php5.conf.erb b/templates/mod/php.conf.erb similarity index 59% rename from templates/mod/php5.conf.erb rename to templates/mod/php.conf.erb index 9eef7628a8..9e684fe6d0 100644 --- a/templates/mod/php5.conf.erb +++ b/templates/mod/php.conf.erb @@ -2,20 +2,13 @@ # PHP is an HTML-embedded scripting language which attempts to make it # easy for developers to write dynamically generated webpages. # -# -# LoadModule php5_module modules/libphp5.so -# -# -# # Use of the "ZTS" build with worker is experimental, and no shared -# # modules are supported. -# LoadModule php5_module modules/libphp5-zts.so -# # # Cause the PHP interpreter to handle files with a .php extension. # -AddHandler php5-script .php -AddType text/html .php +)$"> + SetHandler application/x-httpd-php + # # Add index.php to the list of files that will be served as directory diff --git a/templates/mod/prefork.conf.epp b/templates/mod/prefork.conf.epp new file mode 100644 index 0000000000..6eb23ff508 --- /dev/null +++ b/templates/mod/prefork.conf.epp @@ -0,0 +1,17 @@ + + StartServers <%= $startservers %> + MinSpareServers <%= $minspareservers %> + MaxSpareServers <%= $maxspareservers %> + ServerLimit <%= $serverlimit %> + <%- if $maxrequestworkers { -%> + MaxRequestWorkers <%= $maxrequestworkers %> + <%- }elsif $maxclients { -%> + MaxClients <%= $maxclients %> + <%- } -%> + <%- if $maxconnectionsperchild { -%> + MaxConnectionsPerChild <%= $maxconnectionsperchild %> + <%- }elsif $maxrequestsperchild { -%> + MaxRequestsPerChild <%= $maxrequestsperchild %> + <%- } -%> + ListenBacklog <%= $listenbacklog %> + diff --git a/templates/mod/prefork.conf.erb b/templates/mod/prefork.conf.erb deleted file mode 100644 index aabfdf7b22..0000000000 --- a/templates/mod/prefork.conf.erb +++ /dev/null @@ -1,8 +0,0 @@ - - StartServers <%= @startservers %> - MinSpareServers <%= @minspareservers %> - MaxSpareServers <%= @maxspareservers %> - ServerLimit <%= @serverlimit %> - MaxClients <%= @maxclients %> - MaxRequestsPerChild <%= @maxrequestsperchild %> - diff --git a/templates/mod/proxy.conf.epp b/templates/mod/proxy.conf.epp new file mode 100644 index 0000000000..b9aca2e969 --- /dev/null +++ b/templates/mod/proxy.conf.epp @@ -0,0 +1,32 @@ +# +# Proxy Server directives. Uncomment the following lines to +# enable the proxy server: +# + + # Do not enable proxying with ProxyRequests until you have secured your + # server. Open proxy servers are dangerous both to your network and to the + # Internet at large. + ProxyRequests <%= $proxy_requests %> + + <% if $proxy_requests != 'Off' or ( $allow_from and ! $allow_from.empty ) { -%> + + <%- if String(type($allow_from, 'generalized')).index('Array') == 0 { -%> + Require ip <%= $allow_from.join(" ") %> + <%- } else { -%> + Require ip <%= $allow_from %> + <%- } -%> + + <% } -%> + + # Enable/disable the handling of HTTP/1.1 "Via:" headers. + # ("Full" adds the server version; "Block" removes all outgoing Via: headers) + # Set to one of: Off | On | Full | Block + ProxyVia <%= $proxy_via %> + + <%- if $proxy_timeout { -%> + ProxyTimeout <%= $proxy_timeout %> + <%- } -%> + <%- if $proxy_iobuffersize { -%> + ProxyIOBufferSize <%= $proxy_iobuffersize %> + <%- } -%> + diff --git a/templates/mod/proxy.conf.erb b/templates/mod/proxy.conf.erb deleted file mode 100644 index 1f4a4129c8..0000000000 --- a/templates/mod/proxy.conf.erb +++ /dev/null @@ -1,23 +0,0 @@ -# -# Proxy Server directives. Uncomment the following lines to -# enable the proxy server: -# - - # Do not enable proxying with ProxyRequests until you have secured your - # server. Open proxy servers are dangerous both to your network and to the - # Internet at large. - ProxyRequests <%= @proxy_requests %> - - <% if @proxy_requests != 'Off' or ( @allow_from and ! @allow_from.empty? ) -%> - - Order deny,allow - Deny from all - Allow from <%= Array(@allow_from).join(" ") %> - - <% end -%> - - # Enable/disable the handling of HTTP/1.1 "Via:" headers. - # ("Full" adds the server version; "Block" removes all outgoing Via: headers) - # Set to one of: Off | On | Full | Block - ProxyVia On - diff --git a/templates/mod/proxy_balancer.conf.epp b/templates/mod/proxy_balancer.conf.epp new file mode 100644 index 0000000000..116e11ac5a --- /dev/null +++ b/templates/mod/proxy_balancer.conf.epp @@ -0,0 +1,4 @@ +> + SetHandler balancer-manager + Require ip <%= $allow_from.join(" ") %> + diff --git a/templates/mod/proxy_html.conf.erb b/templates/mod/proxy_html.conf.epp similarity index 77% rename from templates/mod/proxy_html.conf.erb rename to templates/mod/proxy_html.conf.epp index 7f5898ef74..3cb8eca625 100644 --- a/templates/mod/proxy_html.conf.erb +++ b/templates/mod/proxy_html.conf.epp @@ -1,9 +1,3 @@ -<% if @proxy_html_loadfiles -%> -<% Array(@proxy_html_loadfiles).each do |loadfile| -%> -LoadFile <%= loadfile %> -<% end -%> - -<% end -%> ProxyHTMLLinks a href ProxyHTMLLinks area href ProxyHTMLLinks link href @@ -15,8 +9,10 @@ ProxyHTMLLinks ins cite ProxyHTMLLinks del cite ProxyHTMLLinks form action ProxyHTMLLinks input src usemap -ProxyHTMLLinks head profileProxyHTMLLinks base href +ProxyHTMLLinks head profile +ProxyHTMLLinks base href ProxyHTMLLinks script src for +ProxyHTMLLinks meta content ProxyHTMLEvents onclick ondblclick onmousedown onmouseup \ onmouseover onmousemove onmouseout onkeypress \ diff --git a/templates/mod/remoteip.conf.epp b/templates/mod/remoteip.conf.epp new file mode 100644 index 0000000000..439de12f68 --- /dev/null +++ b/templates/mod/remoteip.conf.epp @@ -0,0 +1,51 @@ +<%- | + String $header, + Optional[Array[Stdlib::Host]] $internal_proxy = undef, + Optional[Stdlib::Absolutepath] $internal_proxy_list = undef, + Optional[String] $proxies_header = undef, + Boolean $proxy_protocol = undef, + Optional[Array[Stdlib::Host]] $proxy_protocol_exceptions = undef, + Optional[Array[Stdlib::IP::Address]] $trusted_proxy = undef, + Optional[Stdlib::Absolutepath] $trusted_proxy_list = undef, +| -%> +# Declare the header field which should be parsed for useragent IP addresses +RemoteIPHeader <%= $header %> + +<%- if $internal_proxy { -%> +# Declare client intranet IP addresses trusted to present +# the RemoteIPHeader value +<%- $internal_proxy.each |$proxy| { -%> +RemoteIPInternalProxy <%= $proxy %> +<%- } -%> +<%- } -%> + +<%- if $internal_proxy_list { -%> +RemoteIPInternalProxyList <%= $internal_proxy_list %> +<%- } -%> + +<%- if $proxies_header { -%> +# Declare the header field which will record all intermediate IP addresses +RemoteIPProxiesHeader <%= $proxies_header %> +<%- } -%> + +<%- if $proxy_protocol { -%> +RemoteIPProxyProtocol On +<%- } -%> + +<%- if $proxy_protocol_exceptions { -%> +<%- $proxy_protocol_exceptions.each |$exception| { -%> +RemoteIPProxyProtocolExceptions <%= $exception %> +<%- } -%> +<%- } -%> + +<%- if $trusted_proxy { -%> +# Declare client intranet IP addresses trusted to present +# the RemoteIPHeader value + <%- $trusted_proxy.each |$proxy| { -%> +RemoteIPTrustedProxy <%= $proxy %> + <%- } -%> +<%- } -%> + +<%- if $trusted_proxy_list { -%> +RemoteIPTrustedProxyList <%= $trusted_proxy_list %> +<%- } -%> diff --git a/templates/mod/reqtimeout.conf.epp b/templates/mod/reqtimeout.conf.epp new file mode 100644 index 0000000000..a62b4b69ad --- /dev/null +++ b/templates/mod/reqtimeout.conf.epp @@ -0,0 +1,8 @@ +<% if type($timeouts, 'generalized') == String { -%> +RequestReadTimeout <%= $timeouts -%> +<% } else { -%> + <%- $timeouts.each |$timeout| { -%> +RequestReadTimeout <%= $timeout %> + <%- } -%> +<% } -%> + diff --git a/templates/mod/reqtimeout.conf.erb b/templates/mod/reqtimeout.conf.erb deleted file mode 100644 index 9a18800da5..0000000000 --- a/templates/mod/reqtimeout.conf.erb +++ /dev/null @@ -1,2 +0,0 @@ -RequestReadTimeout header=20-40,minrate=500 -RequestReadTimeout body=10,minrate=500 diff --git a/templates/mod/rpaf.conf.epp b/templates/mod/rpaf.conf.epp new file mode 100644 index 0000000000..2db9bbee0d --- /dev/null +++ b/templates/mod/rpaf.conf.epp @@ -0,0 +1,11 @@ +# Enable reverse proxy add forward +RPAFenable On +# RPAFsethostname will, when enabled, take the incoming X-Host header and +# update the virtual host settings accordingly. This allows to have the same +# hostnames as in the "real" configuration for the forwarding proxy. +RPAFsethostname <%= apache::bool2httpd($sethostname) %> +# Which IPs are forwarding requests to us +RPAFproxy_ips <%= Array($proxy_ips).join(" ") %> +# Setting RPAFheader allows you to change the header name to parse from the +# default X-Forwarded-For to something of your choice. +RPAFheader <%= $header %> diff --git a/templates/mod/security.conf.epp b/templates/mod/security.conf.epp new file mode 100644 index 0000000000..059c763557 --- /dev/null +++ b/templates/mod/security.conf.epp @@ -0,0 +1,84 @@ + + # Default recommended configuration + SecRuleEngine <%= $modsec_secruleengine %> + SecRequestBodyAccess <%= $secrequestbodyaccess %> + <%- if $custom_rules { -%> + Include <%= $modsec_dir %>/custom_rules/*.conf + <%- } -%> + SecRule REQUEST_HEADERS:Content-Type "text/xml" \ + "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML" + SecRequestBodyLimit <%= $secrequestbodylimit %> + SecRequestBodyNoFilesLimit <%= $secrequestbodynofileslimit %> + SecRequestBodyInMemoryLimit <%= $secrequestbodyinmemorylimit %> + SecRequestBodyLimitAction <%= $secrequestbodylimitaction %> + SecRule REQBODY_ERROR "!@eq 0" \ + "id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2" + SecRule MULTIPART_STRICT_ERROR "!@eq 0" \ + "id:'200002',phase:2,t:none,log,deny,status:44,msg:'Multipart request body failed strict validation: \ + PE %{REQBODY_PROCESSOR_ERROR}, \ + BQ %{MULTIPART_BOUNDARY_QUOTED}, \ + BW %{MULTIPART_BOUNDARY_WHITESPACE}, \ + DB %{MULTIPART_DATA_BEFORE}, \ + DA %{MULTIPART_DATA_AFTER}, \ + HF %{MULTIPART_HEADER_FOLDING}, \ + LF %{MULTIPART_LF_LINE}, \ + SM %{MULTIPART_MISSING_SEMICOLON}, \ + IQ %{MULTIPART_INVALID_QUOTING}, \ + IP %{MULTIPART_INVALID_PART}, \ + IH %{MULTIPART_INVALID_HEADER_FOLDING}, \ + FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'" + + SecRule &REQUEST_HEADERS:Proxy "@gt 0" "id:1000005,log,deny,msg:'httpoxy denied'" + + + SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \ + "id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'" + + SecPcreMatchLimit <%= $secpcrematchlimit %> + SecPcreMatchLimitRecursion <%= $secpcrematchlimitrecursion %> + + SecRule TX:/^MSC_/ "!@streq 0" \ + "id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'" + + SecResponseBodyAccess <%= $secresponsebodyaccess %> + SecResponseBodyMimeType text/plain text/html text/xml + SecResponseBodyLimit 524288 + SecResponseBodyLimitAction <%= $secresponsebodylimitaction %> + SecDebugLogLevel <%= $debug_log_level %> + SecAuditEngine RelevantOnly + SecAuditLogRelevantStatus "<%= $audit_log_relevant_status %>" + SecAuditLogParts <%= $audit_log_parts %> + SecAuditLogType <%= $audit_log_type %> + <%- if $audit_log_format == 'JSON' { -%> + SecAuditLogFormat JSON + <%- } -%> + <%- if $audit_log_storage_dir { -%> + SecAuditLogStorageDir <%= $audit_log_storage_dir %> + <%- } -%> + SecArgumentSeparator & + SecCookieFormat 0 +<%- if $facts['os']['family'] == 'Debian' { -%> + SecDebugLog <%= $logroot %>/modsec_debug.log + SecAuditLog <%= $logroot %>/modsec_audit.log + SecTmpDir /var/cache/modsecurity + SecDataDir /var/cache/modsecurity + SecUploadDir /var/cache/modsecurity +<%- }elsif $facts['os']['family'] == 'Suse' { -%> + SecDebugLog /var/log/apache2/modsec_debug.log + SecAuditLog /var/log/apache2/modsec_audit.log + SecTmpDir /var/lib/mod_security + SecDataDir /var/lib/mod_security + SecUploadDir /var/lib/mod_security +<% } else { -%> + SecDebugLog <%= $logroot %>/modsec_debug.log + SecAuditLog <%= $logroot %>/modsec_audit.log + SecTmpDir /var/lib/mod_security + SecDataDir /var/lib/mod_security + SecUploadDir /var/lib/mod_security +<% } -%> + SecUploadKeepFiles Off + + # ModSecurity Core Rules Set configuration + IncludeOptional <%= $modsec_dir %>/*.conf + IncludeOptional <%= $modsec_dir %>/activated_rules/*.conf + diff --git a/templates/mod/security_crs.conf.epp b/templates/mod/security_crs.conf.epp new file mode 100644 index 0000000000..653fca6466 --- /dev/null +++ b/templates/mod/security_crs.conf.epp @@ -0,0 +1,1271 @@ +<% if $facts['os']['family'] == 'RedHat' and $facts['os']['release']['major'].convert_to(Integer) <= 7 { -%> +# --------------------------------------------------------------- +# Core ModSecurity Rule Set ver.2.2.9 +# Copyright (C) 2006-2012 Trustwave All rights reserved. +# +# The OWASP ModSecurity Core Rule Set is distributed under +# Apache Software License (ASL) version 2 +# Please see the enclosed LICENCE file for full details. +# --------------------------------------------------------------- + + +# +# -- [[ Recommended Base Configuration ]] ------------------------------------------------- +# +# The configuration directives/settings in this file are used to control +# the OWASP ModSecurity CRS. These settings do **NOT** configure the main +# ModSecurity settings such as: +# +# - SecRuleEngine +# - SecRequestBodyAccess +# - SecAuditEngine +# - SecDebugLog +# +# You should use the modsecurity.conf-recommended file that comes with the +# ModSecurity source code archive. +# +# Ref: https://github.com/SpiderLabs/ModSecurity/blob/master/modsecurity.conf-recommended +# + + +# +# -- [[ Rule Version ]] ------------------------------------------------------------------- +# +# Rule version data is added to the "Producer" line of Section H of the Audit log: +# +# - Producer: ModSecurity for Apache/2.7.0-rc1 (http://www.modsecurity.org/); OWASP_CRS/2.2.4. +# +# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecComponentSignature +# +SecComponentSignature "OWASP_CRS/2.2.9" + + +# +# -- [[ Modes of Operation: Self-Contained vs. Collaborative Detection ]] ----------------- +# +# Each detection rule uses the "block" action which will inherit the SecDefaultAction +# specified below. Your settings here will determine which mode of operation you use. +# +# -- [[ Self-Contained Mode ]] -- +# Rules inherit the "deny" disruptive action. The first rule that matches will block. +# +# -- [[ Collaborative Detection Mode ]] -- +# This is a "delayed blocking" mode of operation where each matching rule will inherit +# the "pass" action and will only contribute to anomaly scores. Transactional blocking +# can be applied +# +# -- [[ Alert Logging Control ]] -- +# You have three options - +# +# - To log to both the Apache error_log and ModSecurity audit_log file use: "log" +# - To log *only* to the ModSecurity audit_log file use: "nolog,auditlog" +# - To log *only* to the Apache error_log file use: "log,noauditlog" +# +# Ref: http://blog.spiderlabs.com/2010/11/advanced-topic-of-the-week-traditional-vs-anomaly-scoring-detection-modes.html +# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecDefaultAction +# +SecDefaultAction "phase:1,<%= $_secdefaultaction -%>" +SecDefaultAction "phase:2,<%= $_secdefaultaction -%>" + +# +# -- [[ Collaborative Detection Severity Levels ]] ---------------------------------------- +# +# These are the default scoring points for each severity level. You may +# adjust these to you liking. These settings will be used in macro expansion +# in the rules to increment the anomaly scores when rules match. +# +# These are the default Severity ratings (with anomaly scores) of the individual rules - +# +# - 2: Critical - Anomaly Score of 5. +# Is the highest severity level possible without correlation. It is +# normally generated by the web attack rules (40 level files). +# - 3: Error - Anomaly Score of 4. +# Is generated mostly from outbound leakage rules (50 level files). +# - 4: Warning - Anomaly Score of 3. +# Is generated by malicious client rules (35 level files). +# - 5: Notice - Anomaly Score of 2. +# Is generated by the Protocol policy and anomaly files. +# +SecAction \ + "id:'900001', \ + phase:1, \ + t:none, \ + setvar:tx.critical_anomaly_score=<%= $critical_anomaly_score -%>, \ + setvar:tx.error_anomaly_score=<%= $error_anomaly_score -%>, \ + setvar:tx.warning_anomaly_score=<%= $warning_anomaly_score -%>, \ + setvar:tx.notice_anomaly_score=<%= $notice_anomaly_score -%>, \ + nolog, \ + pass" + + +# +# -- [[ Collaborative Detection Scoring Initialization and Threshold Levels ]] ------------------------------ +# +# These variables are used in macro expansion in the 49 inbound blocking and 59 +# outbound blocking files. +# +# **MUST HAVE** ModSecurity v2.5.12 or higher to use macro expansion in numeric +# operators. If you have an earlier version, edit the 49/59 files directly to +# set the appropriate anomaly score levels. +# +# You should set the score level (rule 900003) to the proper threshold you +# would prefer. If set to "5" it will work similarly to previous Mod CRS rules +# and will create an event in the error_log file if there are any rules that +# match. If you would like to lessen the number of events generated in the +# error_log file, you should increase the anomaly score threshold to something +# like "20". This would only generate an event in the error_log file if there +# are multiple lower severity rule matches or if any 1 higher severity item matches. +# +SecAction \ + "id:'900002', \ + phase:1, \ + t:none, \ + setvar:tx.anomaly_score=0, \ + setvar:tx.sql_injection_score=0, \ + setvar:tx.xss_score=0, \ + setvar:tx.inbound_anomaly_score=0, \ + setvar:tx.outbound_anomaly_score=0, \ + nolog, \ + pass" + + +SecAction \ + "id:'900003', \ + phase:1, \ + t:none, \ + setvar:tx.inbound_anomaly_score_level=<%= $inbound_anomaly_threshold -%>, \ + setvar:tx.outbound_anomaly_score_level=<%= $outbound_anomaly_threshold -%>, \ + nolog, \ + pass" + + +# +# -- [[ Collaborative Detection Blocking ]] ----------------------------------------------- +# +# This is a collaborative detection mode where each rule will increment an overall +# anomaly score for the transaction. The scores are then evaluated in the following files: +# +# Inbound anomaly score - checked in the modsecurity_crs_49_inbound_blocking.conf file +# Outbound anomaly score - checked in the modsecurity_crs_59_outbound_blocking.conf file +# +# If you want to use anomaly scoring mode, then uncomment this line. +# +SecAction \ + "id:'900004', \ + phase:1, \ + t:none, \ + setvar:tx.anomaly_score_blocking=<%= $anomaly_score_blocking -%>, \ + nolog, \ + pass" + + +# +# -- [[ GeoIP Database ]] ----------------------------------------------------------------- +# +# There are some rulesets that need to inspect the GEO data of the REMOTE_ADDR data. +# +# You must first download the MaxMind GeoIP Lite City DB - +# +# http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz +# +# You then need to define the proper path for the SecGeoLookupDb directive +# +# Ref: http://blog.spiderlabs.com/2010/10/detecting-malice-with-modsecurity-geolocation-data.html +# Ref: http://blog.spiderlabs.com/2010/11/detecting-malice-with-modsecurity-ip-forensics.html +# +#SecGeoLookupDb /opt/modsecurity/lib/GeoLiteCity.dat + +# +# -- [[ Regression Testing Mode ]] -------------------------------------------------------- +# +# If you are going to run the regression testing mode, you should uncomment the +# following rule. It will enable DetectionOnly mode for the SecRuleEngine and +# will enable Response Header tagging so that the client testing script can see +# which rule IDs have matched. +# +# You must specify the your source IP address where you will be running the tests +# from. +# +#SecRule REMOTE_ADDR "@ipMatch 192.168.1.100" \ + "id:'900005', \ + phase:1, \ + t:none, \ + ctl:ruleEngine=DetectionOnly, \ + setvar:tx.regression_testing=1, \ + nolog, \ + pass" + + +# +# -- [[ HTTP Policy Settings ]] ---------------------------------------------------------- +# +# Set the following policy settings here and they will be propagated to the 23 rules +# file (modsecurity_common_23_request_limits.conf) by using macro expansion. +# If you run into false positives, you can adjust the settings here. +# +# Only the max number of args is uncommented by default as there are a high rate +# of false positives. Uncomment the items you wish to set. +# +# +# -- Maximum number of arguments in request limited +SecAction \ + "id:'900006', \ + phase:1, \ + t:none, \ + setvar:tx.max_num_args=<%= $secrequestmaxnumargs %>, \ + nolog, \ + pass" + +# +# -- Limit argument name length +#SecAction \ + "id:'900007', \ + phase:1, \ + t:none, \ + setvar:tx.arg_name_length=100, \ + nolog, \ + pass" + +# +# -- Limit value name length +#SecAction \ + "id:'900008', \ + phase:1, \ + t:none, \ + setvar:tx.arg_length=400, \ + nolog, \ + pass" + +# +# -- Limit arguments total length +#SecAction \ + "id:'900009', \ + phase:1, \ + t:none, \ + setvar:tx.total_arg_length=64000, \ + nolog, \ + pass" + +# +# -- Individual file size is limited +#SecAction \ + "id:'900010', \ + phase:1, \ + t:none, \ + setvar:tx.max_file_size=1048576, \ + nolog, \ + pass" + +# +# -- Combined file size is limited +#SecAction \ + "id:'900011', \ + phase:1, \ + t:none, \ + setvar:tx.combined_file_sizes=1048576, \ + nolog, \ + pass" + + +# +# Set the following policy settings here and they will be propagated to the 30 rules +# file (modsecurity_crs_30_http_policy.conf) by using macro expansion. +# If you run into false positves, you can adjust the settings here. +# +SecAction \ + "id:'900012', \ + phase:1, \ + t:none, \ + setvar:'tx.allowed_methods=<%= $allowed_methods -%>', \ + setvar:'tx.allowed_request_content_type=<%= $content_types -%>', \ + setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1', \ + setvar:'tx.restricted_extensions=<%= $restricted_extensions -%>', \ + setvar:'tx.restricted_headers=<%= $restricted_headers -%>', \ + nolog, \ + pass" + + +# +# -- [[ Content Security Policy (CSP) Settings ]] ----------------------------------------- +# +# The purpose of these settings is to send CSP response headers to +# Mozilla FireFox users so that you can enforce how dynamic content +# is used. CSP usage helps to prevent XSS attacks against your users. +# +# Reference Link: +# +# https://developer.mozilla.org/en/Security/CSP +# +# Uncomment this SecAction line if you want use CSP enforcement. +# You need to set the appropriate directives and settings for your site/domain and +# and activate the CSP file in the experimental_rules directory. +# +# Ref: http://blog.spiderlabs.com/2011/04/modsecurity-advanced-topic-of-the-week-integrating-content-security-policy-csp.html +# +#SecAction \ + "id:'900013', \ + phase:1, \ + t:none, \ + setvar:tx.csp_report_only=1, \ + setvar:tx.csp_report_uri=/csp_violation_report, \ + setenv:'csp_policy=allow \'self\'; img-src *.yoursite.com; media-src *.yoursite.com; style-src *.yoursite.com; frame-ancestors *.yoursite.com; script-src *.yoursite.com; report-uri %{tx.csp_report_uri}', \ + nolog, \ + pass" + + +# +# -- [[ Brute Force Protection ]] --------------------------------------------------------- +# +# If you are using the Brute Force Protection rule set, then uncomment the following +# lines and set the following variables: +# - Protected URLs: resources to protect (e.g. login pages) - set to your login page +# - Burst Time Slice Interval: time interval window to monitor for bursts +# - Request Threshold: request # threshold to trigger a burst +# - Block Period: temporary block timeout +# +#SecAction \ + "id:'900014', \ + phase:1, \ + t:none, \ + setvar:'tx.brute_force_protected_urls=#/login.jsp# #/partner_login.php#', \ + setvar:'tx.brute_force_burst_time_slice=60', \ + setvar:'tx.brute_force_counter_threshold=10', \ + setvar:'tx.brute_force_block_timeout=300', \ + nolog, \ + pass" + + +# +# -- [[ DoS Protection ]] ---------------------------------------------------------------- +# +# If you are using the DoS Protection rule set, then uncomment the following +# lines and set the following variables: +# - Burst Time Slice Interval: time interval window to monitor for bursts +# - Request Threshold: request # threshold to trigger a burst +# - Block Period: temporary block timeout +# +SecAction \ + "id:'900015', \ + phase:1, \ + t:none, \ + setvar:'tx.dos_burst_time_slice=60', \ + setvar:'tx.dos_counter_threshold=100', \ + setvar:'tx.dos_block_timeout=600', \ + nolog, \ + pass" + + +# +# -- [[ Check UTF enconding ]] ----------------------------------------------------------- +# +# We only want to apply this check if UTF-8 encoding is actually used by the site, otherwise +# it will result in false positives. +# +# Uncomment this line if your site uses UTF8 encoding +#SecAction \ + "id:'900016', \ + phase:1, \ + t:none, \ + setvar:tx.crs_validate_utf8_encoding=1, \ + nolog, \ + pass" + + +# +# -- [[ Enable XML Body Parsing ]] ------------------------------------------------------- +# +# The rules in this file will trigger the XML parser upon an XML request +# +# Initiate XML Processor in case of xml content-type +# +SecRule REQUEST_HEADERS:Content-Type "text/xml" \ + "id:'900017', \ + phase:1, \ + t:none,t:lowercase, \ + nolog, \ + pass, \ + chain" + SecRule REQBODY_PROCESSOR "!@streq XML" \ + "ctl:requestBodyProcessor=XML" + + +# +# -- [[ Global and IP Collections ]] ----------------------------------------------------- +# +# Create both Global and IP collections for rules to use +# There are some CRS rules that assume that these two collections +# have already been initiated. +# +SecRule REQUEST_HEADERS:User-Agent "^(.*)$" \ + "id:'900018', \ + phase:1, \ + t:none,t:sha1,t:hexEncode, \ + setvar:tx.ua_hash=%{matched_var}, \ + nolog, \ + pass" + + +SecRule REQUEST_HEADERS:x-forwarded-for "^\b(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\b" \ + "id:'900019', \ + phase:1, \ + t:none, \ + capture, \ + setvar:tx.real_ip=%{tx.1}, \ + nolog, \ + pass" + + +SecRule &TX:REAL_IP "!@eq 0" \ + "id:'900020', \ + phase:1, \ + t:none, \ + initcol:global=global, \ + initcol:ip=%{tx.real_ip}_%{tx.ua_hash}, \ + nolog, \ + pass" + + +SecRule &TX:REAL_IP "@eq 0" \ + "id:'900021', \ + phase:1, \ + t:none, \ + initcol:global=global, \ + initcol:ip=%{remote_addr}_%{tx.ua_hash}, \ + setvar:tx.real_ip=%{remote_addr}, \ + nolog, \ + pass" +<% } else { -%> +# ------------------------------------------------------------------------ +# OWASP ModSecurity Core Rule Set ver.3.3.2 +# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. +# +# The OWASP ModSecurity Core Rule Set is distributed under +# Apache Software License (ASL) version 2 +# Please see the enclosed LICENSE file for full details. +# ------------------------------------------------------------------------ + + +# +# -- [[ Introduction ]] -------------------------------------------------------- +# +# The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack +# detection rules that provide a base level of protection for any web +# application. They are written for the open source, cross-platform +# ModSecurity Web Application Firewall. +# +# See also: +# https://coreruleset.org/ +# https://github.com/SpiderLabs/owasp-modsecurity-crs +# https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project +# + + +# +# -- [[ System Requirements ]] ------------------------------------------------- +# +# CRS requires ModSecurity version 2.8.0 or above. +# We recommend to always use the newest ModSecurity version. +# +# The configuration directives/settings in this file are used to control +# the OWASP ModSecurity CRS. These settings do **NOT** configure the main +# ModSecurity settings (modsecurity.conf) such as SecRuleEngine, +# SecRequestBodyAccess, SecAuditEngine, SecDebugLog, and XML processing. +# +# The CRS assumes that modsecurity.conf has been loaded. It is bundled with +# ModSecurity. If you don't have it, you can get it from: +# 2.x: https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v2/master/modsecurity.conf-recommended +# 3.x: https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended +# +# The order of file inclusion in your webserver configuration should always be: +# 1. modsecurity.conf +# 2. crs-setup.conf (this file) +# 3. rules/*.conf (the CRS rule files) +# +# Please refer to the INSTALL file for detailed installation instructions. +# + + +# +# -- [[ Mode of Operation: Anomaly Scoring vs. Self-Contained ]] --------------- +# +# The CRS can run in two modes: +# +# -- [[ Anomaly Scoring Mode (default) ]] -- +# In CRS3, anomaly mode is the default and recommended mode, since it gives the +# most accurate log information and offers the most flexibility in setting your +# blocking policies. It is also called "collaborative detection mode". +# In this mode, each matching rule increases an 'anomaly score'. +# At the conclusion of the inbound rules, and again at the conclusion of the +# outbound rules, the anomaly score is checked, and the blocking evaluation +# rules apply a disruptive action, by default returning an error 403. +# +# -- [[ Self-Contained Mode ]] -- +# In this mode, rules apply an action instantly. This was the CRS2 default. +# It can lower resource usage, at the cost of less flexibility in blocking policy +# and less informative audit logs (only the first detected threat is logged). +# Rules inherit the disruptive action that you specify (i.e. deny, drop, etc). +# The first rule that matches will execute this action. In most cases this will +# cause evaluation to stop after the first rule has matched, similar to how many +# IDSs function. +# +# -- [[ Alert Logging Control ]] -- +# In the mode configuration, you must also adjust the desired logging options. +# There are three common options for dealing with logging. By default CRS enables +# logging to the webserver error log (or Event viewer) plus detailed logging to +# the ModSecurity audit log (configured under SecAuditLog in modsecurity.conf). +# +# - To log to both error log and ModSecurity audit log file, use: "log,auditlog" +# - To log *only* to the ModSecurity audit log file, use: "nolog,auditlog" +# - To log *only* to the error log file, use: "log,noauditlog" +# +# Examples for the various modes follow. +# You must leave one of the following options enabled. +# Note that you must specify the same line for phase:1 and phase:2. +# + +# Default: Anomaly Scoring mode, log to error log, log to ModSecurity audit log +# - By default, offending requests are blocked with an error 403 response. +# - To change the disruptive action, see RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example +# and review section 'Changing the Disruptive Action for Anomaly Mode'. +# - In Apache, you can use ErrorDocument to show a friendly error page or +# perform a redirect: https://httpd.apache.org/docs/2.4/custom-error.html +# +# SecDefaultAction "phase:1,log,auditlog,pass" +# SecDefaultAction "phase:2,log,auditlog,pass" + +# Example: Anomaly Scoring mode, log only to ModSecurity audit log +# - By default, offending requests are blocked with an error 403 response. +# - To change the disruptive action, see RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example +# and review section 'Changing the Disruptive Action for Anomaly Mode'. +# - In Apache, you can use ErrorDocument to show a friendly error page or +# perform a redirect: https://httpd.apache.org/docs/2.4/custom-error.html +# +# SecDefaultAction "phase:1,nolog,auditlog,pass" +# SecDefaultAction "phase:2,nolog,auditlog,pass" + +# Example: Self-contained mode, return error 403 on blocking +# - In this configuration the default disruptive action becomes 'deny'. After a +# rule triggers, it will stop processing the request and return an error 403. +# - You can also use a different error status, such as 404, 406, et cetera. +# - In Apache, you can use ErrorDocument to show a friendly error page or +# perform a redirect: https://httpd.apache.org/docs/2.4/custom-error.html +# +# SecDefaultAction "phase:1,log,auditlog,deny,status:403" +# SecDefaultAction "phase:2,log,auditlog,deny,status:403" + +# Example: Self-contained mode, redirect back to homepage on blocking +# - In this configuration the 'tag' action includes the Host header data in the +# log. This helps to identify which virtual host triggered the rule (if any). +# - Note that this might cause redirect loops in some situations; for example +# if a Cookie or User-Agent header is blocked, it will also be blocked when +# the client subsequently tries to access the homepage. You can also redirect +# to another custom URL. +# SecDefaultAction "phase:1,log,auditlog,redirect:'http://%{request_headers.host}/',tag:'Host: %{request_headers.host}'" +# SecDefaultAction "phase:2,log,auditlog,redirect:'http://%{request_headers.host}/',tag:'Host: %{request_headers.host}'" + +SecDefaultAction "phase:1,<%= $_secdefaultaction -%>" +SecDefaultAction "phase:2,<%= $_secdefaultaction -%>" + +# +# -- [[ Paranoia Level Initialization ]] --------------------------------------- +# +# The Paranoia Level (PL) setting allows you to choose the desired level +# of rule checks that will add to your anomaly scores. +# +# With each paranoia level increase, the CRS enables additional rules +# giving you a higher level of security. However, higher paranoia levels +# also increase the possibility of blocking some legitimate traffic due to +# false alarms (also named false positives or FPs). If you use higher +# paranoia levels, it is likely that you will need to add some exclusion +# rules for certain requests and applications receiving complex input. +# +# - A paranoia level of 1 is default. In this level, most core rules +# are enabled. PL1 is advised for beginners, installations +# covering many different sites and applications, and for setups +# with standard security requirements. +# At PL1 you should face FPs rarely. If you encounter FPs, please +# open an issue on the CRS GitHub site and don't forget to attach your +# complete Audit Log record for the request with the issue. +# - Paranoia level 2 includes many extra rules, for instance enabling +# many regexp-based SQL and XSS injection protections, and adding +# extra keywords checked for code injections. PL2 is advised +# for moderate to experienced users desiring more complete coverage +# and for installations with elevated security requirements. +# PL2 comes with some FPs which you need to handle. +# - Paranoia level 3 enables more rules and keyword lists, and tweaks +# limits on special characters used. PL3 is aimed at users experienced +# at the handling of FPs and at installations with a high security +# requirement. +# - Paranoia level 4 further restricts special characters. +# The highest level is advised for experienced users protecting +# installations with very high security requirements. Running PL4 will +# likely produce a very high number of FPs which have to be +# treated before the site can go productive. +# +# All rules will log their PL to the audit log; +# example: [tag "paranoia-level/2"]. This allows you to deduct from the +# audit log how the WAF behavior is affected by paranoia level. +# +# It is important to also look into the variable +# tx.enforce_bodyproc_urlencoded (Enforce Body Processor URLENCODED) +# defined below. Enabling it closes a possible bypass of CRS. +# +# Uncomment this rule to change the default: +# +SecAction \ + "id:900000,\ + phase:1,\ + nolog,\ + pass,\ + t:none,\ + setvar:tx.paranoia_level=<%= $paranoia_level -%>" + + +# It is possible to execute rules from a higher paranoia level but not include +# them in the anomaly scoring. This allows you to take a well-tuned system on +# paranoia level 1 and add rules from paranoia level 2 without having to fear +# the new rules would lead to false positives that raise your score above the +# threshold. +# This optional feature is enabled by uncommenting the following rule and +# setting the tx.executing_paranoia_level. +# Technically, rules up to the level defined in tx.executing_paranoia_level +# will be executed, but only the rules up to tx.paranoia_level affect the +# anomaly scores. +# By default, tx.executing_paranoia_level is set to tx.paranoia_level. +# tx.executing_paranoia_level must not be lower than tx.paranoia_level. +# +# Please notice that setting tx.executing_paranoia_level to a higher paranoia +# level results in a performance impact that is equally high as setting +# tx.paranoia_level to said level. +# +SecAction \ + "id:900001,\ + phase:1,\ + nolog,\ + pass,\ + t:none,\ + setvar:tx.executing_paranoia_level=<%= $executing_paranoia_level -%>" + + +# +# -- [[ Enforce Body Processor URLENCODED ]] ----------------------------------- +# +# ModSecurity selects the body processor based on the Content-Type request +# header. But clients are not always setting the Content-Type header for their +# request body payloads. This will leave ModSecurity with limited vision into +# the payload. The variable tx.enforce_bodyproc_urlencoded lets you force the +# URLENCODED body processor in these situations. This is off by default, as it +# implies a change of the behaviour of ModSecurity beyond CRS (the body +# processor applies to all rules, not only CRS) and because it may lead to +# false positives already on paranoia level 1. However, enabling this variable +# closes a possible bypass of CRS so it should be considered. +# +# Uncomment this rule to change the default: +# +#SecAction \ +# "id:900010,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:tx.enforce_bodyproc_urlencoded=1" + + +# +# -- [[ Anomaly Mode Severity Levels ]] ---------------------------------------- +# +# Each rule in the CRS has an associated severity level. +# These are the default scoring points for each severity level. +# These settings will be used to increment the anomaly score if a rule matches. +# You may adjust these points to your liking, but this is usually not needed. +# +# - CRITICAL severity: Anomaly Score of 5. +# Mostly generated by the application attack rules (93x and 94x files). +# - ERROR severity: Anomaly Score of 4. +# Generated mostly from outbound leakage rules (95x files). +# - WARNING severity: Anomaly Score of 3. +# Generated mostly by malicious client rules (91x files). +# - NOTICE severity: Anomaly Score of 2. +# Generated mostly by the protocol rules (92x files). +# +# In anomaly mode, these scores are cumulative. +# So it's possible for a request to hit multiple rules. +# +# (Note: In this file, we use 'phase:1' to set CRS configuration variables. +# In general, 'phase:request' is used. However, we want to make absolutely sure +# that all configuration variables are set before the CRS rules are processed.) +# +SecAction \ + "id:900100,\ + phase:1,\ + nolog,\ + pass,\ + t:none,\ + setvar:tx.critical_anomaly_score=<%= $critical_anomaly_score -%>, \ + setvar:tx.error_anomaly_score=<%= $error_anomaly_score -%>, \ + setvar:tx.warning_anomaly_score=<%= $warning_anomaly_score -%>, \ + setvar:tx.notice_anomaly_score=<%= $notice_anomaly_score -%>" + + +# +# -- [[ Anomaly Mode Blocking Threshold Levels ]] ------------------------------ +# +# Here, you can specify at which cumulative anomaly score an inbound request, +# or outbound response, gets blocked. +# +# Most detected inbound threats will give a critical score of 5. +# Smaller violations, like violations of protocol/standards, carry lower scores. +# +# [ At default value ] +# If you keep the blocking thresholds at the defaults, the CRS will work +# similarly to previous CRS versions: a single critical rule match will cause +# the request to be blocked and logged. +# +# [ Using higher values ] +# If you want to make the CRS less sensitive, you can increase the blocking +# thresholds, for instance to 7 (which would require multiple rule matches +# before blocking) or 10 (which would require at least two critical alerts - or +# a combination of many lesser alerts), or even higher. However, increasing the +# thresholds might cause some attacks to bypass the CRS rules or your policies. +# +# [ New deployment strategy: Starting high and decreasing ] +# It is a common practice to start a fresh CRS installation with elevated +# anomaly scoring thresholds (>100) and then lower the limits as your +# confidence in the setup grows. You may also look into the Sampling +# Percentage section below for a different strategy to ease into a new +# CRS installation. +# +# [ Anomaly Threshold / Paranoia Level Quadrant ] +# +# High Anomaly Limit | High Anomaly Limit +# Low Paranoia Level | High Paranoia Level +# -> Fresh Site | -> Experimental Site +# ------------------------------------------------------ +# Low Anomaly Limit | Low Anomaly Limit +# Low Paranoia Level | High Paranoia Level +# -> Standard Site | -> High Security Site +# +# Uncomment this rule to change the defaults: +# +SecAction \ + "id:900110,\ + phase:1,\ + nolog,\ + pass,\ + t:none,\ + setvar:tx.inbound_anomaly_score_threshold=<%= $inbound_anomaly_threshold -%>, \ + setvar:tx.outbound_anomaly_score_threshold=<%= $outbound_anomaly_threshold -%>" + +# +# -- [[ Application Specific Rule Exclusions ]] ---------------------------------------- +# +# Some well-known applications may undertake actions that appear to be +# malicious. This includes actions such as allowing HTML or Javascript within +# parameters. In such cases the CRS aims to prevent false positives by allowing +# administrators to enable prebuilt, application specific exclusions on an +# application by application basis. +# These application specific exclusions are distinct from the rules that would +# be placed in the REQUEST-900-EXCLUSION-RULES-BEFORE-CRS configuration file as +# they are prebuilt for specific applications. The 'REQUEST-900' file is +# designed for users to add their own custom exclusions. Note, using these +# application specific exclusions may loosen restrictions of the CRS, +# especially if used with an application they weren't designed for. As a result +# they should be applied with care. +# To use this functionality you must specify a supported application. To do so +# uncomment rule 900130. In addition to uncommenting the rule you will need to +# specify which application(s) you'd like to enable exclusions for. Only a +# (very) limited set of applications are currently supported, please use the +# filenames prefixed with 'REQUEST-903' to guide you in your selection. +# Such filenames use the following convention: +# REQUEST-903.9XXX-{APPNAME}-EXCLUSIONS-RULES.conf +# +# It is recommended if you run multiple web applications on your site to limit +# the effects of the exclusion to only the path where the excluded webapp +# resides using a rule similar to the following example: +# SecRule REQUEST_URI "@beginsWith /wordpress/" setvar:tx.crs_exclusions_wordpress=1 + +# +# Modify and uncomment this rule to select which application: +# +#SecAction \ +# "id:900130,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:tx.crs_exclusions_cpanel=1,\ +# setvar:tx.crs_exclusions_drupal=1,\ +# setvar:tx.crs_exclusions_dokuwiki=1,\ +# setvar:tx.crs_exclusions_nextcloud=1,\ +# setvar:tx.crs_exclusions_wordpress=1,\ +# setvar:tx.crs_exclusions_xenforo=1" + +# +# -- [[ HTTP Policy Settings ]] ------------------------------------------------ +# +# This section defines your policies for the HTTP protocol, such as: +# - allowed HTTP versions, HTTP methods, allowed request Content-Types +# - forbidden file extensions (e.g. .bak, .sql) and request headers (e.g. Proxy) +# +# These variables are used in the following rule files: +# - REQUEST-911-METHOD-ENFORCEMENT.conf +# - REQUEST-912-DOS-PROTECTION.conf +# - REQUEST-920-PROTOCOL-ENFORCEMENT.conf + +# HTTP methods that a client is allowed to use. +# Default: GET HEAD POST OPTIONS +# Example: for RESTful APIs, add the following methods: PUT PATCH DELETE +# Example: for WebDAV, add the following methods: CHECKOUT COPY DELETE LOCK +# MERGE MKACTIVITY MKCOL MOVE PROPFIND PROPPATCH PUT UNLOCK +# Uncomment this rule to change the default. +SecAction \ + "id:900200,\ + phase:1,\ + nolog,\ + pass,\ + t:none,\ + setvar:'tx.allowed_methods=<%= $allowed_methods -%>'" + +# Content-Types that a client is allowed to send in a request. +# Default: |application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| +# |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| +# |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream| +# |application/csp-report| |application/xss-auditor-report| |text/plain| +# Uncomment this rule to change the default. +SecAction \ + "id:900220,\ + phase:1,\ + nolog,\ + pass,\ + t:none,\ + setvar:'tx.allowed_request_content_type=<%= $content_types -%>'" + +# Allowed HTTP versions. +# Default: HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 +# Example for legacy clients: HTTP/0.9 HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 +# Note that some web server versions use 'HTTP/2', some 'HTTP/2.0', so +# we include both version strings by default. +# Uncomment this rule to change the default. +#SecAction \ +# "id:900230,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0'" + +# Forbidden file extensions. +# Guards against unintended exposure of development/configuration files. +# Default: .asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/ +# Example: .bak/ .config/ .conf/ .db/ .ini/ .log/ .old/ .pass/ .pdb/ .rdb/ .sql/ +# Uncomment this rule to change the default. +SecAction \ + "id:900240,\ + phase:1,\ + nolog,\ + pass,\ + t:none,\ + setvar:'tx.restricted_extensions=<%= $restricted_extensions -%>'" + +# Forbidden request headers. +# Header names should be lowercase, enclosed by /slashes/ as delimiters. +# Blocking Proxy header prevents 'httpoxy' vulnerability: https://httpoxy.org +# Default: /proxy/ /lock-token/ /content-range/ /if/ +# Uncomment this rule to change the default. +SecAction \ + "id:900250,\ + phase:1,\ + nolog,\ + pass,\ + t:none,\ + setvar:'tx.restricted_headers=<%= $restricted_headers -%>'" + +# File extensions considered static files. +# Extensions include the dot, lowercase, enclosed by /slashes/ as delimiters. +# Used in DoS protection rule. See section "Anti-Automation / DoS Protection". +# Default: /.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/ +# Uncomment this rule to change the default. +#SecAction \ +# "id:900260,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/'" + +# Content-Types charsets that a client is allowed to send in a request. +# Default: utf-8|iso-8859-1|iso-8859-15|windows-1252 +# Uncomment this rule to change the default. +# Use "|" to separate multiple charsets like in the rule defining +# tx.allowed_request_content_type. +#SecAction \ +# "id:900280,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:'tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252'" + +# +# -- [[ HTTP Argument/Upload Limits ]] ----------------------------------------- +# +# Here you can define optional limits on HTTP get/post parameters and uploads. +# This can help to prevent application specific DoS attacks. +# +# These values are checked in REQUEST-920-PROTOCOL-ENFORCEMENT.conf. +# Beware of blocking legitimate traffic when enabling these limits. +# + +# Block request if number of arguments is too high +# Default: unlimited +# Example: 255 +# Uncomment this rule to set a limit. +SecAction \ + "id:900300,\ + phase:1,\ + nolog,\ + pass,\ + t:none,\ + setvar:tx.max_num_args=<%= $secrequestmaxnumargs %>" + +# Block request if the length of any argument name is too high +# Default: unlimited +# Example: 100 +# Uncomment this rule to set a limit. +#SecAction \ +# "id:900310,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:tx.arg_name_length=100" + +# Block request if the length of any argument value is too high +# Default: unlimited +# Example: 400 +# Uncomment this rule to set a limit. +#SecAction \ +# "id:900320,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:tx.arg_length=400" + +# Block request if the total length of all combined arguments is too high +# Default: unlimited +# Example: 64000 +# Uncomment this rule to set a limit. +#SecAction \ +# "id:900330,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:tx.total_arg_length=64000" + +# Block request if the file size of any individual uploaded file is too high +# Default: unlimited +# Example: 1048576 +# Uncomment this rule to set a limit. +#SecAction \ +# "id:900340,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:tx.max_file_size=1048576" + +# Block request if the total size of all combined uploaded files is too high +# Default: unlimited +# Example: 1048576 +# Uncomment this rule to set a limit. +#SecAction \ +# "id:900350,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:tx.combined_file_sizes=1048576" + + +# +# -- [[ Easing In / Sampling Percentage ]] ------------------------------------- +# +# Adding the Core Rule Set to an existing productive site can lead to false +# positives, unexpected performance issues and other undesired side effects. +# +# It can be beneficial to test the water first by enabling the CRS for a +# limited number of requests only and then, when you have solved the issues (if +# any) and you have confidence in the setup, to raise the ratio of requests +# being sent into the ruleset. +# +# Adjust the percentage of requests that are funnelled into the Core Rules by +# setting TX.sampling_percentage below. The default is 100, meaning that every +# request gets checked by the CRS. The selection of requests, which are going +# to be checked, is based on a pseudo random number generated by ModSecurity. +# +# If a request is allowed to pass without being checked by the CRS, there is no +# entry in the audit log (for performance reasons), but an error log entry is +# written. If you want to disable the error log entry, then issue the +# following directive somewhere after the inclusion of the CRS +# (E.g., RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf). +# +# SecRuleUpdateActionById 901150 "nolog" +# +# ATTENTION: If this TX.sampling_percentage is below 100, then some of the +# requests will bypass the Core Rules completely and you lose the ability to +# protect your service with ModSecurity. +# +# Uncomment this rule to enable this feature: +# +#SecAction "id:900400,\ +# phase:1,\ +# pass,\ +# nolog,\ +# setvar:tx.sampling_percentage=100" + + +# +# -- [[ Project Honey Pot HTTP Blacklist ]] ------------------------------------ +# +# Optionally, you can check the client IP address against the Project Honey Pot +# HTTPBL (dnsbl.httpbl.org). In order to use this, you need to register to get a +# free API key. Set it here with SecHttpBlKey. +# +# Project Honeypot returns multiple different malicious IP types. +# You may specify which you want to block by enabling or disabling them below. +# +# Ref: https://www.projecthoneypot.org/httpbl.php +# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecHttpBlKey +# +# Uncomment these rules to use this feature: +# +#SecHttpBlKey XXXXXXXXXXXXXXXXX +#SecAction "id:900500,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:tx.block_search_ip=1,\ +# setvar:tx.block_suspicious_ip=1,\ +# setvar:tx.block_harvester_ip=1,\ +# setvar:tx.block_spammer_ip=1" + + +# +# -- [[ GeoIP Database ]] ------------------------------------------------------ +# +# There are some rulesets that inspect geolocation data of the client IP address +# (geoLookup). The CRS uses geoLookup to implement optional country blocking. +# +# To use geolocation, we make use of the MaxMind GeoIP database. +# This database is not included with the CRS and must be downloaded. +# +# There are two formats for the GeoIP database. ModSecurity v2 uses GeoLite (.dat files), +# and ModSecurity v3 uses GeoLite2 (.mmdb files). +# +# If you use ModSecurity 3, MaxMind provides a binary for updating GeoLite2 files, +# see https://github.com/maxmind/geoipupdate. +# +# Download the package for your OS, and read https://dev.maxmind.com/geoip/geoipupdate/ +# for configuration options. +# +# Warning: GeoLite (not GeoLite2) databases are considered legacy, and not being updated anymore. +# See https://support.maxmind.com/geolite-legacy-discontinuation-notice/ for more info. +# +# Therefore, if you use ModSecurity v2, you need to regenerate updated .dat files +# from CSV files first. +# +# You can achieve this using https://github.com/sherpya/geolite2legacy +# Pick the zip files from maxmind site: +# https://geolite.maxmind.com/download/geoip/database/GeoLite2-Country-CSV.zip +# +# Follow the guidelines for installing the tool and run: +# ./geolite2legacy.py -i GeoLite2-Country-CSV.zip \ +# -f geoname2fips.csv -o /usr/share/GeoliteCountry.dat +# +# Update the database regularly, see Step 3 of the configuration link above. +# +# By default, when you execute `sudo geoipupdate` on Linux, files from the free database +# will be downloaded to `/usr/share/GeoIP` (both v1 and v2). +# +# Then choose from: +# - `GeoLite2-Country.mmdb` (if you are using ModSecurity v3) +# - `GeoLiteCountry.dat` (if you are using ModSecurity v2) +# +# Ref: http://blog.spiderlabs.com/2010/10/detecting-malice-with-modsecurity-geolocation-data.html +# Ref: http://blog.spiderlabs.com/2010/11/detecting-malice-with-modsecurity-ip-forensics.html +# +# Uncomment only one of the next rules here to use this feature. +# Choose the one depending on the ModSecurity version you are using, and change the path accordingly: +# +# For ModSecurity v3: +#SecGeoLookupDB /usr/share/GeoIP/GeoLite2-Country.mmdb +# For ModSecurity v2 (points to the converted one): +#SecGeoLookupDB /usr/share/GeoIP/GeoLiteCountry.dat + +# +# -=[ Block Countries ]=- +# +# Rules in the IP Reputation file can check the client against a list of high +# risk country codes. These countries have to be defined in the variable +# tx.high_risk_country_codes via their ISO 3166 two-letter country code: +# https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#Officially_assigned_code_elements +# +# If you are sure that you are not getting any legitimate requests from a given +# country, then you can disable all access from that country via this variable. +# The rule performing the test has the rule id 910100. +# +# This rule requires SecGeoLookupDB to be enabled and the GeoIP database to be +# downloaded (see the section "GeoIP Database" above.) +# +# By default, the list is empty. A list used by some sites was the following: +# setvar:'tx.high_risk_country_codes=UA ID YU LT EG RO BG TR RU PK MY CN'" +# +# Uncomment this rule to use this feature: +# +#SecAction \ +# "id:900600,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:'tx.high_risk_country_codes='" + + +# +# -- [[ Anti-Automation / DoS Protection ]] ------------------------------------ +# +# Optional DoS protection against clients making requests too quickly. +# +# When a client is making more than 100 requests (excluding static files) within +# 60 seconds, this is considered a 'burst'. After two bursts, the client is +# blocked for 600 seconds. +# +# Requests to static files are not counted towards DoS; they are listed in the +# 'tx.static_extensions' setting, which you can change in this file (see +# section "HTTP Policy Settings"). +# +# For a detailed description, see rule file REQUEST-912-DOS-PROTECTION.conf. +# +# Uncomment this rule to use this feature: +# +<% if $enable_dos_protection { -%> +SecAction \ + "id:900700,\ + phase:1,\ + nolog,\ + pass,\ + t:none,\ + setvar:'tx.dos_burst_time_slice=<%= $dos_burst_time_slice %>',\ + setvar:'tx.dos_counter_threshold=<%= $dos_counter_threshold %>',\ + setvar:'tx.dos_block_timeout=<%= $dos_block_timeout %>'" +<% } -%> + +# +# -- [[ Check UTF-8 encoding ]] ------------------------------------------------ +# +# The CRS can optionally check request contents for invalid UTF-8 encoding. +# We only want to apply this check if UTF-8 encoding is actually used by the +# site; otherwise it will result in false positives. +# +# Uncomment this rule to use this feature: +# +#SecAction \ +# "id:900950,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:tx.crs_validate_utf8_encoding=1" + + +# +# -- [[ Blocking Based on IP Reputation ]] ------------------------------------ +# +# Blocking based on reputation is permanent in the CRS. Unlike other rules, +# which look at the individual request, the blocking of IPs is based on +# a persistent record in the IP collection, which remains active for a +# certain amount of time. +# +# There are two ways an individual client can become flagged for blocking: +# - External information (RBL, GeoIP, etc.) +# - Internal information (Core Rules) +# +# The record in the IP collection carries a flag, which tags requests from +# individual clients with a flag named IP.reput_block_flag. +# But the flag alone is not enough to have a client blocked. There is also +# a global switch named tx.do_reput_block. This is off by default. If you set +# it to 1 (=On), requests from clients with the IP.reput_block_flag will +# be blocked for a certain duration. +# +# Variables +# ip.reput_block_flag Blocking flag for the IP collection record +# ip.reput_block_reason Reason (= rule message) that caused to blocking flag +# tx.do_reput_block Switch deciding if we really block based on flag +# tx.reput_block_duration Setting to define the duration of a block +# +# It may be important to know, that all the other core rules are skipped for +# requests, when it is clear that they carry the blocking flag in question. +# +# Uncomment this rule to use this feature: +# +#SecAction \ +# "id:900960,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:tx.do_reput_block=1" +# +# Uncomment this rule to change the blocking time: +# Default: 300 (5 minutes) +# +#SecAction \ +# "id:900970,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:tx.reput_block_duration=300" + + +# +# -- [[ Collection timeout ]] -------------------------------------------------- +# +# Set the SecCollectionTimeout directive from the ModSecurity default (1 hour) +# to a lower setting which is appropriate to most sites. +# This increases performance by cleaning out stale collection (block) entries. +# +# This value should be greater than or equal to: +# tx.reput_block_duration (see section "Blocking Based on IP Reputation") and +# tx.dos_block_timeout (see section "Anti-Automation / DoS Protection"). +# +# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecCollectionTimeout + +# Please keep this directive uncommented. +# Default: 600 (10 minutes) +SecCollectionTimeout 600 + + +# +# -- [[ End of setup ]] -------------------------------------------------------- +# +# The CRS checks the tx.crs_setup_version variable to ensure that the setup +# has been loaded. If you are not planning to use this setup template, +# you must manually set the tx.crs_setup_version variable before including +# the CRS rules/* files. +# +# The variable is a numerical representation of the CRS version number. +# E.g., v3.0.0 is represented as 300. +# +SecAction \ + "id:900990,\ + phase:1,\ + nolog,\ + pass,\ + t:none,\ + setvar:tx.crs_setup_version=332" +<% } -%> + diff --git a/templates/mod/security_crs.conf.erb b/templates/mod/security_crs.conf.erb new file mode 100644 index 0000000000..fb8dbff146 --- /dev/null +++ b/templates/mod/security_crs.conf.erb @@ -0,0 +1,1271 @@ +<% if scope['facts']['os']['family'] == 'RedHat' and scope['facts']['os']['release']['major'].to_i <= 7 -%> +# --------------------------------------------------------------- +# Core ModSecurity Rule Set ver.2.2.9 +# Copyright (C) 2006-2012 Trustwave All rights reserved. +# +# The OWASP ModSecurity Core Rule Set is distributed under +# Apache Software License (ASL) version 2 +# Please see the enclosed LICENCE file for full details. +# --------------------------------------------------------------- + + +# +# -- [[ Recommended Base Configuration ]] ------------------------------------------------- +# +# The configuration directives/settings in this file are used to control +# the OWASP ModSecurity CRS. These settings do **NOT** configure the main +# ModSecurity settings such as: +# +# - SecRuleEngine +# - SecRequestBodyAccess +# - SecAuditEngine +# - SecDebugLog +# +# You should use the modsecurity.conf-recommended file that comes with the +# ModSecurity source code archive. +# +# Ref: https://github.com/SpiderLabs/ModSecurity/blob/master/modsecurity.conf-recommended +# + + +# +# -- [[ Rule Version ]] ------------------------------------------------------------------- +# +# Rule version data is added to the "Producer" line of Section H of the Audit log: +# +# - Producer: ModSecurity for Apache/2.7.0-rc1 (http://www.modsecurity.org/); OWASP_CRS/2.2.4. +# +# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecComponentSignature +# +SecComponentSignature "OWASP_CRS/2.2.9" + + +# +# -- [[ Modes of Operation: Self-Contained vs. Collaborative Detection ]] ----------------- +# +# Each detection rule uses the "block" action which will inherit the SecDefaultAction +# specified below. Your settings here will determine which mode of operation you use. +# +# -- [[ Self-Contained Mode ]] -- +# Rules inherit the "deny" disruptive action. The first rule that matches will block. +# +# -- [[ Collaborative Detection Mode ]] -- +# This is a "delayed blocking" mode of operation where each matching rule will inherit +# the "pass" action and will only contribute to anomaly scores. Transactional blocking +# can be applied +# +# -- [[ Alert Logging Control ]] -- +# You have three options - +# +# - To log to both the Apache error_log and ModSecurity audit_log file use: "log" +# - To log *only* to the ModSecurity audit_log file use: "nolog,auditlog" +# - To log *only* to the Apache error_log file use: "log,noauditlog" +# +# Ref: http://blog.spiderlabs.com/2010/11/advanced-topic-of-the-week-traditional-vs-anomaly-scoring-detection-modes.html +# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecDefaultAction +# +SecDefaultAction "phase:1,<%= @_secdefaultaction -%>" +SecDefaultAction "phase:2,<%= @_secdefaultaction -%>" + +# +# -- [[ Collaborative Detection Severity Levels ]] ---------------------------------------- +# +# These are the default scoring points for each severity level. You may +# adjust these to you liking. These settings will be used in macro expansion +# in the rules to increment the anomaly scores when rules match. +# +# These are the default Severity ratings (with anomaly scores) of the individual rules - +# +# - 2: Critical - Anomaly Score of 5. +# Is the highest severity level possible without correlation. It is +# normally generated by the web attack rules (40 level files). +# - 3: Error - Anomaly Score of 4. +# Is generated mostly from outbound leakage rules (50 level files). +# - 4: Warning - Anomaly Score of 3. +# Is generated by malicious client rules (35 level files). +# - 5: Notice - Anomaly Score of 2. +# Is generated by the Protocol policy and anomaly files. +# +SecAction \ + "id:'900001', \ + phase:1, \ + t:none, \ + setvar:tx.critical_anomaly_score=<%= @critical_anomaly_score -%>, \ + setvar:tx.error_anomaly_score=<%= @error_anomaly_score -%>, \ + setvar:tx.warning_anomaly_score=<%= @warning_anomaly_score -%>, \ + setvar:tx.notice_anomaly_score=<%= @notice_anomaly_score -%>, \ + nolog, \ + pass" + + +# +# -- [[ Collaborative Detection Scoring Initialization and Threshold Levels ]] ------------------------------ +# +# These variables are used in macro expansion in the 49 inbound blocking and 59 +# outbound blocking files. +# +# **MUST HAVE** ModSecurity v2.5.12 or higher to use macro expansion in numeric +# operators. If you have an earlier version, edit the 49/59 files directly to +# set the appropriate anomaly score levels. +# +# You should set the score level (rule 900003) to the proper threshold you +# would prefer. If set to "5" it will work similarly to previous Mod CRS rules +# and will create an event in the error_log file if there are any rules that +# match. If you would like to lessen the number of events generated in the +# error_log file, you should increase the anomaly score threshold to something +# like "20". This would only generate an event in the error_log file if there +# are multiple lower severity rule matches or if any 1 higher severity item matches. +# +SecAction \ + "id:'900002', \ + phase:1, \ + t:none, \ + setvar:tx.anomaly_score=0, \ + setvar:tx.sql_injection_score=0, \ + setvar:tx.xss_score=0, \ + setvar:tx.inbound_anomaly_score=0, \ + setvar:tx.outbound_anomaly_score=0, \ + nolog, \ + pass" + + +SecAction \ + "id:'900003', \ + phase:1, \ + t:none, \ + setvar:tx.inbound_anomaly_score_level=<%= @inbound_anomaly_threshold -%>, \ + setvar:tx.outbound_anomaly_score_level=<%= @outbound_anomaly_threshold -%>, \ + nolog, \ + pass" + + +# +# -- [[ Collaborative Detection Blocking ]] ----------------------------------------------- +# +# This is a collaborative detection mode where each rule will increment an overall +# anomaly score for the transaction. The scores are then evaluated in the following files: +# +# Inbound anomaly score - checked in the modsecurity_crs_49_inbound_blocking.conf file +# Outbound anomaly score - checked in the modsecurity_crs_59_outbound_blocking.conf file +# +# If you want to use anomaly scoring mode, then uncomment this line. +# +SecAction \ + "id:'900004', \ + phase:1, \ + t:none, \ + setvar:tx.anomaly_score_blocking=<%= @anomaly_score_blocking -%>, \ + nolog, \ + pass" + + +# +# -- [[ GeoIP Database ]] ----------------------------------------------------------------- +# +# There are some rulesets that need to inspect the GEO data of the REMOTE_ADDR data. +# +# You must first download the MaxMind GeoIP Lite City DB - +# +# http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz +# +# You then need to define the proper path for the SecGeoLookupDb directive +# +# Ref: http://blog.spiderlabs.com/2010/10/detecting-malice-with-modsecurity-geolocation-data.html +# Ref: http://blog.spiderlabs.com/2010/11/detecting-malice-with-modsecurity-ip-forensics.html +# +#SecGeoLookupDb /opt/modsecurity/lib/GeoLiteCity.dat + +# +# -- [[ Regression Testing Mode ]] -------------------------------------------------------- +# +# If you are going to run the regression testing mode, you should uncomment the +# following rule. It will enable DetectionOnly mode for the SecRuleEngine and +# will enable Response Header tagging so that the client testing script can see +# which rule IDs have matched. +# +# You must specify the your source IP address where you will be running the tests +# from. +# +#SecRule REMOTE_ADDR "@ipMatch 192.168.1.100" \ + "id:'900005', \ + phase:1, \ + t:none, \ + ctl:ruleEngine=DetectionOnly, \ + setvar:tx.regression_testing=1, \ + nolog, \ + pass" + + +# +# -- [[ HTTP Policy Settings ]] ---------------------------------------------------------- +# +# Set the following policy settings here and they will be propagated to the 23 rules +# file (modsecurity_common_23_request_limits.conf) by using macro expansion. +# If you run into false positives, you can adjust the settings here. +# +# Only the max number of args is uncommented by default as there are a high rate +# of false positives. Uncomment the items you wish to set. +# +# +# -- Maximum number of arguments in request limited +SecAction \ + "id:'900006', \ + phase:1, \ + t:none, \ + setvar:tx.max_num_args=<%= @secrequestmaxnumargs %>, \ + nolog, \ + pass" + +# +# -- Limit argument name length +#SecAction \ + "id:'900007', \ + phase:1, \ + t:none, \ + setvar:tx.arg_name_length=100, \ + nolog, \ + pass" + +# +# -- Limit value name length +#SecAction \ + "id:'900008', \ + phase:1, \ + t:none, \ + setvar:tx.arg_length=400, \ + nolog, \ + pass" + +# +# -- Limit arguments total length +#SecAction \ + "id:'900009', \ + phase:1, \ + t:none, \ + setvar:tx.total_arg_length=64000, \ + nolog, \ + pass" + +# +# -- Individual file size is limited +#SecAction \ + "id:'900010', \ + phase:1, \ + t:none, \ + setvar:tx.max_file_size=1048576, \ + nolog, \ + pass" + +# +# -- Combined file size is limited +#SecAction \ + "id:'900011', \ + phase:1, \ + t:none, \ + setvar:tx.combined_file_sizes=1048576, \ + nolog, \ + pass" + + +# +# Set the following policy settings here and they will be propagated to the 30 rules +# file (modsecurity_crs_30_http_policy.conf) by using macro expansion. +# If you run into false positves, you can adjust the settings here. +# +SecAction \ + "id:'900012', \ + phase:1, \ + t:none, \ + setvar:'tx.allowed_methods=<%= @allowed_methods -%>', \ + setvar:'tx.allowed_request_content_type=<%= @content_types -%>', \ + setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1', \ + setvar:'tx.restricted_extensions=<%= @restricted_extensions -%>', \ + setvar:'tx.restricted_headers=<%= @restricted_headers -%>', \ + nolog, \ + pass" + + +# +# -- [[ Content Security Policy (CSP) Settings ]] ----------------------------------------- +# +# The purpose of these settings is to send CSP response headers to +# Mozilla FireFox users so that you can enforce how dynamic content +# is used. CSP usage helps to prevent XSS attacks against your users. +# +# Reference Link: +# +# https://developer.mozilla.org/en/Security/CSP +# +# Uncomment this SecAction line if you want use CSP enforcement. +# You need to set the appropriate directives and settings for your site/domain and +# and activate the CSP file in the experimental_rules directory. +# +# Ref: http://blog.spiderlabs.com/2011/04/modsecurity-advanced-topic-of-the-week-integrating-content-security-policy-csp.html +# +#SecAction \ + "id:'900013', \ + phase:1, \ + t:none, \ + setvar:tx.csp_report_only=1, \ + setvar:tx.csp_report_uri=/csp_violation_report, \ + setenv:'csp_policy=allow \'self\'; img-src *.yoursite.com; media-src *.yoursite.com; style-src *.yoursite.com; frame-ancestors *.yoursite.com; script-src *.yoursite.com; report-uri %{tx.csp_report_uri}', \ + nolog, \ + pass" + + +# +# -- [[ Brute Force Protection ]] --------------------------------------------------------- +# +# If you are using the Brute Force Protection rule set, then uncomment the following +# lines and set the following variables: +# - Protected URLs: resources to protect (e.g. login pages) - set to your login page +# - Burst Time Slice Interval: time interval window to monitor for bursts +# - Request Threshold: request # threshold to trigger a burst +# - Block Period: temporary block timeout +# +#SecAction \ + "id:'900014', \ + phase:1, \ + t:none, \ + setvar:'tx.brute_force_protected_urls=#/login.jsp# #/partner_login.php#', \ + setvar:'tx.brute_force_burst_time_slice=60', \ + setvar:'tx.brute_force_counter_threshold=10', \ + setvar:'tx.brute_force_block_timeout=300', \ + nolog, \ + pass" + + +# +# -- [[ DoS Protection ]] ---------------------------------------------------------------- +# +# If you are using the DoS Protection rule set, then uncomment the following +# lines and set the following variables: +# - Burst Time Slice Interval: time interval window to monitor for bursts +# - Request Threshold: request # threshold to trigger a burst +# - Block Period: temporary block timeout +# +SecAction \ + "id:'900015', \ + phase:1, \ + t:none, \ + setvar:'tx.dos_burst_time_slice=60', \ + setvar:'tx.dos_counter_threshold=100', \ + setvar:'tx.dos_block_timeout=600', \ + nolog, \ + pass" + + +# +# -- [[ Check UTF enconding ]] ----------------------------------------------------------- +# +# We only want to apply this check if UTF-8 encoding is actually used by the site, otherwise +# it will result in false positives. +# +# Uncomment this line if your site uses UTF8 encoding +#SecAction \ + "id:'900016', \ + phase:1, \ + t:none, \ + setvar:tx.crs_validate_utf8_encoding=1, \ + nolog, \ + pass" + + +# +# -- [[ Enable XML Body Parsing ]] ------------------------------------------------------- +# +# The rules in this file will trigger the XML parser upon an XML request +# +# Initiate XML Processor in case of xml content-type +# +SecRule REQUEST_HEADERS:Content-Type "text/xml" \ + "id:'900017', \ + phase:1, \ + t:none,t:lowercase, \ + nolog, \ + pass, \ + chain" + SecRule REQBODY_PROCESSOR "!@streq XML" \ + "ctl:requestBodyProcessor=XML" + + +# +# -- [[ Global and IP Collections ]] ----------------------------------------------------- +# +# Create both Global and IP collections for rules to use +# There are some CRS rules that assume that these two collections +# have already been initiated. +# +SecRule REQUEST_HEADERS:User-Agent "^(.*)$" \ + "id:'900018', \ + phase:1, \ + t:none,t:sha1,t:hexEncode, \ + setvar:tx.ua_hash=%{matched_var}, \ + nolog, \ + pass" + + +SecRule REQUEST_HEADERS:x-forwarded-for "^\b(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\b" \ + "id:'900019', \ + phase:1, \ + t:none, \ + capture, \ + setvar:tx.real_ip=%{tx.1}, \ + nolog, \ + pass" + + +SecRule &TX:REAL_IP "!@eq 0" \ + "id:'900020', \ + phase:1, \ + t:none, \ + initcol:global=global, \ + initcol:ip=%{tx.real_ip}_%{tx.ua_hash}, \ + nolog, \ + pass" + + +SecRule &TX:REAL_IP "@eq 0" \ + "id:'900021', \ + phase:1, \ + t:none, \ + initcol:global=global, \ + initcol:ip=%{remote_addr}_%{tx.ua_hash}, \ + setvar:tx.real_ip=%{remote_addr}, \ + nolog, \ + pass" +<% else -%> +# ------------------------------------------------------------------------ +# OWASP ModSecurity Core Rule Set ver.3.3.2 +# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. +# +# The OWASP ModSecurity Core Rule Set is distributed under +# Apache Software License (ASL) version 2 +# Please see the enclosed LICENSE file for full details. +# ------------------------------------------------------------------------ + + +# +# -- [[ Introduction ]] -------------------------------------------------------- +# +# The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack +# detection rules that provide a base level of protection for any web +# application. They are written for the open source, cross-platform +# ModSecurity Web Application Firewall. +# +# See also: +# https://coreruleset.org/ +# https://github.com/SpiderLabs/owasp-modsecurity-crs +# https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project +# + + +# +# -- [[ System Requirements ]] ------------------------------------------------- +# +# CRS requires ModSecurity version 2.8.0 or above. +# We recommend to always use the newest ModSecurity version. +# +# The configuration directives/settings in this file are used to control +# the OWASP ModSecurity CRS. These settings do **NOT** configure the main +# ModSecurity settings (modsecurity.conf) such as SecRuleEngine, +# SecRequestBodyAccess, SecAuditEngine, SecDebugLog, and XML processing. +# +# The CRS assumes that modsecurity.conf has been loaded. It is bundled with +# ModSecurity. If you don't have it, you can get it from: +# 2.x: https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v2/master/modsecurity.conf-recommended +# 3.x: https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended +# +# The order of file inclusion in your webserver configuration should always be: +# 1. modsecurity.conf +# 2. crs-setup.conf (this file) +# 3. rules/*.conf (the CRS rule files) +# +# Please refer to the INSTALL file for detailed installation instructions. +# + + +# +# -- [[ Mode of Operation: Anomaly Scoring vs. Self-Contained ]] --------------- +# +# The CRS can run in two modes: +# +# -- [[ Anomaly Scoring Mode (default) ]] -- +# In CRS3, anomaly mode is the default and recommended mode, since it gives the +# most accurate log information and offers the most flexibility in setting your +# blocking policies. It is also called "collaborative detection mode". +# In this mode, each matching rule increases an 'anomaly score'. +# At the conclusion of the inbound rules, and again at the conclusion of the +# outbound rules, the anomaly score is checked, and the blocking evaluation +# rules apply a disruptive action, by default returning an error 403. +# +# -- [[ Self-Contained Mode ]] -- +# In this mode, rules apply an action instantly. This was the CRS2 default. +# It can lower resource usage, at the cost of less flexibility in blocking policy +# and less informative audit logs (only the first detected threat is logged). +# Rules inherit the disruptive action that you specify (i.e. deny, drop, etc). +# The first rule that matches will execute this action. In most cases this will +# cause evaluation to stop after the first rule has matched, similar to how many +# IDSs function. +# +# -- [[ Alert Logging Control ]] -- +# In the mode configuration, you must also adjust the desired logging options. +# There are three common options for dealing with logging. By default CRS enables +# logging to the webserver error log (or Event viewer) plus detailed logging to +# the ModSecurity audit log (configured under SecAuditLog in modsecurity.conf). +# +# - To log to both error log and ModSecurity audit log file, use: "log,auditlog" +# - To log *only* to the ModSecurity audit log file, use: "nolog,auditlog" +# - To log *only* to the error log file, use: "log,noauditlog" +# +# Examples for the various modes follow. +# You must leave one of the following options enabled. +# Note that you must specify the same line for phase:1 and phase:2. +# + +# Default: Anomaly Scoring mode, log to error log, log to ModSecurity audit log +# - By default, offending requests are blocked with an error 403 response. +# - To change the disruptive action, see RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example +# and review section 'Changing the Disruptive Action for Anomaly Mode'. +# - In Apache, you can use ErrorDocument to show a friendly error page or +# perform a redirect: https://httpd.apache.org/docs/2.4/custom-error.html +# +# SecDefaultAction "phase:1,log,auditlog,pass" +# SecDefaultAction "phase:2,log,auditlog,pass" + +# Example: Anomaly Scoring mode, log only to ModSecurity audit log +# - By default, offending requests are blocked with an error 403 response. +# - To change the disruptive action, see RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example +# and review section 'Changing the Disruptive Action for Anomaly Mode'. +# - In Apache, you can use ErrorDocument to show a friendly error page or +# perform a redirect: https://httpd.apache.org/docs/2.4/custom-error.html +# +# SecDefaultAction "phase:1,nolog,auditlog,pass" +# SecDefaultAction "phase:2,nolog,auditlog,pass" + +# Example: Self-contained mode, return error 403 on blocking +# - In this configuration the default disruptive action becomes 'deny'. After a +# rule triggers, it will stop processing the request and return an error 403. +# - You can also use a different error status, such as 404, 406, et cetera. +# - In Apache, you can use ErrorDocument to show a friendly error page or +# perform a redirect: https://httpd.apache.org/docs/2.4/custom-error.html +# +# SecDefaultAction "phase:1,log,auditlog,deny,status:403" +# SecDefaultAction "phase:2,log,auditlog,deny,status:403" + +# Example: Self-contained mode, redirect back to homepage on blocking +# - In this configuration the 'tag' action includes the Host header data in the +# log. This helps to identify which virtual host triggered the rule (if any). +# - Note that this might cause redirect loops in some situations; for example +# if a Cookie or User-Agent header is blocked, it will also be blocked when +# the client subsequently tries to access the homepage. You can also redirect +# to another custom URL. +# SecDefaultAction "phase:1,log,auditlog,redirect:'http://%{request_headers.host}/',tag:'Host: %{request_headers.host}'" +# SecDefaultAction "phase:2,log,auditlog,redirect:'http://%{request_headers.host}/',tag:'Host: %{request_headers.host}'" + +SecDefaultAction "phase:1,<%= @_secdefaultaction -%>" +SecDefaultAction "phase:2,<%= @_secdefaultaction -%>" + +# +# -- [[ Paranoia Level Initialization ]] --------------------------------------- +# +# The Paranoia Level (PL) setting allows you to choose the desired level +# of rule checks that will add to your anomaly scores. +# +# With each paranoia level increase, the CRS enables additional rules +# giving you a higher level of security. However, higher paranoia levels +# also increase the possibility of blocking some legitimate traffic due to +# false alarms (also named false positives or FPs). If you use higher +# paranoia levels, it is likely that you will need to add some exclusion +# rules for certain requests and applications receiving complex input. +# +# - A paranoia level of 1 is default. In this level, most core rules +# are enabled. PL1 is advised for beginners, installations +# covering many different sites and applications, and for setups +# with standard security requirements. +# At PL1 you should face FPs rarely. If you encounter FPs, please +# open an issue on the CRS GitHub site and don't forget to attach your +# complete Audit Log record for the request with the issue. +# - Paranoia level 2 includes many extra rules, for instance enabling +# many regexp-based SQL and XSS injection protections, and adding +# extra keywords checked for code injections. PL2 is advised +# for moderate to experienced users desiring more complete coverage +# and for installations with elevated security requirements. +# PL2 comes with some FPs which you need to handle. +# - Paranoia level 3 enables more rules and keyword lists, and tweaks +# limits on special characters used. PL3 is aimed at users experienced +# at the handling of FPs and at installations with a high security +# requirement. +# - Paranoia level 4 further restricts special characters. +# The highest level is advised for experienced users protecting +# installations with very high security requirements. Running PL4 will +# likely produce a very high number of FPs which have to be +# treated before the site can go productive. +# +# All rules will log their PL to the audit log; +# example: [tag "paranoia-level/2"]. This allows you to deduct from the +# audit log how the WAF behavior is affected by paranoia level. +# +# It is important to also look into the variable +# tx.enforce_bodyproc_urlencoded (Enforce Body Processor URLENCODED) +# defined below. Enabling it closes a possible bypass of CRS. +# +# Uncomment this rule to change the default: +# +SecAction \ + "id:900000,\ + phase:1,\ + nolog,\ + pass,\ + t:none,\ + setvar:tx.paranoia_level=<%= @paranoia_level -%>" + + +# It is possible to execute rules from a higher paranoia level but not include +# them in the anomaly scoring. This allows you to take a well-tuned system on +# paranoia level 1 and add rules from paranoia level 2 without having to fear +# the new rules would lead to false positives that raise your score above the +# threshold. +# This optional feature is enabled by uncommenting the following rule and +# setting the tx.executing_paranoia_level. +# Technically, rules up to the level defined in tx.executing_paranoia_level +# will be executed, but only the rules up to tx.paranoia_level affect the +# anomaly scores. +# By default, tx.executing_paranoia_level is set to tx.paranoia_level. +# tx.executing_paranoia_level must not be lower than tx.paranoia_level. +# +# Please notice that setting tx.executing_paranoia_level to a higher paranoia +# level results in a performance impact that is equally high as setting +# tx.paranoia_level to said level. +# +SecAction \ + "id:900001,\ + phase:1,\ + nolog,\ + pass,\ + t:none,\ + setvar:tx.executing_paranoia_level=<%= @executing_paranoia_level -%>" + + +# +# -- [[ Enforce Body Processor URLENCODED ]] ----------------------------------- +# +# ModSecurity selects the body processor based on the Content-Type request +# header. But clients are not always setting the Content-Type header for their +# request body payloads. This will leave ModSecurity with limited vision into +# the payload. The variable tx.enforce_bodyproc_urlencoded lets you force the +# URLENCODED body processor in these situations. This is off by default, as it +# implies a change of the behaviour of ModSecurity beyond CRS (the body +# processor applies to all rules, not only CRS) and because it may lead to +# false positives already on paranoia level 1. However, enabling this variable +# closes a possible bypass of CRS so it should be considered. +# +# Uncomment this rule to change the default: +# +#SecAction \ +# "id:900010,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:tx.enforce_bodyproc_urlencoded=1" + + +# +# -- [[ Anomaly Mode Severity Levels ]] ---------------------------------------- +# +# Each rule in the CRS has an associated severity level. +# These are the default scoring points for each severity level. +# These settings will be used to increment the anomaly score if a rule matches. +# You may adjust these points to your liking, but this is usually not needed. +# +# - CRITICAL severity: Anomaly Score of 5. +# Mostly generated by the application attack rules (93x and 94x files). +# - ERROR severity: Anomaly Score of 4. +# Generated mostly from outbound leakage rules (95x files). +# - WARNING severity: Anomaly Score of 3. +# Generated mostly by malicious client rules (91x files). +# - NOTICE severity: Anomaly Score of 2. +# Generated mostly by the protocol rules (92x files). +# +# In anomaly mode, these scores are cumulative. +# So it's possible for a request to hit multiple rules. +# +# (Note: In this file, we use 'phase:1' to set CRS configuration variables. +# In general, 'phase:request' is used. However, we want to make absolutely sure +# that all configuration variables are set before the CRS rules are processed.) +# +SecAction \ + "id:900100,\ + phase:1,\ + nolog,\ + pass,\ + t:none,\ + setvar:tx.critical_anomaly_score=<%= @critical_anomaly_score -%>, \ + setvar:tx.error_anomaly_score=<%= @error_anomaly_score -%>, \ + setvar:tx.warning_anomaly_score=<%= @warning_anomaly_score -%>, \ + setvar:tx.notice_anomaly_score=<%= @notice_anomaly_score -%>" + + +# +# -- [[ Anomaly Mode Blocking Threshold Levels ]] ------------------------------ +# +# Here, you can specify at which cumulative anomaly score an inbound request, +# or outbound response, gets blocked. +# +# Most detected inbound threats will give a critical score of 5. +# Smaller violations, like violations of protocol/standards, carry lower scores. +# +# [ At default value ] +# If you keep the blocking thresholds at the defaults, the CRS will work +# similarly to previous CRS versions: a single critical rule match will cause +# the request to be blocked and logged. +# +# [ Using higher values ] +# If you want to make the CRS less sensitive, you can increase the blocking +# thresholds, for instance to 7 (which would require multiple rule matches +# before blocking) or 10 (which would require at least two critical alerts - or +# a combination of many lesser alerts), or even higher. However, increasing the +# thresholds might cause some attacks to bypass the CRS rules or your policies. +# +# [ New deployment strategy: Starting high and decreasing ] +# It is a common practice to start a fresh CRS installation with elevated +# anomaly scoring thresholds (>100) and then lower the limits as your +# confidence in the setup grows. You may also look into the Sampling +# Percentage section below for a different strategy to ease into a new +# CRS installation. +# +# [ Anomaly Threshold / Paranoia Level Quadrant ] +# +# High Anomaly Limit | High Anomaly Limit +# Low Paranoia Level | High Paranoia Level +# -> Fresh Site | -> Experimental Site +# ------------------------------------------------------ +# Low Anomaly Limit | Low Anomaly Limit +# Low Paranoia Level | High Paranoia Level +# -> Standard Site | -> High Security Site +# +# Uncomment this rule to change the defaults: +# +SecAction \ + "id:900110,\ + phase:1,\ + nolog,\ + pass,\ + t:none,\ + setvar:tx.inbound_anomaly_score_threshold=<%= @inbound_anomaly_threshold -%>, \ + setvar:tx.outbound_anomaly_score_threshold=<%= @outbound_anomaly_threshold -%>" + +# +# -- [[ Application Specific Rule Exclusions ]] ---------------------------------------- +# +# Some well-known applications may undertake actions that appear to be +# malicious. This includes actions such as allowing HTML or Javascript within +# parameters. In such cases the CRS aims to prevent false positives by allowing +# administrators to enable prebuilt, application specific exclusions on an +# application by application basis. +# These application specific exclusions are distinct from the rules that would +# be placed in the REQUEST-900-EXCLUSION-RULES-BEFORE-CRS configuration file as +# they are prebuilt for specific applications. The 'REQUEST-900' file is +# designed for users to add their own custom exclusions. Note, using these +# application specific exclusions may loosen restrictions of the CRS, +# especially if used with an application they weren't designed for. As a result +# they should be applied with care. +# To use this functionality you must specify a supported application. To do so +# uncomment rule 900130. In addition to uncommenting the rule you will need to +# specify which application(s) you'd like to enable exclusions for. Only a +# (very) limited set of applications are currently supported, please use the +# filenames prefixed with 'REQUEST-903' to guide you in your selection. +# Such filenames use the following convention: +# REQUEST-903.9XXX-{APPNAME}-EXCLUSIONS-RULES.conf +# +# It is recommended if you run multiple web applications on your site to limit +# the effects of the exclusion to only the path where the excluded webapp +# resides using a rule similar to the following example: +# SecRule REQUEST_URI "@beginsWith /wordpress/" setvar:tx.crs_exclusions_wordpress=1 + +# +# Modify and uncomment this rule to select which application: +# +#SecAction \ +# "id:900130,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:tx.crs_exclusions_cpanel=1,\ +# setvar:tx.crs_exclusions_drupal=1,\ +# setvar:tx.crs_exclusions_dokuwiki=1,\ +# setvar:tx.crs_exclusions_nextcloud=1,\ +# setvar:tx.crs_exclusions_wordpress=1,\ +# setvar:tx.crs_exclusions_xenforo=1" + +# +# -- [[ HTTP Policy Settings ]] ------------------------------------------------ +# +# This section defines your policies for the HTTP protocol, such as: +# - allowed HTTP versions, HTTP methods, allowed request Content-Types +# - forbidden file extensions (e.g. .bak, .sql) and request headers (e.g. Proxy) +# +# These variables are used in the following rule files: +# - REQUEST-911-METHOD-ENFORCEMENT.conf +# - REQUEST-912-DOS-PROTECTION.conf +# - REQUEST-920-PROTOCOL-ENFORCEMENT.conf + +# HTTP methods that a client is allowed to use. +# Default: GET HEAD POST OPTIONS +# Example: for RESTful APIs, add the following methods: PUT PATCH DELETE +# Example: for WebDAV, add the following methods: CHECKOUT COPY DELETE LOCK +# MERGE MKACTIVITY MKCOL MOVE PROPFIND PROPPATCH PUT UNLOCK +# Uncomment this rule to change the default. +SecAction \ + "id:900200,\ + phase:1,\ + nolog,\ + pass,\ + t:none,\ + setvar:'tx.allowed_methods=<%= @allowed_methods -%>'" + +# Content-Types that a client is allowed to send in a request. +# Default: |application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| +# |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| +# |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream| +# |application/csp-report| |application/xss-auditor-report| |text/plain| +# Uncomment this rule to change the default. +SecAction \ + "id:900220,\ + phase:1,\ + nolog,\ + pass,\ + t:none,\ + setvar:'tx.allowed_request_content_type=<%= @content_types -%>'" + +# Allowed HTTP versions. +# Default: HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 +# Example for legacy clients: HTTP/0.9 HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 +# Note that some web server versions use 'HTTP/2', some 'HTTP/2.0', so +# we include both version strings by default. +# Uncomment this rule to change the default. +#SecAction \ +# "id:900230,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0'" + +# Forbidden file extensions. +# Guards against unintended exposure of development/configuration files. +# Default: .asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/ +# Example: .bak/ .config/ .conf/ .db/ .ini/ .log/ .old/ .pass/ .pdb/ .rdb/ .sql/ +# Uncomment this rule to change the default. +SecAction \ + "id:900240,\ + phase:1,\ + nolog,\ + pass,\ + t:none,\ + setvar:'tx.restricted_extensions=<%= @restricted_extensions -%>'" + +# Forbidden request headers. +# Header names should be lowercase, enclosed by /slashes/ as delimiters. +# Blocking Proxy header prevents 'httpoxy' vulnerability: https://httpoxy.org +# Default: /proxy/ /lock-token/ /content-range/ /if/ +# Uncomment this rule to change the default. +SecAction \ + "id:900250,\ + phase:1,\ + nolog,\ + pass,\ + t:none,\ + setvar:'tx.restricted_headers=<%= @restricted_headers -%>'" + +# File extensions considered static files. +# Extensions include the dot, lowercase, enclosed by /slashes/ as delimiters. +# Used in DoS protection rule. See section "Anti-Automation / DoS Protection". +# Default: /.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/ +# Uncomment this rule to change the default. +#SecAction \ +# "id:900260,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/'" + +# Content-Types charsets that a client is allowed to send in a request. +# Default: utf-8|iso-8859-1|iso-8859-15|windows-1252 +# Uncomment this rule to change the default. +# Use "|" to separate multiple charsets like in the rule defining +# tx.allowed_request_content_type. +#SecAction \ +# "id:900280,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:'tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252'" + +# +# -- [[ HTTP Argument/Upload Limits ]] ----------------------------------------- +# +# Here you can define optional limits on HTTP get/post parameters and uploads. +# This can help to prevent application specific DoS attacks. +# +# These values are checked in REQUEST-920-PROTOCOL-ENFORCEMENT.conf. +# Beware of blocking legitimate traffic when enabling these limits. +# + +# Block request if number of arguments is too high +# Default: unlimited +# Example: 255 +# Uncomment this rule to set a limit. +SecAction \ + "id:900300,\ + phase:1,\ + nolog,\ + pass,\ + t:none,\ + setvar:tx.max_num_args=<%= @secrequestmaxnumargs %>" + +# Block request if the length of any argument name is too high +# Default: unlimited +# Example: 100 +# Uncomment this rule to set a limit. +#SecAction \ +# "id:900310,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:tx.arg_name_length=100" + +# Block request if the length of any argument value is too high +# Default: unlimited +# Example: 400 +# Uncomment this rule to set a limit. +#SecAction \ +# "id:900320,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:tx.arg_length=400" + +# Block request if the total length of all combined arguments is too high +# Default: unlimited +# Example: 64000 +# Uncomment this rule to set a limit. +#SecAction \ +# "id:900330,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:tx.total_arg_length=64000" + +# Block request if the file size of any individual uploaded file is too high +# Default: unlimited +# Example: 1048576 +# Uncomment this rule to set a limit. +#SecAction \ +# "id:900340,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:tx.max_file_size=1048576" + +# Block request if the total size of all combined uploaded files is too high +# Default: unlimited +# Example: 1048576 +# Uncomment this rule to set a limit. +#SecAction \ +# "id:900350,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:tx.combined_file_sizes=1048576" + + +# +# -- [[ Easing In / Sampling Percentage ]] ------------------------------------- +# +# Adding the Core Rule Set to an existing productive site can lead to false +# positives, unexpected performance issues and other undesired side effects. +# +# It can be beneficial to test the water first by enabling the CRS for a +# limited number of requests only and then, when you have solved the issues (if +# any) and you have confidence in the setup, to raise the ratio of requests +# being sent into the ruleset. +# +# Adjust the percentage of requests that are funnelled into the Core Rules by +# setting TX.sampling_percentage below. The default is 100, meaning that every +# request gets checked by the CRS. The selection of requests, which are going +# to be checked, is based on a pseudo random number generated by ModSecurity. +# +# If a request is allowed to pass without being checked by the CRS, there is no +# entry in the audit log (for performance reasons), but an error log entry is +# written. If you want to disable the error log entry, then issue the +# following directive somewhere after the inclusion of the CRS +# (E.g., RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf). +# +# SecRuleUpdateActionById 901150 "nolog" +# +# ATTENTION: If this TX.sampling_percentage is below 100, then some of the +# requests will bypass the Core Rules completely and you lose the ability to +# protect your service with ModSecurity. +# +# Uncomment this rule to enable this feature: +# +#SecAction "id:900400,\ +# phase:1,\ +# pass,\ +# nolog,\ +# setvar:tx.sampling_percentage=100" + + +# +# -- [[ Project Honey Pot HTTP Blacklist ]] ------------------------------------ +# +# Optionally, you can check the client IP address against the Project Honey Pot +# HTTPBL (dnsbl.httpbl.org). In order to use this, you need to register to get a +# free API key. Set it here with SecHttpBlKey. +# +# Project Honeypot returns multiple different malicious IP types. +# You may specify which you want to block by enabling or disabling them below. +# +# Ref: https://www.projecthoneypot.org/httpbl.php +# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecHttpBlKey +# +# Uncomment these rules to use this feature: +# +#SecHttpBlKey XXXXXXXXXXXXXXXXX +#SecAction "id:900500,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:tx.block_search_ip=1,\ +# setvar:tx.block_suspicious_ip=1,\ +# setvar:tx.block_harvester_ip=1,\ +# setvar:tx.block_spammer_ip=1" + + +# +# -- [[ GeoIP Database ]] ------------------------------------------------------ +# +# There are some rulesets that inspect geolocation data of the client IP address +# (geoLookup). The CRS uses geoLookup to implement optional country blocking. +# +# To use geolocation, we make use of the MaxMind GeoIP database. +# This database is not included with the CRS and must be downloaded. +# +# There are two formats for the GeoIP database. ModSecurity v2 uses GeoLite (.dat files), +# and ModSecurity v3 uses GeoLite2 (.mmdb files). +# +# If you use ModSecurity 3, MaxMind provides a binary for updating GeoLite2 files, +# see https://github.com/maxmind/geoipupdate. +# +# Download the package for your OS, and read https://dev.maxmind.com/geoip/geoipupdate/ +# for configuration options. +# +# Warning: GeoLite (not GeoLite2) databases are considered legacy, and not being updated anymore. +# See https://support.maxmind.com/geolite-legacy-discontinuation-notice/ for more info. +# +# Therefore, if you use ModSecurity v2, you need to regenerate updated .dat files +# from CSV files first. +# +# You can achieve this using https://github.com/sherpya/geolite2legacy +# Pick the zip files from maxmind site: +# https://geolite.maxmind.com/download/geoip/database/GeoLite2-Country-CSV.zip +# +# Follow the guidelines for installing the tool and run: +# ./geolite2legacy.py -i GeoLite2-Country-CSV.zip \ +# -f geoname2fips.csv -o /usr/share/GeoliteCountry.dat +# +# Update the database regularly, see Step 3 of the configuration link above. +# +# By default, when you execute `sudo geoipupdate` on Linux, files from the free database +# will be downloaded to `/usr/share/GeoIP` (both v1 and v2). +# +# Then choose from: +# - `GeoLite2-Country.mmdb` (if you are using ModSecurity v3) +# - `GeoLiteCountry.dat` (if you are using ModSecurity v2) +# +# Ref: http://blog.spiderlabs.com/2010/10/detecting-malice-with-modsecurity-geolocation-data.html +# Ref: http://blog.spiderlabs.com/2010/11/detecting-malice-with-modsecurity-ip-forensics.html +# +# Uncomment only one of the next rules here to use this feature. +# Choose the one depending on the ModSecurity version you are using, and change the path accordingly: +# +# For ModSecurity v3: +#SecGeoLookupDB /usr/share/GeoIP/GeoLite2-Country.mmdb +# For ModSecurity v2 (points to the converted one): +#SecGeoLookupDB /usr/share/GeoIP/GeoLiteCountry.dat + +# +# -=[ Block Countries ]=- +# +# Rules in the IP Reputation file can check the client against a list of high +# risk country codes. These countries have to be defined in the variable +# tx.high_risk_country_codes via their ISO 3166 two-letter country code: +# https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#Officially_assigned_code_elements +# +# If you are sure that you are not getting any legitimate requests from a given +# country, then you can disable all access from that country via this variable. +# The rule performing the test has the rule id 910100. +# +# This rule requires SecGeoLookupDB to be enabled and the GeoIP database to be +# downloaded (see the section "GeoIP Database" above.) +# +# By default, the list is empty. A list used by some sites was the following: +# setvar:'tx.high_risk_country_codes=UA ID YU LT EG RO BG TR RU PK MY CN'" +# +# Uncomment this rule to use this feature: +# +#SecAction \ +# "id:900600,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:'tx.high_risk_country_codes='" + + +# +# -- [[ Anti-Automation / DoS Protection ]] ------------------------------------ +# +# Optional DoS protection against clients making requests too quickly. +# +# When a client is making more than 100 requests (excluding static files) within +# 60 seconds, this is considered a 'burst'. After two bursts, the client is +# blocked for 600 seconds. +# +# Requests to static files are not counted towards DoS; they are listed in the +# 'tx.static_extensions' setting, which you can change in this file (see +# section "HTTP Policy Settings"). +# +# For a detailed description, see rule file REQUEST-912-DOS-PROTECTION.conf. +# +# Uncomment this rule to use this feature: +# +<% if @enable_dos_protection -%> +SecAction \ + "id:900700,\ + phase:1,\ + nolog,\ + pass,\ + t:none,\ + setvar:'tx.dos_burst_time_slice=<%= @dos_burst_time_slice %>',\ + setvar:'tx.dos_counter_threshold=<%= @dos_counter_threshold %>',\ + setvar:'tx.dos_block_timeout=<%= @dos_block_timeout %>'" +<% end -%> + +# +# -- [[ Check UTF-8 encoding ]] ------------------------------------------------ +# +# The CRS can optionally check request contents for invalid UTF-8 encoding. +# We only want to apply this check if UTF-8 encoding is actually used by the +# site; otherwise it will result in false positives. +# +# Uncomment this rule to use this feature: +# +#SecAction \ +# "id:900950,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:tx.crs_validate_utf8_encoding=1" + + +# +# -- [[ Blocking Based on IP Reputation ]] ------------------------------------ +# +# Blocking based on reputation is permanent in the CRS. Unlike other rules, +# which look at the individual request, the blocking of IPs is based on +# a persistent record in the IP collection, which remains active for a +# certain amount of time. +# +# There are two ways an individual client can become flagged for blocking: +# - External information (RBL, GeoIP, etc.) +# - Internal information (Core Rules) +# +# The record in the IP collection carries a flag, which tags requests from +# individual clients with a flag named IP.reput_block_flag. +# But the flag alone is not enough to have a client blocked. There is also +# a global switch named tx.do_reput_block. This is off by default. If you set +# it to 1 (=On), requests from clients with the IP.reput_block_flag will +# be blocked for a certain duration. +# +# Variables +# ip.reput_block_flag Blocking flag for the IP collection record +# ip.reput_block_reason Reason (= rule message) that caused to blocking flag +# tx.do_reput_block Switch deciding if we really block based on flag +# tx.reput_block_duration Setting to define the duration of a block +# +# It may be important to know, that all the other core rules are skipped for +# requests, when it is clear that they carry the blocking flag in question. +# +# Uncomment this rule to use this feature: +# +#SecAction \ +# "id:900960,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:tx.do_reput_block=1" +# +# Uncomment this rule to change the blocking time: +# Default: 300 (5 minutes) +# +#SecAction \ +# "id:900970,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:tx.reput_block_duration=300" + + +# +# -- [[ Collection timeout ]] -------------------------------------------------- +# +# Set the SecCollectionTimeout directive from the ModSecurity default (1 hour) +# to a lower setting which is appropriate to most sites. +# This increases performance by cleaning out stale collection (block) entries. +# +# This value should be greater than or equal to: +# tx.reput_block_duration (see section "Blocking Based on IP Reputation") and +# tx.dos_block_timeout (see section "Anti-Automation / DoS Protection"). +# +# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecCollectionTimeout + +# Please keep this directive uncommented. +# Default: 600 (10 minutes) +SecCollectionTimeout 600 + + +# +# -- [[ End of setup ]] -------------------------------------------------------- +# +# The CRS checks the tx.crs_setup_version variable to ensure that the setup +# has been loaded. If you are not planning to use this setup template, +# you must manually set the tx.crs_setup_version variable before including +# the CRS rules/* files. +# +# The variable is a numerical representation of the CRS version number. +# E.g., v3.0.0 is represented as 300. +# +SecAction \ + "id:900990,\ + phase:1,\ + nolog,\ + pass,\ + t:none,\ + setvar:tx.crs_setup_version=332" +<% end -%> + diff --git a/templates/mod/security_custom.conf.epp b/templates/mod/security_custom.conf.epp new file mode 100644 index 0000000000..e2570c44a1 --- /dev/null +++ b/templates/mod/security_custom.conf.epp @@ -0,0 +1,6 @@ +# This file is managed by puppet, any direct modification will be overwritten. +<% if $custom_rules_set and !($custom_rules_set.empty) { -%> +<% $custom_rules_set.each |$secrule| { -%> +SecRule <%= $secrule %> +<% } -%> +<% } -%> \ No newline at end of file diff --git a/templates/mod/setenvif.conf.erb b/templates/mod/setenvif.conf.epp similarity index 100% rename from templates/mod/setenvif.conf.erb rename to templates/mod/setenvif.conf.epp diff --git a/templates/mod/ssl.conf.epp b/templates/mod/ssl.conf.epp new file mode 100644 index 0000000000..39c2f82703 --- /dev/null +++ b/templates/mod/ssl.conf.epp @@ -0,0 +1,58 @@ + + SSLRandomSeed startup builtin + SSLRandomSeed startup file:/dev/urandom <%= $ssl_random_seed_bytes %> + SSLRandomSeed connect builtin + SSLRandomSeed connect file:/dev/urandom <%= $ssl_random_seed_bytes %> + + AddType application/x-x509-ca-cert .crt + AddType application/x-pkcs7-crl .crl + + SSLPassPhraseDialog <%= $ssl_pass_phrase_dialog %> + SSLSessionCache "shmcb:<%= $ssl_sessioncache %>" + SSLSessionCacheTimeout <%= $ssl_sessioncachetimeout %> + Mutex <%= $ssl_mutex %> + <%- if $ssl_compression { -%> + SSLCompression <%= apache::bool2httpd($ssl_compression) %> + <%- } -%> + <%- if $ssl_sessiontickets != undef { -%> + SSLSessionTickets <%= apache::bool2httpd($ssl_sessiontickets) %> + <%- } -%> + SSLCryptoDevice <%= $ssl_cryptodevice %> + SSLHonorCipherOrder <%= apache::bool2httpd($_ssl_honorcipherorder) %> + <%- if $ssl_cert { -%> + SSLCertificateFile "<%= $ssl_cert %>" + <%- } -%> + <%- if $ssl_key { -%> + SSLCertificateKeyFile "<%= $ssl_key %>" + <%- } -%> + <%- if $ssl_ca { -%> + SSLCACertificateFile "<%= $ssl_ca %>" + <%- } -%> + SSLUseStapling <%= apache::bool2httpd($ssl_stapling) %> + <%- if $ssl_stapling_return_errors != undef { -%> + SSLStaplingReturnResponderErrors <%= apache::bool2httpd($ssl_stapling_return_errors) %> + <%- } -%> + SSLStaplingCache "shmcb:<%= $_stapling_cache %>" + <%- if String(type($ssl_cipher, 'generalized')).index('Hash') == 0 { -%> + <%- $ssl_cipher.map |$protocol, $cipher| { -%> + SSLCipherSuite <%= $protocol %> <%= $cipher %> + <%- } -%> + <%- } else { -%> + SSLCipherSuite <%= $ssl_cipher %> + <%- } -%> +<% if !($ssl_protocol.empty) { -%> + SSLProtocol <%= $ssl_protocol.filter |$item| { $item != undef }.join(' ') %> +<% } -%> +<% if !($ssl_proxy_protocol.empty) { -%> + SSLProxyProtocol <%= $ssl_proxy_protocol.filter |$item| { $item != undef }.join(' ') %> +<% } -%> +<% if $ssl_proxy_cipher_suite { -%> + SSLProxyCipherSuite <%= $ssl_proxy_cipher_suite %> +<% } -%> +<% if $ssl_options { -%> + SSLOptions <%= $ssl_options.filter |$item| { $item != undef }.join(' ') %> +<% } -%> +<%- if $ssl_openssl_conf_cmd { -%> + SSLOpenSSLConfCmd <%= $ssl_openssl_conf_cmd %> +<%- } -%> + diff --git a/templates/mod/ssl.conf.erb b/templates/mod/ssl.conf.erb deleted file mode 100644 index 854a0d0a64..0000000000 --- a/templates/mod/ssl.conf.erb +++ /dev/null @@ -1,21 +0,0 @@ - - SSLRandomSeed startup builtin - SSLRandomSeed startup file:/dev/urandom 512 - SSLRandomSeed connect builtin - SSLRandomSeed connect file:/dev/urandom 512 - - AddType application/x-x509-ca-cert .crt - AddType application/x-pkcs7-crl .crl - - SSLPassPhraseDialog builtin - SSLSessionCache shmcb:<%= @session_cache %> - SSLSessionCacheTimeout 300 -<% if @ssl_compression -%> - SSLCompression Off -<% end -%> - SSLMutex <%= @ssl_mutex %> - SSLCryptoDevice builtin - SSLHonorCipherOrder On - SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5 - SSLProtocol all -SSLv2 - diff --git a/templates/mod/status.conf.epp b/templates/mod/status.conf.epp new file mode 100644 index 0000000000..b7031956ed --- /dev/null +++ b/templates/mod/status.conf.epp @@ -0,0 +1,14 @@ +> + SetHandler server-status + <%# From Puppet 4.2 up, replace: -%> + <%# "scope.function_template(["apache/mod/