Version information
This version is compatible with:
- Puppet Enterprise 2023.8.x, 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x, 2017.2.x, 2017.1.x, 2016.5.x, 2016.4.x
- Puppet >= 3.8.0
Start using this module
Add this module to your Puppetfile:
mod 'eyp-apache', '0.6.3'
apache
Table of Contents
Overview
Apache httpd setup
Module Description
apache httpd and apache modules management
Setup
What apache affects
- installs httpd package
- optionally, manages httpd service
- puppet managed directories (purges unmanaged files):
- ${apache_confdir}/conf.d
- ${apache_confdir}/conf.d/sites
- ${apache_confdir}/ssl
Beginning with apache
Basic setup:
class { 'apache': }

apache::vhost { 'default':
  defaultvh    => true,
  documentroot => '/var/www/void',
}

apache::vhost { 'et2blog':
  documentroot => '/var/www/et2blog',
}
Usage
This section collects several usage examples; most of them were also used to exercise the module's features in the acceptance tests (spec/acceptance/base*_spec.rb).
General options
aliasmatch, scriptalias, rewrites and directory directives
apache::vhost { 'testing.lol':
  order          => '77',
  serveradmin    => 'root@lolcathost.lol',
  serveralias    => [ '1.testing.lol', '2.testing.lol' ],
  documentroot   => '/var/www/testing/',
  options        => [ 'Indexes', 'FollowSymLinks', 'MultiViews' ],
  rewrites       => [
    'RewriteCond %{HTTP_HOST} !^testing\.lol',
    'RewriteRule ^/(.*)$ http://www\.testing\.lol/$1 [R=301,L]',
  ],
  aliasmatch     => {
    'RUC/lol' => '/var/www/testing/hc.php',
    '(.*)'    => '/var/www/testing/cc.php',
  },
  scriptalias    => { '/cgi-bin/' => '"/var/www/testing/cgi-bin/"' },
  directoryindex => [ 'index.php', 'lolindex.php', 'lol.html' ],
}

apache::directory { 'testing.lol':
  vhost_order   => '77',
  directory     => '/var/www/testing/cgi-bin/',
  options       => [ '+ExecCGI', '-Includes' ],
  allowoverride => 'None',
}
redirect
apache::vhost { 'et2blog':
  documentroot => '/var/www/et2blog',
}

apache::redirect { 'et2blog':
  path => '/',
  url  => 'http://systemadmin.es/',
}
proxypass
class { 'apache::mod::proxy': }
class { 'apache::mod::proxyajp': }
class { 'apache::mod::proxybalancer': }

apache::mod::proxy::balancer { 'test':
  members => {
    'ajp://app1.example.com:8009' => undef,
    'ajp://app2.example.com:8009' => undef,
  },
}

apache::mod::proxy::proxypass { '/lol':
  destination => 'balancer://test',
  servername  => 'et2blog',
}
custom logformats
Custom log formats can be added through the logformats hash, for example:

class { 'apache':
  server_admin          => 'webmaster@localhost',
  maxclients            => '150',
  maxrequestsperchild   => '1000',
  customlog_type        => 'vhost_combined',
  logformats            => {
    'vhost_combined' =>
      '%v:%p %h %l %u %t \\"%r\\" %>s %O \\"%{Referer}i\\" \\"%{User-Agent}i\\"',
  },
  add_defult_logformats => true,
}
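As an added example (not part of the module), a small Python parser for lines written in the vhost_combined format defined above, with a count of 401/403/404 responses per client and vhost; the sample log lines are constructed for the example, and the `%v:%p` prefix is what standard combined-log parsers do not handle.

```python
"""Parse lines written by the vhost_combined LogFormat from the logformats
example (%v:%p %h %l %u %t "%r" %>s %O "%{Referer}i" "%{User-Agent}i") and
summarise error responses per client and vhost. Added example, not module code."""
import re
from collections import Counter
from datetime import datetime

# One named group per field of the vhost_combined format. %O (bytes sent including
# headers) is always numeric, but '-' is accepted so %b-style lines also parse.
VHOST_COMBINED = re.compile(
    r'^(?P<vhost>[^:\s]+):(?P<port>\d+) (?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def parse_line(line):
    """Return a dict of the fields, or None if the line is not in vhost_combined format."""
    m = VHOST_COMBINED.match(line.rstrip('\n'))
    if not m:
        return None
    rec = m.groupdict()
    rec['port'] = int(rec['port'])
    rec['status'] = int(rec['status'])
    rec['bytes'] = 0 if rec['bytes'] == '-' else int(rec['bytes'])
    rec['time'] = datetime.strptime(rec['time'], '%d/%b/%Y:%H:%M:%S %z')
    parts = rec['request'].split(' ')
    rec['method'], rec['path'] = (parts[0], parts[1]) if len(parts) >= 2 else ('', rec['request'])
    return rec

def error_counts(lines, statuses=(401, 403, 404)):
    """Count auth/not-found responses per (vhost, client): a cheap way to spot one
    client probing many paths across the vhosts this module manages."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec['status'] in statuses:
            counts[(rec['vhost'], rec['client'])] += 1
    return counts

# Constructed sample lines in the page's vhost_combined format (not real traffic).
SAMPLE_LOG = [
    'et2blog:80 203.0.113.7 - - [19/Sep/2018:10:15:32 +0200] "GET /wp-login.php HTTP/1.1" 404 512 "-" "curl/7.58.0"',
    'et2blog:80 203.0.113.7 - - [19/Sep/2018:10:15:33 +0200] "GET /xmlrpc.php HTTP/1.1" 404 498 "-" "curl/7.58.0"',
    'et2blog:80 198.51.100.4 - - [19/Sep/2018:10:15:40 +0200] "GET / HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    'systemadmin.es:81 203.0.113.7 - - [19/Sep/2018:10:16:01 +0200] "GET /server-status HTTP/1.1" 403 301 "-" "curl/7.58.0"',
    'garbage line that is not in vhost_combined format',
]

if __name__ == '__main__':
    for (vhost, client), n in sorted(error_counts(SAMPLE_LOG).items()):
        print(f'{vhost:<16} {client:<14} {n} error responses')
```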
Load custom module
apache::module { 'asis_module':
  sofile => 'modules/mod_asis.so',
}
server-status
server-status on a custom vhost with restricted IPs
apache::vhost { 'default':
  defaultvh    => true,
  documentroot => '/var/www/void',
}

apache::vhost { 'et2blog':
  documentroot => '/var/www/et2blog',
}

apache::serverstatus { 'et2blog': }

apache::vhost { 'systemadmin.es':
  order        => '10',
  port         => '81',
  documentroot => '/var/www/systemadmin',
}

apache::serverstatus { 'systemadmin.es':
  order     => '10',
  port      => '81',
  allowedip => [ '1.1.1.1', '2.2.2.2', '4.4.4.4 5.5.5.5', '127.', '::1' ],
}
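As an added example (not the module's code), a Python check that evaluates a client address against an allowedip list the way Apache's address syntax reads it, so a list like the one above can be reviewed before it guards server-status. It assumes the Apache address forms: a full address, CIDR, or 1 to 3 leading IPv4 octets (a trailing dot, as in '127.', is ignored), with one entry allowed to hold several space-separated addresses; it also flags entries that open more than a handful of hosts.

```python
"""Check a client address against an eyp-apache allowedip list using Apache's
Require ip / Allow from address forms. Added example, not code from the module."""
import ipaddress

def parse_entry_token(token):
    """Convert one Apache address token into an ip_network.

    Handles a full IPv4/IPv6 address, CIDR notation and (assumed Apache
    partial-IP rule) 1 to 3 leading IPv4 octets with an optional trailing
    dot, so '127.' becomes 127.0.0.0/8 and '10.1' becomes 10.1.0.0/16.
    """
    try:
        return ipaddress.ip_network(token, strict=False)
    except ValueError:
        pass
    octets = token.rstrip('.').split('.')
    if not 1 <= len(octets) <= 3 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f'not an Apache address or partial address: {token!r}')
    padded = '.'.join(octets + ['0'] * (4 - len(octets)))
    return ipaddress.ip_network(f'{padded}/{8 * len(octets)}')

def expand_allowedip(allowedip):
    """Flatten the list: one entry may carry several space-separated addresses,
    as '4.4.4.4 5.5.5.5' does in the server-status example."""
    return [parse_entry_token(tok) for entry in allowedip for tok in entry.split()]

def is_allowed(client_ip, allowedip):
    """True if client_ip falls inside any network the list grants."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in expand_allowedip(allowedip))

def broad_entries(allowedip, max_hosts=256):
    """Entries that admit more than max_hosts addresses; a partial IP such as
    '127.' quietly opens a whole /8, which deserves a second look."""
    return [str(net) for net in expand_allowedip(allowedip) if net.num_addresses > max_hosts]

# The list from the server-status example above.
ALLOWED = ['1.1.1.1', '2.2.2.2', '4.4.4.4 5.5.5.5', '127.', '::1']

if __name__ == '__main__':
    for ip in ('127.0.0.1', '5.5.5.5', '::1', '5.5.5.6', '10.0.0.1'):
        print(f'{ip:<10} allowed={is_allowed(ip, ALLOWED)}')
    print('broad entries:', broad_entries(ALLOWED))
```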
mod_php
class { 'apache': }

apache::vhost { 'default':
  defaultvh    => true,
  documentroot => '/var/www/void',
}

class { 'apache::mod::php': }
addtype
apache::addtype { '.sinep':
  mediatype => 'application/sinep',
}
SSL
SSL setup using yaml
classes:
  - apache
apache::listen:
  - 80
  - 443
apache::ssl: true
apachecerts:
  systemadmin:
    cert_source: puppet:///customers/systemadmin/star_systemadmin_net.crt
    pk_source: puppet:///customers/systemadmin/star_systemadmin_net.key
    intermediate_source: puppet:///customers/systemadmin/star_systemadmin_net.intermediate
apachevhosts:
  systemadmin:
    documentroot: /var/www/systemadmin
  systemadmin_ssl:
    documentroot: /var/www/systemadmin
    port: 443
    certname: systemadmin
SSL without intermediate certificate
If we don't have an intermediate certificate, we can disable it with use_intermediate (intended for testing only):

apache::vhost { 'et2blog_ssl':
  documentroot     => '/var/www/et2blog',
  port             => 443,
  certname         => 'cert_et2blog_ssl',
  use_intermediate => false,
}
HSTS
apache::vhost { 'et2blog':
  documentroot            => '/var/www/et2blog',
  hsts                    => true,
  hsts_include_subdomains => true,
}
mod_nss
# vhost for ZnVja3RoYXRiaXRjaAo.com
apache::vhost { 'ZnVja3RoYXRiaXRjaAo.com':
  port         => '443',
  documentroot => '/var/www/void',
}

# generate CSR
apache::nss::csr { 'test2':
  cn                => 'ZnVja3RoYXRiaXRjaAo.com',
  organization      => 'systemadmin.es',
  organization_unit => 'shitty apache modules team',
  locality          => 'barcelona',
  state             => 'barcelona',
  country           => 'RC', # Catalan Republic
}

# import intermediate
apache::nss::intermediate { 'intermediate':
  intermediate_source => 'puppet:///certs/intermediate.crt',
}

# import actual certificate
apache::nss::cert { 'ZnVja3RoYXRiaXRjaAo':
  intermediate_source => 'puppet:///certs/cert.crt',
}

# enable mod_nss for this vhost
apache::nss { 'ZnVja3RoYXRiaXRjaAo.com':
  port => '443',
}
Sorry page
Every vhost created using this module has an alternative vhost that takes the site down with an HTTP 503 response.
enable/disable sorry page
To enable or disable the sorry page for a given site we just need to flip site_running:

apache::vhost { 'systemadmin.es':
  order        => '10',
  port         => '81',
  documentroot => '/var/www/systemadmin',
  site_running => false,
}
Custom sorry page
The custom_sorrypage hash must contain both keys (path and errordocument):

apache::vhost { 'systemadmin.es':
  order            => '10',
  port             => '81',
  documentroot     => '/var/www/systemadmin',
  custom_sorrypage => {
    'path'          => '/var/www/systemadmin/maintenance',
    'errordocument' => 'maintenance.html',
  },
}
includes
apache::include_conf { '/etc':
  files => [ 'demo.conf' ],
}
mod_headers
apache::header
apache::vhost { 'et2blog':
  documentroot => '/var/www/et2blog',
}

apache::header { 'et2blog':
  header_name  => 'X-Joke',
  header_value => 'no hay MAC que por ARP no venga',
  condition    => 'always',
}

This adds the following directive:

Header onsuccess set X-Joke "no hay MAC que por ARP no venga"
mod_proxy
mod_proxy_balancer
classes:
  - apache
  - apache::mod::expires
  - apache::mod::proxy
  - apache::mod::proxybalancer
  - apache::mod::proxyajp
apache::listen:
  - 7790
apachevhosts:
  default:
    defaultvh: true
    documentroot: /var/www/void
    port: 7790
  pspstores.systemadmin.es:
    documentroot: /var/www/void
    port: 7790
apachebalancers:
  pspstores:
    members:
      'ajp://192.168.56.19:9509': undef
      'ajp://192.168.56.18:9509': undef
apacheproxypasses:
  '/':
    destination: 'balancer://pspstores'
    servername: pspstores.systemadmin.es
    port: 7790
  '/manager':
    destination: '!'
    servername: pspstores.systemadmin.es
    port: 7790
  '/host-manager':
    destination: '!'
    servername: pspstores.systemadmin.es
    port: 7790
Exclude healthcheck
apache::vhost { 'systemadmin.es':
  order            => '10',
  port             => '81',
  documentroot     => '/var/www/systemadmin',
  custom_sorrypage => {
    'path'          => '/var/www/systemadmin/maintenance',
    'errordocument' => 'maintenance.html',
    'healthcheck'   => 'healthcheck/healthcheck.html',
  },
}
FCGI
class { 'apache::fcgi':
  fcgihost => '192.168.56.18',
}
Reference
facts
- eyp_apache_gcc: get gcc version
- eyp_apache_make: get make version
- eyp_apache_opensslver: get openssl version
global hiera settings
- eypapache::monitips: IP list allowed by default in the default vhost; used by apache::serverstatus as its default list of allowed IPs
- eypapache::pfs: enable Perfect Forward Secrecy (PFS); this changes the default ciphers to ECC-based ones
classes
apache
private classes:
- apache::params: apache default values
- apache::service: apache service
- apache::version: detect distro's apache version
apache variables:
- operational variables:
- manage_service = true,
- manage_docker_service = false,
- purge_logrotate: Purge package's related logrotate configuration (default: true)
- compress_logs_mtime: compress log files after this value (for example: +3, default: undef)
- delete_logs_mtime: delete log files after this value (for example: +3, default: undef)
- distro related variables:
- version = $apache::version::default,
- apache_username = $apache::params::apache_username,
- apache_group = $apache::params::apache_group,
- logdir = $apache::params::logdir,
- general options:
- mpm = $apache::params::mpm_default,
- servertokens = $apache::params::servertokens_default,
- timeout = $apache::params::timeout_default,
- keepalive = $apache::params::keepalive_default,
- keepalivetimeout = $apache::params::keepalivetimeout_default,
- maxkeepalivereq = $apache::params::maxkeepalivereq_default,
- extendedstatus = $apache::params::extendedstatus_default,
- serversignature = $apache::params::serversignature_default,
- listen = [ '80' ],
- namevirtualhosts = undef,
- ssl = false,
- sni = true,
- trace = false,
- server_admin = $apache::params::server_admin_default,
- directoty_index = [ 'index.html' ],
- maxclients = $apache::params::maxclients_default,
- maxrequestsperchild = $apache::params::maxrequestsperchild_default,
- customlog_type = $apache::params::customlog_type_default,
- logformats = undef,
- add_defult_logformats = true,
- server_name = $apache::params::server_name_default,
- ssl_compression = $apache::params::ssl_compression_default,
- ssl_protocol = $apache::params::ssl_protocol_default,
- ssl_chiphersuite = $apache::params::ssl_chiphersuite_default,
- defaultcharset = 'UTF-8',
- loglevel_errorlog = 'warn',
- usecanonicalname = false,
- default_documentroot = '/var/www/html',
- accessfilename = '.htaccess',
- hostnamelookups = false,
- startservers = 8,
- minspareservers = 5,
- maxspareservers = 20,
apache::fcgi
installs mod_fastcgi
- srcdir: (default: /usr/local/src)
- handler_name: (default: resource's name)
- fcgihost: (default: 127.0.0.1)
- fcgiport: (default: 9000)
modules
apache::mod::deflate
- ensure: installed/purged (default: installed)
apache::mod::expires
- ensure: installed/purged (default: installed)
- expires_active: true/false (default: true)
- default_expire: default expire policy (default: access plus 1 year)
apache::mod::php
WARNING Only works on Ubuntu 14.04
- ensure: installed/purged (default: installed)
apache::mod::proxy
- ensure: installed/purged (default: installed)
apache::mod::proxyajp
- ensure: installed/purged (default: installed)
apache::mod::proxybalancer
- ensure: installed/purged (default: installed)
apache::mod::proxyconnect
- ensure: installed/purged (default: installed)
apache::mod::proxyftp
- ensure: installed/purged (default: installed)
apache::mod::proxyhttp
- ensure: installed/purged (default: installed)
apache::mod::nss
- ensure: installed/purged (default: installed)
- randomseed: Array to configure a set of sources to seed the PRNG of the SSL library. (default: builtin)
NSSRandomSeed startup builtin
NSSRandomSeed startup file:/dev/random 512
NSSRandomSeed startup file:/dev/urandom 512
defines
apache::cert
- pk_source: private key source, incompatible with pk_file
- pk_file: private key file path, the file is already present on the filesystem; incompatible with pk_source (intended for testing only)
- cert_source: certificate source, incompatible with cert_file
- cert_file: certificate file path, the file is already present on the filesystem; incompatible with cert_source (intended for testing only)
- intermediate_source: intermediate certificate source
- certname: cert name (default: resource's name)
- version: optional, cert version (to be able to keep several versions)
apache::custom_conf
- source: file to deploy
- filename: file to be deployed (default: resource's name)
file will be deployed in this path: ${apache::params::baseconf}/conf.d/$(unknown).conf
apache::directory
- order: order of the vhost where we want to deploy the directory (default: 00)
- port: port of the vhost where we want to deploy the directory (default: 80)
- servername: servername on which we want to deploy the directory (default: resource's name)
- directory: directory to define (mandatory)
- allowedip: allow a given set of IPs to this directory (default: undef)
- denyip: deny a given set of IPs to this directory (default: undef)
- options: directory options (default: [ 'FollowSymlinks' ])
- allowoverride: allow override (default: None)
apache::module
- sofile: file to load
- modname: module name (default: resource's name)
- order: just in case it's relevant
apache::serverstatus
- order: order of the vhost where we want to deploy the server-status (default: 00)
- port: port of the vhost where we want to deploy the server-status (default: 80)
- serverstatus_url: server-status URL (default: /server-status)
- servername: servername on which we want to deploy the server-status
- allowedip: (default: eypapache::monitips)
- defaultvh: Defines whether this server-status is intended to be used in the default vhost or not (default: false)
apache::redirect
- url: destination URL
- path: path to redirect
- status: redirect type (default: permanent)
- match: whether to use RedirectMatch or not (default: undef)
- order: order of the vhost where we want to deploy the redirect (default: 00)
- port: port of the vhost where we want to deploy the redirect (default: 80)
- servername: servername on which we want to deploy the redirect
example:

apache::redirect { 'et2blog':
  path => '/',
  url  => 'http://systemadmin.es/',
}
apache::vhost
- documentroot: DocumentRoot
- order: Order (default: 00)
- port: Listen port (default: 80)
- use_intermediate: (default: true)
- certname_version:
- directoryindex: (default: [ 'index.php', 'index.html', 'index.htm' ])
- defaultvh: Only for default virtual host (default: false)
- defaultvh_ss: Enable or disable default virtual host server status (default: true)
- servername: ServerName (default: $name)
- serveralias: ServerAlias array (default: undef)
- allowedip: Allowed ip for DocumentRoot (default: undef)
- deniedip: Denied ip for DocumentRoot (default: undef)
- rewrites: Rewrites list (default: undef)
- rewrites_source: (default: undef)
- certname: (default: undef)
- serveradmin: ServerAdmin (default: undef)
- aliasmatch: AliasMatch hash (default: undef)
- scriptalias: ScriptAlias hash (default: undef)
- options: Options for DocumentRoot directory (default: [ 'FollowSymlinks' ])
- allowoverride: AllowOverride (default: None)
- aliases: Alias hash (default: undef)
- add_default_logs: Add default logging (default: true)
- site_running: Define if site should be running (true) or sorrypage should be shown (false) (default: true)
- custom_sorrypage: Define a custom sorry page. A hash with 'path' (where sorrypage document is stored) and 'errordocument' (document to load as sorry page) must be provided. If the vhost is load balanced and needs to serve a healthcheck page we can exclude it from 503 adding it to the key 'healthcheck'. (see Usage documentation) (default: undef)
- documentroot_owner: documentroot's owner (default: root)
- documentroot_group: documentroot's group (default: group)
- documentroot_mode: documentroot's mode (default: 0755)
Limitations
Tested on:
- CentOS 6
- CentOS 7
- Ubuntu 16.04
- Ubuntu 18.04
Development
We are pushing to have acceptance testing in place, so any new feature should come with tests that check both the presence and the absence of that feature.
Contributing
- Fork it
- Create your feature branch (git checkout -b my-new-feature)
- Commit your changes (git commit -am 'Added some feature')
- Push to the branch (git push origin my-new-feature)
- Create new Pull Request
CHANGELOG
0.6.3 - 2018-09-19
- fix dependencies
0.6.2 - 2018-06-19
- bugfix mod_php on Ubuntu 14.04
0.6.1
- added ssl certs to sorrypage
- added Ubuntu 18.04 support
0.6.0
- INCOMPATIBLE CHANGES:
- disabled apache modules:
- mod_userdir
- mod_info
- apache user shell under management by default
- changed default LogLevel from warn to notice core:info for Apache 2.4 and warn for Apache 2.2
- apache config cleanup (some useless directives have been removed)
- bugfix: default vhost documentroot ownership
- configurable conf.d purge/recurse
- added apache::vhost::xframeoptions to be able to easily add the X-Frame-Options header to a vhost
- added support for mod_reqtimeout using apache::mod::reqtimeout
- added variables for:
- LimitRequestLine
- LimitRequestFields
- LimitRequestFieldSize
- LimitRequestBody
- added block options to apache::location to be able to disable a specific URL
- added a flag to disable mod_autoindex
- added flag to disable FollowSymlinks by default
- added limit_http_methods variable to apache::location to be able to limit http methods by URL
- added disablereuse variable to apache::proxy::proxypass
- added AD auth support:
- mod_ldap via apache::mod::ldap
- AD auth via apache::vhost::adsauth
0.5.13
- added audit rules for apache config files
0.5.12
- fixed hard-coded SSLSessionCache
0.5.11
- added timeout and connectiontimeout variables to apache::mod::proxy::proxypass
- removed checks for subclasses, auto include required classes
0.5.10
- added variable root_directory_deny to set allow or deny by default to /
0.5.9
- added AllowEncodedSlashes to apache::vhost
0.5.8
- added apache::alias
- added selinux_httpd_use_nfs flag to allow httpd to use NFS mounts
0.5.7
- added listen_address to apache::vhost
- modified apache::mod::proxy::balancer to notify apache service
0.5.6
- added default SSLStaplingCache
0.5.5
- added lbmethod to apache::mod::proxy::balancer
- INCOMPATIBLE CHANGE: apache::mod::proxy::proxypass changed resource's name from $url to $servername, thus url is now a mandatory parameter
0.5.4
- bugfix apache 2.4 - prefork parameters were not being honored
0.5.3
- bugfix apache::logformat
0.5.2
- bugfix apache::header
0.5.1
- added ssl_use_stapling variable (only available on apache 2.4)
- added apache::sslproxy
- added apache::location
- added ssl_options to apache::directory
- added apache::browsermatch
- added description variable to apache::vhost
- added apache::requestheader
- added variables to apache::mod::proxy:
- proxy_requests
- proxy_via
- proxy_preserve_host
- added apache::mod::proxy::proxypassreverse
- added ssl verify options:
- SSLVerifyClient
- SSLVerifyDepth
- added customlog_filter to apache::vhost to be able to filter logs
- added apache::files and apache::filesmatch
- added apache::logformat
- added log related variables to apache::vhost:
- log_format
- log_rotate_seconds
- INCOMPATIBLE CHANGE: changed default values for apache::directory, directory is now mandatory, servername now defaults to resource's name
- bugfix: added unimplemented vhost options to the default vhost
0.4.26
- added apache::addtype
0.4.25
- added variable to be able to set startservers, minspareservers, maxspareservers
- added apache::include_conf
- apache::vhost::includes and apache::vhost::includes_optional to be able to include non puppet managed files to a vhost
- added option for SSLHonorCipherOrder
- added HSTS support: apache::hsts (using mod_headers)
- added a global variable to enable PFS
0.4.24
- apache cert links will notify apache::service (which by the way sets an implicit order)
- limit puppetlabs-concat to < 3.0.0
0.4.23
- added variable to be able to set umask for httpd
0.4.22
- added Ubuntu 16.04 support
0.4.21
- added to apache::vhost:
- documentroot_owner
- documentroot_group
- documentroot_mode
- bugfix ServerAdmin in vhost template
0.4.20
- bugfix to be able to disable authentication on apache::davsvnrepo
0.4.19
- bugfix url_cleanup in apache::davsvnrepo
0.4.18
- added proxytimeout to modproxy
0.4.17
- added defaultcharset to apache::vhost
0.4.16
- added mod_headers support
0.4.15
- changed hiera to hiera_array to merge arrays
0.4.14
- typo svnpath
- bugfix fragment vhost
- bugfix template davsvnrepo.erb
0.4.9
- added apache::davsvnrepo with kerberos auth
0.4.8
- bugfix centos 6: /etc/httpd/modules/mod_authn_core.so
0.4.7
- added kerberos auth support
0.4.6
- minor bugfix
0.4.5
- mod_proxy (ProxyStatus changed default to On)
0.4
- INCOMPATIBLE CHANGE: Changed general ErrorLog and CustomLog to use rotatelogs, deleting any related logrotate stuff
0.3
- modules not loaded anymore by default:
- proxy
- proxy_ajp
- proxy_balancer
- proxy_connect
- proxy_ftp
- proxy_http
Dependencies
- puppetlabs/stdlib (>= 4.12.0 < 9.9.9)
- puppetlabs/concat (>= 1.2.3 < 9.9.9)
- eyp/eyplib (>= 0.1.0 < 0.2.0)
- eyp/audit (>= 0.1.12 < 0.2.0)