Version information
This version is compatible with:
- Puppet Enterprise 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x, 2017.2.x, 2017.1.x, 2016.5.x, 2016.4.x
- Puppet >= 3.8.0
- , , , , ,
Start using this module
Add this module to your Puppetfile:
mod 'eyp-apache', '0.6.3'
Learn more about managing modules with a PuppetfileDocumentation
apache
Table of Contents
Overview
Apache httpd setup
Module Description
apache httpd and apache modules management
Setup
What apache affects
- installs httpd package
- optionally, manages httpd service
- puppet managed directories (purges unmanaged files):
- ${apache_confdir}/conf.d
- ${apache_confdir}/conf.d/sites
- ${apache_confdir}/ssl
Beginning with apache
Basic setup:
class { 'apache': }
apache::vhost {'default':
defaultvh=>true,
documentroot => '/var/www/void',
}
apache::vhost {'et2blog':
documentroot => '/var/www/et2blog',
}
Usage
In this section we have several usage examples, most were used to test module's features or acceptance testing checks (spec/acceptance/base*_spec.rb)
general Options
aliasmatch, scriptalias, rewrites and directory directives
apache::vhost {'testing.lol':
order => '77',
serveradmin => 'root@lolcathost.lol',
serveralias => [ '1.testing.lol', '2.testing.lol' ],
documentroot => '/var/www/testing/',
options => [ 'Indexes', 'FollowSymLinks', 'MultiViews' ],
rewrites => [
'RewriteCond %{HTTP_HOST} !^testing\.lol',
'RewriteRule ^/(.*)$ http://www\.testing\.lol/$1 [R=301,L]'
],
aliasmatch => { 'RUC/lol' => '/var/www/testing/hc.php',
'(.*)' => '/var/www/testing/cc.php'},
scriptalias => { '/cgi-bin/' => '"/var/www/testing/cgi-bin/"' },
directoryindex => [ 'index.php', 'lolindex.php', 'lol.html' ],
}
apache::directory {'testing.lol':
vhost_order => '77',
directory => '/var/www/testing/cgi-bin/',
options => [ '+ExecCGI', '-Includes' ],
allowoverride => 'None',
}
redirect
apache::vhost {'et2blog':
documentroot => '/var/www/et2blog',
}
apache::redirect { 'et2blog':
path => '/',
url => 'http://systemadmin.es/',
}
proxypass
class { 'apache::mod::proxy': }
class { 'apache::mod::proxyajp': }
class { 'apache::mod::proxybalancer': }
apache::mod::proxy::balancer { 'test':
members => { 'ajp://app1.example.com:8009' => undef,
'ajp://app2.example.com:8009' => undef,
}
}
apache::mod::proxy::proxypass { '/lol':
destination => 'balancer://test',
servername => 'et2blog',
}
custom logformats
we can add custom log formats using logformats hash, for example:
class { 'apache':
server_admin=> 'webmaster@localhost',
maxclients=> '150',
maxrequestsperchild=>'1000',
customlog_type=>'vhost_combined',
logformats => {
'vhost_combined' =>
'%v:%p %h %l %u %t \\"%r\\" %>s %O \\"%{Referer}i\\" \\"%{User-Agent}i\\"'
},
add_defult_logformats=>true,
}
Load custom module
apache::module { 'asis_module':
sofile => 'modules/mod_asis.so',
}
server-status
server-status on a custom vhost with restricted IPs
apache::vhost {'default':
defaultvh => true,
documentroot => '/var/www/void',
}
apache::vhost {'et2blog':
documentroot => '/var/www/et2blog',
}
apache::serverstatus {'et2blog':}
apache::vhost {'systemadmin.es':
order => '10',
port => '81',
documentroot => '/var/www/systemadmin',
}
apache::serverstatus {'systemadmin.es':
order => '10',
port => '81',
allowedip => ['1.1.1.1','2.2.2.2','4.4.4.4 5.5.5.5','127.','::1'],
}
mod_php
class { 'apache': }
apache::vhost {'default':
defaultvh=>true,
documentroot => '/var/www/void',
}
class { 'apache::mod::php': }
addtype
apache::addtype { '.sinep':
mediatype => 'application/sinep',
}
SSL
SSL setup using yaml
classes:
- apache
apache::listen:
- 80
- 443
apache::ssl: true
apachecerts:
systemadmin:
cert_source: puppet:///customers/systemadmin/star_systemadmin_net.crt
pk_source: puppet:///customers/systemadmin/star_systemadmin_net.key
intermediate_source: puppet:///customers/systemadmin/star_systemadmin_net.intermediate
apachevhosts:
systemadmin:
documentroot: /var/www/systemadmin
systemadmin_ssl:
documentroot: /var/www/systemadmin
port: 443
certname: systemadmin
SSL without intermediate certificate
If we don't have a intermediate certificate, we can disable it using use_intermediate (intended for testing only)
apache::vhost {'et2blog_ssl':
documentroot => '/var/www/et2blog',
port => 443,
certname => 'cert_et2blog_ssl',
use_intermediate => false,
}
HSTS
apache::vhost {'et2blog':
documentroot => '/var/www/et2blog',
hsts => true,
hsts_include_subdomains => true,
}
mod_nss
# vhost for ZnVja3RoYXRiaXRjaAo.com
apache::vhost {'ZnVja3RoYXRiaXRjaAo.com':
port => '443',
documentroot => '/var/www/void',
}
# generate CSR
apache::nss::csr { 'test2':
cn => 'ZnVja3RoYXRiaXRjaAo.com',
organization => 'systemadmin.es',
organization_unit => 'shitty apache modules team',
locality => 'barcelona',
state => 'barcelona',
country => 'RC', # Republica Catalana
}
# import intermediate
apache::nss::intermediate { 'intermediate':
intermediate_source => 'puppet:///certs/intermediate.crt',
}
# import actual certificate
apache::nss::cert { 'ZnVja3RoYXRiaXRjaAo':
intermediate_source => 'puppet:///certs/cert.crt',
}
# enable mod_nss for this vhost
apache::nss {'ZnVja3RoYXRiaXRjaAo.com':
port => '443',
}
Sorry page
every vhost created using this module have an alternative vhost to disable it (HTTP 503)
enable/disable sorry page
to enable or disable the sorry page for a given site we just need to flip site_running
apache::vhost {'systemadmin.es':
order => '10',
port => '81',
documentroot => '/var/www/systemadmin',
site_running => false,
}
Custom sorry page
custom_sorrypage hash must contain both variables (path and errordocument)
apache::vhost {'systemadmin.es':
order => '10',
port => '81',
documentroot => '/var/www/systemadmin',
custom_sorrypage => { 'path': '/var/www/systemadmin/maintenance',
'errordocument': 'maintenance.html',
}
}
includes
apache::include_conf { '/etc:
files => [ 'demo.conf' ],
}
mod_headers
apache::header
apache::vhost {'et2blog':
documentroot => '/var/www/et2blog',
}
apache::header { 'et2blog':
header_name => 'X-Joke',
header_value => 'no hay MAC que por ARP no venga',
condition => 'always',
}
this adds the following directive:
Header onsuccess set X-Joke "no hay MAC que por ARP no venga"
mod_proxy
mod_proxy_balancer
classes:
- apache
- apache::mod::expires
- apache::mod::proxy
- apache::mod::proxybalancer
- apache::mod::proxyajp
apache::listen:
- 7790
apachevhosts:
default:
defaultvh: true
documentroot: /var/www/void
port: 7790
pspstores.systemadmin.es:
documentroot: /var/www/void
port: 7790
apachebalancers:
pspstores:
members:
'ajp://192.168.56.19:9509': undef
'ajp://192.168.56.18:9509': undef
apacheproxypasses:
'/':
destination: 'balancer://pspstores'
servername: pspstores.systemadmin.es
port: 7790
'/manager':
destination: '!'
servername: pspstores.systemadmin.es
port: 7790
'/host-manager':
destination: '!'
servername: pspstores.systemadmin.es
port: 7790
Exclude healthcheck
apache::vhost {'systemadmin.es':
order => '10',
port => '81',
documentroot => '/var/www/systemadmin',
custom_sorrypage => { 'path': '/var/www/systemadmin/maintenance',
'errordocument': 'maintenance.html',
'healthcheck': 'healthcheck/healthcheck.html',
}
}
FCGI
class {'apache::fcgi':
fcgihost => '192.168.56.18',
}
Reference
facts
- eyp_apache_gcc: get gcc version
- eyp_apache_make: get make version
- eyp_apache_opensslver: get openssl version
global hiera settings
- eypapache::monitips: IP list to be allowed by default in the default vhost. Used in apache::serverstatus as a default list of allowd IPs
- eypapache::pfs: enable Perfect Fordward Secrecy (PFS) - it changed default ciphers to use ECC
classes
apache
private classes:
- apache::params: apache default values
- apache::service: apache service
- apache::version: detect distro's apache version
apache variables:
- operational variables:
- manage_service = true,
- manage_docker_service = false,
- purge_logrotate: Purge package's related logrotate configuration (default: true)
- compress_logs_mtime: compress log files after this value (for example: +3, default: undef)
- delete_logs_mtime: delete log files after this value (for example: +3, default: undef)
- distro related variables:
- version = $apache::version::default,
- apache_username = $apache::params::apache_username,
- apache_group = $apache::params::apache_group,
- logdir = $apache::params::logdir,
- general options:
- mpm = $apache::params::mpm_default,
- servertokens = $apache::params::servertokens_default,
- timeout = $apache::params::timeout_default,
- keepalive = $apache::params::keepalive_default,
- keepalivetimeout = $apache::params::keepalivetimeout_default,
- maxkeepalivereq = $apache::params::maxkeepalivereq_default,
- extendedstatus = $apache::params::extendedstatus_default,
- serversignature = $apache::params::serversignature_default,
- listen = [ '80' ],
- namevirtualhosts = undef,
- ssl = false,
- sni = true,
- trace = false,
- server_admin = $apache::params::server_admin_default,
- directoty_index = [ 'index.html' ],
- maxclients = $apache::params::maxclients_default,
- maxrequestsperchild = $apache::params::maxrequestsperchild_default,
- customlog_type = $apache::params::customlog_type_default,
- logformats = undef,
- add_defult_logformats = true,
- server_name = $apache::params::server_name_default,
- ssl_compression = $apache::params::ssl_compression_default,
- ssl_protocol = $apache::params::ssl_protocol_default,
- ssl_chiphersuite = $apache::params::ssl_chiphersuite_default,
- defaultcharset = 'UTF-8',
- loglevel_errorlog = 'warn',
- usecanonicalname = false,
- default_documentroot = '/var/www/html',
- accessfilename = '.htaccess',
- hostnamelookups = false,
- startservers = 8,
- minspareservers = 5,
- maxspareservers = 20,
apache::fcgi
installs mod_fastcgi
- srcdir: (default: /usr/local/src)
- handler_name: (default: resource's name)
- fcgihost: (default: 127.0.0.1)
- fcgiport: (default: 9000)
modules
apache::mod::deflate
- ensure: installed/purged (default: installed)
apache::mod::expires
- ensure: installed/purged (default: installed)
- expires_active: true/false (default: true)
- default_expire: default expire policy (default: access plus 1 year)
apache::mod::php
WARNING Only works on Ubuntu 14.04
- ensure: installed/purged (default: installed)
apache::mod::proxy
- ensure: installed/purged (default: installed)
apache::mod::proxyajp
- ensure: installed/purged (default: installed)
apache::mod::proxybalancer
- ensure: installed/purged (default: installed)
apache::mod::proxyconnect
- ensure: installed/purged (default: installed)
apache::mod::proxyftp
- ensure: installed/purged (default: installed)
apache::mod::proxyhttp
- ensure: installed/purged (default: installed)
apache::mod::nss
- ensure: installed/purged (default: installed)
- randomseed: Array to configure a set of sources to seed the PRNG of the SSL library. (default: builtin)
NSSRandomSeed startup builtin
NSSRandomSeed startup file:/dev/random 512
NSSRandomSeed startup file:/dev/urandom 512
defines
apache::cert
- pk_source: private key certificate source, incompatible with pk_file
- pk_file: private key certificate file path, file is already present on the fs. incompatible with pk_source - intended for testing only
- cert_source: cert certificate source, incompatible with cert_file
- cert_file: cert certificate file path, file is already present on the fs. incompatible with cert_source - intended for testing only
- intermediate_source: intermediate certificate source
- certname: cert name (default: resource's name)
- version: optional, cert version (to be able to keep several versions)
apache::custom_conf
- source: file to deploy
- filename: file to be deployed (default: resource's name)
file will be deployed in this path: ${apache::params::baseconf}/conf.d/${filename}.conf
apache::directory
- order: order of the vhost where we want to deploy the directory (default: 00)
- port: port of the vhost where we want to deploy the directory (default: 80)
- servername: servername on which we want to deploy the directory (default: resource's name)
- directory: directory to define (mandatory)
- allowedip: allow a given set of IPs to this directory (default: undef)
- denyip: deny a given set of IPs to this directory (default: undef)
- options: directory options (default: [ 'FollowSymlinks' ])
- allowoverride: allow override (default: None)
apache::module
- sofile: file to load
- modname: module name (default: resource's name)
- order: just in case it's relevant
apache::serverstatus
- order: order of the vhost where we want to deploy the server-status (default: 00)
- port: port of the vhost where we want to deploy the server-status (default: 80)
- serverstatus_url: server-status URL (default: /server-status)
- servername: servername on which we want to deploy the server-status
- allowedip: (default: eypapache::monitips)
- defaultvh: Defines whether this server-status is intended to be used in the default vhost or not (default: false)
apache::redirect
- url: destinarion URL
- path: path to redirect,
- status: redirect type (default: permanent)
- match: whether use RedirectMatch or nor (default: undef)
- order: order of the vhost where we want to deploy the redirect (default: 00)
- port: port of the vhost where we want to deploy the redirect (default: 80)
- servername: servername on which we want to deploy the redirect
example:
apache::redirect { 'et2blog':
path => '/',
url => 'http://systemadmin.es/',
}
apache::vhost
- documentroot: DocumentRoot
- order: Order (default: 00)
- port: Listen port (default: 80)
- use_intermediate: (default: true)
- certname_version:
- directoryindex: (default: [ 'index.php', 'index.html', 'index.htm' ])
- defaultvh: Only for default virtual host (default: false)
- defaultvh_ss: Enable or disable default virtual host server status (default: true)
- servername: ServerName (default: $name)
- serveralias: ServerAlias array (default: undef)
- allowedip: Allowed ip for DocumentRoot (default: undef)
- deniedip: Denied ip for DocumentRoot (default: undef)
- rewrites: Rewrites list (default: undef)
- rewrites_source: (default: undef)
- certname: (default: undef)
- serveradmin: ServerAdmin (default: undef)
- aliasmatch: AliasMatch hash (default: undef)
- scriptalias: ScriptAlias hash (default: undef)
- options: Options for DocumentRoot directory (default: [ 'FollowSymlinks' ])
- allowoverride: AllowOverride (default: None)
- aliases: Alias hash (default: undef)
- add_default_logs: Add default logging (default: true)
- site_running: Define if site should be running (true) or sorrypage should be shown (false) (default: true)
- custom_sorrypage: Define a custom sorry page. A hash with 'path' (where sorrypage document is stored) and 'errordocument' (document to load as sorry page) must be provided. If the vhost is load balanced and needs to serve a healthcheck page we can exclude it from 503 adding it to the key 'healthcheck'. (see Usage documentation) (default: undef)
- documentroot_owner: documentroot's owner (default: root)
- documentroot_group: documentroot's owner (default: group)
- documentroot_mode: documentroot's mode (default: 0755)
Limitations
Tested on:
- CentOS 6
- CentOS 7
- Ubuntu 16.04
- Ubuntu 18.04
Development
We are pushing to have acceptance testing in place, so any new feature should have some test to check both presence and absence of any feature
Contributing
- Fork it
- Create your feature branch (
git checkout -b my-new-feature
) - Commit your changes (
git commit -am 'Added some feature'
) - Push to the branch (
git push origin my-new-feature
) - Create new Pull Request
CHANGELOG
0.6.3 - 2018-09-19
- fix dependencies
0.6.2 - 2018-06-19
- bugfix mod_php on Ubuntu 14.04
0.6.1
- added ssl certs to sorrypage
- added Ubuntu 18.04 support
0.6.0
- INCOMPATIBLE CHANGES:
- disabled apache modules:
- mod_userdir
- mod_info
- apache user shell under management by default
- changed default LogLevel from warn to notice core:info for Apache 2.4 and warn for Apache 2.2
- apache config cleanup (some useless directives have been removed)
- disabled apache modules:
- bugfix: default vhost documentroot ownership
- configurable conf.d purge/recurse
- added apache::vhost::xframeoptions to be able to easily add the X-Frame-Options header to a vhost
- added support for mod_reqtimeout using apache::mod::reqtimeout
- added variables for:
- LimitRequestLine
- LimitRequestFields
- LimitRequestFieldSize
- LimitRequestBody
- added block options to apache::location to be able to disable a specific URL
- added a flag to disable mod_autoindex
- added flag to disable FollowSymlinks by default
- added limit_http_methods variable to apache::location to be able to limit http methods by URL
- added disablereuse variable to apache::proxy::proxypass
- added AD auth support:
- mod_ldap via apache::mod::ldap
- AD auth via apache::vhost::adsauth
0.5.13
- added audit rules for apache config files
0.5.12
- fixed hard-coded SSLSessionCache
0.5.11
- added timeout and connectiontimeout variables to apache::mod::proxy::proxypass
- removed checks for subclasses, auto include required classes
0.5.10
- added variable root_directory_deny to set allow or deny by default to /
0.5.9
- added AllowEncodedSlashes to apache::vhost
0.5.8
- added apache::alias
- added selinux_httpd_use_nfs flag to allow httpd to use NFS mounts
0.5.7
- added listen_address to apache::vhost
- modified apache::mod::proxy::balancer to notify apache service
0.5.6
- added default SSLStaplingCache
0.5.5
- added lbmethod to apache::mod::proxy::balancer
- INCOMPATIBLE CHANGE: apache::mod::proxy::proxypass changed resource's name from $url to $servername, thus url is now a mandatory parameter
0.5.4
- bugfix apache 2.4 - prefork parameters were not being honored
0.5.3
- bugfix apache::logformat
0.5.2
- bugfix apache::header
0.5.1
- added ssl_use_stapling variable (only available on apache 2.4)
- added apache::sslproxy
- added apache::location
- added ssl_options to apache::directory
- added apache::browsermatch
- added description variable to apache::vhost
- added apache::requestheader
- added variables to apache::mod::proxy:
- proxy_requests
- proxy_via
- proxy_preserve_host
- added apache::mod::proxy::proxypassreverse
- added ssl verify options:
- SSLVerifyClient
- SSLVerifyDepth
- added customlog_filter to apache::vhost to be able to filter logs
- added apache::files and apache::filesmatch
- added apache::logformat
- added log related variables to apache::vhost:
- log_format
- log_rotate_seconds
- INCOMPATIBLE CHANGE: changed default values for apache::directory, directory is now mandatory, servername now default's to resource's name
- bugfix: added unimplemented vhost options to the default vhost
0.4.26
- added apache::addtype
0.4.25
- added variable to be able to set startservers, minspareservers, maxspareservers
- added apache::include_conf
- apache::vhost::includes and apache::vhost::includes_optional to be able to include non puppet managed files to a vhost
- added option for SSLHonorCipherOrder
- added HSTS support: apache::hsts (using mod_headers)
- added a global variable to enable PFS
0.4.24
- apache cert links will notify apache::service (which by the way sets an implicit order)
- limit puppetlabs-concat to < 3.0.0
0.4.23
- added variable to be able to set umask for httpd
0.4.22
- added Ubuntu 16.04 support
0.4.21
- added to apache::vhost:
- documentroot_owner
- documentroot_group
- documentroot_mode
- bugfix ServerAdmin in vhost template
0.4.20
- bugfix to be able to disable authentication on apache::davsvnrepo
0.4.19
- bugfix url_cleanup in apache::davsvnrepo
0.4.18
- added proxytimeout to modproxy
0.4.17
- added defaultcharset to apache::vhost
0.4.16
- added mod_headers support
0.4.15
- changed hiera to hiera_array to merge arrays
0.4.14
- typo svnpath
- bugfix fragment vhost
- bugfix template davsvnrepo.erb
0.4.9
- added apache::davsvnrepo with kerberos auth
0.4.8
- bugfix centos 6: /etc/httpd/modules/mod_authn_core.so
0.4.7
- added kerberos auth support
0.4.6
- minor bugfix
0.4.5
- mod_proxy (ProxyStatus changed default to On)
0.4
- INCOMPATIBLE CHANGE: Changed general ErrorLog and CustomLog to use rotatelogs, deleting any related logrotate stuff
0.3
- modules not loaded anymore by default:
- proxy
- proxy_ajp
- proxy_balancer
- proxy_connect
- proxy_ftp
- proxy_http
Dependencies
- puppetlabs/stdlib (>= 4.12.0 < 9.9.9)
- puppetlabs/concat (>= 1.2.3 < 9.9.9)
- eyp/eyplib (>= 0.1.0 < 0.2.0)
- eyp/audit (>= 0.1.12 < 0.2.0)