apache

Table of Contents

1. Module description - What is the apache module, and what does it do?
2. Setup - The basics of getting started with apache
   • What the apache module affects
   • Beginning with Apache - Installation
3. Usage - The classes and defined types available for configuration
   • Configuring virtual hosts - Examples to help get started
   • Configuring FastCGI servers to handle PHP files
   • Load balancing with exported and non-exported resources
4. Reference - An under-the-hood peek at what the module is doing and how
   • Public classes
   • Private classes
   • Public defined types
   • Private defined types
   • Templates
   • Tasks
5. Limitations - OS compatibility, etc.
6. Development - Guide for contributing to the module
   • Contributing to the apache module
   • [Running tests - A quick guide][Running tests]

Module description

Apache HTTP Server (also called Apache HTTPD, or simply Apache) is a widely used web server. This Puppet module simplifies the task of creating configurations to manage Apache servers in your infrastructure. It can configure and manage a range of virtual host setups and provides a streamlined way to install and configure Apache modules.

Setup

What the apache module affects:

• Configuration files and directories (created and written to)
  • WARNING: Configurations not managed by Puppet will be purged.
• Package/service/configuration files for Apache
• Apache modules
• Virtual hosts
• Listened-to ports
• /etc/make.conf on FreeBSD and Gentoo

On Gentoo, this module depends on the gentoo/puppet-portage Puppet module. Note that while several options apply or enable certain features and settings for Gentoo, it is not a supported operating system for this module.

Warning: This module modifies Apache configuration files and directories and purges any configuration not managed by Puppet. Apache configuration should be managed by Puppet, as unmanaged configuration files can cause unexpected failures.

To temporarily disable full Puppet management, set the purge_configs parameter in the apache class declaration to false. We recommend this only as a temporary means of saving and relocating customized configurations.

Beginning with Apache

To have Puppet install Apache with the default parameters, declare the apache class:

class { 'apache': }

When you declare this class with the default options, the module:

• Installs the appropriate Apache software package and required Apache modules for your operating system.
• Places the required configuration files in a directory, with the default location Depends on operating system.
• Configures the server with a default virtual host and standard port ('80') and address ('*') bindings.
• Creates a document root directory Depends on operating system, typically /var/www.
• Starts the Apache service.

Apache defaults depend on your operating system. These defaults work in testing environments but are not suggested for production. We recommend customizing the class's parameters to suit your site.

For instance, this declaration installs Apache without the apache module's default virtual host configuration, allowing you to customize all Apache virtual hosts:

class { 'apache':
  default_vhost => false,
}

Note: When default_vhost is set to false, you have to add at least one apache::vhost resource or Apache will not start. To establish a default virtual host, either set the default_vhost in the apache class or use the apache::vhost defined type. You can also configure additional specific virtual hosts with the apache::vhost defined type.

Usage

Configuring virtual hosts

The default apache class sets up a virtual host on port 80, listening on all interfaces and serving the docroot parameter's default directory of /var/www.

To configure basic name-based virtual hosts, specify the port and docroot parameters in the apache::vhost defined type:

apache::vhost { 'vhost.example.com':
  port    => '80',
  docroot => '/var/www/vhost',
}

See the apache::vhost defined type's reference for a list of all virtual host parameters.

Note: Apache processes virtual hosts in alphabetical order, and server administrators can prioritize Apache's virtual host processing by prefixing a virtual host's configuration file name with a number. The apache::vhost defined type applies a default priority of 15, which Puppet interprets by prefixing the virtual host's file name with 15-. This all means that if multiple sites have the same priority, or if you disable priority numbers by setting the priority parameter's value to false, Apache still processes virtual hosts in alphabetical order.

To configure user and group ownership for docroot, use the docroot_owner and docroot_group parameters:

apache::vhost { 'user.example.com':
  port          => '80',
  docroot       => '/var/www/user',
  docroot_owner => 'www-data',
  docroot_group => 'www-data',
}

Configuring virtual hosts with SSL

To configure a virtual host to use SSL encryption and default SSL certificates, set the ssl parameter. You must also specify the port parameter, typically with a value of '443', to accommodate HTTPS requests:

apache::vhost { 'ssl.example.com':
  port    => '443',
  docroot => '/var/www/ssl',
  ssl     => true,
}

To configure a virtual host to use SSL and specific SSL certificates, use the paths to the certificate and key in the ssl_cert and ssl_key parameters, respectively:

apache::vhost { 'cert.example.com':
  port     => '443',
  docroot  => '/var/www/cert',
  ssl      => true,
  ssl_cert => '/etc/ssl/fourth.example.com.cert',
  ssl_key  => '/etc/ssl/fourth.example.com.key',
}

To configure a mix of SSL and unencrypted virtual hosts at the same domain, declare them with separate apache::vhost defined types:

# The non-ssl virtual host
apache::vhost { 'mix.example.com non-ssl':
  servername => 'mix.example.com',
  port       => '80',
  docroot    => '/var/www/mix',
}

# The SSL virtual host at the same domain
apache::vhost { 'mix.example.com ssl':
  servername => 'mix.example.com',
  port       => '443',
  docroot    => '/var/www/mix',
  ssl        => true,
}

To configure a virtual host to redirect unencrypted connections to SSL, declare them with separate apache::vhost defined types and redirect unencrypted requests to the virtual host with SSL enabled:

apache::vhost { 'redirect.example.com non-ssl':
  servername      => 'redirect.example.com',
  port            => '80',
  docroot         => '/var/www/redirect',
  redirect_status => 'permanent',
  redirect_dest   => 'https://redirect.example.com/'
}

apache::vhost { 'redirect.example.com ssl':
  servername => 'redirect.example.com',
  port       => '443',
  docroot    => '/var/www/redirect',
  ssl        => true,
}

Configuring virtual host port and address bindings

Virtual hosts listen on all IP addresses ('*') by default. To configure the virtual host to listen on a specific IP address, use the ip parameter:

apache::vhost { 'ip.example.com':
  ip      => '127.0.0.1',
  port    => '80',
  docroot => '/var/www/ip',
}

You can also configure more than one IP address per virtual host by using an array of IP addresses for the ip parameter:

apache::vhost { 'ip.example.com':
  ip      => ['127.0.0.1','169.254.1.1'],
  port    => '80',
  docroot => '/var/www/ip',
}

You can configure multiple ports per virtual host by using an array of ports for the port parameter:

apache::vhost { 'ip.example.com':
  ip      => ['127.0.0.1'],
  port    => ['80','8080']
  docroot => '/var/www/ip',
}

To configure a virtual host with aliased servers, refer to the aliases using the serveraliases parameter:

apache::vhost { 'aliases.example.com':
  serveraliases => [
    'aliases.example.org',
    'aliases.example.net',
  ],
  port          => '80',
  docroot       => '/var/www/aliases',
}

To set up a virtual host with a wildcard alias for the subdomain mapped to a directory of the same name, such as 'http://example.com.loc' mapped to /var/www/example.com, define the wildcard alias using the serveraliases parameter and the document root with the virtual_docroot parameter:

apache::vhost { 'subdomain.loc':
  vhost_name      => '*',
  port            => '80',
  virtual_docroot => '/var/www/%-2+',
  docroot         => '/var/www',
  serveraliases   => ['*.loc',],
}

To configure a virtual host with filter rules, pass the filter directives as an array using the filters parameter:

apache::vhost { 'subdomain.loc':
  port    => '80',
  filters => [
    'FilterDeclare  COMPRESS',
    'FilterProvider COMPRESS DEFLATE resp=Content-Type $text/html',
    'FilterChain    COMPRESS',
    'FilterProtocol COMPRESS DEFLATE change=yes;byteranges=no',
  ],
  docroot => '/var/www/html',
}

Configuring virtual hosts for apps and processors

To set up a virtual host with suPHP, use the following parameters:

• suphp_engine, to enable the suPHP engine.
• suphp_addhandler, to define a MIME type.
• suphp_configpath, to set which path suPHP passes to the PHP interpreter.
• directory, to configure Directory, File, and Location directive blocks.

For example:

apache::vhost { 'suphp.example.com':
  port             => '80',
  docroot          => '/home/appuser/myphpapp',
  suphp_addhandler => 'x-httpd-php',
  suphp_engine     => 'on',
  suphp_configpath => '/etc/php5/apache2',
  directories      => [
    { 'path'  => '/home/appuser/myphpapp',
      'suphp' => {
        user  => 'myappuser',
        group => 'myappgroup',
      },
    },
  ],
}

To configure a virtual host to use the Web Server Gateway Interface (WSGI) for Python applications, use the wsgi set of parameters:

apache::vhost { 'wsgi.example.com':
  port                        => '80',
  docroot                     => '/var/www/pythonapp',
  wsgi_application_group      => '%{GLOBAL}',
  wsgi_daemon_process         => 'wsgi',
  wsgi_daemon_process_options => {
    processes    => '2',
    threads      => '15',
    display-name => '%{GROUP}',
  },
  wsgi_import_script          => '/var/www/demo.wsgi',
  wsgi_import_script_options  => {
    process-group     => 'wsgi',
    application-group => '%{GLOBAL}',
  },
  wsgi_process_group          => 'wsgi',
  wsgi_script_aliases         => { '/' => '/var/www/demo.wsgi' },
}

As of Apache 2.2.16, Apache supports FallbackResource, a simple replacement for common RewriteRules. You can set a FallbackResource using the fallbackresource parameter:

apache::vhost { 'wordpress.example.com':
  port             => '80',
  docroot          => '/var/www/wordpress',
  fallbackresource => '/index.php',
}

Note: The fallbackresource parameter only supports the 'disabled' value since Apache 2.2.24.

To configure a virtual host with a designated directory for Common Gateway Interface (CGI) files, use the scriptalias parameter to define the cgi-bin path:

apache::vhost { 'cgi.example.com':
  port        => '80',
  docroot     => '/var/www/cgi',
  scriptalias => '/usr/lib/cgi-bin',
}

To configure a virtual host for Rack, use the rack_base_uris parameter:

apache::vhost { 'rack.example.com':
  port           => '80',
  docroot        => '/var/www/rack',
  rack_base_uris => ['/rackapp1', '/rackapp2'],
}

Configuring IP-based virtual hosts

You can configure IP-based virtual hosts to listen on any port and have them respond to requests on specific IP addresses. In this example, the server listens on ports 80 and 81, because the example virtual hosts are not declared with a port parameter:

apache::listen { '80': }

apache::listen { '81': }

Configure the IP-based virtual hosts with the ip_based parameter:

apache::vhost { 'first.example.com':
  ip       => '10.0.0.10',
  docroot  => '/var/www/first',
  ip_based => true,
}

apache::vhost { 'second.example.com':
  ip       => '10.0.0.11',
  docroot  => '/var/www/second',
  ip_based => true,
}

You can also configure a mix of IP- and name-based virtual hosts in any combination of SSL and unencrypted configurations.

In this example, we add two IP-based virtual hosts on an IP address (in this example, 10.0.0.10). One uses SSL and the other is unencrypted:

apache::vhost { 'The first IP-based virtual host, non-ssl':
  servername => 'first.example.com',
  ip         => '10.0.0.10',
  port       => '80',
  ip_based   => true,
  docroot    => '/var/www/first',
}

apache::vhost { 'The first IP-based vhost, ssl':
  servername => 'first.example.com',
  ip         => '10.0.0.10',
  port       => '443',
  ip_based   => true,
  docroot    => '/var/www/first-ssl',
  ssl        => true,
}

Next, we add two name-based virtual hosts listening on a second IP address (10.0.0.20):

apache::vhost { 'second.example.com':
  ip      => '10.0.0.20',
  port    => '80',
  docroot => '/var/www/second',
}

apache::vhost { 'third.example.com':
  ip      => '10.0.0.20',
  port    => '80',
  docroot => '/var/www/third',
}

To add name-based virtual hosts that answer on either 10.0.0.10 or 10.0.0.20, you must disable the Apache default Listen 80, as it conflicts with the preceding IP-based virtual hosts. To do this, set the add_listen parameter to false:

apache::vhost { 'fourth.example.com':
  port       => '80',
  docroot    => '/var/www/fourth',
  add_listen => false,
}

apache::vhost { 'fifth.example.com':
  port       => '80',
  docroot    => '/var/www/fifth',
  add_listen => false,
}

Installing Apache modules

There are two ways to install Apache modules using the Puppet apache module:

• Use the apache::mod::<MODULE NAME> classes to install specific Apache modules with parameters.
• Use the apache::mod defined type to install arbitrary Apache modules.

Installing specific modules

The Puppet apache module supports installing many common Apache modules, often with parameterized configuration options. For a list of supported Apache modules, see the apache::mod::<MODULE NAME> class references.

For example, you can install the mod_ssl Apache module with default settings by declaring the apache::mod::ssl class:

class { 'apache::mod::ssl': }

apache::mod::ssl has several parameterized options that you can set when declaring it. For instance, to enable mod_ssl with compression enabled, set the ssl_compression parameter to true:

class { 'apache::mod::ssl':
  ssl_compression => true,
}

Note that some modules have prerequisites, which are documented in their references under apache::mod::<MODULE NAME>.

Installing arbitrary modules

You can pass the name of any module that your operating system's package manager can install to the apache::mod defined type to install it. Unlike the specific-module classes, the apache::mod defined type doesn't tailor the installation based on other installed modules or with specific parameters---Puppet only grabs and installs the module's package, leaving detailed configuration up to you.

For example, to install the mod_authnz_external Apache module, declare the defined type with the 'mod_authnz_external' name:

apache::mod { 'mod_authnz_external': }

There are several optional parameters you can specify when defining Apache modules this way. See the defined type's reference for details.

Configuring FastCGI servers to handle PHP files

Add the apache::fastcgi::server defined type to allow FastCGI servers to handle requests for specific files. For example, the following defines a FastCGI server at 127.0.0.1 (localhost) on port 9000 to handle PHP requests:

apache::fastcgi::server { 'php':
  host       => '127.0.0.1:9000',
  timeout    => 15,
  flush      => false,
  faux_path  => '/var/www/php.fcgi',
  fcgi_alias => '/php.fcgi',
  file_type  => 'application/x-httpd-php'
}

You can then use the custom_fragment parameter to configure the virtual host to have the FastCGI server handle the specified file type:

apache::vhost { 'www':
  ...
  custom_fragment => 'AddType application/x-httpd-php .php'
  ...
}

Load balancing examples

Apache supports load balancing across groups of servers through the mod_proxy Apache module. Puppet supports configuring Apache load balancing groups (also known as balancer clusters) through the apache::balancer and apache::balancermember defined types.

To enable load balancing with exported resources, export the apache::balancermember defined type from the load balancer member server:

@@apache::balancermember { "${::fqdn}-puppet00":
  balancer_cluster => 'puppet00',
  url              => "ajp://${::fqdn}:8009",
  options          => ['ping=5', 'disablereuse=on', 'retry=5', 'ttl=120'],
}

Then, on the proxy server, create the load balancing group:

apache::balancer { 'puppet00': }

To enable load balancing without exporting resources, declare the following on the proxy server:

apache::balancer { 'puppet00': }

apache::balancermember { "${::fqdn}-puppet00":
  balancer_cluster => 'puppet00',
  url              => "ajp://${::fqdn}:8009",
  options          => ['ping=5', 'disablereuse=on', 'retry=5', 'ttl=120'],
}

Then declare the apache::balancer and apache::balancermember defined types on the proxy server.

To use the ProxySet directive on the balancer, use the proxy_set parameter of apache::balancer:

apache::balancer { 'puppet01':
  proxy_set => {
    'stickysession' => 'JSESSIONID',
    'lbmethod'      => 'bytraffic',
  },
}

Load balancing scheduler algorithms (lbmethod) are listed in mod_proxy_balancer documentation.

Reference

• Public classes
  • Class: apache
  • Class: apache::dev
  • Class: apache::vhosts
  • Classes: apache::mod::*
• Private classes
  • Class: apache::confd::no_accf
  • Class: apache::default_confd_files
  • Class: apache::default_mods
  • Class: apache::package
  • Class: apache::params
  • Class: apache::service
  • Class: apache::version
• Public defined types
  • Defined type: apache::balancer
  • Defined type: apache::balancermember
  • Defined type: apache::custom_config
  • Defined type: apache::fastcgi::server
  • Defined type: apache::listen
  • Defined type: apache::mod
  • Defined type: apache::namevirtualhost
  • Defined type: apache::vhost
  • Defined type: apache::vhost::custom
• Private defined types
  • Defined type: apache::default_mods::load
  • Defined type: apache::peruser::multiplexer
  • Defined type: apache::peruser::processor
  • Defined type: apache::security::file_link
• Templates
• Tasks

Public Classes

Class: apache

Guides the basic setup and installation of Apache on your system.

When this class is declared with the default options, Puppet:

• Installs the appropriate Apache software package and required Apache modules for your operating system.
• Places the required configuration files in a directory, with the default location determined by your operating system.
• Configures the server with a default virtual host and standard port ('80') and address ('*') bindings.
• Creates a document root directory determined by your operating system, typically /var/www.
• Starts the Apache service.

You can simply declare the default apache class:

class { 'apache': }

allow_encoded_slashes

Sets the server default for the AllowEncodedSlashes declaration, which modifies the responses to URLs containing '\' and '/' characters. If not specified, this parameter omits the declaration from the server's configuration and uses Apache's default setting of 'off'.

Values: 'on', 'off', 'nodecode'.

Default: undef.

apache_version

Configures module template behavior, package names, and default Apache modules by defining the version of Apache to use. We do not recommend manually configuring this parameter without reason.

Default: Depends on operating system and release version detected by the apache::version class.

conf_dir

Sets the directory where the Apache server's main configuration file is located.

Default: Depends on operating system.

• Debian: /etc/apache2
• FreeBSD: /usr/local/etc/apache22
• Gentoo: /etc/apache2
• Red Hat: /etc/httpd/conf

conf_template

Defines the template used for the main Apache configuration file. Modifying this parameter is potentially risky, as the apache module is designed to use a minimal configuration file customized by conf.d entries.

Default: apache/httpd.conf.erb.

confd_dir

Sets the location of the Apache server's custom configuration directory.

Default: Depends on operating system.

• Debian: /etc/apache2/conf.d
• FreeBSD: /usr/local/etc/apache22
• Gentoo: /etc/apache2/conf.d
• Red Hat: /etc/httpd/conf.d

default_charset

Used as the AddDefaultCharset directive in the main configuration file.

Default: undef.

default_confd_files

Determines whether Puppet generates a default set of includable Apache configuration files in the directory defined by the confd_dir parameter. These configuration files correspond to what is typically installed with the Apache package on the server's operating system.

Boolean.

Default: true.

default_mods

Determines whether to configure and enable a set of default Apache modules depending on your operating system.

If false, Puppet includes only the Apache modules required to make the HTTP daemon work on your operating system, and you can declare any other modules separately using the apache::mod::<MODULE NAME> class or apache::mod defined type.

If true, Puppet installs additional modules, depending on the operating system and the values of apache_version and mpm_module parameters. Because these lists of modules can change frequently, consult the Puppet module's code for up-to-date lists.

If this parameter contains an array, Puppet instead enables all passed Apache modules.

Values: Boolean or an array of Apache module names.

Default: true.

default_ssl_ca

Sets the default certificate authority for the Apache server.

Although the default value results in a functioning Apache server, you must update this parameter with your certificate authority information before deploying this server in a production environment.

Boolean.

Default: undef.

default_ssl_cert

Sets the SSL encryption certificate location.

Although the default value results in a functioning Apache server, you must update this parameter with your certificate location before deploying this server in a production environment.

Default: Depends on operating system.

• Debian: /etc/ssl/certs/ssl-cert-snakeoil.pem
• FreeBSD: /usr/local/etc/apache22/server.crt
• Gentoo: /etc/ssl/apache2/server.crt
• Red Hat: /etc/pki/tls/certs/localhost.crt

default_ssl_chain

Sets the default SSL chain location.

Although this default value results in a functioning Apache server, you must update this parameter with your SSL chain before deploying this server in a production environment.

Default: undef.

default_ssl_crl

Sets the path of the default certificate revocation list (CRL) file to use.

Although this default value results in a functioning Apache server, you must update this parameter with the CRL file path before deploying this server in a production environment. You can use this parameter with or in place of the default_ssl_crl_path.

Default: undef.

default_ssl_crl_path

Sets the server's certificate revocation list path, which contains your CRLs.

Although this default value results in a functioning Apache server, you must update this parameter with the CRL file path before deploying this server in a production environment.

Default: undef.

default_ssl_crl_check

Sets the default certificate revocation check level via the SSLCARevocationCheck directive. This parameter applies only to Apache 2.4 or higher and is ignored on older versions.

Although this default value results in a functioning Apache server, you must specify this parameter when using certificate revocation lists in a production environment.

Default: undef.

default_ssl_key

Sets the SSL certificate key file location.

Although the default values result in a functioning Apache server, you must update this parameter with your SSL key's location before deploying this server in a production environment.

Default: Depends on operating system.

• Debian: /etc/ssl/private/ssl-cert-snakeoil.key
• FreeBSD: /usr/local/etc/apache22/server.key
• Gentoo: /etc/ssl/apache2/server.key
• Red Hat: /etc/pki/tls/private/localhost.key

default_ssl_vhost

Configures a default SSL virtual host.

If true, Puppet automatically configures the following virtual host using the apache::vhost defined type:

apache::vhost { 'default-ssl':
  port            => 443,
  ssl             => true,
  docroot         => $docroot,
  scriptalias     => $scriptalias,
  serveradmin     => $serveradmin,
  access_log_file => "ssl_${access_log_file}",
  }

Note: SSL virtual hosts only respond to HTTPS queries.

Boolean.

Default: false.

default_type

Apache 2.2 only. Sets the MIME content-type sent if the server cannot otherwise determine an appropriate content-type. This directive is deprecated in Apache 2.4 and newer, and is only for backwards compatibility in configuration files.

Default: undef.

default_vhost

Configures a default virtual host when the class is declared.

To configure customized virtual hosts, set this parameter's value to false.

Note: Apache will not start without at least one virtual host. If you set this to false you must configure a virtual host elsewhere.

Boolean.

Default: true.

dev_packages

Configures a specific dev package to use.

Values: A string or array of strings.

Example for using httpd 2.4 from the IUS yum repo:

include ::apache::dev
class { 'apache':
  apache_name  => 'httpd24u',
  dev_packages => 'httpd24u-devel',
}

Default: Depends on operating system.

• Red Hat: 'httpd-devel'
• Debian 8/Ubuntu 13.10 or newer: ['libaprutil1-dev', 'libapr1-dev', 'apache2-dev']
• Older Debian/Ubuntu versions: ['libaprutil1-dev', 'libapr1-dev', 'apache2-prefork-dev']
• FreeBSD, Gentoo: undef
• Suse: ['libapr-util1-devel', 'libapr1-devel']

docroot

Sets the default DocumentRoot location.

Default: Depends on operating system.

• Debian: /var/www/html
• FreeBSD: /usr/local/www/apache22/data
• Gentoo: /var/www/localhost/htdocs
• Red Hat: /var/www/html

error_documents

Determines whether to enable custom error documents on the Apache server.

Boolean.

Default: false.

group

Sets the group ID that owns any Apache processes spawned to answer requests.

By default, Puppet attempts to manage this group as a resource under the apache class, determining the group based on the operating system as detected by the apache::params class. To to prevent the group resource from being created and use a group created by another Puppet module, set the manage_group parameter's value to false.

Note: Modifying this parameter only changes the group ID that Apache uses to spawn child processes to access resources. It does not change the user that owns the parent server process.

httpd_dir

Sets the Apache server's base configuration directory. This is useful for specially repackaged Apache server builds but might have unintended consequences when combined with the default distribution packages.

Default: Depends on operating system.

• Debian: /etc/apache2
• FreeBSD: /usr/local/etc/apache22
• Gentoo: /etc/apache2
• Red Hat: /etc/httpd

http_protocol_options

Specifies the strictness of HTTP protocol checks.

Valid options: any sequence of the following alternative values: Strict or Unsafe, RegisteredMethods or LenientMethods, and Allow0.9 or Require1.0.

Default 'Strict LenientMethods Allow0.9'.

keepalive

Determines whether to enable persistent HTTP connections with the KeepAlive directive. If you set this to 'On', use the keepalive_timeout and max_keepalive_requests parameters to set relevant options.

Values: 'Off', 'On'.

Default: 'Off'.

keepalive_timeout

Sets the KeepAliveTimeout directive, which determines the amount of time the Apache server waits for subsequent requests on a persistent HTTP connection. This parameter is only relevant if the keepalive parameter is enabled.

Default: '15'.

max_keepalive_requests

Limits the number of requests allowed per connection when the keepalive parameter is enabled.

Default: '100'.

lib_path

Specifies the location where Apache module files are stored.

Default: Depends on operating system.

• Debian and Gentoo: /usr/lib/apache2/modules
• FreeBSD: /usr/local/libexec/apache24
• Red Hat: modules

Note: Do not configure this parameter manually without special reason.

log_level

Changes the error log's verbosity. Values: 'alert', 'crit', 'debug', 'emerg', 'error', 'info', 'notice', 'warn'.

Default: 'warn'.

log_formats

Define additional LogFormat directives. Values: A hash, such as:

$log_formats = { vhost_common => '%v %h %l %u %t \"%r\" %>s %b' }

There are a number of predefined LogFormats in the httpd.conf that Puppet creates:

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-agent}i\"" forwarded

If your log_formats parameter contains one of those, it will be overwritten with your definition.

logroot

Changes the directory of Apache log files for the virtual host.

Default: Depends on operating system.

• Debian: /var/log/apache2
• FreeBSD: /var/log/apache22
• Gentoo: /var/log/apache2
• Red Hat: /var/log/httpd

logroot_mode

Overrides the default logroot directory's mode.

Note: Do not grant write access to the directory where the logs are stored without being aware of the consequences. See the Apache documentation for details.

Default: undef.

manage_group

When false, stops Puppet from creating the group resource.

If you have a group created from another Puppet module that you want to use to run Apache, set this to false. Without this parameter, attempting to use a previously established group results in a duplicate resource error.

Boolean.

Default: true.

supplementary_groups

A list of groups to which the user belongs. These groups are in addition to the primary group.

Default: No additional groups.

Notice: This option only has an effect when manage_user is set to true.

manage_user

When false, stops Puppet from creating the user resource.

This is for instances when you have a user, created from another Puppet module, you want to use to run Apache. Without this parameter, attempting to use a previously established user would result in a duplicate resource error.

Boolean.

Default: true.

mod_dir

Sets where Puppet places configuration files for your Apache modules.

Default: Depends on operating system.

• Debian: /etc/apache2/mods-available
• FreeBSD: /usr/local/etc/apache22/Modules
• Gentoo: /etc/apache2/modules.d
• Red Hat: /etc/httpd/conf.d

mod_packages

Allows the user to override default module package names.

include apache::params
class { 'apache':
  mod_packages => merge($::apache::params::mod_packages, {
    'auth_kerb' => 'httpd24-mod_auth_kerb',
  })
}

Hash. Default: $apache::params::mod_packages

mpm_module

Determines which multi-processing module (MPM) is loaded and configured for the HTTPD process. Values: 'event', 'itk', 'peruser', 'prefork', 'worker', or false.

You must set this to false to explicitly declare the following classes with custom parameters:

• apache::mod::event
• apache::mod::itk
• apache::mod::peruser
• apache::mod::prefork
• apache::mod::worker

Default: Depends on operating system.

• Debian: 'worker'
• FreeBSD, Gentoo, and Red Hat: 'prefork'

package_ensure

Controls the package resource's ensure attribute. Values: 'absent', 'installed' (or equivalent 'present'), or a version string.

Default: 'installed'.

pidfile

Allows settting a custom location for the pid file. Useful if using a custom-built Apache rpm.

Default: Depends on operating system.

• Debian: '\${APACHE_PID_FILE}'
• FreeBSD: '/var/run/httpd.pid'
• Red Hat: 'run/httpd.pid'

ports_file

Sets the path to the file containing Apache ports configuration.

Default: '{$conf_dir}/ports.conf'.

purge_configs

Removes all other Apache configs and virtual hosts.

Setting this to false is a stopgap measure to allow the apache module to coexist with existing or unmanaged configurations. We recommend moving your configuration to resources within this module. For virtual host configurations, see purge_vhost_dir.

Boolean.

Default: true.

purge_vhost_dir

If the vhost_dir parameter's value differs from the confd_dir parameter's, this parameter determines whether Puppet removes any configurations inside vhost_dir that are not managed by Puppet.

Setting purge_vhost_dir to false is a stopgap measure to allow the apache module to coexist with existing or otherwise unmanaged configurations within vhost_dir.

Boolean.

Default: same as purge_configs.

rewrite_lock

Allows setting a custom location for a rewrite lock - considered best practice if using a RewriteMap of type prg in the [rewrites][] parameter of your virtual host. This parameter only applies to Apache version 2.2 or lower and is ignored on newer versions.

Default: undef.

sendfile

Forces Apache to use the Linux kernel's sendfile support to serve static files, via the EnableSendfile directive. Values: 'On', 'Off'.

Default: 'On'.

serveradmin

Sets the Apache server administrator's contact information via Apache's ServerAdmin directive.

Default: 'root@localhost'.

servername

Sets the Apache server name via Apache's ServerName directive.

Setting to false will not set ServerName at all.

Default: the 'fqdn' fact reported by Facter.

server_root

Sets the Apache server's root directory via Apache's ServerRoot directive.

Default: Depends on operating system.

• Debian: /etc/apache2
• FreeBSD: /usr/local
• Gentoo: /var/www
• Red Hat: /etc/httpd

server_signature

Configures a trailing footer line to display at the bottom of server-generated documents, such as error documents and output of certain Apache modules, via Apache's ServerSignature directive. Values: 'Off', 'On'.

Default: 'On'.

server_tokens

Controls how much information Apache sends to the browser about itself and the operating system, via Apache's ServerTokens directive.

Default: 'OS'.

service_enable

Determines whether Puppet enables the Apache HTTPD service when the system is booted.

Boolean.

Default: true.

service_ensure

Determines whether Puppet should make sure the service is running. Values: true (or 'running'), false (or 'stopped').

The false or 'stopped' values set the 'httpd' service resource's ensure parameter to false, which is useful when you want to let the service be managed by another application, such as Pacemaker.

Default: 'running'.

service_name

Sets the name of the Apache service.

Default: Depends on operating system.

• Debian and Gentoo: 'apache2'
• FreeBSD: 'apache22'
• Red Hat: 'httpd'

service_manage

Determines whether Puppet manages the HTTPD service's state.

Boolean.

Default: true.

service_restart

Determines whether Puppet should use a specific command to restart the HTTPD service.

Values: a command to restart the Apache service. The default setting uses the default Puppet behavior.

Default: undef.

ssl_ca

Specifies the SSL certificate authority. SSLCACertificateFile to use to verify certificate used in ssl client authentication.

It is possible to override this on a vhost level.

Default: undef.

timeout

Sets Apache's TimeOut directive, which defines the number of seconds Apache waits for certain events before failing a request.

Default: 120.

trace_enable

Controls how Apache handles TRACE requests (per RFC 2616) via the TraceEnable directive.

Values: 'Off', 'On'.

Default: 'On'.

use_systemd

Controls whether the systemd module should be installed on Centos 7 servers, this is especially useful if using custom-built RPMs.

Boolean.

Default: true.

file_mode

Sets the desired permissions mode for config files.

Values: A string, with permissions mode in symbolic or numeric notation.

Default: '0644'.

root_directory_options

Array of the desired options for the / directory in httpd.conf.

Defaults: 'FollowSymLinks'.

root_directory_secured

Sets the default access policy for the / directory in httpd.conf. A value of false allows access to all resources that are missing a more specific access policy. A value of true denies access to all resources by default. If true, more specific rules must be used to allow access to these resources (for example, in a directory block using the directories parameter).

Boolean.

Default: false.

vhost_dir

Changes your virtual host configuration files' location.

Default: Depends on operating system:

• Debian: /etc/apache2/sites-available
• FreeBSD: /usr/local/etc/apache22/Vhosts
• Gentoo: /etc/apache2/vhosts.d
• Red Hat: /etc/httpd/conf.d

vhost_include_pattern

Defines the pattern for files included from the vhost_dir.

If set to a value like [^.#]\*.conf[^~] to make sure that files accidentally created in this directory (such as files created by version control systems or editor backups) are not included in your server configuration.

Default: '*'.

Some operating systems use a value of *.conf. By default, this module creates configuration files ending in .conf.

user

Changes the user that Apache uses to answer requests. Apache's parent process continues to run as root, but child processes access resources as the user defined by this parameter. To prevent Puppet from managing the user, set the manage_user parameter to false.

Default: Depends on the user set by apache::params class, based on your operating system:

• Debian: 'www-data'
• FreeBSD: 'www'
• Gentoo and Red Hat: 'apache'

To prevent Puppet from managing the user, set the manage_user parameter to false.

apache_name

The name of the Apache package to install. If you are using a non-standard Apache package, such as those from Red Hat's software collections, you might need to override the default setting.

Default: Depends on the user set by apache::params class, based on your operating system:

• Debian: 'apache2'
• FreeBSD: 'apache24'
• Gentoo: 'www-servers/apache'
• Red Hat: 'httpd'

error_log

The name of the error log file for the main server instance. If the string starts with /, |, or syslog: the full path is set. Otherwise, the filename is prefixed with $logroot.

Default: Depends on operating system:

• Debian: 'error.log'
• FreeBSD: 'httpd-error.log'
• Gentoo: 'error.log'
• Red Hat: 'error_log'
• Suse: 'error.log'

scriptalias

Directory to use for global script alias

Default: Depends on operating system:

• Debian: '/usr/lib/cgi-bin'
• FreeBSD: '/usr/local/www/apache24/cgi-bin'
• Gentoo: 'var/www/localhost/cgi-bin'
• Red Hat: '/var/www/cgi-bin'
• Suse: '/usr/lib/cgi-bin'

access_log_file

The name of the access log file for the main server instance.

Default: Depends on operating system:

• Debian: 'error.log'
• FreeBSD: 'httpd-access.log'
• Gentoo: 'access.log'
• Red Hat: 'access_log'
• Suse: 'access.log'

Class: apache::dev

Installs Apache development libraries.

Default: Depends on the operating system:dev_packages parameter of the apache::params class, based on your operating system:

• Debian : 'libaprutil1-dev', 'libapr1-dev'; 'apache2-dev' on Ubuntu 13.10 and Debian 8; 'apache2-prefork-dev' on other versions.
• FreeBSD: undef; on FreeBSD, you must declare the apache::package or apache classes before declaring apache::dev.
• Gentoo: undef.
• Red Hat: 'httpd-devel'.

Class: apache::vhosts

Creates apache::vhost defined types.

Parameters:

• vhosts: Specifies the apache::vhost defined type's parameters.

  Values: A hash, where the key represents the name and the value represents a hash of apache::vhost defined type's parameters.

  Default: '{}'

  Note: See the apache::vhost defined type's reference for a list of all virtual host parameters or Configuring virtual hosts.

  For example, to create a name-based virtual host 'custom_vhost_1, declare this class with the vhosts parameter set to '{ "custom_vhost_1" => { "docroot" => "/var/www/custom_vhost_1", "port" => "81" }':

class { 'apache::vhosts':
  vhosts => {
    'custom_vhost_1' => {
      'docroot' => '/var/www/custom_vhost_1',
      'port'    => '81',
    },
  },
}

Classes: apache::mod::<MODULE NAME>

Enables specific Apache modules. Enable and configure an Apache module by declaring its class.

For example, to install and enable mod_alias with no icons, declare the apache::mod::alias class with the icons_options parameter set to 'None':

class { 'apache::mod::alias':
  icons_options => 'None',
}

The following Apache modules have supported classes, many of which allow for parameterized configuration. You can install other Apache modules with the apache::mod defined type.

• actions
• alias (see apache::mod::alias)
• auth_basic
• auth_cas* (see apache::mod::auth_cas)
• auth_mellon* (see apache::mod::auth_mellon)
• auth_kerb
• authn_core
• authn_dbd* (see apache::mod::authn_dbd)
• authn_file
• authnz_ldap* (see apache::mod::authnz_ldap)
• authnz_pam
• authz_default
• authz_user
• autoindex
• cache
• cgi
• cgid
• cluster (see apache::mod::cluster)
• dav
• dav_fs
• dav_svn*
• dbd
• deflate\
• dev
• dir*
• disk_cache (see apache::mod::disk_cache)
• dumpio (see apache::mod::dumpio)
• env
• event (see apache::mod::event)
• expires
• ext_filter (see apache::mod::ext_filter)
• fastcgi
• fcgid
• filter
• geoip (see apache::mod::geoip)
• headers
• include
• info*
• intercept_form_submit
• itk
• jk (see apache::mod::jk)
• ldap (see apache::mod::ldap)
• lookup_identity
• macro (see [apache:mod:macro][])
• mime
• mime_magic*
• negotiation
• nss* (see [apache::mod::nss][])
• pagespeed (see [apache::mod::pagespeed][])
• passenger* (see apache::mod::passenger)
• perl
• peruser
• php (requires mpm_module set to prefork)
• prefork*
• proxy* (see apache::mod::proxy)
• proxy_ajp
• proxy_balancer* (see apache::mod::proxy_balancer)
• proxy_balancer
• proxy_html (see apache::mod::proxy_html)
• proxy_http
• python
• reqtimeout
• remoteip*
• rewrite
• rpaf*
• setenvif
• security
• shib* (see apache::mod::shib)
• speling
• ssl* (see apache::mod::ssl)
• status* (see apache::mod::status)
• suphp
• userdir* (see apache::mod::userdir)
• version
• vhost_alias
• worker*
• wsgi (see apache::mod::wsgi)
• xsendfile

Modules noted with a * indicate that the module has settings and a template that includes parameters to configure the module. Most Apache module class parameters have default values and don't require configuration. For modules with templates, Puppet installs template files with the module; these template files are required for the module to work.

Class: apache::mod::alias

Installs and manages mod_alias.

Parameters:

• icons_options: Disables directory listings for the icons directory, via Apache Options directive.

  Default: 'Indexes MultiViews'.

• icons_path: Sets the local path for an /icons/ Alias.

  Default: Depends on operating system.

  • Debian: /usr/share/apache2/icons
  • FreeBSD: /usr/local/www/apache24/icons
  • Gentoo: /var/www/icons
  • *Red Hat**: /var/www/icons, except on Apache 2.4, where it's /usr/share/httpd/icons

Class: apache::mod::disk_cache

Installs and configures mod_disk_cache on Apache 2.2, or [mod_cache_disk][] on Apache 2.4.

Default: Depends on the Apache version and operating system:

• Debian: /var/cache/apache2/mod_cache_disk
• FreeBSD: /var/cache/mod_cache_disk
• Red Hat, Apache 2.4: /var/cache/httpd/proxy
• Red Hat, Apache 2.2: /var/cache/mod_proxy

To specify the cache root, pass a path as a string to the cache_root parameter.

class {'::apache::mod::disk_cache':
  cache_root => '/path/to/cache',
}

Class: apache::mod::diskio

Installs and configures [mod_diskio][].

class{'apache':
  default_mods => `false`,
  log_level    => 'dumpio:trace7',
}
class{'apache::mod::diskio':
  disk_io_input  => 'On',
  disk_io_output => 'Off',
}

Parameters:

• dump_io_input: Dump all input data to the error log.

  Values: 'On', 'Off'.

  Default: 'Off'.

• dump_io_output: Dump all output data to the error log.

  Values: 'On', 'Off'.

  Defaults to 'Off'.

Class: apache::mod::event

Installs and manages mod_mpm_event. You cannot include apache::mod::event with apache::mod::itk, apache::mod::peruser, apache::mod::prefork, or apache::mod::worker on the same server.

Parameters:

• listenbacklog: Sets the maximum length of the pending connections queue via the module's ListenBackLog directive. Setting this to false removes the parameter.

  Default: '511'.

• maxrequestworkers (Apache 2.3.12 or older: maxclients): Sets the maximum number of connections Apache can simultaneously process, via the module's MaxRequestWorkers directive. Setting these to false removes the parameters.

  Default: '150'.

• maxconnectionsperchild (Apache 2.3.8 or older: maxrequestsperchild): Limits the number of connections a child server handles during its life, via the module's MaxConnectionsPerChild directive. Setting these to false removes the parameters.

  Default: '0'.

• maxsparethreads and minsparethreads: Sets the maximum and minimum number of idle threads, via the MaxSpareThreads and MinSpareThreads directives. Setting these to false removes the parameters.

  Default: '75' and '25', respectively.

• serverlimit: Limits the configurable number of processes via the ServerLimit directive. Setting this to false removes the parameter.

  Default: '25'.

• startservers: Sets the number of child server processes created at startup, via the module's StartServers directive. Setting this to false removes the parameter.

  Default: '2'.

• threadlimit: Limits the number of event threads via the module's ThreadLimit directive. Setting this to false removes the parameter.

  Default: '64'.

• threadsperchild: Sets the number of threads created by each child process, via the ThreadsPerChild directive.

  Default: '25'. Setting this to false removes the parameter.

Class: apache::mod::auth_cas

Installs and manages mod_auth_cas. Parameters share names with the Apache module's directives.

The cas_login_url and cas_validate_url parameters are required; several other parameters have undef default values.

Note: The auth_cas module isn't available on RH/CentOS without providing dependency packages provided by EPEL. See https://github.com/Jasig/mod_auth_cas

Parameters:

• cas_attribute_prefix: Adds a header with the value of this header being the attribute values when SAML validation is enabled.

  Default: CAS_.

• cas_attribute_delimiter: The delimiter between attribute values in the header created by cas_attribute_prefix.

  Default: ,

• cas_authoritative: Determines whether an optional authorization directive is authoritative and binding.

  Default: undef.

• cas_certificate_path: Sets the path to the X509 certificate of the Certificate Authority for the server in cas_login_url and cas_validate_url.

  Default: undef.

• cas_cache_clean_interval: Sets the minimum number of seconds that must pass between cache cleanings.

  Default: undef.

• cas_cookie_domain: Sets the value of the Domain= parameter in the Set-Cookie HTTP header.

  Default: undef.

• cas_cookie_entropy: Sets the number of bytes to use when creating session identifiers.

  Default: undef.

• cas_cookie_http_only: Sets the optional HttpOnly flag when mod_auth_cas issues cookies.

  Default: undef.

• cas_cookie_path: Where cas cookie session data is stored. Should be writable by web server user.

  Default: OS dependent.

• cas_cookie_path_mode: The mode of cas_cookie_path.

  Default: '0750'.

• cas_debug: Determines whether to enable the module's debugging mode.

  Default: 'Off'.

• cas_idle_timeout: Sets the idle timeout limit, in seconds.

  Default: undef.

• cas_login_url: Required. Sets the URL to which the module redirects users when they attempt to access a CAS-protected resource and don't have an active session.

• cas_proxy_validate_url: The URL to use when performing a proxy validation.

  Default: undef.

• cas_root_proxied_as: Sets the URL end users see when access to this Apache server is proxied.

  Default: undef.

• cas_scrub_request_headers: Remove inbound request headers that may have special meaning within mod_auth_cas.

• cas_sso_enabled: Enables experimental support for single sign out (may mangle POST data).

  Default: 'Off'.

• cas_timeout: Limits the number of seconds a mod_auth_cas session can remain active.

  Default: undef.

• cas_validate_depth: Limits the depth for chained certificate validation.

  Default: undef.

• cas_validate_saml: Parse response from CAS server for SAML.

  Default: 'Off'.

• cas_validate_server: Whether to validate the cert of the CAS server (deprecated in 1.1 - RedHat 7).

  Default: undef.

• cas_validate_url: Required. Sets the URL to use when validating a client-presented ticket in an HTTP query string.

• cas_version: The CAS protocol version to adhere to. Values: '1', '2'.

  Default: '2'.

• suppress_warning: Suppress warning about being on RedHat (mod_auth_cas package is now available in epel-testing repo).

  Default: false.

Class: apache::mod::auth_mellon

Installs and manages mod_auth_mellon. Parameters share names with the Apache module's directives.

class{ 'apache::mod::auth_mellon':
  mellon_cache_size => 101,
}

Parameters:

• mellon_cache_entry_size: Maximum size for a single session.

  Default: undef.

• mellon_cache_size: Size in megabytes of the mellon cache.

  Default: 100.

• mellon_lock_file: Location of lock file.

  Default: '/run/mod_auth_mellon/lock'.

• mellon_post_directory: Full path where post requests are saved.

  Default: '/var/cache/apache2/mod_auth_mellon/'

• mellon_post_ttl: Time to keep post requests.

  Default: undef.

• mellon_post_size: Maximum size of post requests.

  Default: undef.

• mellon_post_count: Maximum number of post requests.

  Default: undef.

Class: apache::mod::authn_dbd

Installs mod_authn_dbd and uses authn_dbd.conf.erb template to generate its configuration. Optionally, creates AuthnProviderAlias.

class { 'apache::mod::authn_dbd':
  $authn_dbd_params =>
    'host=db01 port=3306 user=apache password=xxxxxx dbname=apacheauth',
  $authn_dbd_query  => 'SELECT password FROM authn WHERE user = %s',
  $authn_dbd_alias  => 'db_auth',
}

Parameters:

• authn_dbd_alias: Name for the 'AuthnProviderAlias'.

• authn_dbd_dbdriver: Specifies the database driver to use.

  Default: 'mysql'.

• authn_dbd_exptime: corresponds to DBDExptime.

  Default: 300.

• authn_dbd_keep: Corresponds to DBDKeep.

  Default: 8.

• authn_dbd_max: Corresponds to DBDMax.

  Default: 20.

• authn_dbd_min: Corresponds to DBDMin.

  Default: 4.

• authn_dbd_params: Required. Corresponds to DBDParams for the connection string.

• authn_dbd_query: Whether to query the user and password for authentication.

Class: apache::mod::authnz_ldap

Installs mod_authnz_ldap and uses the authnz_ldap.conf.erb template to generate its configuration.

Parameters:

• package_name: The name of the package.

  Default: undef.

• verify_server_cert: Whether to verify the server certificate.

  Default: undef.

Class: apache::mod::cluster

Note: There is no official package available for mod_cluster, so you must make it available outside of the apache module. Binaries can be found at http://mod-cluster.jboss.org/

class { '::apache::mod::cluster':
  ip                      => '172.17.0.1',
  allowed_network         => '172.17.0.',
  balancer_name           => 'mycluster',
  version                 => '1.3.1'
}

Parameters:

• port: mod_cluster listen port.

  Default: '6666'.

• server_advertise: Whether the server should advertise.

  Default: true.

• advertise_frequency: Sets the interval between advertise messages in seconds[.miliseconds].

  Default: 10.

• manager_allowed_network: Whether to allow the network to access the mod_cluster_manager.

  Default: '127.0.0.1'.

• keep_alive_timeout: Specifies how long Apache should wait for a request, in seconds.

  Default: 60.

• max_keep_alive_requests: Maximum number of requests kept alive.

  Default: 0.

• enable_mcpm_receive: Whether MCPM should be enabled.

  Default: true.

• ip: Specifies the IP address to listen to.

• allowed_network: Balanced members network.

• version: Specifies the mod_cluster version. Version 1.3.0 or greater is required for httpd 2.4.

Class: apache::mod::deflate

Installs and configures [mod_deflate][].

Parameters:

• types: An array of [MIME types][MIME `content*type`] to be deflated.

  Default: [ 'text/html text/plain text/xml', 'text/css', 'application/x*javascript application/javascript application/ecmascript', 'application/rss+xml', 'application/json' ].

• notes: A Hash where the key represents the type and the value represents the note name.

  Default: { 'Input' => 'instream', 'Output' => 'outstream', 'Ratio' => 'ratio' }.

Class: apache::mod::expires

Installs mod_expires and uses the expires.conf.erb template to generate its configuration.

Parameters:

• expires_active: Enables generation of Expires headers for a document realm.

  Boolean.

  Default: true.

• expires_default: Specifies the default algorithm for calculating expiration time using ExpiresByType syntax or interval syntax.

  Default: undef.

• expires_by_type: Describes a set of [MIME content*type][] and their expiration times.

  Values: An array of Hashes, with each Hash's key a valid MIME content*type (i.e. 'text/json') and its value following valid interval syntax.

  Default: undef.

Class: apache::mod::ext_filter

Installs and configures mod_ext_filter.

class { 'apache::mod::ext_filter':
  ext_filter_define => {
    'slowdown'       => 'mode=output cmd=/bin/cat preservescontentlength',
    'puppetdb-strip' => 'mode=output outtype=application/json cmd="pdb-resource-filter"',
  },
}

Parameters:

• ext_filter_define: A hash of filter names and their parameters.

  Default: undef.

Class: apache::mod::fcgid

Installs and configures mod_fcgid.

The class does not individually parameterize all available options. Instead, configure mod_fcgid using the options hash. For example:

class { 'apache::mod::fcgid':
  options => {
    'FcgidIPCDir'  => '/var/run/fcgidsock',
    'SharememPath' => '/var/run/fcgid_shm',
    'AddHandler'   => 'fcgid-script .fcgi',
  },
}

For a full list of options, see the official mod_fcgid documentation.

If you include apache::mod::fcgid, you can set the [FcgidWrapper][] per directory, per virtual host. The module must be loaded first; Puppet will not automatically enable it if you set the fcgiwrapper parameter in apache::vhost.

include apache::mod::fcgid

apache::vhost { 'example.org':
  docroot     => '/var/www/html',
  directories => {
    path        => '/var/www/html',
    fcgiwrapper => {
      command => '/usr/local/bin/fcgiwrapper',
    }
  },
}

Class: apache::mod::geoip

Installs and manages mod_geoip.

Parameters:

• db_file: Sets the path to your GeoIP database file.

  Values: a path, or an array paths for multiple GeoIP database files.

  Default: /usr/share/GeoIP/GeoIP.dat.

• enable: Determines whether to globally enable mod_geoip.

  Boolean.

  Default: false.

• flag: Sets the GeoIP flag.

  Values: 'CheckCache', 'IndexCache', 'MemoryCache', 'Standard'.

  Default: 'Standard'.

• output: Defines which output variables to use.

  Values: 'All', 'Env', 'Request', 'Notes'.

  Default: 'All'.

• enable_utf8: Changes the output from ISO88591 (Latin1) to UTF8.

  Boolean.

  Default: undef.

• scan_proxy_headers: Enables the GeoIPScanProxyHeaders option.

  Boolean.

  Default: undef.

• scan_proxy_header_field: Specifies the header mod_geoip uses to determine the client's IP address.

  Default: undef.

• use_last_xforwarededfor_ip (sic): Determines whether to use the first or last IP address for the client's IP in a comma-separated list of IP addresses is found.

  Boolean.

  Default: undef.

Class: apache::mod::info

Installs and manages mod_info, which provides a comprehensive overview of the server configuration.

Parameters:

• allow_from: Whitelist of IPv4 or IPv6 addresses or ranges that can access /server*info.

  Values: One or more octets of an IPv4 address, an IPv6 address or range, or an array of either.

  Default: ['127.0.0.1','::1'].

• apache_version: Apache's version number as a string, such as '2.2' or '2.4'.

  Default: The value of $::apache::apache_version.

• restrict_access: Determines whether to enable access restrictions. If false, the allow_from whitelist is ignored and any IP address can access /server*info.

  Boolean.

  Default: true.

Class: apache::mod::jk

Installs and manages mod_jk, a connector for Apache httpd redirection to old versions of TomCat and JBoss

Note: There is no official package available for mod_jk and thus it must be made available by means outside of the control of the apache module. Binaries can be found at Apache Tomcat Connectors download page

class { '::apache::mod::jk':
  ip           = '192.168.2.15',
  workers_file = 'conf/workers.properties',
  mount_file   = 'conf/uriworkermap.properties',
  shm_file     = 'run/jk.shm',
  shm_size     = '50M',
  $workers_file_content = {
    <Content>
  },
}

Parameters within apache::mod::jk:

The best source for understanding the mod_jk parameters is the official documentation, except for:

add_listen

Defines if a Listen directive according to parameters ip and port (see below), so that Apache listens to the IP/port combination and redirect to mod_jk. Useful when another Listen directive, like Listen *:<Port> or Listen <Port>, can conflict with the one necessary for mod_jk binding.

Type: Boolean Default: true

ip

IP for binding to mod_jk. Useful when the binding address is not the primary network interface IP.

Type: String Default: $facts['ipaddress']

port

Port for binding to mod_jk. Useful when something else, like a reverse proxy or cache, is receiving requests at port 80, then needs to forward them to Apache at a different port.

Type: String (numerical) Default: '80'

workers_file_content

Each directive has the format worker.<Worker name>.<Property>=<Value>. This maps as a hash of hashes, where the outer hash specifies workers, and each inner hash specifies each worker properties and values.
Plus, there are two global directives, 'worker.list' and 'worker.mantain'
For example, the workers file below:

worker.list = status
worker.list = some_name,other_name

worker.mantain = 60

# Optional comment
worker.some_name.type=ajp13
worker.some_name.socket_keepalive=true

# I just like comments
worker.other_name.type=ajp12 (why would you?)
worker.other_name.socket_keepalive=false

Should be parameterized as:

$workers_file_content = {
  worker_lists   => ['status', 'some_name,other_name'],
  worker_mantain => '60',
  some_name      => {
    comment          => 'Optional comment',
    type             => 'ajp13',
    socket_keepalive => 'true',
  },
  other_name     => {
    comment          => 'I just like comments',
    type             => 'ajp12',
    socket_keepalive => 'false',
  },
}

mount_file_content

Each directive has the format <URI> = <Worker name>. This maps as a hash of hashes, where the outer hash specifies workers, and each inner hash contains two items: uri_list - an array with URIs to be mapped to the worker - and comment - an optional string with a comment for the worker.
For example, the mount file below:

# Worker 1
/context_1/ = worker_1
/context_1/* = worker_1

# Worker 2
/ = worker_2
/context_2/ = worker_2
/context_2/* = worker_2

Should be parameterized as:

$mount_file_content = {
  worker_1 => {
    uri_list => ['/context_1/', '/context_1/*'],
    comment  => 'Worker 1',
  },
  worker_2 => {
    uri_list => ['/context_2/', '/context_2/*'],
    comment  => 'Worker 2',
  },
},

shm_file and log_file

Depending on how these files are specified, the class creates their final path differently:

• Relative path: prepends supplied path with logroot (see below)
• Absolute path or pipe: uses supplied path as-is

Examples (RHEL 6):

shm_file => 'shm_file'
# Ends up in
$shm_path = '/var/log/httpd/shm_file'

shm_file => '/run/shm_file'
# Ends up in
$shm_path = '/run/shm_file'

shm_file => '"|rotatelogs /var/log/httpd/mod_jk.log.%Y%m%d 86400 -180"'
# Ends up in
$shm_path = '"|rotatelogs /var/log/httpd/mod_jk.log.%Y%m%d 86400 -180"'

The default logroot is sane enough. Therefore, it is not recommended to specify absolute paths.

logroot

The base directory for shm_file and log_file is determined by the logroot parameter. If unspecified, defaults to apache::params::logroot.

The default logroot is sane enough. Therefore, it is not recommended to override it.

Class: apache::mod::passenger

Installs and manages mod_passenger. For Red Hat-based systems, ensure that you meet the minimum requirements described in the passenger docs.

Parameters:

• passenger_high_performance: Sets the PassengerHighPerformance.

  Values: 'On', 'Off'.

  Default: undef.

• passenger_pool_idle_time: Sets the PassengerPoolIdleTime.

  Default: undef.

• passenger_max_pool_size: Sets the PassengerMaxPoolSize.

  Default: undef.

• passenger_max_request_queue_size: Sets the PassengerMaxRequestQueueSize.

  Default: undef.

• passenger_max_requests: Sets the PassengerMaxRequests.

  Default: undef.

• passenger_data_buffer_dir: Sets the PassengerDataBufferDir.

  Default: undef.

Class: apache::mod::ldap

Installs and configures mod_ldap, and allows you to modify the LDAPTrustedGlobalCert Directive:

class { 'apache::mod::ldap':
  ldap_trusted_global_cert_file => '/etc/pki/tls/certs/ldap-trust.crt',
  ldap_trusted_global_cert_type => 'CA_DER',
  ldap_shared_cache_size        => '500000',
  ldap_cache_entries            => '1024',
  ldap_cache_ttl                => '600',
  ldap_opcache_entries          => '1024',
  ldap_opcache_ttl              => '600',
}

Parameters

• apache_version: Specifies the installed Apache version.

  Default: undef.

• ldap_trusted_global_cert_file: Specifies the path and file name of the trusted CA certificates to use when establishing SSL or TLS connections to an LDAP server.

• ldap_trusted_global_cert_type: Specifies the global trust certificate format.

  Default: 'CA_BASE64'.

• ldap_shared_cache_size: Specifies the size, in bytes, of the shared memory cache.

• ldap_cache_entries: Specifies the maximum number of entries in the primary LDAP cache.

• ldap_cache_ttl: Specifies the time, in seconds, that cached items remain valid.

• ldap_opcache_entries: Specifies the number of entries used to cache LDAP compare operations.

• ldap_opcache_ttl: Specifies the time, in seconds, that entries in the operation cache remain valid.

• package_name: Specifies the custom package name.

  Default: undef.

Class: apache::mod::negotiation

Installs and configures mod_negotiation.

Parameters:

• force_language_priority: Sets the ForceLanguagePriority option.

  Values: A string.

  Default: Prefer Fallback.

• language_priority: An array of languages to set the LanguagePriority option of the module.

  Default: [ 'en', 'ca', 'cs', 'da', 'de', 'el', 'eo', 'es', 'et', 'fr', 'he', 'hr', 'it', 'ja', 'ko', 'ltz', 'nl', 'nn', 'no', 'pl', 'pt', 'ptBR', 'ru', 'sv', 'zhCN', 'zh*TW' ]

Class: apache::mod::nss

An SSL provider for Apache using the NSS crypto libraries.

Parameters:

• transfer_log: path to access.log
• error_log: path to error.log
• passwd_file: path to file used for NSSPassPhraseDialog directive
• port: SSL port. Defaults to 8443

Class: apache::mod::pagespeed

Installs and manages mod_pagespeed, a Google module that rewrites web pages to reduce latency and bandwidth.

Although this apache module requires the mod-pagespeed-stable package, Puppet does not manage the software repositories required to automatically install the package. If you declare this class when the package is either not installed or not available to your package manager, your Puppet run will fail.

Note: Verify that your system is compatible with the latest Google Pagespeed requirements.

Parameters:

These parameters correspond to the module's directives. See the module's documentation for details.

• inherit_vhost_config: Default: 'on'.
• filter_xhtml: Default: false.
• cache_path: Default: '/var/cache/mod_pagespeed/'.
• log_dir: Default: '/var/log/pagespeed'.
• memcache_servers: Default: [].
• rewrite_level: Default: 'CoreFilters'.
• disable_filters: Default: [].
• enable_filters: Default: [].
• forbid_filters: Default: [].
• rewrite_deadline_per_flush_ms: Default: 10.
• additional_domains: Default: undef.
• file_cache_size_kb: Default: 102400.
• file_cache_clean_interval_ms: Default: 3600000.
• lru_cache_per_process: Default: 1024.
• lru_cache_byte_limit: Default: 16384.
• css_flatten_max_bytes: Default: 2048.
• css_inline_max_bytes: Default: 2048.
• css_image_inline_max_bytes: Default: 2048.
• image_inline_max_bytes: Default: 2048.
• js_inline_max_bytes: Default: 2048.
• css_outline_min_bytes: Default: 3000.
• js_outline_min_bytes: Default: 3000.
• inode_limit: Default: 500000.
• image_max_rewrites_at_once: Default: 8.
• num_rewrite_threads: Default: 4.
• num_expensive_rewrite_threads: Default: 4.
• collect_statistics: Default: 'on'.
• statistics_logging: Default: 'on'.
• allow_view_stats: Default: [].
• allow_pagespeed_console: Default: [].
• allow_pagespeed_message: Default: [].
• message_buffer_size: Default: 100000.
• additional_configuration: A hash of directive value pairs, or an array of lines to insert at the end of the pagespeed configuration. Default: '{ }'.

Class: apache::mod::passenger

Installs and configures mod_passenger.

Note: The passenger module isn't available on RH/CentOS without providing the dependency packages provided by EPEL and the mod_passengers custom repository. See the manage_repo parameter above and https://www.phusionpassenger.com/library/install/apache/install/oss/el7/

Parameters:

• passenger_conf_file: $::apache::params::passenger_conf_file
• passenger_conf_package_file: $::apache::params::passenger_conf_package_file`
• passenger_high_performance: Default: undef
• passenger_pool_idle_time: Default: undef
• passenger_max_request_queue_size: Default: undef
• passenger_max_requests: Default: undef
• passenger_spawn_method: Default: undef
• passenger_stat_throttle_rate: Default: undef
• rack_autodetect: Default: undef
• rails_autodetect: Default: undef
• passenger_root : $::apache::params::passenger_root
• passenger_ruby : $::apache::params::passenger_ruby
• passenger_default_ruby: $::apache::params::passenger_default_ruby
• passenger_max_pool_size: Default: undef
• passenger_min_instances: Default: undef
• passenger_max_instances_per_app: Default: undef
• passenger_use_global_queue: Default: undef
• passenger_app_env: Default: undef
• passenger_log_file: Default: undef
• passenger_log_level: Default: undef
• passenger_data_buffer_dir: Default: undef
• manage_repo: Whether to manage the phusionpassenger.com repository. Default: true.
• mod_package: Default: undef.
• mod_package_ensure: Default: undef.
• mod_lib: Default: undef.
• mod_lib_path: Default: undef.
• mod_id: Default: undef.
• mod_path: Default: undef.

Class: apache::mod::proxy

Installs mod_proxy and uses the proxy.conf.erb template to generate its configuration.

Parameters within apache::mod::proxy:

• allow_from: Default: undef.
• apache_version: Default: undef.
• package_name: Default: undef.
• proxy_requests: Default: 'Off'.
• proxy_via: Default: 'On'.

Class: apache::mod::proxy_balancer

Installs and manages mod_proxy_balancer, which provides load balancing.

Parameters:

• manager: Determines whether to enable balancer manager support.

  Default: false.

• manager_path: The server location of the balancer manager.

  Default: '/balancer*manager'.

• allow_from: An array of IPv4 or IPv6 addresses that can access /balancer*manager.

  Default: ['127.0.0.1','::1'].

• apache_version: Apache's version number as a string, such as '2.2' or '2.4'.

  Default: the value of $::apache::apache_version. On Apache 2.4 or greater, mod_slotmem_shm is loaded.

Class: apache::mod::php

Installs and configures mod_php.

Parameters:

Default values for these parameters depend on your operating system. Most of this class's parameters correspond to mod_php directives; see the module's documentation for details.

• package_name: Names the package that installs mod_php.
• path: Defines the path to the mod_php shared object (.so) file.
• source: Defines the path to the default configuration. Values include a puppet:/// path.
• template: Defines the path to the php.conf template Puppet uses to generate the configuration file.
• content: Adds arbitrary content to php.conf.

Class: apache::mod::proxy_html

Note: There is no official package available for mod_proxy_html, so you must make it available outside of the apache module.

Class: apache::mod::reqtimeout

Installs and configures mod_reqtimeout.

Parameters

• timeouts: Sets the RequestReadTimeout option.

  Values: A string or array.

  Default: ['header=20-40,MinRate=500', 'body=20,MinRate=500'].

Class: apache::mod::rewrite

Installs and enables the Apache module mod_rewrite.

Class: apache::mod::shib

Installs the Shibboleth Apache module mod_shib, which enables SAML2 single sign-on (SSO) authentication by Shibboleth Identity Providers and Shibboleth Federations. Defining this class enables Shibboleth-specific parameters in apache::vhost instances.

This class installs and configures only the Apache components of a web application that consumes Shibboleth SSO identities. You can manage the Shibboleth configuration manually, with Puppet, or using a Shibboleth Puppet Module.

Note: The shibboleth module isn't available on RH/CentOS without providing dependency packages provided by Shibboleth's repositories. See http://wiki.aaf.edu.au/tech-info/sp-install-guide

Class: apache::mod::ssl

Installs Apache SSL features and uses the ssl.conf.erb template to generate its configuration. On most operating systems, this ssl.conf is placed in the module configuration directory. On Red Hat-based operating systems, this file is placed in /etc/httpd/conf.d, the same location in which the RPM stores the configuration.

To use SSL with a virtual host, you must either set the default_ssl_vhost parameter in ::apache to true or the ssl parameter in apache::vhost to true.

• ssl_cipher: Default: 'HIGH:MEDIUM:!aNULL:!MD5:!RC4'.
• ssl_compression: Default: false.
• ssl_cryptodevice: Default: 'builtin'.
• ssl_honorcipherorder: Default: true.
• ssl_openssl_conf_cmd: Default: undef.
• ssl_options: Default: [ 'StdEnvVars' ]
• ssl_pass_phrase_dialog: Default: 'builtin'.
• ssl_protocol: Default: [ 'all', '-SSLv2', '-SSLv3' ].
• ssl_proxy_protocol: Default: [].
• ssl_random_seed_bytes: Valid options: A string. Default: '512'.
• ssl_sessioncache: Valid options: A string. Default: '300'.
• ssl_sessioncachetimeout: Valid options: A string. Default: '300'.
• ssl_mutex: Default: Determined based on the OS. Valid options: See [mod_ssl][mod_ssl] documentation.
  • RedHat/FreeBSD/Suse/Gentoo: 'default'
  • Debian/Ubuntu + Apache >= 2.4: 'default'
  • Debian/Ubuntu + Apache < 2.4: 'file:\${APACHE_RUN_DIR}/ssl_mutex' **Parameters:

• ssl_cipher

  Default: 'HIGH:MEDIUM:!aNULL:!MD5:!RC4'.

• ssl_compression

  Default: false.

• ssl_cryptodevice

  Default: 'builtin'.

• ssl_honorcipherorder

  Default: true.

• ssl_openssl_conf_cmd

  Default: undef.

• ssl_options

  Default: [ 'StdEnvVars' ]

• ssl_pass_phrase_dialog

  Default: 'builtin'.

• ssl_protocol

  Default: [ 'all', 'SSLv2', 'SSLv3' ].

• ssl_random_seed_bytes

  Values: A string.

  Default: '512'.

• ssl_sessioncachetimeout

  Values: A string.

  Default: '300'.

• ssl_mutex:

  Values: See [mod_ssl][mod_ssl] documentation.

  Default: Based on the OS:

  • RedHat/FreeBSD/Suse/Gentoo: 'default'.
  • Debian/Ubuntu + Apache >= 2.4: 'default'.
  • Debian/Ubuntu + Apache < 2.4: 'file:\${APACHE_RUN_DIR}/ssl_mutex'.
  • Ubuntu 10.04: 'file:/var/run/apache2/ssl_mutex'.

Class: apache::mod::status

Installs mod_status and uses the status.conf.erb template to generate its configuration.

Parameters:

• allow_from: An array of IPv4 or IPv6 addresses that can access /server-status.

  Default: ['127.0.0.1','::1'].

• extended_status: Determines whether to track extended status information for each request, via the ExtendedStatus directive.

  Values: 'Off', 'On'.

  Default: 'On'.

• status_path: The server location of the status page.

  Default: '/server-status'.

Class: apache::mod::userdir

Allows user-specific directories to be accessed using the http://example.com/~user/ syntax. All parameters can be found in in the official Apache documentation.

Parameters:

• overrides: An array of directive-types.

  Default: '[ 'FileInfo', 'AuthConfig', 'Limit', 'Indexes' ]'.

Class: apache::mod::version

Installs mod_version on many operating systems and Apache configurations.

If Debian and Ubuntu systems with Apache 2.4 are classified with apache::mod::version, Puppet warns that mod_version is built-in and can't be loaded.

Class: apache::mod::security

Installs and configures Trustwave's mod_security. It is enabled and runs by default on all virtual hosts.

Parameters:

• activated_rules: An array of rules from the modsec_crs_path or absolute to activate via symlinks.

• allowed_methods: A space*separated list of allowed HTTP methods.

  Default: 'GET HEAD POST OPTIONS'.

• content_types: A list of one or more allowed [MIME types][MIME `content*type`].

  Default: 'application/xwwwformurlencoded|multipart/formdata|text/xml|application/xml|application/x*amf'.

• crs_package: Names the package that installs CRS rules.

  Default: modsec_crs_package in apache::params.

• manage_security_crs: Manage security_crs.conf rules file.

  Default: true.

• modsec_dir: Defines the path where Puppet installs the modsec configuration and activated rules links.

  Default: 'On', set by modsec_dir in apache::params. ${modsec_dir}/activated_rules.

• modsec_secruleengine: Configures the modsec rules engine. Values: 'On', 'Off', and 'DetectionOnly'.

  Default: modsec_secruleengine in apache::params.

• restricted_extensions: A space*separated list of prohibited file extensions.

  Default: '.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'.

• restricted_headers: A list of restricted headers separated by slashes and spaces.

  Default: 'ProxyConnection/ /LockToken/ /Content*Range/ /Translate/ /via/ /if/'.

• secdefaultaction: Configures the Mode of Operation, Self-Contained ('deny') or Collaborative Detection ('pass'), for the OWASP ModSecurity Core Rule Set.

  Default: 'deny'. You can also set full values, such as "log,auditlog,deny,status:406,tag:'SLA 24/7'".

• secpcrematchlimit: Sets the number for the match limit in the PCRE library.

  Default: 1500.

• secpcrematchlimitrecursion: Sets the number for the match limit recursion in the PCRE library.

  Default: 1500.

• logroot: Configures the location of audit and debug logs.

  Defaults to the Apache log directory (Redhat: /var/log/httpd, Debian: /var/log/apache2).

• audit_log_releavant_status: Configures which response status code is to be considered relevant for the purpose of audit logging.

  Default: '^(?:5|4(?!04))'.

• audit_log_parts: Sets the sections to be put in the audit log.

  Default: 'ABIJDEFHZ'.

• anomaly_score_blocking: Activates or deactivates the Collaborative Detection Blocking of the OWASP ModSecurity Core Rule Set.

  Default: 'off'.

• inbound_anomaly_threshold: Sets the scoring threshold level of the inbound blocking rules for the Collaborative Detection Mode in the OWASP ModSecurity Core Rule Set.

  Default: 5.

• outbound_anomaly_threshold: Sets the scoring threshold level of the outbound blocking rules for the Collaborative Detection Mode in the OWASP ModSecurity Core Rule Set.

  Default: 4.

• critical_anomaly_score: Sets the scoring points of the critical severity level for the Collaborative Detection Mode in the OWASP ModSecurity Core Rule Set.

  Default: 5.

• error_anomaly_score: Sets the scoring points of the error severity level for the Collaborative Detection Mode in the OWASP ModSecurity Core Rule Set.

  Default: 4.

• warning_anomaly_score: Sets the scoring points of the warning severity level for the Collaborative Detection Mode in the OWASP ModSecurity Core Rule Set.

  Default: 3.

• notice_anomaly_score: Sets the scoring points of the notice severity level for the Collaborative Detection Mode in the OWASP ModSecurity Core Rule Set.

Default: 2.

• secrequestmaxnumargs: Sets the Maximum number of arguments in the request.

  Default: 255.

• secrequestbodylimit: Sets the maximum request body size ModSecurity accepts for buffering.

  Default: '13107200'.

• secrequestbodynofileslimit: Sets the maximum request body size ModSecurity accepts for buffering, excluding the size of any files being transported in the request.

  Default: '131072'.

• secrequestbodyinmemorylimit: Sets the maximum request body size that ModSecurity stores in memory.

  Default: '131072'

Class: apache::mod::wsgi

Enables Python support via mod_wsgi.

Parameters:

• mod_path: Defines the path to the mod_wsgi shared object (.so) file.

  Default: undef.