hx_website
Version information
This version is compatible with:
Start using this module
Add this module to your Puppetfile:
mod 'pieterdp-hx_website', '1.0.6'Learn more about managing modules with a PuppetfileDocumentation
hx_website
Table of Contents
Description
Setting up websites is a time-consuming process. This module attempts to make it easier by preconfiguring the Apache HTTP Web Server and optionally configuring the website to use Let's Encrypt certificates.
This module will install and configure the Apache web server and configure any website you define using hx_website::website by creating a new name-based Virtual Host. Optionally, it will also take care of installing new Let's Encrypt certificates.
Setup
What hx_website affects
- This module uses the puppetlabs-apache-module, so it will automatically purge all (Apache) configuration files not managed by Puppet. It will not be possible to create your own Virtual Hosts, unless you disable the module first.
Beginning with hx_website
The module consists of two parts: hx_website which will do some configuration checks and hx_website::website which will configure your website.
The most simple configuration is:
class {'hx_website': }
Creating a website is done by using the defined type hx_website::website:
hx_website::website { 'www.example.org':
vhost_data => {
servername => 'www.example.org',
port => '80',
docroot => '/var/www/www.example.org/html',
docroot_owner => 'www-data',
docroot_group => 'www-data',
}
}
This will configure an Apache Virtual Host listening on port 80 for any requests to www.example.org, using /var/www/www.example.org/html as docroot.
Usage
Virtual Hosts
vhost_data is passed directly to apache::vhost. All valid parameters for that class can appear in vhost_data.
hx_website::website creates name-based virtual hosts. Two websites can have the same vhost_data['servername'], provided the vhost_data['port'] parameter is different. This can be used to create two hx_website::website, one HTTP version that redirects to a HTTPS version. This can be done automatically however.
SSL
To configure SSL-based virtual hosts, you can set either use_letsencrypt to true (see below) or provide the certificates manually. Note that, if you set use_letsencrypt, it will only request certificates when it encounters vhost_data['port'] == 443.
In a lot of cases, you want to redirect any traffic for the non-encrypted site (e.g. http://www.example.org) to the encrypted one (i.e. https://www.example.org). This can be done automatically, if you set configure_redirect to true. A new Virtual Host will be created which will redirect all non-encrypted traffic to a HTTPS-version of the vhost_data['servername'] parameter.
Let's Encrypt
It is possible to automatically configure Let's Encrypt, but it comes with some caveats.
After you enable use_letsencrypt, but before your first run, you must provide a certificate (it can be the snake-oil certificate) at the location you specified in vhost_data (on the client). Otherwise, the Apache web server won't start and letsencrypt will fail because it can't check your secret. After the first run and after the certificate has been assigned, it will automatically use the Let's Encrypt-provided one.
Reference
Class hx_website
The base class, that must be included and/or configured before you can use hx_website::website.
Parameters
-
configure_redirect(defaultfalse): if you provide a website that is HTTPS (port 443), should we create a redirect from the HTTP version to the HTTPS version. -
maintainer(defaulthostname@domain): required for Let's Encrypt: an email address to send expiration notices to. Set this to a working email address if you want to receive them, keep at the default if that isn't necessary. -
set_default_headers(defaultfalse): insert thealways set Referrer-Policy "strict-origin-when-cross-origin"andalways set Strict-Transport-Security "max-age=63072000;includeSubdomains;"(only for HTTPS hosts) headers. -
set_default_docroot(defaultfalse): automatically insert the<Directory>configuration for the docroot. SetsIndexes,FollowSymLinksandAllowOverride All.
Defined type hx_website::website
Configure a website. It will configure an apache Virtual host, and optionally configure Let's Encrypt. Note that you must have a temporary certificate in place at vhost_data['ssl_cert'] and vhost_data['ssl_key'] before you attempt to run Puppet if you want a Let's Encrypt certificate. This is because the webserver must be running before a certificate can be requested, and the server will only run if the certificate referred to in the configuration file is already present.
If you don't want Let's Encrypt, you can provide your own certificate. This can be either a certificate present on the Puppet master (recommended) or one on the client. Use cert_loc and key_loc to specify where it is. Both parameters accept the same settings the source parameter of the file type uses (as cert_loc and key_loc are passed directly to file->source, this should not come as a surprise). If you specified vhost_data['ssl_ca'], you can specify ca_loc, which will then be used to copy the CA certificate to the ca_loc location.
Parameters
-
vhost_data: hash of key-value pairs that is passed directly toapache::vhost. Must contain all required parameters forapache::vhostand can contain aything this module accepts. It must contain aservernameandportparameter forhx_website::websiteto function however. If you use SSL, you must use port 443 and setssl_certandssl_key(and even optionallyssl_ca). -
use_letsencrypt(default:false): request a Let's Encrypt certificate. A certificate must be present on the system before requesting a new certificate. Renewal is handled automatically. The root certificate is downloaded, but if you want to use it with your website, you must setvhost_data['ssl_ca']to/etc/ssl/certs/lets-encrypt-x3-cross-signed.pem. -
cert_loc(optional, required only ifuse_letsencryptis set tofalseandvhost_data['port']is set to443): location of the certificate file that will be copied to the location referred to invhost_data['ssl_cert']. Accepts the same syntax asfile->source. -
key_loc(optional, required only ifuse_letsencryptis set tofalseandvhost_data['port']is set to443): location of the key file that will be copied to the location referred to invhost_data['ssl_key']. Accepts the same syntax asfile->source.
Under-the-hood classes
-
hx_website::config::vhost: backend class forhx_website::website. Accepts the same parameters. -
hx_website::config::ssl::letsencrypt: configure Let's Encrypt. Accepts no parameters.
Limitations
This module was tested on Ubuntu 14.04, but should work with all Ubuntu versions. Only works for Apache >= 2.4.
Development
Pull requests welcome at https://github.com/pieterdp/hx_website.
Types in this module release
Release 1.0.5
Summary
- Added autoconfiguration for docroot directories.
- Added default headers.
- Removed dependency on hx_apache.
Release 1.0.4
Summary
This release fixes a grave bug with letsencrypt.
Bugfixes
- Fixes bug where config::ssl::letsencrypt would not be included.
Release 1.0.3
Summary
This release fixes some bugs and updates the documentation.
Bugfixes
- Remove unused parameter
ca_locfrom documentation. - Fixes bug where vhost redirects would ignore serveraliases.
Dependencies
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files.
"Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work.
2. Grant of Copyright License.
Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form.
3. Grant of Patent License.
Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed.
4. Redistribution.
You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions:
You must give any other recipients of the Work or Derivative Works a copy of this License; and
You must cause any modified files to carry prominent notices stating that You changed the files; and
You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and
If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License.
You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License.
5. Submission of Contributions.
Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions.
6. Trademarks.
This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty.
Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License.
8. Limitation of Liability.
In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability.
While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS