apache
Version information
This version is compatible with:
- Puppet Enterprise 3.x
- Puppet 3.x
Start using this module
Add this module to your Puppetfile:
```ruby
mod 'puppetlabs-apache', '1.4.0'
```
#apache
####Table of Contents
- Overview - What is the apache module?
- Module Description - What does the module do?
- Setup - The basics of getting started with apache
- Usage - The classes and defined types available for configuration
- Classes and Defined Types
- Class: apache
- Defined Type: apache::custom_config
- Class: apache::default_mods
- Defined Type: apache::mod
- Classes: apache::mod::*
- Class: apache::mod::alias
- Class: apache::mod::event
- Class: apache::mod::info
- Class: apache::mod::pagespeed
- Class: apache::mod::php
- Class: apache::mod::ssl
- Class: apache::mod::status
- Class: apache::mod::wsgi
- Class: apache::mod::fcgid
- Class: apache::mod::negotiation
- Class: apache::mod::deflate
- Class: apache::mod::reqtimeout
- Class: apache::mod::security
- Class: apache::mod::version
- Defined Type: apache::vhost
- Parameter: `directories` for apache::vhost
- SSL parameters for apache::vhost
- Defined Type: apache::fastcgi::server
- Virtual Host Examples - Demonstrations of some configuration options
- Load Balancing
- Classes and Defined Types
- Reference - An under-the-hood peek at what the module is doing and how
- Limitations - OS compatibility, etc.
- Development - Guide for contributing to the module
##Overview
The apache module allows you to set up virtual hosts and manage web services with minimal effort.
##Module Description
Apache is a widely-used web server, and this module provides a simplified way of creating configurations to manage your infrastructure. This includes the ability to configure and manage a range of different virtual host setups, as well as a streamlined way to install and configure Apache modules.
##Setup
What apache affects:
- configuration files and directories (created and written to)
- WARNING: Configurations that are not managed by Puppet will be purged.
- package/service/configuration files for Apache
- Apache modules
- virtual hosts
- listened-to ports
- `/etc/make.conf` on FreeBSD and Gentoo
- depends on module 'gentoo/puppet-portage' for Gentoo
###Beginning with Apache
To install Apache with the default parameters:
```puppet
class { 'apache': }
```
The defaults are determined by your operating system (e.g. Debian systems have one set of defaults, and RedHat systems have another, as do FreeBSD and Gentoo systems). These defaults work well in a testing environment, but are not suggested for production. To establish customized parameters:
```puppet
class { 'apache':
  default_mods        => false,
  default_confd_files => false,
}
```
###Configure a virtual host
Declaring the `apache` class creates a default virtual host by setting up a vhost on port 80, listening on all interfaces and serving `$apache::docroot`.
```puppet
class { 'apache': }
```
To configure a very basic, name-based virtual host:
```puppet
apache::vhost { 'first.example.com':
  port    => '80',
  docroot => '/var/www/first',
}
```
Note: The default priority is 15. If nothing matches this priority, the alphabetically first name-based vhost is used. This is also true if you pass a higher priority and no names match anything else.
A slightly more complicated example changes the docroot owner/group from the default 'root':
```puppet
apache::vhost { 'second.example.com':
  port          => '80',
  docroot       => '/var/www/second',
  docroot_owner => 'third',
  docroot_group => 'third',
}
```
To set up a virtual host with SSL and default SSL certificates:
```puppet
apache::vhost { 'ssl.example.com':
  port    => '443',
  docroot => '/var/www/ssl',
  ssl     => true,
}
```
To set up a virtual host with SSL and specific SSL certificates:
```puppet
apache::vhost { 'fourth.example.com':
  port     => '443',
  docroot  => '/var/www/fourth',
  ssl      => true,
  ssl_cert => '/etc/ssl/fourth.example.com.cert',
  ssl_key  => '/etc/ssl/fourth.example.com.key',
}
```
Virtual hosts listen on '*' by default. To listen on a specific IP address:
```puppet
apache::vhost { 'subdomain.example.com':
  ip      => '127.0.0.1',
  port    => '80',
  docroot => '/var/www/subdomain',
}
```
To set up a virtual host with a wildcard alias for the subdomain mapped to a same-named directory, for example: `http://example.com.loc` to `/var/www/example.com`:
```puppet
apache::vhost { 'subdomain.loc':
  vhost_name      => '*',
  port            => '80',
  virtual_docroot => '/var/www/%-2+',
  docroot         => '/var/www',
  serveraliases   => ['*.loc',],
}
```
To set up a virtual host with suPHP:
```puppet
apache::vhost { 'suphp.example.com':
  port             => '80',
  docroot          => '/home/appuser/myphpapp',
  suphp_addhandler => 'x-httpd-php',
  suphp_engine     => 'on',
  suphp_configpath => '/etc/php5/apache2',
  directories      => { path => '/home/appuser/myphpapp',
    'suphp' => { user => 'myappuser', group => 'myappgroup' },
  }
}
```
To set up a virtual host with WSGI:
```puppet
apache::vhost { 'wsgi.example.com':
  port                        => '80',
  docroot                     => '/var/www/pythonapp',
  wsgi_application_group      => '%{GLOBAL}',
  wsgi_daemon_process         => 'wsgi',
  wsgi_daemon_process_options => {
    processes    => '2',
    threads      => '15',
    display-name => '%{GROUP}',
  },
  wsgi_import_script          => '/var/www/demo.wsgi',
  wsgi_import_script_options  =>
    { process-group => 'wsgi', application-group => '%{GLOBAL}' },
  wsgi_process_group          => 'wsgi',
  wsgi_script_aliases         => { '/' => '/var/www/demo.wsgi' },
}
```
Starting in Apache 2.2.16, HTTPD supports FallbackResource, a simple replacement for common RewriteRules.
```puppet
apache::vhost { 'wordpress.example.com':
  port             => '80',
  docroot          => '/var/www/wordpress',
  fallbackresource => '/index.php',
}
```
Please note that the 'disabled' argument to FallbackResource is only supported since Apache 2.2.24.
See a list of all virtual host parameters. See an extensive list of virtual host examples.
##Usage
###Classes and Defined Types
This module modifies Apache configuration files and directories and purges any configuration not managed by Puppet. Configuration of Apache should be managed by Puppet, as non-Puppet configuration files can cause unexpected failures.
It is possible to temporarily disable full Puppet management by setting the `purge_configs` parameter within the base `apache` class to 'false'. This option should only be used as a temporary means of saving and relocating customized configurations. See the `purge_configs` parameter for more information.
####Class: apache
The apache module's primary class, `apache`, guides the basic setup of Apache on your system.
You can establish a default vhost in this class, the `vhost` class, or both. You can add additional vhost configurations for specific virtual hosts using a declaration of the `vhost` type.
Parameters within `apache`:
#####allow_encoded_slashes
This sets the server default for the `AllowEncodedSlashes` declaration which modifies the responses to URLs with `\` and `/` characters. The default is undefined, which omits the declaration from the server configuration and selects the Apache default setting of `Off`. Allowed values are: `on`, `off` or `nodecode`.
#####apache_version
Configures the behavior of the module templates, package names, and default mods by setting the Apache version. Default is determined by the class `apache::version` using the OS family and release. It should not be configured manually without special reason.
#####conf_dir
Changes the location of the configuration directory the main configuration file is placed in. Defaults to '/etc/httpd/conf' on RedHat, '/etc/apache2' on Debian, '/usr/local/etc/apache22' on FreeBSD, and '/etc/apache2' on Gentoo.
#####confd_dir
Changes the location of the configuration directory your custom configuration files are placed in. Defaults to '/etc/httpd/conf' on RedHat, '/etc/apache2/conf.d' on Debian, '/usr/local/etc/apache22' on FreeBSD, and '/etc/apache2/conf.d' on Gentoo.
#####conf_template
Overrides the template used for the main apache configuration file. Defaults to 'apache/httpd.conf.erb'.
Note: Using this parameter is potentially risky, as the module has been built for a minimal configuration file with the configuration primarily coming from conf.d/ entries.
#####default_charset
If defined, the value will be set as `AddDefaultCharset` in the main configuration file. It is undefined by default.
#####default_confd_files
Generates a default set of include-able Apache configuration files under the `${apache::confd_dir}` directory. These configuration files correspond to what is usually installed with the Apache package on a given platform.
#####default_mods
Sets up Apache with default settings based on your OS. Valid values are 'true', 'false', or an array of mod names.
Defaults to 'true', which includes the default HTTPD mods.
If false, it only includes the mods required to make HTTPD work, and any other mods can be declared on their own.
If an array, the apache module includes the array of mods listed.
#####default_ssl_ca
The default certificate authority, which is automatically set to 'undef'. This default works out of the box but must be updated with your specific certificate information before being used in production.
#####default_ssl_cert
The default SSL certification, which is automatically set based on your operating system ('/etc/pki/tls/certs/localhost.crt' for RedHat, '/etc/ssl/certs/ssl-cert-snakeoil.pem' for Debian, '/usr/local/etc/apache22/server.crt' for FreeBSD, and '/etc/ssl/apache2/server.crt' for Gentoo). This default works out of the box but must be updated with your specific certificate information before being used in production.
#####default_ssl_chain
The default SSL chain, which is automatically set to 'undef'. This default works out of the box but must be updated with your specific certificate information before being used in production.
#####default_ssl_crl
The default certificate revocation list to use, which is automatically set to 'undef'. This default works out of the box but must be updated with your specific certificate information before being used in production.
#####default_ssl_crl_path
The default certificate revocation list path, which is automatically set to 'undef'. This default works out of the box but must be updated with your specific certificate information before being used in production.
#####default_ssl_crl_check
Sets the default certificate revocation check level via the SSLCARevocationCheck directive, which is automatically set to 'undef'. This default works out of the box but must be specified when using CRLs in production. Only applicable to Apache 2.4 or higher, the value is ignored on older versions.
#####default_ssl_key
The default SSL key, which is automatically set based on your operating system ('/etc/pki/tls/private/localhost.key' for RedHat, '/etc/ssl/private/ssl-cert-snakeoil.key' for Debian, '/usr/local/etc/apache22/server.key' for FreeBSD, and '/etc/ssl/apache2/server.key' for Gentoo). This default works out of the box but must be updated with your specific certificate information before being used in production.
#####default_ssl_vhost
Sets up a default SSL virtual host. Defaults to 'false'. If set to 'true', sets up the following vhost:
```puppet
apache::vhost { 'default-ssl':
  port            => 443,
  ssl             => true,
  docroot         => $docroot,
  scriptalias     => $scriptalias,
  serveradmin     => $serveradmin,
  access_log_file => "ssl_${access_log_file}",
}
```
SSL vhosts only respond to HTTPS queries.
#####default_type
(Apache httpd 2.2 only) MIME content-type that will be sent if the server cannot determine a type in any other way. This directive has been deprecated in Apache httpd 2.4, and only exists there for backwards compatibility of configuration files.
#####default_vhost
Sets up a default virtual host. Defaults to 'true'; set to 'false' to set up customized virtual hosts.
#####docroot
Changes the location of the default Documentroot. Defaults to '/var/www/html' on RedHat, '/var/www' on Debian, '/usr/local/www/apache22/data' on FreeBSD, and '/var/www/localhost/htdocs' on Gentoo.
#####error_documents
Enables custom error documents. Defaults to 'false'.
#####httpd_dir
Changes the base location of the configuration directories used for the apache service. This is useful for specially repackaged HTTPD builds, but might have unintended consequences when used in combination with the default distribution packages. Defaults to '/etc/httpd' on RedHat, '/etc/apache2' on Debian, '/usr/local/etc/apache22' on FreeBSD, and '/etc/apache2' on Gentoo.
#####keepalive
Enables persistent connections.
#####keepalive_timeout
Sets the amount of time the server waits for subsequent requests on a persistent connection. Defaults to '15'.
#####max_keepalive_requests
Sets the limit of the number of requests allowed per connection when KeepAlive is on. Defaults to '100'.
#####loadfile_name
Sets the file name for the module loadfile. Should be in the format *.load. This can be used to set the module load order.
#####log_level
Changes the verbosity level of the error log. Defaults to 'warn'. Valid values are 'emerg', 'alert', 'crit', 'error', 'warn', 'notice', 'info', or 'debug'.
#####log_formats
Define additional LogFormats. This is done in a Hash:
```puppet
$log_formats = { vhost_common => '%v %h %l %u %t \"%r\" %>s %b' }
```
#####logroot
Changes the directory where Apache log files for the virtual host are placed. Defaults to '/var/log/httpd' on RedHat, '/var/log/apache2' on Debian, '/var/log/apache22' on FreeBSD, and '/var/log/apache2' on Gentoo.
#####logroot_mode
Overrides the mode the default logroot directory is set to ($::apache::logroot). Defaults to undef. Do NOT give people write access to the directory the logs are stored in without being aware of the consequences; see http://httpd.apache.org/docs/2.4/logs.html#security for details.
#####manage_group
Setting this to 'false' stops the group resource from being created. This is for when you have a group, created from another Puppet module, you want to use to run Apache. Without this parameter, attempting to use a previously established group would result in a duplicate resource error.
#####manage_user
Setting this to 'false' stops the user resource from being created. This is for instances when you have a user, created from another Puppet module, you want to use to run Apache. Without this parameter, attempting to use a previously established user would result in a duplicate resource error.
#####mod_dir
Changes the location of the configuration directory your Apache modules configuration files are placed in. Defaults to '/etc/httpd/conf.d' for RedHat, '/etc/apache2/mods-available' for Debian, '/usr/local/etc/apache22/Modules' for FreeBSD, and '/etc/apache2/modules.d' on Gentoo.
#####mpm_module
Determines which MPM is loaded and configured for the HTTPD process. Valid values are 'event', 'itk', 'peruser', 'prefork', 'worker', or 'false'. Defaults to 'prefork' on RedHat, FreeBSD and Gentoo, and 'worker' on Debian. Must be set to 'false' to explicitly declare the following classes with custom parameters:
- `apache::mod::event`
- `apache::mod::itk`
- `apache::mod::peruser`
- `apache::mod::prefork`
- `apache::mod::worker`
Note: Switching between different MPMs on FreeBSD is possible but quite difficult. Before changing `$mpm_module` you must uninstall all packages that depend on your currently-installed Apache.
#####package_ensure
Allows control over the package ensure attribute. Can be 'present', 'absent', or a version string.
#####ports_file
Changes the name of the file containing Apache ports configuration. Default is `${conf_dir}/ports.conf`.
#####purge_configs
Removes all other Apache configs and vhosts. Defaults to 'true'. Setting this to 'false' is a stopgap measure to allow the apache module to coexist with existing or otherwise-managed configuration. It is recommended that you move your configuration entirely to resources within this module.
#####purge_vhost_configs
If `vhost_dir` != `confd_dir`, this controls the removal of any configurations that are not managed by Puppet within `vhost_dir`. It defaults to the value of `purge_configs`. Setting this to false is a stopgap measure to allow the apache module to coexist with existing or otherwise unmanaged configurations within `vhost_dir`.
#####sendfile
Makes Apache use the Linux kernel sendfile to serve static files. Defaults to 'On'.
#####serveradmin
Sets the server administrator. Defaults to 'root@localhost'.
#####servername
Sets the server name. Defaults to `fqdn` provided by Facter.
#####server_root
Sets the root directory in which the server resides. Defaults to '/etc/httpd' on RedHat, '/etc/apache2' on Debian, '/usr/local' on FreeBSD, and '/var/www' on Gentoo.
#####server_signature
Configures a trailing footer line under server-generated documents. More information about ServerSignature. Defaults to 'On'.
#####server_tokens
Controls how much information Apache sends to the browser about itself and the operating system. More information about ServerTokens. Defaults to 'OS'.
#####service_enable
Determines whether the HTTPD service is enabled when the machine is booted. Defaults to 'true'.
#####service_ensure
Determines whether the service should be running. Valid values are 'true', 'false', 'running', or 'stopped' when Puppet should manage the service. Any other value sets ensure to 'false' for the Apache service, which is useful when you want to let the service be managed by some other application like Pacemaker. Defaults to 'running'.
#####service_name
Name of the Apache service to run. Defaults to: 'httpd' on RedHat, 'apache2' on Debian and Gentoo, and 'apache22' on FreeBSD.
#####service_manage
Determines whether the HTTPD service state is managed by Puppet. Defaults to 'true'.
#####trace_enable
Controls how TRACE requests per RFC 2616 are handled. More information about TraceEnable. Defaults to 'On'.
#####vhost_dir
Changes the location of the configuration directory your virtual host configuration files are placed in. Defaults to '/etc/httpd/conf.d' on RedHat, '/etc/apache2/sites-available' on Debian, '/usr/local/etc/apache22/Vhosts' on FreeBSD, and '/etc/apache2/vhosts.d' on Gentoo.
#####apache_name
The name of the Apache package to install. This is automatically detected in `::apache::params`. You might need to override this if you are using a non-standard Apache package, such as those from Red Hat's software collections.
####Defined Type: apache::custom_config
Allows you to create custom configs for Apache. The configuration files are only added to the Apache confd dir if the file is valid. An error is raised during the Puppet run if the file is invalid and `$verify_config` is `true`.
```puppet
apache::custom_config { 'test':
  content => '# Test',
}
```
Parameters within `apache::custom_config`:
#####ensure
Specify whether the configuration file is present or absent. Defaults to 'present'. Valid values are 'present' and 'absent'.
#####confdir
The directory to place the configuration file in. Defaults to `$::apache::confd_dir`.
#####content
The content of the configuration file. Only one of `$content` and `$source` can be specified.
#####priority
The priority of the configuration file, used for ordering. Defaults to '25'.
Pass priority `false` to omit the priority prefix in file names.
#####source
The source of the configuration file. Only one of `$content` and `$source` can be specified.
#####verify_command
The command to use to verify the configuration file. It should use a fully qualified command. Defaults to '/usr/sbin/apachectl -t'. The `$verify_command` is only used if `$verify_config` is `true`. If the `$verify_command` fails, the configuration file is deleted, the Apache service is not notified, and an error is raised during the Puppet run.
#####verify_config
Boolean to specify whether the configuration file should be validated before the Apache service is notified. Defaults to `true`.
####Class: apache::default_mods
Installs default Apache modules based on what OS you are running.
```puppet
class { 'apache::default_mods': }
```
####Defined Type: apache::mod
Used to enable arbitrary Apache HTTPD modules for which there is no specific `apache::mod::[name]` class. The `apache::mod` defined type also installs the required packages to enable the module, if any.
```puppet
apache::mod { 'rewrite': }
apache::mod { 'ldap': }
```
####Classes: apache::mod::[name]
There are many `apache::mod::[name]` classes within this module that can be declared using `include`:
- `actions`
- `alias` (see `apache::mod::alias` below)
- `auth_basic`
- `auth_cas`* (see `apache::mod::auth_cas` below)
- `auth_kerb`
- `authn_file`
- `authnz_ldap`*
- `authz_default`
- `authz_user`
- `autoindex`
- `cache`
- `cgi`
- `cgid`
- `dav`
- `dav_fs`
- `dav_svn`*
- `deflate`
- `dev`
- `dir`*
- `disk_cache`
- `event` (see `apache::mod::event` below)
- `expires`
- `fastcgi`
- `fcgid`
- `filter`
- `headers`
- `include`
- `info`*
- `itk`
- `ldap`
- `mime`
- `mime_magic`*
- `negotiation`
- `nss`*
- `pagespeed` (see `apache::mod::pagespeed` below)
- `passenger`*
- `perl`
- `peruser`
- `php` (requires `mpm_module` set to `prefork`)
- `prefork`*
- `proxy`*
- `proxy_ajp`
- `proxy_balancer`
- `proxy_html`
- `proxy_http`
- `python`
- `reqtimeout`
- `rewrite`
- `rpaf`*
- `setenvif`
- `security`
- `shib`* (see `apache::mod::shib` below)
- `speling`
- `ssl`* (see `apache::mod::ssl` below)
- `status`* (see `apache::mod::status` below)
- `suphp`
- `userdir`*
- `vhost_alias`
- `worker`*
- `wsgi` (see `apache::mod::wsgi` below)
- `xsendfile`
Modules noted with a * indicate that the module has settings and, thus, a template that includes parameters. These parameters control the module's configuration. Most of the time, these parameters do not require any configuration or attention.
The modules mentioned above, and other Apache modules that have templates, cause template files to be dropped along with the mod install. The module will not work without the template. Any module without a template installs the package but drops no files.
####Class: apache::mod::alias
Installs and manages the alias module.
Full Documentation for alias is available from Apache.
To disable directory listing for the icons directory:
```puppet
class { 'apache::mod::alias':
  icons_options => 'None',
}
```
####Class: apache::mod::event
Installs and manages the mpm_event module.
Full Documentation for mpm_event is available from Apache.
To configure the event thread limit:
```puppet
class {'apache::mod::event':
  threadlimit => '128',
}
```
####Class: apache::mod::auth_cas
Installs and manages mod_auth_cas. The parameters `cas_login_url` and `cas_validate_url` are required.
Full documentation on mod_auth_cas is available from JASIG.
####Class: apache::mod::info
Installs and manages mod_info which provides a comprehensive overview of the server configuration.
Full documentation for mod_info is available from Apache.
These are the default settings:
```puppet
$allow_from      = ['127.0.0.1','::1'],
$apache_version  = $::apache::apache_version,
$restrict_access = true,
```
To set the addresses that are allowed to access /server-info add the following:
```puppet
class {'apache::mod::info':
  allow_from => [
    '10.10.36',
    '10.10.38',
    '127.0.0.1',
  ],
}
```
To disable the access restrictions add the following:
```puppet
class {'apache::mod::info':
  restrict_access => false,
}
```
It is not recommended to leave this set to false, though it can be very useful for testing. For this reason, you can insert this setting in your normal code to temporarily disable the restrictions like so:
```puppet
class {'apache::mod::info':
  restrict_access => false, # false disables the block below
  allow_from      => [
    '10.10.36',
    '10.10.38',
    '127.0.0.1',
  ],
}
```
####Class: apache::mod::pagespeed
Installs and manages mod_pagespeed, which is a Google module that rewrites web pages to reduce latency and bandwidth.
This module does not manage the software repositories needed to automatically install the mod-pagespeed-stable package. The module does however require that the package be installed, or be installable using the system's default package provider. You should ensure that this pre-requisite is met or declaring `apache::mod::pagespeed` causes the Puppet run to fail.
These are the defaults:
```puppet
class { 'apache::mod::pagespeed':
  inherit_vhost_config          => 'on',
  filter_xhtml                  => false,
  cache_path                    => '/var/cache/mod_pagespeed/',
  log_dir                       => '/var/log/pagespeed',
  memcache_servers              => [],
  rewrite_level                 => 'CoreFilters',
  disable_filters               => [],
  enable_filters                => [],
  forbid_filters                => [],
  rewrite_deadline_per_flush_ms => 10,
  additional_domains            => undef,
  file_cache_size_kb            => 102400,
  file_cache_clean_interval_ms  => 3600000,
  lru_cache_per_process         => 1024,
  lru_cache_byte_limit          => 16384,
  css_flatten_max_bytes         => 2048,
  css_inline_max_bytes          => 2048,
  css_image_inline_max_bytes    => 2048,
  image_inline_max_bytes        => 2048,
  js_inline_max_bytes           => 2048,
  css_outline_min_bytes         => 3000,
  js_outline_min_bytes          => 3000,
  inode_limit                   => 500000,
  image_max_rewrites_at_once    => 8,
  num_rewrite_threads           => 4,
  num_expensive_rewrite_threads => 4,
  collect_statistics            => 'on',
  statistics_logging            => 'on',
  allow_view_stats              => [],
  allow_pagespeed_console       => [],
  allow_pagespeed_message       => [],
  message_buffer_size           => 100000,
  additional_configuration      => { }
}
```
Full documentation for mod_pagespeed is available from Google.
####Class: apache::mod::php
Installs and configures mod_php. The defaults are OS-dependent.
Overriding the package name:
```puppet
class {'::apache::mod::php':
  package_name => "php54-php",
  path         => "${::apache::params::lib_path}/libphp54-php5.so",
}
```
Overriding the default configuration:
```puppet
class {'::apache::mod::php':
  source => 'puppet:///modules/apache/my_php.conf',
}
```
or
```puppet
class {'::apache::mod::php':
  template => 'apache/php.conf.erb',
}
```
or
```puppet
class {'::apache::mod::php':
  content => '
AddHandler php5-script .php
AddType text/html .php',
}
```
####Class: apache::mod::shib
Installs the Shibboleth module for Apache which allows the use of SAML2 Single-Sign-On (SSO) authentication by Shibboleth Identity Providers and Shibboleth Federations. This class only installs and configures the Apache components of a Shibboleth Service Provider (a web application that consumes Shibboleth SSO identities). The Shibboleth configuration can be managed manually, with Puppet, or using a Shibboleth Puppet Module.
Defining this class enables the Shibboleth specific parameters in `apache::vhost` instances.
####Class: apache::mod::ssl
Installs Apache SSL capabilities and uses the ssl.conf.erb template. These are the defaults:
```puppet
class { 'apache::mod::ssl':
  ssl_compression        => false,
  ssl_options            => [ 'StdEnvVars' ],
  ssl_cipher             => 'HIGH:MEDIUM:!aNULL:!MD5',
  ssl_protocol           => [ 'all', '-SSLv2', '-SSLv3' ],
  ssl_pass_phrase_dialog => 'builtin',
  ssl_random_seed_bytes  => '512',
}
```
To use SSL with a virtual host, you must either set the `default_ssl_vhost` parameter in `::apache` to 'true' or set the `ssl` parameter in `apache::vhost` to 'true'.
####Class: apache::mod::status
Installs Apache mod_status and uses the status.conf.erb template. These are the defaults:
```puppet
class { 'apache::mod::status':
  allow_from      => ['127.0.0.1','::1'],
  extended_status => 'On',
  status_path     => '/server-status',
}
```
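The `apache` class defaults documented above for `server_tokens` ('OS'), `server_signature` ('On') and `trace_enable` ('On'), together with the `apache::mod::ssl` and `apache::mod::status` defaults, are the settings usually tightened before production. The manifest below is an added example, not part of the module's own documentation; it uses only parameters documented on this page, and the host name, certificate paths and the protocol and cipher policy are assumptions.

```puppet
# Added example: a production-leaning baseline. Host name, file paths and
# the TLS policy are placeholders chosen for illustration.

class { 'apache':
  default_mods        => false,   # load only the modules declared below
  default_confd_files => false,   # skip the distribution's sample conf.d files
  default_vhost       => false,   # no catch-all vhost on port 80
  server_tokens       => 'Prod',  # module default 'OS' reveals version and OS
  server_signature    => 'Off',   # module default 'On' adds a footer to error pages
  trace_enable        => 'Off',   # module default 'On' answers TRACE requests
}

# Declared before any SSL vhost so these values are the ones in effect.
class { 'apache::mod::ssl':
  ssl_compression => false,
  # Assumption: the installed httpd and OpenSSL recognise TLSv1.1 and TLSv1.2
  # as protocol names; older builds reject the '-TLSv1.1' token.
  ssl_protocol    => [ 'all', '-SSLv2', '-SSLv3', '-TLSv1', '-TLSv1.1' ],
  # Assumption: forward-secret AES-GCM suites only, instead of HIGH:MEDIUM.
  ssl_cipher      => 'EECDH+AESGCM:EDH+AESGCM:!aNULL:!MD5',
}

# Keep /server-status reachable from the local host only and drop the
# per-request detail that extended status exposes.
class { 'apache::mod::status':
  allow_from      => ['127.0.0.1', '::1'],
  extended_status => 'Off',
  status_path     => '/server-status',
}

# An SSL vhost with its own certificate, replacing the distribution's
# self-signed default_ssl_cert and default_ssl_key.
apache::vhost { 'secure.example.com':
  port     => '443',
  docroot  => '/var/www/secure',
  ssl      => true,
  ssl_cert => '/etc/ssl/secure.example.com.cert',
  ssl_key  => '/etc/ssl/secure.example.com.key',
}
```

With `purge_configs` left at its default of 'true', applying this removes any Apache configuration not declared in Puppet, so stage it on a test node first.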
####Class: apache::mod::wsgi
Enables Python support in the WSGI module. To use, simply `include 'apache::mod::wsgi'`.
For customized parameters, which tell Apache how Python is currently configured on the operating system:
```puppet
class { 'apache::mod::wsgi':
  wsgi_socket_prefix => "\${APACHE_RUN_DIR}WSGI",
  wsgi_python_home   => '/path/to/venv',
  wsgi_python_path   => '/path/to/venv/site-packages',
}
```
To specify an alternate mod_wsgi package name to install and the name of the module .so it provides (e.g. a "python27-mod_wsgi" package that provides "python27-mod_wsgi.so" in the default module directory):
```puppet
class { 'apache::mod::wsgi':
  wsgi_socket_prefix => "\${APACHE_RUN_DIR}WSGI",
  wsgi_python_home   => '/path/to/venv',
  wsgi_python_path   => '/path/to/venv/site-packages',
  package_name       => 'python27-mod_wsgi',
  mod_path           => 'python27-mod_wsgi.so',
}
```
If `mod_path` does not contain "/", it will be prefixed by the default module path for your OS; otherwise, it will be used literally.
More information about WSGI.
####Class: apache::mod::fcgid
Installs and configures mod_fcgid.
The class makes no effort to list all available options, but rather uses an options hash to allow for ultimate flexibility:
```puppet
class { 'apache::mod::fcgid':
  options => {
    'FcgidIPCDir'  => '/var/run/fcgidsock',
    'SharememPath' => '/var/run/fcgid_shm',
    'AddHandler'   => 'fcgid-script .fcgi',
  },
}
```
For a full list of options, see the official mod_fcgid documentation.
It is also possible to set the FcgidWrapper per directory per vhost. You must ensure the fcgid module is loaded because there is no auto loading.
```puppet
include apache::mod::fcgid
apache::vhost { 'example.org':
  docroot     => '/var/www/html',
  directories => {
    path        => '/var/www/html',
    fcgiwrapper => {
      command => '/usr/local/bin/fcgiwrapper',
    }
  },
}
```
See FcgidWrapper documentation for more information.
####Class: apache::mod::negotiation
Installs and configures mod_negotiation. If no parameters are provided, the default Apache mod_negotiation configuration is applied.
```puppet
class { '::apache::mod::negotiation':
  force_language_priority => 'Prefer',
  language_priority       => [ 'es', 'en', 'ca', 'cs', 'da', 'de', 'el', 'eo' ],
}
```
Parameters within `apache::mod::negotiation`:
#####force_language_priority
A string that sets the `ForceLanguagePriority` option. Defaults to `Prefer Fallback`.
#####language_priority
An array of languages to set the `LanguagePriority` option of the module.
####Class: apache::mod::deflate
Installs and configures mod_deflate. If no parameters are provided, a default configuration is applied.
```puppet
class { '::apache::mod::deflate':
  types => [ 'text/html', 'text/css' ],
  notes => {
    'Input' => 'instream',
    'Ratio' => 'ratio',
  },
}
```
#####types
An array of mime types to be deflated.
#####notes
A hash where the key represents the type and the value represents the note name.
####Class: apache::mod::reqtimeout
Installs and configures mod_reqtimeout. Defaults to recommended apache mod_reqtimeout configuration.
```puppet
class { '::apache::mod::reqtimeout':
  timeouts => ['header=20-40,MinRate=500', 'body=20,MinRate=500'],
}
```
#####timeouts
A string or an array that sets the `RequestReadTimeout` option. Defaults to `['header=20-40,MinRate=500', 'body=20,MinRate=500']`.
####Class: apache::mod::version
This wrapper around mod_version warns on Debian and Ubuntu systems with Apache httpd 2.4 about loading mod_version, as on these platforms it's already built-in.
```puppet
include '::apache::mod::version'
```
####Class: apache::mod::security
Installs and configures mod_security. Defaults to enabled and running on all vhosts.
```puppet
include '::apache::mod::security'
```
#####crs_package
Name of the package to install that contains the CRS rules.
#####modsec_dir
Directory to install the modsec configuration and activated rules links into.
#####activated_rules
Array of rules from the modsec_crs_path to activate by symlinking to ${modsec_dir}/activated_rules.
#####allowed_methods
HTTP methods allowed by mod_security.
#####content_types
Content-types allowed by mod_security.
#####restricted_extensions
Extensions prohibited by mod_security.
#####restricted_headers
Headers restricted by mod_security.
####Defined Type: apache::vhost
The Apache module allows a lot of flexibility in the setup and configuration of virtual hosts. This flexibility is due, in part, to `vhost` being a defined resource type, which allows it to be evaluated multiple times with different parameters.
The `vhost` defined type allows you to have specialized configurations for virtual hosts that have requirements outside the defaults. You can set up a default vhost within the base `::apache` class, as well as set a customized vhost as default. Your customized vhost (priority 10) will be privileged over the base class vhost (15).
The `vhost` defined type uses `concat::fragment` to build the configuration file, so if you want to inject custom fragments for pieces of the configuration not supported by default by the defined type, you can add a custom fragment. For the `order` parameter for the custom fragment, the `vhost` defined type uses multiples of 10, so any order that isn't a multiple of 10 should work.
```puppet
apache::vhost { "example.com":
  docroot  => '/var/www/html',
  priority => '25',
}
concat::fragment { "example.com-my_custom_fragment":
  target  => '25-example.com.conf',
  order   => 11,
  content => '# my custom comment',
}
```
If you have a series of specific configurations and do not want a base `::apache` class default vhost, make sure to set the base class `default_vhost` to 'false'.
```puppet
class { 'apache':
  default_vhost => false,
}
```
Parameters within `apache::vhost`:
#####access_log
Specifies whether `*_access.log` directives (`*_file`, `*_pipe`, or `*_syslog`) should be configured. Setting the value to 'false' chooses none. Defaults to 'true'.
#####access_log_file
Sets the `*_access.log` filename that is placed in `$logroot`. Given a vhost, example.com, it defaults to 'example.com_ssl.log' for SSL vhosts and 'example.com_access.log' for non-SSL vhosts.
#####access_log_pipe
Specifies a pipe to send access log messages to. Defaults to 'undef'.
#####access_log_syslog
Sends all access log messages to syslog. Defaults to 'undef'.
#####access_log_format
Specifies the use of either a LogFormat nickname or a custom format string for the access log. Defaults to 'combined'. See these examples.
#####access_log_env_var
Specifies that only requests with particular environment variables be logged. Defaults to 'undef'.
#####add_default_charset
Sets AddDefaultCharset, a default value for the media charset, which is added to text/plain and text/html responses.
#####add_listen
Determines whether the vhost creates a Listen statement. The default value is 'true'.
Setting `add_listen` to 'false' stops the vhost from creating a Listen statement, and this is important when you combine vhosts that are not passed an `ip` parameter with vhosts that are passed the `ip` parameter.
#####use_optional_includes
Specifies whether Apache > 2.4 should use IncludeOptional instead of Include for `additional_includes`. Defaults to 'false'.
#####additional_includes
Specifies paths to additional static, vhost-specific Apache configuration files. Useful for implementing a unique, custom configuration not supported by this module. Can be an array. Defaults to '[]'.
#####aliases
Passes a list of hashes to the vhost to create Alias, AliasMatch, ScriptAlias or ScriptAliasMatch directives as per the mod_alias documentation. These hashes are formatted as follows:
```puppet
aliases => [
  { aliasmatch       => '^/image/(.*)\.jpg$',
    path             => '/files/jpg.images/$1.jpg',
  },
  { alias            => '/image',
    path             => '/ftp/pub/image',
  },
  { scriptaliasmatch => '^/cgi-bin(.*)',
    path             => '/usr/local/share/cgi-bin$1',
  },
  { scriptalias      => '/nagios/cgi-bin/',
    path             => '/usr/lib/nagios/cgi-bin/',
  },
  { alias            => '/nagios',
    path             => '/usr/share/nagios/html',
  },
],
```
For `alias`, `aliasmatch`, `scriptalias` and `scriptaliasmatch` to work, each needs a corresponding context, such as `<Directory /path/to/directory>` or `<Location /some/location/here>`. The directives are created in the order specified in the `aliases` parameter. As described in the `mod_alias` documentation, more specific `alias`, `aliasmatch`, `scriptalias` or `scriptaliasmatch` parameters should come before the more general ones to avoid shadowing.
Note: Using the `aliases` parameter is preferred over the `scriptaliases` parameter since here the order of the various alias directives among each other can be controlled precisely. Defining ScriptAliases using the `scriptaliases` parameter means all ScriptAlias directives will come after all Alias directives, which can lead to Alias directives shadowing ScriptAlias directives. This is often problematic, for example in the case of Nagios.
Note: If `apache::mod::passenger` is loaded and `PassengerHighPerformance => true` is set, then Alias might have issues honoring the `PassengerEnabled => off` statement. See this article for details.
#####allow_encoded_slashes
This sets the `AllowEncodedSlashes` declaration for the vhost, overriding the server default. This modifies the vhost responses to URLs with `\` and `/` characters. The default is undefined, which omits the declaration from the server configuration and selects the Apache default setting of `Off`. Allowed values are: `on`, `off` or `nodecode`.
#####block
Specifies the list of things Apache blocks access to. The default is an empty set, '[]'. Currently, the only option is 'scm', which blocks web access to .svn, .git and .bzr directories.
#####custom_fragment
Passes a string of custom configuration directives to be placed at the end of the vhost configuration. Defaults to 'undef'.
#####default_vhost
Sets a given `apache::vhost` as the default to serve requests that do not match any other `apache::vhost` definitions. The default value is 'false'.
#####directories
See the `directories` section.
#####directoryindex
Sets the list of resources to look for when a client requests an index of the directory by specifying a '/' at the end of the directory name. DirectoryIndex has more information. Defaults to 'undef'.
#####docroot
Provides the DocumentRoot directive, which identifies the directory Apache serves files from. Required.
#####docroot_group
Sets group access to the docroot directory. Defaults to 'root'.
#####docroot_owner
Sets individual user access to the docroot directory. Defaults to 'root'.
#####docroot_mode
Sets access permissions of the docroot directory. Defaults to 'undef'.
#####manage_docroot
Whether to manage the docroot directory at all. Defaults to 'true'.
#####error_log
Specifies whether `*_error.log` directives should be configured. Defaults to 'true'.
#####error_log_file
Points to the `*_error.log` file. Given a vhost, example.com, it defaults to 'example.com_ssl_error.log' for SSL vhosts and 'example.com_access_error.log' for non-SSL vhosts.
#####error_log_pipe
Specifies a pipe to send error log messages to. Defaults to 'undef'.
#####error_log_syslog
Sends all error log messages to syslog. Defaults to 'undef'.
#####error_documents
A list of hashes which can be used to override the ErrorDocument settings for this vhost. Defaults to '[]'. Example:
```puppet
apache::vhost { 'sample.example.net':
  error_documents => [
    { 'error_code' => '503', 'document' => '/service-unavail' },
    { 'error_code' => '407', 'document' => 'https://example.com/proxy/login' },
  ],
}
```
#####ensure
Specifies if the vhost file is present or absent. Defaults to 'present'.
#####fallbackresource
Sets the FallbackResource directive, which specifies an action to take for any URL that doesn't map to anything in your filesystem and would otherwise return 'HTTP 404 (Not Found)'. Valid values must either begin with a / or be 'disabled'. Defaults to 'undef'.
#####headers
Adds lines to replace, merge, or remove response headers. See Header for more information. Can be an array. Defaults to 'undef'.
#####ip
Sets the IP address the vhost listens on. Defaults to listen on all IPs.
#####ip_based
Enables an IP-based vhost. This parameter inhibits the creation of a NameVirtualHost directive, since those are used to funnel requests to name-based vhosts. Defaults to 'false'.
#####itk
Configures ITK in a hash. Keys can be:
- user + group
- `assignuseridexpr`
- `assigngroupidexpr`
- `maxclientvhost`
- `nice`
- `limituidrange` (Linux 3.5.0 or newer)
- `limitgidrange` (Linux 3.5.0 or newer)
Usage typically looks like:
```puppet
apache::vhost { 'sample.example.net':
  docroot => '/path/to/directory',
  itk     => {
    user  => 'someuser',
    group => 'somegroup',
  },
}
```
#####logroot
Specifies the location of the virtual host's logfiles. Defaults to '/var/log//'.
#####logroot_ensure
Determines whether or not to remove the logroot directory for a virtual host. Valid values are 'directory' or 'absent'.
#####logroot_mode
Overrides the mode the logroot directory is set to. Defaults to undef. Do NOT give people write access to the directory the logs are stored in without being aware of the consequences; see http://httpd.apache.org/docs/2.4/logs.html#security for details.
#####log_level
Specifies the verbosity of the error log. Defaults to 'warn' for the global server configuration and can be overridden on a per-vhost basis. Valid values are 'emerg', 'alert', 'crit', 'error', 'warn', 'notice', 'info' or 'debug'.
#####modsec_body_limit
Configures the maximum request body size (in bytes) ModSecurity will accept for buffering.
#####modsec_disable_vhost
Boolean. Used to disable mod_security on an individual vhost. Only valid if `apache::mod::security` is included.
#####modsec_disable_ids
Array of mod_security IDs to remove from the vhost. Also takes a hash allowing removal of an ID from a specific location.
```puppet
apache::vhost { 'sample.example.net':
  modsec_disable_ids => [ 90015, 90016 ],
}
```
```puppet
apache::vhost { 'sample.example.net':
  modsec_disable_ids => { '/location1' => [ 90015, 90016 ] },
}
```
#####modsec_disable_ips
Array of IPs to exclude from mod_security rule matching.
#####no_proxy_uris
Specifies URLs you do not want to proxy. This parameter is meant to be used in combination with `proxy_dest`.
#####no_proxy_uris_match
This directive is equivalent to `no_proxy_uris`, but takes regular expressions.
#####proxy_preserve_host
Sets the ProxyPreserveHost directive. 'true' enables the Host: line from an incoming request to be proxied to the host instead of the hostname. 'false' sets this option to off (default).
#####proxy_error_override
Sets the ProxyErrorOverride directive. This directive controls whether Apache should override error pages for proxied content. This option is off by default.
#####options
Sets the Options for the specified virtual host. Defaults to '['Indexes','FollowSymLinks','MultiViews']', as demonstrated below:
```puppet
apache::vhost { 'site.name.fdqn':
  …
  options => ['Indexes','FollowSymLinks','MultiViews'],
}
```
Note: If you use `directories`, 'Options', 'Override', and 'DirectoryIndex' are ignored because they are parameters within `directories`.
#####override
Sets the overrides for the specified virtual host. Accepts an array of AllowOverride arguments. Defaults to '[none]'.
#####passenger_app_root
Sets PassengerRoot, the location of the Passenger application root if different from the DocumentRoot.
#####passenger_app_env
Sets PassengerAppEnv, the environment for the Passenger application. If not specified, defaults to the global setting or 'production'.
#####passenger_ruby
Sets PassengerRuby on this virtual host, the Ruby interpreter to use for the application.
#####passenger_min_instances
Sets PassengerMinInstances, the minimum number of application processes to run.
#####passenger_start_timeout
Sets PassengerStartTimeout, the timeout for the application startup.
#####passenger_pre_start
Sets PassengerPreStart, the URL of the application if pre-starting is required.
#####php_flags & values
Allows per-vhost setting `php_value`s or `php_flag`s. These flags or values can be overwritten by a user or an application. Defaults to '[]'.
#####php_admin_flags & values
Allows per-vhost setting `php_admin_value`s or `php_admin_flag`s. These flags or values cannot be overwritten by a user or an application. Defaults to '[]'.
#####port
Sets the port the host is configured on. The module's defaults ensure the host listens on port 80 for non-SSL vhosts and port 443 for SSL vhosts. The host only listens on the port set in this parameter.
#####priority
Sets the relative load-order for Apache HTTPD VirtualHost configuration files. Defaults to '25'.
If nothing matches the priority, the first name-based vhost is used. Likewise, passing a higher priority causes the alphabetically first name-based vhost to be used if no other names match.
Note: You should not need to use this parameter. However, if you do use it, be aware that the `default_vhost` parameter for `apache::vhost` passes a priority of '15'.
Pass priority `false` to omit the priority prefix in file names.
#####proxy_dest
Specifies the destination address of a ProxyPass configuration. Defaults to 'undef'.
#####proxy_pass
Specifies an array of `path => URI` for a ProxyPass configuration. Defaults to 'undef'. Optionally, parameters can be added as an array.
```puppet
apache::vhost { 'site.name.fdqn':
  …
  proxy_pass => [
    { 'path' => '/a', 'url' => 'http://backend-a/' },
    { 'path' => '/b', 'url' => 'http://backend-b/' },
    { 'path' => '/c', 'url' => 'http://backend-a/c', 'params' => {'max'=>20, 'ttl'=>120, 'retry'=>300}},
    { 'path' => '/l', 'url' => 'http://backend-xy',
      'reverse_urls' => ['http://backend-x', 'http://backend-y'] },
    { 'path' => '/d', 'url' => 'http://backend-a/d',
      'params' => { 'retry' => '0', 'timeout' => '5' }, },
    { 'path' => '/e', 'url' => 'http://backend-a/e',
      'keywords' => ['nocanon', 'interpolate'] },
    { 'path' => '/f', 'url' => 'http://backend-f/',
      'setenv' => ['proxy-nokeepalive 1','force-proxy-request-1.0 1']},
  ],
}
```
`reverse_urls` is optional and can be an array or a string. It is useful when used with `mod_proxy_balancer`.
`params` is an optional parameter. It allows you to provide the ProxyPass key=value parameters (Connection settings).
`setenv` is optional and is an array to set environment variables for the proxy directive. For details, see http://httpd.apache.org/docs/current/mod/mod_proxy.html#envsettings
#####proxy_dest_match
This directive is equivalent to proxy_dest, but takes regular expressions, see ProxyPassMatch for details.
#####proxy_dest_reverse_match
Allows you to pass a ProxyPassReverse if `proxy_dest_match` is specified. See ProxyPassReverse for details.
#####proxy_pass_match
This directive is equivalent to proxy_pass, but takes regular expressions, see ProxyPassMatch for details.
#####rack_base_uris
Specifies the resource identifiers for a rack configuration. The file paths specified are listed as rack application roots for Phusion Passenger in the _rack.erb template. Defaults to 'undef'.
#####redirect_dest
Specifies the address to redirect to. Defaults to 'undef'.
#####redirect_source
Specifies the source URIs that redirect to the destination specified in `redirect_dest`. If more than one item for redirect is supplied, the source and destination must be the same length, and the items are order-dependent.
```puppet
apache::vhost { 'site.name.fdqn':
  …
  redirect_source => ['/images','/downloads'],
  redirect_dest   => ['http://img.example.com/','http://downloads.example.com/'],
}
```
#####redirect_status
Specifies the status to append to the redirect. Defaults to 'undef'.
```puppet
apache::vhost { 'site.name.fdqn':
  …
  redirect_status => ['temp','permanent'],
}
```
#####redirectmatch_regexp & redirectmatch_status & redirectmatch_dest
Determines which server status should be raised for a given regular expression and where to forward the user to. Entered as arrays. Defaults to 'undef'.
```puppet
apache::vhost { 'site.name.fdqn':
  …
  redirectmatch_status => ['404','404'],
  redirectmatch_regexp => ['\.git(/.*|$)/','\.svn(/.*|$)'],
  redirectmatch_dest   => ['http://www.example.com/1','http://www.example.com/2'],
}
```
#####request_headers
Modifies collected request headers in various ways, including adding additional request headers, removing request headers, etc. Defaults to 'undef'.
```puppet
apache::vhost { 'site.name.fdqn':
  …
  request_headers => [
    'append MirrorID "mirror 12"',
    'unset MirrorID',
  ],
}
```
#####rewrites
Creates URL rewrite rules. Expects an array of hashes, and the hash keys can be any of 'comment', 'rewrite_base', 'rewrite_cond', 'rewrite_rule' or 'rewrite_map'. Defaults to 'undef'.
For example, you can specify that anyone trying to access index.html is served welcome.html:
```puppet
apache::vhost { 'site.name.fdqn':
  …
  rewrites => [ { rewrite_rule => ['^index\.html$ welcome.html'] } ]
}
```
The parameter allows rewrite conditions that, when true, execute the associated rule. For instance, if you wanted to rewrite URLs only if the visitor is using IE:
```puppet
apache::vhost { 'site.name.fdqn':
  …
  rewrites => [
    {
      comment      => 'redirect IE',
      rewrite_cond => ['%{HTTP_USER_AGENT} ^MSIE'],
      rewrite_rule => ['^index\.html$ welcome.html'],
    },
  ],
}
```
You can also apply multiple conditions. For instance, rewrite index.html to welcome.html only when the browser is Lynx or Mozilla (version 1 or 2):
```puppet
apache::vhost { 'site.name.fdqn':
  …
  rewrites => [
    {
      comment      => 'Lynx or Mozilla v1/2',
      rewrite_cond => ['%{HTTP_USER_AGENT} ^Lynx/ [OR]', '%{HTTP_USER_AGENT} ^Mozilla/[12]'],
      rewrite_rule => ['^index\.html$ welcome.html'],
    },
  ],
}
```
Multiple rewrites and conditions are also possible:
```puppet
apache::vhost { 'site.name.fdqn':
  …
  rewrites => [
    {
      comment      => 'Lynx or Mozilla v1/2',
      rewrite_cond => ['%{HTTP_USER_AGENT} ^Lynx/ [OR]', '%{HTTP_USER_AGENT} ^Mozilla/[12]'],
      rewrite_rule => ['^index\.html$ welcome.html'],
    },
    {
      comment      => 'Internet Explorer',
      rewrite_cond => ['%{HTTP_USER_AGENT} ^MSIE'],
      rewrite_rule => ['^index\.html$ /index.IE.html [L]'],
    },
    {
      # rewrite_base must be a quoted string
      rewrite_base => '/apps/',
      rewrite_rule => ['^index\.cgi$ index.php', '^index\.html$ index.php', '^index\.asp$ index.html'],
    },
    { comment      => 'Rewrite to lower case',
      rewrite_cond => ['%{REQUEST_URI} [A-Z]'],
      rewrite_map  => ['lc int:tolower'],
      rewrite_rule => ['(.*) ${lc:$1} [R=301,L]'],
    },
  ],
}
```
Refer to the `mod_rewrite` documentation for more details on what is possible with rewrite rules and conditions.
#####scriptalias
Defines a directory of CGI scripts to be aliased to the path '/cgi-bin', for example: '/usr/scripts'. Defaults to 'undef'.
#####scriptaliases
Note: This parameter is deprecated in favour of the `aliases` parameter.
Passes an array of hashes to the vhost to create either ScriptAlias or ScriptAliasMatch statements as per the `mod_alias` documentation. These hashes are formatted as follows:
```puppet
scriptaliases => [
  {
    alias => '/myscript',
    path  => '/usr/share/myscript',
  },
  {
    aliasmatch => '^/foo(.*)',
    path       => '/usr/share/fooscripts$1',
  },
  {
    aliasmatch => '^/bar/(.*)',
    path       => '/usr/share/bar/wrapper.sh/$1',
  },
  {
    alias => '/neatscript',
    path  => '/usr/share/neatscript',
  },
]
```
The ScriptAlias and ScriptAliasMatch directives are created in the order specified. As with Alias and AliasMatch directives, more specific aliases should come before more general ones to avoid shadowing.
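The ordering rules stated for the `aliases` parameter and for `scriptaliases` (all ScriptAlias directives land after all Alias directives) can be checked on the data before a catalog is applied. The Ruby code below is an added example, not part of the puppetlabs-apache module: the function names (`normalise`, `effective_order`, `prefix_covers?`, `shadowed`) are hypothetical, the sample hashes are constructed from the README's own values, and `*Match` patterns are evaluated with Ruby's regex engine as an approximation of Apache's PCRE.

```ruby
# Added example: not part of the puppetlabs-apache module.
# Hash keys are strings, as Puppet hands hashes to Ruby code.

ALIAS_KEYS = %w[alias aliasmatch scriptalias scriptaliasmatch].freeze

# Turn one entry of `aliases` (or `scriptaliases`) into
# { kind:, regex:, url: }. In `scriptaliases`, the keys 'alias' and
# 'aliasmatch' stand for ScriptAlias and ScriptAliasMatch.
def normalise(entry, from_scriptaliases = false)
  key = ALIAS_KEYS.find { |k| entry.key?(k) }
  raise ArgumentError, "no alias key in #{entry.inspect}" unless key
  kind = from_scriptaliases && !key.start_with?('script') ? "script#{key}" : key
  { kind: kind, regex: key.end_with?('match'), url: entry[key] }
end

# Order in which the directives reach the vhost file: everything from
# `aliases` in the order given, then everything from `scriptaliases`.
def effective_order(aliases, scriptaliases = [])
  aliases.map { |e| normalise(e) } +
    scriptaliases.map { |e| normalise(e, true) }
end

# mod_alias prefix match: the URL must start with the alias, and the alias
# must end on a path-segment boundary ('/image' matches '/image/a.png'
# but not '/images').
def prefix_covers?(prefix, url)
  return false unless url.start_with?(prefix)
  rest = url[prefix.length..-1]
  prefix.end_with?('/') || rest.empty? || rest.start_with?('/')
end

# Returns [shadowed_kind, shadowed_url, by_kind, by_url] for every
# non-regex directive whose URL path is already claimed by an earlier one.
# Later *Match directives are not analysed; earlier *Match patterns are
# tested against the later directive's URL path.
def shadowed(aliases, scriptaliases = [])
  order = effective_order(aliases, scriptaliases)
  findings = []
  order.each_with_index do |later, j|
    next if later[:regex]
    order.first(j).each do |earlier|
      hit = if earlier[:regex]
              !(Regexp.new(earlier[:url]) =~ later[:url]).nil?
            else
              prefix_covers?(earlier[:url], later[:url])
            end
      findings << [later[:kind], later[:url], earlier[:kind], earlier[:url]] if hit
    end
  end
  findings
end

# Constructed sample input: the `aliases` value shown in the README.
README_ALIASES = [
  { 'aliasmatch'       => '^/image/(.*)\.jpg$', 'path' => '/files/jpg.images/$1.jpg' },
  { 'alias'            => '/image',             'path' => '/ftp/pub/image' },
  { 'scriptaliasmatch' => '^/cgi-bin(.*)',      'path' => '/usr/local/share/cgi-bin$1' },
  { 'scriptalias'      => '/nagios/cgi-bin/',   'path' => '/usr/lib/nagios/cgi-bin/' },
  { 'alias'            => '/nagios',            'path' => '/usr/share/nagios/html' }
].freeze

# Constructed sample input: the Nagios case from the note, with the Alias in
# `aliases` and the CGI directory in the deprecated `scriptaliases`.
NAGIOS_ALIASES = [
  { 'alias' => '/nagios', 'path' => '/usr/share/nagios/html' }
].freeze
NAGIOS_SCRIPTALIASES = [
  { 'alias' => '/nagios/cgi-bin/', 'path' => '/usr/lib/nagios/cgi-bin/' }
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "README order: #{shadowed(README_ALIASES).length} finding(s)"
  shadowed(NAGIOS_ALIASES, NAGIOS_SCRIPTALIASES).each do |kind, url, by_kind, by_url|
    puts "#{kind} #{url} is shadowed by earlier #{by_kind} #{by_url}"
  end
end
```

A finding for a ScriptAlias means its CGI directory would be served through the earlier Alias as plain files, so the fix is to move both entries into `aliases` with the more specific one first.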
#####serveradmin
Specifies the email address Apache displays when it renders one of its error pages. Defaults to 'undef'.
#####serveraliases
Sets the ServerAliases of the site. Defaults to '[]'.
#####servername
Sets the servername corresponding to the hostname you connect to the virtual host at. Defaults to the title of the resource.
#####setenv
Used by HTTPD to set environment variables for vhosts. Defaults to '[]'.
Example:
```puppet
apache::vhost { 'setenv.example.com':
  setenv => ['SPECIAL_PATH /foo/bin'],
}
```
#####setenvif
Used by HTTPD to conditionally set environment variables for vhosts. Defaults to '[]'.
#####suphp_addhandler, suphp_configpath, & suphp_engine
Set up a virtual host with suPHP.
`suphp_addhandler` defaults to 'php5-script' on RedHat and FreeBSD, and 'x-httpd-php' on Debian and Gentoo.
`suphp_configpath` defaults to 'undef' on RedHat and FreeBSD, and '/etc/php5/apache2' on Debian and Gentoo.
`suphp_engine` allows values 'on' or 'off'. Defaults to 'off'.
To set up a virtual host with suPHP:
```puppet
apache::vhost { 'suphp.example.com':
  port             => '80',
  docroot          => '/home/appuser/myphpapp',
  suphp_addhandler => 'x-httpd-php',
  suphp_engine     => 'on',
  suphp_configpath => '/etc/php5/apache2',
  directories      => { path => '/home/appuser/myphpapp',
    'suphp'        => { user => 'myappuser', group => 'myappgroup' },
  }
}
```
#####vhost_name
Enables name-based virtual hosting. If no IP is passed to the virtual host, but the vhost is assigned a port, then the vhost name is 'vhost_name:port'. If the virtual host has no assigned IP or port, the vhost name is set to the title of the resource. Defaults to '*'.
#####virtual_docroot
Sets up a virtual host with a wildcard alias subdomain mapped to a directory with the same name. For example, 'http://example.com' would map to '/var/www/example.com'. Defaults to 'false'.
```puppet
apache::vhost { 'subdomain.loc':
  vhost_name      => '*',
  port            => '80',
  virtual_docroot => '/var/www/%-2+',
  docroot         => '/var/www',
  serveraliases   => ['*.loc',],
}
```
#####wsgi_daemon_process, wsgi_daemon_process_options, wsgi_process_group, wsgi_script_aliases, & wsgi_pass_authorization
Set up a virtual host with WSGI.
`wsgi_daemon_process` sets the name of the WSGI daemon. It is a hash, accepting these keys, and it defaults to 'undef'.
`wsgi_daemon_process_options` is optional and defaults to 'undef'.
`wsgi_process_group` sets the group ID the virtual host runs under. Defaults to 'undef'.
`wsgi_script_aliases` requires a hash of web paths to filesystem .wsgi paths. Defaults to 'undef'.
`wsgi_pass_authorization`: the WSGI application handles authorisation instead of Apache when set to 'On'. For more information see [here](http://modwsgi.readthedocs.org/en/latest/configuration-directives/WSGIPassAuthorization.html). Defaults to 'undef', in which case Apache applies its own default of 'Off'.
`wsgi_chunked_request` enables support for chunked requests. Defaults to 'undef'.
To set up a virtual host with WSGI:
```puppet
apache::vhost { 'wsgi.example.com':
  port                        => '80',
  docroot                     => '/var/www/pythonapp',
  wsgi_daemon_process         => 'wsgi',
  wsgi_daemon_process_options =>
    { processes      => '2',
      threads        => '15',
      # hyphenated key must be quoted
      'display-name' => '%{GROUP}',
    },
  wsgi_process_group          => 'wsgi',
  wsgi_script_aliases         => { '/' => '/var/www/demo.wsgi' },
  wsgi_chunked_request        => 'On',
}
```
####Parameter directories for apache::vhost
The `directories` parameter within the `apache::vhost` class passes an array of hashes to the vhost to create Directory, File, and Location directive blocks. These blocks take the form, '<Directory /path/to/directory>...</Directory>'.
The `path` key sets the path for the directory, files, and location blocks. Its value must be a path for the 'directory', 'files', and 'location' providers, or a regex for the 'directorymatch', 'filesmatch', or 'locationmatch' providers. Each hash passed to `directories` must contain `path` as one of the keys.
The `provider` key is optional. If missing, this key defaults to 'directory'. Valid values for `provider` are 'directory', 'files', 'location', 'directorymatch', 'filesmatch', or 'locationmatch'. If you set `provider` to 'directorymatch', it uses the keyword 'DirectoryMatch' in the Apache config file.
General `directories` usage looks something like:
```puppet
apache::vhost { 'files.example.net':
  docroot     => '/var/www/files',
  directories => [
    { 'path'     => '/var/www/files',
      'provider' => 'files',
      'deny'     => 'from all'
    },
  ],
}
```
Note: At least one directory should match the `docroot` parameter. After you start declaring directories, `apache::vhost` assumes that all required Directory blocks will be declared. If not defined, a single default Directory block is created that matches the `docroot` parameter.
Available handlers, represented as keys, should be placed within the `directory`, `files`, or `location` hashes. This looks like:
```puppet
apache::vhost { 'sample.example.net':
  docroot     => '/path/to/directory',
  directories => [ { path => '/path/to/directory', handler => value } ],
}
```
Any handlers you do not set in these hashes are considered 'undefined' within Puppet and are not added to the virtual host, resulting in the module using their default values. Supported handlers are:
######addhandlers
Sets AddHandler directives, which map filename extensions to the specified handler. Accepts a list of hashes, with `extensions` serving to list the extensions being managed by the handler, and takes the form: `{ handler => 'handler-name', extensions => ['extension']}`.
```puppet
apache::vhost { 'sample.example.net':
  docroot     => '/path/to/directory',
  directories => [
    { path        => '/path/to/directory',
      addhandlers => [{ handler => 'cgi-script', extensions => ['.cgi']}],
    },
  ],
}
```
######allow
Sets an Allow directive, which groups authorizations based on hostnames or IPs. Deprecated: This parameter is being deprecated due to a change in Apache. It only works with Apache 2.2 and lower. You can use it as a single string for one rule or as an array for more than one.
```puppet
apache::vhost { 'sample.example.net':
  docroot     => '/path/to/directory',
  directories => [
    { path  => '/path/to/directory',
      allow => 'from example.org',
    },
  ],
}
```
######allow_override
Sets the types of directives allowed in .htaccess files. Accepts an array.
```puppet
apache::vhost { 'sample.example.net':
  docroot     => '/path/to/directory',
  directories => [
    { path           => '/path/to/directory',
      allow_override => ['AuthConfig', 'Indexes'],
    },
  ],
}
```
######auth_basic_authoritative
Sets the value for AuthBasicAuthoritative, which determines whether authorization and authentication are passed to lower level Apache modules.
######auth_basic_fake
Sets the value for AuthBasicFake, which statically configures authorization credentials for a given directive block.
######auth_basic_provider
Sets the value for [AuthBasicProvider](http://httpd.apache.org/docs/current/mod/mod_auth_basic.html#authbasicprovider), which sets the authentication provider for a given location.
######auth_digest_algorithm
Sets the value for AuthDigestAlgorithm, which selects the algorithm used to calculate the challenge and response hashes.
######auth_digest_domain
Sets the value for AuthDigestDomain, which allows you to specify one or more URIs in the same protection space for digest authentication.
######auth_digest_nonce_lifetime
Sets the value for AuthDigestNonceLifetime, which controls how long the server nonce is valid.
######auth_digest_provider
Sets the value for AuthDigestProvider, which sets the authentication provider for a given location.
######auth_digest_qop
Sets the value for AuthDigestQop, which determines the quality-of-protection to use in digest authentication.
######auth_digest_shmem_size
Sets the value for AuthDigestShmemSize, which defines the amount of shared memory allocated to the server for keeping track of clients.
######auth_group_file
Sets the value for AuthGroupFile, which sets the name of the text file containing the list of user groups for authorization.
######auth_name
Sets the value for AuthName, which sets the name of the authorization realm.
######auth_require
Sets the entity name you're requiring to allow access. Read more about Require.
######auth_type
Sets the value for AuthType, which guides the type of user authentication.
######auth_user_file
Sets the value for AuthUserFile, which sets the name of the text file containing the users/passwords for authentication.
######custom_fragment
Pass a string of custom configuration directives to be placed at the end of the directory configuration.
```puppet
apache::vhost { 'monitor':
  …
  directories => [
    {
      path            => '/path/to/directory',
      custom_fragment => '
  <Location /balancer-manager>
    SetHandler balancer-manager
    Order allow,deny
    Allow from all
  </Location>
  <Location /server-status>
    SetHandler server-status
    Order allow,deny
    Allow from all
  </Location>
  ProxyStatus On',
    },
  ]
}
```
######deny
Sets a Deny directive, specifying which hosts are denied access to the server. Deprecated: This parameter is being deprecated due to a change in Apache. It only works with Apache 2.2 and lower. You can use it as a single string for one rule or as an array for more than one.
```puppet
apache::vhost { 'sample.example.net':
  docroot     => '/path/to/directory',
  directories => [
    { path => '/path/to/directory',
      deny => 'from example.org',
    },
  ],
}
```
######error_documents
An array of hashes used to override the ErrorDocument settings for the directory.
```puppet
apache::vhost { 'sample.example.net':
  directories => [
    { path            => '/srv/www',
      error_documents => [
        { 'error_code' => '503',
          'document'   => '/service-unavail',
        },
      ],
    },
  ],
}
```
######headers
Adds lines for Header directives.
```puppet
apache::vhost { 'sample.example.net':
  docroot     => '/path/to/directory',
  directories => {
    path    => '/path/to/directory',
    headers => 'Set X-Robots-Tag "noindex, noarchive, nosnippet"',
  },
}
```
######index_options
Allows configuration settings for directory indexing.
```puppet
apache::vhost { 'sample.example.net':
  docroot     => '/path/to/directory',
  directories => [
    { path          => '/path/to/directory',
      options       => ['Indexes','FollowSymLinks','MultiViews'],
      index_options => ['IgnoreCase', 'FancyIndexing', 'FoldersFirst', 'NameWidth=*', 'DescriptionWidth=*', 'SuppressHTMLPreamble'],
    },
  ],
}
```
######index_order_default
Sets the default ordering of the directory index.
```puppet
apache::vhost { 'sample.example.net':
  docroot     => '/path/to/directory',
  directories => [
    { path                => '/path/to/directory',
      order               => 'Allow,Deny',
      index_order_default => ['Descending', 'Date'],
    },
  ],
}
```
######options
Lists the Options for the given Directory block.
```puppet
apache::vhost { 'sample.example.net':
  docroot     => '/path/to/directory',
  directories => [
    { path    => '/path/to/directory',
      options => ['Indexes','FollowSymLinks','MultiViews'],
    },
  ],
}
```
######order
Sets the order of processing Allow and Deny statements as per Apache core documentation. Deprecated: This parameter is being deprecated due to a change in Apache. It only works with Apache 2.2 and lower.
```puppet
apache::vhost { 'sample.example.net':
  docroot     => '/path/to/directory',
  directories => [
    { path  => '/path/to/directory',
      order => 'Allow,Deny',
    },
  ],
}
```
######passenger_enabled
Sets the value for the PassengerEnabled directive to 'on' or 'off'. Requires `apache::mod::passenger` to be included.
```puppet
apache::vhost { 'sample.example.net':
  docroot     => '/path/to/directory',
  directories => [
    { path              => '/path/to/directory',
      passenger_enabled => 'on',
    },
  ],
}
```
Note: Be aware that there is an issue using the PassengerEnabled directive with the PassengerHighPerformance directive.
######php_value and php_flag
`php_value` sets the value of the directory, and `php_flag` uses a boolean to configure the directory. Further information can be found here.
######php_admin_value and php_admin_flag
`php_admin_value` sets the value of the directory, and `php_admin_flag` uses a boolean to configure the directory. Further information can be found here.
######satisfy
Sets a `Satisfy` directive as per the Apache Core documentation. Deprecated: This parameter is being deprecated due to a change in Apache. It only works with Apache 2.2 and lower.
```puppet
apache::vhost { 'sample.example.net':
  docroot     => '/path/to/directory',
  directories => [
    { path    => '/path/to/directory',
      satisfy => 'Any',
    }
  ],
}
```
######sethandler
Sets a `SetHandler` directive as per the Apache Core documentation. An example:
```puppet
apache::vhost { 'sample.example.net':
  docroot     => '/path/to/directory',
  directories => [
    { path       => '/path/to/directory',
      sethandler => 'None',
    }
  ],
}
```
######rewrites
Creates URL `rewrites` rules in vhost directories. Expects an array of hashes, and the hash keys can be any of 'comment', 'rewrite_base', 'rewrite_cond', or 'rewrite_rule'.
```puppet
apache::vhost { 'secure.example.net':
  docroot     => '/path/to/directory',
  directories => [
    { path     => '/path/to/directory',
      rewrites => [ { comment      => 'Permalink Rewrites',
                      rewrite_base => '/'
                    },
                    { rewrite_rule => [ '^index\.php$ - [L]' ]
                    },
                    { rewrite_cond => [ '%{REQUEST_FILENAME} !-f',
                                        '%{REQUEST_FILENAME} !-d',
                                      ],
                      rewrite_rule => [ '. /index.php [L]' ],
                    }
                  ],
    },
  ],
}
```
Note: If you include rewrites in your directories, make sure you are also including `apache::mod::rewrite`. You may also want to consider setting the rewrites using the `rewrites` parameter in `apache::vhost` rather than setting the rewrites in the vhost directories.
######shib_request_setting
Allows a valid content setting to be set or altered for the application request. This command takes two parameters, the name of the content setting, and the value to set it to. Check the Shibboleth content setting documentation for valid settings. This key is disabled if `apache::mod::shib` is not defined. Check the `mod_shib` documentation for more details.
```puppet
apache::vhost { 'secure.example.net':
  docroot     => '/path/to/directory',
  directories => [
    { path                 => '/path/to/directory',
      shib_require_setting => 'requiresession 1',
      shib_use_headers     => 'On',
    },
  ],
}
```
######shib_use_headers
When set to 'On' this turns on the use of request headers to publish attributes to applications. Valid values for this key are 'On' or 'Off', and the default value is 'Off'. This key is disabled if `apache::mod::shib` is not defined. Check the `mod_shib` documentation for more details.
######ssl_options
String or list of SSLOptions, which configure SSL engine run-time options. This handler takes precedence over SSLOptions set in the parent block of the vhost.
```puppet
apache::vhost { 'secure.example.net':
  docroot     => '/path/to/directory',
  directories => [
    { path        => '/path/to/directory',
      ssl_options => '+ExportCertData',
    },
    { path        => '/path/to/different/dir',
      ssl_options => [ '-StdEnvVars', '+ExportCertData'],
    },
  ],
}
```
######suphp
A hash containing the 'user' and 'group' keys for the suPHP_UserGroup setting. It must be used with `suphp_engine => on` in the vhost declaration, and can only be passed within `directories`.
```puppet
apache::vhost { 'secure.example.net':
  docroot     => '/path/to/directory',
  directories => [
    { path  => '/path/to/directory',
      suphp =>
        { user  => 'myappuser',
          group => 'myappgroup',
        },
    },
  ],
}
```
####SSL parameters for apache::vhost
All of the SSL parameters for `::vhost` default to whatever is set in the base `apache` class. Use the below parameters to tweak individual SSL settings for specific vhosts.
#####ssl
Enables SSL for the virtual host. SSL vhosts only respond to HTTPS queries. Valid values are 'true' or 'false'. Defaults to 'false'.
#####ssl_ca
Specifies the SSL certificate authority. Defaults to 'undef'.
#####ssl_cert
Specifies the SSL certificate. Defaults are based on your OS: '/etc/pki/tls/certs/localhost.crt' for RedHat, '/etc/ssl/certs/ssl-cert-snakeoil.pem' for Debian, '/usr/local/etc/apache22/server.crt' for FreeBSD, and '/etc/ssl/apache2/server.crt' on Gentoo.
#####ssl_protocol
Specifies SSLProtocol. Expects an array of accepted protocols. Defaults to 'all', '-SSLv2', '-SSLv3'.
#####ssl_cipher
Specifies SSLCipherSuite. Defaults to 'HIGH:MEDIUM:!aNULL:!MD5'.
#####ssl_honorcipherorder
Sets SSLHonorCipherOrder, which is used to prefer the server's cipher preference order. Defaults to 'On' in the base `apache` config.
#####ssl_certs_dir
Specifies the location of the SSL certificate directory. Defaults to '/etc/ssl/certs' on Debian, '/etc/pki/tls/certs' on RedHat, '/usr/local/etc/apache22' on FreeBSD, and '/etc/ssl/apache2' on Gentoo.
#####ssl_chain
Specifies the SSL chain. Defaults to 'undef'. (This default works out of the box, but it must be updated in the base `apache` class with your specific certificate information before being used in production.)
#####ssl_crl
Specifies the certificate revocation list to use. Defaults to 'undef'. (This default works out of the box but must be updated in the base `apache` class with your specific certificate information before being used in production.)
#####ssl_crl_path
Specifies the location of the certificate revocation list. Defaults to 'undef'. (This default works out of the box but must be updated in the base `apache` class with your specific certificate information before being used in production.)
#####ssl_crl_check
Sets the certificate revocation check level via the SSLCARevocationCheck directive. Defaults to 'undef'. This default works out of the box but must be specified when using CRLs in production. Only applicable to Apache 2.4 or higher; the value is ignored on older versions.
#####ssl_key
Specifies the SSL key. Defaults are based on your operating system: '/etc/pki/tls/private/localhost.key' for RedHat, '/etc/ssl/private/ssl-cert-snakeoil.key' for Debian, '/usr/local/etc/apache22/server.key' for FreeBSD, and '/etc/ssl/apache2/server.key' on Gentoo. (This default works out of the box but must be updated in the base `apache` class with your specific certificate information before being used in production.)
#####ssl_verify_client
Sets the SSLVerifyClient directive, which sets the certificate verification level for client authentication. Valid values are: 'none', 'optional', 'require', and 'optional_no_ca'. Defaults to 'undef'.
```puppet
apache::vhost { 'sample.example.net':
  …
  ssl_verify_client => 'optional',
}
```
#####ssl_verify_depth
Sets the SSLVerifyDepth directive, which specifies the maximum depth of CA certificates in client certificate verification. Defaults to 'undef'.
```puppet
apache::vhost { 'sample.example.net':
  …
  ssl_verify_depth => 1,
}
```
#####ssl_options
Sets the SSLOptions directive, which configures various SSL engine run-time options. This is the global setting for the given vhost and can be a string or an array. Defaults to 'undef'.
A string:
```puppet
apache::vhost { 'sample.example.net':
  …
  ssl_options => '+ExportCertData',
}
```
An array:
```puppet
apache::vhost { 'sample.example.net':
  …
  ssl_options => [ '+StrictRequire', '+ExportCertData' ],
}
```
#####ssl_proxyengine
Specifies whether or not to use SSLProxyEngine. Valid values are 'true' and 'false'. Defaults to 'false'.
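The SSL parameters above combined into a single vhost that requires client certificates, as an added example that is not part of the module's README. The hostname, file paths, protocol list and cipher string are assumptions, and removing TLSv1 presumes an OpenSSL build that supports newer TLS versions.

```puppet
# Added example (not from the module's README). Hostname, file paths, the
# protocol list and the cipher string are assumptions chosen for illustration.
apache::vhost { 'api.example.net ssl':
  servername           => 'api.example.net',
  port                 => '443',
  docroot              => '/var/www/api',
  ssl                  => true,

  # Server identity: replace the packaged defaults (the snakeoil/localhost
  # certificate and key) with files issued for this host.
  ssl_cert             => '/etc/pki/tls/certs/api.example.net.crt',
  ssl_key              => '/etc/pki/tls/private/api.example.net.key',
  ssl_chain            => '/etc/pki/tls/certs/intermediate-ca.crt',

  # Protocols and ciphers: narrower than the documented defaults of
  # 'all', '-SSLv2', '-SSLv3' and 'HIGH:MEDIUM:!aNULL:!MD5'.
  ssl_protocol         => ['all', '-SSLv2', '-SSLv3', '-TLSv1'],
  ssl_cipher           => 'HIGH:!aNULL:!MD5:!3DES',
  ssl_honorcipherorder => 'On',

  # Client authentication: 'require' fails the handshake unless the client
  # presents a certificate issued directly by the client CA (depth 1).
  ssl_ca               => '/etc/pki/tls/certs/client-ca.crt',
  ssl_verify_client    => 'require',
  ssl_verify_depth     => 1,

  # Revocation: CRLs are read from ssl_crl_path. ssl_crl_check renders
  # SSLCARevocationCheck, which is ignored on Apache versions before 2.4.
  ssl_crl_path         => '/etc/pki/tls/crl',
  ssl_crl_check        => 'chain',

  # +StrictRequire denies access whenever SSLRequireSSL or SSLRequire fails,
  # even under 'Satisfy any'; +StdEnvVars exposes the SSL_* variables
  # (including the client certificate subject) to the application.
  ssl_options          => ['+StrictRequire', '+StdEnvVars'],
}
```

Leaving `ssl_cert` and `ssl_key` unset falls back to the per-OS defaults listed above, so set both explicitly on any vhost that serves real traffic.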
####Defined Type: FastCGI Server
This type is intended for use with mod_fastcgi. It allows you to define one or more external FastCGI servers to handle specific file types.
Ex:
```puppet
apache::fastcgi::server { 'php':
  host       => '127.0.0.1:9000',
  timeout    => 15,
  flush      => false,
  faux_path  => '/var/www/php.fcgi',
  fcgi_alias => '/php.fcgi',
  file_type  => 'application/x-httpd-php'
}
```
Within your virtual host, you can then configure the specified file type to be handled by the fastcgi server specified above.
```puppet
apache::vhost { 'www':
  ...
  custom_fragment => 'AddType application/x-httpd-php .php'
  ...
}
```
#####host
The hostname or IP address and TCP port number (1-65535) of the FastCGI server.
#####timeout
The number of seconds of FastCGI application inactivity allowed before the request is aborted and the event is logged (at the error LogLevel). The inactivity timer applies only as long as a connection is pending with the FastCGI application. If a request is queued to an application, but the application doesn't respond (by writing and flushing) within this period, the request is aborted. If communication is complete with the application but incomplete with the client (the response is buffered), the timeout does not apply.
#####flush
Force a write to the client as data is received from the application. By default, mod_fastcgi buffers data in order to free the application as quickly as possible.
#####faux_path
`faux_path` does not have to exist in the local filesystem. URIs that Apache resolves to this filename are handled by this external FastCGI application.
#####alias
A unique alias. This is used internally to link the action with the FastCGI server.
#####file_type
The MIME-type of the file to be processed by the FastCGI server.
###Virtual Host Examples
The apache module allows you to set up pretty much any configuration of virtual host you might need. This section addresses some common configurations, but look at the Tests section for even more examples.
Configure a vhost with a server administrator
```puppet
apache::vhost { 'third.example.com':
  port        => '80',
  docroot     => '/var/www/third',
  serveradmin => 'admin@example.com',
}
```
Set up a vhost with aliased servers
```puppet
apache::vhost { 'sixth.example.com':
  serveraliases => [
    'sixth.example.org',
    'sixth.example.net',
  ],
  port          => '80',
  docroot       => '/var/www/fifth',
}
```
Configure a vhost with a cgi-bin
```puppet
apache::vhost { 'eleventh.example.com':
  port        => '80',
  docroot     => '/var/www/eleventh',
  scriptalias => '/usr/lib/cgi-bin',
}
```
Set up a vhost with a rack configuration
```puppet
apache::vhost { 'fifteenth.example.com':
  port           => '80',
  docroot        => '/var/www/fifteenth',
  rack_base_uris => ['/rackapp1', '/rackapp2'],
}
```
Set up a mix of SSL and non-SSL vhosts at the same domain
```puppet
# The non-ssl vhost
apache::vhost { 'first.example.com non-ssl':
  servername => 'first.example.com',
  port       => '80',
  docroot    => '/var/www/first',
}

# The SSL vhost at the same domain
apache::vhost { 'first.example.com ssl':
  servername => 'first.example.com',
  port       => '443',
  docroot    => '/var/www/first',
  ssl        => true,
}
```
Configure a vhost to redirect non-SSL connections to SSL
```puppet
apache::vhost { 'sixteenth.example.com non-ssl':
  servername      => 'sixteenth.example.com',
  port            => '80',
  docroot         => '/var/www/sixteenth',
  redirect_status => 'permanent',
  redirect_dest   => 'https://sixteenth.example.com/'
}

apache::vhost { 'sixteenth.example.com ssl':
  servername => 'sixteenth.example.com',
  port       => '443',
  docroot    => '/var/www/sixteenth',
  ssl        => true,
}
```
Set up IP-based vhosts on any listen port and have them respond to requests on specific IP addresses. In this example, we set listening on ports 80 and 81. This is required because the example vhosts are not declared with a port parameter.
```puppet
apache::listen { '80': }
apache::listen { '81': }
```
Then we set up the IP-based vhosts
```puppet
apache::vhost { 'first.example.com':
  ip       => '10.0.0.10',
  docroot  => '/var/www/first',
  ip_based => true,
}

apache::vhost { 'second.example.com':
  ip       => '10.0.0.11',
  docroot  => '/var/www/second',
  ip_based => true,
}
```
Configure a mix of name-based and IP-based vhosts. First, we add two IP-based vhosts on 10.0.0.10, one SSL and one non-SSL
```puppet
apache::vhost { 'The first IP-based vhost, non-ssl':
  servername => 'first.example.com',
  ip         => '10.0.0.10',
  port       => '80',
  ip_based   => true,
  docroot    => '/var/www/first',
}

apache::vhost { 'The first IP-based vhost, ssl':
  servername => 'first.example.com',
  ip         => '10.0.0.10',
  port       => '443',
  ip_based   => true,
  docroot    => '/var/www/first-ssl',
  ssl        => true,
}
```
Then, we add two name-based vhosts listening on 10.0.0.20
```puppet
apache::vhost { 'second.example.com':
  ip      => '10.0.0.20',
  port    => '80',
  docroot => '/var/www/second',
}

apache::vhost { 'third.example.com':
  ip      => '10.0.0.20',
  port    => '80',
  docroot => '/var/www/third',
}
```
If you want to add two name-based vhosts so that they answer on either 10.0.0.10 or 10.0.0.20, you MUST declare `add_listen => 'false'` to disable the otherwise automatic 'Listen 80', as it conflicts with the preceding IP-based vhosts.
```puppet
apache::vhost { 'fourth.example.com':
  port       => '80',
  docroot    => '/var/www/fourth',
  add_listen => false,
}

apache::vhost { 'fifth.example.com':
  port       => '80',
  docroot    => '/var/www/fifth',
  add_listen => false,
}
```
###Load Balancing
####Defined Type: apache::balancer
`apache::balancer` creates an Apache balancer cluster. Each balancer cluster needs one or more balancer members, which are declared with `apache::balancermember`.
One `apache::balancer` defined resource should be defined for each Apache load balanced set of servers. The `apache::balancermember` resources for all balancer members can be exported and collected on a single Apache load balancer server using exported resources.
Parameters within `apache::balancer`:
#####name
Sets the balancer cluster's title. This parameter also sets the title of the conf.d file.
#####proxy_set
Configures key-value pairs as ProxySet lines. Accepts a hash, and defaults to '{}'.
#####collect_exported
Determines whether or not to use exported resources. Valid values are 'true' and 'false'. Defaults to 'true'.
If you statically declare all of your backend servers, you should set this to 'false' to rely on existing declared balancer member resources. Also make sure to use `apache::balancermember` with array arguments.
If you wish to dynamically declare your backend servers via exported resources collected on a central node, you must set this parameter to 'true' in order to collect the exported balancer member resources that were exported by the balancer member nodes.
If you choose not to use exported resources, all balancer members will be configured in a single Puppet run. If you are using exported resources, Puppet has to run on the balanced nodes, then run on the balancer.
####Defined Type: apache::balancermember
Defines members of mod_proxy_balancer, which sets up a balancer member inside a listening service configuration block in etc/apache/apache.cfg on the load balancer.
Parameters within `apache::balancermember`:
#####name
Sets the title of the resource. This name also sets the name of the concat fragment.
#####balancer_cluster
Sets the Apache service's instance name. This must match the name of a declared `apache::balancer` resource. Required.
#####url
Specifies the URL used to contact the balancer member server. Defaults to 'http://${::fqdn}/'.
#####options
An array of options to be specified after the URL. Accepts any key-value pairs available to ProxyPass.
####Examples
To load balance with exported resources, export the `balancermember` from the balancer member
```puppet
@@apache::balancermember { "${::fqdn}-puppet00":
  balancer_cluster => 'puppet00',
  url              => "ajp://${::fqdn}:8009",
  options          => ['ping=5', 'disablereuse=on', 'retry=5', 'ttl=120'],
}
```
Then, on the proxy server, create the balancer cluster
```puppet
apache::balancer { 'puppet00': }
```
To load balance without exported resources, declare the following on the proxy
```puppet
apache::balancer { 'puppet00': }

apache::balancermember { "${::fqdn}-puppet00":
  balancer_cluster => 'puppet00',
  url              => "ajp://${::fqdn}:8009",
  options          => ['ping=5', 'disablereuse=on', 'retry=5', 'ttl=120'],
}
```
Then declare `apache::balancer` and `apache::balancermember` on the proxy server.
If you need to use ProxySet in the balancer config
```puppet
apache::balancer { 'puppet01':
  proxy_set => {'stickysession' => 'JSESSIONID'},
}
```
##Reference
###Classes
####Public Classes
- `apache`: Guides the basic setup of Apache.
- `apache::dev`: Installs Apache development libraries. (Note: On FreeBSD, you must declare `apache::package` or `apache` before `apache::dev`.)
- `apache::mod::[name]`: Enables specific Apache HTTPD modules.
####Private Classes
- `apache::confd::no_accf`: Creates the no-accf.conf configuration file in conf.d, required by FreeBSD's Apache 2.4.
- `apache::default_confd_files`: Includes conf.d files for FreeBSD.
- `apache::default_mods`: Installs the Apache modules required to run the default configuration.
- `apache::package`: Installs and configures basic Apache packages.
- `apache::params`: Manages Apache parameters.
- `apache::service`: Manages the Apache daemon.
###Defined Types
####Public Defined Types
- `apache::balancer`: Creates an Apache balancer cluster.
- `apache::balancermember`: Defines members of mod_proxy_balancer.
- `apache::listen`: Based on the title, controls which ports Apache binds to for listening. Adds Listen directives to ports.conf in the Apache HTTPD configuration directory. Titles take the form '', ':', or ':'.
- `apache::mod`: Used to enable arbitrary Apache HTTPD modules for which there is no specific `apache::mod::[name]` class.
- `apache::namevirtualhost`: Enables name-based hosting of a virtual host. Adds all NameVirtualHost directives to the `ports.conf` file in the Apache HTTPD configuration directory. Titles take the form '*', '*:', '_default_:, '', or ':'.
- `apache::vhost`: Allows specialized configurations for virtual hosts that have requirements outside the defaults.
####Private Defined Types
- `apache::peruser::multiplexer`: Enables the Peruser module for FreeBSD only.
- `apache::peruser::processor`: Enables the Peruser module for FreeBSD only.
- `apache::security::file_link`: Links the activated_rules from apache::mod::security to the respective CRS rules on disk.
###Templates
The Apache module relies heavily on templates to enable the `vhost` and `apache::mod` defined types. These templates are built based on Facter facts around your operating system. Unless explicitly called out, most templates are not meant for configuration.
##Limitations
###Ubuntu 10.04
The `apache::vhost::WSGIImportScript` parameter creates a statement inside the VirtualHost which is unsupported on older versions of Apache, causing this to fail. This will be remedied in a future refactoring.
###RHEL/CentOS 5
The `apache::mod::passenger` and `apache::mod::proxy_html` classes are untested since repositories are missing compatible packages.
###RHEL/CentOS 7
The `apache::mod::passenger` class is untested as the repository does not have packages for EL7 yet. The fact that passenger packages aren't available also makes us unable to test the `rack_base_uri` parameter in `apache::vhost`.
###General
This module is CI tested on CentOS 5 & 6, Ubuntu 12.04 & 14.04, Debian 7, and RHEL 5, 6 & 7 platforms against both the OSS and Enterprise versions of Puppet.
The module contains support for other distributions and operating systems, such as FreeBSD, Gentoo and Amazon Linux, but is not formally tested on those and regressions can occur.
###SELinux and Custom Paths
If you are running with SELinux in enforcing mode and want to use custom paths for your `logroot`, `mod_dir`, `vhost_dir`, and `docroot`, you need to manage the context for the files yourself.
Something along the lines of:
##2015-03-17 - Supported Release 1.4.0
###Summary
This release fixes the issue where the docroot was still managed even if the default vhosts were disabled and has many other features and bugfixes including improved support for 'deny' and 'require' as arrays in the 'directories' parameter under apache::vhost
####Features
- New parameters to `apache`
  - `default_charset`
  - `default_type`
- New parameters to `apache::vhost`
  - `proxy_error_override`
  - `passenger_app_env` (MODULES-1776)
  - `proxy_dest_match`
  - `proxy_dest_reverse_match`
  - `proxy_pass_match`
  - `no_proxy_uris_match`
- New parameters to `apache::mod::passenger`
  - `passenger_app_env`
  - `passenger_min_instances`
- New parameter to `apache::mod::alias`
  - `icons_options`
- New classes added under `apache::mod::*`
  - `authn_file`
  - `authz_default`
  - `authz_user`
- Added support for 'deny' as an array in 'directories' under `apache::vhost`
- Added support for RewriteMap
- Improved support for FreeBSD. (Note: If using apache < 2.4.12, see the discussion here)
- Added check for deprecated options in directories and fail when they are unsupported
- Added gentoo compatibility
- Added proper array support for `require` in the `directories` parameter in `apache::vhost`
- Added support for `setenv` inside proxy locations
###Bugfixes
- Fix issue in `apache::vhost` that was preventing the scriptalias fragment from being included (MODULES-1784)
- Install required `mod_ldap` package for EL7 (MODULES-1779)
- Change default value of `maxrequestworkers` in `apache::mod::event` to be a multiple of the default `ThreadsPerChild` of 25.
- Use the correct `mod_prefork` package name for trusty and jessie
- Don't manage docroot when default vhosts are disabled
- Ensure resources notify `Class['Apache::Service']` instead of `Service['httpd']` (MODULES-1829)
- Change the loadfile name for `mod_passenger` so `mod_proxy` will load by default before `mod_passenger`
- Remove old Debian work-around that removed `passenger_extra.conf`
##2015-02-17 - Supported Release 1.3.0
###Summary
This release has many new features and bugfixes, including the ability to optionally not trigger service restarts on config changes.
####Features
- New parameters - `apache`
  - `service_manage`
  - `use_optional_includes`
- New parameters - `apache::service`
  - `service_manage`
- New parameters - `apache::vhost`
  - `access_logs`
  - `php_flags`
  - `php_values`
  - `modsec_disable_vhost`
  - `modsec_disable_ids`
  - `modsec_disable_ips`
  - `modsec_body_limit`
- Improved FreeBSD support
- Add ability to omit priority prefix if `$priority` is set to false
- Add `apache::security::rule_link` define
- Improvements to `apache::mod::*`
  - Add `apache::mod::auth_cass` class
  - Add `threadlimit`, `listenbacklog`, `maxrequestworkers`, `maxconnectionsperchild` parameters to `apache::mod::event`
  - Add `apache::mod::filter` class
  - Add `root_group` to `apache::mod::php`
  - Add `apache::mod::proxy_connect` class
  - Add `apache::mod::security` class
  - Add `ssl_pass_phrase_dialog` and `ssl_random_seed_bytes` parameters to `apache::mod::ssl` (MODULES-1719)
  - Add `status_path` parameter to `apache::mod::status`
  - Add `apache_version` parameter to `apache::mod::version`
  - Add `package_name` and `mod_path` parameters to `apache::mod::wsgi` (MODULES-1458)
- Improved SCL support
- Add support for specifying the docroot
- Updated `_directories.erb` to add support for SetEnv
- Support multiple access log directives (MODULES-1382)
- Add passenger support for Debian Jessie
- Add support for not having puppet restart the apache service (MODULES-1559)
####Bugfixes
- For apache 2.4 `mod_itk` requires `mod_prefork` (MODULES-825)
- Allow SSLCACertificatePath to be unset in `apache::vhost` (MODULES-1457)
- Load fcgid after unixd on RHEL7
- Allow disabling default vhost for Apache 2.4
- Test fixes
- `mod_version` is now built-in (MODULES-1446)
- Sort LogFormats for idempotency
- `allow_encoded_slashes` was omitted from `apache::vhost`
- Fix documentation bug (MODULES-1403, MODULES-1510)
- Sort `wsgi_script_aliases` for idempotency (MODULES-1384)
- lint fixes
- Fix automatic version detection for Debian Jessie
- Fix error docs and icons path for RHEL7-based systems (MODULES-1554)
- Sort php_* hashes for idempotency (MODULES-1680)
- Ensure `mod::setenvif` is included if needed (MODULES-1696)
- Fix indentation in `vhost/_directories.erb` template (MODULES-1688)
- Create symlinks on all distros if `vhost_enable_dir` is specified
##2014-09-30 - Supported Release 1.2.0
###Summary
This release features many improvements and bugfixes, including several new defines, a reworking of apache::vhost for more extensibility, and many new parameters for more customization. This release also includes improved support for strict variables and the future parser.
####Features
- Convert apache::vhost to use concat for easier extensions
- Test improvements
- Synchronize files with modulesync
- Strict variable and future parser support
- Added apache::custom_config defined type to allow validation of configs before they are created
- Added bool2httpd function to convert true/false to apache 'On' and 'Off'. Intended for internal use in the module.
- Improved SCL support
- allow overriding of the mod_ssl package name
- Add support for reverse_urls/ProxyPassReverse in apache::vhost
- Add satisfy directive in apache::vhost::directories
- Add apache::fastcgi::server defined type
- New parameters - apache
  - allow_encoded_slashes
  - apache_name
  - conf_dir
  - default_ssl_crl_check
  - docroot
  - logroot_mode
  - purge_vhost_dir
- New parameters - apache::vhost
  - add_default_charset
  - allow_encoded_slashes
  - logroot_ensure
  - logroot_mode
  - manage_docroot
  - passenger_app_root
  - passenger_min_instances
  - passenger_pre_start
  - passenger_ruby
  - passenger_start_timeout
  - proxy_preserve_host
  - redirectmatch_dest
  - ssl_crl_check
  - wsgi_chunked_request
  - wsgi_pass_authorization
- Add support for ScriptAlias and ScriptAliasMatch in the apache::vhost::aliases parameter
- Add support for rewrites in the apache::vhost::directories parameter
- If the service_ensure parameter in apache::service is set to anything other than true, false, running, or stopped, ensure will not be passed to the service resource, allowing for the service to not be managed by puppet
- Turn off SSLv3 by default
- Improvements to apache::mod*
  - Add restrict_access parameter to apache::mod::info
  - Add force_language_priority and language_priority parameters to apache::mod::negotiation
  - Add threadlimit parameter to apache::mod::worker
  - Add content, template, and source parameters to apache::mod::php
  - Add mod_authz_svn support via the authz_svn_enabled parameter in apache::mod::dav_svn
  - Add loadfile_name parameter to apache::mod
  - Add apache::mod::deflate class
  - Add options parameter to apache::mod::fcgid
  - Add timeouts parameter to apache::mod::reqtimeout
  - Add apache::mod::shib
  - Add apache_version parameter to apache::mod::ldap
  - Add magic_file parameter to apache::mod::mime_magic
  - Add apache_version parameter to apache::mod::pagespeed
  - Add passenger_default_ruby parameter to apache::mod::passenger
  - Add content, template, and source parameters to apache::mod::php
  - Add apache_version parameter to apache::mod::proxy
  - Add loadfiles parameter to apache::mod::proxy_html
  - Add ssl_protocol and package_name parameters to apache::mod::ssl
  - Add apache_version parameter to apache::mod::status
  - Add apache_version parameter to apache::mod::userdir
  - Add apache::mod::version class
####Bugfixes
- Set osfamily defaults for wsgi_socket_prefix
- Support multiple balancermembers with the same url
- Validate apache::vhost::custom_fragment
- Add support for itk with mod_php
- Allow apache::vhost::ssl_certs_dir to not be set
- Improved passenger support for Debian
- Improved 2.4 support without mod_access_compat
- Support for more than one 'Allow from'-directive in _directories.erb
- Don't load systemd on Amazon linux based on CentOS6 with apache 2.4
- Fix missing newline in ModPagespeed filter and memcached servers directive
- Use interpolated strings instead of numbers where required by future parser
- Make auth_require take precedence over default with apache 2.4
- Lint fixes
- Set default for php_admin_flags and php_admin_values to be empty hash instead of empty array
- Correct typo in mod::pagespeed
- spec_helper fixes
- Install mod packages before dealing with the configuration
- Use absolute scope to check class definition in apache::mod::php
- Fix dependency loop in apache::vhost
- Properly scope variables in the inline template in apache::balancer
- Documentation clarification, typos, and formatting
- Set apache::mod::ssl::ssl_mutex to default for debian on apache >= 2.4
- Strict variables fixes
- Add authn_core mode to Ubuntu trusty defaults
- Keep default loadfile for authz_svn on Debian
- Remove '.conf' from the site-include regexp for better Ubuntu/Debian support
- Load unixd before fcgid for EL7
- Fix RedirectMatch rules
- Fix misleading error message in apache::version
####Known Bugs
- By default, the version of Apache that ships with Ubuntu 10.04 does not work with `wsgi_import_script`.
- SLES is unsupported.
##2014-07-15 - Supported Release 1.1.1
###Summary
This release merely updates metadata.json so the module can be uninstalled and upgraded via the puppet module command.
##2014-04-14 Supported Release 1.1.0
###Summary
This release primarily focuses on extending the httpd 2.4 support, tested through adding RHEL7 and Ubuntu 14.04 support. It also includes Passenger 4 support, as well as several new modules and important bugfixes.
####Features
- Add support for RHEL7 and Ubuntu 14.04
- More complete apache24 support
- Passenger 4 support
- Add support for max_keepalive_requests and log_formats parameters
- Add mod_pagespeed support
- Add mod_speling support
- Added several parameters for mod_passenger
- Added ssl_cipher parameter to apache::mod::ssl
- Improved examples in documentation
- Added docroot_mode, action, and suexec_user_group parameters to apache::vhost
- Add support for custom extensions for mod_php
- Improve proxy_html support for Debian
####Bugfixes
- Remove NameVirtualHost directive for apache >= 2.4
- Order proxy_set option so it doesn't change between runs
- Fix inverted SSL compression
- Fix missing ensure on concat::fragment resources
- Fix bad dependencies in apache::mod and apache::mod::mime
####Known Bugs
- By default, the version of Apache that ships with Ubuntu 10.04 does not work with `wsgi_import_script`.
- SLES is unsupported.
##2014-03-04 Supported Release 1.0.1
###Summary
This is a supported release. This release removes a testing symlink that can cause trouble on systems where /var is on a separate filesystem from the modulepath.
####Features
####Bugfixes
####Known Bugs
- By default, the version of Apache that ships with Ubuntu 10.04 does not work with `wsgi_import_script`.
- SLES is unsupported.
##2014-03-04 Supported Release 1.0.0
###Summary
This is a supported release. This release introduces Apache 2.4 support for Debian and RHEL based osfamilies.
####Features
- Add apache24 support
- Add rewrite_base functionality to rewrites
- Updated README documentation
- Add WSGIApplicationGroup and WSGIImportScript directives
####Bugfixes
- Replace mutating hashes with merge() for Puppet 3.5
- Fix WSGI import_script and mod_ssl issues on Lucid
####Known Bugs
- By default, the version of Apache that ships with Ubuntu 10.04 does not work with `wsgi_import_script`.
- SLES is unsupported.
##2014-01-31 Release 0.11.0
Summary:
This release adds preliminary support for Windows compatibility and multiple rewrite support.
Backwards-incompatible Changes:
- The rewrite_rule parameter is deprecated in favor of the new rewrite parameter and will be removed in a future release.
Features:
- add Match directive
- quote paths for windows compatibility
- add auth_group_file option to README.md
- allow AuthGroupFile directive for vhosts
- Support Header directives in vhost context
- Don't purge mods-available dir when separate enable dir is used
- Fix the servername used in log file name
- Added support for mod_include
- Remove index parameters.
- Support environment variable control for CustomLog
- added redirectmatch support
- Setting up the ability to do multiple rewrites and conditions.
- Convert spec tests to beaker.
- Support phpadmin(flag|value)s
Bugfixes:
- directories are either a Hash or an Array of Hashes
- Configure Passenger in separate .conf file on RH so PassengerRoot isn't lost
- (docs) Update list of `apache::mod::[name]` classes
- (docs) Fix apache::namevirtualhost example call style
- Fix $ports_file reference in apache::listen.
- Fix $ports_file reference in Namevirtualhost.
##2013-12-05 Release 0.10.0
Summary:
This release adds FreeBSD osfamily support and various other improvements to some mods.
Features:
- Add suPHP_UserGroup directive to directory context
- Add support for ScriptAliasMatch directives
- Set SSLOptions StdEnvVars in server context
- No implicit entry for ScriptAlias path
- Add support for overriding ErrorDocument
- Add support for AliasMatch directives
- Disable default "allow from all" in vhost-directories
- Add WSGIPythonPath as an optional parameter to mod_wsgi.
- Add mod_rpaf support
- Add directives: IndexOptions, IndexOrderDefault
- Add ability to include additional external configurations in vhost
- need to use the provider variable not the provider key value from the directory hash for matches
- Support for FreeBSD and few other features
- Add new params to apache::mod::mime class
- Allow apache::mod to specify module id and path
- added $server_root parameter
- Add Allow and ExtendedStatus support to mod_status
- Expand vhost/_directories.pp directive support
- Add initial support for nss module (no directives in vhost template yet)
- added peruser and event mpms
- added $service_name parameter
- add parameter for TraceEnable
- Make LogLevel configurable for server and vhost
- Add documentation about $ip
- Add ability to pass ip (instead of wildcard) in default vhost files
Bugfixes:
- Don't listen on port or set NameVirtualHost for non-existent vhost
- only apply Directory defaults when provider is a directory
- Working mod_authnz_ldap support on Debian/Ubuntu
##2013-09-06 Release 0.9.0
Summary:
This release adds more parameters to the base apache class and apache defined resource to make the module more flexible. It also adds or enhances SuPHP, WSGI, and Passenger mod support, and support for the ITK mpm module.
Backwards-incompatible Changes:
- Remove many default mods that are not normally needed.
- Remove `rewrite_base` `apache::vhost` parameter; did not work anyway.
- Specify dependencies on stdlib >=2.4.0 (this was already the case, but making explicit)
- Deprecate `a2mod` in favor of the `apache::mod::*` classes and `apache::mod` defined resource.
Features:
- `apache` class
  - Add `httpd_dir` parameter to change the location of the configuration files.
  - Add `logroot` parameter to change the logroot
  - Add `ports_file` parameter to change the `ports.conf` file location
  - Add `keepalive` parameter to enable persistent connections
  - Add `keepalive_timeout` parameter to change the timeout
  - Update `default_mods` to be able to take an array of mods to enable.
- `apache::vhost`
  - Add `wsgi_daemon_process`, `wsgi_daemon_process_options`, `wsgi_process_group`, and `wsgi_script_aliases` parameters for per-vhost WSGI configuration.
  - Add `access_log_syslog` parameter to enable syslogging.
  - Add `error_log_syslog` parameter to enable syslogging of errors.
  - Add `directories` hash parameter. Please see README for documentation.
  - Add `sslproxyengine` parameter to enable SSLProxyEngine
  - Add `suphp_addhandler`, `suphp_engine`, and `suphp_configpath` for configuring SuPHP.
  - Add `custom_fragment` parameter to allow for arbitrary apache configuration injection. (Feature pull requests are preferred over using this, but it is available in a pinch.)
- Add `apache::mod::suphp` class for configuring SuPHP.
- Add `apache::mod::itk` class for configuring ITK mpm module.
- Update `apache::mod::wsgi` class for global WSGI configuration with `wsgi_socket_prefix` and `wsgi_python_home` parameters.
- Add README.passenger.md to document the `apache::mod::passenger` usage. Added `passenger_high_performance`, `passenger_pool_idle_time`, `passenger_max_requests`, `passenger_stat_throttle_rate`, `rack_autodetect`, and `rails_autodetect` parameters.
- Separate the httpd service resource into a new `apache::service` class for dependency chaining of `Class['apache'] -> <resource> ~> Class['apache::service']`
- Added `apache::mod::proxy_balancer` class for `apache::balancer`
Bugfixes:
- Change dependency to puppetlabs-concat
- Fix ruby 1.9 bug for `a2mod`
- Change servername to be `$::hostname` if there is no `$::fqdn`
- Make `/etc/ssl/certs` the default ssl certs directory for RedHat non-5.
- Make `php` the default php package for RedHat non-5.
- Made `aliases` able to take a single alias hash instead of requiring an array.
##2013-07-26 Release 0.8.1
Bugfixes:
- Update `apache::mpm_module` detection for worker/prefork
- Update `apache::mod::cgi` and `apache::mod::cgid` detection for worker/prefork
2013-07-16 Release 0.8.0
Features:
- Add `servername` parameter to `apache` class
- Add `proxy_set` parameter to `apache::balancer` define
Bugfixes:
- Fix ordering for multiple `apache::balancer` clusters
- Fix symlinking for sites-available on Debian-based OSs
- Fix dependency ordering for recursive confdir management
- Fix `apache::mod::*` to notify the service on config change
- Documentation updates
2013-07-09 Release 0.7.0
Changes:
- Essentially rewrite the module -- too many to list
- `apache::vhost` has many abilities -- see README.md for details
- `apache::mod::*` classes provide httpd mod-loading capabilities
- `apache` base class is much more configurable
Bugfixes:
- Many. And many more to come
2013-03-2 Release 0.6.0
- update travis tests (add more supported versions)
- add access log_parameter
- make purging of vhost dir configurable
2012-08-24 Release 0.4.0
Changes:
- `include apache` is now required when using `apache::mod::*`
Bugfixes:
- Fix syntax for validate_re
- Fix formatting in vhost template
- Fix spec tests such that they pass
##2012-05-08 Puppet Labs info@puppetlabs.com - 0.0.4
- e62e362 Fix broken tests for ssl, vhost, vhost::*
- 42c6363 Changes to match style guide and pass puppet-lint without error
- 42bc8ba changed name => path for file resources in order to name namevar by its name
- 72e13de One end too much
- 0739641 style guide fixes: 'true' <> true, $operatingsystem needs to be $::operatingsystem, etc.
- 273f94d fix tests
- a35ede5 (#13860) Make a2enmod/a2dismod commands optional
- 98d774e (#13860) Autorequire Package['httpd']
- 05fcec5 (#13073) Add missing puppet spec tests
- 541afda (#6899) Remove virtual a2mod definition
- 976cb69 (#13072) Move mod python and wsgi package names to params
- 323915a (#13060) Add .gitignore to repo
- fdf40af (#13060) Remove pkg directory from source tree
- fd90015 Add LICENSE file and update the ModuleFile
- d3d0d23 Re-enable local php class
- d7516c7 Make management of firewalls configurable for vhosts
- 60f83ba Explicitly lookup scope of apache_name in templates.
- f4d287f (#12581) Add explicit ordering for vdir directory
- 88a2ac6 (#11706) puppetlabs-apache depends on puppetlabs-firewall
- a776a8b (#11071) Fix to work with latest firewall module
- 2b79e8b (#11070) Add support for Scientific Linux
- 405b3e9 Fix for a2mod
- 57b9048 Commit apache::vhost::redirect Manifest
- 8862d01 Commit apache::vhost::proxy Manifest
- d5c1fd0 Commit apache::mod::wsgi Manifest
- a825ac7 Commit apache::mod::python Manifest
- b77062f Commit Templates
- 9a51b4a Vhost File Declarations
- 6cf7312 Defaults for Parameters
- 6a5b11a Ensure installed
- f672e46 a2mod fix
- 8a56ee9 add python support to apache
Dependencies
- puppetlabs/stdlib (>= 2.4.0 < 5.0.0)
- puppetlabs/concat (>= 1.1.1 < 2.0.0)
Copyright (C) 2012 Puppet Labs Inc

Puppet Labs can be contacted at: info@puppetlabs.com

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.